From a4b00668e656024ebb2b19e4d93dba1a3d334229 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 Apr 2003 23:14:49 +0000 Subject: Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4) --- source3/passdb/passdb.c | 5 ++- source3/passdb/pdb_ldap.c | 85 +++++++++++------------------------------------ 2 files changed, 22 insertions(+), 68 deletions(-) (limited to 'source3') diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 5e6466ff0a..b868d27065 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -646,9 +646,8 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) { return False; } - - /* This now does the 'generic' mapping in pdb_unix */ - /* 'guest' is also handled there */ + + /* see if the passdb can help us with the name of the user */ if (pdb_getsampwsid(sam_account, sid)) { fstrcpy(name, pdb_get_username(sam_account)); *psid_name_use = SID_NAME_USER; diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 8a2378f91b..6646b3836a 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c 
@@ -710,40 +710,6 @@ static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, return ldapsam_search_one_user(ldap_state, filter, result); } -/******************************************************************* - run the search by uid. -******************************************************************/ -static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state, - int uid, - LDAPMessage ** result) -{ - struct passwd *user; - pstring filter; - char *escape_user; - - /* Get the username from the system and look that up in the LDAP */ - - if ((user = getpwuid_alloc(uid)) == NULL) { - DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid)); - return LDAP_NO_SUCH_OBJECT; - } - - pstrcpy(filter, lp_ldap_filter()); - - escape_user = escape_ldap_string_alloc(user->pw_name); - if (!escape_user) { - passwd_free(&user); - return LDAP_NO_MEMORY; - } - - all_string_sub(filter, "%u", escape_user, sizeof(pstring)); - - passwd_free(&user); - SAFE_FREE(escape_user); - - return ldapsam_search_one_user(ldap_state, filter, result); -} - /******************************************************************* run the search by rid. ******************************************************************/ @@ -759,11 +725,6 @@ static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state, snprintf(filter, sizeof(filter) - 1, "rid=%i", rid); rc = ldapsam_search_one_user(ldap_state, filter, result); - if (rc != LDAP_SUCCESS) - rc = ldapsam_search_one_user_by_uid(ldap_state, - fallback_pdb_user_rid_to_uid(rid), - result); - return rc; } 
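Review bot: With the uid fallback gone, `rc` in ldapsam_search_one_user_by_rid only forwards the result, so the two remaining statements can collapse to `return ldapsam_search_one_user(ldap_state, filter, result);` and the `rc` declaration, which sits above the hunk, can go with it. The filter is built from an integer via `"rid=%i"`, so no LDAP escaping is needed here, unlike the name-based search just above. Since a lookup now fails outright when no sambaAccount entry carries the rid, a short comment above the snprintf would preserve the intent the commit message gives: `/* sambaAccount entries must carry a rid; there is deliberately no uid fallback */`. The function's declarations and opening lie outside the hunk.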
@@ -1299,21 +1260,6 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, return True; } -/********************************************************************** - An LDAP modification is needed in two cases: - * If we are updating the record AND the attribute is CHANGED. - * If we are adding the record AND it is SET or CHANGED (ie not default) -*********************************************************************/ -#ifdef LDAP_EXOP_X_MODIFY_PASSWD -static BOOL need_ldap_mod(BOOL pdb_add, const SAM_ACCOUNT * sampass, enum pdb_elements element) { - if (pdb_add) { - return (!IS_SAM_DEFAULT(sampass, element)); - } else { - return IS_SAM_CHANGED(sampass, element); - } -} -#endif - /********************************************************************** Set attribute to newval in LDAP, regardless of what value the attribute had in LDAP before. @@ -1414,13 +1360,18 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, ldap_mods_free(*mods, 1); return False; } - } - - slprintf(temp, sizeof(temp) - 1, "%i", rid); - if (need_update(sampass, PDB_USERSID)) + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_ldap_mod(ldap_state->ldap_struct, existing, mods, "rid", temp); + } else { + slprintf(temp, sizeof(temp) - 1, "%i", rid); + + if (need_update(sampass, PDB_USERSID)) + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + "rid", temp); + } rid = pdb_get_group_rid(sampass); @@ -1867,7 +1818,9 @@ it it set. static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, SAM_ACCOUNT *newpwd, char *dn, - LDAPMod **mods, int ldap_op, BOOL pdb_add) + LDAPMod **mods, int ldap_op, + BOOL (*need_update)(const SAM_ACCOUNT *, + enum pdb_elements)) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; int rc; 
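Review bot: Both branches of the new if/else in init_ldap_from_sam begin with the identical `slprintf(temp, sizeof(temp) - 1, "%i", rid);`, which can be hoisted above the `if` whose head lies outside the hunk, leaving each branch with only its make_ldap_mod call. The first branch writes "rid" unconditionally while the second consults need_update(sampass, PDB_USERSID); that asymmetry looks intentional given the commit message's statement that sambaAccount requires the rid, but it deserves a comment such as `/* a new sambaAccount must always carry a rid; updates only touch it when changed */` — confirm the branch condition matches that reading. The two-line unbraced `if` body in the else branch should take braces. init_ldap_from_sam starts and ends outside the hunk.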
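Review bot: The new `need_update` function pointer parameter of ldapsam_modify_entry is neither documented nor checked, yet the following hunk (@@ -1909) calls `need_update(newpwd, PDB_PLAINTEXT_PW)` unconditionally inside the password-sync condition, so a NULL argument would crash there rather than fail cleanly. A guard after the declarations, `if (!need_update) { return NT_STATUS_INVALID_PARAMETER; }`, makes the contract explicit, and the function's header comment (outside the hunk) should gain a line stating that need_update decides per element whether it must be written, with callers passing element_is_changed for updates and element_is_set_or_changed for adds. Both callers changed in this commit pass a real function, so the guard is defensive rather than a fix for a live bug. The function body continues past the hunk.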
@@ -1909,9 +1862,9 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, } #ifdef LDAP_EXOP_X_MODIFY_PASSWD - if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))&& - (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_OFF)&& - need_ldap_mod(pdb_add, newpwd, PDB_PLAINTEXT_PW)&& + if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) && + (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) && + need_update(newpwd, PDB_PLAINTEXT_PW) && (pdb_get_plaintext_passwd(newpwd)!=NULL)) { BerElement *ber; struct berval *bv; @@ -1940,7 +1893,9 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, pdb_get_username(newpwd),ldap_err2string(rc))); } else { DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd))); - +#ifdef DEBUG_PASSWORD + DEBUG(100,("LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd))); +#endif ber_bvfree(retdata); ber_memfree(retoid); } @@ -2041,7 +1996,7 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A return NT_STATUS_OK; } - ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, False); + ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed); ldap_mods_free(mods,1); if (!NT_STATUS_IS_OK(ret)) { @@ -2156,7 +2111,7 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); - ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, True); + ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed); if (NT_STATUS_IS_ERR(ret)) { DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n", pdb_get_username(newpwd),dn)); -- cgit
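Review bot: The added DEBUG(100) in ldapsam_modify_entry prints the cleartext password returned by pdb_get_plaintext_passwd(newpwd) into the log; the `#ifdef DEBUG_PASSWORD` guard and level 100 follow the existing convention for such output, but the line still means a DEBUG_PASSWORD build running at a high log level writes credentials to disk. A comment on the `#ifdef` should say so: `/* DEBUG_PASSWORD only: this logs the cleartext password; such builds are not for production */`. If the intent is merely to confirm that the extended operation took effect, the username already logged on the preceding line is sufficient and the password line could be dropped. The enclosing function continues outside the hunk.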