Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: trunk/server/source3/lib/smbldap.c@ 559

Visit:

Last change on this file since 559 was 414, checked in by Herwig Bauernfeind, 16 years ago
Samba 3.5.0: Initial import
File size: 53.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	LDAP protocol helper functions for SAMBA
4	Copyright (C) Jean FranÃ§ois Micouleau 1998
5	Copyright (C) Gerald Carter 2001-2003
6	Copyright (C) Shahms King 2001
7	Copyright (C) Andrew Bartlett 2002-2003
8	Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23	*/
24
25	#include "includes.h"
26	#include "smbldap.h"
27
28	#ifndef LDAP_OPT_SUCCESS
29	#define LDAP_OPT_SUCCESS 0
30	#endif
31
32	/* Try not to hit the up or down server forever */
33
34	#define SMBLDAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
35	#define SMBLDAP_NUM_RETRIES 8 /* retry only 8 times */
36
37	#define SMBLDAP_IDLE_TIME 150 /* After 2.5 minutes disconnect */
38
39
40	/* attributes used by Samba 2.2 */
41
42	ATTRIB_MAP_ENTRY attrib_map_v22[] = {
43	{ LDAP_ATTR_UID, "uid" },
44	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
45	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
46	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
47	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
48	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
49	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
50	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
51	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
52	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
53	{ LDAP_ATTR_CN, "cn" },
54	{ LDAP_ATTR_SN, "sn" },
55	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
56	{ LDAP_ATTR_HOME_PATH, "smbHome" },
57	{ LDAP_ATTR_HOME_DRIVE, "homeDrive" },
58	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
59	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
60	{ LDAP_ATTR_DESC, "description" },
61	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
62	{ LDAP_ATTR_USER_RID, "rid" },
63	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
64	{ LDAP_ATTR_LMPW, "lmPassword" },
65	{ LDAP_ATTR_NTPW, "ntPassword" },
66	{ LDAP_ATTR_DOMAIN, "domain" },
67	{ LDAP_ATTR_OBJCLASS, "objectClass" },
68	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
69	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
70	{ LDAP_ATTR_LIST_END, NULL }
71	};
72
73	ATTRIB_MAP_ENTRY attrib_map_to_delete_v22[] = {
74	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
75	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
76	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
77	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
78	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
79	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
80	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
81	{ LDAP_ATTR_HOME_PATH, "smbHome" },
82	{ LDAP_ATTR_HOME_DRIVE, "homeDrives" },
83	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
84	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
85	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
86	{ LDAP_ATTR_USER_RID, "rid" },
87	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
88	{ LDAP_ATTR_LMPW, "lmPassword" },
89	{ LDAP_ATTR_NTPW, "ntPassword" },
90	{ LDAP_ATTR_DOMAIN, "domain" },
91	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
92	{ LDAP_ATTR_LIST_END, NULL }
93	};
94
95	/* attributes used by Samba 3.0's sambaSamAccount */
96
97	ATTRIB_MAP_ENTRY attrib_map_v30[] = {
98	{ LDAP_ATTR_UID, "uid" },
99	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
100	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
101	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
102	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
103	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
104	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
105	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
106	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
107	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
108	{ LDAP_ATTR_CN, "cn" },
109	{ LDAP_ATTR_SN, "sn" },
110	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
111	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
112	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
113	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
114	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
115	{ LDAP_ATTR_DESC, "description" },
116	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
117	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
118	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
119	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
120	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
121	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
122	{ LDAP_ATTR_OBJCLASS, "objectClass" },
123	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
124	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
125	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
126	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
127	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
128	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
129	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
130	{ LDAP_ATTR_LIST_END, NULL }
131	};
132
133	ATTRIB_MAP_ENTRY attrib_map_to_delete_v30[] = {
134	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
135	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
136	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
137	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
138	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
139	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
140	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
141	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
142	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
143	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
144	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
145	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
146	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
147	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
148	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
149	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
150	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
151	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
152	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
153	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
154	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
155	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
156	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
157	{ LDAP_ATTR_LIST_END, NULL }
158	};
159
160	/* attributes used for allocating RIDs */
161
162	ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
163	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
164	{ LDAP_ATTR_NEXT_RID, "sambaNextRid" },
165	{ LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
166	{ LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
167	{ LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID },
168	{ LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
169	{ LDAP_ATTR_OBJCLASS, "objectClass" },
170	{ LDAP_ATTR_LIST_END, NULL },
171	};
172
173	/* Samba 3.0 group mapping attributes */
174
175	ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
176	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
177	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
178	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
179	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
180	{ LDAP_ATTR_DESC, "description" },
181	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
182	{ LDAP_ATTR_CN, "cn" },
183	{ LDAP_ATTR_OBJCLASS, "objectClass" },
184	{ LDAP_ATTR_LIST_END, NULL }
185	};
186
187	ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
188	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
189	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
190	{ LDAP_ATTR_DESC, "description" },
191	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
192	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
193	{ LDAP_ATTR_LIST_END, NULL }
194	};
195
196	/* idmap_ldap sambaUnixIdPool */
197
198	ATTRIB_MAP_ENTRY idpool_attr_list[] = {
199	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
200	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
201	{ LDAP_ATTR_OBJCLASS, "objectClass" },
202	{ LDAP_ATTR_LIST_END, NULL }
203	};
204
205	ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
206	{ LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID },
207	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
208	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
209	{ LDAP_ATTR_OBJCLASS, "objectClass" },
210	{ LDAP_ATTR_LIST_END, NULL }
211	};
212
213	/**********************************************************************
214	perform a simple table lookup and return the attribute name
215	**********************************************************************/
216
217	const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
218	{
219	int i = 0;
220
221	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
222	if ( table[i].attrib == key )
223	return table[i].name;
224	i++;
225	}
226
227	return NULL;
228	}
229
230
231	/**********************************************************************
232	Return the list of attribute names from a mapping table
233	**********************************************************************/
234
235	const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
236	{
237	const char **names;
238	int i = 0;
239
240	while ( table[i].attrib != LDAP_ATTR_LIST_END )
241	i++;
242	i++;
243
244	names = TALLOC_ARRAY( mem_ctx, const char*, i );
245	if ( !names ) {
246	DEBUG(0,("get_attr_list: out of memory\n"));
247	return NULL;
248	}
249
250	i = 0;
251	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
252	names[i] = talloc_strdup( names, table[i].name );
253	i++;
254	}
255	names[i] = NULL;
256
257	return names;
258	}
259
260	/*******************************************************************
261	Search an attribute and return the first value found.
262	******************************************************************/
263
264	bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
265	const char attribute, char value,
266	int max_len)
267	{
268	char **values;
269
270	if ( !attribute )
271	return False;
272
273	value[0] = '\0';
274
275	if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
276	DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
277
278	return False;
279	}
280
281	if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, False) == (size_t)-1) {
282	DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n",
283	attribute, values[0]));
284	ldap_value_free(values);
285	return False;
286	}
287
288	ldap_value_free(values);
289	#ifdef DEBUG_PASSWORDS
290	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
291	#endif
292	return True;
293	}
294
295	char * smbldap_talloc_single_attribute(LDAP ldap_struct, LDAPMessage entry,
296	const char *attribute,
297	TALLOC_CTX *mem_ctx)
298	{
299	char **values;
300	char *result;
301	size_t converted_size;
302
303	if (attribute == NULL) {
304	return NULL;
305	}
306
307	values = ldap_get_values(ldap_struct, entry, attribute);
308
309	if (values == NULL) {
310	DEBUG(10, ("attribute %s does not exist\n", attribute));
311	return NULL;
312	}
313
314	if (ldap_count_values(values) != 1) {
315	DEBUG(10, ("attribute %s has %d values, expected only one\n",
316	attribute, ldap_count_values(values)));
317	ldap_value_free(values);
318	return NULL;
319	}
320
321	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
322	DEBUG(10, ("pull_utf8_talloc failed\n"));
323	ldap_value_free(values);
324	return NULL;
325	}
326
327	ldap_value_free(values);
328
329	#ifdef DEBUG_PASSWORDS
330	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
331	attribute, result));
332	#endif
333	return result;
334	}
335
336	char * smbldap_talloc_first_attribute(LDAP ldap_struct, LDAPMessage entry,
337	const char *attribute,
338	TALLOC_CTX *mem_ctx)
339	{
340	char **values;
341	char *result;
342	size_t converted_size;
343
344	if (attribute == NULL) {
345	return NULL;
346	}
347
348	values = ldap_get_values(ldap_struct, entry, attribute);
349
350	if (values == NULL) {
351	DEBUG(10, ("attribute %s does not exist\n", attribute));
352	return NULL;
353	}
354
355	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
356	DEBUG(10, ("pull_utf8_talloc failed\n"));
357	ldap_value_free(values);
358	return NULL;
359	}
360
361	ldap_value_free(values);
362
363	#ifdef DEBUG_PASSWORDS
364	DEBUG (100, ("smbldap_get_first_attribute: [%s] = [%s]\n",
365	attribute, result));
366	#endif
367	return result;
368	}
369
370	char * smbldap_talloc_smallest_attribute(LDAP ldap_struct, LDAPMessage entry,
371	const char *attribute,
372	TALLOC_CTX *mem_ctx)
373	{
374	char **values;
375	char *result;
376	size_t converted_size;
377	int i, num_values;
378
379	if (attribute == NULL) {
380	return NULL;
381	}
382
383	values = ldap_get_values(ldap_struct, entry, attribute);
384
385	if (values == NULL) {
386	DEBUG(10, ("attribute %s does not exist\n", attribute));
387	return NULL;
388	}
389
390	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
391	DEBUG(10, ("pull_utf8_talloc failed\n"));
392	ldap_value_free(values);
393	return NULL;
394	}
395
396	num_values = ldap_count_values(values);
397
398	for (i=1; i<num_values; i++) {
399	char *tmp;
400
401	if (!pull_utf8_talloc(mem_ctx, &tmp, values[i],
402	&converted_size)) {
403	DEBUG(10, ("pull_utf8_talloc failed\n"));
404	TALLOC_FREE(result);
405	ldap_value_free(values);
406	return NULL;
407	}
408
409	if (StrCaseCmp(tmp, result) < 0) {
410	TALLOC_FREE(result);
411	result = tmp;
412	} else {
413	TALLOC_FREE(tmp);
414	}
415	}
416
417	ldap_value_free(values);
418
419	#ifdef DEBUG_PASSWORDS
420	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
421	attribute, result));
422	#endif
423	return result;
424	}
425
426	bool smbldap_talloc_single_blob(TALLOC_CTX mem_ctx, LDAP ld,
427	LDAPMessage msg, const char attrib,
428	DATA_BLOB *blob)
429	{
430	struct berval **values;
431
432	values = ldap_get_values_len(ld, msg, attrib);
433	if (!values) {
434	return false;
435	}
436
437	if (ldap_count_values_len(values) != 1) {
438	DEBUG(10, ("Expected one value for %s, got %d\n", attrib,
439	ldap_count_values_len(values)));
440	return false;
441	}
442
443	*blob = data_blob_talloc(mem_ctx, values[0]->bv_val,
444	values[0]->bv_len);
445	ldap_value_free_len(values);
446
447	return (blob->data != NULL);
448	}
449
450	bool smbldap_pull_sid(LDAP ld, LDAPMessage msg, const char *attrib,
451	struct dom_sid *sid)
452	{
453	DATA_BLOB blob;
454	bool ret;
455
456	if (!smbldap_talloc_single_blob(talloc_tos(), ld, msg, attrib,
457	&blob)) {
458	return false;
459	}
460	ret = sid_parse((char *)blob.data, blob.length, sid);
461	TALLOC_FREE(blob.data);
462	return ret;
463	}
464
465	static int ldapmsg_destructor(LDAPMessage **result) {
466	ldap_msgfree(*result);
467	return 0;
468	}
469
470	void talloc_autofree_ldapmsg(TALLOC_CTX mem_ctx, LDAPMessage result)
471	{
472	LDAPMessage **handle;
473
474	if (result == NULL) {
475	return;
476	}
477
478	handle = TALLOC_P(mem_ctx, LDAPMessage *);
479	SMB_ASSERT(handle != NULL);
480
481	*handle = result;
482	talloc_set_destructor(handle, ldapmsg_destructor);
483	}
484
485	static int ldapmod_destructor(LDAPMod ***mod) {
486	ldap_mods_free(*mod, True);
487	return 0;
488	}
489
490	void talloc_autofree_ldapmod(TALLOC_CTX mem_ctx, LDAPMod *mod)
491	{
492	LDAPMod ***handle;
493
494	if (mod == NULL) {
495	return;
496	}
497
498	handle = TALLOC_P(mem_ctx, LDAPMod **);
499	SMB_ASSERT(handle != NULL);
500
501	*handle = mod;
502	talloc_set_destructor(handle, ldapmod_destructor);
503	}
504
505	/************************************************************************
506	Routine to manage the LDAPMod structure array
507	manage memory used by the array, by each struct, and values
508	***********************************************************************/
509
510	void smbldap_set_mod (LDAPMod *** modlist, int modop, const char attribute, const char value)
511	{
512	LDAPMod **mods;
513	int i;
514	int j;
515
516	mods = *modlist;
517
518	/* sanity checks on the mod values */
519
520	if (attribute == NULL \|\| *attribute == '\0') {
521	return;
522	}
523
524	#if 0 /* commented out after discussion with abartlet. Do not reenable.
525	left here so other do not re-add similar code --jerry */
526	if (value == NULL \|\| *value == '\0')
527	return;
528	#endif
529
530	if (mods == NULL) {
531	mods = SMB_MALLOC_P(LDAPMod *);
532	if (mods == NULL) {
533	smb_panic("smbldap_set_mod: out of memory!");
534	/* notreached. */
535	}
536	mods[0] = NULL;
537	}
538
539	for (i = 0; mods[i] != NULL; ++i) {
540	if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
541	break;
542	}
543
544	if (mods[i] == NULL) {
545	mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
546	if (mods == NULL) {
547	smb_panic("smbldap_set_mod: out of memory!");
548	/* notreached. */
549	}
550	mods[i] = SMB_MALLOC_P(LDAPMod);
551	if (mods[i] == NULL) {
552	smb_panic("smbldap_set_mod: out of memory!");
553	/* notreached. */
554	}
555	mods[i]->mod_op = modop;
556	mods[i]->mod_values = NULL;
557	mods[i]->mod_type = SMB_STRDUP(attribute);
558	mods[i + 1] = NULL;
559	}
560
561	if (value != NULL) {
562	char *utf8_value = NULL;
563	size_t converted_size;
564
565	j = 0;
566	if (mods[i]->mod_values != NULL) {
567	for (; mods[i]->mod_values[j] != NULL; j++);
568	}
569	mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
570
571	if (mods[i]->mod_values == NULL) {
572	smb_panic("smbldap_set_mod: out of memory!");
573	/* notreached. */
574	}
575
576	if (!push_utf8_talloc(talloc_tos(), &utf8_value, value, &converted_size)) {
577	smb_panic("smbldap_set_mod: String conversion failure!");
578	/* notreached. */
579	}
580
581	mods[i]->mod_values[j] = SMB_STRDUP(utf8_value);
582	TALLOC_FREE(utf8_value);
583	SMB_ASSERT(mods[i]->mod_values[j] != NULL);
584
585	mods[i]->mod_values[j + 1] = NULL;
586	}
587	*modlist = mods;
588	}
589
590	/**********************************************************************
591	Set attribute to newval in LDAP, regardless of what value the
592	attribute had in LDAP before.
593	*********************************************************************/
594
595	void smbldap_make_mod(LDAP ldap_struct, LDAPMessage existing,
596	LDAPMod ***mods,
597	const char attribute, const char newval)
598	{
599	char oldval[2048]; /* current largest allowed value is mungeddial */
600	bool existed;
601
602	if (attribute == NULL) {
603	/* This can actually happen for ldapsam_compat where we for
604	* example don't have a password history */
605	return;
606	}
607
608	if (existing != NULL) {
609	existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
610	} else {
611	existed = False;
612	*oldval = '\0';
613	}
614
615	/* all of our string attributes are case insensitive */
616
617	if (existed && newval && (StrCaseCmp(oldval, newval) == 0)) {
618
619	/* Believe it or not, but LDAP will deny a delete and
620	an add at the same time if the values are the
621	same... */
622	DEBUG(10,("smbldap_make_mod: attribute \|%s\| not changed.\n", attribute));
623	return;
624	}
625
626	if (existed) {
627	/* There has been no value before, so don't delete it.
628	* Here's a possible race: We might end up with
629	* duplicate attributes */
630	/* By deleting exactly the value we found in the entry this
631	* should be race-free in the sense that the LDAP-Server will
632	* deny the complete operation if somebody changed the
633	* attribute behind our back. */
634	/* This will also allow modifying single valued attributes
635	* in Novell NDS. In NDS you have to first remove attribute and then
636	* you could add new value */
637
638	DEBUG(10,("smbldap_make_mod: deleting attribute \|%s\| values \|%s\|\n", attribute, oldval));
639	smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
640	}
641
642	/* Regardless of the real operation (add or modify)
643	we add the new value here. We rely on deleting
644	the old value, should it exist. */
645
646	if ((newval != NULL) && (strlen(newval) > 0)) {
647	DEBUG(10,("smbldap_make_mod: adding attribute \|%s\| value \|%s\|\n", attribute, newval));
648	smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
649	}
650	}
651
652	/**********************************************************************
653	Some varients of the LDAP rebind code do not pass in the third 'arg'
654	pointer to a void*, so we try and work around it by assuming that the
655	value of the 'LDAP *' pointer is the same as the one we had passed in
656	**********************************************************************/
657
658	struct smbldap_state_lookup {
659	LDAP *ld;
660	struct smbldap_state *smbldap_state;
661	struct smbldap_state_lookup prev, next;
662	};
663
664	static struct smbldap_state_lookup *smbldap_state_lookup_list;
665
666	static struct smbldap_state smbldap_find_state(LDAP ld)
667	{
668	struct smbldap_state_lookup *t;
669
670	for (t = smbldap_state_lookup_list; t; t = t->next) {
671	if (t->ld == ld) {
672	return t->smbldap_state;
673	}
674	}
675	return NULL;
676	}
677
678	static void smbldap_delete_state(struct smbldap_state *smbldap_state)
679	{
680	struct smbldap_state_lookup *t;
681
682	for (t = smbldap_state_lookup_list; t; t = t->next) {
683	if (t->smbldap_state == smbldap_state) {
684	DLIST_REMOVE(smbldap_state_lookup_list, t);
685	SAFE_FREE(t);
686	return;
687	}
688	}
689	}
690
691	static void smbldap_store_state(LDAP ld, struct smbldap_state smbldap_state)
692	{
693	struct smbldap_state *tmp_ldap_state;
694	struct smbldap_state_lookup *t;
695
696	if ((tmp_ldap_state = smbldap_find_state(ld))) {
697	SMB_ASSERT(tmp_ldap_state == smbldap_state);
698	return;
699	}
700
701	t = SMB_XMALLOC_P(struct smbldap_state_lookup);
702	ZERO_STRUCTP(t);
703
704	DLIST_ADD_END(smbldap_state_lookup_list, t, struct smbldap_state_lookup *);
705	t->ld = ld;
706	t->smbldap_state = smbldap_state;
707	}
708
709	/********************************************************************
710	start TLS on an existing LDAP connection
711	*******************************************************************/
712
713	int smb_ldap_start_tls(LDAP *ldap_struct, int version)
714	{
715	#ifdef LDAP_OPT_X_TLS
716	int rc;
717	#endif
718
719	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
720	return LDAP_SUCCESS;
721	}
722
723	#ifdef LDAP_OPT_X_TLS
724	if (version != LDAP_VERSION3) {
725	DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
726	return LDAP_OPERATIONS_ERROR;
727	}
728
729	if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
730	DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
731	ldap_err2string(rc)));
732	return rc;
733	}
734
735	DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
736	return LDAP_SUCCESS;
737	#else
738	DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
739	return LDAP_OPERATIONS_ERROR;
740	#endif
741	}
742
743	/********************************************************************
744	setup a connection to the LDAP server based on a uri
745	*******************************************************************/
746
747	int smb_ldap_setup_conn(LDAP *ldap_struct, const char uri)
748	{
749	int rc;
750
751	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
752
753	#ifdef HAVE_LDAP_INITIALIZE
754
755	rc = ldap_initialize(ldap_struct, uri);
756	if (rc) {
757	DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
758	return rc;
759	}
760
761	if (lp_ldap_follow_referral() != Auto) {
762	rc = ldap_set_option(*ldap_struct, LDAP_OPT_REFERRALS,
763	lp_ldap_follow_referral() ? LDAP_OPT_ON : LDAP_OPT_OFF);
764	if (rc != LDAP_SUCCESS)
765	DEBUG(0, ("Failed to set LDAP_OPT_REFERRALS: %s\n",
766	ldap_err2string(rc)));
767	}
768
769	return LDAP_SUCCESS;
770	#else
771
772	/* Parse the string manually */
773
774	{
775	int port = 0;
776	fstring protocol;
777	fstring host;
778	SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
779
780
781	/* skip leading "URL:" (if any) */
782	if ( strnequal( uri, "URL:", 4 ) ) {
783	uri += 4;
784	}
785
786	sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
787
788	if (port == 0) {
789	if (strequal(protocol, "ldap")) {
790	port = LDAP_PORT;
791	} else if (strequal(protocol, "ldaps")) {
792	port = LDAPS_PORT;
793	} else {
794	DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
795	}
796	}
797
798	if ((*ldap_struct = ldap_init(host, port)) == NULL) {
799	DEBUG(0, ("ldap_init failed !\n"));
800	return LDAP_OPERATIONS_ERROR;
801	}
802
803	if (strequal(protocol, "ldaps")) {
804	#ifdef LDAP_OPT_X_TLS
805	int tls = LDAP_OPT_X_TLS_HARD;
806	if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
807	{
808	DEBUG(0, ("Failed to setup a TLS session\n"));
809	}
810
811	DEBUG(3,("LDAPS option set...!\n"));
812	#else
813	DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
814	return LDAP_OPERATIONS_ERROR;
815	#endif /* LDAP_OPT_X_TLS */
816	}
817	}
818	#endif /* HAVE_LDAP_INITIALIZE */
819
820	/* now set connection timeout */
821	#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
822	{
823	int ct = lp_ldap_connection_timeout()*1000;
824	rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
825	if (rc != LDAP_SUCCESS) {
826	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
827	ct, ldap_err2string(rc)));
828	}
829	}
830	#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
831	{
832	struct timeval ct;
833	ct.tv_usec = 0;
834	ct.tv_sec = lp_ldap_connection_timeout();
835	rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
836	if (rc != LDAP_SUCCESS) {
837	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
838	(int)ct.tv_sec, ldap_err2string(rc)));
839	}
840	}
841	#endif
842
843	return LDAP_SUCCESS;
844	}
845
846	/********************************************************************
847	try to upgrade to Version 3 LDAP if not already, in either case return current
848	version
849	*******************************************************************/
850
851	int smb_ldap_upgrade_conn(LDAP ldap_struct, int new_version)
852	{
853	int version;
854	int rc;
855
856	/* assume the worst */
857	*new_version = LDAP_VERSION2;
858
859	rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
860	if (rc) {
861	return rc;
862	}
863
864	if (version == LDAP_VERSION3) {
865	*new_version = LDAP_VERSION3;
866	return LDAP_SUCCESS;
867	}
868
869	/* try upgrade */
870	version = LDAP_VERSION3;
871	rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
872	if (rc) {
873	return rc;
874	}
875
876	*new_version = LDAP_VERSION3;
877	return LDAP_SUCCESS;
878	}
879
880	/*******************************************************************
881	open a connection to the ldap server (just until the bind)
882	******************************************************************/
883
884	int smb_ldap_setup_full_conn(LDAP *ldap_struct, const char uri)
885	{
886	int rc, version;
887
888	rc = smb_ldap_setup_conn(ldap_struct, uri);
889	if (rc) {
890	return rc;
891	}
892
893	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
894	if (rc) {
895	return rc;
896	}
897
898	rc = smb_ldap_start_tls(*ldap_struct, version);
899	if (rc) {
900	return rc;
901	}
902
903	return LDAP_SUCCESS;
904	}
905
906	/*******************************************************************
907	open a connection to the ldap server.
908	******************************************************************/
909	static int smbldap_open_connection (struct smbldap_state *ldap_state)
910
911	{
912	int rc = LDAP_SUCCESS;
913	int version;
914	int deref;
915	LDAP **ldap_struct = &ldap_state->ldap_struct;
916
917	rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
918	if (rc) {
919	return rc;
920	}
921
922	/* Store the LDAP pointer in a lookup list */
923
924	smbldap_store_state(*ldap_struct, ldap_state);
925
926	/* Upgrade to LDAPv3 if possible */
927
928	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
929	if (rc) {
930	return rc;
931	}
932
933	/* Start TLS if required */
934
935	rc = smb_ldap_start_tls(*ldap_struct, version);
936	if (rc) {
937	return rc;
938	}
939
940	/* Set alias dereferencing method */
941	deref = lp_ldap_deref();
942	if (deref != -1) {
943	if (ldap_set_option (*ldap_struct, LDAP_OPT_DEREF, &deref) != LDAP_OPT_SUCCESS) {
944	DEBUG(1,("smbldap_open_connection: Failed to set dereferencing method: %d\n", deref));
945	} else {
946	DEBUG(5,("Set dereferencing method: %d\n", deref));
947	}
948	}
949
950	DEBUG(2, ("smbldap_open_connection: connection opened\n"));
951	return rc;
952	}
953
954	/*******************************************************************
955	a rebind function for authenticated referrals
956	This version takes a void* that we can shove useful stuff in :-)
957	******************************************************************/
958	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
959	#else
960	static int rebindproc_with_state (LDAP * ld, char whop, char credp,
961	int methodp, int freeit, void arg)
962	{
963	struct smbldap_state *ldap_state = arg;
964
965	/** @TODO Should we be doing something to check what servers we rebind to?
966	Could we get a referral to a machine that we don't want to give our
967	username and password to? */
968
969	if (freeit) {
970	SAFE_FREE(*whop);
971	if (*credp) {
972	memset(credp, '\0', strlen(credp));
973	}
974	SAFE_FREE(*credp);
975	} else {
976	DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
977	ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
978
979	if (ldap_state->anonymous) {
980	*whop = NULL;
981	*credp = NULL;
982	} else {
983	*whop = SMB_STRDUP(ldap_state->bind_dn);
984	if (!*whop) {
985	return LDAP_NO_MEMORY;
986	}
987	*credp = SMB_STRDUP(ldap_state->bind_secret);
988	if (!*credp) {
989	SAFE_FREE(*whop);
990	return LDAP_NO_MEMORY;
991	}
992	}
993	*methodp = LDAP_AUTH_SIMPLE;
994	}
995
996	GetTimeOfDay(&ldap_state->last_rebind);
997
998	return 0;
999	}
1000	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1001
1002	/*******************************************************************
1003	a rebind function for authenticated referrals
1004	This version takes a void* that we can shove useful stuff in :-)
1005	and actually does the connection.
1006	******************************************************************/
1007	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1008	static int rebindproc_connect_with_state (LDAP *ldap_struct,
1009	LDAP_CONST char *url,
1010	ber_tag_t request,
1011	ber_int_t msgid, void *arg)
1012	{
1013	struct smbldap_state *ldap_state =
1014	(struct smbldap_state *)arg;
1015	int rc;
1016	int version;
1017
1018	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n",
1019	url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
1020
1021	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
1022	* itself) before rebinding to another LDAP server to avoid to expose
1023	* our credentials. At least try to secure the connection - Guenther */
1024
1025	smb_ldap_upgrade_conn(ldap_struct, &version);
1026	smb_ldap_start_tls(ldap_struct, version);
1027
1028	/** @TODO Should we be doing something to check what servers we rebind to?
1029	Could we get a referral to a machine that we don't want to give our
1030	username and password to? */
1031
1032	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1033
1034	/* only set the last rebind timestamp when we did rebind after a
1035	* non-read LDAP operation. That way we avoid the replication sleep
1036	* after a simple redirected search operation - Guenther */
1037
1038	switch (request) {
1039
1040	case LDAP_REQ_MODIFY:
1041	case LDAP_REQ_ADD:
1042	case LDAP_REQ_DELETE:
1043	case LDAP_REQ_MODDN:
1044	case LDAP_REQ_EXTENDED:
1045	DEBUG(10,("rebindproc_connect_with_state: "
1046	"setting last_rebind timestamp "
1047	"(req: 0x%02x)\n", (unsigned int)request));
1048	GetTimeOfDay(&ldap_state->last_rebind);
1049	break;
1050	default:
1051	ZERO_STRUCT(ldap_state->last_rebind);
1052	break;
1053	}
1054
1055	return rc;
1056	}
1057	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1058
1059	/*******************************************************************
1060	Add a rebind function for authenticated referrals
1061	******************************************************************/
1062	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1063	#else
1064	# if LDAP_SET_REBIND_PROC_ARGS == 2
1065	static int rebindproc (LDAP ldap_struct, char whop, char *credp,
1066	int *method, int freeit )
1067	{
1068	struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
1069
1070	return rebindproc_with_state(ldap_struct, whop, credp,
1071	method, freeit, ldap_state);
1072	}
1073	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
1074	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1075
1076	/*******************************************************************
1077	a rebind function for authenticated referrals
1078	this also does the connection, but no void*.
1079	******************************************************************/
1080	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1081	# if LDAP_SET_REBIND_PROC_ARGS == 2
1082	static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
1083	ber_int_t msgid)
1084	{
1085	struct smbldap_state *ldap_state = smbldap_find_state(ld);
1086
1087	return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
1088	ldap_state);
1089	}
1090	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
1091	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1092
1093	/*******************************************************************
1094	connect to the ldap server under system privilege.
1095	******************************************************************/
1096	static int smbldap_connect_system(struct smbldap_state ldap_state, LDAP ldap_struct)
1097	{
1098	int rc;
1099	int version;
1100
1101	if (!ldap_state->anonymous && !ldap_state->bind_dn) {
1102	char *bind_dn = NULL;
1103	char *bind_secret = NULL;
1104
1105	/* get the default dn and password only if they are not set already */
1106	if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
1107	DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
1108	return LDAP_INVALID_CREDENTIALS;
1109	}
1110	smbldap_set_creds(ldap_state, false, bind_dn, bind_secret);
1111	SAFE_FREE(bind_dn);
1112	memset(bind_secret, '\0', strlen(bind_secret));
1113	SAFE_FREE(bind_secret);
1114	}
1115
1116	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
1117	(OpenLDAP) doesnt' seem to support it */
1118
1119	DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
1120	ldap_state->uri, ldap_state->bind_dn));
1121
1122	#ifdef HAVE_LDAP_SET_REBIND_PROC
1123	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1124	# if LDAP_SET_REBIND_PROC_ARGS == 2
1125	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
1126	# endif
1127	# if LDAP_SET_REBIND_PROC_ARGS == 3
1128	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
1129	# endif
1130	#else /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1131	# if LDAP_SET_REBIND_PROC_ARGS == 2
1132	ldap_set_rebind_proc(ldap_struct, &rebindproc);
1133	# endif
1134	# if LDAP_SET_REBIND_PROC_ARGS == 3
1135	ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
1136	# endif
1137	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1138	#endif
1139
1140	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1141
1142	if (rc != LDAP_SUCCESS) {
1143	char *ld_error = NULL;
1144	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1145	&ld_error);
1146	DEBUG(ldap_state->num_failures ? 2 : 0,
1147	("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
1148	ldap_state->uri,
1149	ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
1150	ldap_err2string(rc),
1151	ld_error ? ld_error : "(unknown)"));
1152	SAFE_FREE(ld_error);
1153	ldap_state->num_failures++;
1154	return rc;
1155	}
1156
1157	ldap_state->num_failures = 0;
1158	ldap_state->paged_results = False;
1159
1160	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
1161
1162	if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
1163	ldap_state->paged_results = True;
1164	}
1165
1166	DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
1167	DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n",
1168	ldap_state->paged_results ? "does" : "does not"));
1169	return rc;
1170	}
1171
1172	static void smbldap_idle_fn(struct event_context *event_ctx,
1173	struct timed_event *te,
1174	struct timeval now,
1175	void *private_data);
1176
1177	/**********************************************************************
1178	Connect to LDAP server (called before every ldap operation)
1179	*********************************************************************/
1180	static int smbldap_open(struct smbldap_state *ldap_state)
1181	{
1182	int rc, opt_rc;
1183	bool reopen = False;
1184	SMB_ASSERT(ldap_state);
1185
1186	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
1187
1188	#ifdef HAVE_UNIXSOCKET
1189	struct sockaddr_un addr;
1190	#else
1191	struct sockaddr addr;
1192	#endif
1193	socklen_t len = sizeof(addr);
1194	int sd;
1195
1196	opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
1197	if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
1198	reopen = True;
1199
1200	#ifdef HAVE_UNIXSOCKET
1201	if (opt_rc == 0 && addr.sun_family == AF_UNIX)
1202	reopen = True;
1203	#endif
1204	if (reopen) {
1205	/* the other end has died. reopen. */
1206	ldap_unbind(ldap_state->ldap_struct);
1207	ldap_state->ldap_struct = NULL;
1208	ldap_state->last_ping = (time_t)0;
1209	} else {
1210	ldap_state->last_ping = time(NULL);
1211	}
1212	}
1213
1214	if (ldap_state->ldap_struct != NULL) {
1215	DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
1216	return LDAP_SUCCESS;
1217	}
1218
1219	if ((rc = smbldap_open_connection(ldap_state))) {
1220	return rc;
1221	}
1222
1223	if ((rc = smbldap_connect_system(ldap_state, ldap_state->ldap_struct))) {
1224	ldap_unbind(ldap_state->ldap_struct);
1225	ldap_state->ldap_struct = NULL;
1226	return rc;
1227	}
1228
1229
1230	ldap_state->last_ping = time(NULL);
1231	ldap_state->pid = sys_getpid();
1232
1233	TALLOC_FREE(ldap_state->idle_event);
1234
1235	if (ldap_state->event_context != NULL) {
1236	ldap_state->idle_event = event_add_timed(
1237	ldap_state->event_context, NULL,
1238	timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
1239	smbldap_idle_fn, ldap_state);
1240	}
1241
1242	DEBUG(4,("The LDAP server is successfully connected\n"));
1243
1244	return LDAP_SUCCESS;
1245	}
1246
1247	/**********************************************************************
1248	Disconnect from LDAP server
1249	*********************************************************************/
1250	static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
1251	{
1252	if (!ldap_state)
1253	return NT_STATUS_INVALID_PARAMETER;
1254
1255	if (ldap_state->ldap_struct != NULL) {
1256	ldap_unbind(ldap_state->ldap_struct);
1257	ldap_state->ldap_struct = NULL;
1258	}
1259
1260	smbldap_delete_state(ldap_state);
1261
1262	DEBUG(5,("The connection to the LDAP server was closed\n"));
1263	/* maybe free the results here --metze */
1264
1265	return NT_STATUS_OK;
1266	}
1267
1268	static bool got_alarm;
1269
1270	static void (*old_handler)(int);
1271
1272	static void gotalarm_sig(int dummy)
1273	{
1274	got_alarm = True;
1275	}
1276
1277	static int another_ldap_try(struct smbldap_state ldap_state, int rc,
1278	int *attempts, time_t endtime)
1279	{
1280	time_t now = time(NULL);
1281	int open_rc = LDAP_SERVER_DOWN;
1282
1283	if (*rc != LDAP_SERVER_DOWN)
1284	goto no_next;
1285
1286	if (now >= endtime) {
1287	smbldap_close(ldap_state);
1288	*rc = LDAP_TIMEOUT;
1289	goto no_next;
1290	}
1291
1292	if (*attempts == 0) {
1293	got_alarm = False;
1294	old_handler = CatchSignal(SIGALRM, gotalarm_sig);
1295	alarm(endtime - now);
1296
1297	if (ldap_state->pid != sys_getpid())
1298	smbldap_close(ldap_state);
1299	}
1300
1301	while (1) {
1302
1303	if (*attempts != 0)
1304	smb_msleep(1000);
1305
1306	*attempts += 1;
1307
1308	open_rc = smbldap_open(ldap_state);
1309
1310	if (open_rc == LDAP_SUCCESS) {
1311	ldap_state->last_use = now;
1312	return True;
1313	}
1314
1315	if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
1316	/* The fact that we are non-root or any other
1317	* access-denied condition will not change in the next
1318	* round of trying */
1319	*rc = open_rc;
1320	break;
1321	}
1322
1323	if (got_alarm) {
1324	*rc = LDAP_TIMEOUT;
1325	break;
1326	}
1327
1328	if (open_rc != LDAP_SUCCESS) {
1329	DEBUG(1, ("Connection to LDAP server failed for the "
1330	"%d try!\n", *attempts));
1331	}
1332	}
1333
1334	no_next:
1335	CatchSignal(SIGALRM, old_handler);
1336	alarm(0);
1337	ldap_state->last_use = now;
1338	return False;
1339	}
1340
1341	/*********************************************************************
1342	********************************************************************/
1343
1344	static int smbldap_search_ext(struct smbldap_state *ldap_state,
1345	const char base, int scope, const char filter,
1346	const char *attrs[], int attrsonly,
1347	LDAPControl sctrls, LDAPControl cctrls,
1348	int sizelimit, LDAPMessage **res)
1349	{
1350	int rc = LDAP_SERVER_DOWN;
1351	int attempts = 0;
1352	char *utf8_filter;
1353	time_t endtime = time(NULL)+lp_ldap_timeout();
1354	struct timeval timeout;
1355	size_t converted_size;
1356
1357	SMB_ASSERT(ldap_state);
1358
1359	DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
1360	"scope => [%d]\n", base, filter, scope));
1361
1362	if (ldap_state->last_rebind.tv_sec > 0) {
1363	struct timeval tval;
1364	int64_t tdiff = 0;
1365	int sleep_time = 0;
1366
1367	ZERO_STRUCT(tval);
1368	GetTimeOfDay(&tval);
1369
1370	tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
1371	tdiff /= 1000; /* Convert to milliseconds. */
1372
1373	sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
1374	sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
1375
1376	if (sleep_time > 0) {
1377	/* we wait for the LDAP replication */
1378	DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
1379	"for LDAP replication.\n",sleep_time));
1380	smb_msleep(sleep_time);
1381	DEBUG(5,("smbldap_search_ext: go on!\n"));
1382	}
1383	ZERO_STRUCT(ldap_state->last_rebind);
1384	}
1385
1386	if (!push_utf8_talloc(talloc_tos(), &utf8_filter, filter, &converted_size)) {
1387	return LDAP_NO_MEMORY;
1388	}
1389
1390	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
1391	timeout.tv_sec = lp_ldap_timeout();
1392	timeout.tv_usec = 0;
1393
1394	/* Setup alarm timeout.... Do we need both of these ? JRA.
1395	* Yes, I think we do need both of these. The server timeout only
1396	* covers the case where the server's operation takes too long. It
1397	* does not cover the case where the request hangs on its way to the
1398	* server. The server side timeout is not strictly necessary, it's
1399	* just a bit more kind to the server. VL. */
1400
1401	got_alarm = 0;
1402	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
1403	alarm(lp_ldap_timeout());
1404	/* End setup timeout. */
1405
1406	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1407	rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope,
1408	utf8_filter,
1409	CONST_DISCARD(char **, attrs),
1410	attrsonly, sctrls, cctrls, &timeout,
1411	sizelimit, res);
1412	if (rc != LDAP_SUCCESS) {
1413	char *ld_error = NULL;
1414	int ld_errno;
1415
1416	ldap_get_option(ldap_state->ldap_struct,
1417	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1418
1419	ldap_get_option(ldap_state->ldap_struct,
1420	LDAP_OPT_ERROR_STRING, &ld_error);
1421	DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
1422	"(%s)\n", base, ld_errno,
1423	ldap_err2string(rc),
1424	ld_error ? ld_error : "unknown"));
1425	SAFE_FREE(ld_error);
1426
1427	if (ld_errno == LDAP_SERVER_DOWN) {
1428	ldap_unbind(ldap_state->ldap_struct);
1429	ldap_state->ldap_struct = NULL;
1430	}
1431	}
1432	}
1433
1434	TALLOC_FREE(utf8_filter);
1435
1436	/* Teardown timeout. */
1437	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
1438	alarm(0);
1439
1440	if (got_alarm != 0)
1441	return LDAP_TIMELIMIT_EXCEEDED;
1442
1443	return rc;
1444	}
1445
1446	int smbldap_search(struct smbldap_state *ldap_state,
1447	const char base, int scope, const char filter,
1448	const char *attrs[], int attrsonly,
1449	LDAPMessage **res)
1450	{
1451	return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1452	attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
1453	}
1454
1455	int smbldap_search_paged(struct smbldap_state *ldap_state,
1456	const char base, int scope, const char filter,
1457	const char **attrs, int attrsonly, int pagesize,
1458	LDAPMessage res, void cookie)
1459	{
1460	LDAPControl pr;
1461	LDAPControl **rcontrols;
1462	LDAPControl *controls[2] = { NULL, NULL};
1463	BerElement *cookie_be = NULL;
1464	struct berval *cookie_bv = NULL;
1465	int tmp = 0, i, rc;
1466	bool critical = True;
1467
1468	*res = NULL;
1469
1470	DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
1471	"scope => [%d], pagesize => [%d]\n",
1472	base, filter, scope, pagesize));
1473
1474	cookie_be = ber_alloc_t(LBER_USE_DER);
1475	if (cookie_be == NULL) {
1476	DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
1477	"NULL\n"));
1478	return LDAP_NO_MEMORY;
1479	}
1480
1481	/* construct cookie */
1482	if (*cookie != NULL) {
1483	ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
1484	ber_bvfree((struct berval )cookie); /* don't need it from last time */
1485	*cookie = NULL;
1486	} else {
1487	ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
1488	}
1489	ber_flatten(cookie_be, &cookie_bv);
1490
1491	pr.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
1492	pr.ldctl_iscritical = (char) critical;
1493	pr.ldctl_value.bv_len = cookie_bv->bv_len;
1494	pr.ldctl_value.bv_val = cookie_bv->bv_val;
1495
1496	controls[0] = &pr;
1497	controls[1] = NULL;
1498
1499	rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1500	0, controls, NULL, LDAP_NO_LIMIT, res);
1501
1502	ber_free(cookie_be, 1);
1503	ber_bvfree(cookie_bv);
1504
1505	if (rc != 0) {
1506	DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
1507	"failed with [%s]\n", filter, ldap_err2string(rc)));
1508	goto done;
1509	}
1510
1511	DEBUG(3,("smbldap_search_paged: search was successful\n"));
1512
1513	rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL,
1514	NULL, NULL, &rcontrols, 0);
1515	if (rc != 0) {
1516	DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
1517	"with [%s]\n", ldap_err2string(rc)));
1518	goto done;
1519	}
1520
1521	if (rcontrols == NULL)
1522	goto done;
1523
1524	for (i=0; rcontrols[i]; i++) {
1525
1526	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
1527	continue;
1528
1529	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1530	ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
1531	/* the berval is the cookie, but must be freed when it is all
1532	done */
1533	if (cookie_bv->bv_len)
1534	*cookie=ber_bvdup(cookie_bv);
1535	else
1536	*cookie=NULL;
1537	ber_bvfree(cookie_bv);
1538	ber_free(cookie_be, 1);
1539	break;
1540	}
1541	ldap_controls_free(rcontrols);
1542	done:
1543	return rc;
1544	}
1545
1546	int smbldap_modify(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1547	{
1548	int rc = LDAP_SERVER_DOWN;
1549	int attempts = 0;
1550	char *utf8_dn;
1551	time_t endtime = time(NULL)+lp_ldap_timeout();
1552	size_t converted_size;
1553
1554	SMB_ASSERT(ldap_state);
1555
1556	DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
1557
1558	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1559	return LDAP_NO_MEMORY;
1560	}
1561
1562	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1563	rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
1564	if (rc != LDAP_SUCCESS) {
1565	char *ld_error = NULL;
1566	int ld_errno;
1567
1568	ldap_get_option(ldap_state->ldap_struct,
1569	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1570
1571	ldap_get_option(ldap_state->ldap_struct,
1572	LDAP_OPT_ERROR_STRING, &ld_error);
1573	DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
1574	"(%s)\n", dn, ld_errno,
1575	ldap_err2string(rc),
1576	ld_error ? ld_error : "unknown"));
1577	SAFE_FREE(ld_error);
1578
1579	if (ld_errno == LDAP_SERVER_DOWN) {
1580	ldap_unbind(ldap_state->ldap_struct);
1581	ldap_state->ldap_struct = NULL;
1582	}
1583	}
1584	}
1585
1586	TALLOC_FREE(utf8_dn);
1587	return rc;
1588	}
1589
1590	int smbldap_add(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1591	{
1592	int rc = LDAP_SERVER_DOWN;
1593	int attempts = 0;
1594	char *utf8_dn;
1595	time_t endtime = time(NULL)+lp_ldap_timeout();
1596	size_t converted_size;
1597
1598	SMB_ASSERT(ldap_state);
1599
1600	DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
1601
1602	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1603	return LDAP_NO_MEMORY;
1604	}
1605
1606	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1607	rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
1608	if (rc != LDAP_SUCCESS) {
1609	char *ld_error = NULL;
1610	int ld_errno;
1611
1612	ldap_get_option(ldap_state->ldap_struct,
1613	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1614
1615	ldap_get_option(ldap_state->ldap_struct,
1616	LDAP_OPT_ERROR_STRING, &ld_error);
1617	DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
1618	"(%s)\n", dn, ld_errno,
1619	ldap_err2string(rc),
1620	ld_error ? ld_error : "unknown"));
1621	SAFE_FREE(ld_error);
1622
1623	if (ld_errno == LDAP_SERVER_DOWN) {
1624	ldap_unbind(ldap_state->ldap_struct);
1625	ldap_state->ldap_struct = NULL;
1626	}
1627	}
1628	}
1629
1630	TALLOC_FREE(utf8_dn);
1631	return rc;
1632	}
1633
1634	int smbldap_delete(struct smbldap_state ldap_state, const char dn)
1635	{
1636	int rc = LDAP_SERVER_DOWN;
1637	int attempts = 0;
1638	char *utf8_dn;
1639	time_t endtime = time(NULL)+lp_ldap_timeout();
1640	size_t converted_size;
1641
1642	SMB_ASSERT(ldap_state);
1643
1644	DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
1645
1646	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1647	return LDAP_NO_MEMORY;
1648	}
1649
1650	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1651	rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
1652	if (rc != LDAP_SUCCESS) {
1653	char *ld_error = NULL;
1654	int ld_errno;
1655
1656	ldap_get_option(ldap_state->ldap_struct,
1657	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1658
1659	ldap_get_option(ldap_state->ldap_struct,
1660	LDAP_OPT_ERROR_STRING, &ld_error);
1661	DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
1662	"(%s)\n", dn, ld_errno,
1663	ldap_err2string(rc),
1664	ld_error ? ld_error : "unknown"));
1665	SAFE_FREE(ld_error);
1666
1667	if (ld_errno == LDAP_SERVER_DOWN) {
1668	ldap_unbind(ldap_state->ldap_struct);
1669	ldap_state->ldap_struct = NULL;
1670	}
1671	}
1672	}
1673
1674	TALLOC_FREE(utf8_dn);
1675	return rc;
1676	}
1677
1678	int smbldap_extended_operation(struct smbldap_state *ldap_state,
1679	LDAP_CONST char reqoid, struct berval reqdata,
1680	LDAPControl serverctrls, LDAPControl clientctrls,
1681	char retoidp, struct berval retdatap)
1682	{
1683	int rc = LDAP_SERVER_DOWN;
1684	int attempts = 0;
1685	time_t endtime = time(NULL)+lp_ldap_timeout();
1686
1687	if (!ldap_state)
1688	return (-1);
1689
1690	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1691	rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
1692	reqdata, serverctrls,
1693	clientctrls, retoidp, retdatap);
1694	if (rc != LDAP_SUCCESS) {
1695	char *ld_error = NULL;
1696	int ld_errno;
1697
1698	ldap_get_option(ldap_state->ldap_struct,
1699	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1700
1701	ldap_get_option(ldap_state->ldap_struct,
1702	LDAP_OPT_ERROR_STRING, &ld_error);
1703	DEBUG(10, ("Extended operation failed with error: "
1704	"%d (%s) (%s)\n", ld_errno,
1705	ldap_err2string(rc),
1706	ld_error ? ld_error : "unknown"));
1707	SAFE_FREE(ld_error);
1708
1709	if (ld_errno == LDAP_SERVER_DOWN) {
1710	ldap_unbind(ldap_state->ldap_struct);
1711	ldap_state->ldap_struct = NULL;
1712	}
1713	}
1714	}
1715
1716	return rc;
1717	}
1718
1719	/*******************************************************************
1720	run the search by name.
1721	******************************************************************/
1722	int smbldap_search_suffix (struct smbldap_state *ldap_state,
1723	const char filter, const char *search_attr,
1724	LDAPMessage ** result)
1725	{
1726	return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
1727	filter, search_attr, 0, result);
1728	}
1729
1730	static void smbldap_idle_fn(struct event_context *event_ctx,
1731	struct timed_event *te,
1732	struct timeval now,
1733	void *private_data)
1734	{
1735	struct smbldap_state state = (struct smbldap_state )private_data;
1736
1737	TALLOC_FREE(state->idle_event);
1738
1739	if (state->ldap_struct == NULL) {
1740	DEBUG(10,("ldap connection not connected...\n"));
1741	return;
1742	}
1743
1744	if ((state->last_use+SMBLDAP_IDLE_TIME) > now.tv_sec) {
1745	DEBUG(10,("ldap connection not idle...\n"));
1746
1747	state->idle_event = event_add_timed(
1748	event_ctx, NULL,
1749	timeval_add(&now, SMBLDAP_IDLE_TIME, 0),
1750	smbldap_idle_fn,
1751	private_data);
1752	return;
1753	}
1754
1755	DEBUG(7,("ldap connection idle...closing connection\n"));
1756	smbldap_close(state);
1757	}
1758
1759	/**********************************************************************
1760	Housekeeping
1761	*********************************************************************/
1762
1763	void smbldap_free_struct(struct smbldap_state **ldap_state)
1764	{
1765	smbldap_close(*ldap_state);
1766
1767	if ((*ldap_state)->bind_secret) {
1768	memset((ldap_state)->bind_secret, '\0', strlen((ldap_state)->bind_secret));
1769	}
1770
1771	SAFE_FREE((*ldap_state)->bind_dn);
1772	SAFE_FREE((*ldap_state)->bind_secret);
1773
1774	TALLOC_FREE((*ldap_state)->idle_event);
1775
1776	*ldap_state = NULL;
1777
1778	/* No need to free any further, as it is talloc()ed */
1779	}
1780
1781
1782	/**********************************************************************
1783	Intitalise the 'general' ldap structures, on which ldap operations may be conducted
1784	*********************************************************************/
1785
1786	NTSTATUS smbldap_init(TALLOC_CTX mem_ctx, struct event_context event_ctx,
1787	const char *location,
1788	struct smbldap_state **smbldap_state)
1789	{
1790	*smbldap_state = TALLOC_ZERO_P(mem_ctx, struct smbldap_state);
1791	if (!*smbldap_state) {
1792	DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1793	return NT_STATUS_NO_MEMORY;
1794	}
1795
1796	if (location) {
1797	(*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
1798	} else {
1799	(*smbldap_state)->uri = "ldap://localhost";
1800	}
1801
1802	(*smbldap_state)->event_context = event_ctx;
1803
1804	return NT_STATUS_OK;
1805	}
1806
1807	char smbldap_talloc_dn(TALLOC_CTX mem_ctx, LDAP *ld,
1808	LDAPMessage *entry)
1809	{
1810	char utf8_dn, unix_dn;
1811	size_t converted_size;
1812
1813	utf8_dn = ldap_get_dn(ld, entry);
1814	if (!utf8_dn) {
1815	DEBUG (5, ("smbldap_talloc_dn: ldap_get_dn failed\n"));
1816	return NULL;
1817	}
1818	if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1819	DEBUG (0, ("smbldap_talloc_dn: String conversion failure utf8 "
1820	"[%s]\n", utf8_dn));
1821	return NULL;
1822	}
1823	ldap_memfree(utf8_dn);
1824	return unix_dn;
1825	}
1826
1827	/*******************************************************************
1828	Check if root-dse has a certain Control or Extension
1829	********************************************************************/
1830
1831	static bool smbldap_check_root_dse(LDAP ld, const char attrs, const char value)
1832	{
1833	LDAPMessage *msg = NULL;
1834	LDAPMessage *entry = NULL;
1835	char **values = NULL;
1836	int rc, num_result, num_values, i;
1837	bool result = False;
1838
1839	if (!attrs[0]) {
1840	DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
1841	return False;
1842	}
1843
1844	if (!strequal(attrs[0], "supportedExtension") &&
1845	!strequal(attrs[0], "supportedControl") &&
1846	!strequal(attrs[0], "namingContexts")) {
1847	DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
1848	return False;
1849	}
1850
1851	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE,
1852	"(objectclass=)", CONST_DISCARD(char *, attrs), 0 , &msg);
1853
1854	if (rc != LDAP_SUCCESS) {
1855	DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
1856	return False;
1857	}
1858
1859	num_result = ldap_count_entries(ld, msg);
1860
1861	if (num_result != 1) {
1862	DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
1863	goto done;
1864	}
1865
1866	entry = ldap_first_entry(ld, msg);
1867
1868	if (entry == NULL) {
1869	DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
1870	goto done;
1871	}
1872
1873	values = ldap_get_values(ld, entry, attrs[0]);
1874
1875	if (values == NULL) {
1876	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
1877	goto done;
1878	}
1879
1880	num_values = ldap_count_values(values);
1881
1882	if (num_values == 0) {
1883	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
1884	goto done;
1885	}
1886
1887	for (i=0; i<num_values; i++) {
1888	if (strcmp(values[i], value) == 0)
1889	result = True;
1890	}
1891
1892
1893	done:
1894	if (values != NULL)
1895	ldap_value_free(values);
1896	if (msg != NULL)
1897	ldap_msgfree(msg);
1898
1899	return result;
1900
1901	}
1902
1903	/*******************************************************************
1904	Check if LDAP-Server supports a certain Control (OID in string format)
1905	********************************************************************/
1906
1907	bool smbldap_has_control(LDAP ld, const char control)
1908	{
1909	const char *attrs[] = { "supportedControl", NULL };
1910	return smbldap_check_root_dse(ld, attrs, control);
1911	}
1912
1913	/*******************************************************************
1914	Check if LDAP-Server supports a certain Extension (OID in string format)
1915	********************************************************************/
1916
1917	bool smbldap_has_extension(LDAP ld, const char extension)
1918	{
1919	const char *attrs[] = { "supportedExtension", NULL };
1920	return smbldap_check_root_dse(ld, attrs, extension);
1921	}
1922
1923	/*******************************************************************
1924	Check if LDAP-Server holds a given namingContext
1925	********************************************************************/
1926
1927	bool smbldap_has_naming_context(LDAP ld, const char naming_context)
1928	{
1929	const char *attrs[] = { "namingContexts", NULL };
1930	return smbldap_check_root_dse(ld, attrs, naming_context);
1931	}
1932
1933	bool smbldap_set_creds(struct smbldap_state ldap_state, bool anon, const char dn, const char *secret)
1934	{
1935	ldap_state->anonymous = anon;
1936
1937	/* free any previously set credential */
1938
1939	SAFE_FREE(ldap_state->bind_dn);
1940	if (ldap_state->bind_secret) {
1941	/* make sure secrets are zeroed out of memory */
1942	memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
1943	SAFE_FREE(ldap_state->bind_secret);
1944	}
1945
1946	if ( ! anon) {
1947	ldap_state->bind_dn = SMB_STRDUP(dn);
1948	ldap_state->bind_secret = SMB_STRDUP(secret);
1949	}
1950
1951	return True;
1952	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: