int ad_mod_replace_binary(char *dn, char *attribute, char *data, int data_length) {
LDAP *ds;
LDAPMod *attrs[2];
LDAPMod attr;
struct berval *values[2];
struct berval ber_data;
int result;
ds=ad_login();
if(!ds) return ad_error_code;
ber_data.bv_val = data;
ber_data.bv_len = data_length;
values[0] = &ber_data;
values[1] = NULL;
attr.mod_op = LDAP_MOD_REPLACE|LDAP_MOD_BVALUES;
attr.mod_type = attribute;
attr.mod_bvalues = values;
attrs[0] = &attr;
attrs[1] = NULL;
result = ldap_modify_s(ds, dn, attrs);
if(result!=LDAP_SUCCESS) {
snprintf(ad_error_msg, MAX_ERR_LENGTH, "Error in ad_mod_replace_binary, ldap_mod_s: %s\n", ldap_err2string(result));
ad_error_code=AD_LDAP_OPERATION_FAILURE;
} else {
ad_error_code=AD_SUCCESS;
}
return ad_error_code;
}
int ldap_delfromgroup(char *account, const char *group)
{
LDAPMod **mods;
int num_mods;
int rc, i;
if(!admin_bind && LDAP_SUCCESS != ( rc = ldap_do_admin_bind())) {
log_module(MAIN_LOG, LOG_ERROR, "failed to bind as admin");
return rc;
}
mods = make_mods_group(account, LDAP_MOD_DELETE, &num_mods);
if(!mods) {
log_module(MAIN_LOG, LOG_ERROR, "Error building mods for delfromgroup");
return LDAP_OTHER;
}
rc = ldap_modify_s(ld, group, mods);
if(rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_ATTRIBUTE) {
log_module(MAIN_LOG, LOG_ERROR, "Error removing %s from group %s: %s", account, group, ldap_err2string(rc));
return rc;
}
for(i = 0; i < num_mods; i++) {
free(mods[i]->mod_type);
free(mods[i]);
}
free(mods);
return rc;
}
char *
gfarm_generic_info_modify(
void *key,
LDAPMod **modv,
const struct gfarm_generic_info_ops *ops)
{
int rv;
char *dn = ops->make_dn(key);
char *error;
if (dn == NULL)
return (GFARM_ERR_NO_MEMORY);
if ((error = gfarm_ldap_check()) != NULL)
return (error);
rv = ldap_modify_s(gfarm_ldap_server, dn, modv);
free(dn);
switch (rv) {
case LDAP_SUCCESS:
return (NULL);
case LDAP_NO_SUCH_OBJECT:
return (GFARM_ERR_NO_SUCH_OBJECT);
case LDAP_ALREADY_EXISTS:
return (GFARM_ERR_ALREADY_EXISTS);
default:
return (ldap_err2string(rv));
}
}
/* set the given attribute to the given value. If value is NULL, unset it */
static
idmap_stat
idmap_ad_set(idmap_nm_handle_t *p, char *dn, char *attr, char *value)
{
idmap_stat rc = IDMAP_SUCCESS;
int ldap_rc;
char *new_values[2] = {NULL, NULL};
LDAPMod *mods[2] = {NULL, NULL};
mods[0] = (LDAPMod *)calloc(1, sizeof (LDAPMod));
mods[0]->mod_type = strdup(attr);
if (value != NULL) {
mods[0]->mod_op = LDAP_MOD_REPLACE;
new_values[0] = strdup(value);
mods[0]->mod_values = new_values;
} else {
mods[0]->mod_op = LDAP_MOD_DELETE;
mods[0]->mod_values = NULL;
}
ldap_rc = ldap_modify_s(p->ad, dn, mods);
if (ldap_rc != LDAP_SUCCESS) {
namemap_log(
gettext("Ldap modify of %s, attribute %s failed. (%s)"),
dn, attr, ldap_err2string(ldap_rc));
rc = IDMAP_ERR_INTERNAL;
}
ldap_mods_free(mods, 0);
return (rc);
}
status
ChangePasswd(LDAP *ld, char *user, char *passwd)
{
LDAPMod *attributes[2];
LDAPMod attribute1;
char * pass_value[] = {passwd,NULL};
char *dn = GetClientDN(user);
/* userPassword */
attribute1.mod_op = LDAP_MOD_REPLACE;
attribute1.mod_type = "userPassword";
attribute1.mod_vals.modv_strvals = pass_value;
attributes[0] = &attribute1;
attributes[1] = NULL;
if ( ldap_modify_s(ld, dn, attributes) != LDAP_SUCCESS ) {
fprintf(stderr,"LDAP ERROR: No pudo cambiarse la clave del cliente\n");
return ERROR;
}
free(dn);
return OK;
}
/* ARGSUSED */
int _ns_ldap_modify_s(char *service, int flags,
char *dn, LDAPMod **mods)
{
LDAP *ld = __s_api_getLDAPconn(flags);
return (ldap_modify_s(ld, dn, mods));
}
int ad_mod_delete(char *dn, char *attribute, char *value) {
LDAP *ds;
LDAPMod *attrs[2];
LDAPMod attr;
char *values[2];
int result;
ds=ad_login();
if(!ds) return ad_error_code;
values[0] = value;
values[1] = NULL;
attr.mod_op = LDAP_MOD_DELETE;
attr.mod_type = attribute;
attr.mod_values = values;
attrs[0] = &attr;
attrs[1] = NULL;
result = ldap_modify_s(ds, dn, attrs);
if(result!=LDAP_SUCCESS) {
snprintf(ad_error_msg, MAX_ERR_LENGTH, "Error in ad_mod_replace, ldap_mod_s: %s\n", ldap_err2string(result));
ad_error_code=AD_LDAP_OPERATION_FAILURE;
} else {
ad_error_code=AD_SUCCESS;
}
return ad_error_code;
}
int ldap_add2group(char *account, const char *group)
{
LDAPMod **mods;
int num_mods;
int rc, i;
if(!admin_bind && LDAP_SUCCESS != ( rc = ldap_do_admin_bind())) {
log_module(MAIN_LOG, LOG_ERROR, "failed to bind as admin");
return rc;
}
mods = make_mods_group(account, LDAP_MOD_ADD, &num_mods);
if(!mods) {
log_module(MAIN_LOG, LOG_ERROR, "Error building mods for add2group");
return LDAP_OTHER;
}
rc = ldap_modify_s(ld, group, mods);
if(rc != LDAP_SUCCESS && rc != LDAP_TYPE_OR_VALUE_EXISTS) {
log_module(MAIN_LOG, LOG_ERROR, "Error adding %s to group %s: %s", account, group, ldap_err2string(rc));
return rc;
}
for(i = 0; i < num_mods; i++) {
free(mods[i]->mod_type);
free(mods[i]);
}
free(mods);
return rc;
}
int
main( int argc, char **argv )
{
LDAP *ld;
LDAPMod mod0, mod1, *mods[ 3 ];
char *vals0[ 2 ], *vals1[ 2 ], buf[ 128 ];
time_t now;
/* get an LDAP session handle and authenticate */
if ( (ld = ldap_init( MY_HOST, MY_PORT )) == NULL ) {
perror( "ldap_init" );
return( 1 );
}
if ( ldap_simple_bind_s( ld, MGR_DN, MGR_PW ) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_simple_bind_s" );
return( 1 );
}
/* construct the list of modifications to make */
mod0.mod_op = LDAP_MOD_REPLACE;
mod0.mod_type = "mail";
vals0[0] = "*****@*****.**";
vals0[1] = NULL;
mod0.mod_values = vals0;
mod1.mod_op = LDAP_MOD_ADD;
mod1.mod_type = "description";
time( &now );
sprintf( buf, "This entry was modified with the modattrs program on %s",
ctime( &now ));
/* Get rid of \n which ctime put on the end of the time string */
if ( buf[ strlen( buf ) - 1 ] == '\n' ) {
buf[ strlen( buf ) - 1 ] = '\0';
}
vals1[ 0 ] = buf;
vals1[ 1 ] = NULL;
mod1.mod_values = vals1;
mods[ 0 ] = &mod0;
mods[ 1 ] = &mod1;
mods[ 2 ] = NULL;
/* make the change and clean up after ourselves */
if ( ldap_modify_s( ld, ENTRYDN, mods ) != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_modify_s" );
return( 1 );
}
ldap_unbind( ld );
printf( "modification was successful\n" );
return( 0 );
}
/* Sets the depot status. */
void set_depot_attr (LDAP *ldap, char *dn, char *attr, char *value)
{
LDAPMod **mods;
mods = (LDAPMod **) malloc (2 * sizeof (LDAPMod *));
mods[0] = (LDAPMod *) malloc (sizeof (LDAPMod));
mods[1] = NULL;
mods[0]->mod_op = LDAP_MOD_REPLACE;
mods[0]->mod_type = strdup (attr);
mods[0]->mod_values = (char **) malloc (2 * sizeof (char *));
mods[0]->mod_values[0] = strdup (value);
mods[0]->mod_values[1] = NULL;
ldap_modify_s (ldap, dn, mods);
ldap_mods_free(mods, 1);
}
NTSTATUS kuhl_m_sid_add(int argc, wchar_t * argv[])
{
PLDAP ld;
DWORD dwErr;
PCWCHAR szName;
PWCHAR domain = NULL;
PLDAPMessage pMessage = NULL;
BERVAL NewSid;
PBERVAL pNewSid[2] = {&NewSid, NULL};
LDAPMod Modification = {LDAP_MOD_ADD | LDAP_MOD_BVALUES, L"sIDHistory"};
PLDAPMod pModification[2] = {&Modification, NULL};
Modification.mod_vals.modv_bvals = pNewSid;
if(kull_m_string_args_byName(argc, argv, L"new", &szName, NULL))
{
if(ConvertStringSidToSid(szName, (PSID *) &NewSid.bv_val) || kull_m_token_getSidDomainFromName(szName, (PSID *) &NewSid.bv_val, &domain, NULL, NULL))
{
if(IsValidSid((PSID) NewSid.bv_val))
{
NewSid.bv_len = GetLengthSid((PSID) NewSid.bv_val);
if(kuhl_m_sid_quickSearch(argc, argv, TRUE, NULL, &ld, &pMessage))
{
kprintf(L"\n * Will try to add \'%s\' this new SID:\'", Modification.mod_type);
kull_m_string_displaySID(NewSid.bv_val);
kprintf(L"\': ");
dwErr = ldap_modify_s(ld, ldap_get_dn(ld, pMessage), pModification);
if(dwErr == LDAP_SUCCESS)
kprintf(L"OK!\n");
else PRINT_ERROR(L"ldap_modify_s 0x%x (%u)\n", dwErr, dwErr);
if(pMessage)
ldap_msgfree(pMessage);
ldap_unbind(ld);
}
}
else PRINT_ERROR(L"Invalid SID\n");
LocalFree(NewSid.bv_val);
if(domain)
LocalFree(domain);
}
else PRINT_ERROR_AUTO(L"ConvertStringSidToSid / kull_m_token_getSidDomainFromName");
}
else PRINT_ERROR(L"/new:sid or /new:resolvable_name is needed");
return STATUS_SUCCESS;
}
/* Save OpServ level to LDAP
*
* level - OpServ level
*
* A level of <0 will be treated as 0
*/
int ldap_do_oslevel(const char *account, int level, int oldlevel)
{
LDAPMod **mods;
static char *oslevel_vals[] = { NULL, NULL };
char dn[MAXLEN], temp[MAXLEN];
int rc;
if(!admin_bind && LDAP_SUCCESS != ( rc = ldap_do_admin_bind())) {
log_module(MAIN_LOG, LOG_ERROR, "failed to bind as admin");
return rc;
}
if (level < 0) {
level = 0;
}
snprintf(temp, MAXLEN-1, "%d", (level ? level : oldlevel));
oslevel_vals[0] = (char *) temp;
if(!(nickserv_conf.ldap_field_oslevel && *nickserv_conf.ldap_field_oslevel))
return 0;
snprintf(dn, MAXLEN-1, nickserv_conf.ldap_dn_fmt, account);
mods = ( LDAPMod ** ) malloc(( 1 ) * sizeof( LDAPMod * ));
mods[0] = (LDAPMod *) malloc(sizeof(LDAPMod));
memset(mods[0], 0, sizeof(LDAPMod));
mods[0]->mod_op = (level ? LDAP_MOD_REPLACE : LDAP_MOD_DELETE);
mods[0]->mod_type = strdup(nickserv_conf.ldap_field_oslevel);
mods[0]->mod_values = oslevel_vals;
mods[1] = NULL;
rc = ldap_modify_s(ld, dn, mods);
if(rc != LDAP_SUCCESS) {
log_module(MAIN_LOG, LOG_ERROR, "Error modifying ldap OpServ level: %s -- %s", account, ldap_err2string(rc));
//return rc;
}
free(mods[0]->mod_type);
free(mods[0]);
free(mods);
return rc;
}
static int dm_ldap_mod_field(u64_t user_idnr, const char *fieldname, const char *newvalue)
{
LDAPMod *mods[2], modField;
char *newvalues[2], *dn;
int err;
LDAP *_ldap_conn = ldap_con_get();
if (! user_idnr) {
TRACE(TRACE_ERR, "no user_idnr specified");
return FALSE;
}
if (! fieldname) {
TRACE(TRACE_ERR, "no fieldname specified");
return FALSE;
}
if (! newvalue) {
TRACE(TRACE_ERR, "no new value specified");
return FALSE;
}
if (! (dn = dm_ldap_user_getdn(user_idnr)))
return FALSE;
newvalues[0] = (char *)newvalue;
newvalues[1] = NULL;
modField.mod_op = LDAP_MOD_REPLACE;
modField.mod_type = (char *)fieldname;
modField.mod_values = newvalues;
mods[0] = &modField;
mods[1] = NULL;
err = ldap_modify_s(_ldap_conn, dn, mods);
if (err) {
TRACE(TRACE_ERR,"dn: %s, %s: %s [%s]", dn, fieldname, newvalue, ldap_err2string(err));
ldap_memfree(dn);
return FALSE;
}
TRACE(TRACE_DEBUG,"dn: %s, %s: %s", dn, fieldname, newvalue);
ldap_memfree(dn);
return TRUE;
}
void LDAPSession::modifyStringValue ( string dn,
const list<LDAPStringValue>& values )
{
list<LDAPStringValue>::const_iterator it=values.begin();
list<LDAPStringValue>::const_iterator end=values.end();
int i=0;
LDAPMod** mods= ( LDAPMod** ) malloc (
sizeof ( LDAPMod* ) *values.size() +1 );
for ( ;it!=end;++it )
{
mods[i]= ( LDAPMod* ) malloc ( sizeof ( LDAPMod ) );
mods[i]->mod_op=LDAP_MOD_REPLACE;
mods[i]->mod_type= ( char* ) malloc (
sizeof ( char ) *
( *it ).attr.length() );
strcpy ( mods[i]->mod_type, ( *it ).attr.c_str() );
list<string>::const_iterator sit= ( *it ).value.begin();
list<string>::const_iterator send= ( *it ).value.end();
int j=0;
mods[i]->mod_vals.modv_strvals= ( char** ) malloc (
sizeof ( char* ) *
( *it ).value.size() +1 );
for ( ;sit!=send;++sit )
{
mods[i]->mod_vals.modv_strvals[j]=
( char* ) malloc ( sizeof ( char ) *
( *sit ).length() );
strcpy ( mods[i]->mod_vals.modv_strvals[j],
( *sit ).c_str() );
++j;
}
mods[i]->mod_vals.modv_strvals[j]=0l;
++i;
}
mods[i]=0l;
int errc= ldap_modify_s ( ld,dn.c_str(),mods );
if ( errc != LDAP_SUCCESS )
throw LDAPExeption ( "ldap_modify_s",ldap_err2string ( errc ) );
ldap_mods_free ( mods,1 );
}
/* ad_setpass sets the password for the given user
returns AD_SUCCESS on success */
int ad_setpass(char *dn, char *password) {
LDAP *ds;
char quoted_password[MAX_PASSWORD_LENGTH+2];
char unicode_password[(MAX_PASSWORD_LENGTH+2)*2];
int i;
LDAPMod *attrs[2];
LDAPMod attr1;
struct berval *bervalues[2];
struct berval pw;
int result;
ds=ad_login();
if(!ds) return ad_error_code;
/* put quotes around the password */
snprintf(quoted_password, sizeof(quoted_password), "\"%s\"", password);
/* unicode the password string */
memset(unicode_password, 0, sizeof(unicode_password));
for(i=0; i<strlen(quoted_password); i++)
unicode_password[i*2]=quoted_password[i];
pw.bv_val = unicode_password;
pw.bv_len = strlen(quoted_password)*2;
bervalues[0]=&pw;
bervalues[1]=NULL;
attr1.mod_type="unicodePwd";
attr1.mod_op = LDAP_MOD_REPLACE|LDAP_MOD_BVALUES;
attr1.mod_bvalues = bervalues;
attrs[0]=&attr1;
attrs[1]=NULL;
result = ldap_modify_s(ds, dn, attrs);
if(result!=LDAP_SUCCESS) {
snprintf(ad_error_msg, MAX_ERR_LENGTH, "Error in ldap_modify for password: %s", ldap_err2string(result));
ad_error_code=AD_LDAP_OPERATION_FAILURE;
} else {
ad_error_code=AD_SUCCESS;
}
return ad_error_code;
}
/* Save email or password to server
*
* password - UNENCRYPTED password. This function encrypts if libs are available
* email - email address
*
* NULL to make no change
*/
int ldap_do_modify(const char *account, const char *password, const char *email)
{
char dn[MAXLEN];
LDAPMod **mods;
int rc, i;
int num_mods;
char *passbuf = NULL;
if(!admin_bind && LDAP_SUCCESS != ( rc = ldap_do_admin_bind())) {
log_module(MAIN_LOG, LOG_ERROR, "failed to bind as admin");
return rc;
}
if(password) {
passbuf = make_password(password);
}
snprintf(dn, MAXLEN-1, nickserv_conf.ldap_dn_fmt, account);
mods = make_mods_modify(passbuf, email, &num_mods);
if(!mods) {
log_module(MAIN_LOG, LOG_ERROR, "Error building mods for ldap_do_modify");
return LDAP_OTHER;
}
rc = ldap_modify_s(ld, dn, mods);
if(rc != LDAP_SUCCESS) {
log_module(MAIN_LOG, LOG_ERROR, "Error modifying ldap account: %s -- %s", account, ldap_err2string(rc));
// return rc;
}
for(i = 0; i < num_mods; i++) {
free(mods[i]->mod_type);
free(mods[i]);
}
free(mods);
if(passbuf)
free(passbuf);
return rc;
}
DWORD
LwLdapModify(
HANDLE hDirectory,
PCSTR pszDN,
LDAPMod** ppMods
)
{
PLW_LDAP_DIRECTORY_CONTEXT pDirectory = NULL;
DWORD dwError = 0;
pDirectory = (PLW_LDAP_DIRECTORY_CONTEXT)hDirectory;
dwError = ldap_modify_s(
pDirectory->ld,
pszDN,
ppMods);
BAIL_ON_LDAP_ERROR(dwError);
cleanup:
return dwError;
error:
goto cleanup;
}
NTSTATUS kuhl_m_sid_clear(int argc, wchar_t * argv[])
{
PLDAP ld;
DWORD dwErr;
PLDAPMessage pMessage = NULL;
LDAPMod Modification = {LDAP_MOD_DELETE, L"sIDHistory", NULL};
PLDAPMod pModification[2] = {&Modification, NULL};
if(kuhl_m_sid_quickSearch(argc, argv, TRUE, NULL, &ld, &pMessage))
{
kprintf(L"\n * Will try to clear \'%s\': ", Modification.mod_type);
dwErr = ldap_modify_s(ld, ldap_get_dn(ld, pMessage), pModification);
if(dwErr == LDAP_SUCCESS)
kprintf(L"OK!\n");
else if(dwErr == LDAP_NO_SUCH_ATTRIBUTE)
PRINT_ERROR(L"No sIDHistory attribute\n");
else PRINT_ERROR(L"ldap_modify_s 0x%x (%u)\n", dwErr, dwErr);
if(pMessage)
ldap_msgfree(pMessage);
ldap_unbind(ld);
}
return STATUS_SUCCESS;
}
int
meta_back_modify(
Backend *be,
Connection *conn,
Operation *op,
struct berval *dn,
struct berval *ndn,
Modifications *modlist
)
{
struct metainfo *li = ( struct metainfo * )be->be_private;
struct metaconn *lc;
LDAPMod **modv;
LDAPMod *mods;
Modifications *ml;
int candidate = -1, i;
char *mdn;
struct berval mapped;
lc = meta_back_getconn( li, conn, op, META_OP_REQUIRE_SINGLE,
ndn, &candidate );
if ( !lc || !meta_back_dobind( lc, op )
|| !meta_back_is_valid( lc, candidate ) ) {
send_ldap_result( conn, op, LDAP_OTHER,
NULL, NULL, NULL, NULL );
return -1;
}
/*
* Rewrite the modify dn, if needed
*/
switch ( rewrite_session( li->targets[ candidate ]->rwinfo,
"modifyDn", dn->bv_val, conn, &mdn ) ) {
case REWRITE_REGEXEC_OK:
if ( mdn == NULL ) {
mdn = ( char * )dn->bv_val;
}
#ifdef NEW_LOGGING
LDAP_LOG( BACK_META, DETAIL1,
"[rw] modifyDn: \"%s\" -> \"%s\"\n", dn->bv_val, mdn, 0 );
#else /* !NEW_LOGGING */
Debug( LDAP_DEBUG_ARGS, "rw> modifyDn: \"%s\" -> \"%s\"\n%s",
dn->bv_val, mdn, "" );
#endif /* !NEW_LOGGING */
break;
case REWRITE_REGEXEC_UNWILLING:
send_ldap_result( conn, op, LDAP_UNWILLING_TO_PERFORM,
NULL, "Operation not allowed", NULL, NULL );
return -1;
case REWRITE_REGEXEC_ERR:
send_ldap_result( conn, op, LDAP_OTHER,
NULL, "Rewrite error", NULL, NULL );
return -1;
}
for ( i = 0, ml = modlist; ml; i++ ,ml = ml->sml_next )
;
mods = ch_malloc( sizeof( LDAPMod )*i );
if ( mods == NULL ) {
if ( mdn != dn->bv_val ) {
free( mdn );
}
return -1;
}
modv = ( LDAPMod ** )ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) );
if ( modv == NULL ) {
free( mods );
if ( mdn != dn->bv_val ) {
free( mdn );
}
return -1;
}
for ( i = 0, ml = modlist; ml; ml = ml->sml_next ) {
int j;
if ( ml->sml_desc->ad_type->sat_no_user_mod ) {
continue;
}
ldap_back_map( &li->targets[ candidate ]->at_map,
&ml->sml_desc->ad_cname, &mapped,
BACKLDAP_MAP );
if ( mapped.bv_val == NULL || mapped.bv_val[0] == '\0' ) {
continue;
}
modv[ i ] = &mods[ i ];
mods[ i ].mod_op = ml->sml_op | LDAP_MOD_BVALUES;
mods[ i ].mod_type = mapped.bv_val;
/*
* FIXME: dn-valued attrs should be rewritten
* to allow their use in ACLs at the back-ldap
* level.
*/
if ( strcmp( ml->sml_desc->ad_type->sat_syntax->ssyn_oid,
SLAPD_DN_SYNTAX ) == 0 ) {
ldap_dnattr_rewrite(
li->targets[ candidate ]->rwinfo,
ml->sml_bvalues, conn );
}
if ( ml->sml_bvalues != NULL ){
for (j = 0; ml->sml_bvalues[ j ].bv_val; j++);
mods[ i ].mod_bvalues = (struct berval **)ch_malloc((j+1) *
sizeof(struct berval *));
for (j = 0; ml->sml_bvalues[ j ].bv_val; j++)
mods[ i ].mod_bvalues[ j ] = &ml->sml_bvalues[j];
mods[ i ].mod_bvalues[ j ] = NULL;
} else {
mods[ i ].mod_bvalues = NULL;
}
i++;
}
modv[ i ] = 0;
ldap_modify_s( lc->conns[ candidate ].ld, mdn, modv );
if ( mdn != dn->bv_val ) {
free( mdn );
}
for ( i=0; modv[ i ]; i++)
free( modv[ i ]->mod_bvalues );
free( mods );
free( modv );
return meta_back_op_result( lc, op );
}
static int auth_ldap_do3(const char *attrname,
const char *user, const char *pass,
int (*callback)(struct authinfo *, void *),
void *arg, const char *newpass,
const char *authaddr)
{
char *newpass_crypt=0;
const char *attributes[10], *ldap_attributes[10];
struct timeval timeout;
LDAPMessage *result;
LDAPMessage *entry;
char *filter, *dn;
int i, j;
struct authinfo auth;
char *homeDir=0;
char *mailDir=0;
char *userPassword=0;
char *cryptPassword=0;
char *cn=0;
uid_t au;
gid_t ag;
int rc;
char *quota=0;
int additionalFilter = 0;
int hasAdditionalFilter = 0;
hasAdditionalFilter = my_ldap.filter != 0;
memset(&auth, 0, sizeof(auth));
if (hasAdditionalFilter)
{
/* To add the additional filter, we need to add on the
* additional size for "(&)" and the other filter. So
* filter+3
*/
additionalFilter = strlen(my_ldap.filter) + 3;
}
if ((filter=malloc(additionalFilter+strlen(attrname)+strlen(user)+
(my_ldap.domain ? strlen(my_ldap.domain):0)+
sizeof ("(=@)"))) == 0)
{
perror("malloc");
return 1;
}
strcpy(filter, "\0");
if (hasAdditionalFilter)
{
strcat(filter, "(&");
strcat(filter, my_ldap.filter);
}
strcat(strcat(strcat(strcat(filter, "("), attrname), "="), user);
if ( my_ldap.domain && my_ldap.domain[0] && strchr(user, '@') == 0 )
strcat(strcat(filter, "@"), my_ldap.domain);
strcat(filter, ")");
if (hasAdditionalFilter)
{
strcat(filter, ")");
}
timeout.tv_sec=my_ldap.timeout;
timeout.tv_usec=0;
read_env("LDAP_HOMEDIR", &attributes[0], "", 0, "homeDir");
read_env("LDAP_MAILDIR", &attributes[1], "", 0, 0);
read_env("LDAP_FULLNAME", &attributes[2], "", 0, "cn");
read_env("LDAP_CLEARPW", &attributes[3], "", 0, 0);
read_env("LDAP_CRYPTPW", &attributes[4], "", 0, 0);
read_env("LDAP_UID", &attributes[5], "", 0, 0);
read_env("LDAP_GID", &attributes[6], "", 0, 0);
attributes[7]=my_ldap.mail;
read_env("LDAP_MAILDIRQUOTA", &attributes[8], "", 0, 0);
j=0;
for (i=0; i<9; i++)
{
if (attributes[i])
ldap_attributes[j++]=attributes[i];
}
ldap_attributes[j]=0;
if (ldaperror(ldap_search_st(my_ldap_fp,
(char *)my_ldap.basedn,LDAP_SCOPE_SUBTREE,
filter, (char **)ldap_attributes, 0,
&timeout, &result)
!= LDAP_SUCCESS))
{
free(filter);
if (my_ldap_fp) return (-1);
return (1);
}
free(filter);
/* If we are more than one result, reject */
if (ldap_count_entries(my_ldap_fp,result)!=1)
{
ldap_msgfree(result);
return -1;
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"Nombre de résulat: %d\n",ldap_count_entries(my_ldap_fp,result));
#endif
dn = ldap_get_dn(my_ldap_fp, result);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"DN: %s\n",dn);
#endif
if (dn == NULL)
{
ldap_perror(my_ldap_fp, "ldap_get_dn");
return -1;
}
/* Get the pointer on this result */
entry=ldap_first_entry(my_ldap_fp,result);
if (entry==NULL)
{
ldap_perror(my_ldap_fp,"ldap_first_entry");
free(dn);
return -1;
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"after ldap_first_entry\n");
#endif
/* Copy the directory and the password into struct */
copy_value(my_ldap_fp,entry,attributes[0],&homeDir, user);
if (attributes[1])
copy_value(my_ldap_fp,entry,attributes[1],&mailDir, user);
copy_value(my_ldap_fp,entry,attributes[2],&cn, user);
if (attributes[3])
copy_value(my_ldap_fp,entry,attributes[3],&userPassword, user);
if (attributes[4])
copy_value(my_ldap_fp,entry,attributes[4],&cryptPassword, user);
au=my_ldap.uid;
ag=my_ldap.gid;
if (attributes[5])
{
char *p=0;
unsigned long n;
copy_value(my_ldap_fp, entry, attributes[5], &p, user);
if (p) {
if (sscanf(p, "%lu", &n) > 0)
au= (uid_t)n;
free(p);
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"au= %d\n",au);
#endif
}
if (attributes[6])
{
char *p=0;
unsigned long n;
copy_value(my_ldap_fp, entry, attributes[6], &p, user);
if (p) {
if (sscanf(p, "%lu", &n) > 0)
ag= (gid_t)n;
free(p);
}
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"ag= %d\n",ag);
#endif
}
if (attributes[8])
copy_value(my_ldap_fp,entry,attributes[8],"a, user);
if (homeDir != 0 && my_ldap.mailroot != 0 && *my_ldap.mailroot)
{
char *new_mailroot=malloc(strlen(homeDir)+
strlen(my_ldap.mailroot)+2);
if (!new_mailroot)
{
syslog(LOG_DAEMON|LOG_CRIT, "authldap: malloc failed");
rc= -1;
}
else
{
strcat(strcat(strcpy(new_mailroot, my_ldap.mailroot),
"/"), homeDir);
free(homeDir);
homeDir=new_mailroot;
}
}
auth.sysusername=user;
auth.sysuserid= &au;
auth.sysgroupid= ag;
auth.homedir=homeDir;
auth.address=authaddr;
auth.fullname=cn;
auth.maildir=mailDir;
auth.clearpasswd=userPassword;
auth.passwd=cryptPassword;
auth.quota=quota;
if (auth.sysusername == 0)
auth.sysusername=auth.address="";
if (homeDir == 0)
auth.homedir="";
rc=0;
if (au == 0 || ag == 0)
{
syslog(LOG_DAEMON|LOG_CRIT,
"authlib: refuse to authenticate %s: uid=%d, gid=%d\n",
user, au, ag);
rc= 1;
}
if (pass)
{
if (my_ldap.authbind)
{
LDAP *bindp=ldapconnect();
if (!bindp)
rc=1;
else
{
#if HAVE_LDAP_TLS
if(my_ldap.tls && enable_tls_on(bindp)) {
#if HAVE_SYSLOG_H
syslog(LOG_DAEMON|LOG_CRIT, "authlib: LDAP_TLS enabled but I'm unable to start tls, check your config\n");
#endif
rc = 1;
} else {
#endif
switch (ldap_simple_bind_s(bindp, dn, (char *)pass))
{
case LDAP_SUCCESS:
break;
case LDAP_INVALID_CREDENTIALS:
rc = -1;
break;
default:
rc = 1;
break;
}
#if HAVE_LDAP_TLS
}
#endif
ldap_unbind(bindp);
}
if (rc == 0 && newpass)
{
if ((newpass_crypt=authcryptpasswd(newpass,
NULL))
== 0)
rc= -1;
}
}
else
{
if (auth.clearpasswd)
{
if (strcmp(pass,auth.clearpasswd))
rc= -1;
}
else
{
const char *p=auth.passwd;
if (p && strncasecmp(p, "{crypt}", 7) == 0)
p += 7; /* For authcheckpassword */
if (!p || authcheckpassword(pass, p))
rc= -1;
}
if (rc == 0 && newpass && auth.passwd)
{
if ((newpass_crypt=authcryptpasswd(newpass,
auth.passwd)
) == 0)
rc= -1;
}
}
}
if (rc == 0 && newpass)
{
LDAPMod *mods[3];
int mod_index=0;
LDAPMod mod_clear, mod_crypt;
char *mod_clear_vals[2], *mod_crypt_vals[2];
if (attributes[3])
{
mods[mod_index]= &mod_clear;
mod_clear.mod_op=LDAP_MOD_REPLACE;
mod_clear.mod_type=(char *)attributes[3];
mod_clear.mod_values=mod_clear_vals;
mod_clear_vals[0]=(char *)newpass;
mod_clear_vals[1]=NULL;
++mod_index;
}
if (attributes[4] && newpass_crypt)
{
mods[mod_index]= &mod_crypt;
mod_crypt.mod_op=LDAP_MOD_REPLACE;
mod_crypt.mod_type=(char *)attributes[4];
mod_crypt.mod_values=mod_crypt_vals;
mod_crypt_vals[0]=newpass_crypt;
mod_crypt_vals[1]=NULL;
++mod_index;
}
if (mod_index == 0)
rc= -1;
else
{
mods[mod_index]=0;
if (ldap_modify_s(my_ldap_fp, dn, mods))
{
rc= -1;
}
}
}
if (newpass_crypt)
free(newpass_crypt);
free (dn);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"before callback rc=%d\n",rc);
#endif
if (rc == 0 && callback)
rc= (*callback)(&auth, arg);
#if DEBUG_LDAP
syslog(LOG_DAEMON|LOG_CRIT,"after callback rc=%d\n",rc);
#endif
ldap_msgfree(result);
if (homeDir) free(homeDir);
if (mailDir) free(mailDir);
if (userPassword) free(userPassword);
if (cryptPassword) free(cryptPassword);
if (cn) free(cn);
if (quota) free(quota);
return (rc);
}
static krb5_error_code
LDAP_store(krb5_context context, HDB * db, unsigned flags,
hdb_entry * entry)
{
LDAPMod **mods = NULL;
krb5_error_code ret;
const char *errfn;
int rc;
LDAPMessage *msg = NULL, *e = NULL;
char *dn = NULL, *name = NULL;
ret = LDAP_principal2message(context, db, entry->principal, &msg);
if (ret == 0)
e = ldap_first_entry(HDB2LDAP(db), msg);
ret = krb5_unparse_name(context, entry->principal, &name);
if (ret) {
free(name);
return ret;
}
ret = hdb_seal_keys(context, db, entry);
if (ret)
goto out;
/* turn new entry into LDAPMod array */
ret = LDAP_entry2mods(context, db, entry, e, &mods);
if (ret)
goto out;
if (e == NULL) {
ret = asprintf(&dn, "krb5PrincipalName=%s,%s", name, HDB2CREATE(db));
if (ret < 0) {
krb5_set_error_string(context, "asprintf: out of memory");
ret = ENOMEM;
goto out;
}
} else if (flags & HDB_F_REPLACE) {
/* Entry exists, and we're allowed to replace it. */
dn = ldap_get_dn(HDB2LDAP(db), e);
} else {
/* Entry exists, but we're not allowed to replace it. Bail. */
ret = HDB_ERR_EXISTS;
goto out;
}
/* write entry into directory */
if (e == NULL) {
/* didn't exist before */
rc = ldap_add_s(HDB2LDAP(db), dn, mods);
errfn = "ldap_add_s";
} else {
/* already existed, send deltas only */
rc = ldap_modify_s(HDB2LDAP(db), dn, mods);
errfn = "ldap_modify_s";
}
if (check_ldap(context, db, rc)) {
char *ld_error = NULL;
ldap_get_option(HDB2LDAP(db), LDAP_OPT_ERROR_STRING,
&ld_error);
krb5_set_error_string(context, "%s: %s (dn=%s) %s: %s",
errfn, name, dn, ldap_err2string(rc), ld_error);
ret = HDB_ERR_CANT_LOCK_DB;
} else
ret = 0;
out:
/* free stuff */
if (dn)
free(dn);
if (msg)
ldap_msgfree(msg);
if (mods)
ldap_mods_free(mods, 1);
if (name)
free(name);
return ret;
}
int
ldapModifyEntry (RDFT rdf, RDF_Resource parent, RDF_Resource child, PRBool addFlag)
{
RDF_Cursor c;
RDF_Resource newParent, r;
char *urivals[2];
LDAP *ld;
LDAPMod urimod, *mods[2];
LDAPURLDesc *ldURL=NULL;
int err;
char *errStr, *parentID;
parentID = resourceID(parent);
if (containerp(child))
{
if (newParent = ldapNewContainer(parentID))
{
if ((c = RDF_GetSources(rdf->rdf->rdf, child,
gCoreVocab->RDF_parent, RDF_RESOURCE_TYPE, 1)) != NULL)
{
while ((r = RDF_NextValue(c)) != NULL)
{
err = ldapModifyEntry(rdf, newParent, r, addFlag);
if (err)
{
/* XXX MAJOR rollback issues!
Punt for now! */
return(err);
}
}
}
else
{
return(-1);
}
}
else
{
return(-1);
}
}
ldap_url_parse(parentID, &ldURL);
if (ldURL == NULL) return(-1);
ld = ldap_init (ldURL->lud_host, ldURL->lud_port);
if (ld == NULL)
{
ldap_free_urldesc(ldURL);
return(-1);
}
if ((err = ldap_simple_bind_s(ld, ADMIN_ID, ADMIN_PW)) /* XXX */
!= LDAP_SUCCESS)
{
if ((errStr = ldap_err2string(err)) != NULL)
{
XP_MakeHTMLAlert(NULL, errStr);
}
ldap_unbind(ld);
ldap_free_urldesc(ldURL);
return(-1);
}
urivals[0] = resourceID(child);
urivals[1] = NULL;
urimod.mod_op = ((addFlag == true) ? LDAP_MOD_ADD : LDAP_MOD_DELETE);
urimod.mod_type = "labeledURI";
urimod.mod_values = urivals;
mods[0] = &urimod;
mods[1] = NULL;
err = ldap_modify_s(ld, ldURL->lud_dn, mods);
if (err != LDAP_SUCCESS)
{
if ((errStr = ldap_err2string(err)) != NULL)
{
XP_MakeHTMLAlert(NULL, errStr);
}
}
ldap_unbind(ld);
ldap_free_urldesc(ldURL);
return(err);
}
/*
* Create or update an LDAP server binding entry.
*/
static void rpc_ns__ldap_export_server_element_ext(LDAP *ld,
char *dn,
rpc_if_handle_t if_spec,
rpc_binding_vector_p_t vec,
int modop,
unsigned32 *status
)
{
unsigned_char_p_t uuid = NULL;
unsigned_char_p_t interfaceID = NULL;
rpc_if_id_t if_id;
LDAPMod *modV[4];
LDAPMod modRpcNsInterfaceID, modRpcNsBindings, modObjectClass;
char **valueRpcNsBindings = NULL;
char *valueRpcNsInterfaceID[2], *valueObjectClass[3];
int rc;
unsigned i;
rpc_if_inq_id(if_spec, &if_id, status);
if (*status != rpc_s_ok) {
goto out;
}
/* Get the interface ID */
uuid_to_string(&if_id.uuid, &uuid, status);
if (*status != rpc_s_ok) {
goto out;
}
RPC_MEM_ALLOC(interfaceID, unsigned_char_p_t,
strlen(uuid) + sizeof(",65535.65535"),
RPC_C_MEM_NSRESOLUTION, RPC_C_MEM_WAITOK);
sprintf(interfaceID, "%s,%hu.%hu", uuid,
if_id.vers_major, if_id.vers_minor);
valueRpcNsInterfaceID[0] = interfaceID;
valueRpcNsInterfaceID[1] = NULL;
modRpcNsInterfaceID.mod_op = LDAP_MOD_ADD;
modRpcNsInterfaceID.mod_type = "rpcNsInterfaceID";
modRpcNsInterfaceID.mod_values = valueRpcNsInterfaceID;
RPC_MEM_ALLOC(valueRpcNsBindings, char **,
(vec->count * sizeof(char *)),
RPC_C_MEM_NSRESOLUTION, RPC_C_MEM_WAITOK);
memset(valueRpcNsBindings, 0, (vec->count * sizeof(unsigned_char_p_t)));
for (i = 0; i < vec->count; i++) {
rpc_binding_to_string_binding(vec->binding_h[i],
(unsigned_char_p_t *)&valueRpcNsBindings[i], status);
if (*status != rpc_s_ok) {
goto out;
}
}
valueRpcNsBindings[vec->count] = NULL;
modRpcNsBindings.mod_op = modop;
modRpcNsBindings.mod_type = "rpcNsBindings";
modRpcNsBindings.mod_values = valueRpcNsBindings;
valueObjectClass[0] = "rpcServerElement";
valueObjectClass[1] = "rpcEntry";
valueObjectClass[2] = "top";
modObjectClass.mod_op = modop;
modObjectClass.mod_type = "objectClass";
modObjectClass.mod_values = valueObjectClass;
modV[0] = &modRpcNsInterfaceID;
modV[1] = &modRpcNsBindings;
modV[2] = &modObjectClass;
modV[3] = NULL;
if (modop == LDAP_MOD_ADD) {
rc = ldap_add_s(ld, dn, modV);
} else {
rc = ldap_modify_s(ld, dn, modV);
}
*status = (rc == LDAP_SUCCESS) ? rpc_s_ok : rpc_s_update_failed;
out:
if (uuid != NULL)
free(uuid);
if (interfaceID != NULL)
free(interfaceID);
if (valueRpcNsBindings != NULL) {
char **p;
for (p = valueRpcNsBindings; *valueRpcNsBindings != NULL; p++) {
unsigned_char_p_t tmp = (unsigned_char_p_t)*p;
rpc_string_free(&tmp, status);
}
RPC_MEM_FREE(valueRpcNsBindings, RPC_C_MEM_NSRESOLUTION);
}
}
/*
* Expects the following structure to modify an entry:
*
* An array of mappings. Each mapping has the following fields:
*
* string|int op
* modop is one of:
* "add" (LDAP_MOD_ADD),
* "delete" (LDAP_MOD_DELETE),
* "replace" (LDAP_MOD_REPLACE)
*
* string type
* The type name of the attribute to modify (e.g. userPassword).
*
* string|array(string) values
* Value(s) to be used in this operation.
*/
static void
f_ldap_modify(INT32 args)
{
struct array *arr;
struct pike_string *dn;
struct mapping *m;
LDAPMod **mods;
int i, ret;
struct svalue *val;
if (!THIS->bound)
Pike_error("OpenLDAP.Client: attempting operation on an unbound connection\n");
get_all_args("OpenLDAP.Client->modify()", args, "%S%a", &dn, &arr);
mods = (LDAPMod**)calloc((arr->size + 1), sizeof(LDAPMod*));
if (!mods)
Pike_error("OpenLDAP.Client: OUT OF MEMORY!\n");
for (i = 0; i < arr->size; i++) {
mods[i] = (LDAPMod*)calloc(1, sizeof(LDAPMod));
if (!mods[i])
Pike_error("OpenLDAP.Client: OUT OF MEMORY!\n");
if (arr->item[i].type != T_MAPPING)
Pike_error("OpenLDAP.Client->modify(): array member is not a mapping.\n");
m = arr->item[i].u.mapping;
val = low_mapping_string_lookup(m, modify_op);
if (!val)
Pike_error("OpenLDAP.Client->modify(): invalid modification mapping. "
"Missing the '%s' field\n", "op");
if (val->type == T_INT) {
mods[i]->mod_op = val->u.integer;
} else if (val->type == T_STRING && val->u.string->size_shift == 0) {
if (c_compare_string(val->u.string, MOD_ADD_STR, sizeof(MOD_ADD_STR)))
mods[i]->mod_op = LDAP_MOD_ADD;
else if (c_compare_string(val->u.string, MOD_DELETE_STR, sizeof(MOD_DELETE_STR)))
mods[i]->mod_op = LDAP_MOD_DELETE;
else if (c_compare_string(val->u.string, MOD_REPLACE_STR, sizeof(MOD_REPLACE_STR)))
mods[i]->mod_op = LDAP_MOD_REPLACE;
} else {
Pike_error("OpenLDAP.Client->modify(): invalid 'op' value in modification mapping.\n");
}
mods[i]->mod_op |= LDAP_MOD_BVALUES;
val = low_mapping_string_lookup(m, modify_type);
if (!val)
Pike_error("OpenLDAP.Client->modify(): invalid modification mapping. "
"Missing the '%s' field\n", "type");
if (val->type != T_STRING || val->u.string->size_shift > 0)
Pike_error("OpenLDAP.Client->modify(): invalid modification mapping. "
"The '%s' field is not an 8-bit string\n", "type");
mods[i]->mod_type = val->u.string->str;
val = low_mapping_string_lookup(m, modify_values);
if (!val)
Pike_error("OpenLDAP.Client->modify(): invalid modification mapping. "
"Missing the '%s' field\n", "values");
if (val->type != T_ARRAY)
Pike_error("OpenLDAP.Client->modify(): invalid modification mapping. "
"The '%s' field is not an array\n", "values");
mods[i]->mod_bvalues = make_berval_array(val);
}
ret = ldap_modify_s(THIS->conn, dn->str, mods);
if (ret != LDAP_SUCCESS)
Pike_error("OpenLDAP.Client->modify(): %s\n",
ldap_err2string(ret));
free_mods(mods);
pop_n_elems(args);
}
