DWORD
VmAfdQueryCACertAndCrlAttributes(
LDAP* pLotus,
PVMAFD_CERT_ARRAY* ppCertificates,
PVMAFD_CRL_FILE_CONTAINER* ppCrls
)
{
DWORD dwError = 0;
PSTR pszFilter = "(objectClass=vmwCertificationAuthority)";
PSTR pszAttrCert = "cACertificate";
PSTR pszAttrCrl = "certificateRevocationList";
PSTR pszSearchBaseDN = NULL;
PSTR pszDomainName = NULL;
LDAPMessage* pSearchResult = NULL;
LDAPMessage* pCAResult = NULL;
PCHAR attrs[] = { pszAttrCert, pszAttrCrl, NULL};
int nCertCount = 0;
int nCrlCount = 0;
PVMAFD_CERT_ARRAY pCertArray = NULL;
PVMAFD_CRL_FILE_CONTAINER pCrlContainer = NULL;
struct berval** ppValues = NULL;
if (!ppCertificates || !ppCrls)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR(dwError);
}
dwError = VmAfdGetDefaultDomainName(
pLotus,
&pszDomainName);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmAfdAllocateStringPrintf(
&pszSearchBaseDN,
"cn=Configuration,%s",
pszDomainName);
BAIL_ON_VMAFD_ERROR(dwError);
dwError = ldap_search_ext_s(
pLotus,
pszSearchBaseDN,
LDAP_SCOPE_SUBTREE,
pszFilter,
attrs,
0, /* get values and attrs */
NULL,
NULL,
NULL,
0,
&pSearchResult);
BAIL_ON_VMAFD_ERROR(dwError);
for ( pCAResult = ldap_first_entry(pLotus, pSearchResult);
pCAResult != NULL;
pCAResult = ldap_next_entry(pLotus, pCAResult))
{
nCertCount += VmAfdCountResultAttribute(
pLotus, pCAResult, pszAttrCert);
nCrlCount += VmAfdCountResultAttribute(
pLotus, pCAResult, pszAttrCrl);
}
dwError = VmAfdAllocateMemory(
sizeof(VMAFD_CERT_ARRAY),
(PVOID*)&pCertArray);
BAIL_ON_VMAFD_ERROR(dwError);
pCertArray->dwCount = nCertCount;
dwError = VmAfdAllocateMemory(
sizeof(VMAFD_CRL_FILE_CONTAINER),
(PVOID*)&pCrlContainer);
BAIL_ON_VMAFD_ERROR(dwError);
pCrlContainer->dwCount = nCrlCount;
if (nCertCount || nCrlCount)
{
int certIndex = 0;
int crlIndex = 0;
if (nCertCount)
{
dwError = VmAfdAllocateMemory(
sizeof(VMAFD_CERT_CONTAINER) * nCertCount,
(PVOID*)&pCertArray->certificates);
BAIL_ON_VMAFD_ERROR(dwError);
}
if (nCrlCount)
{
dwError = VmAfdAllocateMemory(
sizeof(VMAFD_CRL_DATA) * nCrlCount,
(PVOID*)&pCrlContainer->crls);
BAIL_ON_VMAFD_ERROR(dwError);
}
for ( pCAResult = ldap_first_entry(pLotus, pSearchResult);
pCAResult != NULL;
pCAResult = ldap_next_entry(pLotus, pCAResult))
{
// Copy certs
ppValues = ldap_get_values_len(
pLotus,
pCAResult,
pszAttrCert);
if (ppValues)
{
int i = 0;
while(ppValues[i])
{
dwError = VmAfdAllocateMemory(
sizeof(CHAR) * ppValues[i]->bv_len + 1,
(PVOID)&pCertArray->certificates[certIndex].pCert);
BAIL_ON_VMAFD_ERROR(dwError);
memcpy(
(PVOID) pCertArray->certificates[certIndex].pCert,
(PVOID) ppValues[i]->bv_val,
(size_t) ppValues[i]->bv_len);
i++;
certIndex++;
}
ldap_value_free_len(ppValues);
ppValues = NULL;
}
// Copy CRLs
ppValues = ldap_get_values_len(
pLotus,
pCAResult,
pszAttrCrl);
if (ppValues)
{
int i = 0;
while(ppValues[i])
{
dwError = VmAfdAllocateMemory(
sizeof(CHAR) * ppValues[i]->bv_len + 1,
(PVOID)&pCrlContainer->crls[crlIndex].buffer);
BAIL_ON_VMAFD_ERROR(dwError);
memcpy(
(PVOID) pCrlContainer->crls[crlIndex].buffer,
(PVOID) ppValues[i]->bv_val,
(size_t) ppValues[i]->bv_len);
i++;
crlIndex++;
}
ldap_value_free_len(ppValues);
ppValues = NULL;
}
}
}
*ppCertificates = pCertArray;
*ppCrls = pCrlContainer;
cleanup:
VMAFD_SAFE_FREE_MEMORY(pszSearchBaseDN);
VMAFD_SAFE_FREE_MEMORY(pszDomainName);
if (ppValues != NULL)
{
ldap_value_free_len(ppValues);
ppValues = NULL;
}
if(pSearchResult != NULL)
{
ldap_msgfree(pSearchResult);
}
return dwError;
error:
*ppCertificates = NULL;
VMAFD_SAFE_FREE_MEMORY(pCrlContainer);
if (ppCertificates)
{
*ppCertificates = NULL;
}
if(ppCrls)
{
*ppCrls = NULL;
}
if (pCertArray )
{
VecsFreeCertArray(pCertArray);
}
goto cleanup;
}
DWORD
VmAfdGetDSERootAttribute(
LDAP* pLotus,
PSTR pszAttribute,
PSTR* ppAttrValue
)
{
DWORD dwError = 0; // LDAP_SUCCESS
PCHAR pDcFilter = "(objectClass=*)";
PCHAR pDcAttr[] = { pszAttribute, NULL };
PSTR pAttribute = NULL;
BerElement* pBer = NULL;
BerValue** ppValue = NULL;
LDAPMessage* pSearchResult = NULL;
LDAPMessage* pResults = NULL;
dwError = ldap_search_ext_s(
pLotus,
"",
LDAP_SCOPE_BASE,
pDcFilter,
pDcAttr,
0,
NULL,
NULL,
NULL,
0,
&pSearchResult);
BAIL_ON_VMAFD_ERROR(dwError);
if (ldap_count_entries(pLotus, pSearchResult) != 1)
{
dwError = ERROR_INVALID_STATE;
BAIL_ON_VMAFD_ERROR(dwError);
}
pResults = ldap_first_entry(pLotus, pSearchResult);
if (pResults == NULL)
{
ldap_get_option(pLotus, LDAP_OPT_ERROR_NUMBER, &dwError);
BAIL_ON_VMAFD_ERROR(dwError);
}
pAttribute = ldap_first_attribute(pLotus,pResults,&pBer);
if (pAttribute == NULL)
{
ldap_get_option(pLotus, LDAP_OPT_ERROR_NUMBER, &dwError);
BAIL_ON_VMAFD_ERROR(dwError);
}
ppValue = ldap_get_values_len(pLotus, pResults, pAttribute);
if (ppValue == NULL)
{
ldap_get_option(pLotus, LDAP_OPT_ERROR_NUMBER, &dwError);
BAIL_ON_VMAFD_ERROR(dwError);
}
dwError = VmAfdAllocateStringA(ppValue[0]->bv_val, ppAttrValue);
BAIL_ON_VMAFD_ERROR(dwError);
cleanup:
if (ppValue != NULL)
{
ldap_value_free_len(ppValue);
}
if (pAttribute != NULL)
{
ldap_memfree(pAttribute);
}
if (pBer != NULL)
{
ber_free(pBer,0);
}
if (pSearchResult != NULL)
{
ldap_msgfree(pSearchResult);
}
return dwError;
error:
*ppAttrValue = NULL;
goto cleanup;
}
DWORD
VmAfdLDAPConnect(
PSTR pszHostName,
DWORD dwPort,
PCSTR pszUpn,
PCSTR pszPassword,
LDAP** ppLotus
)
{
DWORD dwError = 0;
LDAP* pDirectory = NULL;
PSTR pszLdapURI = NULL;
if (dwPort == 0)
{
dwPort = LDAP_PORT;
}
if (VmAfdIsIPV6AddrFormat(pszHostName))
{
dwError = VmAfdAllocateStringPrintf(
&pszLdapURI,
"ldap://[%s]:%d",
pszHostName,
dwPort);
}
else
{
dwError = VmAfdAllocateStringPrintf(
&pszLdapURI,
"ldap://%s:%d",
pszHostName,
dwPort);
}
BAIL_ON_VMAFD_ERROR(dwError);
dwError = VmDirSafeLDAPBind(
&pDirectory,
pszHostName,
pszUpn,
pszPassword);
BAIL_ON_VMAFD_ERROR(dwError);
*ppLotus = pDirectory;
cleanup:
VMAFD_SAFE_FREE_MEMORY(pszLdapURI);
return dwError;
error:
*ppLotus = NULL;
if (pDirectory != NULL)
{
ldap_unbind_ext(pDirectory, NULL, NULL);
}
goto cleanup;
}
int _tmain(int argc, _TCHAR* targv[])
#endif
{
DWORD dwError = 0;
int retCode = 0;
PCSTR pszErrorMsg = NULL;
PSTR pszErrorDesc = NULL;
#ifdef _WIN32
char** allocArgv = NULL;
PSTR* argv = NULL;
#ifdef UNICODE
dwError = VmAfdAllocateArgsAFromArgsW( argc, targv, &allocArgv );
BAIL_ON_VMAFD_ERROR(dwError);
argv = allocArgv;
#else /* ifndef UNICODE */
argv = targv; // non-unicode => targv is char
#endif /* ifdef UNICODE */
#else /* ifndef _WIN32 */
setlocale(LC_ALL, "");
#endif /* ifdef _WIN32 */
dwError = ProcessArgs(argc, argv);
BAIL_ON_VMAFD_ERROR(dwError);
cleanup:
VMAFD_SAFE_FREE_STRINGA(pszErrorDesc);
return dwError;
error:
switch (dwError)
{
case ERROR_CANNOT_CONNECT_VMAFD:
retCode = 20;
pszErrorMsg = "Could not connect to the local service VMware AFD.\nVerify VMware AFD is running.";
break;
case VMDIR_ERROR_CANNOT_CONNECT_VMDIR:
retCode = 21;
pszErrorMsg = "Could not connect to the local service VMware Directory Service.\nVerify VMware Directory Service is running.";
break;
case ERROR_INVALID_CONFIGURATION:
retCode = 22;
pszErrorMsg = "Configuration is not correct.\nFirst boot scripts need to be executed.";
break;
case VMDIR_ERROR_SERVER_DOWN:
retCode = 23;
pszErrorMsg = "Could not connect to VMware Directory Service via LDAP.\nVerify VMware Directory Service is running on the appropriate system and is reachable from this host.";
break;
case VMDIR_ERROR_USER_INVALID_CREDENTIAL:
retCode = 24;
pszErrorMsg = "Authentication to VMware Directory Service failed.\nVerify the username and password.";
break;
case ERROR_ACCESS_DENIED:
retCode = 25;
pszErrorMsg = "Authorization failed.\nVerify account has proper administrative privileges.";
break;
case ERROR_INVALID_DOMAINNAME:
retCode = 26;
pszErrorMsg = "Failed to join the domain.\nThe domain name specified is invalid.";
break;
case ERROR_NO_SUCH_DOMAIN:
retCode = 27;
pszErrorMsg = "Failed to join the domain.\nA domain controller for the domain could not be located. Verify the DNS settings pertaining to this domain name.";
break;
case ERROR_PASSWORD_RESTRICTION:
retCode = 28;
pszErrorMsg = "Failed to join the domain.\nA required password was not specified or did not match complexity requirements.";
break;
case ERROR_HOST_DOWN:
retCode = 29;
pszErrorMsg = "Failed to join the domain.\nThe required service on the domain controller is unreachable.";
break;
default:
retCode = 1;
}
if (retCode != 1)
{
fprintf(
stderr,
"domain-join failed, error= %s %u\n",
pszErrorMsg,
dwError);
}
else
{
if (!VmAfdGetErrorString(dwError, &pszErrorDesc))
{
fprintf(stderr, "domain-join failed. Error %u: %s \n", dwError, pszErrorDesc);
}
else
{
fprintf(stderr, "domain-join failed with error: %u\n", dwError);
}
}
goto cleanup;
}
static
DWORD
ProcessLeave(
int argc,
char* argv[]
)
{
typedef enum
{
PARSE_MODE_OPEN = 0,
PARSE_MODE_ACCOUNT,
PARSE_MODE_PASSWORD
} PARSE_MODE;
DWORD dwError = 0;
DWORD idx = 0;
DWORD dwLeaveFlags = 0;
PSTR pszLogin = NULL;
PSTR pszPassword = NULL;
PSTR pszPasswordNew = NULL;
PARSE_MODE mode = PARSE_MODE_OPEN;
for (; idx < argc; idx++)
{
PSTR pszArg = argv[idx];
switch (mode)
{
case PARSE_MODE_OPEN:
if (!VmAfdStringCompareA(pszArg, "--username", TRUE))
{
mode = PARSE_MODE_ACCOUNT;
}
else if (!VmAfdStringCompareA(pszArg, "--password", TRUE))
{
mode = PARSE_MODE_PASSWORD;
}
else if (!VmAfdStringCompareA(pszArg, "--force", TRUE))
{
dwLeaveFlags = dwLeaveFlags | VMAFD_DOMAIN_LEAVE_FLAGS_FORCE;
mode = PARSE_MODE_OPEN;
}
else
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR(dwError);
}
break;
case PARSE_MODE_ACCOUNT:
pszLogin = pszArg;
mode = PARSE_MODE_OPEN;
break;
case PARSE_MODE_PASSWORD:
pszPassword = pszArg;
mode = PARSE_MODE_OPEN;
break;
default:
dwError = ERROR_INVALID_STATE;
BAIL_ON_VMAFD_ERROR(dwError);
break;
}
}
if (pszLogin && !pszPassword)
{
dwError = ReadPassword(&pszPasswordNew);
BAIL_ON_VMAFD_ERROR(dwError);
pszPassword = pszPasswordNew;
}
dwError = VmAfdLeaveDomain( pszLogin, pszPassword, dwLeaveFlags );
BAIL_ON_VMAFD_ERROR(dwError);
cleanup:
VMAFD_SAFE_FREE_MEMORY(pszPasswordNew);
return dwError;
error:
goto cleanup;
}
static
DWORD
ProcessJoin(
int argc,
char* argv[]
)
{
typedef enum
{
PARSE_MODE_OPEN = 0,
PARSE_MODE_ACCOUNT,
PARSE_MODE_PASSWORD,
PARSE_MODE_ORGUNIT,
PARSE_MODE_SITENAME
} PARSE_MODE;
DWORD dwError = 0;
DWORD idx = 0;
PSTR pszLogin = NULL;
PSTR pszPassword = NULL;
PSTR pszPasswordNew = NULL;
PSTR pszDomain = NULL;
PSTR pszOrgUnit = NULL;
PSTR pszSiteName = NULL;
PARSE_MODE mode = PARSE_MODE_OPEN;
if (!argc)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR(dwError);
}
for (; idx < argc; idx++)
{
PSTR pszArg = argv[idx];
switch (mode)
{
case PARSE_MODE_OPEN:
if (!VmAfdStringCompareA(pszArg, "--username", TRUE))
{
mode = PARSE_MODE_ACCOUNT;
}
else if (!VmAfdStringCompareA(pszArg, "--password", TRUE))
{
mode = PARSE_MODE_PASSWORD;
}
else if (!VmAfdStringCompareA(pszArg, "--orgunit", TRUE))
{
mode = PARSE_MODE_ORGUNIT;
}
else if (!VmAfdStringCompareA(pszArg, "--site", TRUE))
{
mode = PARSE_MODE_SITENAME;
}
else
{
if (pszDomain)
{
dwError = ERROR_INVALID_COMMAND_LINE;
BAIL_ON_VMAFD_ERROR(dwError);
}
pszDomain = pszArg;
}
break;
case PARSE_MODE_ACCOUNT:
pszLogin = pszArg;
mode = PARSE_MODE_OPEN;
break;
case PARSE_MODE_PASSWORD:
pszPassword = pszArg;
mode = PARSE_MODE_OPEN;
break;
case PARSE_MODE_ORGUNIT:
pszOrgUnit = pszArg;
mode = PARSE_MODE_OPEN;
break;
case PARSE_MODE_SITENAME:
pszSiteName = pszArg;
mode = PARSE_MODE_OPEN;
break;
default:
dwError = ERROR_INVALID_STATE;
BAIL_ON_VMAFD_ERROR(dwError);
break;
}
}
if (!pszPassword)
{
dwError = ReadPassword(&pszPasswordNew);
BAIL_ON_VMAFD_ERROR(dwError);
pszPassword = pszPasswordNew;
}
if (!pszDomain)
{
dwError = ERROR_NO_SUCH_DOMAIN;
BAIL_ON_VMAFD_ERROR(dwError);
}
if (!pszLogin)
{
pszLogin = "******";
}
else if (strchr(pszLogin, (int)'@') != NULL)
{
fprintf(stderr, "Error: Username may not include domain\n");
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR(dwError);
}
dwError = VmAfdJoinDomainWithSite(
pszDomain,
pszLogin,
pszPassword,
pszOrgUnit,
pszSiteName);
BAIL_ON_VMAFD_ERROR(dwError);
cleanup:
VMAFD_SAFE_FREE_MEMORY(pszPasswordNew);
return dwError;
error:
goto cleanup;
}
static
DWORD
ProcessArgs(
int argc,
char* argv[]
)
{
DWORD dwError = 0;
DWORD iArg = 0;
DWORD dwArgsLeft = argc;
PSTR pszArg = NULL;
if (!argc || !argv)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR(dwError);
}
iArg++; // skip first argument
dwArgsLeft--;
if (!dwArgsLeft)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_VMAFD_ERROR(dwError);
}
pszArg = argv[iArg++];
dwArgsLeft--;
if (!VmAfdStringCompareA(pszArg, "help", TRUE))
{
ShowUsage();
}
else if (!VmAfdStringCompareA(pszArg, "join", TRUE))
{
dwError = ProcessJoin(
dwArgsLeft,
dwArgsLeft > 0 ? &argv[iArg] : NULL);
}
else if (!VmAfdStringCompareA(pszArg, "leave", TRUE))
{
dwError = ProcessLeave(
dwArgsLeft,
dwArgsLeft > 0 ? &argv[iArg] : NULL);
}
else if (!VmAfdStringCompareA(pszArg, "info", TRUE))
{
dwError = ProcessInfo(
dwArgsLeft,
dwArgsLeft > 0 ? &argv[iArg] : NULL);
}
else
{
dwError = ERROR_INVALID_PARAMETER;
}
BAIL_ON_VMAFD_ERROR(dwError);
cleanup:
return dwError;
error:
if (dwError == ERROR_INVALID_PARAMETER ||
dwError == ERROR_INVALID_COMMAND_LINE)
{
ShowUsage();
}
goto cleanup;
}
