2 Unix SMB/CIFS implementation.
3 IPA helper functions for SAMBA
4 Copyright (C) Sumit Bose <sbose@redhat.com> 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #define LDAP_TRUST_CONTAINER "ou=system"
26 #define LDAP_ATTRIBUTE_CN "cn"
27 #define LDAP_ATTRIBUTE_TRUST_TYPE "sambaTrustType"
28 #define LDAP_ATTRIBUTE_TRUST_ATTRIBUTES "sambaTrustAttributes"
29 #define LDAP_ATTRIBUTE_TRUST_DIRECTION "sambaTrustDirection"
30 #define LDAP_ATTRIBUTE_TRUST_PARTNER "sambaTrustPartner"
31 #define LDAP_ATTRIBUTE_FLAT_NAME "sambaFlatName"
32 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "sambaTrustAuthOutgoing"
33 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "sambaTrustAuthIncoming"
34 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "sambaSecurityIdentifier"
36 static bool ipasam_get_trusteddom_pw(struct pdb_methods *methods,
40 time_t *pass_last_set_time)
45 static bool ipasam_set_trusteddom_pw(struct pdb_methods *methods,
48 const struct dom_sid *sid)
53 static bool ipasam_del_trusteddom_pw(struct pdb_methods *methods,
59 static char *trusted_domain_dn(struct ldapsam_privates *ldap_state,
62 return talloc_asprintf(talloc_tos(), "%s=%s,%s,%s",
63 LDAP_ATTRIBUTE_CN, domain,
64 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
67 static char *trusted_domain_base_dn(struct ldapsam_privates *ldap_state)
69 return talloc_asprintf(talloc_tos(), "%s,%s",
70 LDAP_TRUST_CONTAINER, ldap_state->domain_dn);
73 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
75 const char *domain, LDAPMessage **entry)
80 LDAPMessage *result = NULL;
83 filter = talloc_asprintf(talloc_tos(),
84 "(&(objectClass=%s)(|(sambaFlatName=%s)(cn=%s)(sambaTrustPartner=%s)))",
85 LDAP_OBJ_TRUSTED_DOMAIN, domain, domain, domain);
90 base_dn = trusted_domain_base_dn(ldap_state);
91 if (base_dn == NULL) {
96 rc = smbldap_search(ldap_state->smbldap_state, base_dn,
97 LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
101 if (result != NULL) {
102 talloc_autofree_ldapmsg(mem_ctx, result);
105 if (rc == LDAP_NO_SUCH_OBJECT) {
110 if (rc != LDAP_SUCCESS) {
114 num_result = ldap_count_entries(priv2ld(ldap_state), result);
116 if (num_result > 1) {
117 DEBUG(1, ("get_trusted_domain_int: more than one "
118 "%s object for domain '%s'?!\n",
119 LDAP_OBJ_TRUSTED_DOMAIN, domain));
123 if (num_result == 0) {
124 DEBUG(1, ("get_trusted_domain_int: no "
125 "%s object for domain %s.\n",
126 LDAP_OBJ_TRUSTED_DOMAIN, domain));
129 *entry = ldap_first_entry(priv2ld(ldap_state), result);
135 static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
144 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
147 DEBUG(9, ("Attribute %s not present.\n", attr));
152 l = strtoul(dummy, &endptr, 10);
155 if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
164 static void get_data_blob_from_ldap_msg(TALLOC_CTX *mem_ctx,
165 struct ldapsam_privates *ldap_state,
166 LDAPMessage *entry, const char *attr,
172 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry, attr,
175 DEBUG(9, ("Attribute %s not present.\n", attr));
178 blob = base64_decode_data_blob(dummy);
179 if (blob.length == 0) {
182 _blob->length = blob.length;
183 _blob->data = talloc_steal(mem_ctx, blob.data);
189 static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
190 struct ldapsam_privates *ldap_state,
192 struct pdb_trusted_domain **_td)
196 struct pdb_trusted_domain *td;
202 td = talloc_zero(mem_ctx, struct pdb_trusted_domain);
207 /* All attributes are MAY */
209 dummy = smbldap_talloc_single_attribute(priv2ld(ldap_state), entry,
210 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
213 DEBUG(9, ("Attribute %s not present.\n",
214 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER));
215 ZERO_STRUCT(td->security_identifier);
217 res = string_to_sid(&td->security_identifier, dummy);
224 get_data_blob_from_ldap_msg(td, ldap_state, entry,
225 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
226 &td->trust_auth_incoming);
228 get_data_blob_from_ldap_msg(td, ldap_state, entry,
229 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
230 &td->trust_auth_outgoing);
232 td->netbios_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
234 LDAP_ATTRIBUTE_FLAT_NAME,
236 if (td->netbios_name == NULL) {
237 DEBUG(9, ("Attribute %s not present.\n",
238 LDAP_ATTRIBUTE_FLAT_NAME));
241 td->domain_name = smbldap_talloc_single_attribute(priv2ld(ldap_state),
243 LDAP_ATTRIBUTE_TRUST_PARTNER,
245 if (td->domain_name == NULL) {
246 DEBUG(9, ("Attribute %s not present.\n",
247 LDAP_ATTRIBUTE_TRUST_PARTNER));
250 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
251 LDAP_ATTRIBUTE_TRUST_DIRECTION,
252 &td->trust_direction);
257 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
258 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
259 &td->trust_attributes);
264 res = get_uint32_t_from_ldap_msg(ldap_state, entry,
265 LDAP_ATTRIBUTE_TRUST_TYPE,
276 static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
279 struct pdb_trusted_domain **td)
281 struct ldapsam_privates *ldap_state =
282 (struct ldapsam_privates *)methods->private_data;
283 LDAPMessage *entry = NULL;
285 DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain));
287 if (!get_trusted_domain_int(ldap_state, talloc_tos(), domain, &entry)) {
288 return NT_STATUS_UNSUCCESSFUL;
291 DEBUG(5, ("ipasam_get_trusted_domain: no such trusted domain: "
293 return NT_STATUS_NO_SUCH_DOMAIN;
296 if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) {
297 return NT_STATUS_UNSUCCESSFUL;
303 static bool smbldap_make_mod_uint32_t(LDAP *ldap_struct, LDAPMessage *entry,
304 LDAPMod ***mods, const char *attribute,
309 dummy = talloc_asprintf(talloc_tos(), "%lu", (unsigned long) val);
313 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
319 static bool smbldap_make_mod_blob(LDAP *ldap_struct, LDAPMessage *entry,
320 LDAPMod ***mods, const char *attribute,
325 dummy = base64_encode_data_blob(talloc_tos(), blob);
330 smbldap_make_mod(ldap_struct, entry, mods, attribute, dummy);
336 static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
338 const struct pdb_trusted_domain *td)
340 struct ldapsam_privates *ldap_state =
341 (struct ldapsam_privates *)methods->private_data;
342 LDAPMessage *entry = NULL;
345 char *trusted_dn = NULL;
348 DEBUG(10, ("ipasam_set_trusted_domain called for domain %s\n", domain));
350 res = get_trusted_domain_int(ldap_state, talloc_tos(), domain, &entry);
352 return NT_STATUS_UNSUCCESSFUL;
356 smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass",
357 LDAP_OBJ_TRUSTED_DOMAIN);
359 if (td->netbios_name != NULL) {
360 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
361 LDAP_ATTRIBUTE_FLAT_NAME,
365 if (td->domain_name != NULL) {
366 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
367 LDAP_ATTRIBUTE_TRUST_PARTNER,
371 if (!is_null_sid(&td->security_identifier)) {
372 smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
373 LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
374 sid_string_tos(&td->security_identifier));
377 if (td->trust_type != 0) {
378 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
379 &mods, LDAP_ATTRIBUTE_TRUST_TYPE,
382 return NT_STATUS_UNSUCCESSFUL;
386 if (td->trust_attributes != 0) {
387 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
389 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
390 td->trust_attributes);
392 return NT_STATUS_UNSUCCESSFUL;
396 if (td->trust_direction != 0) {
397 res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry,
399 LDAP_ATTRIBUTE_TRUST_DIRECTION,
400 td->trust_direction);
402 return NT_STATUS_UNSUCCESSFUL;
406 if (td->trust_auth_outgoing.data != NULL) {
407 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
409 LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING,
410 td->trust_auth_outgoing);
412 return NT_STATUS_UNSUCCESSFUL;
416 if (td->trust_auth_incoming.data != NULL) {
417 res = smbldap_make_mod_blob(priv2ld(ldap_state), entry,
419 LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING,
420 td->trust_auth_incoming);
422 return NT_STATUS_UNSUCCESSFUL;
426 talloc_autofree_ldapmod(talloc_tos(), mods);
428 trusted_dn = trusted_domain_dn(ldap_state, domain);
429 if (trusted_dn == NULL) {
430 return NT_STATUS_NO_MEMORY;
433 ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods);
435 ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods);
438 if (ret != LDAP_SUCCESS) {
439 DEBUG(1, ("error writing trusted domain data!\n"));
440 return NT_STATUS_UNSUCCESSFUL;
445 static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
449 struct ldapsam_privates *ldap_state =
450 (struct ldapsam_privates *)methods->private_data;
451 LDAPMessage *entry = NULL;
454 if (!get_trusted_domain_int(ldap_state, talloc_tos(), domain, &entry)) {
455 return NT_STATUS_UNSUCCESSFUL;
459 DEBUG(5, ("ipasam_del_trusted_domain: no such trusted domain: "
461 return NT_STATUS_NO_SUCH_DOMAIN;
464 dn = smbldap_talloc_dn(talloc_tos(), priv2ld(ldap_state), entry);
466 DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n"));
467 return NT_STATUS_NO_MEMORY;
470 ret = smbldap_delete(ldap_state->smbldap_state, dn);
471 if (ret != LDAP_SUCCESS) {
472 return NT_STATUS_UNSUCCESSFUL;
478 static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods,
480 uint32_t *num_domains,
481 struct pdb_trusted_domain ***domains)
484 struct ldapsam_privates *ldap_state =
485 (struct ldapsam_privates *)methods->private_data;
486 char *base_dn = NULL;
488 int scope = LDAP_SCOPE_SUBTREE;
489 LDAPMessage *result = NULL;
490 LDAPMessage *entry = NULL;
492 filter = talloc_asprintf(talloc_tos(), "(objectClass=%s)",
493 LDAP_OBJ_TRUSTED_DOMAIN);
494 if (filter == NULL) {
495 return NT_STATUS_NO_MEMORY;
498 base_dn = trusted_domain_base_dn(ldap_state);
499 if (base_dn == NULL) {
501 return NT_STATUS_NO_MEMORY;
504 rc = smbldap_search(ldap_state->smbldap_state, base_dn, scope, filter,
507 TALLOC_FREE(base_dn);
509 if (result != NULL) {
510 talloc_autofree_ldapmsg(mem_ctx, result);
513 if (rc == LDAP_NO_SUCH_OBJECT) {
519 if (rc != LDAP_SUCCESS) {
520 return NT_STATUS_UNSUCCESSFUL;
524 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct pdb_trusted_domain *, 1))) {
525 DEBUG(1, ("talloc failed\n"));
526 return NT_STATUS_NO_MEMORY;
529 for (entry = ldap_first_entry(priv2ld(ldap_state), result);
531 entry = ldap_next_entry(priv2ld(ldap_state), entry))
533 struct pdb_trusted_domain *dom_info;
535 if (!fill_pdb_trusted_domain(*domains, ldap_state, entry,
537 return NT_STATUS_UNSUCCESSFUL;
540 ADD_TO_ARRAY(*domains, struct pdb_trusted_domain *, dom_info,
541 domains, num_domains);
543 if (*domains == NULL) {
544 DEBUG(1, ("talloc failed\n"));
545 return NT_STATUS_NO_MEMORY;
549 DEBUG(5, ("ipasam_enum_trusted_domains: got %d domains\n", *num_domains));
553 static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
555 uint32_t *num_domains,
556 struct trustdom_info ***domains)
559 struct pdb_trusted_domain **td;
562 status = ipasam_enum_trusted_domains(methods, talloc_tos(),
564 if (!NT_STATUS_IS_OK(status)) {
568 if (*num_domains == 0) {
572 if (!(*domains = TALLOC_ARRAY(mem_ctx, struct trustdom_info *,
574 DEBUG(1, ("talloc failed\n"));
575 return NT_STATUS_NO_MEMORY;
578 for (i = 0; i < *num_domains; i++) {
579 struct trustdom_info *dom_info;
581 dom_info = TALLOC_P(*domains, struct trustdom_info);
582 if (dom_info == NULL) {
583 DEBUG(1, ("talloc failed\n"));
584 return NT_STATUS_NO_MEMORY;
587 dom_info->name = talloc_steal(mem_ctx, td[i]->netbios_name);
588 sid_copy(&dom_info->sid, &td[i]->security_identifier);
590 (*domains)[i] = dom_info;
596 static NTSTATUS pdb_init_IPA_ldapsam(struct pdb_methods **pdb_method, const char *location)
598 struct ldapsam_privates *ldap_state;
600 NTSTATUS nt_status = pdb_init_ldapsam(pdb_method, location);
602 (*pdb_method)->name = "IPA_ldapsam";
604 ldap_state = (struct ldapsam_privates *)((*pdb_method)->private_data);
605 ldap_state->is_ipa_ldap = true;
607 (*pdb_method)->get_trusteddom_pw = ipasam_get_trusteddom_pw;
608 (*pdb_method)->set_trusteddom_pw = ipasam_set_trusteddom_pw;
609 (*pdb_method)->del_trusteddom_pw = ipasam_del_trusteddom_pw;
610 (*pdb_method)->enum_trusteddoms = ipasam_enum_trusteddoms;
612 (*pdb_method)->get_trusted_domain = ipasam_get_trusted_domain;
613 (*pdb_method)->set_trusted_domain = ipasam_set_trusted_domain;
614 (*pdb_method)->del_trusted_domain = ipasam_del_trusted_domain;
615 (*pdb_method)->enum_trusted_domains = ipasam_enum_trusted_domains;
620 NTSTATUS pdb_ipa_init(void)
624 if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "IPA_ldapsam", pdb_init_IPA_ldapsam)))