Context Navigation

source: trunk/server/source3/lib/smbldap.c@ 622

Visit:

Last change on this file since 622 was 620, checked in by Herwig Bauernfeind, 14 years ago
Samba 3.5: Update trunk to 3.5.11
File size: 55.7 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	LDAP protocol helper functions for SAMBA
4	Copyright (C) Jean FranÃ§ois Micouleau 1998
5	Copyright (C) Gerald Carter 2001-2003
6	Copyright (C) Shahms King 2001
7	Copyright (C) Andrew Bartlett 2002-2003
8	Copyright (C) Stefan (metze) Metzmacher 2002-2003
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22
23	*/
24
25	#include "includes.h"
26	#include "smbldap.h"
27
28	#ifndef LDAP_OPT_SUCCESS
29	#define LDAP_OPT_SUCCESS 0
30	#endif
31
32	/* Try not to hit the up or down server forever */
33
34	#define SMBLDAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
35	#define SMBLDAP_NUM_RETRIES 8 /* retry only 8 times */
36
37	#define SMBLDAP_IDLE_TIME 150 /* After 2.5 minutes disconnect */
38
39
40	/* attributes used by Samba 2.2 */
41
42	ATTRIB_MAP_ENTRY attrib_map_v22[] = {
43	{ LDAP_ATTR_UID, "uid" },
44	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
45	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
46	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
47	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
48	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
49	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
50	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
51	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
52	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
53	{ LDAP_ATTR_CN, "cn" },
54	{ LDAP_ATTR_SN, "sn" },
55	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
56	{ LDAP_ATTR_HOME_PATH, "smbHome" },
57	{ LDAP_ATTR_HOME_DRIVE, "homeDrive" },
58	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
59	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
60	{ LDAP_ATTR_DESC, "description" },
61	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
62	{ LDAP_ATTR_USER_RID, "rid" },
63	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
64	{ LDAP_ATTR_LMPW, "lmPassword" },
65	{ LDAP_ATTR_NTPW, "ntPassword" },
66	{ LDAP_ATTR_DOMAIN, "domain" },
67	{ LDAP_ATTR_OBJCLASS, "objectClass" },
68	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
69	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
70	{ LDAP_ATTR_LIST_END, NULL }
71	};
72
73	ATTRIB_MAP_ENTRY attrib_map_to_delete_v22[] = {
74	{ LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" },
75	{ LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" },
76	{ LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" },
77	{ LDAP_ATTR_LOGON_TIME, "logonTime" },
78	{ LDAP_ATTR_LOGOFF_TIME, "logoffTime" },
79	{ LDAP_ATTR_KICKOFF_TIME, "kickoffTime" },
80	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
81	{ LDAP_ATTR_HOME_PATH, "smbHome" },
82	{ LDAP_ATTR_HOME_DRIVE, "homeDrives" },
83	{ LDAP_ATTR_LOGON_SCRIPT, "scriptPath" },
84	{ LDAP_ATTR_PROFILE_PATH, "profilePath" },
85	{ LDAP_ATTR_USER_WKS, "userWorkstations"},
86	{ LDAP_ATTR_USER_RID, "rid" },
87	{ LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"},
88	{ LDAP_ATTR_LMPW, "lmPassword" },
89	{ LDAP_ATTR_NTPW, "ntPassword" },
90	{ LDAP_ATTR_DOMAIN, "domain" },
91	{ LDAP_ATTR_ACB_INFO, "acctFlags" },
92	{ LDAP_ATTR_LIST_END, NULL }
93	};
94
95	/* attributes used by Samba 3.0's sambaSamAccount */
96
97	ATTRIB_MAP_ENTRY attrib_map_v30[] = {
98	{ LDAP_ATTR_UID, "uid" },
99	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
100	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
101	{ LDAP_ATTR_UNIX_HOME, "homeDirectory" },
102	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
103	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
104	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
105	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
106	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
107	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
108	{ LDAP_ATTR_CN, "cn" },
109	{ LDAP_ATTR_SN, "sn" },
110	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
111	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
112	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
113	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
114	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
115	{ LDAP_ATTR_DESC, "description" },
116	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
117	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
118	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
119	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
120	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
121	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
122	{ LDAP_ATTR_OBJCLASS, "objectClass" },
123	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
124	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
125	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
126	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
127	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
128	{ LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" },
129	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
130	{ LDAP_ATTR_LIST_END, NULL }
131	};
132
133	ATTRIB_MAP_ENTRY attrib_map_to_delete_v30[] = {
134	{ LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" },
135	{ LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" },
136	{ LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" },
137	{ LDAP_ATTR_LOGON_TIME, "sambaLogonTime" },
138	{ LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" },
139	{ LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" },
140	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
141	{ LDAP_ATTR_HOME_DRIVE, "sambaHomeDrive" },
142	{ LDAP_ATTR_HOME_PATH, "sambaHomePath" },
143	{ LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" },
144	{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
145	{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
146	{ LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
147	{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
148	{ LDAP_ATTR_LMPW, "sambaLMPassword" },
149	{ LDAP_ATTR_NTPW, "sambaNTPassword" },
150	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
151	{ LDAP_ATTR_ACB_INFO, "sambaAcctFlags" },
152	{ LDAP_ATTR_MUNGED_DIAL, "sambaMungedDial" },
153	{ LDAP_ATTR_BAD_PASSWORD_COUNT, "sambaBadPasswordCount" },
154	{ LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" },
155	{ LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" },
156	{ LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" },
157	{ LDAP_ATTR_LIST_END, NULL }
158	};
159
160	/* attributes used for allocating RIDs */
161
162	ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
163	{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
164	{ LDAP_ATTR_NEXT_RID, "sambaNextRid" },
165	{ LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
166	{ LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
167	{ LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID },
168	{ LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
169	{ LDAP_ATTR_OBJCLASS, "objectClass" },
170	{ LDAP_ATTR_LIST_END, NULL },
171	};
172
173	/* Samba 3.0 group mapping attributes */
174
175	ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
176	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
177	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
178	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
179	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
180	{ LDAP_ATTR_DESC, "description" },
181	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
182	{ LDAP_ATTR_CN, "cn" },
183	{ LDAP_ATTR_OBJCLASS, "objectClass" },
184	{ LDAP_ATTR_LIST_END, NULL }
185	};
186
187	ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
188	{ LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
189	{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
190	{ LDAP_ATTR_DESC, "description" },
191	{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
192	{ LDAP_ATTR_SID_LIST, "sambaSIDList" },
193	{ LDAP_ATTR_LIST_END, NULL }
194	};
195
196	/* idmap_ldap sambaUnixIdPool */
197
198	ATTRIB_MAP_ENTRY idpool_attr_list[] = {
199	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
200	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
201	{ LDAP_ATTR_OBJCLASS, "objectClass" },
202	{ LDAP_ATTR_LIST_END, NULL }
203	};
204
205	ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
206	{ LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID },
207	{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
208	{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
209	{ LDAP_ATTR_OBJCLASS, "objectClass" },
210	{ LDAP_ATTR_LIST_END, NULL }
211	};
212
213	/**********************************************************************
214	perform a simple table lookup and return the attribute name
215	**********************************************************************/
216
217	const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
218	{
219	int i = 0;
220
221	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
222	if ( table[i].attrib == key )
223	return table[i].name;
224	i++;
225	}
226
227	return NULL;
228	}
229
230
231	/**********************************************************************
232	Return the list of attribute names from a mapping table
233	**********************************************************************/
234
235	const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
236	{
237	const char **names;
238	int i = 0;
239
240	while ( table[i].attrib != LDAP_ATTR_LIST_END )
241	i++;
242	i++;
243
244	names = TALLOC_ARRAY( mem_ctx, const char*, i );
245	if ( !names ) {
246	DEBUG(0,("get_attr_list: out of memory\n"));
247	return NULL;
248	}
249
250	i = 0;
251	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
252	names[i] = talloc_strdup( names, table[i].name );
253	i++;
254	}
255	names[i] = NULL;
256
257	return names;
258	}
259
260	/*******************************************************************
261	Search an attribute and return the first value found.
262	******************************************************************/
263
264	bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
265	const char attribute, char value,
266	int max_len)
267	{
268	char **values;
269
270	if ( !attribute )
271	return False;
272
273	value[0] = '\0';
274
275	if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
276	DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
277
278	return False;
279	}
280
281	if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, False) == (size_t)-1) {
282	DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n",
283	attribute, values[0]));
284	ldap_value_free(values);
285	return False;
286	}
287
288	ldap_value_free(values);
289	#ifdef DEBUG_PASSWORDS
290	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
291	#endif
292	return True;
293	}
294
295	char * smbldap_talloc_single_attribute(LDAP ldap_struct, LDAPMessage entry,
296	const char *attribute,
297	TALLOC_CTX *mem_ctx)
298	{
299	char **values;
300	char *result;
301	size_t converted_size;
302
303	if (attribute == NULL) {
304	return NULL;
305	}
306
307	values = ldap_get_values(ldap_struct, entry, attribute);
308
309	if (values == NULL) {
310	DEBUG(10, ("attribute %s does not exist\n", attribute));
311	return NULL;
312	}
313
314	if (ldap_count_values(values) != 1) {
315	DEBUG(10, ("attribute %s has %d values, expected only one\n",
316	attribute, ldap_count_values(values)));
317	ldap_value_free(values);
318	return NULL;
319	}
320
321	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
322	DEBUG(10, ("pull_utf8_talloc failed\n"));
323	ldap_value_free(values);
324	return NULL;
325	}
326
327	ldap_value_free(values);
328
329	#ifdef DEBUG_PASSWORDS
330	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
331	attribute, result));
332	#endif
333	return result;
334	}
335
336	char * smbldap_talloc_first_attribute(LDAP ldap_struct, LDAPMessage entry,
337	const char *attribute,
338	TALLOC_CTX *mem_ctx)
339	{
340	char **values;
341	char *result;
342	size_t converted_size;
343
344	if (attribute == NULL) {
345	return NULL;
346	}
347
348	values = ldap_get_values(ldap_struct, entry, attribute);
349
350	if (values == NULL) {
351	DEBUG(10, ("attribute %s does not exist\n", attribute));
352	return NULL;
353	}
354
355	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
356	DEBUG(10, ("pull_utf8_talloc failed\n"));
357	ldap_value_free(values);
358	return NULL;
359	}
360
361	ldap_value_free(values);
362
363	#ifdef DEBUG_PASSWORDS
364	DEBUG (100, ("smbldap_get_first_attribute: [%s] = [%s]\n",
365	attribute, result));
366	#endif
367	return result;
368	}
369
370	char * smbldap_talloc_smallest_attribute(LDAP ldap_struct, LDAPMessage entry,
371	const char *attribute,
372	TALLOC_CTX *mem_ctx)
373	{
374	char **values;
375	char *result;
376	size_t converted_size;
377	int i, num_values;
378
379	if (attribute == NULL) {
380	return NULL;
381	}
382
383	values = ldap_get_values(ldap_struct, entry, attribute);
384
385	if (values == NULL) {
386	DEBUG(10, ("attribute %s does not exist\n", attribute));
387	return NULL;
388	}
389
390	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
391	DEBUG(10, ("pull_utf8_talloc failed\n"));
392	ldap_value_free(values);
393	return NULL;
394	}
395
396	num_values = ldap_count_values(values);
397
398	for (i=1; i<num_values; i++) {
399	char *tmp;
400
401	if (!pull_utf8_talloc(mem_ctx, &tmp, values[i],
402	&converted_size)) {
403	DEBUG(10, ("pull_utf8_talloc failed\n"));
404	TALLOC_FREE(result);
405	ldap_value_free(values);
406	return NULL;
407	}
408
409	if (StrCaseCmp(tmp, result) < 0) {
410	TALLOC_FREE(result);
411	result = tmp;
412	} else {
413	TALLOC_FREE(tmp);
414	}
415	}
416
417	ldap_value_free(values);
418
419	#ifdef DEBUG_PASSWORDS
420	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
421	attribute, result));
422	#endif
423	return result;
424	}
425
426	bool smbldap_talloc_single_blob(TALLOC_CTX mem_ctx, LDAP ld,
427	LDAPMessage msg, const char attrib,
428	DATA_BLOB *blob)
429	{
430	struct berval **values;
431
432	values = ldap_get_values_len(ld, msg, attrib);
433	if (!values) {
434	return false;
435	}
436
437	if (ldap_count_values_len(values) != 1) {
438	DEBUG(10, ("Expected one value for %s, got %d\n", attrib,
439	ldap_count_values_len(values)));
440	return false;
441	}
442
443	*blob = data_blob_talloc(mem_ctx, values[0]->bv_val,
444	values[0]->bv_len);
445	ldap_value_free_len(values);
446
447	return (blob->data != NULL);
448	}
449
450	bool smbldap_pull_sid(LDAP ld, LDAPMessage msg, const char *attrib,
451	struct dom_sid *sid)
452	{
453	DATA_BLOB blob;
454	bool ret;
455
456	if (!smbldap_talloc_single_blob(talloc_tos(), ld, msg, attrib,
457	&blob)) {
458	return false;
459	}
460	ret = sid_parse((char *)blob.data, blob.length, sid);
461	TALLOC_FREE(blob.data);
462	return ret;
463	}
464
465	static int ldapmsg_destructor(LDAPMessage **result) {
466	ldap_msgfree(*result);
467	return 0;
468	}
469
470	void talloc_autofree_ldapmsg(TALLOC_CTX mem_ctx, LDAPMessage result)
471	{
472	LDAPMessage **handle;
473
474	if (result == NULL) {
475	return;
476	}
477
478	handle = TALLOC_P(mem_ctx, LDAPMessage *);
479	SMB_ASSERT(handle != NULL);
480
481	*handle = result;
482	talloc_set_destructor(handle, ldapmsg_destructor);
483	}
484
485	static int ldapmod_destructor(LDAPMod ***mod) {
486	ldap_mods_free(*mod, True);
487	return 0;
488	}
489
490	void talloc_autofree_ldapmod(TALLOC_CTX mem_ctx, LDAPMod *mod)
491	{
492	LDAPMod ***handle;
493
494	if (mod == NULL) {
495	return;
496	}
497
498	handle = TALLOC_P(mem_ctx, LDAPMod **);
499	SMB_ASSERT(handle != NULL);
500
501	*handle = mod;
502	talloc_set_destructor(handle, ldapmod_destructor);
503	}
504
505	/************************************************************************
506	Routine to manage the LDAPMod structure array
507	manage memory used by the array, by each struct, and values
508	***********************************************************************/
509
510	void smbldap_set_mod (LDAPMod *** modlist, int modop, const char attribute, const char value)
511	{
512	LDAPMod **mods;
513	int i;
514	int j;
515
516	mods = *modlist;
517
518	/* sanity checks on the mod values */
519
520	if (attribute == NULL \|\| *attribute == '\0') {
521	return;
522	}
523
524	#if 0 /* commented out after discussion with abartlet. Do not reenable.
525	left here so other do not re-add similar code --jerry */
526	if (value == NULL \|\| *value == '\0')
527	return;
528	#endif
529
530	if (mods == NULL) {
531	mods = SMB_MALLOC_P(LDAPMod *);
532	if (mods == NULL) {
533	smb_panic("smbldap_set_mod: out of memory!");
534	/* notreached. */
535	}
536	mods[0] = NULL;
537	}
538
539	for (i = 0; mods[i] != NULL; ++i) {
540	if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
541	break;
542	}
543
544	if (mods[i] == NULL) {
545	mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
546	if (mods == NULL) {
547	smb_panic("smbldap_set_mod: out of memory!");
548	/* notreached. */
549	}
550	mods[i] = SMB_MALLOC_P(LDAPMod);
551	if (mods[i] == NULL) {
552	smb_panic("smbldap_set_mod: out of memory!");
553	/* notreached. */
554	}
555	mods[i]->mod_op = modop;
556	mods[i]->mod_values = NULL;
557	mods[i]->mod_type = SMB_STRDUP(attribute);
558	mods[i + 1] = NULL;
559	}
560
561	if (value != NULL) {
562	char *utf8_value = NULL;
563	size_t converted_size;
564
565	j = 0;
566	if (mods[i]->mod_values != NULL) {
567	for (; mods[i]->mod_values[j] != NULL; j++);
568	}
569	mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
570
571	if (mods[i]->mod_values == NULL) {
572	smb_panic("smbldap_set_mod: out of memory!");
573	/* notreached. */
574	}
575
576	if (!push_utf8_talloc(talloc_tos(), &utf8_value, value, &converted_size)) {
577	smb_panic("smbldap_set_mod: String conversion failure!");
578	/* notreached. */
579	}
580
581	mods[i]->mod_values[j] = SMB_STRDUP(utf8_value);
582	TALLOC_FREE(utf8_value);
583	SMB_ASSERT(mods[i]->mod_values[j] != NULL);
584
585	mods[i]->mod_values[j + 1] = NULL;
586	}
587	*modlist = mods;
588	}
589
590	/**********************************************************************
591	Set attribute to newval in LDAP, regardless of what value the
592	attribute had in LDAP before.
593	*********************************************************************/
594
595	void smbldap_make_mod(LDAP ldap_struct, LDAPMessage existing,
596	LDAPMod ***mods,
597	const char attribute, const char newval)
598	{
599	char oldval[2048]; /* current largest allowed value is mungeddial */
600	bool existed;
601
602	if (attribute == NULL) {
603	/* This can actually happen for ldapsam_compat where we for
604	* example don't have a password history */
605	return;
606	}
607
608	if (existing != NULL) {
609	existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
610	} else {
611	existed = False;
612	*oldval = '\0';
613	}
614
615	/* all of our string attributes are case insensitive */
616
617	if (existed && newval && (StrCaseCmp(oldval, newval) == 0)) {
618
619	/* Believe it or not, but LDAP will deny a delete and
620	an add at the same time if the values are the
621	same... */
622	DEBUG(10,("smbldap_make_mod: attribute \|%s\| not changed.\n", attribute));
623	return;
624	}
625
626	if (existed) {
627	/* There has been no value before, so don't delete it.
628	* Here's a possible race: We might end up with
629	* duplicate attributes */
630	/* By deleting exactly the value we found in the entry this
631	* should be race-free in the sense that the LDAP-Server will
632	* deny the complete operation if somebody changed the
633	* attribute behind our back. */
634	/* This will also allow modifying single valued attributes
635	* in Novell NDS. In NDS you have to first remove attribute and then
636	* you could add new value */
637
638	DEBUG(10,("smbldap_make_mod: deleting attribute \|%s\| values \|%s\|\n", attribute, oldval));
639	smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
640	}
641
642	/* Regardless of the real operation (add or modify)
643	we add the new value here. We rely on deleting
644	the old value, should it exist. */
645
646	if ((newval != NULL) && (strlen(newval) > 0)) {
647	DEBUG(10,("smbldap_make_mod: adding attribute \|%s\| value \|%s\|\n", attribute, newval));
648	smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
649	}
650	}
651
652	/**********************************************************************
653	Some varients of the LDAP rebind code do not pass in the third 'arg'
654	pointer to a void*, so we try and work around it by assuming that the
655	value of the 'LDAP *' pointer is the same as the one we had passed in
656	**********************************************************************/
657
658	struct smbldap_state_lookup {
659	LDAP *ld;
660	struct smbldap_state *smbldap_state;
661	struct smbldap_state_lookup prev, next;
662	};
663
664	static struct smbldap_state_lookup *smbldap_state_lookup_list;
665
666	static struct smbldap_state smbldap_find_state(LDAP ld)
667	{
668	struct smbldap_state_lookup *t;
669
670	for (t = smbldap_state_lookup_list; t; t = t->next) {
671	if (t->ld == ld) {
672	return t->smbldap_state;
673	}
674	}
675	return NULL;
676	}
677
678	static void smbldap_delete_state(struct smbldap_state *smbldap_state)
679	{
680	struct smbldap_state_lookup *t;
681
682	for (t = smbldap_state_lookup_list; t; t = t->next) {
683	if (t->smbldap_state == smbldap_state) {
684	DLIST_REMOVE(smbldap_state_lookup_list, t);
685	SAFE_FREE(t);
686	return;
687	}
688	}
689	}
690
691	static void smbldap_store_state(LDAP ld, struct smbldap_state smbldap_state)
692	{
693	struct smbldap_state *tmp_ldap_state;
694	struct smbldap_state_lookup *t;
695
696	if ((tmp_ldap_state = smbldap_find_state(ld))) {
697	SMB_ASSERT(tmp_ldap_state == smbldap_state);
698	return;
699	}
700
701	t = SMB_XMALLOC_P(struct smbldap_state_lookup);
702	ZERO_STRUCTP(t);
703
704	DLIST_ADD_END(smbldap_state_lookup_list, t, struct smbldap_state_lookup *);
705	t->ld = ld;
706	t->smbldap_state = smbldap_state;
707	}
708
709	/********************************************************************
710	start TLS on an existing LDAP connection
711	*******************************************************************/
712
713	int smb_ldap_start_tls(LDAP *ldap_struct, int version)
714	{
715	#ifdef LDAP_OPT_X_TLS
716	int rc;
717	#endif
718
719	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
720	return LDAP_SUCCESS;
721	}
722
723	#ifdef LDAP_OPT_X_TLS
724	if (version != LDAP_VERSION3) {
725	DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
726	return LDAP_OPERATIONS_ERROR;
727	}
728
729	if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS) {
730	DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
731	ldap_err2string(rc)));
732	return rc;
733	}
734
735	DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
736	return LDAP_SUCCESS;
737	#else
738	DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
739	return LDAP_OPERATIONS_ERROR;
740	#endif
741	}
742
743	/********************************************************************
744	setup a connection to the LDAP server based on a uri
745	*******************************************************************/
746
747	int smb_ldap_setup_conn(LDAP *ldap_struct, const char uri)
748	{
749	int rc;
750
751	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
752
753	#ifdef HAVE_LDAP_INITIALIZE
754
755	rc = ldap_initialize(ldap_struct, uri);
756	if (rc) {
757	DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
758	return rc;
759	}
760
761	if (lp_ldap_follow_referral() != Auto) {
762	rc = ldap_set_option(*ldap_struct, LDAP_OPT_REFERRALS,
763	lp_ldap_follow_referral() ? LDAP_OPT_ON : LDAP_OPT_OFF);
764	if (rc != LDAP_SUCCESS)
765	DEBUG(0, ("Failed to set LDAP_OPT_REFERRALS: %s\n",
766	ldap_err2string(rc)));
767	}
768
769	return LDAP_SUCCESS;
770	#else
771
772	/* Parse the string manually */
773
774	{
775	int port = 0;
776	fstring protocol;
777	fstring host;
778	SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
779
780
781	/* skip leading "URL:" (if any) */
782	if ( strnequal( uri, "URL:", 4 ) ) {
783	uri += 4;
784	}
785
786	sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
787
788	if (port == 0) {
789	if (strequal(protocol, "ldap")) {
790	port = LDAP_PORT;
791	} else if (strequal(protocol, "ldaps")) {
792	port = LDAPS_PORT;
793	} else {
794	DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
795	}
796	}
797
798	if ((*ldap_struct = ldap_init(host, port)) == NULL) {
799	DEBUG(0, ("ldap_init failed !\n"));
800	return LDAP_OPERATIONS_ERROR;
801	}
802
803	if (strequal(protocol, "ldaps")) {
804	#ifdef LDAP_OPT_X_TLS
805	int tls = LDAP_OPT_X_TLS_HARD;
806	if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
807	{
808	DEBUG(0, ("Failed to setup a TLS session\n"));
809	}
810
811	DEBUG(3,("LDAPS option set...!\n"));
812	#else
813	DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
814	return LDAP_OPERATIONS_ERROR;
815	#endif /* LDAP_OPT_X_TLS */
816	}
817	}
818	#endif /* HAVE_LDAP_INITIALIZE */
819
820	/* now set connection timeout */
821	#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
822	{
823	int ct = lp_ldap_connection_timeout()*1000;
824	rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
825	if (rc != LDAP_SUCCESS) {
826	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
827	ct, ldap_err2string(rc)));
828	}
829	}
830	#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
831	{
832	struct timeval ct;
833	ct.tv_usec = 0;
834	ct.tv_sec = lp_ldap_connection_timeout();
835	rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
836	if (rc != LDAP_SUCCESS) {
837	DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
838	(int)ct.tv_sec, ldap_err2string(rc)));
839	}
840	}
841	#endif
842
843	return LDAP_SUCCESS;
844	}
845
846	/********************************************************************
847	try to upgrade to Version 3 LDAP if not already, in either case return current
848	version
849	*******************************************************************/
850
851	int smb_ldap_upgrade_conn(LDAP ldap_struct, int new_version)
852	{
853	int version;
854	int rc;
855
856	/* assume the worst */
857	*new_version = LDAP_VERSION2;
858
859	rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
860	if (rc) {
861	return rc;
862	}
863
864	if (version == LDAP_VERSION3) {
865	*new_version = LDAP_VERSION3;
866	return LDAP_SUCCESS;
867	}
868
869	/* try upgrade */
870	version = LDAP_VERSION3;
871	rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
872	if (rc) {
873	return rc;
874	}
875
876	*new_version = LDAP_VERSION3;
877	return LDAP_SUCCESS;
878	}
879
880	/*******************************************************************
881	open a connection to the ldap server (just until the bind)
882	******************************************************************/
883
884	int smb_ldap_setup_full_conn(LDAP *ldap_struct, const char uri)
885	{
886	int rc, version;
887
888	rc = smb_ldap_setup_conn(ldap_struct, uri);
889	if (rc) {
890	return rc;
891	}
892
893	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
894	if (rc) {
895	return rc;
896	}
897
898	rc = smb_ldap_start_tls(*ldap_struct, version);
899	if (rc) {
900	return rc;
901	}
902
903	return LDAP_SUCCESS;
904	}
905
906	/*******************************************************************
907	open a connection to the ldap server.
908	******************************************************************/
909	static int smbldap_open_connection (struct smbldap_state *ldap_state)
910
911	{
912	int rc = LDAP_SUCCESS;
913	int version;
914	int deref;
915	LDAP **ldap_struct = &ldap_state->ldap_struct;
916
917	rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
918	if (rc) {
919	return rc;
920	}
921
922	/* Store the LDAP pointer in a lookup list */
923
924	smbldap_store_state(*ldap_struct, ldap_state);
925
926	/* Upgrade to LDAPv3 if possible */
927
928	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
929	if (rc) {
930	return rc;
931	}
932
933	/* Start TLS if required */
934
935	rc = smb_ldap_start_tls(*ldap_struct, version);
936	if (rc) {
937	return rc;
938	}
939
940	/* Set alias dereferencing method */
941	deref = lp_ldap_deref();
942	if (deref != -1) {
943	if (ldap_set_option (*ldap_struct, LDAP_OPT_DEREF, &deref) != LDAP_OPT_SUCCESS) {
944	DEBUG(1,("smbldap_open_connection: Failed to set dereferencing method: %d\n", deref));
945	} else {
946	DEBUG(5,("Set dereferencing method: %d\n", deref));
947	}
948	}
949
950	DEBUG(2, ("smbldap_open_connection: connection opened\n"));
951	return rc;
952	}
953
954	/*******************************************************************
955	a rebind function for authenticated referrals
956	This version takes a void* that we can shove useful stuff in :-)
957	******************************************************************/
958	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
959	#else
960	static int rebindproc_with_state (LDAP * ld, char whop, char credp,
961	int methodp, int freeit, void arg)
962	{
963	struct smbldap_state *ldap_state = arg;
964
965	/** @TODO Should we be doing something to check what servers we rebind to?
966	Could we get a referral to a machine that we don't want to give our
967	username and password to? */
968
969	if (freeit) {
970	SAFE_FREE(*whop);
971	if (*credp) {
972	memset(credp, '\0', strlen(credp));
973	}
974	SAFE_FREE(*credp);
975	} else {
976	DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
977	ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
978
979	if (ldap_state->anonymous) {
980	*whop = NULL;
981	*credp = NULL;
982	} else {
983	*whop = SMB_STRDUP(ldap_state->bind_dn);
984	if (!*whop) {
985	return LDAP_NO_MEMORY;
986	}
987	*credp = SMB_STRDUP(ldap_state->bind_secret);
988	if (!*credp) {
989	SAFE_FREE(*whop);
990	return LDAP_NO_MEMORY;
991	}
992	}
993	*methodp = LDAP_AUTH_SIMPLE;
994	}
995
996	GetTimeOfDay(&ldap_state->last_rebind);
997
998	return 0;
999	}
1000	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1001
1002	/*******************************************************************
1003	a rebind function for authenticated referrals
1004	This version takes a void* that we can shove useful stuff in :-)
1005	and actually does the connection.
1006	******************************************************************/
1007	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1008	static int rebindproc_connect_with_state (LDAP *ldap_struct,
1009	LDAP_CONST char *url,
1010	ber_tag_t request,
1011	ber_int_t msgid, void *arg)
1012	{
1013	struct smbldap_state *ldap_state =
1014	(struct smbldap_state *)arg;
1015	int rc;
1016	int version;
1017
1018	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n",
1019	url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
1020
1021	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
1022	* itself) before rebinding to another LDAP server to avoid to expose
1023	* our credentials. At least try to secure the connection - Guenther */
1024
1025	smb_ldap_upgrade_conn(ldap_struct, &version);
1026	smb_ldap_start_tls(ldap_struct, version);
1027
1028	/** @TODO Should we be doing something to check what servers we rebind to?
1029	Could we get a referral to a machine that we don't want to give our
1030	username and password to? */
1031
1032	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1033
1034	/* only set the last rebind timestamp when we did rebind after a
1035	* non-read LDAP operation. That way we avoid the replication sleep
1036	* after a simple redirected search operation - Guenther */
1037
1038	switch (request) {
1039
1040	case LDAP_REQ_MODIFY:
1041	case LDAP_REQ_ADD:
1042	case LDAP_REQ_DELETE:
1043	case LDAP_REQ_MODDN:
1044	case LDAP_REQ_EXTENDED:
1045	DEBUG(10,("rebindproc_connect_with_state: "
1046	"setting last_rebind timestamp "
1047	"(req: 0x%02x)\n", (unsigned int)request));
1048	GetTimeOfDay(&ldap_state->last_rebind);
1049	break;
1050	default:
1051	ZERO_STRUCT(ldap_state->last_rebind);
1052	break;
1053	}
1054
1055	return rc;
1056	}
1057	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1058
1059	/*******************************************************************
1060	Add a rebind function for authenticated referrals
1061	******************************************************************/
1062	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1063	#else
1064	# if LDAP_SET_REBIND_PROC_ARGS == 2
1065	static int rebindproc (LDAP ldap_struct, char whop, char *credp,
1066	int *method, int freeit )
1067	{
1068	struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
1069
1070	return rebindproc_with_state(ldap_struct, whop, credp,
1071	method, freeit, ldap_state);
1072	}
1073	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
1074	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1075
1076	/*******************************************************************
1077	a rebind function for authenticated referrals
1078	this also does the connection, but no void*.
1079	******************************************************************/
1080	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1081	# if LDAP_SET_REBIND_PROC_ARGS == 2
1082	static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
1083	ber_int_t msgid)
1084	{
1085	struct smbldap_state *ldap_state = smbldap_find_state(ld);
1086
1087	return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
1088	ldap_state);
1089	}
1090	# endif /LDAP_SET_REBIND_PROC_ARGS == 2/
1091	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1092
1093	/*******************************************************************
1094	connect to the ldap server under system privilege.
1095	******************************************************************/
1096	static int smbldap_connect_system(struct smbldap_state *ldap_state)
1097	{
1098	LDAP *ldap_struct = ldap_state->ldap_struct;
1099	int rc;
1100	int version;
1101
1102	if (!ldap_state->anonymous && !ldap_state->bind_dn) {
1103	char *bind_dn = NULL;
1104	char *bind_secret = NULL;
1105
1106	/* get the default dn and password only if they are not set already */
1107	if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
1108	DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
1109	rc = LDAP_INVALID_CREDENTIALS;
1110	goto done;
1111	}
1112	smbldap_set_creds(ldap_state, false, bind_dn, bind_secret);
1113	SAFE_FREE(bind_dn);
1114	memset(bind_secret, '\0', strlen(bind_secret));
1115	SAFE_FREE(bind_secret);
1116	}
1117
1118	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
1119	(OpenLDAP) doesnt' seem to support it */
1120
1121	DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
1122	ldap_state->uri, ldap_state->bind_dn));
1123
1124	#ifdef HAVE_LDAP_SET_REBIND_PROC
1125	#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
1126	# if LDAP_SET_REBIND_PROC_ARGS == 2
1127	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
1128	# endif
1129	# if LDAP_SET_REBIND_PROC_ARGS == 3
1130	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
1131	# endif
1132	#else /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1133	# if LDAP_SET_REBIND_PROC_ARGS == 2
1134	ldap_set_rebind_proc(ldap_struct, &rebindproc);
1135	# endif
1136	# if LDAP_SET_REBIND_PROC_ARGS == 3
1137	ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
1138	# endif
1139	#endif /defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)/
1140	#endif
1141
1142	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
1143
1144	if (rc != LDAP_SUCCESS) {
1145	char *ld_error = NULL;
1146	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
1147	&ld_error);
1148	DEBUG(ldap_state->num_failures ? 2 : 0,
1149	("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
1150	ldap_state->uri,
1151	ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
1152	ldap_err2string(rc),
1153	ld_error ? ld_error : "(unknown)"));
1154	SAFE_FREE(ld_error);
1155	ldap_state->num_failures++;
1156	goto done;
1157	}
1158
1159	ldap_state->num_failures = 0;
1160	ldap_state->paged_results = False;
1161
1162	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
1163
1164	if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
1165	ldap_state->paged_results = True;
1166	}
1167
1168	DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
1169	DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n",
1170	ldap_state->paged_results ? "does" : "does not"));
1171	done:
1172	if (rc != 0) {
1173	ldap_unbind(ldap_struct);
1174	ldap_state->ldap_struct = NULL;
1175	}
1176	return rc;
1177	}
1178
1179	static void smbldap_idle_fn(struct event_context *event_ctx,
1180	struct timed_event *te,
1181	struct timeval now,
1182	void *private_data);
1183
1184	/**********************************************************************
1185	Connect to LDAP server (called before every ldap operation)
1186	*********************************************************************/
1187	static int smbldap_open(struct smbldap_state *ldap_state)
1188	{
1189	int rc, opt_rc;
1190	bool reopen = False;
1191	SMB_ASSERT(ldap_state);
1192
1193	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
1194
1195	#ifdef HAVE_UNIXSOCKET
1196	struct sockaddr_un addr;
1197	#else
1198	struct sockaddr addr;
1199	#endif
1200	socklen_t len = sizeof(addr);
1201	int sd;
1202
1203	opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
1204	if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
1205	reopen = True;
1206
1207	#ifdef HAVE_UNIXSOCKET
1208	if (opt_rc == 0 && addr.sun_family == AF_UNIX)
1209	reopen = True;
1210	#endif
1211	if (reopen) {
1212	/* the other end has died. reopen. */
1213	ldap_unbind(ldap_state->ldap_struct);
1214	ldap_state->ldap_struct = NULL;
1215	ldap_state->last_ping = (time_t)0;
1216	} else {
1217	ldap_state->last_ping = time(NULL);
1218	}
1219	}
1220
1221	if (ldap_state->ldap_struct != NULL) {
1222	DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
1223	return LDAP_SUCCESS;
1224	}
1225
1226	if ((rc = smbldap_open_connection(ldap_state))) {
1227	return rc;
1228	}
1229
1230	if ((rc = smbldap_connect_system(ldap_state))) {
1231	return rc;
1232	}
1233
1234
1235	ldap_state->last_ping = time(NULL);
1236	ldap_state->pid = sys_getpid();
1237
1238	TALLOC_FREE(ldap_state->idle_event);
1239
1240	if (ldap_state->event_context != NULL) {
1241	ldap_state->idle_event = event_add_timed(
1242	ldap_state->event_context, ldap_state,
1243	timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
1244	smbldap_idle_fn, ldap_state);
1245	}
1246
1247	DEBUG(4,("The LDAP server is successfully connected\n"));
1248
1249	return LDAP_SUCCESS;
1250	}
1251
1252	/**********************************************************************
1253	Disconnect from LDAP server
1254	*********************************************************************/
1255	static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
1256	{
1257	if (!ldap_state)
1258	return NT_STATUS_INVALID_PARAMETER;
1259
1260	if (ldap_state->ldap_struct != NULL) {
1261	ldap_unbind(ldap_state->ldap_struct);
1262	ldap_state->ldap_struct = NULL;
1263	}
1264
1265	smbldap_delete_state(ldap_state);
1266
1267	TALLOC_FREE(ldap_state->idle_event);
1268
1269	DEBUG(5,("The connection to the LDAP server was closed\n"));
1270	/* maybe free the results here --metze */
1271
1272	return NT_STATUS_OK;
1273	}
1274
1275	static bool got_alarm;
1276
1277	static void (*old_handler)(int);
1278
1279	static void gotalarm_sig(int dummy)
1280	{
1281	got_alarm = True;
1282	}
1283
1284	static int another_ldap_try(struct smbldap_state ldap_state, int rc,
1285	int *attempts, time_t endtime)
1286	{
1287	time_t now = time(NULL);
1288	int open_rc = LDAP_SERVER_DOWN;
1289
1290	if (*rc != LDAP_SERVER_DOWN)
1291	goto no_next;
1292
1293	if (now >= endtime) {
1294	smbldap_close(ldap_state);
1295	*rc = LDAP_TIMEOUT;
1296	goto no_next;
1297	}
1298
1299	if (*attempts == 0) {
1300	got_alarm = False;
1301	old_handler = CatchSignal(SIGALRM, gotalarm_sig);
1302	alarm(endtime - now);
1303
1304	if (ldap_state->pid != sys_getpid())
1305	smbldap_close(ldap_state);
1306	}
1307
1308	while (1) {
1309
1310	if (*attempts != 0)
1311	smb_msleep(1000);
1312
1313	*attempts += 1;
1314
1315	open_rc = smbldap_open(ldap_state);
1316
1317	if (open_rc == LDAP_SUCCESS) {
1318	ldap_state->last_use = now;
1319	return True;
1320	}
1321
1322	if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
1323	/* The fact that we are non-root or any other
1324	* access-denied condition will not change in the next
1325	* round of trying */
1326	*rc = open_rc;
1327	break;
1328	}
1329
1330	if (got_alarm) {
1331	*rc = LDAP_TIMEOUT;
1332	break;
1333	}
1334
1335	if (open_rc != LDAP_SUCCESS) {
1336	DEBUG(1, ("Connection to LDAP server failed for the "
1337	"%d try!\n", *attempts));
1338	}
1339	}
1340
1341	no_next:
1342	CatchSignal(SIGALRM, old_handler);
1343	alarm(0);
1344	ldap_state->last_use = now;
1345	return False;
1346	}
1347
1348	/*********************************************************************
1349	********************************************************************/
1350
1351	static int smbldap_search_ext(struct smbldap_state *ldap_state,
1352	const char base, int scope, const char filter,
1353	const char *attrs[], int attrsonly,
1354	LDAPControl sctrls, LDAPControl cctrls,
1355	int sizelimit, LDAPMessage **res)
1356	{
1357	int rc = LDAP_SERVER_DOWN;
1358	int attempts = 0;
1359	char *utf8_filter;
1360	time_t endtime = time(NULL)+lp_ldap_timeout();
1361	struct timeval timeout;
1362	size_t converted_size;
1363
1364	SMB_ASSERT(ldap_state);
1365
1366	DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
1367	"scope => [%d]\n", base, filter, scope));
1368
1369	if (ldap_state->last_rebind.tv_sec > 0) {
1370	struct timeval tval;
1371	int64_t tdiff = 0;
1372	int sleep_time = 0;
1373
1374	ZERO_STRUCT(tval);
1375	GetTimeOfDay(&tval);
1376
1377	tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
1378	tdiff /= 1000; /* Convert to milliseconds. */
1379
1380	sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
1381	sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
1382
1383	if (sleep_time > 0) {
1384	/* we wait for the LDAP replication */
1385	DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
1386	"for LDAP replication.\n",sleep_time));
1387	smb_msleep(sleep_time);
1388	DEBUG(5,("smbldap_search_ext: go on!\n"));
1389	}
1390	ZERO_STRUCT(ldap_state->last_rebind);
1391	}
1392
1393	if (!push_utf8_talloc(talloc_tos(), &utf8_filter, filter, &converted_size)) {
1394	return LDAP_NO_MEMORY;
1395	}
1396
1397	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
1398	timeout.tv_sec = lp_ldap_timeout();
1399	timeout.tv_usec = 0;
1400
1401	/* Setup alarm timeout.... Do we need both of these ? JRA.
1402	* Yes, I think we do need both of these. The server timeout only
1403	* covers the case where the server's operation takes too long. It
1404	* does not cover the case where the request hangs on its way to the
1405	* server. The server side timeout is not strictly necessary, it's
1406	* just a bit more kind to the server. VL. */
1407
1408	got_alarm = 0;
1409	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
1410	alarm(lp_ldap_timeout());
1411	/* End setup timeout. */
1412
1413	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1414	rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope,
1415	utf8_filter,
1416	CONST_DISCARD(char **, attrs),
1417	attrsonly, sctrls, cctrls, &timeout,
1418	sizelimit, res);
1419	if (rc != LDAP_SUCCESS) {
1420	char *ld_error = NULL;
1421	int ld_errno;
1422
1423	ldap_get_option(ldap_state->ldap_struct,
1424	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1425
1426	ldap_get_option(ldap_state->ldap_struct,
1427	LDAP_OPT_ERROR_STRING, &ld_error);
1428	DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
1429	"(%s)\n", base, ld_errno,
1430	ldap_err2string(rc),
1431	ld_error ? ld_error : "unknown"));
1432	SAFE_FREE(ld_error);
1433
1434	if (ld_errno == LDAP_SERVER_DOWN) {
1435	ldap_unbind(ldap_state->ldap_struct);
1436	ldap_state->ldap_struct = NULL;
1437	}
1438	}
1439	}
1440
1441	TALLOC_FREE(utf8_filter);
1442
1443	/* Teardown timeout. */
1444	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
1445	alarm(0);
1446
1447	if (got_alarm != 0)
1448	return LDAP_TIMELIMIT_EXCEEDED;
1449
1450	return rc;
1451	}
1452
1453	int smbldap_search(struct smbldap_state *ldap_state,
1454	const char base, int scope, const char filter,
1455	const char *attrs[], int attrsonly,
1456	LDAPMessage **res)
1457	{
1458	return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1459	attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
1460	}
1461
1462	int smbldap_search_paged(struct smbldap_state *ldap_state,
1463	const char base, int scope, const char filter,
1464	const char **attrs, int attrsonly, int pagesize,
1465	LDAPMessage res, void cookie)
1466	{
1467	LDAPControl pr;
1468	LDAPControl **rcontrols;
1469	LDAPControl *controls[2] = { NULL, NULL};
1470	BerElement *cookie_be = NULL;
1471	struct berval *cookie_bv = NULL;
1472	int tmp = 0, i, rc;
1473	bool critical = True;
1474
1475	*res = NULL;
1476
1477	DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
1478	"scope => [%d], pagesize => [%d]\n",
1479	base, filter, scope, pagesize));
1480
1481	cookie_be = ber_alloc_t(LBER_USE_DER);
1482	if (cookie_be == NULL) {
1483	DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
1484	"NULL\n"));
1485	return LDAP_NO_MEMORY;
1486	}
1487
1488	/* construct cookie */
1489	if (*cookie != NULL) {
1490	ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
1491	ber_bvfree((struct berval )cookie); /* don't need it from last time */
1492	*cookie = NULL;
1493	} else {
1494	ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
1495	}
1496	ber_flatten(cookie_be, &cookie_bv);
1497
1498	pr.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
1499	pr.ldctl_iscritical = (char) critical;
1500	pr.ldctl_value.bv_len = cookie_bv->bv_len;
1501	pr.ldctl_value.bv_val = cookie_bv->bv_val;
1502
1503	controls[0] = &pr;
1504	controls[1] = NULL;
1505
1506	rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs,
1507	0, controls, NULL, LDAP_NO_LIMIT, res);
1508
1509	ber_free(cookie_be, 1);
1510	ber_bvfree(cookie_bv);
1511
1512	if (rc != 0) {
1513	DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
1514	"failed with [%s]\n", filter, ldap_err2string(rc)));
1515	goto done;
1516	}
1517
1518	DEBUG(3,("smbldap_search_paged: search was successful\n"));
1519
1520	rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL,
1521	NULL, NULL, &rcontrols, 0);
1522	if (rc != 0) {
1523	DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
1524	"with [%s]\n", ldap_err2string(rc)));
1525	goto done;
1526	}
1527
1528	if (rcontrols == NULL)
1529	goto done;
1530
1531	for (i=0; rcontrols[i]; i++) {
1532
1533	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
1534	continue;
1535
1536	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1537	ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
1538	/* the berval is the cookie, but must be freed when it is all
1539	done */
1540	if (cookie_bv->bv_len)
1541	*cookie=ber_bvdup(cookie_bv);
1542	else
1543	*cookie=NULL;
1544	ber_bvfree(cookie_bv);
1545	ber_free(cookie_be, 1);
1546	break;
1547	}
1548	ldap_controls_free(rcontrols);
1549	done:
1550	return rc;
1551	}
1552
1553	int smbldap_modify(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1554	{
1555	int rc = LDAP_SERVER_DOWN;
1556	int attempts = 0;
1557	char *utf8_dn;
1558	time_t endtime = time(NULL)+lp_ldap_timeout();
1559	size_t converted_size;
1560
1561	SMB_ASSERT(ldap_state);
1562
1563	DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
1564
1565	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1566	return LDAP_NO_MEMORY;
1567	}
1568
1569	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1570	rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
1571	if (rc != LDAP_SUCCESS) {
1572	char *ld_error = NULL;
1573	int ld_errno;
1574
1575	ldap_get_option(ldap_state->ldap_struct,
1576	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1577
1578	ldap_get_option(ldap_state->ldap_struct,
1579	LDAP_OPT_ERROR_STRING, &ld_error);
1580	DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
1581	"(%s)\n", dn, ld_errno,
1582	ldap_err2string(rc),
1583	ld_error ? ld_error : "unknown"));
1584	SAFE_FREE(ld_error);
1585
1586	if (ld_errno == LDAP_SERVER_DOWN) {
1587	ldap_unbind(ldap_state->ldap_struct);
1588	ldap_state->ldap_struct = NULL;
1589	}
1590	}
1591	}
1592
1593	TALLOC_FREE(utf8_dn);
1594	return rc;
1595	}
1596
1597	int smbldap_add(struct smbldap_state ldap_state, const char dn, LDAPMod *attrs[])
1598	{
1599	int rc = LDAP_SERVER_DOWN;
1600	int attempts = 0;
1601	char *utf8_dn;
1602	time_t endtime = time(NULL)+lp_ldap_timeout();
1603	size_t converted_size;
1604
1605	SMB_ASSERT(ldap_state);
1606
1607	DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
1608
1609	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1610	return LDAP_NO_MEMORY;
1611	}
1612
1613	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1614	rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
1615	if (rc != LDAP_SUCCESS) {
1616	char *ld_error = NULL;
1617	int ld_errno;
1618
1619	ldap_get_option(ldap_state->ldap_struct,
1620	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1621
1622	ldap_get_option(ldap_state->ldap_struct,
1623	LDAP_OPT_ERROR_STRING, &ld_error);
1624	DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
1625	"(%s)\n", dn, ld_errno,
1626	ldap_err2string(rc),
1627	ld_error ? ld_error : "unknown"));
1628	SAFE_FREE(ld_error);
1629
1630	if (ld_errno == LDAP_SERVER_DOWN) {
1631	ldap_unbind(ldap_state->ldap_struct);
1632	ldap_state->ldap_struct = NULL;
1633	}
1634	}
1635	}
1636
1637	TALLOC_FREE(utf8_dn);
1638	return rc;
1639	}
1640
1641	int smbldap_delete(struct smbldap_state ldap_state, const char dn)
1642	{
1643	int rc = LDAP_SERVER_DOWN;
1644	int attempts = 0;
1645	char *utf8_dn;
1646	time_t endtime = time(NULL)+lp_ldap_timeout();
1647	size_t converted_size;
1648
1649	SMB_ASSERT(ldap_state);
1650
1651	DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
1652
1653	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
1654	return LDAP_NO_MEMORY;
1655	}
1656
1657	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1658	rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
1659	if (rc != LDAP_SUCCESS) {
1660	char *ld_error = NULL;
1661	int ld_errno;
1662
1663	ldap_get_option(ldap_state->ldap_struct,
1664	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1665
1666	ldap_get_option(ldap_state->ldap_struct,
1667	LDAP_OPT_ERROR_STRING, &ld_error);
1668	DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
1669	"(%s)\n", dn, ld_errno,
1670	ldap_err2string(rc),
1671	ld_error ? ld_error : "unknown"));
1672	SAFE_FREE(ld_error);
1673
1674	if (ld_errno == LDAP_SERVER_DOWN) {
1675	ldap_unbind(ldap_state->ldap_struct);
1676	ldap_state->ldap_struct = NULL;
1677	}
1678	}
1679	}
1680
1681	TALLOC_FREE(utf8_dn);
1682	return rc;
1683	}
1684
1685	int smbldap_extended_operation(struct smbldap_state *ldap_state,
1686	LDAP_CONST char reqoid, struct berval reqdata,
1687	LDAPControl serverctrls, LDAPControl clientctrls,
1688	char retoidp, struct berval retdatap)
1689	{
1690	int rc = LDAP_SERVER_DOWN;
1691	int attempts = 0;
1692	time_t endtime = time(NULL)+lp_ldap_timeout();
1693
1694	if (!ldap_state)
1695	return (-1);
1696
1697	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
1698	rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
1699	reqdata, serverctrls,
1700	clientctrls, retoidp, retdatap);
1701	if (rc != LDAP_SUCCESS) {
1702	char *ld_error = NULL;
1703	int ld_errno;
1704
1705	ldap_get_option(ldap_state->ldap_struct,
1706	LDAP_OPT_ERROR_NUMBER, &ld_errno);
1707
1708	ldap_get_option(ldap_state->ldap_struct,
1709	LDAP_OPT_ERROR_STRING, &ld_error);
1710	DEBUG(10, ("Extended operation failed with error: "
1711	"%d (%s) (%s)\n", ld_errno,
1712	ldap_err2string(rc),
1713	ld_error ? ld_error : "unknown"));
1714	SAFE_FREE(ld_error);
1715
1716	if (ld_errno == LDAP_SERVER_DOWN) {
1717	ldap_unbind(ldap_state->ldap_struct);
1718	ldap_state->ldap_struct = NULL;
1719	}
1720	}
1721	}
1722
1723	return rc;
1724	}
1725
1726	/*******************************************************************
1727	run the search by name.
1728	******************************************************************/
1729	int smbldap_search_suffix (struct smbldap_state *ldap_state,
1730	const char filter, const char *search_attr,
1731	LDAPMessage ** result)
1732	{
1733	return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
1734	filter, search_attr, 0, result);
1735	}
1736
1737	static void smbldap_idle_fn(struct event_context *event_ctx,
1738	struct timed_event *te,
1739	struct timeval now,
1740	void *private_data)
1741	{
1742	struct smbldap_state state = (struct smbldap_state )private_data;
1743
1744	TALLOC_FREE(state->idle_event);
1745
1746	if (state->ldap_struct == NULL) {
1747	DEBUG(10,("ldap connection not connected...\n"));
1748	return;
1749	}
1750
1751	if ((state->last_use+SMBLDAP_IDLE_TIME) > now.tv_sec) {
1752	DEBUG(10,("ldap connection not idle...\n"));
1753
1754	state->idle_event = event_add_timed(
1755	event_ctx, state,
1756	timeval_add(&now, SMBLDAP_IDLE_TIME, 0),
1757	smbldap_idle_fn,
1758	private_data);
1759	return;
1760	}
1761
1762	DEBUG(7,("ldap connection idle...closing connection\n"));
1763	smbldap_close(state);
1764	}
1765
1766	/**********************************************************************
1767	Housekeeping
1768	*********************************************************************/
1769
1770	void smbldap_free_struct(struct smbldap_state **ldap_state)
1771	{
1772	smbldap_close(*ldap_state);
1773
1774	if ((*ldap_state)->bind_secret) {
1775	memset((ldap_state)->bind_secret, '\0', strlen((ldap_state)->bind_secret));
1776	}
1777
1778	SAFE_FREE((*ldap_state)->bind_dn);
1779	SAFE_FREE((*ldap_state)->bind_secret);
1780
1781	TALLOC_FREE(*ldap_state);
1782
1783	/* No need to free any further, as it is talloc()ed */
1784	}
1785
1786	static int smbldap_state_destructor(struct smbldap_state *state)
1787	{
1788	smbldap_free_struct(&state);
1789	return 0;
1790	}
1791
1792
1793	/**********************************************************************
1794	Intitalise the 'general' ldap structures, on which ldap operations may be conducted
1795	*********************************************************************/
1796
1797	NTSTATUS smbldap_init(TALLOC_CTX mem_ctx, struct event_context event_ctx,
1798	const char *location,
1799	struct smbldap_state **smbldap_state)
1800	{
1801	*smbldap_state = TALLOC_ZERO_P(mem_ctx, struct smbldap_state);
1802	if (!*smbldap_state) {
1803	DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
1804	return NT_STATUS_NO_MEMORY;
1805	}
1806
1807	if (location) {
1808	(*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
1809	} else {
1810	(*smbldap_state)->uri = "ldap://localhost";
1811	}
1812
1813	(*smbldap_state)->event_context = event_ctx;
1814
1815	talloc_set_destructor(*smbldap_state, smbldap_state_destructor);
1816	return NT_STATUS_OK;
1817	}
1818
1819	char smbldap_talloc_dn(TALLOC_CTX mem_ctx, LDAP *ld,
1820	LDAPMessage *entry)
1821	{
1822	char utf8_dn, unix_dn;
1823	size_t converted_size;
1824
1825	utf8_dn = ldap_get_dn(ld, entry);
1826	if (!utf8_dn) {
1827	DEBUG (5, ("smbldap_talloc_dn: ldap_get_dn failed\n"));
1828	return NULL;
1829	}
1830	if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1831	DEBUG (0, ("smbldap_talloc_dn: String conversion failure utf8 "
1832	"[%s]\n", utf8_dn));
1833	return NULL;
1834	}
1835	ldap_memfree(utf8_dn);
1836	return unix_dn;
1837	}
1838
1839	/*******************************************************************
1840	Check if root-dse has a certain Control or Extension
1841	********************************************************************/
1842
1843	static bool smbldap_check_root_dse(LDAP ld, const char attrs, const char value)
1844	{
1845	LDAPMessage *msg = NULL;
1846	LDAPMessage *entry = NULL;
1847	char **values = NULL;
1848	int rc, num_result, num_values, i;
1849	bool result = False;
1850
1851	if (!attrs[0]) {
1852	DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
1853	return False;
1854	}
1855
1856	if (!strequal(attrs[0], "supportedExtension") &&
1857	!strequal(attrs[0], "supportedControl") &&
1858	!strequal(attrs[0], "namingContexts")) {
1859	DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
1860	return False;
1861	}
1862
1863	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE,
1864	"(objectclass=)", CONST_DISCARD(char *, attrs), 0 , &msg);
1865
1866	if (rc != LDAP_SUCCESS) {
1867	DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
1868	return False;
1869	}
1870
1871	num_result = ldap_count_entries(ld, msg);
1872
1873	if (num_result != 1) {
1874	DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
1875	goto done;
1876	}
1877
1878	entry = ldap_first_entry(ld, msg);
1879
1880	if (entry == NULL) {
1881	DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
1882	goto done;
1883	}
1884
1885	values = ldap_get_values(ld, entry, attrs[0]);
1886
1887	if (values == NULL) {
1888	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
1889	goto done;
1890	}
1891
1892	num_values = ldap_count_values(values);
1893
1894	if (num_values == 0) {
1895	DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
1896	goto done;
1897	}
1898
1899	for (i=0; i<num_values; i++) {
1900	if (strcmp(values[i], value) == 0)
1901	result = True;
1902	}
1903
1904
1905	done:
1906	if (values != NULL)
1907	ldap_value_free(values);
1908	if (msg != NULL)
1909	ldap_msgfree(msg);
1910
1911	return result;
1912
1913	}
1914
1915	/*******************************************************************
1916	Check if LDAP-Server supports a certain Control (OID in string format)
1917	********************************************************************/
1918
1919	bool smbldap_has_control(LDAP ld, const char control)
1920	{
1921	const char *attrs[] = { "supportedControl", NULL };
1922	return smbldap_check_root_dse(ld, attrs, control);
1923	}
1924
1925	/*******************************************************************
1926	Check if LDAP-Server supports a certain Extension (OID in string format)
1927	********************************************************************/
1928
1929	bool smbldap_has_extension(LDAP ld, const char extension)
1930	{
1931	const char *attrs[] = { "supportedExtension", NULL };
1932	return smbldap_check_root_dse(ld, attrs, extension);
1933	}
1934
1935	/*******************************************************************
1936	Check if LDAP-Server holds a given namingContext
1937	********************************************************************/
1938
1939	bool smbldap_has_naming_context(LDAP ld, const char naming_context)
1940	{
1941	const char *attrs[] = { "namingContexts", NULL };
1942	return smbldap_check_root_dse(ld, attrs, naming_context);
1943	}
1944
1945	bool smbldap_set_creds(struct smbldap_state ldap_state, bool anon, const char dn, const char *secret)
1946	{
1947	ldap_state->anonymous = anon;
1948
1949	/* free any previously set credential */
1950
1951	SAFE_FREE(ldap_state->bind_dn);
1952	if (ldap_state->bind_secret) {
1953	/* make sure secrets are zeroed out of memory */
1954	memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
1955	SAFE_FREE(ldap_state->bind_secret);
1956	}
1957
1958	if ( ! anon) {
1959	ldap_state->bind_dn = SMB_STRDUP(dn);
1960	ldap_state->bind_secret = SMB_STRDUP(secret);
1961	}
1962
1963	return True;
1964	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: