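/*
 * Read one optional string attribute from an LDAP entry into *ppszValue.
 *
 * The profile attributes this file collects are optional in AD, so a missing
 * or non-string value (LW_ERROR_INVALID_LDAP_ATTR_VALUE) is folded into
 * MAC_AD_ERROR_SUCCESS and *ppszValue is left as it was (NULL for a freshly
 * allocated structure).  Any other error is returned unchanged.
 */
static
DWORD
ReadOptionalStringAttribute(
    HANDLE hDirectory,
    LDAPMessage *pMessage,
    PSTR pszAttribute,
    PSTR *ppszValue
    )
{
    DWORD dwError = LwLdapGetString(hDirectory, pMessage, pszAttribute, ppszValue);

    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }

    return dwError;
}

/*
 * GetUserAttributes
 *
 * Look up the AD user object whose objectSid equals pszUserSID under the
 * naming context derived from pszDomainName, and return a newly allocated
 * GPUSER_AD_ATTRS holding the user's profile attributes together with the
 * domain-wide password/lockout policy attributes read from the domain object.
 *
 * hDirectory    - open LDAP connection handle (project type).
 * pszUserSID    - the user's SID in string form.  It is placed into the
 *                 "(objectsid=...)" filter without RFC 4515 escaping; callers
 *                 are expected to pass the canonical "S-1-5-..." form, which
 *                 contains no filter metacharacters.
 * pszDomainName - domain name handed to ADUConvertDomainToDN to build the
 *                 search base; also copied into pszADDomain.
 * ppUserADAttrs - receives the allocated structure on success (caller frees
 *                 it with FreeUserAttributes); not written on failure.
 *
 * Returns MAC_AD_ERROR_SUCCESS; MAC_AD_ERROR_INVALID_NAME when the filter
 * does not fit the local buffer or when the user / domain search does not
 * yield exactly one entry; otherwise the underlying LDAP or allocation error.
 */
DWORD
GetUserAttributes(
    HANDLE hDirectory,
    PSTR pszUserSID,
    PSTR pszDomainName,
    PGPUSER_AD_ATTRS * ppUserADAttrs
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR pszDirectoryRoot = NULL;
    PSTR szAttributeList[] = {"*", NULL};
    CHAR szQuery[1024];
    int nQueryLen = 0;
    LDAPMessage *pUserMessage = NULL;
    LDAPMessage *pDomainMessage = NULL;
    long lCount = 0;
    PGPUSER_AD_ATTRS pUserADAttrs = NULL;

    dwError = ADUConvertDomainToDN(pszDomainName, &pszDirectoryRoot);
    BAIL_ON_MAC_ERROR(dwError);

    /*
     * The original formatted the SID with sprintf() into a fixed stack buffer,
     * so an over-long pszUserSID overflowed it.  Bound the write and treat a
     * truncated filter as a bad name rather than searching for a mangled SID.
     */
    nQueryLen = snprintf(szQuery, sizeof(szQuery), "(objectsid=%s)", pszUserSID);
    if (nQueryLen < 0 || (size_t)nQueryLen >= sizeof(szQuery))
    {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapDirectorySearch(
                    hDirectory,
                    pszDirectoryRoot,
                    LDAP_SCOPE_SUBTREE,
                    szQuery,
                    szAttributeList,
                    &pUserMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
                    hDirectory,
                    pUserMessage,
                    &lCount
                    );
    BAIL_ON_MAC_ERROR(dwError);

    /* A SID identifies exactly one object; zero, several or a negative count
       all mean we cannot trust the result. */
    if (lCount != 1)
    {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    }
    BAIL_ON_MAC_ERROR(dwError);

    /* Password policy settings live on the domain naming context itself. */
    dwError = LwLdapDirectorySearch(
                    hDirectory,
                    pszDirectoryRoot,
                    LDAP_SCOPE_BASE,
                    "(objectClass=*)",
                    szAttributeList,
                    &pDomainMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
                    hDirectory,
                    pDomainMessage,
                    &lCount
                    );
    BAIL_ON_MAC_ERROR(dwError);

    if (lCount != 1)
    {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwAllocateMemory(sizeof(GPUSER_AD_ATTRS), (PVOID *) &pUserADAttrs);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwAllocateString(pszDomainName, &pUserADAttrs->pszADDomain);
    BAIL_ON_MAC_ERROR(dwError);

    /* Per-user attributes.  Every one of these is optional. */
    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "displayName", &pUserADAttrs->pszDisplayName);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "givenName", &pUserADAttrs->pszFirstName);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "sn", &pUserADAttrs->pszLastName);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "userPrincipalName", &pUserADAttrs->pszKerberosPrincipal);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "mail", &pUserADAttrs->pszEMailAddress);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "msExchHomeServerName", &pUserADAttrs->pszMSExchHomeServerName);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "homeMDB", &pUserADAttrs->pszMSExchHomeMDB);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "telephoneNumber", &pUserADAttrs->pszTelephoneNumber);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "facsimileTelephoneNumber", &pUserADAttrs->pszFaxTelephoneNumber);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "mobile", &pUserADAttrs->pszMobileTelephoneNumber);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "streetAddress", &pUserADAttrs->pszStreetAddress);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "postOfficeBox", &pUserADAttrs->pszPostOfficeBox);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "l", &pUserADAttrs->pszCity);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "st", &pUserADAttrs->pszState);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "postalCode", &pUserADAttrs->pszPostalCode);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "co", &pUserADAttrs->pszCountry);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "title", &pUserADAttrs->pszTitle);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "company", &pUserADAttrs->pszCompany);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "department", &pUserADAttrs->pszDepartment);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "homeDirectory", &pUserADAttrs->pszHomeDirectory);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "homeDrive", &pUserADAttrs->pszHomeDrive);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "pwdLastSet", &pUserADAttrs->pszPasswordLastSet);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pUserMessage, "userAccountControl", &pUserADAttrs->pszUserAccountControl);
    BAIL_ON_MAC_ERROR(dwError);

    /* The settings below are found on the domain container for the user. */
    dwError = ReadOptionalStringAttribute(hDirectory, pDomainMessage, "maxPwdAge", &pUserADAttrs->pszMaxMinutesUntilChangePassword);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pDomainMessage, "minPwdAge", &pUserADAttrs->pszMinMinutesUntilChangePassword);
    BAIL_ON_MAC_ERROR(dwError);

    /*
     * The AD schema's ldapDisplayName is "lockoutThreshold" (one 'h').  The
     * original asked for "lockoutThreshhold", an attribute AD does not define,
     * so pszMaxFailedLoginAttempts could never be populated.
     */
    dwError = ReadOptionalStringAttribute(hDirectory, pDomainMessage, "lockoutThreshold", &pUserADAttrs->pszMaxFailedLoginAttempts);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pDomainMessage, "pwdHistoryLength", &pUserADAttrs->pszAllowedPasswordHistory);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ReadOptionalStringAttribute(hDirectory, pDomainMessage, "minPwdLength", &pUserADAttrs->pszMinCharsAllowedInPassword);
    BAIL_ON_MAC_ERROR(dwError);

    *ppUserADAttrs = pUserADAttrs;
    pUserADAttrs = NULL;

error:

    /* On success pUserADAttrs has been handed to the caller and is NULL here;
       on failure this releases the partially populated structure. */
    FreeUserAttributes(pUserADAttrs);

    if (pszDirectoryRoot)
    {
        LwFreeString(pszDirectoryRoot);
    }

    if (pUserMessage)
    {
        ldap_msgfree(pUserMessage);
    }

    if (pDomainMessage)
    {
        ldap_msgfree(pDomainMessage);
    }

    return dwError;
}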
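/*
 * ADUGetAllMCXPolicies
 *
 * Find every groupPolicyContainer directly beneath pszDN whose machine- or
 * user-side extension list names one of the two MCX client-side-extension
 * GUIDs in the filter below, and add one GROUP_POLICY_OBJECT per hit
 * (pszPolicyDN filled in, nothing else) to the caller's list.
 *
 * hDirectory           - open LDAP connection handle (project type).
 * pszDN                - search base, searched with LDAP_SCOPE_ONELEVEL.
 * ppGroupPolicyObjects - in/out list head.  Must be non-NULL: the success
 *                        path dereferences it (the NULL test on the error path
 *                        is defensive only).  When *ppGroupPolicyObjects is
 *                        non-NULL the new nodes are linked behind that node;
 *                        otherwise it becomes the new list.  On failure it is
 *                        set to NULL and all nodes built here are freed.
 *
 * Returns MAC_AD_ERROR_SUCCESS (also for zero matches) or the underlying
 * LDAP / allocation error.
 */
DWORD
ADUGetAllMCXPolicies(
    HANDLE hDirectory,
    PCSTR pszDN,
    PGROUP_POLICY_OBJECT * ppGroupPolicyObjects
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR szAttributeList[] = { "distinguishedName", NULL };
    PGROUP_POLICY_OBJECT pGPObjectList = NULL;
    PGROUP_POLICY_OBJECT pGPObject = NULL;
    LDAPMessage* pMessage = NULL;
    LDAPMessage* pEntry = NULL;
    DWORD dwCount = 0;
    PSTR pszValue = NULL;

    dwError = LwLdapDirectorySearch(
                    hDirectory,
                    pszDN,
                    LDAP_SCOPE_ONELEVEL,
                    (PSTR)"(&(objectclass=groupPolicyContainer)(|(gPCMachineExtensionNames=*{B9BF896E-F9EB-49B5-8E67-11E2EDAED06C}*)(gPCUserExtensionNames=*{07E500C4-20FD-4829-8F38-B5FF63FA0493}*)))",
                    szAttributeList,
                    &pMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
                    hDirectory,
                    pMessage,
                    &dwCount
                    );
    BAIL_ON_MAC_ERROR(dwError);

    if (dwCount > 0)
    {
        pEntry = LwLdapFirstEntry(hDirectory, pMessage);
    }

    for (; pEntry != NULL; pEntry = LwLdapNextEntry(hDirectory, pEntry))
    {
        dwError = LwLdapGetString(hDirectory, pEntry, "distinguishedName", &pszValue);
        BAIL_ON_MAC_ERROR(dwError);

        dwError = LwAllocateMemory(sizeof(GROUP_POLICY_OBJECT), (PVOID*)&pGPObject);
        BAIL_ON_MAC_ERROR(dwError);

        /* Ownership of the DN string moves into the node. */
        pGPObject->pszPolicyDN = pszValue;
        pszValue = NULL;

        /* Prepend: the finished list is in reverse search-result order. */
        pGPObject->pNext = pGPObjectList;
        pGPObjectList = pGPObject;
        pGPObject = NULL;
    }

    if (*ppGroupPolicyObjects != NULL)
    {
        /*
         * NOTE(review): this hangs the new nodes directly off the existing
         * head, so any nodes already linked behind that head would be
         * orphaned.  Behaviour kept as-is; confirm callers only pass an
         * empty or single-node list here.
         */
        (*ppGroupPolicyObjects)->pNext = pGPObjectList;
    }
    else
    {
        *ppGroupPolicyObjects = pGPObjectList;
    }
    /* The list now belongs to the caller; do not free it below. */
    pGPObjectList = NULL;

cleanup:

    /*
     * pEntry is a pointer into pMessage's result chain (assuming
     * LwLdapFirstEntry / LwLdapNextEntry wrap ldap_first_entry /
     * ldap_next_entry), so ldap_msgfree(pMessage) releases it too.  The
     * original additionally called ldap_msgfree(pEntry) afterwards, which on
     * the error path -- where the loop is abandoned with pEntry still set --
     * is a double free.  Freeing pMessage alone is sufficient.
     */
    if (pMessage)
    {
        ldap_msgfree(pMessage);
    }

    LW_SAFE_FREE_STRING(pszValue);
    ADU_SAFE_FREE_GPO_LIST(pGPObject);
    ADU_SAFE_FREE_GPO_LIST(pGPObjectList);

    return dwError;

error:

    if (ppGroupPolicyObjects)
    {
        *ppGroupPolicyObjects = NULL;
    }

    goto cleanup;
}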
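/*
 * ADUGetPolicyInformation
 *
 * Read the GPO attributes of the groupPolicyContainer at pszPolicyDN and
 * store them in the caller-supplied GROUP_POLICY_OBJECT.
 *
 * hDirectory         - open LDAP connection handle (project type).
 * pszPolicyDN        - DN of the policy object (LDAP_SCOPE_BASE search).
 * pGroupPolicyObject - destination; the following fields are written:
 *                      pszDisplayName, dwFlags, pszgPCFileSysPath,
 *                      gPCFunctionalityVersion, pszgPCMachineExtensionNames,
 *                      pszgPCUserExtensionNames, dwVersion.  The two
 *                      extension-name attributes are optional and stay NULL
 *                      when absent; the others must be present.
 *
 * Returns MAC_AD_ERROR_SUCCESS, MAC_AD_ERROR_NO_SUCH_POLICY when the search
 * does not return exactly one entry, or the underlying LDAP error.  On
 * failure an error is logged and fields already assigned are left in place
 * (the caller owns and frees the object).
 */
DWORD
ADUGetPolicyInformation(
    HANDLE hDirectory,
    PCSTR pszPolicyDN,
    PGROUP_POLICY_OBJECT pGroupPolicyObject
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR szAttributeList[] = {
        ADU_DISPLAY_NAME_ATTR,
        ADU_FLAGS_ATTR,
        ADU_FILESYS_PATH_ATTR,
        ADU_FUNCTIONALITY_VERSION_ATTR,
        ADU_MACHINE_EXTENSION_NAMES_ATTR,
        ADU_USER_EXTENSION_NAMES_ATTR,
        ADU_WQL_FILTER_ATTR,
        ADU_VERSION_NUMBER_ATTR,
        NULL
    };
    LDAPMessage* pMessage = NULL;
    DWORD dwCount = 0;
    PSTR pszValue = NULL;
    DWORD dwValue = 0;

    dwError = LwLdapDirectorySearch(
                    hDirectory,
                    pszPolicyDN,
                    LDAP_SCOPE_BASE,
                    (PSTR)"(objectclass=*)",
                    szAttributeList,
                    &pMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
                    hDirectory,
                    pMessage,
                    &dwCount
                    );
    BAIL_ON_MAC_ERROR(dwError);

    /*
     * A base-scope search on a DN yields exactly one entry when the object
     * exists.  dwCount is unsigned, so the original "dwCount < 0" branch was
     * dead code; a single inequality covers the cases that matter.
     */
    if (dwCount != 1)
    {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    }
    BAIL_ON_MAC_ERROR(dwError);

    /* Required attributes: any read failure aborts. */
    dwError = LwLdapGetString(hDirectory, pMessage, ADU_DISPLAY_NAME_ATTR, &pszValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszDisplayName = pszValue;
    pszValue = NULL;

    dwError = LwLdapGetUInt32(hDirectory, pMessage, ADU_FLAGS_ATTR, &dwValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->dwFlags = dwValue;

    dwError = LwLdapGetString(hDirectory, pMessage, ADU_FILESYS_PATH_ATTR, &pszValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszgPCFileSysPath = pszValue;
    pszValue = NULL;

    dwError = LwLdapGetUInt32(hDirectory, pMessage, ADU_FUNCTIONALITY_VERSION_ATTR, &dwValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->gPCFunctionalityVersion = dwValue;

    /* Optional: a GPO with no machine-side extensions simply lacks the attribute. */
    dwError = LwLdapGetString(hDirectory, pMessage, ADU_MACHINE_EXTENSION_NAMES_ATTR, &pszValue);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = 0;
    }
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszgPCMachineExtensionNames = pszValue;
    pszValue = NULL;

    /* Optional: same for user-side extensions. */
    dwError = LwLdapGetString(hDirectory, pMessage, ADU_USER_EXTENSION_NAMES_ATTR, &pszValue);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = 0;
    }
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszgPCUserExtensionNames = pszValue;
    pszValue = NULL;

    dwError = LwLdapGetUInt32(hDirectory, pMessage, ADU_VERSION_NUMBER_ATTR, &dwValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->dwVersion = dwValue;

cleanup:

    LW_SAFE_FREE_STRING(pszValue);

    if (pMessage)
    {
        ldap_msgfree(pMessage);
    }

    return dwError;

error:

    LOG_ERROR("Failed to find policy or read GPO attributes for policy (%s)", pszPolicyDN);

    goto cleanup;
}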
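/*
 * Copy pszIn into pszOut (capacity cbOut bytes including the terminator),
 * escaping the LDAP filter metacharacters '*', '(', ')' and '\' as the
 * \XX hex sequences defined by RFC 4515 so the value is matched literally.
 * (NUL cannot occur inside a C string, so it needs no handling here.)
 *
 * Returns 0 on success, -1 if an argument is NULL or the escaped result does
 * not fit.  Deliberately uses no <string.h> functions so it relies only on
 * what this file already has in scope.
 */
static
int
EscapeLdapFilterValue(
    PCSTR pszIn,
    char *pszOut,
    size_t cbOut
    )
{
    static const char szHex[] = "0123456789abcdef";
    size_t cbUsed = 0;

    if (pszIn == NULL || pszOut == NULL || cbOut == 0)
    {
        return -1;
    }

    for (; *pszIn != '\0'; pszIn++)
    {
        unsigned char ch = (unsigned char)*pszIn;

        if (ch == '*' || ch == '(' || ch == ')' || ch == '\\')
        {
            /* three bytes of output plus room for the terminator */
            if (cbUsed + 3 >= cbOut)
            {
                return -1;
            }
            pszOut[cbUsed++] = '\\';
            pszOut[cbUsed++] = szHex[ch >> 4];
            pszOut[cbUsed++] = szHex[ch & 0x0f];
        }
        else
        {
            if (cbUsed + 1 >= cbOut)
            {
                return -1;
            }
            pszOut[cbUsed++] = (char)ch;
        }
    }

    pszOut[cbUsed] = '\0';
    return 0;
}

/*
 * ADUGetMCXPolicy
 *
 * Locate the single groupPolicyContainer directly beneath pszDN whose
 * ADU_DISPLAY_NAME_ATTR equals pszGPOName and return a new
 * GROUP_POLICY_OBJECT with only pszPolicyDN filled in.
 *
 * hDirectory - open LDAP connection handle (project type).
 * pszDN      - search base, searched with LDAP_SCOPE_ONELEVEL.
 * pszGPOName - display name to match.  It is escaped per RFC 4515 before
 *              being placed in the filter, so a name containing '*', '(',
 *              ')' or '\' is compared literally rather than altering the
 *              filter's structure.
 * ppGPO      - receives the allocated node on success (caller frees it with
 *              ADU_SAFE_FREE_GPO_LIST); set to NULL on failure.
 *
 * Returns MAC_AD_ERROR_SUCCESS; MAC_AD_ERROR_NO_SUCH_POLICY when the escaped
 * name or the resulting filter does not fit the local buffers, or when the
 * search does not return exactly one entry; otherwise the LDAP / allocation
 * error.
 */
DWORD
ADUGetMCXPolicy(
    HANDLE hDirectory,
    PCSTR pszDN,
    PCSTR pszGPOName,
    PGROUP_POLICY_OBJECT * ppGPO
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR szAttributeList[] = { "distinguishedName", NULL };
    char szEscapedName[512] = {0};
    char szQuery[512] = {0};
    int nQueryLen = 0;
    PGROUP_POLICY_OBJECT pGPObject = NULL;
    LDAPMessage* pMessage = NULL;
    DWORD dwCount = 0;
    PSTR pszValue = NULL;

    /*
     * The original built the filter with sprintf() from an unbounded,
     * unescaped pszGPOName: an over-long name overflowed szQuery on the
     * stack, and a name with filter metacharacters rewrote the query
     * (e.g. "*" matched every GPO).  Escape first, then format with a bound,
     * and report either problem as "no such policy".
     */
    if (EscapeLdapFilterValue(pszGPOName, szEscapedName, sizeof(szEscapedName)) != 0)
    {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    }
    BAIL_ON_MAC_ERROR(dwError);

    nQueryLen = snprintf(szQuery,
                         sizeof(szQuery),
                         "(&(objectclass=groupPolicyContainer)(%s=%s))",
                         ADU_DISPLAY_NAME_ATTR,
                         szEscapedName);
    if (nQueryLen < 0 || (size_t)nQueryLen >= sizeof(szQuery))
    {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapDirectorySearch(
                    hDirectory,
                    pszDN,
                    LDAP_SCOPE_ONELEVEL,
                    szQuery,
                    szAttributeList,
                    &pMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
                    hDirectory,
                    pMessage,
                    &dwCount
                    );
    BAIL_ON_MAC_ERROR(dwError);

    /* Display names are expected to be unique under pszDN; anything but
       exactly one hit is treated as "not found".  (dwCount is unsigned, so
       the original's "< 0" branch could never fire.) */
    if (dwCount != 1)
    {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory, pMessage, "distinguishedName", &pszValue);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwAllocateMemory(sizeof(GROUP_POLICY_OBJECT), (PVOID*)&pGPObject);
    BAIL_ON_MAC_ERROR(dwError);

    /* Ownership of the DN string moves into the node. */
    pGPObject->pszPolicyDN = pszValue;
    pszValue = NULL;

    *ppGPO = pGPObject;
    pGPObject = NULL;

cleanup:

    if (pMessage)
    {
        ldap_msgfree(pMessage);
    }

    LW_SAFE_FREE_STRING(pszValue);
    ADU_SAFE_FREE_GPO_LIST(pGPObject);

    return dwError;

error:

    if (ppGPO)
    {
        *ppGPO = NULL;
    }

    goto cleanup;
}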