Context Navigation

source: branches/samba-3.3.x/source/lib/smbldap.c

Visit:

Last change on this file was 370, checked in by Herwig Bauernfeind, 16 years ago
Update Samba 3.3 to 3.3.10 (source)
File size: 55.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	LDAP protocol helper functions for SAMBA
4	Copyright (C) Jean FranÃ§ois Micouleau 1998
5	Copyright (C) Gerald Carter 2001-2003
6	Copyright (C) Shahms King 2001
7	Copyright (C) Andrew Bartlett 2002-2003
8	Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23	*/
24
25	#include "includes.h"
26	#include "smbldap.h"
27
28	#ifndef LDAP_OPT_SUCCESS
29	#define LDAP_OPT_SUCCESS 0
30	#endif
31
32	/* Try not to hit the up or down server forever */
33
34	#define SMBLDAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
35	#define SMBLDAP_NUM_RETRIES 8 /* retry only 8 times */
36
37	#define SMBLDAP_IDLE_TIME 150 /* After 2.5 minutes disconnect */
38
39
40	/* attributes used by Samba 2.2 */
41
42	ATTRIB_MAP_ENTRY attrib_map_v22[] = {
43	{ LDAP_ATTR_UID, "uid" },
44	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
45	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
46	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
47	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
48	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
49	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
50	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
51	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
52	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
53	{ LDAP_ATTR_CN, "cn" },
54	{ LDAP_ATTR_SN, "sn" },
55	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
56	{ LDAP_ATTR_HOME_PATH, "smbHome" },
57	{ LDAP_ATTR_HOME_DRIVE, "homeDrive" },
58	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
59	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
60	{ LDAP_ATTR_DESC, "description" },
61	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
62	{ LDAP_ATTR_USER_RID, "rid" },
63	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
64	{ LDAP_ATTR_LMPW, "lmPassword" },
65	{ LDAP_ATTR_NTPW, "ntPassword" },
66	{ LDAP_ATTR_DOMAIN, "domain" },
67	{ LDAP_ATTR_OBJCLASS, "objectClass" },
68	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
69	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
70	{ LDAP_ATTR_LIST_END, NULL }
71	};
72
73	ATTRIB_MAP_ENTRY attrib_map_to_delete_v22[] = {
74	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
75	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
76	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
77	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
78	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
79	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
80	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
81	{ LDAP_ATTR_HOME_PATH, "smbHome" },
82	{ LDAP_ATTR_HOME_DRIVE, "homeDrives" },
83	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
84	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
85	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
86	{ LDAP_ATTR_USER_RID, "rid" },
87	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
88	{ LDAP_ATTR_LMPW, "lmPassword" },
89	{ LDAP_ATTR_NTPW, "ntPassword" },
90	{ LDAP_ATTR_DOMAIN, "domain" },
91	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
92	{ LDAP_ATTR_LIST_END, NULL }
93	};
94
95	/* attributes used by Samba 3.0's sambaSamAccount */
96
97	ATTRIB_MAP_ENTRY attrib_map_v30[] = {
98	{ LDAP_ATTR_UID, "uid" },
99	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
100	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
101	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
102	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
103	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
104	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
105	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
106	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
107	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
108	{ LDAP_ATTR_CN, "cn" },
109	{ LDAP_ATTR_SN, "sn" },
110	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
111	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
112	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
113	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
114	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
115	{ LDAP_ATTR_DESC, "description" },
116	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
117	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
118	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
119	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
120	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
121	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
122	{ LDAP_ATTR_OBJCLASS, "objectClass" },
123	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
124	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
125	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
126	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
127	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
128	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
129	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
130	{ LDAP_ATTR_LIST_END, NULL }
131	};
132
133	ATTRIB_MAP_ENTRY attrib_map_to_delete_v30[] = {
134	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
135	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
136	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
137	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
138	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
139	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
140	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
141	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
142	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
143	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
144	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
145	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
146	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
147	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
148	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
149	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
150	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
151	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
152	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
153	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
154	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
155	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
156	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
157	{ LDAP_ATTR_LIST_END, NULL }
158	};
159
160	/* attributes used for allocating RIDs */
161
162	ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
163	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
164	{ LDAP_ATTR_NEXT_RID, "sambaNextRid" },
165	{ LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
166	{ LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
167	{ LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID },
168	{ LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
169	{ LDAP_ATTR_OBJCLASS, "objectClass" },
170	{ LDAP_ATTR_LIST_END, NULL },
171	};
172
173	/* Samba 3.0 group mapping attributes */
174
175	ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
176	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
177	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
178	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
179	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
180	{ LDAP_ATTR_DESC, "description" },
181	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
182	{ LDAP_ATTR_CN, "cn" },
183	{ LDAP_ATTR_OBJCLASS, "objectClass" },
184	{ LDAP_ATTR_LIST_END, NULL }
185	};
186
187	ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
188	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
189	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
190	{ LDAP_ATTR_DESC, "description" },
191	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
192	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
193	{ LDAP_ATTR_LIST_END, NULL }
194	};
195
196	/* idmap_ldap sambaUnixIdPool */
197
198	ATTRIB_MAP_ENTRY idpool_attr_list[] = {
199	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
200	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
201	{ LDAP_ATTR_OBJCLASS, "objectClass" },
202	{ LDAP_ATTR_LIST_END, NULL }
203	};
204
205	ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
206	{ LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID },
207	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
208	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
209	{ LDAP_ATTR_OBJCLASS, "objectClass" },
210	{ LDAP_ATTR_LIST_END, NULL }
211	};
212
213	/**********************************************************************
214	perform a simple table lookup and return the attribute name
215	**********************************************************************/
216
217	const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
218	{
219	int i = 0;
220
221	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
222	if ( table[i].attrib == key )
223	return table[i].name;
224	i++;
225	}
226
227	return NULL;
228	}
229
230
231	/**********************************************************************
232	Return the list of attribute names from a mapping table
233	**********************************************************************/
234
235	const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
236	{
237	const char **names;
238	int i = 0;
239
240	while ( table[i].attrib != LDAP_ATTR_LIST_END )
241	i++;
242	i++;
243
244	names = TALLOC_ARRAY( mem_ctx, const char*, i );
245	if ( !names ) {
246	DEBUG(0,("get_attr_list: out of memory\n"));
247	return NULL;
248	}
249
250	i = 0;
251	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
252	names[i] = talloc_strdup( names, table[i].name );
253	i++;
254	}
255	names[i] = NULL;
256
257	return names;
258	}
259
260	/*******************************************************************
261	Search an attribute and return the first value found.
262	******************************************************************/
263
264	bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
265	const char attribute, char value,
266	int max_len)
267	{
268	char **values;
269
270	if ( !attribute )
271	return False;
272
273	value[0] = '\0';
274
275	if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
276	DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
277
278	return False;
279	}
280
281	if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, False) == (size_t)-1) {
282	DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n",
283	attribute, values[0]));
284	ldap_value_free(values);
285	return False;
286	}
287
288	ldap_value_free(values);
289	#ifdef DEBUG_PASSWORDS
290	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
291	#endif
292	return True;
293	}
294
295	char * smbldap_talloc_single_attribute(LDAP ldap_struct, LDAPMessage entry,
296	const char *attribute,
297	TALLOC_CTX *mem_ctx)
298	{
299	char **values;
300	char *result;
301	size_t converted_size;
302
303	if (attribute == NULL) {
304	return NULL;
305	}
306
307	values = ldap_get_values(ldap_struct, entry, attribute);
308
309	if (values == NULL) {
310	DEBUG(10, ("attribute %s does not exist\n", attribute));
311	return NULL;
312	}
313
314	if (ldap_count_values(values) != 1) {
315	DEBUG(10, ("attribute %s has %d values, expected only one\n",
316	attribute, ldap_count_values(values)));
317	ldap_value_free(values);
318	return NULL;
319	}
320
321	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
322	DEBUG(10, ("pull_utf8_talloc failed\n"));
323	ldap_value_free(values);
324	return NULL;
325	}
326
327	ldap_value_free(values);
328
329	#ifdef DEBUG_PASSWORDS
330	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
331	attribute, result));
332	#endif
333	return result;
334	}
335
336	char * smbldap_talloc_first_attribute(LDAP ldap_struct, LDAPMessage entry,
337	const char *attribute,
338	TALLOC_CTX *mem_ctx)
339	{
340	char **values;
341	char *result;
342	size_t converted_size;
343
344	if (attribute == NULL) {
345	return NULL;
346	}
347
348	values = ldap_get_values(ldap_struct, entry, attribute);
349
350	if (values == NULL) {
351	DEBUG(10, ("attribute %s does not exist\n", attribute));
352	return NULL;
353	}
354
355	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
356	DEBUG(10, ("pull_utf8_talloc failed\n"));
357	ldap_value_free(values);
358	return NULL;
359	}
360
361	ldap_value_free(values);
362
363	#ifdef DEBUG_PASSWORDS
364	DEBUG (100, ("smbldap_get_first_attribute: [%s] = [%s]\n",
365	attribute, result));
366	#endif
367	return result;
368	}
369
370	char * smbldap_talloc_smallest_attribute(LDAP ldap_struct, LDAPMessage entry,
371	const char *attribute,
372	TALLOC_CTX *mem_ctx)
373	{
374	char **values;
375	char *result;
376	size_t converted_size;
377	int i, num_values;
378
379	if (attribute == NULL) {
380	return NULL;
381	}
382
383	values = ldap_get_values(ldap_struct, entry, attribute);
384
385	if (values == NULL) {
386	DEBUG(10, ("attribute %s does not exist\n", attribute));
387	return NULL;
388	}
389
390	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
391	DEBUG(10, ("pull_utf8_talloc failed\n"));
392	ldap_value_free(values);
393	return NULL;
394	}
395
396	num_values = ldap_count_values(values);
397
398	for (i=1; i<num_values; i++) {
399	char *tmp;
400
401	if (!pull_utf8_talloc(mem_ctx, &tmp, values[i],
402	&converted_size)) {
403	DEBUG(10, ("pull_utf8_talloc failed\n"));
404	TALLOC_FREE(result);
405	ldap_value_free(values);
406	return NULL;
407	}
408
409	if (StrCaseCmp(tmp, result) < 0) {
410	TALLOC_FREE(result);
411	result = tmp;
412	} else {
413	TALLOC_FREE(tmp);
414	}
415	}
416
417	ldap_value_free(values);
418
419	#ifdef DEBUG_PASSWORDS
420	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
421	attribute, result));
422	#endif
423	return result;
424	}
425
426	char * smbldap_talloc_smallest_attribute(LDAP ldap_struct, LDAPMessage entry,
427	const char *attribute,
428	TALLOC_CTX *mem_ctx)
429	{
430	char **values;
431	char *result;
432	size_t converted_size;
433	int i, num_values;
434
435	if (attribute == NULL) {
436	return NULL;
437	}
438
439	values = ldap_get_values(ldap_struct, entry, attribute);
440
441	if (values == NULL) {
442	DEBUG(10, ("attribute %s does not exist\n", attribute));
443	return NULL;
444	}
445
446	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
447	DEBUG(10, ("pull_utf8_talloc failed\n"));
448	ldap_value_free(values);
449	return NULL;
450	}
451
452	num_values = ldap_count_values(values);
453
454	for (i=1; i<num_values; i++) {
455	char *tmp;
456
457	if (!pull_utf8_talloc(mem_ctx, &tmp, values[i],
458	&converted_size)) {
459	DEBUG(10, ("pull_utf8_talloc failed\n"));
460	TALLOC_FREE(result);
461	ldap_value_free(values);
462	return NULL;
463	}
464
465	if (StrCaseCmp(tmp, result) < 0) {
466	TALLOC_FREE(result);
467	result = tmp;
468	} else {
469	TALLOC_FREE(tmp);
470	}
471	}
472
473	ldap_value_free(values);
474
475	#ifdef DEBUG_PASSWORDS
476	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
477	attribute, result));
478	#endif
479	return result;
480	}
481
482	static int ldapmsg_destructor(LDAPMessage **result) {
483	ldap_msgfree(*result);
484	return 0;
485	}
486
487	void talloc_autofree_ldapmsg(TALLOC_CTX mem_ctx, LDAPMessage result)
488	{
489	LDAPMessage **handle;
490
491	if (result == NULL) {
492	return;
493	}
494
495	handle = TALLOC_P(mem_ctx, LDAPMessage *);
496	SMB_ASSERT(handle != NULL);
497
498	*handle = result;
499	talloc_set_destructor(handle, ldapmsg_destructor);
500	}
501
502	static int ldapmod_destructor(LDAPMod ***mod) {
503	ldap_mods_free(*mod, True);
504	return 0;
505	}
506
507	void talloc_autofree_ldapmod(TALLOC_CTX mem_ctx, LDAPMod *mod)
508	{
509	LDAPMod ***handle;
510
511	if (mod == NULL) {
512	return;
513	}
514
515	handle = TALLOC_P(mem_ctx, LDAPMod **);
516	SMB_ASSERT(handle != NULL);
517
518	*handle = mod;
519	talloc_set_destructor(handle, ldapmod_destructor);
520	}
521
522	/************************************************************************
523	Routine to manage the LDAPMod structure array
524	manage memory used by the array, by each struct, and values
525	***********************************************************************/
526
527	void smbldap_set_mod (LDAPMod *** modlist, int modop, const char attribute, const char value)
528	{
529	LDAPMod **mods;
530	int i;
531	int j;
532
533	mods = *modlist;
534
535	/* sanity checks on the mod values */
536
537	if (attribute == NULL \|\| *attribute == '\0') {
538	return;
539	}
540
541	#if 0 /* commented out after discussion with abartlet. Do not reenable.
542	left here so other do not re-add similar code --jerry */
543	if (value == NULL \|\| *value == '\0')
544	return;
545	#endif
546
547	if (mods == NULL) {
548	mods = SMB_MALLOC_P(LDAPMod *);
549	if (mods == NULL) {
550	smb_panic("smbldap_set_mod: out of memory!");
551	/* notreached. */
552	}
553	mods[0] = NULL;
554	}
555
556	for (i = 0; mods[i] != NULL; ++i) {
557	if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
558	break;
559	}
560
561	if (mods[i] == NULL) {
562	mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
563	if (mods == NULL) {
564	smb_panic("smbldap_set_mod: out of memory!");
565	/* notreached. */
566	}
567	mods[i] = SMB_MALLOC_P(LDAPMod);
568	if (mods[i] == NULL) {
569	smb_panic("smbldap_set_mod: out of memory!");
570	/* notreached. */
571	}
572	mods[i]->mod_op = modop;
573	mods[i]->mod_values = NULL;
574	mods[i]->mod_type = SMB_STRDUP(attribute);
575	mods[i + 1] = NULL;
576	}
577
578	if (value != NULL) {
579	char *utf8_value = NULL;
580	size_t converted_size;
581
582	j = 0;
583	if (mods[i]->mod_values != NULL) {
584	for (; mods[i]->mod_values[j] != NULL; j++);
585	}
586	mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
587
588	if (mods[i]->mod_values == NULL) {
589	smb_panic("smbldap_set_mod: out of memory!");
590	/* notreached. */
591	}
592
593	if (!push_utf8_allocate(&utf8_value, value, &converted_size)) {
594	smb_panic("smbldap_set_mod: String conversion failure!");
595	/* notreached. */
596	}
597
598	mods[i]->mod_values[j] = utf8_value;
599
600	mods[i]->mod_values[j + 1] = NULL;
601	}
602	*modlist = mods;
603	}
604
605	/**********************************************************************
606	Set attribute to newval in LDAP, regardless of what value the
607	attribute had in LDAP before.
608	*********************************************************************/
609
610	void smbldap_make_mod(LDAP ldap_struct, LDAPMessage existing,
611	LDAPMod ***mods,
612	const char attribute, const char newval)
613	{
614	char oldval[2048]; /* current largest allowed value is mungeddial */
615	bool existed;
616
617	if (attribute == NULL) {
618	/* This can actually happen for ldapsam_compat where we for
619	* example don't have a password history */
620	return;
621	}
622
623	if (existing != NULL) {
624	existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
625	} else {
626	existed = False;
627	*oldval = '\0';
628	}
629
630	/* all of our string attributes are case insensitive */
631
632	if (existed && newval && (StrCaseCmp(oldval, newval) == 0)) {
633
634	/* Believe it or not, but LDAP will deny a delete and
635	an add at the same time if the values are the
636	same... */
637	DEBUG(10,("smbldap_make_mod: attribute \|%s\| not changed.\n", attribute));
638	return;
639	}
640
641	if (existed) {
642	/* There has been no value before, so don't delete it.
643	* Here's a possible race: We might end up with
644	* duplicate attributes */
645	/* By deleting exactly the value we found in the entry this
646	* should be race-free in the sense that the LDAP-Server will
647	* deny the complete operation if somebody changed the
648	* attribute behind our back. */
649	/* This will also allow modifying single valued attributes
650	* in Novell NDS. In NDS you have to first remove attribute and then
651	* you could add new value */
652
653	DEBUG(10,("smbldap_make_mod: deleting attribute \|%s\| values \|%s\|\n", attribute, oldval));
654	smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
655	}
656
657	/* Regardless of the real operation (add or modify)
658	we add the new value here. We rely on deleting
659	the old value, should it exist. */
660
661	if ((newval != NULL) && (strlen(newval) > 0)) {
662	DEBUG(10,("smbldap_make_mod: adding attribute \|%s\| value \|%s\|\n", attribute, newval));
663	smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
664	}
665	}
666
667	/**********************************************************************
668	Some varients of the LDAP rebind code do not pass in the third 'arg'
669	pointer to a void*, so we try and work around it by assuming that the
670	value of the 'LDAP *' pointer is the same as the one we had passed in
671	**********************************************************************/
672
673	struct smbldap_state_lookup {
674	LDAP *ld;
675	struct smbldap_state *smbldap_state;
676	struct smbldap_state_lookup prev, next;
677	};
678
679	static struct smbldap_state_lookup *smbldap_state_lookup_list;
680
681	static struct smbldap_state smbldap_find_state(LDAP ld)
682	{
683	struct smbldap_state_lookup *t;
684
685	for (t = smbldap_state_lookup_list; t; t = t->next) {
686	if (t->ld == ld) {
687	return t->smbldap_state;
688	}
689	}
690	return NULL;
691	}
692
693	static void smbldap_delete_state(struct smbldap_state *smbldap_state)
694	{
695	struct smbldap_state_lookup *t;
696
697	for (t = smbldap_state_lookup_list; t; t = t->next) {
698	if (t->smbldap_state == smbldap_state) {
699	DLIST_REMOVE(smbldap_state_lookup_list, t);
700	SAFE_FREE(t);
701	return;
702	}
703	}
704	}
705
706	static void smbldap_store_state(LDAP ld, struct smbldap_state smbldap_state)
707	{
708	struct smbldap_state *tmp_ldap_state;
709	struct smbldap_state_lookup *t;
710
711	if ((tmp_ldap_state = smbldap_find_state(ld))) {
712	SMB_ASSERT(tmp_ldap_state == smbldap_state);
713	return;
714	}
715
716	t = SMB_XMALLOC_P(struct smbldap_state_lookup);
717	ZERO_STRUCTP(t);
718
719	DLIST_ADD_END(smbldap_state_lookup_list, t, struct smbldap_state_lookup *);
720	t->ld = ld;
721	t->smbldap_state = smbldap_state;
722	}
723
724	/********************************************************************
725	start TLS on an existing LDAP connection
726	*******************************************************************/
727
728	int smb_ldap_start_tls(LDAP *ldap_struct, int version)
729	{
730	#ifdef LDAP_OPT_X_TLS
731	int rc;
732	#endif
733
734	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
735	return LDAP_SUCCESS;
736	}
737
738	#ifdef LDAP_OPT_X_TLS
739	if (version != LDAP_VERSION3) {
740	DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
741	return LDAP_OPERATIONS_ERROR;
742	}
743
744	if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
745	DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
746	ldap_err2string(rc)));
747	return rc;
748	}
749
750	DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
751	return LDAP_SUCCESS;
752	#else
753	DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
754	return LDAP_OPERATIONS_ERROR;
755	#endif
756	}
757
758	/********************************************************************
759	setup a connection to the LDAP server based on a uri
760	*******************************************************************/
761
762	int smb_ldap_setup_conn(LDAP *ldap_struct, const char uri)
763	{
764	int rc;
765
766	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
767
768	#ifdef HAVE_LDAP_INITIALIZE
769
770	rc = ldap_initialize(ldap_struct, uri);
771	if (rc) {
772	DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
773	}
774
775	return rc;
776	#else
777
778	/* Parse the string manually */
779
780	{
781	int port = 0;
782	fstring protocol;
783	fstring host;
784	SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
785
786
787	/* skip leading "URL:" (if any) */
788	if ( strnequal( uri, "URL:", 4 ) ) {
789	uri += 4;
790	}
791
792	sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
793
794	if (port == 0) {
795	if (strequal(protocol, "ldap")) {
796	port = LDAP_PORT;
797	} else if (strequal(protocol, "ldaps")) {
798	port = LDAPS_PORT;
799	} else {
800	DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
801	}
802	}
803
804	if ((*ldap_struct = ldap_init(host, port)) == NULL) {
805	DEBUG(0, ("ldap_init failed !\n"));
806	return LDAP_OPERATIONS_ERROR;
807	}
808
809	if (strequal(protocol, "ldaps")) {
810	#ifdef LDAP_OPT_X_TLS
811	int tls = LDAP_OPT_X_TLS_HARD;
812	if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
813	{
814	DEBUG(0, ("Failed to setup a TLS session\n"));
815	}
816
817	DEBUG(3,("LDAPS option set...!\n"));
818	#else
819	DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
820	return LDAP_OPERATIONS_ERROR;
821	#endif /* LDAP_OPT_X_TLS */
822	}
823	}
824	#endif /* HAVE_LDAP_INITIALIZE */
825
826
827	/* now set connection timeout */
828	#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
829	{
830	int ct = lp_ldap_connection_timeout()*1000;
831	rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
832	if (rc != LDAP_SUCCESS) {
833	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
834	ct, ldap_err2string(rc)));
835	}
836	}
837	#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
838	{
839	struct timeval ct;
840	ct.tv_usec = 0;
841	ct.tv_sec = lp_ldap_connection_timeout();
842	rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
843	if (rc != LDAP_SUCCESS) {
844	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
845	(int)ct.tv_sec, ldap_err2string(rc)));
846	}
847	}
848	#endif
849
850	return LDAP_SUCCESS;
851	}
852
853	/********************************************************************
854	try to upgrade to Version 3 LDAP if not already, in either case return current
855	version
856	*******************************************************************/
857
858	int smb_ldap_upgrade_conn(LDAP ldap_struct, int new_version)
859	{
860	int version;
861	int rc;
862
863	/* assume the worst */
864	*new_version = LDAP_VERSION2;
865
866	rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
867	if (rc) {
868	return rc;
869	}
870
871	if (version == LDAP_VERSION3) {
872	*new_version = LDAP_VERSION3;
873	return LDAP_SUCCESS;
874	}
875
876	/* try upgrade */
877	version = LDAP_VERSION3;
878	rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
879	if (rc) {
880	return rc;
881	}
882
883	*new_version = LDAP_VERSION3;
884	return LDAP_SUCCESS;
885	}
886
887	/*******************************************************************
888	open a connection to the ldap server (just until the bind)
889	******************************************************************/
890
891	int smb_ldap_setup_full_conn(LDAP *ldap_struct, const char uri)
892	{
893	int rc, version;
894
895	rc = smb_ldap_setup_conn(ldap_struct, uri);
896	if (rc) {
897	return rc;
898	}
899
900	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
901	if (rc) {
902	return rc;
903	}
904
905	rc = smb_ldap_start_tls(*ldap_struct, version);
906	if (rc) {
907	return rc;
908	}
909
910	return LDAP_SUCCESS;
911	}
912
913	/*******************************************************************
914	open a connection to the ldap server.
915	******************************************************************/
916	static int smbldap_open_connection (struct smbldap_state *ldap_state)
917
918	{
919	int rc = LDAP_SUCCESS;
920	int version;
921	LDAP **ldap_struct = &ldap_state->ldap_struct;
922
923	rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
924	if (rc) {
925	return rc;
926	}
927
928	/* Store the LDAP pointer in a lookup list */
929
930	smbldap_store_state(*ldap_struct, ldap_state);
931
932	/* Upgrade to LDAPv3 if possible */
933
934	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
935	if (rc) {
936	return rc;
937	}
938
939	/* Start TLS if required */
940
941	rc = smb_ldap_start_tls(*ldap_struct, version);
942	if (rc) {
943	return rc;
944	}
945
946	DEBUG(2, ("smbldap_open_connection: connection opened\n"));
947	return rc;
948	}
949
950	/*******************************************************************
951	a rebind function for authenticated referrals
952	This version takes a void* that we can shove useful stuff in :-)
953	******************************************************************/
954	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
955	#else
956	static int rebindproc_with_state (LDAP * ld, char whop, char credp,
957	int methodp, int freeit, void arg)
958	{
959	struct smbldap_state *ldap_state = arg;
960
961	/** @TODO Should we be doing something to check what servers we rebind to?
962	Could we get a referral to a machine that we don't want to give our
963	username and password to? */
964
965	if (freeit) {
966	SAFE_FREE(*whop);
967	if (*credp) {
968	memset(credp, '\0', strlen(credp));
969	}
970	SAFE_FREE(*credp);
971	} else {
972	DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
973	ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
974
975	if (ldap_state->anonymous) {
976	*whop = NULL;
977	*credp = NULL;
978	} else {
979	*whop = SMB_STRDUP(ldap_state->bind_dn);
980	if (!*whop) {
981	return LDAP_NO_MEMORY;
982	}
983	*credp = SMB_STRDUP(ldap_state->bind_secret);
984	if (!*credp) {
985	SAFE_FREE(*whop);
986	return LDAP_NO_MEMORY;
987	}
988	}
989	*methodp = LDAP_AUTH_SIMPLE;
990	}
991
992	GetTimeOfDay(&ldap_state->last_rebind);
993
994	return 0;
995	}
996	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
997
998	/*******************************************************************
999	a rebind function for authenticated referrals
1000	This version takes a void* that we can shove useful stuff in :-)
1001	and actually does the connection.
1002	******************************************************************/
1003	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1004	static int rebindproc_connect_with_state (LDAP *ldap_struct,
1005	LDAP_CONST char *url,
1006	ber_tag_t request,
1007	ber_int_t msgid, void *arg)
1008	{
1009	struct smbldap_state *ldap_state =
1010	(struct smbldap_state *)arg;
1011	int rc;
1012	int version;
1013
1014	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n",
1015	url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
1016
1017	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
1018	* itself) before rebinding to another LDAP server to avoid to expose
1019	* our credentials. At least try to secure the connection - Guenther */
1020
1021	smb_ldap_upgrade_conn(ldap_struct, &version);
1022	smb_ldap_start_tls(ldap_struct, version);
1023
1024	/** @TODO Should we be doing something to check what servers we rebind to?
1025	Could we get a referral to a machine that we don't want to give our
1026	username and password to? */
1027
1028	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1029
1030	/* only set the last rebind timestamp when we did rebind after a
1031	* non-read LDAP operation. That way we avoid the replication sleep
1032	* after a simple redirected search operation - Guenther */
1033
1034	switch (request) {
1035
1036	case LDAP_REQ_MODIFY:
1037	case LDAP_REQ_ADD:
1038	case LDAP_REQ_DELETE:
1039	case LDAP_REQ_MODDN:
1040	case LDAP_REQ_EXTENDED:
1041	DEBUG(10,("rebindproc_connect_with_state: "
1042	"setting last_rebind timestamp "
1043	"(req: 0x%02x)\n", (unsigned int)request));
1044	GetTimeOfDay(&ldap_state->last_rebind);
1045	break;
1046	default:
1047	ZERO_STRUCT(ldap_state->last_rebind);
1048	break;
1049	}
1050
1051	return rc;
1052	}
1053	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1054
1055	/*******************************************************************
1056	Add a rebind function for authenticated referrals
1057	******************************************************************/
1058	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1059	#else
1060	# if LDAP_SET_REBIND_PROC_ARGS == 2
1061	static int rebindproc (LDAP ldap_struct, char whop, char *credp,
1062	int *method, int freeit )
1063	{
1064	struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
1065
1066	return rebindproc_with_state(ldap_struct, whop, credp,
1067	method, freeit, ldap_state);
1068
1069	}
1070	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
1071	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1072
1073	/*******************************************************************
1074	a rebind function for authenticated referrals
1075	this also does the connection, but no void*.
1076	******************************************************************/
1077	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1078	# if LDAP_SET_REBIND_PROC_ARGS == 2
1079	static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
1080	ber_int_t msgid)
1081	{
1082	struct smbldap_state *ldap_state = smbldap_find_state(ld);
1083
1084	return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
1085	ldap_state);
1086	}
1087	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
1088	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1089
1090	/*******************************************************************
1091	connect to the ldap server under system privilege.
1092	******************************************************************/
1093	static int smbldap_connect_system(struct smbldap_state ldap_state, LDAP ldap_struct)
1094	{
1095	int rc;
1096	int version;
1097
1098	if (!ldap_state->anonymous && !ldap_state->bind_dn) {
1099
1100	/* get the default dn and password only if they are not set already */
1101	if (!fetch_ldap_pw(&ldap_state->bind_dn, &ldap_state->bind_secret)) {
1102	DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
1103	return LDAP_INVALID_CREDENTIALS;
1104	}
1105	}
1106
1107	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
1108	(OpenLDAP) doesnt' seem to support it */
1109
1110	DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
1111	ldap_state->uri, ldap_state->bind_dn));
1112
1113	#ifdef HAVE_LDAP_SET_REBIND_PROC
1114	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1115	# if LDAP_SET_REBIND_PROC_ARGS == 2
1116	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
1117	# endif
1118	# if LDAP_SET_REBIND_PROC_ARGS == 3
1119	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
1120	# endif
1121	#else /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1122	# if LDAP_SET_REBIND_PROC_ARGS == 2
1123	ldap_set_rebind_proc(ldap_struct, &rebindproc);
1124	# endif
1125	# if LDAP_SET_REBIND_PROC_ARGS == 3
1126	ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
1127	# endif
1128	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1129	#endif
1130
1131	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1132
1133	if (rc != LDAP_SUCCESS) {
1134	char *ld_error = NULL;
1135	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1136	&ld_error);
1137	DEBUG(ldap_state->num_failures ? 2 : 0,
1138	("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
1139	ldap_state->uri,
1140	ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
1141	ldap_err2string(rc),
1142	ld_error ? ld_error : "(unknown)"));
1143	SAFE_FREE(ld_error);
1144	ldap_state->num_failures++;
1145	return rc;
1146	}
1147
1148	ldap_state->num_failures = 0;
1149	ldap_state->paged_results = False;
1150
1151	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
1152
1153	if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
1154	ldap_state->paged_results = True;
1155	}
1156
1157	DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
1158	DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n",
1159	ldap_state->paged_results ? "does" : "does not"));
1160	return rc;
1161	}
1162
1163	static void smbldap_idle_fn(struct event_context *event_ctx,
1164	struct timed_event *te,
1165	struct timeval now,
1166	void *private_data);
1167
1168	/**********************************************************************
1169	Connect to LDAP server (called before every ldap operation)
1170	*********************************************************************/
1171	static int smbldap_open(struct smbldap_state *ldap_state)
1172	{
1173	int rc, opt_rc;
1174	bool reopen = False;
1175	SMB_ASSERT(ldap_state);
1176
1177	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
1178
1179	#ifdef HAVE_UNIXSOCKET
1180	struct sockaddr_un addr;
1181	#else
1182	struct sockaddr addr;
1183	#endif
1184	socklen_t len = sizeof(addr);
1185	int sd;
1186
1187	opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
1188	if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
1189	reopen = True;
1190
1191	#ifdef HAVE_UNIXSOCKET
1192	if (opt_rc == 0 && addr.sun_family == AF_UNIX)
1193	reopen = True;
1194	#endif
1195	if (reopen) {
1196	/* the other end has died. reopen. */
1197	ldap_unbind(ldap_state->ldap_struct);
1198	ldap_state->ldap_struct = NULL;
1199	ldap_state->last_ping = (time_t)0;
1200	} else {
1201	ldap_state->last_ping = time(NULL);
1202	}
1203	}
1204
1205	if (ldap_state->ldap_struct != NULL) {
1206	DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
1207	return LDAP_SUCCESS;
1208	}
1209
1210	if ((rc = smbldap_open_connection(ldap_state))) {
1211	return rc;
1212	}
1213
1214	if ((rc = smbldap_connect_system(ldap_state, ldap_state->ldap_struct))) {
1215	ldap_unbind(ldap_state->ldap_struct);
1216	ldap_state->ldap_struct = NULL;
1217	return rc;
1218	}
1219
1220
1221	ldap_state->last_ping = time(NULL);
1222	ldap_state->pid = sys_getpid();
1223
1224	TALLOC_FREE(ldap_state->idle_event);
1225
1226	if (ldap_state->event_context != NULL) {
1227	ldap_state->idle_event = event_add_timed(
1228	ldap_state->event_context, NULL,
1229	timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
1230	smbldap_idle_fn, ldap_state);
1231	}
1232
1233	DEBUG(4,("The LDAP server is successfully connected\n"));
1234
1235	return LDAP_SUCCESS;
1236	}
1237
1238	/**********************************************************************
1239	Disconnect from LDAP server
1240	*********************************************************************/
1241	static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
1242	{
1243	if (!ldap_state)
1244	return NT_STATUS_INVALID_PARAMETER;
1245
1246	if (ldap_state->ldap_struct != NULL) {
1247	ldap_unbind(ldap_state->ldap_struct);
1248	ldap_state->ldap_struct = NULL;
1249	}
1250
1251	smbldap_delete_state(ldap_state);
1252
1253	DEBUG(5,("The connection to the LDAP server was closed\n"));
1254	/* maybe free the results here --metze */
1255
1256	return NT_STATUS_OK;
1257	}
1258
1259	static bool got_alarm;
1260
1261	static void (*old_handler)(int);
1262
1263	static void gotalarm_sig(int dummy)
1264	{
1265	got_alarm = True;
1266	}
1267
1268	static int another_ldap_try(struct smbldap_state ldap_state, int rc,
1269	int *attempts, time_t endtime)
1270	{
1271	time_t now = time(NULL);
1272	int open_rc = LDAP_SERVER_DOWN;
1273
1274	if (*rc != LDAP_SERVER_DOWN)
1275	goto no_next;
1276
1277	if (now >= endtime) {
1278	smbldap_close(ldap_state);
1279	*rc = LDAP_TIMEOUT;
1280	goto no_next;
1281	}
1282
1283	if (*attempts == 0) {
1284	got_alarm = False;
1285	old_handler = CatchSignal(SIGALRM, gotalarm_sig);
1286	alarm(endtime - now);
1287
1288	if (ldap_state->pid != sys_getpid())
1289	smbldap_close(ldap_state);
1290	}
1291
1292	while (1) {
1293
1294	if (*attempts != 0)
1295	smb_msleep(1000);
1296
1297	*attempts += 1;
1298
1299	open_rc = smbldap_open(ldap_state);
1300
1301	if (open_rc == LDAP_SUCCESS) {
1302	ldap_state->last_use = now;
1303	return True;
1304	}
1305
1306	if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
1307	/* The fact that we are non-root or any other
1308	* access-denied condition will not change in the next
1309	* round of trying */
1310	*rc = open_rc;
1311	break;
1312	}
1313
1314	if (got_alarm) {
1315	*rc = LDAP_TIMEOUT;
1316	break;
1317	}
1318
1319	if (open_rc != LDAP_SUCCESS) {
1320	DEBUG(1, ("Connection to LDAP server failed for the "
1321	"%d try!\n", *attempts));
1322	}
1323	}
1324
1325	no_next:
1326	CatchSignal(SIGALRM, old_handler);
1327	alarm(0);
1328	ldap_state->last_use = now;
1329	return False;
1330	}
1331
1332	/*********************************************************************
1333	********************************************************************/
1334
1335	static int smbldap_search_ext(struct smbldap_state *ldap_state,
1336	const char base, int scope, const char filter,
1337	const char *attrs[], int attrsonly,
1338	LDAPControl sctrls, LDAPControl cctrls,
1339	int sizelimit, LDAPMessage **res)
1340	{
1341	int rc = LDAP_SERVER_DOWN;
1342	int attempts = 0;
1343	char *utf8_filter;
1344	time_t endtime = time(NULL)+lp_ldap_timeout();
1345	struct timeval timeout;
1346	size_t converted_size;
1347
1348	SMB_ASSERT(ldap_state);
1349
1350	DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
1351	"scope => [%d]\n", base, filter, scope));
1352
1353	if (ldap_state->last_rebind.tv_sec > 0) {
1354	struct timeval tval;
1355	SMB_BIG_INT tdiff = 0;
1356	int sleep_time = 0;
1357
1358	ZERO_STRUCT(tval);
1359	GetTimeOfDay(&tval);
1360
1361	tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
1362	tdiff /= 1000; /* Convert to milliseconds. */
1363
1364	sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
1365	sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
1366
1367	if (sleep_time > 0) {
1368	/* we wait for the LDAP replication */
1369	DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
1370	"for LDAP replication.\n",sleep_time));
1371	smb_msleep(sleep_time);
1372	DEBUG(5,("smbldap_search_ext: go on!\n"));
1373	}
1374	ZERO_STRUCT(ldap_state->last_rebind);
1375	}
1376
1377	if (!push_utf8_allocate(&utf8_filter, filter, &converted_size)) {
1378	return LDAP_NO_MEMORY;
1379	}
1380
1381	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
1382	timeout.tv_sec = lp_ldap_timeout();
1383	timeout.tv_usec = 0;
1384
1385	/* Setup alarm timeout.... Do we need both of these ? JRA.
1386	* Yes, I think we do need both of these. The server timeout only
1387	* covers the case where the server's operation takes too long. It
1388	* does not cover the case where the request hangs on its way to the
1389	* server. The server side timeout is not strictly necessary, it's
1390	* just a bit more kind to the server. VL. */
1391
1392	got_alarm = 0;
1393	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
1394	alarm(lp_ldap_timeout());
1395	/* End setup timeout. */
1396
1397	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1398	rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope,
1399	utf8_filter,
1400	CONST_DISCARD(char **, attrs),
1401	attrsonly, sctrls, cctrls, &timeout,
1402	sizelimit, res);
1403	if (rc != LDAP_SUCCESS) {
1404	char *ld_error = NULL;
1405	int ld_errno;
1406
1407	ldap_get_option(ldap_state->ldap_struct,
1408	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1409
1410	ldap_get_option(ldap_state->ldap_struct,
1411	LDAP_OPT_ERROR_STRING, &ld_error);
1412	DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
1413	"(%s)\n", base, ld_errno,
1414	ldap_err2string(rc),
1415	ld_error ? ld_error : "unknown"));
1416	SAFE_FREE(ld_error);
1417
1418	if (ld_errno == LDAP_SERVER_DOWN) {
1419	ldap_unbind(ldap_state->ldap_struct);
1420	ldap_state->ldap_struct = NULL;
1421	}
1422	}
1423	}
1424
1425	SAFE_FREE(utf8_filter);
1426
1427	/* Teardown timeout. */
1428	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
1429	alarm(0);
1430
1431	if (got_alarm != 0)
1432	return LDAP_TIMELIMIT_EXCEEDED;
1433
1434	return rc;
1435	}
1436
1437	int smbldap_search(struct smbldap_state *ldap_state,
1438	const char base, int scope, const char filter,
1439	const char *attrs[], int attrsonly,
1440	LDAPMessage **res)
1441	{
1442	return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1443	attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
1444	}
1445
1446	int smbldap_search_paged(struct smbldap_state *ldap_state,
1447	const char base, int scope, const char filter,
1448	const char **attrs, int attrsonly, int pagesize,
1449	LDAPMessage res, void cookie)
1450	{
1451	LDAPControl pr;
1452	LDAPControl **rcontrols;
1453	LDAPControl *controls[2] = { NULL, NULL};
1454	BerElement *cookie_be = NULL;
1455	struct berval *cookie_bv = NULL;
1456	int tmp = 0, i, rc;
1457	bool critical = True;
1458
1459	*res = NULL;
1460
1461	DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
1462	"scope => [%d], pagesize => [%d]\n",
1463	base, filter, scope, pagesize));
1464
1465	cookie_be = ber_alloc_t(LBER_USE_DER);
1466	if (cookie_be == NULL) {
1467	DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
1468	"NULL\n"));
1469	return LDAP_NO_MEMORY;
1470	}
1471
1472	/* construct cookie */
1473	if (*cookie != NULL) {
1474	ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
1475	ber_bvfree((struct berval )cookie); /* don't need it from last time */
1476	*cookie = NULL;
1477	} else {
1478	ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
1479	}
1480	ber_flatten(cookie_be, &cookie_bv);
1481
1482	pr.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
1483	pr.ldctl_iscritical = (char) critical;
1484	pr.ldctl_value.bv_len = cookie_bv->bv_len;
1485	pr.ldctl_value.bv_val = cookie_bv->bv_val;
1486
1487	controls[0] = &pr;
1488	controls[1] = NULL;
1489
1490	rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1491	0, controls, NULL, LDAP_NO_LIMIT, res);
1492
1493	ber_free(cookie_be, 1);
1494	ber_bvfree(cookie_bv);
1495
1496	if (rc != 0) {
1497	DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
1498	"failed with [%s]\n", filter, ldap_err2string(rc)));
1499	goto done;
1500	}
1501
1502	DEBUG(3,("smbldap_search_paged: search was successful\n"));
1503
1504	rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL,
1505	NULL, NULL, &rcontrols, 0);
1506	if (rc != 0) {
1507	DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
1508	"with [%s]\n", ldap_err2string(rc)));
1509	goto done;
1510	}
1511
1512	if (rcontrols == NULL)
1513	goto done;
1514
1515	for (i=0; rcontrols[i]; i++) {
1516
1517	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
1518	continue;
1519
1520	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1521	ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
1522	/* the berval is the cookie, but must be freed when it is all
1523	done */
1524	if (cookie_bv->bv_len)
1525	*cookie=ber_bvdup(cookie_bv);
1526	else
1527	*cookie=NULL;
1528	ber_bvfree(cookie_bv);
1529	ber_free(cookie_be, 1);
1530	break;
1531	}
1532	ldap_controls_free(rcontrols);
1533	done:
1534	return rc;
1535	}
1536
1537	int smbldap_modify(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1538	{
1539	int rc = LDAP_SERVER_DOWN;
1540	int attempts = 0;
1541	char *utf8_dn;
1542	time_t endtime = time(NULL)+lp_ldap_timeout();
1543	size_t converted_size;
1544
1545	SMB_ASSERT(ldap_state);
1546
1547	DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
1548
1549	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
1550	return LDAP_NO_MEMORY;
1551	}
1552
1553	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1554	rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
1555	if (rc != LDAP_SUCCESS) {
1556	char *ld_error = NULL;
1557	int ld_errno;
1558
1559	ldap_get_option(ldap_state->ldap_struct,
1560	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1561
1562	ldap_get_option(ldap_state->ldap_struct,
1563	LDAP_OPT_ERROR_STRING, &ld_error);
1564	DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
1565	"(%s)\n", dn, ld_errno,
1566	ldap_err2string(rc),
1567	ld_error ? ld_error : "unknown"));
1568	SAFE_FREE(ld_error);
1569
1570	if (ld_errno == LDAP_SERVER_DOWN) {
1571	ldap_unbind(ldap_state->ldap_struct);
1572	ldap_state->ldap_struct = NULL;
1573	}
1574	}
1575	}
1576
1577	SAFE_FREE(utf8_dn);
1578	return rc;
1579	}
1580
1581	int smbldap_add(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1582	{
1583	int rc = LDAP_SERVER_DOWN;
1584	int attempts = 0;
1585	char *utf8_dn;
1586	time_t endtime = time(NULL)+lp_ldap_timeout();
1587	size_t converted_size;
1588
1589	SMB_ASSERT(ldap_state);
1590
1591	DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
1592
1593	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
1594	return LDAP_NO_MEMORY;
1595	}
1596
1597	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1598	rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
1599	if (rc != LDAP_SUCCESS) {
1600	char *ld_error = NULL;
1601	int ld_errno;
1602
1603	ldap_get_option(ldap_state->ldap_struct,
1604	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1605
1606	ldap_get_option(ldap_state->ldap_struct,
1607	LDAP_OPT_ERROR_STRING, &ld_error);
1608	DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
1609	"(%s)\n", dn, ld_errno,
1610	ldap_err2string(rc),
1611	ld_error ? ld_error : "unknown"));
1612	SAFE_FREE(ld_error);
1613
1614	if (ld_errno == LDAP_SERVER_DOWN) {
1615	ldap_unbind(ldap_state->ldap_struct);
1616	ldap_state->ldap_struct = NULL;
1617	}
1618	}
1619	}
1620
1621	SAFE_FREE(utf8_dn);
1622	return rc;
1623	}
1624
1625	int smbldap_delete(struct smbldap_state ldap_state, const char dn)
1626	{
1627	int rc = LDAP_SERVER_DOWN;
1628	int attempts = 0;
1629	char *utf8_dn;
1630	time_t endtime = time(NULL)+lp_ldap_timeout();
1631	size_t converted_size;
1632
1633	SMB_ASSERT(ldap_state);
1634
1635	DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
1636
1637	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
1638	return LDAP_NO_MEMORY;
1639	}
1640
1641	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1642	rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
1643	if (rc != LDAP_SUCCESS) {
1644	char *ld_error = NULL;
1645	int ld_errno;
1646
1647	ldap_get_option(ldap_state->ldap_struct,
1648	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1649
1650	ldap_get_option(ldap_state->ldap_struct,
1651	LDAP_OPT_ERROR_STRING, &ld_error);
1652	DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
1653	"(%s)\n", dn, ld_errno,
1654	ldap_err2string(rc),
1655	ld_error ? ld_error : "unknown"));
1656	SAFE_FREE(ld_error);
1657
1658	if (ld_errno == LDAP_SERVER_DOWN) {
1659	ldap_unbind(ldap_state->ldap_struct);
1660	ldap_state->ldap_struct = NULL;
1661	}
1662	}
1663	}
1664
1665	SAFE_FREE(utf8_dn);
1666	return rc;
1667	}
1668
1669	int smbldap_extended_operation(struct smbldap_state *ldap_state,
1670	LDAP_CONST char reqoid, struct berval reqdata,
1671	LDAPControl serverctrls, LDAPControl clientctrls,
1672	char retoidp, struct berval retdatap)
1673	{
1674	int rc = LDAP_SERVER_DOWN;
1675	int attempts = 0;
1676	time_t endtime = time(NULL)+lp_ldap_timeout();
1677
1678	if (!ldap_state)
1679	return (-1);
1680
1681	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1682	rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
1683	reqdata, serverctrls,
1684	clientctrls, retoidp, retdatap);
1685	if (rc != LDAP_SUCCESS) {
1686	char *ld_error = NULL;
1687	int ld_errno;
1688
1689	ldap_get_option(ldap_state->ldap_struct,
1690	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1691
1692	ldap_get_option(ldap_state->ldap_struct,
1693	LDAP_OPT_ERROR_STRING, &ld_error);
1694	DEBUG(10, ("Extended operation failed with error: "
1695	"%d (%s) (%s)\n", ld_errno,
1696	ldap_err2string(rc),
1697	ld_error ? ld_error : "unknown"));
1698	SAFE_FREE(ld_error);
1699
1700	if (ld_errno == LDAP_SERVER_DOWN) {
1701	ldap_unbind(ldap_state->ldap_struct);
1702	ldap_state->ldap_struct = NULL;
1703	}
1704	}
1705	}
1706
1707	return rc;
1708	}
1709
1710	/*******************************************************************
1711	run the search by name.
1712	******************************************************************/
1713	int smbldap_search_suffix (struct smbldap_state *ldap_state,
1714	const char filter, const char *search_attr,
1715	LDAPMessage ** result)
1716	{
1717	return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
1718	filter, search_attr, 0, result);
1719	}
1720
1721	static void smbldap_idle_fn(struct event_context *event_ctx,
1722	struct timed_event *te,
1723	struct timeval now,
1724	void *private_data)
1725	{
1726	struct smbldap_state state = (struct smbldap_state )private_data;
1727
1728	TALLOC_FREE(state->idle_event);
1729
1730	if (state->ldap_struct == NULL) {
1731	DEBUG(10,("ldap connection not connected...\n"));
1732	return;
1733	}
1734
1735	if ((state->last_use+SMBLDAP_IDLE_TIME) > now.tv_sec) {
1736	DEBUG(10,("ldap connection not idle...\n"));
1737
1738	state->idle_event = event_add_timed(
1739	event_ctx, NULL,
1740	timeval_add(&now, SMBLDAP_IDLE_TIME, 0),
1741	smbldap_idle_fn,
1742	private_data);
1743	return;
1744	}
1745
1746	DEBUG(7,("ldap connection idle...closing connection\n"));
1747	smbldap_close(state);
1748	}
1749
1750	/**********************************************************************
1751	Housekeeping
1752	*********************************************************************/
1753
1754	void smbldap_free_struct(struct smbldap_state **ldap_state)
1755	{
1756	smbldap_close(*ldap_state);
1757
1758	if ((*ldap_state)->bind_secret) {
1759	memset((ldap_state)->bind_secret, '\0', strlen((ldap_state)->bind_secret));
1760	}
1761
1762	SAFE_FREE((*ldap_state)->bind_dn);
1763	SAFE_FREE((*ldap_state)->bind_secret);
1764
1765	TALLOC_FREE((*ldap_state)->idle_event);
1766
1767	*ldap_state = NULL;
1768
1769	/* No need to free any further, as it is talloc()ed */
1770	}
1771
1772
1773	/**********************************************************************
1774	Intitalise the 'general' ldap structures, on which ldap operations may be conducted
1775	*********************************************************************/
1776
1777	NTSTATUS smbldap_init(TALLOC_CTX mem_ctx, struct event_context event_ctx,
1778	const char *location,
1779	struct smbldap_state **smbldap_state)
1780	{
1781	*smbldap_state = TALLOC_ZERO_P(mem_ctx, struct smbldap_state);
1782	if (!*smbldap_state) {
1783	DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1784	return NT_STATUS_NO_MEMORY;
1785	}
1786
1787	if (location) {
1788	(*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
1789	} else {
1790	(*smbldap_state)->uri = "ldap://localhost";
1791	}
1792
1793	(*smbldap_state)->event_context = event_ctx;
1794
1795	return NT_STATUS_OK;
1796	}
1797
1798	/*******************************************************************
1799	Return a copy of the DN for a LDAPMessage. Convert from utf8 to CH_UNIX.
1800	********************************************************************/
1801	char smbldap_get_dn(LDAP ld, LDAPMessage *entry)
1802	{
1803	char utf8_dn, unix_dn;
1804	size_t converted_size;
1805
1806	utf8_dn = ldap_get_dn(ld, entry);
1807	if (!utf8_dn) {
1808	DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
1809	return NULL;
1810	}
1811	if (!pull_utf8_allocate(&unix_dn, utf8_dn, &converted_size)) {
1812	DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
1813	"[%s]\n", utf8_dn));
1814	return NULL;
1815	}
1816	ldap_memfree(utf8_dn);
1817	return unix_dn;
1818	}
1819
1820	const char smbldap_talloc_dn(TALLOC_CTX mem_ctx, LDAP *ld,
1821	LDAPMessage *entry)
1822	{
1823	char utf8_dn, unix_dn;
1824	size_t converted_size;
1825
1826	utf8_dn = ldap_get_dn(ld, entry);
1827	if (!utf8_dn) {
1828	DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
1829	return NULL;
1830	}
1831	if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1832	DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
1833	"[%s]\n", utf8_dn));
1834	return NULL;
1835	}
1836	ldap_memfree(utf8_dn);
1837	return unix_dn;
1838	}
1839
1840	/*******************************************************************
1841	Check if root-dse has a certain Control or Extension
1842	********************************************************************/
1843
1844	static bool smbldap_check_root_dse(LDAP ld, const char attrs, const char value)
1845	{
1846	LDAPMessage *msg = NULL;
1847	LDAPMessage *entry = NULL;
1848	char **values = NULL;
1849	int rc, num_result, num_values, i;
1850	bool result = False;
1851
1852	if (!attrs[0]) {
1853	DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
1854	return False;
1855	}
1856
1857	if (!strequal(attrs[0], "supportedExtension") &&
1858	!strequal(attrs[0], "supportedControl") &&
1859	!strequal(attrs[0], "namingContexts")) {
1860	DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
1861	return False;
1862	}
1863
1864	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE,
1865	"(objectclass=)", CONST_DISCARD(char *, attrs), 0 , &msg);
1866
1867	if (rc != LDAP_SUCCESS) {
1868	DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
1869	return False;
1870	}
1871
1872	num_result = ldap_count_entries(ld, msg);
1873
1874	if (num_result != 1) {
1875	DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
1876	goto done;
1877	}
1878
1879	entry = ldap_first_entry(ld, msg);
1880
1881	if (entry == NULL) {
1882	DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
1883	goto done;
1884	}
1885
1886	values = ldap_get_values(ld, entry, attrs[0]);
1887
1888	if (values == NULL) {
1889	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
1890	goto done;
1891	}
1892
1893	num_values = ldap_count_values(values);
1894
1895	if (num_values == 0) {
1896	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
1897	goto done;
1898	}
1899
1900	for (i=0; i<num_values; i++) {
1901	if (strcmp(values[i], value) == 0)
1902	result = True;
1903	}
1904
1905
1906	done:
1907	if (values != NULL)
1908	ldap_value_free(values);
1909	if (msg != NULL)
1910	ldap_msgfree(msg);
1911
1912	return result;
1913
1914	}
1915
1916	/*******************************************************************
1917	Check if LDAP-Server supports a certain Control (OID in string format)
1918	********************************************************************/
1919
1920	bool smbldap_has_control(LDAP ld, const char control)
1921	{
1922	const char *attrs[] = { "supportedControl", NULL };
1923	return smbldap_check_root_dse(ld, attrs, control);
1924	}
1925
1926	/*******************************************************************
1927	Check if LDAP-Server supports a certain Extension (OID in string format)
1928	********************************************************************/
1929
1930	bool smbldap_has_extension(LDAP ld, const char extension)
1931	{
1932	const char *attrs[] = { "supportedExtension", NULL };
1933	return smbldap_check_root_dse(ld, attrs, extension);
1934	}
1935
1936	/*******************************************************************
1937	Check if LDAP-Server holds a given namingContext
1938	********************************************************************/
1939
1940	bool smbldap_has_naming_context(LDAP ld, const char naming_context)
1941	{
1942	const char *attrs[] = { "namingContexts", NULL };
1943	return smbldap_check_root_dse(ld, attrs, naming_context);
1944	}
1945
1946	bool smbldap_set_creds(struct smbldap_state ldap_state, bool anon, const char dn, const char *secret)
1947	{
1948	ldap_state->anonymous = anon;
1949
1950	/* free any previously set credential */
1951
1952	SAFE_FREE(ldap_state->bind_dn);
1953	if (ldap_state->bind_secret) {
1954	/* make sure secrets are zeroed out of memory */
1955	memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
1956	SAFE_FREE(ldap_state->bind_secret);
1957	}
1958
1959	if ( ! anon) {
1960	ldap_state->bind_dn = SMB_STRDUP(dn);
1961	ldap_state->bind_secret = SMB_STRDUP(secret);
1962	}
1963
1964	return True;
1965	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: