Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/pdb_get_set.c4
-rw-r--r--source3/passdb/pdb_ldap.c1032
-rw-r--r--source3/passdb/pdb_plugin.c78
-rw-r--r--source3/passdb/pdb_unix.c131
-rw-r--r--source3/passdb/pdb_xml.c8
-rw-r--r--source3/passdb/secrets.c18
6 files changed, 966 insertions, 305 deletions
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index a86d936263..80b4bb4dc3 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -490,7 +490,7 @@ BOOL pdb_set_init_flags (SAM_ACCOUNT *sampass, enum pdb_elements element, enum p
DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
return False;
}
- DEBUG(10, ("element %d -> now SET\n", element));
+ DEBUG(11, ("element %d -> now SET\n", element));
break;
case PDB_DEFAULT:
default:
@@ -502,7 +502,7 @@ BOOL pdb_set_init_flags (SAM_ACCOUNT *sampass, enum pdb_elements element, enum p
DEBUG(0,("Can't set flag: %d in set_flags.\n",element));
return False;
}
- DEBUG(11, ("element %d -> now DEFAULT\n", element));
+ DEBUG(10, ("element %d -> now DEFAULT\n", element));
break;
}
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 6d747ef911..4390e9d5ba 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -6,7 +6,6 @@
Copyright (C) Shahms King 2001
Copyright (C) Andrew Bartlett 2002
Copyright (C) Stefan (metze) Metzmacher 2002
- Copyright (C) Jim McDonough 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -52,13 +51,106 @@
#include <lber.h>
#include <ldap.h>
-#include "smb_ldap.h"
+#ifndef LDAP_OPT_SUCCESS
+#define LDAP_OPT_SUCCESS 0
+#endif
#ifndef SAM_ACCOUNT
#define SAM_ACCOUNT struct sam_passwd
#endif
-static uint32 ldapsam_get_next_available_nua_rid(struct smb_ldap_privates *ldap_state);
+struct ldapsam_privates {
+
+ /* Former statics */
+ LDAP *ldap_struct;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ int index;
+
+ time_t last_ping;
+ /* retrive-once info */
+ const char *uri;
+
+ BOOL permit_non_unix_accounts;
+
+ uint32 low_nua_rid;
+ uint32 high_nua_rid;
+
+ char *bind_dn;
+ char *bind_secret;
+
+ unsigned int num_failures;
+};
+
+#define LDAPSAM_DONT_PING_TIME 10 /* ping only all 10 seconds */
+
+static struct ldapsam_privates *static_ldap_state;
+
+static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state);
+
+/*******************************************************************
+ find the ldap password
+******************************************************************/
+static BOOL fetch_ldapsam_pw(char **dn, char** pw)
+{
+ char *key = NULL;
+ size_t size;
+
+ *dn = smb_xstrdup(lp_ldap_admin_dn());
+
+ if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
+ SAFE_FREE(*dn);
+ DEBUG(0, ("fetch_ldapsam_pw: asprintf failed!\n"));
+ }
+
+ *pw=secrets_fetch(key, &size);
+ SAFE_FREE(key);
+
+ if (!size) {
+ /* Upgrade 2.2 style entry */
+ char *p;
+ char* old_style_key = strdup(*dn);
+ char *data;
+ fstring old_style_pw;
+
+ if (!old_style_key) {
+ DEBUG(0, ("fetch_ldapsam_pw: strdup failed!\n"));
+ return False;
+ }
+
+ for (p=old_style_key; *p; p++)
+ if (*p == ',') *p = '/';
+
+ data=secrets_fetch(old_style_key, &size);
+ if (!size && size < sizeof(old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+
+ strncpy(old_style_pw, data, size);
+ old_style_pw[size] = 0;
+
+ SAFE_FREE(data);
+
+ if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+ if (!secrets_delete(old_style_key)) {
+ DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
+ }
+
+ SAFE_FREE(old_style_key);
+
+ *pw = smb_xstrdup(old_style_pw);
+ }
+
+ return True;
+}
static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
"logoffTime", "kickoffTime", "cn",
@@ -74,16 +166,531 @@ static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
"homeDirectory", NULL };
/*******************************************************************
+ open a connection to the ldap server.
+******************************************************************/
+static int ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct)
+{
+ int rc = LDAP_SUCCESS;
+ int version;
+ BOOL ldap_v3 = False;
+
+#ifdef HAVE_LDAP_INITIALIZE
+ DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri));
+
+ if ((rc = ldap_initialize(ldap_struct, ldap_state->uri)) != LDAP_SUCCESS) {
+ DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+ return rc;
+ }
+
+#else
+
+ /* Parse the string manually */
+
+ {
+ int port = 0;
+ fstring protocol;
+ fstring host;
+ const char *p = ldap_state->uri;
+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+
+ /* skip leading "URL:" (if any) */
+ if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
+ p += 4;
+ }
+
+ sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
+
+ if (port == 0) {
+ if (strequal(protocol, "ldap")) {
+ port = LDAP_PORT;
+ } else if (strequal(protocol, "ldaps")) {
+ port = LDAPS_PORT;
+ } else {
+ DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
+ }
+ }
+
+ if ((*ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init failed !\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if (strequal(protocol, "ldaps")) {
+#ifdef LDAP_OPT_X_TLS
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+ {
+ DEBUG(0, ("Failed to setup a TLS session\n"));
+ }
+
+ DEBUG(3,("LDAPS option set...!\n"));
+#else
+ DEBUG(0,("ldapsam_open_connection: Secure connection not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+ }
+#endif
+
+ if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS)
+ {
+ if (version != LDAP_VERSION3)
+ {
+ version = LDAP_VERSION3;
+ if (ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) {
+ ldap_v3 = True;
+ }
+ } else {
+ ldap_v3 = True;
+ }
+ }
+
+ if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
+#ifdef LDAP_OPT_X_TLS
+ if (ldap_v3) {
+ if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS)
+ {
+ DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
+ ldap_err2string(rc)));
+ return rc;
+ }
+ DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
+ } else {
+
+ DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+#else
+ DEBUG(0,("ldapsam_open_connection: StartTLS not supported by LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+
+ DEBUG(2, ("ldapsam_open_connection: connection opened\n"));
+ return rc;
+}
+
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+static int rebindproc_with_state (LDAP * ld, char **whop, char **credp,
+ int *methodp, int freeit, void *arg)
+{
+ struct ldapsam_privates *ldap_state = arg;
+
+ /** @TODO Should we be doing something to check what servers we rebind to?
+ Could we get a referral to a machine that we don't want to give our
+ username and password to? */
+
+ if (freeit) {
+ SAFE_FREE(*whop);
+ memset(*credp, '\0', strlen(*credp));
+ SAFE_FREE(*credp);
+ } else {
+ DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
+ ldap_state->bind_dn));
+
+ *whop = strdup(ldap_state->bind_dn);
+ if (!*whop) {
+ return LDAP_NO_MEMORY;
+ }
+ *credp = strdup(ldap_state->bind_secret);
+ if (!*credp) {
+ SAFE_FREE(*whop);
+ return LDAP_NO_MEMORY;
+ }
+ *methodp = LDAP_AUTH_SIMPLE;
+ }
+ return 0;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+ and actually does the connection.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int rebindproc_connect_with_state (LDAP *ldap_struct,
+ LDAP_CONST char *url,
+ ber_tag_t request,
+ ber_int_t msgid, void *arg)
+{
+ struct ldapsam_privates *ldap_state = arg;
+ int rc;
+ DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n",
+ ldap_state->bind_dn));
+
+ /** @TODO Should we be doing something to check what servers we rebind to?
+ Could we get a referral to a machine that we don't want to give our
+ username and password to? */
+
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+
+ return rc;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ Add a rebind function for authenticated referrals
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
+ int *method, int freeit )
+{
+ return rebindproc_with_state(ldap_struct, whop, credp,
+ method, freeit, static_ldap_state);
+
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ this also does the connection, but no void*.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
+ ber_int_t msgid)
+{
+ return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid,
+ static_ldap_state);
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ connect to the ldap server under system privilege.
+******************************************************************/
+static int ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct)
+{
+ int rc;
+ char *ldap_dn;
+ char *ldap_secret;
+
+ /* The rebind proc needs this *HACK*. We are not multithreaded, so
+ this will work, but it's not nice. */
+ static_ldap_state = ldap_state;
+
+ /* get the password */
+ if (!fetch_ldapsam_pw(&ldap_dn, &ldap_secret))
+ {
+ DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
+ return LDAP_INVALID_CREDENTIALS;
+ }
+
+ ldap_state->bind_dn = ldap_dn;
+ ldap_state->bind_secret = ldap_secret;
+
+ /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
+ (OpenLDAP) doesnt' seem to support it */
+
+ DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
+ ldap_state->uri, ldap_dn));
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);
+# endif
+#else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(ldap_struct, &rebindproc);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);
+# endif
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+ rc = ldap_simple_bind_s(ldap_struct, ldap_dn, ldap_secret);
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ DEBUG(ldap_state->num_failures ? 2 : 0,
+ ("failed to bind to server with dn= %s Error: %s\n\t%s\n",
+ ldap_dn ? ld_error : "(unknown)", ldap_err2string(rc),
+ ld_error));
+ SAFE_FREE(ld_error);
+ ldap_state->num_failures++;
+ return rc;
+ }
+
+ ldap_state->num_failures = 0;
+
+ DEBUG(3, ("ldap_connect_system: succesful connection to the LDAP server\n"));
+ return rc;
+}
+
+/**********************************************************************
+Connect to LDAP server
+*********************************************************************/
+static int ldapsam_open(struct ldapsam_privates *ldap_state)
+{
+ int rc;
+ SMB_ASSERT(ldap_state);
+
+#ifndef NO_LDAP_SECURITY
+ if (geteuid() != 0) {
+ DEBUG(0, ("ldapsam_open: cannot access LDAP when not root..\n"));
+ return LDAP_INSUFFICIENT_ACCESS;
+ }
+#endif
+
+ if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + LDAPSAM_DONT_PING_TIME) < time(NULL))) {
+ struct sockaddr_un addr;
+ socklen_t len = sizeof(addr);
+ int sd;
+ if (ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd) == 0 &&
+ getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
+ /* the other end has died. reopen. */
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ ldap_state->last_ping = (time_t)0;
+ } else {
+ ldap_state->last_ping = time(NULL);
+ }
+ }
+
+ if (ldap_state->ldap_struct != NULL) {
+ DEBUG(5,("ldapsam_open: allready connected to the LDAP server\n"));
+ return LDAP_SUCCESS;
+ }
+
+ if ((rc = ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))) {
+ return rc;
+ }
+
+ if ((rc = ldapsam_connect_system(ldap_state, ldap_state->ldap_struct))) {
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ return rc;
+ }
+
+
+ ldap_state->last_ping = time(NULL);
+ DEBUG(4,("The LDAP server is succesful connected\n"));
+
+ return LDAP_SUCCESS;
+}
+
+/**********************************************************************
+Disconnect from LDAP server
+*********************************************************************/
+static NTSTATUS ldapsam_close(struct ldapsam_privates *ldap_state)
+{
+ if (!ldap_state)
+ return NT_STATUS_INVALID_PARAMETER;
+
+ if (ldap_state->ldap_struct != NULL) {
+ ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
+ ldap_state->ldap_struct = NULL;
+ }
+
+ DEBUG(5,("The connection to the LDAP server was closed\n"));
+ /* maybe free the results here --metze */
+
+ return NT_STATUS_OK;
+}
+
+static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts)
+{
+ int rc;
+
+ SMB_ASSERT(ldap_state && attempts);
+
+ if (*attempts != 0) {
+ unsigned int sleep_time;
+ uint8 rand_byte = 128; /* a reasonable place to start */
+
+ generate_random_buffer(&rand_byte, 1, False);
+
+ sleep_time = (((*attempts)*(*attempts))/2)*rand_byte*2;
+ /* we retry after (0.5, 1, 2, 3, 4.5, 6) seconds
+ on average.
+ */
+ DEBUG(3, ("Sleeping for %u milliseconds before reconnecting\n",
+ sleep_time));
+ msleep(sleep_time);
+ }
+ (*attempts)++;
+
+ if ((rc = ldapsam_open(ldap_state))) {
+ DEBUG(1,("Connection to LDAP Server failed for the %d try!\n",*attempts));
+ return rc;
+ }
+
+ return LDAP_SUCCESS;
+}
+
+
+static int ldapsam_search(struct ldapsam_privates *ldap_state,
+ const char *base, int scope, const char *filter,
+ const char *attrs[], int attrsonly,
+ LDAPMessage **res)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_filter;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_filter, filter) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_search_s(ldap_state->ldap_struct, base, scope,
+ utf8_filter, (char **)attrs, attrsonly, res);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ ldapsam_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_filter);
+ return rc;
+}
+
+static int ldapsam_modify(struct ldapsam_privates *ldap_state, const char *dn, LDAPMod *attrs[])
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_dn;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ ldapsam_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_dn);
+ return rc;
+}
+
+static int ldapsam_add(struct ldapsam_privates *ldap_state, const char *dn, LDAPMod *attrs[])
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_dn;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ ldapsam_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_dn);
+ return rc;
+}
+
+static int ldapsam_delete(struct ldapsam_privates *ldap_state, char *dn)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_dn;
+
+ SMB_ASSERT(ldap_state);
+
+ if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ ldapsam_close(ldap_state);
+ }
+
+ SAFE_FREE(utf8_dn);
+ return rc;
+}
+
+#ifdef LDAP_EXOP_X_MODIFY_PASSWD
+static int ldapsam_extended_operation(struct ldapsam_privates *ldap_state, LDAP_CONST char *reqoid, struct berval *reqdata, LDAPControl **serverctrls, LDAPControl **clientctrls, char **retoidp, struct berval **retdatap)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+
+ if (!ldap_state)
+ return (-1);
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+
+ if ((rc = ldapsam_retry_open(ldap_state,&attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid, reqdata, serverctrls, clientctrls, retoidp, retdatap);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("%s: LDAP server is down!\n",FUNCTION_MACRO));
+ ldapsam_close(ldap_state);
+ }
+
+ return rc;
+}
+#endif
+
+/*******************************************************************
run the search by name.
******************************************************************/
-static int ldapsam_search_one_user (struct smb_ldap_privates *ldap_state, const char *filter, LDAPMessage ** result)
+static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, const char *filter, LDAPMessage ** result)
{
int scope = LDAP_SCOPE_SUBTREE;
int rc;
DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter));
- rc = smb_ldap_search(ldap_state, lp_ldap_suffix (), scope, filter, attr, 0, result);
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, filter, attr, 0, result);
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
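Review bot: In ldapsam_open, the failure branch after ldapsam_open_connection returns rc but leaves whatever ldap_initialize/ldap_init stored in ldap_state->ldap_struct in place, whereas the connect_system failure branch right below unbinds and NULLs it. When StartTLS fails or LDAPv3 cannot be negotiated the TCP session is presumably still up, so the next ldapsam_open passes the getpeername() liveness check, logs "allready connected" and returns LDAP_SUCCESS, and the following ldap_search_s/ldap_modify_s run over an unbound, non-TLS connection instead of retrying. The ldaps branch of ldapsam_open_connection has a related gap: a failed `ldap_set_option(*ldap_struct, LDAP_OPT_X_TLS, &tls)` is only logged and the simple bind with the admin DN and secret then proceeds in the clear; it should `return LDAP_OPERATIONS_ERROR;` as the #else branch does. Tearing the handle down on any open_connection failure closes the first gap:
```c
	if ((rc = ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct))) {
		/* a handle may exist even though TLS/version setup failed;
		   never leave it cached, or the next open reports "already connected" */
		if (ldap_state->ldap_struct != NULL) {
			ldap_unbind_ext(ldap_state->ldap_struct, NULL, NULL);
			ldap_state->ldap_struct = NULL;
		}
		return rc;
	}
	/* … unchanged: ldapsam_connect_system call and last_ping update … */
```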
@@ -102,7 +709,7 @@ static int ldapsam_search_one_user (struct smb_ldap_privates *ldap_state, const
/*******************************************************************
run the search by name.
******************************************************************/
-static int ldapsam_search_one_user_by_name (struct smb_ldap_privates *ldap_state, const char *user,
+static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, const char *user,
LDAPMessage ** result)
{
pstring filter;
@@ -131,67 +738,146 @@ static int ldapsam_search_one_user_by_name (struct smb_ldap_privates *ldap_state
}
/*******************************************************************
- run the search by uid.
+ run the search by rid.
******************************************************************/
-static int ldapsam_search_one_user_by_uid(struct smb_ldap_privates *ldap_state,
- int uid,
- LDAPMessage ** result)
+static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
+ uint32 rid,
+ LDAPMessage ** result)
{
- struct passwd *user;
pstring filter;
- char *escape_user;
+ int rc;
- /* Get the username from the system and look that up in the LDAP */
-
- if ((user = getpwuid_alloc(uid)) == NULL) {
- DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
- return LDAP_NO_SUCH_OBJECT;
- }
+ /* check if the user rid exsists, if not, try searching on the uid */
- pstrcpy(filter, lp_ldap_filter());
+ snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
+ rc = ldapsam_search_one_user(ldap_state, filter, result);
- escape_user = escape_ldap_string_alloc(user->pw_name);
- if (!escape_user) {
- passwd_free(&user);
- return LDAP_NO_MEMORY;
- }
-
- all_string_sub(filter, "%u", escape_user, sizeof(pstring));
-
- passwd_free(&user);
- SAFE_FREE(escape_user);
-
- return ldapsam_search_one_user(ldap_state, filter, result);
+ return rc;
}
/*******************************************************************
- run the search by rid.
+search an attribute and return the first value found.
******************************************************************/
-static int ldapsam_search_one_user_by_rid (struct smb_ldap_privates *ldap_state,
- uint32 rid,
- LDAPMessage ** result)
+static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
+ const char *attribute, pstring value)
{
- pstring filter;
- int rc;
+ char **values;
+ value[0] = '\0';
- /* check if the user rid exsists, if not, try searching on the uid */
+ if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
+ DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute));
+
+ return False;
+ }
- snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
- rc = ldapsam_search_one_user(ldap_state, filter, result);
+ if (convert_string(CH_UTF8, CH_UNIX,
+ values[0], -1,
+ value, sizeof(pstring)) == (size_t)-1)
+ {
+ DEBUG(1, ("get_single_attribute: string conversion of [%s] = [%s] failed!\n",
+ attribute, values[0]));
+ ldap_value_free(values);
+ return False;
+ }
- if (rc != LDAP_SUCCESS)
- rc = ldapsam_search_one_user_by_uid(ldap_state,
- fallback_pdb_user_rid_to_uid(rid),
- result);
+ ldap_value_free(values);
+#ifdef DEBUG_PASSWORDS
+ DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value));
+#endif
+ return True;
+}
- return rc;
+/************************************************************************
+Routine to manage the LDAPMod structure array
+manage memory used by the array, by each struct, and values
+
+************************************************************************/
+static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
+{
+ LDAPMod **mods;
+ int i;
+ int j;
+
+ mods = *modlist;
+
+ if (attribute == NULL || *attribute == '\0')
+ return;
+
+#if 0
+ /* Why do we need this??? -- vl */
+ if (value == NULL || *value == '\0')
+ return;
+#endif
+
+ if (mods == NULL)
+ {
+ mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[0] = NULL;
+ }
+
+ for (i = 0; mods[i] != NULL; ++i) {
+ if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
+ break;
+ }
+
+ if (mods[i] == NULL)
+ {
+ mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+ if (mods[i] == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i]->mod_op = modop;
+ mods[i]->mod_values = NULL;
+ mods[i]->mod_type = strdup(attribute);
+ mods[i + 1] = NULL;
+ }
+
+ if (value != NULL)
+ {
+ char *utf8_value = NULL;
+
+ j = 0;
+ if (mods[i]->mod_values != NULL) {
+ for (; mods[i]->mod_values[j] != NULL; j++);
+ }
+ mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
+ (j + 2) * sizeof (char *));
+
+ if (mods[i]->mod_values == NULL) {
+ DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
+ return;
+ }
+
+ if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) {
+ DEBUG (0, ("make_a_mod: String conversion failure!\n"));
+ return;
+ }
+
+ mods[i]->mod_values[j] = utf8_value;
+
+ mods[i]->mod_values[j + 1] = NULL;
+ }
+ *modlist = mods;
}
/*******************************************************************
Delete complete object or objectclass and attrs from
object found in search_result depending on lp_ldap_delete_dn
******************************************************************/
-static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
+static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
LDAPMessage *result,
const char *objectclass,
const char **attrs)
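Review bot: In make_a_mod the push_utf8_allocate failure path returns after mod_values has already been grown by Realloc but before either new slot is written, so mods[i]->mod_values[j] is left indeterminate and the ldap_mods_free(mods, 1) the callers run afterwards walks into it; it also skips `*modlist = mods`, so when the list was freshly allocated the caller keeps its NULL and the LDAPMod array leaks. Terminate the array before bailing out: `mods[i]->mod_values[j] = NULL; *modlist = mods; return;`. The `Realloc(mods, ...)` higher up likewise overwrites the only pointer to the list on failure, and the strdup(attribute) result is stored unchecked. In ldapsam_search_one_user_by_rid, `"rid=%i"` formats a uint32 with a signed conversion, so RIDs at or above 2^31 are searched as negative numbers; `%u` is the matching specifier.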
@@ -214,7 +900,7 @@ static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
if (lp_ldap_delete_dn()) {
NTSTATUS ret = NT_STATUS_OK;
- rc = smb_ldap_delete(ldap_state, dn);
+ rc = ldapsam_delete(ldap_state, dn);
if (rc != LDAP_SUCCESS) {
DEBUG(0, ("Could not delete object %s\n", dn));
@@ -238,7 +924,7 @@ static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
for (attrib = attrs; *attrib != NULL; attrib++) {
if (StrCaseCmp(*attrib, name) == 0) {
DEBUG(10, ("deleting attribute %s\n", name));
- smb_ldap_make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL);
+ make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL);
}
}
@@ -249,9 +935,9 @@ static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
ber_free(ptr, 0);
}
- smb_ldap_make_a_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
+ make_a_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
- rc = smb_ldap_modify(ldap_state, dn, mods);
+ rc = ldapsam_modify(ldap_state, dn, mods);
ldap_mods_free(mods, 1);
if (rc != LDAP_SUCCESS) {
@@ -275,7 +961,7 @@ static NTSTATUS ldapsam_delete_entry(struct smb_ldap_privates *ldap_state,
/**********************************************************************
Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
*********************************************************************/
-static BOOL get_unix_attributes (struct smb_ldap_privates *ldap_state,
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
SAM_ACCOUNT * sampass,
LDAPMessage * entry)
{
@@ -304,15 +990,15 @@ static BOOL get_unix_attributes (struct smb_ldap_privates *ldap_state,
}
ldap_value_free(ldap_values);
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
return False;
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
return False;
uid = (uid_t)atol(temp);
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
return False;
gid = (gid_t)atol(temp);
@@ -330,7 +1016,7 @@ static BOOL get_unix_attributes (struct smb_ldap_privates *ldap_state,
Initialize SAM_ACCOUNT from an LDAP query
(Based on init_sam_from_buffer in pdb_tdb.c)
*********************************************************************/
-static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
+static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
SAM_ACCOUNT * sampass,
LDAPMessage * entry)
{
@@ -352,8 +1038,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
munged_dial,
workstations;
struct passwd *pw;
- uint32 user_rid,
- group_rid;
+ uint32 user_rid;
uint8 smblmpwd[LM_HASH_LEN],
smbntpwd[NT_HASH_LEN];
uint16 acct_ctrl = 0,
@@ -391,7 +1076,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
return False;
}
- smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "uid", username);
+ get_single_attribute(ldap_state->ldap_struct, entry, "uid", username);
DEBUG(2, ("Entry found for user: %s\n", username));
pstrcpy(nt_username, username);
@@ -403,19 +1088,19 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
pdb_set_domain(sampass, domain, PDB_DEFAULT);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
- smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp);
+ get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp);
user_rid = (uint32)atol(temp);
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
- group_rid = 0;
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
} else {
+ uint32 group_rid;
group_rid = (uint32)atol(temp);
pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
}
-
/*
* If so configured, try and get the values from LDAP
*/
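Review bot: The new primaryGroupID branch handles a missing attribute by falling back to DOMAIN_GROUP_RID_USERS with PDB_DEFAULT, but the `rid` lookup two lines above still ignores get_single_attribute's return value; on a miss that helper has set temp to "" (its `value[0] = '\0'`), so atol yields 0 and pdb_set_user_sid_from_rid stores RID 0 with PDB_SET as though the entry carried it. Unless an absent rid is meant to be derived elsewhere, the entry should be rejected rather than given a SID with RID 0: `if (!get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) return False;`. init_sam_from_ldap starts and ends outside this hunk.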
@@ -444,7 +1129,8 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
}
}
- if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+ if ((pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT)
+ && (pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT)) {
GROUP_MAP map;
gid = pdb_get_gid(sampass);
/* call the mapping code here */
@@ -456,42 +1142,42 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
}
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "pwdLastSet", temp)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdLastSet", temp)) {
/* leave as default */
} else {
pass_last_set_time = (time_t) atol(temp);
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "logonTime", temp)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "logonTime", temp)) {
/* leave as default */
} else {
logon_time = (time_t) atol(temp);
pdb_set_logon_time(sampass, logon_time, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "logoffTime", temp)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "logoffTime", temp)) {
/* leave as default */
} else {
logoff_time = (time_t) atol(temp);
pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "kickoffTime", temp)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "kickoffTime", temp)) {
/* leave as default */
} else {
kickoff_time = (time_t) atol(temp);
pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "pwdCanChange", temp)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdCanChange", temp)) {
/* leave as default */
} else {
pass_can_change_time = (time_t) atol(temp);
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "pwdMustChange", temp)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdMustChange", temp)) {
/* leave as default */
} else {
pass_must_change_time = (time_t) atol(temp);
@@ -504,9 +1190,9 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
* that fits your needs; using cn then displayName rather than 'userFullName'
*/
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry,
+ if (!get_single_attribute(ldap_state->ldap_struct, entry,
"displayName", fullname)) {
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry,
+ if (!get_single_attribute(ldap_state->ldap_struct, entry,
"cn", fullname)) {
/* leave as default */
} else {
@@ -516,7 +1202,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
pdb_set_fullname(sampass, fullname, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "homeDrive", dir_drive)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDrive", dir_drive)) {
pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx,
lp_logon_drive(),
username, domain,
@@ -526,7 +1212,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "smbHome", homedir)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "smbHome", homedir)) {
pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx,
lp_logon_home(),
username, domain,
@@ -536,7 +1222,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
pdb_set_homedir(sampass, homedir, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "scriptPath", logon_script)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "scriptPath", logon_script)) {
pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx,
lp_logon_script(),
username, domain,
@@ -546,7 +1232,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
pdb_set_logon_script(sampass, logon_script, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "profilePath", profile_path)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "profilePath", profile_path)) {
pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx,
lp_logon_path(),
username, domain,
@@ -556,13 +1242,13 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
pdb_set_profile_path(sampass, profile_path, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "description", acct_desc)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "description", acct_desc)) {
/* leave as default */
} else {
pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "userWorkstations", workstations)) {
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "userWorkstations", workstations)) {
/* leave as default */;
} else {
pdb_set_workstations(sampass, workstations, PDB_SET);
@@ -574,7 +1260,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
hours_len = 21;
memset(hours, 0xff, hours_len);
- if (!smb_ldap_get_single_attribute (ldap_state->ldap_struct, entry, "lmPassword", temp)) {
+ if (!get_single_attribute (ldap_state->ldap_struct, entry, "lmPassword", temp)) {
/* leave as default */
} else {
pdb_gethexpwd(temp, smblmpwd);
@@ -584,7 +1270,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
ZERO_STRUCT(smblmpwd);
}
- if (!smb_ldap_get_single_attribute (ldap_state->ldap_struct, entry, "ntPassword", temp)) {
+ if (!get_single_attribute (ldap_state->ldap_struct, entry, "ntPassword", temp)) {
/* leave as default */
} else {
pdb_gethexpwd(temp, smbntpwd);
@@ -594,7 +1280,7 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
ZERO_STRUCT(smbntpwd);
}
- if (!smb_ldap_get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
+ if (!get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) {
acct_ctrl |= ACB_NORMAL;
} else {
acct_ctrl = pdb_decode_acct_ctrl(temp);
@@ -620,19 +1306,6 @@ static BOOL init_sam_from_ldap (struct smb_ldap_privates *ldap_state,
}
/**********************************************************************
- An LDAP modification is needed in two cases:
- * If we are updating the record AND the attribute is CHANGED.
- * If we are adding the record AND it is SET or CHANGED (ie not default)
-*********************************************************************/
-static BOOL need_ldap_mod(BOOL pdb_add, const SAM_ACCOUNT * sampass, enum pdb_elements element) {
- if (pdb_add) {
- return (!IS_SAM_DEFAULT(sampass, element));
- } else {
- return IS_SAM_CHANGED(sampass, element);
- }
-}
-
-/**********************************************************************
Set attribute to newval in LDAP, regardless of what value the
attribute had in LDAP before.
*********************************************************************/
@@ -662,7 +1335,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
the old value, should it exist. */
if ((newval != NULL) && (strlen(newval) > 0)) {
- smb_ldap_make_a_mod(mods, LDAP_MOD_ADD, attribute, newval);
+ make_a_mod(mods, LDAP_MOD_ADD, attribute, newval);
}
if (values == NULL) {
@@ -677,7 +1350,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
deny the complete operation if somebody changed the
attribute behind our back. */
- smb_ldap_make_a_mod(mods, LDAP_MOD_DELETE, attribute, values[0]);
+ make_a_mod(mods, LDAP_MOD_DELETE, attribute, values[0]);
ldap_value_free(values);
}
@@ -685,9 +1358,9 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
Initialize SAM_ACCOUNT from an LDAP query
(Based on init_buffer_from_sam in pdb_tdb.c)
*********************************************************************/
-static BOOL init_ldap_from_sam (struct smb_ldap_privates *ldap_state,
+static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
LDAPMessage *existing,
- LDAPMod *** mods, const SAM_ACCOUNT * sampass,
+ LDAPMod *** mods, SAM_ACCOUNT * sampass,
BOOL (*need_update)(const SAM_ACCOUNT *,
enum pdb_elements))
{
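Review bot: The header comment above `init_ldap_from_sam` still reads "Initialize SAM_ACCOUNT from an LDAP query", which describes the opposite direction, and the commit drops `const` from `sampass` without saying why, so a reader will not expect a mods-builder to write into the account. Suggest replacing the comment with `Build the LDAP modification list for sampass; may allocate a RID and write it back into sampass, which is why sampass is no longer const.` The function body, including the write-back that motivated the change, continues outside this hunk.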
@@ -732,15 +1405,23 @@ static BOOL init_ldap_from_sam (struct smb_ldap_privates *ldap_state,
ldap_mods_free(*mods, 1);
return False;
}
+
+ /* now that we have figured out the RID, always store it, as
+ the schema requires it */
+ if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) {
+ DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n",
+ pdb_get_username(sampass)));
+ ldap_mods_free(*mods, 1);
+ return False;
+ }
}
+ /* only update the RID if we actually need to */
slprintf(temp, sizeof(temp) - 1, "%i", rid);
-
if (need_update(sampass, PDB_USERSID))
make_ldap_mod(ldap_state->ldap_struct, existing, mods,
"rid", temp);
-
rid = pdb_get_group_rid(sampass);
if (rid == 0) {
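Review bot: The new `pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)` mutates the caller's SAM_ACCOUNT before any LDAP write has been attempted, so if the later add/modify fails the in-memory account keeps a SID that was never persisted. Say so in the comment above the call (`/* sampass now carries the allocated RID even if the LDAP write below fails */`) or make sure the caller discards the account on failure. Secondary and pre-existing, but adjacent: `rid` is a uint32 formatted with `%i` on the unchanged `slprintf` line, so a RID above INT_MAX would be stored as a negative number; `%u` is the matching specifier. The `rid == 0` branch and the rest of the function continue outside the hunk.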
@@ -871,7 +1552,7 @@ static BOOL init_ldap_from_sam (struct smb_ldap_privates *ldap_state,
/**********************************************************************
Connect to LDAP server and find the next available RID.
*********************************************************************/
-static uint32 check_nua_rid_is_avail(struct smb_ldap_privates *ldap_state, uint32 top_rid)
+static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid)
{
LDAPMessage *result;
uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER;
@@ -902,7 +1583,7 @@ static uint32 check_nua_rid_is_avail(struct smb_ldap_privates *ldap_state, uint3
/**********************************************************************
Extract the RID from an LDAP entry
*********************************************************************/
-static uint32 entry_to_user_rid(struct smb_ldap_privates *ldap_state, LDAPMessage *entry) {
+static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry) {
uint32 rid;
SAM_ACCOUNT *user = NULL;
if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) {
@@ -925,7 +1606,7 @@ static uint32 entry_to_user_rid(struct smb_ldap_privates *ldap_state, LDAPMessag
/**********************************************************************
Connect to LDAP server and find the next available RID.
*********************************************************************/
-static uint32 search_top_nua_rid(struct smb_ldap_privates *ldap_state)
+static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state)
{
int rc;
pstring filter;
@@ -946,7 +1627,7 @@ static uint32 search_top_nua_rid(struct smb_ldap_privates *ldap_state)
#endif
DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter));
- rc = smb_ldap_search(ldap_state, lp_ldap_suffix(),
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, final_filter, attr, 0,
&result);
@@ -995,7 +1676,7 @@ static uint32 search_top_nua_rid(struct smb_ldap_privates *ldap_state)
/**********************************************************************
Connect to LDAP server and find the next available RID.
*********************************************************************/
-static uint32 ldapsam_get_next_available_nua_rid(struct smb_ldap_privates *ldap_state) {
+static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) {
uint32 next_nua_rid;
uint32 top_nua_rid;
@@ -1012,14 +1693,14 @@ Connect to LDAP server for password enumeration
*********************************************************************/
static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
{
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
int rc;
pstring filter;
pstrcpy(filter, lp_ldap_filter());
all_string_sub(filter, "%u", "*", sizeof(pstring));
- rc = smb_ldap_search(ldap_state, lp_ldap_suffix(),
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, attr, 0,
&ldap_state->result);
@@ -1047,7 +1728,7 @@ End enumeration of the LDAP password list
*********************************************************************/
static void ldapsam_endsampwent(struct pdb_methods *my_methods)
{
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
if (ldap_state->result) {
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
@@ -1060,9 +1741,13 @@ Get the next entry in the LDAP password database
static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
BOOL bret = False;
+ /* The rebind proc needs this *HACK*. We are not multithreaded, so
+ this will work, but it's not nice. */
+ static_ldap_state = ldap_state;
+
while (!bret) {
if (!ldap_state->entry)
return ret;
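Review bot: The new `static_ldap_state = ldap_state;` is a process-global that the comment says the rebind callback reads, yet it is only assigned in the enumeration entry points, so a rebind triggered from getsampwnam/getsampwrid or the modify paths would see whatever the last enumeration left there, or NULL before any enumeration; the rebind proc itself is outside this hunk, so this is inferred from the comment. If the proc is installed through a `ldap_set_rebind_proc` variant that takes a `params` pointer, passing `ldap_state` there removes the global entirely; otherwise set it inside ldapsam_search/ldapsam_modify so every directory operation covers it. If the global must stay, the comment should name the callback that depends on it so it is not removed as dead code. ldapsam_getsampwent's body continues outside the hunk.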
@@ -1083,7 +1768,7 @@ Get SAM_ACCOUNT entry from LDAP by username
static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *result;
LDAPMessage *entry;
int count;
@@ -1127,8 +1812,8 @@ Get SAM_ACCOUNT entry from LDAP by rid
static NTSTATUS ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *user, uint32 rid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct smb_ldap_privates *ldap_state =
- (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *result;
LDAPMessage *entry;
int count;
@@ -1181,9 +1866,11 @@ it it set.
static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
SAM_ACCOUNT *newpwd, char *dn,
- LDAPMod **mods, int ldap_op, BOOL pdb_add)
+ LDAPMod **mods, int ldap_op,
+ BOOL (*need_update)(const SAM_ACCOUNT *,
+ enum pdb_elements))
{
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
int rc;
if (!my_methods || !newpwd || !dn) {
@@ -1197,11 +1884,11 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
switch(ldap_op)
{
case LDAP_MOD_ADD:
- smb_ldap_make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "account");
- rc = smb_ldap_add(ldap_state, dn, mods);
+ make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "account");
+ rc = ldapsam_add(ldap_state, dn, mods);
break;
case LDAP_MOD_REPLACE:
- rc = smb_ldap_modify(ldap_state, dn ,mods);
+ rc = ldapsam_modify(ldap_state, dn ,mods);
break;
default:
DEBUG(0,("Wrong LDAP operation type: %d!\n", ldap_op));
@@ -1223,38 +1910,57 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
}
#ifdef LDAP_EXOP_X_MODIFY_PASSWD
- if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))&&
- (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_OFF)&&
- need_ldap_mod(pdb_add, newpwd, PDB_PLAINTEXT_PW)&&
+ if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
+ (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
+ need_update(newpwd, PDB_PLAINTEXT_PW) &&
(pdb_get_plaintext_passwd(newpwd)!=NULL)) {
BerElement *ber;
struct berval *bv;
char *retoid;
struct berval *retdata;
+ char *utf8_password;
+ char *utf8_dn;
+
+ if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
+ return NT_STATUS_NO_MEMORY;
+ }
if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
DEBUG(0,("ber_alloc_t returns NULL\n"));
+ SAFE_FREE(utf8_password);
return NT_STATUS_UNSUCCESSFUL;
}
+
ber_printf (ber, "{");
- ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID,dn);
- ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, pdb_get_plaintext_passwd(newpwd));
+ ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID, utf8_dn);
+ ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, utf8_password);
ber_printf (ber, "N}");
if ((rc = ber_flatten (ber, &bv))<0) {
DEBUG(0,("ber_flatten returns a value <0\n"));
+ ber_free(ber,1);
+ SAFE_FREE(utf8_dn);
+ SAFE_FREE(utf8_password);
return NT_STATUS_UNSUCCESSFUL;
}
- ber_free(ber,1);
+ SAFE_FREE(utf8_dn);
+ SAFE_FREE(utf8_password);
+ ber_free(ber, 1);
- if ((rc = smb_ldap_extended_operation(ldap_state, LDAP_EXOP_X_MODIFY_PASSWD,
+ if ((rc = ldapsam_extended_operation(ldap_state, LDAP_EXOP_X_MODIFY_PASSWD,
bv, NULL, NULL, &retoid, &retdata))!=LDAP_SUCCESS) {
DEBUG(0,("LDAP Password could not be changed for user %s: %s\n",
pdb_get_username(newpwd),ldap_err2string(rc)));
} else {
DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
-
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
+#endif
ber_bvfree(retdata);
ber_memfree(retoid);
}
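Review bot: The error paths in the new UTF-8 conversion leak and do not wipe the plaintext password copy: when `push_utf8_allocate(&utf8_dn, dn)` fails, `utf8_password` is leaked, and when `ber_alloc_t` fails only `utf8_password` is freed while `utf8_dn` is leaked. `utf8_password` is a heap copy of the clear-text password released with a plain `SAFE_FREE`, so the secret survives in freed memory; this file already zeroes `bind_secret` before freeing it and the same should happen here on every path. The flattened `bv` also contains the password and its release is outside this hunk, so I cannot tell whether it is wiped. The `DEBUG(100, ...)` of the plaintext is compile-time gated by DEBUG_PASSWORD, which is acceptable, but it does write the secret to the log in that build. The enclosing function continues outside the hunk.
```c
	if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
		memset(utf8_password, 0, strlen(utf8_password));
		SAFE_FREE(utf8_password);
		return NT_STATUS_NO_MEMORY;
	}

	if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
		DEBUG(0,("ber_alloc_t returns NULL\n"));
		SAFE_FREE(utf8_dn);
		memset(utf8_password, 0, strlen(utf8_password));
		SAFE_FREE(utf8_password);
		return NT_STATUS_UNSUCCESSFUL;
	}
	/* … unchanged: ber_printf of the exop request … */
	if ((rc = ber_flatten (ber, &bv))<0) {
		DEBUG(0,("ber_flatten returns a value <0\n"));
		ber_free(ber,1);
		SAFE_FREE(utf8_dn);
		memset(utf8_password, 0, strlen(utf8_password));
		SAFE_FREE(utf8_password);
		return NT_STATUS_UNSUCCESSFUL;
	}
	SAFE_FREE(utf8_dn);
	memset(utf8_password, 0, strlen(utf8_password));
	SAFE_FREE(utf8_password);
	ber_free(ber, 1);
	/* … unchanged: ldapsam_extended_operation call and result handling … */
```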
@@ -1271,7 +1977,7 @@ Delete entry from LDAP for username
*********************************************************************/
static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
{
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
const char *sname;
int rc;
LDAPMessage *result;
@@ -1318,7 +2024,7 @@ Update SAM_ACCOUNT
static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
int rc;
char *dn;
LDAPMessage *result;
@@ -1355,7 +2061,7 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A
return NT_STATUS_OK;
}
- ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, False);
+ ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
ldap_mods_free(mods,1);
if (!NT_STATUS_IS_OK(ret)) {
@@ -1390,7 +2096,7 @@ Add SAM_ACCOUNT to LDAP
static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
int rc;
pstring filter;
LDAPMessage *result = NULL;
@@ -1468,9 +2174,9 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
return NT_STATUS_UNSUCCESSFUL;
}
- smb_ldap_make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
+ make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
- ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, True);
+ ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
if (NT_STATUS_IS_ERR(ret)) {
DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
pdb_get_username(newpwd),dn));
@@ -1485,15 +2191,15 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
static void free_private_data(void **vp)
{
- struct smb_ldap_privates **ldap_state = (struct smb_ldap_privates **)vp;
+ struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
- smb_ldap_close(*ldap_state);
+ ldapsam_close(*ldap_state);
if ((*ldap_state)->bind_secret) {
memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
}
- smb_ldap_close(*ldap_state);
+ ldapsam_close(*ldap_state);
SAFE_FREE((*ldap_state)->bind_dn);
SAFE_FREE((*ldap_state)->bind_secret);
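Review bot: `ldapsam_close(*ldap_state)` is called twice, before and after wiping `bind_secret`; the commit carries this over from the old `smb_ldap_close` pair, and unless ldapsam_close is idempotent (its definition is outside this hunk) the second call is a double unbind of the same handle. Drop one of the two calls, keeping close, then wipe, then free. The wipe itself is a plain `memset` on memory freed immediately afterwards, which an optimizer is allowed to elide; that predates the commit, but it is the directory bind password, so a comment noting the intent (`/* scrub the bind password before the buffer is released */`) is worth adding. The function continues outside the hunk.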
@@ -1508,7 +2214,7 @@ static const char *group_attr[] = {"cn", "ntSid", "ntGroupType",
"displayName", "description",
NULL };
-static int ldapsam_search_one_group (struct smb_ldap_privates *ldap_state,
+static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
const char *filter,
LDAPMessage ** result)
{
@@ -1517,7 +2223,7 @@ static int ldapsam_search_one_group (struct smb_ldap_privates *ldap_state,
DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter));
- rc = smb_ldap_search(ldap_state, lp_ldap_suffix (), scope,
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope,
filter, group_attr, 0, result);
if (rc != LDAP_SUCCESS) {
@@ -1535,7 +2241,7 @@ static int ldapsam_search_one_group (struct smb_ldap_privates *ldap_state,
return rc;
}
-static BOOL init_group_from_ldap(struct smb_ldap_privates *ldap_state,
+static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
GROUP_MAP *map, LDAPMessage *entry)
{
pstring temp;
@@ -1546,7 +2252,7 @@ static BOOL init_group_from_ldap(struct smb_ldap_privates *ldap_state,
return False;
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber",
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber",
temp)) {
DEBUG(0, ("Mandatory attribute gidNumber not found\n"));
return False;
@@ -1555,14 +2261,14 @@ static BOOL init_group_from_ldap(struct smb_ldap_privates *ldap_state,
map->gid = (gid_t)atol(temp);
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "ntSid",
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "ntSid",
temp)) {
DEBUG(0, ("Mandatory attribute ntSid not found\n"));
return False;
}
string_to_sid(&map->sid, temp);
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "ntGroupType",
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "ntGroupType",
temp)) {
DEBUG(0, ("Mandatory attribute ntGroupType not found\n"));
return False;
@@ -1575,11 +2281,11 @@ static BOOL init_group_from_ldap(struct smb_ldap_privates *ldap_state,
return False;
}
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "displayName",
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "displayName",
temp)) {
DEBUG(3, ("Attribute displayName not found\n"));
temp[0] = '\0';
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "cn",
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "cn",
temp)) {
DEBUG(0, ("Attributes cn not found either "
"for gidNumber(%i)\n",map->gid));
@@ -1588,7 +2294,7 @@ static BOOL init_group_from_ldap(struct smb_ldap_privates *ldap_state,
}
fstrcpy(map->nt_name, temp);
- if (!smb_ldap_get_single_attribute(ldap_state->ldap_struct, entry, "description",
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "description",
temp)) {
DEBUG(3, ("Attribute description not found\n"));
temp[0] = '\0';
@@ -1630,8 +2336,8 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
const char *filter,
GROUP_MAP *map)
{
- struct smb_ldap_privates *ldap_state =
- (struct smb_ldap_privates *)methods->private_data;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)methods->private_data;
LDAPMessage *result;
LDAPMessage *entry;
int count;
@@ -1710,7 +2416,7 @@ static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
return ldapsam_getgroup(methods, filter, map);
}
-static int ldapsam_search_one_group_by_gid(struct smb_ldap_privates *ldap_state,
+static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
gid_t gid,
LDAPMessage **result)
{
@@ -1725,8 +2431,8 @@ static int ldapsam_search_one_group_by_gid(struct smb_ldap_privates *ldap_state,
static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
GROUP_MAP *map)
{
- struct smb_ldap_privates *ldap_state =
- (struct smb_ldap_privates *)methods->private_data;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)methods->private_data;
LDAPMessage *result = NULL;
LDAPMod **mods = NULL;
@@ -1776,10 +2482,10 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
return NT_STATUS_UNSUCCESSFUL;
}
- smb_ldap_make_a_mod(&mods, LDAP_MOD_ADD, "objectClass",
+ make_a_mod(&mods, LDAP_MOD_ADD, "objectClass",
"sambaGroupMapping");
- rc = smb_ldap_modify(ldap_state, dn, mods);
+ rc = ldapsam_modify(ldap_state, dn, mods);
ldap_mods_free(mods, 1);
if (rc != LDAP_SUCCESS) {
@@ -1799,8 +2505,8 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
GROUP_MAP *map)
{
- struct smb_ldap_privates *ldap_state =
- (struct smb_ldap_privates *)methods->private_data;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)methods->private_data;
int rc;
char *dn;
LDAPMessage *result;
@@ -1836,7 +2542,7 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
return NT_STATUS_UNSUCCESSFUL;
}
- rc = smb_ldap_modify(ldap_state, dn, mods);
+ rc = ldapsam_modify(ldap_state, dn, mods);
ldap_mods_free(mods, 1);
@@ -1856,8 +2562,8 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
DOM_SID sid)
{
- struct smb_ldap_privates *ldap_state =
- (struct smb_ldap_privates *)methods->private_data;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)methods->private_data;
pstring sidstring, filter;
LDAPMessage *result;
int rc;
@@ -1885,12 +2591,12 @@ static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
BOOL update)
{
- struct smb_ldap_privates *ldap_state =
- (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state =
+ (struct ldapsam_privates *)my_methods->private_data;
const char *filter = "(objectClass=sambaGroupMapping)";
int rc;
- rc = smb_ldap_search(ldap_state, lp_ldap_suffix(),
+ rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter,
group_attr, 0, &ldap_state->result);
@@ -1922,9 +2628,13 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
GROUP_MAP *map)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct smb_ldap_privates *ldap_state = (struct smb_ldap_privates *)my_methods->private_data;
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
BOOL bret = False;
+ /* The rebind proc needs this *HACK*. We are not multithreaded, so
+ this will work, but it's not nice. */
+ static_ldap_state = ldap_state;
+
while (!bret) {
if (!ldap_state->entry)
return ret;
@@ -1992,7 +2702,7 @@ static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
{
NTSTATUS nt_status;
- struct smb_ldap_privates *ldap_state;
+ struct ldapsam_privates *ldap_state;
if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
return nt_status;
@@ -2019,7 +2729,7 @@ NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, co
/* TODO: Setup private data and free */
- ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct smb_ldap_privates));
+ ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates));
if (!ldap_state) {
DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
@@ -2057,7 +2767,7 @@ NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, co
NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
{
NTSTATUS nt_status;
- struct smb_ldap_privates *ldap_state;
+ struct ldapsam_privates *ldap_state;
uint32 low_nua_uid, high_nua_uid;
if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) {
diff --git a/source3/passdb/pdb_plugin.c b/source3/passdb/pdb_plugin.c
new file mode 100644
index 0000000000..ea67da23a5
--- /dev/null
+++ b/source3/passdb/pdb_plugin.c
@@ -0,0 +1,78 @@
+/*
+ Unix SMB/CIFS implementation.
+ Loadable passdb module interface.
+ Copyright (C) Jelmer Vernooij 2002
+ Copyright (C) Andrew Bartlett 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_PASSDB
+
+NTSTATUS pdb_init_plugin(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
+{
+ void * dl_handle;
+ char *plugin_location, *plugin_name, *p;
+ pdb_init_function plugin_init;
+ int (*plugin_version)(void);
+
+ if (location == NULL) {
+ DEBUG(0, ("The plugin module needs an argument!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_name = smb_xstrdup(location);
+ p = strchr(plugin_name, ':');
+ if (p) {
+ *p = 0;
+ plugin_location = p+1;
+ trim_string(plugin_location, " ", " ");
+ } else plugin_location = NULL;
+ trim_string(plugin_name, " ", " ");
+
+ DEBUG(5, ("Trying to load sam plugin %s\n", plugin_name));
+ dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
+ if (!dl_handle) {
+ DEBUG(0, ("Failed to load sam plugin %s using sys_dlopen (%s)\n", plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_version = sys_dlsym(dl_handle, "pdb_version");
+ if (!plugin_version) {
+ sys_dlclose(dl_handle);
+ DEBUG(0, ("Failed to find function 'pdb_version' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (plugin_version() != PASSDB_INTERFACE_VERSION) {
+ sys_dlclose(dl_handle);
+ DEBUG(0, ("Wrong PASSDB_INTERFACE_VERSION! sam plugin has version %d and version %d is needed! Please update!\n",
+ plugin_version(),PASSDB_INTERFACE_VERSION));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_init = sys_dlsym(dl_handle, "pdb_init");
+ if (!plugin_init) {
+ sys_dlclose(dl_handle);
+ DEBUG(0, ("Failed to find function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(5, ("Starting sam plugin %s with location %s\n", plugin_name, plugin_location));
+ return plugin_init(pdb_context, pdb_method, plugin_location);
+}
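Review bot: `plugin_name` from `smb_xstrdup` is never freed on any return path, including the success path, where only `dl_handle` has to outlive the function. Add `SAFE_FREE(plugin_name);` before each return, noting that `plugin_location` points into the same allocation so it must stay alive until `plugin_init` returns, or restructure around a single exit label. `plugin_version()` is also invoked twice, once for the comparison and once for the message; store the result once. The name reaches `sys_dlopen` verbatim from the `passdb backend` setting, so a relative name is resolved through the loader's search path; the setting is administrator-controlled, so this is a documentation point rather than a vulnerability, but a comment or the DEBUG(0) message should state that an absolute path is expected.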
diff --git a/source3/passdb/pdb_unix.c b/source3/passdb/pdb_unix.c
deleted file mode 100644
index ed83024248..0000000000
--- a/source3/passdb/pdb_unix.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Unix password backend for samba
- * Copyright (C) Jelmer Vernooij 2002
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-/******************************************************************
- Lookup a name in the SAM database
- ******************************************************************/
-
-static NTSTATUS unixsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname)
-{
- struct passwd *pass;
- if (!methods) {
- DEBUG(0,("invalid methods\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
- if (!sname) {
- DEBUG(0,("invalid name specified"));
- return NT_STATUS_UNSUCCESSFUL;
- }
- pass = Get_Pwnam(sname);
-
- return pdb_fill_sam_pw(user, pass);
-}
-
-
-/***************************************************************************
- Search by rid
- **************************************************************************/
-
-static NTSTATUS unixsam_getsampwrid (struct pdb_methods *methods,
- SAM_ACCOUNT *user, uint32 rid)
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct passwd *pass = NULL;
- const char *guest_account = lp_guestaccount();
- if (!(guest_account && *guest_account)) {
- DEBUG(1, ("NULL guest account!?!?\n"));
- return nt_status;
- }
-
- if (!methods) {
- DEBUG(0,("invalid methods\n"));
- return nt_status;
- }
-
- if (rid == DOMAIN_USER_RID_GUEST) {
- pass = getpwnam_alloc(guest_account);
- if (!pass) {
- DEBUG(1, ("guest account %s does not seem to exist...\n", guest_account));
- return nt_status;
- }
- } else if (pdb_rid_is_user(rid)) {
- pass = getpwuid_alloc(fallback_pdb_user_rid_to_uid (rid));
- }
-
- if (pass == NULL) {
- return nt_status;
- }
-
- nt_status = pdb_fill_sam_pw(user, pass);
- passwd_free(&pass);
-
- return nt_status;
-}
-
-static NTSTATUS unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
-{
- uint32 rid;
- if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
- return NT_STATUS_UNSUCCESSFUL;
- return unixsam_getsampwrid(my_methods, user, rid);
-}
-
-/***************************************************************************
- Updates a SAM_ACCOUNT
-
- This isn't a particulary practical option for pdb_unix. We certainly don't
- want to twidde the filesystem, so what should we do?
-
- Current plan is to transparently add the account. It should appear
- as if the pdb_unix version was modified, but its actually stored somehwere.
- ****************************************************************************/
-
-static NTSTATUS unixsam_update_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd)
-{
- return methods->parent->pdb_add_sam_account(methods->parent, newpwd);
-}
-
-NTSTATUS pdb_init_unixsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
-{
- NTSTATUS nt_status;
-
- if (!pdb_context) {
- DEBUG(0, ("invalid pdb_context specified\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
- return nt_status;
- }
-
- (*pdb_method)->name = "unixsam";
- (*pdb_method)->update_sam_account = unixsam_update_sam_account;
- (*pdb_method)->getsampwnam = unixsam_getsampwnam;
- (*pdb_method)->getsampwsid = unixsam_getsampwsid;
-
- /* There's not very much to initialise here */
- return NT_STATUS_OK;
-}
-
-int pdb_unix_init(void)
-{
- return smb_register_passdb("unixsam", pdb_init_unixsam, PASSDB_INTERFACE_VERSION);
-}
diff --git a/source3/passdb/pdb_xml.c b/source3/passdb/pdb_xml.c
index bde2d14a85..4a8f622cce 100644
--- a/source3/passdb/pdb_xml.c
+++ b/source3/passdb/pdb_xml.c
@@ -47,7 +47,7 @@ static char * iota(int a) {
return tmp;
}
-static BOOL parsePass(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u)
+BOOL parsePass(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u)
{
pstring temp;
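Review bot: Dropping `static` from parsePass gives a very generically named function external linkage, and the same applies to parseUser and parseSambaXMLFile in the next two hunks; without a prototype in a shared header, callers in other translation units will rely on implicit declarations and -Wmissing-prototypes will flag each definition. If the intent is to call these from another file, declare them in a header and consider a module prefix such as `BOOL pdb_xml_parse_pass(...)` so they do not collide with other global symbols; if they are still used only in this file, keep `static`. The bodies of all three functions run past their hunks.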
@@ -76,7 +76,7 @@ static BOOL parsePass(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT *
return True;
}
-static BOOL parseUser(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u)
+BOOL parseUser(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u)
{
char *tmp;
DOM_SID sid;
@@ -239,7 +239,7 @@ typedef struct pdb_xml {
xmlNsPtr ns;
} pdb_xml;
-static xmlNodePtr parseSambaXMLFile(struct pdb_xml *data)
+xmlNodePtr parseSambaXMLFile(struct pdb_xml *data)
{
xmlNodePtr cur;
@@ -524,7 +524,7 @@ static NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method
return nt_status;
}
- (*pdb_method)->name = "xmlsam";
+ (*pdb_method)->name = "xml";
(*pdb_method)->setsampwent = xmlsam_setsampwent;
(*pdb_method)->endsampwent = xmlsam_endsampwent;
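Review bot: The backend name stored in `(*pdb_method)->name` changes from "xmlsam" to "xml", but the hunk does not show the matching `smb_register_passdb` call or any documentation change, so it is not clear whether the registered name and the method name still agree. If the registration name was changed as well, existing `passdb backend = xmlsam` configurations will stop resolving to this module and that deserves a release-note line; if only this string changed, the two names now differ. xmlsam_init continues outside the hunk.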
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 138a9231fd..5df0edc29a 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -303,6 +303,8 @@ BOOL secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
/* unpack trusted domain password */
pass_len = tdb_trusted_dom_pass_unpack(pass_buf, size, &pass);
+ SAFE_FREE(pass_buf);
+
if (pass_len != size) {
DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
return False;
@@ -573,7 +575,12 @@ NTSTATUS secrets_get_trusted_domains(TALLOC_CTX* ctx, int* enum_ctx, unsigned in
NTSTATUS status;
if (!secrets_init()) return NT_STATUS_ACCESS_DENIED;
-
+
+ if (!pass) {
+ DEBUG(0, ("talloc_zero failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
*num_domains = 0;
start_idx = *enum_ctx;
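Review bot: The new NULL check on `pass` sits after the `secrets_init()` call, while the allocation it guards is not in the hunk; the DEBUG text names talloc_zero, so the check presumably belongs immediately after that call rather than several statements later. Moving it there keeps the check next to the allocation it verifies, and `NT_STATUS_NO_MEMORY` is then returned before `secrets_init()` is attempted. secrets_get_trusted_domains continues on both sides of the hunk.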
@@ -610,17 +617,14 @@ NTSTATUS secrets_get_trusted_domains(TALLOC_CTX* ctx, int* enum_ctx, unsigned in
packed_pass = secrets_fetch(secrets_key, &size);
packed_size = tdb_trusted_dom_pass_unpack(packed_pass, size, pass);
-
+ /* packed representation isn't needed anymore */
+ SAFE_FREE(packed_pass);
+
if (size != packed_size) {
DEBUG(2, ("Secrets record %s is invalid!\n", secrets_key));
- if (size) SAFE_FREE(packed_pass);
-
continue;
}
- /* packed representation isn't needed anymore */
- SAFE_FREE(packed_pass);
-
pull_ucs2_fstring(dom_name, pass->uni_name);
DEBUG(18, ("Fetched secret record num %d.\nDomain name: %s, SID: %s\n",
idx, dom_name, sid_string_static(&pass->domain_sid)));
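Review bot: `packed_pass` is handed to `tdb_trusted_dom_pass_unpack` with no check for a NULL return from `secrets_fetch`; the relocated `SAFE_FREE` is correct, but the unpack call still depends on the unpack routine tolerating a NULL buffer with `size` 0 when the key is absent, which the hunk does not show. An explicit guard before the unpack, `if (!packed_pass) { DEBUG(2, ("Secrets record %s is missing!\n", secrets_key)); continue; }`, makes that case visible instead of relying on the size mismatch path. This is pre-existing rather than introduced here; the loop and function continue outside the hunk.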