sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
46968fc60f
samba-mirror/source3/passdb/pdb_ldap.c

6744 lines
179 KiB
C
Raw Normal View History

Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*
r4736: small set of merges from rtunk to minimize the diffs (This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2005-01-14 22:26:13 +03:00
Unix SMB/CIFS implementation.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
LDAP protocol helper functions for SAMBA
[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch. (This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab)
2007-10-11 00:34:30 +04:00
Copyright (C) Jean Fran<EFBFBD>ois Micouleau 1998
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Copyright (C) Gerald Carter 2001-2003
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Copyright (C) Shahms King 2001
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
Copyright (C) Andrew Bartlett 2002-2003
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
Copyright (C) Stefan (metze) Metzmacher 2002-2003
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
Copyright (C) Simo Sorce 2006
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-07-09 23:25:36 +04:00
the Free Software Foundation; either version 3 of the License, or
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
(at your option) any later version.
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
You should have received a copy of the GNU General Public License
r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-07-10 04:52:41 +04:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
/* TODO:
* persistent connections: if using NSS LDAP, many connections are made
* however, using only one within Samba would be nice
*
* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
*
* Other LDAP based login attributes: accountExpires, etc.
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
* (should be the domain of Samba proper, but the sam_password/struct samu
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
* structures don't have fields for some of these attributes)
*
* SSL is done, but can't get the certificate based authentication to work
* against on my test platform (Linux 2.4, OpenLDAP 2.x)
*/
/* NOTE: this will NOT work against an Active Directory server
* due to the fact that the two password fields cannot be retrieved
* from a server; recommend using security = domain in this situation
* and/or winbind
*/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
#include "includes.h"
s3-passdb: add passdb.h where needed. Guenther
2011-03-18 20:58:37 +03:00
#include "passdb.h"
Rework Samba3 to use new libcli/auth code (partial) This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett
2009-03-16 13:27:58 +03:00
#include "../libcli/auth/libcli_auth.h"
s3-secrets: only include secrets.h when needed. Guenther
2010-08-05 04:25:37 +04:00
#include "secrets.h"
s3-idmap: only include idmap headers where needed. Guenther
2010-08-18 20:13:42 +04:00
#include "idmap_cache.h"
libcli/security Provide a common, top level libcli/security/security.h This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 08:27:50 +04:00
#include "../libcli/security/security.h"
lib/util/util_pw: share more code between lib/util/util_pw.c and source3/lib/username.c Guenther
2011-03-02 18:11:00 +03:00
#include "../lib/util/util_pw.h"
s3-winbind: remove global inclusion of libwbclient. Guenther
2011-02-25 00:30:16 +03:00
#include "lib/winbind_util.h"
s3-passdb: Change pdb_sid_to_id() to return struct unixid This will make it easier to consistantly pass a struct unixid all the way up and down the idmap stack, and allow ID_TYPE_BOTH to be handled correctly. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-16 02:16:23 +04:00
#include "librpc/gen_ndr/idmap.h"
lib/param: Move all enum declarations to lib/param This is in preperation for the parameter table being made common. Andrew Bartlett Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-23 06:47:01 +04:00
#include "lib/param/loadparm.h"
s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb() instead of sid_check_sid_is_in_our_sam). This allows for builtin sids, wellknown sids and "Unix User" and "Unix Group" domains. This broadens up the check moved here in commit 02e25b2a43ae02205a3412f862a1482d24b70aa4. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 04:42:38 +04:00
#include "lib/util_sid_passdb.h"
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
#include <lber.h>
#include <ldap.h>
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
working draft of the idmap_ldap code. Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-06-05 06:34:30 +04:00
#include "smbldap.h"
s3-passdb: split out passdb/pdb_ldap.h. Guenther
2011-10-10 23:45:42 +04:00
#include "passdb/pdb_ldap.h"
s3-passdb: split out passdb/pdb_nds.h. Guenther
2011-10-10 23:48:35 +04:00
#include "passdb/pdb_nds.h"
s3: move smbldap_util to pdb_ldap_util. Guenther
2011-10-17 20:00:01 +04:00
#include "passdb/pdb_ldap_util.h"
s3-passdb: split out passdb/pdb_ldap_schema.c Guenther
2011-10-17 20:03:31 +04:00
#include "passdb/pdb_ldap_schema.h"
working draft of the idmap_ldap code. Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-06-05 06:34:30 +04:00
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
/**********************************************************************
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
Simple helper function to make stuff better readable
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
**********************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
s3-passdb: make priv2ld() public Signed-off-by: Günther Deschner <gd@samba.org>
2010-07-15 18:52:32 +04:00
LDAP *priv2ld(struct ldapsam_privates *priv)
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
{
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
return smbldap_get_ldap(priv->smbldap_state);
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Get the attribute name given a user schame version.
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
**********************************************************************/
static const char* get_userattr_key2string( int schema_ver, int key )
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
return get_attr_key2string( attrib_map_v30, key );
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
default:
DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
break;
}
return NULL;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Return the list of attribute names given a user schema version.
**********************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return get_attr_list( mem_ctx, attrib_map_v30 );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
default:
DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
break;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
return NULL;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
/**************************************************************************
Return the list of attribute names to delete given a user schema version.
**************************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
int schema_ver )
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
{
switch ( schema_ver ) {
case SCHEMAVER_SAMBASAMACCOUNT:
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return get_attr_list( mem_ctx,
attrib_map_to_delete_v30 );
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
default:
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
break;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
return NULL;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Generate the LDAP search filter for the objectclass based on the
version of the schema we are using.
******************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
static const char* get_objclass_filter( int schema_ver )
{
static pstring removal (This used to be commit 5490e2d77233f594a42cb32eda8215014db544e3)
2007-11-04 20:15:37 +03:00
fstring objclass_filter;
char *result;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
static pstring removal (This used to be commit 5490e2d77233f594a42cb32eda8215014db544e3)
2007-11-04 20:15:37 +03:00
objclass_filter[0] = '\0';
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
static pstring removal (This used to be commit 5490e2d77233f594a42cb32eda8215014db544e3)
2007-11-04 20:15:37 +03:00
result = talloc_strdup(talloc_tos(), objclass_filter);
SMB_ASSERT(result != NULL);
return result;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
/*****************************************************************
Scan a sequence number off OpenLDAP's syncrepl contextCSN
******************************************************************/
static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
LDAPMessage *msg = NULL;
LDAPMessage *entry = NULL;
TALLOC_CTX *mem_ctx;
char **values = NULL;
int rc, num_result, num_values, rid;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *suffix = NULL;
Remove next_token - all uses must now be next_token_talloc. No more temptations to use static length strings. Jeremy. (This used to be commit ec003f39369910dee852b7cafb883ddaa321c2de)
2007-12-08 04:32:32 +03:00
char *tok;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
const char *p;
const char **attrs;
/* Unfortunatly there is no proper way to detect syncrepl-support in
* smbldap_connect_system(). The syncrepl OIDs are submitted for publication
* but do not show up in the root-DSE yet. Neither we can query the
* subschema-context for the syncProviderSubentry or syncConsumerSubentry
* objectclass. Currently we require lp_ldap_suffix() to show up as
* namingContext. - Guenther
*/
if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
return ntstatus;
}
if (!seq_num) {
DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
return ntstatus;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (!smbldap_has_naming_context(
smbldap_get_ldap(ldap_state->smbldap_state),
lp_ldap_suffix(talloc_tos()))) {
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
"as top-level namingContext\n", lp_ldap_suffix(talloc_tos())));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
mem_ctx = talloc_init("ldapsam_get_seq_num");
if (mem_ctx == NULL)
return NT_STATUS_NO_MEMORY;
s3-talloc Change TALLOC_ARRAY() to talloc_array() Using the standard macro makes it easier to move code into common, as TALLOC_ARRAY isn't standard talloc.
2011-06-07 05:30:12 +04:00
if ((attrs = talloc_array(mem_ctx, const char *, 2)) == NULL) {
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
ntstatus = NT_STATUS_NO_MEMORY;
goto done;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
/* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
if (rid > 0) {
/* consumer syncreplCookie: */
/* csn=20050126161620Z#0000001#00#00000 */
attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
attrs[1] = NULL;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
suffix = talloc_asprintf(mem_ctx,
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
"cn=syncrepl%d,%s", rid, lp_ldap_suffix(talloc_tos()));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!suffix) {
ntstatus = NT_STATUS_NO_MEMORY;
goto done;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
} else {
/* provider contextCSN */
/* 20050126161620Z#000009#00#000000 */
attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
attrs[1] = NULL;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
suffix = talloc_asprintf(mem_ctx,
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
"cn=ldapsync,%s", lp_ldap_suffix(talloc_tos()));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!suffix) {
ntstatus = NT_STATUS_NO_MEMORY;
goto done;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
}
rc = smbldap_search(ldap_state->smbldap_state, suffix,
LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
if (rc != LDAP_SUCCESS) {
goto done;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
num_result = ldap_count_entries(
smbldap_get_ldap(ldap_state->smbldap_state), msg);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (num_result != 1) {
DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
goto done;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(
smbldap_get_ldap(ldap_state->smbldap_state), msg);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (entry == NULL) {
DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
goto done;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
values = ldap_get_values(
smbldap_get_ldap(ldap_state->smbldap_state), entry, attrs[0]);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (values == NULL) {
DEBUG(3,("ldapsam_get_seq_num: no values\n"));
goto done;
}
num_values = ldap_count_values(values);
if (num_values == 0) {
DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
goto done;
}
p = values[0];
Remove next_token - all uses must now be next_token_talloc. No more temptations to use static length strings. Jeremy. (This used to be commit ec003f39369910dee852b7cafb883ddaa321c2de)
2007-12-08 04:32:32 +03:00
if (!next_token_talloc(mem_ctx, &p, &tok, "#")) {
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
goto done;
}
p = tok;
if (!strncmp(p, "csn=", strlen("csn=")))
p += strlen("csn=");
DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
*seq_num = generalized_to_unix_time(p);
/* very basic sanity check */
if (*seq_num <= 0) {
DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
(int)*seq_num));
goto done;
}
ntstatus = NT_STATUS_OK;
done:
if (values != NULL)
ldap_value_free(values);
if (msg != NULL)
ldap_msgfree(msg);
if (mem_ctx)
talloc_destroy(mem_ctx);
return ntstatus;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by name.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
const char *user,
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
LDAPMessage ** result,
const char **attr)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
char *escape_user = escape_ldap_string(talloc_tos(), user);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
int ret = -1;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
if (!escape_user) {
return LDAP_NO_MEMORY;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
* in the filter expression, replace %u with the real name
* so in ldap filter, %u MUST exist :-)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
filter = talloc_asprintf(talloc_tos(), "(&%s%s)", "(uid=%u)",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!filter) {
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_user);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return LDAP_NO_MEMORY;
}
/*
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
* have to use this here because $ is filtered out
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
* in string_sub
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
filter = talloc_all_string_sub(talloc_tos(),
filter, "%u", escape_user);
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_user);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!filter) {
return LDAP_NO_MEMORY;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
ret = smbldap_search_suffix(ldap_state->smbldap_state,
filter, attr, result);
TALLOC_FREE(filter);
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by SID.
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *sid, LDAPMessage ** result,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
const char **attr)
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
int rc;
fstring sid_string;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
filter = talloc_asprintf(talloc_tos(), "(&(%s=%s)%s)",
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_SID),
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
sid_to_fstring(sid_string, sid),
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!filter) {
return LDAP_NO_MEMORY;
}
rc = smbldap_search_suffix(ldap_state->smbldap_state,
filter, attr, result);
TALLOC_FREE(filter);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return rc;
}
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
/*******************************************************************
Delete complete object or objectclass and attrs from
Merge from HEAD: This adds 'ldap delete dn' as the recommended parameter for the 'ldap del only sam attr' functionality. So we are compatiple to the current SuSE patches as well as to TNG... ;-) Volker (This used to be commit 53b5704ff21de6fce097d74dd7f235d3ceccec66)
2003-03-23 12:18:33 +03:00
object found in search_result depending on lp_ldap_delete_dn
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static int ldapsam_delete_entry(struct ldapsam_privates *priv,
TALLOC_CTX *mem_ctx,
LDAPMessage *entry,
const char *objectclass,
const char **attrs)
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
{
LDAPMod **mods = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
char *name;
const char *dn;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
BerElement *ptr = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
if (dn == NULL) {
return LDAP_NO_MEMORY;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
}
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
Merge from HEAD: This adds 'ldap delete dn' as the recommended parameter for the 'ldap del only sam attr' functionality. So we are compatiple to the current SuSE patches as well as to TNG... ;-) Volker (This used to be commit 53b5704ff21de6fce097d74dd7f235d3ceccec66)
2003-03-23 12:18:33 +03:00
if (lp_ldap_delete_dn()) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return smbldap_delete(priv->smbldap_state, dn);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
}
/* Ok, delete only the SAM attributes */
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
name != NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attrib;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
/* We are only allowed to delete the attributes that
really exist. */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
for (attrib = attrs; *attrib != NULL; attrib++) {
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
if (strequal(*attrib, name)) {
DEBUG(10, ("ldapsam_delete_entry: deleting "
"attribute %s\n", name));
smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
NULL);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
}
}
ldap_memfree(name);
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
if (ptr != NULL) {
ber_free(ptr, 0);
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return smbldap_modify(priv->smbldap_state, dn, mods);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
r13601: * Remove unused code from pdb_ldap.c * Add a 'struct passwd *' to the struct samu for later reference (I know this may be controversial but its easily reverted which is is why I'm checking this is as a seaparate patch before I get too deep). * Remove unix_homedir from struct samu {} and update the pdb wrapper functions associated with it. (This used to be commit 92c251fdf0f1f566cfeca3c75ba2284b644aef5d)
2006-02-21 22:22:49 +03:00
static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry)
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *temp;
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
struct tm tm;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
temp = smbldap_talloc_single_attribute(
smbldap_get_ldap(ldap_state->smbldap_state), entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
talloc_tos());
if (!temp) {
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
return (time_t) 0;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
r23194: cherry pick two fixes from SAMBA_3_0_26 * strptime() failure check * make legcacy sid/uid/gid calls static (This used to be commit 3c9fb1c6f3263c0ce6edbf2a8824c153317a84a3)
2007-05-29 17:20:40 +04:00
if ( !strptime(temp, "%Y%m%d%H%M%SZ", &tm)) {
DEBUG(2,("ldapsam_get_entry_timestamp: strptime failed on: %s\n",
(char*)temp));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(temp);
r23194: cherry pick two fixes from SAMBA_3_0_26 * strptime() failure check * make legcacy sid/uid/gid calls static (This used to be commit 3c9fb1c6f3263c0ce6edbf2a8824c153317a84a3)
2007-05-29 17:20:40 +04:00
return (time_t) 0;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(temp);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
tzset();
Use timegm, or our already existing replacement instead of timezone, as some platforms (FreeBSD in this case) don't define timezone according to posix. This is what I wanted to do anyway. Spotted by Andrzej Tobola <san@iem.pw.edu.pl> (This used to be commit bc13e35db0b8b265f87553d4df1c7326710cb3fa)
2004-03-25 21:25:41 +03:00
return timegm(&tm);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Initialize struct samu from an LDAP query.
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(Based on init_sam_from_buffer in pdb_tdb.c)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu * sampass,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
LDAPMessage * entry)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
time_t logon_time,
logoff_time,
kickoff_time,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pass_last_set_time,
pass_can_change_time,
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
ldap_entry_time,
bad_password_time;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *username = NULL,
*domain = NULL,
*nt_username = NULL,
*fullname = NULL,
*homedir = NULL,
*dir_drive = NULL,
*logon_script = NULL,
*profile_path = NULL,
*acct_desc = NULL,
*workstations = NULL,
*munged_dial = NULL;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t user_rid;
Convert all uses of uint32/16/8 to _t in source3/passdb. Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-09 23:34:31 +03:00
uint8_t smblmpwd[LM_HASH_LEN],
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
smbntpwd[NT_HASH_LEN];
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool use_samba_attrs = True;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t acct_ctrl = 0;
uint16_t logon_divs;
uint16_t bad_password_count = 0,
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
logon_count = 0;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t hours_len;
Convert all uses of uint32/16/8 to _t in source3/passdb. Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-09 23:34:31 +03:00
uint8_t hours[MAX_HOURS_LEN];
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *temp = NULL;
s3: Make login_cache_read take a pointer, avoid a malloc
2010-03-17 00:18:52 +03:00
struct login_cache cache_entry;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t pwHistLen;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool expand_explicit = lp_passdb_expand_explicit();
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
bool ret = false;
TALLOC_CTX *ctx = talloc_init("init_sam_from_ldap");
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!ctx) {
return false;
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (sampass == NULL || ldap_state == NULL || entry == NULL) {
util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30 22:21:25 +03:00
DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30 22:21:25 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (priv2ld(ldap_state) == NULL) {
DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
"ldap_struct is NULL!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
s3:pdb_ldap: restore Samba 3.0.x behavior and use the first "uid" value. See bug #6157 for more details. metze Signed-off-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 25806f43ddee7e2653e907eea2c6fcc075960fa1)
2010-01-05 15:30:42 +03:00
if (!(username = smbldap_talloc_first_attribute(priv2ld(ldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
"uid",
ctx))) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
"this user!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
nt_username = talloc_strdup(ctx, username);
if (!nt_username) {
goto fn_exit;
}
domain = talloc_strdup(ctx, ldap_state->domain_name);
if (!domain) {
goto fn_exit;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_DEFAULT);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
fix bug #108; sambaSambaAccount string attributes are case insensitive; don't try to change a string that only differs in case (This used to be commit 01ef08352007487040edefcc0b99ca79823cbddf)
2003-05-22 21:07:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/* deal with different attributes between the schema first */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if ((temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_SID),
ctx))!=NULL) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
} else {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if ((temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_RID),
ctx))!=NULL) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
user_rid = (uint32_t)atol(temp);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
s3: Hide some uses of pdb_get_init_flags (which I would love to remove...)
2010-02-05 17:40:12 +03:00
if (IS_SAM_DEFAULT(sampass, PDB_USERSID)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_SID),
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_RID),
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
username));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return False;
}
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PWD_LAST_SET),
ctx);
if (temp) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
pass_last_set_time = (time_t) atol(temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_pass_last_set_time(sampass,
pass_last_set_time, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LOGON_TIME),
ctx);
if (temp) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
logon_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_logon_time(sampass, logon_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LOGOFF_TIME),
ctx);
if (temp) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
logoff_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_KICKOFF_TIME),
ctx);
if (temp) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
kickoff_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PWD_CAN_CHANGE),
ctx);
if (temp) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
pass_can_change_time = (time_t) atol(temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_pass_can_change_time(sampass,
pass_can_change_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* recommend that 'gecos' and 'displayName' should refer to the same
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
* attribute OID. userFullName depreciated, only used by Samba
* primary rules of LDAP: don't make a new attribute when one is already defined
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
* that fits your needs; using cn then displayName rather than 'userFullName'
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
fullname = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_DISPLAY_NAME),
ctx);
if (fullname) {
pdb_set_fullname(sampass, fullname, PDB_SET);
} else {
fullname = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_CN),
ctx);
if (fullname) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_fullname(sampass, fullname, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
dir_drive = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_HOME_DRIVE),
ctx);
if (dir_drive) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
} else {
pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
homedir = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_HOME_PATH),
ctx);
if (homedir) {
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
if (expand_explicit) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
homedir = talloc_sub_basic(ctx,
username,
domain,
homedir);
if (!homedir) {
goto fn_exit;
}
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_homedir(sampass, homedir, PDB_SET);
} else {
pdb_set_homedir(sampass,
talloc_sub_basic(ctx, username, domain,
lp_logon_home()),
PDB_DEFAULT);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
logon_script = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LOGON_SCRIPT),
ctx);
if (logon_script) {
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
if (expand_explicit) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
logon_script = talloc_sub_basic(ctx,
username,
domain,
logon_script);
if (!logon_script) {
goto fn_exit;
}
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_logon_script(sampass, logon_script, PDB_SET);
} else {
pdb_set_logon_script(sampass,
talloc_sub_basic(ctx, username, domain,
lp_logon_script()),
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
profile_path = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PROFILE_PATH),
ctx);
if (profile_path) {
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
if (expand_explicit) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
profile_path = talloc_sub_basic(ctx,
username,
domain,
profile_path);
if (!profile_path) {
goto fn_exit;
}
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_profile_path(sampass, profile_path, PDB_SET);
} else {
pdb_set_profile_path(sampass,
talloc_sub_basic(ctx, username, domain,
lp_logon_path()),
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
acct_desc = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_DESC),
ctx);
if (acct_desc) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
workstations = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_WKS),
ctx);
if (workstations) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_workstations(sampass, workstations, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
munged_dial = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_MUNGED_DIAL),
ctx);
if (munged_dial) {
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* FIXME: hours stuff should be cleaner */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
logon_divs = 168;
hours_len = 21;
memset(hours, 0xff, hours_len);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (ldap_state->is_nds_ldap) {
char *user_dn;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
size_t pwd_len;
r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader (This used to be commit b0f43460822eb5175c854959181de05307d73415)
2005-03-22 20:08:09 +03:00
char clear_text_pw[512];
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
/* Make call to Novell eDirectory ldap extension to get clear text password.
NOTE: This will only work if we have an SSL connection to eDirectory. */
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
user_dn = smbldap_talloc_dn(
ctx, smbldap_get_ldap(ldap_state->smbldap_state),
entry);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (user_dn != NULL) {
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
DEBUG(3, ("init_sam_from_ldap: smbldap_talloc_dn(ctx, %s) returned '%s'\n", username, user_dn));
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
pwd_len = sizeof(clear_text_pw);
if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(user_dn);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
return False;
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
}
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
ZERO_STRUCT(smblmpwd);
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(user_dn);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
return False;
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
}
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
ZERO_STRUCT(smbntpwd);
use_samba_attrs = False;
}
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(user_dn);
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
} else {
DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (use_samba_attrs) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LMPW),
ctx);
if (temp) {
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
pdb_gethexpwd(temp, smblmpwd);
memset((char *)temp, '\0', strlen(temp)+1);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
goto fn_exit;
}
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
ZERO_STRUCT(smblmpwd);
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_NTPW),
ctx);
if (temp) {
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
pdb_gethexpwd(temp, smbntpwd);
memset((char *)temp, '\0', strlen(temp)+1);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
goto fn_exit;
}
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
ZERO_STRUCT(smbntpwd);
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
}
pwHistLen = 0;
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (pwHistLen > 0){
Convert all uses of uint32/16/8 to _t in source3/passdb. Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-09 23:34:31 +03:00
uint8_t *pwhist = NULL;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
int i;
s3-talloc Change TALLOC_ARRAY() to talloc_array() Using the standard macro makes it easier to move code into common, as TALLOC_ARRAY isn't standard talloc.
2011-06-07 05:30:12 +04:00
char *history_string = talloc_array(ctx, char,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
MAX_PW_HISTORY_LEN*64);
if (!history_string) {
goto fn_exit;
}
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
r15649: Allow to store 24 password history entries in ldapsam (same limit as on Windows). Fixes bug #1914. Guenther (This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
2006-05-17 02:03:05 +04:00
pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
r2819: Make 'password history'-behaviour in ldapsam more consistent. Currently we cannot store more then 15 password history entries (windows NT4 allows to store 24) in ldapsam. When choosing more then "15" with pdbedit -P "password history", we fail to initialize the password history upon password change and overwrite the history, effectively using a password history of "1". We do already decrease any history-policy larger then 15 to 15 while storing the password history list attribute in ldap. Guenther (This used to be commit a4b47e71475a06c2e2287613b00648c5f53ae52c)
2004-10-04 19:53:33 +04:00
Convert all uses of uint32/16/8 to _t in source3/passdb. Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-09 23:34:31 +03:00
pwhist = talloc_zero_array(ctx, uint8_t,
passdb: Use talloc_zero_array Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net> Autobuild-User(master): Martin Schwenke <martins@samba.org> Autobuild-Date(master): Sat Sep 20 08:29:31 CEST 2014 on sn-devel-104
2014-09-20 04:08:44 +04:00
pwHistLen * PW_HISTORY_ENTRY_LEN);
s3:pdb_ldap:init_sam_from_ldap: untangle an assignment from the check to enhance readability and denbuggability. Michael
2010-01-05 20:22:25 +03:00
if (pwhist == NULL) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
DEBUG(0, ("init_sam_from_ldap: talloc failed!\n"));
goto fn_exit;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (smbldap_get_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PWD_HISTORY),
history_string,
MAX_PW_HISTORY_LEN*64)) {
bool hex_failed = false;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
for (i = 0; i < pwHistLen; i++){
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* Get the 16 byte salt. */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!pdb_gethexpwd(&history_string[i*64],
&pwhist[i*PW_HISTORY_ENTRY_LEN])) {
hex_failed = true;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
break;
}
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* Get the 16 byte MD5 hash of salt+passwd. */
r15649: Allow to store 24 password history entries in ldapsam (same limit as on Windows). Fixes bug #1914. Guenther (This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
2006-05-17 02:03:05 +04:00
if (!pdb_gethexpwd(&history_string[(i*64)+32],
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
&pwhist[(i*PW_HISTORY_ENTRY_LEN)+
PW_HISTORY_SALT_LEN])) {
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
hex_failed = True;
break;
}
}
if (hex_failed) {
pdb_ldap: Raise level for debug message to avoid log file flooding. (This used to be commit 9b863a10da8762f715c16f147d6cd1e79422d248)
2008-07-24 11:45:02 +04:00
DEBUG(2,("init_sam_from_ldap: Failed to get password history for user %s\n",
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
username));
memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
}
}
if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
}
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_ACB_INFO),
ctx);
if (temp) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
acct_ctrl = pdb_decode_acct_ctrl(temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (acct_ctrl == 0) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
acct_ctrl |= ACB_NORMAL;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
}
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
} else {
acct_ctrl |= ACB_NORMAL;
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_hours_len(sampass, hours_len, PDB_SET);
pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_BAD_PASSWORD_COUNT),
ctx);
if (temp) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
bad_password_count = (uint32_t) atol(temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_bad_password_count(sampass,
bad_password_count, PDB_SET);
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_BAD_PASSWORD_TIME),
ctx);
if (temp) {
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
bad_password_time = (time_t) atol(temp);
pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LOGON_COUNT),
ctx);
if (temp) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
logon_count = (uint32_t) atol(temp);
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
pdb_set_logon_count(sampass, logon_count, PDB_SET);
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LOGON_HOURS),
ctx);
if (temp) {
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
pdb_gethexhours(temp, hours);
memset((char *)temp, '\0', strlen(temp) +1);
s3: Add "len" to pdb_set_hours
2011-02-16 18:47:23 +03:00
pdb_set_hours(sampass, hours, hours_len, PDB_SET);
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
ZERO_STRUCT(hours);
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
struct passwd unix_pw;
bool have_uid = false;
bool have_gid = false;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid mapped_gsid;
const struct dom_sid *primary_gsid;
s3-idmap: convert most idmap_cache callers to unixid API This will eventually allow the struct unixid to be passed all the way up and down the stack. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-23 14:11:33 +04:00
struct unixid id;
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
ZERO_STRUCT(unix_pw);
unix_pw.pw_name = username;
unix_pw.pw_passwd = discard_const_p(char, "x");
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
priv2ld(ldap_state),
entry,
"uidNumber",
ctx);
if (temp) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* We've got a uid, feed the cache */
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
unix_pw.pw_uid = strtoul(temp, NULL, 10);
have_uid = true;
}
temp = smbldap_talloc_single_attribute(
priv2ld(ldap_state),
entry,
"gidNumber",
ctx);
if (temp) {
/* We've got a uid, feed the cache */
unix_pw.pw_gid = strtoul(temp, NULL, 10);
have_gid = true;
}
unix_pw.pw_gecos = smbldap_talloc_single_attribute(
priv2ld(ldap_state),
entry,
"gecos",
ctx);
pdb: Fix segfault in pdb_ldap for missing gecos Bug: https://bugzilla.samba.org/show_bug.cgi?id=11530 Signed-off-by: Luca Olivetti <luca@wetron.es> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Fri Feb 5 16:47:00 CET 2016 on sn-devel-144
2016-02-05 14:02:51 +03:00
if (unix_pw.pw_gecos == NULL) {
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
unix_pw.pw_gecos = fullname;
}
unix_pw.pw_dir = smbldap_talloc_single_attribute(
priv2ld(ldap_state),
entry,
"homeDirectory",
ctx);
pdb: Fix segfault in pdb_ldap for missing gecos Bug: https://bugzilla.samba.org/show_bug.cgi?id=11530 Signed-off-by: Luca Olivetti <luca@wetron.es> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Fri Feb 5 16:47:00 CET 2016 on sn-devel-144
2016-02-05 14:02:51 +03:00
if (unix_pw.pw_dir == NULL) {
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
unix_pw.pw_dir = discard_const_p(char, "");
}
unix_pw.pw_shell = smbldap_talloc_single_attribute(
priv2ld(ldap_state),
entry,
"loginShell",
ctx);
pdb: Fix segfault in pdb_ldap for missing gecos Bug: https://bugzilla.samba.org/show_bug.cgi?id=11530 Signed-off-by: Luca Olivetti <luca@wetron.es> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Fri Feb 5 16:47:00 CET 2016 on sn-devel-144
2016-02-05 14:02:51 +03:00
if (unix_pw.pw_shell == NULL) {
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
unix_pw.pw_shell = discard_const_p(char, "");
}
if (have_uid && have_gid) {
sampass->unix_pw = tcopy_passwd(sampass, &unix_pw);
} else {
sampass->unix_pw = Get_Pwnam_alloc(sampass, unix_pw.pw_name);
}
if (sampass->unix_pw == NULL) {
DEBUG(0,("init_sam_from_ldap: Failed to find Unix account for %s\n",
pdb_get_username(sampass)));
goto fn_exit;
}
s3-idmap: convert most idmap_cache callers to unixid API This will eventually allow the struct unixid to be passed all the way up and down the stack. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-23 14:11:33 +04:00
id.id = sampass->unix_pw->pw_uid;
id.type = ID_TYPE_UID;
idmap_cache_set_sid2unixid(pdb_get_user_sid(sampass), &id);
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
gid_to_sid(&mapped_gsid, sampass->unix_pw->pw_gid);
primary_gsid = pdb_get_group_sid(sampass);
s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions. Guenther
2010-08-26 17:48:50 +04:00
if (primary_gsid && dom_sid_equal(primary_gsid, &mapped_gsid)) {
s3-idmap: convert most idmap_cache callers to unixid API This will eventually allow the struct unixid to be passed all the way up and down the stack. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-23 14:11:33 +04:00
id.id = sampass->unix_pw->pw_gid;
id.type = ID_TYPE_GID;
idmap_cache_set_sid2unixid(primary_gsid, &id);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
/* check the timestamp of the cache vs ldap entry */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
entry))) {
ret = true;
goto fn_exit;
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
/* see if we have newer updates */
s3: Make login_cache_read take a pointer, avoid a malloc
2010-03-17 00:18:52 +03:00
if (!login_cache_read(sampass, &cache_entry)) {
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
(unsigned int)pdb_get_bad_password_count(sampass),
(unsigned int)pdb_get_bad_password_time(sampass)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
ret = true;
goto fn_exit;
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
(unsigned int)ldap_entry_time,
s3: Make login_cache_read take a pointer, avoid a malloc
2010-03-17 00:18:52 +03:00
(unsigned int)cache_entry.entry_timestamp,
(unsigned int)cache_entry.bad_password_time));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
s3: Make login_cache_read take a pointer, avoid a malloc
2010-03-17 00:18:52 +03:00
if (ldap_entry_time > cache_entry.entry_timestamp) {
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
/* cache is older than directory , so
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
we need to delete the entry but allow the
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
fields to be written out */
login_cache_delentry(sampass);
} else {
/* read cache in */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_acct_ctrl(sampass,
pdb_get_acct_ctrl(sampass) |
s3: Make login_cache_read take a pointer, avoid a malloc
2010-03-17 00:18:52 +03:00
(cache_entry.acct_ctrl & ACB_AUTOLOCK),
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
PDB_SET);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_bad_password_count(sampass,
s3: Make login_cache_read take a pointer, avoid a malloc
2010-03-17 00:18:52 +03:00
cache_entry.bad_password_count,
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
PDB_SET);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_set_bad_password_time(sampass,
s3: Make login_cache_read take a pointer, avoid a malloc
2010-03-17 00:18:52 +03:00
cache_entry.bad_password_time,
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
PDB_SET);
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
ret = true;
fn_exit:
TALLOC_FREE(ctx);
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Initialize the ldap db from a struct samu. Called on update.
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(Based on init_buffer_from_sam in pdb_tdb.c)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
static bool init_ldap_from_sam (struct ldapsam_privates *ldap_state,
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
LDAPMessage *existing,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
LDAPMod *** mods, struct samu * sampass,
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool (*need_update)(const struct samu *,
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
enum pdb_elements))
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *temp = NULL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30 22:21:25 +03:00
if (mods == NULL || sampass == NULL) {
DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
return False;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*mods = NULL;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
/*
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
* took out adding "objectclass: sambaAccount"
* do this on a per-mod basis
*/
r14756: Make smbpasswd -a root work for eDirectory where there is no "account" structural objectclass. Guenther (This used to be commit 7eefeaad352597b6f97160b1abc0dc032c0b46b2)
2006-03-29 18:52:03 +04:00
if (need_update(sampass, PDB_USERNAME)) {
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
"uid", pdb_get_username(sampass));
r14756: Make smbpasswd -a root work for eDirectory where there is no "account" structural objectclass. Guenther (This used to be commit 7eefeaad352597b6f97160b1abc0dc032c0b46b2)
2006-03-29 18:52:03 +04:00
if (ldap_state->is_nds_ldap) {
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
"cn", pdb_get_username(sampass));
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
"sn", pdb_get_username(sampass));
r14756: Make smbpasswd -a root work for eDirectory where there is no "account" structural objectclass. Guenther (This used to be commit 7eefeaad352597b6f97160b1abc0dc032c0b46b2)
2006-03-29 18:52:03 +04:00
}
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
- Merge a memory leak fix from HEAD - change update behaviour for new RIDs: - store the new RID into the SAM_ACCOUNT, so that the caller get's it back automaticly - use this to make the code paths simpiler for the normal 'need_update' code. We must always store a RID if we intend to use the sambaAccount objectClass Andrew Bartlett (This used to be commit 5edeee5116b9c775a1bded1d53cb2b22c7a2765f)
2003-04-23 04:59:19 +04:00
/* only update the RID if we actually need to */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (need_update(sampass, PDB_USERSID)) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
fstring sid_string;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *user_sid = pdb_get_user_sid(sampass);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
sid_to_fstring(sid_string, user_sid));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
default:
DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
break;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
/* we don't need to store the primary group RID - so leaving it
'free' to hang off the unix primary group makes life easier */
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (need_update(sampass, PDB_GROUPSID)) {
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
fstring sid_string;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *group_sid = pdb_get_group_sid(sampass);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
get_userattr_key2string(ldap_state->schema_ver,
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_fstring(sid_string, group_sid));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
default:
DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
break;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* displayName, cn, and gecos should all be the same
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
* most easily accomplished by giving them the same OID
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
* gecos isn't set here b/c it should be handled by the
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
* add-user script
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
* We change displayName only and fall back to cn if
* it does not exist.
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
*/
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_FULLNAME))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
pdb_get_fullname(sampass));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_ACCTDESC))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
pdb_get_acct_desc(sampass));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_WORKSTATIONS))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
pdb_get_workstations(sampass));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
if (need_update(sampass, PDB_MUNGEDDIAL))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
pdb_get_munged_dial(sampass));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_SMBHOME))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
pdb_get_homedir(sampass));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_DRIVE))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
pdb_get_dir_drive(sampass));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGONSCRIPT))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
pdb_get_logon_script(sampass));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_PROFILE))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
pdb_get_profile_path(sampass));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Fix printf warnings found on systems where time_t <> long int. Jeremy.
2009-02-20 00:36:20 +03:00
if (asprintf(&temp, "%li", (long int)pdb_get_logon_time(sampass)) < 0) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return false;
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGONTIME))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(temp);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
Fix printf warnings found on systems where time_t <> long int. Jeremy.
2009-02-20 00:36:20 +03:00
if (asprintf(&temp, "%li", (long int)pdb_get_logoff_time(sampass)) < 0) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return false;
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGOFFTIME))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Fix printf warnings found on systems where time_t <> long int. Jeremy.
2009-02-20 00:36:20 +03:00
if (asprintf(&temp, "%li", (long int)pdb_get_kickoff_time(sampass)) < 0) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return false;
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_KICKOFFTIME))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Fix printf warnings found on systems where time_t <> long int. Jeremy.
2009-02-20 00:36:20 +03:00
if (asprintf(&temp, "%li", (long int)pdb_get_pass_can_change_time_noncalc(sampass)) < 0) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return false;
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_CANCHANGETIME))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
|| (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (need_update(sampass, PDB_LMPASSWD)) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (lm_pw) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char pwstr[34];
pdb_sethexpwd(pwstr, lm_pw,
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
pdb_get_acct_ctrl(sampass));
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pwstr);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
} else {
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
NULL);
}
}
if (need_update(sampass, PDB_NTPASSWD)) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
const uchar *nt_pw = pdb_get_nt_passwd(sampass);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (nt_pw) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char pwstr[34];
pdb_sethexpwd(pwstr, nt_pw,
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
pdb_get_acct_ctrl(sampass));
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pwstr);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
} else {
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(
ldap_state->smbldap_state),
existing, mods,
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
NULL);
}
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (need_update(sampass, PDB_PWHISTORY)) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *pwstr = NULL;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t pwHistLen = 0;
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pwstr = SMB_MALLOC_ARRAY(char, 1024);
if (!pwstr) {
return false;
}
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (pwHistLen == 0) {
/* Remove any password history from the LDAP store. */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
memset(pwstr, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
pwstr[64] = '\0';
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
} else {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
int i;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t currHistLen = 0;
Convert all uses of uint32/16/8 to _t in source3/passdb. Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-09 23:34:31 +03:00
const uint8_t *pwhist = pdb_get_pw_history(sampass, &currHistLen);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (pwhist != NULL) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
/* We can only store (1024-1/64 password history entries. */
pwHistLen = MIN(pwHistLen, ((1024-1)/64));
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
for (i=0; i< pwHistLen && i < currHistLen; i++) {
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* Store the salt. */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_sethexpwd(&pwstr[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* Followed by the md5 hash of salt + md4 hash */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pdb_sethexpwd(&pwstr[(i*64)+32],
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
&pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
DEBUG(100, ("pwstr=%s\n", pwstr));
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
}
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
pwstr);
SAFE_FREE(pwstr);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
}
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (need_update(sampass, PDB_PASSLASTSET)) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (asprintf(&temp, "%li",
Fix printf warnings found on systems where time_t <> long int. Jeremy.
2009-02-20 00:36:20 +03:00
(long int)pdb_get_pass_last_set_time(sampass)) < 0) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return false;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(temp);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
if (need_update(sampass, PDB_HOURS)) {
Convert all uses of uint32/16/8 to _t in source3/passdb. Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-09 23:34:31 +03:00
const uint8_t *hours = pdb_get_hours(sampass);
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
if (hours) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char hourstr[44];
pdb_sethexhours(hourstr, hours);
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
existing,
mods,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LOGON_HOURS),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
hourstr);
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
}
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_ACCTCTRL))
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(
smbldap_get_ldap(ldap_state->smbldap_state),
existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
/* password lockout cache:
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
- If we are now autolocking or clearing, we write to ldap
- If we are clearing, we delete the cache entry
- If the count is > 0, we update the cache
This even means when autolocking, we cache, just in case the
update doesn't work, and we have to cache the autolock flag */
if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint16_t badcount = pdb_get_bad_password_count(sampass);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
time_t badtime = pdb_get_bad_password_time(sampass);
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t pol;
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &pol);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
(unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
if ((badcount >= pol) || (badcount == 0)) {
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
(unsigned int)badcount, (unsigned int)badtime));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (asprintf(&temp, "%li", (long)badcount) < 0) {
return false;
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
smbldap_make_mod(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
existing, mods,
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
get_userattr_key2string(
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
ldap_state->schema_ver,
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
LDAP_ATTR_BAD_PASSWORD_COUNT),
temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(temp);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
Fix printf warnings found on systems where time_t <> long int. Jeremy.
2009-02-20 00:36:20 +03:00
if (asprintf(&temp, "%li", (long int)badtime) < 0) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return false;
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
smbldap_make_mod(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
existing, mods,
get_userattr_key2string(
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
ldap_state->schema_ver,
LDAP_ATTR_BAD_PASSWORD_TIME),
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
temp);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(temp);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
}
if (badcount == 0) {
DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
login_cache_delentry(sampass);
} else {
s3: Remove a typedef
2010-03-17 00:08:37 +03:00
struct login_cache cache_entry;
r910: Fix for bug #1385 found by Jason Mader <jason@ncac.gwu.edu>. Don't use non-consts in a structure initialization. Jeremy. (This used to be commit 455ed258b3457ad5b7d3dad14b64781ab98f00dc)
2004-05-26 21:45:12 +04:00
cache_entry.entry_timestamp = time(NULL);
cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
cache_entry.bad_password_count = badcount;
cache_entry.bad_password_time = badtime;
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
DEBUG(7, ("Updating bad password count and time in login cache\n"));
s3: Make login_cache_write take a pointer
2010-03-17 00:22:21 +03:00
login_cache_write(sampass, &cache_entry);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return True;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
End enumeration of the LDAP password list.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
static void ldapsam_endsampwent(struct pdb_methods *my_methods)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (ldap_state->result) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list,
const char *new_attr)
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
{
int i;
r2374: Fix from Vince Brimhall vbrimhall@novell.com for ldapsam_compat. Be robust against NULL attributes. Jeremy. (This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
2004-09-17 05:13:47 +04:00
if (new_attr == NULL) {
return;
}
for (i=0; (*attr_list)[i] != NULL; i++) {
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
;
r2374: Fix from Vince Brimhall vbrimhall@novell.com for ldapsam_compat. Be robust against NULL attributes. Jeremy. (This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
2004-09-17 05:13:47 +04:00
}
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
s3-talloc Change TALLOC_REALLOC_ARRAY() to talloc_realloc() Using the standard macro makes it easier to move code into common, as TALLOC_REALLOC_ARRAY isn't standard talloc. Andrew Bartlett
2011-06-07 05:10:15 +04:00
(*attr_list) = talloc_realloc(mem_ctx, (*attr_list),
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *, i+2);
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
SMB_ASSERT((*attr_list) != NULL);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
(*attr_list)[i] = talloc_strdup((*attr_list), new_attr);
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
(*attr_list)[i+1] = NULL;
}
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
static void ldapsam_add_unix_attributes(TALLOC_CTX *mem_ctx,
const char ***attr_list)
{
append_attr(mem_ctx, attr_list, "uidNumber");
append_attr(mem_ctx, attr_list, "gidNumber");
append_attr(mem_ctx, attr_list, "homeDirectory");
append_attr(mem_ctx, attr_list, "loginShell");
append_attr(mem_ctx, attr_list, "gecos");
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Get struct samu entry from LDAP by username.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
int count;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char ** attr_list;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
int rc;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
attr_list = get_userattr_list( user, ldap_state->schema_ver );
append_attr(user, &attr_list,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP));
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
ldapsam_add_unix_attributes(user, &attr_list);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
attr_list);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ( rc != LDAP_SUCCESS )
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
result);
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
if (count < 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
return NT_STATUS_NO_SUCH_USER;
} else if (count > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
result);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if (entry) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (!init_sam_from_ldap(ldap_state, user, entry)) {
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pdb_set_backend_private_data(user, result, NULL,
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
my_methods, PDB_CHANGED);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(user, result);
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
ret = NT_STATUS_OK;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
} else {
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_msgfree(result);
}
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *sid, LDAPMessage **result)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
int rc = -1;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char ** attr_list;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
case SCHEMAVER_SAMBASAMACCOUNT: {
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return LDAP_NO_MEMORY;
}
attr_list = get_userattr_list(tmp_ctx,
ldap_state->schema_ver);
append_attr(tmp_ctx, &attr_list,
get_userattr_key2string(
ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP));
s3:pdb_ldap: try to build the full unix_pw structure with ldapsam:trusted support And also store the gid_to_sid mappings in the idmap_cache. metze
2010-02-04 19:19:57 +03:00
ldapsam_add_unix_attributes(tmp_ctx, &attr_list);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
result, attr_list);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(tmp_ctx);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ( rc != LDAP_SUCCESS )
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
s3-passdb: Remove obsolte ldapsam_compat support.
2012-06-22 18:27:56 +04:00
default:
DEBUG(0,("Invalid schema version specified\n"));
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
break;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
}
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Get struct samu entry from LDAP by SID.
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const struct dom_sid *sid)
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
int count;
int rc;
rc = ldapsam_get_ldap_user_by_sid(ldap_state,
sid, &result);
if (rc != LDAP_SUCCESS)
return NT_STATUS_NO_SUCH_USER;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
result);
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (count < 1) {
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] "
"count=%d\n", sid_string_dbg(sid), count));
Try to fix memory leaks found by valgrind in pdb_ldap code. Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-07 07:22:37 +04:00
ldap_msgfree(result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
return NT_STATUS_NO_SUCH_USER;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
} else if (count > 1) {
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID "
"[%s]. Failing. count=%d\n", sid_string_dbg(sid),
count));
Try to fix memory leaks found by valgrind in pdb_ldap code. Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-07 07:22:37 +04:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (!entry) {
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
ldap_msgfree(result);
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
return NT_STATUS_NO_SUCH_USER;
}
if (!init_sam_from_ldap(ldap_state, user, entry)) {
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pdb_set_backend_private_data(user, result, NULL,
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
my_methods, PDB_CHANGED);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(user, result);
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
return NT_STATUS_OK;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Do the actual modification - also change a plaintext passord if
it it set.
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
**********************************************************************/
static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu *newpwd, char *dn,
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
LDAPMod **mods, int ldap_op,
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool (*need_update)(const struct samu *, enum pdb_elements))
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
{
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
int rc;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13979: We've dereferenced my_methods already, so there's no point in checking for != NULL. Coverity #149. Volker (This used to be commit d38e05329a77650d8fbb8611ca148964f62c9ba4)
2006-03-07 22:24:28 +03:00
if (!newpwd || !dn) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_INVALID_PARAMETER;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
need_update(newpwd, PDB_PLAINTEXT_PW) &&
(pdb_get_plaintext_passwd(newpwd)!=NULL)) {
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
BerElement *ber;
struct berval *bv;
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
char *retoid = NULL;
struct berval *retdata = NULL;
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
char *utf8_password;
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
char *utf8_dn;
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
size_t converted_size;
Fix bug 5886 Ok, that's a very long-standing one. I finally got around to install a recent OpenLDAP and test the different variants of setting a NULL password etc. Thanks all for your patience! Volker
2009-07-15 01:12:59 +04:00
int ret;
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (!ldap_state->is_nds_ldap) {
r15633: Minor smbldap/pdb_ldap cleanup Guenther (This used to be commit 1b5a712467ab8f35211b59bb703a42bdc5e0dfc0)
2006-05-16 17:26:49 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (!smbldap_has_extension(
smbldap_get_ldap(
ldap_state->smbldap_state),
LDAP_EXOP_MODIFY_PASSWD)) {
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
DEBUG(2, ("ldap password change requested, but LDAP "
"server does not support it -- ignoring\n"));
return NT_STATUS_OK;
}
r2619: Only issue the ldap extended password change operation if the ldap server supports it. This might be a fix for bugs 1823 and 1545, notifying both. Also ignore object class violation errors from the extended operation. We don't have the userPassword field in sambaSamAccount, and if we have such broken setup with user in /etc/passwd and only samba attribs in ldap, we fail this :-) Volker (This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
2004-09-25 14:12:34 +04:00
}
Convert Samba3 to use the common lib/util/charset API This removes calls to push_*_allocate() and pull_*_allocate(), as well as convert_string_allocate, as they are not in the common API To allow transition to a common charcnv in future, provide Samba4-like strupper functions in source3/lib/charcnv.c (the actual implementation remains distinct, but the API is now shared) Andrew Bartlett
2009-03-19 04:20:11 +03:00
if (!push_utf8_talloc(talloc_tos(), &utf8_password,
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
pdb_get_plaintext_passwd(newpwd),
&converted_size))
{
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
return NT_STATUS_NO_MEMORY;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Convert Samba3 to use the common lib/util/charset API This removes calls to push_*_allocate() and pull_*_allocate(), as well as convert_string_allocate, as they are not in the common API To allow transition to a common charcnv in future, provide Samba4-like strupper functions in source3/lib/charcnv.c (the actual implementation remains distinct, but the API is now shared) Andrew Bartlett
2009-03-19 04:20:11 +03:00
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, dn, &converted_size)) {
TALLOC_FREE(utf8_password);
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
return NT_STATUS_NO_MEMORY;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
DEBUG(0,("ber_alloc_t returns NULL\n"));
Convert Samba3 to use the common lib/util/charset API This removes calls to push_*_allocate() and pull_*_allocate(), as well as convert_string_allocate, as they are not in the common API To allow transition to a common charcnv in future, provide Samba4-like strupper functions in source3/lib/charcnv.c (the actual implementation remains distinct, but the API is now shared) Andrew Bartlett
2009-03-19 04:20:11 +03:00
TALLOC_FREE(utf8_password);
TALLOC_FREE(utf8_dn);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
Coverity fixes (This used to be commit 3fc85d22590550f0539215d020e4411bf5b14363)
2008-03-15 01:26:28 +03:00
if ((ber_printf (ber, "{") < 0) ||
Fix bug 5886 Ok, that's a very long-standing one. I finally got around to install a recent OpenLDAP and test the different variants of setting a NULL password etc. Thanks all for your patience! Volker
2009-07-15 01:12:59 +04:00
(ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
utf8_dn) < 0)) {
DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
"value <0\n"));
ber_free(ber,1);
TALLOC_FREE(utf8_dn);
TALLOC_FREE(utf8_password);
return NT_STATUS_UNSUCCESSFUL;
}
if ((utf8_password != NULL) && (*utf8_password != '\0')) {
ret = ber_printf(ber, "ts}",
LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
utf8_password);
} else {
ret = ber_printf(ber, "}");
}
if (ret < 0) {
DEBUG(0,("ldapsam_modify_entry: ber_printf returns a "
"value <0\n"));
ber_free(ber,1);
TALLOC_FREE(utf8_dn);
TALLOC_FREE(utf8_password);
return NT_STATUS_UNSUCCESSFUL;
Coverity fixes (This used to be commit 3fc85d22590550f0539215d020e4411bf5b14363)
2008-03-15 01:26:28 +03:00
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if ((rc = ber_flatten (ber, &bv))<0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
ber_free(ber,1);
Convert Samba3 to use the common lib/util/charset API This removes calls to push_*_allocate() and pull_*_allocate(), as well as convert_string_allocate, as they are not in the common API To allow transition to a common charcnv in future, provide Samba4-like strupper functions in source3/lib/charcnv.c (the actual implementation remains distinct, but the API is now shared) Andrew Bartlett
2009-03-19 04:20:11 +03:00
TALLOC_FREE(utf8_dn);
TALLOC_FREE(utf8_password);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Convert Samba3 to use the common lib/util/charset API This removes calls to push_*_allocate() and pull_*_allocate(), as well as convert_string_allocate, as they are not in the common API To allow transition to a common charcnv in future, provide Samba4-like strupper functions in source3/lib/charcnv.c (the actual implementation remains distinct, but the API is now shared) Andrew Bartlett
2009-03-19 04:20:11 +03:00
TALLOC_FREE(utf8_dn);
TALLOC_FREE(utf8_password);
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
ber_free(ber, 1);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (!ldap_state->is_nds_ldap) {
rc = smbldap_extended_operation(ldap_state->smbldap_state,
LDAP_EXOP_MODIFY_PASSWD,
bv, NULL, NULL, &retoid,
&retdata);
} else {
rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
pdb_get_plaintext_passwd(newpwd));
}
if (rc != LDAP_SUCCESS) {
Show the error message for failure to set the ldap password. (For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
2003-12-26 03:43:48 +03:00
char *ld_error = NULL;
r2619: Only issue the ldap extended password change operation if the ldap server supports it. This might be a fix for bugs 1823 and 1545, notifying both. Also ignore object class violation errors from the extended operation. We don't have the userPassword field in sambaSamAccount, and if we have such broken setup with user in /etc/passwd and only samba attribs in ldap, we fail this :-) Volker (This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
2004-09-25 14:12:34 +04:00
if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
DEBUG(3, ("Could not set userPassword "
"attribute due to an objectClass "
"violation -- ignoring\n"));
ber_bvfree(bv);
return NT_STATUS_OK;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ldap_get_option(
smbldap_get_ldap(ldap_state->smbldap_state),
LDAP_OPT_ERROR_STRING,
Show the error message for failure to set the ldap password. (For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
2003-12-26 03:43:48 +03:00
&ld_error);
DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
ber_bvfree(bv);
Fix for bug #5163 from Laurent Pinchart <pinchart@skynet.be> Failure to change password in ldap is mapped to NT_STATUS_UNSUCCESSFUL unconditionally. Jeremy. (This used to be commit 9369d6e907a49da1fbf2a5690118412b8d1a0383)
2008-01-03 05:20:23 +03:00
#if defined(LDAP_CONSTRAINT_VIOLATION)
if (rc == LDAP_CONSTRAINT_VIOLATION)
return NT_STATUS_PASSWORD_RESTRICTION;
#endif
Show the error message for failure to set the ldap password. (For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
2003-12-26 03:43:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
} else {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
#ifdef DEBUG_PASSWORD
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
#endif
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (retdata)
ber_bvfree(retdata);
if (retoid)
r12400: one line patch for Sun LDAP libs pointed out by Nicholas Brealey <nick@brealey.org> (This used to be commit 5121d3806992da79d194717ef7a9da810b5ff679)
2005-12-20 21:20:39 +03:00
ldap_memfree(retoid);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
ber_bvfree(bv);
}
s3:pdb_ldap: change LDAP password before samba password hashes this way we can catch up with password change refuses from ldap password policy overlays and abort the password change early. Thanks to Andy Hanton <andyhanton@gmail.com> for the initial patch.
2010-07-06 20:39:26 +04:00
if (!mods) {
DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
/* may be password change below however */
} else {
switch(ldap_op) {
case LDAP_MOD_ADD:
if (ldap_state->is_nds_ldap) {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectclass",
"inetOrgPerson");
} else {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectclass",
LDAP_OBJ_ACCOUNT);
}
rc = smbldap_add(ldap_state->smbldap_state,
dn, mods);
break;
case LDAP_MOD_REPLACE:
rc = smbldap_modify(ldap_state->smbldap_state,
dn ,mods);
break;
default:
DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
ldap_op));
return NT_STATUS_INVALID_PARAMETER;
}
if (rc!=LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
}
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Delete entry from LDAP for username.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu * sam_acct)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *priv =
(struct ldapsam_privates *)my_methods->private_data;
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
const char *sname;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
LDAPMessage *msg, *entry;
NTSTATUS result = NT_STATUS_NO_MEMORY;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if (!sam_acct) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_INVALID_PARAMETER;
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
}
sname = pdb_get_username(sam_acct);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
"LDAP.\n", sname));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
goto done;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
if (attr_list == NULL) {
goto done;
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
if ((rc != LDAP_SUCCESS) ||
(ldap_count_entries(priv2ld(priv), msg) != 1) ||
((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
DEBUG(5, ("Could not find user %s\n", sname));
result = NT_STATUS_NO_SUCH_USER;
goto done;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_delete_entry(
priv, mem_ctx, entry,
priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
s3-passdb: Remove obsolte ldapsam_compat support.
2012-06-22 18:27:56 +04:00
LDAP_OBJ_SAMBASAMACCOUNT : 0,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = (rc == LDAP_SUCCESS) ?
NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Update struct samu.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
int rc = 0;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
char *dn;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
if (!result) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (pdb_get_username(newpwd) == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
if (rc != LDAP_SUCCESS) {
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
return NT_STATUS_UNSUCCESSFUL;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pdb_set_backend_private_data(newpwd, result, NULL,
my_methods, PDB_CHANGED);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(newpwd, result);
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
result) == 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
result);
dn = smbldap_talloc_dn(talloc_tos(),
smbldap_get_ldap(ldap_state->smbldap_state),
entry);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (!dn) {
return NT_STATUS_UNSUCCESSFUL;
}
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
s3-passdb Make pdb_element_is_changed available to all passdb modules This will allow pdb_samba4 to use this Andrew Bartlett
2011-08-11 09:39:47 +04:00
pdb_element_is_changed)) {
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(dn);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
if (mods != NULL)
ldap_mods_free(mods,True);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
Fix bug 4901 (This used to be commit 1dd8fa9a521046f1de8173ac00224706c5249665)
2008-03-14 20:01:06 +03:00
if ((lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_ONLY)
&& (mods == NULL)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
pdb_get_username(newpwd)));
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(dn);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
return NT_STATUS_OK;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
s3-passdb Make pdb_element_is_changed available to all passdb modules This will allow pdb_samba4 to use this Andrew Bartlett
2011-08-11 09:39:47 +04:00
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, pdb_element_is_changed);
Fix bug 4901 (This used to be commit 1dd8fa9a521046f1de8173ac00224706c5249665)
2008-03-14 20:01:06 +03:00
if (mods != NULL) {
ldap_mods_free(mods,True);
}
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(dn);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
r16427: Fix bug # 3848. Thanks to Wilco Baan Hofman for testing the release candidate! Volker (This used to be commit adf2dcce09ae29a8c1677b25e1cd5f022b804d01)
2006-06-21 00:05:39 +04:00
/*
* We need to set the backend private data to NULL here. For example
* setuserinfo level 25 does a pdb_update_sam_account twice on the
* same one, and with the explicit delete / add logic for attribute
* values the second time we would use the wrong "old" value which
* does not exist in LDAP anymore. Thus the LDAP server would refuse
* the update.
* The existing LDAPMessage is still being auto-freed by the
* destructor.
*/
pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
PDB_CHANGED);
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
if (!NT_STATUS_IS_OK(ret)) {
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
pdb_get_username(newpwd)));
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
/***************************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Renames a struct samu
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
- The "rename user script" has full responsibility for changing everything
***************************************************************************/
s3-pdb_ldap: Fix bug #4296: Clean up group membership while deleting a user. Note that this only is tried with editposix=yes. Guenther
2009-06-24 02:33:44 +04:00
static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t group_rid,
uint32_t member_rid);
s3-pdb_ldap: Fix bug #4296: Clean up group membership while deleting a user. Note that this only is tried with editposix=yes. Guenther
2009-06-24 02:33:44 +04:00
static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
TALLOC_CTX *mem_ctx,
struct samu *user,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid **pp_sids,
s3-pdb_ldap: Fix bug #4296: Clean up group membership while deleting a user. Note that this only is tried with editposix=yes. Guenther
2009-06-24 02:33:44 +04:00
gid_t **pp_gids,
s3:auth: change num_groups to from size_t to uint32_t This will help with the change from UNIX_USER_TOKEN to security_unix_token metze
2011-02-21 12:30:28 +03:00
uint32_t *p_num_groups);
s3-pdb_ldap: Fix bug #4296: Clean up group membership while deleting a user. Note that this only is tried with editposix=yes. Guenther
2009-06-24 02:33:44 +04:00
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
struct samu *old_acct,
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
const char *newname)
{
const char *oldname;
int rc;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *rename_script = NULL;
r17150: MMC User & group plugins fixes: * Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2006-07-20 00:59:04 +04:00
fstring oldname_lower, newname_lower;
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
if (!old_acct) {
DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!newname) {
DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
return NT_STATUS_INVALID_PARAMETER;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
oldname = pdb_get_username(old_acct);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
/* rename the posix user */
param: rename lp function and variable from "renameuser_script" to "rename_user_script" Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-04 06:09:11 +04:00
rename_script = lp_rename_user_script(talloc_tos());
Fix memleak in ldapsam_rename_sam_account() found by IBM checker. The check for out of memory was the wrong way round. Michael (This used to be commit d7a7b793203b986823859ac5171d2d4c30e52415)
2008-01-10 00:09:55 +03:00
if (rename_script == NULL) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return NT_STATUS_NO_MEMORY;
}
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!(*rename_script)) {
Finally remove all malloc()'s from the substitute code. Now totally talloc() based. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jan 27 03:43:21 CET 2012 on sn-devel-104
2012-01-27 05:10:44 +04:00
TALLOC_FREE(rename_script);
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
return NT_STATUS_ACCESS_DENIED;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
}
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
oldname, newname));
r17150: MMC User & group plugins fixes: * Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2006-07-20 00:59:04 +04:00
/* We have to allow the account name to end with a '$'.
Also, follow the semantics in _samr_create_user() and lower case the
posix name but preserve the case in passdb */
fstrcpy( oldname_lower, oldname );
Correctly check for errors in strlower_m() returns.
2012-08-09 04:01:00 +04:00
if (!strlower_m( oldname_lower )) {
return NT_STATUS_INVALID_PARAMETER;
}
r17150: MMC User & group plugins fixes: * Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2006-07-20 00:59:04 +04:00
fstrcpy( newname_lower, newname );
Correctly check for errors in strlower_m() returns.
2012-08-09 04:01:00 +04:00
if (!strlower_m( newname_lower )) {
return NT_STATUS_INVALID_PARAMETER;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
rename_script = realloc_string_sub2(rename_script,
"%unew",
newname_lower,
true,
true);
s3-ldapsam: Fix Bug 5957: do not abort rename process on valid rename script. Guenther (cherry picked from commit 26139344fd0fac4fdd2a6752628b252fbd9b7450) (cherry picked from commit 866efa63a26f75bbf17cd4bebf639594e2feafba)
2008-12-09 19:28:15 +03:00
if (!rename_script) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return NT_STATUS_NO_MEMORY;
}
rename_script = realloc_string_sub2(rename_script,
"%uold",
oldname_lower,
true,
true);
Update smbrun to allow for settings environment variables. Signed-off-by: Trever L. Adams <trever.adams@gmail.com> Reviewed-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Oct 13 04:26:26 CEST 2016 on sn-devel-144
2016-10-12 18:55:15 +03:00
rc = smbrun(rename_script, NULL, NULL);
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
rename_script, rc));
Finally remove all malloc()'s from the substitute code. Now totally talloc() based. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jan 27 03:43:21 CET 2012 on sn-devel-104
2012-01-27 05:10:44 +04:00
TALLOC_FREE(rename_script);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
r18703: Fix the annoying effect that happens when nscd is running: We usually do not get the results from user/group script modifications immediately. A lot of users do add nscd restart/refresh commands into their scripts to workaround that while we could flush the nscd caches directly using libnscd. Guenther (This used to be commit 7db6ce295afbedfada7b207ad56566d2195a0d21)
2006-09-20 04:15:50 +04:00
if (rc == 0) {
smb_nscd_flush_user_cache();
}
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
if (rc)
return NT_STATUS_UNSUCCESSFUL;
return NT_STATUS_OK;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Add struct samu to LDAP.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
int ldap_op = LDAP_MOD_REPLACE;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t num_result;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *escape_user = NULL;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
const char *username = pdb_get_username(newpwd);
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *sid = pdb_get_user_sid(newpwd);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
char *dn = NULL;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
TALLOC_CTX *ctx = talloc_init("ldapsam_add_sam_account");
if (!ctx) {
return NT_STATUS_NO_MEMORY;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
if (!username || !*username) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
status = NT_STATUS_INVALID_PARAMETER;
goto fn_exit;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/* free this list after the second search or in case we exit on failure */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
attr_list = get_userattr_list(ctx, ldap_state->schema_ver);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
if (rc != LDAP_SUCCESS) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
result) != 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
username));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
ldap_msgfree(result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
result = NULL;
s3-passdb Make pdb_element_is_changed available to all passdb modules This will allow pdb_samba4 to use this Andrew Bartlett
2011-08-11 09:39:47 +04:00
if (pdb_element_is_set_or_changed(newpwd, PDB_USERSID)) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
rc = ldapsam_get_ldap_user_by_sid(ldap_state,
sid, &result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (rc == LDAP_SUCCESS) {
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (ldap_count_entries(
smbldap_get_ldap(
ldap_state->smbldap_state),
result) != 0) {
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
DEBUG(0,("ldapsam_add_sam_account: SID '%s' "
"already in the base, with samba "
"attributes\n", sid_string_dbg(sid)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
ldap_msgfree(result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
result = NULL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
/* does the entry already exist but without a samba attributes?
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
we need to return the samba attributes here */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
escape_user = escape_ldap_string(talloc_tos(), username);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
filter = talloc_strdup(attr_list, "(uid=%u)");
if (!filter) {
status = NT_STATUS_NO_MEMORY;
goto fn_exit;
}
filter = talloc_all_string_sub(attr_list, filter, "%u", escape_user);
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_user);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!filter) {
status = NT_STATUS_NO_MEMORY;
goto fn_exit;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state,
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
filter, attr_list, &result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if ( rc != LDAP_SUCCESS ) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
num_result = ldap_count_entries(
smbldap_get_ldap(ldap_state->smbldap_state), result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
if (num_result > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/* Check if we need to update an existing entry */
if (num_result == 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_op = LDAP_MOD_REPLACE;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(
smbldap_get_ldap(ldap_state->smbldap_state), result);
dn = smbldap_talloc_dn(
ctx, smbldap_get_ldap(ldap_state->smbldap_state),
entry);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!dn) {
status = NT_STATUS_NO_MEMORY;
goto fn_exit;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
} else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
/* There might be a SID for this account already - say an idmap entry */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
filter = talloc_asprintf(ctx,
"(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_SID),
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(ctx, sid),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
LDAP_OBJ_IDMAP_ENTRY,
LDAP_OBJ_SID_ENTRY);
if (!filter) {
status = NT_STATUS_NO_MEMORY;
goto fn_exit;
}
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
/* free old result before doing a new search */
if (result != NULL) {
ldap_msgfree(result);
result = NULL;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state,
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
filter, attr_list, &result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if ( rc != LDAP_SUCCESS ) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
num_result = ldap_count_entries(
smbldap_get_ldap(ldap_state->smbldap_state), result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (num_result > 1) {
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/* Check if we need to update an existing entry */
if (num_result == 1) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_op = LDAP_MOD_REPLACE;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry (
smbldap_get_ldap(ldap_state->smbldap_state),
result);
dn = smbldap_talloc_dn (
ctx,
smbldap_get_ldap(ldap_state->smbldap_state),
entry);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!dn) {
status = NT_STATUS_NO_MEMORY;
goto fn_exit;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
}
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (num_result == 0) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_username;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/* Check if we need to add an entry */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
ldap_op = LDAP_MOD_ADD;
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_username = escape_rdn_val_string_alloc(username);
if (!escape_username) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
status = NT_STATUS_NO_MEMORY;
goto fn_exit;
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
}
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
if (username[strlen(username)-1] == '$') {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
dn = talloc_asprintf(ctx,
"uid=%s,%s",
escape_username,
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
lp_ldap_machine_suffix(talloc_tos()));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
} else {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
dn = talloc_asprintf(ctx,
"uid=%s,%s",
escape_username,
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
lp_ldap_user_suffix(talloc_tos()));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
SAFE_FREE(escape_username);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (!dn) {
status = NT_STATUS_NO_MEMORY;
goto fn_exit;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
s3-passdb Make pdb_element_is_changed available to all passdb modules This will allow pdb_samba4 to use this Andrew Bartlett
2011-08-11 09:39:47 +04:00
pdb_element_is_set_or_changed)) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (mods != NULL) {
ldap_mods_free(mods, true);
}
goto fn_exit;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (mods == NULL) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
goto fn_exit;
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
break;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
s3-passdb Make pdb_element_is_changed available to all passdb modules This will allow pdb_samba4 to use this Andrew Bartlett
2011-08-11 09:39:47 +04:00
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, pdb_element_is_set_or_changed);
Found out a good number of NT_STATUS_IS_ERR used the wrong way. As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-22 14:09:52 +04:00
if (!NT_STATUS_IS_OK(ret)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_get_username(newpwd),dn));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
ldap_mods_free(mods, true);
goto fn_exit;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
ldap_mods_free(mods, true);
status = NT_STATUS_OK;
fn_exit:
TALLOC_FREE(ctx);
if (result) {
ldap_msgfree(result);
}
return status;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
const char *filter,
LDAPMessage ** result)
{
int scope = LDAP_SCOPE_SUBTREE;
int rc;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list(NULL, groupmap_attr_list);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
rc = smbldap_search(ldap_state->smbldap_state,
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
lp_ldap_suffix (talloc_tos()), scope,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
filter, attr_list, 0, result);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(attr_list);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return rc;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool init_group_from_ldap(struct ldapsam_privates *ldap_state,
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
GROUP_MAP *map, LDAPMessage *entry)
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *temp = NULL;
TALLOC_CTX *ctx = talloc_init("init_group_from_ldap");
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (ldap_state == NULL || map == NULL || entry == NULL ||
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state) == NULL) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return false;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_GIDNUMBER),
ctx);
if (!temp) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return false;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Metzes change: > Hi Volker, > > if 'displayName' is not available we should fallback to 'cn' for map->nt_name > 'cn' is used as unix group name by nss_ldap. > > and if nt_name is not available we should fail (so does this patch) Volker (This used to be commit 7ae9c2500e3ac5f671d41077327156f1f3767fff)
2003-03-23 11:41:05 +03:00
map->gid = (gid_t)atol(temp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(temp);
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_GROUP_SID),
ctx);
if (!temp) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return false;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
if (!string_to_sid(&map->sid, temp)) {
DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return false;
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(temp);
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_GROUP_TYPE),
ctx);
if (!temp) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return false;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
map->sid_name_use = (enum lsa_SidType)atol(temp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if ((map->sid_name_use < SID_NAME_USER) ||
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(map->sid_name_use > SID_NAME_UNKNOWN)) {
DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return false;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(temp);
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_DISPLAY_NAME),
ctx);
if (!temp) {
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_CN),
ctx);
if (!temp) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
for gidNumber(%lu)\n",(unsigned long)map->gid));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return false;
Metzes change: > Hi Volker, > > if 'displayName' is not available we should fallback to 'cn' for map->nt_name > 'cn' is used as unix group name by nss_ldap. > > and if nt_name is not available we should fail (so does this patch) Volker (This used to be commit 7ae9c2500e3ac5f671d41077327156f1f3767fff)
2003-03-23 11:41:05 +03:00
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
map->nt_name = talloc_strdup(map, temp);
if (!map->nt_name) {
TALLOC_FREE(ctx);
return false;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(temp);
temp = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_DESC),
ctx);
if (!temp) {
temp = talloc_strdup(ctx, "");
if (!temp) {
TALLOC_FREE(ctx);
return false;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
map->comment = talloc_strdup(map, temp);
if (!map->comment) {
TALLOC_FREE(ctx);
return false;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (lp_parm_bool(-1, "ldapsam", "trusted", false)) {
s3-idmap: convert most idmap_cache callers to unixid API This will eventually allow the struct unixid to be passed all the way up and down the stack. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-23 14:11:33 +04:00
struct unixid id;
id.id = map->gid;
id.type = ID_TYPE_GID;
idmap_cache_set_sid2unixid(&map->sid, &id);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(ctx);
return true;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
const char *filter,
GROUP_MAP *map)
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int count;
if (ldapsam_search_one_group(ldap_state, filter, &result)
!= LDAP_SUCCESS) {
return NT_STATUS_NO_SUCH_GROUP;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
count = ldap_count_entries(priv2ld(ldap_state), result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (count < 1) {
Improve debug message Fix bug 5056, thanks to debian package maintainer (This used to be commit 5b4ba4bfc54e2fa468abe15383e5b33eb5bd1324)
2007-11-26 16:30:50 +03:00
DEBUG(4, ("ldapsam_getgroup: Did not find group, filter was "
"%s\n", filter));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_NO_SUCH_GROUP;
}
if (count > 1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
"count=%d\n", filter, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_NO_SUCH_GROUP;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_first_entry(priv2ld(ldap_state), result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (!entry) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
if (!init_group_from_ldap(ldap_state, map, entry)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
"group filter %s\n", filter));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_GROUP;
}
ldap_msgfree(result);
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
NTSTATUS status;
Replace sid_string_static with sid_to_string This adds 28 fstrings on the stack, but I think an fstring on the stack is still far better than a static one. (This used to be commit c7c885078be8fd3024c186044ac28275d7609679)
2007-12-16 00:00:39 +03:00
fstring tmp;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
LDAP_OBJ_GROUPMAP,
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
sid_to_fstring(tmp, &sid)) < 0) {
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
status = ldapsam_getgroup(methods, filter, map);
SAFE_FREE(filter);
return status;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
gid_t gid)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
NTSTATUS status;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (asprintf(&filter, "(&(objectClass=%s)(%s=%lu))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
(unsigned long)gid) < 0) {
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
status = ldapsam_getgroup(methods, filter, map);
SAFE_FREE(filter);
return status;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
const char *name)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
char *escape_name = escape_ldap_string(talloc_tos(), name);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
NTSTATUS status;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!escape_name) {
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (asprintf(&filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN),
escape_name) < 0) {
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_name);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
return NT_STATUS_NO_MEMORY;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_name);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
status = ldapsam_getgroup(methods, filter, map);
SAFE_FREE(filter);
return status;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
LDAPMessage *entry,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *domain_sid,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t *rid)
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
{
fstring str;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
str, sizeof(str)-1)) {
DEBUG(10, ("Could not find sambaSID attribute\n"));
return False;
}
if (!string_to_sid(&sid, str)) {
DEBUG(10, ("Could not convert string %s to sid\n", str));
return False;
}
s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions. Guenther
2010-08-26 17:48:50 +04:00
if (dom_sid_compare_domain(&sid, domain_sid) != 0) {
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
DEBUG(10, ("SID %s is not in expected domain %s\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
str, sid_string_dbg(domain_sid)));
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
return False;
}
if (!sid_peek_rid(&sid, rid)) {
DEBUG(10, ("Could not peek into RID\n"));
return False;
}
return True;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
TALLOC_CTX *mem_ctx,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *group,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t **pp_member_rids,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t *p_num_members)
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
struct smbldap_state *conn = ldap_state->smbldap_state;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
const char *sid_attrs[] = { "sambaSID", NULL };
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
LDAPMessage *result = NULL;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
LDAPMessage *entry;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
char *filter;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
char **values = NULL;
char **memberuid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
char *gidstr;
int rc, count;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_member_rids = NULL;
*p_num_members = 0;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(mem_ctx,
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(&(objectClass=%s)"
"(objectClass=%s)"
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
"(sambaSID=%s))",
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_POSIXGROUP,
LDAP_OBJ_GROUPMAP,
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx, group));
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
&result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (rc != LDAP_SUCCESS)
goto done;
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
count = ldap_count_entries(smbldap_get_ldap(conn), result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (count > 1) {
DEBUG(1, ("Found more than one groupmap entry for %s\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(group)));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
if (count == 0) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_NO_SUCH_GROUP;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(smbldap_get_ldap(conn), result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (entry == NULL)
goto done;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
if (!gidstr) {
DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
values = ldap_get_values(smbldap_get_ldap(conn), entry, "memberUid");
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
s3:ldap: don't search when no values where found
2009-10-31 02:45:09 +03:00
if ((values != NULL) && (values[0] != NULL)) {
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r19083: Fix objectclass (This used to be commit 6c4d68d84987a88f91bca976a0396dff720043e5)
2006-10-05 10:29:06 +04:00
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
for (memberuid = values; *memberuid != NULL; memberuid += 1) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_memberuid;
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
escape_memberuid = escape_ldap_string(talloc_tos(),
*memberuid);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
if (escape_memberuid == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r25165: Use talloc_asprintf_append_buffer with an unmodified string. Jeremy. (This used to be commit fe30a523dfc77cc373145624246fd3ad5c62b9ac)
2007-09-14 21:42:10 +04:00
filter = talloc_asprintf_append_buffer(filter, "(uid=%s)", escape_memberuid);
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_memberuid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
}
r25165: Use talloc_asprintf_append_buffer with an unmodified string. Jeremy. (This used to be commit fe30a523dfc77cc373145624246fd3ad5c62b9ac)
2007-09-14 21:42:10 +04:00
filter = talloc_asprintf_append_buffer(filter, "))");
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
&result);
if (rc != LDAP_SUCCESS)
goto done;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
count = ldap_count_entries(smbldap_get_ldap(conn), result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
for (entry = ldap_first_entry(smbldap_get_ldap(conn), result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
entry != NULL;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_next_entry(smbldap_get_ldap(conn), entry))
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
{
char *sidstr;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t rid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
sidstr = smbldap_talloc_single_attribute(
smbldap_get_ldap(conn), entry, "sambaSID",
mem_ctx);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!sidstr) {
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
DEBUG(0, ("Severe DB error, %s can't miss the sambaSID"
"attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
if (!string_to_sid(&sid, sidstr))
goto done;
s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() This does not check whether the given sid is in our domain, but but whether it belongs to the local sam, which is a different thing on a domain member server. Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-12 18:00:59 +04:00
if (!sid_check_is_in_our_sam(&sid)) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(0, ("Inconsistent SAM -- group member uid not "
"in our domain\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
sid_peek_rid(&sid, &rid);
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
p_num_members)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(mem_ctx,
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(&(objectClass=%s)"
"(gidNumber=%s))",
LDAP_OBJ_SAMBASAMACCOUNT,
gidstr);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
&result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (rc != LDAP_SUCCESS)
goto done;
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
for (entry = ldap_first_entry(smbldap_get_ldap(conn), result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
entry != NULL;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_next_entry(smbldap_get_ldap(conn), entry))
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
{
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t rid;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (!ldapsam_extract_rid_from_entry(smbldap_get_ldap(conn),
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
entry,
get_global_sam_sid(),
&rid)) {
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
DEBUG(0, ("Severe DB error, %s can't miss the samba SID" "attribute\n", LDAP_OBJ_SAMBASAMACCOUNT));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
p_num_members)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_OK;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
done:
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (values)
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
ldap_value_free(values);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return ret;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu *user,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid **pp_sids,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
gid_t **pp_gids,
s3:auth: change num_groups to from size_t to uint32_t This will help with the change from UNIX_USER_TOKEN to security_unix_token metze
2011-02-21 12:30:28 +03:00
uint32_t *p_num_groups)
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
struct smbldap_state *conn = ldap_state->smbldap_state;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
char *filter;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char *attrs[] = { "gidNumber", "sambaSID", NULL };
r3871: Fix memleak (This used to be commit dbfdde5f63f34fbe4ba1d794fcfc120178ff039a)
2004-11-19 14:59:56 +03:00
char *escape_name;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
int rc, count;
LDAPMessage *result = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
LDAPMessage *entry;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
s3-auth Change type of num_sids to uint32_t size_t is overkill here, and in struct security_token in the num_sids is uint32_t. This includes a change to the prototype of add_sid_to_array() and add_sid_to_array_unique(), which has had a number of consequnetial changes as I try to sort out all the callers using a pointer to the number of sids. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-26 14:54:13 +04:00
uint32_t num_sids;
s3:auth: change num_groups to from size_t to uint32_t This will help with the change from UNIX_USER_TOKEN to security_unix_token metze
2011-02-21 12:30:28 +03:00
uint32_t num_gids;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
char *gidstr;
gid_t primary_gid = -1;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_sids = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
num_sids = 0;
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (pdb_get_username(user) == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
escape_name = escape_ldap_string(talloc_tos(), pdb_get_username(user));
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
if (escape_name == NULL)
r3883: Fix error return -- thanks to rsharpe (This used to be commit 2d952c86c7e92fff48b4773ab46987d905b214cc)
2004-11-20 00:01:23 +03:00
return NT_STATUS_NO_MEMORY;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
s3:pdb_ldap: don't search for the users primary group, if we already know it metze
2010-02-05 18:20:21 +03:00
if (user->unix_pw) {
primary_gid = user->unix_pw->pw_gid;
} else {
/* retrieve the users primary gid */
filter = talloc_asprintf(mem_ctx,
"(&(objectClass=%s)(uid=%s))",
LDAP_OBJ_SAMBASAMACCOUNT,
escape_name);
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
s3:pdb_ldap: don't search for the users primary group, if we already know it metze
2010-02-05 18:20:21 +03:00
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
s3:pdb_ldap: don't search for the users primary group, if we already know it metze
2010-02-05 18:20:21 +03:00
if (rc != LDAP_SUCCESS)
goto done;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
s3:pdb_ldap: don't search for the users primary group, if we already know it metze
2010-02-05 18:20:21 +03:00
count = ldap_count_entries(priv2ld(ldap_state), result);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
s3:pdb_ldap: don't search for the users primary group, if we already know it metze
2010-02-05 18:20:21 +03:00
switch (count) {
case 0:
DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
ret = NT_STATUS_NO_SUCH_USER;
goto done;
case 1:
entry = ldap_first_entry(priv2ld(ldap_state), result);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
s3:pdb_ldap: don't search for the users primary group, if we already know it metze
2010-02-05 18:20:21 +03:00
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
if (!gidstr) {
DEBUG (1, ("Unable to find the member's gid!\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
primary_gid = strtoul(gidstr, NULL, 10);
break;
default:
DEBUG(1, ("found more than one account with the same user name ?!\n"));
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
}
filter = talloc_asprintf(mem_ctx,
Fix a bunch of compiler warnings about wrong format types. Should make Solaris 10 builds look cleaner. Jeremy.
2009-05-12 08:56:57 +04:00
"(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%u)))",
LDAP_OBJ_POSIXGROUP, escape_name, (unsigned int)primary_gid);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(conn, lp_ldap_suffix(talloc_tos()),
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
if (rc != LDAP_SUCCESS)
goto done;
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
num_gids = 0;
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_gids = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
num_sids = 0;
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_sids = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
/* We need to add the primary group as the first gid/sid */
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
/* This sid will be replaced later */
Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2008-01-09 02:11:31 +03:00
ret = add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids,
&num_sids);
if (!NT_STATUS_IS_OK(ret)) {
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
for (entry = ldap_first_entry(smbldap_get_ldap(conn), result);
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
entry != NULL;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_next_entry(smbldap_get_ldap(conn), entry))
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
{
fstring str;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
gid_t gid;
char *end;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (!smbldap_get_single_attribute(smbldap_get_ldap(conn),
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
entry, "sambaSID",
str, sizeof(str)-1))
r4851: Preleminary fix for ldapsam_enum_group_memberships when ldapsam:trusted=True. Don't bail out when ldap-search returns pure posixgroups (w.o. samba group-mapping). This way those unix-memberships do not appear in user and nt user token. Volker, could you please look over that one? Guenther (This used to be commit 853a8b7f1c0b00b2e4433d1281f3c9bfcaf980a6)
2005-01-19 20:42:33 +03:00
continue;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
if (!string_to_sid(&sid, str))
goto done;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
if (!smbldap_get_single_attribute(smbldap_get_ldap(conn),
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
entry, "gidNumber",
str, sizeof(str)-1))
r4851: Preleminary fix for ldapsam_enum_group_memberships when ldapsam:trusted=True. Don't bail out when ldap-search returns pure posixgroups (w.o. samba group-mapping). This way those unix-memberships do not appear in user and nt user token. Volker, could you please look over that one? Guenther (This used to be commit 853a8b7f1c0b00b2e4433d1281f3c9bfcaf980a6)
2005-01-19 20:42:33 +03:00
continue;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
gid = strtoul(str, &end, 10);
if (PTR_DIFF(end, str) != strlen(str))
goto done;
if (gid == primary_gid) {
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
sid_copy(&(*pp_sids)[0], &sid);
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
} else {
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids,
&num_gids)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2008-01-09 02:11:31 +03:00
ret = add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
&num_sids);
if (!NT_STATUS_IS_OK(ret)) {
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
}
}
s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions. Guenther
2010-08-26 17:48:50 +04:00
if (dom_sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(3, ("primary group of [%s] not found\n",
pdb_get_username(user)));
s3: Fix bug 8567 -- segfault in dom_sid_compare The underlying problem was that with ldapsam:trusted we require the a group mapping for the primary group of every user, including root. Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Mon Feb 20 22:36:23 CET 2012 on sn-devel-104
2012-02-19 15:49:55 +04:00
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
goto done;
}
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_groups = num_sids;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
ret = NT_STATUS_OK;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
done:
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_name);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
return ret;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
* Augment a posixGroup object with a sambaGroupMapping domgroup
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
struct ldapsam_privates *ldap_state,
GROUP_MAP *map)
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *filter, *dn;
LDAPMessage *msg, *entry;
LDAPMod **mods;
int rc;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(mem_ctx,
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
"(&(objectClass=%s)(gidNumber=%u))",
Fix a bunch of compiler warnings about wrong format types. Should make Solaris 10 builds look cleaner. Jeremy.
2009-05-12 08:56:57 +04:00
LDAP_OBJ_POSIXGROUP, (unsigned int)map->gid);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
get_attr_list(mem_ctx, groupmap_attr_list),
&msg);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc != LDAP_SUCCESS) ||
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
(ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
msg) != 1) ||
((entry = ldap_first_entry(
smbldap_get_ldap(ldap_state->smbldap_state),
msg)) == NULL)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return NT_STATUS_NO_SUCH_GROUP;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
dn = smbldap_talloc_dn(mem_ctx,
smbldap_get_ldap(ldap_state->smbldap_state),
entry);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (dn == NULL) {
return NT_STATUS_NO_MEMORY;
}
mods = NULL;
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
LDAP_OBJ_GROUPMAP);
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
&mods, "sambaSid",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit 0a911d38b8f4be382a9df60f9c6de0c500464b3a)
2007-12-15 23:49:15 +03:00
sid_string_talloc(mem_ctx, &map->sid));
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
&mods, "sambaGroupType",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
&mods, "displayName",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
map->nt_name);
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
&mods, "description",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
map->comment);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
GROUP_MAP *map)
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
LDAPMessage *msg = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
LDAPMod **mods = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *attrs[] = { NULL };
char *filter;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
char *dn;
TALLOC_CTX *mem_ctx;
NTSTATUS result;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
idmap: unify passdb *id_to_sid methods Instead of passing down gid or uid, a pointer to a unixid is now sent down. This acts as an in-out variable so that the idmap functions can correctly receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720 Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066 Pair-programmed-with: Andrew Bartlett <abarlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-11-25 04:45:26 +03:00
struct unixid id;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx, &map->sid));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(talloc_tos()),
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc == LDAP_SUCCESS) &&
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
(ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
msg) > 0)) {
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(3, ("SID %s already present in LDAP, refusing to add "
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
"group mapping entry\n", sid_string_dbg(&map->sid)));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = NT_STATUS_GROUP_EXISTS;
goto done;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
switch (map->sid_name_use) {
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
case SID_NAME_DOM_GRP:
/* To map a domain group we need to have a posix group
to attach to. */
result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
goto done;
break;
case SID_NAME_ALIAS:
s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() This does not check whether the given sid is in our domain, but but whether it belongs to the local sam, which is a different thing on a domain member server. Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-12 18:00:59 +04:00
if (!sid_check_is_in_our_sam(&map->sid)
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
&& !sid_check_is_in_builtin(&map->sid) )
{
DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&map->sid)));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
break;
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
default:
DEBUG(3, ("Got invalid use '%s' for mapping\n",
sid_type_lookup(map->sid_name_use)));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Domain groups have been mapped in a separate routine, we have to
* create an alias now */
if (map->gid == -1) {
DEBUG(10, ("Refusing to map gid==-1\n"));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
idmap: unify passdb *id_to_sid methods Instead of passing down gid or uid, a pointer to a unixid is now sent down. This acts as an in-out variable so that the idmap functions can correctly receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720 Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066 Pair-programmed-with: Andrew Bartlett <abarlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-11-25 04:45:26 +03:00
id.id = map->gid;
id.type = ID_TYPE_GID;
if (pdb_id_to_sid(&id, &sid)) {
Fix a bunch of compiler warnings about wrong format types. Should make Solaris 10 builds look cleaner. Jeremy.
2009-05-12 08:56:57 +04:00
DEBUG(3, ("Gid %u is already mapped to SID %s, refusing to "
"add\n", (unsigned int)map->gid, sid_string_dbg(&sid)));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = NT_STATUS_GROUP_EXISTS;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Ok, enough checks done. It's still racy to go ahead now, but that's
* the best we can get out of LDAP. */
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx, &map->sid),
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
lp_ldap_group_suffix(talloc_tos()));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (dn == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mods = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
&mods, "objectClass", LDAP_OBJ_SID_ENTRY);
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
&mods, "objectClass", LDAP_OBJ_GROUPMAP);
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
&mods, "sambaSid",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx, &map->sid));
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
&mods, "sambaGroupType",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
&mods, "displayName",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
map->nt_name);
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
&mods, "description",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
map->comment);
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), NULL,
&mods, "gidNumber",
talloc_asprintf(mem_ctx, "%u",
(unsigned int)map->gid));
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
result = (rc == LDAP_SUCCESS) ?
NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
* Update a group mapping entry. We're quite strict about what can be changed:
* Only the description and displayname may be changed. It simply does not
* make any sense to change the SID, gid or the type in a mapping.
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
GROUP_MAP *map)
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *filter, *dn;
LDAPMessage *msg = NULL;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx;
NTSTATUS result;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Make 100% sure that sid, gid and type are not changed by looking up
* exactly the values we're given in LDAP. */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)"
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
"(sambaSid=%s)(gidNumber=%u)"
"(sambaGroupType=%d))",
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_GROUPMAP,
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx, &map->sid),
Fix a bunch of compiler warnings about wrong format types. Should make Solaris 10 builds look cleaner. Jeremy.
2009-05-12 08:56:57 +04:00
(unsigned int)map->gid, map->sid_name_use);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
get_attr_list(mem_ctx, groupmap_attr_list),
&msg);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc != LDAP_SUCCESS) ||
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
(ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
msg) != 1) ||
((entry = ldap_first_entry(
smbldap_get_ldap(ldap_state->smbldap_state),
msg)) == NULL)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = NT_STATUS_NO_SUCH_GROUP;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
dn = smbldap_talloc_dn(
mem_ctx, smbldap_get_ldap(ldap_state->smbldap_state), entry);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (dn == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mods = NULL;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
&mods, "displayName", map->nt_name);
smbldap_make_mod(smbldap_get_ldap(ldap_state->smbldap_state), entry,
&mods, "description", map->comment);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (mods == NULL) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: "
"nothing to do\n"));
result = NT_STATUS_OK;
goto done;
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = NT_STATUS_ACCESS_DENIED;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified "
"group %lu in LDAP\n", (unsigned long)map->gid));
result = NT_STATUS_OK;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *priv =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *msg, *entry;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
NTSTATUS result;
TALLOC_CTX *mem_ctx;
char *filter;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx, &sid));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
rc = smbldap_search_suffix(priv->smbldap_state, filter,
get_attr_list(mem_ctx, groupmap_attr_list),
&msg);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc != LDAP_SUCCESS) ||
(ldap_count_entries(priv2ld(priv), msg) != 1) ||
((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
result = NT_STATUS_NO_SUCH_GROUP;
goto done;
}
rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP,
get_attr_list(mem_ctx,
groupmap_attr_list_to_delete));
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc == LDAP_NAMING_VIOLATION) ||
s3/ldap: also handle DirX return codes
2009-05-07 19:50:34 +04:00
(rc == LDAP_NOT_ALLOWED_ON_RDN) ||
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
(rc == LDAP_OBJECT_CLASS_VIOLATION)) {
const char *attrs[] = { "sambaGroupType", "description",
"displayName", "sambaSIDList",
NULL };
/* Second try. Don't delete the sambaSID attribute, this is
for "old" entries that are tacked on a winbind
sambaIdmapEntry. */
rc = ldapsam_delete_entry(priv, mem_ctx, entry,
LDAP_OBJ_GROUPMAP, attrs);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc == LDAP_NAMING_VIOLATION) ||
s3/ldap: also handle DirX return codes
2009-05-07 19:50:34 +04:00
(rc == LDAP_NOT_ALLOWED_ON_RDN) ||
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
(rc == LDAP_OBJECT_CLASS_VIOLATION)) {
const char *attrs[] = { "sambaGroupType", "description",
"displayName", "sambaSIDList",
"gidNumber", NULL };
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Third try. This is a post-3.0.21 alias (containing only
* sambaSidEntry and sambaGroupMapping classes), we also have
* to delete the gidNumber attribute, only the sambaSidEntry
* remains */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_delete_entry(priv, mem_ctx, entry,
LDAP_OBJ_GROUPMAP, attrs);
}
result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool update)
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)my_methods->private_data;
Remove unused prototype for smbldap_get_single_pstring(). Don't use pstr_sprintf() on an fstring - change to talloc. Jeremy. (This used to be commit 6cae4b5fa1bcb848cb2a28daaafeefd6bcd08274)
2007-11-28 09:22:35 +03:00
char *filter = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int rc;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Remove unused prototype for smbldap_get_single_pstring(). Don't use pstr_sprintf() on an fstring - change to talloc. Jeremy. (This used to be commit 6cae4b5fa1bcb848cb2a28daaafeefd6bcd08274)
2007-11-28 09:22:35 +03:00
filter = talloc_asprintf(NULL, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
if (!filter) {
return NT_STATUS_NO_MEMORY;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list( NULL, groupmap_attr_list );
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(talloc_tos()),
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
LDAP_SCOPE_SUBTREE, filter,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list, 0, &ldap_state->result);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(attr_list);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
ldap_err2string(rc)));
DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
lp_ldap_suffix(talloc_tos()), filter));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
Remove unused prototype for smbldap_get_single_pstring(). Don't use pstr_sprintf() on an fstring - change to talloc. Jeremy. (This used to be commit 6cae4b5fa1bcb848cb2a28daaafeefd6bcd08274)
2007-11-28 09:22:35 +03:00
TALLOC_FREE(filter);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
Remove unused prototype for smbldap_get_single_pstring(). Don't use pstr_sprintf() on an fstring - change to talloc. Jeremy. (This used to be commit 6cae4b5fa1bcb848cb2a28daaafeefd6bcd08274)
2007-11-28 09:22:35 +03:00
TALLOC_FREE(filter);
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ldap_count_entries(
smbldap_get_ldap(ldap_state->smbldap_state),
ldap_state->result)));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ldap_state->entry =
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ldap_state->result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_state->index = 0;
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
{
void function cannot return a value (besides the function called was a void) (This used to be commit 55681422e97ede0ff9446925c7678d6254b13878)
2003-03-20 01:38:37 +03:00
ldapsam_endsampwent(my_methods);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
GROUP_MAP *map)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)my_methods->private_data;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool bret = False;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
while (!bret) {
if (!ldap_state->entry)
return ret;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_state->index++;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
bret = init_group_from_ldap(ldap_state, map,
ldap_state->entry);
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ldap_state->entry = ldap_next_entry(
smbldap_get_ldap(ldap_state->smbldap_state),
ldap_state->entry);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
return NT_STATUS_OK;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *domsid, enum lsa_SidType sid_name_use,
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
GROUP_MAP ***pp_rmap,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
size_t *p_num_entries,
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool unix_only)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
GROUP_MAP *map = NULL;
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t entries = 0;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_entries = 0;
s3-passdb Initialise the correct level of pointer dereference *pp_rmap may be NULL or un-initialised data. This was introduced by 995d1567265be178b4e45f79ea4562a7041ffa52. Andrew Bartlett
2011-11-09 01:11:32 +04:00
*pp_rmap = NULL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open "
"passdb\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_ACCESS_DENIED;
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
}
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
while (true) {
map = talloc_zero(NULL, GROUP_MAP);
if (!map) {
return NT_STATUS_NO_MEMORY;
}
if (!NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, map))) {
TALLOC_FREE(map);
break;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (sid_name_use != SID_NAME_UNKNOWN &&
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
sid_name_use != map->sid_name_use) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
"not of the requested type\n",
map->nt_name));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
continue;
}
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
if (unix_only == ENUM_ONLY_MAPPED && map->gid == -1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
"non mapped\n", map->nt_name));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
continue;
}
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
*pp_rmap = talloc_realloc(NULL, *pp_rmap,
GROUP_MAP *, entries + 1);
r13915: Fixed a very interesting class of realloc() bugs found by Coverity. realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2006-03-07 09:31:04 +03:00
if (!(*pp_rmap)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_enum_group_mapping: Unable to "
"enlarge group map!\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
(*pp_rmap)[entries] = talloc_move((*pp_rmap), &map);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
entries += 1;
}
s3-group-mapping: Remove fstrings from GROUP_MAP. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
2011-09-27 01:55:47 +04:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldapsam_endsamgrent(methods);
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_entries = entries;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_OK;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *alias,
const struct dom_sid *member,
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
int modop)
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *dn = NULL;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int count;
LDAPMod **mods = NULL;
int rc;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_USE_NONE;
Replace sid_string_static with sid_to_string This adds 28 fstrings on the stack, but I think an fstring on the stack is still far better than a static one. (This used to be commit c7c885078be8fd3024c186044ac28275d7609679)
2007-12-16 00:00:39 +03:00
fstring tmp;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (sid_check_is_in_builtin(alias)) {
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
type = SID_NAME_ALIAS;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() This does not check whether the given sid is in our domain, but but whether it belongs to the local sam, which is a different thing on a domain member server. Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-12 18:00:59 +04:00
if (sid_check_is_in_our_sam(alias)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
type = SID_NAME_ALIAS;
}
if (type == SID_NAME_USE_NONE) {
DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(alias)));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return NT_STATUS_NO_SUCH_ALIAS;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (asprintf(&filter,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
"(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
type) < 0) {
return NT_STATUS_NO_MEMORY;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (ldapsam_search_one_group(ldap_state, filter,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
&result) != LDAP_SUCCESS) {
SAFE_FREE(filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
return NT_STATUS_NO_SUCH_ALIAS;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
result);
if (count < 1) {
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
return NT_STATUS_NO_SUCH_ALIAS;
}
if (count > 1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for "
"filter %s: count=%d\n", filter, count));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
return NT_STATUS_NO_SUCH_ALIAS;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(filter);
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
result);
if (!entry) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
dn = smbldap_talloc_dn(talloc_tos(),
smbldap_get_ldap(ldap_state->smbldap_state),
entry);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (!dn) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
smbldap_set_mod(&mods, modop,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_SID_LIST),
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
sid_to_fstring(tmp, member));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
ldap_mods_free(mods, True);
ldap_msgfree(result);
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(dn);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
return NT_STATUS_MEMBER_IN_ALIAS;
}
if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
return NT_STATUS_MEMBER_NOT_IN_ALIAS;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *alias,
const struct dom_sid *member)
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
}
static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *alias,
const struct dom_sid *member)
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
return ldapsam_modify_aliasmem(methods, alias, member,
LDAP_MOD_DELETE);
}
static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *alias,
Pass a talloc_ctx to pdb_enum_aliasmem
2009-06-08 21:43:01 +04:00
TALLOC_CTX *mem_ctx,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid **pp_members,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t *p_num_members)
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int count;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char **values = NULL;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
int i;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *filter = NULL;
s3-auth Change type of num_sids to uint32_t size_t is overkill here, and in struct security_token in the num_sids is uint32_t. This includes a change to the prototype of add_sid_to_array() and add_sid_to_array_unique(), which has had a number of consequnetial changes as I try to sort out all the callers using a pointer to the number of sids. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-26 14:54:13 +04:00
uint32_t num_members = 0;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_USE_NONE;
Replace sid_string_static with sid_to_string This adds 28 fstrings on the stack, but I think an fstring on the stack is still far better than a static one. (This used to be commit c7c885078be8fd3024c186044ac28275d7609679)
2007-12-16 00:00:39 +03:00
fstring tmp;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_members = NULL;
*p_num_members = 0;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (sid_check_is_in_builtin(alias)) {
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
type = SID_NAME_ALIAS;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() This does not check whether the given sid is in our domain, but but whether it belongs to the local sam, which is a different thing on a domain member server. Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-12 18:00:59 +04:00
if (sid_check_is_in_our_sam(alias)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
type = SID_NAME_ALIAS;
}
if (type == SID_NAME_USE_NONE) {
DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(alias)));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return NT_STATUS_NO_SUCH_ALIAS;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (asprintf(&filter,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
"(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
LDAP_OBJ_GROUPMAP, sid_to_fstring(tmp, alias),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
type) < 0) {
return NT_STATUS_NO_MEMORY;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (ldapsam_search_one_group(ldap_state, filter,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
&result) != LDAP_SUCCESS) {
SAFE_FREE(filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
return NT_STATUS_NO_SUCH_ALIAS;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
count = ldap_count_entries(smbldap_get_ldap(ldap_state->smbldap_state),
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
result);
if (count < 1) {
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
return NT_STATUS_NO_SUCH_ALIAS;
}
if (count > 1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for "
"filter %s: count=%d\n", filter, count));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
return NT_STATUS_NO_SUCH_ALIAS;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
SAFE_FREE(filter);
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
result);
if (!entry) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
values = ldap_get_values(smbldap_get_ldap(ldap_state->smbldap_state),
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_SID_LIST));
if (values == NULL) {
ldap_msgfree(result);
return NT_STATUS_OK;
}
count = ldap_count_values(values);
for (i=0; i<count; i++) {
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid member;
Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2008-01-09 02:11:31 +03:00
NTSTATUS status;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (!string_to_sid(&member, values[i]))
continue;
Pass a talloc_ctx to pdb_enum_aliasmem
2009-06-08 21:43:01 +04:00
status = add_sid_to_array(mem_ctx, &member, pp_members,
Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2008-01-09 02:11:31 +03:00
&num_members);
if (!NT_STATUS_IS_OK(status)) {
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
ldap_value_free(values);
ldap_msgfree(result);
Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2008-01-09 02:11:31 +03:00
return status;
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
}
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_members = num_members;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_value_free(values);
ldap_msgfree(result);
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2005-03-27 20:33:04 +04:00
TALLOC_CTX *mem_ctx,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *domain_sid,
const struct dom_sid *members,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t num_members,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t **pp_alias_rids,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t *p_num_alias_rids)
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
LDAP *ldap_struct;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
int i;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
int rc;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
char *filter;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_USE_NONE;
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
bool is_builtin = false;
bool sid_added = false;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
s3-pdb_ldap: Make ldapsam_alias_memberships behave like the tdbsam equivalent. This lets samr_GetAliasMembership return with NT_STATUS_OK when called with 0 sids (just what w2k3 does). Guenther
2009-08-03 18:28:59 +04:00
*pp_alias_rids = NULL;
*p_num_alias_rids = 0;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (sid_check_is_builtin(domain_sid)) {
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
is_builtin = true;
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
type = SID_NAME_ALIAS;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
s3: rename sid_check_is_domain() to sid_check_is_our_sam() This does not check whether the given sid is the domain sid, but whether it is the sid of the local sam, which is different for a domain member server.
2012-07-12 17:55:21 +04:00
if (sid_check_is_our_sam(domain_sid)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
type = SID_NAME_ALIAS;
}
if (type == SID_NAME_USE_NONE) {
DEBUG(5, ("SID %s is neither builtin nor domain!\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(domain_sid)));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
s3-pdb_ldap: Make ldapsam_alias_memberships behave like the tdbsam equivalent. This lets samr_GetAliasMembership return with NT_STATUS_OK when called with 0 sids (just what w2k3 does). Guenther
2009-08-03 18:28:59 +04:00
if (num_members == 0) {
return NT_STATUS_OK;
}
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
filter = talloc_asprintf(mem_ctx,
s3: change ldap filter to what really was intended
2010-02-10 15:48:11 +03:00
"(&(objectclass=%s)(sambaGroupType=%d)(|",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
LDAP_OBJ_GROUPMAP, type);
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
for (i=0; i<num_members; i++)
filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)",
filter,
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx,
&members[i]));
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
filter = talloc_asprintf(mem_ctx, "%s))", filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
if (is_builtin &&
ldap_state->search_cache.filter &&
strcmp(ldap_state->search_cache.filter, filter) == 0) {
filter = talloc_move(filter, &ldap_state->search_cache.filter);
result = ldap_state->search_cache.result;
ldap_state->search_cache.result = NULL;
} else {
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(talloc_tos()),
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(filter, result);
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ldap_struct = smbldap_get_ldap(ldap_state->smbldap_state);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
for (entry = ldap_first_entry(ldap_struct, result);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
entry != NULL;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
entry = ldap_next_entry(ldap_struct, entry))
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
fstring sid_str;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t rid;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
if (!smbldap_get_single_attribute(ldap_struct, entry,
LDAP_ATTRIBUTE_SID,
sid_str,
sizeof(sid_str)-1))
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
continue;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
if (!string_to_sid(&sid, sid_str))
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
continue;
r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2005-03-27 20:33:04 +04:00
if (!sid_peek_check_rid(domain_sid, &sid, &rid))
continue;
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
sid_added = true;
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids,
p_num_alias_rids)) {
return NT_STATUS_NO_MEMORY;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
}
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
if (!is_builtin && !sid_added) {
TALLOC_FREE(ldap_state->search_cache.filter);
/*
* Note: result is a talloc child of filter because of the
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
* smbldap_talloc_autofree_ldapmsg() usage
s3:pdb_ldap: optimize ldapsam_alias_memberships() and cache ldap searches. ldapsam_alias_memberships() does the same LDAP search twice, triggered via add_aliases() from create_local_nt_token(). This happens when no domain aliases are used. metze
2010-02-03 13:32:41 +03:00
*/
ldap_state->search_cache.filter = talloc_move(ldap_state, &filter);
ldap_state->search_cache.result = result;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
return NT_STATUS_OK;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_set_account_policy_in_ldap(struct pdb_methods *methods,
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
enum pdb_policy_type type,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t value)
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
{
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
int rc;
LDAPMod **mods = NULL;
fstring value_string;
const char *policy_attr = NULL;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151)
2005-12-20 18:10:41 +03:00
DEBUG(10,("ldapsam_set_account_policy_in_ldap\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (!ldap_state->domain_dn) {
return NT_STATUS_INVALID_PARAMETER;
}
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
policy_attr = get_account_policy_attr(type);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (policy_attr == NULL) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_set_account_policy_in_ldap: invalid "
"policy\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
slprintf(value_string, sizeof(value_string) - 1, "%i", value);
smbldap_set_mod(&mods, LDAP_MOD_REPLACE, policy_attr, value_string);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_modify(ldap_state->smbldap_state, ldap_state->domain_dn,
mods);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
return ntstatus;
}
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
if (!cache_account_policy_set(type, value)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_set_account_policy_in_ldap: failed to "
"update local tdb cache\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
return NT_STATUS_OK;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods,
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
enum pdb_policy_type type,
uint32_t value)
r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151)
2005-12-20 18:10:41 +03:00
{
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
return ldapsam_set_account_policy_in_ldap(methods, type,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
value);
r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151)
2005-12-20 18:10:41 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods,
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
enum pdb_policy_type type,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t *value)
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
{
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int count;
int rc;
char **vals = NULL;
ѕ3:ldap: search for account policies in objectclass sambaDomain, not *
2009-10-30 23:50:41 +03:00
char *filter;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
const char *policy_attr = NULL;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
const char *attrs[2];
DEBUG(10,("ldapsam_get_account_policy_from_ldap\n"));
if (!ldap_state->domain_dn) {
return NT_STATUS_INVALID_PARAMETER;
}
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
policy_attr = get_account_policy_attr(type);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (!policy_attr) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_get_account_policy_from_ldap: invalid "
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
"policy index: %d\n", type));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
attrs[0] = policy_attr;
attrs[1] = NULL;
s3-pdb_ldap: fix memleak. Guenther
2010-04-29 02:52:17 +04:00
filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)", LDAP_OBJ_DOMINFO);
ѕ3:ldap: search for account policies in objectclass sambaDomain, not *
2009-10-30 23:50:41 +03:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
ѕ3:ldap: search for account policies in objectclass sambaDomain, not *
2009-10-30 23:50:41 +03:00
LDAP_SCOPE_BASE, filter, attrs, 0,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
&result);
s3-pdb_ldap: fix memleak. Guenther
2010-04-29 02:52:17 +04:00
TALLOC_FREE(filter);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (rc != LDAP_SUCCESS) {
return ntstatus;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
count = ldap_count_entries(priv2ld(ldap_state), result);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (count < 1) {
goto out;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_first_entry(priv2ld(ldap_state), result);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (entry == NULL) {
goto out;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
vals = ldap_get_values(priv2ld(ldap_state), entry, policy_attr);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (vals == NULL) {
goto out;
}
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
*value = (uint32_t)atol(vals[0]);
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
ntstatus = NT_STATUS_OK;
out:
if (vals)
ldap_value_free(vals);
ldap_msgfree(result);
return ntstatus;
}
/* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
- if user hasn't decided to use account policies inside LDAP just reuse the
old tdb values
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
- if there is a valid cache entry, return that
- if there is an LDAP entry, update cache and return
- otherwise set to default, update cache and return
Guenther
*/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods,
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
enum pdb_policy_type type,
uint32_t *value)
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
{
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
if (cache_account_policy_get(type, value)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(11,("ldapsam_get_account_policy: got valid value from "
"cache\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return NT_STATUS_OK;
}
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
ntstatus = ldapsam_get_account_policy_from_ldap(methods, type,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
value);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (NT_STATUS_IS_OK(ntstatus)) {
goto update_cache;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(10,("ldapsam_get_account_policy: failed to retrieve from "
"ldap\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
#if 0
/* should we automagically migrate old tdb value here ? */
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
if (account_policy_get(type, value))
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
goto update_ldap;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(10,("ldapsam_get_account_policy: no tdb for %d, trying "
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
"default\n", type));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
#endif
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
if (!account_policy_get_default(type, value)) {
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
/* update_ldap: */
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
ntstatus = ldapsam_set_account_policy(methods, type, *value);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (!NT_STATUS_IS_OK(ntstatus)) {
return ntstatus;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
update_cache:
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
s3-account_policy: add pdb_policy_type enum. Guenther
2009-07-14 01:53:49 +04:00
if (!cache_account_policy_set(type, *value)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_get_account_policy: failed to update local "
"tdb as a cache\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *domain_sid,
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
int num_rids,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t *rids,
r11922: Looks bigger than it is: There's no point in allocating arrays in samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2005-11-27 01:04:28 +03:00
const char **names,
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType *attrs)
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *msg = NULL;
LDAPMessage *entry;
char *allsids = NULL;
int i, rc, num_mapped;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
NTSTATUS result = NT_STATUS_NO_MEMORY;
TALLOC_CTX *mem_ctx;
LDAP *ld;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool is_builtin;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!sid_check_is_builtin(domain_sid) &&
s3: rename sid_check_is_domain() to sid_check_is_our_sam() This does not check whether the given sid is the domain sid, but whether it is the sid of the local sam, which is different for a domain member server.
2012-07-12 17:55:21 +04:00
!sid_check_is_our_sam(domain_sid)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = NT_STATUS_INVALID_PARAMETER;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
goto done;
}
s3-samr: fix return code of _samr_LookupRids when run with pdb_ldap. when _samr_LookupRids is called with no rids, it needs to return NT_STATUS_NONE_MAPPED (not NT_STATUS_NO_MEMORY). Found by RPC-SAMR torture test. Guenther
2009-06-07 04:02:26 +04:00
if (num_rids == 0) {
result = NT_STATUS_NONE_MAPPED;
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
for (i=0; i<num_rids; i++)
r11922: Looks bigger than it is: There's no point in allocating arrays in samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2005-11-27 01:04:28 +03:00
attrs[i] = SID_NAME_UNKNOWN;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
allsids = talloc_strdup(mem_ctx, "");
if (allsids == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
for (i=0; i<num_rids; i++) {
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&sid, domain_sid, rids[i]);
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit 0a911d38b8f4be382a9df60f9c6de0c500464b3a)
2007-12-15 23:49:15 +03:00
allsids = talloc_asprintf_append_buffer(
allsids, "(sambaSid=%s)",
sid_string_talloc(mem_ctx, &sid));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (allsids == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
}
/* First look for users */
{
char *filter;
const char *ldap_attrs[] = { "uid", "sambaSid", NULL };
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
mem_ctx, ("(&(objectClass=%s)(|%s))"),
LDAP_OBJ_SAMBASAMACCOUNT, allsids);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
rc = smbldap_search(ldap_state->smbldap_state,
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
lp_ldap_user_suffix(talloc_tos()),
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
&msg);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
}
if (rc != LDAP_SUCCESS)
goto done;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ld = smbldap_get_ldap(ldap_state->smbldap_state);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
num_mapped = 0;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
for (entry = ldap_first_entry(ld, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
entry != NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_next_entry(ld, entry)) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t rid;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
int rid_index;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *name;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
&rid)) {
DEBUG(2, ("Could not find sid from ldap entry\n"));
continue;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
name = smbldap_talloc_single_attribute(ld, entry, "uid",
names);
if (name == NULL) {
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
DEBUG(2, ("Could not retrieve uid attribute\n"));
continue;
}
for (rid_index = 0; rid_index < num_rids; rid_index++) {
if (rid == rids[rid_index])
break;
}
if (rid_index == num_rids) {
DEBUG(2, ("Got a RID not asked for: %d\n", rid));
continue;
}
r11922: Looks bigger than it is: There's no point in allocating arrays in samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2005-11-27 01:04:28 +03:00
attrs[rid_index] = SID_NAME_USER;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
names[rid_index] = name;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
num_mapped += 1;
}
if (num_mapped == num_rids) {
/* No need to look for groups anymore -- we're done */
result = NT_STATUS_OK;
goto done;
}
/* Same game for groups */
{
char *filter;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *ldap_attrs[] = { "cn", "displayName", "sambaSid",
"sambaGroupType", NULL };
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
mem_ctx, "(&(objectClass=%s)(|%s))",
LDAP_OBJ_GROUPMAP, allsids);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
rc = smbldap_search(ldap_state->smbldap_state,
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
lp_ldap_suffix(talloc_tos()),
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
&msg);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
}
if (rc != LDAP_SUCCESS)
goto done;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* ldap_struct might have changed due to a reconnect */
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ld = smbldap_get_ldap(ldap_state->smbldap_state);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* For consistency checks, we already checked we're only domain or builtin */
is_builtin = sid_check_is_builtin(domain_sid);
for (entry = ldap_first_entry(ld, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
entry != NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_next_entry(ld, entry))
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
{
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t rid;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
int rid_index;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *attr;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *dn = smbldap_talloc_dn(mem_ctx, ld, entry);
attr = smbldap_talloc_single_attribute(ld, entry, "sambaGroupType",
mem_ctx);
if (attr == NULL) {
DEBUG(2, ("Could not extract type from ldap entry %s\n",
dn));
continue;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
type = (enum lsa_SidType)atol(attr);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Consistency checks */
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
if ((is_builtin && (type != SID_NAME_ALIAS)) ||
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
(!is_builtin && ((type != SID_NAME_ALIAS) &&
(type != SID_NAME_DOM_GRP)))) {
DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
}
if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
&rid)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
continue;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
attr = smbldap_talloc_single_attribute(ld, entry, "displayName", names);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (attr == NULL) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(10, ("Could not retrieve 'displayName' attribute from %s\n",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
attr = smbldap_talloc_single_attribute(ld, entry, "cn", names);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
if (attr == NULL) {
DEBUG(2, ("Could not retrieve naming attribute from %s\n",
dn));
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
continue;
}
for (rid_index = 0; rid_index < num_rids; rid_index++) {
if (rid == rids[rid_index])
break;
}
if (rid_index == num_rids) {
DEBUG(2, ("Got a RID not asked for: %d\n", rid));
continue;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attrs[rid_index] = type;
names[rid_index] = attr;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
num_mapped += 1;
}
result = NT_STATUS_NONE_MAPPED;
if (num_mapped > 0)
result = (num_mapped == num_rids) ?
NT_STATUS_OK : STATUS_SOME_UNMAPPED;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
return result;
}
r13389: get_ldap_filter is only used once, make it static (This used to be commit d3b66fb8712e41a331ccfb0f52f187382769b41e)
2006-02-08 13:36:13 +03:00
static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
char *filter = NULL;
char *escaped = NULL;
char *result = NULL;
Fix more ‘asprintf’, declared with attribute warn_unused_result. Jeremy.
2008-12-23 21:42:25 +03:00
if (asprintf(&filter, "(&%s(objectclass=%s))",
"(uid=%u)", LDAP_OBJ_SAMBASAMACCOUNT) < 0) {
goto done;
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
escaped = escape_ldap_string(talloc_tos(), username);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (escaped == NULL) goto done;
r12313: Introduce yet another copy of the string_sub function: talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2005-12-18 21:06:15 +03:00
result = talloc_string_sub(mem_ctx, filter, "%u", username);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
done:
SAFE_FREE(filter);
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escaped);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return result;
}
s3: Make talloc_attrs() static
2010-07-05 14:36:19 +04:00
static const char **talloc_attrs(TALLOC_CTX *mem_ctx, ...)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
int i, num = 0;
va_list ap;
const char **result;
va_start(ap, mem_ctx);
while (va_arg(ap, const char *) != NULL)
num += 1;
va_end(ap);
s3-talloc Change TALLOC_ARRAY() to talloc_array() Using the standard macro makes it easier to move code into common, as TALLOC_ARRAY isn't standard talloc.
2011-06-07 05:30:12 +04:00
if ((result = talloc_array(mem_ctx, const char *, num+1)) == NULL) {
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
return NULL;
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
va_start(ap, mem_ctx);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
for (i=0; i<num; i++) {
result[i] = talloc_strdup(result, va_arg(ap, const char*));
if (result[i] == NULL) {
talloc_free(result);
Memory leaks and other fixes found by Coverity
2009-01-20 02:09:51 +03:00
va_end(ap);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
return NULL;
}
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
va_end(ap);
result[num] = NULL;
return result;
}
struct ldap_search_state {
struct smbldap_state *connection;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t acct_flags;
uint16_t group_type;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
const char *base;
int scope;
const char *filter;
const char **attrs;
int attrsonly;
void *pagedresults_cookie;
LDAPMessage *entries, *current_entry;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool (*ldap2displayentry)(struct ldap_search_state *state,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
TALLOC_CTX *mem_ctx,
LDAP *ld, LDAPMessage *entry,
struct samr_displayentry *result);
};
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_search_firstpage(struct pdb_search *search)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
r6748: With reconnects, state->connection->ldap_struct can change in smbldap_search and friends. This should be a fix for bug 2701. Thanks to jht for giving me access to his box! Volker (This used to be commit 85320c12578f183d4ed0450949e0aee8d020e036)
2005-05-12 12:33:27 +04:00
LDAP *ld;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
int rc = LDAP_OPERATIONS_ERROR;
state->entries = NULL;
if (state->connection->paged_results) {
rc = smbldap_search_paged(state->connection, state->base,
state->scope, state->filter,
state->attrs, state->attrsonly,
lp_ldap_page_size(), &state->entries,
&state->pagedresults_cookie);
}
if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) {
if (state->entries != NULL) {
/* Left over from unsuccessful paged attempt */
ldap_msgfree(state->entries);
state->entries = NULL;
}
rc = smbldap_search(state->connection, state->base,
state->scope, state->filter, state->attrs,
state->attrsonly, &state->entries);
if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
return False;
/* Ok, the server was lying. It told us it could do paged
* searches when it could not. */
state->connection->paged_results = False;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
ld = smbldap_get_ldap(state->connection);
r6748: With reconnects, state->connection->ldap_struct can change in smbldap_search and friends. This should be a fix for bug 2701. Thanks to jht for giving me access to his box! Volker (This used to be commit 85320c12578f183d4ed0450949e0aee8d020e036)
2005-05-12 12:33:27 +04:00
if ( ld == NULL) {
DEBUG(5, ("Don't have an LDAP connection right after a "
"search\n"));
return False;
}
state->current_entry = ldap_first_entry(ld, state->entries);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return True;
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_search_nextpage(struct pdb_search *search)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
int rc;
if (!state->connection->paged_results) {
/* There is no next page when there are no paged results */
return False;
}
rc = smbldap_search_paged(state->connection, state->base,
state->scope, state->filter, state->attrs,
state->attrsonly, lp_ldap_page_size(),
&state->entries,
&state->pagedresults_cookie);
if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
return False;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
state->current_entry = ldap_first_entry(
smbldap_get_ldap(state->connection), state->entries);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (state->current_entry == NULL) {
ldap_msgfree(state->entries);
state->entries = NULL;
s3:pdb_ldap: Fix large paged search. Fix bug #6981 (Paged Search with DirX LDAP server broken). (cherry picked from commit 0a3b576c0a4298cbe600ad8943e401e3a0639359)
2009-05-18 18:04:04 +04:00
return false;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
}
return True;
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_search_next_entry(struct pdb_search *search,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct samr_displayentry *entry)
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool result;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
retry:
if ((state->entries == NULL) && (state->pagedresults_cookie == NULL))
return False;
if ((state->entries == NULL) &&
!ldapsam_search_nextpage(search))
return False;
s3: Fix another aspect of bug 7262 and make paged results work again
2010-07-06 18:55:14 +04:00
if (state->current_entry == NULL) {
return false;
}
Shape up pdb_search a bit by making it a talloc ctx with a destructor
2009-02-12 19:48:52 +03:00
result = state->ldap2displayentry(state, search,
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(state->connection),
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->current_entry, entry);
if (!result) {
char *dn;
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
dn = ldap_get_dn(smbldap_get_ldap(state->connection),
state->current_entry);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>"));
if (dn != NULL) ldap_memfree(dn);
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
state->current_entry = ldap_next_entry(
smbldap_get_ldap(state->connection), state->current_entry);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (state->current_entry == NULL) {
ldap_msgfree(state->entries);
state->entries = NULL;
}
if (!result) goto retry;
return True;
}
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
static void ldapsam_search_end(struct pdb_search *search)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
int rc;
if (state->pagedresults_cookie == NULL)
return;
if (state->entries != NULL)
ldap_msgfree(state->entries);
state->entries = NULL;
state->current_entry = NULL;
if (!state->connection->paged_results)
return;
/* Tell the LDAP server we're not interested in the rest anymore. */
rc = smbldap_search_paged(state->connection, state->base, state->scope,
state->filter, state->attrs,
state->attrsonly, 0, &state->entries,
&state->pagedresults_cookie);
if (rc != LDAP_SUCCESS)
DEBUG(5, ("Could not end search properly\n"));
return;
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapuser2displayentry(struct ldap_search_state *state,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
TALLOC_CTX *mem_ctx,
LDAP *ld, LDAPMessage *entry,
struct samr_displayentry *result)
{
char **vals;
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
size_t converted_size;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t acct_flags;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
vals = ldap_get_values(ld, entry, "sambaAcctFlags");
if ((vals == NULL) || (vals[0] == NULL)) {
pdb_ldap: Do not skip accounts without a sambaAcctFlags value We allow this to mean a sambaAcctFlags value of zero in other parts of the code and by allowing these users to show up in a search, we can read and correct them during the classicupgrade, rather than not know they exist at all. Most parts of the code do not look for ACB_NORMAL, which is why these users appear to work. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-04-11 11:21:33 +04:00
acct_flags = ACB_NORMAL;
} else {
acct_flags = pdb_decode_acct_ctrl(vals[0]);
ldap_value_free(vals);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
}
if ((state->acct_flags != 0) &&
((state->acct_flags & acct_flags) == 0))
return False;
result->acct_flags = acct_flags;
result->account_name = "";
result->fullname = "";
result->description = "";
vals = ldap_get_values(ld, entry, "uid");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(5, ("\"uid\" not found\n"));
return False;
}
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
if (!pull_utf8_talloc(mem_ctx,
More const fixes. Remove CONST_DISCARD.
2011-05-06 03:19:49 +04:00
discard_const_p(char *, &result->account_name),
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
vals[0], &converted_size))
{
DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s",
strerror(errno)));
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
ldap_value_free(vals);
vals = ldap_get_values(ld, entry, "displayName");
if ((vals == NULL) || (vals[0] == NULL))
DEBUG(8, ("\"displayName\" not found\n"));
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
else if (!pull_utf8_talloc(mem_ctx,
More const fixes. Remove CONST_DISCARD.
2011-05-06 03:19:49 +04:00
discard_const_p(char *, &result->fullname),
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
vals[0], &converted_size))
{
DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s",
strerror(errno)));
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
ldap_value_free(vals);
vals = ldap_get_values(ld, entry, "description");
if ((vals == NULL) || (vals[0] == NULL))
DEBUG(8, ("\"description\" not found\n"));
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
else if (!pull_utf8_talloc(mem_ctx,
More const fixes. Remove CONST_DISCARD.
2011-05-06 03:19:49 +04:00
discard_const_p(char *, &result->description),
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
vals[0], &converted_size))
{
DEBUG(0,("ldapuser2displayentry: pull_utf8_talloc failed: %s",
strerror(errno)));
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
ldap_value_free(vals);
if ((result->account_name == NULL) ||
(result->fullname == NULL) ||
(result->description == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
vals = ldap_get_values(ld, entry, "sambaSid");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(0, ("\"objectSid\" not found\n"));
return False;
}
if (!string_to_sid(&sid, vals[0])) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
ldap_value_free(vals);
return False;
}
ldap_value_free(vals);
if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("sid %s does not belong to our domain\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&sid)));
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return False;
}
return True;
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_search_users(struct pdb_methods *methods,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct pdb_search *search,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t acct_flags)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct ldap_search_state *state;
Shape up pdb_search a bit by making it a talloc ctx with a destructor
2009-02-12 19:48:52 +03:00
state = talloc(search, struct ldap_search_state);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (state == NULL) {
DEBUG(0, ("talloc failed\n"));
return False;
}
state->connection = ldap_state->smbldap_state;
if ((acct_flags != 0) && ((acct_flags & ACB_NORMAL) != 0))
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
state->base = lp_ldap_user_suffix(talloc_tos());
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
else if ((acct_flags != 0) &&
r8542: - (re-)add better search-semantics: look for Interdomain trust accounts below the machine-suffix (this is where we create them)) to avoid digging through thousands of user-accounts just to find a handful of trust-accounts in the enumdomusers-samr-call. - don't access freed data in DEBUG-statement Guenther (This used to be commit 793c82c0172c4f834e43d04bf3f9d39858761e88)
2005-07-18 17:16:52 +04:00
((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
state->base = lp_ldap_machine_suffix(talloc_tos());
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
else
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
state->base = lp_ldap_suffix(talloc_tos());
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->acct_flags = acct_flags;
Shape up pdb_search a bit by making it a talloc ctx with a destructor
2009-02-12 19:48:52 +03:00
state->base = talloc_strdup(search, state->base);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->scope = LDAP_SCOPE_SUBTREE;
Shape up pdb_search a bit by making it a talloc ctx with a destructor
2009-02-12 19:48:52 +03:00
state->filter = get_ldap_filter(search, "*");
state->attrs = talloc_attrs(search, "uid", "sambaSid",
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
"displayName", "description",
"sambaAcctFlags", NULL);
state->attrsonly = 0;
state->pagedresults_cookie = NULL;
state->entries = NULL;
state->ldap2displayentry = ldapuser2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
r7882: Looks like a large patch - but what it actually does is make Samba safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2005-06-25 00:25:18 +04:00
search->private_data = state;
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
search->next_entry = ldapsam_search_next_entry;
search->search_end = ldapsam_search_end;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return ldapsam_search_firstpage(search);
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapgroup2displayentry(struct ldap_search_state *state,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
TALLOC_CTX *mem_ctx,
LDAP *ld, LDAPMessage *entry,
struct samr_displayentry *result)
{
char **vals;
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
size_t converted_size;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid sid;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint16_t group_type;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
result->account_name = "";
result->fullname = "";
result->description = "";
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
vals = ldap_get_values(ld, entry, "sambaGroupType");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(5, ("\"sambaGroupType\" not found\n"));
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
if (vals != NULL) {
ldap_value_free(vals);
}
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
return False;
}
group_type = atoi(vals[0]);
if ((state->group_type != 0) &&
((state->group_type != group_type))) {
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
ldap_value_free(vals);
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
return False;
}
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
ldap_value_free(vals);
r9660: real fix for group enumeration bug in 3.0.20; only affected the ldapsam code (This used to be commit 62f9fb5e3a9bce539c9fedc5fdec1b8741a922c7)
2005-08-26 22:57:32 +04:00
/* display name is the NT group name */
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
vals = ldap_get_values(ld, entry, "displayName");
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
if ((vals == NULL) || (vals[0] == NULL)) {
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
DEBUG(8, ("\"displayName\" not found\n"));
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
/* fallback to the 'cn' attribute */
vals = ldap_get_values(ld, entry, "cn");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(5, ("\"cn\" not found\n"));
return False;
}
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
if (!pull_utf8_talloc(mem_ctx,
More const fixes. Remove CONST_DISCARD.
2011-05-06 03:19:49 +04:00
discard_const_p(char *,
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
&result->account_name),
vals[0], &converted_size))
{
DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc "
"failed: %s", strerror(errno)));
}
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
}
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
else if (!pull_utf8_talloc(mem_ctx,
More const fixes. Remove CONST_DISCARD.
2011-05-06 03:19:49 +04:00
discard_const_p(char *,
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
&result->account_name),
vals[0], &converted_size))
{
DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc failed: %s",
strerror(errno)));
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
ldap_value_free(vals);
vals = ldap_get_values(ld, entry, "description");
if ((vals == NULL) || (vals[0] == NULL))
DEBUG(8, ("\"description\" not found\n"));
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
else if (!pull_utf8_talloc(mem_ctx,
More const fixes. Remove CONST_DISCARD.
2011-05-06 03:19:49 +04:00
discard_const_p(char *, &result->description),
Cleanup size_t return values in callers of convert_string_allocate This patch is the second iteration of an inside-out conversion to cleanup functions in charcnv.c returning size_t == -1 to indicate failure. (This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
2008-04-30 01:36:24 +04:00
vals[0], &converted_size))
{
DEBUG(0,("ldapgroup2displayentry: pull_utf8_talloc failed: %s",
strerror(errno)));
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
ldap_value_free(vals);
if ((result->account_name == NULL) ||
(result->fullname == NULL) ||
(result->description == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
vals = ldap_get_values(ld, entry, "sambaSid");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(0, ("\"objectSid\" not found\n"));
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
if (vals != NULL) {
ldap_value_free(vals);
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return False;
}
if (!string_to_sid(&sid, vals[0])) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
return False;
}
ldap_value_free(vals);
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
switch (group_type) {
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
&& !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("%s is not in our domain\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&sid)));
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
return False;
}
break;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
default:
Fix some types Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-03-01 00:04:29 +03:00
DEBUG(0,("unknown group type: %d\n", group_type));
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
return False;
}
Fix some uninitialized variable references via ndr_print (This used to be commit 26fb3fea812867f8b0dfe6a1be59e4922ed86e45)
2008-07-10 20:20:30 +04:00
result->acct_flags = 0;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return True;
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_search_grouptype(struct pdb_methods *methods,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct pdb_search *search,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *sid,
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct ldap_search_state *state;
Replace sid_string_static with sid_to_string This adds 28 fstrings on the stack, but I think an fstring on the stack is still far better than a static one. (This used to be commit c7c885078be8fd3024c186044ac28275d7609679)
2007-12-16 00:00:39 +03:00
fstring tmp;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
Shape up pdb_search a bit by making it a talloc ctx with a destructor
2009-02-12 19:48:52 +03:00
state = talloc(search, struct ldap_search_state);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (state == NULL) {
DEBUG(0, ("talloc failed\n"));
return False;
}
state->connection = ldap_state->smbldap_state;
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
state->base = lp_ldap_suffix(search);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->connection = ldap_state->smbldap_state;
state->scope = LDAP_SCOPE_SUBTREE;
Shape up pdb_search a bit by making it a talloc ctx with a destructor
2009-02-12 19:48:52 +03:00
state->filter = talloc_asprintf(search, "(&(objectclass=%s)"
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
"(sambaGroupType=%d)(sambaSID=%s*))",
LDAP_OBJ_GROUPMAP,
type, sid_to_fstring(tmp, sid));
Shape up pdb_search a bit by making it a talloc ctx with a destructor
2009-02-12 19:48:52 +03:00
state->attrs = talloc_attrs(search, "cn", "sambaSid",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
"displayName", "description",
"sambaGroupType", NULL);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->attrsonly = 0;
state->pagedresults_cookie = NULL;
state->entries = NULL;
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
state->group_type = type;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->ldap2displayentry = ldapgroup2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
r7882: Looks like a large patch - but what it actually does is make Samba safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2005-06-25 00:25:18 +04:00
search->private_data = state;
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
search->next_entry = ldapsam_search_next_entry;
search->search_end = ldapsam_search_end;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return ldapsam_search_firstpage(search);
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_search_groups(struct pdb_methods *methods,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct pdb_search *search)
{
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_search_aliases(struct pdb_methods *methods,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct pdb_search *search,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *sid)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
}
Turn the pdb_rid_algorithm into a capabilities call that returns flags
2009-06-28 19:36:12 +04:00
static uint32_t ldapsam_capabilities(struct pdb_methods *methods)
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
{
Turn the pdb_rid_algorithm into a capabilities call that returns flags
2009-06-28 19:36:12 +04:00
return PDB_CAP_STORE_RIDS;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
static NTSTATUS ldapsam_get_new_rid(struct ldapsam_privates *priv,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t *rid)
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
{
struct smbldap_state *smbldap_state = priv->smbldap_state;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
NTSTATUS status;
char *value;
int rc;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t nextRid = 0;
r15571: Fix Coverity bug #285 (This used to be commit 2cf503d7da08319f318217f6fe8f85c18bf0dffb)
2006-05-13 21:28:21 +04:00
const char *dn;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx;
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
}
status = smbldap_search_domain_info(smbldap_state, &result,
get_global_sam_name(), False);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not get domain info: %s\n",
nt_errstr(status)));
goto done;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_first_entry(priv2ld(priv), result);
if (entry == NULL) {
DEBUG(0, ("Could not get domain info entry\n"));
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
/* Find the largest of the three attributes "sambaNextRid",
"sambaNextGroupRid" and "sambaNextUserRid". I gave up on the
concept of differentiating between user and group rids, and will
use only "sambaNextRid" in the future. But for compatibility
reasons I look if others have chosen different strategies -- VL */
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextRid", mem_ctx);
if (value != NULL) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t tmp = (uint32_t)strtoul(value, NULL, 10);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
nextRid = MAX(nextRid, tmp);
}
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextUserRid", mem_ctx);
if (value != NULL) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t tmp = (uint32_t)strtoul(value, NULL, 10);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
nextRid = MAX(nextRid, tmp);
}
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextGroupRid", mem_ctx);
if (value != NULL) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t tmp = (uint32_t)strtoul(value, NULL, 10);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
nextRid = MAX(nextRid, tmp);
}
if (nextRid == 0) {
nextRid = BASE_RID-1;
}
nextRid += 1;
smbldap_make_mod(priv2ld(priv), entry, &mods, "sambaNextRid",
talloc_asprintf(mem_ctx, "%d", nextRid));
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(mem_ctx, mods);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
r15571: Fix Coverity bug #285 (This used to be commit 2cf503d7da08319f318217f6fe8f85c18bf0dffb)
2006-05-13 21:28:21 +04:00
if ((dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)) == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
rc = smbldap_modify(smbldap_state, dn, mods);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* ACCESS_DENIED is used as a placeholder for "the modify failed,
* please retry" */
status = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
done:
if (NT_STATUS_IS_OK(status)) {
*rid = nextRid;
}
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return status;
}
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
static NTSTATUS ldapsam_new_rid_internal(struct pdb_methods *methods, uint32_t *rid)
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
{
int i;
for (i=0; i<10; i++) {
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
NTSTATUS result = ldapsam_get_new_rid(
(struct ldapsam_privates *)methods->private_data, rid);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (NT_STATUS_IS_OK(result)) {
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
return result;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
if (!NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
return result;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
/* The ldap update failed (maybe a race condition), retry */
}
/* Tried 10 times, fail. */
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
return NT_STATUS_ACCESS_DENIED;
}
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
static bool ldapsam_new_rid(struct pdb_methods *methods, uint32_t *rid)
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
{
NTSTATUS result = ldapsam_new_rid_internal(methods, rid);
return NT_STATUS_IS_OK(result) ? True : False;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_sid_to_id(struct pdb_methods *methods,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *sid,
s3-passdb: Change pdb_sid_to_id() to return struct unixid This will make it easier to consistantly pass a struct unixid all the way up and down the idmap stack, and allow ID_TYPE_BOTH to be handled correctly. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-16 02:16:23 +04:00
struct unixid *id)
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldapsam_privates *priv =
(struct ldapsam_privates *)methods->private_data;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
char *filter;
const char *attrs[] = { "sambaGroupType", "gidNumber", "uidNumber",
NULL };
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool ret = False;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
char *value;
int rc;
TALLOC_CTX *mem_ctx;
s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id() Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 04:44:49 +04:00
ret = pdb_sid_to_id_unix_users_and_groups(sid, id);
if (ret == true) {
return true;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return False;
}
filter = talloc_asprintf(mem_ctx,
"(&(sambaSid=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(|(objectClass=%s)(objectClass=%s)))",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(mem_ctx, sid),
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
DEBUG(5, ("talloc_asprintf failed\n"));
goto done;
}
rc = smbldap_search_suffix(priv->smbldap_state, filter,
attrs, &result);
if (rc != LDAP_SUCCESS) {
goto done;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (ldap_count_entries(priv2ld(priv), result) != 1) {
DEBUG(10, ("Got %d entries, expected one\n",
ldap_count_entries(priv2ld(priv), result)));
goto done;
}
entry = ldap_first_entry(priv2ld(priv), result);
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaGroupType", mem_ctx);
if (value != NULL) {
const char *gid_str;
/* It's a group */
gid_str = smbldap_talloc_single_attribute(
priv2ld(priv), entry, "gidNumber", mem_ctx);
if (gid_str == NULL) {
DEBUG(1, ("%s has sambaGroupType but no gidNumber\n",
smbldap_talloc_dn(mem_ctx, priv2ld(priv),
entry)));
goto done;
}
s3-passdb: Change pdb_sid_to_id() to return struct unixid This will make it easier to consistantly pass a struct unixid all the way up and down the idmap stack, and allow ID_TYPE_BOTH to be handled correctly. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-16 02:16:23 +04:00
id->id = strtoul(gid_str, NULL, 10);
id->type = ID_TYPE_GID;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ret = True;
goto done;
}
/* It must be a user */
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"uidNumber", mem_ctx);
if (value == NULL) {
DEBUG(1, ("Could not find uidNumber in %s\n",
smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)));
goto done;
}
s3-passdb: Change pdb_sid_to_id() to return struct unixid This will make it easier to consistantly pass a struct unixid all the way up and down the idmap stack, and allow ID_TYPE_BOTH to be handled correctly. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-16 02:16:23 +04:00
id->id = strtoul(value, NULL, 10);
id->type = ID_TYPE_UID;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ret = True;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return ret;
}
s3: shortcut uid_to_sid when "ldapsam:trusted = yes" The normal uid_to_sid behaviour is to call sys_getpwuid() to get the name for the given uid and then call the getsampwnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the uid_to_sid operation to one simple search for the uidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. Michael
2009-11-16 13:37:18 +03:00
/**
* Find the SID for a uid.
* This is shortcut is only used if ldapsam:trusted is set to true.
*/
static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid *sid)
s3: shortcut uid_to_sid when "ldapsam:trusted = yes" The normal uid_to_sid behaviour is to call sys_getpwuid() to get the name for the given uid and then call the getsampwnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the uid_to_sid operation to one simple search for the uidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. Michael
2009-11-16 13:37:18 +03:00
{
struct ldapsam_privates *priv =
(struct ldapsam_privates *)methods->private_data;
char *filter;
const char *attrs[] = { "sambaSID", NULL };
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
bool ret = false;
char *user_sid_string;
s3: Remove some pointless uses of string_sid_talloc
2010-01-23 15:18:00 +03:00
struct dom_sid user_sid;
s3: shortcut uid_to_sid when "ldapsam:trusted = yes" The normal uid_to_sid behaviour is to call sys_getpwuid() to get the name for the given uid and then call the getsampwnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the uid_to_sid operation to one simple search for the uidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. Michael
2009-11-16 13:37:18 +03:00
int rc;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
filter = talloc_asprintf(tmp_ctx,
"(&(uidNumber=%u)"
"(objectClass=%s)"
"(objectClass=%s))",
(unsigned int)uid,
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
if (filter == NULL) {
DEBUG(3, ("talloc_asprintf failed\n"));
goto done;
}
rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
if (rc != LDAP_SUCCESS) {
goto done;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
s3: shortcut uid_to_sid when "ldapsam:trusted = yes" The normal uid_to_sid behaviour is to call sys_getpwuid() to get the name for the given uid and then call the getsampwnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the uid_to_sid operation to one simple search for the uidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. Michael
2009-11-16 13:37:18 +03:00
if (ldap_count_entries(priv2ld(priv), result) != 1) {
DEBUG(3, ("ERROR: Got %d entries for uid %u, expected one\n",
ldap_count_entries(priv2ld(priv), result),
(unsigned int)uid));
goto done;
}
entry = ldap_first_entry(priv2ld(priv), result);
user_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaSID", tmp_ctx);
if (user_sid_string == NULL) {
DEBUG(1, ("Could not find sambaSID in object '%s'\n",
smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry)));
goto done;
}
s3: Remove some pointless uses of string_sid_talloc
2010-01-23 15:18:00 +03:00
if (!string_to_sid(&user_sid, user_sid_string)) {
s3: shortcut uid_to_sid when "ldapsam:trusted = yes" The normal uid_to_sid behaviour is to call sys_getpwuid() to get the name for the given uid and then call the getsampwnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the uid_to_sid operation to one simple search for the uidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. Michael
2009-11-16 13:37:18 +03:00
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
user_sid_string));
goto done;
}
s3: Remove some pointless uses of string_sid_talloc
2010-01-23 15:18:00 +03:00
sid_copy(sid, &user_sid);
s3: shortcut uid_to_sid when "ldapsam:trusted = yes" The normal uid_to_sid behaviour is to call sys_getpwuid() to get the name for the given uid and then call the getsampwnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the uid_to_sid operation to one simple search for the uidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. Michael
2009-11-16 13:37:18 +03:00
ret = true;
done:
TALLOC_FREE(tmp_ctx);
return ret;
}
s3: shortcut gid_to_sid when "ldapsam:trusted = yes" The normal gid_to_sid behaviour is to call sys_getgrgid() to get the name for the given gid and then call the getsamgrnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the gid_to_sid operation to one simple search for the gidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. metze
2010-01-31 00:28:19 +03:00
/**
* Find the SID for a gid.
* This is shortcut is only used if ldapsam:trusted is set to true.
*/
static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid *sid)
s3: shortcut gid_to_sid when "ldapsam:trusted = yes" The normal gid_to_sid behaviour is to call sys_getgrgid() to get the name for the given gid and then call the getsamgrnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the gid_to_sid operation to one simple search for the gidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. metze
2010-01-31 00:28:19 +03:00
{
struct ldapsam_privates *priv =
(struct ldapsam_privates *)methods->private_data;
char *filter;
const char *attrs[] = { "sambaSID", NULL };
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
bool ret = false;
char *group_sid_string;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid group_sid;
s3: shortcut gid_to_sid when "ldapsam:trusted = yes" The normal gid_to_sid behaviour is to call sys_getgrgid() to get the name for the given gid and then call the getsamgrnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the gid_to_sid operation to one simple search for the gidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. metze
2010-01-31 00:28:19 +03:00
int rc;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
filter = talloc_asprintf(tmp_ctx,
"(&(gidNumber=%u)"
"(objectClass=%s))",
(unsigned int)gid,
LDAP_OBJ_GROUPMAP);
if (filter == NULL) {
DEBUG(3, ("talloc_asprintf failed\n"));
goto done;
}
rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
if (rc != LDAP_SUCCESS) {
goto done;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
s3: shortcut gid_to_sid when "ldapsam:trusted = yes" The normal gid_to_sid behaviour is to call sys_getgrgid() to get the name for the given gid and then call the getsamgrnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the gid_to_sid operation to one simple search for the gidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. metze
2010-01-31 00:28:19 +03:00
if (ldap_count_entries(priv2ld(priv), result) != 1) {
DEBUG(3, ("ERROR: Got %d entries for gid %u, expected one\n",
ldap_count_entries(priv2ld(priv), result),
(unsigned int)gid));
goto done;
}
entry = ldap_first_entry(priv2ld(priv), result);
group_sid_string = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaSID", tmp_ctx);
if (group_sid_string == NULL) {
DEBUG(1, ("Could not find sambaSID in object '%s'\n",
smbldap_talloc_dn(tmp_ctx, priv2ld(priv), entry)));
goto done;
}
if (!string_to_sid(&group_sid, group_sid_string)) {
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
group_sid_string));
goto done;
}
sid_copy(sid, &group_sid);
ret = true;
done:
TALLOC_FREE(tmp_ctx);
return ret;
}
idmap: unify passdb *id_to_sid methods Instead of passing down gid or uid, a pointer to a unixid is now sent down. This acts as an in-out variable so that the idmap functions can correctly receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720 Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066 Pair-programmed-with: Andrew Bartlett <abarlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-11-25 04:45:26 +03:00
static bool ldapsam_id_to_sid(struct pdb_methods *methods, struct unixid *id,
struct dom_sid *sid)
{
switch (id->type) {
case ID_TYPE_UID:
return ldapsam_uid_to_sid(methods, id->id, sid);
case ID_TYPE_GID:
return ldapsam_gid_to_sid(methods, id->id, sid);
default:
return false;
}
}
s3: shortcut uid_to_sid when "ldapsam:trusted = yes" The normal uid_to_sid behaviour is to call sys_getpwuid() to get the name for the given uid and then call the getsampwnam passdb method for the resulting name. In the ldapsam:trusted case we can reduce the uid_to_sid operation to one simple search for the uidNumber attribute and only get the sambaSID attribute from the correspoinding LDAP object. This reduces the number of ldap roundtrips for this operation. Michael
2009-11-16 13:37:18 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/*
s3:pdb_ldap: fix a comment typo Michael
2009-11-16 13:01:53 +03:00
* The following functions are called only if
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
* ldapsam:trusted and ldapsam:editposix are
* set to true
*/
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/*
* ldapsam_create_user creates a new
* posixAccount and sambaSamAccount object
* in the ldap users subtree
*
* The uid is allocated by winbindd.
*/
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx, const char *name,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t acb_info, uint32_t *rid)
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t num_result;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool is_machine = False;
bool add_posix = False;
passdb: Patch memory leak in pdb_ldap.c Moved the call to the talloc autofree function to as early a point as possible. init_ldap_from_sam() already calls smbldap_set_mod(), and there's a chance that the init will fail after having already allocated memory for &mods. Coverity-Id: 1167997 Change-Id: Ic26bfb3c530f90aa885e447b8409deba49708d64 Reviewed-by: Ira Cooper <ira@samba.org> Signed-off-by: Jose A. Rivera <jarrpa@redhat.com> Reviewed-by: Simo Sorce <idra@samba.org>
2014-02-18 17:35:37 +04:00
bool init_okay = False;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAPMod **mods = NULL;
struct samu *user;
char *filter;
char *username;
char *homedir;
char *gidstr;
char *uidstr;
char *shell;
const char *dn = NULL;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid group_sid;
struct dom_sid user_sid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
gid_t gid = -1;
uid_t uid = -1;
NTSTATUS ret;
int rc;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
if (((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
acb_info & ACB_WSTRUST ||
acb_info & ACB_SVRTRUST ||
acb_info & ACB_DOMTRUST) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
is_machine = True;
r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2005-01-26 02:30:05 +03:00
}
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
username = escape_ldap_string(talloc_tos(), name);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass=%s))",
username, LDAP_OBJ_POSIXACCOUNT);
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(username);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_user: ldap search failed!\n"));
Give a nice error message if trying to join with a non-privileged user (This used to be commit 347772fc39d9c7a96fcc72c9707696cc6abd89d7)
2008-07-10 12:47:46 +04:00
return NT_STATUS_ACCESS_DENIED;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (num_result > 1) {
DEBUG (0, ("ldapsam_create_user: More than one user with name [%s] ?!\n", name));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (num_result == 1) {
char *tmp;
/* check if it is just a posix account.
* or if there is a sid attached to this entry
*/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
if (tmp) {
DEBUG (1, ("ldapsam_create_user: The user [%s] already exist!\n", name));
return NT_STATUS_USER_EXISTS;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* it is just a posix account, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (num_result == 0) {
add_posix = True;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* Create the basic samu structure and generate the mods for the ldap commit */
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(1, ("ldapsam_create_user: Could not allocate a new RID\n"));
return ret;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&user_sid, get_global_sam_sid(), *rid);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
user = samu_new(tmp_ctx);
if (!user) {
DEBUG(1,("ldapsam_create_user: Unable to allocate user struct\n"));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!pdb_set_username(user, name, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_domain(user, get_global_sam_name(), PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
if (is_machine) {
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
if (acb_info & ACB_NORMAL) {
if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
} else {
if (!pdb_set_acct_ctrl(user, acb_info, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
} else {
if (!pdb_set_acct_ctrl(user, ACB_NORMAL | ACB_DISABLED, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
}
r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2006-02-12 00:27:08 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!pdb_set_user_sid(user, &user_sid, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2006-02-12 00:27:08 +03:00
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
passdb: Patch memory leak in pdb_ldap.c Moved the call to the talloc autofree function to as early a point as possible. init_ldap_from_sam() already calls smbldap_set_mod(), and there's a chance that the init will fail after having already allocated memory for &mods. Coverity-Id: 1167997 Change-Id: Ic26bfb3c530f90aa885e447b8409deba49708d64 Reviewed-by: Ira Cooper <ira@samba.org> Signed-off-by: Jose A. Rivera <jarrpa@redhat.com> Reviewed-by: Simo Sorce <idra@samba.org>
2014-02-18 17:35:37 +04:00
init_okay = init_ldap_from_sam(ldap_state, entry, &mods, user, pdb_element_is_set_or_changed);
if (!init_okay) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
pdb_ldap: Don't use autofree if "mods" still changes This will prevent some use-after-free's, potentially it might for example fix bugzilla 11851. Not directly related, but it's a crash related to ldap-backed user creation. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-04 12:51:33 +03:00
ldap_mods_free(mods, true);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return NT_STATUS_UNSUCCESSFUL;
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
if (ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT) {
DEBUG(1,("ldapsam_create_user: Unsupported schema version\n"));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (add_posix) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_name;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* retrieve the Domain Users group gid */
s3-rpc_misc: clean out include/rpc_misc.h. Well known rids don't really belong into an rpc header, just use the ones defined in security.idl. Guenther
2010-05-18 00:04:24 +04:00
if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_RID_USERS) ||
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
!sid_to_gid(&group_sid, &gid)) {
DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n"));
pdb_ldap: Don't use autofree if "mods" still changes This will prevent some use-after-free's, potentially it might for example fix bugzilla 11851. Not directly related, but it's a crash related to ldap-backed user creation. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-04 12:51:33 +03:00
ldap_mods_free(mods, true);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return NT_STATUS_INVALID_PRIMARY_GROUP;
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* lets allocate a new userid for this user */
if (!winbind_allocate_uid(&uid)) {
DEBUG (0, ("ldapsam_create_user: Unable to allocate a new user id: bailing out!\n"));
pdb_ldap: Don't use autofree if "mods" still changes This will prevent some use-after-free's, potentially it might for example fix bugzilla 11851. Not directly related, but it's a crash related to ldap-backed user creation. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-04 12:51:33 +03:00
ldap_mods_free(mods, true);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (is_machine) {
/* TODO: choose a more appropriate default for machines */
s3-lib: Add grpname to talloc_sub_specified(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-11-18 17:58:04 +04:00
homedir = talloc_sub_specified(tmp_ctx,
lp_template_homedir(),
"SMB_workstations_home",
NULL,
ldap_state->domain_name,
uid,
gid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
shell = talloc_strdup(tmp_ctx, "/bin/false");
} else {
s3-lib: Add grpname to talloc_sub_specified(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-11-18 17:58:04 +04:00
homedir = talloc_sub_specified(tmp_ctx,
lp_template_homedir(),
name,
NULL,
ldap_state->domain_name,
uid,
gid);
shell = talloc_sub_specified(tmp_ctx,
lp_template_shell(),
name,
NULL,
ldap_state->domain_name,
uid,
gid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
Fix the last few format arg missmatches I missed. Jeremy.
2009-05-12 21:38:00 +04:00
uidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)uid);
gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_name = escape_rdn_val_string_alloc(name);
if (!escape_name) {
DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
pdb_ldap: Don't use autofree if "mods" still changes This will prevent some use-after-free's, potentially it might for example fix bugzilla 11851. Not directly related, but it's a crash related to ldap-backed user creation. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-04 12:51:33 +03:00
ldap_mods_free(mods, true);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (is_machine) {
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_machine_suffix (talloc_tos()));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
} else {
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_user_suffix (talloc_tos()));
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
}
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
SAFE_FREE(escape_name);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!homedir || !shell || !uidstr || !gidstr || !dn) {
DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
pdb_ldap: Don't use autofree if "mods" still changes This will prevent some use-after-free's, potentially it might for example fix bugzilla 11851. Not directly related, but it's a crash related to ldap-backed user creation. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-04 12:51:33 +03:00
ldap_mods_free(mods, true);
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
return NT_STATUS_NO_MEMORY;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
passdb: Patch memory leak in pdb_ldap.c Moved the call to the talloc autofree function to as early a point as possible. init_ldap_from_sam() already calls smbldap_set_mod(), and there's a chance that the init will fail after having already allocated memory for &mods. Coverity-Id: 1167997 Change-Id: Ic26bfb3c530f90aa885e447b8409deba49708d64 Reviewed-by: Ira Cooper <ira@samba.org> Signed-off-by: Jose A. Rivera <jarrpa@redhat.com> Reviewed-by: Simo Sorce <idra@samba.org>
2014-02-18 17:35:37 +04:00
if (add_posix) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
} else {
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
}
pdb_ldap: Don't use autofree if "mods" still changes This will prevent some use-after-free's, potentially it might for example fix bugzilla 11851. Not directly related, but it's a crash related to ldap-backed user creation. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-04 12:51:33 +03:00
ldap_mods_free(mods, true);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] (dn = %s)\n", name ,dn));
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP database\n", name));
flush_pwnam_cache();
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_delete_user(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, struct samu *sam_acct)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int num_result;
const char *dn;
char *filter;
int rc;
DEBUG(0,("ldapsam_delete_user: Attempt to delete user [%s]\n", pdb_get_username(sam_acct)));
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(tmp_ctx,
"(&(uid=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
pdb_get_username(sam_acct),
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_delete_user: user search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(0,("ldapsam_delete_user: user not found!\n"));
return NT_STATUS_NO_SUCH_USER;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_delete_user: More than one user with name [%s] ?!\n", pdb_get_username(sam_acct)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* it is just a posix account, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_delete_user: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
s3-pdb_ldap: Fix bug #4296: Clean up group membership while deleting a user. Note that this only is tried with editposix=yes. Guenther
2009-06-24 02:33:44 +04:00
/* try to remove memberships first */
{
NTSTATUS status;
struct dom_sid *sids = NULL;
gid_t *gids = NULL;
s3:auth: change num_groups to from size_t to uint32_t This will help with the change from UNIX_USER_TOKEN to security_unix_token metze
2011-02-21 12:30:28 +03:00
uint32_t num_groups = 0;
s3-pdb_ldap: Fix bug #4296: Clean up group membership while deleting a user. Note that this only is tried with editposix=yes. Guenther
2009-06-24 02:33:44 +04:00
int i;
uint32_t user_rid = pdb_get_user_rid(sam_acct);
status = ldapsam_enum_group_memberships(my_methods,
tmp_ctx,
sam_acct,
&sids,
&gids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto delete_dn;
}
for (i=0; i < num_groups; i++) {
uint32_t group_rid;
sid_peek_rid(&sids[i], &group_rid);
ldapsam_del_groupmem(my_methods,
tmp_ctx,
group_rid,
user_rid);
}
}
delete_dn:
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_delete(ldap_state->smbldap_state, dn);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
flush_pwnam_cache();
return NT_STATUS_OK;
}
/*
* ldapsam_create_group creates a new
* posixGroup and sambaGroupMapping object
* in the ldap groups subtree
*
* The gid is allocated by winbindd.
*/
static NTSTATUS ldapsam_create_dom_group(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
const char *name,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t *rid)
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
NTSTATUS ret;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t num_result;
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool is_new_entry = False;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAPMod **mods = NULL;
char *filter;
char *groupsidstr;
char *groupname;
char *grouptype;
char *gidstr;
const char *dn = NULL;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid group_sid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
gid_t gid = -1;
int rc;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
groupname = escape_ldap_string(talloc_tos(), name);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass=%s))",
groupname, LDAP_OBJ_POSIXGROUP);
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(groupname);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_group: ldap search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result > 1) {
DEBUG (0, ("ldapsam_create_group: There exists more than one group with name [%s]: bailing out!\n", name));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (num_result == 1) {
char *tmp;
/* check if it is just a posix group.
* or if there is a sid attached to this entry
*/
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
if (tmp) {
DEBUG (1, ("ldapsam_create_group: The group [%s] already exist!\n", name));
return NT_STATUS_GROUP_EXISTS;
}
/* it is just a posix group, retrieve the gid and the dn for later use */
tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
if (!tmp) {
DEBUG (1, ("ldapsam_create_group: Couldn't retrieve the gidNumber for [%s]?!?!\n", name));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
gid = strtoul(tmp, NULL, 10);
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
}
if (num_result == 0) {
s3:pdb_ldap: move some code in ldapsam_create_dom_group() to make the flow more similar to ldapsam_create_user(). This prepares for calling winbind_sid_to_gid() instead of winbind_allocate_gid(): we need the group_sid for this... Michael
2009-01-22 14:01:16 +03:00
is_new_entry = true;
}
if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
DEBUG(1, ("ldapsam_create_group: Could not allocate a new RID\n"));
return ret;
}
sid_compose(&group_sid, get_global_sam_sid(), *rid);
groupsidstr = talloc_strdup(tmp_ctx, sid_string_talloc(tmp_ctx,
&group_sid));
grouptype = talloc_asprintf(tmp_ctx, "%d", SID_NAME_DOM_GRP);
if (!groupsidstr || !grouptype) {
DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", groupsidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", grouptype);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
if (is_new_entry) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_name;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(3,("ldapsam_create_user: Creating new posix group\n"));
/* lets allocate a new groupid for this group */
if (!winbind_allocate_gid(&gid)) {
DEBUG (0, ("ldapsam_create_group: Unable to allocate a new group id: bailing out!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
Fix the last few format arg missmatches I missed. Jeremy.
2009-05-12 21:38:00 +04:00
gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_name = escape_rdn_val_string_alloc(name);
if (!escape_name) {
DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 09:37:23 +04:00
dn = talloc_asprintf(tmp_ctx, "cn=%s,%s", escape_name, lp_ldap_group_suffix(talloc_tos()));
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
SAFE_FREE(escape_name);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!gidstr || !dn) {
DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (is_new_entry) {
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
#if 0
if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
/* This call may fail with rfc2307bis schema */
/* Retry adding a structural class */
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "????");
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
}
#endif
} else {
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
}
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_group: failed to create a new group [%s] (dn = %s)\n", name ,dn));
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2,("ldapsam_create_group: added group [%s] in the LDAP database\n", name));
return NT_STATUS_OK;
}
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
static NTSTATUS ldapsam_delete_dom_group(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, uint32_t rid)
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int num_result;
const char *dn;
char *gidstr;
char *filter;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid group_sid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
int rc;
/* get the group sid */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&group_sid, get_global_sam_sid(), rid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(tmp_ctx, &group_sid),
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_POSIXGROUP,
LDAP_OBJ_GROUPMAP);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_delete_dom_group: group search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(1,("ldapsam_delete_dom_group: group not found!\n"));
return NT_STATUS_NO_SUCH_GROUP;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_delete_dom_group: More than one group with the same SID ?!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* here it is, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_delete_dom_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
if (!gidstr) {
DEBUG (0, ("ldapsam_delete_dom_group: Unable to find the group's gid!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* check no user have this group marked as primary group */
filter = talloc_asprintf(tmp_ctx,
"(&(gidNumber=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
gidstr,
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_delete_dom_group: accounts search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result != 0) {
DEBUG(3,("ldapsam_delete_dom_group: Can't delete group, it is a primary group for %d users\n", num_result));
return NT_STATUS_MEMBERS_PRIMARY_GROUP;
}
rc = smbldap_delete(ldap_state->smbldap_state, dn);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_change_groupmem(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t group_rid,
uint32_t member_rid,
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
int modop)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t num_result;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAPMod **mods = NULL;
char *filter;
char *uidstr;
const char *dn = NULL;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid group_sid;
struct dom_sid member_sid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
int rc;
switch (modop) {
case LDAP_MOD_ADD:
DEBUG(1,("ldapsam_change_groupmem: add new member(rid=%d) to a domain group(rid=%d)", member_rid, group_rid));
break;
case LDAP_MOD_DELETE:
DEBUG(1,("ldapsam_change_groupmem: delete member(rid=%d) from a domain group(rid=%d)", member_rid, group_rid));
break;
default:
return NT_STATUS_UNSUCCESSFUL;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* get member sid */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&member_sid, get_global_sam_sid(), member_rid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* get the group sid */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&group_sid, get_global_sam_sid(), group_rid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(tmp_ctx, &member_sid),
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* get the member uid */
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_change_groupmem: member search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(1,("ldapsam_change_groupmem: member not found!\n"));
return NT_STATUS_NO_SUCH_MEMBER;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_change_groupmem: More than one account with the same SID ?!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
if (modop == LDAP_MOD_DELETE) {
/* check if we are trying to remove the member from his primary group */
char *gidstr;
gid_t user_gid, group_gid;
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
if (!gidstr) {
DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's gid!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
user_gid = strtoul(gidstr, NULL, 10);
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!sid_to_gid(&group_sid, &group_gid)) {
DEBUG (0, ("ldapsam_change_groupmem: Unable to get group gid from SID!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
if (user_gid == group_gid) {
Fix bug 5055 (This used to be commit 8bcd2df841bae63e7d58c35d4728b7d853471697)
2007-11-26 17:28:13 +03:00
DEBUG (3, ("ldapsam_change_groupmem: can't remove user from its own primary group!\n"));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return NT_STATUS_MEMBERS_PRIMARY_GROUP;
}
}
/* here it is, retrieve the uid for later use */
uidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "uid", tmp_ctx);
if (!uidstr) {
DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's name!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-12-15 23:10:58 +03:00
sid_string_talloc(tmp_ctx, &group_sid),
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_POSIXGROUP,
LDAP_OBJ_GROUPMAP);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* get the group */
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_change_groupmem: group search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(1,("ldapsam_change_groupmem: group not found!\n"));
return NT_STATUS_NO_SUCH_GROUP;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_change_groupmem: More than one group with the same SID ?!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* here it is, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_change_groupmem: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
smbldap_set_mod(&mods, modop, "memberUid", uidstr);
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(tmp_ctx, mods);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
if (rc != LDAP_SUCCESS) {
if (rc == LDAP_TYPE_OR_VALUE_EXISTS && modop == LDAP_MOD_ADD) {
DEBUG(1,("ldapsam_change_groupmem: member is already in group, add failed!\n"));
return NT_STATUS_MEMBER_IN_GROUP;
}
if (rc == LDAP_NO_SUCH_ATTRIBUTE && modop == LDAP_MOD_DELETE) {
DEBUG(1,("ldapsam_change_groupmem: member is not in group, delete failed!\n"));
return NT_STATUS_MEMBER_NOT_IN_GROUP;
}
return NT_STATUS_UNSUCCESSFUL;
}
Fix some nonempty blank lines
2009-05-31 13:14:06 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_add_groupmem(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t group_rid,
uint32_t member_rid)
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
{
return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_ADD);
}
static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t group_rid,
uint32_t member_rid)
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
{
return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_DELETE);
}
static NTSTATUS ldapsam_set_primary_group(struct pdb_methods *my_methods,
TALLOC_CTX *mem_ctx,
struct samu *sampass)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t num_result;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAPMod **mods = NULL;
char *filter;
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_username;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
char *gidstr;
const char *dn = NULL;
gid_t gid;
int rc;
DEBUG(0,("ldapsam_set_primary_group: Attempt to set primary group for user [%s]\n", pdb_get_username(sampass)));
if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) {
Fix typo. retieve -> retrieve Karolin (This used to be commit 37c64130701ab13b6f34998ac17fec2d128c2e08)
2008-07-14 18:40:36 +04:00
DEBUG(0,("ldapsam_set_primary_group: failed to retrieve gid from user's group SID!\n"));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
Fix the last few format arg missmatches I missed. Jeremy.
2009-05-12 21:38:00 +04:00
gidstr = talloc_asprintf(mem_ctx, "%u", (unsigned int)gid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!gidstr) {
DEBUG(0,("ldapsam_set_primary_group: Out of Memory!\n"));
return NT_STATUS_NO_MEMORY;
}
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
escape_username = escape_ldap_string(talloc_tos(),
pdb_get_username(sampass));
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
if (escape_username== NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(mem_ctx,
"(&(uid=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_username,
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
Make escape_ldap_string take a talloc context
2009-07-10 00:03:52 +04:00
TALLOC_FREE(escape_username);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_set_primary_group: user search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(0,("ldapsam_set_primary_group: user not found!\n"));
return NT_STATUS_NO_SUCH_USER;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_set_primary_group: More than one user with name [%s] ?!\n", pdb_get_username(sampass)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* retrieve the dn for later use */
dn = smbldap_talloc_dn(mem_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_set_primary_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
/* remove the old one, and add the new one, this way we do not risk races */
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "gidNumber", gidstr);
if (mods == NULL) {
return NT_STATUS_OK;
}
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_set_primary_group: failed to modify [%s] primary group to [%s]\n",
pdb_get_username(sampass), gidstr));
return NT_STATUS_UNSUCCESSFUL;
}
flush_pwnam_cache();
return NT_STATUS_OK;
}
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
/**********************************************************************
trusted domains functions
*********************************************************************/
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
static char *trusteddom_dn(struct ldapsam_privates *ldap_state,
const char *domain)
{
return talloc_asprintf(talloc_tos(), "sambaDomainName=%s,%s", domain,
ldap_state->domain_dn);
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool get_trusteddom_pw_int(struct ldapsam_privates *ldap_state,
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
TALLOC_CTX *mem_ctx,
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
const char *domain, LDAPMessage **entry)
{
int rc;
char *filter;
int scope = LDAP_SCOPE_SUBTREE;
const char **attrs = NULL; /* NULL: get all attrs */
int attrsonly = 0; /* 0: return values too */
LDAPMessage *result = NULL;
char *trusted_dn;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t num_result;
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
filter = talloc_asprintf(talloc_tos(),
"(&(objectClass=%s)(sambaDomainName=%s))",
LDAP_OBJ_TRUSTDOM_PASSWORD, domain);
trusted_dn = trusteddom_dn(ldap_state, domain);
if (trusted_dn == NULL) {
return False;
}
rc = smbldap_search(ldap_state->smbldap_state, trusted_dn, scope,
filter, attrs, attrsonly, &result);
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
if (result != NULL) {
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
}
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
if (rc == LDAP_NO_SUCH_OBJECT) {
*entry = NULL;
return True;
}
if (rc != LDAP_SUCCESS) {
return False;
}
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result > 1) {
DEBUG(1, ("ldapsam_get_trusteddom_pw: more than one "
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
"%s object for domain '%s'?!\n",
LDAP_OBJ_TRUSTDOM_PASSWORD, domain));
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
return False;
}
if (num_result == 0) {
DEBUG(1, ("ldapsam_get_trusteddom_pw: no "
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
"%s object for domain %s.\n",
LDAP_OBJ_TRUSTDOM_PASSWORD, domain));
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
*entry = NULL;
} else {
*entry = ldap_first_entry(priv2ld(ldap_state), result);
}
return True;
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_get_trusteddom_pw(struct pdb_methods *methods,
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
const char *domain,
char** pwd,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid *sid,
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
time_t *pass_last_set_time)
{
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *entry = NULL;
DEBUG(10, ("ldapsam_get_trusteddom_pw called for domain %s\n", domain));
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry) ||
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
(entry == NULL))
{
return False;
}
/* password */
if (pwd != NULL) {
char *pwd_str;
pwd_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
entry, "sambaClearTextPassword", talloc_tos());
if (pwd_str == NULL) {
return False;
}
/* trusteddom_pw routines do not use talloc yet... */
*pwd = SMB_STRDUP(pwd_str);
if (*pwd == NULL) {
return False;
}
}
/* last change time */
if (pass_last_set_time != NULL) {
char *time_str;
time_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
entry, "sambaPwdLastSet", talloc_tos());
if (time_str == NULL) {
return False;
}
*pass_last_set_time = (time_t)atol(time_str);
}
/* domain sid */
if (sid != NULL) {
char *sid_str;
s3: Remove some pointless uses of string_sid_talloc
2010-01-23 15:18:00 +03:00
struct dom_sid dom_sid;
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
sid_str = smbldap_talloc_single_attribute(priv2ld(ldap_state),
entry, "sambaSID",
talloc_tos());
if (sid_str == NULL) {
return False;
}
s3: Remove some pointless uses of string_sid_talloc
2010-01-23 15:18:00 +03:00
if (!string_to_sid(&dom_sid, sid_str)) {
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
return False;
}
s3: Remove some pointless uses of string_sid_talloc
2010-01-23 15:18:00 +03:00
sid_copy(sid, &dom_sid);
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
}
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
return True;
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_set_trusteddom_pw(struct pdb_methods *methods,
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
const char* domain,
const char* pwd,
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
const struct dom_sid *sid)
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
{
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
char *prev_pwd = NULL;
char *trusted_dn = NULL;
int rc;
DEBUG(10, ("ldapsam_set_trusteddom_pw called for domain %s\n", domain));
/*
* get the current entry (if there is one) in order to put the
* current password into the previous password attribute
*/
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry)) {
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
return False;
}
mods = NULL;
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
Use LDAP macros instead of attribute names. Karolin (This used to be commit 7dae8b04f126d0ac86a452dcf373a690ee687ead)
2008-07-18 15:15:05 +04:00
LDAP_OBJ_TRUSTDOM_PASSWORD);
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaDomainName",
domain);
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaSID",
sid_string_tos(sid));
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "sambaPwdLastSet",
Fix printf warnings found on systems where time_t <> long int. Jeremy.
2009-02-20 00:36:20 +03:00
talloc_asprintf(talloc_tos(), "%li", (long int)time(NULL)));
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
"sambaClearTextPassword", pwd);
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
if (entry != NULL) {
prev_pwd = smbldap_talloc_single_attribute(priv2ld(ldap_state),
entry, "sambaClearTextPassword", talloc_tos());
if (prev_pwd != NULL) {
smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
"sambaPreviousClearTextPassword",
prev_pwd);
}
}
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmod(talloc_tos(), mods);
s3-pdb_ldap: fix crash bug in ldapsam_set_trusteddom_pw(). Thanks Volker for the hint. Guenther
2009-10-20 20:35:16 +04:00
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
trusted_dn = trusteddom_dn(ldap_state, domain);
if (trusted_dn == NULL) {
return False;
}
if (entry == NULL) {
rc = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
} else {
rc = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
}
if (rc != LDAP_SUCCESS) {
DEBUG(1, ("error writing trusted domain password!\n"));
return False;
}
return True;
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
}
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
static bool ldapsam_del_trusteddom_pw(struct pdb_methods *methods,
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
const char *domain)
{
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
int rc;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *entry = NULL;
const char *trusted_dn;
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
if (!get_trusteddom_pw_int(ldap_state, talloc_tos(), domain, &entry)) {
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
return False;
}
if (entry == NULL) {
DEBUG(5, ("ldapsam_del_trusteddom_pw: no such trusted domain: "
"%s\n", domain));
return True;
}
trusted_dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state),
entry);
if (trusted_dn == NULL) {
DEBUG(0,("ldapsam_del_trusteddom_pw: Out of memory!\n"));
return False;
}
rc = smbldap_delete(ldap_state->smbldap_state, trusted_dn);
if (rc != LDAP_SUCCESS) {
return False;
}
return True;
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
}
static NTSTATUS ldapsam_enum_trusteddoms(struct pdb_methods *methods,
TALLOC_CTX *mem_ctx,
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t *num_domains,
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
struct trustdom_info ***domains)
{
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
int rc;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
char *filter;
int scope = LDAP_SCOPE_SUBTREE;
const char *attrs[] = { "sambaDomainName", "sambaSID", NULL };
int attrsonly = 0; /* 0: return values too */
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
LDAP_OBJ_TRUSTDOM_PASSWORD);
rc = smbldap_search(ldap_state->smbldap_state,
ldap_state->domain_dn,
scope,
filter,
attrs,
attrsonly,
&result);
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
if (result != NULL) {
s3-smbldap: use smbldap_ prefixed functions
2012-09-06 19:53:00 +04:00
smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
Fix some memleaks regarding trustdom passwords (This used to be commit 3d2913d599a4cd773614110ec7b7493aa7adb547)
2008-07-10 20:21:03 +04:00
}
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
*num_domains = 0;
s3-talloc Change TALLOC_ARRAY() to talloc_array() Using the standard macro makes it easier to move code into common, as TALLOC_ARRAY isn't standard talloc.
2011-06-07 05:30:12 +04:00
if (!(*domains = talloc_array(mem_ctx, struct trustdom_info *, 1))) {
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
for (entry = ldap_first_entry(priv2ld(ldap_state), result);
entry != NULL;
entry = ldap_next_entry(priv2ld(ldap_state), entry))
{
char *dom_name, *dom_sid_str;
struct trustdom_info *dom_info;
s3-talloc Change TALLOC_P() to talloc() Using the standard macro makes it easier to move code into common, as TALLOC_P isn't standard talloc.
2011-06-07 05:38:41 +04:00
dom_info = talloc(*domains, struct trustdom_info);
r25092: Add support for storing trusted domain passwords in LDAP for passdb backend = ldapsam. Along with reproducing the functionality of the secrets.tdb code, I have prepared the handling of the previous trust password (in case we are contacting a dc which does not yet know of a recent password change). This information has still to be propagated to the outside, but this requires a change of the api and also a change of the secrets.tdb code. Michael (This used to be commit 6c3c20e6c4a2b04de8111f2c79b431f0775c2a0f)
2007-09-11 20:50:32 +04:00
if (dom_info == NULL) {
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
dom_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
entry,
"sambaDomainName",
talloc_tos());
if (dom_name == NULL) {
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
dom_info->name = dom_name;
dom_sid_str = smbldap_talloc_single_attribute(
priv2ld(ldap_state), entry, "sambaSID",
talloc_tos());
if (dom_sid_str == NULL) {
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
if (!string_to_sid(&dom_info->sid, dom_sid_str)) {
DEBUG(1, ("Error calling string_to_sid on SID %s\n",
dom_sid_str));
return NT_STATUS_UNSUCCESSFUL;
}
ADD_TO_ARRAY(*domains, struct trustdom_info *, dom_info,
domains, num_domains);
if (*domains == NULL) {
DEBUG(1, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
}
DEBUG(5, ("ldapsam_enum_trusteddoms: got %d domains\n", *num_domains));
return NT_STATUS_OK;
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/**********************************************************************
Housekeeping
*********************************************************************/
static void free_private_data(void **vp)
{
struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
smbldap_free_struct(&(*ldap_state)->smbldap_state);
if ((*ldap_state)->result != NULL) {
ldap_msgfree((*ldap_state)->result);
(*ldap_state)->result = NULL;
}
if ((*ldap_state)->domain_dn != NULL) {
SAFE_FREE((*ldap_state)->domain_dn);
}
*ldap_state = NULL;
/* No need to free any further, as it is talloc()ed */
}
/*********************************************************************
Intitalise the parts of the pdb_methods structure that are common to
all pdb_ldap modes
*********************************************************************/
static NTSTATUS pdb_init_ldapsam_common(struct pdb_methods **pdb_method, const char *location)
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
s3-smbldap: extend smbldap_init() with binddn/bindsecret arguments. Guenther
2011-11-16 02:56:38 +04:00
char *bind_dn = NULL;
char *bind_secret = NULL;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!NT_STATUS_IS_OK(nt_status = make_pdb_method( pdb_method ))) {
return nt_status;
}
(*pdb_method)->name = "ldapsam";
(*pdb_method)->getsampwnam = ldapsam_getsampwnam;
(*pdb_method)->getsampwsid = ldapsam_getsampwsid;
(*pdb_method)->add_sam_account = ldapsam_add_sam_account;
(*pdb_method)->update_sam_account = ldapsam_update_sam_account;
(*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
(*pdb_method)->rename_sam_account = ldapsam_rename_sam_account;
(*pdb_method)->getgrsid = ldapsam_getgrsid;
(*pdb_method)->getgrgid = ldapsam_getgrgid;
(*pdb_method)->getgrnam = ldapsam_getgrnam;
(*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
(*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
(*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
(*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
(*pdb_method)->get_account_policy = ldapsam_get_account_policy;
(*pdb_method)->set_account_policy = ldapsam_set_account_policy;
(*pdb_method)->get_seq_num = ldapsam_get_seq_num;
Turn the pdb_rid_algorithm into a capabilities call that returns flags
2009-06-28 19:36:12 +04:00
(*pdb_method)->capabilities = ldapsam_capabilities;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
(*pdb_method)->new_rid = ldapsam_new_rid;
r25091: Start adding support for storing trusted domain passwords in LDAP (for passdb backen = ldapsam). At a first step, add the hooks, calling the secrets_ functions. Michael (This used to be commit 9c03cdf3a449149c50451a44deb420341e65af34)
2007-09-11 20:38:31 +04:00
(*pdb_method)->get_trusteddom_pw = ldapsam_get_trusteddom_pw;
(*pdb_method)->set_trusteddom_pw = ldapsam_set_trusteddom_pw;
(*pdb_method)->del_trusteddom_pw = ldapsam_del_trusteddom_pw;
(*pdb_method)->enum_trusteddoms = ldapsam_enum_trusteddoms;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* TODO: Setup private data and free */
s3-talloc Change TALLOC_ZERO_P() to talloc_zero() Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_P isn't standard talloc.
2011-06-07 05:44:43 +04:00
if ( !(ldap_state = talloc_zero(*pdb_method, struct ldapsam_privates)) ) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
return NT_STATUS_NO_MEMORY;
}
s3-smbldap: extend smbldap_init() with binddn/bindsecret arguments. Guenther
2011-11-16 02:56:38 +04:00
if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
DEBUG(0, ("pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb\n"));
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
s3-smbldap: extend smbldap_init() with binddn/bindsecret arguments. Guenther
2011-11-16 02:56:38 +04:00
nt_status = smbldap_init(*pdb_method, pdb_get_tevent_context(),
location, false, bind_dn, bind_secret,
&ldap_state->smbldap_state);
memset(bind_secret, '\0', strlen(bind_secret));
SAFE_FREE(bind_secret);
SAFE_FREE(bind_dn);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if ( !NT_STATUS_IS_OK(nt_status) ) {
return nt_status;
}
if ( !(ldap_state->domain_name = talloc_strdup(*pdb_method, get_global_sam_name()) ) ) {
return NT_STATUS_NO_MEMORY;
}
(*pdb_method)->private_data = ldap_state;
(*pdb_method)->free_private_data = free_private_data;
return NT_STATUS_OK;
}
s3:passdb/pdb_ldap make the module handle well-known overwrite the passdb defaults and let this module handle well-knowns Signed-off-by: Christian Ambach <ambi@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-18 12:43:38 +04:00
static bool ldapsam_is_responsible_for_wellknown(struct pdb_methods *m)
{
return true;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
Initialise the normal mode for pdb_ldap
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
Rename pdb_ldap to pdb_ldapsam This patch moves pdb_ldap to pdb_ldapsam unconditionally and makes possible to load ldapsam.so dynamically Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-01-28 19:16:42 +04:00
NTSTATUS pdb_ldapsam_init_common(struct pdb_methods **pdb_method,
const char *location)
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
{
NTSTATUS nt_status;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
struct ldapsam_privates *ldap_state = NULL;
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
uint32_t alg_rid_base;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *alg_rid_base_string = NULL;
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
s3:dom_sid Global replace of DOM_SID with struct dom_sid This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 05:25:01 +04:00
struct dom_sid ldap_domain_sid;
struct dom_sid secrets_domain_sid;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
char *domain_sid_string = NULL;
char *dn = NULL;
r17271: Fix a regression in the ldapsam uri syntax. Allow multiple LDAP URIs to be grouped by "" (This used to be commit 21d69dcb3c5361f94d15b2d186e1aae6e246a24e)
2006-07-27 16:20:19 +04:00
char *uri = talloc_strdup( NULL, location );
trim_char( uri, '\"', '\"' );
nt_status = pdb_init_ldapsam_common(pdb_method, uri);
s3: Remove a pointless if-statement
2010-01-12 15:53:01 +03:00
TALLOC_FREE(uri);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return nt_status;
}
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
(*pdb_method)->name = "ldapsam";
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
(*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
(*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
(*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
(*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
(*pdb_method)->search_users = ldapsam_search_users;
(*pdb_method)->search_groups = ldapsam_search_groups;
(*pdb_method)->search_aliases = ldapsam_search_aliases;
s3:passdb/pdb_ldap make the module handle well-known overwrite the passdb defaults and let this module handle well-knowns Signed-off-by: Christian Ambach <ambi@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-18 12:43:38 +04:00
(*pdb_method)->is_responsible_for_wellknown =
ldapsam_is_responsible_for_wellknown;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
(*pdb_method)->enum_group_members = ldapsam_enum_group_members;
(*pdb_method)->enum_group_memberships =
ldapsam_enum_group_memberships;
(*pdb_method)->lookup_rids = ldapsam_lookup_rids;
(*pdb_method)->sid_to_id = ldapsam_sid_to_id;
idmap: unify passdb *id_to_sid methods Instead of passing down gid or uid, a pointer to a unixid is now sent down. This acts as an in-out variable so that the idmap functions can correctly receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720 Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066 Pair-programmed-with: Andrew Bartlett <abarlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-11-25 04:45:26 +03:00
(*pdb_method)->id_to_sid = ldapsam_id_to_sid;
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
(*pdb_method)->create_user = ldapsam_create_user;
(*pdb_method)->delete_user = ldapsam_delete_user;
(*pdb_method)->create_dom_group = ldapsam_create_dom_group;
(*pdb_method)->delete_dom_group = ldapsam_delete_dom_group;
(*pdb_method)->add_groupmem = ldapsam_add_groupmem;
(*pdb_method)->del_groupmem = ldapsam_del_groupmem;
(*pdb_method)->set_unix_primary_group = ldapsam_set_primary_group;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/* Try to setup the Domain Name, Domain SID, algorithmic rid base */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
nt_status = smbldap_search_domain_info(ldap_state->smbldap_state,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
&result,
I *hate* global variables... OK, what was happening here was that we would invalidate global_sam_sid when we set the sid into secrets.tdb, to force a re-read. The problem was, we would do *two* writes into the TDB, and the second one (in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups to fail, on a blank TDB. By using a local variable in the pdb_generate_sam_sid() code, we avoid this particular trap. I've also added better debugging for the case where this all matters, which is particularly for LDAP, where it finds out a domain SID from the sambaDomain object. Andrew Bartlett (This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
2004-02-26 01:01:02 +03:00
ldap_state->domain_name, True);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
if ( !NT_STATUS_IS_OK(nt_status) ) {
s3/ldap: don't continue if we couldn't get the domain info on startup while some things work without the domain info, some important things don't, which is highly irritating. As even calls like EnumTrustDom fail and thus clients' domain logins fail we are sufficiently broken to refuse to go on. Autobuild-User: Björn Jacke <bj@sernet.de> Autobuild-Date: Thu Aug 18 12:48:37 CEST 2011 on sn-devel-104
2011-08-15 16:46:12 +04:00
DEBUG(0, ("pdb_init_ldapsam: WARNING: Could not get domain "
"info, nor add one to the domain. "
"We cannot work reliably without it.\n"));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Given that the above might fail, everything below this must be
* optional */
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
entry = ldap_first_entry(smbldap_get_ldap(ldap_state->smbldap_state),
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!entry) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("pdb_init_ldapsam: Could not get domain info "
"entry\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
dn = smbldap_talloc_dn(talloc_tos(),
smbldap_get_ldap(ldap_state->smbldap_state),
entry);
r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2005-01-26 02:30:05 +03:00
if (!dn) {
r21609: Fix memory leaks in error code paths (and one in winbindd_group.c). Patch from Zack Kirsch <zack.kirsch@isilon.com>. Jeremy. (This used to be commit df07a662e32367a52c1e8473475423db2ff5bc51)
2007-03-01 05:43:33 +03:00
ldap_msgfree(result);
r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2005-01-26 02:30:05 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
ldap_state->domain_dn = smb_xstrdup(dn);
s3:smbldap Remove smbldap_get_dn This removes one more caller to pull_utf8_allocate() Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18 07:29:02 +03:00
TALLOC_FREE(dn);
r5481: Fix a memleak (This used to be commit 36bcfc5dae99868fc94ca01f902fec3d19926f5e)
2005-02-21 14:11:13 +03:00
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
domain_sid_string = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
get_userattr_key2string(ldap_state->schema_ver,
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
LDAP_ATTR_USER_SID),
Fix crash bug in pdb_init_ldapsam(). Karolin, this needs to be in 3-2-stable. Guenther (This used to be commit 0d73bde6de4391e7aec862424762473441fa0905)
2008-03-04 13:02:26 +03:00
talloc_tos());
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (domain_sid_string) {
RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-19 04:40:25 +04:00
bool found_sid;
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be "
"read as a valid SID\n", domain_sid_string));
r21609: Fix memory leaks in error code paths (and one in winbindd_group.c). Patch from Zack Kirsch <zack.kirsch@isilon.com>. Jeremy. (This used to be commit df07a662e32367a52c1e8473475423db2ff5bc51)
2007-03-01 05:43:33 +03:00
ldap_msgfree(result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(domain_sid_string);
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
return NT_STATUS_INVALID_PARAMETER;
}
s3-passdb: convert pdb_ldap to use secrets wrappers
2012-09-05 19:49:39 +04:00
found_sid = PDB_secrets_fetch_domain_sid(ldap_state->domain_name,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
&secrets_domain_sid);
s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions. Guenther
2010-08-26 17:48:50 +04:00
if (!found_sid || !dom_sid_equal(&secrets_domain_sid,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
&ldap_domain_sid)) {
DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain "
"%s based on pdb_ldap results %s -> %s\n",
ldap_state->domain_name,
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&secrets_domain_sid),
sid_string_dbg(&ldap_domain_sid)));
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/* reset secrets.tdb sid */
s3-passdb: convert pdb_ldap to use secrets wrappers
2012-09-05 19:49:39 +04:00
PDB_secrets_store_domain_sid(ldap_state->domain_name,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
&ldap_domain_sid);
DEBUG(1, ("New global sam SID: %s\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(get_global_sam_sid())));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(domain_sid_string);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
alg_rid_base_string = smbldap_talloc_single_attribute(
smbldap: Introduce "smbldap_get_ldap" This is a pretty big boiler-plate change. I've renamed the struct member temporarily to find all accessors. Not sure where this leads in the end, but the goal is to make struct smbldap_struct private to smbldap.c Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
2017-04-19 14:29:31 +03:00
smbldap_get_ldap(ldap_state->smbldap_state),
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
entry,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
get_attr_key2string( dominfo_attr_list,
LDAP_ATTR_ALGORITHMIC_RID_BASE ),
Fix crash bug in pdb_init_ldapsam(). Karolin, this needs to be in 3-2-stable. Guenther (This used to be commit 0d73bde6de4391e7aec862424762473441fa0905)
2008-03-04 13:02:26 +03:00
talloc_tos());
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
if (alg_rid_base_string) {
s3:passdb Remove use of uint8 uint16 and uint32 in favour of C99 types Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 04:38:04 +04:00
alg_rid_base = (uint32_t)atol(alg_rid_base_string);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (alg_rid_base != algorithmic_rid_base()) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("The value of 'algorithmic RID base' has "
"changed since the LDAP\n"
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
"database was initialised. Aborting. \n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_msgfree(result);
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(alg_rid_base_string);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
Remove smbldap_get_single_pstring() and all pstrings from pdb_ldap.c. I don't have an LDAP passdb setup here, so I'm going to need some help on testing this. Jeremy. (This used to be commit 00760451b6c2b65f3a8a9187789ca4f270b622a2)
2007-11-15 03:05:42 +03:00
TALLOC_FREE(alg_rid_base_string);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
ldap_msgfree(result);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_OK;
}
Rename pdb_ldap to pdb_ldapsam This patch moves pdb_ldap to pdb_ldapsam unconditionally and makes possible to load ldapsam.so dynamically Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-01-28 19:16:42 +04:00
NTSTATUS pdb_ldapsam_init(void)
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
{
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
NTSTATUS nt_status;
Rename pdb_ldap to pdb_ldapsam This patch moves pdb_ldap to pdb_ldapsam unconditionally and makes possible to load ldapsam.so dynamically Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-01-28 19:16:42 +04:00
nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION,
"ldapsam",
pdb_ldapsam_init_common);
if (!NT_STATUS_IS_OK(nt_status)) {
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
return nt_status;
Rename pdb_ldap to pdb_ldapsam This patch moves pdb_ldap to pdb_ldapsam unconditionally and makes possible to load ldapsam.so dynamically Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-01-28 19:16:42 +04:00
}
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
/* Let pdb_nds register backends */
pdb_nds_init();
Make the version numbers ints (patch from metze) (This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8)
2003-05-01 03:06:44 +04:00
return NT_STATUS_OK;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Copy Permalink