Exemplo n.º 1
0
DWORD
GetUserAttributes(
    HANDLE hDirectory,
    PSTR pszUserSID,
    PSTR pszDomainName,
    PGPUSER_AD_ATTRS * ppUserADAttrs
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR pszDirectoryRoot = NULL;
    PSTR szAttributeList[] = {"*", NULL};
    CHAR szQuery[1024];
    LDAPMessage *pUserMessage = NULL;
    LDAPMessage *pDomainMessage = NULL;
    long lCount = 0;
    PGPUSER_AD_ATTRS pUserADAttrs = NULL;

    dwError = ADUConvertDomainToDN(pszDomainName, &pszDirectoryRoot);
    BAIL_ON_MAC_ERROR(dwError);

    sprintf(szQuery, "(objectsid=%s)", pszUserSID);

    dwError = LwLdapDirectorySearch(
        hDirectory,
        pszDirectoryRoot,
        LDAP_SCOPE_SUBTREE,
        szQuery,
        szAttributeList,
        &pUserMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
        hDirectory,
        pUserMessage,
        &lCount
        );
    BAIL_ON_MAC_ERROR(dwError);

    if (lCount < 0) {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    } else if (lCount == 0) {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    } else if (lCount > 1) {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapDirectorySearch(
        hDirectory,
        pszDirectoryRoot,
        LDAP_SCOPE_BASE,
        "(objectClass=*)",
        szAttributeList,
        &pDomainMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
        hDirectory,
        pDomainMessage,
        &lCount
        );
    BAIL_ON_MAC_ERROR(dwError);

    if (lCount < 0) {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    } else if (lCount == 0) {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    } else if (lCount > 1) {
        dwError = MAC_AD_ERROR_INVALID_NAME;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwAllocateMemory(sizeof(GPUSER_AD_ATTRS), (PVOID *) &pUserADAttrs);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwAllocateString(pszDomainName, &pUserADAttrs->pszADDomain);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "displayName",
                              &pUserADAttrs->pszDisplayName);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "givenName",
                              &pUserADAttrs->pszFirstName);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "sn",
                              &pUserADAttrs->pszLastName);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "userPrincipalName",
                              &pUserADAttrs->pszKerberosPrincipal);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "mail",
                              &pUserADAttrs->pszEMailAddress);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "msExchHomeServerName",
                              &pUserADAttrs->pszMSExchHomeServerName);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "homeMDB",
                              &pUserADAttrs->pszMSExchHomeMDB);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "telephoneNumber",
                              &pUserADAttrs->pszTelephoneNumber);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "facsimileTelephoneNumber",
                              &pUserADAttrs->pszFaxTelephoneNumber);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "mobile",
                              &pUserADAttrs->pszMobileTelephoneNumber);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "streetAddress",
                              &pUserADAttrs->pszStreetAddress);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "postOfficeBox",
                              &pUserADAttrs->pszPostOfficeBox);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "l",
                              &pUserADAttrs->pszCity);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "st",
                              &pUserADAttrs->pszState);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "postalCode",
                              &pUserADAttrs->pszPostalCode);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "co",
                              &pUserADAttrs->pszCountry);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "title",
                              &pUserADAttrs->pszTitle);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "company",
                              &pUserADAttrs->pszCompany);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "department",
                              &pUserADAttrs->pszDepartment);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "homeDirectory",
                              &pUserADAttrs->pszHomeDirectory);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "homeDrive",
                              &pUserADAttrs->pszHomeDrive);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "pwdLastSet",
                              &pUserADAttrs->pszPasswordLastSet);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pUserMessage,
                              "userAccountControl",
                              &pUserADAttrs->pszUserAccountControl);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    /* The settings below are found on the domain container for the user */
    dwError = LwLdapGetString(hDirectory,
                              pDomainMessage,
                              "maxPwdAge",
                              &pUserADAttrs->pszMaxMinutesUntilChangePassword);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pDomainMessage,
                              "minPwdAge",
                              &pUserADAttrs->pszMinMinutesUntilChangePassword);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pDomainMessage,
                              "lockoutThreshhold",
                              &pUserADAttrs->pszMaxFailedLoginAttempts);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pDomainMessage,
                              "pwdHistoryLength",
                              &pUserADAttrs->pszAllowedPasswordHistory);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                              pDomainMessage,
                              "minPwdLength",
                              &pUserADAttrs->pszMinCharsAllowedInPassword);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = MAC_AD_ERROR_SUCCESS;
    }
    BAIL_ON_MAC_ERROR(dwError);

    *ppUserADAttrs = pUserADAttrs;
    pUserADAttrs = NULL;

error:

    FreeUserAttributes(pUserADAttrs);

    if (pszDirectoryRoot) {
        LwFreeString(pszDirectoryRoot);
    }

    if (pUserMessage) {
        ldap_msgfree(pUserMessage);
    }

    if (pDomainMessage) {
        ldap_msgfree(pDomainMessage);
    }

    return dwError;
}
Exemplo n.º 2
0
DWORD
ADUGetAllMCXPolicies(
    HANDLE hDirectory,
    PCSTR pszDN,
    PGROUP_POLICY_OBJECT * ppGroupPolicyObjects
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR szAttributeList[] = { "distinguishedName", NULL };
    PGROUP_POLICY_OBJECT pGPObjectList = NULL;
    PGROUP_POLICY_OBJECT pGPObject = NULL;
    LDAPMessage* pMessage = NULL;
    LDAPMessage* pLDAPMessage = NULL;
    DWORD dwCount = 0;
    PSTR pszValue = NULL;

    dwError = LwLdapDirectorySearch(
        hDirectory,
        pszDN,
        LDAP_SCOPE_ONELEVEL,
        (PSTR)"(&(objectclass=groupPolicyContainer)(|(gPCMachineExtensionNames=*{B9BF896E-F9EB-49B5-8E67-11E2EDAED06C}*)(gPCUserExtensionNames=*{07E500C4-20FD-4829-8F38-B5FF63FA0493}*)))",
        szAttributeList,
        &pMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
        hDirectory,
        pMessage,
        &dwCount
        );
    BAIL_ON_MAC_ERROR(dwError);

    if (dwCount > 0)
    {
        pLDAPMessage = LwLdapFirstEntry(hDirectory, pMessage);
    }

    while(pLDAPMessage != NULL)
    {
        dwError = LwLdapGetString(hDirectory,
                                   pLDAPMessage,
                                   "distinguishedName",
                                   &pszValue);
        BAIL_ON_MAC_ERROR(dwError);

        dwError = LwAllocateMemory(sizeof(GROUP_POLICY_OBJECT), (PVOID*)&pGPObject);
        BAIL_ON_MAC_ERROR(dwError);

        pGPObject->pszPolicyDN = pszValue;
        pszValue = NULL;

        if (pGPObjectList != NULL)
        {
            pGPObject->pNext = pGPObjectList;
            pGPObjectList = pGPObject;
        }
        else
        {
            pGPObjectList = pGPObject;
        }

        pGPObject = NULL;

        pLDAPMessage = LwLdapNextEntry(hDirectory, pLDAPMessage);
    }

    if (*ppGroupPolicyObjects != NULL)
    {
        (*ppGroupPolicyObjects)->pNext = pGPObjectList;
    }
    else
    {
        *ppGroupPolicyObjects = pGPObjectList;
    }

    if (pMessage)
    {
        ldap_msgfree(pMessage);
    }

    if (pLDAPMessage)
    {
        ldap_msgfree(pLDAPMessage);
    }

    return dwError;

cleanup:

    if (pMessage)
    {
        ldap_msgfree(pMessage);
    }

    if (pLDAPMessage)
    {
        ldap_msgfree(pLDAPMessage);
    }

    LW_SAFE_FREE_STRING(pszValue);
    ADU_SAFE_FREE_GPO_LIST (pGPObject);
    ADU_SAFE_FREE_GPO_LIST (pGPObjectList);

    return dwError;

error:

    if (ppGroupPolicyObjects)
        *ppGroupPolicyObjects = NULL;

    goto cleanup;
}
Exemplo n.º 3
0
DWORD
ADUGetPolicyInformation(
    HANDLE hDirectory,
    PCSTR pszPolicyDN,
    PGROUP_POLICY_OBJECT pGroupPolicyObject
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR szAttributeList[] =
        {ADU_DISPLAY_NAME_ATTR,
         ADU_FLAGS_ATTR,
         ADU_FILESYS_PATH_ATTR,
         ADU_FUNCTIONALITY_VERSION_ATTR,
         ADU_MACHINE_EXTENSION_NAMES_ATTR,
         ADU_USER_EXTENSION_NAMES_ATTR,
         ADU_WQL_FILTER_ATTR,
         ADU_VERSION_NUMBER_ATTR,
         NULL
        };
    LDAPMessage* pMessage = NULL;
    DWORD dwCount = 0;
    PSTR  pszValue = NULL;
    DWORD dwValue = 0;

    dwError = LwLdapDirectorySearch(
        hDirectory,
        pszPolicyDN,
        LDAP_SCOPE_BASE,
        (PSTR)"(objectclass=*)",
        szAttributeList,
        &pMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
        hDirectory,
        pMessage,
        &dwCount
        );
    BAIL_ON_MAC_ERROR(dwError);

    if (dwCount < 0) {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    } else if (dwCount == 0) {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    } else if (dwCount > 1) {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                               pMessage,
                               ADU_DISPLAY_NAME_ATTR,
                               &pszValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszDisplayName = pszValue;
    pszValue = NULL;

    dwError = LwLdapGetUInt32(hDirectory,
                               pMessage,
                               ADU_FLAGS_ATTR,
                               &dwValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->dwFlags = dwValue;

    dwError = LwLdapGetString(hDirectory,
                               pMessage,
                               ADU_FILESYS_PATH_ATTR,
                               &pszValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszgPCFileSysPath = pszValue;
    pszValue = NULL;

    dwError = LwLdapGetUInt32(hDirectory,
                               pMessage,
                               ADU_FUNCTIONALITY_VERSION_ATTR,
                               &dwValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->gPCFunctionalityVersion = dwValue;

    dwError = LwLdapGetString(hDirectory,
                               pMessage,
                               ADU_MACHINE_EXTENSION_NAMES_ATTR,
                               &pszValue);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = 0;
    }
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszgPCMachineExtensionNames = pszValue;
    pszValue = NULL;

    dwError = LwLdapGetString(hDirectory,
                               pMessage,
                               ADU_USER_EXTENSION_NAMES_ATTR,
                               &pszValue);
    if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
    {
        dwError = 0;
    }
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->pszgPCUserExtensionNames = pszValue;
    pszValue = NULL;

    dwError = LwLdapGetUInt32(hDirectory,
                               pMessage,
                               ADU_VERSION_NUMBER_ATTR,
                               &dwValue);
    BAIL_ON_MAC_ERROR(dwError);
    pGroupPolicyObject->dwVersion = dwValue;

cleanup:

    LW_SAFE_FREE_STRING(pszValue);

    if (pMessage) {
        ldap_msgfree(pMessage);
    }

    return dwError;

error:

    LOG_ERROR("Failed to find policy or read GPO attributes for policy (%s)", pszPolicyDN);

    goto cleanup;
}
Exemplo n.º 4
0
DWORD
ADUGetMCXPolicy(
    HANDLE hDirectory,
    PCSTR pszDN,
    PCSTR pszGPOName,
    PGROUP_POLICY_OBJECT * ppGPO
    )
{
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    PSTR szAttributeList[] = { "distinguishedName", NULL };
    char szQuery[512] = {0};
    PGROUP_POLICY_OBJECT pGPObject = NULL;
    LDAPMessage* pMessage = NULL;
    DWORD dwCount = 0;
    PSTR pszValue = NULL;

    sprintf(szQuery, "(&(objectclass=groupPolicyContainer)(%s=%s))", ADU_DISPLAY_NAME_ATTR, pszGPOName);

    dwError = LwLdapDirectorySearch(
        hDirectory,
        pszDN,
        LDAP_SCOPE_ONELEVEL,
        szQuery,
        szAttributeList,
        &pMessage);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapCountEntries(
        hDirectory,
        pMessage,
        &dwCount
        );
    BAIL_ON_MAC_ERROR(dwError);

    if (dwCount < 0) {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    } else if (dwCount == 0) {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    } else if (dwCount > 1) {
        dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
    }
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapGetString(hDirectory,
                               pMessage,
                               "distinguishedName",
                               &pszValue);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwAllocateMemory(sizeof(GROUP_POLICY_OBJECT), (PVOID*)&pGPObject);
    BAIL_ON_MAC_ERROR(dwError);

    pGPObject->pszPolicyDN = pszValue;
    pszValue = NULL;

    *ppGPO = pGPObject;
    pGPObject = NULL;

cleanup:

    if (pMessage) {
        ldap_msgfree(pMessage);
    }

    LW_SAFE_FREE_STRING(pszValue);
    ADU_SAFE_FREE_GPO_LIST (pGPObject);

    return dwError;

error:

    if (ppGPO)
        *ppGPO = NULL;

    goto cleanup;
}