2003-06-05 06:34:30 +04:00
/*
2005-09-30 21:13:37 +04:00
Unix SMB / CIFS mplementation .
2003-06-05 06:34:30 +04:00
LDAP protocol helper functions for SAMBA
Copyright ( C ) Gerald Carter 2001 - 2003
2009-05-31 13:14:06 +04:00
2003-06-05 06:34:30 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-06-05 06:34:30 +04:00
( at your option ) any later version .
2009-05-31 13:14:06 +04:00
2003-06-05 06:34:30 +04:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2009-05-31 13:14:06 +04:00
2003-06-05 06:34:30 +04:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2009-05-31 13:14:06 +04:00
2003-06-05 06:34:30 +04:00
*/
# ifndef _SMBLDAP_H
# define _SMBLDAP_H
2005-08-13 16:05:54 +04:00
struct smbldap_state ;
2011-02-24 13:56:08 +03:00
# include "smb_ldap.h"
2003-06-25 16:51:58 +04:00
# ifdef HAVE_LDAP
2003-06-05 06:34:30 +04:00
/* specify schema versions between 2.2. and 3.0 */
# define SCHEMAVER_SAMBAACCOUNT 1
# define SCHEMAVER_SAMBASAMACCOUNT 2
/* objectclass names */
# define LDAP_OBJ_SAMBASAMACCOUNT "sambaSamAccount"
# define LDAP_OBJ_SAMBAACCOUNT "sambaAccount"
# define LDAP_OBJ_GROUPMAP "sambaGroupMapping"
# define LDAP_OBJ_DOMINFO "sambaDomain"
# define LDAP_OBJ_IDPOOL "sambaUnixIdPool"
# define LDAP_OBJ_IDMAP_ENTRY "sambaIdmapEntry"
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
# define LDAP_OBJ_SID_ENTRY "sambaSidEntry"
2005-09-30 21:13:37 +04:00
# define LDAP_OBJ_TRUST_PASSWORD "sambaTrustPassword"
2007-09-11 20:50:32 +04:00
# define LDAP_OBJ_TRUSTDOM_PASSWORD "sambaTrustedDomainPassword"
2010-07-16 13:01:49 +04:00
# define LDAP_OBJ_TRUSTED_DOMAIN "sambaTrustedDomain"
2003-06-05 06:34:30 +04:00
# define LDAP_OBJ_ACCOUNT "account"
# define LDAP_OBJ_POSIXACCOUNT "posixAccount"
# define LDAP_OBJ_POSIXGROUP "posixGroup"
2003-06-06 17:48:39 +04:00
# define LDAP_OBJ_OU "organizationalUnit"
2003-06-05 06:34:30 +04:00
/* some generic attributes that get reused a lot */
# define LDAP_ATTRIBUTE_SID "sambaSID"
# define LDAP_ATTRIBUTE_UIDNUMBER "uidNumber"
# define LDAP_ATTRIBUTE_GIDNUMBER "gidNumber"
2004-04-07 16:43:44 +04:00
# define LDAP_ATTRIBUTE_SID_LIST "sambaSIDList"
2003-06-05 06:34:30 +04:00
/* attribute map table indexes */
# define LDAP_ATTR_LIST_END 0
# define LDAP_ATTR_UID 1
# define LDAP_ATTR_UIDNUMBER 2
# define LDAP_ATTR_GIDNUMBER 3
# define LDAP_ATTR_UNIX_HOME 4
# define LDAP_ATTR_PWD_LAST_SET 5
# define LDAP_ATTR_PWD_CAN_CHANGE 6
# define LDAP_ATTR_PWD_MUST_CHANGE 7
# define LDAP_ATTR_LOGON_TIME 8
# define LDAP_ATTR_LOGOFF_TIME 9
# define LDAP_ATTR_KICKOFF_TIME 10
# define LDAP_ATTR_CN 11
# define LDAP_ATTR_DISPLAY_NAME 12
# define LDAP_ATTR_HOME_PATH 13
# define LDAP_ATTR_LOGON_SCRIPT 14
# define LDAP_ATTR_PROFILE_PATH 15
# define LDAP_ATTR_DESC 16
# define LDAP_ATTR_USER_WKS 17
# define LDAP_ATTR_USER_SID 18
# define LDAP_ATTR_USER_RID 18
# define LDAP_ATTR_PRIMARY_GROUP_SID 19
# define LDAP_ATTR_PRIMARY_GROUP_RID 20
# define LDAP_ATTR_LMPW 21
# define LDAP_ATTR_NTPW 22
# define LDAP_ATTR_DOMAIN 23
# define LDAP_ATTR_OBJCLASS 24
# define LDAP_ATTR_ACB_INFO 25
# define LDAP_ATTR_NEXT_USERRID 26
# define LDAP_ATTR_NEXT_GROUPRID 27
# define LDAP_ATTR_DOM_SID 28
# define LDAP_ATTR_HOME_DRIVE 29
# define LDAP_ATTR_GROUP_SID 30
# define LDAP_ATTR_GROUP_TYPE 31
2003-06-06 17:48:39 +04:00
# define LDAP_ATTR_SID 32
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
# define LDAP_ATTR_ALGORITHMIC_RID_BASE 33
# define LDAP_ATTR_NEXT_RID 34
2003-09-19 03:53:48 +04:00
# define LDAP_ATTR_BAD_PASSWORD_COUNT 35
# define LDAP_ATTR_LOGON_COUNT 36
2003-12-04 07:52:00 +03:00
# define LDAP_ATTR_MUNGED_DIAL 37
2004-02-23 05:47:33 +03:00
# define LDAP_ATTR_BAD_PASSWORD_TIME 38
2005-09-30 21:13:37 +04:00
# define LDAP_ATTR_PWD_HISTORY 39
2004-07-08 02:46:51 +04:00
# define LDAP_ATTR_SID_LIST 40
2005-09-30 21:13:37 +04:00
# define LDAP_ATTR_MOD_TIMESTAMP 41
# define LDAP_ATTR_LOGON_HOURS 42
# define LDAP_ATTR_TRUST_PASSWD_FLAGS 43
2006-06-09 17:04:47 +04:00
# define LDAP_ATTR_SN 44
2005-09-30 21:13:37 +04:00
2004-04-07 16:43:44 +04:00
2003-06-05 06:34:30 +04:00
typedef struct _attrib_map_entry {
int attrib ;
const char * name ;
} ATTRIB_MAP_ENTRY ;
2003-06-21 04:45:03 +04:00
2003-06-05 06:34:30 +04:00
/* structures */
extern ATTRIB_MAP_ENTRY attrib_map_v22 [ ] ;
2004-09-20 15:02:14 +04:00
extern ATTRIB_MAP_ENTRY attrib_map_to_delete_v22 [ ] ;
2003-06-05 06:34:30 +04:00
extern ATTRIB_MAP_ENTRY attrib_map_v30 [ ] ;
2004-09-20 15:02:14 +04:00
extern ATTRIB_MAP_ENTRY attrib_map_to_delete_v30 [ ] ;
2003-06-05 06:34:30 +04:00
extern ATTRIB_MAP_ENTRY dominfo_attr_list [ ] ;
extern ATTRIB_MAP_ENTRY groupmap_attr_list [ ] ;
extern ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete [ ] ;
extern ATTRIB_MAP_ENTRY idpool_attr_list [ ] ;
extern ATTRIB_MAP_ENTRY sidmap_attr_list [ ] ;
2005-09-30 21:13:37 +04:00
extern ATTRIB_MAP_ENTRY trustpw_attr_list [ ] ;
2003-06-05 06:34:30 +04:00
2003-06-07 00:31:19 +04:00
/* Function declarations -- not included in proto.h so we don't
have to worry about LDAP structure types */
2005-08-13 16:05:54 +04:00
NTSTATUS smbldap_init ( TALLOC_CTX * mem_ctx ,
2007-03-11 19:49:16 +03:00
struct event_context * event_ctx ,
2005-08-13 16:05:54 +04:00
const char * location ,
struct smbldap_state * * smbldap_state ) ;
2003-06-07 00:31:19 +04:00
const char * get_attr_key2string ( ATTRIB_MAP_ENTRY table [ ] , int key ) ;
2006-02-04 01:19:41 +03:00
const char * * get_attr_list ( TALLOC_CTX * mem_ctx , ATTRIB_MAP_ENTRY table [ ] ) ;
2003-06-21 04:45:03 +04:00
void smbldap_set_mod ( LDAPMod * * * modlist , int modop , const char * attribute , const char * value ) ;
2003-06-25 16:51:58 +04:00
void smbldap_make_mod ( LDAP * ldap_struct , LDAPMessage * existing ,
LDAPMod * * * mods ,
const char * attribute , const char * newval ) ;
2007-10-19 04:40:25 +04:00
bool smbldap_get_single_attribute ( LDAP * ldap_struct , LDAPMessage * entry ,
2004-03-11 19:32:19 +03:00
const char * attribute , char * value ,
int max_len ) ;
2005-08-13 16:05:54 +04:00
int smbldap_modify ( struct smbldap_state * ldap_state ,
const char * dn ,
LDAPMod * attrs [ ] ) ;
2003-06-07 00:31:19 +04:00
2003-06-25 16:51:58 +04:00
/**
* Struct to keep the state for all the ldap stuff
*
*/
struct smbldap_state {
LDAP * ldap_struct ;
2004-11-06 01:53:35 +03:00
pid_t pid ;
2010-09-07 03:04:10 +04:00
time_t last_ping ; /* monotonic */
2003-06-25 16:51:58 +04:00
/* retrive-once info */
const char * uri ;
2006-12-12 17:52:13 +03:00
/* credentials */
2007-10-19 04:40:25 +04:00
bool anonymous ;
2003-06-25 16:51:58 +04:00
char * bind_dn ;
char * bind_secret ;
2006-12-12 17:52:13 +03:00
2007-10-19 04:40:25 +04:00
bool paged_results ;
2003-06-25 16:51:58 +04:00
unsigned int num_failures ;
2003-07-17 15:24:54 +04:00
2010-09-07 03:04:10 +04:00
time_t last_use ; /* monotonic */
2007-03-11 19:49:16 +03:00
struct event_context * event_context ;
struct timed_event * idle_event ;
2003-12-26 01:42:15 +03:00
2010-09-07 03:04:10 +04:00
struct timeval last_rebind ; /* monotonic */
2003-06-25 16:51:58 +04:00
} ;
2003-06-07 00:31:19 +04:00
2005-03-05 04:22:53 +03:00
/* struct used by both pdb_ldap.c and pdb_nds.c */
2010-09-03 11:39:45 +04:00
struct ipasam_privates ;
2005-03-05 04:22:53 +03:00
struct ldapsam_privates {
struct smbldap_state * smbldap_state ;
/* Former statics */
LDAPMessage * result ;
LDAPMessage * entry ;
int index ;
const char * domain_name ;
2010-05-21 05:25:01 +04:00
struct dom_sid domain_sid ;
2005-03-05 04:22:53 +03:00
/* configuration items */
int schema_ver ;
char * domain_dn ;
/* Is this NDS ldap? */
int is_nds_ldap ;
2010-07-14 17:08:02 +04:00
/* Is this IPA ldap? */
int is_ipa_ldap ;
2010-09-03 11:39:45 +04:00
struct ipasam_privates * ipasam_privates ;
2010-07-14 17:08:02 +04:00
2005-03-05 04:22:53 +03:00
/* ldap server location parameter */
char * location ;
2010-02-03 13:32:41 +03:00
struct {
char * filter ;
LDAPMessage * result ;
} search_cache ;
2005-03-05 04:22:53 +03:00
} ;
2005-08-13 16:05:54 +04:00
/* Functions shared between pdb_ldap.c and pdb_nds.c. */
2006-02-12 00:27:08 +03:00
NTSTATUS pdb_init_ldapsam_compat ( struct pdb_methods * * pdb_method , const char * location ) ;
2005-08-13 16:05:54 +04:00
void private_data_free_fn ( void * * result ) ;
int ldapsam_search_suffix_by_name ( struct ldapsam_privates * ldap_state ,
const char * user ,
LDAPMessage * * result ,
const char * * attr ) ;
2006-02-12 00:27:08 +03:00
NTSTATUS pdb_init_ldapsam ( struct pdb_methods * * pdb_method , const char * location ) ;
2006-02-04 01:19:41 +03:00
const char * * get_userattr_list ( TALLOC_CTX * mem_ctx , int schema_ver ) ;
char * smbldap_talloc_single_attribute ( LDAP * ldap_struct , LDAPMessage * entry ,
const char * attribute ,
TALLOC_CTX * mem_ctx ) ;
2010-01-05 15:30:19 +03:00
char * smbldap_talloc_first_attribute ( LDAP * ldap_struct , LDAPMessage * entry ,
const char * attribute ,
TALLOC_CTX * mem_ctx ) ;
2009-03-12 19:23:17 +03:00
char * smbldap_talloc_smallest_attribute ( LDAP * ldap_struct , LDAPMessage * entry ,
const char * attribute ,
TALLOC_CTX * mem_ctx ) ;
2009-05-29 23:27:53 +04:00
bool smbldap_talloc_single_blob ( TALLOC_CTX * mem_ctx , LDAP * ld ,
LDAPMessage * msg , const char * attrib ,
DATA_BLOB * blob ) ;
2009-05-28 03:02:40 +04:00
bool smbldap_pull_sid ( LDAP * ld , LDAPMessage * msg , const char * attrib ,
struct dom_sid * sid ) ;
2006-02-04 01:19:41 +03:00
void talloc_autofree_ldapmsg ( TALLOC_CTX * mem_ctx , LDAPMessage * result ) ;
void talloc_autofree_ldapmod ( TALLOC_CTX * mem_ctx , LDAPMod * * mod ) ;
2009-03-18 07:29:02 +03:00
char * smbldap_talloc_dn ( TALLOC_CTX * mem_ctx , LDAP * ld ,
2006-02-04 01:19:41 +03:00
LDAPMessage * entry ) ;
2011-02-16 16:31:30 +03:00
LDAP * priv2ld ( struct ldapsam_privates * priv ) ;
2006-02-04 01:19:41 +03:00
2010-08-26 16:07:20 +04:00
/* The following definitions come from lib/smbldap.c */
int smb_ldap_start_tls ( LDAP * ldap_struct , int version ) ;
int smb_ldap_setup_full_conn ( LDAP * * ldap_struct , const char * uri ) ;
int smbldap_search ( struct smbldap_state * ldap_state ,
const char * base , int scope , const char * filter ,
const char * attrs [ ] , int attrsonly ,
LDAPMessage * * res ) ;
int smbldap_search_paged ( struct smbldap_state * ldap_state ,
const char * base , int scope , const char * filter ,
const char * * attrs , int attrsonly , int pagesize ,
LDAPMessage * * res , void * * cookie ) ;
int smbldap_modify ( struct smbldap_state * ldap_state , const char * dn , LDAPMod * attrs [ ] ) ;
int smbldap_add ( struct smbldap_state * ldap_state , const char * dn , LDAPMod * attrs [ ] ) ;
int smbldap_delete ( struct smbldap_state * ldap_state , const char * dn ) ;
int smbldap_extended_operation ( struct smbldap_state * ldap_state ,
LDAP_CONST char * reqoid , struct berval * reqdata ,
LDAPControl * * serverctrls , LDAPControl * * clientctrls ,
char * * retoidp , struct berval * * retdatap ) ;
int smbldap_search_suffix ( struct smbldap_state * ldap_state ,
const char * filter , const char * * search_attr ,
LDAPMessage * * result ) ;
void smbldap_free_struct ( struct smbldap_state * * ldap_state ) ;
NTSTATUS smbldap_init ( TALLOC_CTX * mem_ctx , struct event_context * event_ctx ,
const char * location ,
struct smbldap_state * * smbldap_state ) ;
bool smbldap_has_control ( LDAP * ld , const char * control ) ;
bool smbldap_has_extension ( LDAP * ld , const char * extension ) ;
bool smbldap_has_naming_context ( LDAP * ld , const char * naming_context ) ;
bool smbldap_set_creds ( struct smbldap_state * ldap_state , bool anon , const char * dn , const char * secret ) ;
/* The following definitions come from lib/smbldap_util.c */
NTSTATUS smbldap_search_domain_info ( struct smbldap_state * ldap_state ,
LDAPMessage * * result , const char * domain_name ,
bool try_add ) ;
2005-08-13 16:05:54 +04:00
# endif /* HAVE_LDAP */
2003-06-25 16:51:58 +04:00
2008-05-26 13:29:24 +04:00
# define LDAP_DEFAULT_TIMEOUT 15
# define LDAP_CONNECTION_DEFAULT_TIMEOUT 2
2005-04-15 17:41:49 +04:00
# define LDAP_PAGE_SIZE 1024
2003-06-25 16:51:58 +04:00
2010-07-02 02:32:52 +04:00
# define ADS_PAGE_CTL_OID "1.2.840.113556.1.4.319"
2011-03-06 11:31:40 +03:00
/*
* Work around versions of the LDAP client libs that don ' t have the OIDs
* defined , or have them defined under the old name .
* This functionality is really a factor of the server , not the client
*
*/
# if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD)
# define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD
# elif !defined(LDAP_EXOP_MODIFY_PASSWD)
# define LDAP_EXOP_MODIFY_PASSWD "1.3.6.1.4.1.4203.1.11.1"
# endif
# if defined(LDAP_EXOP_X_MODIFY_PASSWD_ID) && !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
# define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_EXOP_X_MODIFY_PASSWD_ID
# elif !defined(LDAP_EXOP_MODIFY_PASSWD_ID)
# define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U)
# endif
# if defined(LDAP_EXOP_X_MODIFY_PASSWD_NEW) && !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
# define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_EXOP_X_MODIFY_PASSWD_NEW
# elif !defined(LDAP_EXOP_MODIFY_PASSWD_NEW)
# define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U)
# endif
2004-07-01 20:35:43 +04:00
# endif /* _SMBLDAP_H */
