path: root/source3
Diffstat (limited to 'source3')
-rw-r--r--source3/param/loadparm.c3
-rw-r--r--source3/passdb/pdb_ldap.c125
2 files changed, 95 insertions, 33 deletions
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7c87a51684..883d271980 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -216,6 +216,7 @@ typedef struct
char *szLdapSuffix;
char *szLdapFilter;
char *szLdapAdminDn;
+ BOOL ldap_trust_ids;
char *szAclCompat;
int ldap_passwd_sync;
BOOL bMsAddPrinterWizard;
@@ -1008,6 +1009,7 @@ static struct parm_struct parm_table[] = {
{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap passwd sync", P_ENUM, P_GLOBAL, &Globals.ldap_passwd_sync, NULL, enum_ldap_passwd_sync, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap trust ids", P_BOOL, P_GLOBAL, &Globals.ldap_trust_ids, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"Miscellaneous Options", P_SEP, P_SEPARATOR},
{"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
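Review bot: The new `ldap trust ids` entry carries no comment saying what is trusted, and the effect is security-relevant: with it on, init_sam_from_ldap in pdb_ldap.c takes uid, gid and home directory from the entry's posixAccount attributes instead of getpwnam_alloc(). A comment above the entry would help, e.g. `/* ldap trust ids: take uidNumber/gidNumber/homeDirectory from the LDAP entry instead of getpwnam(); whoever can write those attributes chooses the Unix identity */`. No default assignment is visible in these hunks, so the option presumably relies on Globals being zero-initialised to False; an explicit default in the initialisation code would make the off-by-default intent clear.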
@@ -1602,6 +1604,7 @@ FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
+FN_GLOBAL_BOOL(lp_ldap_trust_ids, &Globals.ldap_trust_ids)
FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 9ab10b8c08..866c4f6b76 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -146,15 +146,17 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
}
static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
- "logoffTime", "kickoffTime", "cn",
- "pwdCanChange", "pwdMustChange",
- "displayName", "homeDrive",
- "smbHome", "scriptPath",
- "profilePath", "description",
- "userWorkstations", "rid",
- "primaryGroupID", "lmPassword",
- "ntPassword", "acctFlags",
- "domain", NULL };
+ "logoffTime", "kickoffTime", "cn",
+ "pwdCanChange", "pwdMustChange",
+ "displayName", "homeDrive",
+ "smbHome", "scriptPath",
+ "profilePath", "description",
+ "userWorkstations", "rid",
+ "primaryGroupID", "lmPassword",
+ "ntPassword", "acctFlags",
+ "domain", "objectClass",
+ "uidNumber", "gidNumber",
+ "homeDirectory", NULL };
/*******************************************************************
open a connection to the ldap server.
@@ -818,6 +820,60 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
/* New Interface is being implemented here */
/**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
+*********************************************************************/
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
+ SAM_ACCOUNT * sampass,
+ LDAPMessage * entry)
+{
+ pstring homedir;
+ pstring temp;
+ uid_t uid;
+ gid_t gid;
+ char **ldap_values;
+ char **values;
+
+ if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+ DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
+ return False;
+ }
+
+ for (values=ldap_values;*values;values++) {
+ if (strcasecmp(*values, "posixAccount") == 0) {
+ break;
+ }
+ }
+
+ if (!*values) { /*end of array, no posixAccount */
+ DEBUG(10, ("user does not have posixAcccount attributes\n"));
+ ldap_value_free(ldap_values);
+ return False;
+ }
+ ldap_value_free(ldap_values);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
+ return False;
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+ return False;
+
+ uid = (uid_t)atol(temp);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+ return False;
+
+ gid = (gid_t)atol(temp);
+
+ pdb_set_unix_homedir(sampass, homedir, PDB_SET);
+ pdb_set_uid(sampass, uid, PDB_SET);
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ DEBUG(10, ("user has posixAcccount attributes\n"));
+ return True;
+}
+
+
+/**********************************************************************
Initialize SAM_ACCOUNT from an LDAP query
(Based on init_sam_from_buffer in pdb_tdb.c)
*********************************************************************/
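Review bot: `uidNumber` and `gidNumber` are converted with `atol()` and cast straight to `uid_t`/`gid_t` in get_unix_attributes, so an empty, non-numeric or out-of-range value is not rejected; non-numeric text yields 0, which is the root uid. Because this path replaces the getpwnam() lookup when the directory is trusted, the conversion should fail closed: parse with `strtoul()`, require the whole string to be consumed, and return False otherwise. The fence shows the uid conversion; gid should get the same treatment. Separately, both DEBUG strings spell "posixAcccount" with three c's.

```c
	char *end;
	unsigned long num;

	/* … unchanged: objectClass check, homeDirectory lookup … */
	if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
		return False;

	/* reject signs, whitespace, trailing junk and values that do not fit uid_t */
	errno = 0;
	num = strtoul(temp, &end, 10);
	if (!isdigit((unsigned char)temp[0]) || *end != '\0' ||
	    errno == ERANGE || (unsigned long)(uid_t)num != num) {
		DEBUG(1, ("get_unix_attributes: invalid uidNumber [%s]\n", temp));
		return False;
	}
	uid = (uid_t)num;
	/* … unchanged: gidNumber lookup, parsed the same way into gid … */
```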
@@ -906,40 +962,43 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
}
- if ((ldap_state->permit_non_unix_accounts)
- && (user_rid >= ldap_state->low_nua_rid)
- && (user_rid <= ldap_state->high_nua_rid)) {
+
+
+ if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state,sampass, entry))) {
} else {
-
+
/* These values MAY be in LDAP, but they can also be retrieved through
* sys_getpw*() which is how we're doing it
*/
pw = getpwnam_alloc(username);
if (pw == NULL) {
- DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
- return False;
- }
- uid = pw->pw_uid;
- gid = pw->pw_gid;
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
+ if (! ldap_state->permit_non_unix_accounts) {
+ DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
+ return False;
+ }
+ } else {
+ uid = pw->pw_uid;
+ pdb_set_uid(sampass, uid, PDB_SET);
+ gid = pw->pw_gid;
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
+ passwd_free(&pw);
+ }
+ }
- if (group_rid == 0) {
- GROUP_MAP map;
- /* call the mapping code here */
- if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
- pdb_set_group_sid(sampass, &map.sid, PDB_SET);
- }
- else {
- pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
- }
+ if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+ GROUP_MAP map;
+ gid = pdb_get_gid(sampass);
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+ }
+ else {
+ pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
}
}
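Review bot: With the `low_nua_rid`/`high_nua_rid` comparison removed, the new `if (! ldap_state->permit_non_unix_accounts)` test accepts any entry that getpwnam_alloc() cannot resolve when that option is on, whatever its RID, and the account is returned with no uid or gid set. If the range restriction was meant to stay, the inner test could read `if (!ldap_state->permit_non_unix_accounts || user_rid < ldap_state->low_nua_rid || user_rid > ldap_state->high_nua_rid) {`. If dropping it is intended, a comment there should say that callers must check the init flags before using the ids, as the `pdb_get_init_flags(sampass,PDB_GID)` test further down does. The empty `if (...) { } else {` branch above it would also read better with the condition negated. init_sam_from_ldap begins and ends outside this hunk, so how callers handle an unset uid is not visible here.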