int
ldap_turn_s(
LDAP *ld,
int mutual,
LDAP_CONST char* identifier,
LDAPControl **sctrls,
LDAPControl **cctrls )
{
#ifdef LDAP_EXOP_X_TURN
BerElement *turnvalber = NULL;
struct berval *turnvalp = NULL;
int rc;
turnvalber = ber_alloc_t( LBER_USE_DER );
if( mutual ) {
ber_printf( turnvalber, "{bs}", 0xFF, identifier );
} else {
ber_printf( turnvalber, "{s}", identifier );
}
ber_flatten( turnvalber, &turnvalp );
rc = ldap_extended_operation_s( ld, LDAP_EXOP_X_TURN,
turnvalp, sctrls, cctrls, NULL, NULL );
ber_free( turnvalber, 1 );
return rc;
#else
return LDAP_CONTROL_NOT_FOUND;
#endif
}
int
ldap_txn_start_s(
LDAP *ld,
LDAPControl **sctrls,
LDAPControl **cctrls,
struct berval **txnid )
{
assert( txnid != NULL );
return ldap_extended_operation_s( ld, LDAP_EXOP_X_TXN_START,
NULL, sctrls, cctrls, NULL, txnid );
}
/***********************************************************************
* ldap_extended_operation_sW (WLDAP32.@)
*
* Perform an extended operation (synchronous mode).
*
* PARAMS
* ld [I] Pointer to an LDAP context.
* oid [I] OID of the extended operation.
* data [I] Data needed by the operation.
* serverctrls [I] Array of LDAP server controls.
* clientctrls [I] Array of LDAP client controls.
* retoid [O] OID of the server response message.
* retdata [O] Data returned by the server.
*
* RETURNS
* Success: LDAP_SUCCESS
* Failure: An LDAP error code.
*
* NOTES
* The data parameter should be set to NULL if the operation
* requires no data. The serverctrls, clientctrls, retoid and
* and retdata parameters are also optional. Set to NULL if not
* used. Free retoid and retdata after use with ldap_memfree.
*/
ULONG CDECL ldap_extended_operation_sW( WLDAP32_LDAP *ld, PWCHAR oid, struct WLDAP32_berval *data,
PLDAPControlW *serverctrls, PLDAPControlW *clientctrls, PWCHAR *retoid,
struct WLDAP32_berval **retdata )
{
ULONG ret = WLDAP32_LDAP_NOT_SUPPORTED;
#ifdef HAVE_LDAP
char *oidU = NULL, *retoidU = NULL;
LDAPControl **serverctrlsU = NULL, **clientctrlsU = NULL;
ret = WLDAP32_LDAP_NO_MEMORY;
TRACE( "(%p, %s, %p, %p, %p, %p, %p)\n", ld, debugstr_w(oid), data, serverctrls,
clientctrls, retoid, retdata );
if (!ld) return WLDAP32_LDAP_PARAM_ERROR;
if (oid) {
oidU = strWtoU( oid );
if (!oidU) goto exit;
}
if (serverctrls) {
serverctrlsU = controlarrayWtoU( serverctrls );
if (!serverctrlsU) goto exit;
}
if (clientctrls) {
clientctrlsU = controlarrayWtoU( clientctrls );
if (!clientctrlsU) goto exit;
}
ret = map_error( ldap_extended_operation_s( ld, oid ? oidU : "", (struct berval *)data, serverctrlsU,
clientctrlsU, &retoidU, (struct berval **)retdata ));
if (retoid && retoidU) {
*retoid = strUtoW( retoidU );
if (!*retoid) ret = WLDAP32_LDAP_NO_MEMORY;
ldap_memfree( retoidU );
}
exit:
strfreeU( oidU );
controlarrayfreeU( serverctrlsU );
controlarrayfreeU( clientctrlsU );
#endif
return ret;
}
int
ldap_cancel_s(
LDAP *ld,
int cancelid,
LDAPControl **sctrls,
LDAPControl **cctrls )
{
BerElement *cancelidber = NULL;
struct berval *cancelidvalp = NULL;
int rc;
cancelidber = ber_alloc_t( LBER_USE_DER );
ber_printf( cancelidber, "{i}", cancelid );
ber_flatten( cancelidber, &cancelidvalp );
rc = ldap_extended_operation_s( ld, LDAP_EXOP_CANCEL,
cancelidvalp, sctrls, cctrls, NULL, NULL );
ber_free( cancelidber, 1 );
return rc;
}
int
ldap_start_tls_s ( LDAP *ld,
LDAPControl **serverctrls,
LDAPControl **clientctrls )
{
#ifndef HAVE_TLS
return LDAP_NOT_SUPPORTED;
#else
int rc;
char *rspoid = NULL;
struct berval *rspdata = NULL;
/* XXYYZ: this initiates operation only on default connection! */
if ( ldap_tls_inplace( ld ) ) {
return LDAP_LOCAL_ERROR;
}
rc = ldap_extended_operation_s( ld, LDAP_EXOP_START_TLS,
NULL, serverctrls, clientctrls, &rspoid, &rspdata );
if ( rspoid != NULL ) {
LDAP_FREE(rspoid);
}
if ( rspdata != NULL ) {
ber_bvfree( rspdata );
}
if ( rc == LDAP_SUCCESS ) {
rc = ldap_int_tls_start( ld, ld->ld_defconn, NULL );
}
return rc;
#endif
}
/** Attempt to retrieve the universal password from Novell eDirectory
*
* @param[in] ld LDAP handle.
* @param[in] dn of user we want to retrieve the password for.
* @param[out] password Where to write the retrieved password.
* @param[out] passlen Length of data written to the password buffer.
* @return 0 on success and < 0 on failure.
*/
int nmasldap_get_password(LDAP *ld, char const *dn, char *password, size_t *passlen)
{
int err = 0;
struct berval *request_bv = NULL;
char *reply_oid = NULL;
struct berval *reply_bv = NULL;
int server_version;
size_t bufsize;
char buffer[256];
/* Validate parameters. */
if (!dn || !*dn || !passlen || !ld) {
return NMAS_E_INVALID_PARAMETER;
}
err = ber_encode_request_data(dn, &request_bv);
if (err) goto finish;
/* Call the ldap_extended_operation (synchronously) */
err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, request_bv, NULL, NULL, &reply_oid, &reply_bv);
if (err) goto finish;
/* Make sure there is a return OID */
if (!reply_oid) {
err = NMAS_E_NOT_SUPPORTED;
goto finish;
}
/* Is this what we were expecting to get back. */
if (strcmp(reply_oid, NMASLDAP_GET_PASSWORD_RESPONSE) != 0) {
err = NMAS_E_NOT_SUPPORTED;
goto finish;
}
/* Do we have a good returned berval? */
if (!reply_bv) {
/*
* No; returned berval means we experienced a rather
* drastic error. Return operations error.
*/
err = NMAS_E_SYSTEM_RESOURCES;
goto finish;
}
bufsize = sizeof(buffer);
err = ber_decode_login_data(reply_bv, &server_version, buffer, &bufsize);
if (err) goto finish;
if (server_version != NMAS_LDAP_EXT_VERSION) {
err = NMAS_E_INVALID_VERSION;
goto finish;
}
if (bufsize > *passlen) {
err = NMAS_E_BUFFER_OVERFLOW;
goto finish;
}
memcpy(password, buffer, bufsize);
password[bufsize] = '\0';
*passlen = bufsize;
finish:
if (reply_bv) {
ber_bvfree(reply_bv);
}
/* Free the return OID string if one was returned. */
if (reply_oid) {
ldap_memfree(reply_oid);
}
/* Free memory allocated while building the request ber and berval. */
if (request_bv) {
ber_bvfree(request_bv);
}
return err;
}
int
ldap_txn_end_s(
LDAP *ld,
int commit,
struct berval *txnid,
LDAPControl **sctrls,
LDAPControl **cctrls,
int *retidp )
{
int rc;
BerElement *txnber = NULL;
struct berval *txnval = NULL;
struct berval *retdata = NULL;
if ( retidp != NULL ) *retidp = -1;
txnber = ber_alloc_t( LBER_USE_DER );
if( commit ) {
ber_printf( txnber, "{ON}", txnid );
} else {
ber_printf( txnber, "{bON}", commit, txnid );
}
ber_flatten( txnber, &txnval );
rc = ldap_extended_operation_s( ld, LDAP_EXOP_X_TXN_END,
txnval, sctrls, cctrls, NULL, &retdata );
ber_free( txnber, 1 );
/* parse retdata */
if( retdata != NULL ) {
BerElement *ber;
ber_tag_t tag;
ber_int_t retid;
if( retidp == NULL ) goto done;
ber = ber_init( retdata );
if( ber == NULL ) {
rc = ld->ld_errno = LDAP_NO_MEMORY;
goto done;
}
tag = ber_scanf( ber, "i", &retid );
ber_free( ber, 1 );
if ( tag != LBER_INTEGER ) {
rc = ld->ld_errno = LDAP_DECODING_ERROR;
goto done;
}
*retidp = (int) retid;
done:
ber_bvfree( retdata );
}
return rc;
}
/* -----------------------------------------------------------------------
* nmasldap_get_password()
* ==============================
*
* Description:
* This API attempts to get the universal password
*
* ------------------------------------------------------------------------ */
int nmasldap_get_password(
LDAP *ld,
char *objectDN,
size_t *pwdSize, // in bytes
char *pwd )
{
int err = 0;
struct berval *requestBV = NULL;
char *replyOID = NULL;
struct berval *replyBV = NULL;
int serverVersion;
char *pwdBuf;
size_t pwdBufLen, bufferLen;
#ifdef NOT_N_PLAT_NLM
int currentThreadGroupID;
#endif
/* Validate char parameters. */
if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL)
{
return NMAS_E_INVALID_PARAMETER;
}
bufferLen = pwdBufLen = *pwdSize;
pwdBuf = (char *)malloc(pwdBufLen+2);
if(pwdBuf == NULL)
{
return NMAS_E_INSUFFICIENT_MEMORY;
}
#ifdef NOT_N_PLAT_NLM
currentThreadGroupID = SetThreadGroupID(nmasLDAPThreadGroupID);
#endif
err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL);
if(err)
{
goto Cleanup;
}
/* Call the ldap_extended_operation (synchronously) */
if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV)))
{
goto Cleanup;
}
/* Make sure there is a return OID */
if(!replyOID)
{
err = NMAS_E_NOT_SUPPORTED;
goto Cleanup;
}
/* Is this what we were expecting to get back. */
if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE))
{
err = NMAS_E_NOT_SUPPORTED;
goto Cleanup;
}
/* Do we have a good returned berval? */
if(!replyBV)
{
/*
* No; returned berval means we experienced a rather drastic error.
* Return operations error.
*/
err = NMAS_E_SYSTEM_RESOURCES;
goto Cleanup;
}
err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf);
if(serverVersion != NMAS_LDAP_EXT_VERSION)
{
err = NMAS_E_INVALID_VERSION;
goto Cleanup;
}
if (!err && pwdBufLen != 0)
{
if (*pwdSize >= pwdBufLen+1 && pwd != NULL)
{
memcpy(pwd, pwdBuf, pwdBufLen);
pwd[pwdBufLen] = 0; /* add null termination */
}
*pwdSize = pwdBufLen; /* does not include null termination */
}
Cleanup:
if(replyBV)
{
ber_bvfree(replyBV);
}
/* Free the return OID string if one was returned. */
if(replyOID)
{
ldap_memfree(replyOID);
}
/* Free memory allocated while building the request ber and berval. */
if(requestBV)
{
ber_bvfree(requestBV);
}
if (pwdBuf != NULL)
{
memset(pwdBuf, 0, bufferLen);
free(pwdBuf);
}
#ifdef NOT_N_PLAT_NLM
SetThreadGroupID(currentThreadGroupID);
#endif
/* Return the appropriate error/success code. */
return err;
} /* end of nmasldap_get_password */
static int
process( void *arg )
{
char *rbuf, *saved_rbuf, *start, *p, *q;
FILE *rfp = NULL;
int rc, use_ldif, deref;
LDAPControl *ldctrl;
#ifdef SOLARIS_LDAP_CMD
LDAP *ld;
#endif /* SOLARIS_LDAP_CMD */
ld = ldaptool_ldap_init( 0 );
if ( !ldaptool_not ) {
deref = LDAP_DEREF_NEVER; /* this seems prudent */
ldap_set_option( ld, LDAP_OPT_DEREF, &deref );
}
ldaptool_bind( ld );
if (( ldctrl = ldaptool_create_manage_dsait_control()) != NULL ) {
ldaptool_add_control_to_array( ldctrl, ldaptool_request_ctrls);
}
if ((ldctrl = ldaptool_create_proxyauth_control(ld)) !=NULL) {
ldaptool_add_control_to_array( ldctrl, ldaptool_request_ctrls);
}
rc = 0;
/* turn on bulk import?*/
if (bulkimport_suffix) {
struct berval bv, *retdata;
char *retoid;
bv.bv_val = bulkimport_suffix;
bv.bv_len = strlen(bulkimport_suffix);
if ((rc = ldap_extended_operation_s(ld,
BULKIMPORT_START_OID, &bv, NULL,
NULL, &retoid, &retdata)) != 0) {
fprintf(stderr, gettext("Error: unable to service "
"extended operation request\n\t'%s' for "
"bulk import\n\t(error:%d:'%s')\n"),
BULKIMPORT_START_OID, rc, ldap_err2string(rc));
return (rc);
}
if (retoid)
ldap_memfree(retoid);
if (retdata)
ber_bvfree(retdata);
}
while (( rc == 0 || contoper ) &&
( rbuf = read_one_record( ldaptool_fp )) != NULL ) {
/*
* we assume record is ldif/slapd.replog if the first line
* has a colon that appears to the left of any equal signs, OR
* if the first line consists entirely of digits (an entry id)
*/
use_ldif = ( p = strchr( rbuf, ':' )) != NULL &&
( q = strchr( rbuf, '\n' )) != NULL && p < q &&
(( q = strchr( rbuf, '=' )) == NULL || p < q );
start = rbuf;
saved_rbuf = strdup( rbuf );
if ( !use_ldif && ( q = strchr( rbuf, '\n' )) != NULL ) {
for ( p = rbuf; p < q; ++p ) {
if ( !isdigit( *p )) {
break;
}
}
if ( p >= q ) {
use_ldif = 1;
start = q + 1;
}
}
#ifdef SOLARIS_LDAP_CMD
if ( use_ldif ) {
rc = process_ldif_rec( ld, start );
} else {
rc = process_ldapmod_rec( ld, start );
}
#else
if ( use_ldif ) {
rc = process_ldif_rec( start );
} else {
rc = process_ldapmod_rec( start );
}
#endif /* SOLARIS_LDAP_CMD */
if ( rc != LDAP_SUCCESS && rejfile != NULL ) {
/* Write this record to the reject file */
int newfile = 0;
struct stat stbuf;
if ( stat( rejfile, &stbuf ) < 0 ) {
if ( errno == ENOENT ) {
newfile = 1;
}
}
if (( rfp = ldaptool_open_file( rejfile, "a" )) == NULL ) {
fprintf( stderr, gettext("Cannot open error file \"%s\" - "
"erroneous entries will not be saved\n"), rejfile );
rejfile = NULL;
} else {
if ( newfile == 0 ) {
fputs( "\n", rfp );
}
fprintf( rfp, gettext("# Error: %s\n"), ldap_err2string( rc ));
fputs( saved_rbuf, rfp );
fclose( rfp );
rfp = NULL;
}
}
free( rbuf );
free( saved_rbuf );
}
ldaptool_reset_control_array( ldaptool_request_ctrls );
/* turn off bulk import?*/
if (bulkimport_suffix) {
struct berval bv, *retdata;
char *retoid;
bv.bv_val = "";
bv.bv_len = 0;
if ((rc = ldap_extended_operation_s(ld,
BULKIMPORT_STOP_OID, &bv, NULL,
NULL, &retoid, &retdata)) != 0) {
fprintf(stderr, gettext("Error: unable to service "
"extended operation request\n\t '%s' for "
"bulk import\n\t(rc:%d:'%s')\n"),
BULKIMPORT_STOP_OID, rc, ldap_err2string(rc));
return (rc);
}
if (retoid)
ldap_memfree(retoid);
if (retdata)
ber_bvfree(retdata);
}
#ifdef SOLARIS_LDAP_CMD
mutex_lock(&read_mutex);
#endif
ldaptool_cleanup( ld );
#ifdef SOLARIS_LDAP_CMD
mutex_unlock(&read_mutex);
#endif
return( rc );
}
/* If we only have a bindpw then try to join in a bit of a degraded mode.
* This is going to duplicate some of the server-side code to determine
* the state of the entry.
*/
static int
join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bindpw, const char *basedn, const char **princ, const char **subject, int quiet)
{
LDAP *ld;
char *filter = NULL;
int rval = 0;
char *oidresult = NULL;
struct berval valrequest;
struct berval *valresult = NULL;
int rc, ret;
char *ldap_base = NULL;
char *search_base = NULL;
*binddn = NULL;
*princ = NULL;
*subject = NULL;
if (NULL != basedn) {
ldap_base = strdup(basedn);
if (!ldap_base) {
if (!quiet)
fprintf(stderr, _("Out of memory!\n"));
rval = 3;
goto done;
}
} else {
if (get_root_dn(ipaserver, &ldap_base) != 0) {
if (!quiet)
fprintf(stderr, _("Unable to determine root DN of %s\n"),
ipaserver);
rval = 14;
goto done;
}
}
ret = asprintf(binddn, "fqdn=%s,cn=computers,cn=accounts,%s", hostname, ldap_base);
if (ret == -1)
{
if (!quiet)
fprintf(stderr, _("Out of memory!\n"));
rval = 3;
goto done;
}
ld = connect_ldap(ipaserver, *binddn, bindpw);
if (!ld) {
if (!quiet)
fprintf(stderr, _("Incorrect password.\n"));
rval = 15;
goto done;
}
if (get_subject(ld, ldap_base, subject, quiet) != 0) {
if (!quiet)
fprintf(stderr,
_("Unable to determine certificate subject of %s\n"),
ipaserver);
/* Not a critical failure */
}
valrequest.bv_val = (char *)hostname;
valrequest.bv_len = strlen(hostname);
if ((rc = ldap_extended_operation_s(ld, JOIN_OID, &valrequest, NULL, NULL, &oidresult, &valresult)) != LDAP_SUCCESS) {
char *s = NULL;
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &s);
#else
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &s);
#endif
if (!quiet)
fprintf(stderr, _("Enrollment failed. %s\n"), s);
if (debug) {
fprintf(stderr, "ldap_extended_operation_s failed: %s",
ldap_err2string(rc));
}
rval = 13;
goto ldap_done;
}
/* Get the value from the result returned by the server. */
*princ = strdup(valresult->bv_val);
ldap_done:
free(filter);
free(search_base);
free(ldap_base);
if (ld != NULL) {
ldap_unbind_ext(ld, NULL, NULL);
}
done:
if (valresult) ber_bvfree(valresult);
if (oidresult) free(oidresult);
return rval;
}
