Context Navigation

source: branches/samba-3.2.x/source/passdb/pdb_ldap.c

Visit:

Last change on this file was 272, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 to 3.2.12
File size: 177.8 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	LDAP protocol helper functions for SAMBA
4	Copyright (C) Jean François Micouleau 1998
5	Copyright (C) Gerald Carter 2001-2003
6	Copyright (C) Shahms King 2001
7	Copyright (C) Andrew Bartlett 2002-2003
8	Copyright (C) Stefan (metze) Metzmacher 2002-2003
9	Copyright (C) Simo Sorce 2006
10
11	This program is free software; you can redistribute it and/or modify
12	it under the terms of the GNU General Public License as published by
13	the Free Software Foundation; either version 3 of the License, or
14	(at your option) any later version.
15
16	This program is distributed in the hope that it will be useful,
17	but WITHOUT ANY WARRANTY; without even the implied warranty of
18	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	GNU General Public License for more details.
20
21	You should have received a copy of the GNU General Public License
22	along with this program. If not, see <http://www.gnu.org/licenses/>.
23
24	*/
25
26	/* TODO:
27	* persistent connections: if using NSS LDAP, many connections are made
28	* however, using only one within Samba would be nice
29	*
30	* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
31	*
32	* Other LDAP based login attributes: accountExpires, etc.
33	* (should be the domain of Samba proper, but the sam_password/struct samu
34	* structures don't have fields for some of these attributes)
35	*
36	* SSL is done, but can't get the certificate based authentication to work
37	* against on my test platform (Linux 2.4, OpenLDAP 2.x)
38	*/
39
40	/* NOTE: this will NOT work against an Active Directory server
41	* due to the fact that the two password fields cannot be retrieved
42	* from a server; recommend using security = domain in this situation
43	* and/or winbind
44	*/
45
46	#include "includes.h"
47
48	#undef DBGC_CLASS
49	#define DBGC_CLASS DBGC_PASSDB
50
51	#include <lber.h>
52	#include <ldap.h>
53
54	/*
55	* Work around versions of the LDAP client libs that don't have the OIDs
56	* defined, or have them defined under the old name.
57	* This functionality is really a factor of the server, not the client
58	*
59	*/
60
61	#if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
62	#define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
63	#elif !defined(LDAP_EXOP_MODIFY_PASSWD)
64	#define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
65	#endif
66
67	#if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
68	#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
69	#elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
70	#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
71	#endif
72
73	#if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
74	#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
75	#elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
76	#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
77	#endif
78
79
80	#include "smbldap.h"
81
82	/**********************************************************************
83	Simple helper function to make stuff better readable
84	**********************************************************************/
85
86	static LDAP priv2ld(struct ldapsam_privates priv)
87	{
88	return priv->smbldap_state->ldap_struct;
89	}
90
91	/**********************************************************************
92	Get the attribute name given a user schame version.
93	**********************************************************************/
94
95	static const char* get_userattr_key2string( int schema_ver, int key )
96	{
97	switch ( schema_ver ) {
98	case SCHEMAVER_SAMBAACCOUNT:
99	return get_attr_key2string( attrib_map_v22, key );
100
101	case SCHEMAVER_SAMBASAMACCOUNT:
102	return get_attr_key2string( attrib_map_v30, key );
103
104	default:
105	DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
106	break;
107	}
108	return NULL;
109	}
110
111	/**********************************************************************
112	Return the list of attribute names given a user schema version.
113	**********************************************************************/
114
115	const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
116	{
117	switch ( schema_ver ) {
118	case SCHEMAVER_SAMBAACCOUNT:
119	return get_attr_list( mem_ctx, attrib_map_v22 );
120
121	case SCHEMAVER_SAMBASAMACCOUNT:
122	return get_attr_list( mem_ctx, attrib_map_v30 );
123	default:
124	DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
125	break;
126	}
127
128	return NULL;
129	}
130
131	/**************************************************************************
132	Return the list of attribute names to delete given a user schema version.
133	**************************************************************************/
134
135	static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
136	int schema_ver )
137	{
138	switch ( schema_ver ) {
139	case SCHEMAVER_SAMBAACCOUNT:
140	return get_attr_list( mem_ctx,
141	attrib_map_to_delete_v22 );
142
143	case SCHEMAVER_SAMBASAMACCOUNT:
144	return get_attr_list( mem_ctx,
145	attrib_map_to_delete_v30 );
146	default:
147	DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
148	break;
149	}
150
151	return NULL;
152	}
153
154
155	/*******************************************************************
156	Generate the LDAP search filter for the objectclass based on the
157	version of the schema we are using.
158	******************************************************************/
159
160	static const char* get_objclass_filter( int schema_ver )
161	{
162	fstring objclass_filter;
163	char *result;
164
165	switch( schema_ver ) {
166	case SCHEMAVER_SAMBAACCOUNT:
167	fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
168	break;
169	case SCHEMAVER_SAMBASAMACCOUNT:
170	fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
171	break;
172	default:
173	DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
174	objclass_filter[0] = '\0';
175	break;
176	}
177
178	result = talloc_strdup(talloc_tos(), objclass_filter);
179	SMB_ASSERT(result != NULL);
180	return result;
181	}
182
183	/*****************************************************************
184	Scan a sequence number off OpenLDAP's syncrepl contextCSN
185	******************************************************************/
186
187	static NTSTATUS ldapsam_get_seq_num(struct pdb_methods my_methods, time_t seq_num)
188	{
189	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
190	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
191	LDAPMessage *msg = NULL;
192	LDAPMessage *entry = NULL;
193	TALLOC_CTX *mem_ctx;
194	char **values = NULL;
195	int rc, num_result, num_values, rid;
196	char *suffix = NULL;
197	char *tok;
198	const char *p;
199	const char **attrs;
200
201	/* Unfortunatly there is no proper way to detect syncrepl-support in
202	* smbldap_connect_system(). The syncrepl OIDs are submitted for publication
203	* but do not show up in the root-DSE yet. Neither we can query the
204	* subschema-context for the syncProviderSubentry or syncConsumerSubentry
205	* objectclass. Currently we require lp_ldap_suffix() to show up as
206	* namingContext. - Guenther
207	*/
208
209	if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
210	return ntstatus;
211	}
212
213	if (!seq_num) {
214	DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
215	return ntstatus;
216	}
217
218	if (!smbldap_has_naming_context(ldap_state->smbldap_state->ldap_struct, lp_ldap_suffix())) {
219	DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
220	"as top-level namingContext\n", lp_ldap_suffix()));
221	return ntstatus;
222	}
223
224	mem_ctx = talloc_init("ldapsam_get_seq_num");
225
226	if (mem_ctx == NULL)
227	return NT_STATUS_NO_MEMORY;
228
229	if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 2)) == NULL) {
230	ntstatus = NT_STATUS_NO_MEMORY;
231	goto done;
232	}
233
234	/* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
235	rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
236	if (rid > 0) {
237
238	/* consumer syncreplCookie: */
239	/* csn=20050126161620Z#0000001#00#00000 */
240	attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
241	attrs[1] = NULL;
242	suffix = talloc_asprintf(mem_ctx,
243	"cn=syncrepl%d,%s", rid, lp_ldap_suffix());
244	if (!suffix) {
245	ntstatus = NT_STATUS_NO_MEMORY;
246	goto done;
247	}
248	} else {
249
250	/* provider contextCSN */
251	/* 20050126161620Z#000009#00#000000 */
252	attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
253	attrs[1] = NULL;
254	suffix = talloc_asprintf(mem_ctx,
255	"cn=ldapsync,%s", lp_ldap_suffix());
256
257	if (!suffix) {
258	ntstatus = NT_STATUS_NO_MEMORY;
259	goto done;
260	}
261	}
262
263	rc = smbldap_search(ldap_state->smbldap_state, suffix,
264	LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
265
266	if (rc != LDAP_SUCCESS) {
267	goto done;
268	}
269
270	num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg);
271	if (num_result != 1) {
272	DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
273	goto done;
274	}
275
276	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg);
277	if (entry == NULL) {
278	DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
279	goto done;
280	}
281
282	values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]);
283	if (values == NULL) {
284	DEBUG(3,("ldapsam_get_seq_num: no values\n"));
285	goto done;
286	}
287
288	num_values = ldap_count_values(values);
289	if (num_values == 0) {
290	DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
291	goto done;
292	}
293
294	p = values[0];
295	if (!next_token_talloc(mem_ctx, &p, &tok, "#")) {
296	DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
297	goto done;
298	}
299
300	p = tok;
301	if (!strncmp(p, "csn=", strlen("csn=")))
302	p += strlen("csn=");
303
304	DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
305
306	*seq_num = generalized_to_unix_time(p);
307
308	/* very basic sanity check */
309	if (*seq_num <= 0) {
310	DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
311	(int)*seq_num));
312	goto done;
313	}
314
315	ntstatus = NT_STATUS_OK;
316
317	done:
318	if (values != NULL)
319	ldap_value_free(values);
320	if (msg != NULL)
321	ldap_msgfree(msg);
322	if (mem_ctx)
323	talloc_destroy(mem_ctx);
324
325	return ntstatus;
326	}
327
328	/*******************************************************************
329	Run the search by name.
330	******************************************************************/
331
332	int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
333	const char *user,
334	LDAPMessage ** result,
335	const char **attr)
336	{
337	char *filter = NULL;
338	char *escape_user = escape_ldap_string_alloc(user);
339	int ret = -1;
340
341	if (!escape_user) {
342	return LDAP_NO_MEMORY;
343	}
344
345	/*
346	* in the filter expression, replace %u with the real name
347	* so in ldap filter, %u MUST exist :-)
348	*/
349	filter = talloc_asprintf(talloc_tos(), "(&%s%s)", "(uid=%u)",
350	get_objclass_filter(ldap_state->schema_ver));
351	if (!filter) {
352	SAFE_FREE(escape_user);
353	return LDAP_NO_MEMORY;
354	}
355	/*
356	* have to use this here because $ is filtered out
357	* in string_sub
358	*/
359
360	filter = talloc_all_string_sub(talloc_tos(),
361	filter, "%u", escape_user);
362	SAFE_FREE(escape_user);
363	if (!filter) {
364	return LDAP_NO_MEMORY;
365	}
366
367	ret = smbldap_search_suffix(ldap_state->smbldap_state,
368	filter, attr, result);
369	TALLOC_FREE(filter);
370	return ret;
371	}
372
373	/*******************************************************************
374	Run the search by rid.
375	******************************************************************/
376
377	static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
378	uint32 rid, LDAPMessage ** result,
379	const char **attr)
380	{
381	char *filter = NULL;
382	int rc;
383
384	filter = talloc_asprintf(talloc_tos(), "(&(rid=%i)%s)", rid,
385	get_objclass_filter(ldap_state->schema_ver));
386	if (!filter) {
387	return LDAP_NO_MEMORY;
388	}
389
390	rc = smbldap_search_suffix(ldap_state->smbldap_state,
391	filter, attr, result);
392	TALLOC_FREE(filter);
393	return rc;
394	}
395
396	/*******************************************************************
397	Run the search by SID.
398	******************************************************************/
399
400	static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
401	const DOM_SID sid, LDAPMessage * result,
402	const char **attr)
403	{
404	char *filter = NULL;
405	int rc;
406	fstring sid_string;
407
408	filter = talloc_asprintf(talloc_tos(), "(&(%s=%s)%s)",
409	get_userattr_key2string(ldap_state->schema_ver,
410	LDAP_ATTR_USER_SID),
411	sid_to_fstring(sid_string, sid),
412	get_objclass_filter(ldap_state->schema_ver));
413	if (!filter) {
414	return LDAP_NO_MEMORY;
415	}
416
417	rc = smbldap_search_suffix(ldap_state->smbldap_state,
418	filter, attr, result);
419
420	TALLOC_FREE(filter);
421	return rc;
422	}
423
424	/*******************************************************************
425	Delete complete object or objectclass and attrs from
426	object found in search_result depending on lp_ldap_delete_dn
427	******************************************************************/
428
429	static int ldapsam_delete_entry(struct ldapsam_privates *priv,
430	TALLOC_CTX *mem_ctx,
431	LDAPMessage *entry,
432	const char *objectclass,
433	const char **attrs)
434	{
435	LDAPMod **mods = NULL;
436	char *name;
437	const char *dn;
438	BerElement *ptr = NULL;
439
440	dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
441	if (dn == NULL) {
442	return LDAP_NO_MEMORY;
443	}
444
445	if (lp_ldap_delete_dn()) {
446	return smbldap_delete(priv->smbldap_state, dn);
447	}
448
449	/* Ok, delete only the SAM attributes */
450
451	for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
452	name != NULL;
453	name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
454	const char **attrib;
455
456	/* We are only allowed to delete the attributes that
457	really exist. */
458
459	for (attrib = attrs; *attrib != NULL; attrib++) {
460	if (strequal(*attrib, name)) {
461	DEBUG(10, ("ldapsam_delete_entry: deleting "
462	"attribute %s\n", name));
463	smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
464	NULL);
465	}
466	}
467	ldap_memfree(name);
468	}
469
470	if (ptr != NULL) {
471	ber_free(ptr, 0);
472	}
473
474	smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
475	talloc_autofree_ldapmod(mem_ctx, mods);
476
477	return smbldap_modify(priv->smbldap_state, dn, mods);
478	}
479
480	static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates ldap_state, LDAPMessage entry)
481	{
482	char *temp;
483	struct tm tm;
484
485	temp = smbldap_talloc_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
486	get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
487	talloc_tos());
488	if (!temp) {
489	return (time_t) 0;
490	}
491
492	if ( !strptime(temp, "%Y%m%d%H%M%SZ", &tm)) {
493	DEBUG(2,("ldapsam_get_entry_timestamp: strptime failed on: %s\n",
494	(char*)temp));
495	TALLOC_FREE(temp);
496	return (time_t) 0;
497	}
498	TALLOC_FREE(temp);
499	tzset();
500	return timegm(&tm);
501	}
502
503	/**********************************************************************
504	Initialize struct samu from an LDAP query.
505	(Based on init_sam_from_buffer in pdb_tdb.c)
506	*********************************************************************/
507
508	static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
509	struct samu * sampass,
510	LDAPMessage * entry)
511	{
512	time_t logon_time,
513	logoff_time,
514	kickoff_time,
515	pass_last_set_time,
516	pass_can_change_time,
517	pass_must_change_time,
518	ldap_entry_time,
519	bad_password_time;
520	char *username = NULL,
521	*domain = NULL,
522	*nt_username = NULL,
523	*fullname = NULL,
524	*homedir = NULL,
525	*dir_drive = NULL,
526	*logon_script = NULL,
527	*profile_path = NULL,
528	*acct_desc = NULL,
529	*workstations = NULL,
530	*munged_dial = NULL;
531	uint32 user_rid;
532	uint8 smblmpwd[LM_HASH_LEN],
533	smbntpwd[NT_HASH_LEN];
534	bool use_samba_attrs = True;
535	uint32 acct_ctrl = 0;
536	uint16 logon_divs;
537	uint16 bad_password_count = 0,
538	logon_count = 0;
539	uint32 hours_len;
540	uint8 hours[MAX_HOURS_LEN];
541	char *temp = NULL;
542	LOGIN_CACHE *cache_entry = NULL;
543	uint32 pwHistLen;
544	bool expand_explicit = lp_passdb_expand_explicit();
545	bool ret = false;
546	TALLOC_CTX *ctx = talloc_init("init_sam_from_ldap");
547
548	if (!ctx) {
549	return false;
550	}
551	if (sampass == NULL \|\| ldap_state == NULL \|\| entry == NULL) {
552	DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
553	goto fn_exit;
554	}
555
556	if (priv2ld(ldap_state) == NULL) {
557	DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
558	"ldap_struct is NULL!\n"));
559	goto fn_exit;
560	}
561
562	if (!(username = smbldap_talloc_single_attribute(priv2ld(ldap_state),
563	entry,
564	"uid",
565	ctx))) {
566	DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
567	"this user!\n"));
568	goto fn_exit;
569	}
570
571	DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
572
573	nt_username = talloc_strdup(ctx, username);
574	if (!nt_username) {
575	goto fn_exit;
576	}
577
578	domain = talloc_strdup(ctx, ldap_state->domain_name);
579	if (!domain) {
580	goto fn_exit;
581	}
582
583	pdb_set_username(sampass, username, PDB_SET);
584
585	pdb_set_domain(sampass, domain, PDB_DEFAULT);
586	pdb_set_nt_username(sampass, nt_username, PDB_SET);
587
588	/* deal with different attributes between the schema first */
589
590	if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
591	if ((temp = smbldap_talloc_single_attribute(
592	ldap_state->smbldap_state->ldap_struct,
593	entry,
594	get_userattr_key2string(ldap_state->schema_ver,
595	LDAP_ATTR_USER_SID),
596	ctx))!=NULL) {
597	pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
598	}
599	} else {
600	if ((temp = smbldap_talloc_single_attribute(
601	ldap_state->smbldap_state->ldap_struct,
602	entry,
603	get_userattr_key2string(ldap_state->schema_ver,
604	LDAP_ATTR_USER_RID),
605	ctx))!=NULL) {
606	user_rid = (uint32)atol(temp);
607	pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
608	}
609	}
610
611	if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
612	DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
613	get_userattr_key2string(ldap_state->schema_ver,
614	LDAP_ATTR_USER_SID),
615	get_userattr_key2string(ldap_state->schema_ver,
616	LDAP_ATTR_USER_RID),
617	username));
618	return False;
619	}
620
621	temp = smbldap_talloc_single_attribute(
622	ldap_state->smbldap_state->ldap_struct,
623	entry,
624	get_userattr_key2string(ldap_state->schema_ver,
625	LDAP_ATTR_PWD_LAST_SET),
626	ctx);
627	if (temp) {
628	pass_last_set_time = (time_t) atol(temp);
629	pdb_set_pass_last_set_time(sampass,
630	pass_last_set_time, PDB_SET);
631	}
632
633	temp = smbldap_talloc_single_attribute(
634	ldap_state->smbldap_state->ldap_struct,
635	entry,
636	get_userattr_key2string(ldap_state->schema_ver,
637	LDAP_ATTR_LOGON_TIME),
638	ctx);
639	if (temp) {
640	logon_time = (time_t) atol(temp);
641	pdb_set_logon_time(sampass, logon_time, PDB_SET);
642	}
643
644	temp = smbldap_talloc_single_attribute(
645	ldap_state->smbldap_state->ldap_struct,
646	entry,
647	get_userattr_key2string(ldap_state->schema_ver,
648	LDAP_ATTR_LOGOFF_TIME),
649	ctx);
650	if (temp) {
651	logoff_time = (time_t) atol(temp);
652	pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
653	}
654
655	temp = smbldap_talloc_single_attribute(
656	ldap_state->smbldap_state->ldap_struct,
657	entry,
658	get_userattr_key2string(ldap_state->schema_ver,
659	LDAP_ATTR_KICKOFF_TIME),
660	ctx);
661	if (temp) {
662	kickoff_time = (time_t) atol(temp);
663	pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
664	}
665
666	temp = smbldap_talloc_single_attribute(
667	ldap_state->smbldap_state->ldap_struct,
668	entry,
669	get_userattr_key2string(ldap_state->schema_ver,
670	LDAP_ATTR_PWD_CAN_CHANGE),
671	ctx);
672	if (temp) {
673	pass_can_change_time = (time_t) atol(temp);
674	pdb_set_pass_can_change_time(sampass,
675	pass_can_change_time, PDB_SET);
676	}
677
678	temp = smbldap_talloc_single_attribute(
679	ldap_state->smbldap_state->ldap_struct,
680	entry,
681	get_userattr_key2string(ldap_state->schema_ver,
682	LDAP_ATTR_PWD_MUST_CHANGE),
683	ctx);
684	if (temp) {
685	pass_must_change_time = (time_t) atol(temp);
686	pdb_set_pass_must_change_time(sampass,
687	pass_must_change_time, PDB_SET);
688	}
689
690	/* recommend that 'gecos' and 'displayName' should refer to the same
691	* attribute OID. userFullName depreciated, only used by Samba
692	* primary rules of LDAP: don't make a new attribute when one is already defined
693	* that fits your needs; using cn then displayName rather than 'userFullName'
694	*/
695
696	fullname = smbldap_talloc_single_attribute(
697	ldap_state->smbldap_state->ldap_struct,
698	entry,
699	get_userattr_key2string(ldap_state->schema_ver,
700	LDAP_ATTR_DISPLAY_NAME),
701	ctx);
702	if (fullname) {
703	pdb_set_fullname(sampass, fullname, PDB_SET);
704	} else {
705	fullname = smbldap_talloc_single_attribute(
706	ldap_state->smbldap_state->ldap_struct,
707	entry,
708	get_userattr_key2string(ldap_state->schema_ver,
709	LDAP_ATTR_CN),
710	ctx);
711	if (fullname) {
712	pdb_set_fullname(sampass, fullname, PDB_SET);
713	}
714	}
715
716	dir_drive = smbldap_talloc_single_attribute(
717	ldap_state->smbldap_state->ldap_struct,
718	entry,
719	get_userattr_key2string(ldap_state->schema_ver,
720	LDAP_ATTR_HOME_DRIVE),
721	ctx);
722	if (dir_drive) {
723	pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
724	} else {
725	pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
726	}
727
728	homedir = smbldap_talloc_single_attribute(
729	ldap_state->smbldap_state->ldap_struct,
730	entry,
731	get_userattr_key2string(ldap_state->schema_ver,
732	LDAP_ATTR_HOME_PATH),
733	ctx);
734	if (homedir) {
735	if (expand_explicit) {
736	homedir = talloc_sub_basic(ctx,
737	username,
738	domain,
739	homedir);
740	if (!homedir) {
741	goto fn_exit;
742	}
743	}
744	pdb_set_homedir(sampass, homedir, PDB_SET);
745	} else {
746	pdb_set_homedir(sampass,
747	talloc_sub_basic(ctx, username, domain,
748	lp_logon_home()),
749	PDB_DEFAULT);
750	}
751
752	logon_script = smbldap_talloc_single_attribute(
753	ldap_state->smbldap_state->ldap_struct,
754	entry,
755	get_userattr_key2string(ldap_state->schema_ver,
756	LDAP_ATTR_LOGON_SCRIPT),
757	ctx);
758	if (logon_script) {
759	if (expand_explicit) {
760	logon_script = talloc_sub_basic(ctx,
761	username,
762	domain,
763	logon_script);
764	if (!logon_script) {
765	goto fn_exit;
766	}
767	}
768	pdb_set_logon_script(sampass, logon_script, PDB_SET);
769	} else {
770	pdb_set_logon_script(sampass,
771	talloc_sub_basic(ctx, username, domain,
772	lp_logon_script()),
773	PDB_DEFAULT );
774	}
775
776	profile_path = smbldap_talloc_single_attribute(
777	ldap_state->smbldap_state->ldap_struct,
778	entry,
779	get_userattr_key2string(ldap_state->schema_ver,
780	LDAP_ATTR_PROFILE_PATH),
781	ctx);
782	if (profile_path) {
783	if (expand_explicit) {
784	profile_path = talloc_sub_basic(ctx,
785	username,
786	domain,
787	profile_path);
788	if (!profile_path) {
789	goto fn_exit;
790	}
791	}
792	pdb_set_profile_path(sampass, profile_path, PDB_SET);
793	} else {
794	pdb_set_profile_path(sampass,
795	talloc_sub_basic(ctx, username, domain,
796	lp_logon_path()),
797	PDB_DEFAULT );
798	}
799
800	acct_desc = smbldap_talloc_single_attribute(
801	ldap_state->smbldap_state->ldap_struct,
802	entry,
803	get_userattr_key2string(ldap_state->schema_ver,
804	LDAP_ATTR_DESC),
805	ctx);
806	if (acct_desc) {
807	pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
808	}
809
810	workstations = smbldap_talloc_single_attribute(
811	ldap_state->smbldap_state->ldap_struct,
812	entry,
813	get_userattr_key2string(ldap_state->schema_ver,
814	LDAP_ATTR_USER_WKS),
815	ctx);
816	if (workstations) {
817	pdb_set_workstations(sampass, workstations, PDB_SET);
818	}
819
820	munged_dial = smbldap_talloc_single_attribute(
821	ldap_state->smbldap_state->ldap_struct,
822	entry,
823	get_userattr_key2string(ldap_state->schema_ver,
824	LDAP_ATTR_MUNGED_DIAL),
825	ctx);
826	if (munged_dial) {
827	pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
828	}
829
830	/* FIXME: hours stuff should be cleaner */
831
832	logon_divs = 168;
833	hours_len = 21;
834	memset(hours, 0xff, hours_len);
835
836	if (ldap_state->is_nds_ldap) {
837	char *user_dn;
838	size_t pwd_len;
839	char clear_text_pw[512];
840
841	/* Make call to Novell eDirectory ldap extension to get clear text password.
842	NOTE: This will only work if we have an SSL connection to eDirectory. */
843	user_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
844	if (user_dn != NULL) {
845	DEBUG(3, ("init_sam_from_ldap: smbldap_get_dn(%s) returned '%s'\n", username, user_dn));
846
847	pwd_len = sizeof(clear_text_pw);
848	if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
849	nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
850	if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
851	SAFE_FREE(user_dn);
852	return False;
853	}
854	ZERO_STRUCT(smblmpwd);
855	if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
856	SAFE_FREE(user_dn);
857	return False;
858	}
859	ZERO_STRUCT(smbntpwd);
860	use_samba_attrs = False;
861	}
862
863	SAFE_FREE(user_dn);
864
865	} else {
866	DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
867	}
868	}
869
870	if (use_samba_attrs) {
871	temp = smbldap_talloc_single_attribute(
872	ldap_state->smbldap_state->ldap_struct,
873	entry,
874	get_userattr_key2string(ldap_state->schema_ver,
875	LDAP_ATTR_LMPW),
876	ctx);
877	if (temp) {
878	pdb_gethexpwd(temp, smblmpwd);
879	memset((char *)temp, '\0', strlen(temp)+1);
880	if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
881	goto fn_exit;
882	}
883	ZERO_STRUCT(smblmpwd);
884	}
885
886	temp = smbldap_talloc_single_attribute(
887	ldap_state->smbldap_state->ldap_struct,
888	entry,
889	get_userattr_key2string(ldap_state->schema_ver,
890	LDAP_ATTR_NTPW),
891	ctx);
892	if (temp) {
893	pdb_gethexpwd(temp, smbntpwd);
894	memset((char *)temp, '\0', strlen(temp)+1);
895	if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
896	goto fn_exit;
897	}
898	ZERO_STRUCT(smbntpwd);
899	}
900	}
901
902	pwHistLen = 0;
903
904	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
905	if (pwHistLen > 0){
906	uint8 *pwhist = NULL;
907	int i;
908	char *history_string = TALLOC_ARRAY(ctx, char,
909	MAX_PW_HISTORY_LEN*64);
910
911	if (!history_string) {
912	goto fn_exit;
913	}
914
915	pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
916
917	if ((pwhist = TALLOC_ARRAY(ctx, uint8,
918	pwHistLen * PW_HISTORY_ENTRY_LEN)) ==
919	NULL){
920	DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
921	goto fn_exit;
922	}
923	memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
924
925	if (smbldap_get_single_attribute(
926	ldap_state->smbldap_state->ldap_struct,
927	entry,
928	get_userattr_key2string(ldap_state->schema_ver,
929	LDAP_ATTR_PWD_HISTORY),
930	history_string,
931	MAX_PW_HISTORY_LEN*64)) {
932	bool hex_failed = false;
933	for (i = 0; i < pwHistLen; i++){
934	/* Get the 16 byte salt. */
935	if (!pdb_gethexpwd(&history_string[i*64],
936	&pwhist[i*PW_HISTORY_ENTRY_LEN])) {
937	hex_failed = true;
938	break;
939	}
940	/* Get the 16 byte MD5 hash of salt+passwd. */
941	if (!pdb_gethexpwd(&history_string[(i*64)+32],
942	&pwhist[(i*PW_HISTORY_ENTRY_LEN)+
943	PW_HISTORY_SALT_LEN])) {
944	hex_failed = True;
945	break;
946	}
947	}
948	if (hex_failed) {
949	DEBUG(2,("init_sam_from_ldap: Failed to get password history for user %s\n",
950	username));
951	memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
952	}
953	}
954	if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
955	goto fn_exit;
956	}
957	}
958
959	temp = smbldap_talloc_single_attribute(
960	ldap_state->smbldap_state->ldap_struct,
961	entry,
962	get_userattr_key2string(ldap_state->schema_ver,
963	LDAP_ATTR_ACB_INFO),
964	ctx);
965	if (temp) {
966	acct_ctrl = pdb_decode_acct_ctrl(temp);
967
968	if (acct_ctrl == 0) {
969	acct_ctrl \|= ACB_NORMAL;
970	}
971
972	pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
973	} else {
974	acct_ctrl \|= ACB_NORMAL;
975	}
976
977	pdb_set_hours_len(sampass, hours_len, PDB_SET);
978	pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
979
980	temp = smbldap_talloc_single_attribute(
981	ldap_state->smbldap_state->ldap_struct,
982	entry,
983	get_userattr_key2string(ldap_state->schema_ver,
984	LDAP_ATTR_BAD_PASSWORD_COUNT),
985	ctx);
986	if (temp) {
987	bad_password_count = (uint32) atol(temp);
988	pdb_set_bad_password_count(sampass,
989	bad_password_count, PDB_SET);
990	}
991
992	temp = smbldap_talloc_single_attribute(
993	ldap_state->smbldap_state->ldap_struct,
994	entry,
995	get_userattr_key2string(ldap_state->schema_ver,
996	LDAP_ATTR_BAD_PASSWORD_TIME),
997	ctx);
998	if (temp) {
999	bad_password_time = (time_t) atol(temp);
1000	pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
1001	}
1002
1003
1004	temp = smbldap_talloc_single_attribute(
1005	ldap_state->smbldap_state->ldap_struct,
1006	entry,
1007	get_userattr_key2string(ldap_state->schema_ver,
1008	LDAP_ATTR_LOGON_COUNT),
1009	ctx);
1010	if (temp) {
1011	logon_count = (uint32) atol(temp);
1012	pdb_set_logon_count(sampass, logon_count, PDB_SET);
1013	}
1014
1015	/* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
1016
1017	temp = smbldap_talloc_single_attribute(
1018	ldap_state->smbldap_state->ldap_struct,
1019	entry,
1020	get_userattr_key2string(ldap_state->schema_ver,
1021	LDAP_ATTR_LOGON_HOURS),
1022	ctx);
1023	if (temp) {
1024	pdb_gethexhours(temp, hours);
1025	memset((char *)temp, '\0', strlen(temp) +1);
1026	pdb_set_hours(sampass, hours, PDB_SET);
1027	ZERO_STRUCT(hours);
1028	}
1029
1030	if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
1031	temp = smbldap_talloc_single_attribute(
1032	priv2ld(ldap_state),
1033	entry,
1034	"uidNumber",
1035	ctx);
1036	if (temp) {
1037	/* We've got a uid, feed the cache */
1038	uid_t uid = strtoul(temp, NULL, 10);
1039	store_uid_sid_cache(pdb_get_user_sid(sampass), uid);
1040	}
1041	}
1042
1043	/* check the timestamp of the cache vs ldap entry */
1044	if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
1045	entry))) {
1046	ret = true;
1047	goto fn_exit;
1048	}
1049
1050	/* see if we have newer updates */
1051	if (!(cache_entry = login_cache_read(sampass))) {
1052	DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
1053	(unsigned int)pdb_get_bad_password_count(sampass),
1054	(unsigned int)pdb_get_bad_password_time(sampass)));
1055	ret = true;
1056	goto fn_exit;
1057	}
1058
1059	DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
1060	(unsigned int)ldap_entry_time,
1061	(unsigned int)cache_entry->entry_timestamp,
1062	(unsigned int)cache_entry->bad_password_time));
1063
1064	if (ldap_entry_time > cache_entry->entry_timestamp) {
1065	/* cache is older than directory , so
1066	we need to delete the entry but allow the
1067	fields to be written out */
1068	login_cache_delentry(sampass);
1069	} else {
1070	/* read cache in */
1071	pdb_set_acct_ctrl(sampass,
1072	pdb_get_acct_ctrl(sampass) \|
1073	(cache_entry->acct_ctrl & ACB_AUTOLOCK),
1074	PDB_SET);
1075	pdb_set_bad_password_count(sampass,
1076	cache_entry->bad_password_count,
1077	PDB_SET);
1078	pdb_set_bad_password_time(sampass,
1079	cache_entry->bad_password_time,
1080	PDB_SET);
1081	}
1082
1083	ret = true;
1084
1085	fn_exit:
1086
1087	TALLOC_FREE(ctx);
1088	SAFE_FREE(cache_entry);
1089	return ret;
1090	}
1091
1092	/**********************************************************************
1093	Initialize the ldap db from a struct samu. Called on update.
1094	(Based on init_buffer_from_sam in pdb_tdb.c)
1095	*********************************************************************/
1096
1097	static bool init_ldap_from_sam (struct ldapsam_privates *ldap_state,
1098	LDAPMessage *existing,
1099	LDAPMod *** mods, struct samu * sampass,
1100	bool (need_update)(const struct samu ,
1101	enum pdb_elements))
1102	{
1103	char *temp = NULL;
1104	uint32 rid;
1105
1106	if (mods == NULL \|\| sampass == NULL) {
1107	DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
1108	return False;
1109	}
1110
1111	*mods = NULL;
1112
1113	/*
1114	* took out adding "objectclass: sambaAccount"
1115	* do this on a per-mod basis
1116	*/
1117	if (need_update(sampass, PDB_USERNAME)) {
1118	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1119	"uid", pdb_get_username(sampass));
1120	if (ldap_state->is_nds_ldap) {
1121	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1122	"cn", pdb_get_username(sampass));
1123	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1124	"sn", pdb_get_username(sampass));
1125	}
1126	}
1127
1128	DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
1129
1130	/* only update the RID if we actually need to */
1131	if (need_update(sampass, PDB_USERSID)) {
1132	fstring sid_string;
1133	const DOM_SID *user_sid = pdb_get_user_sid(sampass);
1134
1135	switch ( ldap_state->schema_ver ) {
1136	case SCHEMAVER_SAMBAACCOUNT:
1137	if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
1138	DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1139	sid_string_dbg(user_sid),
1140	sid_string_dbg(
1141	&ldap_state->domain_sid)));
1142	return False;
1143	}
1144	if (asprintf(&temp, "%i", rid) < 0) {
1145	return false;
1146	}
1147	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1148	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
1149	temp);
1150	SAFE_FREE(temp);
1151	break;
1152
1153	case SCHEMAVER_SAMBASAMACCOUNT:
1154	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1155	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
1156	sid_to_fstring(sid_string, user_sid));
1157	break;
1158
1159	default:
1160	DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1161	break;
1162	}
1163	}
1164
1165	/* we don't need to store the primary group RID - so leaving it
1166	'free' to hang off the unix primary group makes life easier */
1167
1168	if (need_update(sampass, PDB_GROUPSID)) {
1169	fstring sid_string;
1170	const DOM_SID *group_sid = pdb_get_group_sid(sampass);
1171
1172	switch ( ldap_state->schema_ver ) {
1173	case SCHEMAVER_SAMBAACCOUNT:
1174	if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
1175	DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
1176	sid_string_dbg(group_sid),
1177	sid_string_dbg(
1178	&ldap_state->domain_sid)));
1179	return False;
1180	}
1181
1182	if (asprintf(&temp, "%i", rid) < 0) {
1183	return false;
1184	}
1185	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1186	get_userattr_key2string(ldap_state->schema_ver,
1187	LDAP_ATTR_PRIMARY_GROUP_RID), temp);
1188	SAFE_FREE(temp);
1189	break;
1190
1191	case SCHEMAVER_SAMBASAMACCOUNT:
1192	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1193	get_userattr_key2string(ldap_state->schema_ver,
1194	LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_fstring(sid_string, group_sid));
1195	break;
1196
1197	default:
1198	DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
1199	break;
1200	}
1201
1202	}
1203
1204	/* displayName, cn, and gecos should all be the same
1205	* most easily accomplished by giving them the same OID
1206	* gecos isn't set here b/c it should be handled by the
1207	* add-user script
1208	* We change displayName only and fall back to cn if
1209	* it does not exist.
1210	*/
1211
1212	if (need_update(sampass, PDB_FULLNAME))
1213	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1214	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
1215	pdb_get_fullname(sampass));
1216
1217	if (need_update(sampass, PDB_ACCTDESC))
1218	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1219	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
1220	pdb_get_acct_desc(sampass));
1221
1222	if (need_update(sampass, PDB_WORKSTATIONS))
1223	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1224	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
1225	pdb_get_workstations(sampass));
1226
1227	if (need_update(sampass, PDB_MUNGEDDIAL))
1228	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1229	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
1230	pdb_get_munged_dial(sampass));
1231
1232	if (need_update(sampass, PDB_SMBHOME))
1233	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1234	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
1235	pdb_get_homedir(sampass));
1236
1237	if (need_update(sampass, PDB_DRIVE))
1238	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1239	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
1240	pdb_get_dir_drive(sampass));
1241
1242	if (need_update(sampass, PDB_LOGONSCRIPT))
1243	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1244	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
1245	pdb_get_logon_script(sampass));
1246
1247	if (need_update(sampass, PDB_PROFILE))
1248	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1249	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
1250	pdb_get_profile_path(sampass));
1251
1252	if (asprintf(&temp, "%li", pdb_get_logon_time(sampass)) < 0) {
1253	return false;
1254	}
1255	if (need_update(sampass, PDB_LOGONTIME))
1256	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1257	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
1258	SAFE_FREE(temp);
1259
1260	if (asprintf(&temp, "%li", pdb_get_logoff_time(sampass)) < 0) {
1261	return false;
1262	}
1263	if (need_update(sampass, PDB_LOGOFFTIME))
1264	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1265	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
1266	SAFE_FREE(temp);
1267
1268	if (asprintf(&temp, "%li", pdb_get_kickoff_time(sampass)) < 0) {
1269	return false;
1270	}
1271	if (need_update(sampass, PDB_KICKOFFTIME))
1272	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1273	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
1274	SAFE_FREE(temp);
1275
1276	if (asprintf(&temp, "%li", pdb_get_pass_can_change_time_noncalc(sampass)) < 0) {
1277	return false;
1278	}
1279	if (need_update(sampass, PDB_CANCHANGETIME))
1280	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1281	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
1282	SAFE_FREE(temp);
1283
1284	if (asprintf(&temp, "%li", pdb_get_pass_must_change_time(sampass)) < 0) {
1285	return false;
1286	}
1287	if (need_update(sampass, PDB_MUSTCHANGETIME))
1288	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1289	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
1290	SAFE_FREE(temp);
1291
1292	if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST\|ACB_SVRTRUST\|ACB_DOMTRUST))
1293	\|\| (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
1294
1295	if (need_update(sampass, PDB_LMPASSWD)) {
1296	const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
1297	if (lm_pw) {
1298	char pwstr[34];
1299	pdb_sethexpwd(pwstr, lm_pw,
1300	pdb_get_acct_ctrl(sampass));
1301	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1302	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1303	pwstr);
1304	} else {
1305	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1306	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
1307	NULL);
1308	}
1309	}
1310	if (need_update(sampass, PDB_NTPASSWD)) {
1311	const uchar *nt_pw = pdb_get_nt_passwd(sampass);
1312	if (nt_pw) {
1313	char pwstr[34];
1314	pdb_sethexpwd(pwstr, nt_pw,
1315	pdb_get_acct_ctrl(sampass));
1316	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1317	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1318	pwstr);
1319	} else {
1320	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1321	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
1322	NULL);
1323	}
1324	}
1325
1326	if (need_update(sampass, PDB_PWHISTORY)) {
1327	char *pwstr = NULL;
1328	uint32 pwHistLen = 0;
1329	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
1330
1331	pwstr = SMB_MALLOC_ARRAY(char, 1024);
1332	if (!pwstr) {
1333	return false;
1334	}
1335	if (pwHistLen == 0) {
1336	/* Remove any password history from the LDAP store. */
1337	memset(pwstr, '0', 64); /* NOTE !!!! '0' NOT '\0' /
1338	pwstr[64] = '\0';
1339	} else {
1340	int i;
1341	uint32 currHistLen = 0;
1342	const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
1343	if (pwhist != NULL) {
1344	/* We can only store (1024-1/64 password history entries. */
1345	pwHistLen = MIN(pwHistLen, ((1024-1)/64));
1346	for (i=0; i< pwHistLen && i < currHistLen; i++) {
1347	/* Store the salt. */
1348	pdb_sethexpwd(&pwstr[i64], &pwhist[iPW_HISTORY_ENTRY_LEN], 0);
1349	/* Followed by the md5 hash of salt + md4 hash */
1350	pdb_sethexpwd(&pwstr[(i*64)+32],
1351	&pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
1352	DEBUG(100, ("pwstr=%s\n", pwstr));
1353	}
1354	}
1355	}
1356	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1357	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
1358	pwstr);
1359	SAFE_FREE(pwstr);
1360	}
1361
1362	if (need_update(sampass, PDB_PASSLASTSET)) {
1363	if (asprintf(&temp, "%li",
1364	pdb_get_pass_last_set_time(sampass)) < 0) {
1365	return false;
1366	}
1367	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1368	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
1369	temp);
1370	SAFE_FREE(temp);
1371	}
1372	}
1373
1374	if (need_update(sampass, PDB_HOURS)) {
1375	const uint8 *hours = pdb_get_hours(sampass);
1376	if (hours) {
1377	char hourstr[44];
1378	pdb_sethexhours(hourstr, hours);
1379	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
1380	existing,
1381	mods,
1382	get_userattr_key2string(ldap_state->schema_ver,
1383	LDAP_ATTR_LOGON_HOURS),
1384	hourstr);
1385	}
1386	}
1387
1388	if (need_update(sampass, PDB_ACCTCTRL))
1389	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
1390	get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
1391	pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
1392
1393	/* password lockout cache:
1394	- If we are now autolocking or clearing, we write to ldap
1395	- If we are clearing, we delete the cache entry
1396	- If the count is > 0, we update the cache
1397
1398	This even means when autolocking, we cache, just in case the
1399	update doesn't work, and we have to cache the autolock flag */
1400
1401	if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
1402	need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
1403	uint16 badcount = pdb_get_bad_password_count(sampass);
1404	time_t badtime = pdb_get_bad_password_time(sampass);
1405	uint32 pol;
1406	pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
1407
1408	DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
1409	(unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
1410
1411	if ((badcount >= pol) \|\| (badcount == 0)) {
1412	DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
1413	(unsigned int)badcount, (unsigned int)badtime));
1414	if (asprintf(&temp, "%li", (long)badcount) < 0) {
1415	return false;
1416	}
1417	smbldap_make_mod(
1418	ldap_state->smbldap_state->ldap_struct,
1419	existing, mods,
1420	get_userattr_key2string(
1421	ldap_state->schema_ver,
1422	LDAP_ATTR_BAD_PASSWORD_COUNT),
1423	temp);
1424	SAFE_FREE(temp);
1425
1426	if (asprintf(&temp, "%li", badtime) < 0) {
1427	return false;
1428	}
1429	smbldap_make_mod(
1430	ldap_state->smbldap_state->ldap_struct,
1431	existing, mods,
1432	get_userattr_key2string(
1433	ldap_state->schema_ver,
1434	LDAP_ATTR_BAD_PASSWORD_TIME),
1435	temp);
1436	SAFE_FREE(temp);
1437	}
1438	if (badcount == 0) {
1439	DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
1440	login_cache_delentry(sampass);
1441	} else {
1442	LOGIN_CACHE cache_entry;
1443
1444	cache_entry.entry_timestamp = time(NULL);
1445	cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
1446	cache_entry.bad_password_count = badcount;
1447	cache_entry.bad_password_time = badtime;
1448
1449	DEBUG(7, ("Updating bad password count and time in login cache\n"));
1450	login_cache_write(sampass, cache_entry);
1451	}
1452	}
1453
1454	return True;
1455	}
1456
1457	/**********************************************************************
1458	End enumeration of the LDAP password list.
1459	*********************************************************************/
1460
1461	static void ldapsam_endsampwent(struct pdb_methods *my_methods)
1462	{
1463	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
1464	if (ldap_state->result) {
1465	ldap_msgfree(ldap_state->result);
1466	ldap_state->result = NULL;
1467	}
1468	}
1469
1470	static void append_attr(TALLOC_CTX mem_ctx, const char **attr_list,
1471	const char *new_attr)
1472	{
1473	int i;
1474
1475	if (new_attr == NULL) {
1476	return;
1477	}
1478
1479	for (i=0; (*attr_list)[i] != NULL; i++) {
1480	;
1481	}
1482
1483	(attr_list) = TALLOC_REALLOC_ARRAY(mem_ctx, (attr_list),
1484	const char *, i+2);
1485	SMB_ASSERT((*attr_list) != NULL);
1486	(attr_list)[i] = talloc_strdup((attr_list), new_attr);
1487	(*attr_list)[i+1] = NULL;
1488	}
1489
1490	/**********************************************************************
1491	Get struct samu entry from LDAP by username.
1492	*********************************************************************/
1493
1494	static NTSTATUS ldapsam_getsampwnam(struct pdb_methods my_methods, struct samu user, const char *sname)
1495	{
1496	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1497	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
1498	LDAPMessage *result = NULL;
1499	LDAPMessage *entry = NULL;
1500	int count;
1501	const char ** attr_list;
1502	int rc;
1503
1504	attr_list = get_userattr_list( user, ldap_state->schema_ver );
1505	append_attr(user, &attr_list,
1506	get_userattr_key2string(ldap_state->schema_ver,
1507	LDAP_ATTR_MOD_TIMESTAMP));
1508	append_attr(user, &attr_list, "uidNumber");
1509	rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
1510	attr_list);
1511	TALLOC_FREE( attr_list );
1512
1513	if ( rc != LDAP_SUCCESS )
1514	return NT_STATUS_NO_SUCH_USER;
1515
1516	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1517
1518	if (count < 1) {
1519	DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
1520	ldap_msgfree(result);
1521	return NT_STATUS_NO_SUCH_USER;
1522	} else if (count > 1) {
1523	DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
1524	ldap_msgfree(result);
1525	return NT_STATUS_NO_SUCH_USER;
1526	}
1527
1528	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1529	if (entry) {
1530	if (!init_sam_from_ldap(ldap_state, user, entry)) {
1531	DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
1532	ldap_msgfree(result);
1533	return NT_STATUS_NO_SUCH_USER;
1534	}
1535	pdb_set_backend_private_data(user, result, NULL,
1536	my_methods, PDB_CHANGED);
1537	talloc_autofree_ldapmsg(user, result);
1538	ret = NT_STATUS_OK;
1539	} else {
1540	ldap_msgfree(result);
1541	}
1542	return ret;
1543	}
1544
1545	static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
1546	const DOM_SID sid, LDAPMessage *result)
1547	{
1548	int rc = -1;
1549	const char ** attr_list;
1550	uint32 rid;
1551
1552	switch ( ldap_state->schema_ver ) {
1553	case SCHEMAVER_SAMBASAMACCOUNT: {
1554	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
1555	if (tmp_ctx == NULL) {
1556	return LDAP_NO_MEMORY;
1557	}
1558
1559	attr_list = get_userattr_list(tmp_ctx,
1560	ldap_state->schema_ver);
1561	append_attr(tmp_ctx, &attr_list,
1562	get_userattr_key2string(
1563	ldap_state->schema_ver,
1564	LDAP_ATTR_MOD_TIMESTAMP));
1565	append_attr(tmp_ctx, &attr_list, "uidNumber");
1566	rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
1567	result, attr_list);
1568	TALLOC_FREE(tmp_ctx);
1569
1570	if ( rc != LDAP_SUCCESS )
1571	return rc;
1572	break;
1573	}
1574
1575	case SCHEMAVER_SAMBAACCOUNT:
1576	if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
1577	return rc;
1578	}
1579
1580	attr_list = get_userattr_list(NULL,
1581	ldap_state->schema_ver);
1582	rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
1583	TALLOC_FREE( attr_list );
1584
1585	if ( rc != LDAP_SUCCESS )
1586	return rc;
1587	break;
1588	}
1589	return rc;
1590	}
1591
1592	/**********************************************************************
1593	Get struct samu entry from LDAP by SID.
1594	*********************************************************************/
1595
1596	static NTSTATUS ldapsam_getsampwsid(struct pdb_methods my_methods, struct samu user, const DOM_SID *sid)
1597	{
1598	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
1599	LDAPMessage *result = NULL;
1600	LDAPMessage *entry = NULL;
1601	int count;
1602	int rc;
1603
1604	rc = ldapsam_get_ldap_user_by_sid(ldap_state,
1605	sid, &result);
1606	if (rc != LDAP_SUCCESS)
1607	return NT_STATUS_NO_SUCH_USER;
1608
1609	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
1610
1611	if (count < 1) {
1612	DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] "
1613	"count=%d\n", sid_string_dbg(sid), count));
1614	ldap_msgfree(result);
1615	return NT_STATUS_NO_SUCH_USER;
1616	} else if (count > 1) {
1617	DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID "
1618	"[%s]. Failing. count=%d\n", sid_string_dbg(sid),
1619	count));
1620	ldap_msgfree(result);
1621	return NT_STATUS_NO_SUCH_USER;
1622	}
1623
1624	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1625	if (!entry) {
1626	ldap_msgfree(result);
1627	return NT_STATUS_NO_SUCH_USER;
1628	}
1629
1630	if (!init_sam_from_ldap(ldap_state, user, entry)) {
1631	DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
1632	ldap_msgfree(result);
1633	return NT_STATUS_NO_SUCH_USER;
1634	}
1635
1636	pdb_set_backend_private_data(user, result, NULL,
1637	my_methods, PDB_CHANGED);
1638	talloc_autofree_ldapmsg(user, result);
1639	return NT_STATUS_OK;
1640	}
1641
1642	/********************************************************************
1643	Do the actual modification - also change a plaintext passord if
1644	it it set.
1645	**********************************************************************/
1646
1647	static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
1648	struct samu newpwd, char dn,
1649	LDAPMod **mods, int ldap_op,
1650	bool (need_update)(const struct samu , enum pdb_elements))
1651	{
1652	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
1653	int rc;
1654
1655	if (!newpwd \|\| !dn) {
1656	return NT_STATUS_INVALID_PARAMETER;
1657	}
1658
1659	if (!mods) {
1660	DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
1661	/* may be password change below however */
1662	} else {
1663	switch(ldap_op) {
1664	case LDAP_MOD_ADD:
1665	if (ldap_state->is_nds_ldap) {
1666	smbldap_set_mod(&mods, LDAP_MOD_ADD,
1667	"objectclass",
1668	"inetOrgPerson");
1669	} else {
1670	smbldap_set_mod(&mods, LDAP_MOD_ADD,
1671	"objectclass",
1672	LDAP_OBJ_ACCOUNT);
1673	}
1674	rc = smbldap_add(ldap_state->smbldap_state,
1675	dn, mods);
1676	break;
1677	case LDAP_MOD_REPLACE:
1678	rc = smbldap_modify(ldap_state->smbldap_state,
1679	dn ,mods);
1680	break;
1681	default:
1682	DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
1683	ldap_op));
1684	return NT_STATUS_INVALID_PARAMETER;
1685	}
1686
1687	if (rc!=LDAP_SUCCESS) {
1688	return NT_STATUS_UNSUCCESSFUL;
1689	}
1690	}
1691
1692	if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST\|ACB_SVRTRUST\|ACB_DOMTRUST)) &&
1693	(lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
1694	need_update(newpwd, PDB_PLAINTEXT_PW) &&
1695	(pdb_get_plaintext_passwd(newpwd)!=NULL)) {
1696	BerElement *ber;
1697	struct berval *bv;
1698	char *retoid = NULL;
1699	struct berval *retdata = NULL;
1700	char *utf8_password;
1701	char *utf8_dn;
1702
1703	if (!ldap_state->is_nds_ldap) {
1704
1705	if (!smbldap_has_extension(ldap_state->smbldap_state->ldap_struct,
1706	LDAP_EXOP_MODIFY_PASSWD)) {
1707	DEBUG(2, ("ldap password change requested, but LDAP "
1708	"server does not support it -- ignoring\n"));
1709	return NT_STATUS_OK;
1710	}
1711	}
1712
1713	if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
1714	return NT_STATUS_NO_MEMORY;
1715	}
1716
1717	if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
1718	SAFE_FREE(utf8_password);
1719	return NT_STATUS_NO_MEMORY;
1720	}
1721
1722	if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
1723	DEBUG(0,("ber_alloc_t returns NULL\n"));
1724	SAFE_FREE(utf8_password);
1725	SAFE_FREE(utf8_dn);
1726	return NT_STATUS_UNSUCCESSFUL;
1727	}
1728
1729	if ((ber_printf (ber, "{") < 0) \|\|
1730	(ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn) < 0) \|\|
1731	(ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password) < 0) \|\|
1732	(ber_printf (ber, "n}") < 0)) {
1733	DEBUG(0,("ldapsam_modify_entry: ber_printf returns a value <0\n"));
1734	ber_free(ber,1);
1735	SAFE_FREE(utf8_dn);
1736	SAFE_FREE(utf8_password);
1737	return NT_STATUS_UNSUCCESSFUL;
1738	}
1739
1740	if ((rc = ber_flatten (ber, &bv))<0) {
1741	DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
1742	ber_free(ber,1);
1743	SAFE_FREE(utf8_dn);
1744	SAFE_FREE(utf8_password);
1745	return NT_STATUS_UNSUCCESSFUL;
1746	}
1747
1748	SAFE_FREE(utf8_dn);
1749	SAFE_FREE(utf8_password);
1750	ber_free(ber, 1);
1751
1752	if (!ldap_state->is_nds_ldap) {
1753	rc = smbldap_extended_operation(ldap_state->smbldap_state,
1754	LDAP_EXOP_MODIFY_PASSWD,
1755	bv, NULL, NULL, &retoid,
1756	&retdata);
1757	} else {
1758	rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
1759	pdb_get_plaintext_passwd(newpwd));
1760	}
1761	if (rc != LDAP_SUCCESS) {
1762	char *ld_error = NULL;
1763
1764	if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
1765	DEBUG(3, ("Could not set userPassword "
1766	"attribute due to an objectClass "
1767	"violation -- ignoring\n"));
1768	ber_bvfree(bv);
1769	return NT_STATUS_OK;
1770	}
1771
1772	ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1773	&ld_error);
1774	DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
1775	pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
1776	SAFE_FREE(ld_error);
1777	ber_bvfree(bv);
1778	#if defined(LDAP_CONSTRAINT_VIOLATION)
1779	if (rc == LDAP_CONSTRAINT_VIOLATION)
1780	return NT_STATUS_PASSWORD_RESTRICTION;
1781	#endif
1782	return NT_STATUS_UNSUCCESSFUL;
1783	} else {
1784	DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
1785	#ifdef DEBUG_PASSWORD
1786	DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
1787	#endif
1788	if (retdata)
1789	ber_bvfree(retdata);
1790	if (retoid)
1791	ldap_memfree(retoid);
1792	}
1793	ber_bvfree(bv);
1794	}
1795	return NT_STATUS_OK;
1796	}
1797
1798	/**********************************************************************
1799	Delete entry from LDAP for username.
1800	*********************************************************************/
1801
1802	static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
1803	struct samu * sam_acct)
1804	{
1805	struct ldapsam_privates *priv =
1806	(struct ldapsam_privates *)my_methods->private_data;
1807	const char *sname;
1808	int rc;
1809	LDAPMessage msg, entry;
1810	NTSTATUS result = NT_STATUS_NO_MEMORY;
1811	const char **attr_list;
1812	TALLOC_CTX *mem_ctx;
1813
1814	if (!sam_acct) {
1815	DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
1816	return NT_STATUS_INVALID_PARAMETER;
1817	}
1818
1819	sname = pdb_get_username(sam_acct);
1820
1821	DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
1822	"LDAP.\n", sname));
1823
1824	mem_ctx = talloc_new(NULL);
1825	if (mem_ctx == NULL) {
1826	DEBUG(0, ("talloc_new failed\n"));
1827	goto done;
1828	}
1829
1830	attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
1831	if (attr_list == NULL) {
1832	goto done;
1833	}
1834
1835	rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
1836
1837	if ((rc != LDAP_SUCCESS) \|\|
1838	(ldap_count_entries(priv2ld(priv), msg) != 1) \|\|
1839	((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
1840	DEBUG(5, ("Could not find user %s\n", sname));
1841	result = NT_STATUS_NO_SUCH_USER;
1842	goto done;
1843	}
1844
1845	rc = ldapsam_delete_entry(
1846	priv, mem_ctx, entry,
1847	priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
1848	LDAP_OBJ_SAMBASAMACCOUNT : LDAP_OBJ_SAMBAACCOUNT,
1849	attr_list);
1850
1851	result = (rc == LDAP_SUCCESS) ?
1852	NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1853
1854	done:
1855	TALLOC_FREE(mem_ctx);
1856	return result;
1857	}
1858
1859	/**********************************************************************
1860	Helper function to determine for update_sam_account whether
1861	we need LDAP modification.
1862	*********************************************************************/
1863
1864	static bool element_is_changed(const struct samu *sampass,
1865	enum pdb_elements element)
1866	{
1867	return IS_SAM_CHANGED(sampass, element);
1868	}
1869
1870	/**********************************************************************
1871	Update struct samu.
1872	*********************************************************************/
1873
1874	static NTSTATUS ldapsam_update_sam_account(struct pdb_methods my_methods, struct samu newpwd)
1875	{
1876	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
1877	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
1878	int rc = 0;
1879	char *dn;
1880	LDAPMessage *result = NULL;
1881	LDAPMessage *entry = NULL;
1882	LDAPMod **mods = NULL;
1883	const char **attr_list;
1884
1885	result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
1886	if (!result) {
1887	attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
1888	if (pdb_get_username(newpwd) == NULL) {
1889	return NT_STATUS_INVALID_PARAMETER;
1890	}
1891	rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
1892	TALLOC_FREE( attr_list );
1893	if (rc != LDAP_SUCCESS) {
1894	return NT_STATUS_UNSUCCESSFUL;
1895	}
1896	pdb_set_backend_private_data(newpwd, result, NULL,
1897	my_methods, PDB_CHANGED);
1898	talloc_autofree_ldapmsg(newpwd, result);
1899	}
1900
1901	if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
1902	DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
1903	return NT_STATUS_UNSUCCESSFUL;
1904	}
1905
1906	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
1907	dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
1908	if (!dn) {
1909	return NT_STATUS_UNSUCCESSFUL;
1910	}
1911
1912	DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
1913
1914	if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
1915	element_is_changed)) {
1916	DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
1917	SAFE_FREE(dn);
1918	if (mods != NULL)
1919	ldap_mods_free(mods,True);
1920	return NT_STATUS_UNSUCCESSFUL;
1921	}
1922
1923	if ((lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_ONLY)
1924	&& (mods == NULL)) {
1925	DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
1926	pdb_get_username(newpwd)));
1927	SAFE_FREE(dn);
1928	return NT_STATUS_OK;
1929	}
1930
1931	ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
1932
1933	if (mods != NULL) {
1934	ldap_mods_free(mods,True);
1935	}
1936
1937	SAFE_FREE(dn);
1938
1939	/*
1940	* We need to set the backend private data to NULL here. For example
1941	* setuserinfo level 25 does a pdb_update_sam_account twice on the
1942	* same one, and with the explicit delete / add logic for attribute
1943	* values the second time we would use the wrong "old" value which
1944	* does not exist in LDAP anymore. Thus the LDAP server would refuse
1945	* the update.
1946	* The existing LDAPMessage is still being auto-freed by the
1947	* destructor.
1948	*/
1949	pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
1950	PDB_CHANGED);
1951
1952	if (!NT_STATUS_IS_OK(ret)) {
1953	return ret;
1954	}
1955
1956	DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
1957	pdb_get_username(newpwd)));
1958	return NT_STATUS_OK;
1959	}
1960
1961	/***************************************************************************
1962	Renames a struct samu
1963	- The "rename user script" has full responsibility for changing everything
1964	***************************************************************************/
1965
1966	static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
1967	struct samu *old_acct,
1968	const char *newname)
1969	{
1970	const char *oldname;
1971	int rc;
1972	char *rename_script = NULL;
1973	fstring oldname_lower, newname_lower;
1974
1975	if (!old_acct) {
1976	DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
1977	return NT_STATUS_INVALID_PARAMETER;
1978	}
1979	if (!newname) {
1980	DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
1981	return NT_STATUS_INVALID_PARAMETER;
1982	}
1983
1984	oldname = pdb_get_username(old_acct);
1985
1986	/* rename the posix user */
1987	rename_script = SMB_STRDUP(lp_renameuser_script());
1988	if (rename_script == NULL) {
1989	return NT_STATUS_NO_MEMORY;
1990	}
1991
1992	if (!(*rename_script)) {
1993	SAFE_FREE(rename_script);
1994	return NT_STATUS_ACCESS_DENIED;
1995	}
1996
1997	DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
1998	oldname, newname));
1999
2000	/* We have to allow the account name to end with a '$'.
2001	Also, follow the semantics in _samr_create_user() and lower case the
2002	posix name but preserve the case in passdb */
2003
2004	fstrcpy( oldname_lower, oldname );
2005	strlower_m( oldname_lower );
2006	fstrcpy( newname_lower, newname );
2007	strlower_m( newname_lower );
2008	rename_script = realloc_string_sub2(rename_script,
2009	"%unew",
2010	newname_lower,
2011	true,
2012	true);
2013	if (!rename_script) {
2014	return NT_STATUS_NO_MEMORY;
2015	}
2016	rename_script = realloc_string_sub2(rename_script,
2017	"%uold",
2018	oldname_lower,
2019	true,
2020	true);
2021	rc = smbrun(rename_script, NULL);
2022
2023	DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
2024	rename_script, rc));
2025
2026	SAFE_FREE(rename_script);
2027
2028	if (rc == 0) {
2029	smb_nscd_flush_user_cache();
2030	}
2031
2032	if (rc)
2033	return NT_STATUS_UNSUCCESSFUL;
2034
2035	return NT_STATUS_OK;
2036	}
2037
2038	/**********************************************************************
2039	Helper function to determine for update_sam_account whether
2040	we need LDAP modification.
2041	*********************************************************************/
2042
2043	static bool element_is_set_or_changed(const struct samu *sampass,
2044	enum pdb_elements element)
2045	{
2046	return (IS_SAM_SET(sampass, element) \|\|
2047	IS_SAM_CHANGED(sampass, element));
2048	}
2049
2050	/**********************************************************************
2051	Add struct samu to LDAP.
2052	*********************************************************************/
2053
2054	static NTSTATUS ldapsam_add_sam_account(struct pdb_methods my_methods, struct samu newpwd)
2055	{
2056	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2057	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
2058	int rc;
2059	LDAPMessage *result = NULL;
2060	LDAPMessage *entry = NULL;
2061	LDAPMod **mods = NULL;
2062	int ldap_op = LDAP_MOD_REPLACE;
2063	uint32 num_result;
2064	const char **attr_list;
2065	char *escape_user = NULL;
2066	const char *username = pdb_get_username(newpwd);
2067	const DOM_SID *sid = pdb_get_user_sid(newpwd);
2068	char *filter = NULL;
2069	char *dn = NULL;
2070	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2071	TALLOC_CTX *ctx = talloc_init("ldapsam_add_sam_account");
2072
2073	if (!ctx) {
2074	return NT_STATUS_NO_MEMORY;
2075	}
2076
2077	if (!username \|\| !*username) {
2078	DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
2079	status = NT_STATUS_INVALID_PARAMETER;
2080	goto fn_exit;
2081	}
2082
2083	/* free this list after the second search or in case we exit on failure */
2084	attr_list = get_userattr_list(ctx, ldap_state->schema_ver);
2085
2086	rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
2087
2088	if (rc != LDAP_SUCCESS) {
2089	goto fn_exit;
2090	}
2091
2092	if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2093	DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
2094	username));
2095	goto fn_exit;
2096	}
2097	ldap_msgfree(result);
2098	result = NULL;
2099
2100	if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
2101	rc = ldapsam_get_ldap_user_by_sid(ldap_state,
2102	sid, &result);
2103	if (rc == LDAP_SUCCESS) {
2104	if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
2105	DEBUG(0,("ldapsam_add_sam_account: SID '%s' "
2106	"already in the base, with samba "
2107	"attributes\n", sid_string_dbg(sid)));
2108	goto fn_exit;
2109	}
2110	ldap_msgfree(result);
2111	result = NULL;
2112	}
2113	}
2114
2115	/* does the entry already exist but without a samba attributes?
2116	we need to return the samba attributes here */
2117
2118	escape_user = escape_ldap_string_alloc( username );
2119	filter = talloc_strdup(attr_list, "(uid=%u)");
2120	if (!filter) {
2121	status = NT_STATUS_NO_MEMORY;
2122	goto fn_exit;
2123	}
2124	filter = talloc_all_string_sub(attr_list, filter, "%u", escape_user);
2125	if (!filter) {
2126	status = NT_STATUS_NO_MEMORY;
2127	goto fn_exit;
2128	}
2129	SAFE_FREE(escape_user);
2130
2131	rc = smbldap_search_suffix(ldap_state->smbldap_state,
2132	filter, attr_list, &result);
2133	if ( rc != LDAP_SUCCESS ) {
2134	goto fn_exit;
2135	}
2136
2137	num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2138
2139	if (num_result > 1) {
2140	DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
2141	goto fn_exit;
2142	}
2143
2144	/* Check if we need to update an existing entry */
2145	if (num_result == 1) {
2146	char *tmp;
2147
2148	DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2149	ldap_op = LDAP_MOD_REPLACE;
2150	entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2151	tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
2152	if (!tmp) {
2153	goto fn_exit;
2154	}
2155	dn = talloc_asprintf(ctx, "%s", tmp);
2156	SAFE_FREE(tmp);
2157	if (!dn) {
2158	status = NT_STATUS_NO_MEMORY;
2159	goto fn_exit;
2160	}
2161
2162	} else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
2163
2164	/* There might be a SID for this account already - say an idmap entry */
2165
2166	filter = talloc_asprintf(ctx,
2167	"(&(%s=%s)(\|(objectClass=%s)(objectClass=%s)))",
2168	get_userattr_key2string(ldap_state->schema_ver,
2169	LDAP_ATTR_USER_SID),
2170	sid_string_talloc(ctx, sid),
2171	LDAP_OBJ_IDMAP_ENTRY,
2172	LDAP_OBJ_SID_ENTRY);
2173	if (!filter) {
2174	status = NT_STATUS_NO_MEMORY;
2175	goto fn_exit;
2176	}
2177
2178	/* free old result before doing a new search */
2179	if (result != NULL) {
2180	ldap_msgfree(result);
2181	result = NULL;
2182	}
2183	rc = smbldap_search_suffix(ldap_state->smbldap_state,
2184	filter, attr_list, &result);
2185
2186	if ( rc != LDAP_SUCCESS ) {
2187	goto fn_exit;
2188	}
2189
2190	num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
2191
2192	if (num_result > 1) {
2193	DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
2194	goto fn_exit;
2195	}
2196
2197	/* Check if we need to update an existing entry */
2198	if (num_result == 1) {
2199	char *tmp;
2200
2201	DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
2202	ldap_op = LDAP_MOD_REPLACE;
2203	entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
2204	tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
2205	if (!tmp) {
2206	goto fn_exit;
2207	}
2208	dn = talloc_asprintf(ctx, "%s", tmp);
2209	SAFE_FREE(tmp);
2210	if (!dn) {
2211	status = NT_STATUS_NO_MEMORY;
2212	goto fn_exit;
2213	}
2214	}
2215	}
2216
2217	if (num_result == 0) {
2218	char *escape_username;
2219	/* Check if we need to add an entry */
2220	DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
2221	ldap_op = LDAP_MOD_ADD;
2222
2223	escape_username = escape_rdn_val_string_alloc(username);
2224	if (!escape_username) {
2225	status = NT_STATUS_NO_MEMORY;
2226	goto fn_exit;
2227	}
2228
2229	if (username[strlen(username)-1] == '$') {
2230	dn = talloc_asprintf(ctx,
2231	"uid=%s,%s",
2232	escape_username,
2233	lp_ldap_machine_suffix());
2234	} else {
2235	dn = talloc_asprintf(ctx,
2236	"uid=%s,%s",
2237	escape_username,
2238	lp_ldap_user_suffix());
2239	}
2240
2241	SAFE_FREE(escape_username);
2242	if (!dn) {
2243	status = NT_STATUS_NO_MEMORY;
2244	goto fn_exit;
2245	}
2246	}
2247
2248	if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
2249	element_is_set_or_changed)) {
2250	DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
2251	if (mods != NULL) {
2252	ldap_mods_free(mods, true);
2253	}
2254	goto fn_exit;
2255	}
2256
2257	if (mods == NULL) {
2258	DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
2259	goto fn_exit;
2260	}
2261	switch ( ldap_state->schema_ver ) {
2262	case SCHEMAVER_SAMBAACCOUNT:
2263	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
2264	break;
2265	case SCHEMAVER_SAMBASAMACCOUNT:
2266	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
2267	break;
2268	default:
2269	DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
2270	break;
2271	}
2272
2273	ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
2274	if (!NT_STATUS_IS_OK(ret)) {
2275	DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
2276	pdb_get_username(newpwd),dn));
2277	ldap_mods_free(mods, true);
2278	goto fn_exit;
2279	}
2280
2281	DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
2282	ldap_mods_free(mods, true);
2283
2284	status = NT_STATUS_OK;
2285
2286	fn_exit:
2287
2288	TALLOC_FREE(ctx);
2289	SAFE_FREE(escape_user);
2290	if (result) {
2291	ldap_msgfree(result);
2292	}
2293	return status;
2294	}
2295
2296	/**********************************************************************
2297	*********************************************************************/
2298
2299	static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
2300	const char *filter,
2301	LDAPMessage ** result)
2302	{
2303	int scope = LDAP_SCOPE_SUBTREE;
2304	int rc;
2305	const char **attr_list;
2306
2307	attr_list = get_attr_list(NULL, groupmap_attr_list);
2308	rc = smbldap_search(ldap_state->smbldap_state,
2309	lp_ldap_group_suffix (), scope,
2310	filter, attr_list, 0, result);
2311	TALLOC_FREE(attr_list);
2312
2313	return rc;
2314	}
2315
2316	/**********************************************************************
2317	*********************************************************************/
2318
2319	static bool init_group_from_ldap(struct ldapsam_privates *ldap_state,
2320	GROUP_MAP map, LDAPMessage entry)
2321	{
2322	char *temp = NULL;
2323	TALLOC_CTX *ctx = talloc_init("init_group_from_ldap");
2324
2325	if (ldap_state == NULL \|\| map == NULL \|\| entry == NULL \|\|
2326	ldap_state->smbldap_state->ldap_struct == NULL) {
2327	DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
2328	TALLOC_FREE(ctx);
2329	return false;
2330	}
2331
2332	temp = smbldap_talloc_single_attribute(
2333	ldap_state->smbldap_state->ldap_struct,
2334	entry,
2335	get_attr_key2string(groupmap_attr_list,
2336	LDAP_ATTR_GIDNUMBER),
2337	ctx);
2338	if (!temp) {
2339	DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2340	get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
2341	TALLOC_FREE(ctx);
2342	return false;
2343	}
2344	DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
2345
2346	map->gid = (gid_t)atol(temp);
2347
2348	TALLOC_FREE(temp);
2349	temp = smbldap_talloc_single_attribute(
2350	ldap_state->smbldap_state->ldap_struct,
2351	entry,
2352	get_attr_key2string(groupmap_attr_list,
2353	LDAP_ATTR_GROUP_SID),
2354	ctx);
2355	if (!temp) {
2356	DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2357	get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
2358	TALLOC_FREE(ctx);
2359	return false;
2360	}
2361
2362	if (!string_to_sid(&map->sid, temp)) {
2363	DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
2364	TALLOC_FREE(ctx);
2365	return false;
2366	}
2367
2368	TALLOC_FREE(temp);
2369	temp = smbldap_talloc_single_attribute(
2370	ldap_state->smbldap_state->ldap_struct,
2371	entry,
2372	get_attr_key2string(groupmap_attr_list,
2373	LDAP_ATTR_GROUP_TYPE),
2374	ctx);
2375	if (!temp) {
2376	DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
2377	get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
2378	TALLOC_FREE(ctx);
2379	return false;
2380	}
2381	map->sid_name_use = (enum lsa_SidType)atol(temp);
2382
2383	if ((map->sid_name_use < SID_NAME_USER) \|\|
2384	(map->sid_name_use > SID_NAME_UNKNOWN)) {
2385	DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
2386	TALLOC_FREE(ctx);
2387	return false;
2388	}
2389
2390	TALLOC_FREE(temp);
2391	temp = smbldap_talloc_single_attribute(
2392	ldap_state->smbldap_state->ldap_struct,
2393	entry,
2394	get_attr_key2string(groupmap_attr_list,
2395	LDAP_ATTR_DISPLAY_NAME),
2396	ctx);
2397	if (!temp) {
2398	temp = smbldap_talloc_single_attribute(
2399	ldap_state->smbldap_state->ldap_struct,
2400	entry,
2401	get_attr_key2string(groupmap_attr_list,
2402	LDAP_ATTR_CN),
2403	ctx);
2404	if (!temp) {
2405	DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
2406	for gidNumber(%lu)\n",(unsigned long)map->gid));
2407	TALLOC_FREE(ctx);
2408	return false;
2409	}
2410	}
2411	fstrcpy(map->nt_name, temp);
2412
2413	TALLOC_FREE(temp);
2414	temp = smbldap_talloc_single_attribute(
2415	ldap_state->smbldap_state->ldap_struct,
2416	entry,
2417	get_attr_key2string(groupmap_attr_list,
2418	LDAP_ATTR_DESC),
2419	ctx);
2420	if (!temp) {
2421	temp = talloc_strdup(ctx, "");
2422	if (!temp) {
2423	TALLOC_FREE(ctx);
2424	return false;
2425	}
2426	}
2427	fstrcpy(map->comment, temp);
2428
2429	if (lp_parm_bool(-1, "ldapsam", "trusted", false)) {
2430	store_gid_sid_cache(&map->sid, map->gid);
2431	}
2432
2433	TALLOC_FREE(ctx);
2434	return true;
2435	}
2436
2437	/**********************************************************************
2438	*********************************************************************/
2439
2440	static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
2441	const char *filter,
2442	GROUP_MAP *map)
2443	{
2444	struct ldapsam_privates *ldap_state =
2445	(struct ldapsam_privates *)methods->private_data;
2446	LDAPMessage *result = NULL;
2447	LDAPMessage *entry = NULL;
2448	int count;
2449
2450	if (ldapsam_search_one_group(ldap_state, filter, &result)
2451	!= LDAP_SUCCESS) {
2452	return NT_STATUS_NO_SUCH_GROUP;
2453	}
2454
2455	count = ldap_count_entries(priv2ld(ldap_state), result);
2456
2457	if (count < 1) {
2458	DEBUG(4, ("ldapsam_getgroup: Did not find group, filter was "
2459	"%s\n", filter));
2460	ldap_msgfree(result);
2461	return NT_STATUS_NO_SUCH_GROUP;
2462	}
2463
2464	if (count > 1) {
2465	DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
2466	"count=%d\n", filter, count));
2467	ldap_msgfree(result);
2468	return NT_STATUS_NO_SUCH_GROUP;
2469	}
2470
2471	entry = ldap_first_entry(priv2ld(ldap_state), result);
2472
2473	if (!entry) {
2474	ldap_msgfree(result);
2475	return NT_STATUS_UNSUCCESSFUL;
2476	}
2477
2478	if (!init_group_from_ldap(ldap_state, map, entry)) {
2479	DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
2480	"group filter %s\n", filter));
2481	ldap_msgfree(result);
2482	return NT_STATUS_NO_SUCH_GROUP;
2483	}
2484
2485	ldap_msgfree(result);
2486	return NT_STATUS_OK;
2487	}
2488
2489	/**********************************************************************
2490	*********************************************************************/
2491
2492	static NTSTATUS ldapsam_getgrsid(struct pdb_methods methods, GROUP_MAP map,
2493	DOM_SID sid)
2494	{
2495	char *filter = NULL;
2496	NTSTATUS status;
2497	fstring tmp;
2498
2499	if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
2500	LDAP_OBJ_GROUPMAP,
2501	get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
2502	sid_to_fstring(tmp, &sid)) < 0) {
2503	return NT_STATUS_NO_MEMORY;
2504	}
2505
2506	status = ldapsam_getgroup(methods, filter, map);
2507	SAFE_FREE(filter);
2508	return status;
2509	}
2510
2511	/**********************************************************************
2512	*********************************************************************/
2513
2514	static NTSTATUS ldapsam_getgrgid(struct pdb_methods methods, GROUP_MAP map,
2515	gid_t gid)
2516	{
2517	char *filter = NULL;
2518	NTSTATUS status;
2519
2520	if (asprintf(&filter, "(&(objectClass=%s)(%s=%lu))",
2521	LDAP_OBJ_GROUPMAP,
2522	get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
2523	(unsigned long)gid) < 0) {
2524	return NT_STATUS_NO_MEMORY;
2525	}
2526
2527	status = ldapsam_getgroup(methods, filter, map);
2528	SAFE_FREE(filter);
2529	return status;
2530	}
2531
2532	/**********************************************************************
2533	*********************************************************************/
2534
2535	static NTSTATUS ldapsam_getgrnam(struct pdb_methods methods, GROUP_MAP map,
2536	const char *name)
2537	{
2538	char *filter = NULL;
2539	char *escape_name = escape_ldap_string_alloc(name);
2540	NTSTATUS status;
2541
2542	if (!escape_name) {
2543	return NT_STATUS_NO_MEMORY;
2544	}
2545
2546	if (asprintf(&filter, "(&(objectClass=%s)(\|(%s=%s)(%s=%s)))",
2547	LDAP_OBJ_GROUPMAP,
2548	get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
2549	get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN),
2550	escape_name) < 0) {
2551	SAFE_FREE(escape_name);
2552	return NT_STATUS_NO_MEMORY;
2553	}
2554
2555	SAFE_FREE(escape_name);
2556	status = ldapsam_getgroup(methods, filter, map);
2557	SAFE_FREE(filter);
2558	return status;
2559	}
2560
2561	static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
2562	LDAPMessage *entry,
2563	const DOM_SID *domain_sid,
2564	uint32 *rid)
2565	{
2566	fstring str;
2567	DOM_SID sid;
2568
2569	if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
2570	str, sizeof(str)-1)) {
2571	DEBUG(10, ("Could not find sambaSID attribute\n"));
2572	return False;
2573	}
2574
2575	if (!string_to_sid(&sid, str)) {
2576	DEBUG(10, ("Could not convert string %s to sid\n", str));
2577	return False;
2578	}
2579
2580	if (sid_compare_domain(&sid, domain_sid) != 0) {
2581	DEBUG(10, ("SID %s is not in expected domain %s\n",
2582	str, sid_string_dbg(domain_sid)));
2583	return False;
2584	}
2585
2586	if (!sid_peek_rid(&sid, rid)) {
2587	DEBUG(10, ("Could not peek into RID\n"));
2588	return False;
2589	}
2590
2591	return True;
2592	}
2593
2594	static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
2595	TALLOC_CTX *mem_ctx,
2596	const DOM_SID *group,
2597	uint32 **pp_member_rids,
2598	size_t *p_num_members)
2599	{
2600	struct ldapsam_privates *ldap_state =
2601	(struct ldapsam_privates *)methods->private_data;
2602	struct smbldap_state *conn = ldap_state->smbldap_state;
2603	const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
2604	const char *sid_attrs[] = { "sambaSID", NULL };
2605	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2606	LDAPMessage *result = NULL;
2607	LDAPMessage *entry;
2608	char *filter;
2609	char **values = NULL;
2610	char **memberuid;
2611	char *gidstr;
2612	int rc, count;
2613
2614	*pp_member_rids = NULL;
2615	*p_num_members = 0;
2616
2617	filter = talloc_asprintf(mem_ctx,
2618	"(&(objectClass=%s)"
2619	"(objectClass=%s)"
2620	"(sambaSID=%s))",
2621	LDAP_OBJ_POSIXGROUP,
2622	LDAP_OBJ_GROUPMAP,
2623	sid_string_talloc(mem_ctx, group));
2624	if (filter == NULL) {
2625	ret = NT_STATUS_NO_MEMORY;
2626	goto done;
2627	}
2628
2629	rc = smbldap_search(conn, lp_ldap_group_suffix(),
2630	LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
2631	&result);
2632
2633	if (rc != LDAP_SUCCESS)
2634	goto done;
2635
2636	talloc_autofree_ldapmsg(mem_ctx, result);
2637
2638	count = ldap_count_entries(conn->ldap_struct, result);
2639
2640	if (count > 1) {
2641	DEBUG(1, ("Found more than one groupmap entry for %s\n",
2642	sid_string_dbg(group)));
2643	ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2644	goto done;
2645	}
2646
2647	if (count == 0) {
2648	ret = NT_STATUS_NO_SUCH_GROUP;
2649	goto done;
2650	}
2651
2652	entry = ldap_first_entry(conn->ldap_struct, result);
2653	if (entry == NULL)
2654	goto done;
2655
2656	gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2657	if (!gidstr) {
2658	DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
2659	ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2660	goto done;
2661	}
2662
2663	values = ldap_get_values(conn->ldap_struct, entry, "memberUid");
2664
2665	if (values) {
2666
2667	filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(\|", LDAP_OBJ_SAMBASAMACCOUNT);
2668	if (filter == NULL) {
2669	ret = NT_STATUS_NO_MEMORY;
2670	goto done;
2671	}
2672
2673	for (memberuid = values; *memberuid != NULL; memberuid += 1) {
2674	char *escape_memberuid;
2675
2676	escape_memberuid = escape_ldap_string_alloc(*memberuid);
2677	if (escape_memberuid == NULL) {
2678	ret = NT_STATUS_NO_MEMORY;
2679	goto done;
2680	}
2681
2682	filter = talloc_asprintf_append_buffer(filter, "(uid=%s)", escape_memberuid);
2683	if (filter == NULL) {
2684	SAFE_FREE(escape_memberuid);
2685	ret = NT_STATUS_NO_MEMORY;
2686	goto done;
2687	}
2688
2689	SAFE_FREE(escape_memberuid);
2690	}
2691
2692	filter = talloc_asprintf_append_buffer(filter, "))");
2693	if (filter == NULL) {
2694	ret = NT_STATUS_NO_MEMORY;
2695	goto done;
2696	}
2697
2698	rc = smbldap_search(conn, lp_ldap_suffix(),
2699	LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2700	&result);
2701
2702	if (rc != LDAP_SUCCESS)
2703	goto done;
2704
2705	count = ldap_count_entries(conn->ldap_struct, result);
2706	DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
2707
2708	talloc_autofree_ldapmsg(mem_ctx, result);
2709
2710	for (entry = ldap_first_entry(conn->ldap_struct, result);
2711	entry != NULL;
2712	entry = ldap_next_entry(conn->ldap_struct, entry))
2713	{
2714	char *sidstr;
2715	DOM_SID sid;
2716	uint32 rid;
2717
2718	sidstr = smbldap_talloc_single_attribute(conn->ldap_struct,
2719	entry, "sambaSID",
2720	mem_ctx);
2721	if (!sidstr) {
2722	DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
2723	"the sambaSID attribute\n"));
2724	ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2725	goto done;
2726	}
2727
2728	if (!string_to_sid(&sid, sidstr))
2729	goto done;
2730
2731	if (!sid_check_is_in_our_domain(&sid)) {
2732	DEBUG(0, ("Inconsistent SAM -- group member uid not "
2733	"in our domain\n"));
2734	ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2735	goto done;
2736	}
2737
2738	sid_peek_rid(&sid, &rid);
2739
2740	if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2741	p_num_members)) {
2742	ret = NT_STATUS_NO_MEMORY;
2743	goto done;
2744	}
2745	}
2746	}
2747
2748	filter = talloc_asprintf(mem_ctx,
2749	"(&(objectClass=%s)"
2750	"(gidNumber=%s))",
2751	LDAP_OBJ_SAMBASAMACCOUNT,
2752	gidstr);
2753
2754	rc = smbldap_search(conn, lp_ldap_suffix(),
2755	LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
2756	&result);
2757
2758	if (rc != LDAP_SUCCESS)
2759	goto done;
2760
2761	talloc_autofree_ldapmsg(mem_ctx, result);
2762
2763	for (entry = ldap_first_entry(conn->ldap_struct, result);
2764	entry != NULL;
2765	entry = ldap_next_entry(conn->ldap_struct, entry))
2766	{
2767	uint32 rid;
2768
2769	if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
2770	entry,
2771	get_global_sam_sid(),
2772	&rid)) {
2773	DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
2774	"the sambaSID attribute\n"));
2775	ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2776	goto done;
2777	}
2778
2779	if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
2780	p_num_members)) {
2781	ret = NT_STATUS_NO_MEMORY;
2782	goto done;
2783	}
2784	}
2785
2786	ret = NT_STATUS_OK;
2787
2788	done:
2789
2790	if (values)
2791	ldap_value_free(values);
2792
2793	return ret;
2794	}
2795
2796	static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
2797	TALLOC_CTX *mem_ctx,
2798	struct samu *user,
2799	DOM_SID **pp_sids,
2800	gid_t **pp_gids,
2801	size_t *p_num_groups)
2802	{
2803	struct ldapsam_privates *ldap_state =
2804	(struct ldapsam_privates *)methods->private_data;
2805	struct smbldap_state *conn = ldap_state->smbldap_state;
2806	char *filter;
2807	const char *attrs[] = { "gidNumber", "sambaSID", NULL };
2808	char *escape_name;
2809	int rc, count;
2810	LDAPMessage *result = NULL;
2811	LDAPMessage *entry;
2812	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
2813	size_t num_sids, num_gids;
2814	char *gidstr;
2815	gid_t primary_gid = -1;
2816
2817	*pp_sids = NULL;
2818	num_sids = 0;
2819
2820	if (pdb_get_username(user) == NULL) {
2821	return NT_STATUS_INVALID_PARAMETER;
2822	}
2823
2824	escape_name = escape_ldap_string_alloc(pdb_get_username(user));
2825	if (escape_name == NULL)
2826	return NT_STATUS_NO_MEMORY;
2827
2828	/* retrieve the users primary gid */
2829	filter = talloc_asprintf(mem_ctx,
2830	"(&(objectClass=%s)(uid=%s))",
2831	LDAP_OBJ_SAMBASAMACCOUNT,
2832	escape_name);
2833	if (filter == NULL) {
2834	ret = NT_STATUS_NO_MEMORY;
2835	goto done;
2836	}
2837
2838	rc = smbldap_search(conn, lp_ldap_suffix(),
2839	LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2840
2841	if (rc != LDAP_SUCCESS)
2842	goto done;
2843
2844	talloc_autofree_ldapmsg(mem_ctx, result);
2845
2846	count = ldap_count_entries(priv2ld(ldap_state), result);
2847
2848	switch (count) {
2849	case 0:
2850	DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
2851	ret = NT_STATUS_NO_SUCH_USER;
2852	goto done;
2853	case 1:
2854	entry = ldap_first_entry(priv2ld(ldap_state), result);
2855
2856	gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
2857	if (!gidstr) {
2858	DEBUG (1, ("Unable to find the member's gid!\n"));
2859	ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2860	goto done;
2861	}
2862	primary_gid = strtoul(gidstr, NULL, 10);
2863	break;
2864	default:
2865	DEBUG(1, ("found more than one account with the same user name ?!\n"));
2866	ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
2867	goto done;
2868	}
2869
2870	filter = talloc_asprintf(mem_ctx,
2871	"(&(objectClass=%s)(\|(memberUid=%s)(gidNumber=%d)))",
2872	LDAP_OBJ_POSIXGROUP, escape_name, primary_gid);
2873	if (filter == NULL) {
2874	ret = NT_STATUS_NO_MEMORY;
2875	goto done;
2876	}
2877
2878	rc = smbldap_search(conn, lp_ldap_group_suffix(),
2879	LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
2880
2881	if (rc != LDAP_SUCCESS)
2882	goto done;
2883
2884	talloc_autofree_ldapmsg(mem_ctx, result);
2885
2886	num_gids = 0;
2887	*pp_gids = NULL;
2888
2889	num_sids = 0;
2890	*pp_sids = NULL;
2891
2892	/* We need to add the primary group as the first gid/sid */
2893
2894	if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) {
2895	ret = NT_STATUS_NO_MEMORY;
2896	goto done;
2897	}
2898
2899	/* This sid will be replaced later */
2900
2901	ret = add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids,
2902	&num_sids);
2903	if (!NT_STATUS_IS_OK(ret)) {
2904	goto done;
2905	}
2906
2907	for (entry = ldap_first_entry(conn->ldap_struct, result);
2908	entry != NULL;
2909	entry = ldap_next_entry(conn->ldap_struct, entry))
2910	{
2911	fstring str;
2912	DOM_SID sid;
2913	gid_t gid;
2914	char *end;
2915
2916	if (!smbldap_get_single_attribute(conn->ldap_struct,
2917	entry, "sambaSID",
2918	str, sizeof(str)-1))
2919	continue;
2920
2921	if (!string_to_sid(&sid, str))
2922	goto done;
2923
2924	if (!smbldap_get_single_attribute(conn->ldap_struct,
2925	entry, "gidNumber",
2926	str, sizeof(str)-1))
2927	continue;
2928
2929	gid = strtoul(str, &end, 10);
2930
2931	if (PTR_DIFF(end, str) != strlen(str))
2932	goto done;
2933
2934	if (gid == primary_gid) {
2935	sid_copy(&(*pp_sids)[0], &sid);
2936	} else {
2937	if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids,
2938	&num_gids)) {
2939	ret = NT_STATUS_NO_MEMORY;
2940	goto done;
2941	}
2942	ret = add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
2943	&num_sids);
2944	if (!NT_STATUS_IS_OK(ret)) {
2945	goto done;
2946	}
2947	}
2948	}
2949
2950	if (sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
2951	DEBUG(3, ("primary group of [%s] not found\n",
2952	pdb_get_username(user)));
2953	goto done;
2954	}
2955
2956	*p_num_groups = num_sids;
2957
2958	ret = NT_STATUS_OK;
2959
2960	done:
2961
2962	SAFE_FREE(escape_name);
2963	return ret;
2964	}
2965
2966	/**********************************************************************
2967	* Augment a posixGroup object with a sambaGroupMapping domgroup
2968	*********************************************************************/
2969
2970	static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
2971	struct ldapsam_privates *ldap_state,
2972	GROUP_MAP *map)
2973	{
2974	const char filter, dn;
2975	LDAPMessage msg, entry;
2976	LDAPMod **mods;
2977	int rc;
2978
2979	filter = talloc_asprintf(mem_ctx,
2980	"(&(objectClass=posixGroup)(gidNumber=%u))",
2981	map->gid);
2982	if (filter == NULL) {
2983	return NT_STATUS_NO_MEMORY;
2984	}
2985
2986	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
2987	get_attr_list(mem_ctx, groupmap_attr_list),
2988	&msg);
2989	talloc_autofree_ldapmsg(mem_ctx, msg);
2990
2991	if ((rc != LDAP_SUCCESS) \|\|
2992	(ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) \|\|
2993	((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
2994	return NT_STATUS_NO_SUCH_GROUP;
2995	}
2996
2997	dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
2998	if (dn == NULL) {
2999	return NT_STATUS_NO_MEMORY;
3000	}
3001
3002	mods = NULL;
3003	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
3004	"sambaGroupMapping");
3005	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaSid",
3006	sid_string_talloc(mem_ctx, &map->sid));
3007	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaGroupType",
3008	talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3009	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
3010	map->nt_name);
3011	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
3012	map->comment);
3013	talloc_autofree_ldapmod(mem_ctx, mods);
3014
3015	rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3016	if (rc != LDAP_SUCCESS) {
3017	return NT_STATUS_ACCESS_DENIED;
3018	}
3019
3020	return NT_STATUS_OK;
3021	}
3022
3023	static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
3024	GROUP_MAP *map)
3025	{
3026	struct ldapsam_privates *ldap_state =
3027	(struct ldapsam_privates *)methods->private_data;
3028	LDAPMessage *msg = NULL;
3029	LDAPMod **mods = NULL;
3030	const char *attrs[] = { NULL };
3031	char *filter;
3032
3033	char *dn;
3034	TALLOC_CTX *mem_ctx;
3035	NTSTATUS result;
3036
3037	DOM_SID sid;
3038
3039	int rc;
3040
3041	mem_ctx = talloc_new(NULL);
3042	if (mem_ctx == NULL) {
3043	DEBUG(0, ("talloc_new failed\n"));
3044	return NT_STATUS_NO_MEMORY;
3045	}
3046
3047	filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
3048	sid_string_talloc(mem_ctx, &map->sid));
3049	if (filter == NULL) {
3050	result = NT_STATUS_NO_MEMORY;
3051	goto done;
3052	}
3053
3054	rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
3055	LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
3056	talloc_autofree_ldapmsg(mem_ctx, msg);
3057
3058	if ((rc == LDAP_SUCCESS) &&
3059	(ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) > 0)) {
3060
3061	DEBUG(3, ("SID %s already present in LDAP, refusing to add "
3062	"group mapping entry\n", sid_string_dbg(&map->sid)));
3063	result = NT_STATUS_GROUP_EXISTS;
3064	goto done;
3065	}
3066
3067	switch (map->sid_name_use) {
3068
3069	case SID_NAME_DOM_GRP:
3070	/* To map a domain group we need to have a posix group
3071	to attach to. */
3072	result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
3073	goto done;
3074	break;
3075
3076	case SID_NAME_ALIAS:
3077	if (!sid_check_is_in_our_domain(&map->sid)
3078	&& !sid_check_is_in_builtin(&map->sid) )
3079	{
3080	DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
3081	sid_string_dbg(&map->sid)));
3082	result = NT_STATUS_INVALID_PARAMETER;
3083	goto done;
3084	}
3085	break;
3086
3087	default:
3088	DEBUG(3, ("Got invalid use '%s' for mapping\n",
3089	sid_type_lookup(map->sid_name_use)));
3090	result = NT_STATUS_INVALID_PARAMETER;
3091	goto done;
3092	}
3093
3094	/* Domain groups have been mapped in a separate routine, we have to
3095	* create an alias now */
3096
3097	if (map->gid == -1) {
3098	DEBUG(10, ("Refusing to map gid==-1\n"));
3099	result = NT_STATUS_INVALID_PARAMETER;
3100	goto done;
3101	}
3102
3103	if (pdb_gid_to_sid(map->gid, &sid)) {
3104	DEBUG(3, ("Gid %d is already mapped to SID %s, refusing to "
3105	"add\n", map->gid, sid_string_dbg(&sid)));
3106	result = NT_STATUS_GROUP_EXISTS;
3107	goto done;
3108	}
3109
3110	/* Ok, enough checks done. It's still racy to go ahead now, but that's
3111	* the best we can get out of LDAP. */
3112
3113	dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
3114	sid_string_talloc(mem_ctx, &map->sid),
3115	lp_ldap_group_suffix());
3116	if (dn == NULL) {
3117	result = NT_STATUS_NO_MEMORY;
3118	goto done;
3119	}
3120
3121	mods = NULL;
3122
3123	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3124	"sambaSidEntry");
3125	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
3126	"sambaGroupMapping");
3127
3128	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaSid",
3129	sid_string_talloc(mem_ctx, &map->sid));
3130	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaGroupType",
3131	talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
3132	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "displayName",
3133	map->nt_name);
3134	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "description",
3135	map->comment);
3136	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "gidNumber",
3137	talloc_asprintf(mem_ctx, "%u", map->gid));
3138	talloc_autofree_ldapmod(mem_ctx, mods);
3139
3140	rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
3141
3142	result = (rc == LDAP_SUCCESS) ?
3143	NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
3144
3145	done:
3146	TALLOC_FREE(mem_ctx);
3147	return result;
3148	}
3149
3150	/**********************************************************************
3151	* Update a group mapping entry. We're quite strict about what can be changed:
3152	* Only the description and displayname may be changed. It simply does not
3153	* make any sense to change the SID, gid or the type in a mapping.
3154	*********************************************************************/
3155
3156	static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
3157	GROUP_MAP *map)
3158	{
3159	struct ldapsam_privates *ldap_state =
3160	(struct ldapsam_privates *)methods->private_data;
3161	int rc;
3162	const char filter, dn;
3163	LDAPMessage *msg = NULL;
3164	LDAPMessage *entry = NULL;
3165	LDAPMod **mods = NULL;
3166	TALLOC_CTX *mem_ctx;
3167	NTSTATUS result;
3168
3169	mem_ctx = talloc_new(NULL);
3170	if (mem_ctx == NULL) {
3171	DEBUG(0, ("talloc_new failed\n"));
3172	return NT_STATUS_NO_MEMORY;
3173	}
3174
3175	/* Make 100% sure that sid, gid and type are not changed by looking up
3176	* exactly the values we're given in LDAP. */
3177
3178	filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)"
3179	"(sambaSid=%s)(gidNumber=%u)"
3180	"(sambaGroupType=%d))",
3181	LDAP_OBJ_GROUPMAP,
3182	sid_string_talloc(mem_ctx, &map->sid),
3183	map->gid, map->sid_name_use);
3184	if (filter == NULL) {
3185	result = NT_STATUS_NO_MEMORY;
3186	goto done;
3187	}
3188
3189	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
3190	get_attr_list(mem_ctx, groupmap_attr_list),
3191	&msg);
3192	talloc_autofree_ldapmsg(mem_ctx, msg);
3193
3194	if ((rc != LDAP_SUCCESS) \|\|
3195	(ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) \|\|
3196	((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
3197	result = NT_STATUS_NO_SUCH_GROUP;
3198	goto done;
3199	}
3200
3201	dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
3202
3203	if (dn == NULL) {
3204	result = NT_STATUS_NO_MEMORY;
3205	goto done;
3206	}
3207
3208	mods = NULL;
3209	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
3210	map->nt_name);
3211	smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
3212	map->comment);
3213	talloc_autofree_ldapmod(mem_ctx, mods);
3214
3215	if (mods == NULL) {
3216	DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: "
3217	"nothing to do\n"));
3218	result = NT_STATUS_OK;
3219	goto done;
3220	}
3221
3222	rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3223
3224	if (rc != LDAP_SUCCESS) {
3225	result = NT_STATUS_ACCESS_DENIED;
3226	goto done;
3227	}
3228
3229	DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified "
3230	"group %lu in LDAP\n", (unsigned long)map->gid));
3231
3232	result = NT_STATUS_OK;
3233
3234	done:
3235	TALLOC_FREE(mem_ctx);
3236	return result;
3237	}
3238
3239	/**********************************************************************
3240	*********************************************************************/
3241
3242	static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
3243	DOM_SID sid)
3244	{
3245	struct ldapsam_privates *priv =
3246	(struct ldapsam_privates *)methods->private_data;
3247	LDAPMessage msg, entry;
3248	int rc;
3249	NTSTATUS result;
3250	TALLOC_CTX *mem_ctx;
3251	char *filter;
3252
3253	mem_ctx = talloc_new(NULL);
3254	if (mem_ctx == NULL) {
3255	DEBUG(0, ("talloc_new failed\n"));
3256	return NT_STATUS_NO_MEMORY;
3257	}
3258
3259	filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
3260	LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
3261	sid_string_talloc(mem_ctx, &sid));
3262	if (filter == NULL) {
3263	result = NT_STATUS_NO_MEMORY;
3264	goto done;
3265	}
3266	rc = smbldap_search_suffix(priv->smbldap_state, filter,
3267	get_attr_list(mem_ctx, groupmap_attr_list),
3268	&msg);
3269	talloc_autofree_ldapmsg(mem_ctx, msg);
3270
3271	if ((rc != LDAP_SUCCESS) \|\|
3272	(ldap_count_entries(priv2ld(priv), msg) != 1) \|\|
3273	((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
3274	result = NT_STATUS_NO_SUCH_GROUP;
3275	goto done;
3276	}
3277
3278	rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP,
3279	get_attr_list(mem_ctx,
3280	groupmap_attr_list_to_delete));
3281
3282	if ((rc == LDAP_NAMING_VIOLATION) \|\|
3283	(rc == LDAP_NOT_ALLOWED_ON_RDN) \|\|
3284	(rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3285	const char *attrs[] = { "sambaGroupType", "description",
3286	"displayName", "sambaSIDList",
3287	NULL };
3288
3289	/* Second try. Don't delete the sambaSID attribute, this is
3290	for "old" entries that are tacked on a winbind
3291	sambaIdmapEntry. */
3292
3293	rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3294	LDAP_OBJ_GROUPMAP, attrs);
3295	}
3296
3297	if ((rc == LDAP_NAMING_VIOLATION) \|\|
3298	(rc == LDAP_NOT_ALLOWED_ON_RDN) \|\|
3299	(rc == LDAP_OBJECT_CLASS_VIOLATION)) {
3300	const char *attrs[] = { "sambaGroupType", "description",
3301	"displayName", "sambaSIDList",
3302	"gidNumber", NULL };
3303
3304	/* Third try. This is a post-3.0.21 alias (containing only
3305	* sambaSidEntry and sambaGroupMapping classes), we also have
3306	* to delete the gidNumber attribute, only the sambaSidEntry
3307	* remains */
3308
3309	rc = ldapsam_delete_entry(priv, mem_ctx, entry,
3310	LDAP_OBJ_GROUPMAP, attrs);
3311	}
3312
3313	result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
3314
3315	done:
3316	TALLOC_FREE(mem_ctx);
3317	return result;
3318	}
3319
3320	/**********************************************************************
3321	*********************************************************************/
3322
3323	static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
3324	bool update)
3325	{
3326	struct ldapsam_privates *ldap_state =
3327	(struct ldapsam_privates *)my_methods->private_data;
3328	char *filter = NULL;
3329	int rc;
3330	const char **attr_list;
3331
3332	filter = talloc_asprintf(NULL, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
3333	if (!filter) {
3334	return NT_STATUS_NO_MEMORY;
3335	}
3336	attr_list = get_attr_list( NULL, groupmap_attr_list );
3337	rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
3338	LDAP_SCOPE_SUBTREE, filter,
3339	attr_list, 0, &ldap_state->result);
3340	TALLOC_FREE(attr_list);
3341
3342	if (rc != LDAP_SUCCESS) {
3343	DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
3344	ldap_err2string(rc)));
3345	DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
3346	lp_ldap_group_suffix(), filter));
3347	ldap_msgfree(ldap_state->result);
3348	ldap_state->result = NULL;
3349	TALLOC_FREE(filter);
3350	return NT_STATUS_UNSUCCESSFUL;
3351	}
3352
3353	TALLOC_FREE(filter);
3354
3355	DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
3356	ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3357	ldap_state->result)));
3358
3359	ldap_state->entry =
3360	ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3361	ldap_state->result);
3362	ldap_state->index = 0;
3363
3364	return NT_STATUS_OK;
3365	}
3366
3367	/**********************************************************************
3368	*********************************************************************/
3369
3370	static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
3371	{
3372	ldapsam_endsampwent(my_methods);
3373	}
3374
3375	/**********************************************************************
3376	*********************************************************************/
3377
3378	static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
3379	GROUP_MAP *map)
3380	{
3381	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
3382	struct ldapsam_privates *ldap_state =
3383	(struct ldapsam_privates *)my_methods->private_data;
3384	bool bret = False;
3385
3386	while (!bret) {
3387	if (!ldap_state->entry)
3388	return ret;
3389
3390	ldap_state->index++;
3391	bret = init_group_from_ldap(ldap_state, map,
3392	ldap_state->entry);
3393
3394	ldap_state->entry =
3395	ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
3396	ldap_state->entry);
3397	}
3398
3399	return NT_STATUS_OK;
3400	}
3401
3402	/**********************************************************************
3403	*********************************************************************/
3404
3405	static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
3406	const DOM_SID *domsid, enum lsa_SidType sid_name_use,
3407	GROUP_MAP **pp_rmap,
3408	size_t *p_num_entries,
3409	bool unix_only)
3410	{
3411	GROUP_MAP map;
3412	size_t entries = 0;
3413
3414	*p_num_entries = 0;
3415	*pp_rmap = NULL;
3416
3417	if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
3418	DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open "
3419	"passdb\n"));
3420	return NT_STATUS_ACCESS_DENIED;
3421	}
3422
3423	while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
3424	if (sid_name_use != SID_NAME_UNKNOWN &&
3425	sid_name_use != map.sid_name_use) {
3426	DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3427	"not of the requested type\n", map.nt_name));
3428	continue;
3429	}
3430	if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
3431	DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
3432	"non mapped\n", map.nt_name));
3433	continue;
3434	}
3435
3436	(pp_rmap)=SMB_REALLOC_ARRAY((pp_rmap), GROUP_MAP, entries+1);
3437	if (!(*pp_rmap)) {
3438	DEBUG(0,("ldapsam_enum_group_mapping: Unable to "
3439	"enlarge group map!\n"));
3440	return NT_STATUS_UNSUCCESSFUL;
3441	}
3442
3443	(*pp_rmap)[entries] = map;
3444
3445	entries += 1;
3446
3447	}
3448	ldapsam_endsamgrent(methods);
3449
3450	*p_num_entries = entries;
3451
3452	return NT_STATUS_OK;
3453	}
3454
3455	static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
3456	const DOM_SID *alias,
3457	const DOM_SID *member,
3458	int modop)
3459	{
3460	struct ldapsam_privates *ldap_state =
3461	(struct ldapsam_privates *)methods->private_data;
3462	char *dn = NULL;
3463	LDAPMessage *result = NULL;
3464	LDAPMessage *entry = NULL;
3465	int count;
3466	LDAPMod **mods = NULL;
3467	int rc;
3468	enum lsa_SidType type = SID_NAME_USE_NONE;
3469	fstring tmp;
3470
3471	char *filter = NULL;
3472
3473	if (sid_check_is_in_builtin(alias)) {
3474	type = SID_NAME_ALIAS;
3475	}
3476
3477	if (sid_check_is_in_our_domain(alias)) {
3478	type = SID_NAME_ALIAS;
3479	}
3480
3481	if (type == SID_NAME_USE_NONE) {
3482	DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3483	sid_string_dbg(alias)));
3484	return NT_STATUS_NO_SUCH_ALIAS;
3485	}
3486
3487	if (asprintf(&filter,
3488	"(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3489	LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
3490	type) < 0) {
3491	return NT_STATUS_NO_MEMORY;
3492	}
3493
3494	if (ldapsam_search_one_group(ldap_state, filter,
3495	&result) != LDAP_SUCCESS) {
3496	SAFE_FREE(filter);
3497	return NT_STATUS_NO_SUCH_ALIAS;
3498	}
3499
3500	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3501	result);
3502
3503	if (count < 1) {
3504	DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
3505	ldap_msgfree(result);
3506	SAFE_FREE(filter);
3507	return NT_STATUS_NO_SUCH_ALIAS;
3508	}
3509
3510	if (count > 1) {
3511	DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for "
3512	"filter %s: count=%d\n", filter, count));
3513	ldap_msgfree(result);
3514	SAFE_FREE(filter);
3515	return NT_STATUS_NO_SUCH_ALIAS;
3516	}
3517
3518	SAFE_FREE(filter);
3519
3520	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3521	result);
3522
3523	if (!entry) {
3524	ldap_msgfree(result);
3525	return NT_STATUS_UNSUCCESSFUL;
3526	}
3527
3528	dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
3529	if (!dn) {
3530	ldap_msgfree(result);
3531	return NT_STATUS_UNSUCCESSFUL;
3532	}
3533
3534	smbldap_set_mod(&mods, modop,
3535	get_attr_key2string(groupmap_attr_list,
3536	LDAP_ATTR_SID_LIST),
3537	sid_to_fstring(tmp, member));
3538
3539	rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
3540
3541	ldap_mods_free(mods, True);
3542	ldap_msgfree(result);
3543	SAFE_FREE(dn);
3544
3545	if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
3546	return NT_STATUS_MEMBER_IN_ALIAS;
3547	}
3548
3549	if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
3550	return NT_STATUS_MEMBER_NOT_IN_ALIAS;
3551	}
3552
3553	if (rc != LDAP_SUCCESS) {
3554	return NT_STATUS_UNSUCCESSFUL;
3555	}
3556
3557	return NT_STATUS_OK;
3558	}
3559
3560	static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
3561	const DOM_SID *alias,
3562	const DOM_SID *member)
3563	{
3564	return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
3565	}
3566
3567	static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
3568	const DOM_SID *alias,
3569	const DOM_SID *member)
3570	{
3571	return ldapsam_modify_aliasmem(methods, alias, member,
3572	LDAP_MOD_DELETE);
3573	}
3574
3575	static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
3576	const DOM_SID *alias,
3577	DOM_SID **pp_members,
3578	size_t *p_num_members)
3579	{
3580	struct ldapsam_privates *ldap_state =
3581	(struct ldapsam_privates *)methods->private_data;
3582	LDAPMessage *result = NULL;
3583	LDAPMessage *entry = NULL;
3584	int count;
3585	char **values = NULL;
3586	int i;
3587	char *filter = NULL;
3588	size_t num_members = 0;
3589	enum lsa_SidType type = SID_NAME_USE_NONE;
3590	fstring tmp;
3591
3592	*pp_members = NULL;
3593	*p_num_members = 0;
3594
3595	if (sid_check_is_in_builtin(alias)) {
3596	type = SID_NAME_ALIAS;
3597	}
3598
3599	if (sid_check_is_in_our_domain(alias)) {
3600	type = SID_NAME_ALIAS;
3601	}
3602
3603	if (type == SID_NAME_USE_NONE) {
3604	DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
3605	sid_string_dbg(alias)));
3606	return NT_STATUS_NO_SUCH_ALIAS;
3607	}
3608
3609	if (asprintf(&filter,
3610	"(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
3611	LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
3612	type) < 0) {
3613	return NT_STATUS_NO_MEMORY;
3614	}
3615
3616	if (ldapsam_search_one_group(ldap_state, filter,
3617	&result) != LDAP_SUCCESS) {
3618	SAFE_FREE(filter);
3619	return NT_STATUS_NO_SUCH_ALIAS;
3620	}
3621
3622	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
3623	result);
3624
3625	if (count < 1) {
3626	DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
3627	ldap_msgfree(result);
3628	SAFE_FREE(filter);
3629	return NT_STATUS_NO_SUCH_ALIAS;
3630	}
3631
3632	if (count > 1) {
3633	DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for "
3634	"filter %s: count=%d\n", filter, count));
3635	ldap_msgfree(result);
3636	SAFE_FREE(filter);
3637	return NT_STATUS_NO_SUCH_ALIAS;
3638	}
3639
3640	SAFE_FREE(filter);
3641
3642	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
3643	result);
3644
3645	if (!entry) {
3646	ldap_msgfree(result);
3647	return NT_STATUS_UNSUCCESSFUL;
3648	}
3649
3650	values = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
3651	entry,
3652	get_attr_key2string(groupmap_attr_list,
3653	LDAP_ATTR_SID_LIST));
3654
3655	if (values == NULL) {
3656	ldap_msgfree(result);
3657	return NT_STATUS_OK;
3658	}
3659
3660	count = ldap_count_values(values);
3661
3662	for (i=0; i<count; i++) {
3663	DOM_SID member;
3664	NTSTATUS status;
3665
3666	if (!string_to_sid(&member, values[i]))
3667	continue;
3668
3669	status = add_sid_to_array(NULL, &member, pp_members,
3670	&num_members);
3671	if (!NT_STATUS_IS_OK(status)) {
3672	ldap_value_free(values);
3673	ldap_msgfree(result);
3674	return status;
3675	}
3676	}
3677
3678	*p_num_members = num_members;
3679	ldap_value_free(values);
3680	ldap_msgfree(result);
3681
3682	return NT_STATUS_OK;
3683	}
3684
3685	static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
3686	TALLOC_CTX *mem_ctx,
3687	const DOM_SID *domain_sid,
3688	const DOM_SID *members,
3689	size_t num_members,
3690	uint32 **pp_alias_rids,
3691	size_t *p_num_alias_rids)
3692	{
3693	struct ldapsam_privates *ldap_state =
3694	(struct ldapsam_privates *)methods->private_data;
3695	LDAP *ldap_struct;
3696
3697	const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
3698
3699	LDAPMessage *result = NULL;
3700	LDAPMessage *entry = NULL;
3701	int i;
3702	int rc;
3703	char *filter;
3704	enum lsa_SidType type = SID_NAME_USE_NONE;
3705
3706	if (sid_check_is_builtin(domain_sid)) {
3707	type = SID_NAME_ALIAS;
3708	}
3709
3710	if (sid_check_is_domain(domain_sid)) {
3711	type = SID_NAME_ALIAS;
3712	}
3713
3714	if (type == SID_NAME_USE_NONE) {
3715	DEBUG(5, ("SID %s is neither builtin nor domain!\n",
3716	sid_string_dbg(domain_sid)));
3717	return NT_STATUS_UNSUCCESSFUL;
3718	}
3719
3720	filter = talloc_asprintf(mem_ctx,
3721	"(&(\|(objectclass=%s)(sambaGroupType=%d))(\|",
3722	LDAP_OBJ_GROUPMAP, type);
3723
3724	for (i=0; i<num_members; i++)
3725	filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)",
3726	filter,
3727	sid_string_talloc(mem_ctx,
3728	&members[i]));
3729
3730	filter = talloc_asprintf(mem_ctx, "%s))", filter);
3731
3732	if (filter == NULL) {
3733	return NT_STATUS_NO_MEMORY;
3734	}
3735
3736	rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
3737	LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
3738
3739	if (rc != LDAP_SUCCESS)
3740	return NT_STATUS_UNSUCCESSFUL;
3741
3742	ldap_struct = ldap_state->smbldap_state->ldap_struct;
3743
3744	for (entry = ldap_first_entry(ldap_struct, result);
3745	entry != NULL;
3746	entry = ldap_next_entry(ldap_struct, entry))
3747	{
3748	fstring sid_str;
3749	DOM_SID sid;
3750	uint32 rid;
3751
3752	if (!smbldap_get_single_attribute(ldap_struct, entry,
3753	LDAP_ATTRIBUTE_SID,
3754	sid_str,
3755	sizeof(sid_str)-1))
3756	continue;
3757
3758	if (!string_to_sid(&sid, sid_str))
3759	continue;
3760
3761	if (!sid_peek_check_rid(domain_sid, &sid, &rid))
3762	continue;
3763
3764	if (!add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids,
3765	p_num_alias_rids)) {
3766	ldap_msgfree(result);
3767	return NT_STATUS_NO_MEMORY;
3768	}
3769	}
3770
3771	ldap_msgfree(result);
3772	return NT_STATUS_OK;
3773	}
3774
3775	static NTSTATUS ldapsam_set_account_policy_in_ldap(struct pdb_methods *methods,
3776	int policy_index,
3777	uint32 value)
3778	{
3779	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3780	int rc;
3781	LDAPMod **mods = NULL;
3782	fstring value_string;
3783	const char *policy_attr = NULL;
3784
3785	struct ldapsam_privates *ldap_state =
3786	(struct ldapsam_privates *)methods->private_data;
3787
3788	DEBUG(10,("ldapsam_set_account_policy_in_ldap\n"));
3789
3790	if (!ldap_state->domain_dn) {
3791	return NT_STATUS_INVALID_PARAMETER;
3792	}
3793
3794	policy_attr = get_account_policy_attr(policy_index);
3795	if (policy_attr == NULL) {
3796	DEBUG(0,("ldapsam_set_account_policy_in_ldap: invalid "
3797	"policy\n"));
3798	return ntstatus;
3799	}
3800
3801	slprintf(value_string, sizeof(value_string) - 1, "%i", value);
3802
3803	smbldap_set_mod(&mods, LDAP_MOD_REPLACE, policy_attr, value_string);
3804
3805	rc = smbldap_modify(ldap_state->smbldap_state, ldap_state->domain_dn,
3806	mods);
3807
3808	ldap_mods_free(mods, True);
3809
3810	if (rc != LDAP_SUCCESS) {
3811	return ntstatus;
3812	}
3813
3814	if (!cache_account_policy_set(policy_index, value)) {
3815	DEBUG(0,("ldapsam_set_account_policy_in_ldap: failed to "
3816	"update local tdb cache\n"));
3817	return ntstatus;
3818	}
3819
3820	return NT_STATUS_OK;
3821	}
3822
3823	static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods,
3824	int policy_index, uint32 value)
3825	{
3826	return ldapsam_set_account_policy_in_ldap(methods, policy_index,
3827	value);
3828	}
3829
3830	static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods,
3831	int policy_index,
3832	uint32 *value)
3833	{
3834	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3835	LDAPMessage *result = NULL;
3836	LDAPMessage *entry = NULL;
3837	int count;
3838	int rc;
3839	char **vals = NULL;
3840	const char *policy_attr = NULL;
3841
3842	struct ldapsam_privates *ldap_state =
3843	(struct ldapsam_privates *)methods->private_data;
3844
3845	const char *attrs[2];
3846
3847	DEBUG(10,("ldapsam_get_account_policy_from_ldap\n"));
3848
3849	if (!ldap_state->domain_dn) {
3850	return NT_STATUS_INVALID_PARAMETER;
3851	}
3852
3853	policy_attr = get_account_policy_attr(policy_index);
3854	if (!policy_attr) {
3855	DEBUG(0,("ldapsam_get_account_policy_from_ldap: invalid "
3856	"policy index: %d\n", policy_index));
3857	return ntstatus;
3858	}
3859
3860	attrs[0] = policy_attr;
3861	attrs[1] = NULL;
3862
3863	rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
3864	LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0,
3865	&result);
3866
3867	if (rc != LDAP_SUCCESS) {
3868	return ntstatus;
3869	}
3870
3871	count = ldap_count_entries(priv2ld(ldap_state), result);
3872	if (count < 1) {
3873	goto out;
3874	}
3875
3876	entry = ldap_first_entry(priv2ld(ldap_state), result);
3877	if (entry == NULL) {
3878	goto out;
3879	}
3880
3881	vals = ldap_get_values(priv2ld(ldap_state), entry, policy_attr);
3882	if (vals == NULL) {
3883	goto out;
3884	}
3885
3886	*value = (uint32)atol(vals[0]);
3887
3888	ntstatus = NT_STATUS_OK;
3889
3890	out:
3891	if (vals)
3892	ldap_value_free(vals);
3893	ldap_msgfree(result);
3894
3895	return ntstatus;
3896	}
3897
3898	/* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
3899
3900	- if user hasn't decided to use account policies inside LDAP just reuse the
3901	old tdb values
3902
3903	- if there is a valid cache entry, return that
3904	- if there is an LDAP entry, update cache and return
3905	- otherwise set to default, update cache and return
3906
3907	Guenther
3908	*/
3909	static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods,
3910	int policy_index, uint32 *value)
3911	{
3912	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
3913
3914	if (cache_account_policy_get(policy_index, value)) {
3915	DEBUG(11,("ldapsam_get_account_policy: got valid value from "
3916	"cache\n"));
3917	return NT_STATUS_OK;
3918	}
3919
3920	ntstatus = ldapsam_get_account_policy_from_ldap(methods, policy_index,
3921	value);
3922	if (NT_STATUS_IS_OK(ntstatus)) {
3923	goto update_cache;
3924	}
3925
3926	DEBUG(10,("ldapsam_get_account_policy: failed to retrieve from "
3927	"ldap\n"));
3928
3929	#if 0
3930	/* should we automagically migrate old tdb value here ? */
3931	if (account_policy_get(policy_index, value))
3932	goto update_ldap;
3933
3934	DEBUG(10,("ldapsam_get_account_policy: no tdb for %d, trying "
3935	"default\n", policy_index));
3936	#endif
3937
3938	if (!account_policy_get_default(policy_index, value)) {
3939	return ntstatus;
3940	}
3941
3942	/* update_ldap: */
3943
3944	ntstatus = ldapsam_set_account_policy(methods, policy_index, *value);
3945	if (!NT_STATUS_IS_OK(ntstatus)) {
3946	return ntstatus;
3947	}
3948
3949	update_cache:
3950
3951	if (!cache_account_policy_set(policy_index, *value)) {
3952	DEBUG(0,("ldapsam_get_account_policy: failed to update local "
3953	"tdb as a cache\n"));
3954	return NT_STATUS_UNSUCCESSFUL;
3955	}
3956
3957	return NT_STATUS_OK;
3958	}
3959
3960	static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
3961	const DOM_SID *domain_sid,
3962	int num_rids,
3963	uint32 *rids,
3964	const char **names,
3965	enum lsa_SidType *attrs)
3966	{
3967	struct ldapsam_privates *ldap_state =
3968	(struct ldapsam_privates *)methods->private_data;
3969	LDAPMessage *msg = NULL;
3970	LDAPMessage *entry;
3971	char *allsids = NULL;
3972	int i, rc, num_mapped;
3973	NTSTATUS result = NT_STATUS_NO_MEMORY;
3974	TALLOC_CTX *mem_ctx;
3975	LDAP *ld;
3976	bool is_builtin;
3977
3978	mem_ctx = talloc_new(NULL);
3979	if (mem_ctx == NULL) {
3980	DEBUG(0, ("talloc_new failed\n"));
3981	goto done;
3982	}
3983
3984	if (!sid_check_is_builtin(domain_sid) &&
3985	!sid_check_is_domain(domain_sid)) {
3986	result = NT_STATUS_INVALID_PARAMETER;
3987	goto done;
3988	}
3989
3990	for (i=0; i<num_rids; i++)
3991	attrs[i] = SID_NAME_UNKNOWN;
3992
3993	allsids = talloc_strdup(mem_ctx, "");
3994	if (allsids == NULL) {
3995	goto done;
3996	}
3997
3998	for (i=0; i<num_rids; i++) {
3999	DOM_SID sid;
4000	sid_compose(&sid, domain_sid, rids[i]);
4001	allsids = talloc_asprintf_append_buffer(
4002	allsids, "(sambaSid=%s)",
4003	sid_string_talloc(mem_ctx, &sid));
4004	if (allsids == NULL) {
4005	goto done;
4006	}
4007	}
4008
4009	/* First look for users */
4010
4011	{
4012	char *filter;
4013	const char *ldap_attrs[] = { "uid", "sambaSid", NULL };
4014
4015	filter = talloc_asprintf(
4016	mem_ctx, ("(&(objectClass=%s)(\|%s))"),
4017	LDAP_OBJ_SAMBASAMACCOUNT, allsids);
4018
4019	if (filter == NULL) {
4020	goto done;
4021	}
4022
4023	rc = smbldap_search(ldap_state->smbldap_state,
4024	lp_ldap_user_suffix(),
4025	LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
4026	&msg);
4027	talloc_autofree_ldapmsg(mem_ctx, msg);
4028	}
4029
4030	if (rc != LDAP_SUCCESS)
4031	goto done;
4032
4033	ld = ldap_state->smbldap_state->ldap_struct;
4034	num_mapped = 0;
4035
4036	for (entry = ldap_first_entry(ld, msg);
4037	entry != NULL;
4038	entry = ldap_next_entry(ld, entry)) {
4039	uint32 rid;
4040	int rid_index;
4041	const char *name;
4042
4043	if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
4044	&rid)) {
4045	DEBUG(2, ("Could not find sid from ldap entry\n"));
4046	continue;
4047	}
4048
4049	name = smbldap_talloc_single_attribute(ld, entry, "uid",
4050	names);
4051	if (name == NULL) {
4052	DEBUG(2, ("Could not retrieve uid attribute\n"));
4053	continue;
4054	}
4055
4056	for (rid_index = 0; rid_index < num_rids; rid_index++) {
4057	if (rid == rids[rid_index])
4058	break;
4059	}
4060
4061	if (rid_index == num_rids) {
4062	DEBUG(2, ("Got a RID not asked for: %d\n", rid));
4063	continue;
4064	}
4065
4066	attrs[rid_index] = SID_NAME_USER;
4067	names[rid_index] = name;
4068	num_mapped += 1;
4069	}
4070
4071	if (num_mapped == num_rids) {
4072	/* No need to look for groups anymore -- we're done */
4073	result = NT_STATUS_OK;
4074	goto done;
4075	}
4076
4077	/* Same game for groups */
4078
4079	{
4080	char *filter;
4081	const char *ldap_attrs[] = { "cn", "displayName", "sambaSid",
4082	"sambaGroupType", NULL };
4083
4084	filter = talloc_asprintf(
4085	mem_ctx, "(&(objectClass=%s)(\|%s))",
4086	LDAP_OBJ_GROUPMAP, allsids);
4087	if (filter == NULL) {
4088	goto done;
4089	}
4090
4091	rc = smbldap_search(ldap_state->smbldap_state,
4092	lp_ldap_group_suffix(),
4093	LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
4094	&msg);
4095	talloc_autofree_ldapmsg(mem_ctx, msg);
4096	}
4097
4098	if (rc != LDAP_SUCCESS)
4099	goto done;
4100
4101	/* ldap_struct might have changed due to a reconnect */
4102
4103	ld = ldap_state->smbldap_state->ldap_struct;
4104
4105	/* For consistency checks, we already checked we're only domain or builtin */
4106
4107	is_builtin = sid_check_is_builtin(domain_sid);
4108
4109	for (entry = ldap_first_entry(ld, msg);
4110	entry != NULL;
4111	entry = ldap_next_entry(ld, entry))
4112	{
4113	uint32 rid;
4114	int rid_index;
4115	const char *attr;
4116	enum lsa_SidType type;
4117	const char *dn = smbldap_talloc_dn(mem_ctx, ld, entry);
4118
4119	attr = smbldap_talloc_single_attribute(ld, entry, "sambaGroupType",
4120	mem_ctx);
4121	if (attr == NULL) {
4122	DEBUG(2, ("Could not extract type from ldap entry %s\n",
4123	dn));
4124	continue;
4125	}
4126
4127	type = (enum lsa_SidType)atol(attr);
4128
4129	/* Consistency checks */
4130	if ((is_builtin && (type != SID_NAME_ALIAS)) \|\|
4131	(!is_builtin && ((type != SID_NAME_ALIAS) &&
4132	(type != SID_NAME_DOM_GRP)))) {
4133	DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
4134	}
4135
4136	if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
4137	&rid)) {
4138	DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
4139	continue;
4140	}
4141
4142	attr = smbldap_talloc_single_attribute(ld, entry, "displayName", names);
4143
4144	if (attr == NULL) {
4145	DEBUG(10, ("Could not retrieve 'displayName' attribute from %s\n",
4146	dn));
4147	attr = smbldap_talloc_single_attribute(ld, entry, "cn", names);
4148	}
4149
4150	if (attr == NULL) {
4151	DEBUG(2, ("Could not retrieve naming attribute from %s\n",
4152	dn));
4153	continue;
4154	}
4155
4156	for (rid_index = 0; rid_index < num_rids; rid_index++) {
4157	if (rid == rids[rid_index])
4158	break;
4159	}
4160
4161	if (rid_index == num_rids) {
4162	DEBUG(2, ("Got a RID not asked for: %d\n", rid));
4163	continue;
4164	}
4165
4166	attrs[rid_index] = type;
4167	names[rid_index] = attr;
4168	num_mapped += 1;
4169	}
4170
4171	result = NT_STATUS_NONE_MAPPED;
4172
4173	if (num_mapped > 0)
4174	result = (num_mapped == num_rids) ?
4175	NT_STATUS_OK : STATUS_SOME_UNMAPPED;
4176	done:
4177	TALLOC_FREE(mem_ctx);
4178	return result;
4179	}
4180
4181	static char get_ldap_filter(TALLOC_CTX mem_ctx, const char *username)
4182	{
4183	char *filter = NULL;
4184	char *escaped = NULL;
4185	char *result = NULL;
4186
4187	asprintf(&filter, "(&%s(objectclass=sambaSamAccount))",
4188	"(uid=%u)");
4189	if (filter == NULL) goto done;
4190
4191	escaped = escape_ldap_string_alloc(username);
4192	if (escaped == NULL) goto done;
4193
4194	result = talloc_string_sub(mem_ctx, filter, "%u", username);
4195
4196	done:
4197	SAFE_FREE(filter);
4198	SAFE_FREE(escaped);
4199
4200	return result;
4201	}
4202
4203	const char *talloc_attrs(TALLOC_CTX mem_ctx, ...)
4204	{
4205	int i, num = 0;
4206	va_list ap;
4207	const char **result;
4208
4209	va_start(ap, mem_ctx);
4210	while (va_arg(ap, const char *) != NULL)
4211	num += 1;
4212	va_end(ap);
4213
4214	if ((result = TALLOC_ARRAY(mem_ctx, const char *, num+1)) == NULL) {
4215	return NULL;
4216	}
4217
4218	va_start(ap, mem_ctx);
4219	for (i=0; i<num; i++) {
4220	result[i] = talloc_strdup(result, va_arg(ap, const char*));
4221	if (result[i] == NULL) {
4222	talloc_free(result);
4223	return NULL;
4224	}
4225	}
4226	va_end(ap);
4227
4228	result[num] = NULL;
4229	return result;
4230	}
4231
4232	struct ldap_search_state {
4233	struct smbldap_state *connection;
4234
4235	uint32 acct_flags;
4236	uint16 group_type;
4237
4238	const char *base;
4239	int scope;
4240	const char *filter;
4241	const char **attrs;
4242	int attrsonly;
4243	void *pagedresults_cookie;
4244
4245	LDAPMessage entries, current_entry;
4246	bool (ldap2displayentry)(struct ldap_search_state state,
4247	TALLOC_CTX *mem_ctx,
4248	LDAP ld, LDAPMessage entry,
4249	struct samr_displayentry *result);
4250	};
4251
4252	static bool ldapsam_search_firstpage(struct pdb_search *search)
4253	{
4254	struct ldap_search_state *state =
4255	(struct ldap_search_state *)search->private_data;
4256	LDAP *ld;
4257	int rc = LDAP_OPERATIONS_ERROR;
4258
4259	state->entries = NULL;
4260
4261	if (state->connection->paged_results) {
4262	rc = smbldap_search_paged(state->connection, state->base,
4263	state->scope, state->filter,
4264	state->attrs, state->attrsonly,
4265	lp_ldap_page_size(), &state->entries,
4266	&state->pagedresults_cookie);
4267	}
4268
4269	if ((rc != LDAP_SUCCESS) \|\| (state->entries == NULL)) {
4270
4271	if (state->entries != NULL) {
4272	/* Left over from unsuccessful paged attempt */
4273	ldap_msgfree(state->entries);
4274	state->entries = NULL;
4275	}
4276
4277	rc = smbldap_search(state->connection, state->base,
4278	state->scope, state->filter, state->attrs,
4279	state->attrsonly, &state->entries);
4280
4281	if ((rc != LDAP_SUCCESS) \|\| (state->entries == NULL))
4282	return False;
4283
4284	/* Ok, the server was lying. It told us it could do paged
4285	* searches when it could not. */
4286	state->connection->paged_results = False;
4287	}
4288
4289	ld = state->connection->ldap_struct;
4290	if ( ld == NULL) {
4291	DEBUG(5, ("Don't have an LDAP connection right after a "
4292	"search\n"));
4293	return False;
4294	}
4295	state->current_entry = ldap_first_entry(ld, state->entries);
4296
4297	if (state->current_entry == NULL) {
4298	ldap_msgfree(state->entries);
4299	state->entries = NULL;
4300	}
4301
4302	return True;
4303	}
4304
4305	static bool ldapsam_search_nextpage(struct pdb_search *search)
4306	{
4307	struct ldap_search_state *state =
4308	(struct ldap_search_state *)search->private_data;
4309	int rc;
4310
4311	if (!state->connection->paged_results) {
4312	/* There is no next page when there are no paged results */
4313	return False;
4314	}
4315
4316	rc = smbldap_search_paged(state->connection, state->base,
4317	state->scope, state->filter, state->attrs,
4318	state->attrsonly, lp_ldap_page_size(),
4319	&state->entries,
4320	&state->pagedresults_cookie);
4321
4322	if ((rc != LDAP_SUCCESS) \|\| (state->entries == NULL))
4323	return False;
4324
4325	state->current_entry = ldap_first_entry(state->connection->ldap_struct, state->entries);
4326
4327	if (state->current_entry == NULL) {
4328	ldap_msgfree(state->entries);
4329	state->entries = NULL;
4330	}
4331
4332	return True;
4333	}
4334
4335	static bool ldapsam_search_next_entry(struct pdb_search *search,
4336	struct samr_displayentry *entry)
4337	{
4338	struct ldap_search_state *state =
4339	(struct ldap_search_state *)search->private_data;
4340	bool result;
4341
4342	retry:
4343	if ((state->entries == NULL) && (state->pagedresults_cookie == NULL))
4344	return False;
4345
4346	if ((state->entries == NULL) &&
4347	!ldapsam_search_nextpage(search))
4348	return False;
4349
4350	result = state->ldap2displayentry(state, search->mem_ctx, state->connection->ldap_struct,
4351	state->current_entry, entry);
4352
4353	if (!result) {
4354	char *dn;
4355	dn = ldap_get_dn(state->connection->ldap_struct, state->current_entry);
4356	DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>"));
4357	if (dn != NULL) ldap_memfree(dn);
4358	}
4359
4360	state->current_entry = ldap_next_entry(state->connection->ldap_struct, state->current_entry);
4361
4362	if (state->current_entry == NULL) {
4363	ldap_msgfree(state->entries);
4364	state->entries = NULL;
4365	}
4366
4367	if (!result) goto retry;
4368
4369	return True;
4370	}
4371
4372	static void ldapsam_search_end(struct pdb_search *search)
4373	{
4374	struct ldap_search_state *state =
4375	(struct ldap_search_state *)search->private_data;
4376	int rc;
4377
4378	if (state->pagedresults_cookie == NULL)
4379	return;
4380
4381	if (state->entries != NULL)
4382	ldap_msgfree(state->entries);
4383
4384	state->entries = NULL;
4385	state->current_entry = NULL;
4386
4387	if (!state->connection->paged_results)
4388	return;
4389
4390	/* Tell the LDAP server we're not interested in the rest anymore. */
4391
4392	rc = smbldap_search_paged(state->connection, state->base, state->scope,
4393	state->filter, state->attrs,
4394	state->attrsonly, 0, &state->entries,
4395	&state->pagedresults_cookie);
4396
4397	if (rc != LDAP_SUCCESS)
4398	DEBUG(5, ("Could not end search properly\n"));
4399
4400	return;
4401	}
4402
4403	static bool ldapuser2displayentry(struct ldap_search_state *state,
4404	TALLOC_CTX *mem_ctx,
4405	LDAP ld, LDAPMessage entry,
4406	struct samr_displayentry *result)
4407	{
4408	char **vals;
4409	DOM_SID sid;
4410	uint32 acct_flags;
4411
4412	vals = ldap_get_values(ld, entry, "sambaAcctFlags");
4413	if ((vals == NULL) \|\| (vals[0] == NULL)) {
4414	DEBUG(5, ("\"sambaAcctFlags\" not found\n"));
4415	return False;
4416	}
4417	acct_flags = pdb_decode_acct_ctrl(vals[0]);
4418	ldap_value_free(vals);
4419
4420	if ((state->acct_flags != 0) &&
4421	((state->acct_flags & acct_flags) == 0))
4422	return False;
4423
4424	result->acct_flags = acct_flags;
4425	result->account_name = "";
4426	result->fullname = "";
4427	result->description = "";
4428
4429	vals = ldap_get_values(ld, entry, "uid");
4430	if ((vals == NULL) \|\| (vals[0] == NULL)) {
4431	DEBUG(5, ("\"uid\" not found\n"));
4432	return False;
4433	}
4434	pull_utf8_talloc(mem_ctx,
4435	CONST_DISCARD(char **, &result->account_name),
4436	vals[0]);
4437	ldap_value_free(vals);
4438
4439	vals = ldap_get_values(ld, entry, "displayName");
4440	if ((vals == NULL) \|\| (vals[0] == NULL))
4441	DEBUG(8, ("\"displayName\" not found\n"));
4442	else
4443	pull_utf8_talloc(mem_ctx,
4444	CONST_DISCARD(char **, &result->fullname),
4445	vals[0]);
4446	ldap_value_free(vals);
4447
4448	vals = ldap_get_values(ld, entry, "description");
4449	if ((vals == NULL) \|\| (vals[0] == NULL))
4450	DEBUG(8, ("\"description\" not found\n"));
4451	else
4452	pull_utf8_talloc(mem_ctx,
4453	CONST_DISCARD(char **, &result->description),
4454	vals[0]);
4455	ldap_value_free(vals);
4456
4457	if ((result->account_name == NULL) \|\|
4458	(result->fullname == NULL) \|\|
4459	(result->description == NULL)) {
4460	DEBUG(0, ("talloc failed\n"));
4461	return False;
4462	}
4463
4464	vals = ldap_get_values(ld, entry, "sambaSid");
4465	if ((vals == NULL) \|\| (vals[0] == NULL)) {
4466	DEBUG(0, ("\"objectSid\" not found\n"));
4467	return False;
4468	}
4469
4470	if (!string_to_sid(&sid, vals[0])) {
4471	DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
4472	ldap_value_free(vals);
4473	return False;
4474	}
4475	ldap_value_free(vals);
4476
4477	if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
4478	DEBUG(0, ("sid %s does not belong to our domain\n",
4479	sid_string_dbg(&sid)));
4480	return False;
4481	}
4482
4483	return True;
4484	}
4485
4486
4487	static bool ldapsam_search_users(struct pdb_methods *methods,
4488	struct pdb_search *search,
4489	uint32 acct_flags)
4490	{
4491	struct ldapsam_privates *ldap_state =
4492	(struct ldapsam_privates *)methods->private_data;
4493	struct ldap_search_state *state;
4494
4495	state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
4496	if (state == NULL) {
4497	DEBUG(0, ("talloc failed\n"));
4498	return False;
4499	}
4500
4501	state->connection = ldap_state->smbldap_state;
4502
4503	if ((acct_flags != 0) && ((acct_flags & ACB_NORMAL) != 0))
4504	state->base = lp_ldap_user_suffix();
4505	else if ((acct_flags != 0) &&
4506	((acct_flags & (ACB_WSTRUST\|ACB_SVRTRUST\|ACB_DOMTRUST)) != 0))
4507	state->base = lp_ldap_machine_suffix();
4508	else
4509	state->base = lp_ldap_suffix();
4510
4511	state->acct_flags = acct_flags;
4512	state->base = talloc_strdup(search->mem_ctx, state->base);
4513	state->scope = LDAP_SCOPE_SUBTREE;
4514	state->filter = get_ldap_filter(search->mem_ctx, "*");
4515	state->attrs = talloc_attrs(search->mem_ctx, "uid", "sambaSid",
4516	"displayName", "description",
4517	"sambaAcctFlags", NULL);
4518	state->attrsonly = 0;
4519	state->pagedresults_cookie = NULL;
4520	state->entries = NULL;
4521	state->ldap2displayentry = ldapuser2displayentry;
4522
4523	if ((state->filter == NULL) \|\| (state->attrs == NULL)) {
4524	DEBUG(0, ("talloc failed\n"));
4525	return False;
4526	}
4527
4528	search->private_data = state;
4529	search->next_entry = ldapsam_search_next_entry;
4530	search->search_end = ldapsam_search_end;
4531
4532	return ldapsam_search_firstpage(search);
4533	}
4534
4535	static bool ldapgroup2displayentry(struct ldap_search_state *state,
4536	TALLOC_CTX *mem_ctx,
4537	LDAP ld, LDAPMessage entry,
4538	struct samr_displayentry *result)
4539	{
4540	char **vals;
4541	DOM_SID sid;
4542	uint16 group_type;
4543
4544	result->account_name = "";
4545	result->fullname = "";
4546	result->description = "";
4547
4548
4549	vals = ldap_get_values(ld, entry, "sambaGroupType");
4550	if ((vals == NULL) \|\| (vals[0] == NULL)) {
4551	DEBUG(5, ("\"sambaGroupType\" not found\n"));
4552	if (vals != NULL) {
4553	ldap_value_free(vals);
4554	}
4555	return False;
4556	}
4557
4558	group_type = atoi(vals[0]);
4559
4560	if ((state->group_type != 0) &&
4561	((state->group_type != group_type))) {
4562	ldap_value_free(vals);
4563	return False;
4564	}
4565
4566	ldap_value_free(vals);
4567
4568	/* display name is the NT group name */
4569
4570	vals = ldap_get_values(ld, entry, "displayName");
4571	if ((vals == NULL) \|\| (vals[0] == NULL)) {
4572	DEBUG(8, ("\"displayName\" not found\n"));
4573
4574	/* fallback to the 'cn' attribute */
4575	vals = ldap_get_values(ld, entry, "cn");
4576	if ((vals == NULL) \|\| (vals[0] == NULL)) {
4577	DEBUG(5, ("\"cn\" not found\n"));
4578	return False;
4579	}
4580	pull_utf8_talloc(mem_ctx,
4581	CONST_DISCARD(char **, &result->account_name),
4582	vals[0]);
4583	}
4584	else {
4585	pull_utf8_talloc(mem_ctx,
4586	CONST_DISCARD(char **, &result->account_name),
4587	vals[0]);
4588	}
4589
4590	ldap_value_free(vals);
4591
4592	vals = ldap_get_values(ld, entry, "description");
4593	if ((vals == NULL) \|\| (vals[0] == NULL))
4594	DEBUG(8, ("\"description\" not found\n"));
4595	else
4596	pull_utf8_talloc(mem_ctx,
4597	CONST_DISCARD(char **, &result->description),
4598	vals[0]);
4599	ldap_value_free(vals);
4600
4601	if ((result->account_name == NULL) \|\|
4602	(result->fullname == NULL) \|\|
4603	(result->description == NULL)) {
4604	DEBUG(0, ("talloc failed\n"));
4605	return False;
4606	}
4607
4608	vals = ldap_get_values(ld, entry, "sambaSid");
4609	if ((vals == NULL) \|\| (vals[0] == NULL)) {
4610	DEBUG(0, ("\"objectSid\" not found\n"));
4611	if (vals != NULL) {
4612	ldap_value_free(vals);
4613	}
4614	return False;
4615	}
4616
4617	if (!string_to_sid(&sid, vals[0])) {
4618	DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
4619	return False;
4620	}
4621
4622	ldap_value_free(vals);
4623
4624	switch (group_type) {
4625	case SID_NAME_DOM_GRP:
4626	case SID_NAME_ALIAS:
4627
4628	if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
4629	&& !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
4630	{
4631	DEBUG(0, ("%s is not in our domain\n",
4632	sid_string_dbg(&sid)));
4633	return False;
4634	}
4635	break;
4636
4637	default:
4638	DEBUG(0,("unkown group type: %d\n", group_type));
4639	return False;
4640	}
4641
4642	result->acct_flags = 0;
4643
4644	return True;
4645	}
4646
4647	static bool ldapsam_search_grouptype(struct pdb_methods *methods,
4648	struct pdb_search *search,
4649	const DOM_SID *sid,
4650	enum lsa_SidType type)
4651	{
4652	struct ldapsam_privates *ldap_state =
4653	(struct ldapsam_privates *)methods->private_data;
4654	struct ldap_search_state *state;
4655	fstring tmp;
4656
4657	state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
4658	if (state == NULL) {
4659	DEBUG(0, ("talloc failed\n"));
4660	return False;
4661	}
4662
4663	state->connection = ldap_state->smbldap_state;
4664
4665	state->base = talloc_strdup(search->mem_ctx, lp_ldap_group_suffix());
4666	state->connection = ldap_state->smbldap_state;
4667	state->scope = LDAP_SCOPE_SUBTREE;
4668	state->filter = talloc_asprintf(search->mem_ctx,
4669	"(&(objectclass=sambaGroupMapping)"
4670	"(sambaGroupType=%d)(sambaSID=%s*))",
4671	type, sid_to_fstring(tmp, sid));
4672	state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid",
4673	"displayName", "description",
4674	"sambaGroupType", NULL);
4675	state->attrsonly = 0;
4676	state->pagedresults_cookie = NULL;
4677	state->entries = NULL;
4678	state->group_type = type;
4679	state->ldap2displayentry = ldapgroup2displayentry;
4680
4681	if ((state->filter == NULL) \|\| (state->attrs == NULL)) {
4682	DEBUG(0, ("talloc failed\n"));
4683	return False;
4684	}
4685
4686	search->private_data = state;
4687	search->next_entry = ldapsam_search_next_entry;
4688	search->search_end = ldapsam_search_end;
4689
4690	return ldapsam_search_firstpage(search);
4691	}
4692
4693	static bool ldapsam_search_groups(struct pdb_methods *methods,
4694	struct pdb_search *search)
4695	{
4696	return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
4697	}
4698
4699	static bool ldapsam_search_aliases(struct pdb_methods *methods,
4700	struct pdb_search *search,
4701	const DOM_SID *sid)
4702	{
4703	return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
4704	}
4705
4706	static bool ldapsam_rid_algorithm(struct pdb_methods *methods)
4707	{
4708	return False;
4709	}
4710
4711	static NTSTATUS ldapsam_get_new_rid(struct ldapsam_privates *priv,
4712	uint32 *rid)
4713	{
4714	struct smbldap_state *smbldap_state = priv->smbldap_state;
4715
4716	LDAPMessage *result = NULL;
4717	LDAPMessage *entry = NULL;
4718	LDAPMod **mods = NULL;
4719	NTSTATUS status;
4720	char *value;
4721	int rc;
4722	uint32 nextRid = 0;
4723	const char *dn;
4724
4725	TALLOC_CTX *mem_ctx;
4726
4727	mem_ctx = talloc_new(NULL);
4728	if (mem_ctx == NULL) {
4729	DEBUG(0, ("talloc_new failed\n"));
4730	return NT_STATUS_NO_MEMORY;
4731	}
4732
4733	status = smbldap_search_domain_info(smbldap_state, &result,
4734	get_global_sam_name(), False);
4735	if (!NT_STATUS_IS_OK(status)) {
4736	DEBUG(3, ("Could not get domain info: %s\n",
4737	nt_errstr(status)));
4738	goto done;
4739	}
4740
4741	talloc_autofree_ldapmsg(mem_ctx, result);
4742
4743	entry = ldap_first_entry(priv2ld(priv), result);
4744	if (entry == NULL) {
4745	DEBUG(0, ("Could not get domain info entry\n"));
4746	status = NT_STATUS_INTERNAL_DB_CORRUPTION;
4747	goto done;
4748	}
4749
4750	/* Find the largest of the three attributes "sambaNextRid",
4751	"sambaNextGroupRid" and "sambaNextUserRid". I gave up on the
4752	concept of differentiating between user and group rids, and will
4753	use only "sambaNextRid" in the future. But for compatibility
4754	reasons I look if others have chosen different strategies -- VL */
4755
4756	value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4757	"sambaNextRid", mem_ctx);
4758	if (value != NULL) {
4759	uint32 tmp = (uint32)strtoul(value, NULL, 10);
4760	nextRid = MAX(nextRid, tmp);
4761	}
4762
4763	value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4764	"sambaNextUserRid", mem_ctx);
4765	if (value != NULL) {
4766	uint32 tmp = (uint32)strtoul(value, NULL, 10);
4767	nextRid = MAX(nextRid, tmp);
4768	}
4769
4770	value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4771	"sambaNextGroupRid", mem_ctx);
4772	if (value != NULL) {
4773	uint32 tmp = (uint32)strtoul(value, NULL, 10);
4774	nextRid = MAX(nextRid, tmp);
4775	}
4776
4777	if (nextRid == 0) {
4778	nextRid = BASE_RID-1;
4779	}
4780
4781	nextRid += 1;
4782
4783	smbldap_make_mod(priv2ld(priv), entry, &mods, "sambaNextRid",
4784	talloc_asprintf(mem_ctx, "%d", nextRid));
4785	talloc_autofree_ldapmod(mem_ctx, mods);
4786
4787	if ((dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)) == NULL) {
4788	status = NT_STATUS_NO_MEMORY;
4789	goto done;
4790	}
4791
4792	rc = smbldap_modify(smbldap_state, dn, mods);
4793
4794	/* ACCESS_DENIED is used as a placeholder for "the modify failed,
4795	* please retry" */
4796
4797	status = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
4798
4799	done:
4800	if (NT_STATUS_IS_OK(status)) {
4801	*rid = nextRid;
4802	}
4803
4804	TALLOC_FREE(mem_ctx);
4805	return status;
4806	}
4807
4808	static NTSTATUS ldapsam_new_rid_internal(struct pdb_methods methods, uint32 rid)
4809	{
4810	int i;
4811
4812	for (i=0; i<10; i++) {
4813	NTSTATUS result = ldapsam_get_new_rid(
4814	(struct ldapsam_privates *)methods->private_data, rid);
4815	if (NT_STATUS_IS_OK(result)) {
4816	return result;
4817	}
4818
4819	if (!NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
4820	return result;
4821	}
4822
4823	/* The ldap update failed (maybe a race condition), retry */
4824	}
4825
4826	/* Tried 10 times, fail. */
4827	return NT_STATUS_ACCESS_DENIED;
4828	}
4829
4830	static bool ldapsam_new_rid(struct pdb_methods methods, uint32 rid)
4831	{
4832	NTSTATUS result = ldapsam_new_rid_internal(methods, rid);
4833	return NT_STATUS_IS_OK(result) ? True : False;
4834	}
4835
4836	static bool ldapsam_sid_to_id(struct pdb_methods *methods,
4837	const DOM_SID *sid,
4838	union unid_t id, enum lsa_SidType type)
4839	{
4840	struct ldapsam_privates *priv =
4841	(struct ldapsam_privates *)methods->private_data;
4842	char *filter;
4843	const char *attrs[] = { "sambaGroupType", "gidNumber", "uidNumber",
4844	NULL };
4845	LDAPMessage *result = NULL;
4846	LDAPMessage *entry = NULL;
4847	bool ret = False;
4848	char *value;
4849	int rc;
4850
4851	TALLOC_CTX *mem_ctx;
4852
4853	mem_ctx = talloc_new(NULL);
4854	if (mem_ctx == NULL) {
4855	DEBUG(0, ("talloc_new failed\n"));
4856	return False;
4857	}
4858
4859	filter = talloc_asprintf(mem_ctx,
4860	"(&(sambaSid=%s)"
4861	"(\|(objectClass=%s)(objectClass=%s)))",
4862	sid_string_talloc(mem_ctx, sid),
4863	LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
4864	if (filter == NULL) {
4865	DEBUG(5, ("talloc_asprintf failed\n"));
4866	goto done;
4867	}
4868
4869	rc = smbldap_search_suffix(priv->smbldap_state, filter,
4870	attrs, &result);
4871	if (rc != LDAP_SUCCESS) {
4872	goto done;
4873	}
4874	talloc_autofree_ldapmsg(mem_ctx, result);
4875
4876	if (ldap_count_entries(priv2ld(priv), result) != 1) {
4877	DEBUG(10, ("Got %d entries, expected one\n",
4878	ldap_count_entries(priv2ld(priv), result)));
4879	goto done;
4880	}
4881
4882	entry = ldap_first_entry(priv2ld(priv), result);
4883
4884	value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4885	"sambaGroupType", mem_ctx);
4886
4887	if (value != NULL) {
4888	const char *gid_str;
4889	/* It's a group */
4890
4891	gid_str = smbldap_talloc_single_attribute(
4892	priv2ld(priv), entry, "gidNumber", mem_ctx);
4893	if (gid_str == NULL) {
4894	DEBUG(1, ("%s has sambaGroupType but no gidNumber\n",
4895	smbldap_talloc_dn(mem_ctx, priv2ld(priv),
4896	entry)));
4897	goto done;
4898	}
4899
4900	id->gid = strtoul(gid_str, NULL, 10);
4901	*type = (enum lsa_SidType)strtoul(value, NULL, 10);
4902	ret = True;
4903	goto done;
4904	}
4905
4906	/* It must be a user */
4907
4908	value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
4909	"uidNumber", mem_ctx);
4910	if (value == NULL) {
4911	DEBUG(1, ("Could not find uidNumber in %s\n",
4912	smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)));
4913	goto done;
4914	}
4915
4916	id->uid = strtoul(value, NULL, 10);
4917	*type = SID_NAME_USER;
4918
4919	ret = True;
4920	done:
4921	TALLOC_FREE(mem_ctx);
4922	return ret;
4923	}
4924
4925	/*
4926	* The following functions is called only if
4927	* ldapsam:trusted and ldapsam:editposix are
4928	* set to true
4929	*/
4930
4931	/*
4932	* ldapsam_create_user creates a new
4933	* posixAccount and sambaSamAccount object
4934	* in the ldap users subtree
4935	*
4936	* The uid is allocated by winbindd.
4937	*/
4938
4939	static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
4940	TALLOC_CTX tmp_ctx, const char name,
4941	uint32 acb_info, uint32 *rid)
4942	{
4943	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
4944	LDAPMessage *entry = NULL;
4945	LDAPMessage *result = NULL;
4946	uint32 num_result;
4947	bool is_machine = False;
4948	bool add_posix = False;
4949	LDAPMod **mods = NULL;
4950	struct samu *user;
4951	char *filter;
4952	char *username;
4953	char *homedir;
4954	char *gidstr;
4955	char *uidstr;
4956	char *shell;
4957	const char *dn = NULL;
4958	DOM_SID group_sid;
4959	DOM_SID user_sid;
4960	gid_t gid = -1;
4961	uid_t uid = -1;
4962	NTSTATUS ret;
4963	int rc;
4964
4965	if (((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') \|\|
4966	acb_info & ACB_WSTRUST \|\|
4967	acb_info & ACB_SVRTRUST \|\|
4968	acb_info & ACB_DOMTRUST) {
4969	is_machine = True;
4970	}
4971
4972	username = escape_ldap_string_alloc(name);
4973	filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass=%s))",
4974	username, LDAP_OBJ_POSIXACCOUNT);
4975	SAFE_FREE(username);
4976
4977	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
4978	if (rc != LDAP_SUCCESS) {
4979	DEBUG(0,("ldapsam_create_user: ldap search failed!\n"));
4980	return NT_STATUS_ACCESS_DENIED;
4981	}
4982	talloc_autofree_ldapmsg(tmp_ctx, result);
4983
4984	num_result = ldap_count_entries(priv2ld(ldap_state), result);
4985
4986	if (num_result > 1) {
4987	DEBUG (0, ("ldapsam_create_user: More than one user with name [%s] ?!\n", name));
4988	return NT_STATUS_INTERNAL_DB_CORRUPTION;
4989	}
4990
4991	if (num_result == 1) {
4992	char *tmp;
4993	/* check if it is just a posix account.
4994	* or if there is a sid attached to this entry
4995	*/
4996
4997	entry = ldap_first_entry(priv2ld(ldap_state), result);
4998	if (!entry) {
4999	return NT_STATUS_UNSUCCESSFUL;
5000	}
5001
5002	tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
5003	if (tmp) {
5004	DEBUG (1, ("ldapsam_create_user: The user [%s] already exist!\n", name));
5005	return NT_STATUS_USER_EXISTS;
5006	}
5007
5008	/* it is just a posix account, retrieve the dn for later use */
5009	dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5010	if (!dn) {
5011	DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
5012	return NT_STATUS_NO_MEMORY;
5013	}
5014	}
5015
5016	if (num_result == 0) {
5017	add_posix = True;
5018	}
5019
5020	/* Create the basic samu structure and generate the mods for the ldap commit */
5021	if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
5022	DEBUG(1, ("ldapsam_create_user: Could not allocate a new RID\n"));
5023	return ret;
5024	}
5025
5026	sid_compose(&user_sid, get_global_sam_sid(), *rid);
5027
5028	user = samu_new(tmp_ctx);
5029	if (!user) {
5030	DEBUG(1,("ldapsam_create_user: Unable to allocate user struct\n"));
5031	return NT_STATUS_NO_MEMORY;
5032	}
5033
5034	if (!pdb_set_username(user, name, PDB_SET)) {
5035	DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5036	return NT_STATUS_UNSUCCESSFUL;
5037	}
5038	if (!pdb_set_domain(user, get_global_sam_name(), PDB_SET)) {
5039	DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5040	return NT_STATUS_UNSUCCESSFUL;
5041	}
5042	if (is_machine) {
5043	if (acb_info & ACB_NORMAL) {
5044	if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_SET)) {
5045	DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5046	return NT_STATUS_UNSUCCESSFUL;
5047	}
5048	} else {
5049	if (!pdb_set_acct_ctrl(user, acb_info, PDB_SET)) {
5050	DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5051	return NT_STATUS_UNSUCCESSFUL;
5052	}
5053	}
5054	} else {
5055	if (!pdb_set_acct_ctrl(user, ACB_NORMAL \| ACB_DISABLED, PDB_SET)) {
5056	DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5057	return NT_STATUS_UNSUCCESSFUL;
5058	}
5059	}
5060
5061	if (!pdb_set_user_sid(user, &user_sid, PDB_SET)) {
5062	DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5063	return NT_STATUS_UNSUCCESSFUL;
5064	}
5065
5066	if (!init_ldap_from_sam(ldap_state, NULL, &mods, user, element_is_set_or_changed)) {
5067	DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
5068	return NT_STATUS_UNSUCCESSFUL;
5069	}
5070
5071	if (ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT) {
5072	DEBUG(1,("ldapsam_create_user: Unsupported schema version\n"));
5073	}
5074	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
5075
5076	if (add_posix) {
5077	char *escape_name;
5078
5079	DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
5080
5081	/* retrieve the Domain Users group gid */
5082	if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS) \|\|
5083	!sid_to_gid(&group_sid, &gid)) {
5084	DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n"));
5085	return NT_STATUS_INVALID_PRIMARY_GROUP;
5086	}
5087
5088	/* lets allocate a new userid for this user */
5089	if (!winbind_allocate_uid(&uid)) {
5090	DEBUG (0, ("ldapsam_create_user: Unable to allocate a new user id: bailing out!\n"));
5091	return NT_STATUS_UNSUCCESSFUL;
5092	}
5093
5094
5095	if (is_machine) {
5096	/* TODO: choose a more appropriate default for machines */
5097	homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, gid);
5098	shell = talloc_strdup(tmp_ctx, "/bin/false");
5099	} else {
5100	homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), name, ldap_state->domain_name, uid, gid);
5101	shell = talloc_sub_specified(tmp_ctx, lp_template_shell(), name, ldap_state->domain_name, uid, gid);
5102	}
5103	uidstr = talloc_asprintf(tmp_ctx, "%d", uid);
5104	gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
5105
5106	escape_name = escape_rdn_val_string_alloc(name);
5107	if (!escape_name) {
5108	DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
5109	return NT_STATUS_NO_MEMORY;
5110	}
5111
5112	if (is_machine) {
5113	dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_machine_suffix ());
5114	} else {
5115	dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_user_suffix ());
5116	}
5117
5118	SAFE_FREE(escape_name);
5119
5120	if (!homedir \|\| !shell \|\| !uidstr \|\| !gidstr \|\| !dn) {
5121	DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
5122	return NT_STATUS_NO_MEMORY;
5123	}
5124
5125	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
5126	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
5127	smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
5128	smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
5129	smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
5130	smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir);
5131	smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
5132	}
5133
5134	talloc_autofree_ldapmod(tmp_ctx, mods);
5135
5136	if (add_posix) {
5137	rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5138	} else {
5139	rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5140	}
5141
5142	if (rc != LDAP_SUCCESS) {
5143	DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] (dn = %s)\n", name ,dn));
5144	return NT_STATUS_UNSUCCESSFUL;
5145	}
5146
5147	DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP database\n", name));
5148
5149	flush_pwnam_cache();
5150
5151	return NT_STATUS_OK;
5152	}
5153
5154	static NTSTATUS ldapsam_delete_user(struct pdb_methods my_methods, TALLOC_CTX tmp_ctx, struct samu *sam_acct)
5155	{
5156	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
5157	LDAPMessage *result = NULL;
5158	LDAPMessage *entry = NULL;
5159	int num_result;
5160	const char *dn;
5161	char *filter;
5162	int rc;
5163
5164	DEBUG(0,("ldapsam_delete_user: Attempt to delete user [%s]\n", pdb_get_username(sam_acct)));
5165
5166	filter = talloc_asprintf(tmp_ctx,
5167	"(&(uid=%s)"
5168	"(objectClass=%s)"
5169	"(objectClass=%s))",
5170	pdb_get_username(sam_acct),
5171	LDAP_OBJ_POSIXACCOUNT,
5172	LDAP_OBJ_SAMBASAMACCOUNT);
5173	if (filter == NULL) {
5174	return NT_STATUS_NO_MEMORY;
5175	}
5176
5177	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5178	if (rc != LDAP_SUCCESS) {
5179	DEBUG(0,("ldapsam_delete_user: user search failed!\n"));
5180	return NT_STATUS_UNSUCCESSFUL;
5181	}
5182	talloc_autofree_ldapmsg(tmp_ctx, result);
5183
5184	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5185
5186	if (num_result == 0) {
5187	DEBUG(0,("ldapsam_delete_user: user not found!\n"));
5188	return NT_STATUS_NO_SUCH_USER;
5189	}
5190
5191	if (num_result > 1) {
5192	DEBUG (0, ("ldapsam_delete_user: More than one user with name [%s] ?!\n", pdb_get_username(sam_acct)));
5193	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5194	}
5195
5196	entry = ldap_first_entry(priv2ld(ldap_state), result);
5197	if (!entry) {
5198	return NT_STATUS_UNSUCCESSFUL;
5199	}
5200
5201	/* it is just a posix account, retrieve the dn for later use */
5202	dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5203	if (!dn) {
5204	DEBUG(0,("ldapsam_delete_user: Out of memory!\n"));
5205	return NT_STATUS_NO_MEMORY;
5206	}
5207
5208	rc = smbldap_delete(ldap_state->smbldap_state, dn);
5209	if (rc != LDAP_SUCCESS) {
5210	return NT_STATUS_UNSUCCESSFUL;
5211	}
5212
5213	flush_pwnam_cache();
5214
5215	return NT_STATUS_OK;
5216	}
5217
5218	/*
5219	* ldapsam_create_group creates a new
5220	* posixGroup and sambaGroupMapping object
5221	* in the ldap groups subtree
5222	*
5223	* The gid is allocated by winbindd.
5224	*/
5225
5226	static NTSTATUS ldapsam_create_dom_group(struct pdb_methods *my_methods,
5227	TALLOC_CTX *tmp_ctx,
5228	const char *name,
5229	uint32 *rid)
5230	{
5231	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
5232	NTSTATUS ret;
5233	LDAPMessage *entry = NULL;
5234	LDAPMessage *result = NULL;
5235	uint32 num_result;
5236	bool is_new_entry = False;
5237	LDAPMod **mods = NULL;
5238	char *filter;
5239	char *groupsidstr;
5240	char *groupname;
5241	char *grouptype;
5242	char *gidstr;
5243	const char *dn = NULL;
5244	DOM_SID group_sid;
5245	gid_t gid = -1;
5246	int rc;
5247
5248	groupname = escape_ldap_string_alloc(name);
5249	filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass=%s))",
5250	groupname, LDAP_OBJ_POSIXGROUP);
5251	SAFE_FREE(groupname);
5252
5253	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5254	if (rc != LDAP_SUCCESS) {
5255	DEBUG(0,("ldapsam_create_group: ldap search failed!\n"));
5256	return NT_STATUS_UNSUCCESSFUL;
5257	}
5258	talloc_autofree_ldapmsg(tmp_ctx, result);
5259
5260	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5261
5262	if (num_result > 1) {
5263	DEBUG (0, ("ldapsam_create_group: There exists more than one group with name [%s]: bailing out!\n", name));
5264	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5265	}
5266
5267	if (num_result == 1) {
5268	char *tmp;
5269	/* check if it is just a posix group.
5270	* or if there is a sid attached to this entry
5271	*/
5272
5273	entry = ldap_first_entry(priv2ld(ldap_state), result);
5274	if (!entry) {
5275	return NT_STATUS_UNSUCCESSFUL;
5276	}
5277
5278	tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
5279	if (tmp) {
5280	DEBUG (1, ("ldapsam_create_group: The group [%s] already exist!\n", name));
5281	return NT_STATUS_GROUP_EXISTS;
5282	}
5283
5284	/* it is just a posix group, retrieve the gid and the dn for later use */
5285	tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
5286	if (!tmp) {
5287	DEBUG (1, ("ldapsam_create_group: Couldn't retrieve the gidNumber for [%s]?!?!\n", name));
5288	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5289	}
5290
5291	gid = strtoul(tmp, NULL, 10);
5292
5293	dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5294	if (!dn) {
5295	DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
5296	return NT_STATUS_NO_MEMORY;
5297	}
5298	}
5299
5300	if (num_result == 0) {
5301	char *escape_name;
5302
5303	DEBUG(3,("ldapsam_create_user: Creating new posix group\n"));
5304
5305	is_new_entry = True;
5306
5307	/* lets allocate a new groupid for this group */
5308	if (!winbind_allocate_gid(&gid)) {
5309	DEBUG (0, ("ldapsam_create_group: Unable to allocate a new group id: bailing out!\n"));
5310	return NT_STATUS_UNSUCCESSFUL;
5311	}
5312
5313	gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
5314
5315	escape_name = escape_rdn_val_string_alloc(name);
5316	if (!escape_name) {
5317	DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
5318	return NT_STATUS_NO_MEMORY;
5319	}
5320
5321	dn = talloc_asprintf(tmp_ctx, "cn=%s,%s", escape_name, lp_ldap_group_suffix());
5322
5323	SAFE_FREE(escape_name);
5324
5325	if (!gidstr \|\| !dn) {
5326	DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
5327	return NT_STATUS_NO_MEMORY;
5328	}
5329
5330	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
5331	smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
5332	smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
5333	}
5334
5335	if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
5336	DEBUG(1, ("ldapsam_create_group: Could not allocate a new RID\n"));
5337	return ret;
5338	}
5339
5340	sid_compose(&group_sid, get_global_sam_sid(), *rid);
5341
5342	groupsidstr = talloc_strdup(tmp_ctx, sid_string_talloc(tmp_ctx,
5343	&group_sid));
5344	grouptype = talloc_asprintf(tmp_ctx, "%d", SID_NAME_DOM_GRP);
5345
5346	if (!groupsidstr \|\| !grouptype) {
5347	DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
5348	return NT_STATUS_NO_MEMORY;
5349	}
5350
5351	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
5352	smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", groupsidstr);
5353	smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", grouptype);
5354	smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
5355	talloc_autofree_ldapmod(tmp_ctx, mods);
5356
5357	if (is_new_entry) {
5358	rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5359	#if 0
5360	if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
5361	/* This call may fail with rfc2307bis schema */
5362	/* Retry adding a structural class */
5363	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "????");
5364	rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
5365	}
5366	#endif
5367	} else {
5368	rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5369	}
5370
5371	if (rc != LDAP_SUCCESS) {
5372	DEBUG(0,("ldapsam_create_group: failed to create a new group [%s] (dn = %s)\n", name ,dn));
5373	return NT_STATUS_UNSUCCESSFUL;
5374	}
5375
5376	DEBUG(2,("ldapsam_create_group: added group [%s] in the LDAP database\n", name));
5377
5378	return NT_STATUS_OK;
5379	}
5380
5381	static NTSTATUS ldapsam_delete_dom_group(struct pdb_methods my_methods, TALLOC_CTX tmp_ctx, uint32 rid)
5382	{
5383	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
5384	LDAPMessage *result = NULL;
5385	LDAPMessage *entry = NULL;
5386	int num_result;
5387	const char *dn;
5388	char *gidstr;
5389	char *filter;
5390	DOM_SID group_sid;
5391	int rc;
5392
5393	/* get the group sid */
5394	sid_compose(&group_sid, get_global_sam_sid(), rid);
5395
5396	filter = talloc_asprintf(tmp_ctx,
5397	"(&(sambaSID=%s)"
5398	"(objectClass=%s)"
5399	"(objectClass=%s))",
5400	sid_string_talloc(tmp_ctx, &group_sid),
5401	LDAP_OBJ_POSIXGROUP,
5402	LDAP_OBJ_GROUPMAP);
5403	if (filter == NULL) {
5404	return NT_STATUS_NO_MEMORY;
5405	}
5406
5407	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5408	if (rc != LDAP_SUCCESS) {
5409	DEBUG(1,("ldapsam_delete_dom_group: group search failed!\n"));
5410	return NT_STATUS_UNSUCCESSFUL;
5411	}
5412	talloc_autofree_ldapmsg(tmp_ctx, result);
5413
5414	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5415
5416	if (num_result == 0) {
5417	DEBUG(1,("ldapsam_delete_dom_group: group not found!\n"));
5418	return NT_STATUS_NO_SUCH_GROUP;
5419	}
5420
5421	if (num_result > 1) {
5422	DEBUG (0, ("ldapsam_delete_dom_group: More than one group with the same SID ?!\n"));
5423	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5424	}
5425
5426	entry = ldap_first_entry(priv2ld(ldap_state), result);
5427	if (!entry) {
5428	return NT_STATUS_UNSUCCESSFUL;
5429	}
5430
5431	/* here it is, retrieve the dn for later use */
5432	dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5433	if (!dn) {
5434	DEBUG(0,("ldapsam_delete_dom_group: Out of memory!\n"));
5435	return NT_STATUS_NO_MEMORY;
5436	}
5437
5438	gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
5439	if (!gidstr) {
5440	DEBUG (0, ("ldapsam_delete_dom_group: Unable to find the group's gid!\n"));
5441	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5442	}
5443
5444	/* check no user have this group marked as primary group */
5445	filter = talloc_asprintf(tmp_ctx,
5446	"(&(gidNumber=%s)"
5447	"(objectClass=%s)"
5448	"(objectClass=%s))",
5449	gidstr,
5450	LDAP_OBJ_POSIXACCOUNT,
5451	LDAP_OBJ_SAMBASAMACCOUNT);
5452
5453	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5454	if (rc != LDAP_SUCCESS) {
5455	DEBUG(1,("ldapsam_delete_dom_group: accounts search failed!\n"));
5456	return NT_STATUS_UNSUCCESSFUL;
5457	}
5458	talloc_autofree_ldapmsg(tmp_ctx, result);
5459
5460	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5461
5462	if (num_result != 0) {
5463	DEBUG(3,("ldapsam_delete_dom_group: Can't delete group, it is a primary group for %d users\n", num_result));
5464	return NT_STATUS_MEMBERS_PRIMARY_GROUP;
5465	}
5466
5467	rc = smbldap_delete(ldap_state->smbldap_state, dn);
5468	if (rc != LDAP_SUCCESS) {
5469	return NT_STATUS_UNSUCCESSFUL;
5470	}
5471
5472	return NT_STATUS_OK;
5473	}
5474
5475	static NTSTATUS ldapsam_change_groupmem(struct pdb_methods *my_methods,
5476	TALLOC_CTX *tmp_ctx,
5477	uint32 group_rid,
5478	uint32 member_rid,
5479	int modop)
5480	{
5481	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
5482	LDAPMessage *entry = NULL;
5483	LDAPMessage *result = NULL;
5484	uint32 num_result;
5485	LDAPMod **mods = NULL;
5486	char *filter;
5487	char *uidstr;
5488	const char *dn = NULL;
5489	DOM_SID group_sid;
5490	DOM_SID member_sid;
5491	int rc;
5492
5493	switch (modop) {
5494	case LDAP_MOD_ADD:
5495	DEBUG(1,("ldapsam_change_groupmem: add new member(rid=%d) to a domain group(rid=%d)", member_rid, group_rid));
5496	break;
5497	case LDAP_MOD_DELETE:
5498	DEBUG(1,("ldapsam_change_groupmem: delete member(rid=%d) from a domain group(rid=%d)", member_rid, group_rid));
5499	break;
5500	default:
5501	return NT_STATUS_UNSUCCESSFUL;
5502	}
5503
5504	/* get member sid */
5505	sid_compose(&member_sid, get_global_sam_sid(), member_rid);
5506
5507	/* get the group sid */
5508	sid_compose(&group_sid, get_global_sam_sid(), group_rid);
5509
5510	filter = talloc_asprintf(tmp_ctx,
5511	"(&(sambaSID=%s)"
5512	"(objectClass=%s)"
5513	"(objectClass=%s))",
5514	sid_string_talloc(tmp_ctx, &member_sid),
5515	LDAP_OBJ_POSIXACCOUNT,
5516	LDAP_OBJ_SAMBASAMACCOUNT);
5517	if (filter == NULL) {
5518	return NT_STATUS_NO_MEMORY;
5519	}
5520
5521	/* get the member uid */
5522	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5523	if (rc != LDAP_SUCCESS) {
5524	DEBUG(1,("ldapsam_change_groupmem: member search failed!\n"));
5525	return NT_STATUS_UNSUCCESSFUL;
5526	}
5527	talloc_autofree_ldapmsg(tmp_ctx, result);
5528
5529	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5530
5531	if (num_result == 0) {
5532	DEBUG(1,("ldapsam_change_groupmem: member not found!\n"));
5533	return NT_STATUS_NO_SUCH_MEMBER;
5534	}
5535
5536	if (num_result > 1) {
5537	DEBUG (0, ("ldapsam_change_groupmem: More than one account with the same SID ?!\n"));
5538	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5539	}
5540
5541	entry = ldap_first_entry(priv2ld(ldap_state), result);
5542	if (!entry) {
5543	return NT_STATUS_UNSUCCESSFUL;
5544	}
5545
5546	if (modop == LDAP_MOD_DELETE) {
5547	/* check if we are trying to remove the member from his primary group */
5548	char *gidstr;
5549	gid_t user_gid, group_gid;
5550
5551	gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
5552	if (!gidstr) {
5553	DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's gid!\n"));
5554	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5555	}
5556
5557	user_gid = strtoul(gidstr, NULL, 10);
5558
5559	if (!sid_to_gid(&group_sid, &group_gid)) {
5560	DEBUG (0, ("ldapsam_change_groupmem: Unable to get group gid from SID!\n"));
5561	return NT_STATUS_UNSUCCESSFUL;
5562	}
5563
5564	if (user_gid == group_gid) {
5565	DEBUG (3, ("ldapsam_change_groupmem: can't remove user from its own primary group!\n"));
5566	return NT_STATUS_MEMBERS_PRIMARY_GROUP;
5567	}
5568	}
5569
5570	/* here it is, retrieve the uid for later use */
5571	uidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "uid", tmp_ctx);
5572	if (!uidstr) {
5573	DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's name!\n"));
5574	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5575	}
5576
5577	filter = talloc_asprintf(tmp_ctx,
5578	"(&(sambaSID=%s)"
5579	"(objectClass=%s)"
5580	"(objectClass=%s))",
5581	sid_string_talloc(tmp_ctx, &group_sid),
5582	LDAP_OBJ_POSIXGROUP,
5583	LDAP_OBJ_GROUPMAP);
5584
5585	/* get the group */
5586	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5587	if (rc != LDAP_SUCCESS) {
5588	DEBUG(1,("ldapsam_change_groupmem: group search failed!\n"));
5589	return NT_STATUS_UNSUCCESSFUL;
5590	}
5591	talloc_autofree_ldapmsg(tmp_ctx, result);
5592
5593	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5594
5595	if (num_result == 0) {
5596	DEBUG(1,("ldapsam_change_groupmem: group not found!\n"));
5597	return NT_STATUS_NO_SUCH_GROUP;
5598	}
5599
5600	if (num_result > 1) {
5601	DEBUG (0, ("ldapsam_change_groupmem: More than one group with the same SID ?!\n"));
5602	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5603	}
5604
5605	entry = ldap_first_entry(priv2ld(ldap_state), result);
5606	if (!entry) {
5607	return NT_STATUS_UNSUCCESSFUL;
5608	}
5609
5610	/* here it is, retrieve the dn for later use */
5611	dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
5612	if (!dn) {
5613	DEBUG(0,("ldapsam_change_groupmem: Out of memory!\n"));
5614	return NT_STATUS_NO_MEMORY;
5615	}
5616
5617	smbldap_set_mod(&mods, modop, "memberUid", uidstr);
5618
5619	talloc_autofree_ldapmod(tmp_ctx, mods);
5620
5621	rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5622	if (rc != LDAP_SUCCESS) {
5623	if (rc == LDAP_TYPE_OR_VALUE_EXISTS && modop == LDAP_MOD_ADD) {
5624	DEBUG(1,("ldapsam_change_groupmem: member is already in group, add failed!\n"));
5625	return NT_STATUS_MEMBER_IN_GROUP;
5626	}
5627	if (rc == LDAP_NO_SUCH_ATTRIBUTE && modop == LDAP_MOD_DELETE) {
5628	DEBUG(1,("ldapsam_change_groupmem: member is not in group, delete failed!\n"));
5629	return NT_STATUS_MEMBER_NOT_IN_GROUP;
5630	}
5631	return NT_STATUS_UNSUCCESSFUL;
5632	}
5633
5634	return NT_STATUS_OK;
5635	}
5636
5637	static NTSTATUS ldapsam_add_groupmem(struct pdb_methods *my_methods,
5638	TALLOC_CTX *tmp_ctx,
5639	uint32 group_rid,
5640	uint32 member_rid)
5641	{
5642	return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_ADD);
5643	}
5644	static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
5645	TALLOC_CTX *tmp_ctx,
5646	uint32 group_rid,
5647	uint32 member_rid)
5648	{
5649	return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_DELETE);
5650	}
5651
5652	static NTSTATUS ldapsam_set_primary_group(struct pdb_methods *my_methods,
5653	TALLOC_CTX *mem_ctx,
5654	struct samu *sampass)
5655	{
5656	struct ldapsam_privates ldap_state = (struct ldapsam_privates )my_methods->private_data;
5657	LDAPMessage *entry = NULL;
5658	LDAPMessage *result = NULL;
5659	uint32 num_result;
5660	LDAPMod **mods = NULL;
5661	char *filter;
5662	char *escape_username;
5663	char *gidstr;
5664	const char *dn = NULL;
5665	gid_t gid;
5666	int rc;
5667
5668	DEBUG(0,("ldapsam_set_primary_group: Attempt to set primary group for user [%s]\n", pdb_get_username(sampass)));
5669
5670	if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) {
5671	DEBUG(0,("ldapsam_set_primary_group: failed to retrieve gid from user's group SID!\n"));
5672	return NT_STATUS_UNSUCCESSFUL;
5673	}
5674	gidstr = talloc_asprintf(mem_ctx, "%d", gid);
5675	if (!gidstr) {
5676	DEBUG(0,("ldapsam_set_primary_group: Out of Memory!\n"));
5677	return NT_STATUS_NO_MEMORY;
5678	}
5679
5680	escape_username = escape_ldap_string_alloc(pdb_get_username(sampass));
5681	if (escape_username== NULL) {
5682	return NT_STATUS_NO_MEMORY;
5683	}
5684
5685	filter = talloc_asprintf(mem_ctx,
5686	"(&(uid=%s)"
5687	"(objectClass=%s)"
5688	"(objectClass=%s))",
5689	escape_username,
5690	LDAP_OBJ_POSIXACCOUNT,
5691	LDAP_OBJ_SAMBASAMACCOUNT);
5692
5693	SAFE_FREE(escape_username);
5694
5695	if (filter == NULL) {
5696	return NT_STATUS_NO_MEMORY;
5697	}
5698
5699	rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
5700	if (rc != LDAP_SUCCESS) {
5701	DEBUG(0,("ldapsam_set_primary_group: user search failed!\n"));
5702	return NT_STATUS_UNSUCCESSFUL;
5703	}
5704	talloc_autofree_ldapmsg(mem_ctx, result);
5705
5706	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5707
5708	if (num_result == 0) {
5709	DEBUG(0,("ldapsam_set_primary_group: user not found!\n"));
5710	return NT_STATUS_NO_SUCH_USER;
5711	}
5712
5713	if (num_result > 1) {
5714	DEBUG (0, ("ldapsam_set_primary_group: More than one user with name [%s] ?!\n", pdb_get_username(sampass)));
5715	return NT_STATUS_INTERNAL_DB_CORRUPTION;
5716	}
5717
5718	entry = ldap_first_entry(priv2ld(ldap_state), result);
5719	if (!entry) {
5720	return NT_STATUS_UNSUCCESSFUL;
5721	}
5722
5723	/* retrieve the dn for later use */
5724	dn = smbldap_talloc_dn(mem_ctx, priv2ld(ldap_state), entry);
5725	if (!dn) {
5726	DEBUG(0,("ldapsam_set_primary_group: Out of memory!\n"));
5727	return NT_STATUS_NO_MEMORY;
5728	}
5729
5730	/* remove the old one, and add the new one, this way we do not risk races */
5731	smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "gidNumber", gidstr);
5732
5733	if (mods == NULL) {
5734	return NT_STATUS_OK;
5735	}
5736
5737	rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
5738
5739	if (rc != LDAP_SUCCESS) {
5740	DEBUG(0,("ldapsam_set_primary_group: failed to modify [%s] primary group to [%s]\n",
5741	pdb_get_username(sampass), gidstr));
5742	return NT_STATUS_UNSUCCESSFUL;
5743	}
5744
5745	flush_pwnam_cache();
5746
5747	return NT_STATUS_OK;
5748	}
5749
5750
5751	/**********************************************************************
5752	trusted domains functions
5753	*********************************************************************/
5754
5755	static char trusteddom_dn(struct ldapsam_privates ldap_state,
5756	const char *domain)
5757	{
5758	return talloc_asprintf(talloc_tos(), "sambaDomainName=%s,%s", domain,
5759	ldap_state->domain_dn);
5760	}
5761
5762	static bool get_trusteddom_pw_int(struct ldapsam_privates *ldap_state,
5763	const char domain, LDAPMessage *entry)
5764	{
5765	int rc;
5766	char *filter;
5767	int scope = LDAP_SCOPE_SUBTREE;
5768	const char *attrs = NULL; / NULL: get all attrs */
5769	int attrsonly = 0; /* 0: return values too */
5770	LDAPMessage *result = NULL;
5771	char *trusted_dn;
5772	uint32 num_result;
5773
5774	filter = talloc_asprintf(talloc_tos(),
5775	"(&(objectClass=%s)(sambaDomainName=%s))",
5776	LDAP_OBJ_TRUSTDOM_PASSWORD, domain);
5777
5778	trusted_dn = trusteddom_dn(ldap_state, domain);
5779	if (trusted_dn == NULL) {
5780	return False;
5781	}
5782	rc = smbldap_search(ldap_state->smbldap_state, trusted_dn, scope,
5783	filter, attrs, attrsonly, &result);
5784
5785	if (rc == LDAP_NO_SUCH_OBJECT) {
5786	*entry = NULL;
5787	return True;
5788	}
5789
5790	if (rc != LDAP_SUCCESS) {
5791	return False;
5792	}
5793
5794	num_result = ldap_count_entries(priv2ld(ldap_state), result);
5795
5796	if (num_result > 1) {
5797	DEBUG(1, ("ldapsam_get_trusteddom_pw: more than one "
5798	"sambaTrustedDomainPassword object for domain '%s'"
5799	"?!\n", domain));
5800	return False;
5801	}
5802
5803	if (num_result == 0) {
5804	DEBUG(1, ("ldapsam_get_trusteddom_pw: no "
5805	"sambaTrustedDomainPassword object for domain %s.\n",
5806	domain));
5807	*entry = NULL;
5808	} else {
5809	*entry = ldap_first_entry(priv2ld(ldap_state), result);
5810	}
5811
5812	return True;
5813	}
5814
5815	static bool ldapsam_get_trusteddom_pw(struct pdb_methods *methods,
5816	const char *domain,
5817	char** pwd,
5818	DOM_SID *sid,
5819	time_t *pass_last_set_time)
5820	{
5821	struct ldapsam_privates *ldap_state =
5822	(struct ldapsam_privates *)methods->private_data;
5823	LDAPMessage *entry = NULL;
5824
5825	DEBUG(10, ("ldapsam_get_trusteddom_pw called for domain %s\n", domain));
5826
5827	if (!get_trusteddom_pw_int(ldap_state, domain, &entry) \|\|
5828	(entry == NULL))
5829	{
5830	return False;
5831	}
5832
5833	/* password */
5834	if (pwd != NULL) {
5835	char *pwd_str;
5836	pwd_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
5837	entry, "sambaClearTextPassword", talloc_tos());
5838	if (pwd_str == NULL) {
5839	return False;
5840	}
5841	/* trusteddom_pw routines do not use talloc yet... */
5842	*pwd = SMB_STRDUP(pwd_str);
5843	if (*pwd == NULL) {
5844	return False;
5845	}
5846	}
5847
5848	/* last change time */
5849	if (pass_last_set_time != NULL) {
5850	char *time_str;
5851	time_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
5852	entry, "sambaPwdLastSet", talloc_tos());
5853	if (time_str == NULL) {
5854	return False;
5855	}
5856	*pass_last_set_time = (time_t)atol(time_str);
5857	}
5858
5859	/* domain sid */
5860	if (sid != NULL) {
5861	char *sid_str;
5862	DOM_SID *dom_sid;
5863	sid_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
5864	entry, "sambaSID",
5865	talloc_tos());
5866	if (sid_str == NULL) {
5867	return False;
5868	}
5869	dom_sid = string_sid_talloc(talloc_tos(), sid_str);
5870	if (dom_sid == NULL) {
5871	return False;
5872	}
5873	sid_copy(sid, dom_sid);
5874	}
5875
5876	return True;
5877	}
5878
5879	static bool ldapsam_set_trusteddom_pw(struct pdb_methods *methods,
5880	const char* domain,
5881	const char* pwd,
5882	const DOM_SID *sid)
5883	{
5884	struct ldapsam_privates *ldap_state =
5885	(struct ldapsam_privates *)methods->private_data;
5886	LDAPMessage *entry = NULL;
5887	LDAPMod **mods = NULL;
5888	char *prev_pwd = NULL;
5889	char *trusted_dn = NULL;
5890	int rc;
5891
5892	DEBUG(10, ("ldapsam_set_trusteddom_pw called for domain %s\n", domain));
5893
5894	/*
5895	* get the current entry (if there is one) in order to put the
5896	* current password into the previous password attribute
5897	*/
5898	if (!get_trusteddom_pw_int(ldap_state, domain, &entry)) {
5899	return False;
5900	}
5901
5902	mods = NULL;
5903	smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
5904	"sambaTrustedDomainPassword");
5905	smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaDomainName",
5906	domain);
5907	smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaSID",
5908	sid_string_tos(sid));
5909	smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaPwdLastSet",
5910	talloc_asprintf(talloc_tos(), "%li", time(NULL)));
5911	smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
5912	"sambaClearTextPassword", pwd);
5913	if (entry != NULL) {
5914	prev_pwd = smbldap_talloc_single_attribute(priv2ld(ldap_state),
5915	entry, "sambaClearTextPassword", talloc_tos());
5916	if (prev_pwd != NULL) {
5917	smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
5918	"sambaPreviousClearTextPassword",
5919	prev_pwd);
5920	}
5921	}
5922
5923	trusted_dn = trusteddom_dn(ldap_state, domain);
5924	if (trusted_dn == NULL) {
5925	return False;
5926	}
5927	if (entry == NULL) {
5928	rc = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
5929	} else {
5930	rc = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
5931	}
5932
5933	if (rc != LDAP_SUCCESS) {
5934	DEBUG(1, ("error writing trusted domain password!\n"));
5935	return False;
5936	}
5937
5938	return True;
5939	}
5940
5941	static bool ldapsam_del_trusteddom_pw(struct pdb_methods *methods,
5942	const char *domain)
5943	{
5944	int rc;
5945	struct ldapsam_privates *ldap_state =
5946	(struct ldapsam_privates *)methods->private_data;
5947	LDAPMessage *entry = NULL;
5948	const char *trusted_dn;
5949
5950	if (!get_trusteddom_pw_int(ldap_state, domain, &entry)) {
5951	return False;
5952	}
5953
5954	if (entry == NULL) {
5955	DEBUG(5, ("ldapsam_del_trusteddom_pw: no such trusted domain: "
5956	"%s\n", domain));
5957	return True;
5958	}
5959
5960	trusted_dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state),
5961	entry);
5962	if (trusted_dn == NULL) {
5963	DEBUG(0,("ldapsam_del_trusteddom_pw: Out of memory!\n"));
5964	return False;
5965	}
5966
5967	rc = smbldap_delete(ldap_state->smbldap_state, trusted_dn);
5968	if (rc != LDAP_SUCCESS) {
5969	return False;
5970	}
5971
5972	return True;
5973	}
5974
5975	static NTSTATUS ldapsam_enum_trusteddoms(struct pdb_methods *methods,
5976	TALLOC_CTX *mem_ctx,
5977	uint32 *num_domains,
5978	struct trustdom_info ***domains)
5979	{
5980	int rc;
5981	struct ldapsam_privates *ldap_state =
5982	(struct ldapsam_privates *)methods->private_data;
5983	char *filter;
5984	int scope = LDAP_SCOPE_SUBTREE;
5985	const char *attrs[] = { "sambaDomainName", "sambaSID", NULL };
5986	int attrsonly = 0; /* 0: return values too */
5987	LDAPMessage *result = NULL;
5988	LDAPMessage *entry = NULL;
5989
5990	filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
5991	LDAP_OBJ_TRUSTDOM_PASSWORD);
5992
5993	rc = smbldap_search(ldap_state->smbldap_state,
5994	ldap_state->domain_dn,
5995	scope,
5996	filter,
5997	attrs,
5998	attrsonly,
5999	&result);
6000
6001	if (rc != LDAP_SUCCESS) {
6002	return NT_STATUS_UNSUCCESSFUL;
6003	}
6004
6005	*num_domains = 0;
6006	if (!(domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info , 1))) {
6007	DEBUG(1, ("talloc failed\n"));
6008	return NT_STATUS_NO_MEMORY;
6009	}
6010
6011	for (entry = ldap_first_entry(priv2ld(ldap_state), result);
6012	entry != NULL;
6013	entry = ldap_next_entry(priv2ld(ldap_state), entry))
6014	{
6015	char dom_name, dom_sid_str;
6016	struct trustdom_info *dom_info;
6017
6018	dom_info = TALLOC_P(*domains, struct trustdom_info);
6019	if (dom_info == NULL) {
6020	DEBUG(1, ("talloc failed\n"));
6021	return NT_STATUS_NO_MEMORY;
6022	}
6023
6024	dom_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
6025	entry,
6026	"sambaDomainName",
6027	talloc_tos());
6028	if (dom_name == NULL) {
6029	DEBUG(1, ("talloc failed\n"));
6030	return NT_STATUS_NO_MEMORY;
6031	}
6032	dom_info->name = dom_name;
6033
6034	dom_sid_str = smbldap_talloc_single_attribute(
6035	priv2ld(ldap_state), entry, "sambaSID",
6036	talloc_tos());
6037	if (dom_sid_str == NULL) {
6038	DEBUG(1, ("talloc failed\n"));
6039	return NT_STATUS_NO_MEMORY;
6040	}
6041	if (!string_to_sid(&dom_info->sid, dom_sid_str)) {
6042	DEBUG(1, ("Error calling string_to_sid on SID %s\n",
6043	dom_sid_str));
6044	return NT_STATUS_UNSUCCESSFUL;
6045	}
6046
6047	ADD_TO_ARRAY(domains, struct trustdom_info , dom_info,
6048	domains, num_domains);
6049
6050	if (*domains == NULL) {
6051	DEBUG(1, ("talloc failed\n"));
6052	return NT_STATUS_NO_MEMORY;
6053	}
6054	}
6055
6056	DEBUG(5, ("ldapsam_enum_trusteddoms: got %d domains\n", *num_domains));
6057	return NT_STATUS_OK;
6058	}
6059
6060
6061	/**********************************************************************
6062	Housekeeping
6063	*********************************************************************/
6064
6065	static void free_private_data(void **vp)
6066	{
6067	struct ldapsam_privates ldap_state = (struct ldapsam_privates )vp;
6068
6069	smbldap_free_struct(&(*ldap_state)->smbldap_state);
6070
6071	if ((*ldap_state)->result != NULL) {
6072	ldap_msgfree((*ldap_state)->result);
6073	(*ldap_state)->result = NULL;
6074	}
6075	if ((*ldap_state)->domain_dn != NULL) {
6076	SAFE_FREE((*ldap_state)->domain_dn);
6077	}
6078
6079	*ldap_state = NULL;
6080
6081	/* No need to free any further, as it is talloc()ed */
6082	}
6083
6084	/*********************************************************************
6085	Intitalise the parts of the pdb_methods structure that are common to
6086	all pdb_ldap modes
6087	*********************************************************************/
6088
6089	static NTSTATUS pdb_init_ldapsam_common(struct pdb_methods *pdb_method, const char location)
6090	{
6091	NTSTATUS nt_status;
6092	struct ldapsam_privates *ldap_state;
6093
6094	if (!NT_STATUS_IS_OK(nt_status = make_pdb_method( pdb_method ))) {
6095	return nt_status;
6096	}
6097
6098	(*pdb_method)->name = "ldapsam";
6099
6100	(*pdb_method)->getsampwnam = ldapsam_getsampwnam;
6101	(*pdb_method)->getsampwsid = ldapsam_getsampwsid;
6102	(*pdb_method)->add_sam_account = ldapsam_add_sam_account;
6103	(*pdb_method)->update_sam_account = ldapsam_update_sam_account;
6104	(*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
6105	(*pdb_method)->rename_sam_account = ldapsam_rename_sam_account;
6106
6107	(*pdb_method)->getgrsid = ldapsam_getgrsid;
6108	(*pdb_method)->getgrgid = ldapsam_getgrgid;
6109	(*pdb_method)->getgrnam = ldapsam_getgrnam;
6110	(*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
6111	(*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
6112	(*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
6113	(*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
6114
6115	(*pdb_method)->get_account_policy = ldapsam_get_account_policy;
6116	(*pdb_method)->set_account_policy = ldapsam_set_account_policy;
6117
6118	(*pdb_method)->get_seq_num = ldapsam_get_seq_num;
6119
6120	(*pdb_method)->rid_algorithm = ldapsam_rid_algorithm;
6121	(*pdb_method)->new_rid = ldapsam_new_rid;
6122
6123	(*pdb_method)->get_trusteddom_pw = ldapsam_get_trusteddom_pw;
6124	(*pdb_method)->set_trusteddom_pw = ldapsam_set_trusteddom_pw;
6125	(*pdb_method)->del_trusteddom_pw = ldapsam_del_trusteddom_pw;
6126	(*pdb_method)->enum_trusteddoms = ldapsam_enum_trusteddoms;
6127
6128	/* TODO: Setup private data and free */
6129
6130	if ( !(ldap_state = TALLOC_ZERO_P(*pdb_method, struct ldapsam_privates)) ) {
6131	DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
6132	return NT_STATUS_NO_MEMORY;
6133	}
6134
6135	nt_status = smbldap_init(*pdb_method, pdb_get_event_context(),
6136	location, &ldap_state->smbldap_state);
6137
6138	if ( !NT_STATUS_IS_OK(nt_status) ) {
6139	return nt_status;
6140	}
6141
6142	if ( !(ldap_state->domain_name = talloc_strdup(*pdb_method, get_global_sam_name()) ) ) {
6143	return NT_STATUS_NO_MEMORY;
6144	}
6145
6146	(*pdb_method)->private_data = ldap_state;
6147
6148	(*pdb_method)->free_private_data = free_private_data;
6149
6150	return NT_STATUS_OK;
6151	}
6152
6153	/**********************************************************************
6154	Initialise the 'compat' mode for pdb_ldap
6155	*********************************************************************/
6156
6157	NTSTATUS pdb_init_ldapsam_compat(struct pdb_methods *pdb_method, const char location)
6158	{
6159	NTSTATUS nt_status;
6160	struct ldapsam_privates *ldap_state;
6161	char *uri = talloc_strdup( NULL, location );
6162
6163	trim_char( uri, '\"', '\"' );
6164	nt_status = pdb_init_ldapsam_common( pdb_method, uri );
6165	if ( uri )
6166	TALLOC_FREE( uri );
6167
6168	if ( !NT_STATUS_IS_OK(nt_status) ) {
6169	return nt_status;
6170	}
6171
6172	(*pdb_method)->name = "ldapsam_compat";
6173
6174	ldap_state = (struct ldapsam_privates )((pdb_method)->private_data);
6175	ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
6176
6177	sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
6178
6179	return NT_STATUS_OK;
6180	}
6181
6182	/**********************************************************************
6183	Initialise the normal mode for pdb_ldap
6184	*********************************************************************/
6185
6186	NTSTATUS pdb_init_ldapsam(struct pdb_methods *pdb_method, const char location)
6187	{
6188	NTSTATUS nt_status;
6189	struct ldapsam_privates *ldap_state = NULL;
6190	uint32 alg_rid_base;
6191	char *alg_rid_base_string = NULL;
6192	LDAPMessage *result = NULL;
6193	LDAPMessage *entry = NULL;
6194	DOM_SID ldap_domain_sid;
6195	DOM_SID secrets_domain_sid;
6196	char *domain_sid_string = NULL;
6197	char *dn = NULL;
6198	char *uri = talloc_strdup( NULL, location );
6199
6200	trim_char( uri, '\"', '\"' );
6201	nt_status = pdb_init_ldapsam_common(pdb_method, uri);
6202	if (uri) {
6203	TALLOC_FREE(uri);
6204	}
6205
6206	if (!NT_STATUS_IS_OK(nt_status)) {
6207	return nt_status;
6208	}
6209
6210	(*pdb_method)->name = "ldapsam";
6211
6212	(*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
6213	(*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
6214	(*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
6215	(*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
6216	(*pdb_method)->search_users = ldapsam_search_users;
6217	(*pdb_method)->search_groups = ldapsam_search_groups;
6218	(*pdb_method)->search_aliases = ldapsam_search_aliases;
6219
6220	if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
6221	(*pdb_method)->enum_group_members = ldapsam_enum_group_members;
6222	(*pdb_method)->enum_group_memberships =
6223	ldapsam_enum_group_memberships;
6224	(*pdb_method)->lookup_rids = ldapsam_lookup_rids;
6225	(*pdb_method)->sid_to_id = ldapsam_sid_to_id;
6226
6227	if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
6228	(*pdb_method)->create_user = ldapsam_create_user;
6229	(*pdb_method)->delete_user = ldapsam_delete_user;
6230	(*pdb_method)->create_dom_group = ldapsam_create_dom_group;
6231	(*pdb_method)->delete_dom_group = ldapsam_delete_dom_group;
6232	(*pdb_method)->add_groupmem = ldapsam_add_groupmem;
6233	(*pdb_method)->del_groupmem = ldapsam_del_groupmem;
6234	(*pdb_method)->set_unix_primary_group = ldapsam_set_primary_group;
6235	}
6236	}
6237
6238	ldap_state = (struct ldapsam_privates )((pdb_method)->private_data);
6239	ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
6240
6241	/* Try to setup the Domain Name, Domain SID, algorithmic rid base */
6242
6243	nt_status = smbldap_search_domain_info(ldap_state->smbldap_state,
6244	&result,
6245	ldap_state->domain_name, True);
6246
6247	if ( !NT_STATUS_IS_OK(nt_status) ) {
6248	DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain "
6249	"info, nor add one to the domain\n"));
6250	DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, "
6251	"will be unable to allocate new users/groups, "
6252	"and will risk BDCs having inconsistant SIDs\n"));
6253	sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
6254	return NT_STATUS_OK;
6255	}
6256
6257	/* Given that the above might fail, everything below this must be
6258	* optional */
6259
6260	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
6261	result);
6262	if (!entry) {
6263	DEBUG(0, ("pdb_init_ldapsam: Could not get domain info "
6264	"entry\n"));
6265	ldap_msgfree(result);
6266	return NT_STATUS_UNSUCCESSFUL;
6267	}
6268
6269	dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
6270	if (!dn) {
6271	ldap_msgfree(result);
6272	return NT_STATUS_UNSUCCESSFUL;
6273	}
6274
6275	ldap_state->domain_dn = smb_xstrdup(dn);
6276	ldap_memfree(dn);
6277
6278	domain_sid_string = smbldap_talloc_single_attribute(
6279	ldap_state->smbldap_state->ldap_struct,
6280	entry,
6281	get_userattr_key2string(ldap_state->schema_ver,
6282	LDAP_ATTR_USER_SID),
6283	talloc_tos());
6284
6285	if (domain_sid_string) {
6286	bool found_sid;
6287	if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
6288	DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be "
6289	"read as a valid SID\n", domain_sid_string));
6290	ldap_msgfree(result);
6291	TALLOC_FREE(domain_sid_string);
6292	return NT_STATUS_INVALID_PARAMETER;
6293	}
6294	found_sid = secrets_fetch_domain_sid(ldap_state->domain_name,
6295	&secrets_domain_sid);
6296	if (!found_sid \|\| !sid_equal(&secrets_domain_sid,
6297	&ldap_domain_sid)) {
6298	DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain "
6299	"%s based on pdb_ldap results %s -> %s\n",
6300	ldap_state->domain_name,
6301	sid_string_dbg(&secrets_domain_sid),
6302	sid_string_dbg(&ldap_domain_sid)));
6303
6304	/* reset secrets.tdb sid */
6305	secrets_store_domain_sid(ldap_state->domain_name,
6306	&ldap_domain_sid);
6307	DEBUG(1, ("New global sam SID: %s\n",
6308	sid_string_dbg(get_global_sam_sid())));
6309	}
6310	sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
6311	TALLOC_FREE(domain_sid_string);
6312	}
6313
6314	alg_rid_base_string = smbldap_talloc_single_attribute(
6315	ldap_state->smbldap_state->ldap_struct,
6316	entry,
6317	get_attr_key2string( dominfo_attr_list,
6318	LDAP_ATTR_ALGORITHMIC_RID_BASE ),
6319	talloc_tos());
6320	if (alg_rid_base_string) {
6321	alg_rid_base = (uint32)atol(alg_rid_base_string);
6322	if (alg_rid_base != algorithmic_rid_base()) {
6323	DEBUG(0, ("The value of 'algorithmic RID base' has "
6324	"changed since the LDAP\n"
6325	"database was initialised. Aborting. \n"));
6326	ldap_msgfree(result);
6327	TALLOC_FREE(alg_rid_base_string);
6328	return NT_STATUS_UNSUCCESSFUL;
6329	}
6330	TALLOC_FREE(alg_rid_base_string);
6331	}
6332	ldap_msgfree(result);
6333
6334	return NT_STATUS_OK;
6335	}
6336
6337	NTSTATUS pdb_ldap_init(void)
6338	{
6339	NTSTATUS nt_status;
6340	if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
6341	return nt_status;
6342
6343	if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
6344	return nt_status;
6345
6346	/* Let pdb_nds register backends */
6347	pdb_nds_init();
6348
6349	return NT_STATUS_OK;
6350	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: