source: branches/samba-3.3.x/examples/misc/adssearch.pl

Last change on this file was 206, checked in by Herwig Bauernfeind, 16 years ago

Import Samba 3.3 branch at 3.0.0 level (psmedley's port)
File size: 47.1 KB
RevLine 
[206]1#!/usr/bin/perl -w
2#
3# adssearch.pl - query an Active Directory server and
4# display objects in a human readable format
5#
6# Copyright (C) Guenther Deschner <gd@samba.org> 2003-2008
7#
8# TODO: add range retrieval
9# write sddl-converter, decode userParameters
10# apparently only win2k3 allows simple-binds with machine-accounts.
11# make sasl support independent from Authen::SASL::Cyrus v >0.11
12use strict;
13
14use Net::LDAP;
15use Net::LDAP::Control;
16use Net::LDAP::Constant qw(LDAP_REFERRAL);
17use Convert::ASN1;
18use Time::Local;
19use POSIX qw(strftime);
20use Getopt::Long;
21
22my $have_sasl;
23my $works_sasl;
24my $pref_version;
25BEGIN {
26 my $class = 'Authen::SASL';
27 $pref_version = "0.32";
28 if ( eval "require $class;" ) {
29 $have_sasl = 1;
30 }
31 if ( eval "Net::LDAP->VERSION($pref_version);" ) {
32 $works_sasl = 1;
33 }
34}
35
36# users may set defaults here
37my $base = "";
38my $binddn = "";
39my $password = "";
40my $server = "";
41my $rebind_url;
42
43
44my $tdbdump = "/usr/bin/tdbdump";
45my $testparm = "/usr/bin/testparm";
46my $net = "/usr/bin/net";
47my $dig = "/usr/bin/dig";
48my $nmblookup = "/usr/bin/nmblookup";
49my $secrets_tdb = "/etc/samba/secrets.tdb";
50my $klist = "/usr/bin/klist";
51my $kinit = "/usr/bin/kinit";
52my $workgroup = "";
53my $machine = "";
54my $realm = "";
55
56# parse input
57my (
58 $opt_asq,
59 $opt_base,
60 $opt_binddn,
61 $opt_debug,
62 $opt_display_extendeddn,
63 $opt_display_metadata,
64 $opt_display_raw,
65 $opt_domain_scope,
66 $opt_dump_rootdse,
67 $opt_dump_schema,
68 $opt_dump_wknguid,
69 $opt_fastbind,
70 $opt_help,
71 $opt_host,
72 $opt_machine,
73 $opt_notify,
74 $opt_notify_nodiffs,
75 $opt_paging,
76 $opt_password,
77 $opt_port,
78 $opt_realm,
79 $opt_saslmech,
80 $opt_search_opt,
81 $opt_scope,
82 $opt_simpleauth,
83 $opt_starttls,
84 $opt_user,
85 $opt_verbose,
86 $opt_workgroup,
87);
88
89GetOptions(
90 'asq=s' => \$opt_asq,
91 'base|b=s' => \$opt_base,
92 'D|DN=s' => \$opt_binddn,
93 'debug=i' => \$opt_debug,
94 'domain_scope' => \$opt_domain_scope,
95 'extendeddn|e:i' => \$opt_display_extendeddn,
96 'fastbind' => \$opt_fastbind,
97 'help' => \$opt_help,
98 'host|h=s' => \$opt_host,
99 'machine|P' => \$opt_machine,
100 'metadata|m' => \$opt_display_metadata,
101 'nodiffs' => \$opt_notify_nodiffs,
102 'notify|n' => \$opt_notify,
103 'paging:i' => \$opt_paging,
104 'password|w=s' => \$opt_password,
105 'port=i' => \$opt_port,
106 'rawdisplay' => \$opt_display_raw,
107 'realm|R=s' => \$opt_realm,
108 'rootDSE' => \$opt_dump_rootdse,
109 'saslmech|Y=s' => \$opt_saslmech,
110 'schema|c' => \$opt_dump_schema,
111 'scope|s=s' => \$opt_scope,
112 'searchopt:i' => \$opt_search_opt,
113 'simpleauth|x' => \$opt_simpleauth,
114 'tls|Z' => \$opt_starttls,
115 'user|U=s' => \$opt_user,
116 'verbose|v' => \$opt_verbose,
117 'wknguid' => \$opt_dump_wknguid,
118 'workgroup|k=s' => \$opt_workgroup,
119 );
120
121
122if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
123 usage();
124 exit 1;
125}
126
127if ($opt_fastbind && !$opt_simpleauth) {
128 printf("LDAP fast bind can only be performed with simple binds\n");
129 exit 1;
130}
131
132if ($opt_notify) {
133 $opt_paging = undef;
134}
135
136# get the query
137my $query = shift;
138my @attrs = @ARGV;
139
140# some global vars
141my $filter = "";
142my ($dse, $uri);
143my ($attr, $value);
144my (@ctrls, @ctrls_s);
145my ($ctl_paged, $cookie);
146my ($page_count, $total_entry_count);
147my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
148my ($mesg, $usn);
149my (%entry_store);
150my $async_search;
151
152# fixed values and vars
153my $set = "X";
154my $unset = "-";
155my $tabsize = "\t\t\t";
156
157# get defaults
158my $scope = $opt_scope || "sub";
159my $port = $opt_port;
160
161my %ads_controls = (
162"LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528",
163"LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529",
164"LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319",
165"LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801",
166"LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473",
167"LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474",
168"LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9",
169"LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10",
170"LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure
171"LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417",
172"LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521",
173"LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619",
174"LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805",
175"LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841",
176"LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338",
177"LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339",
178"LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340",
179"LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413",
180"LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504",
181"NONE (Get stats control)" => "1.2.840.113556.1.4.970",
182"LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852",
183"LDAP_SERVER_SHUTDOWN_NOTIFY_OID" => "1.2.840.113556.1.4.1907",
184);
185
186my %ads_capabilities = (
187"LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800",
188"LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670",
189"LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
190);
191
192my %ads_extensions = (
193"LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037",
194"LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1",
195"LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781",
196"NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1",
197);
198
199my %ads_matching_rules = (
200"LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803",
201"LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804",
202);
203
204my %wknguids = (
205"WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD",
206"WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A",
207"WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD",
208"WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD",
209);
210
211my %ads_systemflags = (
212"FLAG_DONT_REPLICATE" => 0x00000001, # 1
213"FLAG_REPLICATE_TO_GC" => 0x00000002, # 2
214"FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4
215"FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16
216"FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432
217"FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864
218"FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728
219#"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation
220#"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation
221#"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation
222"FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648
223);
224
225my %ads_mixed_domain = (
226"NATIVE_LEVEL_DOMAIN" => 0,
227"MIXED_LEVEL_DOMAIN" => 1,
228);
229
230my %ads_ds_func = (
231"DS_BEHAVIOR_WIN2000" => 0, # untested
232"DS_BEHAVIOR_WIN2003" => 2,
233"DS_BEHAVIOR_WIN2008" => 3,
234);
235
236my %ads_instance_type = (
237"DS_INSTANCETYPE_IS_NC_HEAD" => 0x1,
238"IT_WRITE" => 0x4,
239"IT_NC_ABOVE" => 0x8,
240);
241
242my %ads_uacc = (
243 "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
244 "ACCOUNT_OK" => 0x800000, # 8388608
245 "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
246);
247
248my %ads_enctypes = (
249 "DES-CBC-CRC" => 0x01,
250 "DES-CBC-MD5" => 0x02,
251 "RC4_HMAC_MD5" => 0x04,
252 "AES128_CTS_HMAC_SHA1_96" => 0x08,
253 "AES128_CTS_HMAC_SHA1_128" => 0x10,
254);
255
256my %ads_gpoptions = (
257 "GPOPTIONS_INHERIT" => 0,
258 "GPOPTIONS_BLOCK_INHERITANCE" => 1,
259);
260
261my %ads_gplink_opts = (
262 "GPLINK_OPT_NONE" => 0,
263 "GPLINK_OPT_DISABLED" => 1,
264 "GPLINK_OPT_ENFORCED" => 2,
265);
266
267my %ads_gpflags = (
268 "GPFLAGS_ALL_ENABLED" => 0,
269 "GPFLAGS_USER_SETTINGS_DISABLED" => 1,
270 "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2,
271 "GPFLAGS_ALL_DISABLED" => 3,
272);
273
274my %ads_serverstate = (
275 "SERVER_ENABLED" => 1,
276 "SERVER_DISABLED" => 2,
277);
278
279my %ads_sdeffective = (
280 "OWNER_SECURITY_INFORMATION" => 0x01,
281 "DACL_SECURITY_INFORMATION" => 0x04,
282 "SACL_SECURITY_INFORMATION" => 0x10,
283);
284
285my %ads_trustattrs = (
286 "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1,
287 "TRUST_ATTRIBUTE_TREE_PARENT" => 2,
288 "TRUST_ATTRIBUTE_TREE_ROOT" => 3,
289 "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4,
290);
291
292my %ads_trustdirection = (
293 "TRUST_DIRECTION_INBOUND" => 1,
294 "TRUST_DIRECTION_OUTBOUND" => 2,
295 "TRUST_DIRECTION_BIDIRECTIONAL" => 3,
296);
297
298my %ads_trusttype = (
299 "TRUST_TYPE_DOWNLEVEL" => 1,
300 "TRUST_TYPE_UPLEVEL" => 2,
301 "TRUST_TYPE_KERBEROS" => 3,
302 "TRUST_TYPE_DCE" => 4,
303);
304
305my %ads_pwdproperties = (
306 "DOMAIN_PASSWORD_COMPLEX" => 1,
307 "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2,
308 "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4,
309 "DOMAIN_LOCKOUT_ADMINS" => 8,
310 "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16,
311 "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32,
312);
313
314my %ads_uascompat = (
315 "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0,
316 "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1,
317);
318
319my %ads_frstypes = (
320 "REPLICA_SET_SYSVOL" => 2, # unsure
321 "REPLICA_SET_DFS" => 1, # unsure
322 "REPLICA_SET_OTHER" => 0, # unsure
323);
324
325my %ads_gp_cse_extensions = (
326"Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
327"Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
328"EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
329"Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
330"IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
331"Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
332"QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
333"Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
334"Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
335"Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
336);
337
338# guess work
339my %ads_gpcextensions = (
340"Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
341"Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
342"EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
343"Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
344"Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
345"Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
346"Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4",
347"Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
348"Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
349"unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4",
350"unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
351);
352
353my %ads_gpo_default_guids = (
354"Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9",
355"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
356"mist" => "61718096-3D3F-4398-8318-203A48976F9E",
357);
358
359my %ads_uf = (
360 "UF_SCRIPT" => 0x00000001,
361 "UF_ACCOUNTDISABLE" => 0x00000002,
362# "UF_UNUSED_1" => 0x00000004,
363 "UF_HOMEDIR_REQUIRED" => 0x00000008,
364 "UF_LOCKOUT" => 0x00000010,
365 "UF_PASSWD_NOTREQD" => 0x00000020,
366 "UF_PASSWD_CANT_CHANGE" => 0x00000040,
367 "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" => 0x00000080,
368 "UF_TEMP_DUPLICATE_ACCOUNT" => 0x00000100,
369 "UF_NORMAL_ACCOUNT" => 0x00000200,
370# "UF_UNUSED_2" => 0x00000400,
371 "UF_INTERDOMAIN_TRUST_ACCOUNT" => 0x00000800,
372 "UF_WORKSTATION_TRUST_ACCOUNT" => 0x00001000,
373 "UF_SERVER_TRUST_ACCOUNT" => 0x00002000,
374# "UF_UNUSED_3" => 0x00004000,
375# "UF_UNUSED_4" => 0x00008000,
376 "UF_DONT_EXPIRE_PASSWD" => 0x00010000,
377 "UF_MNS_LOGON_ACCOUNT" => 0x00020000,
378 "UF_SMARTCARD_REQUIRED" => 0x00040000,
379 "UF_TRUSTED_FOR_DELEGATION" => 0x00080000,
380 "UF_NOT_DELEGATED" => 0x00100000,
381 "UF_USE_DES_KEY_ONLY" => 0x00200000,
382 "UF_DONT_REQUIRE_PREAUTH" => 0x00400000,
383 "UF_PASSWORD_EXPIRED" => 0x00800000,
384 "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" => 0x01000000,
385 "UF_NO_AUTH_DATA_REQUIRED" => 0x02000000,
386# "UF_UNUSED_8" => 0x04000000,
387# "UF_UNUSED_9" => 0x08000000,
388# "UF_UNUSED_10" => 0x10000000,
389# "UF_UNUSED_11" => 0x20000000,
390# "UF_UNUSED_12" => 0x40000000,
391# "UF_UNUSED_13" => 0x80000000,
392);
393
394my %ads_grouptype = (
395 "GROUP_TYPE_BUILTIN_LOCAL_GROUP" => 0x00000001,
396 "GROUP_TYPE_ACCOUNT_GROUP" => 0x00000002,
397 "GROUP_TYPE_RESOURCE_GROUP" => 0x00000004,
398 "GROUP_TYPE_UNIVERSAL_GROUP" => 0x00000008,
399 "GROUP_TYPE_APP_BASIC_GROUP" => 0x00000010,
400 "GROUP_TYPE_APP_QUERY_GROUP" => 0x00000020,
401 "GROUP_TYPE_SECURITY_ENABLED" => 0x80000000,
402);
403
404my %ads_atype = (
405 "ATYPE_NORMAL_ACCOUNT" => 0x30000000,
406 "ATYPE_WORKSTATION_TRUST" => 0x30000001,
407 "ATYPE_INTERDOMAIN_TRUST" => 0x30000002,
408 "ATYPE_SECURITY_GLOBAL_GROUP" => 0x10000000,
409 "ATYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x10000001,
410 "ATYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x10000001, # ATYPE_DISTRIBUTION_GLOBAL_GROUP
411 "ATYPE_SECURITY_LOCAL_GROUP" => 0x20000000,
412 "ATYPE_DISTRIBUTION_LOCAL_GROUP" => 0x20000001,
413 "ATYPE_ACCOUNT" => 0x30000000, # ATYPE_NORMAL_ACCOUNT
414 "ATYPE_GLOBAL_GROUP" => 0x10000000, # ATYPE_SECURITY_GLOBAL_GROUP
415 "ATYPE_LOCAL_GROUP" => 0x20000000, # ATYPE_SECURITY_LOCAL_GROUP
416);
417
418my %ads_gtype = (
419 "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP" => 0x80000005,
420 "GTYPE_SECURITY_DOMAIN_LOCAL_GROUP" => 0x80000004,
421 "GTYPE_SECURITY_GLOBAL_GROUP" => 0x80000002,
422 "GTYPE_SECURITY_UNIVERSAL_GROUP" => 0x80000008,
423 "GTYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x00000002,
424 "GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP" => 0x00000004,
425 "GTYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x00000008,
426);
427
428my %munged_dial = (
429 "CtxCfgPresent" => \&dump_int,
430 "CtxCfgFlags1" => \&dump_int,
431 "CtxCallback" => \&dump_string,
432 "CtxShadow" => \&dump_string,
433 "CtxMaxConnectionTime" => \&dump_int,
434 "CtxMaxDisconnectionTime"=> \&dump_int,
435 "CtxMaxIdleTime" => \&dump_int,
436 "CtxKeyboardLayout" => \&dump_int,
437 "CtxMinEncryptionLevel" => \&dump_int,
438 "CtxWorkDirectory" => \&dump_string,
439 "CtxNWLogonServer" => \&dump_string,
440 "CtxWFHomeDir" => \&dump_string,
441 "CtxWFHomeDirDrive" => \&dump_string,
442 "CtxWFProfilePath" => \&dump_string,
443 "CtxInitialProgram" => \&dump_string,
444 "CtxCallbackNumber" => \&dump_string,
445);
446
447$SIG{__WARN__} = sub {
448 use Carp;
449 Carp::cluck (shift);
450};
451
452# if there is data missing, we try to autodetect with samba-tools (if installed)
453# this might fill up workgroup, machine, realm
454get_samba_info();
455
456# get a workgroup
457$workgroup = $workgroup || $opt_workgroup || "";
458
459# get the server
460$server = process_servername($opt_host) ||
461 detect_server($workgroup,$opt_realm) ||
462 die "please define server to query with -h host\n";
463
464
465# get the base
466$base = defined($opt_base)? $opt_base : "" ||
467 get_base_from_rootdse($server,$dse);
468
469# get the realm
470$realm = $opt_realm ||
471 get_realm_from_rootdse($server,$dse);
472
473# get sasl mechs
474my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse);
475my $sasl_mech = "GSSAPI";
476if ($opt_saslmech) {
477 $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
478}
479
480# set bind type
481my $sasl_bind = 1 if (!$opt_simpleauth);
482
483# get username
484my $user = check_user($opt_user) || $ENV{'USER'} || "";
485
486# gen upn
487my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
488
489# get binddn
490$binddn = $opt_binddn || $upn;
491
492# get the password
493$password = $password || $opt_password;
494if (!$password) {
495 $password = $opt_machine ? get_machine_password($workgroup) : get_password();
496}
497
498my %attr_handler = (
499 "Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name
500 "accountExpires" => \&dump_nttime,
501 "attributeSecurityGUID" => \&dump_guid,
502 "badPasswordTime" => \&dump_nttime,
503 "creationTime" => \&dump_nttime,
504 "currentTime" => \&dump_timestr,
505 "domainControllerFunctionality" => \&dump_ds_func,
506 "domainFunctionality" => \&dump_ds_func,
507 "fRSReplicaSetGUID" => \&dump_guid,
508 "fRSReplicaSetType" => \&dump_frstype,
509 "fRSVersionGUID" => \&dump_guid,
510 "flags" => \&dump_gpflags, # fixme: possibly only on gpos!
511 "forceLogoff" => \&dump_nttime_abs,
512 "forestFunctionality" => \&dump_ds_func,
513# "gPCMachineExtensionNames" => \&dump_gpcextensions,
514# "gPCUserExtensionNames" => \&dump_gpcextensions,
515 "gPLink" => \&dump_gplink,
516 "gPOptions" => \&dump_gpoptions,
517 "groupType" => \&dump_gtype,
518 "instanceType" => \&dump_instance_type,
519 "lastLogon" => \&dump_nttime,
520 "lastLogonTimestamp" => \&dump_nttime,
521 "lockOutObservationWindow" => \&dump_nttime_abs,
522 "lockoutDuration" => \&dump_nttime_abs,
523 "lockoutTime" => \&dump_nttime,
524# "logonHours" => \&dump_logonhours,
525 "maxPwdAge" => \&dump_nttime_abs,
526 "minPwdAge" => \&dump_nttime_abs,
527 "modifyTimeStamp" => \&dump_timestr,
528 "msDS-Behavior-Version" => \&dump_ds_func, #unsure
529 "msDS-User-Account-Control-Computed" => \&dump_uacc,
530 "msDS-SupportedEncryptionTypes" => \&dump_enctypes,
531 "mS-DS-CreatorSID" => \&dump_sid,
532# "msRADIUSFramedIPAddress" => \&dump_ipaddr,
533# "msRASSavedFramedIPAddress" => \&dump_ipaddr,
534 "netbootGUID" => \&dump_guid,
535 "nTMixedDomain" => \&dump_mixed_domain,
536 "nTSecurityDescriptor" => \&dump_secdesc,
537 "objectGUID" => \&dump_guid,
538 "objectSid" => \&dump_sid,
539 "pKT" => \&dump_pkt,
540 "pKTGuid" => \&dump_guid,
541 "pwdLastSet" => \&dump_nttime,
542 "pwdProperties" => \&dump_pwdproperties,
543 "sAMAccountType" => \&dump_atype,
544 "schemaIDGUID" => \&dump_guid,
545 "sDRightsEffective" => \&dump_sdeffective,
546 "securityIdentifier" => \&dump_sid,
547 "serverState" => \&dump_serverstate,
548 "supportedCapabilities", => \&dump_capabilities,
549 "supportedControl", => \&dump_controls,
550 "supportedExtension", => \&dump_extension,
551 "systemFlags" => \&dump_systemflags,
552 "tokenGroups", => \&dump_sid,
553 "tokenGroupsGlobalAndUniversal" => \&dump_sid,
554 "tokenGroupsNoGCAcceptable" => \&dump_sid,
555 "trustAttributes" => \&dump_trustattr,
556 "trustDirection" => \&dump_trustdirection,
557 "trustType" => \&dump_trusttype,
558 "uASCompat" => \&dump_uascompat,
559 "userAccountControl" => \&dump_uac,
560 "userCertificate" => \&dump_cert,
561 "userFlags" => \&dump_uf,
562 "userParameters" => \&dump_munged_dial,
563 "whenChanged" => \&dump_timestr,
564 "whenCreated" => \&dump_timestr,
565# "dSCorePropagationData" => \&dump_timestr,
566);
567
568
569
570################
571# subfunctions #
572################
573
574sub usage {
575 print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
576 print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
577 print "\t--base|-b [base]\n\t\tUse base [base]\n";
578 print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
579 print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n";
580 print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
581 print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
582 print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n";
583 print "\t--help\n\t\tDisplay help page\n";
584 print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
585 print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
586 print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
587 print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
588 print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
589 print "\t--paging [pagesize]\n\t\tUse paged results when searching\n";
590 print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
591 print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
592 print "\t--rawdisplay\n\t\tDo not interpret values\n";
593 print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
594 print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
595 print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
596 print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
597 print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
598 print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
599 print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
600 print "\t--user|-U [user]\n\t\tUse [user]\n";
601 print "\t--wknguid\n\t\tDisplay well known guids\n";
602 print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
603}
604
605sub write_ads_list {
606 my ($mod,$attr,$value) = @_;
607 my $ofh = select(STDOUT);
608 $~ = "ADS_LIST";
609 select($ofh);
610 write();
611
612format ADS_LIST =
613@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
614$mod, $attr, $value
615.
616}
617
618sub write_ads {
619 my ($mod,$attr,$value) = @_;
620 my $ofh = select(STDOUT);
621 $~ = "ADS";
622 select($ofh);
623 write();
624
625format ADS =
626@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
627$mod, $attr, $value
628~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
629 $value
630.
631}
632
633sub detect_server {
634
635 my $workgroup = shift;
636 my $realm = shift;
637 my $result;
638 my $found;
639
640 # try net cache (nbt records)
641 if ( -x $net && $workgroup ) {
642 my $key = sprintf("NBT/%s#1C", uc($workgroup));
643 chomp($result = `$net cache search $key 2>&1 /dev/null`);
644 $result =~ s/^.*Value: //;
645 $result =~ s/:.*//;
646 return $result if $result;
647 printf("%10s query failed for [%s]\n", "net cache", $key);
648 }
649
650 # try dns SRV entries
651 if ( -x $dig && $realm ) {
652 my $key = sprintf("_ldap._tcp.%s", lc($realm));
653 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
654 $result =~ s/.* //g;
655 $result =~ s/.$//g;
656 return $result if $result;
657 printf("%10s query failed for [%s]\n", "dns", $key);
658 }
659
660 # try netbios broadcast query
661 if ( -x $nmblookup && $workgroup ) {
662 my $key = sprintf("%s#1C", uc($workgroup));
663 my $pattern = sprintf("%s<1c>", uc($workgroup));
664 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
665 $result =~ s/\s.*//;
666 return $result if $result;
667 printf("%10s query failed for [%s]\n", "nmblookup", $key);
668 }
669
670 return "";
671}
672
673sub get_samba_info {
674
675 if (! -x $testparm) { return -1; }
676
677 my $tmp;
678 open(TESTPARM, "$testparm -s -v 2> /dev/null |");
679 while (my $line = <TESTPARM>) {
680 chomp($line);
681 if ($line =~ /netbios name/) {
682 ($tmp, $machine) = split(/=/, $line);
683 $machine =~ s/\s+|\t+//g;
684 }
685 if ($line =~ /realm/) {
686 ($tmp, $realm) = split(/=/, $line);
687 $realm =~ s/\s+|\t+//g;
688 }
689 if ($line =~ /workgroup/) {
690 ($tmp, $workgroup) = split(/=/, $line);
691 $workgroup =~ s/\s+|\t+//g;
692 }
693 }
694 close(TESTPARM);
695 return 0;
696}
697
698sub gen_upn {
699 my $machine = shift;
700 my $realm = shift;
701 if ($machine && $realm) {
702 return sprintf("%s\@%s", lc($machine), uc($realm));
703 };
704 return undef;
705}
706
707sub get_password {
708 if (!$password && $opt_simpleauth && check_ticket($user)) {
709 return prompt_password($user);
710 }
711 return "";
712}
713
714sub get_user {
715 my $user = shift || prompt_user();
716 return $user;
717}
718
719sub get_machine_password {
720
721 my $workgroup = shift || "";
722 $workgroup = uc($workgroup);
723
724 my ($found, $tmp);
725 -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
726 -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
727
728 # get machine-password
729 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
730 open(SECRETS,"$tdbdump $secrets_tdb |");
731 while(my $line = <SECRETS>) {
732 chomp($line);
733 if ($found) {
734 $line =~ s/\\00//;
735 ($line,$password) = split(/"/, $line);
736 last;
737 }
738 if ($line =~ /$key/) {
739 $found = 1;
740 }
741 }
742 close(SECRETS);
743
744 if ($found) {
745 print "Successfully autodetected machine password for workgroup: $workgroup\n";
746 return $password;
747 } else {
748 warn "No machine password available for $workgroup\n";
749 }
750 return "";
751}
752
753sub prompt_password {
754
755 my $acct = shift || "";
756 if ($acct =~ /\%/) {
757 ($acct, $password) = split(/\%/, $acct);
758 return $password;
759 }
760 system "stty -echo";
761 print "Enter password for $acct:";
762 my $password = <STDIN>;
763 chomp($password);
764 print "\n";
765 system "stty echo";
766 return $password;
767}
768
769sub prompt_user {
770
771 print "Enter Username:";
772 my $user = <STDIN>;
773 chomp($user);
774 print "\n";
775 return $user;
776}
777
778sub check_ticket {
779 return 0;
780 # works only for heimdal
781 return system("$klist -t");
782}
783
784sub get_ticket {
785
786 my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
787
788 open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
789 printf KRB5CONF "# autogenerated by $0\n";
790 printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
791 printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
792 close(KRB5CONF);
793
794 if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
795 return -1;
796 }
797
798 return 0;
799}
800
801sub check_user {
802 my $acct = shift || "";
803 if ($acct =~ /\%/) {
804 ($acct, $password) = split(/\%/, $acct);
805 }
806 return $acct;
807}
808
809sub check_root_dse($$$@) {
810
811 # bogus function??
812 my $server = shift || "";
813 $dse = shift || get_dse($server) || return -1;
814 my $attr = shift || die "unknown query";
815 my @array = @_;
816
817 my $dse_list = $dse->get_value($attr, asref => '1');
818 my @dse_array = @$dse_list;
819
820 foreach my $i (@array) {
821 # we could use -> supported_control but this
822 # is only available in newer versions of perl-ldap
823# if ( ! $dse->supported_control( $i ) ) {
824 if ( grep(/$i->type()/, @dse_array) ) {
825 printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type());
826 return -1;
827 }
828 }
829 return 0;
830}
831
832sub check_ctrls ($$@) {
833 my $server = shift;
834 my $dse = shift;
835 my @array = @_;
836 return check_root_dse($server, $dse, "supportedControl", @array);
837}
838
839sub check_exts ($$@) {
840 my $server = shift;
841 my $dse = shift;
842 my @array = @_;
843 return check_root_dse($server, $dse, "supportedExtension", @array);
844}
845
846sub get_base_from_rootdse {
847
848 my $server = shift || "";
849 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
850 return $dse->get_value($opt_dump_schema ? 'schemaNamingContext':
851 'defaultNamingContext');
852}
853
854sub get_realm_from_rootdse {
855
856 my $server = shift || "";
857 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
858 my $service = $dse->get_value('ldapServiceName') || "";
859 if ($service) {
860 my ($t,$realm) = split(/\@/, $service);
861 return $realm;
862 } else {
863 die "very odd: could not get realm";
864 }
865}
866
867sub get_sasl_mechs_from_rootdse {
868
869 my $server = shift || "";
870 $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
871 my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
872 return @$mechs;
873}
874
875sub get_dse {
876
877 my $server = shift || return undef;
878 $async_ldap_hd = shift || get_ldap_hd($server,1);
879 if (!$async_ldap_hd) {
880 print "oh, no connection\n";
881 return undef;
882 }
883 my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
884 if ($mesg->code) { die "failed to bind\n"; };
885 my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
886
887 return $dse;
888}
889
890sub process_servername {
891
892 my $name = shift || return "";
893 if ($name =~ /^ldaps:\/\//i ) {
894 $name =~ s#^ldaps://##i;
895 $uri = sprintf("%s://%s", "ldaps", $name);
896 } else {
897 $name =~ s#^ldap://##i;
898 $uri = sprintf("%s://%s", "ldap", $name);
899 }
900 return $name;
901}
902
903sub get_ldap_hd {
904
905 my $server = shift || return undef;
906 my $async = shift || "0";
907 my $hd;
908 die "uri unavailable" if (!$uri);
909 if ($uri =~ /^ldaps:\/\//i ) {
910 $port = $port || 636;
911 use Net::LDAPS;
912 $hd = Net::LDAPS->new( $server, async => $async, port => $port ) ||
913 die "host $server not available: $!";
914 } else {
915 $port = $port || 389;
916 $hd = Net::LDAP->new( $server, async => $async, port => $port ) ||
917 die "host $server not available: $!";
918 }
919 $hd->debug($opt_debug);
920 if ($opt_starttls) {
921 $hd->start_tls( verify => 'none' );
922 }
923
924 return $hd;
925}
926
927sub get_sasl_hd {
928
929 if (!$have_sasl) {
930 print "no sasl support\n";
931 return undef;
932 }
933
934 my $hd;
935 if ($sasl_mech && $sasl_mech eq "GSSAPI") {
936 my $user = sprintf("%s\@%s", $user, uc($realm));
937 if (check_ticket($user) != 0 && get_ticket($user) != 0) {
938 print "Could not get Kerberos ticket for user [$user]\n";
939 return undef;
940 }
941
942 $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
943 my $conn = $hd->client_new("ldap", $server);
944
945 if ($conn->code == -1) {
946 printf "%s\n", $conn->error();
947 return undef;
948 };
949
950 } elsif ($sasl_mech) {
951
952 # here comes generic sasl code
953 $hd = Authen::SASL->new( mechanism => $sasl_mech,
954 callback => {
955 user => \&get_user,
956 pass => \&get_password
957 }
958 ) || die "nope";
959 } else {
960 $sasl_bind = 0;
961 print "no supported SASL mechanism found (@sasl_mechs).\n";
962 print "falling back to simple bind.\n";
963 return undef;
964 }
965
966 return $hd;
967}
968
969sub check_sasl_mech {
970 my $mech_check = shift;
971 my $have_mech = 0;
972 foreach my $mech (@sasl_mechs) {
973 $have_mech = 1 if ($mech eq uc($mech_check));
974 }
975 if (!$have_mech) {
976 return -1;
977 }
978 return 0;
979}
980
981sub store_result ($) {
982
983 my $entry = shift;
984 return if (!$entry);
985 $entry_store{$entry->dn} = $entry;
986}
987
988sub display_result_diff ($) {
989
990 my $entry_new = shift;
991 return if ( !$entry_new);
992
993 if ( !exists $entry_store{$entry_new->dn}) {
994 print "can't display any differences yet. full dump...\n";
995 display_entry_generic($entry_new);
996 return;
997 }
998
999 my $entry_old = $entry_store{$entry_new->dn};
1000
1001 foreach my $attr (sort $entry_new->attributes) {
1002 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
1003 display_attr_generic("add:\t", $entry_new, $attr);
1004 next;
1005 }
1006 }
1007
1008 foreach my $attr (sort $entry_old->attributes) {
1009 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
1010 display_attr_generic("del:\t", $entry_old, $attr);
1011 next;
1012 }
1013
1014 # now check for all values if they have changed, display changes
1015 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
1016
1017 $old_vals = $entry_old->get_value($attr, asref => 1);
1018 @old_vals = @$old_vals;
1019 $new_vals = $entry_new->get_value($attr, asref => 1);
1020 @new_vals = @$new_vals;
1021
1022 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
1023 if ($old_vals[0] ne $new_vals[0]) {
1024 display_attr_generic("old:\t", $entry_old, $attr);
1025 display_attr_generic("new:\t", $entry_new, $attr);
1026 }
1027 next;
1028 }
1029
1030 # handle multivalued diffs
1031 foreach my $val (@old_vals) { $old{$val} = "dummy"; };
1032 foreach my $val (@new_vals) { $new{$val} = "dummy"; };
1033 foreach my $val (sort keys %new) {
1034 if (!exists $old{$val}) {
1035 display_value_generic("add:\t", $attr, $val);
1036 }
1037 }
1038 foreach my $val (sort keys %old) {
1039 if (!exists $new{$val}) {
1040 display_value_generic("del:\t", $attr, $val);
1041 }
1042 }
1043 }
1044 print "\n";
1045
1046}
1047
1048sub sid2string ($) {
1049
1050 # Fix from Michael James <michael@james.st>
1051 my $binary_sid = shift;
1052 my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
1053 my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
1054 return $sid_string;
1055
1056}
1057
1058sub string_to_guid {
1059 my $string = shift;
1060 return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
1061
1062 return pack("I", hex $1) .
1063 pack("S", hex $2) .
1064 pack("S", hex $3) .
1065 pack("C", hex $4) .
1066 pack("C", hex $5) .
1067 pack("C", hex $6) .
1068 pack("C", hex $7) .
1069 pack("C", hex $8) .
1070 pack("C", hex $9) .
1071 pack("C", hex $10) .
1072 pack("C", hex $11);
1073
1074# print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
1075}
1076
1077sub bindstring_to_guid {
1078 my $str = shift;
1079 return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2",
1080 substr($str,0,2),
1081 substr($str,2,2),
1082 substr($str,4,2),
1083 substr($str,6,2),
1084 substr($str,8,2),
1085 substr($str,10,2),
1086 substr($str,12,2),
1087 substr($str,14,2),
1088 substr($str,16,2),
1089 substr($str,18,2),
1090 substr($str,20,2),
1091 substr($str,22,2),
1092 substr($str,24,2),
1093 substr($str,26,2),
1094 substr($str,28,2),
1095 substr($str,30,2));
1096}
1097
1098sub guid_to_string {
1099 my $guid = shift;
1100 my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
1101 unpack("I", $guid),
1102 unpack("S", substr($guid, 4, 2)),
1103 unpack("S", substr($guid, 6, 2)),
1104 unpack("C", substr($guid, 8, 1)),
1105 unpack("C", substr($guid, 9, 1)),
1106 unpack("C", substr($guid, 10, 1)),
1107 unpack("C", substr($guid, 11, 1)),
1108 unpack("C", substr($guid, 12, 1)),
1109 unpack("C", substr($guid, 13, 1)),
1110 unpack("C", substr($guid, 14, 1)),
1111 unpack("C", substr($guid, 15, 1));
1112 return lc($string);
1113}
1114
1115sub guid_to_bindstring {
1116 my $guid = shift;
1117 return unpack("H" . 2 * length($guid), $guid),
1118}
1119
1120sub dump_wknguid {
1121 print "Dumping Well known GUIDs:\n";
1122 foreach my $wknguid (keys %wknguids) {
1123
1124 my $guid = bindstring_to_guid($wknguids{$wknguid});
1125 my $str = guid_to_string($guid);
1126 my $back = guid_to_bindstring($guid);
1127
1128 printf "wkguid: %s\n", $wknguid;
1129 printf "bind_string format: %s\n", $wknguids{$wknguid};
1130 printf "string format: %s\n", guid_to_string($guid);
1131 printf "back to bind_string:%s\n", guid_to_bindstring($guid);
1132
1133 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
1134 }
1135}
1136
1137sub gen_bitmask_string_format($%) {
1138 my $mod = shift;
1139 my (%tmp) = @_;
1140 my @list;
1141 foreach my $key (sort keys %tmp) {
1142 push(@list, sprintf("%s %s", $tmp{$key}, $key));
1143 }
1144 return join("\n$mod$tabsize",@list);
1145}
1146
1147
1148sub nt_to_unixtime ($) {
1149 # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
1150 my $t64 = shift;
1151 $t64 =~ s/(.+).{7,7}/$1/;
1152 $t64 -= 11644473600;
1153 return $t64;
1154}
1155
1156sub dump_equal {
1157 my $val = shift;
1158 my $mod = shift || die "no mod";
1159 my (%header) = @_;
1160 my %tmp;
1161 my $found = 0;
1162 foreach my $key (keys %header) {
1163 if ($header{$key} eq $val) {
1164 $tmp{"($val)"} = $key;
1165 $found = 1;
1166 last;
1167 }
1168 }
1169 if (!$found) { $tmp{$val} = ""; };
1170 return gen_bitmask_string_format($mod,%tmp);
1171}
1172
1173sub dump_bitmask {
1174 my $op = shift || die "no op";
1175 my $val = shift;
1176 my $mod = shift || die "no mod";
1177 my (%header) = @_;
1178 my %tmp;
1179 $tmp{""} = sprintf("%s (0x%08x)", $val, $val);
1180 foreach my $key (sort keys %header) { # sort by val !
1181 my $val_hex = sprintf("0x%08x", $header{$key});
1182 if ($op eq "&") {
1183 $tmp{"$key ($val_hex)"} = ( $val & $header{$key} ) ? $set:$unset;
1184 } elsif ($op eq "==") {
1185 $tmp{"$key ($val_hex)"} = ( $val == $header{$key} ) ? $set:$unset;
1186 } else {
1187 print "unknown operator: $op\n";
1188 return;
1189 }
1190 }
1191 return gen_bitmask_string_format($mod,%tmp);
1192}
1193
1194sub dump_bitmask_and {
1195 return dump_bitmask("&",@_);
1196}
1197
1198sub dump_bitmask_equal {
1199 return dump_bitmask("==",@_);
1200}
1201
1202sub dump_uac {
1203 return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
1204}
1205
1206sub dump_uascompat {
1207 return dump_bitmask_equal(@_,%ads_uascompat);
1208}
1209
1210sub dump_gpoptions {
1211 return dump_bitmask_equal(@_,%ads_gpoptions);
1212}
1213
1214sub dump_gpflags {
1215 return dump_bitmask_equal(@_,%ads_gpflags);
1216}
1217
1218sub dump_uacc {
1219 return dump_bitmask_equal(@_,%ads_uacc);
1220}
1221
1222sub dump_enctypes {
1223 return dump_bitmask_and(@_,%ads_enctypes);
1224}
1225
1226sub dump_uf {
1227 return dump_bitmask_and(@_,%ads_uf);
1228}
1229
1230sub dump_gtype {
1231 my $ret = dump_bitmask_and(@_,%ads_grouptype);
1232 $ret .= "\n$tabsize\t";
1233 $ret .= dump_bitmask_equal(@_,%ads_gtype);
1234 return $ret;
1235}
1236
1237sub dump_atype {
1238 return dump_bitmask_equal(@_,%ads_atype);
1239}
1240
1241sub dump_controls {
1242 return dump_equal(@_,%ads_controls);
1243}
1244
1245sub dump_capabilities {
1246 return dump_equal(@_,%ads_capabilities);
1247}
1248
1249sub dump_extension {
1250 return dump_equal(@_,%ads_extensions);
1251}
1252
1253sub dump_systemflags {
1254 return dump_bitmask_and(@_,%ads_systemflags);
1255}
1256
1257sub dump_instance_type {
1258 return dump_bitmask_and(@_,%ads_instance_type);
1259}
1260
1261sub dump_ds_func {
1262 return dump_bitmask_equal(@_,%ads_ds_func);
1263}
1264
1265sub dump_serverstate {
1266 return dump_bitmask_equal(@_,%ads_serverstate);
1267}
1268
1269sub dump_sdeffective {
1270 return dump_bitmask_and(@_,%ads_sdeffective);
1271}
1272
1273sub dump_trustattr {
1274 return dump_bitmask_equal(@_,%ads_trustattrs);
1275}
1276
1277sub dump_trusttype {
1278 return dump_bitmask_equal(@_,%ads_trusttype);
1279}
1280
1281sub dump_trustdirection {
1282 return dump_bitmask_equal(@_,%ads_trustdirection);
1283}
1284
1285sub dump_pwdproperties {
1286 return dump_bitmask_and(@_,%ads_pwdproperties);
1287}
1288
1289sub dump_frstype {
1290 return dump_bitmask_equal(@_,%ads_frstypes)
1291}
1292
1293sub dump_mixed_domain {
1294 return dump_bitmask_equal(@_,%ads_mixed_domain);
1295}
1296
1297sub dump_sid {
1298 my $bin_sid = shift;
1299 return sid2string($bin_sid);
1300}
1301
1302sub dump_guid {
1303 my $guid = shift;
1304 return guid_to_string($guid);
1305}
1306
1307sub dump_secdesc {
1308 my $val = shift;
1309 return "FIXME: write sddl-converter!";
1310}
1311
1312sub dump_nttime {
1313 my $nttime = shift;
1314 if ($nttime == 0) {
1315 return sprintf("%s (%s)", "never", $nttime);
1316 }
1317 my $localtime = localtime(nt_to_unixtime($nttime));
1318 return sprintf("%s (%s)", $localtime, $nttime);
1319}
1320
1321sub dump_nttime_abs {
1322 if ($_[0] == 9223372036854775807) {
1323 return sprintf("%s (%s)", "now", $_[0]);
1324 }
1325 if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1326 return sprintf("%s (%s)", "never", $_[0]);
1327 }
1328 # FIXME: actually *do* abs time !
1329 return dump_nttime($_[0]);
1330}
1331
1332sub dump_timestr {
1333 my $time = shift;
1334 if ($time eq "16010101000010.0Z") {
1335 return sprintf("%s (%s)", "never", $time);
1336 }
1337 my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
1338 unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1339 $mon -= 1;
1340 my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
1341 return sprintf("%s (%s)", $localtime, $time);
1342}
1343
1344sub dump_string {
1345 return $_[0];
1346}
1347
1348sub dump_int {
1349 return sprintf("%d", $_[0]);
1350}
1351
1352sub dump_munged_dial {
1353 my $dial = shift;
1354 return "FIXME! decode this";
1355}
1356
1357sub dump_cert {
1358
1359 my $cert = shift;
1360 open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
1361 print OPENSSL $cert;
1362 close(OPENSSL);
1363 return "";
1364}
1365
1366sub dump_pkt {
1367 my $pkt = shift;
1368 return "not yet";
1369 printf("%s: ", $pkt);
1370 printf("%02X", $pkt);
1371
1372}
1373
1374sub dump_gplink {
1375
1376 my $gplink = shift;
1377 my $gplink_mod = $gplink;
1378 my @links = split("\\]\\[", $gplink_mod);
1379 foreach my $link (@links) {
1380 $link =~ s/^\[|\]$//g;
1381 my ($ldap_link, $opt) = split(";", $link);
1382 my @array = ( "$opt", "\t" );
1383 printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
1384 }
1385 return $gplink;
1386}
1387
1388sub construct_filter {
1389
1390 my $tmp = shift;
1391
1392 if (!$tmp || $opt_notify) {
1393 return "(objectclass=*)";
1394 }
1395
1396 if ($tmp && $tmp !~ /^.*\=/) {
1397 return "(ANR=$tmp)";
1398 }
1399
1400 return $tmp;
1401 # (&(objectCategory=person)
1402 # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1403}
1404
1405sub construct_attrs {
1406
1407 my @attrs = @_;
1408
1409 if (!@attrs) {
1410 push(@attrs,"*");
1411 }
1412
1413 if ($opt_notify) {
1414 push(@attrs,"uSNChanged");
1415 }
1416
1417 if ($opt_display_metadata) {
1418 push(@attrs,"msDS-ReplAttributeMetaData");
1419 push(@attrs,"replPropertyMetaData");
1420 }
1421
1422 if ($opt_verbose) {
1423 push(@attrs,"nTSecurityDescriptor");
1424 push(@attrs,"msDS-KeyVersionNumber");
1425 push(@attrs,"msDS-User-Account-Control-Computed");
1426 push(@attrs,"modifyTimeStamp");
1427 }
1428
1429 return sort @attrs;
1430}
1431
1432sub print_header {
1433
1434 print "\n";
1435 printf "%10s: %s\n", "uri", $uri;
1436 printf "%10s: %s\n", "port", $port;
1437 printf "%10s: %s\n", "base", $base;
1438 printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
1439 printf "%10s: %s\n", "password", $password;
1440 printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
1441 printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1442 printf "%10s: %s\n", "filter", $filter;
1443 printf "%10s: %s\n", "scope", $scope;
1444 printf "%10s: %s\n", "attrs", join(", ", @attrs);
1445 printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1446 printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging);
1447 printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
1448 printf "\n";
1449}
1450
1451sub gen_controls {
1452
1453 # setup attribute-scoped query control
1454 my $asq_asn = Convert::ASN1->new;
1455 $asq_asn->prepare(
1456 q< asq ::= SEQUENCE {
1457 sourceAttribute OCTET_STRING
1458 }
1459 >
1460 );
1461 my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
1462 my $ctl_asq = Net::LDAP::Control->new(
1463 type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
1464 critical => 'true',
1465 value => $ctl_asq_val);
1466
1467
1468 # setup extended dn control
1469 my $asn_extended_dn = Convert::ASN1->new;
1470 $asn_extended_dn->prepare(
1471 q< ExtendedDn ::= SEQUENCE {
1472 mode INTEGER
1473 }
1474 >
1475 );
1476
1477 # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val
1478 my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn);
1479 my $ctl_extended_dn = Net::LDAP::Control->new(
1480 type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1481 critical => 'true',
1482 value => $opt_display_extendeddn ? $ctl_extended_dn_val : "");
1483
1484 # setup search options
1485 my $search_opt = Convert::ASN1->new;
1486 $search_opt->prepare(
1487 q< searchopt ::= SEQUENCE {
1488 flags INTEGER
1489 }
1490 >
1491 );
1492
1493 my $tmp = $search_opt->encode( flags => $opt_search_opt);
1494 my $ctl_search_opt = Net::LDAP::Control->new(
1495 type => $ads_controls{'LDAP_SERVER_SEARCH_OPTIONS_OID'},
1496 critical => 'true',
1497 value => $tmp);
1498
1499 # setup notify control
1500 my $ctl_notification = Net::LDAP::Control->new(
1501 type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1502 critical => 'true');
1503
1504
1505 # setup paging control
1506 $ctl_paged = Net::LDAP::Control->new(
1507 type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1508 critical => 'true',
1509 size => $opt_paging ? $opt_paging : 1000);
1510
1511 # setup domscope control
1512 my $ctl_domscope = Net::LDAP::Control->new(
1513 type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'},
1514 critical => 'true',
1515 value => "");
1516
1517 if (defined($opt_paging) || $opt_dump_schema) {
1518 push(@ctrls, $ctl_paged);
1519 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1520 }
1521
1522 if (defined($opt_display_extendeddn)) {
1523 push(@ctrls, $ctl_extended_dn);
1524 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1525 }
1526 if ($opt_notify) {
1527 push(@ctrls, $ctl_notification);
1528 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1529 }
1530
1531 if ($opt_asq) {
1532 push(@ctrls, $ctl_asq);
1533 push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
1534 }
1535
1536 if ($opt_domain_scope) {
1537 push(@ctrls, $ctl_domscope);
1538 push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID");
1539 }
1540
1541 if ($opt_search_opt) {
1542 push(@ctrls, $ctl_search_opt);
1543 push(@ctrls_s, "LDAP_SERVER_SEARCH_OPTIONS_OID");
1544 }
1545
1546 return @ctrls;
1547}
1548
1549sub display_value_generic ($$$) {
1550
1551 my ($mod,$attr,$value) = @_;
1552 return unless (defined($value) and defined($attr));
1553
1554 if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1555 $value = $attr_handler{$attr}($value,$mod);
1556 write_ads_list($mod,$attr,$value);
1557 return;
1558 }
1559 write_ads($mod,$attr,$value);
1560}
1561
1562sub display_attr_generic ($$$) {
1563
1564 my ($mod,$entry,$attr) = @_;
1565 return if (!$attr || !$entry);
1566
1567 my $ref = $entry->get_value($attr, asref => 1);
1568 my @values = @$ref;
1569
1570 foreach my $value ( sort @values) {
1571 display_value_generic($mod,$attr,$value);
1572 }
1573}
1574
1575sub display_entry_generic ($) {
1576
1577 my $entry = shift;
1578 return if (!$entry);
1579
1580 foreach my $attr ( sort $entry->attributes) {
1581 display_attr_generic("\t",$entry,$attr);
1582 }
1583}
1584
1585sub display_ldap_err ($) {
1586
1587 my $msg = shift;
1588 print_header();
1589 my ($package, $filename, $line, $subroutine) = caller(0);
1590
1591 print "got error from ADS:\n";
1592 printf("%s(%d): ERROR (%s): %s\n",
1593 $subroutine, $line, $msg->code, $msg->error);
1594
1595}
1596
1597sub process_result {
1598
1599 my ($msg,$entry) = @_;
1600
1601 if (!defined($msg)) {
1602 return;
1603 }
1604
1605 if ($msg->code) {
1606 display_ldap_err($msg);
1607 exit 1;
1608 }
1609
1610 if (!defined($entry)) {
1611 return;
1612 }
1613
1614 if ($entry->isa('Net::LDAP::Reference')) {
1615 foreach my $ref ($entry->references) {
1616 print "\ngot Reference: [$ref]\n";
1617 }
1618 return;
1619 }
1620
1621 print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
1622
1623 display_entry_generic($entry);
1624}
1625
1626sub default_callback {
1627
1628 my ($res,$obj) = @_;
1629
1630 if (!$opt_notify && $res->code == LDAP_REFERRAL) {
1631 return;
1632 }
1633
1634 if (!$opt_notify) {
1635 return process_result($res,$obj);
1636 }
1637}
1638
1639sub error_callback {
1640
1641 my ($msg,$entry) = @_;
1642
1643 if (!$msg) {
1644 return;
1645 }
1646
1647 if ($msg->code) {
1648 display_ldap_err($msg);
1649 exit(1);
1650 }
1651 return;
1652}
1653
1654sub notify_callback {
1655
1656 my ($msg, $obj) = @_;
1657
1658 if (! defined($obj)) {
1659 return;
1660 }
1661
1662 if ($obj->isa('Net::LDAP::Reference')) {
1663 foreach my $ref ($obj->references) {
1664 print "\ngot Reference: [$ref]\n";
1665 }
1666 return;
1667 }
1668
1669 while (1) {
1670
1671 my $async_entry = $async_search->pop_entry;
1672
1673 if (!$async_entry->dn) {
1674 print "very weird. entry has no dn\n";
1675 next;
1676 }
1677
1678 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
1679
1680 my $new_usn = $async_entry->get_value('uSNChanged');
1681 if (!$new_usn) {
1682 die "odd, no usnChanged attribute???";
1683 }
1684 if (!$usn || $new_usn > $usn) {
1685 $usn = $new_usn;
1686 if ($opt_notify_nodiffs) {
1687 display_entry_generic($async_entry);
1688 } else {
1689 display_result_diff($async_entry);
1690 }
1691 }
1692 store_result($async_entry);
1693 }
1694}
1695
1696sub do_bind($$) {
1697
1698 my $async_ldap_hd = shift || return undef;
1699 my $sasl_bind = shift;
1700
1701 if ($sasl_bind) {
1702 if (!$works_sasl) {
1703 print "this version of Net::LDAP does not have proper SASL support.\n";
1704 print "Need at least perl-ldap V. $pref_version\n";
1705 }
1706 $sasl_hd = get_sasl_hd();
1707 if (!$sasl_hd) {
1708 print "failed to create SASL handle\n";
1709 return -1;
1710 }
1711 $mesg = $async_ldap_hd->bind(
1712 sasl => $sasl_hd,
1713 callback => \&error_callback
1714 ) || die "doesnt work";
1715 } else {
1716 $sasl_mech = "";
1717 $mesg = $async_ldap_hd->bind(
1718 $binddn,
1719 password => $password,
1720 callback => $opt_fastbind ? undef : \&error_callback
1721 ) || die "doesnt work";
1722 };
1723 if ($mesg->code) {
1724 display_ldap_err($mesg) if (!$opt_fastbind);
1725 return -1;
1726 }
1727 return 0;
1728}
1729
1730sub do_fast_bind() {
1731
1732 do_unbind();
1733
1734 my $hd = get_ldap_hd($server,1);
1735
1736 my $mesg = $hd->extension(
1737 name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'});
1738
1739 if ($mesg->code) {
1740 display_ldap_err($mesg);
1741 return -1;
1742 }
1743
1744 my $ret = do_bind($hd, undef);
1745 $hd->unbind;
1746
1747 printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n",
1748 $ret == 0 ? "succeeded" : "failed");
1749
1750 return $ret;
1751}
1752
1753sub do_unbind() {
1754 if ($async_ldap_hd) {
1755 $async_ldap_hd->unbind;
1756 }
1757 if ($sync_ldap_hd) {
1758 $sync_ldap_hd->unbind;
1759 }
1760}
1761
1762###############################################################################
1763
1764sub main () {
1765
1766 if ($opt_fastbind) {
1767
1768 if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) {
1769 print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n";
1770 exit 1;
1771 }
1772
1773 # fast bind can only bind, not search
1774 exit do_fast_bind();
1775 }
1776
1777 $filter = construct_filter($query);
1778 @attrs = construct_attrs(@attrs);
1779 @ctrls = gen_controls();
1780
1781 if (check_ctrls($server,$dse,@ctrls) == -1) {
1782 print "not all required LDAP Controls are supported by this server\n";
1783 exit 1;
1784 }
1785
1786 if ($opt_dump_rootdse) {
1787 print "Dumping Root-DSE:\n";
1788 display_entry_generic($dse);
1789 exit 0;
1790 }
1791
1792 if ($opt_dump_wknguid) {
1793 dump_wknguid();
1794 exit 0;
1795 }
1796
1797 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1798 exit 1;
1799 }
1800
1801 print_header();
1802
1803 if ($opt_dump_schema) {
1804 print "Dumping Schema:\n";
1805# my $ads_schema = $async_ldap_hd->schema;
1806# $ads_schema->dump;
1807# exit 0;
1808 }
1809
1810 while (1) {
1811
1812 $async_search = $async_ldap_hd->search(
1813 base => $base,
1814 filter => $filter,
1815 attrs => [ @attrs ],
1816 control => [ @ctrls ],
1817 callback => \&default_callback,
1818 scope => $scope,
1819 ) || die "cannot search";
1820
1821 if (!$opt_notify && ($async_search->code == LDAP_REFERRAL)) {
1822 foreach my $ref ($async_search->referrals) {
1823 print "\ngot Referral: [$ref]\n";
1824 my ($prot, $host, $base) = split(/\/+/, $ref);
1825 $async_ldap_hd->unbind();
1826 $async_ldap_hd = get_ldap_hd($host, 1);
1827 if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1828 $async_ldap_hd->unbind();
1829 next;
1830 }
1831 print "\nsuccessful rebind to: [$ref]\n";
1832 last;
1833 }
1834 next; # repeat the query
1835 }
1836
1837 if ($opt_notify) {
1838
1839 print "Base [$base] is registered now for change-notify\n";
1840 print "\nWaiting for change-notify...\n";
1841
1842 my $sync_ldap_hd = get_ldap_hd($server,0);
1843 if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
1844 exit 2;
1845 }
1846
1847 my $sync_search = $sync_ldap_hd->search(
1848 base => $base,
1849 filter => $filter,
1850 attrs => [ @attrs ],
1851 callback => \&notify_callback,
1852 scope => $scope,
1853 ) || die "cannot search";
1854
1855 }
1856
1857 $total_entry_count += $async_search->count;
1858 ++$page_count;
1859 print "-" x 80 . "\n";
1860 printf("Got %d Entries in Page %d \n\n",
1861 $async_search->count, $page_count);
1862 my ($resp) = $async_search->control(
1863 $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1864 last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1865 }
1866
1867 if ($async_search->entries == 0) {
1868 print "No entries found with filter $filter\n";
1869 } else {
1870 print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging);
1871 }
1872
1873 do_unbind()
1874}
1875
1876main();
1877
1878exit 0;
Note: See TracBrowser for help on using the repository browser.