s3-pdb_ipa: Add ipasam_create_user()

Signed-off-by: Günther Deschner <gd@samba.org>
author: Sumit Bose <sbose@redhat.com> 2011-04-04 13:23:05 +0200
committer: Günther Deschner <gd@samba.org> 2011-04-06 11:53:56 +0200
commit: 2ee1d09f33a1076549e1d331ba23a31384aae150 (patch)
tree: 9421ce7eb31136fdfeec59d6090ecfa754ca23e4 /source3
parent: c47df017dda71f9eecea74575c7d7292e543e5ec (diff)
download: samba-2ee1d09f33a1076549e1d331ba23a31384aae150.tar.gz
samba-2ee1d09f33a1076549e1d331ba23a31384aae150.tar.bz2
samba-2ee1d09f33a1076549e1d331ba23a31384aae150.zip
1 files changed, 297 insertions, 44 deletions
diff --git a/source3/passdb/pdb_ipa.c b/source3/passdb/pdb_ipa.c
index 636a6b3423..622705f40b 100644
--- a/source3/passdb/pdb_ipa.c
+++ b/source3/passdb/pdb_ipa.c
@@ -22,6 +22,7 @@
 #include "passdb.h"
 #include "libcli/security/dom_sid.h"
 #include "../librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/samr.h"
 
 #include "smbldap.h"
 
@@ -38,17 +39,31 @@
 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
 #define LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO "sambaTrustForestTrustInfo"
+#define LDAP_ATTRIBUTE_OBJECTCLASS "objectClass"
 
 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
 
+#define LDAP_OBJ_IPAOBJECT "ipaObject"
+#define LDAP_OBJ_IPAHOST "ipaHost"
+#define LDAP_OBJ_POSIXACCOUNT "posixAccount"
+
+#define HAS_KRB_PRINCIPAL (1<<0)
+#define HAS_KRB_PRINCIPAL_AUX (1<<1)
+#define HAS_IPAOBJECT (1<<2)
+#define HAS_IPAHOST (1<<3)
+#define HAS_POSIXACCOUNT (1<<4)
+
 struct ipasam_privates {
 	bool server_is_ipa;
 	NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
 					    struct samu *sampass);
 	NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
 					       struct samu *sampass);
+	NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
+					TALLOC_CTX *tmp_ctx, const char *name,
+					uint32_t acb_info, uint32_t *rid);
 };
 
 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
@@ -689,7 +704,7 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
 {
 	struct pdb_domain_info *info;
 	NTSTATUS status;
-	struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)pdb_methods->private_data;
+	struct ldapsam_privates *ldap_state = pdb_methods->private_data;
 
 	info = talloc(mem_ctx, struct pdb_domain_info);
 	if (info == NULL) {
@@ -779,63 +794,216 @@ static NTSTATUS modify_ipa_password_exop(struct ldapsam_privates *ldap_state,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS ipasam_add_objectclasses(struct ldapsam_privates *ldap_state,
-					 struct samu *sampass)
+static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
+					 const char *dn, LDAPMessage *entry,
+					 uint32_t *has_objectclass)
 {
+	char **objectclasses;
+	size_t c;
+
+	objectclasses = ldap_get_values(priv2ld(ldap_state), entry,
+					LDAP_ATTRIBUTE_OBJECTCLASS);
+	if (objectclasses == NULL) {
+		DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	*has_objectclass = 0;
+	for (c = 0; objectclasses[c] != NULL; c++) {
+		if (strequal(objectclasses[c], LDAP_OBJ_KRB_PRINCIPAL)) {
+			*has_objectclass |= HAS_KRB_PRINCIPAL;
+		} else if (strequal(objectclasses[c],
+			   LDAP_OBJ_KRB_PRINCIPAL_AUX)) {
+			*has_objectclass |= HAS_KRB_PRINCIPAL_AUX;
+		} else if (strequal(objectclasses[c], LDAP_OBJ_IPAOBJECT)) {
+			*has_objectclass |= HAS_IPAOBJECT;
+		} else if (strequal(objectclasses[c], LDAP_OBJ_IPAHOST)) {
+			*has_objectclass |= HAS_IPAHOST;
+		} else if (strequal(objectclasses[c], LDAP_OBJ_POSIXACCOUNT)) {
+			*has_objectclass |= HAS_POSIXACCOUNT;
+		}
+	}
+	ldap_value_free(objectclasses);
+
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS find_user(struct ldapsam_privates *ldap_state, const char *name,
+			  char **_dn, uint32_t *_has_objectclass)
+{
+	int ret;
+	char *username;
+	char *filter;
+	LDAPMessage *result = NULL;
+	LDAPMessage *entry = NULL;
+	int num_result;
 	char *dn;
+	uint32_t has_objectclass;
+	NTSTATUS status;
+
+	username = escape_ldap_string(talloc_tos(), name);
+	if (username == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	filter = talloc_asprintf(talloc_tos(), "(&(uid=%s)(objectClass=%s))",
+				 username, LDAP_OBJ_POSIXACCOUNT);
+	if (filter == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	TALLOC_FREE(username);
+
+	ret = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL,
+				    &result);
+	if (ret != LDAP_SUCCESS) {
+		DEBUG(0, ("smbldap_search_suffix failed.\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	num_result = ldap_count_entries(priv2ld(ldap_state), result);
+
+	if (num_result != 1) {
+		if (num_result == 0) {
+			status = NT_STATUS_NO_SUCH_USER;
+		} else {
+			DEBUG (0, ("find_user: More than one user with name [%s] ?!\n",
+				   name));
+			status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		goto done;
+	}
+
+	entry = ldap_first_entry(priv2ld(ldap_state), result);
+	if (!entry) {
+		DEBUG(0,("find_user: Out of memory!\n"));
+		status = NT_STATUS_UNSUCCESSFUL;
+		goto done;
+	}
+
+	dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
+	if (!dn) {
+		DEBUG(0,("find_user: Out of memory!\n"));
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	status = ipasam_get_objectclasses(ldap_state, dn, entry, &has_objectclass);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	*_dn = dn;
+	*_has_objectclass = has_objectclass;
+
+	status = NT_STATUS_OK;
+
+done:
+	ldap_msgfree(result);
+
+	return status;
+}
+
+static NTSTATUS ipasam_add_posix_account_objectclass(struct ldapsam_privates *ldap_state,
+						     int ldap_op,
+						     const char *dn,
+						     const char *username)
+{
+	int ret;
+	LDAPMod **mods = NULL;
+	NTSTATUS status;
+
+	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			"objectclass", "posixAccount");
+	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			"cn", username);
+	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			"gidNumber", "12345");
+	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			"homeDirectory", "/dev/null");
+
+	if (ldap_op == LDAP_MOD_ADD) {
+	    ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
+	} else {
+	    ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+	}
+	ldap_mods_free(mods, 1);
+	if (ret != LDAP_SUCCESS) {
+		DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
+			  username, dn));
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS ipasam_add_ipa_objectclasses(struct ldapsam_privates *ldap_state,
+					     const char *dn, const char *name,
+					     const char *domain,
+					     uint32_t acct_flags,
+					     uint32_t has_objectclass)
+{
 	LDAPMod **mods = NULL;
+	NTSTATUS status;
 	int ret;
 	char *princ;
-	const char *domain;
-	char *domain_with_dot;
 
-	dn = get_account_dn(pdb_get_username(sampass));
-	if (dn == NULL) {
-		return NT_STATUS_INVALID_PARAMETER;
+	if (!(has_objectclass & HAS_KRB_PRINCIPAL)); {
+		smbldap_set_mod(&mods, LDAP_MOD_ADD,
+				LDAP_ATTRIBUTE_OBJECTCLASS,
+				LDAP_OBJ_KRB_PRINCIPAL);
 	}
 
-	princ = talloc_asprintf(talloc_tos(), "%s@%s", pdb_get_username(sampass), lp_realm());
+	princ = talloc_asprintf(talloc_tos(), "%s@%s", name, lp_realm());
 	if (princ == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	domain = pdb_get_domain(sampass);
-	if (domain == NULL) {
-		return NT_STATUS_INVALID_PARAMETER;
+	smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
+
+	if (!(has_objectclass & HAS_KRB_PRINCIPAL_AUX)); {
+		smbldap_set_mod(&mods, LDAP_MOD_ADD,
+				LDAP_ATTRIBUTE_OBJECTCLASS,
+				LDAP_OBJ_KRB_PRINCIPAL_AUX);
 	}
 
-	domain_with_dot = talloc_asprintf(talloc_tos(), "%s.", domain);
-	if (domain_with_dot == NULL) {
-		return NT_STATUS_NO_MEMORY;
+	if (!(has_objectclass & HAS_IPAOBJECT)) {
+		smbldap_set_mod(&mods, LDAP_MOD_ADD,
+				LDAP_ATTRIBUTE_OBJECTCLASS, LDAP_OBJ_IPAOBJECT);
 	}
 
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			"objectclass", LDAP_OBJ_KRB_PRINCIPAL);
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			"objectclass", LDAP_OBJ_KRB_PRINCIPAL_AUX);
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			"objectclass", "ipaHost");
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			"fqdn", domain);
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			"objectclass", "posixAccount");
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			"cn", pdb_get_username(sampass));
+	if ((acct_flags != 0) &&
+	    (((acct_flags & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
+	    ((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))) {
+
+		if (!(has_objectclass & HAS_IPAHOST)) {
+			smbldap_set_mod(&mods, LDAP_MOD_ADD,
+					LDAP_ATTRIBUTE_OBJECTCLASS,
+					LDAP_OBJ_IPAHOST);
+		}
+
+		if (domain == NULL) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		smbldap_set_mod(&mods, LDAP_MOD_ADD,
+				"fqdn", domain);
+	}
+
+	if (!(has_objectclass & HAS_POSIXACCOUNT)) {
+		smbldap_set_mod(&mods, LDAP_MOD_ADD,
+				"objectclass", "posixAccount");
+	}
+	smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
 	smbldap_set_mod(&mods, LDAP_MOD_ADD,
 			"gidNumber", "12345");
 	smbldap_set_mod(&mods, LDAP_MOD_ADD,
 			"homeDirectory", "/dev/null");
-	smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain);
-	smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", domain_with_dot);
 
 	ret = smbldap_modify(ldap_state->smbldap_state, dn, mods);
-	ldap_mods_free(mods, true);
+	ldap_mods_free(mods, 1);
 	if (ret != LDAP_SUCCESS) {
 		DEBUG(1, ("failed to modify/add user with uid = %s (dn = %s)\n",
-			  pdb_get_username(sampass),dn));
-		return NT_STATUS_LDAP(ret);
+			  name, dn));
+		return status;
 	}
 
 	return NT_STATUS_OK;
@@ -846,25 +1014,52 @@ static NTSTATUS pdb_ipasam_add_sam_account(struct pdb_methods *pdb_methods,
 {
 	NTSTATUS status;
 	struct ldapsam_privates *ldap_state;
+	const char *name;
+	char *dn;
+	uint32_t has_objectclass;
 
 	ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
 
-	status =ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
-								     sampass);
+	status = ldap_state->ipasam_privates->ldapsam_add_sam_account(pdb_methods,
+								      sampass);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
-	status = ipasam_add_objectclasses(ldap_state, sampass);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
+	if (ldap_state->ipasam_privates->server_is_ipa) {
+		name = pdb_get_username(sampass);
+		if (name == NULL || *name == '\0') {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		status = find_user(ldap_state, name, &dn, &has_objectclass);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
 
-	if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
-		status = modify_ipa_password_exop(ldap_state, sampass);
+		status = ipasam_add_ipa_objectclasses(ldap_state, dn, name,
+						      pdb_get_domain(sampass),
+						      pdb_get_acct_ctrl(sampass),
+						      has_objectclass);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
+
+		if (!(has_objectclass & HAS_POSIXACCOUNT)) {
+			status = ipasam_add_posix_account_objectclass(ldap_state,
+								      LDAP_MOD_REPLACE,
+								      dn, name);
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
+			}
+		}
+
+		if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
+			status = modify_ipa_password_exop(ldap_state, sampass);
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
+			}
+		}
 	}
 
 	return NT_STATUS_OK;
@@ -883,13 +1078,64 @@ static NTSTATUS pdb_ipasam_update_sam_account(struct pdb_methods *pdb_methods,
 		return status;
 	}
 
-	if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
-		status = modify_ipa_password_exop(ldap_state, sampass);
+	if (ldap_state->ipasam_privates->server_is_ipa) {
+		if (pdb_get_init_flags(sampass, PDB_PLAINTEXT_PW) == PDB_CHANGED) {
+			status = modify_ipa_password_exop(ldap_state, sampass);
+			if (!NT_STATUS_IS_OK(status)) {
+				return status;
+			}
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS ipasam_create_user(struct pdb_methods *pdb_methods,
+				   TALLOC_CTX *tmp_ctx, const char *name,
+				   uint32_t acb_info, uint32_t *rid)
+{
+	NTSTATUS status;
+	struct ldapsam_privates *ldap_state;
+	int ldap_op = LDAP_MOD_REPLACE;
+	char *dn;
+	uint32_t has_objectclass = 0;
+
+	ldap_state = (struct ldapsam_privates *)(pdb_methods->private_data);
+
+	if (name == NULL || *name == '\0') {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	status = find_user(ldap_state, name, &dn, &has_objectclass);
+	if (NT_STATUS_IS_OK(status)) {
+		ldap_op = LDAP_MOD_REPLACE;
+	} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+		ldap_op = LDAP_MOD_ADD;
+	} else {
+		return status;
+	}
+
+	if (!(has_objectclass & HAS_POSIXACCOUNT)) {
+		status = ipasam_add_posix_account_objectclass(ldap_state, ldap_op,
+							      dn, name);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
 	}
 
+	status = ldap_state->ipasam_privates->ldapsam_create_user(pdb_methods,
+								  tmp_ctx, name,
+								  acb_info, rid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	status = ipasam_add_ipa_objectclasses(ldap_state, dn, name, lp_realm(),
+					      acb_info, has_objectclass);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
 	return NT_STATUS_OK;
 }
 
@@ -917,10 +1163,17 @@ static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char
 					priv2ld(ldap_state), IPA_KEYTAB_SET_OID);
 	ldap_state->ipasam_privates->ldapsam_add_sam_account = (*pdb_method)->add_sam_account;
 	ldap_state->ipasam_privates->ldapsam_update_sam_account = (*pdb_method)->update_sam_account;
+	ldap_state->ipasam_privates->ldapsam_create_user = (*pdb_method)->create_user;
 
 	(*pdb_method)->add_sam_account = pdb_ipasam_add_sam_account;
 	(*pdb_method)->update_sam_account = pdb_ipasam_update_sam_account;
 
+	if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
+		if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
+			(*pdb_method)->create_user = ipasam_create_user;
+		}
+	}
+
 	(*pdb_method)->capabilities = pdb_ipasam_capabilities;
 	(*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
author	Sumit Bose <sbose@redhat.com>	2011-04-04 13:23:05 +0200
committer	Günther Deschner <gd@samba.org>	2011-04-06 11:53:56 +0200
commit	2ee1d09f33a1076549e1d331ba23a31384aae150 (patch)
tree	9421ce7eb31136fdfeec59d6090ecfa754ca23e4 /source3
parent	c47df017dda71f9eecea74575c7d7292e543e5ec (diff)
download	samba-2ee1d09f33a1076549e1d331ba23a31384aae150.tar.gz samba-2ee1d09f33a1076549e1d331ba23a31384aae150.tar.bz2 samba-2ee1d09f33a1076549e1d331ba23a31384aae150.zip