Context Navigation

source: branches/samba-3.3.x/source/lib/smbldap.c@ 221

Visit:

Last change on this file since 221 was 221, checked in by Herwig Bauernfeind, 16 years ago
Update Samba 3.3 to 3.3.1
File size: 52.4 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	LDAP protocol helper functions for SAMBA
4	Copyright (C) Jean FranÃ§ois Micouleau 1998
5	Copyright (C) Gerald Carter 2001-2003
6	Copyright (C) Shahms King 2001
7	Copyright (C) Andrew Bartlett 2002-2003
8	Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23	*/
24
25	#include "includes.h"
26	#include "smbldap.h"
27
28	#ifndef LDAP_OPT_SUCCESS
29	#define LDAP_OPT_SUCCESS 0
30	#endif
31
32	/* Try not to hit the up or down server forever */
33
34	#define SMBLDAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
35	#define SMBLDAP_NUM_RETRIES 8 /* retry only 8 times */
36
37	#define SMBLDAP_IDLE_TIME 150 /* After 2.5 minutes disconnect */
38
39
40	/* attributes used by Samba 2.2 */
41
42	ATTRIB_MAP_ENTRY attrib_map_v22[] = {
43	{ LDAP_ATTR_UID, "uid" },
44	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
45	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
46	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
47	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
48	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
49	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
50	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
51	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
52	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
53	{ LDAP_ATTR_CN, "cn" },
54	{ LDAP_ATTR_SN, "sn" },
55	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
56	{ LDAP_ATTR_HOME_PATH, "smbHome" },
57	{ LDAP_ATTR_HOME_DRIVE, "homeDrive" },
58	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
59	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
60	{ LDAP_ATTR_DESC, "description" },
61	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
62	{ LDAP_ATTR_USER_RID, "rid" },
63	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
64	{ LDAP_ATTR_LMPW, "lmPassword" },
65	{ LDAP_ATTR_NTPW, "ntPassword" },
66	{ LDAP_ATTR_DOMAIN, "domain" },
67	{ LDAP_ATTR_OBJCLASS, "objectClass" },
68	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
69	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
70	{ LDAP_ATTR_LIST_END, NULL }
71	};
72
73	ATTRIB_MAP_ENTRY attrib_map_to_delete_v22[] = {
74	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
75	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
76	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
77	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
78	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
79	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
80	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
81	{ LDAP_ATTR_HOME_PATH, "smbHome" },
82	{ LDAP_ATTR_HOME_DRIVE, "homeDrives" },
83	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
84	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
85	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
86	{ LDAP_ATTR_USER_RID, "rid" },
87	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
88	{ LDAP_ATTR_LMPW, "lmPassword" },
89	{ LDAP_ATTR_NTPW, "ntPassword" },
90	{ LDAP_ATTR_DOMAIN, "domain" },
91	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
92	{ LDAP_ATTR_LIST_END, NULL }
93	};
94
95	/* attributes used by Samba 3.0's sambaSamAccount */
96
97	ATTRIB_MAP_ENTRY attrib_map_v30[] = {
98	{ LDAP_ATTR_UID, "uid" },
99	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
100	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
101	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
102	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
103	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
104	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
105	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
106	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
107	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
108	{ LDAP_ATTR_CN, "cn" },
109	{ LDAP_ATTR_SN, "sn" },
110	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
111	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
112	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
113	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
114	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
115	{ LDAP_ATTR_DESC, "description" },
116	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
117	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
118	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
119	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
120	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
121	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
122	{ LDAP_ATTR_OBJCLASS, "objectClass" },
123	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
124	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
125	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
126	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
127	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
128	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
129	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
130	{ LDAP_ATTR_LIST_END, NULL }
131	};
132
133	ATTRIB_MAP_ENTRY attrib_map_to_delete_v30[] = {
134	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
135	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
136	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
137	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
138	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
139	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
140	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
141	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
142	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
143	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
144	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
145	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
146	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
147	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
148	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
149	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
150	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
151	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
152	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
153	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
154	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
155	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
156	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
157	{ LDAP_ATTR_LIST_END, NULL }
158	};
159
160	/* attributes used for allocating RIDs */
161
162	ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
163	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
164	{ LDAP_ATTR_NEXT_RID, "sambaNextRid" },
165	{ LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
166	{ LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
167	{ LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID },
168	{ LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
169	{ LDAP_ATTR_OBJCLASS, "objectClass" },
170	{ LDAP_ATTR_LIST_END, NULL },
171	};
172
173	/* Samba 3.0 group mapping attributes */
174
175	ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
176	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
177	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
178	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
179	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
180	{ LDAP_ATTR_DESC, "description" },
181	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
182	{ LDAP_ATTR_CN, "cn" },
183	{ LDAP_ATTR_OBJCLASS, "objectClass" },
184	{ LDAP_ATTR_LIST_END, NULL }
185	};
186
187	ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
188	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
189	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
190	{ LDAP_ATTR_DESC, "description" },
191	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
192	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
193	{ LDAP_ATTR_LIST_END, NULL }
194	};
195
196	/* idmap_ldap sambaUnixIdPool */
197
198	ATTRIB_MAP_ENTRY idpool_attr_list[] = {
199	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
200	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
201	{ LDAP_ATTR_OBJCLASS, "objectClass" },
202	{ LDAP_ATTR_LIST_END, NULL }
203	};
204
205	ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
206	{ LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID },
207	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
208	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
209	{ LDAP_ATTR_OBJCLASS, "objectClass" },
210	{ LDAP_ATTR_LIST_END, NULL }
211	};
212
213	/**********************************************************************
214	perform a simple table lookup and return the attribute name
215	**********************************************************************/
216
217	const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
218	{
219	int i = 0;
220
221	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
222	if ( table[i].attrib == key )
223	return table[i].name;
224	i++;
225	}
226
227	return NULL;
228	}
229
230
231	/**********************************************************************
232	Return the list of attribute names from a mapping table
233	**********************************************************************/
234
235	const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
236	{
237	const char **names;
238	int i = 0;
239
240	while ( table[i].attrib != LDAP_ATTR_LIST_END )
241	i++;
242	i++;
243
244	names = TALLOC_ARRAY( mem_ctx, const char*, i );
245	if ( !names ) {
246	DEBUG(0,("get_attr_list: out of memory\n"));
247	return NULL;
248	}
249
250	i = 0;
251	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
252	names[i] = talloc_strdup( names, table[i].name );
253	i++;
254	}
255	names[i] = NULL;
256
257	return names;
258	}
259
260	/*******************************************************************
261	Search an attribute and return the first value found.
262	******************************************************************/
263
264	bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
265	const char attribute, char value,
266	int max_len)
267	{
268	char **values;
269
270	if ( !attribute )
271	return False;
272
273	value[0] = '\0';
274
275	if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
276	DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
277
278	return False;
279	}
280
281	if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, False) == (size_t)-1) {
282	DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n",
283	attribute, values[0]));
284	ldap_value_free(values);
285	return False;
286	}
287
288	ldap_value_free(values);
289	#ifdef DEBUG_PASSWORDS
290	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
291	#endif
292	return True;
293	}
294
295	char * smbldap_talloc_single_attribute(LDAP ldap_struct, LDAPMessage entry,
296	const char *attribute,
297	TALLOC_CTX *mem_ctx)
298	{
299	char **values;
300	char *result;
301	size_t converted_size;
302
303	if (attribute == NULL) {
304	return NULL;
305	}
306
307	values = ldap_get_values(ldap_struct, entry, attribute);
308
309	if (values == NULL) {
310	DEBUG(10, ("attribute %s does not exist\n", attribute));
311	return NULL;
312	}
313
314	if (ldap_count_values(values) != 1) {
315	DEBUG(10, ("attribute %s has %d values, expected only one\n",
316	attribute, ldap_count_values(values)));
317	ldap_value_free(values);
318	return NULL;
319	}
320
321	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
322	DEBUG(10, ("pull_utf8_talloc failed\n"));
323	ldap_value_free(values);
324	return NULL;
325	}
326
327	ldap_value_free(values);
328
329	#ifdef DEBUG_PASSWORDS
330	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
331	attribute, result));
332	#endif
333	return result;
334	}
335
336	static int ldapmsg_destructor(LDAPMessage **result) {
337	ldap_msgfree(*result);
338	return 0;
339	}
340
341	void talloc_autofree_ldapmsg(TALLOC_CTX mem_ctx, LDAPMessage result)
342	{
343	LDAPMessage **handle;
344
345	if (result == NULL) {
346	return;
347	}
348
349	handle = TALLOC_P(mem_ctx, LDAPMessage *);
350	SMB_ASSERT(handle != NULL);
351
352	*handle = result;
353	talloc_set_destructor(handle, ldapmsg_destructor);
354	}
355
356	static int ldapmod_destructor(LDAPMod ***mod) {
357	ldap_mods_free(*mod, True);
358	return 0;
359	}
360
361	void talloc_autofree_ldapmod(TALLOC_CTX mem_ctx, LDAPMod *mod)
362	{
363	LDAPMod ***handle;
364
365	if (mod == NULL) {
366	return;
367	}
368
369	handle = TALLOC_P(mem_ctx, LDAPMod **);
370	SMB_ASSERT(handle != NULL);
371
372	*handle = mod;
373	talloc_set_destructor(handle, ldapmod_destructor);
374	}
375
376	/************************************************************************
377	Routine to manage the LDAPMod structure array
378	manage memory used by the array, by each struct, and values
379	***********************************************************************/
380
381	void smbldap_set_mod (LDAPMod *** modlist, int modop, const char attribute, const char value)
382	{
383	LDAPMod **mods;
384	int i;
385	int j;
386
387	mods = *modlist;
388
389	/* sanity checks on the mod values */
390
391	if (attribute == NULL \|\| *attribute == '\0') {
392	return;
393	}
394
395	#if 0 /* commented out after discussion with abartlet. Do not reenable.
396	left here so other do not re-add similar code --jerry */
397	if (value == NULL \|\| *value == '\0')
398	return;
399	#endif
400
401	if (mods == NULL) {
402	mods = SMB_MALLOC_P(LDAPMod *);
403	if (mods == NULL) {
404	smb_panic("smbldap_set_mod: out of memory!");
405	/* notreached. */
406	}
407	mods[0] = NULL;
408	}
409
410	for (i = 0; mods[i] != NULL; ++i) {
411	if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
412	break;
413	}
414
415	if (mods[i] == NULL) {
416	mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
417	if (mods == NULL) {
418	smb_panic("smbldap_set_mod: out of memory!");
419	/* notreached. */
420	}
421	mods[i] = SMB_MALLOC_P(LDAPMod);
422	if (mods[i] == NULL) {
423	smb_panic("smbldap_set_mod: out of memory!");
424	/* notreached. */
425	}
426	mods[i]->mod_op = modop;
427	mods[i]->mod_values = NULL;
428	mods[i]->mod_type = SMB_STRDUP(attribute);
429	mods[i + 1] = NULL;
430	}
431
432	if (value != NULL) {
433	char *utf8_value = NULL;
434	size_t converted_size;
435
436	j = 0;
437	if (mods[i]->mod_values != NULL) {
438	for (; mods[i]->mod_values[j] != NULL; j++);
439	}
440	mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
441
442	if (mods[i]->mod_values == NULL) {
443	smb_panic("smbldap_set_mod: out of memory!");
444	/* notreached. */
445	}
446
447	if (!push_utf8_allocate(&utf8_value, value, &converted_size)) {
448	smb_panic("smbldap_set_mod: String conversion failure!");
449	/* notreached. */
450	}
451
452	mods[i]->mod_values[j] = utf8_value;
453
454	mods[i]->mod_values[j + 1] = NULL;
455	}
456	*modlist = mods;
457	}
458
459	/**********************************************************************
460	Set attribute to newval in LDAP, regardless of what value the
461	attribute had in LDAP before.
462	*********************************************************************/
463
464	void smbldap_make_mod(LDAP ldap_struct, LDAPMessage existing,
465	LDAPMod ***mods,
466	const char attribute, const char newval)
467	{
468	char oldval[2048]; /* current largest allowed value is mungeddial */
469	bool existed;
470
471	if (attribute == NULL) {
472	/* This can actually happen for ldapsam_compat where we for
473	* example don't have a password history */
474	return;
475	}
476
477	if (existing != NULL) {
478	existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
479	} else {
480	existed = False;
481	*oldval = '\0';
482	}
483
484	/* all of our string attributes are case insensitive */
485
486	if (existed && newval && (StrCaseCmp(oldval, newval) == 0)) {
487
488	/* Believe it or not, but LDAP will deny a delete and
489	an add at the same time if the values are the
490	same... */
491	DEBUG(10,("smbldap_make_mod: attribute \|%s\| not changed.\n", attribute));
492	return;
493	}
494
495	if (existed) {
496	/* There has been no value before, so don't delete it.
497	* Here's a possible race: We might end up with
498	* duplicate attributes */
499	/* By deleting exactly the value we found in the entry this
500	* should be race-free in the sense that the LDAP-Server will
501	* deny the complete operation if somebody changed the
502	* attribute behind our back. */
503	/* This will also allow modifying single valued attributes
504	* in Novell NDS. In NDS you have to first remove attribute and then
505	* you could add new value */
506
507	DEBUG(10,("smbldap_make_mod: deleting attribute \|%s\| values \|%s\|\n", attribute, oldval));
508	smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
509	}
510
511	/* Regardless of the real operation (add or modify)
512	we add the new value here. We rely on deleting
513	the old value, should it exist. */
514
515	if ((newval != NULL) && (strlen(newval) > 0)) {
516	DEBUG(10,("smbldap_make_mod: adding attribute \|%s\| value \|%s\|\n", attribute, newval));
517	smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
518	}
519	}
520
521	/**********************************************************************
522	Some varients of the LDAP rebind code do not pass in the third 'arg'
523	pointer to a void*, so we try and work around it by assuming that the
524	value of the 'LDAP *' pointer is the same as the one we had passed in
525	**********************************************************************/
526
527	struct smbldap_state_lookup {
528	LDAP *ld;
529	struct smbldap_state *smbldap_state;
530	struct smbldap_state_lookup prev, next;
531	};
532
533	static struct smbldap_state_lookup *smbldap_state_lookup_list;
534
535	static struct smbldap_state smbldap_find_state(LDAP ld)
536	{
537	struct smbldap_state_lookup *t;
538
539	for (t = smbldap_state_lookup_list; t; t = t->next) {
540	if (t->ld == ld) {
541	return t->smbldap_state;
542	}
543	}
544	return NULL;
545	}
546
547	static void smbldap_delete_state(struct smbldap_state *smbldap_state)
548	{
549	struct smbldap_state_lookup *t;
550
551	for (t = smbldap_state_lookup_list; t; t = t->next) {
552	if (t->smbldap_state == smbldap_state) {
553	DLIST_REMOVE(smbldap_state_lookup_list, t);
554	SAFE_FREE(t);
555	return;
556	}
557	}
558	}
559
560	static void smbldap_store_state(LDAP ld, struct smbldap_state smbldap_state)
561	{
562	struct smbldap_state *tmp_ldap_state;
563	struct smbldap_state_lookup *t;
564
565	if ((tmp_ldap_state = smbldap_find_state(ld))) {
566	SMB_ASSERT(tmp_ldap_state == smbldap_state);
567	return;
568	}
569
570	t = SMB_XMALLOC_P(struct smbldap_state_lookup);
571	ZERO_STRUCTP(t);
572
573	DLIST_ADD_END(smbldap_state_lookup_list, t, struct smbldap_state_lookup *);
574	t->ld = ld;
575	t->smbldap_state = smbldap_state;
576	}
577
578	/********************************************************************
579	start TLS on an existing LDAP connection
580	*******************************************************************/
581
582	int smb_ldap_start_tls(LDAP *ldap_struct, int version)
583	{
584	#ifdef LDAP_OPT_X_TLS
585	int rc;
586	#endif
587
588	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
589	return LDAP_SUCCESS;
590	}
591
592	#ifdef LDAP_OPT_X_TLS
593	if (version != LDAP_VERSION3) {
594	DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
595	return LDAP_OPERATIONS_ERROR;
596	}
597
598	if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
599	DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
600	ldap_err2string(rc)));
601	return rc;
602	}
603
604	DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
605	return LDAP_SUCCESS;
606	#else
607	DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
608	return LDAP_OPERATIONS_ERROR;
609	#endif
610	}
611
612	/********************************************************************
613	setup a connection to the LDAP server based on a uri
614	*******************************************************************/
615
616	int smb_ldap_setup_conn(LDAP *ldap_struct, const char uri)
617	{
618	int rc;
619
620	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
621
622	#ifdef HAVE_LDAP_INITIALIZE
623
624	rc = ldap_initialize(ldap_struct, uri);
625	if (rc) {
626	DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
627	}
628
629	return rc;
630	#else
631
632	/* Parse the string manually */
633
634	{
635	int port = 0;
636	fstring protocol;
637	fstring host;
638	SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
639
640
641	/* skip leading "URL:" (if any) */
642	if ( strnequal( uri, "URL:", 4 ) ) {
643	uri += 4;
644	}
645
646	sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
647
648	if (port == 0) {
649	if (strequal(protocol, "ldap")) {
650	port = LDAP_PORT;
651	} else if (strequal(protocol, "ldaps")) {
652	port = LDAPS_PORT;
653	} else {
654	DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
655	}
656	}
657
658	if ((*ldap_struct = ldap_init(host, port)) == NULL) {
659	DEBUG(0, ("ldap_init failed !\n"));
660	return LDAP_OPERATIONS_ERROR;
661	}
662
663	if (strequal(protocol, "ldaps")) {
664	#ifdef LDAP_OPT_X_TLS
665	int tls = LDAP_OPT_X_TLS_HARD;
666	if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
667	{
668	DEBUG(0, ("Failed to setup a TLS session\n"));
669	}
670
671	DEBUG(3,("LDAPS option set...!\n"));
672	#else
673	DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
674	return LDAP_OPERATIONS_ERROR;
675	#endif /* LDAP_OPT_X_TLS */
676	}
677	}
678	#endif /* HAVE_LDAP_INITIALIZE */
679
680
681	/* now set connection timeout */
682	#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
683	{
684	int ct = lp_ldap_connection_timeout()*1000;
685	rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
686	if (rc != LDAP_SUCCESS) {
687	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
688	ct, ldap_err2string(rc)));
689	}
690	}
691	#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
692	{
693	struct timeval ct;
694	ct.tv_usec = 0;
695	ct.tv_sec = lp_ldap_connection_timeout();
696	rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
697	if (rc != LDAP_SUCCESS) {
698	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
699	(int)ct.tv_sec, ldap_err2string(rc)));
700	}
701	}
702	#endif
703
704	return LDAP_SUCCESS;
705	}
706
707	/********************************************************************
708	try to upgrade to Version 3 LDAP if not already, in either case return current
709	version
710	*******************************************************************/
711
712	int smb_ldap_upgrade_conn(LDAP ldap_struct, int new_version)
713	{
714	int version;
715	int rc;
716
717	/* assume the worst */
718	*new_version = LDAP_VERSION2;
719
720	rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
721	if (rc) {
722	return rc;
723	}
724
725	if (version == LDAP_VERSION3) {
726	*new_version = LDAP_VERSION3;
727	return LDAP_SUCCESS;
728	}
729
730	/* try upgrade */
731	version = LDAP_VERSION3;
732	rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
733	if (rc) {
734	return rc;
735	}
736
737	*new_version = LDAP_VERSION3;
738	return LDAP_SUCCESS;
739	}
740
741	/*******************************************************************
742	open a connection to the ldap server (just until the bind)
743	******************************************************************/
744
745	int smb_ldap_setup_full_conn(LDAP *ldap_struct, const char uri)
746	{
747	int rc, version;
748
749	rc = smb_ldap_setup_conn(ldap_struct, uri);
750	if (rc) {
751	return rc;
752	}
753
754	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
755	if (rc) {
756	return rc;
757	}
758
759	rc = smb_ldap_start_tls(*ldap_struct, version);
760	if (rc) {
761	return rc;
762	}
763
764	return LDAP_SUCCESS;
765	}
766
767	/*******************************************************************
768	open a connection to the ldap server.
769	******************************************************************/
770	static int smbldap_open_connection (struct smbldap_state *ldap_state)
771
772	{
773	int rc = LDAP_SUCCESS;
774	int version;
775	LDAP **ldap_struct = &ldap_state->ldap_struct;
776
777	rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
778	if (rc) {
779	return rc;
780	}
781
782	/* Store the LDAP pointer in a lookup list */
783
784	smbldap_store_state(*ldap_struct, ldap_state);
785
786	/* Upgrade to LDAPv3 if possible */
787
788	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
789	if (rc) {
790	return rc;
791	}
792
793	/* Start TLS if required */
794
795	rc = smb_ldap_start_tls(*ldap_struct, version);
796	if (rc) {
797	return rc;
798	}
799
800	DEBUG(2, ("smbldap_open_connection: connection opened\n"));
801	return rc;
802	}
803
804	/*******************************************************************
805	a rebind function for authenticated referrals
806	This version takes a void* that we can shove useful stuff in :-)
807	******************************************************************/
808	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
809	#else
810	static int rebindproc_with_state (LDAP * ld, char whop, char credp,
811	int methodp, int freeit, void arg)
812	{
813	struct smbldap_state *ldap_state = arg;
814
815	/** @TODO Should we be doing something to check what servers we rebind to?
816	Could we get a referral to a machine that we don't want to give our
817	username and password to? */
818
819	if (freeit) {
820	SAFE_FREE(*whop);
821	if (*credp) {
822	memset(credp, '\0', strlen(credp));
823	}
824	SAFE_FREE(*credp);
825	} else {
826	DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
827	ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
828
829	if (ldap_state->anonymous) {
830	*whop = NULL;
831	*credp = NULL;
832	} else {
833	*whop = SMB_STRDUP(ldap_state->bind_dn);
834	if (!*whop) {
835	return LDAP_NO_MEMORY;
836	}
837	*credp = SMB_STRDUP(ldap_state->bind_secret);
838	if (!*credp) {
839	SAFE_FREE(*whop);
840	return LDAP_NO_MEMORY;
841	}
842	}
843	*methodp = LDAP_AUTH_SIMPLE;
844	}
845
846	GetTimeOfDay(&ldap_state->last_rebind);
847
848	return 0;
849	}
850	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
851
852	/*******************************************************************
853	a rebind function for authenticated referrals
854	This version takes a void* that we can shove useful stuff in :-)
855	and actually does the connection.
856	******************************************************************/
857	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
858	static int rebindproc_connect_with_state (LDAP *ldap_struct,
859	LDAP_CONST char *url,
860	ber_tag_t request,
861	ber_int_t msgid, void *arg)
862	{
863	struct smbldap_state *ldap_state =
864	(struct smbldap_state *)arg;
865	int rc;
866	int version;
867
868	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n",
869	url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
870
871	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
872	* itself) before rebinding to another LDAP server to avoid to expose
873	* our credentials. At least try to secure the connection - Guenther */
874
875	smb_ldap_upgrade_conn(ldap_struct, &version);
876	smb_ldap_start_tls(ldap_struct, version);
877
878	/** @TODO Should we be doing something to check what servers we rebind to?
879	Could we get a referral to a machine that we don't want to give our
880	username and password to? */
881
882	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
883
884	/* only set the last rebind timestamp when we did rebind after a
885	* non-read LDAP operation. That way we avoid the replication sleep
886	* after a simple redirected search operation - Guenther */
887
888	switch (request) {
889
890	case LDAP_REQ_MODIFY:
891	case LDAP_REQ_ADD:
892	case LDAP_REQ_DELETE:
893	case LDAP_REQ_MODDN:
894	case LDAP_REQ_EXTENDED:
895	DEBUG(10,("rebindproc_connect_with_state: "
896	"setting last_rebind timestamp "
897	"(req: 0x%02x)\n", (unsigned int)request));
898	GetTimeOfDay(&ldap_state->last_rebind);
899	break;
900	default:
901	ZERO_STRUCT(ldap_state->last_rebind);
902	break;
903	}
904
905	return rc;
906	}
907	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
908
909	/*******************************************************************
910	Add a rebind function for authenticated referrals
911	******************************************************************/
912	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
913	#else
914	# if LDAP_SET_REBIND_PROC_ARGS == 2
915	static int rebindproc (LDAP ldap_struct, char whop, char *credp,
916	int *method, int freeit )
917	{
918	struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
919
920	return rebindproc_with_state(ldap_struct, whop, credp,
921	method, freeit, ldap_state);
922
923	}
924	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
925	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
926
927	/*******************************************************************
928	a rebind function for authenticated referrals
929	this also does the connection, but no void*.
930	******************************************************************/
931	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
932	# if LDAP_SET_REBIND_PROC_ARGS == 2
933	static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
934	ber_int_t msgid)
935	{
936	struct smbldap_state *ldap_state = smbldap_find_state(ld);
937
938	return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
939	ldap_state);
940	}
941	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
942	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
943
944	/*******************************************************************
945	connect to the ldap server under system privilege.
946	******************************************************************/
947	static int smbldap_connect_system(struct smbldap_state ldap_state, LDAP ldap_struct)
948	{
949	int rc;
950	int version;
951
952	if (!ldap_state->anonymous && !ldap_state->bind_dn) {
953
954	/* get the default dn and password only if they are not set already */
955	if (!fetch_ldap_pw(&ldap_state->bind_dn, &ldap_state->bind_secret)) {
956	DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
957	return LDAP_INVALID_CREDENTIALS;
958	}
959	}
960
961	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
962	(OpenLDAP) doesnt' seem to support it */
963
964	DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
965	ldap_state->uri, ldap_state->bind_dn));
966
967	#ifdef HAVE_LDAP_SET_REBIND_PROC
968	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
969	# if LDAP_SET_REBIND_PROC_ARGS == 2
970	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
971	# endif
972	# if LDAP_SET_REBIND_PROC_ARGS == 3
973	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
974	# endif
975	#else /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
976	# if LDAP_SET_REBIND_PROC_ARGS == 2
977	ldap_set_rebind_proc(ldap_struct, &rebindproc);
978	# endif
979	# if LDAP_SET_REBIND_PROC_ARGS == 3
980	ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
981	# endif
982	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
983	#endif
984
985	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
986
987	if (rc != LDAP_SUCCESS) {
988	char *ld_error = NULL;
989	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
990	&ld_error);
991	DEBUG(ldap_state->num_failures ? 2 : 0,
992	("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
993	ldap_state->uri,
994	ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
995	ldap_err2string(rc),
996	ld_error ? ld_error : "(unknown)"));
997	SAFE_FREE(ld_error);
998	ldap_state->num_failures++;
999	return rc;
1000	}
1001
1002	ldap_state->num_failures = 0;
1003	ldap_state->paged_results = False;
1004
1005	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
1006
1007	if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
1008	ldap_state->paged_results = True;
1009	}
1010
1011	DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
1012	DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n",
1013	ldap_state->paged_results ? "does" : "does not"));
1014	return rc;
1015	}
1016
1017	static void smbldap_idle_fn(struct event_context *event_ctx,
1018	struct timed_event *te,
1019	struct timeval now,
1020	void *private_data);
1021
1022	/**********************************************************************
1023	Connect to LDAP server (called before every ldap operation)
1024	*********************************************************************/
1025	static int smbldap_open(struct smbldap_state *ldap_state)
1026	{
1027	int rc, opt_rc;
1028	bool reopen = False;
1029	SMB_ASSERT(ldap_state);
1030
1031	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
1032
1033	#ifdef HAVE_UNIXSOCKET
1034	struct sockaddr_un addr;
1035	#else
1036	struct sockaddr addr;
1037	#endif
1038	socklen_t len = sizeof(addr);
1039	int sd;
1040
1041	opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
1042	if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
1043	reopen = True;
1044
1045	#ifdef HAVE_UNIXSOCKET
1046	if (opt_rc == 0 && addr.sun_family == AF_UNIX)
1047	reopen = True;
1048	#endif
1049	if (reopen) {
1050	/* the other end has died. reopen. */
1051	ldap_unbind(ldap_state->ldap_struct);
1052	ldap_state->ldap_struct = NULL;
1053	ldap_state->last_ping = (time_t)0;
1054	} else {
1055	ldap_state->last_ping = time(NULL);
1056	}
1057	}
1058
1059	if (ldap_state->ldap_struct != NULL) {
1060	DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
1061	return LDAP_SUCCESS;
1062	}
1063
1064	if ((rc = smbldap_open_connection(ldap_state))) {
1065	return rc;
1066	}
1067
1068	if ((rc = smbldap_connect_system(ldap_state, ldap_state->ldap_struct))) {
1069	ldap_unbind(ldap_state->ldap_struct);
1070	ldap_state->ldap_struct = NULL;
1071	return rc;
1072	}
1073
1074
1075	ldap_state->last_ping = time(NULL);
1076	ldap_state->pid = sys_getpid();
1077
1078	TALLOC_FREE(ldap_state->idle_event);
1079
1080	if (ldap_state->event_context != NULL) {
1081	ldap_state->idle_event = event_add_timed(
1082	ldap_state->event_context, NULL,
1083	timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
1084	smbldap_idle_fn, ldap_state);
1085	}
1086
1087	DEBUG(4,("The LDAP server is successfully connected\n"));
1088
1089	return LDAP_SUCCESS;
1090	}
1091
1092	/**********************************************************************
1093	Disconnect from LDAP server
1094	*********************************************************************/
1095	static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
1096	{
1097	if (!ldap_state)
1098	return NT_STATUS_INVALID_PARAMETER;
1099
1100	if (ldap_state->ldap_struct != NULL) {
1101	ldap_unbind(ldap_state->ldap_struct);
1102	ldap_state->ldap_struct = NULL;
1103	}
1104
1105	smbldap_delete_state(ldap_state);
1106
1107	DEBUG(5,("The connection to the LDAP server was closed\n"));
1108	/* maybe free the results here --metze */
1109
1110	return NT_STATUS_OK;
1111	}
1112
1113	static bool got_alarm;
1114
1115	static void (*old_handler)(int);
1116
1117	static void gotalarm_sig(int dummy)
1118	{
1119	got_alarm = True;
1120	}
1121
1122	static int another_ldap_try(struct smbldap_state ldap_state, int rc,
1123	int *attempts, time_t endtime)
1124	{
1125	time_t now = time(NULL);
1126	int open_rc = LDAP_SERVER_DOWN;
1127
1128	if (*rc != LDAP_SERVER_DOWN)
1129	goto no_next;
1130
1131	if (now >= endtime) {
1132	smbldap_close(ldap_state);
1133	*rc = LDAP_TIMEOUT;
1134	goto no_next;
1135	}
1136
1137	if (*attempts == 0) {
1138	got_alarm = False;
1139	old_handler = CatchSignal(SIGALRM, gotalarm_sig);
1140	alarm(endtime - now);
1141
1142	if (ldap_state->pid != sys_getpid())
1143	smbldap_close(ldap_state);
1144	}
1145
1146	while (1) {
1147
1148	if (*attempts != 0)
1149	smb_msleep(1000);
1150
1151	*attempts += 1;
1152
1153	open_rc = smbldap_open(ldap_state);
1154
1155	if (open_rc == LDAP_SUCCESS) {
1156	ldap_state->last_use = now;
1157	return True;
1158	}
1159
1160	if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
1161	/* The fact that we are non-root or any other
1162	* access-denied condition will not change in the next
1163	* round of trying */
1164	*rc = open_rc;
1165	break;
1166	}
1167
1168	if (got_alarm) {
1169	*rc = LDAP_TIMEOUT;
1170	break;
1171	}
1172
1173	if (open_rc != LDAP_SUCCESS) {
1174	DEBUG(1, ("Connection to LDAP server failed for the "
1175	"%d try!\n", *attempts));
1176	}
1177	}
1178
1179	no_next:
1180	CatchSignal(SIGALRM, old_handler);
1181	alarm(0);
1182	ldap_state->last_use = now;
1183	return False;
1184	}
1185
1186	/*********************************************************************
1187	********************************************************************/
1188
1189	static int smbldap_search_ext(struct smbldap_state *ldap_state,
1190	const char base, int scope, const char filter,
1191	const char *attrs[], int attrsonly,
1192	LDAPControl sctrls, LDAPControl cctrls,
1193	int sizelimit, LDAPMessage **res)
1194	{
1195	int rc = LDAP_SERVER_DOWN;
1196	int attempts = 0;
1197	char *utf8_filter;
1198	time_t endtime = time(NULL)+lp_ldap_timeout();
1199	struct timeval timeout;
1200	size_t converted_size;
1201
1202	SMB_ASSERT(ldap_state);
1203
1204	DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
1205	"scope => [%d]\n", base, filter, scope));
1206
1207	if (ldap_state->last_rebind.tv_sec > 0) {
1208	struct timeval tval;
1209	SMB_BIG_INT tdiff = 0;
1210	int sleep_time = 0;
1211
1212	ZERO_STRUCT(tval);
1213	GetTimeOfDay(&tval);
1214
1215	tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
1216	tdiff /= 1000; /* Convert to milliseconds. */
1217
1218	sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
1219	sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
1220
1221	if (sleep_time > 0) {
1222	/* we wait for the LDAP replication */
1223	DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
1224	"for LDAP replication.\n",sleep_time));
1225	smb_msleep(sleep_time);
1226	DEBUG(5,("smbldap_search_ext: go on!\n"));
1227	}
1228	ZERO_STRUCT(ldap_state->last_rebind);
1229	}
1230
1231	if (!push_utf8_allocate(&utf8_filter, filter, &converted_size)) {
1232	return LDAP_NO_MEMORY;
1233	}
1234
1235	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
1236	timeout.tv_sec = lp_ldap_timeout();
1237	timeout.tv_usec = 0;
1238
1239	/* Setup alarm timeout.... Do we need both of these ? JRA.
1240	* Yes, I think we do need both of these. The server timeout only
1241	* covers the case where the server's operation takes too long. It
1242	* does not cover the case where the request hangs on its way to the
1243	* server. The server side timeout is not strictly necessary, it's
1244	* just a bit more kind to the server. VL. */
1245
1246	got_alarm = 0;
1247	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
1248	alarm(lp_ldap_timeout());
1249	/* End setup timeout. */
1250
1251	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1252	rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope,
1253	utf8_filter,
1254	CONST_DISCARD(char **, attrs),
1255	attrsonly, sctrls, cctrls, &timeout,
1256	sizelimit, res);
1257	if (rc != LDAP_SUCCESS) {
1258	char *ld_error = NULL;
1259	int ld_errno;
1260
1261	ldap_get_option(ldap_state->ldap_struct,
1262	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1263
1264	ldap_get_option(ldap_state->ldap_struct,
1265	LDAP_OPT_ERROR_STRING, &ld_error);
1266	DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
1267	"(%s)\n", base, ld_errno,
1268	ldap_err2string(rc),
1269	ld_error ? ld_error : "unknown"));
1270	SAFE_FREE(ld_error);
1271
1272	if (ld_errno == LDAP_SERVER_DOWN) {
1273	ldap_unbind(ldap_state->ldap_struct);
1274	ldap_state->ldap_struct = NULL;
1275	}
1276	}
1277	}
1278
1279	SAFE_FREE(utf8_filter);
1280
1281	/* Teardown timeout. */
1282	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
1283	alarm(0);
1284
1285	if (got_alarm != 0)
1286	return LDAP_TIMELIMIT_EXCEEDED;
1287
1288	return rc;
1289	}
1290
1291	int smbldap_search(struct smbldap_state *ldap_state,
1292	const char base, int scope, const char filter,
1293	const char *attrs[], int attrsonly,
1294	LDAPMessage **res)
1295	{
1296	return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1297	attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
1298	}
1299
1300	int smbldap_search_paged(struct smbldap_state *ldap_state,
1301	const char base, int scope, const char filter,
1302	const char **attrs, int attrsonly, int pagesize,
1303	LDAPMessage res, void cookie)
1304	{
1305	LDAPControl pr;
1306	LDAPControl **rcontrols;
1307	LDAPControl *controls[2] = { NULL, NULL};
1308	BerElement *cookie_be = NULL;
1309	struct berval *cookie_bv = NULL;
1310	int tmp = 0, i, rc;
1311	bool critical = True;
1312
1313	*res = NULL;
1314
1315	DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
1316	"scope => [%d], pagesize => [%d]\n",
1317	base, filter, scope, pagesize));
1318
1319	cookie_be = ber_alloc_t(LBER_USE_DER);
1320	if (cookie_be == NULL) {
1321	DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
1322	"NULL\n"));
1323	return LDAP_NO_MEMORY;
1324	}
1325
1326	/* construct cookie */
1327	if (*cookie != NULL) {
1328	ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
1329	ber_bvfree((struct berval )cookie); /* don't need it from last time */
1330	*cookie = NULL;
1331	} else {
1332	ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
1333	}
1334	ber_flatten(cookie_be, &cookie_bv);
1335
1336	pr.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
1337	pr.ldctl_iscritical = (char) critical;
1338	pr.ldctl_value.bv_len = cookie_bv->bv_len;
1339	pr.ldctl_value.bv_val = cookie_bv->bv_val;
1340
1341	controls[0] = &pr;
1342	controls[1] = NULL;
1343
1344	rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1345	0, controls, NULL, LDAP_NO_LIMIT, res);
1346
1347	ber_free(cookie_be, 1);
1348	ber_bvfree(cookie_bv);
1349
1350	if (rc != 0) {
1351	DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
1352	"failed with [%s]\n", filter, ldap_err2string(rc)));
1353	goto done;
1354	}
1355
1356	DEBUG(3,("smbldap_search_paged: search was successfull\n"));
1357
1358	rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL,
1359	NULL, NULL, &rcontrols, 0);
1360	if (rc != 0) {
1361	DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
1362	"with [%s]\n", ldap_err2string(rc)));
1363	goto done;
1364	}
1365
1366	if (rcontrols == NULL)
1367	goto done;
1368
1369	for (i=0; rcontrols[i]; i++) {
1370
1371	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
1372	continue;
1373
1374	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1375	ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
1376	/* the berval is the cookie, but must be freed when it is all
1377	done */
1378	if (cookie_bv->bv_len)
1379	*cookie=ber_bvdup(cookie_bv);
1380	else
1381	*cookie=NULL;
1382	ber_bvfree(cookie_bv);
1383	ber_free(cookie_be, 1);
1384	break;
1385	}
1386	ldap_controls_free(rcontrols);
1387	done:
1388	return rc;
1389	}
1390
1391	int smbldap_modify(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1392	{
1393	int rc = LDAP_SERVER_DOWN;
1394	int attempts = 0;
1395	char *utf8_dn;
1396	time_t endtime = time(NULL)+lp_ldap_timeout();
1397	size_t converted_size;
1398
1399	SMB_ASSERT(ldap_state);
1400
1401	DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
1402
1403	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
1404	return LDAP_NO_MEMORY;
1405	}
1406
1407	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1408	rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
1409	if (rc != LDAP_SUCCESS) {
1410	char *ld_error = NULL;
1411	int ld_errno;
1412
1413	ldap_get_option(ldap_state->ldap_struct,
1414	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1415
1416	ldap_get_option(ldap_state->ldap_struct,
1417	LDAP_OPT_ERROR_STRING, &ld_error);
1418	DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
1419	"(%s)\n", dn, ld_errno,
1420	ldap_err2string(rc),
1421	ld_error ? ld_error : "unknown"));
1422	SAFE_FREE(ld_error);
1423
1424	if (ld_errno == LDAP_SERVER_DOWN) {
1425	ldap_unbind(ldap_state->ldap_struct);
1426	ldap_state->ldap_struct = NULL;
1427	}
1428	}
1429	}
1430
1431	SAFE_FREE(utf8_dn);
1432	return rc;
1433	}
1434
1435	int smbldap_add(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1436	{
1437	int rc = LDAP_SERVER_DOWN;
1438	int attempts = 0;
1439	char *utf8_dn;
1440	time_t endtime = time(NULL)+lp_ldap_timeout();
1441	size_t converted_size;
1442
1443	SMB_ASSERT(ldap_state);
1444
1445	DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
1446
1447	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
1448	return LDAP_NO_MEMORY;
1449	}
1450
1451	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1452	rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
1453	if (rc != LDAP_SUCCESS) {
1454	char *ld_error = NULL;
1455	int ld_errno;
1456
1457	ldap_get_option(ldap_state->ldap_struct,
1458	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1459
1460	ldap_get_option(ldap_state->ldap_struct,
1461	LDAP_OPT_ERROR_STRING, &ld_error);
1462	DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
1463	"(%s)\n", dn, ld_errno,
1464	ldap_err2string(rc),
1465	ld_error ? ld_error : "unknown"));
1466	SAFE_FREE(ld_error);
1467
1468	if (ld_errno == LDAP_SERVER_DOWN) {
1469	ldap_unbind(ldap_state->ldap_struct);
1470	ldap_state->ldap_struct = NULL;
1471	}
1472	}
1473	}
1474
1475	SAFE_FREE(utf8_dn);
1476	return rc;
1477	}
1478
1479	int smbldap_delete(struct smbldap_state ldap_state, const char dn)
1480	{
1481	int rc = LDAP_SERVER_DOWN;
1482	int attempts = 0;
1483	char *utf8_dn;
1484	time_t endtime = time(NULL)+lp_ldap_timeout();
1485	size_t converted_size;
1486
1487	SMB_ASSERT(ldap_state);
1488
1489	DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
1490
1491	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
1492	return LDAP_NO_MEMORY;
1493	}
1494
1495	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1496	rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
1497	if (rc != LDAP_SUCCESS) {
1498	char *ld_error = NULL;
1499	int ld_errno;
1500
1501	ldap_get_option(ldap_state->ldap_struct,
1502	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1503
1504	ldap_get_option(ldap_state->ldap_struct,
1505	LDAP_OPT_ERROR_STRING, &ld_error);
1506	DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
1507	"(%s)\n", dn, ld_errno,
1508	ldap_err2string(rc),
1509	ld_error ? ld_error : "unknown"));
1510	SAFE_FREE(ld_error);
1511
1512	if (ld_errno == LDAP_SERVER_DOWN) {
1513	ldap_unbind(ldap_state->ldap_struct);
1514	ldap_state->ldap_struct = NULL;
1515	}
1516	}
1517	}
1518
1519	SAFE_FREE(utf8_dn);
1520	return rc;
1521	}
1522
1523	int smbldap_extended_operation(struct smbldap_state *ldap_state,
1524	LDAP_CONST char reqoid, struct berval reqdata,
1525	LDAPControl serverctrls, LDAPControl clientctrls,
1526	char retoidp, struct berval retdatap)
1527	{
1528	int rc = LDAP_SERVER_DOWN;
1529	int attempts = 0;
1530	time_t endtime = time(NULL)+lp_ldap_timeout();
1531
1532	if (!ldap_state)
1533	return (-1);
1534
1535	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1536	rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
1537	reqdata, serverctrls,
1538	clientctrls, retoidp, retdatap);
1539	if (rc != LDAP_SUCCESS) {
1540	char *ld_error = NULL;
1541	int ld_errno;
1542
1543	ldap_get_option(ldap_state->ldap_struct,
1544	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1545
1546	ldap_get_option(ldap_state->ldap_struct,
1547	LDAP_OPT_ERROR_STRING, &ld_error);
1548	DEBUG(10, ("Extended operation failed with error: "
1549	"%d (%s) (%s)\n", ld_errno,
1550	ldap_err2string(rc),
1551	ld_error ? ld_error : "unknown"));
1552	SAFE_FREE(ld_error);
1553
1554	if (ld_errno == LDAP_SERVER_DOWN) {
1555	ldap_unbind(ldap_state->ldap_struct);
1556	ldap_state->ldap_struct = NULL;
1557	}
1558	}
1559	}
1560
1561	return rc;
1562	}
1563
1564	/*******************************************************************
1565	run the search by name.
1566	******************************************************************/
1567	int smbldap_search_suffix (struct smbldap_state *ldap_state,
1568	const char filter, const char *search_attr,
1569	LDAPMessage ** result)
1570	{
1571	return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
1572	filter, search_attr, 0, result);
1573	}
1574
1575	static void smbldap_idle_fn(struct event_context *event_ctx,
1576	struct timed_event *te,
1577	struct timeval now,
1578	void *private_data)
1579	{
1580	struct smbldap_state state = (struct smbldap_state )private_data;
1581
1582	TALLOC_FREE(state->idle_event);
1583
1584	if (state->ldap_struct == NULL) {
1585	DEBUG(10,("ldap connection not connected...\n"));
1586	return;
1587	}
1588
1589	if ((state->last_use+SMBLDAP_IDLE_TIME) > now.tv_sec) {
1590	DEBUG(10,("ldap connection not idle...\n"));
1591
1592	state->idle_event = event_add_timed(
1593	event_ctx, NULL,
1594	timeval_add(&now, SMBLDAP_IDLE_TIME, 0),
1595	smbldap_idle_fn,
1596	private_data);
1597	return;
1598	}
1599
1600	DEBUG(7,("ldap connection idle...closing connection\n"));
1601	smbldap_close(state);
1602	}
1603
1604	/**********************************************************************
1605	Housekeeping
1606	*********************************************************************/
1607
1608	void smbldap_free_struct(struct smbldap_state **ldap_state)
1609	{
1610	smbldap_close(*ldap_state);
1611
1612	if ((*ldap_state)->bind_secret) {
1613	memset((ldap_state)->bind_secret, '\0', strlen((ldap_state)->bind_secret));
1614	}
1615
1616	SAFE_FREE((*ldap_state)->bind_dn);
1617	SAFE_FREE((*ldap_state)->bind_secret);
1618
1619	TALLOC_FREE((*ldap_state)->idle_event);
1620
1621	*ldap_state = NULL;
1622
1623	/* No need to free any further, as it is talloc()ed */
1624	}
1625
1626
1627	/**********************************************************************
1628	Intitalise the 'general' ldap structures, on which ldap operations may be conducted
1629	*********************************************************************/
1630
1631	NTSTATUS smbldap_init(TALLOC_CTX mem_ctx, struct event_context event_ctx,
1632	const char *location,
1633	struct smbldap_state **smbldap_state)
1634	{
1635	*smbldap_state = TALLOC_ZERO_P(mem_ctx, struct smbldap_state);
1636	if (!*smbldap_state) {
1637	DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1638	return NT_STATUS_NO_MEMORY;
1639	}
1640
1641	if (location) {
1642	(*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
1643	} else {
1644	(*smbldap_state)->uri = "ldap://localhost";
1645	}
1646
1647	(*smbldap_state)->event_context = event_ctx;
1648
1649	return NT_STATUS_OK;
1650	}
1651
1652	/*******************************************************************
1653	Return a copy of the DN for a LDAPMessage. Convert from utf8 to CH_UNIX.
1654	********************************************************************/
1655	char smbldap_get_dn(LDAP ld, LDAPMessage *entry)
1656	{
1657	char utf8_dn, unix_dn;
1658	size_t converted_size;
1659
1660	utf8_dn = ldap_get_dn(ld, entry);
1661	if (!utf8_dn) {
1662	DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
1663	return NULL;
1664	}
1665	if (!pull_utf8_allocate(&unix_dn, utf8_dn, &converted_size)) {
1666	DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
1667	"[%s]\n", utf8_dn));
1668	return NULL;
1669	}
1670	ldap_memfree(utf8_dn);
1671	return unix_dn;
1672	}
1673
1674	const char smbldap_talloc_dn(TALLOC_CTX mem_ctx, LDAP *ld,
1675	LDAPMessage *entry)
1676	{
1677	char utf8_dn, unix_dn;
1678	size_t converted_size;
1679
1680	utf8_dn = ldap_get_dn(ld, entry);
1681	if (!utf8_dn) {
1682	DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
1683	return NULL;
1684	}
1685	if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1686	DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
1687	"[%s]\n", utf8_dn));
1688	return NULL;
1689	}
1690	ldap_memfree(utf8_dn);
1691	return unix_dn;
1692	}
1693
1694	/*******************************************************************
1695	Check if root-dse has a certain Control or Extension
1696	********************************************************************/
1697
1698	static bool smbldap_check_root_dse(LDAP ld, const char attrs, const char value)
1699	{
1700	LDAPMessage *msg = NULL;
1701	LDAPMessage *entry = NULL;
1702	char **values = NULL;
1703	int rc, num_result, num_values, i;
1704	bool result = False;
1705
1706	if (!attrs[0]) {
1707	DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
1708	return False;
1709	}
1710
1711	if (!strequal(attrs[0], "supportedExtension") &&
1712	!strequal(attrs[0], "supportedControl") &&
1713	!strequal(attrs[0], "namingContexts")) {
1714	DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
1715	return False;
1716	}
1717
1718	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE,
1719	"(objectclass=)", CONST_DISCARD(char *, attrs), 0 , &msg);
1720
1721	if (rc != LDAP_SUCCESS) {
1722	DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
1723	return False;
1724	}
1725
1726	num_result = ldap_count_entries(ld, msg);
1727
1728	if (num_result != 1) {
1729	DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
1730	goto done;
1731	}
1732
1733	entry = ldap_first_entry(ld, msg);
1734
1735	if (entry == NULL) {
1736	DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
1737	goto done;
1738	}
1739
1740	values = ldap_get_values(ld, entry, attrs[0]);
1741
1742	if (values == NULL) {
1743	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
1744	goto done;
1745	}
1746
1747	num_values = ldap_count_values(values);
1748
1749	if (num_values == 0) {
1750	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
1751	goto done;
1752	}
1753
1754	for (i=0; i<num_values; i++) {
1755	if (strcmp(values[i], value) == 0)
1756	result = True;
1757	}
1758
1759
1760	done:
1761	if (values != NULL)
1762	ldap_value_free(values);
1763	if (msg != NULL)
1764	ldap_msgfree(msg);
1765
1766	return result;
1767
1768	}
1769
1770	/*******************************************************************
1771	Check if LDAP-Server supports a certain Control (OID in string format)
1772	********************************************************************/
1773
1774	bool smbldap_has_control(LDAP ld, const char control)
1775	{
1776	const char *attrs[] = { "supportedControl", NULL };
1777	return smbldap_check_root_dse(ld, attrs, control);
1778	}
1779
1780	/*******************************************************************
1781	Check if LDAP-Server supports a certain Extension (OID in string format)
1782	********************************************************************/
1783
1784	bool smbldap_has_extension(LDAP ld, const char extension)
1785	{
1786	const char *attrs[] = { "supportedExtension", NULL };
1787	return smbldap_check_root_dse(ld, attrs, extension);
1788	}
1789
1790	/*******************************************************************
1791	Check if LDAP-Server holds a given namingContext
1792	********************************************************************/
1793
1794	bool smbldap_has_naming_context(LDAP ld, const char naming_context)
1795	{
1796	const char *attrs[] = { "namingContexts", NULL };
1797	return smbldap_check_root_dse(ld, attrs, naming_context);
1798	}
1799
1800	bool smbldap_set_creds(struct smbldap_state ldap_state, bool anon, const char dn, const char *secret)
1801	{
1802	ldap_state->anonymous = anon;
1803
1804	/* free any previously set credential */
1805
1806	SAFE_FREE(ldap_state->bind_dn);
1807	if (ldap_state->bind_secret) {
1808	/* make sure secrets are zeroed out of memory */
1809	memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
1810	SAFE_FREE(ldap_state->bind_secret);
1811	}
1812
1813	if ( ! anon) {
1814	ldap_state->bind_dn = SMB_STRDUP(dn);
1815	ldap_state->bind_secret = SMB_STRDUP(secret);
1816	}
1817
1818	return True;
1819	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: