sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
bca29e5377
samba-mirror/source3/passdb/pdb_ldap.c

2523 lines
80 KiB
C
Raw Normal View History

Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Unix SMB/CIFS mplementation.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
LDAP protocol helper functions for SAMBA
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Copyright (C) Jean Fran<EFBFBD>ois Micouleau 1998
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Copyright (C) Gerald Carter 2001-2003
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Copyright (C) Shahms King 2001
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
Copyright (C) Andrew Bartlett 2002-2003
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
Copyright (C) Stefan (metze) Metzmacher 2002-2003
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/* TODO:
* persistent connections: if using NSS LDAP, many connections are made
* however, using only one within Samba would be nice
*
* Clean up SSL stuff, compile on OpenLDAP 1.x, 2.x, and Netscape SDK
*
* Other LDAP based login attributes: accountExpires, etc.
* (should be the domain of Samba proper, but the sam_password/SAM_ACCOUNT
* structures don't have fields for some of these attributes)
*
* SSL is done, but can't get the certificate based authentication to work
* against on my test platform (Linux 2.4, OpenLDAP 2.x)
*/
/* NOTE: this will NOT work against an Active Directory server
* due to the fact that the two password fields cannot be retrieved
* from a server; recommend using security = domain in this situation
* and/or winbind
*/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
#include <lber.h>
#include <ldap.h>
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
/*
* Work around versions of the LDAP client libs that don't have the OIDs
* defined, or have them defined under the old name.
* This functionality is really a factor of the server, not the client
*
*/
This define does not always seem to be present, so define it if need be. Andrew Bartlett (This used to be commit 007143e2435904d941a62934986ac54e343f4936)
2003-04-23 15:03:08 +04:00
support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1) (This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-07 02:50:54 +04:00
#if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
#define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
#elif !defined(LDAP_EXOP_MODIFY_PASSWD)
Make pdb_ldap.c compile with SUN iPlanet headers. Whether this works will be tested soon, but this fix is somewhat obvious. Volker (This used to be commit 227882d6f79fb5909998996e1be08df723c49e8e)
2003-10-02 13:26:51 +04:00
#define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1) (This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-07 02:50:54 +04:00
#endif
#if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
#elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
#endif
#if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
#elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
#endif
Patch to move functions directly from pdb_ldap.c into lib/smbldap.c The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 16:51:58 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
#ifndef SAM_ACCOUNT
#define SAM_ACCOUNT struct sam_passwd
#endif
working draft of the idmap_ldap code. Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-06-05 06:34:30 +04:00
#include "smbldap.h"
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
struct ldapsam_privates {
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
struct smbldap_state *smbldap_state;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
/* Former statics */
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
LDAPMessage *result;
LDAPMessage *entry;
merge from 2.2 (This used to be commit 5b28a7c59c392c6352cb8915a13806ca772d8cac)
2002-03-01 18:17:10 +03:00
int index;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
const char *domain_name;
DOM_SID domain_sid;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
/* configuration items */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
int schema_ver;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
};
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Free a LDAPMessage (one is stored on the SAM_ACCOUNT).
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
**********************************************************************/
static void private_data_free_fn(void **result)
{
Fix two memleaks in pdb_ldap.c. Whoever put the private.backend_private_data_free_fn thingy into SAM_ACCOUNT, could you please revisit my change to pdb_get_set.c and comment on my comment there? Thanks, Volker (This used to be commit 922ec277d1c80b5532f5cac0ee99ae7cd20f83f1)
2003-07-18 13:05:30 +04:00
ldap_msgfree(*result);
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
*result = NULL;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Get the attribute name given a user schame version.
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
**********************************************************************/
static const char* get_userattr_key2string( int schema_ver, int key )
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
return get_attr_key2string( attrib_map_v22, key );
case SCHEMAVER_SAMBASAMACCOUNT:
return get_attr_key2string( attrib_map_v30, key );
default:
DEBUG(0,("get_userattr_key2string: unknown schema version specified\n"));
break;
}
return NULL;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Return the list of attribute names given a user schema version.
**********************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
static char** get_userattr_list( int schema_ver )
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
return get_attr_list( attrib_map_v22 );
case SCHEMAVER_SAMBASAMACCOUNT:
return get_attr_list( attrib_map_v30 );
default:
DEBUG(0,("get_userattr_list: unknown schema version specified!\n"));
break;
}
return NULL;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Generate the LDAP search filter for the objectclass based on the
version of the schema we are using.
******************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
static const char* get_objclass_filter( int schema_ver )
{
static fstring objclass_filter;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch( schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
case SCHEMAVER_SAMBASAMACCOUNT:
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
fstr_sprintf( objclass_filter, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("get_objclass_filter: Invalid schema version specified!\n"));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
}
return objclass_filter;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by name.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state,
const char *user,
LDAPMessage ** result, char **attr)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
pstring filter;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
char *escape_user = escape_ldap_string_alloc(user);
if (!escape_user) {
return LDAP_NO_MEMORY;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/*
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
* in the filter expression, replace %u with the real name
* so in ldap filter, %u MUST exist :-)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&%s%s)", lp_ldap_filter(),
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/*
* have to use this here because $ is filtered out
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
* in pstring_sub
*/
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
all_string_sub(filter, "%u", escape_user, sizeof(pstring));
SAFE_FREE(escape_user);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
return smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by rid.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state,
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
uint32 rid, LDAPMessage ** result,
char **attr)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
pstring filter;
int rc;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(rid=%i)%s)", rid,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return rc;
}
/*******************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Run the search by SID.
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state,
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
const DOM_SID *sid, LDAPMessage ** result,
char **attr)
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
{
pstring filter;
int rc;
fstring sid_string;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(%s=%s)%s)",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
sid_to_string(sid_string, sid),
get_objclass_filter(ldap_state->schema_ver));
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, attr, result);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return rc;
}
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
/*******************************************************************
Delete complete object or objectclass and attrs from
Merge from HEAD: This adds 'ldap delete dn' as the recommended parameter for the 'ldap del only sam attr' functionality. So we are compatiple to the current SuSE patches as well as to TNG... ;-) Volker (This used to be commit 53b5704ff21de6fce097d74dd7f235d3ceccec66)
2003-03-23 12:18:33 +03:00
object found in search_result depending on lp_ldap_delete_dn
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
******************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
LDAPMessage *result,
const char *objectclass,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attrs)
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
{
int rc;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *entry = NULL;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
LDAPMod **mods = NULL;
char *name, *dn;
BerElement *ptr = NULL;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
if (rc != 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_delete_entry: Entry must exist exactly once!\n"));
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!dn) {
return NT_STATUS_UNSUCCESSFUL;
}
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
Merge from HEAD: This adds 'ldap delete dn' as the recommended parameter for the 'ldap del only sam attr' functionality. So we are compatiple to the current SuSE patches as well as to TNG... ;-) Volker (This used to be commit 53b5704ff21de6fce097d74dd7f235d3ceccec66)
2003-03-23 12:18:33 +03:00
if (lp_ldap_delete_dn()) {
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
NTSTATUS ret = NT_STATUS_OK;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_delete(ldap_state->smbldap_state, dn);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
if (rc != LDAP_SUCCESS) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_delete_entry: Could not delete object %s\n", dn));
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
ret = NT_STATUS_UNSUCCESSFUL;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
return ret;
}
/* Ok, delete only the SAM attributes */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
for (name = ldap_first_attribute(ldap_state->smbldap_state->ldap_struct, entry, &ptr);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
name != NULL;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
name = ldap_next_attribute(ldap_state->smbldap_state->ldap_struct, entry, ptr)) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attrib;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
/* We are only allowed to delete the attributes that
really exist. */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
for (attrib = attrs; *attrib != NULL; attrib++) {
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
if (StrCaseCmp(*attrib, name) == 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(10, ("ldapsam_delete_entry: deleting attribute %s\n", name));
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
}
}
ldap_memfree(name);
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
if (ptr != NULL) {
ber_free(ptr, 0);
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
&ld_error);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_delete_entry: Could not delete attributes for %s, error: %s (%s)\n",
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
dn, ldap_err2string(rc), ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return NT_STATUS_OK;
}
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* New Interface is being implemented here */
remove 'ldap trust ids' since there was no way for it to work now (This used to be commit 3724063f1518c25e33ba6b65cd3bb1e36cec51fa)
2003-08-28 01:17:10 +04:00
#if 0 /* JERRY - not uesed anymore */
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
/**********************************************************************
Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
*********************************************************************/
static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
SAM_ACCOUNT * sampass,
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
LDAPMessage * entry,
gid_t *gid)
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
{
pstring homedir;
pstring temp;
char **ldap_values;
char **values;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if ((ldap_values = ldap_get_values (ldap_state->smbldap_state->ldap_struct, entry, "objectClass")) == NULL) {
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
return False;
}
for (values=ldap_values;*values;values++) {
Put strcasecmp/strncasecmp on the banned list (except for needed calls in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-10-23 03:38:20 +04:00
if (strequal(*values, LDAP_OBJ_POSIXACCOUNT )) {
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
break;
}
}
if (!*values) { /*end of array, no posixAccount */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
ldap_value_free(ldap_values);
return False;
}
ldap_value_free(ldap_values);
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) )
{
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
return False;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if ( !smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) )
{
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
return False;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
Fix pointer return bug in get_unix_attributes() (This used to be commit 7aa54f0a7f3bcfb5d9560ca3bb88e1549b7ce421)
2003-05-14 04:58:41 +04:00
*gid = (gid_t)atol(temp);
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
pdb_set_unix_homedir(sampass, homedir, PDB_SET);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT));
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
return True;
}
remove 'ldap trust ids' since there was no way for it to work now (This used to be commit 3724063f1518c25e33ba6b65cd3bb1e36cec51fa)
2003-08-28 01:17:10 +04:00
#endif
Merge of my 'ldap trust ids' patch from HEAD. This hopefully provides a peformance boost by not hitting getpwnam() for every entry in an enumeration, instead reteriving entries directly (if available). idra has reviewed this patch. Andrew Bartlett (This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)
2002-11-02 15:13:44 +03:00
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
static time_t ldapsam_get_entry_timestamp(
struct ldapsam_privates *ldap_state,
LDAPMessage * entry)
{
pstring temp;
struct tm tm;
if (!smbldap_get_single_pstring(
ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_MOD_TIMESTAMP),
temp))
return (time_t) 0;
strptime(temp, "%Y%m%d%H%M%SZ", &tm);
tzset();
Use timegm, or our already existing replacement instead of timezone, as some platforms (FreeBSD in this case) don't define timezone according to posix. This is what I wanted to do anyway. Spotted by Andrzej Tobola <san@iem.pw.edu.pl> (This used to be commit bc13e35db0b8b265f87553d4df1c7326710cb3fa)
2004-03-25 21:25:41 +03:00
return timegm(&tm);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Initialize SAM_ACCOUNT from an LDAP query.
(Based on init_sam_from_buffer in pdb_tdb.c)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
SAM_ACCOUNT * sampass,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
LDAPMessage * entry)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
time_t logon_time,
logoff_time,
kickoff_time,
pass_last_set_time,
pass_can_change_time,
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
pass_must_change_time,
ldap_entry_time,
bad_password_time;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
pstring username,
domain,
nt_username,
fullname,
homedir,
dir_drive,
logon_script,
profile_path,
acct_desc,
workstations;
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
char munged_dial[2048];
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
uint32 user_rid;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
uint8 smblmpwd[LM_HASH_LEN],
smbntpwd[NT_HASH_LEN];
initialize acct_ctrl variable before it is used remove ldap_msgfree(result); as result is unitialized at this point (This used to be commit 1102a6f8cdf295d564df5447a223b354be72895d)
2003-01-15 19:41:29 +03:00
uint16 acct_ctrl = 0,
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
logon_divs;
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
uint16 bad_password_count = 0,
logon_count = 0;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
uint32 hours_len;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
uint8 hours[MAX_HOURS_LEN];
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
pstring temp;
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
LOGIN_CACHE *cache_entry = NULL;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/*
* do a little initialization
*/
username[0] = '\0';
domain[0] = '\0';
nt_username[0] = '\0';
fullname[0] = '\0';
homedir[0] = '\0';
dir_drive[0] = '\0';
logon_script[0] = '\0';
profile_path[0] = '\0';
acct_desc[0] = '\0';
munged_dial[0] = '\0';
workstations[0] = '\0';
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (sampass == NULL || ldap_state == NULL || entry == NULL) {
util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30 22:21:25 +03:00
DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n"));
return False;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (ldap_state->smbldap_state->ldap_struct == NULL) {
DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->ldap_struct is NULL!\n"));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return False;
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, "uid", username)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_sam_from_ldap: No uid attribute found for this user!\n"));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return False;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_sam_from_ldap: Entry found for user: %s\n", username));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
pstrcpy(nt_username, username);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
pstrcpy(domain, ldap_state->domain_name);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_DEFAULT);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
fix bug #108; sambaSambaAccount string attributes are case insensitive; don't try to change a string that only differs in case (This used to be commit 01ef08352007487040edefcc0b99ca79823cbddf)
2003-05-22 21:07:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/* deal with different attributes between the schema first */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) {
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
} else {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
} else {
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
user_rid = (uint32)atol(temp);
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
} else {
uint32 group_rid;
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
group_rid = (uint32)atol(temp);
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
/* for some reason, we often have 0 as a primary group RID.
Make sure that we treat this just as a 'default' value */
if ( group_rid > 0 )
pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
else
pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_sam_from_ldap: no %s or %s attribute found for this user %s\n",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
username));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return False;
}
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
pass_last_set_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
logon_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_logon_time(sampass, logon_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
logoff_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
kickoff_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
pass_can_change_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
pass_must_change_time = (time_t) atol(temp);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* recommend that 'gecos' and 'displayName' should refer to the same
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
* attribute OID. userFullName depreciated, only used by Samba
* primary rules of LDAP: don't make a new attribute when one is already defined
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
* that fits your needs; using cn then displayName rather than 'userFullName'
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*/
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) {
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_fullname(sampass, fullname, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_fullname(sampass, fullname, PDB_SET);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive))
{
pdb_set_dir_drive( sampass,
talloc_sub_basic(sampass->mem_ctx, username, lp_logon_drive()),
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir))
{
pdb_set_homedir( sampass,
talloc_sub_basic(sampass->mem_ctx, username, lp_logon_home()),
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_homedir(sampass, homedir, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script))
{
pdb_set_logon_script( sampass,
talloc_sub_basic(sampass->mem_ctx, username, lp_logon_script()),
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_logon_script(sampass, logon_script, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
merge from 2.2 (This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-10 21:04:23 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path))
{
pdb_set_profile_path( sampass,
talloc_sub_basic( sampass->mem_ctx, username, lp_logon_path()),
PDB_DEFAULT );
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_profile_path(sampass, profile_path, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
remove getpwnam() calls from init_sam_from_xxx(). This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-11 20:52:10 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc))
{
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_acct_desc(sampass, acct_desc, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */;
} else {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_workstations(sampass, workstations, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
if (!smbldap_get_single_attribute(ldap_state->smbldap_state->ldap_struct, entry,
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL), munged_dial, sizeof(munged_dial))) {
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
/* leave as default */;
} else {
pdb_set_munged_dial(sampass, munged_dial, PDB_SET);
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* FIXME: hours stuff should be cleaner */
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
logon_divs = 168;
hours_len = 21;
memset(hours, 0xff, hours_len);
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
pdb_gethexpwd(temp, smblmpwd);
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
memset((char *)temp, '\0', strlen(temp)+1);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (!pdb_set_lanman_passwd(sampass, smblmpwd, PDB_SET))
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
return False;
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
ZERO_STRUCT(smblmpwd);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) {
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
/* leave as default */
} else {
pdb_gethexpwd(temp, smbntpwd);
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
memset((char *)temp, '\0', strlen(temp)+1);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (!pdb_set_nt_passwd(sampass, smbntpwd, PDB_SET))
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
return False;
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
ZERO_STRUCT(smbntpwd);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring (ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) {
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
acct_ctrl |= ACB_NORMAL;
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
} else {
acct_ctrl = pdb_decode_acct_ctrl(temp);
if (acct_ctrl == 0)
acct_ctrl |= ACB_NORMAL;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
Fix up major logic reversal flaws in pdb_ldap. WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-04-08 05:52:44 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_hours_len(sampass, hours_len, PDB_SET);
pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
/* pdb_set_munged_dial(sampass, munged_dial, PDB_SET); */
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_COUNT), temp)) {
/* leave as default */
} else {
bad_password_count = (uint32) atol(temp);
pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
}
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_BAD_PASSWORD_TIME), temp)) {
/* leave as default */
} else {
bad_password_time = (time_t) atol(temp);
pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
The "unknown_5" 32 bit field in the user structs is actually 2 16-bit fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-19 03:53:48 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_COUNT), temp)) {
/* leave as default */
} else {
logon_count = (uint32) atol(temp);
pdb_set_logon_count(sampass, logon_count, PDB_SET);
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_set_hours(sampass, hours, PDB_SET);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
/* check the timestamp of the cache vs ldap entry */
if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state,
entry)))
return True;
/* see if we have newer updates */
if (!(cache_entry = login_cache_read(sampass))) {
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG (9, ("No cache entry, bad count = %u, bad time = %u\n",
(unsigned int)pdb_get_bad_password_count(sampass),
(unsigned int)pdb_get_bad_password_time(sampass)));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
return True;
}
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(7, ("ldap time is %u, cache time is %u, bad time = %u\n",
(unsigned int)ldap_entry_time, (unsigned int)cache_entry->entry_timestamp,
(unsigned int)cache_entry->bad_password_time));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
if (ldap_entry_time > cache_entry->entry_timestamp) {
/* cache is older than directory , so
we need to delete the entry but allow the
fields to be written out */
login_cache_delentry(sampass);
} else {
/* read cache in */
pdb_set_acct_ctrl(sampass,
pdb_get_acct_ctrl(sampass) |
(cache_entry->acct_ctrl & ACB_AUTOLOCK),
PDB_SET);
pdb_set_bad_password_count(sampass,
cache_entry->bad_password_count,
PDB_SET);
pdb_set_bad_password_time(sampass,
cache_entry->bad_password_time,
PDB_SET);
}
SAFE_FREE(cache_entry);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return True;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Initialize SAM_ACCOUNT from an LDAP query.
(Based on init_buffer_from_sam in pdb_tdb.c)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
LDAPMessage *existing,
- Merge a memory leak fix from HEAD - change update behaviour for new RIDs: - store the new RID into the SAM_ACCOUNT, so that the caller get's it back automaticly - use this to make the code paths simpiler for the normal 'need_update' code. We must always store a RID if we intend to use the sambaAccount objectClass Andrew Bartlett (This used to be commit 5edeee5116b9c775a1bded1d53cb2b22c7a2765f)
2003-04-23 04:59:19 +04:00
LDAPMod *** mods, SAM_ACCOUNT * sampass,
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
BOOL (*need_update)(const SAM_ACCOUNT *,
enum pdb_elements))
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
pstring temp;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
uint32 rid;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
util_sid.c - respect a const variabile (addedd strdup) cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30 22:21:25 +03:00
if (mods == NULL || sampass == NULL) {
DEBUG(0, ("init_ldap_from_sam: NULL parameters found!\n"));
return False;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*mods = NULL;
/*
* took out adding "objectclass: sambaAccount"
* do this on a per-mod basis
*/
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_USERNAME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
"uid", pdb_get_username(sampass));
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_ldap_from_sam: Setting entry for user: %s\n", pdb_get_username(sampass)));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
- Merge a memory leak fix from HEAD - change update behaviour for new RIDs: - store the new RID into the SAM_ACCOUNT, so that the caller get's it back automaticly - use this to make the code paths simpiler for the normal 'need_update' code. We must always store a RID if we intend to use the sambaAccount objectClass Andrew Bartlett (This used to be commit 5edeee5116b9c775a1bded1d53cb2b22c7a2765f)
2003-04-23 04:59:19 +04:00
/* only update the RID if we actually need to */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (need_update(sampass, PDB_USERSID)) {
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
fstring sid_string;
fstring dom_sid_string;
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
const DOM_SID *user_sid = pdb_get_user_sid(sampass);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!sid_peek_check_rid(&ldap_state->domain_sid, user_sid, &rid)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_ldap_from_sam: User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
sid_to_string(sid_string, user_sid),
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
return False;
}
slprintf(temp, sizeof(temp) - 1, "%i", rid);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID),
temp);
break;
case SCHEMAVER_SAMBASAMACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
sid_to_string(sid_string, user_sid));
break;
default:
DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
break;
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
/* we don't need to store the primary group RID - so leaving it
'free' to hang off the unix primary group makes life easier */
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (need_update(sampass, PDB_GROUPSID)) {
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
fstring sid_string;
fstring dom_sid_string;
const DOM_SID *group_sid = pdb_get_group_sid(sampass);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!sid_peek_check_rid(&ldap_state->domain_sid, group_sid, &rid)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("init_ldap_from_sam: User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
sid_to_string(sid_string, group_sid),
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_to_string(dom_sid_string, &ldap_state->domain_sid)));
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
return False;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
slprintf(temp, sizeof(temp) - 1, "%i", rid);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PRIMARY_GROUP_RID), temp);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
case SCHEMAVER_SAMBASAMACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
get_userattr_key2string(ldap_state->schema_ver,
LDAP_ATTR_PRIMARY_GROUP_SID), sid_to_string(sid_string, group_sid));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n"));
break;
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/* displayName, cn, and gecos should all be the same
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
* most easily accomplished by giving them the same OID
* gecos isn't set here b/c it should be handled by the
* add-user script
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
* We change displayName only and fall back to cn if
* it does not exist.
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
*/
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_FULLNAME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME),
pdb_get_fullname(sampass));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_ACCTDESC))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC),
pdb_get_acct_desc(sampass));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_WORKSTATIONS))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS),
pdb_get_workstations(sampass));
support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800 (This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-12-04 07:52:00 +03:00
if (need_update(sampass, PDB_MUNGEDDIAL))
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_MUNGED_DIAL),
pdb_get_munged_dial(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_SMBHOME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH),
pdb_get_homedir(sampass));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_DRIVE))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE),
pdb_get_dir_drive(sampass));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGONSCRIPT))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT),
pdb_get_logon_script(sampass));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_PROFILE))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH),
pdb_get_profile_path(sampass));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGONTIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_LOGOFFTIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_KICKOFFTIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_CANCHANGETIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_MUSTCHANGETIME))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp);
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
|| (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) {
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (need_update(sampass, PDB_LMPASSWD)) {
Fix const warning (This used to be commit 7a36cc4ac0ff4d9c42eb9ddaf41bf33b4e8cd7c6)
2004-02-04 14:41:22 +03:00
const uchar *lm_pw = pdb_get_lanman_passwd(sampass);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (lm_pw) {
pdb_sethexpwd(temp, lm_pw,
pdb_get_acct_ctrl(sampass));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
temp);
} else {
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW),
NULL);
}
}
if (need_update(sampass, PDB_NTPASSWD)) {
Fix const warning (This used to be commit 7a36cc4ac0ff4d9c42eb9ddaf41bf33b4e8cd7c6)
2004-02-04 14:41:22 +03:00
const uchar *nt_pw = pdb_get_nt_passwd(sampass);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (nt_pw) {
pdb_sethexpwd(temp, nt_pw,
pdb_get_acct_ctrl(sampass));
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
temp);
} else {
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW),
NULL);
}
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
if (need_update(sampass, PDB_PASSLASTSET)) {
slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass));
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET),
temp);
If we are setting the NT or LM password to NULL, remove the attribute rather than writing XXXXX Andrew Bartlett (This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
2004-01-31 02:37:38 +03:00
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
/* FIXME: Hours stuff goes in LDAP */
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
if (need_update(sampass, PDB_ACCTCTRL))
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO),
pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
/* password lockout cache:
- If we are now autolocking or clearing, we write to ldap
- If we are clearing, we delete the cache entry
- If the count is > 0, we update the cache
This even means when autolocking, we cache, just in case the
update doesn't work, and we have to cache the autolock flag */
if (need_update(sampass, PDB_BAD_PASSWORD_COUNT)) /* &&
need_update(sampass, PDB_BAD_PASSWORD_TIME)) */ {
uint16 badcount = pdb_get_bad_password_count(sampass);
time_t badtime = pdb_get_bad_password_time(sampass);
uint32 pol;
account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
(unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
if ((badcount >= pol) || (badcount == 0)) {
Fix gcc warnings. Fix mkproto with new type. Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-19 04:29:14 +03:00
DEBUG(7, ("making mods to update ldap, count=%u, time=%u\n",
(unsigned int)badcount, (unsigned int)badtime));
slprintf (temp, sizeof (temp) - 1, "%li", (long)badcount);
Password lockout for LDAP backend. Caches autolock flag, bad count, and bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 22:22:51 +03:00
smbldap_make_mod(
ldap_state->smbldap_state->ldap_struct,
existing, mods,
get_userattr_key2string(
ldap_state->schema_ver,
LDAP_ATTR_BAD_PASSWORD_COUNT),
temp);
slprintf (temp, sizeof (temp) - 1, "%li", badtime);
smbldap_make_mod(
ldap_state->smbldap_state->ldap_struct,
existing, mods,
get_userattr_key2string(
ldap_state->schema_ver,
LDAP_ATTR_BAD_PASSWORD_TIME),
temp);
}
if (badcount == 0) {
DEBUG(7, ("bad password count is reset, deleting login cache entry for %s\n", pdb_get_nt_username(sampass)));
login_cache_delentry(sampass);
} else {
LOGIN_CACHE cache_entry ={time(NULL),
pdb_get_acct_ctrl(sampass),
badcount, badtime};
DEBUG(7, ("Updating bad password count and time in login cache\n"));
login_cache_write(sampass, cache_entry);
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
return True;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Connect to LDAP server for password enumeration.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
pstring filter;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attr_list;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf( filter, "(&%s%s)", lp_ldap_filter(),
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
get_objclass_filter(ldap_state->schema_ver));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
all_string_sub(filter, "%u", "*", sizeof(pstring));
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list = get_userattr_list(ldap_state->schema_ver);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state, filter,
attr_list, &ldap_state->result);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
free_attr_list( attr_list );
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if (rc != LDAP_SUCCESS) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_setsampwent: LDAP search failed: %s\n", ldap_err2string(rc)));
DEBUG(3, ("ldapsam_setsampwent: Query was: %s, %s\n", lp_ldap_suffix(), filter));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_state->result)));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_state->result);
ldap_state->index = 0;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
End enumeration of the LDAP password list.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
static void ldapsam_endsampwent(struct pdb_methods *my_methods)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (ldap_state->result) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Get the next entry in the LDAP password database.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
static NTSTATUS ldapsam_getsampwent(struct pdb_methods *my_methods, SAM_ACCOUNT *user)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
BOOL bret = False;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
while (!bret) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
if (!ldap_state->entry)
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_state->index++;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
bret = init_sam_from_ldap(ldap_state, user, ldap_state->entry);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
ldap_state->entry);
merge from 2.2 (This used to be commit 5b28a7c59c392c6352cb8915a13806ca772d8cac)
2002-03-01 18:17:10 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Get SAM_ACCOUNT entry from LDAP by username.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT *user, const char *sname)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
int count;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char ** attr_list;
int rc;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list = get_userattr_list( ldap_state->schema_ver );
rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
free_attr_list( attr_list );
if ( rc != LDAP_SUCCESS )
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
if (count < 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_getsampwnam: Unable to locate user [%s] count=%d\n", sname, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
return NT_STATUS_NO_SUCH_USER;
} else if (count > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("ldapsam_getsampwnam: Duplicate entries for this user [%s] Failing. count=%d\n", sname, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if (entry) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (!init_sam_from_ldap(ldap_state, user, entry)) {
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
DEBUG(1,("ldapsam_getsampwnam: init_sam_from_ldap failed for user '%s'!\n", sname));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
pdb_set_backend_private_data(user, result,
private_data_free_fn,
my_methods, PDB_CHANGED);
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
ret = NT_STATUS_OK;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
} else {
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_msgfree(result);
}
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
static int ldapsam_get_ldap_user_by_sid(struct ldapsam_privates *ldap_state,
const DOM_SID *sid, LDAPMessage **result)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
int rc = -1;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char ** attr_list;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
uint32 rid;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
attr_list = get_userattr_list(ldap_state->schema_ver);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
free_attr_list( attr_list );
if ( rc != LDAP_SUCCESS )
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
case SCHEMAVER_SAMBAACCOUNT:
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!sid_peek_check_rid(&ldap_state->domain_sid, sid, &rid)) {
return rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
}
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list = get_userattr_list(ldap_state->schema_ver);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = ldapsam_search_suffix_by_rid(ldap_state, rid, result, attr_list );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
free_attr_list( attr_list );
if ( rc != LDAP_SUCCESS )
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
break;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return rc;
}
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Get SAM_ACCOUNT entry from LDAP by SID.
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid)
{
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
int count;
int rc;
fstring sid_string;
rc = ldapsam_get_ldap_user_by_sid(ldap_state,
sid, &result);
if (rc != LDAP_SUCCESS)
return NT_STATUS_NO_SUCH_USER;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (count < 1) {
DEBUG(4, ("ldapsam_getsampwsid: Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid),
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
count));
Try to fix memory leaks found by valgrind in pdb_ldap code. Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-07 07:22:37 +04:00
ldap_msgfree(result);
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
return NT_STATUS_NO_SUCH_USER;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
} else if (count > 1) {
DEBUG(1, ("ldapsam_getsampwsid: More than one user with SID [%s]. Failing. count=%d\n", sid_to_string(sid_string, sid),
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
count));
Try to fix memory leaks found by valgrind in pdb_ldap code. Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-07 07:22:37 +04:00
ldap_msgfree(result);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
if (!entry) {
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
ldap_msgfree(result);
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
return NT_STATUS_NO_SUCH_USER;
}
if (!init_sam_from_ldap(ldap_state, user, entry)) {
DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n"));
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_USER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed there is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-06 10:18:54 +04:00
pdb_set_backend_private_data(user, result,
private_data_free_fn,
my_methods, PDB_CHANGED);
return NT_STATUS_OK;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Do the actual modification - also change a plaintext passord if
it it set.
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
**********************************************************************/
static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
SAM_ACCOUNT *newpwd, char *dn,
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
LDAPMod **mods, int ldap_op,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
BOOL (*need_update)(const SAM_ACCOUNT *, enum pdb_elements))
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
{
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
int rc;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (!my_methods || !newpwd || !dn) {
return NT_STATUS_INVALID_PARAMETER;
}
if (!mods) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/* may be password change below however */
} else {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch(ldap_op) {
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
case LDAP_MOD_ADD:
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectclass",
LDAP_OBJ_ACCOUNT);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_add(ldap_state->smbldap_state,
dn, mods);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
break;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
case LDAP_MOD_REPLACE:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_modify(ldap_state->smbldap_state,
dn ,mods);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
break;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
default:
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_op));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
return NT_STATUS_INVALID_PARAMETER;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
if (rc!=LDAP_SUCCESS) {
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
char *ld_error = NULL;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
&ld_error);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("ldapsam_modify_entry: Failed to %s user dn= %s with: %s\n\t%s\n",
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
ldap_op == LDAP_MOD_ADD ? "add" : "modify",
dn, ldap_err2string(rc),
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
need_update(newpwd, PDB_PLAINTEXT_PW) &&
(pdb_get_plaintext_passwd(newpwd)!=NULL)) {
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
BerElement *ber;
struct berval *bv;
char *retoid;
struct berval *retdata;
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
char *utf8_password;
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
char *utf8_dn;
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
return NT_STATUS_NO_MEMORY;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
if (push_utf8_allocate(&utf8_dn, dn) == (size_t)-1) {
return NT_STATUS_NO_MEMORY;
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
if ((ber = ber_alloc_t(LBER_USE_DER))==NULL) {
DEBUG(0,("ber_alloc_t returns NULL\n"));
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
SAFE_FREE(utf8_password);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
ber_printf (ber, "{");
support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1) (This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-07 02:50:54 +04:00
ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID, utf8_dn);
ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, utf8_password);
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
ber_printf (ber, "N}");
if ((rc = ber_flatten (ber, &bv))<0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_modify_entry: ber_flatten returns a value <0\n"));
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
ber_free(ber,1);
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
SAFE_FREE(utf8_dn);
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
SAFE_FREE(utf8_password);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
After a quick run with the 'weird' charset, squash a few bugs in our new 'UF8-safe' LDAP code. I hope I've caught all the places where we were pushing strings into or out of LDAP now. Andrew Bartlett (This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
2003-04-26 17:29:37 +04:00
SAFE_FREE(utf8_dn);
Based on a patch by Alex Deiter <tiamat@komi.mts.ru>, make sure that we convert to and from UTF8 when talking to our LDAP server in pdb_ldap. Andrew Bartlett (This used to be commit 759ba40b12a28caea87c0d8b3baea8bb69c92c89)
2003-04-25 09:59:49 +04:00
SAFE_FREE(utf8_password);
ber_free(ber, 1);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if ((rc = smbldap_extended_operation(ldap_state->smbldap_state,
LDAP_EXOP_MODIFY_PASSWD,
bv, NULL, NULL, &retoid,
&retdata)) != LDAP_SUCCESS) {
Show the error message for failure to set the ldap password. (For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
2003-12-26 03:43:48 +03:00
char *ld_error = NULL;
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
&ld_error);
DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n",
pdb_get_username(newpwd), ldap_err2string(rc), ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
ber_bvfree(bv);
return NT_STATUS_UNSUCCESSFUL;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
} else {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_modify_entry: LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
#ifdef DEBUG_PASSWORD
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(100,("ldapsam_modify_entry: LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
#endif
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
ber_bvfree(retdata);
ber_memfree(retoid);
}
ber_bvfree(bv);
}
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Delete entry from LDAP for username.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * sam_acct)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
const char *sname;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
NTSTATUS ret;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attr_list;
fstring objclass;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if (!sam_acct) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_delete_sam_account: sam_acct was NULL!\n"));
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_INVALID_PARAMETER;
This is another *BIG* change... Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
}
sname = pdb_get_username(sam_acct);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG (3, ("ldapsam_delete_sam_account: Deleting user %s from LDAP.\n", sname));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list= get_userattr_list( ldap_state->schema_ver );
rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
if (rc != LDAP_SUCCESS) {
free_attr_list( attr_list );
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_NO_SUCH_USER;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBASAMACCOUNT:
fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT );
break;
case SCHEMAVER_SAMBAACCOUNT:
fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT );
break;
default:
fstrcpy( objclass, "UNKNOWN" );
DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n"));
break;
}
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
ldap_msgfree(result);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
free_attr_list( attr_list );
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Helper function to determine for update_sam_account whether
we need LDAP modification.
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
static BOOL element_is_changed(const SAM_ACCOUNT *sampass,
enum pdb_elements element)
{
return IS_SAM_CHANGED(sampass, element);
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Update SAM_ACCOUNT.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
int rc = 0;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
char *dn;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attr_list;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
result = pdb_get_backend_private_data(newpwd, my_methods);
if (!result) {
attr_list = get_userattr_list(ldap_state->schema_ver);
rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list );
free_attr_list( attr_list );
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
if (rc != LDAP_SUCCESS) {
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
return NT_STATUS_UNSUCCESSFUL;
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
}
Fixes to our LDAP/vampire codepaths: - Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 13:46:12 +04:00
pdb_set_backend_private_data(newpwd, result, private_data_free_fn, my_methods, PDB_CHANGED);
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_update_sam_account: No user to modify!\n"));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!dn) {
return NT_STATUS_UNSUCCESSFUL;
}
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_update_sam_account: user %s to be modified has dn: %s\n", pdb_get_username(newpwd), dn));
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
element_is_changed)) {
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
DEBUG(0, ("ldapsam_update_sam_account: init_ldap_from_sam failed!\n"));
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
if (mods != NULL)
ldap_mods_free(mods,True);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
if (mods == NULL) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4,("ldapsam_update_sam_account: mods is empty: nothing to update for user: %s\n",
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
pdb_get_username(newpwd)));
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
return NT_STATUS_OK;
}
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods,True);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
if (!NT_STATUS_IS_OK(ret)) {
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
char *ld_error = NULL;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
&ld_error);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_update_sam_account: failed to modify user with uid = %s, error: %s (%s)\n",
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
pdb_get_username(newpwd), ld_error?ld_error:"(unknwon)", ldap_err2string(rc)));
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
SAFE_FREE(ld_error);
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("ldapsam_update_sam_account: successfully modified uid = %s in the LDAP database\n",
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
pdb_get_username(newpwd)));
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Helper function to determine for update_sam_account whether
we need LDAP modification.
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass,
enum pdb_elements element)
{
return (IS_SAM_SET(sampass, element) ||
IS_SAM_CHANGED(sampass, element));
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
/**********************************************************************
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
Add SAM_ACCOUNT to LDAP.
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
*********************************************************************/
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd)
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
{
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
int rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
pstring dn;
LDAPMod **mods = NULL;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
int ldap_op = LDAP_MOD_REPLACE;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
uint32 num_result;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attr_list;
char *escape_user;
const char *username = pdb_get_username(newpwd);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
const DOM_SID *sid = pdb_get_user_sid(newpwd);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
pstring filter;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
fstring sid_string;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
if (!username || !*username) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_add_sam_account: Cannot add user without a username!\n"));
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_INVALID_PARAMETER;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/* free this list after the second search or in case we exit on failure */
attr_list = get_userattr_list(ldap_state->schema_ver);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list);
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
if (rc != LDAP_SUCCESS) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
free_attr_list( attr_list );
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: User '%s' already in the base, with samba attributes\n",
Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some misc libads fixes. Andrew Bartlett (This used to be commit 9c3a1710efba9fa4160004a554687d4b85927bb1)
2003-02-01 10:59:29 +03:00
username));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_msgfree(result);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
free_attr_list( attr_list );
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
ldap_msgfree(result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
result = NULL;
if (element_is_set_or_changed(newpwd, PDB_USERSID)) {
rc = ldapsam_get_ldap_user_by_sid(ldap_state,
sid, &result);
if (rc == LDAP_SUCCESS) {
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: SID '%s' already in the base, with samba attributes\n",
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_to_string(sid_string, sid)));
free_attr_list( attr_list );
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
ldap_msgfree(result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
ldap_msgfree(result);
}
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Add some debug statments to our vampire code - try to make it easier to track down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 14:39:41 +04:00
/* does the entry already exist but without a samba attributes?
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
we need to return the samba attributes here */
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
escape_user = escape_ldap_string_alloc( username );
pstrcpy( filter, lp_ldap_filter() );
all_string_sub( filter, "%u", escape_user, sizeof(filter) );
SAFE_FREE( escape_user );
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state,
filter, attr_list, &result);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if ( rc != LDAP_SUCCESS ) {
free_attr_list( attr_list );
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
return NT_STATUS_UNSUCCESSFUL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
if (num_result > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
free_attr_list( attr_list );
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
ldap_msgfree(result);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
}
/* Check if we need to update an existing entry */
if (num_result == 1) {
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
char *tmp;
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
ldap_op = LDAP_MOD_REPLACE;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
if (!tmp) {
free_attr_list( attr_list );
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
slprintf (dn, sizeof (dn) - 1, "%s", tmp);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(tmp);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
} else if (ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT) {
/* There might be a SID for this account already - say an idmap entry */
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(%s=%s)(|(objectClass=%s)(objectClass=%s)))",
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
sid_to_string(sid_string, sid),
LDAP_OBJ_IDMAP_ENTRY,
LDAP_OBJ_SID_ENTRY);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
/* free old result before doing a new search */
if (result != NULL) {
ldap_msgfree(result);
result = NULL;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = smbldap_search_suffix(ldap_state->smbldap_state,
filter, attr_list, &result);
if ( rc != LDAP_SUCCESS ) {
free_attr_list( attr_list );
return NT_STATUS_UNSUCCESSFUL;
}
num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
if (num_result > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
free_attr_list( attr_list );
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
/* Check if we need to update an existing entry */
if (num_result == 1) {
char *tmp;
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: User exists without samba attributes: adding them\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_op = LDAP_MOD_REPLACE;
entry = ldap_first_entry (ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
tmp = smbldap_get_dn (ldap_state->smbldap_state->ldap_struct, entry);
if (!tmp) {
free_attr_list( attr_list );
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
slprintf (dn, sizeof (dn) - 1, "%s", tmp);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(tmp);
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
}
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
free_attr_list( attr_list );
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (num_result == 0) {
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
/* Check if we need to add an entry */
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(3,("ldapsam_add_sam_account: Adding new user\n"));
some merges from 2.2. Still need to merge in changes from pdb_tdb.c but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-31 03:06:51 +03:00
ldap_op = LDAP_MOD_ADD;
Minor fixes: - Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-23 11:32:25 +03:00
if (username[strlen(username)-1] == '$') {
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_machine_suffix ());
} else {
slprintf (dn, sizeof (dn) - 1, "uid=%s,%s", username, lp_ldap_user_suffix ());
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
This is no functional change. It just makes pdb_ldap.c a bit easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
2003-03-27 17:31:46 +03:00
if (!init_ldap_from_sam(ldap_state, entry, &mods, newpwd,
element_is_set_or_changed)) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
DEBUG(0, ("ldapsam_add_sam_account: init_ldap_from_sam failed!\n"));
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
ldap_msgfree(result);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
if (mods != NULL)
ldap_mods_free(mods,True);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFY anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
2003-03-22 22:16:36 +03:00
ldap_msgfree(result);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
if (mods == NULL) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd)));
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
return NT_STATUS_UNSUCCESSFUL;
Merge tridge's fixes to pdb_ldap (don't look for number of results in a failed query) and my fixes to those fixes to use better NT_STATUS codes. Andrew Bartlett (This used to be commit 6040171cabe3ca215149708a6244e24bc9c2c4fa)
2002-11-27 00:00:18 +03:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
switch ( ldap_state->schema_ver ) {
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
case SCHEMAVER_SAMBAACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
case SCHEMAVER_SAMBASAMACCOUNT:
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
break;
default:
DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
break;
}
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
Remove ldapsam_search_one_user_by_uid from pdb_ldap. sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-04-23 03:14:49 +04:00
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
Found out a good number of NT_STATUS_IS_ERR used the wrong way. As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-22 14:09:52 +04:00
if (!NT_STATUS_IS_OK(ret)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_add_sam_account: failed to modify/add user with uid = %s (dn = %s)\n",
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
pdb_get_username(newpwd),dn));
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return ret;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2,("ldapsam_add_sam_account: added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
sync with HEAD (This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK;
Fixup passdb stuff to add new nisplus and ldap backends. Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
2001-09-26 00:21:21 +04:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
const char *filter,
LDAPMessage ** result)
{
int scope = LDAP_SCOPE_SUBTREE;
int rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attr_list;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list = get_attr_list(groupmap_attr_list);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search(ldap_state->smbldap_state,
lp_ldap_group_suffix (), scope,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
filter, attr_list, 0, result);
free_attr_list( attr_list );
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
char *ld_error = NULL;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
&ld_error);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
DEBUG(0, ("ldapsam_search_one_group: "
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
"Problem during the LDAP search: LDAP error: %s (%s)\n",
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
DEBUGADD(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
lp_ldap_group_suffix(), filter));
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
SAFE_FREE(ld_error);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
return rc;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state,
GROUP_MAP *map, LDAPMessage *entry)
{
pstring temp;
if (ldap_state == NULL || map == NULL || entry == NULL ||
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
ldap_state->smbldap_state->ldap_struct == NULL) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
DEBUG(0, ("init_group_from_ldap: NULL parameters found!\n"));
return False;
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER), temp)) {
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GIDNUMBER)));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("init_group_from_ldap: Entry found for group: %s\n", temp));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Metzes change: > Hi Volker, > > if 'displayName' is not available we should fallback to 'cn' for map->nt_name > 'cn' is used as unix group name by nss_ldap. > > and if nt_name is not available we should fail (so does this patch) Volker (This used to be commit 7ae9c2500e3ac5f671d41077327156f1f3767fff)
2003-03-23 11:41:05 +03:00
map->gid = (gid_t)atol(temp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID), temp)) {
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_SID)));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
if (!string_to_sid(&map->sid, temp)) {
DEBUG(1, ("SID string [%s] could not be read as a valid SID\n", temp));
return False;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), temp)) {
DEBUG(0, ("init_group_from_ldap: Mandatory attribute %s not found\n",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_GROUP_TYPE)));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
get rid of some sompiler warnings on IRIX (This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-15 05:42:30 +04:00
map->sid_name_use = (enum SID_NAME_USE)atol(temp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if ((map->sid_name_use < SID_NAME_USER) ||
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
(map->sid_name_use > SID_NAME_UNKNOWN)) {
DEBUG(0, ("init_group_from_ldap: Unknown Group type: %d\n", map->sid_name_use));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return False;
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), temp)) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
temp[0] = '\0';
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_CN), temp))
{
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("init_group_from_ldap: Attributes cn not found either \
for gidNumber(%lu)\n",(unsigned long)map->gid));
Metzes change: > Hi Volker, > > if 'displayName' is not available we should fallback to 'cn' for map->nt_name > 'cn' is used as unix group name by nss_ldap. > > and if nt_name is not available we should fail (so does this patch) Volker (This used to be commit 7ae9c2500e3ac5f671d41077327156f1f3767fff)
2003-03-23 11:41:05 +03:00
return False;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
fstrcpy(map->nt_name, temp);
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), temp)) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
temp[0] = '\0';
}
fstrcpy(map->comment, temp);
return True;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
static BOOL init_ldap_from_group(LDAP *ldap_struct,
LDAPMessage *existing,
LDAPMod ***mods,
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
const GROUP_MAP *map)
{
pstring tmp;
if (mods == NULL || map == NULL) {
DEBUG(0, ("init_ldap_from_group: NULL parameters found!\n"));
return False;
}
*mods = NULL;
sid_to_string(tmp, &map->sid);
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_struct, existing, mods,
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID), tmp);
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(tmp, "%i", map->sid_name_use);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_struct, existing, mods,
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_TYPE), tmp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_struct, existing, mods,
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), map->nt_name);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_make_mod(ldap_struct, existing, mods,
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
get_attr_key2string( groupmap_attr_list, LDAP_ATTR_DESC), map->comment);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return True;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
const char *filter,
GROUP_MAP *map)
{
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int count;
if (ldapsam_search_one_group(ldap_state, filter, &result)
!= LDAP_SUCCESS) {
return NT_STATUS_NO_SUCH_GROUP;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (count < 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_getgroup: Did not find group\n"));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_NO_SUCH_GROUP;
}
if (count > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("ldapsam_getgroup: Duplicate entries for filter %s: count=%d\n",
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
filter, count));
Fix memleaks (This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-15 21:00:11 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_NO_SUCH_GROUP;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (!entry) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
if (!init_group_from_ldap(ldap_state, map, entry)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(1, ("ldapsam_getgroup: init_group_from_ldap failed for group filter %s\n",
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
filter));
ldap_msgfree(result);
return NT_STATUS_NO_SUCH_GROUP;
}
ldap_msgfree(result);
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
DOM_SID sid)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstring filter;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GROUP_SID),
sid_string_static(&sid));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return ldapsam_getgroup(methods, filter, map);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
gid_t gid)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstring filter;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
Fixup a bunch of printf-style functions and debugs to use unsigned long when displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-22 08:31:20 +04:00
(unsigned long)gid);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return ldapsam_getgroup(methods, filter, map);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
const char *name)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstring filter;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
char *escape_name = escape_ldap_string_alloc(name);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if (!escape_name) {
return NT_STATUS_NO_MEMORY;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_GROUPMAP,
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_DISPLAY_NAME), escape_name,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_CN), escape_name);
SAFE_FREE(escape_name);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return ldapsam_getgroup(methods, filter, map);
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state,
gid_t gid,
LDAPMessage **result)
{
pstring filter;
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
LDAP_OBJ_POSIXGROUP,
get_attr_key2string(groupmap_attr_list, LDAP_ATTR_GIDNUMBER),
Fixup a bunch of printf-style functions and debugs to use unsigned long when displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-22 08:31:20 +04:00
(unsigned long)gid);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return ldapsam_search_one_group(ldap_state, filter, result);
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
GROUP_MAP *map)
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *result = NULL;
LDAPMod **mods = NULL;
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
int count;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
char *tmp;
pstring dn;
LDAPMessage *entry;
GROUP_MAP dummy;
int rc;
if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
map->gid))) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_add_group_mapping_entry: Group %ld already exists in LDAP\n", (unsigned long)map->gid));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
if (rc != LDAP_SUCCESS) {
Fix memleak (This used to be commit 42a59d691019ee328920be25a1c505037f74151f)
2003-07-16 17:57:53 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
Fix memleak (This used to be commit 42a59d691019ee328920be25a1c505037f74151f)
2003-07-16 17:57:53 +04:00
if ( count == 0 ) {
ldap_msgfree(result);
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
return NT_STATUS_UNSUCCESSFUL;
Fix memleak (This used to be commit 42a59d691019ee328920be25a1c505037f74151f)
2003-07-16 17:57:53 +04:00
}
and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 09:11:10 +04:00
if (count > 1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("ldapsam_add_group_mapping_entry: Group %lu must exist exactly once in LDAP\n",
Fixup a bunch of printf-style functions and debugs to use unsigned long when displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-22 08:31:20 +04:00
(unsigned long)map->gid));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
tmp = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!tmp) {
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstrcpy(dn, tmp);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(tmp);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
result, &mods, map)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_add_group_mapping_entry: init_ldap_from_group failed!\n"));
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (mods == NULL) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_add_group_mapping_entry: mods is empty\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
char *ld_error = NULL;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
&ld_error);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_add_group_mapping_entry: failed to add group %lu error: %s (%s)\n", (unsigned long)map->gid,
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
SAFE_FREE(ld_error);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_UNSUCCESSFUL;
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("ldapsam_add_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_OK;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
GROUP_MAP *map)
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
struct ldapsam_privates *ldap_state =
(struct ldapsam_privates *)methods->private_data;
int rc;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
char *dn = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
rc = ldapsam_search_one_group_by_gid(ldap_state, map->gid, &result);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_update_group_mapping_entry: No group to modify!\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (!init_ldap_from_group(ldap_state->smbldap_state->ldap_struct,
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
result, &mods, map)) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_update_group_mapping_entry: init_ldap_from_group failed\n"));
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
ldap_msgfree(result);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
if (mods != NULL)
ldap_mods_free(mods,True);
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
if (mods == NULL) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(4, ("ldapsam_update_group_mapping_entry: mods is empty: nothing to do\n"));
Patch from Aurlien Degrmont <adegremont@idealx.com>. "entry" is dependent on "result", don't free result first. Jeremy. (This used to be commit c61a230c5ab7250c0812b422e0a533fbf5efbf17)
2003-10-31 22:16:59 +03:00
ldap_msgfree(result);
If nothing to do, return success. Fix from Aur?lien Degr?mont <adegremont@idealx.com> Jeremy. (This used to be commit aa668a0206b027923a333417309cb483c5a64265)
2003-10-30 23:09:13 +03:00
return NT_STATUS_OK;
This fixes group updates in LDAP the same way as user updates are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
2003-03-30 20:40:41 +04:00
}
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
if (!dn) {
Patch from Aurlien Degrmont <adegremont@idealx.com>. "entry" is dependent on "result", don't free result first. Jeremy. (This used to be commit c61a230c5ab7250c0812b422e0a533fbf5efbf17)
2003-10-31 22:16:59 +03:00
ldap_msgfree(result);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
return NT_STATUS_UNSUCCESSFUL;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
SAFE_FREE(dn);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
* break out more common code used between pdb_ldap and idmap_ldap * remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 17:48:39 +04:00
ldap_mods_free(mods, True);
Patch from Aurlien Degrmont <adegremont@idealx.com>. "entry" is dependent on "result", don't free result first. Jeremy. (This used to be commit c61a230c5ab7250c0812b422e0a533fbf5efbf17)
2003-10-31 22:16:59 +03:00
ldap_msgfree(result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
char *ld_error = NULL;
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
&ld_error);
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_update_group_mapping_entry: failed to modify group %lu error: %s (%s)\n", (unsigned long)map->gid,
Ensure we don't segfault if ldap doesn't fill in the ld_error string (merge from HEAD). Andrew Bartlett (This used to be commit be27fa2986767fca1876ea5f886d9fb4c7000660)
2003-04-05 09:11:50 +04:00
ld_error ? ld_error : "(unknown)", ldap_err2string(rc)));
Try to get meaningful errors out of ldap more often - get the error string from the server, not just the error code translation. Andrew Bartlett (This used to be commit 92415441fdc0f7d7c8b338d4cd4bbbba5418f88e)
2003-03-28 12:59:11 +03:00
SAFE_FREE(ld_error);
Patch from Aurlien Degrmont <adegremont@idealx.com>. "entry" is dependent on "result", don't free result first. Jeremy. (This used to be commit c61a230c5ab7250c0812b422e0a533fbf5efbf17)
2003-10-31 22:16:59 +03:00
return NT_STATUS_UNSUCCESSFUL;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("ldapsam_update_group_mapping_entry: successfully modified group %lu in LDAP\n", (unsigned long)map->gid));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_OK;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
DOM_SID sid)
{
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
pstring sidstring, filter;
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
LDAPMessage *result = NULL;
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
int rc;
NTSTATUS ret;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attr_list;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
sid_to_string(sidstring, &sid);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
rc = ldapsam_search_one_group(ldap_state, filter, &result);
if (rc != LDAP_SUCCESS) {
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
return NT_STATUS_NO_SUCH_GROUP;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
fix group mapping in LDAP under new schema (This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14 09:28:16 +04:00
attr_list = get_attr_list( groupmap_attr_list_to_delete );
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list);
free_attr_list ( attr_list );
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
ldap_msgfree(result);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
Merge from HEAD. Volker (This used to be commit f42032060812e9bf409042c790e71fefb40ff17a)
2003-03-19 21:21:44 +03:00
return ret;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
{
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
fstring filter;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
int rc;
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
char **attr_list;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23 16:33:59 +04:00
pstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list = get_attr_list( groupmap_attr_list );
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
rc = smbldap_search(ldap_state->smbldap_state, lp_ldap_group_suffix(),
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
LDAP_SCOPE_SUBTREE, filter,
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
attr_list, 0, &ldap_state->result);
free_attr_list( attr_list );
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (rc != LDAP_SUCCESS) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_setsamgrent: LDAP search failed: %s\n", ldap_err2string(rc)));
DEBUG(3, ("ldapsam_setsamgrent: Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2, ("ldapsam_setsampwent: %d entries in the base!\n",
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_state->result)));
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_state->entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, ldap_state->result);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_state->index = 0;
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static void ldapsam_endsamgrent(struct pdb_methods *my_methods)
{
void function cannot return a value (besides the function called was a void) (This used to be commit 55681422e97ede0ff9446925c7678d6254b13878)
2003-03-20 01:38:37 +03:00
ldapsam_endsampwent(my_methods);
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
GROUP_MAP *map)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
BOOL bret = False;
while (!bret) {
if (!ldap_state->entry)
return ret;
ldap_state->index++;
bret = init_group_from_ldap(ldap_state, map, ldap_state->entry);
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_state->entry = ldap_next_entry(ldap_state->smbldap_state->ldap_struct,
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
ldap_state->entry);
}
return NT_STATUS_OK;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
*********************************************************************/
Back out some of my sync changes (This used to be commit b1ad91101d10d1fa635cfbb1684f8b598280cee0)
2002-11-10 02:28:40 +03:00
static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
enum SID_NAME_USE sid_name_use,
GROUP_MAP **rmap, int *num_entries,
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
BOOL unix_only)
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
{
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
GROUP_MAP map;
GROUP_MAP *mapt;
int entries = 0;
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
*num_entries = 0;
*rmap = NULL;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (!NT_STATUS_IS_OK(ldapsam_setsamgrent(methods, False))) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("ldapsam_enum_group_mapping: Unable to open passdb\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
return NT_STATUS_ACCESS_DENIED;
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
}
get rid of some sompiler warnings on IRIX (This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-15 05:42:30 +04:00
while (NT_STATUS_IS_OK(ldapsam_getsamgrent(methods, &map))) {
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
if (sid_name_use != SID_NAME_UNKNOWN &&
sid_name_use != map.sid_name_use) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(11,("ldapsam_enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
continue;
}
if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(11,("ldapsam_enum_group_mapping: group %s is non mapped\n", map.nt_name));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
continue;
}
sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-08-17 21:00:51 +04:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
if (!mapt) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0,("ldapsam_enum_group_mapping: Unable to enlarge group map!\n"));
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
SAFE_FREE(*rmap);
return NT_STATUS_UNSUCCESSFUL;
}
else
(*rmap) = mapt;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
mapt[entries] = map;
entries += 1;
}
ldapsam_endsamgrent(methods);
*num_entries = entries;
return NT_STATUS_OK;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/**********************************************************************
Housekeeping
*********************************************************************/
static void free_private_data(void **vp)
{
struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp;
smbldap_free_struct(&(*ldap_state)->smbldap_state);
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
if ((*ldap_state)->result != NULL) {
ldap_msgfree((*ldap_state)->result);
(*ldap_state)->result = NULL;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
*ldap_state = NULL;
/* No need to free any further, as it is talloc()ed */
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
/**********************************************************************
Intitalise the parts of the pdb_context that are common to all pdb_ldap modes
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method,
const char *location)
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) {
return nt_status;
}
(*pdb_method)->name = "ldapsam";
(*pdb_method)->setsampwent = ldapsam_setsampwent;
(*pdb_method)->endsampwent = ldapsam_endsampwent;
(*pdb_method)->getsampwent = ldapsam_getsampwent;
(*pdb_method)->getsampwnam = ldapsam_getsampwnam;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
(*pdb_method)->getsampwsid = ldapsam_getsampwsid;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
(*pdb_method)->add_sam_account = ldapsam_add_sam_account;
(*pdb_method)->update_sam_account = ldapsam_update_sam_account;
(*pdb_method)->delete_sam_account = ldapsam_delete_sam_account;
Put group mapping into LDAP. Volker (This used to be commit da83d97eb50c3c3a67985e22410842100207431f)
2003-03-19 12:43:23 +03:00
Merge from HEAD: - change auth_sam to use the initialisation flags to determine if the password attributes are set - add const to secrets.c, cliconnect.c - passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd - SAMR: add debugs to show what fails for group enum. Andrew Bartlett (This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1)
2002-11-09 02:08:59 +03:00
(*pdb_method)->getgrsid = ldapsam_getgrsid;
(*pdb_method)->getgrgid = ldapsam_getgrgid;
(*pdb_method)->getgrnam = ldapsam_getgrnam;
(*pdb_method)->add_group_mapping_entry = ldapsam_add_group_mapping_entry;
(*pdb_method)->update_group_mapping_entry = ldapsam_update_group_mapping_entry;
(*pdb_method)->delete_group_mapping_entry = ldapsam_delete_group_mapping_entry;
(*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
/* TODO: Setup private data and free */
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
ldap_state = talloc_zero(pdb_context->mem_ctx, sizeof(*ldap_state));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
if (!ldap_state) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("pdb_init_ldapsam_common: talloc() failed for ldapsam private_data!\n"));
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_NO_MEMORY;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (!NT_STATUS_IS_OK(nt_status =
smbldap_init(pdb_context->mem_ctx, location,
&ldap_state->smbldap_state)));
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
readding reverted changes during idmap merge (noticed by Andrew b.) (This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14 22:36:54 +04:00
ldap_state->domain_name = talloc_strdup(pdb_context->mem_ctx, get_global_sam_name());
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
if (!ldap_state->domain_name) {
return NT_STATUS_NO_MEMORY;
}
(*pdb_method)->private_data = ldap_state;
(*pdb_method)->free_private_data = free_private_data;
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
Initialise the 'compat' mode for pdb_ldap
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
A new pdb_ldap! This patch removes 'non unix account range' (same as idra's change in HEAD), and uses the winbind uid range instead. More importanly, this patch changes the LDAP schema to use 'ntSid' instead of 'rid' as the primary attribute. This makes it in common with the group mapping code, and should allow it to be used closely with a future idmap_ldap. Existing installations can use the existing functionality by using the ldapsam_compat backend, and users who compile with --with-ldapsam will get this by default. More importantly, this patch adds a 'sambaDomain' object to our schema - which contains 2 'next rid' attributes, the domain name and the domain sid. Yes, there are *2* next rid attributes. The problem is that we don't 'own' the entire RID space - we can only allocate RIDs that could be 'algorithmic' RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be mapped by IDMAP, not the algorithm. Andrew Bartlett (This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
2003-04-28 14:20:55 +04:00
static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
Fix pdb_ldap segfaults, and wrong default values for ldapsam_compat. Reviewed by vl, metze. Andrew Bartlett (This used to be commit 9804ad458ad35c9ea7de3e2e86bf8b2f85ae6533)
2003-06-24 18:23:34 +04:00
#ifdef WITH_LDAP_SAMCONFIG
if (!location) {
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
int ldap_port = lp_ldap_port();
Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-11-02 06:47:48 +03:00
/* remap default port if not using SSL (ie clear or TLS) */
if ( (lp_ldap_ssl() != LDAP_SSL_ON) && (ldap_port == 636) ) {
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
ldap_port = 389;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
location = talloc_asprintf(pdb_context->mem_ctx, "%s://%s:%d", lp_ldap_ssl() == LDAP_SSL_ON ? "ldaps" : "ldap", lp_ldap_server(), ldap_port);
if (!location) {
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
return NT_STATUS_NO_MEMORY;
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
}
Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-10-01 17:10:57 +04:00
#endif
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
return nt_status;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
(*pdb_method)->name = "ldapsam_compat";
ldap_state = (*pdb_method)->private_data;
ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_OK;
}
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
/**********************************************************************
This patch works towards to goal of common code shared between idmap_ldap and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 04:45:03 +04:00
Initialise the normal mode for pdb_ldap
*****LDAP schema changes***** New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14 07:32:20 +04:00
*********************************************************************/
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location)
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
{
NTSTATUS nt_status;
struct ldapsam_privates *ldap_state;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
uint32 alg_rid_base;
pstring alg_rid_base_string;
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
DOM_SID ldap_domain_sid;
DOM_SID secrets_domain_sid;
pstring domain_sid_string;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
if (!NT_STATUS_IS_OK(nt_status = pdb_init_ldapsam_common(pdb_context, pdb_method, location))) {
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return nt_status;
}
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
(*pdb_method)->name = "ldapsam";
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
ldap_state = (*pdb_method)->private_data;
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/* Try to setup the Domain Name, Domain SID, algorithmic rid base */
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
nt_status = smbldap_search_domain_info(ldap_state->smbldap_state, &result,
I *hate* global variables... OK, what was happening here was that we would invalidate global_sam_sid when we set the sid into secrets.tdb, to force a re-read. The problem was, we would do *two* writes into the TDB, and the second one (in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups to fail, on a blank TDB. By using a local variable in the pdb_generate_sam_sid() code, we avoid this particular trap. I've also added better debugging for the case where this all matters, which is particularly for LDAP, where it finds out a domain SID from the sambaDomain object. Andrew Bartlett (This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
2004-02-26 01:01:02 +03:00
ldap_state->domain_name, True);
moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-11 09:33:40 +04:00
if ( !NT_STATUS_IS_OK(nt_status) ) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(2, ("pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain\n"));
DEBUGADD(2, ("pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, \
and will risk BDCs having inconsistant SIDs\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_copy(&ldap_state->domain_sid, get_global_sam_sid());
return NT_STATUS_OK;
}
/* Given that the above might fail, everything below this must be optional */
entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
if (!entry) {
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
DEBUG(0, ("pdb_init_ldapsam: Could not get domain info entry\n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID),
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
domain_sid_string)) {
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
BOOL found_sid;
Check the return value of string_to_sid in a few more places. (But string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 06:14:31 +03:00
if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be read as a valid SID\n", domain_sid_string));
return NT_STATUS_INVALID_PARAMETER;
}
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
found_sid = secrets_fetch_domain_sid(ldap_state->domain_name, &secrets_domain_sid);
if (!found_sid || !sid_equal(&secrets_domain_sid, &ldap_domain_sid)) {
I *hate* global variables... OK, what was happening here was that we would invalidate global_sam_sid when we set the sid into secrets.tdb, to force a re-read. The problem was, we would do *two* writes into the TDB, and the second one (in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups to fail, on a blank TDB. By using a local variable in the pdb_generate_sam_sid() code, we avoid this particular trap. I've also added better debugging for the case where this all matters, which is particularly for LDAP, where it finds out a domain SID from the sambaDomain object. Andrew Bartlett (This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
2004-02-26 01:01:02 +03:00
fstring new_sid_str, old_sid_str;
DEBUG(1, ("pdb_init_ldapsam: Resetting SID for domain %s based on pdb_ldap results %s -> %s\n",
ldap_state->domain_name,
sid_to_string(old_sid_str, &secrets_domain_sid),
sid_to_string(new_sid_str, &ldap_domain_sid)));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
/* reset secrets.tdb sid */
secrets_store_domain_sid(ldap_state->domain_name, &ldap_domain_sid);
I *hate* global variables... OK, what was happening here was that we would invalidate global_sam_sid when we set the sid into secrets.tdb, to force a re-read. The problem was, we would do *two* writes into the TDB, and the second one (in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups to fail, on a blank TDB. By using a local variable in the pdb_generate_sam_sid() code, we avoid this particular trap. I've also added better debugging for the case where this all matters, which is particularly for LDAP, where it finds out a domain SID from the sambaDomain object. Andrew Bartlett (This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
2004-02-26 01:01:02 +03:00
DEBUG(1, ("New global sam SID: %s\n", sid_to_string(new_sid_str, get_global_sam_sid())));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
}
sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
}
Get MungedDial actually working with full TS strings in it for pdb_ldap. I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-11 19:32:19 +03:00
if (smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry,
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ALGORITHMIC_RID_BASE),
Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-11 02:33:06 +04:00
alg_rid_base_string)) {
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
alg_rid_base = (uint32)atol(alg_rid_base_string);
if (alg_rid_base != algorithmic_rid_base()) {
fix more memory leaks in the LDAP backend code; patches from metze (This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-14 06:28:03 +03:00
DEBUG(0, ("The value of 'algorithmic RID base' has changed since the LDAP\n"
"database was initialised. Aborting. \n"));
This patch cleans up some of our ldap code, for better behaviour: We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
}
ldap_msgfree(result);
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
return NT_STATUS_OK;
}
Make the version numbers ints (patch from metze) (This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8)
2003-05-01 03:06:44 +04:00
NTSTATUS pdb_ldap_init(void)
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
{
And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 22:12:31 +04:00
NTSTATUS nt_status;
if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam", pdb_init_ldapsam)))
return nt_status;
if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "ldapsam_compat", pdb_init_ldapsam_compat)))
return nt_status;
Make the version numbers ints (patch from metze) (This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8)
2003-05-01 03:06:44 +04:00
return NT_STATUS_OK;
This patch merges my private LDAP tree into HEAD. The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-02 13:16:28 +03:00
}
Copy Permalink