r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).

Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
author: Günther Deschner <gd@samba.org> 2005-01-22 03:37:09 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 10:55:08 -0500
commit: b4afdc08d5336e4a337e453443d7af1d8655a31a (patch)
tree: 3d2e3351c4e767cbd05006b349006bb427ed3ec1 /source3/passdb
parent: 686ceda3c3d3510f873d44c7bbb89d9134e0cf88 (diff)
download: samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.tar.gz
samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.tar.bz2
samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.zip
4 files changed, 324 insertions, 14 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 1f5e4be6cf..bd76941c61 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1897,7 +1897,7 @@ BOOL init_sam_from_buffer_v2(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
 	}
 
 	/* Change from V1 is addition of password history field. */
-	account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
 	if (pwHistLen) {
 		char *pw_hist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
 		if (!pw_hist) {
@@ -2105,7 +2105,7 @@ uint32 init_buffer_from_sam_v2 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL si
 		nt_pw_len = 0;
 	}
 
-	account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
 	nt_pw_hist =  pdb_get_pw_history(sampass, &nt_pw_hist_len);
 	if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
 		nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
@@ -2314,8 +2314,8 @@ BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
 		return True;
 	}
 
-	if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
-		DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
+	if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
+		DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
 		return False;
 	}
 
@@ -2356,8 +2356,8 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
 		return True;
 	}
 
-	if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, &duration)) {
-		DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
+	if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
+		DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
 		return False;
 	}
 
@@ -2405,9 +2405,9 @@ BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass)
 		return False;
 
 	/* Retrieve the account lockout policy */
-	if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
+	if (!pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
 				&account_policy_lockout)) {
-		DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
+		DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
 		return False;
 	}
 
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 92e2cee710..3430969e71 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -1123,7 +1123,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
 	if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
 		return False;
 
-	if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire) 
+	if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire) 
 	    || (expire==(uint32)-1) || (expire == 0)) {
 		if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
 			return False;
@@ -1134,7 +1134,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
 			return False;
 	}
 	
-	if (!account_policy_get(AP_MIN_PASSWORD_AGE, &min_age) 
+	if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age) 
 	    || (min_age==(uint32)-1)) {
 		if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED))
 			return False;
@@ -1189,7 +1189,7 @@ BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
 	if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) {
 		uchar *pwhistory;
 		uint32 pwHistLen;
-		account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+		pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
 		if (pwHistLen != 0){
 			uint32 current_history_len;
 			/* We need to make sure we don't have a race condition here - the
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index ea097c10f6..bc4df4f2a3 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -620,6 +620,35 @@ static NTSTATUS context_enum_alias_memberships(struct pdb_context *context,
 		enum_alias_memberships(context->pdb_methods, members,
 				       num_members, aliases, num);
 }
+
+static NTSTATUS context_get_account_policy(struct pdb_context *context,
+					   int policy_index, int *value)
+{
+	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+	if ((!context) || (!context->pdb_methods)) {
+		DEBUG(0, ("invalid pdb_context specified!\n"));
+		return ret;
+	}
+
+	return context->pdb_methods->get_account_policy(context->pdb_methods,
+							policy_index, value);
+}
+
+static NTSTATUS context_set_account_policy(struct pdb_context *context,
+					   int policy_index, int value)
+{
+	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+	if ((!context) || (!context->pdb_methods)) {
+		DEBUG(0, ("invalid pdb_context specified!\n"));
+		return ret;
+	}
+
+	return context->pdb_methods->set_account_policy(context->pdb_methods,
+							policy_index, value);
+}
+
 	
 /******************************************************************
   Free and cleanup a pdb context, any associated data and anything
@@ -749,6 +778,9 @@ static NTSTATUS make_pdb_context(struct pdb_context **context)
 	(*context)->pdb_enum_aliasmem = context_enum_aliasmem;
 	(*context)->pdb_enum_alias_memberships = context_enum_alias_memberships;
 
+	(*context)->pdb_get_account_policy = context_get_account_policy;
+	(*context)->pdb_set_account_policy = context_set_account_policy;
+
 	(*context)->free_fn = free_pdb_context;
 
 	return NT_STATUS_OK;
@@ -1201,6 +1233,30 @@ BOOL pdb_enum_alias_memberships(const DOM_SID *members, int num_members,
 							  aliases, num));
 }
 
+BOOL pdb_get_account_policy(int policy_index, int *value)
+{
+	struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+	if (!pdb_context) {
+		return False;
+	}
+
+	return NT_STATUS_IS_OK(pdb_context->
+			       pdb_get_account_policy(pdb_context, policy_index, value));
+}
+
+BOOL pdb_set_account_policy(int policy_index, int value)
+{
+	struct pdb_context *pdb_context = pdb_get_static_context(False);
+
+	if (!pdb_context) {
+		return False;
+	}
+
+	return NT_STATUS_IS_OK(pdb_context->
+			       pdb_set_account_policy(pdb_context, policy_index, value));
+}
+
 /***************************************************************
   Initialize the static context (at smbd startup etc). 
 
@@ -1258,6 +1314,16 @@ static void pdb_default_endsampwent(struct pdb_methods *methods)
 	return; /* NT_STATUS_NOT_IMPLEMENTED; */
 }
 
+static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
+{
+	return account_policy_get(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
+{
+	return account_policy_set(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
 NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods) 
 {
 	*methods = TALLOC_P(mem_ctx, struct pdb_methods);
@@ -1295,6 +1361,8 @@ NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
 	(*methods)->del_aliasmem = pdb_default_del_aliasmem;
 	(*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
 	(*methods)->enum_alias_memberships = pdb_default_alias_memberships;
+	(*methods)->get_account_policy = pdb_default_get_account_policy;
+	(*methods)->set_account_policy = pdb_default_set_account_policy;
 
 	return NT_STATUS_OK;
 }
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 8b7661d9a3..2691965364 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -727,7 +727,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
 		ZERO_STRUCT(smbntpwd);
 	}
 
-	account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
 	if (pwHistLen > 0){
 		uint8 *pwhist = NULL;
 		int i;
@@ -1071,7 +1071,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
 
 		if (need_update(sampass, PDB_PWHISTORY)) {
 			int pwHistLen = 0;
-			account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
+			pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
 			if (pwHistLen == 0) {
 				/* Remove any password history from the LDAP store. */
 				memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
@@ -1136,7 +1136,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
 		uint16 badcount = pdb_get_bad_password_count(sampass);
 		time_t badtime = pdb_get_bad_password_time(sampass);
 		uint32 pol;
-		account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
+		pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
 
 		DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
 			(unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
@@ -2878,6 +2878,245 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
+{
+	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+	LDAPMessage *result = NULL;
+	LDAPMessage *entry = NULL;
+	int count;
+	int rc;
+	pstring filter, base;
+	char **vals;
+	const char *policy_string = NULL;
+	int tmp_val;
+	BOOL found_tdb = False;
+
+	struct ldapsam_privates *ldap_state =
+		(struct ldapsam_privates *)methods->private_data;
+
+	char *attrs[] = {
+		(char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
+		(char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+		NULL 
+	};
+
+	if (cache_account_policy_get(policy_index, value)) {
+		DEBUG(11,("ldapsam_get_account_policy: got valid value from cache\n"));
+		return NT_STATUS_OK;
+	}
+
+	policy_string = decode_account_policy_name(policy_index);
+	if (!policy_string) {
+		DEBUG(0,("ldapsam_get_account_policy: invalid policy index: %d\n", policy_index));
+		return ntstatus;
+	}
+
+	pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
+		     LDAP_OBJ_ACCOUNT_POLICY, 
+		     get_attr_key2string(acctpol_attr_list,
+					 LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
+
+	pstr_sprintf(base, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
+		get_global_sam_name(), lp_ldap_suffix());
+
+search:		
+	rc = smbldap_search(ldap_state->smbldap_state, base,
+			    LDAP_SCOPE_ONE, filter, attrs, 0, &result);
+
+	if (rc != LDAP_SUCCESS) 
+		return ntstatus;
+
+	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
+				   result);
+
+	/* handle deleted ldap-entries (migrate on the fly, use a default as last resort) - gd */
+	if (count < 1 && !found_tdb) {
+
+		found_tdb = False;
+
+		DEBUG(3,("ldapsam_get_account_policy: no entry for that policy in ldap found\n"));
+
+		if (!account_policy_get(policy_index, &tmp_val)) {
+			DEBUG(10,("ldapsam_get_account_policy: failed to get account_policy from tdb\n"));
+			found_tdb = True;
+		}
+
+		if (!found_tdb && !account_policy_get_default(policy_index, &tmp_val)) {
+			ldap_msgfree(result);
+			return ntstatus;
+		}
+
+		if (!pdb_set_account_policy(policy_index, tmp_val)) {
+			DEBUG(1,("ldapsam_get_account_policy: failed to set account_policy\n"));
+			ldap_msgfree(result);
+			return ntstatus;
+		}
+
+		DEBUG(3,("ldapsam_get_account_policy: set account policy value based on %s value.\n", 
+			found_tdb ? "tdb":"default"));
+
+		ldap_msgfree(result);
+		goto search;
+	}
+
+	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+
+	if (!entry) {
+		ldap_msgfree(result);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	vals = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, 
+		get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL));
+
+	if (vals == NULL) 
+		goto out;
+
+	*value = (uint32)atol(vals[0]);
+
+	if (!cache_account_policy_set(policy_index, *value)) {
+		DEBUG(0,("ldapsam_get_account_policy: failed to update local tdb as a cache\n"));
+		return ntstatus;
+	}
+
+	ntstatus = NT_STATUS_OK;
+
+out:
+	ldap_value_free(vals);
+	ldap_msgfree(result);
+
+	return ntstatus;
+}
+
+static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
+{
+	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+	LDAPMessage *result = NULL;
+	LDAPMessage *entry = NULL;
+	int count;
+	int rc;
+	pstring filter, base, dn;
+	int modop;
+	LDAPMod **mods = NULL;
+	fstring value_string;
+	char *old_dn = NULL;
+	const char *policy_string = NULL;
+	const char *policy_description = NULL;
+
+	struct ldapsam_privates *ldap_state =
+		(struct ldapsam_privates *)methods->private_data;
+
+	char *attrs[] = {
+		(char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
+		(char *)get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+		NULL 
+	};
+
+	policy_string = decode_account_policy_name(policy_index);
+	if (!policy_string) {
+		DEBUG(0,("ldapsam_set_account_policy: invalid policy\n"));
+		return ntstatus;
+	}
+
+	policy_description = account_policy_get_comment(policy_index);
+	if (!policy_description) {
+		DEBUG(0,("ldapsam_set_account_policy: no description for policy found\n"));
+		return ntstatus;
+	}
+
+	pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
+		     LDAP_OBJ_ACCOUNT_POLICY, 
+		     get_attr_key2string(acctpol_attr_list,
+					 LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
+
+	pstr_sprintf(base, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), 
+		get_global_sam_name(), lp_ldap_suffix());
+		
+	rc = smbldap_search(ldap_state->smbldap_state, base,
+			    LDAP_SCOPE_ONE, filter, attrs, 0, &result);
+
+	if (rc != LDAP_SUCCESS) 
+		return ntstatus;
+
+	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+
+	slprintf(value_string, sizeof(value_string) - 1, "%i", value);
+
+	if (count == 1) {
+
+		modop = LDAP_MOD_REPLACE;
+
+		entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
+
+		if (!entry) {
+			ldap_msgfree(result);
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+
+		old_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
+		if (!old_dn) {
+			ldap_msgfree(result);
+			return ntstatus;
+		}
+
+		smbldap_set_mod(&mods, modop,
+			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+			value_string);
+
+		rc = smbldap_modify(ldap_state->smbldap_state, old_dn, mods);
+
+	} else {
+
+		modop = LDAP_MOD_ADD;
+
+		pstr_sprintf(dn, "%s=%s,%s=%s,%s",
+ 			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string,
+			get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), get_global_sam_name(),
+			lp_ldap_suffix());
+
+		smbldap_set_mod( &mods, modop, "objectClass", LDAP_OBJ_ACCOUNT_POLICY );
+
+		smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
+			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
+			policy_string);
+
+		smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
+			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
+			value_string);
+
+		smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
+			"description", 
+			policy_description);
+
+		rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
+	}
+
+	ldap_mods_free(mods, True);
+	ldap_msgfree(result);
+
+	if (rc != LDAP_SUCCESS) {
+		char *ld_error = NULL;
+		ldap_get_option(ldap_state->smbldap_state->ldap_struct,
+				LDAP_OPT_ERROR_STRING,&ld_error);
+		
+		DEBUG(0, ("ldapsam_set_account_policy: Could not set account policy "
+			  "for %s, error: %s (%s)\n", dn, ldap_err2string(rc),
+			  ld_error?ld_error:"unknown"));
+		SAFE_FREE(ld_error);
+		SAFE_FREE(old_dn);
+		return ntstatus;
+	}
+
+	SAFE_FREE(old_dn);
+
+	if (!cache_account_policy_set(policy_index, value)) {
+		DEBUG(0,("ldapsam_set_account_policy: failed to update local tdb cache\n"));
+		return ntstatus;
+	}
+
+	return NT_STATUS_OK;
+}
+
 /**********************************************************************
  Housekeeping
  *********************************************************************/
@@ -2932,6 +3171,9 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **
 	(*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
 	(*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships;
 
+	(*pdb_method)->get_account_policy = ldapsam_get_account_policy;
+	(*pdb_method)->set_account_policy = ldapsam_set_account_policy;
+
 	/* TODO: Setup private data and free */
 
 	ldap_state = TALLOC_ZERO_P(pdb_context->mem_ctx, struct ldapsam_privates);
author	Günther Deschner <gd@samba.org>	2005-01-22 03:37:09 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 10:55:08 -0500
commit	b4afdc08d5336e4a337e453443d7af1d8655a31a (patch)
tree	3d2e3351c4e767cbd05006b349006bb427ed3ec1 /source3/passdb
parent	686ceda3c3d3510f873d44c7bbb89d9134e0cf88 (diff)
download	samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.tar.gz samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.tar.bz2 samba-b4afdc08d5336e4a337e453443d7af1d8655a31a.zip