diff options
author | Andrew Bartlett <abartlet@samba.org> | 2003-04-22 23:14:49 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-04-22 23:14:49 +0000 |
commit | a4b00668e656024ebb2b19e4d93dba1a3d334229 (patch) | |
tree | 8e3253f066c8b97e1a31af263f803d4141dc3461 /source3 | |
parent | d67465284164caf5a033a8640f780af0d4c7fea5 (diff) | |
download | samba-a4b00668e656024ebb2b19e4d93dba1a3d334229.tar.gz samba-a4b00668e656024ebb2b19e4d93dba1a3d334229.tar.bz2 samba-a4b00668e656024ebb2b19e4d93dba1a3d334229.zip |
Remove ldapsam_search_one_user_by_uid from pdb_ldap.
sambaAccount requires the rid to be present, and doing this fallback is quite
dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite
often not the case.
Also finish of vl's work on 'use a function pointer, not embedded logic' to
tell lower levels that they should/should not attempt to set the user's password
into LDAP with the extended operation.
Andrew Bartlett
(This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/passdb/passdb.c | 5 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 85 |
2 files changed, 22 insertions, 68 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 5e6466ff0a..b868d27065 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -646,9 +646,8 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) { return False; } - - /* This now does the 'generic' mapping in pdb_unix */ - /* 'guest' is also handled there */ + + /* see if the passdb can help us with the name of the user */ if (pdb_getsampwsid(sam_account, sid)) { fstrcpy(name, pdb_get_username(sam_account)); *psid_name_use = SID_NAME_USER; diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 8a2378f91b..6646b3836a 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -711,40 +711,6 @@ static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, } /******************************************************************* - run the search by uid. -******************************************************************/ -static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state, - int uid, - LDAPMessage ** result) -{ - struct passwd *user; - pstring filter; - char *escape_user; - - /* Get the username from the system and look that up in the LDAP */ - - if ((user = getpwuid_alloc(uid)) == NULL) { - DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid)); - return LDAP_NO_SUCH_OBJECT; - } - - pstrcpy(filter, lp_ldap_filter()); - - escape_user = escape_ldap_string_alloc(user->pw_name); - if (!escape_user) { - passwd_free(&user); - return LDAP_NO_MEMORY; - } - - all_string_sub(filter, "%u", escape_user, sizeof(pstring)); - - passwd_free(&user); - SAFE_FREE(escape_user); - - return ldapsam_search_one_user(ldap_state, filter, result); -} - -/******************************************************************* run the search by rid. ******************************************************************/ static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state, @@ -759,11 +725,6 @@ static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state, snprintf(filter, sizeof(filter) - 1, "rid=%i", rid); rc = ldapsam_search_one_user(ldap_state, filter, result); - if (rc != LDAP_SUCCESS) - rc = ldapsam_search_one_user_by_uid(ldap_state, - fallback_pdb_user_rid_to_uid(rid), - result); - return rc; } @@ -1300,21 +1261,6 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, } /********************************************************************** - An LDAP modification is needed in two cases: - * If we are updating the record AND the attribute is CHANGED. - * If we are adding the record AND it is SET or CHANGED (ie not default) -*********************************************************************/ -#ifdef LDAP_EXOP_X_MODIFY_PASSWD -static BOOL need_ldap_mod(BOOL pdb_add, const SAM_ACCOUNT * sampass, enum pdb_elements element) { - if (pdb_add) { - return (!IS_SAM_DEFAULT(sampass, element)); - } else { - return IS_SAM_CHANGED(sampass, element); - } -} -#endif - -/********************************************************************** Set attribute to newval in LDAP, regardless of what value the attribute had in LDAP before. *********************************************************************/ @@ -1414,13 +1360,18 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, ldap_mods_free(*mods, 1); return False; } - } - - slprintf(temp, sizeof(temp) - 1, "%i", rid); - if (need_update(sampass, PDB_USERSID)) + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_ldap_mod(ldap_state->ldap_struct, existing, mods, "rid", temp); + } else { + slprintf(temp, sizeof(temp) - 1, "%i", rid); + + if (need_update(sampass, PDB_USERSID)) + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + "rid", temp); + } rid = pdb_get_group_rid(sampass); @@ -1867,7 +1818,9 @@ it it set. static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, SAM_ACCOUNT *newpwd, char *dn, - LDAPMod **mods, int ldap_op, BOOL pdb_add) + LDAPMod **mods, int ldap_op, + BOOL (*need_update)(const SAM_ACCOUNT *, + enum pdb_elements)) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; int rc; @@ -1909,9 +1862,9 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, } #ifdef LDAP_EXOP_X_MODIFY_PASSWD - if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))&& - (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_OFF)&& - need_ldap_mod(pdb_add, newpwd, PDB_PLAINTEXT_PW)&& + if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) && + (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) && + need_update(newpwd, PDB_PLAINTEXT_PW) && (pdb_get_plaintext_passwd(newpwd)!=NULL)) { BerElement *ber; struct berval *bv; @@ -1940,7 +1893,9 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, pdb_get_username(newpwd),ldap_err2string(rc))); } else { DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd))); - +#ifdef DEBUG_PASSWORD + DEBUG(100,("LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd))); +#endif ber_bvfree(retdata); ber_memfree(retoid); } @@ -2041,7 +1996,7 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A return NT_STATUS_OK; } - ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, False); + ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed); ldap_mods_free(mods,1); if (!NT_STATUS_IS_OK(ret)) { @@ -2156,7 +2111,7 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); - ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, True); + ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed); if (NT_STATUS_IS_ERR(ret)) { DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n", pdb_get_username(newpwd),dn)); |