/* Unix SMB/CIFS implementation. LDAP protocol helper functions for SAMBA Copyright (C) Gerald Carter 2001 Copyright (C) Shahms King 2001 Copyright (C) Jean Fran�ois Micouleau 1998 Copyright (C) Andrew Bartlett 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ #include "includes.h" #ifdef WITH_LDAP_SAM /* TODO: * persistent connections: if using NSS LDAP, many connections are made * however, using only one within Samba would be nice * * Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK * * Other LDAP based login attributes: accountExpires, etc. * (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT * structures don't have fields for some of these attributes) * * SSL is done, but can't get the certificate based authentication to work * against on my test platform (Linux 2.4, OpenLDAP 2.x) */ /* NOTE: this will NOT work against an Active Directory server * due to the fact that the two password fields cannot be retrieved * from a server; recommend using security = domain in this situation * and/or winbind */ #include <lber.h> #include <ldap.h> #ifndef SAM_ACCOUNT #define SAM_ACCOUNT struct sam_passwd #endif struct ldapsam_privates { /* Former statics */ LDAP *ldap_struct; LDAPMessage *result; LDAPMessage *entry; int index; /* retrive-once info */ const char *uri; BOOL permit_non_unix_accounts; uint32 low_nua_rid; uint32 high_nua_rid; }; static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state); /******************************************************************* Converts NT user RID to a UNIX uid. ********************************************************************/ static uid_t pdb_user_rid_to_uid(uint32 user_rid) { return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER); } /******************************************************************* converts UNIX uid to an NT User RID. ********************************************************************/ static uint32 pdb_uid_to_user_rid(uid_t uid) { return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE); } /******************************************************************* find the ldap password ******************************************************************/ static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len) { fstring key; char *p; void *data = NULL; size_t size; pstrcpy(key, dn); for (p=key; *p; p++) if (*p == ',') *p = '/'; data=secrets_fetch(key, &size); if (!size) { DEBUG(0,("fetch_ldap_pw: no ldap secret retrieved!\n")); return False; } if (size > len-1) { DEBUG(0,("fetch_ldap_pw: ldap secret is too long (%d > %d)!\n", size, len-1)); return False; } memcpy(pw, data, size); pw[size] = '\0'; return True; } /******************************************************************* open a connection to the ldap server. ******************************************************************/ static BOOL ldapsam_open_connection (struct ldapsam_privates *ldap_state, LDAP ** ldap_struct) { if (geteuid() != 0) { DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root..\n")); return False; } #if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) DEBUG(10, ("ldapsam_open_connection: %s\n", ldap_state->uri)); if (ldap_initialize(ldap_struct, ldap_state->uri) != LDAP_SUCCESS) { DEBUG(0, ("ldap_initialize: %s\n", strerror(errno))); return (False); } #else /* Parse the string manually */ { int rc; int tls = LDAP_OPT_X_TLS_HARD; int port = 0; int version; fstring protocol; fstring host; const char *p = ldap_state->uri; SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254); /* skip leading "URL:" (if any) */ if ( strncasecmp( p, "URL:", 4 ) == 0 ) { p += 4; } sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port); if (port == 0) { if (strequal(protocol, "ldap")) { port = LDAP_PORT; } else if (strequal(protocol, "ldaps")) { port = LDAPS_PORT; } else { DEBUG(0, ("unrecognised protocol (%s)!\n", protocol)); } } if ((*ldap_struct = ldap_init(host, port)) == NULL) { DEBUG(0, ("ldap_init failed !\n")); return False; } /* Connect to older servers using SSL and V2 rather than Start TLS */ if (ldap_get_option(*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) { if (version != LDAP_VERSION2) { version = LDAP_VERSION2; ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version); } } if (strequal(protocol, "ldaps")) { if (lp_ldap_ssl() == LDAP_SSL_START_TLS) { if (ldap_get_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) { if (version < LDAP_VERSION3) { version = LDAP_VERSION3; ldap_set_option (*ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version); } } if ((rc = ldap_start_tls_s (*ldap_struct, NULL, NULL)) != LDAP_SUCCESS) { DEBUG(0,("Failed to issue the StartTLS instruction: %s\n", ldap_err2string(rc))); return False; } DEBUG (2, ("StartTLS issued: using a TLS connection\n")); } else { if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) { DEBUG(0, ("Failed to setup a TLS session\n")); } } } else { /* * No special needs to setup options prior to the LDAP * bind (which should be called next via ldap_connect_system() */ } } #endif DEBUG(2, ("ldap_open_connection: connection opened\n")); return True; } /******************************************************************* connect to the ldap server under system privilege. ******************************************************************/ static BOOL ldapsam_connect_system(struct ldapsam_privates *ldap_state, LDAP * ldap_struct) { int rc; static BOOL got_pw = False; static pstring ldap_secret; /* get the password if we don't have it already */ if (!got_pw && !(got_pw=fetch_ldapsam_pw(lp_ldap_admin_dn(), ldap_secret, sizeof(pstring)))) { DEBUG(0, ("ldap_connect_system: Failed to retrieve password for %s from secrets.tdb\n", lp_ldap_admin_dn())); return False; } /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite (OpenLDAP) doesnt' seem to support it */ DEBUG(10,("ldap_connect_system: Binding to ldap server as \"%s\"\n", lp_ldap_admin_dn())); if ((rc = ldap_simple_bind_s(ldap_struct, lp_ldap_admin_dn(), ldap_secret)) != LDAP_SUCCESS) { DEBUG(0, ("Bind failed: %s\n", ldap_err2string(rc))); return False; } DEBUG(2, ("ldap_connect_system: succesful connection to the LDAP server\n")); return True; } /******************************************************************* run the search by name. ******************************************************************/ static int ldapsam_search_one_user (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *filter, LDAPMessage ** result) { int scope = LDAP_SCOPE_SUBTREE; int rc; DEBUG(2, ("ldapsam_search_one_user: searching for:[%s]\n", filter)); rc = ldap_search_s(ldap_struct, lp_ldap_suffix (), scope, filter, NULL, 0, result); if (rc != LDAP_SUCCESS) { DEBUG(0,("ldapsam_search_one_user: Problem during the LDAP search: %s\n", ldap_err2string (rc))); DEBUG(3,("ldapsam_search_one_user: Query was: %s, %s\n", lp_ldap_suffix(), filter)); } return rc; } /******************************************************************* run the search by name. ******************************************************************/ static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, const char *user, LDAPMessage ** result) { pstring filter; /* * in the filter expression, replace %u with the real name * so in ldap filter, %u MUST exist :-) */ pstrcpy(filter, lp_ldap_filter()); /* * have to use this here because $ is filtered out * in pstring_sub */ all_string_sub(filter, "%u", user, sizeof(pstring)); return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result); } /******************************************************************* run the search by uid. ******************************************************************/ static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state, LDAP * ldap_struct, int uid, LDAPMessage ** result) { struct passwd *user; pstring filter; /* Get the username from the system and look that up in the LDAP */ if ((user = getpwuid_alloc(uid)) == NULL) { DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid)); return LDAP_NO_SUCH_OBJECT; } pstrcpy(filter, lp_ldap_filter()); all_string_sub(filter, "%u", user->pw_name, sizeof(pstring)); passwd_free(&user); return ldapsam_search_one_user(ldap_state, ldap_struct, filter, result); } /******************************************************************* run the search by rid. ******************************************************************/ static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state, LDAP * ldap_struct, uint32 rid, LDAPMessage ** result) { pstring filter; int rc; /* check if the user rid exsists, if not, try searching on the uid */ snprintf(filter, sizeof(filter) - 1, "rid=%i", rid); rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, result); if (rc != LDAP_SUCCESS) rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct, pdb_user_rid_to_uid(rid), result); return rc; } /******************************************************************* search an attribute and return the first value found. ******************************************************************/ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry, char *attribute, char *value) { char **values; if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) { value = NULL; DEBUG (10, ("get_single_attribute: [%s] = [<does not exist>]\n", attribute)); return False; } pstrcpy(value, values[0]); ldap_value_free(values); #ifdef DEBUG_PASSWORDS DEBUG (100, ("get_single_attribute: [%s] = [%s]\n", attribute, value)); #endif return True; } /************************************************************************ Routine to manage the LDAPMod structure array manage memory used by the array, by each struct, and values ************************************************************************/ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value) { LDAPMod **mods; int i; int j; mods = *modlist; if (attribute == NULL || *attribute == '\0') return; if (value == NULL || *value == '\0') return; if (mods == NULL) { mods = (LDAPMod **) malloc(sizeof(LDAPMod *)); if (mods == NULL) { DEBUG(0, ("make_a_mod: out of memory!\n")); return; } mods[0] = NULL; } for (i = 0; mods[i] != NULL; ++i) { if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute)) break; } if (mods[i] == NULL) { mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *)); if (mods == NULL) { DEBUG(0, ("make_a_mod: out of memory!\n")); return; } mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod)); if (mods[i] == NULL) { DEBUG(0, ("make_a_mod: out of memory!\n")); return; } mods[i]->mod_op = modop; mods[i]->mod_values = NULL; mods[i]->mod_type = strdup(attribute); mods[i + 1] = NULL; } if (value != NULL) { j = 0; if (mods[i]->mod_values != NULL) { for (; mods[i]->mod_values[j] != NULL; j++); } mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values, (j + 2) * sizeof (char *)); if (mods[i]->mod_values == NULL) { DEBUG (0, ("make_a_mod: Memory allocation failure!\n")); return; } mods[i]->mod_values[j] = strdup(value); mods[i]->mod_values[j + 1] = NULL; } *modlist = mods; } /* New Interface is being implemented here */ /********************************************************************** Initialize SAM_ACCOUNT from an LDAP query (Based on init_sam_from_buffer in pdb_tdb.c) *********************************************************************/ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, SAM_ACCOUNT * sampass, LDAP * ldap_struct, LDAPMessage * entry) { time_t logon_time, logoff_time, kickoff_time, pass_last_set_time, pass_can_change_time, pass_must_change_time; pstring username, domain, nt_username, fullname, homedir, dir_drive, logon_script, profile_path, acct_desc, munged_dial, workstations; struct passwd *pw; uint32 user_rid, group_rid; uint8 smblmpwd[16], smbntpwd[16]; uint16 acct_ctrl, logon_divs; uint32 hours_len; uint8 hours[MAX_HOURS_LEN]; pstring temp; uid_t uid = -1; gid_t gid = getegid(); /* * do a little initialization */ username[0] = '\0'; domain[0] = '\0'; nt_username[0] = '\0'; fullname[0] = '\0'; homedir[0] = '\0'; dir_drive[0] = '\0'; logon_script[0] = '\0'; profile_path[0] = '\0'; acct_desc[0] = '\0'; munged_dial[0] = '\0'; workstations[0] = '\0'; if (sampass == NULL || ldap_struct == NULL || entry == NULL) { DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n")); return False; } get_single_attribute(ldap_struct, entry, "uid", username); DEBUG(2, ("Entry found for user: %s\n", username)); pstrcpy(nt_username, username); pstrcpy(domain, lp_workgroup()); get_single_attribute(ldap_struct, entry, "rid", temp); user_rid = (uint32)atol(temp); if (!get_single_attribute(ldap_struct, entry, "primaryGroupID", temp)) { group_rid = 0; } else { group_rid = (uint32)atol(temp); } if ((ldap_state->permit_non_unix_accounts) && (user_rid >= ldap_state->low_nua_rid) && (user_rid <= ldap_state->high_nua_rid)) { } else { /* These values MAY be in LDAP, but they can also be retrieved through * sys_getpw*() which is how we're doing it */ pw = getpwnam_alloc(username); if (pw == NULL) { DEBUG (2,("init_sam_from_ldap: User [%s] does not ave a uid!\n", username)); return False; } uid = pw->pw_uid; gid = pw->pw_gid; passwd_free(&pw); pdb_set_uid(sampass, uid); pdb_set_gid(sampass, gid); if (group_rid == 0) { GROUP_MAP map; /* call the mapping code here */ if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, &group_rid); } else { group_rid=pdb_gid_to_group_rid(gid); } } } get_single_attribute(ldap_struct, entry, "pwdLastSet", temp); pass_last_set_time = (time_t) atol(temp); if (!get_single_attribute(ldap_struct, entry, "logonTime", temp)) { logon_time = (time_t) atol(temp); pdb_set_logon_time(sampass, logon_time, True); } if (!get_single_attribute(ldap_struct, entry, "logoffTime", temp)) { logoff_time = (time_t) atol(temp); pdb_set_logoff_time(sampass, logoff_time, True); } if (!get_single_attribute(ldap_struct, entry, "kickoffTime", temp)) { kickoff_time = (time_t) atol(temp); pdb_set_kickoff_time(sampass, kickoff_time, True); } if (!get_single_attribute(ldap_struct, entry, "pwdCanChange", temp)) { pass_can_change_time = (time_t) atol(temp); pdb_set_pass_can_change_time(sampass, pass_can_change_time, True); } if (!get_single_attribute(ldap_struct, entry, "pwdMustChange", temp)) { pass_must_change_time = (time_t) atol(temp); pdb_set_pass_must_change_time(sampass, pass_must_change_time, True); } /* recommend that 'gecos' and 'displayName' should refer to the same * attribute OID. userFullName depreciated, only used by Samba * primary rules of LDAP: don't make a new attribute when one is already defined * that fits your needs; using cn then displayName rather than 'userFullName' */ if (!get_single_attribute(ldap_struct, entry, "cn", fullname)) { get_single_attribute(ldap_struct, entry, "displayName", fullname); } if (!get_single_attribute(ldap_struct, entry, "homeDrive", dir_drive)) { pstrcpy(dir_drive, lp_logon_drive()); standard_sub_advanced(-1, username, "", gid, username, dir_drive); DEBUG(5,("homeDrive fell back to %s\n",dir_drive)); pdb_set_dir_drive(sampass, dir_drive, False); } else pdb_set_dir_drive(sampass, dir_drive, True); if (!get_single_attribute(ldap_struct, entry, "smbHome", homedir)) { pstrcpy(homedir, lp_logon_home()); standard_sub_advanced(-1, username, "", gid, username, homedir); DEBUG(5,("smbHome fell back to %s\n",homedir)); pdb_set_homedir(sampass, homedir, False); } else pdb_set_homedir(sampass, homedir, True); if (!get_single_attribute(ldap_struct, entry, "scriptPath", logon_script)) { pstrcpy(logon_script, lp_logon_script()); standard_sub_advanced(-1, username, "", gid, username, logon_script); DEBUG(5,("scriptPath fell back to %s\n",logon_script)); pdb_set_logon_script(sampass, logon_script, False); } else pdb_set_logon_script(sampass, logon_script, True); if (!get_single_attribute(ldap_struct, entry, "profilePath", profile_path)) { pstrcpy(profile_path, lp_logon_path()); standard_sub_advanced(-1, username, "", gid, username, profile_path); DEBUG(5,("profilePath fell back to %s\n",profile_path)); pdb_set_profile_path(sampass, profile_path, False); } else pdb_set_profile_path(sampass, profile_path, True); get_single_attribute(ldap_struct, entry, "description", acct_desc); get_single_attribute(ldap_struct, entry, "userWorkstations", workstations); /* FIXME: hours stuff should be cleaner */ logon_divs = 168; hours_len = 21; memset(hours, 0xff, hours_len); get_single_attribute (ldap_struct, entry, "lmPassword", temp); pdb_gethexpwd(temp, smblmpwd); memset((char *)temp, '\0', sizeof(temp)); get_single_attribute (ldap_struct, entry, "ntPassword", temp); pdb_gethexpwd(temp, smbntpwd); memset((char *)temp, '\0', sizeof(temp)); get_single_attribute (ldap_struct, entry, "acctFlags", temp); acct_ctrl = pdb_decode_acct_ctrl(temp); if (acct_ctrl == 0) acct_ctrl |= ACB_NORMAL; pdb_set_acct_ctrl(sampass, acct_ctrl); pdb_set_pass_last_set_time(sampass, pass_last_set_time); pdb_set_hours_len(sampass, hours_len); pdb_set_logon_divs(sampass, logon_divs); pdb_set_user_rid(sampass, user_rid); pdb_set_group_rid(sampass, group_rid); pdb_set_username(sampass, username); pdb_set_domain(sampass, domain); pdb_set_nt_username(sampass, nt_username); pdb_set_fullname(sampass, fullname); pdb_set_acct_desc(sampass, acct_desc); pdb_set_workstations(sampass, workstations); pdb_set_munged_dial(sampass, munged_dial); if (!pdb_set_nt_passwd(sampass, smbntpwd)) return False; if (!pdb_set_lanman_passwd(sampass, smblmpwd)) return False; /* pdb_set_unknown_3(sampass, unknown3); */ /* pdb_set_unknown_5(sampass, unknown5); */ /* pdb_set_unknown_6(sampass, unknown6); */ pdb_set_hours(sampass, hours); return True; } /********************************************************************** Initialize SAM_ACCOUNT from an LDAP query (Based on init_buffer_from_sam in pdb_tdb.c) *********************************************************************/ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, LDAPMod *** mods, int ldap_op, const SAM_ACCOUNT * sampass) { pstring temp; uint32 rid; if (mods == NULL || sampass == NULL) { DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n")); return False; } *mods = NULL; /* * took out adding "objectclass: sambaAccount" * do this on a per-mod basis */ make_a_mod(mods, ldap_op, "uid", pdb_get_username(sampass)); DEBUG(2, ("Setting entry for user: %s\n", pdb_get_username(sampass))); if ( pdb_get_user_rid(sampass) ) { rid = pdb_get_user_rid(sampass); } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) { rid = pdb_uid_to_user_rid(pdb_get_uid(sampass)); } else if (ldap_state->permit_non_unix_accounts) { rid = ldapsam_get_next_available_nua_rid(ldap_state); if (rid == 0) { DEBUG(0, ("NO user RID specified on account %s, and findining next available NUA RID failed, cannot store!\n", pdb_get_username(sampass))); return False; } } else { DEBUG(0, ("NO user RID specified on account %s, cannot store!\n", pdb_get_username(sampass))); return False; } slprintf(temp, sizeof(temp) - 1, "%i", rid); make_a_mod(mods, ldap_op, "rid", temp); if ( pdb_get_group_rid(sampass) ) { rid = pdb_get_group_rid(sampass); } else if (IS_SAM_SET(sampass, FLAG_SAM_GID)) { rid = pdb_gid_to_group_rid(pdb_get_gid(sampass)); } else if (ldap_state->permit_non_unix_accounts) { rid = DOMAIN_GROUP_RID_USERS; } else { DEBUG(0, ("NO group RID specified on account %s, cannot store!\n", pdb_get_username(sampass))); return False; } slprintf(temp, sizeof(temp) - 1, "%i", rid); make_a_mod(mods, ldap_op, "primaryGroupID", temp); slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass)); make_a_mod(mods, ldap_op, "pwdLastSet", temp); /* displayName, cn, and gecos should all be the same * most easily accomplished by giving them the same OID * gecos isn't set here b/c it should be handled by the * add-user script */ make_a_mod(mods, ldap_op, "displayName", pdb_get_fullname(sampass)); make_a_mod(mods, ldap_op, "cn", pdb_get_fullname(sampass)); make_a_mod(mods, ldap_op, "description", pdb_get_acct_desc(sampass)); make_a_mod(mods, ldap_op, "userWorkstations", pdb_get_workstations(sampass)); /* * Only updates fields which have been set (not defaults from smb.conf) */ if (IS_SAM_SET(sampass, FLAG_SAM_SMBHOME)) make_a_mod(mods, ldap_op, "smbHome", pdb_get_homedir(sampass)); if (IS_SAM_SET(sampass, FLAG_SAM_DRIVE)) make_a_mod(mods, ldap_op, "homeDrive", pdb_get_dirdrive(sampass)); if (IS_SAM_SET(sampass, FLAG_SAM_LOGONSCRIPT)) make_a_mod(mods, ldap_op, "scriptPath", pdb_get_logon_script(sampass)); if (IS_SAM_SET(sampass, FLAG_SAM_PROFILE)) make_a_mod(mods, ldap_op, "profilePath", pdb_get_profile_path(sampass)); if (IS_SAM_SET(sampass, FLAG_SAM_LOGONTIME)) { slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass)); make_a_mod(mods, ldap_op, "logonTime", temp); } if (IS_SAM_SET(sampass, FLAG_SAM_LOGOFFTIME)) { slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass)); make_a_mod(mods, ldap_op, "logoffTime", temp); } if (IS_SAM_SET(sampass, FLAG_SAM_KICKOFFTIME)) { slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass)); make_a_mod(mods, ldap_op, "kickoffTime", temp); } if (IS_SAM_SET(sampass, FLAG_SAM_CANCHANGETIME)) { slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass)); make_a_mod(mods, ldap_op, "pwdCanChange", temp); } if (IS_SAM_SET(sampass, FLAG_SAM_MUSTCHANGETIME)) { slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass)); make_a_mod(mods, ldap_op, "pwdMustChange", temp); } /* FIXME: Hours stuff goes in LDAP */ pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass)); make_a_mod (mods, ldap_op, "lmPassword", temp); pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass)); make_a_mod (mods, ldap_op, "ntPassword", temp); make_a_mod (mods, ldap_op, "acctFlags", pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN)); return True; } /********************************************************************** Connect to LDAP server and find the next available RID. *********************************************************************/ static uint32 check_nua_rid_is_avail(struct ldapsam_privates *ldap_state, uint32 top_rid, LDAP *ldap_struct) { LDAPMessage *result; uint32 final_rid = (top_rid & (~USER_RID_TYPE)) + RID_MULTIPLIER; if (top_rid == 0) { return 0; } if (final_rid < ldap_state->low_nua_rid || final_rid > ldap_state->high_nua_rid) { return 0; } if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, final_rid, &result) != LDAP_SUCCESS) { DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the confirmation search failed!\n", final_rid, final_rid)); final_rid = 0; ldap_msgfree(result); } if (ldap_count_entries(ldap_struct, result) != 0) { DEBUG(0, ("Cannot allocate NUA RID %d (0x%x), as the RID is already in use!!\n", final_rid, final_rid)); final_rid = 0; ldap_msgfree(result); } DEBUG(5, ("NUA RID %d (0x%x), declared valid\n", final_rid, final_rid)); return final_rid; } /********************************************************************** Extract the RID from an LDAP entry *********************************************************************/ static uint32 entry_to_user_rid(struct ldapsam_privates *ldap_state, LDAPMessage *entry, LDAP *ldap_struct) { uint32 rid; SAM_ACCOUNT *user = NULL; if (!NT_STATUS_IS_OK(pdb_init_sam(&user))) { return 0; } if (init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) { rid = pdb_get_user_rid(user); } else { rid =0; } pdb_free_sam(&user); if (rid >= ldap_state->low_nua_rid && rid <= ldap_state->high_nua_rid) { return rid; } return 0; } /********************************************************************** Connect to LDAP server and find the next available RID. *********************************************************************/ static uint32 search_top_nua_rid(struct ldapsam_privates *ldap_state, LDAP *ldap_struct) { int rc; pstring filter; LDAPMessage *result; LDAPMessage *entry; char *final_filter = NULL; uint32 top_rid = 0; uint32 count; uint32 rid; pstrcpy(filter, lp_ldap_filter()); all_string_sub(filter, "%u", "*", sizeof(pstring)); #if 0 asprintf(&final_filter, "(&(%s)(&(rid>=%d)(rid<=%d)))", filter, ldap_state->low_nua_rid, ldap_state->high_nua_rid); #else final_filter = strdup(filter); #endif DEBUG(2, ("ldapsam_get_next_available_nua_rid: searching for:[%s]\n", final_filter)); rc = ldap_search_s(ldap_struct, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE, final_filter, NULL, 0, &result); if (rc != LDAP_SUCCESS) { DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc))); DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter)); free(final_filter); ldap_msgfree(result); result = NULL; return 0; } count = ldap_count_entries(ldap_struct, result); DEBUG(2, ("search_top_nua_rid: %d entries in the base!\n", count)); if (count == 0) { DEBUG(3, ("LDAP search returned no records, assuming no non-unix-accounts present!: %s\n", ldap_err2string(rc))); DEBUGADD(3, ("Query was: %s, %s\n", lp_ldap_suffix(), final_filter)); free(final_filter); ldap_msgfree(result); result = NULL; return ldap_state->low_nua_rid; } free(final_filter); entry = ldap_first_entry(ldap_struct,result); top_rid = entry_to_user_rid(ldap_state, entry, ldap_struct); while ((entry = ldap_next_entry(ldap_struct, entry))) { rid = entry_to_user_rid(ldap_state, entry, ldap_struct); if (rid > top_rid) { top_rid = rid; } } ldap_msgfree(result); return top_rid; } /********************************************************************** Connect to LDAP server and find the next available RID. *********************************************************************/ static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state) { LDAP *ldap_struct; uint32 next_nua_rid; uint32 top_nua_rid; if (!ldapsam_open_connection(ldap_state, &ldap_struct)) { return 0; } if (!ldapsam_connect_system(ldap_state, ldap_struct)) { ldap_unbind(ldap_struct); return 0; } top_nua_rid = search_top_nua_rid(ldap_state, ldap_struct); next_nua_rid = check_nua_rid_is_avail(ldap_state, top_nua_rid, ldap_struct); ldap_unbind(ldap_struct); return next_nua_rid; } /********************************************************************** Connect to LDAP server for password enumeration *********************************************************************/ static BOOL ldapsam_setsampwent(struct pdb_context *context, BOOL update) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; int rc; pstring filter; if (!ldapsam_open_connection(ldap_state, &ldap_state->ldap_struct)) { return False; } if (!ldapsam_connect_system(ldap_state, ldap_state->ldap_struct)) { ldap_unbind(ldap_state->ldap_struct); return False; } pstrcpy(filter, lp_ldap_filter()); all_string_sub(filter, "%u", "*", sizeof(pstring)); rc = ldap_search_s(ldap_state->ldap_struct, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE, filter, NULL, 0, &ldap_state->result); if (rc != LDAP_SUCCESS) { DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc))); DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter)); ldap_msgfree(ldap_state->result); ldap_unbind(ldap_state->ldap_struct); ldap_state->ldap_struct = NULL; ldap_state->result = NULL; return False; } DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n", ldap_count_entries(ldap_state->ldap_struct, ldap_state->result))); ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct, ldap_state->result); ldap_state->index = 0; return True; } /********************************************************************** End enumeration of the LDAP password list *********************************************************************/ static void ldapsam_endsampwent(struct pdb_context *context) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; if (ldap_state->ldap_struct && ldap_state->result) { ldap_msgfree(ldap_state->result); ldap_unbind(ldap_state->ldap_struct); ldap_state->ldap_struct = NULL; ldap_state->result = NULL; } } /********************************************************************** Get the next entry in the LDAP password database *********************************************************************/ static BOOL ldapsam_getsampwent(struct pdb_context *context, SAM_ACCOUNT * user) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; BOOL ret = False; while (!ret) { if (!ldap_state->entry) return False; ldap_state->index++; ret = init_sam_from_ldap(ldap_state, user, ldap_state->ldap_struct, ldap_state->entry); ldap_state->entry = ldap_next_entry(ldap_state->ldap_struct, ldap_state->entry); } return True; } /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username *********************************************************************/ static BOOL ldapsam_getsampwnam(struct pdb_context *context, SAM_ACCOUNT * user, const char *sname) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; LDAP *ldap_struct; LDAPMessage *result; LDAPMessage *entry; if (!ldapsam_open_connection(ldap_state, &ldap_struct)) return False; if (!ldapsam_connect_system(ldap_state, ldap_struct)) { ldap_unbind(ldap_struct); return False; } if (ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result) != LDAP_SUCCESS) { ldap_unbind(ldap_struct); return False; } if (ldap_count_entries(ldap_struct, result) < 1) { DEBUG(4, ("We don't find this user [%s] count=%d\n", sname, ldap_count_entries(ldap_struct, result))); ldap_unbind(ldap_struct); return False; } entry = ldap_first_entry(ldap_struct, result); if (entry) { if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) { DEBUG(0,("ldapsam_getsampwnam: init_sam_from_ldap failed!\n")); ldap_msgfree(result); ldap_unbind(ldap_struct); return False; } ldap_msgfree(result); ldap_unbind(ldap_struct); return True; } else { ldap_msgfree(result); ldap_unbind(ldap_struct); return False; } } /********************************************************************** Get SAM_ACCOUNT entry from LDAP by rid *********************************************************************/ static BOOL ldapsam_getsampwrid(struct pdb_context *context, SAM_ACCOUNT * user, uint32 rid) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; LDAP *ldap_struct; LDAPMessage *result; LDAPMessage *entry; if (!ldapsam_open_connection(ldap_state, &ldap_struct)) return False; if (!ldapsam_connect_system(ldap_state, ldap_struct)) { ldap_unbind(ldap_struct); return False; } if (ldapsam_search_one_user_by_rid(ldap_state, ldap_struct, rid, &result) != LDAP_SUCCESS) { ldap_unbind(ldap_struct); return False; } if (ldap_count_entries(ldap_struct, result) < 1) { DEBUG(0, ("We don't find this rid [%i] count=%d\n", rid, ldap_count_entries(ldap_struct, result))); ldap_unbind(ldap_struct); return False; } entry = ldap_first_entry(ldap_struct, result); if (entry) { if (!init_sam_from_ldap(ldap_state, user, ldap_struct, entry)) { DEBUG(0,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n")); ldap_msgfree(result); ldap_unbind(ldap_struct); return False; } ldap_msgfree(result); ldap_unbind(ldap_struct); return True; } else { ldap_msgfree(result); ldap_unbind(ldap_struct); return False; } } /********************************************************************** get rid by uid *********************************************************************/ static uint32 ldapsam_uid_to_user_rid(struct pdb_context *context, uid_t uid) { return fallback_pdb_uid_to_user_rid(uid); } /********************************************************************** get uid by rid *********************************************************************/ static uid_t ldapsam_user_rid_to_uid(struct pdb_context *context, uint32 rid) { return fallback_pdb_user_rid_to_uid(rid); } /********************************************************************** Delete entry from LDAP for username *********************************************************************/ static BOOL ldapsam_delete_sam_account(struct pdb_context *context, const SAM_ACCOUNT * sam_acct) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; const char *sname; int rc; char *dn; LDAP *ldap_struct; LDAPMessage *entry; LDAPMessage *result; if (!sam_acct) { DEBUG(0, ("sam_acct was NULL!\n")); return False; } sname = pdb_get_username(sam_acct); if (!ldapsam_open_connection(ldap_state, &ldap_struct)) return False; DEBUG (3, ("Deleting user %s from LDAP.\n", sname)); if (!ldapsam_connect_system(ldap_state, ldap_struct)) { ldap_unbind (ldap_struct); DEBUG(0, ("Failed to delete user %s from LDAP.\n", sname)); return False; } rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, sname, &result); if (ldap_count_entries (ldap_struct, result) == 0) { DEBUG (0, ("User doesn't exit!\n")); ldap_msgfree (result); ldap_unbind (ldap_struct); return False; } entry = ldap_first_entry (ldap_struct, result); dn = ldap_get_dn (ldap_struct, entry); rc = ldap_delete_s (ldap_struct, dn); ldap_memfree (dn); if (rc != LDAP_SUCCESS) { char *ld_error; ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error); DEBUG (0,("failed to delete user with uid = %s with: %s\n\t%s\n", sname, ldap_err2string (rc), ld_error)); free (ld_error); ldap_unbind (ldap_struct); return False; } DEBUG (2,("successfully deleted uid = %s from the LDAP database\n", sname)); ldap_unbind (ldap_struct); return True; } /********************************************************************** Update SAM_ACCOUNT *********************************************************************/ static BOOL ldapsam_update_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; int rc; char *dn; LDAP *ldap_struct; LDAPMessage *result; LDAPMessage *entry; LDAPMod **mods; if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */ return False; if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */ { ldap_unbind(ldap_struct); return False; } rc = ldapsam_search_one_user_by_name(ldap_state, ldap_struct, pdb_get_username(newpwd), &result); if (ldap_count_entries(ldap_struct, result) == 0) { DEBUG(0, ("No user to modify!\n")); ldap_msgfree(result); ldap_unbind(ldap_struct); return False; } if (!init_ldap_from_sam(ldap_state, &mods, LDAP_MOD_REPLACE, newpwd)) { DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n")); ldap_msgfree(result); ldap_unbind(ldap_struct); return False; } entry = ldap_first_entry(ldap_struct, result); dn = ldap_get_dn(ldap_struct, entry); rc = ldap_modify_s(ldap_struct, dn, mods); if (rc != LDAP_SUCCESS) { char *ld_error; ldap_get_option(ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error); DEBUG(0, ("failed to modify user with uid = %s with: %s\n\t%s\n", pdb_get_username(newpwd), ldap_err2string(rc), ld_error)); free(ld_error); ldap_unbind(ldap_struct); return False; } DEBUG(2, ("successfully modified uid = %s in the LDAP database\n", pdb_get_username(newpwd))); ldap_mods_free(mods, 1); ldap_unbind(ldap_struct); return True; } /********************************************************************** Add SAM_ACCOUNT to LDAP *********************************************************************/ static BOOL ldapsam_add_sam_account(struct pdb_context *context, const SAM_ACCOUNT * newpwd) { struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)context->pdb_selected->private_data; int rc; pstring filter; LDAP *ldap_struct = NULL; LDAPMessage *result = NULL; pstring dn; LDAPMod **mods = NULL; int ldap_op; uint32 num_result; if (!ldapsam_open_connection(ldap_state, &ldap_struct)) /* open a connection to the server */ { return False; } if (!ldapsam_connect_system(ldap_state, ldap_struct)) /* connect as system account */ { ldap_unbind(ldap_struct); return False; } rc = ldapsam_search_one_user_by_name (ldap_state, ldap_struct, pdb_get_username(newpwd), &result); if (ldap_count_entries(ldap_struct, result) != 0) { DEBUG(0,("User already in the base, with samba properties\n")); ldap_msgfree(result); ldap_unbind(ldap_struct); return False; } ldap_msgfree(result); slprintf (filter, sizeof (filter) - 1, "uid=%s", pdb_get_username(newpwd)); rc = ldapsam_search_one_user(ldap_state, ldap_struct, filter, &result); num_result = ldap_count_entries(ldap_struct, result); if (num_result > 1) { DEBUG (0, ("More than one user with that uid exists: bailing out!\n")); return False; } /* Check if we need to update an existing entry */ if (num_result == 1) { char *tmp; LDAPMessage *entry; DEBUG(3,("User exists without samba properties: adding them\n")); ldap_op = LDAP_MOD_REPLACE; entry = ldap_first_entry (ldap_struct, result); tmp = ldap_get_dn (ldap_struct, entry); slprintf (dn, sizeof (dn) - 1, "%s", tmp); ldap_memfree (tmp); } else { /* Check if we need to add an entry */ DEBUG(3,("Adding new user\n")); ldap_op = LDAP_MOD_ADD; if ( pdb_get_acct_ctrl( newpwd ) & ACB_WSTRUST ) { slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_machine_suffix ()); } else { slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", pdb_get_username(newpwd), lp_ldap_user_suffix ()); } } ldap_msgfree(result); if (!init_ldap_from_sam(ldap_state, &mods, ldap_op, newpwd)) { DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n")); ldap_mods_free(mods, 1); ldap_unbind(ldap_struct); return False; } make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); if (ldap_op == LDAP_MOD_REPLACE) { rc = ldap_modify_s(ldap_struct, dn, mods); } else { rc = ldap_add_s(ldap_struct, dn, mods); } if (rc != LDAP_SUCCESS) { char *ld_error; ldap_get_option (ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error); DEBUG(0,("failed to modify/add user with uid = %s (dn = %s) with: %s\n\t%s\n", pdb_get_username(newpwd), dn, ldap_err2string (rc), ld_error)); free(ld_error); ldap_mods_free(mods, 1); ldap_unbind(ldap_struct); return False; } DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd))); ldap_mods_free(mods, 1); ldap_unbind(ldap_struct); return True; } static void free_private_data(void **vp) { struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp; if ((*ldap_state)->ldap_struct) { ldap_unbind((*ldap_state)->ldap_struct); } *ldap_state = NULL; /* No need to free any further, as it is talloc()ed */ } NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; struct ldapsam_privates *ldap_state; if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) { return nt_status; } (*pdb_method)->name = "ldapsam"; (*pdb_method)->setsampwent = ldapsam_setsampwent; (*pdb_method)->endsampwent = ldapsam_endsampwent; (*pdb_method)->getsampwent = ldapsam_getsampwent; (*pdb_method)->getsampwnam = ldapsam_getsampwnam; (*pdb_method)->getsampwrid = ldapsam_getsampwrid; (*pdb_method)->add_sam_account = ldapsam_add_sam_account; (*pdb_method)->update_sam_account = ldapsam_update_sam_account; (*pdb_method)->delete_sam_account = ldapsam_delete_sam_account; (*pdb_method)->uid_to_user_rid = ldapsam_uid_to_user_rid; (*pdb_method)->user_rid_to_uid = ldapsam_user_rid_to_uid; /* TODO: Setup private data and free */ ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(struct ldapsam_privates)); if (!ldap_state) { DEBUG(0, ("talloc() failed for ldapsam private_data!\n")); return NT_STATUS_NO_MEMORY; } if (location) { ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location); } else { ldap_state->uri = "ldap://localhost"; return NT_STATUS_INVALID_PARAMETER; } (*pdb_method)->private_data = ldap_state; (*pdb_method)->free_private_data = free_private_data; return NT_STATUS_OK; } NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; struct ldapsam_privates *ldap_state; uint32 low_nua_uid, high_nua_uid; if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location))) { return nt_status; } (*pdb_method)->name = "ldapsam_nua"; ldap_state = (*pdb_method)->private_data; ldap_state->permit_non_unix_accounts = True; if (!lp_non_unix_account_range(&low_nua_uid, &high_nua_uid)) { DEBUG(0, ("cannot use ldapsam_nua without 'non unix account range' in smb.conf!\n")); return NT_STATUS_UNSUCCESSFUL; } ldap_state->low_nua_rid=pdb_uid_to_user_rid(low_nua_uid); ldap_state->high_nua_rid=pdb_uid_to_user_rid(high_nua_uid); return NT_STATUS_OK; } #else NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { DEBUG(0, ("ldapsam not compiled in!\n")); return NT_STATUS_UNSUCCESSFUL; } NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { DEBUG(0, ("ldapsam_nua not compiled in!\n")); return NT_STATUS_UNSUCCESSFUL; } #endif