sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
5214cb6782
samba-mirror/source3/passdb/pdb_ldap.c

5753 lines
162 KiB
C
Raw Normal View History

Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*
r4736: small set of merges from rtunk to minimize the diffs (This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2005-01-14 22:26:13 +03:00
Unix SMB/CIFS implementation.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
LDAP protocol helper functions for SAMBA
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Copyright (C) Jean Fran<EFBFBD>ois Micouleau 1998
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Copyright (C) Gerald Carter 2001-2003
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Copyright (C) Shahms King 2001
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
Copyright (C) Andrew Bartlett 2002-2003
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
Copyright (C) Stefan (metze) Metzmacher 2002-2003
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
Copyright (C) Simo Sorce 2006
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/* TODO:
* persistent connections: if using NSS LDAP, many connections are made
* however, using only one within Samba would be nice
*
* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
*
* Other LDAP based login attributes: accountExpires, etc.
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
* (should be the domain of Samba proper, but the sam_password/struct samu
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
* structures don't have fields for some of these attributes)
*
* SSL is done, but can't get the certificate based authentication to work
* against on my test platform (Linux 2.4, OpenLDAP 2.x)
*/
/* NOTE: this will NOT work against an Active Directory server
* due to the fact that the two password fields cannot be retrieved
* from a server; recommend using security = domain in this situation
* and/or winbind
*/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
#include <lber.h>
#include <ldap.h>
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
/*
* Work around versions of the LDAP client libs that don't have the OIDs
* defined, or have them defined under the old name.
* This functionality is really a factor of the server, not the client
*
*/
This define does not always seem to be present, so define it if need be. Andrew Bartlett (This used to be commit 007143e2435904d941a62934986ac54e343f4936)
2003-04-23 15:03:08 +04:00
support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1) (This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-07 02:50:54 +04:00
#if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
#define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
#elif !defined(LDAP_EXOP_MODIFY_PASSWD)
Make pdb_ldap.c compile with SUN iPlanet headers. Whether this works will be tested soon, but this fix is somewhat obvious. Volker (This used to be commit 227882d6f79fb5909998996e1be08df723c49e8e)
2003-10-02 13:26:51 +04:00
#define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1) (This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-07 02:50:54 +04:00
#endif
#if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
#elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
#endif
#if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
#elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
#endif
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
working draft of the idmap_ldap code. Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-06-05 06:34:30 +04:00
#include "smbldap.h"
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
/**********************************************************************
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
Simple helper function to make stuff better readable
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
**********************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static LDAP *priv2ld(struct ldapsam_privates *priv)
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return priv->smbldap_state->ldap_struct;
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Get the attribute name given a user schame version.
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
**********************************************************************/
static const char* get_userattr_key2string( int schema_ver, int key )
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
return get_attr_key2string( attrib_map_v22, key );
case SCHEMAVER_SAMBASAMACCOUNT:
return get_attr_key2string( attrib_map_v30, key );
default:
DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
break;
}
return NULL;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Return the list of attribute names given a user schema version.
**********************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char** get_userattr_list( TALLOC_CTX *mem_ctx, int schema_ver )
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return get_attr_list( mem_ctx, attrib_map_v22 );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return get_attr_list( mem_ctx, attrib_map_v30 );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
default:
DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
break;
}
return NULL;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
/**************************************************************************
Return the list of attribute names to delete given a user schema version.
**************************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static const char** get_userattr_delete_list( TALLOC_CTX *mem_ctx,
int schema_ver )
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
{
switch ( schema_ver ) {
case SCHEMAVER_SAMBAACCOUNT:
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return get_attr_list( mem_ctx,
attrib_map_to_delete_v22 );
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return get_attr_list( mem_ctx,
attrib_map_to_delete_v30 );
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
default:
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(0,("get_userattr_delete_list: unknown schema version specified!\n"));
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
break;
}
return NULL;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Generate the LDAP search filter for the objectclass based on the
version of the schema we are using.
******************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
static const char* get_objclass_filter( int schema_ver )
{
static fstring objclass_filter;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
case SCHEMAVER_SAMBASAMACCOUNT:
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
}
return objclass_filter;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
/*****************************************************************
Scan a sequence number off OpenLDAP's syncrepl contextCSN
******************************************************************/
static NTSTATUS ldapsam_get_seq_num(struct pdb_methods *my_methods, time_t *seq_num)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
LDAPMessage *msg = NULL;
LDAPMessage *entry = NULL;
TALLOC_CTX *mem_ctx;
char **values = NULL;
int rc, num_result, num_values, rid;
pstring suffix;
fstring tok;
const char *p;
const char **attrs;
/* Unfortunatly there is no proper way to detect syncrepl-support in
* smbldap_connect_system(). The syncrepl OIDs are submitted for publication
* but do not show up in the root-DSE yet. Neither we can query the
* subschema-context for the syncProviderSubentry or syncConsumerSubentry
* objectclass. Currently we require lp_ldap_suffix() to show up as
* namingContext. - Guenther
*/
if (!lp_parm_bool(-1, "ldapsam", "syncrepl_seqnum", False)) {
return ntstatus;
}
if (!seq_num) {
DEBUG(3,("ldapsam_get_seq_num: no sequence_number\n"));
return ntstatus;
}
r15633: Minor smbldap/pdb_ldap cleanup Guenther (This used to be commit 1b5a712467ab8f35211b59bb703a42bdc5e0dfc0)
2006-05-16 17:26:49 +04:00
if (!smbldap_has_naming_context(ldap_state->smbldap_state->ldap_struct, lp_ldap_suffix())) {
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
DEBUG(3,("ldapsam_get_seq_num: DIT not configured to hold %s "
"as top-level namingContext\n", lp_ldap_suffix()));
return ntstatus;
}
mem_ctx = talloc_init("ldapsam_get_seq_num");
if (mem_ctx == NULL)
return NT_STATUS_NO_MEMORY;
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 2)) == NULL) {
ntstatus = NT_STATUS_NO_MEMORY;
goto done;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
/* if we got a syncrepl-rid (up to three digits long) we speak with a consumer */
rid = lp_parm_int(-1, "ldapsam", "syncrepl_rid", -1);
if (rid > 0) {
/* consumer syncreplCookie: */
/* csn=20050126161620Z#0000001#00#00000 */
attrs[0] = talloc_strdup(mem_ctx, "syncreplCookie");
attrs[1] = NULL;
pstr_sprintf( suffix, "cn=syncrepl%d,%s", rid, lp_ldap_suffix());
} else {
/* provider contextCSN */
/* 20050126161620Z#000009#00#000000 */
attrs[0] = talloc_strdup(mem_ctx, "contextCSN");
attrs[1] = NULL;
pstr_sprintf( suffix, "cn=ldapsync,%s", lp_ldap_suffix());
}
rc = smbldap_search(ldap_state->smbldap_state, suffix,
LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0, &msg);
if (rc != LDAP_SUCCESS) {
goto done;
}
num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg);
if (num_result != 1) {
DEBUG(3,("ldapsam_get_seq_num: Expected one entry, got %d\n", num_result));
goto done;
}
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg);
if (entry == NULL) {
DEBUG(3,("ldapsam_get_seq_num: Could not retrieve entry\n"));
goto done;
}
values = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, attrs[0]);
if (values == NULL) {
DEBUG(3,("ldapsam_get_seq_num: no values\n"));
goto done;
}
num_values = ldap_count_values(values);
if (num_values == 0) {
DEBUG(3,("ldapsam_get_seq_num: not a single value\n"));
goto done;
}
p = values[0];
if (!next_token(&p, tok, "#", sizeof(tok))) {
DEBUG(0,("ldapsam_get_seq_num: failed to parse sequence number\n"));
goto done;
}
p = tok;
if (!strncmp(p, "csn=", strlen("csn=")))
p += strlen("csn=");
DEBUG(10,("ldapsam_get_seq_num: got %s: %s\n", attrs[0], p));
*seq_num = generalized_to_unix_time(p);
/* very basic sanity check */
if (*seq_num <= 0) {
DEBUG(3,("ldapsam_get_seq_num: invalid sequence number: %d\n",
(int)*seq_num));
goto done;
}
ntstatus = NT_STATUS_OK;
done:
if (values != NULL)
ldap_value_free(values);
if (msg != NULL)
ldap_msgfree(msg);
if (mem_ctx)
talloc_destroy(mem_ctx);
return ntstatus;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by name.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
int ldapsam_search_suffix_by_name(struct ldapsam_privates *ldap_state,
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
const char *user,
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
LDAPMessage ** result,
const char **attr)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
pstring filter;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
char *escape_user = escape_ldap_string_alloc(user);
if (!escape_user) {
return LDAP_NO_MEMORY;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
* in the filter expression, replace %u with the real name
* so in ldap filter, %u MUST exist :-)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
r7142: removing 'ldap filter' smb.conf option (This used to be commit e2f8eeb4e26e8f7bec4d9dc820b86a7b548f82da)
2005-05-31 20:09:58 +04:00
pstr_sprintf(filter, "(&%s%s)", "(uid=%u)",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/*
* have to use this here because $ is filtered out
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
* in pstring_sub
*/
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
all_string_sub(filter, "%u", escape_user, sizeof(pstring));
SAFE_FREE(escape_user);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by rid.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
uint32 rid, LDAPMessage ** result,
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
pstring filter;
int rc;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(rid=%i)%s)", rid,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return rc;
}
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by SID.
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
const DOM_SID *sid, LDAPMessage ** result,
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr)
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
{
pstring filter;
int rc;
fstring sid_string;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(%s=%s)%s)",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
sid_to_string(sid_string, sid),
get_objclass_filter(ldap_state->schema_ver));
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return rc;
}
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
/*******************************************************************
Delete complete object or objectclass and attrs from
Merge from HEAD: This adds 'ldap delete dn' as the recommended parameter for the 'ldap del only sam attr' functionality. So we are compatiple to the current SuSE patches as well as to TNG... ;-) Volker (This used to be commit 53b5704ff21de6fce097d74dd7f235d3ceccec66)
2003-03-23 12:18:33 +03:00
object found in search_result depending on lp_ldap_delete_dn
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static int ldapsam_delete_entry(struct ldapsam_privates *priv,
TALLOC_CTX *mem_ctx,
LDAPMessage *entry,
const char *objectclass,
const char **attrs)
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
{
LDAPMod **mods = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
char *name;
const char *dn;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
BerElement *ptr = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry);
if (dn == NULL) {
return LDAP_NO_MEMORY;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
}
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
Merge from HEAD: This adds 'ldap delete dn' as the recommended parameter for the 'ldap del only sam attr' functionality. So we are compatiple to the current SuSE patches as well as to TNG... ;-) Volker (This used to be commit 53b5704ff21de6fce097d74dd7f235d3ceccec66)
2003-03-23 12:18:33 +03:00
if (lp_ldap_delete_dn()) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return smbldap_delete(priv->smbldap_state, dn);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
}
/* Ok, delete only the SAM attributes */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
for (name = ldap_first_attribute(priv2ld(priv), entry, &ptr);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
name != NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
name = ldap_next_attribute(priv2ld(priv), entry, ptr)) {
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attrib;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
/* We are only allowed to delete the attributes that
really exist. */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
for (attrib = attrs; *attrib != NULL; attrib++) {
r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2004-09-20 15:02:14 +04:00
if (strequal(*attrib, name)) {
DEBUG(10, ("ldapsam_delete_entry: deleting "
"attribute %s\n", name));
smbldap_set_mod(&mods, LDAP_MOD_DELETE, name,
NULL);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
}
}
ldap_memfree(name);
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
if (ptr != NULL) {
ber_free(ptr, 0);
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
talloc_autofree_ldapmod(mem_ctx, mods);
return smbldap_modify(priv->smbldap_state, dn, mods);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
r13601: * Remove unused code from pdb_ldap.c * Add a 'struct passwd *' to the struct samu for later reference (I know this may be controversial but its easily reverted which is is why I'm checking this is as a seaparate patch before I get too deep). * Remove unix_homedir from struct samu {} and update the pdb wrapper functions associated with it. (This used to be commit 92c251fdf0f1f566cfeca3c75ba2284b644aef5d)
2006-02-21 22:22:49 +03:00
static time_t ldapsam_get_entry_timestamp( struct ldapsam_privates *ldap_state, LDAPMessage * entry)
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
{
pstring temp;
struct tm tm;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver,LDAP_ATTR_MOD_TIMESTAMP),
temp))
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
return (time_t) 0;
strptime(temp, "%Y%m%d%H%M%SZ", &tm);
tzset();
Use timegm, or our already existing replacement instead of timezone, as some platforms (FreeBSD in this case) don't define timezone according to posix. This is what I wanted to do anyway. Spotted by Andrzej Tobola <san@iem.pw.edu.pl> (This used to be commit bc13e35db0b8b265f87553d4df1c7326710cb3fa)
2004-03-25 21:25:41 +03:00
return timegm(&tm);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Initialize struct samu from an LDAP query.
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(Based on init_sam_from_buffer in pdb_tdb.c)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
static BOOL init_sam_from_ldap(struct ldapsam_privates *ldap_state,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu * sampass,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
LDAPMessage * entry)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
time_t logon_time,
logoff_time,
kickoff_time,
pass_last_set_time,
pass_can_change_time,
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
pass_must_change_time,
ldap_entry_time,
bad_password_time;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
pstring username,
domain,
nt_username,
fullname,
homedir,
dir_drive,
logon_script,
profile_path,
acct_desc,
workstations;
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
char munged_dial[2048];
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
uint32 user_rid;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
uint8 smblmpwd[LM_HASH_LEN],
smbntpwd[NT_HASH_LEN];
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
BOOL use_samba_attrs = True;
r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2006-02-27 13:32:45 +03:00
uint32 acct_ctrl = 0;
uint16 logon_divs;
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
uint16 bad_password_count = 0,
logon_count = 0;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
uint32 hours_len;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
uint8 hours[MAX_HOURS_LEN];
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
pstring temp;
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
LOGIN_CACHE *cache_entry = NULL;
r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader (This used to be commit b0f43460822eb5175c854959181de05307d73415)
2005-03-22 20:08:09 +03:00
uint32 pwHistLen;
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pstring tmpstring;
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
BOOL expand_explicit = lp_passdb_expand_explicit();
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/*
* do a little initialization
*/
username[0] = '\0';
domain[0] = '\0';
nt_username[0] = '\0';
fullname[0] = '\0';
homedir[0] = '\0';
dir_drive[0] = '\0';
logon_script[0] = '\0';
profile_path[0] = '\0';
acct_desc[0] = '\0';
munged_dial[0] = '\0';
workstations[0] = '\0';
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (sampass == NULL || ldap_state == NULL || entry == NULL) {
util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30 22:21:25 +03:00
DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
return False;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (priv2ld(ldap_state) == NULL) {
DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->"
"ldap_struct is NULL!\n"));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return False;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!smbldap_get_single_pstring(priv2ld(ldap_state), entry, "uid",
username)) {
DEBUG(1, ("init_sam_from_ldap: No uid attribute found for "
"this user!\n"));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return False;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
pstrcpy(nt_username, username);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
pstrcpy(domain, ldap_state->domain_name);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_DEFAULT);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
fix bug #108; sambaSambaAccount string attributes are case insensitive; don't try to change a string that only differs in case (This used to be commit 01ef08352007487040edefcc0b99ca79823cbddf)
2003-05-22 21:07:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/* deal with different attributes between the schema first */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
} else {
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
user_rid = (uint32)atol(temp);
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
username));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return False;
}
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
pass_last_set_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
logon_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_logon_time(sampass, logon_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
logoff_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
kickoff_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
pass_can_change_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
pass_must_change_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* recommend that 'gecos' and 'displayName' should refer to the same
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
* attribute OID. userFullName depreciated, only used by Samba
* primary rules of LDAP: don't make a new attribute when one is already defined
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
* that fits your needs; using cn then displayName rather than 'userFullName'
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_fullname(sampass, fullname, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_fullname(sampass, fullname, PDB_SET);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
{
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pdb_set_dir_drive( sampass, lp_logon_drive(), PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
{
pdb_set_homedir( sampass,
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pstrcpy( tmpstring, homedir );
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
if (expand_explicit) {
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
standard_sub_basic( username, domain, tmpstring,
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
sizeof(tmpstring) );
}
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pdb_set_homedir(sampass, tmpstring, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
{
pdb_set_logon_script( sampass,
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pstrcpy( tmpstring, logon_script );
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
if (expand_explicit) {
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
standard_sub_basic( username, domain, tmpstring,
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
sizeof(tmpstring) );
}
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pdb_set_logon_script(sampass, tmpstring, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
{
pdb_set_profile_path( sampass,
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
talloc_sub_basic( sampass, username, domain,
lp_logon_path()),
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pstrcpy( tmpstring, profile_path );
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
if (expand_explicit) {
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
standard_sub_basic( username, domain, tmpstring,
r11999: Re-add "passdb expand explicit". We came to the conclusion that changing the default is something that has to wait one or two more releases, but it will happen one way or the other. Volker (This used to be commit 30fcdf84d8943e630af78a96320607c42e4d15aa)
2005-12-01 17:46:56 +03:00
sizeof(tmpstring) );
}
r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2005-01-20 01:50:27 +03:00
pdb_set_profile_path(sampass, tmpstring, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
{
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */;
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_workstations(sampass, workstations, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
/* leave as default */;
} else {
pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* FIXME: hours stuff should be cleaner */
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
logon_divs = 168;
hours_len = 21;
memset(hours, 0xff, hours_len);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (ldap_state->is_nds_ldap) {
char *user_dn;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
size_t pwd_len;
r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader (This used to be commit b0f43460822eb5175c854959181de05307d73415)
2005-03-22 20:08:09 +03:00
char clear_text_pw[512];
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
/* Make call to Novell eDirectory ldap extension to get clear text password.
NOTE: This will only work if we have an SSL connection to eDirectory. */
user_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (user_dn != NULL) {
DEBUG(3, ("init_sam_from_ldap: smbldap_get_dn(%s) returned '%s'\n", username, user_dn));
pwd_len = sizeof(clear_text_pw);
if (pdb_nds_get_password(ldap_state->smbldap_state, user_dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) {
nt_lm_owf_gen(clear_text_pw, smbntpwd, smblmpwd);
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET)) {
SAFE_FREE(user_dn);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
return False;
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
}
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
ZERO_STRUCT(smblmpwd);
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET)) {
SAFE_FREE(user_dn);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
return False;
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
}
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
ZERO_STRUCT(smbntpwd);
use_samba_attrs = False;
}
r16121: Fix a eDir related memory leak. Guenther (This used to be commit 322f1664df553d95fcdfc24f19bd7f34ce9b834b)
2006-06-09 16:55:07 +04:00
SAFE_FREE(user_dn);
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
} else {
DEBUG(0, ("init_sam_from_ldap: failed to get user_dn for '%s'\n", username));
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (use_samba_attrs) {
if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
/* leave as default */
} else {
pdb_gethexpwd(temp, smblmpwd);
memset((char *)temp, '\0', strlen(temp)+1);
if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
return False;
ZERO_STRUCT(smblmpwd);
}
if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
/* leave as default */
} else {
pdb_gethexpwd(temp, smbntpwd);
memset((char *)temp, '\0', strlen(temp)+1);
if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
return False;
ZERO_STRUCT(smbntpwd);
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
}
pwHistLen = 0;
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (pwHistLen > 0){
uint8 *pwhist = NULL;
int i;
r15649: Allow to store 24 password history entries in ldapsam (same limit as on Windows). Fixes bug #1914. Guenther (This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
2006-05-17 02:03:05 +04:00
char history_string[MAX_PW_HISTORY_LEN*64];
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
r15649: Allow to store 24 password history entries in ldapsam (same limit as on Windows). Fixes bug #1914. Guenther (This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
2006-05-17 02:03:05 +04:00
pwHistLen = MIN(pwHistLen, MAX_PW_HISTORY_LEN);
r2819: Make 'password history'-behaviour in ldapsam more consistent. Currently we cannot store more then 15 password history entries (windows NT4 allows to store 24) in ldapsam. When choosing more then "15" with pdbedit -P "password history", we fail to initialize the password history upon password change and overwrite the history, effectively using a password history of "1". We do already decrease any history-policy larger then 15 to 15 while storing the password history list attribute in ldap. Guenther (This used to be commit a4b47e71475a06c2e2287613b00648c5f53ae52c)
2004-10-04 19:53:33 +04:00
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
if ((pwhist = SMB_MALLOC_ARRAY(uint8, pwHistLen * PW_HISTORY_ENTRY_LEN)) == NULL){
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
DEBUG(0, ("init_sam_from_ldap: malloc failed!\n"));
return False;
}
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
r15649: Allow to store 24 password history entries in ldapsam (same limit as on Windows). Fixes bug #1914. Guenther (This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
2006-05-17 02:03:05 +04:00
if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
history_string, sizeof(history_string))) {
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
/* leave as default - zeros */
} else {
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
BOOL hex_failed = False;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
for (i = 0; i < pwHistLen; i++){
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* Get the 16 byte salt. */
r15649: Allow to store 24 password history entries in ldapsam (same limit as on Windows). Fixes bug #1914. Guenther (This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
2006-05-17 02:03:05 +04:00
if (!pdb_gethexpwd(&history_string[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN])) {
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
hex_failed = True;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
break;
}
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* Get the 16 byte MD5 hash of salt+passwd. */
r15649: Allow to store 24 password history entries in ldapsam (same limit as on Windows). Fixes bug #1914. Guenther (This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
2006-05-17 02:03:05 +04:00
if (!pdb_gethexpwd(&history_string[(i*64)+32],
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
&pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN])) {
hex_failed = True;
break;
}
}
if (hex_failed) {
DEBUG(0,("init_sam_from_ldap: Failed to get password history for user %s\n",
username));
memset(pwhist, '\0', pwHistLen * PW_HISTORY_ENTRY_LEN);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
}
}
if (!pdb_set_pw_history(sampass, pwhist, pwHistLen, PDB_SET)){
SAFE_FREE(pwhist);
return False;
}
SAFE_FREE(pwhist);
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
acct_ctrl |= ACB_NORMAL;
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
acct_ctrl = pdb_decode_acct_ctrl(temp);
if (acct_ctrl == 0)
acct_ctrl |= ACB_NORMAL;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_hours_len(sampass, hours_len, PDB_SET);
pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
/* leave as default */
} else {
bad_password_count = (uint32) atol(temp);
pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
/* leave as default */
} else {
bad_password_time = (time_t) atol(temp);
pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
/* leave as default */
} else {
logon_count = (uint32) atol(temp);
pdb_set_logon_count(sampass, logon_count, PDB_SET);
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
if(!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_HOURS), temp)) {
/* leave as default */
} else {
pdb_gethexhours(temp, hours);
memset((char *)temp, '\0', strlen(temp) +1);
pdb_set_hours(sampass, hours, PDB_SET);
ZERO_STRUCT(hours);
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
if (smbldap_get_single_pstring(priv2ld(ldap_state), entry,
"uidNumber", temp)) {
/* We've got a uid, feed the cache */
uid_t uid = strtoul(temp, NULL, 10);
store_uid_sid_cache(pdb_get_user_sid(sampass), uid);
}
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
/* check the timestamp of the cache vs ldap entry */
if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
entry)))
return True;
/* see if we have newer updates */
if (!(cache_entry = login_cache_read(sampass))) {
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
(unsigned int)pdb_get_bad_password_count(sampass),
(unsigned int)pdb_get_bad_password_time(sampass)));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
return True;
}
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
(unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp,
(unsigned int)cache_entry->bad_password_time));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
if (ldap_entry_time > cache_entry->entry_timestamp) {
/* cache is older than directory , so
we need to delete the entry but allow the
fields to be written out */
login_cache_delentry(sampass);
} else {
/* read cache in */
pdb_set_acct_ctrl(sampass,
pdb_get_acct_ctrl(sampass) |
(cache_entry->acct_ctrl & ACB_AUTOLOCK),
PDB_SET);
pdb_set_bad_password_count(sampass,
cache_entry->bad_password_count,
PDB_SET);
pdb_set_bad_password_time(sampass,
cache_entry->bad_password_time,
PDB_SET);
}
SAFE_FREE(cache_entry);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return True;
}
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Initialize the ldap db from a struct samu. Called on update.
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(Based on init_buffer_from_sam in pdb_tdb.c)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
LDAPMessage *existing,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
LDAPMod *** mods, struct samu * sampass,
BOOL (*need_update)(const struct samu *,
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
enum pdb_elements))
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
pstring temp;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
uint32 rid;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30 22:21:25 +03:00
if (mods == NULL || sampass == NULL) {
DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
return False;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*mods = NULL;
/*
* took out adding "objectclass: sambaAccount"
* do this on a per-mod basis
*/
r14756: Make smbpasswd -a root work for eDirectory where there is no "account" structural objectclass. Guenther (This used to be commit 7eefeaad352597b6f97160b1abc0dc032c0b46b2)
2006-03-29 18:52:03 +04:00
if (need_update(sampass, PDB_USERNAME)) {
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
"uid", pdb_get_username(sampass));
r14756: Make smbpasswd -a root work for eDirectory where there is no "account" structural objectclass. Guenther (This used to be commit 7eefeaad352597b6f97160b1abc0dc032c0b46b2)
2006-03-29 18:52:03 +04:00
if (ldap_state->is_nds_ldap) {
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
"cn", pdb_get_username(sampass));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
"sn", pdb_get_username(sampass));
}
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
- Merge a memory leak fix from HEAD - change update behaviour for new RIDs: - store the new RID into the SAM_ACCOUNT, so that the caller get's it back automaticly - use this to make the code paths simpiler for the normal 'need_update' code. We must always store a RID if we intend to use the sambaAccount objectClass Andrew Bartlett (This used to be commit 5edeee5116b9c775a1bded1d53cb2b22c7a2765f)
2003-04-23 04:59:19 +04:00
/* only update the RID if we actually need to */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (need_update(sampass, PDB_USERSID)) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
fstring sid_string;
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
const DOM_SID *user_sid = pdb_get_user_sid(sampass);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
sid_string_static(user_sid),
sid_string_static(&ldap_state->domain_sid)));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
return False;
}
slprintf(temp, sizeof(temp) - 1, "%i", rid);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
temp);
break;
case SCHEMAVER_SAMBASAMACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
sid_to_string(sid_string, user_sid));
break;
default:
DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
break;
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
/* we don't need to store the primary group RID - so leaving it
'free' to hang off the unix primary group makes life easier */
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (need_update(sampass, PDB_GROUPSID)) {
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
fstring sid_string;
const DOM_SID *group_sid = pdb_get_group_sid(sampass);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
sid_string_static(group_sid),
sid_string_static(&ldap_state->domain_sid)));
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
return False;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
slprintf(temp, sizeof(temp) - 1, "%i", rid);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PRIMARY_GROUP_RID), temp);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
case SCHEMAVER_SAMBASAMACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
break;
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* displayName, cn, and gecos should all be the same
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
* most easily accomplished by giving them the same OID
* gecos isn't set here b/c it should be handled by the
* add-user script
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
* We change displayName only and fall back to cn if
* it does not exist.
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
*/
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_FULLNAME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
pdb_get_fullname(sampass));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_ACCTDESC))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
pdb_get_acct_desc(sampass));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_WORKSTATIONS))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
pdb_get_workstations(sampass));
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
if (need_update(sampass, PDB_MUNGEDDIAL))
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
pdb_get_munged_dial(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_SMBHOME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
pdb_get_homedir(sampass));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_DRIVE))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
pdb_get_dir_drive(sampass));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGONSCRIPT))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
pdb_get_logon_script(sampass));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_PROFILE))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
pdb_get_profile_path(sampass));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGONTIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGOFFTIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_KICKOFFTIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
r19058: Implement "user cannot change password", and complete "user must change password at next logon" code. The "password last set time" of zero now means "user must change password", because that's how windows seems to use it. The "can change" and "must change" times are now calculated based on the "last set" time and policies. We use the "can change" field now to indicate that a user cannot change a password by putting MAX_TIME_T in it (so long as "last set" time isn't zero). Based on this, we set the password-can-change bit in the faked secdesc. (This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3)
2006-10-03 21:14:18 +04:00
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time_noncalc(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_CANCHANGETIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_MUSTCHANGETIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
|| (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (need_update(sampass, PDB_LMPASSWD)) {
Fix const warning (This used to be commit 7a36cc4ac0ff4d9c42eb9ddaf41bf33b4e8cd7c6)
2004-02-04 14:41:22 +03:00
const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (lm_pw) {
pdb_sethexpwd(temp, lm_pw,
pdb_get_acct_ctrl(sampass));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
temp);
} else {
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
NULL);
}
}
if (need_update(sampass, PDB_NTPASSWD)) {
Fix const warning (This used to be commit 7a36cc4ac0ff4d9c42eb9ddaf41bf33b4e8cd7c6)
2004-02-04 14:41:22 +03:00
const uchar *nt_pw = pdb_get_nt_passwd(sampass);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (nt_pw) {
pdb_sethexpwd(temp, nt_pw,
pdb_get_acct_ctrl(sampass));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
temp);
} else {
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
NULL);
}
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (need_update(sampass, PDB_PWHISTORY)) {
r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader (This used to be commit b0f43460822eb5175c854959181de05307d73415)
2005-03-22 20:08:09 +03:00
uint32 pwHistLen = 0;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
if (pwHistLen == 0) {
/* Remove any password history from the LDAP store. */
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
temp[64] = '\0';
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
} else {
r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader (This used to be commit b0f43460822eb5175c854959181de05307d73415)
2005-03-22 20:08:09 +03:00
int i;
uint32 currHistLen = 0;
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
if (pwhist != NULL) {
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* We can only store (sizeof(pstring)-1)/64 password history entries. */
pwHistLen = MIN(pwHistLen, ((sizeof(temp)-1)/64));
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
for (i=0; i< pwHistLen && i < currHistLen; i++) {
r1733: Fix hashed password history for LDAP backends. Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2004-08-11 22:39:29 +04:00
/* Store the salt. */
pdb_sethexpwd(&temp[i*64], &pwhist[i*PW_HISTORY_ENTRY_LEN], 0);
/* Followed by the md5 hash of salt + md4 hash */
pdb_sethexpwd(&temp[(i*64)+32],
&pwhist[(i*PW_HISTORY_ENTRY_LEN)+PW_HISTORY_SALT_LEN], 0);
r1388: Adding password history code for ldap backend, based on a patch from "Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2004-07-08 02:46:51 +04:00
DEBUG(100, ("temp=%s\n", temp));
}
}
}
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_HISTORY),
temp);
}
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (need_update(sampass, PDB_PASSLASTSET)) {
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
temp);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
if (need_update(sampass, PDB_HOURS)) {
r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader (This used to be commit b0f43460822eb5175c854959181de05307d73415)
2005-03-22 20:08:09 +03:00
const uint8 *hours = pdb_get_hours(sampass);
r1810: Patch from Richard Renard <rrenard@idealx.com> to store logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2004-08-13 22:02:58 +04:00
if (hours) {
pdb_sethexhours(temp, hours);
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
existing,
mods,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_LOGON_HOURS),
temp);
}
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_ACCTCTRL))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
/* password lockout cache:
- If we are now autolocking or clearing, we write to ldap
- If we are clearing, we delete the cache entry
- If the count is > 0, we update the cache
This even means when autolocking, we cache, just in case the
update doesn't work, and we have to cache the autolock flag */
if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
uint16 badcount = pdb_get_bad_password_count(sampass);
time_t badtime = pdb_get_bad_password_time(sampass);
uint32 pol;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
(unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
if ((badcount >= pol) || (badcount == 0)) {
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
(unsigned int)badcount, (unsigned int)badtime));
slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
smbldap_make_mod(
ldap_state->smbldap_state->ldap_struct,
existing, mods,
get_userattr_key2string(
ldap_state->schema_ver,
LDAP_ATTR_BAD_PASSWORD_COUNT),
temp);
slprintf (temp, sizeof (temp) - 1, "%li", badtime);
smbldap_make_mod(
ldap_state->smbldap_state->ldap_struct,
existing, mods,
get_userattr_key2string(
ldap_state->schema_ver,
LDAP_ATTR_BAD_PASSWORD_TIME),
temp);
}
if (badcount == 0) {
DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
login_cache_delentry(sampass);
} else {
r910: Fix for bug #1385 found by Jason Mader <jason@ncac.gwu.edu>. Don't use non-consts in a structure initialization. Jeremy. (This used to be commit 455ed258b3457ad5b7d3dad14b64781ab98f00dc)
2004-05-26 21:45:12 +04:00
LOGIN_CACHE cache_entry;
cache_entry.entry_timestamp = time(NULL);
cache_entry.acct_ctrl = pdb_get_acct_ctrl(sampass);
cache_entry.bad_password_count = badcount;
cache_entry.bad_password_time = badtime;
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
DEBUG(7, ("Updating bad password count and time in login cache\n"));
login_cache_write(sampass, cache_entry);
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return True;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Connect to LDAP server for password enumeration.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2006-02-27 13:32:45 +03:00
static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update, uint32 acb_mask)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2005-01-19 19:13:26 +03:00
pstring filter, suffix;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2005-01-19 19:13:26 +03:00
BOOL machine_mask = False, user_mask = False;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r7142: removing 'ldap filter' smb.conf option (This used to be commit e2f8eeb4e26e8f7bec4d9dc820b86a7b548f82da)
2005-05-31 20:09:58 +04:00
pstr_sprintf( filter, "(&%s%s)", "(uid=%u)",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
all_string_sub(filter, "%u", "*", sizeof(pstring));
r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2005-01-19 19:13:26 +03:00
machine_mask = ((acb_mask != 0) && (acb_mask & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)));
user_mask = ((acb_mask != 0) && (acb_mask & ACB_NORMAL));
if (machine_mask) {
pstrcpy(suffix, lp_ldap_machine_suffix());
} else if (user_mask) {
pstrcpy(suffix, lp_ldap_user_suffix());
} else {
pstrcpy(suffix, lp_ldap_suffix());
}
DEBUG(10,("ldapsam_setsampwent: LDAP Query for acb_mask 0x%x will use suffix %s\n",
acb_mask, suffix));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2005-01-19 19:13:26 +03:00
rc = smbldap_search(ldap_state->smbldap_state, suffix, LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &ldap_state->result);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if (rc != LDAP_SUCCESS) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2005-01-19 19:13:26 +03:00
DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", suffix, filter));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2005-01-19 19:13:26 +03:00
DEBUG(2, ("ldapsam_setsampwent: %d entries in the base %s\n",
ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
ldap_state->result), suffix));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_state->result);
ldap_state->index = 0;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
End enumeration of the LDAP password list.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
static void ldapsam_endsampwent(struct pdb_methods *my_methods)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (ldap_state->result) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Get the next entry in the LDAP password database.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu *user)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)my_methods->private_data;
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
BOOL bret = False;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
while (!bret) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
if (!ldap_state->entry)
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_state->index++;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ldap_state->entry = ldap_next_entry(priv2ld(ldap_state),
ldap_state->entry);
merge from 2.2 (This used to be commit 5b28a7c59c392c6352cb8915a13806ca772d8cac)
2002-03-01 18:17:10 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static void append_attr(TALLOC_CTX *mem_ctx, const char ***attr_list,
const char *new_attr)
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
{
int i;
r2374: Fix from Vince Brimhall vbrimhall@novell.com for ldapsam_compat. Be robust against NULL attributes. Jeremy. (This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
2004-09-17 05:13:47 +04:00
if (new_attr == NULL) {
return;
}
for (i=0; (*attr_list)[i] != NULL; i++) {
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
;
r2374: Fix from Vince Brimhall vbrimhall@novell.com for ldapsam_compat. Be robust against NULL attributes. Jeremy. (This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
2004-09-17 05:13:47 +04:00
}
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
(*attr_list) = TALLOC_REALLOC_ARRAY(mem_ctx, (*attr_list),
const char *, i+2);
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
SMB_ASSERT((*attr_list) != NULL);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
(*attr_list)[i] = talloc_strdup((*attr_list), new_attr);
r1108: Index: pdb_ldap.c =================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2004-06-10 21:42:16 +04:00
(*attr_list)[i+1] = NULL;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Get struct samu entry from LDAP by username.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, struct samu *user, const char *sname)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
int count;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char ** attr_list;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
int rc;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
attr_list = get_userattr_list( user, ldap_state->schema_ver );
append_attr(user, &attr_list,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP));
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
append_attr(user, &attr_list, "uidNumber");
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result,
attr_list);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ( rc != LDAP_SUCCESS )
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
if (count < 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
return NT_STATUS_NO_SUCH_USER;
} else if (count > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if (entry) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (!init_sam_from_ldap(ldap_state, user, entry)) {
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pdb_set_backend_private_data(user, result, NULL,
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
my_methods, PDB_CHANGED);
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
talloc_autofree_ldapmsg(user, result);
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
ret = NT_STATUS_OK;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
} else {
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_msgfree(result);
}
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
const DOM_SID *sid, LDAPMessage **result)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
int rc = -1;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char ** attr_list;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
uint32 rid;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
case SCHEMAVER_SAMBASAMACCOUNT: {
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return LDAP_NO_MEMORY;
}
attr_list = get_userattr_list(tmp_ctx,
ldap_state->schema_ver);
append_attr(tmp_ctx, &attr_list,
get_userattr_key2string(
ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP));
append_attr(tmp_ctx, &attr_list, "uidNumber");
rc = ldapsam_search_suffix_by_sid(ldap_state, sid,
result, attr_list);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(tmp_ctx);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ( rc != LDAP_SUCCESS )
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
return rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_userattr_list(NULL,
ldap_state->schema_ver);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ( rc != LDAP_SUCCESS )
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
break;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
}
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Get struct samu entry from LDAP by SID.
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, struct samu * user, const DOM_SID *sid)
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
int count;
int rc;
fstring sid_string;
rc = ldapsam_get_ldap_user_by_sid(ldap_state,
sid, &result);
if (rc != LDAP_SUCCESS)
return NT_STATUS_NO_SUCH_USER;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (count < 1) {
DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
count));
Try to fix memory leaks found by valgrind in pdb_ldap code. Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-07 07:22:37 +04:00
ldap_msgfree(result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
return NT_STATUS_NO_SUCH_USER;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
} else if (count > 1) {
DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
count));
Try to fix memory leaks found by valgrind in pdb_ldap code. Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-07 07:22:37 +04:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (!entry) {
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
ldap_msgfree(result);
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
return NT_STATUS_NO_SUCH_USER;
}
if (!init_sam_from_ldap(ldap_state, user, entry)) {
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(1,("ldapsam_getsampwsid: init_sam_from_ldap failed!\n"));
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pdb_set_backend_private_data(user, result, NULL,
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
my_methods, PDB_CHANGED);
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
talloc_autofree_ldapmsg(user, result);
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
return NT_STATUS_OK;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Do the actual modification - also change a plaintext passord if
it it set.
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
**********************************************************************/
static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu *newpwd, char *dn,
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
LDAPMod **mods, int ldap_op,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
BOOL (*need_update)(const struct samu *, enum pdb_elements))
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
{
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
int rc;
r13979: We've dereferenced my_methods already, so there's no point in checking for != NULL. Coverity #149. Volker (This used to be commit d38e05329a77650d8fbb8611ca148964f62c9ba4)
2006-03-07 22:24:28 +03:00
if (!newpwd || !dn) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_INVALID_PARAMETER;
}
if (!mods) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/* may be password change below however */
} else {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch(ldap_op) {
r14756: Make smbpasswd -a root work for eDirectory where there is no "account" structural objectclass. Guenther (This used to be commit 7eefeaad352597b6f97160b1abc0dc032c0b46b2)
2006-03-29 18:52:03 +04:00
case LDAP_MOD_ADD:
if (ldap_state->is_nds_ldap) {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectclass",
"inetOrgPerson");
} else {
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectclass",
LDAP_OBJ_ACCOUNT);
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_add(ldap_state->smbldap_state,
dn, mods);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
break;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
case LDAP_MOD_REPLACE:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_modify(ldap_state->smbldap_state,
dn ,mods);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
break;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
default:
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_op));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return NT_STATUS_INVALID_PARAMETER;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
if (rc!=LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
need_update(newpwd, PDB_PLAINTEXT_PW) &&
(pdb_get_plaintext_passwd(newpwd)!=NULL)) {
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
BerElement *ber;
struct berval *bv;
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
char *retoid = NULL;
struct berval *retdata = NULL;
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
char *utf8_password;
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
char *utf8_dn;
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (!ldap_state->is_nds_ldap) {
r15633: Minor smbldap/pdb_ldap cleanup Guenther (This used to be commit 1b5a712467ab8f35211b59bb703a42bdc5e0dfc0)
2006-05-16 17:26:49 +04:00
if (!smbldap_has_extension(ldap_state->smbldap_state->ldap_struct,
LDAP_EXOP_MODIFY_PASSWD)) {
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
DEBUG(2, ("ldap password change requested, but LDAP "
"server does not support it -- ignoring\n"));
return NT_STATUS_OK;
}
r2619: Only issue the ldap extended password change operation if the ldap server supports it. This might be a fix for bugs 1823 and 1545, notifying both. Also ignore object class violation errors from the extended operation. We don't have the userPassword field in sambaSamAccount, and if we have such broken setup with user in /etc/passwd and only samba attribs in ldap, we fail this :-) Volker (This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
2004-09-25 14:12:34 +04:00
}
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
return NT_STATUS_NO_MEMORY;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
r19943: Fix bug 4267 -- Thanks to David! (This used to be commit 714971b34aad01cd855484d550c41bc0265ef051)
2006-11-29 09:15:28 +03:00
SAFE_FREE(utf8_password);
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
return NT_STATUS_NO_MEMORY;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
DEBUG(0,("ber_alloc_t returns NULL\n"));
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
SAFE_FREE(utf8_password);
r19943: Fix bug 4267 -- Thanks to David! (This used to be commit 714971b34aad01cd855484d550c41bc0265ef051)
2006-11-29 09:15:28 +03:00
SAFE_FREE(utf8_dn);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
ber_printf (ber, "{");
support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1) (This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-07 02:50:54 +04:00
ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
ber_printf (ber, "N}");
if ((rc = ber_flatten (ber, &bv))<0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
ber_free(ber,1);
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
SAFE_FREE(utf8_dn);
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
SAFE_FREE(utf8_password);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
SAFE_FREE(utf8_dn);
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
SAFE_FREE(utf8_password);
ber_free(ber, 1);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (!ldap_state->is_nds_ldap) {
rc = smbldap_extended_operation(ldap_state->smbldap_state,
LDAP_EXOP_MODIFY_PASSWD,
bv, NULL, NULL, &retoid,
&retdata);
} else {
rc = pdb_nds_set_password(ldap_state->smbldap_state, dn,
pdb_get_plaintext_passwd(newpwd));
}
if (rc != LDAP_SUCCESS) {
Show the error message for failure to set the ldap password. (For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
2003-12-26 03:43:48 +03:00
char *ld_error = NULL;
r2619: Only issue the ldap extended password change operation if the ldap server supports it. This might be a fix for bugs 1823 and 1545, notifying both. Also ignore object class violation errors from the extended operation. We don't have the userPassword field in sambaSamAccount, and if we have such broken setup with user in /etc/passwd and only samba attribs in ldap, we fail this :-) Volker (This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
2004-09-25 14:12:34 +04:00
if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
DEBUG(3, ("Could not set userPassword "
"attribute due to an objectClass "
"violation -- ignoring\n"));
ber_bvfree(bv);
return NT_STATUS_OK;
}
Show the error message for failure to set the ldap password. (For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
2003-12-26 03:43:48 +03:00
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
&ld_error);
DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
ber_bvfree(bv);
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
} else {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
#ifdef DEBUG_PASSWORD
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
#endif
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
if (retdata)
ber_bvfree(retdata);
if (retoid)
r12400: one line patch for Sun LDAP libs pointed out by Nicholas Brealey <nick@brealey.org> (This used to be commit 5121d3806992da79d194717ef7a9da810b5ff679)
2005-12-20 21:20:39 +03:00
ldap_memfree(retoid);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
ber_bvfree(bv);
}
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Delete entry from LDAP for username.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu * sam_acct)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *priv =
(struct ldapsam_privates *)my_methods->private_data;
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
const char *sname;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
LDAPMessage *msg, *entry;
NTSTATUS result = NT_STATUS_NO_MEMORY;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if (!sam_acct) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_INVALID_PARAMETER;
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
}
sname = pdb_get_username(sam_acct);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(3, ("ldapsam_delete_sam_account: Deleting user %s from "
"LDAP.\n", sname));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
goto done;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_userattr_delete_list(mem_ctx, priv->schema_ver );
if (attr_list == NULL) {
goto done;
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_search_suffix_by_name(priv, sname, &msg, attr_list);
if ((rc != LDAP_SUCCESS) ||
(ldap_count_entries(priv2ld(priv), msg) != 1) ||
((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
DEBUG(5, ("Could not find user %s\n", sname));
result = NT_STATUS_NO_SUCH_USER;
goto done;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_delete_entry(
priv, mem_ctx, entry,
priv->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ?
LDAP_OBJ_SAMBASAMACCOUNT : LDAP_OBJ_SAMBAACCOUNT,
attr_list);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = (rc == LDAP_SUCCESS) ?
NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Helper function to determine for update_sam_account whether
we need LDAP modification.
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static BOOL element_is_changed(const struct samu *sampass,
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
enum pdb_elements element)
{
return IS_SAM_CHANGED(sampass, element);
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Update struct samu.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
int rc = 0;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
char *dn;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
result = (LDAPMessage *)pdb_get_backend_private_data(newpwd, my_methods);
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
if (!result) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (pdb_get_username(newpwd) == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
if (rc != LDAP_SUCCESS) {
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
return NT_STATUS_UNSUCCESSFUL;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pdb_set_backend_private_data(newpwd, result, NULL,
my_methods, PDB_CHANGED);
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
talloc_autofree_ldapmsg(newpwd, result);
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!dn) {
return NT_STATUS_UNSUCCESSFUL;
}
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
element_is_changed)) {
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
if (mods != NULL)
ldap_mods_free(mods,True);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
if (mods == NULL) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
pdb_get_username(newpwd)));
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
return NT_STATUS_OK;
}
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods,True);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
r16427: Fix bug # 3848. Thanks to Wilco Baan Hofman for testing the release candidate! Volker (This used to be commit adf2dcce09ae29a8c1677b25e1cd5f022b804d01)
2006-06-21 00:05:39 +04:00
/*
* We need to set the backend private data to NULL here. For example
* setuserinfo level 25 does a pdb_update_sam_account twice on the
* same one, and with the explicit delete / add logic for attribute
* values the second time we would use the wrong "old" value which
* does not exist in LDAP anymore. Thus the LDAP server would refuse
* the update.
* The existing LDAPMessage is still being auto-freed by the
* destructor.
*/
pdb_set_backend_private_data(newpwd, NULL, NULL, my_methods,
PDB_CHANGED);
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
if (!NT_STATUS_IS_OK(ret)) {
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
pdb_get_username(newpwd)));
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
/***************************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Renames a struct samu
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
- The "rename user script" has full responsibility for changing everything
***************************************************************************/
static NTSTATUS ldapsam_rename_sam_account(struct pdb_methods *my_methods,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu *old_acct,
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
const char *newname)
{
const char *oldname;
int rc;
pstring rename_script;
r17150: MMC User & group plugins fixes: * Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2006-07-20 00:59:04 +04:00
fstring oldname_lower, newname_lower;
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
if (!old_acct) {
DEBUG(0, ("ldapsam_rename_sam_account: old_acct was NULL!\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!newname) {
DEBUG(0, ("ldapsam_rename_sam_account: newname was NULL!\n"));
return NT_STATUS_INVALID_PARAMETER;
}
oldname = pdb_get_username(old_acct);
/* rename the posix user */
pstrcpy(rename_script, lp_renameuser_script());
if (!(*rename_script))
return NT_STATUS_ACCESS_DENIED;
DEBUG (3, ("ldapsam_rename_sam_account: Renaming user %s to %s.\n",
oldname, newname));
r17150: MMC User & group plugins fixes: * Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2006-07-20 00:59:04 +04:00
/* We have to allow the account name to end with a '$'.
Also, follow the semantics in _samr_create_user() and lower case the
posix name but preserve the case in passdb */
fstrcpy( oldname_lower, oldname );
strlower_m( oldname_lower );
fstrcpy( newname_lower, newname );
strlower_m( newname_lower );
string_sub2(rename_script, "%unew", newname_lower, sizeof(pstring),
r13622: Allow to rename machine accounts in a Samba Domain. This still uses the "rename user script" to do the rename of the posix machine account (this might be changed later). Fixes #2331. Guenther (This used to be commit b2eac2e6eb6ddd1bcb4ed5172e7cd64144c18d16)
2006-02-22 13:28:02 +03:00
True, False, True);
r17150: MMC User & group plugins fixes: * Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2006-07-20 00:59:04 +04:00
string_sub2(rename_script, "%uold", oldname_lower, sizeof(pstring),
r13622: Allow to rename machine accounts in a Samba Domain. This still uses the "rename user script" to do the rename of the posix machine account (this might be changed later). Fixes #2331. Guenther (This used to be commit b2eac2e6eb6ddd1bcb4ed5172e7cd64144c18d16)
2006-02-22 13:28:02 +03:00
True, False, True);
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
rc = smbrun(rename_script, NULL);
DEBUG(rc ? 0 : 3,("Running the command `%s' gave %d\n",
rename_script, rc));
r18703: Fix the annoying effect that happens when nscd is running: We usually do not get the results from user/group script modifications immediately. A lot of users do add nscd restart/refresh commands into their scripts to workaround that while we could flush the nscd caches directly using libnscd. Guenther (This used to be commit 7db6ce295afbedfada7b207ad56566d2195a0d21)
2006-09-20 04:15:50 +04:00
if (rc == 0) {
smb_nscd_flush_user_cache();
}
r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on tdb as well to make naming consistent. (This used to be commit ee91eb9a39cc5e3edd9e97eb040e7557930e4e62)
2005-10-21 00:40:47 +04:00
if (rc)
return NT_STATUS_UNSUCCESSFUL;
return NT_STATUS_OK;
}
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Helper function to determine for update_sam_account whether
we need LDAP modification.
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static BOOL element_is_set_or_changed(const struct samu *sampass,
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
enum pdb_elements element)
{
return (IS_SAM_SET(sampass, element) ||
IS_SAM_CHANGED(sampass, element));
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
Add struct samu to LDAP.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, struct samu * newpwd)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
pstring dn;
LDAPMod **mods = NULL;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
int ldap_op = LDAP_MOD_REPLACE;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
uint32 num_result;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char *escape_user;
const char *username = pdb_get_username(newpwd);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
const DOM_SID *sid = pdb_get_user_sid(newpwd);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
pstring filter;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
fstring sid_string;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
if (!username || !*username) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_INVALID_PARAMETER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/* free this list after the second search or in case we exit on failure */
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_userattr_list(NULL, ldap_state->schema_ver);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
if (rc != LDAP_SUCCESS) {
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
username));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_msgfree(result);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
ldap_msgfree(result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
result = NULL;
if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
rc = ldapsam_get_ldap_user_by_sid(ldap_state,
sid, &result);
if (rc == LDAP_SUCCESS) {
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_to_string(sid_string, sid)));
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
ldap_msgfree(result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
ldap_msgfree(result);
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
/* does the entry already exist but without a samba attributes?
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
we need to return the samba attributes here */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
escape_user = escape_ldap_string_alloc( username );
r7142: removing 'ldap filter' smb.conf option (This used to be commit e2f8eeb4e26e8f7bec4d9dc820b86a7b548f82da)
2005-05-31 20:09:58 +04:00
pstrcpy( filter, "(uid=%u)" );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
all_string_sub( filter, "%u", escape_user, sizeof(filter) );
SAFE_FREE( escape_user );
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state,
filter, attr_list, &result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if ( rc != LDAP_SUCCESS ) {
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_UNSUCCESSFUL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
if (num_result > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
ldap_msgfree(result);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
}
/* Check if we need to update an existing entry */
if (num_result == 1) {
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
char *tmp;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_op = LDAP_MOD_REPLACE;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
if (!tmp) {
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
slprintf (dn, sizeof (dn) - 1, "%s", tmp);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(tmp);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
} else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
/* There might be a SID for this account already - say an idmap entry */
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
sid_to_string(sid_string, sid),
LDAP_OBJ_IDMAP_ENTRY,
LDAP_OBJ_SID_ENTRY);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
/* free old result before doing a new search */
if (result != NULL) {
ldap_msgfree(result);
result = NULL;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state,
filter, attr_list, &result);
if ( rc != LDAP_SUCCESS ) {
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
if (num_result > 1) {
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
DEBUG (0, ("ldapsam_add_sam_account: More than one user with specified Sid exists: bailing out!\n"));
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
/* Check if we need to update an existing entry */
if (num_result == 1) {
char *tmp;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_op = LDAP_MOD_REPLACE;
entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
if (!tmp) {
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
slprintf (dn, sizeof (dn) - 1, "%s", tmp);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(tmp);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
}
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE( attr_list );
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (num_result == 0) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_username;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/* Check if we need to add an entry */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
ldap_op = LDAP_MOD_ADD;
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_username = escape_rdn_val_string_alloc(username);
if (!escape_username) {
DEBUG(0, ("Out of memory!\n"));
ldap_msgfree(result);
return NT_STATUS_NO_MEMORY;
}
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
if (username[strlen(username)-1] == '$') {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", escape_username, lp_ldap_machine_suffix ());
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
} else {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", escape_username, lp_ldap_user_suffix ());
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
SAFE_FREE(escape_username);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
element_is_set_or_changed)) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
ldap_msgfree(result);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
if (mods != NULL)
ldap_mods_free(mods,True);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
ldap_msgfree(result);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (mods == NULL) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
case SCHEMAVER_SAMBASAMACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
break;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
Found out a good number of NT_STATUS_IS_ERR used the wrong way. As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-22 14:09:52 +04:00
if (!NT_STATUS_IS_OK(ret)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_get_username(newpwd),dn));
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
const char *filter,
LDAPMessage ** result)
{
int scope = LDAP_SCOPE_SUBTREE;
int rc;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list(NULL, groupmap_attr_list);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search(ldap_state->smbldap_state,
lp_ldap_group_suffix (), scope,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
filter, attr_list, 0, result);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(attr_list);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return rc;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
GROUP_MAP *map, LDAPMessage *entry)
{
pstring temp;
if (ldap_state == NULL || map == NULL || entry == NULL ||
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
ldap_state->smbldap_state->ldap_struct == NULL) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
return False;
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Metzes change: > Hi Volker, > > if 'displayName' is not available we should fallback to 'cn' for map->nt_name > 'cn' is used as unix group name by nss_ldap. > > and if nt_name is not available we should fail (so does this patch) Volker (This used to be commit 7ae9c2500e3ac5f671d41077327156f1f3767fff)
2003-03-23 11:41:05 +03:00
map->gid = (gid_t)atol(temp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
if (!string_to_sid(&map->sid, temp)) {
DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
return False;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
map->sid_name_use = (enum lsa_SidType)atol(temp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if ((map->sid_name_use < SID_NAME_USER) ||
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(map->sid_name_use > SID_NAME_UNKNOWN)) {
DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
temp[0] = '\0';
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
for gidNumber(%lu)\n",(unsigned long)map->gid));
Metzes change: > Hi Volker, > > if 'displayName' is not available we should fallback to 'cn' for map->nt_name > 'cn' is used as unix group name by nss_ldap. > > and if nt_name is not available we should fail (so does this patch) Volker (This used to be commit 7ae9c2500e3ac5f671d41077327156f1f3767fff)
2003-03-23 11:41:05 +03:00
return False;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
fstrcpy(map->nt_name, temp);
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
temp[0] = '\0';
}
fstrcpy(map->comment, temp);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
store_gid_sid_cache(&map->sid, map->gid);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
return True;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
const char *filter,
GROUP_MAP *map)
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int count;
if (ldapsam_search_one_group(ldap_state, filter, &result)
!= LDAP_SUCCESS) {
return NT_STATUS_NO_SUCH_GROUP;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
count = ldap_count_entries(priv2ld(ldap_state), result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (count < 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_NO_SUCH_GROUP;
}
if (count > 1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: "
"count=%d\n", filter, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_NO_SUCH_GROUP;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_first_entry(priv2ld(ldap_state), result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (!entry) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
if (!init_group_from_ldap(ldap_state, map, entry)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for "
"group filter %s\n", filter));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_GROUP;
}
ldap_msgfree(result);
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
r17554: Cleanup (This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2006-08-15 18:07:15 +04:00
DOM_SID sid)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstring filter;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
r17554: Cleanup (This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2006-08-15 18:07:15 +04:00
sid_string_static(&sid));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return ldapsam_getgroup(methods, filter, map);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
gid_t gid)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstring filter;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
(unsigned long)gid);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return ldapsam_getgroup(methods, filter, map);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
const char *name)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstring filter;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
char *escape_name = escape_ldap_string_alloc(name);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!escape_name) {
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
SAFE_FREE(escape_name);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return ldapsam_getgroup(methods, filter, map);
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
static BOOL ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
LDAPMessage *entry,
const DOM_SID *domain_sid,
uint32 *rid)
{
fstring str;
DOM_SID sid;
if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
str, sizeof(str)-1)) {
DEBUG(10, ("Could not find sambaSID attribute\n"));
return False;
}
if (!string_to_sid(&sid, str)) {
DEBUG(10, ("Could not convert string %s to sid\n", str));
return False;
}
if (sid_compare_domain(&sid, domain_sid) != 0) {
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, sid_string_static(domain_sid)));
return False;
}
if (!sid_peek_rid(&sid, rid)) {
DEBUG(10, ("Could not peek into RID\n"));
return False;
}
return True;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
TALLOC_CTX *mem_ctx,
const DOM_SID *group,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
uint32 **pp_member_rids,
size_t *p_num_members)
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
struct smbldap_state *conn = ldap_state->smbldap_state;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
const char *id_attrs[] = { "memberUid", "gidNumber", NULL };
const char *sid_attrs[] = { "sambaSID", NULL };
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
LDAPMessage *result = NULL;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
LDAPMessage *entry;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
char *filter;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
char **values = NULL;
char **memberuid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
char *gidstr;
int rc, count;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_member_rids = NULL;
*p_num_members = 0;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(mem_ctx,
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(&(objectClass=%s)"
"(objectClass=%s)"
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
"(sambaSID=%s))",
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_POSIXGROUP,
LDAP_OBJ_GROUPMAP,
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
sid_string_static(group));
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search(conn, lp_ldap_group_suffix(),
LDAP_SCOPE_SUBTREE, filter, id_attrs, 0,
&result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (rc != LDAP_SUCCESS)
goto done;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
talloc_autofree_ldapmsg(mem_ctx, result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
count = ldap_count_entries(conn->ldap_struct, result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (count > 1) {
DEBUG(1, ("Found more than one groupmap entry for %s\n",
sid_string_static(group)));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
if (count == 0) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_NO_SUCH_GROUP;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
entry = ldap_first_entry(conn->ldap_struct, result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (entry == NULL)
goto done;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
if (!gidstr) {
DEBUG (0, ("ldapsam_enum_group_members: Unable to find the group's gid!\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
values = ldap_get_values(conn->ldap_struct, entry, "memberUid");
if (values) {
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
r19083: Fix objectclass (This used to be commit 6c4d68d84987a88f91bca976a0396dff720043e5)
2006-10-05 10:29:06 +04:00
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|", LDAP_OBJ_SAMBASAMACCOUNT);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
for (memberuid = values; *memberuid != NULL; memberuid += 1) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_memberuid;
escape_memberuid = escape_ldap_string_alloc(*memberuid);
if (escape_memberuid == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
filter = talloc_asprintf_append(filter, "(uid=%s)", escape_memberuid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (filter == NULL) {
r21608: Fix a couple of memleaks in error code paths before Coverity finds them :-) Jeremy. (This used to be commit cbe725f1b09f3d0edbdf823e0862edf21e16d336)
2007-03-01 04:17:36 +03:00
SAFE_FREE(escape_memberuid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
SAFE_FREE(escape_memberuid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
filter = talloc_asprintf_append(filter, "))");
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
rc = smbldap_search(conn, lp_ldap_user_suffix(),
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
&result);
if (rc != LDAP_SUCCESS)
goto done;
count = ldap_count_entries(conn->ldap_struct, result);
DEBUG(10,("ldapsam_enum_group_members: found %d accounts\n", count));
talloc_autofree_ldapmsg(mem_ctx, result);
for (entry = ldap_first_entry(conn->ldap_struct, result);
entry != NULL;
entry = ldap_next_entry(conn->ldap_struct, entry))
{
char *sidstr;
DOM_SID sid;
uint32 rid;
sidstr = smbldap_talloc_single_attribute(conn->ldap_struct,
entry, "sambaSID",
mem_ctx);
if (!sidstr) {
DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
"the sambaSID attribute\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
if (!string_to_sid(&sid, sidstr))
goto done;
if (!sid_check_is_in_our_domain(&sid)) {
DEBUG(0, ("Inconsistent SAM -- group member uid not "
"in our domain\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
sid_peek_rid(&sid, &rid);
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
p_num_members)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(mem_ctx,
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(&(objectClass=%s)"
"(gidNumber=%s))",
LDAP_OBJ_SAMBASAMACCOUNT,
gidstr);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search(conn, lp_ldap_user_suffix(),
LDAP_SCOPE_SUBTREE, filter, sid_attrs, 0,
&result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
if (rc != LDAP_SUCCESS)
goto done;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
talloc_autofree_ldapmsg(mem_ctx, result);
for (entry = ldap_first_entry(conn->ldap_struct, result);
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
entry != NULL;
entry = ldap_next_entry(conn->ldap_struct, entry))
{
uint32 rid;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
entry,
get_global_sam_sid(),
&rid)) {
DEBUG(0, ("Severe DB error, sambaSamAccount can't miss "
"the sambaSID attribute\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
goto done;
}
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_rid_to_array_unique(mem_ctx, rid, pp_member_rids,
p_num_members)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
ret = NT_STATUS_OK;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
done:
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (values)
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
ldap_value_free(values);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
return ret;
r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2005-02-20 16:47:16 +03:00
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx,
r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2006-02-20 23:09:36 +03:00
struct samu *user,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DOM_SID **pp_sids,
gid_t **pp_gids,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t *p_num_groups)
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
struct smbldap_state *conn = ldap_state->smbldap_state;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
char *filter;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char *attrs[] = { "gidNumber", "sambaSID", NULL };
r3871: Fix memleak (This used to be commit dbfdde5f63f34fbe4ba1d794fcfc120178ff039a)
2004-11-19 14:59:56 +03:00
char *escape_name;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
int rc, count;
LDAPMessage *result = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
LDAPMessage *entry;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t num_sids, num_gids;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
char *gidstr;
gid_t primary_gid = -1;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_sids = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
num_sids = 0;
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (pdb_get_username(user) == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
escape_name = escape_ldap_string_alloc(pdb_get_username(user));
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
if (escape_name == NULL)
r3883: Fix error return -- thanks to rsharpe (This used to be commit 2d952c86c7e92fff48b4773ab46987d905b214cc)
2004-11-20 00:01:23 +03:00
return NT_STATUS_NO_MEMORY;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
/* retrieve the users primary gid */
filter = talloc_asprintf(mem_ctx,
"(&(objectClass=%s)(uid=%s))",
LDAP_OBJ_SAMBASAMACCOUNT,
escape_name);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
rc = smbldap_search(conn, lp_ldap_user_suffix(),
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
if (rc != LDAP_SUCCESS)
goto done;
talloc_autofree_ldapmsg(mem_ctx, result);
count = ldap_count_entries(priv2ld(ldap_state), result);
switch (count) {
case 0:
DEBUG(1, ("User account [%s] not found!\n", pdb_get_username(user)));
ret = NT_STATUS_NO_SUCH_USER;
goto done;
case 1:
entry = ldap_first_entry(priv2ld(ldap_state), result);
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", mem_ctx);
if (!gidstr) {
DEBUG (1, ("Unable to find the member's gid!\n"));
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
primary_gid = strtoul(gidstr, NULL, 10);
break;
default:
r20402: Fix spelling: samba bug #4292 debian #402392 (This used to be commit e43aa4e03d8d2d3ffa3a0383b0b0835dd1a51cda)
2006-12-29 11:25:51 +03:00
DEBUG(1, ("found more than one account with the same user name ?!\n"));
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
ret = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
filter = talloc_asprintf(mem_ctx,
"(&(objectClass=%s)(|(memberUid=%s)(gidNumber=%d)))",
LDAP_OBJ_POSIXGROUP, escape_name, primary_gid);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
rc = smbldap_search(conn, lp_ldap_group_suffix(),
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
if (rc != LDAP_SUCCESS)
goto done;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
talloc_autofree_ldapmsg(mem_ctx, result);
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
num_gids = 0;
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_gids = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
num_sids = 0;
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_sids = NULL;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
/* We need to add the primary group as the first gid/sid */
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_gid_to_array_unique(mem_ctx, primary_gid, pp_gids, &num_gids)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
/* This sid will be replaced later */
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_sid_to_array_unique(mem_ctx, &global_sid_NULL, pp_sids, &num_sids)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
for (entry = ldap_first_entry(conn->ldap_struct, result);
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
entry != NULL;
entry = ldap_next_entry(conn->ldap_struct, entry))
{
fstring str;
DOM_SID sid;
gid_t gid;
char *end;
if (!smbldap_get_single_attribute(conn->ldap_struct,
entry, "sambaSID",
str, sizeof(str)-1))
r4851: Preleminary fix for ldapsam_enum_group_memberships when ldapsam:trusted=True. Don't bail out when ldap-search returns pure posixgroups (w.o. samba group-mapping). This way those unix-memberships do not appear in user and nt user token. Volker, could you please look over that one? Guenther (This used to be commit 853a8b7f1c0b00b2e4433d1281f3c9bfcaf980a6)
2005-01-19 20:42:33 +03:00
continue;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
if (!string_to_sid(&sid, str))
goto done;
if (!smbldap_get_single_attribute(conn->ldap_struct,
entry, "gidNumber",
str, sizeof(str)-1))
r4851: Preleminary fix for ldapsam_enum_group_memberships when ldapsam:trusted=True. Don't bail out when ldap-search returns pure posixgroups (w.o. samba group-mapping). This way those unix-memberships do not appear in user and nt user token. Volker, could you please look over that one? Guenther (This used to be commit 853a8b7f1c0b00b2e4433d1281f3c9bfcaf980a6)
2005-01-19 20:42:33 +03:00
continue;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
gid = strtoul(str, &end, 10);
if (PTR_DIFF(end, str) != strlen(str))
goto done;
if (gid == primary_gid) {
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
sid_copy(&(*pp_sids)[0], &sid);
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
} else {
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_gid_to_array_unique(mem_ctx, gid, pp_gids,
&num_gids)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
if (!add_sid_to_array_unique(mem_ctx, &sid, pp_sids,
&num_sids)) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
}
}
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
if (sid_compare(&global_sid_NULL, &(*pp_sids)[0]) == 0) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(3, ("primary group of [%s] not found\n",
pdb_get_username(user)));
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
goto done;
}
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_groups = num_sids;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
ret = NT_STATUS_OK;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
done:
SAFE_FREE(escape_name);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
return ret;
r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2004-11-12 18:49:47 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
* Augment a posixGroup object with a sambaGroupMapping domgroup
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_map_posixgroup(TALLOC_CTX *mem_ctx,
struct ldapsam_privates *ldap_state,
GROUP_MAP *map)
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *filter, *dn;
LDAPMessage *msg, *entry;
LDAPMod **mods;
int rc;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(mem_ctx,
"(&(objectClass=posixGroup)(gidNumber=%u))",
map->gid);
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
get_attr_list(mem_ctx, groupmap_attr_list),
&msg);
talloc_autofree_ldapmsg(mem_ctx, msg);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc != LDAP_SUCCESS) ||
(ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
return NT_STATUS_NO_SUCH_GROUP;
}
dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
if (dn == NULL) {
return NT_STATUS_NO_MEMORY;
}
mods = NULL;
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass",
"sambaGroupMapping");
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaSid",
sid_string_static(&map->sid));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "sambaGroupType",
talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
map->nt_name);
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
map->comment);
talloc_autofree_ldapmod(mem_ctx, mods);
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
GROUP_MAP *map)
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
LDAPMessage *msg = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
LDAPMod **mods = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *attrs[] = { NULL };
char *filter;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
char *dn;
TALLOC_CTX *mem_ctx;
NTSTATUS result;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DOM_SID sid;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(mem_ctx, "(sambaSid=%s)",
sid_string_static(&map->sid));
if (filter == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_suffix(),
LDAP_SCOPE_SUBTREE, filter, attrs, True, &msg);
talloc_autofree_ldapmsg(mem_ctx, msg);
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc == LDAP_SUCCESS) &&
(ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) > 0)) {
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(3, ("SID %s already present in LDAP, refusing to add "
"group mapping entry\n",
sid_string_static(&map->sid)));
result = NT_STATUS_GROUP_EXISTS;
goto done;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
switch (map->sid_name_use) {
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
case SID_NAME_DOM_GRP:
/* To map a domain group we need to have a posix group
to attach to. */
result = ldapsam_map_posixgroup(mem_ctx, ldap_state, map);
goto done;
break;
case SID_NAME_ALIAS:
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
if (!sid_check_is_in_our_domain(&map->sid)
&& !sid_check_is_in_builtin(&map->sid) )
{
DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
sid_string_static(&map->sid)));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
break;
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
default:
DEBUG(3, ("Got invalid use '%s' for mapping\n",
sid_type_lookup(map->sid_name_use)));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Domain groups have been mapped in a separate routine, we have to
* create an alias now */
if (map->gid == -1) {
DEBUG(10, ("Refusing to map gid==-1\n"));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (pdb_gid_to_sid(map->gid, &sid)) {
DEBUG(3, ("Gid %d is already mapped to SID %s, refusing to "
"add\n", map->gid, sid_string_static(&sid)));
result = NT_STATUS_GROUP_EXISTS;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Ok, enough checks done. It's still racy to go ahead now, but that's
* the best we can get out of LDAP. */
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn = talloc_asprintf(mem_ctx, "sambaSid=%s,%s",
sid_string_static(&map->sid),
lp_ldap_group_suffix());
if (dn == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mods = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
"sambaSidEntry");
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "objectClass",
"sambaGroupMapping");
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaSid",
sid_string_static(&map->sid));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "sambaGroupType",
talloc_asprintf(mem_ctx, "%d", map->sid_name_use));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "displayName",
map->nt_name);
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "description",
map->comment);
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, NULL, &mods, "gidNumber",
talloc_asprintf(mem_ctx, "%u", map->gid));
talloc_autofree_ldapmod(mem_ctx, mods);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
result = (rc == LDAP_SUCCESS) ?
NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
* Update a group mapping entry. We're quite strict about what can be changed:
* Only the description and displayname may be changed. It simply does not
* make any sense to change the SID, gid or the type in a mapping.
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
GROUP_MAP *map)
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *filter, *dn;
LDAPMessage *msg = NULL;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx;
NTSTATUS result;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Make 100% sure that sid, gid and type are not changed by looking up
* exactly the values we're given in LDAP. */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)"
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
"(sambaSid=%s)(gidNumber=%u)"
"(sambaGroupType=%d))",
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_GROUPMAP,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
sid_string_static(&map->sid), map->gid,
map->sid_name_use);
if (filter == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
get_attr_list(mem_ctx, groupmap_attr_list),
&msg);
talloc_autofree_ldapmsg(mem_ctx, msg);
if ((rc != LDAP_SUCCESS) ||
(ldap_count_entries(ldap_state->smbldap_state->ldap_struct, msg) != 1) ||
((entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, msg)) == NULL)) {
result = NT_STATUS_NO_SUCH_GROUP;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn = smbldap_talloc_dn(mem_ctx, ldap_state->smbldap_state->ldap_struct, entry);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (dn == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mods = NULL;
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "displayName",
map->nt_name);
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, entry, &mods, "description",
map->comment);
talloc_autofree_ldapmod(mem_ctx, mods);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (mods == NULL) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: "
"nothing to do\n"));
result = NT_STATUS_OK;
goto done;
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = NT_STATUS_ACCESS_DENIED;
goto done;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified "
"group %lu in LDAP\n", (unsigned long)map->gid));
result = NT_STATUS_OK;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
DOM_SID sid)
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *priv =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *msg, *entry;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
int rc;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
NTSTATUS result;
TALLOC_CTX *mem_ctx;
char *filter;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))",
LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
sid_string_static(&sid));
if (filter == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
rc = smbldap_search_suffix(priv->smbldap_state, filter,
get_attr_list(mem_ctx, groupmap_attr_list),
&msg);
talloc_autofree_ldapmsg(mem_ctx, msg);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc != LDAP_SUCCESS) ||
(ldap_count_entries(priv2ld(priv), msg) != 1) ||
((entry = ldap_first_entry(priv2ld(priv), msg)) == NULL)) {
result = NT_STATUS_NO_SUCH_GROUP;
goto done;
}
rc = ldapsam_delete_entry(priv, mem_ctx, entry, LDAP_OBJ_GROUPMAP,
get_attr_list(mem_ctx,
groupmap_attr_list_to_delete));
if ((rc == LDAP_NAMING_VIOLATION) ||
(rc == LDAP_OBJECT_CLASS_VIOLATION)) {
const char *attrs[] = { "sambaGroupType", "description",
"displayName", "sambaSIDList",
NULL };
/* Second try. Don't delete the sambaSID attribute, this is
for "old" entries that are tacked on a winbind
sambaIdmapEntry. */
rc = ldapsam_delete_entry(priv, mem_ctx, entry,
LDAP_OBJ_GROUPMAP, attrs);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if ((rc == LDAP_NAMING_VIOLATION) ||
(rc == LDAP_OBJECT_CLASS_VIOLATION)) {
const char *attrs[] = { "sambaGroupType", "description",
"displayName", "sambaSIDList",
"gidNumber", NULL };
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Third try. This is a post-3.0.21 alias (containing only
* sambaSidEntry and sambaGroupMapping classes), we also have
* to delete the gidNumber attribute, only the sambaSidEntry
* remains */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = ldapsam_delete_entry(priv, mem_ctx, entry,
LDAP_OBJ_GROUPMAP, attrs);
}
result = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return result;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods,
BOOL update)
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)my_methods->private_data;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
fstring filter;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int rc;
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char **attr_list;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list( NULL, groupmap_attr_list );
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
LDAP_SCOPE_SUBTREE, filter,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list, 0, &ldap_state->result);
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(attr_list);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n",
ldap_err2string(rc)));
DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n",
lp_ldap_group_suffix(), filter));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
return NT_STATUS_UNSUCCESSFUL;
}
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(2, ("ldapsam_setsamgrent: %d entries in the base!\n",
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_state->result)));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ldap_state->entry =
ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
ldap_state->result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_state->index = 0;
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
{
void function cannot return a value (besides the function called was a void) (This used to be commit 55681422e97ede0ff9446925c7678d6254b13878)
2003-03-20 01:38:37 +03:00
ldapsam_endsampwent(my_methods);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
GROUP_MAP *map)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)my_methods->private_data;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
BOOL bret = False;
while (!bret) {
if (!ldap_state->entry)
return ret;
ldap_state->index++;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
bret = init_group_from_ldap(ldap_state, map,
ldap_state->entry);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ldap_state->entry =
ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
ldap_state->entry);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
return NT_STATUS_OK;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
const DOM_SID *domsid, enum lsa_SidType sid_name_use,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
GROUP_MAP **pp_rmap,
size_t *p_num_entries,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
BOOL unix_only)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
GROUP_MAP map;
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t entries = 0;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_entries = 0;
*pp_rmap = NULL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open "
"passdb\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_ACCESS_DENIED;
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
}
get rid of some sompiler warnings on IRIX (This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-15 05:42:30 +04:00
while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (sid_name_use != SID_NAME_UNKNOWN &&
sid_name_use != map.sid_name_use) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
"not of the requested type\n", map.nt_name));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
continue;
}
if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(11,("ldapsam_enum_group_mapping: group %s is "
"non mapped\n", map.nt_name));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
continue;
}
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
r13915: Fixed a very interesting class of realloc() bugs found by Coverity. realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2006-03-07 09:31:04 +03:00
(*pp_rmap)=SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
if (!(*pp_rmap)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_enum_group_mapping: Unable to "
"enlarge group map!\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13915: Fixed a very interesting class of realloc() bugs found by Coverity. realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2006-03-07 09:31:04 +03:00
(*pp_rmap)[entries] = map;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
entries += 1;
}
ldapsam_endsamgrent(methods);
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_entries = entries;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_OK;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
const DOM_SID *alias,
const DOM_SID *member,
int modop)
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
char *dn;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int count;
LDAPMod **mods = NULL;
int rc;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_USE_NONE;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
pstring filter;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (sid_check_is_in_builtin(alias)) {
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
type = SID_NAME_ALIAS;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
if (sid_check_is_in_our_domain(alias)) {
type = SID_NAME_ALIAS;
}
if (type == SID_NAME_USE_NONE) {
DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
sid_string_static(alias)));
return NT_STATUS_NO_SUCH_ALIAS;
}
pstr_sprintf(filter,
"(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
LDAP_OBJ_GROUPMAP, sid_string_static(alias),
type);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (ldapsam_search_one_group(ldap_state, filter,
&result) != LDAP_SUCCESS)
return NT_STATUS_NO_SUCH_ALIAS;
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
result);
if (count < 1) {
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(4, ("ldapsam_modify_aliasmem: Did not find alias\n"));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_ALIAS;
}
if (count > 1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_modify_aliasmem: Duplicate entries for "
"filter %s: count=%d\n", filter, count));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_ALIAS;
}
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
result);
if (!entry) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!dn) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
smbldap_set_mod(&mods, modop,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_SID_LIST),
sid_string_static(member));
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
ldap_mods_free(mods, True);
ldap_msgfree(result);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
SAFE_FREE(dn);
if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
return NT_STATUS_MEMBER_IN_ALIAS;
}
if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
return NT_STATUS_MEMBER_NOT_IN_ALIAS;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_add_aliasmem(struct pdb_methods *methods,
const DOM_SID *alias,
const DOM_SID *member)
{
return ldapsam_modify_aliasmem(methods, alias, member, LDAP_MOD_ADD);
}
static NTSTATUS ldapsam_del_aliasmem(struct pdb_methods *methods,
const DOM_SID *alias,
const DOM_SID *member)
{
return ldapsam_modify_aliasmem(methods, alias, member,
LDAP_MOD_DELETE);
}
static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const DOM_SID *alias,
DOM_SID **pp_members,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t *p_num_members)
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int count;
char **values;
int i;
pstring filter;
r12129: Fix uninitialized variables. Volker (This used to be commit 8a7d6eb2c081c0d74b62aa76dc243946df62ced2)
2005-12-08 18:34:38 +03:00
size_t num_members = 0;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_USE_NONE;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*pp_members = NULL;
*p_num_members = 0;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (sid_check_is_in_builtin(alias)) {
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
type = SID_NAME_ALIAS;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
if (sid_check_is_in_our_domain(alias)) {
type = SID_NAME_ALIAS;
}
if (type == SID_NAME_USE_NONE) {
DEBUG(5, ("SID %s is neither in builtin nor in our domain!\n",
sid_string_static(alias)));
return NT_STATUS_NO_SUCH_ALIAS;
}
pstr_sprintf(filter,
"(&(objectClass=%s)(sambaSid=%s)(sambaGroupType=%d))",
LDAP_OBJ_GROUPMAP, sid_string_static(alias),
type);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
if (ldapsam_search_one_group(ldap_state, filter,
&result) != LDAP_SUCCESS)
return NT_STATUS_NO_SUCH_ALIAS;
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
result);
if (count < 1) {
r2923: Fix some obvious copy/paste leftover debug-messages. Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2004-10-12 01:09:36 +04:00
DEBUG(4, ("ldapsam_enum_aliasmem: Did not find alias\n"));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_ALIAS;
}
if (count > 1) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("ldapsam_enum_aliasmem: Duplicate entries for "
"filter %s: count=%d\n", filter, count));
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_ALIAS;
}
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
result);
if (!entry) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
values = ldap_get_values(ldap_state->smbldap_state->ldap_struct,
entry,
get_attr_key2string(groupmap_attr_list,
LDAP_ATTR_SID_LIST));
if (values == NULL) {
ldap_msgfree(result);
return NT_STATUS_OK;
}
count = ldap_count_values(values);
for (i=0; i<count; i++) {
DOM_SID member;
if (!string_to_sid(&member, values[i]))
continue;
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_sid_to_array(NULL, &member, pp_members, &num_members)) {
ldap_value_free(values);
ldap_msgfree(result);
return NT_STATUS_NO_MEMORY;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
}
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
*p_num_members = num_members;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
ldap_value_free(values);
ldap_msgfree(result);
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2005-03-27 20:33:04 +04:00
TALLOC_CTX *mem_ctx,
const DOM_SID *domain_sid,
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
const DOM_SID *members,
r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2005-10-18 07:24:00 +04:00
size_t num_members,
uint32 **pp_alias_rids,
size_t *p_num_alias_rids)
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
LDAP *ldap_struct;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2005-02-17 17:27:34 +03:00
const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
int i;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
int rc;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
char *filter;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_USE_NONE;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (sid_check_is_builtin(domain_sid)) {
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
type = SID_NAME_ALIAS;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (sid_check_is_domain(domain_sid)) {
type = SID_NAME_ALIAS;
}
if (type == SID_NAME_USE_NONE) {
DEBUG(5, ("SID %s is neither builtin nor domain!\n",
sid_string_static(domain_sid)));
return NT_STATUS_UNSUCCESSFUL;
}
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
filter = talloc_asprintf(mem_ctx,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
"(&(|(objectclass=%s)(sambaGroupType=%d))(|",
LDAP_OBJ_GROUPMAP, type);
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
for (i=0; i<num_members; i++)
filter = talloc_asprintf(mem_ctx, "%s(sambaSIDList=%s)",
filter,
sid_string_static(&members[i]));
filter = talloc_asprintf(mem_ctx, "%s))", filter);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
if (rc != LDAP_SUCCESS)
return NT_STATUS_UNSUCCESSFUL;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
ldap_struct = ldap_state->smbldap_state->ldap_struct;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
for (entry = ldap_first_entry(ldap_struct, result);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
entry != NULL;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
entry = ldap_next_entry(ldap_struct, entry))
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
{
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
fstring sid_str;
DOM_SID sid;
r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2005-03-27 20:33:04 +04:00
uint32 rid;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
if (!smbldap_get_single_attribute(ldap_struct, entry,
LDAP_ATTRIBUTE_SID,
sid_str,
sizeof(sid_str)-1))
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
continue;
r3566: Completely replace the queryuseraliases call. The previous implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2004-11-06 02:34:00 +03:00
if (!string_to_sid(&sid, sid_str))
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
continue;
r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2005-03-27 20:33:04 +04:00
if (!sid_peek_check_rid(domain_sid, &sid, &rid))
continue;
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2006-12-09 05:58:18 +03:00
if (!add_rid_to_array_unique(mem_ctx, rid, pp_alias_rids,
p_num_alias_rids)) {
ldap_msgfree(result);
return NT_STATUS_NO_MEMORY;
}
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
}
ldap_msgfree(result);
return NT_STATUS_OK;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_set_account_policy_in_ldap(struct pdb_methods *methods,
int policy_index,
uint32 value)
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
{
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
int rc;
LDAPMod **mods = NULL;
fstring value_string;
const char *policy_attr = NULL;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151)
2005-12-20 18:10:41 +03:00
DEBUG(10,("ldapsam_set_account_policy_in_ldap\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (!ldap_state->domain_dn) {
return NT_STATUS_INVALID_PARAMETER;
}
policy_attr = get_account_policy_attr(policy_index);
if (policy_attr == NULL) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_set_account_policy_in_ldap: invalid "
"policy\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
slprintf(value_string, sizeof(value_string) - 1, "%i", value);
smbldap_set_mod(&mods, LDAP_MOD_REPLACE, policy_attr, value_string);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
rc = smbldap_modify(ldap_state->smbldap_state, ldap_state->domain_dn,
mods);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
return ntstatus;
}
if (!cache_account_policy_set(policy_index, value)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_set_account_policy_in_ldap: failed to "
"update local tdb cache\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
return NT_STATUS_OK;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods,
int policy_index, uint32 value)
r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151)
2005-12-20 18:10:41 +03:00
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return ldapsam_set_account_policy_in_ldap(methods, policy_index,
value);
r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151)
2005-12-20 18:10:41 +03:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_get_account_policy_from_ldap(struct pdb_methods *methods,
int policy_index,
uint32 *value)
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
{
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int count;
int rc;
char **vals = NULL;
const char *policy_attr = NULL;
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
const char *attrs[2];
DEBUG(10,("ldapsam_get_account_policy_from_ldap\n"));
if (!ldap_state->domain_dn) {
return NT_STATUS_INVALID_PARAMETER;
}
policy_attr = get_account_policy_attr(policy_index);
if (!policy_attr) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_get_account_policy_from_ldap: invalid "
"policy index: %d\n", policy_index));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return ntstatus;
}
attrs[0] = policy_attr;
attrs[1] = NULL;
rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
LDAP_SCOPE_BASE, "(objectclass=*)", attrs, 0,
&result);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (rc != LDAP_SUCCESS) {
return ntstatus;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
count = ldap_count_entries(priv2ld(ldap_state), result);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (count < 1) {
goto out;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_first_entry(priv2ld(ldap_state), result);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (entry == NULL) {
goto out;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
vals = ldap_get_values(priv2ld(ldap_state), entry, policy_attr);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (vals == NULL) {
goto out;
}
*value = (uint32)atol(vals[0]);
ntstatus = NT_STATUS_OK;
out:
if (vals)
ldap_value_free(vals);
ldap_msgfree(result);
return ntstatus;
}
/* wrapper around ldapsam_get_account_policy_from_ldap(), handles tdb as cache
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
- if user hasn't decided to use account policies inside LDAP just reuse the
old tdb values
r12398: adding Guenther's account policy migration fix (This used to be commit be32f10609f2274903cb3b2c6b84c9aa62962151)
2005-12-20 18:10:41 +03:00
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
- if there is a valid cache entry, return that
- if there is an LDAP entry, update cache and return
- otherwise set to default, update cache and return
Guenther
*/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods,
int policy_index, uint32 *value)
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
{
NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
if (cache_account_policy_get(policy_index, value)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(11,("ldapsam_get_account_policy: got valid value from "
"cache\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return NT_STATUS_OK;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ntstatus = ldapsam_get_account_policy_from_ldap(methods, policy_index,
value);
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
if (NT_STATUS_IS_OK(ntstatus)) {
goto update_cache;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(10,("ldapsam_get_account_policy: failed to retrieve from "
"ldap\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
#if 0
/* should we automagically migrate old tdb value here ? */
if (account_policy_get(policy_index, value))
goto update_ldap;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(10,("ldapsam_get_account_policy: no tdb for %d, trying "
"default\n", policy_index));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
#endif
if (!account_policy_get_default(policy_index, value)) {
return ntstatus;
}
/* update_ldap: */
ntstatus = ldapsam_set_account_policy(methods, policy_index, *value);
if (!NT_STATUS_IS_OK(ntstatus)) {
return ntstatus;
}
update_cache:
if (!cache_account_policy_set(policy_index, *value)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0,("ldapsam_get_account_policy: failed to update local "
"tdb as a cache\n"));
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
const DOM_SID *domain_sid,
int num_rids,
uint32 *rids,
r11922: Looks bigger than it is: There's no point in allocating arrays in samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2005-11-27 01:04:28 +03:00
const char **names,
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType *attrs)
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *msg = NULL;
LDAPMessage *entry;
char *allsids = NULL;
int i, rc, num_mapped;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
NTSTATUS result = NT_STATUS_NO_MEMORY;
TALLOC_CTX *mem_ctx;
LDAP *ld;
BOOL is_builtin;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!sid_check_is_builtin(domain_sid) &&
!sid_check_is_domain(domain_sid)) {
result = NT_STATUS_INVALID_PARAMETER;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
goto done;
}
for (i=0; i<num_rids; i++)
r11922: Looks bigger than it is: There's no point in allocating arrays in samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2005-11-27 01:04:28 +03:00
attrs[i] = SID_NAME_UNKNOWN;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
allsids = talloc_strdup(mem_ctx, "");
if (allsids == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
for (i=0; i<num_rids; i++) {
DOM_SID sid;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&sid, domain_sid, rids[i]);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
allsids = talloc_asprintf_append(allsids, "(sambaSid=%s)",
sid_string_static(&sid));
if (allsids == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
}
/* First look for users */
{
char *filter;
const char *ldap_attrs[] = { "uid", "sambaSid", NULL };
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
mem_ctx, ("(&(objectClass=%s)(|%s))"),
LDAP_OBJ_SAMBASAMACCOUNT, allsids);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
rc = smbldap_search(ldap_state->smbldap_state,
lp_ldap_user_suffix(),
LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
&msg);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
talloc_autofree_ldapmsg(mem_ctx, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
}
if (rc != LDAP_SUCCESS)
goto done;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ld = ldap_state->smbldap_state->ldap_struct;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
num_mapped = 0;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
for (entry = ldap_first_entry(ld, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
entry != NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_next_entry(ld, entry)) {
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
uint32 rid;
int rid_index;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *name;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
&rid)) {
DEBUG(2, ("Could not find sid from ldap entry\n"));
continue;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
name = smbldap_talloc_single_attribute(ld, entry, "uid",
names);
if (name == NULL) {
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
DEBUG(2, ("Could not retrieve uid attribute\n"));
continue;
}
for (rid_index = 0; rid_index < num_rids; rid_index++) {
if (rid == rids[rid_index])
break;
}
if (rid_index == num_rids) {
DEBUG(2, ("Got a RID not asked for: %d\n", rid));
continue;
}
r11922: Looks bigger than it is: There's no point in allocating arrays in samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2005-11-27 01:04:28 +03:00
attrs[rid_index] = SID_NAME_USER;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
names[rid_index] = name;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
num_mapped += 1;
}
if (num_mapped == num_rids) {
/* No need to look for groups anymore -- we're done */
result = NT_STATUS_OK;
goto done;
}
/* Same game for groups */
{
char *filter;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *ldap_attrs[] = { "cn", "displayName", "sambaSid",
"sambaGroupType", NULL };
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
filter = talloc_asprintf(
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
mem_ctx, "(&(objectClass=%s)(|%s))",
LDAP_OBJ_GROUPMAP, allsids);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
goto done;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
rc = smbldap_search(ldap_state->smbldap_state,
lp_ldap_group_suffix(),
LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
&msg);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
talloc_autofree_ldapmsg(mem_ctx, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
}
if (rc != LDAP_SUCCESS)
goto done;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* ldap_struct might have changed due to a reconnect */
ld = ldap_state->smbldap_state->ldap_struct;
/* For consistency checks, we already checked we're only domain or builtin */
is_builtin = sid_check_is_builtin(domain_sid);
for (entry = ldap_first_entry(ld, msg);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
entry != NULL;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_next_entry(ld, entry))
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
{
uint32 rid;
int rid_index;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *attr;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
const char *dn = smbldap_talloc_dn(mem_ctx, ld, entry);
attr = smbldap_talloc_single_attribute(ld, entry, "sambaGroupType",
mem_ctx);
if (attr == NULL) {
DEBUG(2, ("Could not extract type from ldap entry %s\n",
dn));
continue;
}
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
type = (enum lsa_SidType)atol(attr);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Consistency checks */
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
if ((is_builtin && (type != SID_NAME_ALIAS)) ||
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
(!is_builtin && ((type != SID_NAME_ALIAS) &&
(type != SID_NAME_DOM_GRP)))) {
DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
}
if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
&rid)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
continue;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
attr = smbldap_talloc_single_attribute(ld, entry, "displayName", names);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (attr == NULL) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(10, ("Could not retrieve 'displayName' attribute from %s\n",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
attr = smbldap_talloc_single_attribute(ld, entry, "cn", names);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
if (attr == NULL) {
DEBUG(2, ("Could not retrieve naming attribute from %s\n",
dn));
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
continue;
}
for (rid_index = 0; rid_index < num_rids; rid_index++) {
if (rid == rids[rid_index])
break;
}
if (rid_index == num_rids) {
DEBUG(2, ("Got a RID not asked for: %d\n", rid));
continue;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
attrs[rid_index] = type;
names[rid_index] = attr;
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
num_mapped += 1;
}
result = NT_STATUS_NONE_MAPPED;
if (num_mapped > 0)
result = (num_mapped == num_rids) ?
NT_STATUS_OK : STATUS_SOME_UNMAPPED;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2005-03-22 23:50:29 +03:00
return result;
}
r13389: get_ldap_filter is only used once, make it static (This used to be commit d3b66fb8712e41a331ccfb0f52f187382769b41e)
2006-02-08 13:36:13 +03:00
static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
char *filter = NULL;
char *escaped = NULL;
char *result = NULL;
asprintf(&filter, "(&%s(objectclass=sambaSamAccount))",
r7142: removing 'ldap filter' smb.conf option (This used to be commit e2f8eeb4e26e8f7bec4d9dc820b86a7b548f82da)
2005-05-31 20:09:58 +04:00
"(uid=%u)");
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (filter == NULL) goto done;
escaped = escape_ldap_string_alloc(username);
if (escaped == NULL) goto done;
r12313: Introduce yet another copy of the string_sub function: talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2005-12-18 21:06:15 +03:00
result = talloc_string_sub(mem_ctx, filter, "%u", username);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
done:
SAFE_FREE(filter);
SAFE_FREE(escaped);
return result;
}
const char **talloc_attrs(TALLOC_CTX *mem_ctx, ...)
{
int i, num = 0;
va_list ap;
const char **result;
va_start(ap, mem_ctx);
while (va_arg(ap, const char *) != NULL)
num += 1;
va_end(ap);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if ((result = TALLOC_ARRAY(mem_ctx, const char *, num+1)) == NULL) {
return NULL;
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
va_start(ap, mem_ctx);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
for (i=0; i<num; i++) {
result[i] = talloc_strdup(result, va_arg(ap, const char*));
if (result[i] == NULL) {
talloc_free(result);
return NULL;
}
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
va_end(ap);
result[num] = NULL;
return result;
}
struct ldap_search_state {
struct smbldap_state *connection;
r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2006-02-27 13:32:45 +03:00
uint32 acct_flags;
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
uint16 group_type;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
const char *base;
int scope;
const char *filter;
const char **attrs;
int attrsonly;
void *pagedresults_cookie;
LDAPMessage *entries, *current_entry;
BOOL (*ldap2displayentry)(struct ldap_search_state *state,
TALLOC_CTX *mem_ctx,
LDAP *ld, LDAPMessage *entry,
struct samr_displayentry *result);
};
static BOOL ldapsam_search_firstpage(struct pdb_search *search)
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
r6748: With reconnects, state->connection->ldap_struct can change in smbldap_search and friends. This should be a fix for bug 2701. Thanks to jht for giving me access to his box! Volker (This used to be commit 85320c12578f183d4ed0450949e0aee8d020e036)
2005-05-12 12:33:27 +04:00
LDAP *ld;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
int rc = LDAP_OPERATIONS_ERROR;
state->entries = NULL;
if (state->connection->paged_results) {
rc = smbldap_search_paged(state->connection, state->base,
state->scope, state->filter,
state->attrs, state->attrsonly,
lp_ldap_page_size(), &state->entries,
&state->pagedresults_cookie);
}
if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) {
if (state->entries != NULL) {
/* Left over from unsuccessful paged attempt */
ldap_msgfree(state->entries);
state->entries = NULL;
}
rc = smbldap_search(state->connection, state->base,
state->scope, state->filter, state->attrs,
state->attrsonly, &state->entries);
if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
return False;
/* Ok, the server was lying. It told us it could do paged
* searches when it could not. */
state->connection->paged_results = False;
}
r6748: With reconnects, state->connection->ldap_struct can change in smbldap_search and friends. This should be a fix for bug 2701. Thanks to jht for giving me access to his box! Volker (This used to be commit 85320c12578f183d4ed0450949e0aee8d020e036)
2005-05-12 12:33:27 +04:00
ld = state->connection->ldap_struct;
if ( ld == NULL) {
DEBUG(5, ("Don't have an LDAP connection right after a "
"search\n"));
return False;
}
state->current_entry = ldap_first_entry(ld, state->entries);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (state->current_entry == NULL) {
ldap_msgfree(state->entries);
state->entries = NULL;
}
return True;
}
static BOOL ldapsam_search_nextpage(struct pdb_search *search)
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
int rc;
if (!state->connection->paged_results) {
/* There is no next page when there are no paged results */
return False;
}
rc = smbldap_search_paged(state->connection, state->base,
state->scope, state->filter, state->attrs,
state->attrsonly, lp_ldap_page_size(),
&state->entries,
&state->pagedresults_cookie);
if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
return False;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
state->current_entry = ldap_first_entry(state->connection->ldap_struct, state->entries);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (state->current_entry == NULL) {
ldap_msgfree(state->entries);
state->entries = NULL;
}
return True;
}
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
static BOOL ldapsam_search_next_entry(struct pdb_search *search,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct samr_displayentry *entry)
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
BOOL result;
retry:
if ((state->entries == NULL) && (state->pagedresults_cookie == NULL))
return False;
if ((state->entries == NULL) &&
!ldapsam_search_nextpage(search))
return False;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
result = state->ldap2displayentry(state, search->mem_ctx, state->connection->ldap_struct,
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->current_entry, entry);
if (!result) {
char *dn;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
dn = ldap_get_dn(state->connection->ldap_struct, state->current_entry);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>"));
if (dn != NULL) ldap_memfree(dn);
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
state->current_entry = ldap_next_entry(state->connection->ldap_struct, state->current_entry);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
if (state->current_entry == NULL) {
ldap_msgfree(state->entries);
state->entries = NULL;
}
if (!result) goto retry;
return True;
}
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
static void ldapsam_search_end(struct pdb_search *search)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldap_search_state *state =
(struct ldap_search_state *)search->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
int rc;
if (state->pagedresults_cookie == NULL)
return;
if (state->entries != NULL)
ldap_msgfree(state->entries);
state->entries = NULL;
state->current_entry = NULL;
if (!state->connection->paged_results)
return;
/* Tell the LDAP server we're not interested in the rest anymore. */
rc = smbldap_search_paged(state->connection, state->base, state->scope,
state->filter, state->attrs,
state->attrsonly, 0, &state->entries,
&state->pagedresults_cookie);
if (rc != LDAP_SUCCESS)
DEBUG(5, ("Could not end search properly\n"));
return;
}
static BOOL ldapuser2displayentry(struct ldap_search_state *state,
TALLOC_CTX *mem_ctx,
LDAP *ld, LDAPMessage *entry,
struct samr_displayentry *result)
{
char **vals;
DOM_SID sid;
r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2006-02-27 13:32:45 +03:00
uint32 acct_flags;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
vals = ldap_get_values(ld, entry, "sambaAcctFlags");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(5, ("\"sambaAcctFlags\" not found\n"));
return False;
}
acct_flags = pdb_decode_acct_ctrl(vals[0]);
ldap_value_free(vals);
if ((state->acct_flags != 0) &&
((state->acct_flags & acct_flags) == 0))
return False;
result->acct_flags = acct_flags;
result->account_name = "";
result->fullname = "";
result->description = "";
vals = ldap_get_values(ld, entry, "uid");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(5, ("\"uid\" not found\n"));
return False;
}
pull_utf8_talloc(mem_ctx,
CONST_DISCARD(char **, &result->account_name),
vals[0]);
ldap_value_free(vals);
vals = ldap_get_values(ld, entry, "displayName");
if ((vals == NULL) || (vals[0] == NULL))
DEBUG(8, ("\"displayName\" not found\n"));
else
pull_utf8_talloc(mem_ctx,
CONST_DISCARD(char **, &result->fullname),
vals[0]);
ldap_value_free(vals);
vals = ldap_get_values(ld, entry, "description");
if ((vals == NULL) || (vals[0] == NULL))
DEBUG(8, ("\"description\" not found\n"));
else
pull_utf8_talloc(mem_ctx,
CONST_DISCARD(char **, &result->description),
vals[0]);
ldap_value_free(vals);
if ((result->account_name == NULL) ||
(result->fullname == NULL) ||
(result->description == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
vals = ldap_get_values(ld, entry, "sambaSid");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(0, ("\"objectSid\" not found\n"));
return False;
}
if (!string_to_sid(&sid, vals[0])) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
ldap_value_free(vals);
return False;
}
ldap_value_free(vals);
if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("sid %s does not belong to our domain\n",
sid_string_static(&sid)));
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return False;
}
return True;
}
static BOOL ldapsam_search_users(struct pdb_methods *methods,
struct pdb_search *search,
r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2006-02-27 13:32:45 +03:00
uint32 acct_flags)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct ldap_search_state *state;
state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
if (state == NULL) {
DEBUG(0, ("talloc failed\n"));
return False;
}
state->connection = ldap_state->smbldap_state;
if ((acct_flags != 0) && ((acct_flags & ACB_NORMAL) != 0))
state->base = lp_ldap_user_suffix();
else if ((acct_flags != 0) &&
r8542: - (re-)add better search-semantics: look for Interdomain trust accounts below the machine-suffix (this is where we create them)) to avoid digging through thousands of user-accounts just to find a handful of trust-accounts in the enumdomusers-samr-call. - don't access freed data in DEBUG-statement Guenther (This used to be commit 793c82c0172c4f834e43d04bf3f9d39858761e88)
2005-07-18 17:16:52 +04:00
((acct_flags & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) != 0))
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->base = lp_ldap_machine_suffix();
else
state->base = lp_ldap_suffix();
state->acct_flags = acct_flags;
state->base = talloc_strdup(search->mem_ctx, state->base);
state->scope = LDAP_SCOPE_SUBTREE;
state->filter = get_ldap_filter(search->mem_ctx, "*");
state->attrs = talloc_attrs(search->mem_ctx, "uid", "sambaSid",
"displayName", "description",
"sambaAcctFlags", NULL);
state->attrsonly = 0;
state->pagedresults_cookie = NULL;
state->entries = NULL;
state->ldap2displayentry = ldapuser2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
r7882: Looks like a large patch - but what it actually does is make Samba safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2005-06-25 00:25:18 +04:00
search->private_data = state;
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
search->next_entry = ldapsam_search_next_entry;
search->search_end = ldapsam_search_end;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return ldapsam_search_firstpage(search);
}
static BOOL ldapgroup2displayentry(struct ldap_search_state *state,
TALLOC_CTX *mem_ctx,
LDAP *ld, LDAPMessage *entry,
struct samr_displayentry *result)
{
char **vals;
DOM_SID sid;
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
uint16 group_type;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
result->account_name = "";
result->fullname = "";
result->description = "";
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
vals = ldap_get_values(ld, entry, "sambaGroupType");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(5, ("\"sambaGroupType\" not found\n"));
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
if (vals != NULL) {
ldap_value_free(vals);
}
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
return False;
}
group_type = atoi(vals[0]);
if ((state->group_type != 0) &&
((state->group_type != group_type))) {
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
ldap_value_free(vals);
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
return False;
}
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
ldap_value_free(vals);
r9660: real fix for group enumeration bug in 3.0.20; only affected the ldapsam code (This used to be commit 62f9fb5e3a9bce539c9fedc5fdec1b8741a922c7)
2005-08-26 22:57:32 +04:00
/* display name is the NT group name */
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
vals = ldap_get_values(ld, entry, "displayName");
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
if ((vals == NULL) || (vals[0] == NULL)) {
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
DEBUG(8, ("\"displayName\" not found\n"));
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
/* fallback to the 'cn' attribute */
vals = ldap_get_values(ld, entry, "cn");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(5, ("\"cn\" not found\n"));
return False;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pull_utf8_talloc(mem_ctx,
CONST_DISCARD(char **, &result->account_name),
vals[0]);
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
}
else {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
pull_utf8_talloc(mem_ctx,
CONST_DISCARD(char **, &result->account_name),
vals[0]);
r9661: fallback to cn attribubte if displayName is not available (This used to be commit b1524999e0b4fc99d213fc6e56182a8fa8e88ef1)
2005-08-26 23:15:19 +04:00
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
ldap_value_free(vals);
vals = ldap_get_values(ld, entry, "description");
if ((vals == NULL) || (vals[0] == NULL))
DEBUG(8, ("\"description\" not found\n"));
else
pull_utf8_talloc(mem_ctx,
CONST_DISCARD(char **, &result->description),
vals[0]);
ldap_value_free(vals);
if ((result->account_name == NULL) ||
(result->fullname == NULL) ||
(result->description == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
vals = ldap_get_values(ld, entry, "sambaSid");
if ((vals == NULL) || (vals[0] == NULL)) {
DEBUG(0, ("\"objectSid\" not found\n"));
r12645: Fix some memleaks. This will also be in the trunk checkin that comes next. Volker (This used to be commit dc167037b0f3bada390dfdb820cb84ed9a4cfdcf)
2005-12-31 13:57:43 +03:00
if (vals != NULL) {
ldap_value_free(vals);
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return False;
}
if (!string_to_sid(&sid, vals[0])) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
return False;
}
ldap_value_free(vals);
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
switch (group_type) {
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
&& !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
{
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("%s is not in our domain\n",
sid_string_static(&sid)));
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
return False;
}
break;
default:
DEBUG(0,("unkown group type: %d\n", group_type));
return False;
}
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return True;
}
static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
struct pdb_search *search,
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
const DOM_SID *sid,
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type)
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
struct ldap_search_state *state;
state = TALLOC_P(search->mem_ctx, struct ldap_search_state);
if (state == NULL) {
DEBUG(0, ("talloc failed\n"));
return False;
}
state->connection = ldap_state->smbldap_state;
state->base = talloc_strdup(search->mem_ctx, lp_ldap_group_suffix());
state->connection = ldap_state->smbldap_state;
state->scope = LDAP_SCOPE_SUBTREE;
state->filter = talloc_asprintf(search->mem_ctx,
"(&(objectclass=sambaGroupMapping)"
r15444: Fix from Jim to ensure we do a wildcard search for SID's starting with the global SAM sid, not an exact search. Jeremy. (This used to be commit 755c272ebf5d0f4de15178814f998d1ec5ecb718)
2006-05-04 23:24:20 +04:00
"(sambaGroupType=%d)(sambaSID=%s*))",
r14452: Sorry. Need more coffee.... * Fix sprintf() args when createing the group search filter. (This used to be commit 0b7549997a3739b2c1500e7838ebaaa249dbfaf4)
2006-03-15 19:09:24 +03:00
type, sid_string_static(sid));
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid",
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
"displayName", "description",
"sambaGroupType", NULL);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->attrsonly = 0;
state->pagedresults_cookie = NULL;
state->entries = NULL;
r8787: Make enumeration of builtin-aliases work again. Guenther (This used to be commit 0c8859474da609c69435c2acdfa4fa012d87eed3)
2005-07-27 01:57:49 +04:00
state->group_type = type;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
state->ldap2displayentry = ldapgroup2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
DEBUG(0, ("talloc failed\n"));
return False;
}
r7882: Looks like a large patch - but what it actually does is make Samba safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2005-06-25 00:25:18 +04:00
search->private_data = state;
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
search->next_entry = ldapsam_search_next_entry;
search->search_end = ldapsam_search_end;
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
return ldapsam_search_firstpage(search);
}
static BOOL ldapsam_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
}
static BOOL ldapsam_search_aliases(struct pdb_methods *methods,
struct pdb_search *search,
const DOM_SID *sid)
{
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS groups in the ${MACHINESID} and S_1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as will since this is a pretty important change). Sites will need to - install the new schema - add 'indea sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
2006-03-15 19:00:34 +03:00
return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2005-04-15 17:41:49 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
static BOOL ldapsam_rid_algorithm(struct pdb_methods *methods)
{
return False;
}
static NTSTATUS ldapsam_get_new_rid(struct ldapsam_privates *priv,
uint32 *rid)
{
struct smbldap_state *smbldap_state = priv->smbldap_state;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
NTSTATUS status;
char *value;
int rc;
uint32 nextRid = 0;
r15571: Fix Coverity bug #285 (This used to be commit 2cf503d7da08319f318217f6fe8f85c18bf0dffb)
2006-05-13 21:28:21 +04:00
const char *dn;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
TALLOC_CTX *mem_ctx;
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return NT_STATUS_NO_MEMORY;
}
status = smbldap_search_domain_info(smbldap_state, &result,
get_global_sam_name(), False);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not get domain info: %s\n",
nt_errstr(status)));
goto done;
}
talloc_autofree_ldapmsg(mem_ctx, result);
entry = ldap_first_entry(priv2ld(priv), result);
if (entry == NULL) {
DEBUG(0, ("Could not get domain info entry\n"));
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto done;
}
/* Find the largest of the three attributes "sambaNextRid",
"sambaNextGroupRid" and "sambaNextUserRid". I gave up on the
concept of differentiating between user and group rids, and will
use only "sambaNextRid" in the future. But for compatibility
reasons I look if others have chosen different strategies -- VL */
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextRid", mem_ctx);
if (value != NULL) {
uint32 tmp = (uint32)strtoul(value, NULL, 10);
nextRid = MAX(nextRid, tmp);
}
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextUserRid", mem_ctx);
if (value != NULL) {
uint32 tmp = (uint32)strtoul(value, NULL, 10);
nextRid = MAX(nextRid, tmp);
}
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaNextGroupRid", mem_ctx);
if (value != NULL) {
uint32 tmp = (uint32)strtoul(value, NULL, 10);
nextRid = MAX(nextRid, tmp);
}
if (nextRid == 0) {
nextRid = BASE_RID-1;
}
nextRid += 1;
smbldap_make_mod(priv2ld(priv), entry, &mods, "sambaNextRid",
talloc_asprintf(mem_ctx, "%d", nextRid));
talloc_autofree_ldapmod(mem_ctx, mods);
r15571: Fix Coverity bug #285 (This used to be commit 2cf503d7da08319f318217f6fe8f85c18bf0dffb)
2006-05-13 21:28:21 +04:00
if ((dn = smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)) == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
rc = smbldap_modify(smbldap_state, dn, mods);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* ACCESS_DENIED is used as a placeholder for "the modify failed,
* please retry" */
status = (rc == LDAP_SUCCESS) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
done:
if (NT_STATUS_IS_OK(status)) {
*rid = nextRid;
}
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return status;
}
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
static NTSTATUS ldapsam_new_rid_internal(struct pdb_methods *methods, uint32 *rid)
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
{
int i;
for (i=0; i<10; i++) {
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
NTSTATUS result = ldapsam_get_new_rid(
(struct ldapsam_privates *)methods->private_data, rid);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (NT_STATUS_IS_OK(result)) {
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
return result;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
if (!NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
return result;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
/* The ldap update failed (maybe a race condition), retry */
}
/* Tried 10 times, fail. */
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
return NT_STATUS_ACCESS_DENIED;
}
static BOOL ldapsam_new_rid(struct pdb_methods *methods, uint32 *rid)
{
NTSTATUS result = ldapsam_new_rid_internal(methods, rid);
return NT_STATUS_IS_OK(result) ? True : False;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
static BOOL ldapsam_sid_to_id(struct pdb_methods *methods,
const DOM_SID *sid,
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
union unid_t *id, enum lsa_SidType *type)
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
{
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
struct ldapsam_privates *priv =
(struct ldapsam_privates *)methods->private_data;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
char *filter;
const char *attrs[] = { "sambaGroupType", "gidNumber", "uidNumber",
NULL };
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
BOOL ret = False;
char *value;
int rc;
TALLOC_CTX *mem_ctx;
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return False;
}
filter = talloc_asprintf(mem_ctx,
"(&(sambaSid=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(|(objectClass=%s)(objectClass=%s)))",
sid_string_static(sid),
LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (filter == NULL) {
DEBUG(5, ("talloc_asprintf failed\n"));
goto done;
}
rc = smbldap_search_suffix(priv->smbldap_state, filter,
attrs, &result);
if (rc != LDAP_SUCCESS) {
goto done;
}
talloc_autofree_ldapmsg(mem_ctx, result);
if (ldap_count_entries(priv2ld(priv), result) != 1) {
DEBUG(10, ("Got %d entries, expected one\n",
ldap_count_entries(priv2ld(priv), result)));
goto done;
}
entry = ldap_first_entry(priv2ld(priv), result);
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"sambaGroupType", mem_ctx);
if (value != NULL) {
const char *gid_str;
/* It's a group */
gid_str = smbldap_talloc_single_attribute(
priv2ld(priv), entry, "gidNumber", mem_ctx);
if (gid_str == NULL) {
DEBUG(1, ("%s has sambaGroupType but no gidNumber\n",
smbldap_talloc_dn(mem_ctx, priv2ld(priv),
entry)));
goto done;
}
id->gid = strtoul(gid_str, NULL, 10);
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
*type = (enum lsa_SidType)strtoul(value, NULL, 10);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
ret = True;
goto done;
}
/* It must be a user */
value = smbldap_talloc_single_attribute(priv2ld(priv), entry,
"uidNumber", mem_ctx);
if (value == NULL) {
DEBUG(1, ("Could not find uidNumber in %s\n",
smbldap_talloc_dn(mem_ctx, priv2ld(priv), entry)));
goto done;
}
id->uid = strtoul(value, NULL, 10);
*type = SID_NAME_USER;
ret = True;
done:
r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2006-02-20 20:59:58 +03:00
TALLOC_FREE(mem_ctx);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return ret;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/*
* The following functions is called only if
* ldapsam:trusted and ldapsam:editposix are
* set to true
*/
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/*
* ldapsam_create_user creates a new
* posixAccount and sambaSamAccount object
* in the ldap users subtree
*
* The uid is allocated by winbindd.
*/
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx, const char *name,
uint32 acb_info, uint32 *rid)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
uint32 num_result;
BOOL is_machine = False;
BOOL add_posix = False;
LDAPMod **mods = NULL;
struct samu *user;
char *filter;
char *username;
char *homedir;
char *gidstr;
char *uidstr;
char *shell;
const char *dn = NULL;
DOM_SID group_sid;
DOM_SID user_sid;
gid_t gid = -1;
uid_t uid = -1;
NTSTATUS ret;
int rc;
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
if (((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') ||
acb_info & ACB_WSTRUST ||
acb_info & ACB_SVRTRUST ||
acb_info & ACB_DOMTRUST) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
is_machine = True;
r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2005-01-26 02:30:05 +03:00
}
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
username = escape_ldap_string_alloc(name);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
filter = talloc_asprintf(tmp_ctx, "(&(uid=%s)(objectClass=%s))",
username, LDAP_OBJ_POSIXACCOUNT);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
SAFE_FREE(username);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_user: ldap search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
talloc_autofree_ldapmsg(tmp_ctx, result);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
num_result = ldap_count_entries(priv2ld(ldap_state), result);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (num_result > 1) {
DEBUG (0, ("ldapsam_create_user: More than one user with name [%s] ?!\n", name));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (num_result == 1) {
char *tmp;
/* check if it is just a posix account.
* or if there is a sid attached to this entry
*/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
if (tmp) {
DEBUG (1, ("ldapsam_create_user: The user [%s] already exist!\n", name));
return NT_STATUS_USER_EXISTS;
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* it is just a posix account, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
}
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (num_result == 0) {
add_posix = True;
}
/* Create the basic samu structure and generate the mods for the ldap commit */
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(1, ("ldapsam_create_user: Could not allocate a new RID\n"));
return ret;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&user_sid, get_global_sam_sid(), *rid);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
user = samu_new(tmp_ctx);
if (!user) {
DEBUG(1,("ldapsam_create_user: Unable to allocate user struct\n"));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!pdb_set_username(user, name, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_domain(user, get_global_sam_name(), PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
if (is_machine) {
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
if (acb_info & ACB_NORMAL) {
if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
} else {
if (!pdb_set_acct_ctrl(user, acb_info, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
} else {
if (!pdb_set_acct_ctrl(user, ACB_NORMAL | ACB_DISABLED, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
}
}
r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2006-02-12 00:27:08 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!pdb_set_user_sid(user, &user_sid, PDB_SET)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2006-02-12 00:27:08 +03:00
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!init_ldap_from_sam(ldap_state, NULL, &mods, user, element_is_set_or_changed)) {
DEBUG(1,("ldapsam_create_user: Unable to fill user structs\n"));
return NT_STATUS_UNSUCCESSFUL;
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
if (ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT) {
DEBUG(1,("ldapsam_create_user: Unsupported schema version\n"));
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SAMBASAMACCOUNT);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (add_posix) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_name;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* retrieve the Domain Users group gid */
if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS) ||
!sid_to_gid(&group_sid, &gid)) {
DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n"));
return NT_STATUS_INVALID_PRIMARY_GROUP;
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* lets allocate a new userid for this user */
if (!winbind_allocate_uid(&uid)) {
DEBUG (0, ("ldapsam_create_user: Unable to allocate a new user id: bailing out!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (is_machine) {
/* TODO: choose a more appropriate default for machines */
homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, gid);
shell = talloc_strdup(tmp_ctx, "/bin/false");
} else {
homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), name, ldap_state->domain_name, uid, gid);
shell = talloc_sub_specified(tmp_ctx, lp_template_shell(), name, ldap_state->domain_name, uid, gid);
}
uidstr = talloc_asprintf(tmp_ctx, "%d", uid);
gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_name = escape_rdn_val_string_alloc(name);
if (!escape_name) {
DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (is_machine) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_machine_suffix ());
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
} else {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", escape_name, lp_ldap_user_suffix ());
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
}
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
SAFE_FREE(escape_name);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!homedir || !shell || !uidstr || !gidstr || !dn) {
DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
return NT_STATUS_NO_MEMORY;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
talloc_autofree_ldapmod(tmp_ctx, mods);
r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2006-02-12 00:27:08 +03:00
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (add_posix) {
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
} else {
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
}
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] (dn = %s)\n", name ,dn));
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP database\n", name));
flush_pwnam_cache();
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_delete_user(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, struct samu *sam_acct)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int num_result;
const char *dn;
char *filter;
int rc;
DEBUG(0,("ldapsam_delete_user: Attempt to delete user [%s]\n", pdb_get_username(sam_acct)));
filter = talloc_asprintf(tmp_ctx,
"(&(uid=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
pdb_get_username(sam_acct),
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_delete_user: user search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
talloc_autofree_ldapmsg(tmp_ctx, result);
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(0,("ldapsam_delete_user: user not found!\n"));
return NT_STATUS_NO_SUCH_USER;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_delete_user: More than one user with name [%s] ?!\n", pdb_get_username(sam_acct)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* it is just a posix account, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_delete_user: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
rc = smbldap_delete(ldap_state->smbldap_state, dn);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
flush_pwnam_cache();
return NT_STATUS_OK;
}
/*
* ldapsam_create_group creates a new
* posixGroup and sambaGroupMapping object
* in the ldap groups subtree
*
* The gid is allocated by winbindd.
*/
static NTSTATUS ldapsam_create_dom_group(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
const char *name,
uint32 *rid)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
NTSTATUS ret;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
uint32 num_result;
BOOL is_new_entry = False;
LDAPMod **mods = NULL;
char *filter;
char *groupsidstr;
char *groupname;
char *grouptype;
char *gidstr;
const char *dn = NULL;
DOM_SID group_sid;
gid_t gid = -1;
int rc;
groupname = escape_ldap_string_alloc(name);
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
filter = talloc_asprintf(tmp_ctx, "(&(cn=%s)(objectClass=%s))",
groupname, LDAP_OBJ_POSIXGROUP);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
SAFE_FREE(groupname);
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_group: ldap search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
talloc_autofree_ldapmsg(tmp_ctx, result);
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result > 1) {
DEBUG (0, ("ldapsam_create_group: There exists more than one group with name [%s]: bailing out!\n", name));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (num_result == 1) {
char *tmp;
/* check if it is just a posix group.
* or if there is a sid attached to this entry
*/
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "sambaSID", tmp_ctx);
if (tmp) {
DEBUG (1, ("ldapsam_create_group: The group [%s] already exist!\n", name));
return NT_STATUS_GROUP_EXISTS;
}
/* it is just a posix group, retrieve the gid and the dn for later use */
tmp = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
if (!tmp) {
DEBUG (1, ("ldapsam_create_group: Couldn't retrieve the gidNumber for [%s]?!?!\n", name));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
gid = strtoul(tmp, NULL, 10);
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
}
if (num_result == 0) {
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_name;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(3,("ldapsam_create_user: Creating new posix group\n"));
is_new_entry = True;
/* lets allocate a new groupid for this group */
if (!winbind_allocate_gid(&gid)) {
DEBUG (0, ("ldapsam_create_group: Unable to allocate a new group id: bailing out!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_name = escape_rdn_val_string_alloc(name);
if (!escape_name) {
DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
dn = talloc_asprintf(tmp_ctx, "cn=%s,%s", escape_name, lp_ldap_group_suffix());
SAFE_FREE(escape_name);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (!gidstr || !dn) {
DEBUG (0, ("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
}
r15895: Ensure all new rid allocation goes through the same function (deals with races). Jeremy. (This used to be commit 4962548dfe8ec2854e209217066556f339d3186e)
2006-05-26 04:13:06 +04:00
if (!NT_STATUS_IS_OK((ret = ldapsam_new_rid_internal(my_methods, rid)))) {
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
DEBUG(1, ("ldapsam_create_group: Could not allocate a new RID\n"));
return ret;
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&group_sid, get_global_sam_sid(), *rid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
groupsidstr = talloc_strdup(tmp_ctx, sid_string_static(&group_sid));
grouptype = talloc_asprintf(tmp_ctx, "%d", SID_NAME_DOM_GRP);
if (!groupsidstr || !grouptype) {
DEBUG(0,("ldapsam_create_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaSid", groupsidstr);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "sambaGroupType", grouptype);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "displayName", name);
talloc_autofree_ldapmod(tmp_ctx, mods);
if (is_new_entry) {
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
#if 0
if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
/* This call may fail with rfc2307bis schema */
/* Retry adding a structural class */
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", "????");
rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
}
#endif
} else {
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
}
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_create_group: failed to create a new group [%s] (dn = %s)\n", name ,dn));
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2,("ldapsam_create_group: added group [%s] in the LDAP database\n", name));
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_delete_dom_group(struct pdb_methods *my_methods, TALLOC_CTX *tmp_ctx, uint32 rid)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
int num_result;
const char *dn;
char *gidstr;
char *filter;
DOM_SID group_sid;
int rc;
/* get the group sid */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&group_sid, get_global_sam_sid(), rid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
sid_string_static(&group_sid),
LDAP_OBJ_POSIXGROUP,
LDAP_OBJ_GROUPMAP);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_delete_dom_group: group search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
talloc_autofree_ldapmsg(tmp_ctx, result);
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(1,("ldapsam_delete_dom_group: group not found!\n"));
return NT_STATUS_NO_SUCH_GROUP;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_delete_dom_group: More than one group with the same SID ?!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* here it is, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_delete_dom_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
if (!gidstr) {
DEBUG (0, ("ldapsam_delete_dom_group: Unable to find the group's gid!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* check no user have this group marked as primary group */
filter = talloc_asprintf(tmp_ctx,
"(&(gidNumber=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
gidstr,
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_delete_dom_group: accounts search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
talloc_autofree_ldapmsg(tmp_ctx, result);
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result != 0) {
DEBUG(3,("ldapsam_delete_dom_group: Can't delete group, it is a primary group for %d users\n", num_result));
return NT_STATUS_MEMBERS_PRIMARY_GROUP;
}
rc = smbldap_delete(ldap_state->smbldap_state, dn);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_change_groupmem(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
uint32 group_rid,
uint32 member_rid,
int modop)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
uint32 num_result;
LDAPMod **mods = NULL;
char *filter;
char *uidstr;
const char *dn = NULL;
DOM_SID group_sid;
DOM_SID member_sid;
int rc;
switch (modop) {
case LDAP_MOD_ADD:
DEBUG(1,("ldapsam_change_groupmem: add new member(rid=%d) to a domain group(rid=%d)", member_rid, group_rid));
break;
case LDAP_MOD_DELETE:
DEBUG(1,("ldapsam_change_groupmem: delete member(rid=%d) from a domain group(rid=%d)", member_rid, group_rid));
break;
default:
return NT_STATUS_UNSUCCESSFUL;
}
/* get member sid */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&member_sid, get_global_sam_sid(), member_rid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* get the group sid */
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
sid_compose(&group_sid, get_global_sam_sid(), group_rid);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
sid_string_static(&member_sid),
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* get the member uid */
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_change_groupmem: member search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
talloc_autofree_ldapmsg(tmp_ctx, result);
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(1,("ldapsam_change_groupmem: member not found!\n"));
return NT_STATUS_NO_SUCH_MEMBER;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_change_groupmem: More than one account with the same SID ?!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
if (modop == LDAP_MOD_DELETE) {
/* check if we are trying to remove the member from his primary group */
char *gidstr;
gid_t user_gid, group_gid;
gidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "gidNumber", tmp_ctx);
if (!gidstr) {
DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's gid!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
user_gid = strtoul(gidstr, NULL, 10);
if (!sid_to_gid(&group_sid, &group_gid)) {
DEBUG (0, ("ldapsam_change_groupmem: Unable to get group gid from SID!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
if (user_gid == group_gid) {
DEBUG (3, ("ldapsam_change_groupmem: can't remove user from it's own primary group!\n"));
return NT_STATUS_MEMBERS_PRIMARY_GROUP;
}
}
/* here it is, retrieve the uid for later use */
uidstr = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, "uid", tmp_ctx);
if (!uidstr) {
DEBUG (0, ("ldapsam_change_groupmem: Unable to find the member's name!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
filter = talloc_asprintf(tmp_ctx,
"(&(sambaSID=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
sid_string_static(&group_sid),
LDAP_OBJ_POSIXGROUP,
LDAP_OBJ_GROUPMAP);
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
/* get the group */
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(1,("ldapsam_change_groupmem: group search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
talloc_autofree_ldapmsg(tmp_ctx, result);
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(1,("ldapsam_change_groupmem: group not found!\n"));
return NT_STATUS_NO_SUCH_GROUP;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_change_groupmem: More than one group with the same SID ?!\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* here it is, retrieve the dn for later use */
dn = smbldap_talloc_dn(tmp_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_change_groupmem: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
smbldap_set_mod(&mods, modop, "memberUid", uidstr);
talloc_autofree_ldapmod(tmp_ctx, mods);
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
if (rc != LDAP_SUCCESS) {
if (rc == LDAP_TYPE_OR_VALUE_EXISTS && modop == LDAP_MOD_ADD) {
DEBUG(1,("ldapsam_change_groupmem: member is already in group, add failed!\n"));
return NT_STATUS_MEMBER_IN_GROUP;
}
if (rc == LDAP_NO_SUCH_ATTRIBUTE && modop == LDAP_MOD_DELETE) {
DEBUG(1,("ldapsam_change_groupmem: member is not in group, delete failed!\n"));
return NT_STATUS_MEMBER_NOT_IN_GROUP;
}
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
static NTSTATUS ldapsam_add_groupmem(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
uint32 group_rid,
uint32 member_rid)
{
return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_ADD);
}
static NTSTATUS ldapsam_del_groupmem(struct pdb_methods *my_methods,
TALLOC_CTX *tmp_ctx,
uint32 group_rid,
uint32 member_rid)
{
return ldapsam_change_groupmem(my_methods, tmp_ctx, group_rid, member_rid, LDAP_MOD_DELETE);
}
static NTSTATUS ldapsam_set_primary_group(struct pdb_methods *my_methods,
TALLOC_CTX *mem_ctx,
struct samu *sampass)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
LDAPMessage *entry = NULL;
LDAPMessage *result = NULL;
uint32 num_result;
LDAPMod **mods = NULL;
char *filter;
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
char *escape_username;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
char *gidstr;
const char *dn = NULL;
gid_t gid;
int rc;
DEBUG(0,("ldapsam_set_primary_group: Attempt to set primary group for user [%s]\n", pdb_get_username(sampass)));
if (!sid_to_gid(pdb_get_group_sid(sampass), &gid)) {
DEBUG(0,("ldapsam_set_primary_group: failed to retieve gid from user's group SID!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
gidstr = talloc_asprintf(mem_ctx, "%d", gid);
if (!gidstr) {
DEBUG(0,("ldapsam_set_primary_group: Out of Memory!\n"));
return NT_STATUS_NO_MEMORY;
}
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_username = escape_ldap_string_alloc(pdb_get_username(sampass));
if (escape_username== NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
filter = talloc_asprintf(mem_ctx,
"(&(uid=%s)"
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
"(objectClass=%s)"
"(objectClass=%s))",
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
escape_username,
r13843: Merge in net sam provision and some pdb_ldap fixes (This used to be commit 705d8118081784e9907648fd1daaaa5ec0285972)
2006-03-05 20:49:30 +03:00
LDAP_OBJ_POSIXACCOUNT,
LDAP_OBJ_SAMBASAMACCOUNT);
r21606: Implement escaping function for ldap RDN values Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-03-01 03:49:28 +03:00
SAFE_FREE(escape_username);
r16334: Fix Klocwork ID's 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 Volker (This used to be commit d3f5acb16e14ec394f1af41fa2f9e27fdca937db)
2006-06-17 11:20:47 +04:00
if (filter == NULL) {
return NT_STATUS_NO_MEMORY;
}
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_set_primary_group: user search failed!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
talloc_autofree_ldapmsg(mem_ctx, result);
num_result = ldap_count_entries(priv2ld(ldap_state), result);
if (num_result == 0) {
DEBUG(0,("ldapsam_set_primary_group: user not found!\n"));
return NT_STATUS_NO_SUCH_USER;
}
if (num_result > 1) {
DEBUG (0, ("ldapsam_set_primary_group: More than one user with name [%s] ?!\n", pdb_get_username(sampass)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry = ldap_first_entry(priv2ld(ldap_state), result);
if (!entry) {
return NT_STATUS_UNSUCCESSFUL;
}
/* retrieve the dn for later use */
dn = smbldap_talloc_dn(mem_ctx, priv2ld(ldap_state), entry);
if (!dn) {
DEBUG(0,("ldapsam_set_primary_group: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
/* remove the old one, and add the new one, this way we do not risk races */
smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "gidNumber", gidstr);
if (mods == NULL) {
return NT_STATUS_OK;
}
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldapsam_set_primary_group: failed to modify [%s] primary group to [%s]\n",
pdb_get_username(sampass), gidstr));
return NT_STATUS_UNSUCCESSFUL;
}
flush_pwnam_cache();
return NT_STATUS_OK;
}
/**********************************************************************
Housekeeping
*********************************************************************/
static void free_private_data(void **vp)
{
struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
smbldap_free_struct(&(*ldap_state)->smbldap_state);
if ((*ldap_state)->result != NULL) {
ldap_msgfree((*ldap_state)->result);
(*ldap_state)->result = NULL;
}
if ((*ldap_state)->domain_dn != NULL) {
SAFE_FREE((*ldap_state)->domain_dn);
}
*ldap_state = NULL;
/* No need to free any further, as it is talloc()ed */
}
/*********************************************************************
Intitalise the parts of the pdb_methods structure that are common to
all pdb_ldap modes
*********************************************************************/
static NTSTATUS pdb_init_ldapsam_common(struct pdb_methods **pdb_method, const char *location)
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
if (!NT_STATUS_IS_OK(nt_status = make_pdb_method( pdb_method ))) {
return nt_status;
}
(*pdb_method)->name = "ldapsam";
(*pdb_method)->setsampwent = ldapsam_setsampwent;
(*pdb_method)->endsampwent = ldapsam_endsampwent;
(*pdb_method)->getsampwent = ldapsam_getsampwent;
(*pdb_method)->getsampwnam = ldapsam_getsampwnam;
(*pdb_method)->getsampwsid = ldapsam_getsampwsid;
(*pdb_method)->add_sam_account = ldapsam_add_sam_account;
(*pdb_method)->update_sam_account = ldapsam_update_sam_account;
(*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
(*pdb_method)->rename_sam_account = ldapsam_rename_sam_account;
(*pdb_method)->getgrsid = ldapsam_getgrsid;
(*pdb_method)->getgrgid = ldapsam_getgrgid;
(*pdb_method)->getgrnam = ldapsam_getgrnam;
(*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
(*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
(*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
(*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
(*pdb_method)->get_account_policy = ldapsam_get_account_policy;
(*pdb_method)->set_account_policy = ldapsam_set_account_policy;
(*pdb_method)->get_seq_num = ldapsam_get_seq_num;
(*pdb_method)->rid_algorithm = ldapsam_rid_algorithm;
(*pdb_method)->new_rid = ldapsam_new_rid;
/* TODO: Setup private data and free */
if ( !(ldap_state = TALLOC_ZERO_P(*pdb_method, struct ldapsam_privates)) ) {
DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
return NT_STATUS_NO_MEMORY;
}
nt_status = smbldap_init(*pdb_method, location, &ldap_state->smbldap_state);
if ( !NT_STATUS_IS_OK(nt_status) ) {
return nt_status;
}
if ( !(ldap_state->domain_name = talloc_strdup(*pdb_method, get_global_sam_name()) ) ) {
return NT_STATUS_NO_MEMORY;
}
(*pdb_method)->private_data = ldap_state;
(*pdb_method)->free_private_data = free_private_data;
return NT_STATUS_OK;
}
/**********************************************************************
Initialise the 'compat' mode for pdb_ldap
*********************************************************************/
NTSTATUS pdb_init_ldapsam_compat(struct pdb_methods **pdb_method, const char *location)
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
char *uri = talloc_strdup( NULL, location );
r17271: Fix a regression in the ldapsam uri syntax. Allow multiple LDAP URIs to be grouped by "" (This used to be commit 21d69dcb3c5361f94d15b2d186e1aae6e246a24e)
2006-07-27 16:20:19 +04:00
trim_char( uri, '\"', '\"' );
nt_status = pdb_init_ldapsam_common( pdb_method, uri );
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if ( uri )
r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2006-02-12 00:27:08 +03:00
TALLOC_FREE( uri );
r17271: Fix a regression in the ldapsam uri syntax. Allow multiple LDAP URIs to be grouped by "" (This used to be commit 21d69dcb3c5361f94d15b2d186e1aae6e246a24e)
2006-07-27 16:20:19 +04:00
if ( !NT_STATUS_IS_OK(nt_status) ) {
return nt_status;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
(*pdb_method)->name = "ldapsam_compat";
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
Initialise the normal mode for pdb_ldap
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2006-02-12 00:27:08 +03:00
NTSTATUS pdb_init_ldapsam(struct pdb_methods **pdb_method, const char *location)
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
uint32 alg_rid_base;
pstring alg_rid_base_string;
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
DOM_SID ldap_domain_sid;
DOM_SID secrets_domain_sid;
pstring domain_sid_string;
r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2005-01-26 02:30:05 +03:00
char *dn;
r17271: Fix a regression in the ldapsam uri syntax. Allow multiple LDAP URIs to be grouped by "" (This used to be commit 21d69dcb3c5361f94d15b2d186e1aae6e246a24e)
2006-07-27 16:20:19 +04:00
char *uri = talloc_strdup( NULL, location );
trim_char( uri, '\"', '\"' );
nt_status = pdb_init_ldapsam_common(pdb_method, uri);
if ( uri )
TALLOC_FREE( uri );
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return nt_status;
}
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
(*pdb_method)->name = "ldapsam";
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
(*pdb_method)->add_aliasmem = ldapsam_add_aliasmem;
(*pdb_method)->del_aliasmem = ldapsam_del_aliasmem;
(*pdb_method)->enum_aliasmem = ldapsam_enum_aliasmem;
(*pdb_method)->enum_alias_memberships = ldapsam_alias_memberships;
r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2005-04-18 20:07:49 +04:00
(*pdb_method)->search_users = ldapsam_search_users;
(*pdb_method)->search_groups = ldapsam_search_groups;
(*pdb_method)->search_aliases = ldapsam_search_aliases;
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (lp_parm_bool(-1, "ldapsam", "trusted", False)) {
(*pdb_method)->enum_group_members = ldapsam_enum_group_members;
(*pdb_method)->enum_group_memberships =
ldapsam_enum_group_memberships;
(*pdb_method)->lookup_rids = ldapsam_lookup_rids;
(*pdb_method)->sid_to_id = ldapsam_sid_to_id;
r13776: Merge in the editposix ldapsam optimization (This used to be commit a374546c7e8dfc17eb2346c518d1d89f28c32feb)
2006-03-01 23:47:36 +03:00
if (lp_parm_bool(-1, "ldapsam", "editposix", False)) {
(*pdb_method)->create_user = ldapsam_create_user;
(*pdb_method)->delete_user = ldapsam_delete_user;
(*pdb_method)->create_dom_group = ldapsam_create_dom_group;
(*pdb_method)->delete_dom_group = ldapsam_delete_dom_group;
(*pdb_method)->add_groupmem = ldapsam_add_groupmem;
(*pdb_method)->del_groupmem = ldapsam_del_groupmem;
(*pdb_method)->set_unix_primary_group = ldapsam_set_primary_group;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/* Try to setup the Domain Name, Domain SID, algorithmic rid base */
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
nt_status = smbldap_search_domain_info(ldap_state->smbldap_state,
&result,
I *hate* global variables... OK, what was happening here was that we would invalidate global_sam_sid when we set the sid into secrets.tdb, to force a re-read. The problem was, we would do *two* writes into the TDB, and the second one (in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups to fail, on a blank TDB. By using a local variable in the pdb_generate_sam_sid() code, we avoid this particular trap. I've also added better debugging for the case where this all matters, which is particularly for LDAP, where it finds out a domain SID from the sambaDomain object. Andrew Bartlett (This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
2004-02-26 01:01:02 +03:00
ldap_state->domain_name, True);
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
if ( !NT_STATUS_IS_OK(nt_status) ) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain "
"info, nor add one to the domain\n"));
DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, "
"will be unable to allocate new users/groups, "
"and will risk BDCs having inconsistant SIDs\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
return NT_STATUS_OK;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
/* Given that the above might fail, everything below this must be
* optional */
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!entry) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("pdb_init_ldapsam: Could not get domain info "
"entry\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2005-01-26 02:30:05 +03:00
dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!dn) {
r21609: Fix memory leaks in error code paths (and one in winbindd_group.c). Patch from Zack Kirsch <zack.kirsch@isilon.com>. Jeremy. (This used to be commit df07a662e32367a52c1e8473475423db2ff5bc51)
2007-03-01 05:43:33 +03:00
ldap_msgfree(result);
r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2005-01-26 02:30:05 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
ldap_state->domain_dn = smb_xstrdup(dn);
r5481: Fix a memleak (This used to be commit 36bcfc5dae99868fc94ca01f902fec3d19926f5e)
2005-02-21 14:11:13 +03:00
ldap_memfree(dn);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (smbldap_get_single_pstring(
ldap_state->smbldap_state->ldap_struct,
entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_USER_SID),
domain_sid_string)) {
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
BOOL found_sid;
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be "
"read as a valid SID\n", domain_sid_string));
r21609: Fix memory leaks in error code paths (and one in winbindd_group.c). Patch from Zack Kirsch <zack.kirsch@isilon.com>. Jeremy. (This used to be commit df07a662e32367a52c1e8473475423db2ff5bc51)
2007-03-01 05:43:33 +03:00
ldap_msgfree(result);
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
return NT_STATUS_INVALID_PARAMETER;
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
found_sid = secrets_fetch_domain_sid(ldap_state->domain_name,
&secrets_domain_sid);
if (!found_sid || !sid_equal(&secrets_domain_sid,
&ldap_domain_sid)) {
I *hate* global variables... OK, what was happening here was that we would invalidate global_sam_sid when we set the sid into secrets.tdb, to force a re-read. The problem was, we would do *two* writes into the TDB, and the second one (in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups to fail, on a blank TDB. By using a local variable in the pdb_generate_sam_sid() code, we avoid this particular trap. I've also added better debugging for the case where this all matters, which is particularly for LDAP, where it finds out a domain SID from the sambaDomain object. Andrew Bartlett (This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
2004-02-26 01:01:02 +03:00
fstring new_sid_str, old_sid_str;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain "
"%s based on pdb_ldap results %s -> %s\n",
ldap_state->domain_name,
sid_to_string(old_sid_str,
&secrets_domain_sid),
sid_to_string(new_sid_str,
&ldap_domain_sid)));
I *hate* global variables... OK, what was happening here was that we would invalidate global_sam_sid when we set the sid into secrets.tdb, to force a re-read. The problem was, we would do *two* writes into the TDB, and the second one (in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups to fail, on a blank TDB. By using a local variable in the pdb_generate_sam_sid() code, we avoid this particular trap. I've also added better debugging for the case where this all matters, which is particularly for LDAP, where it finds out a domain SID from the sambaDomain object. Andrew Bartlett (This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
2004-02-26 01:01:02 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/* reset secrets.tdb sid */
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
secrets_store_domain_sid(ldap_state->domain_name,
&ldap_domain_sid);
DEBUG(1, ("New global sam SID: %s\n",
sid_to_string(new_sid_str,
get_global_sam_sid())));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (smbldap_get_single_pstring(
ldap_state->smbldap_state->ldap_struct,
entry,
get_attr_key2string( dominfo_attr_list,
LDAP_ATTR_ALGORITHMIC_RID_BASE ),
alg_rid_base_string)) {
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
alg_rid_base = (uint32)atol(alg_rid_base_string);
if (alg_rid_base != algorithmic_rid_base()) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("The value of 'algorithmic RID base' has "
"changed since the LDAP\n"
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
"database was initialised. Aborting. \n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
}
ldap_msgfree(result);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_OK;
}
Make the version numbers ints (patch from metze) (This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8)
2003-05-01 03:06:44 +04:00
NTSTATUS pdb_ldap_init(void)
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
{
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
NTSTATUS nt_status;
if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
return nt_status;
if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
return nt_status;
r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2005-03-05 04:22:53 +03:00
/* Let pdb_nds register backends */
pdb_nds_init();
Make the version numbers ints (patch from metze) (This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8)
2003-05-01 03:06:44 +04:00
return NT_STATUS_OK;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Copy Permalink