int
ldap_create_assertion_control(
LDAP *ld,
char *assertion,
int iscritical,
LDAPControl **ctrlp )
{
struct berval value;
if ( ctrlp == NULL ) {
ld->ld_errno = LDAP_PARAM_ERROR;
return ld->ld_errno;
}
ld->ld_errno = ldap_create_assertion_control_value( ld,
assertion, &value );
if ( ld->ld_errno == LDAP_SUCCESS ) {
ld->ld_errno = ldap_control_create( LDAP_CONTROL_ASSERT,
iscritical, &value, 0, ctrlp );
if ( ld->ld_errno != LDAP_SUCCESS ) {
LDAP_FREE( value.bv_val );
}
}
return ld->ld_errno;
}
int
ldap_create_sort_control(
LDAP *ld,
LDAPSortKey **keyList,
int isCritical,
LDAPControl **ctrlp )
{
struct berval value;
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
if ( ld == NULL ) {
return LDAP_PARAM_ERROR;
}
if ( ctrlp == NULL ) {
ld->ld_errno = LDAP_PARAM_ERROR;
return ld->ld_errno;
}
ld->ld_errno = ldap_create_sort_control_value( ld, keyList, &value );
if ( ld->ld_errno == LDAP_SUCCESS ) {
ld->ld_errno = ldap_control_create( LDAP_CONTROL_SORTREQUEST,
isCritical, &value, 0, ctrlp );
if ( ld->ld_errno != LDAP_SUCCESS ) {
LDAP_FREE( value.bv_val );
}
}
return ld->ld_errno;
}
/*
* NOTE: this API is bad; it could be much more efficient...
*/
int
ldap_create_session_tracking_control(
LDAP *ld,
char *sessionSourceIp,
char *sessionSourceName,
char *formatOID,
struct berval *sessionTrackingIdentifier,
LDAPControl **ctrlp )
{
struct berval value;
if ( ctrlp == NULL ) {
ld->ld_errno = LDAP_PARAM_ERROR;
return ld->ld_errno;
}
ld->ld_errno = ldap_create_session_tracking_value( ld,
sessionSourceIp, sessionSourceName, formatOID,
sessionTrackingIdentifier, &value );
if ( ld->ld_errno == LDAP_SUCCESS ) {
ld->ld_errno = ldap_control_create( LDAP_CONTROL_X_SESSION_TRACKING,
0, &value, 0, ctrlp );
if ( ld->ld_errno != LDAP_SUCCESS ) {
LDAP_FREE( value.bv_val );
}
}
return ld->ld_errno;
}
int
ldap_create_vlv_control(
LDAP *ld,
LDAPVLVInfo *vlvinfop,
LDAPControl **ctrlp )
{
struct berval value;
if ( ctrlp == NULL ) {
ld->ld_errno = LDAP_PARAM_ERROR;
return ld->ld_errno;
}
ld->ld_errno = ldap_create_vlv_control_value( ld, vlvinfop, &value );
if ( ld->ld_errno == LDAP_SUCCESS ) {
ld->ld_errno = ldap_control_create( LDAP_CONTROL_VLVREQUEST,
1, &value, 0, ctrlp );
if ( ld->ld_errno != LDAP_SUCCESS ) {
LDAP_FREE( value.bv_val );
}
}
return ld->ld_errno;
}
int
ldap_create_deref_control(
LDAP *ld,
LDAPDerefSpec *ds,
int iscritical,
LDAPControl **ctrlp )
{
struct berval value;
if ( ctrlp == NULL ) {
ld->ld_errno = LDAP_PARAM_ERROR;
return ld->ld_errno;
}
ld->ld_errno = ldap_create_deref_control_value( ld, ds, &value );
if ( ld->ld_errno == LDAP_SUCCESS ) {
ld->ld_errno = ldap_control_create( LDAP_CONTROL_PAGEDRESULTS,
iscritical, &value, 0, ctrlp );
if ( ld->ld_errno != LDAP_SUCCESS ) {
LDAP_FREE( value.bv_val );
}
}
return ld->ld_errno;
}
int
ldap_create_page_control(
LDAP *ld,
ber_int_t pagesize,
struct berval *cookie,
int iscritical,
LDAPControl **ctrlp )
{
struct berval value;
if ( ctrlp == NULL ) {
ld->ld_errno = LDAP_PARAM_ERROR;
return ld->ld_errno;
}
ld->ld_errno = ldap_create_page_control_value( ld,
pagesize, cookie, &value );
if ( ld->ld_errno == LDAP_SUCCESS ) {
ld->ld_errno = ldap_control_create( LDAP_CONTROL_PAGEDRESULTS,
iscritical, &value, 0, ctrlp );
if ( ld->ld_errno != LDAP_SUCCESS ) {
LDAP_FREE( value.bv_val );
}
}
return ld->ld_errno;
}
int
ldap_create_passwordpolicy_control( LDAP *ld,
LDAPControl **ctrlp )
{
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
assert( ctrlp != NULL );
ld->ld_errno = ldap_control_create( LDAP_CONTROL_PASSWORDPOLICYREQUEST,
0, NULL, 0, ctrlp );
return ld->ld_errno;
}
int sss_ldap_control_create(const char *oid, int iscritical,
struct berval *value, int dupval,
LDAPControl **ctrlp)
{
#ifdef HAVE_LDAP_CONTROL_CREATE
return ldap_control_create(oid, iscritical, value, dupval, ctrlp);
#else
LDAPControl *lc = NULL;
if (oid == NULL || ctrlp == NULL) {
return LDAP_PARAM_ERROR;
}
lc = calloc(sizeof(LDAPControl), 1);
if (lc == NULL) {
return LDAP_NO_MEMORY;
}
lc->ldctl_oid = strdup(oid);
if (lc->ldctl_oid == NULL) {
free(lc);
return LDAP_NO_MEMORY;
}
if (value != NULL && value->bv_val != NULL) {
if (dupval == 0) {
lc->ldctl_value = *value;
} else {
ber_dupbv(&lc->ldctl_value, value);
if (lc->ldctl_value.bv_val == NULL) {
free(lc->ldctl_oid);
free(lc);
return LDAP_NO_MEMORY;
}
}
}
lc->ldctl_iscritical = iscritical;
*ctrlp = lc;
return LDAP_SUCCESS;
#endif
}
/* Create an LDAP_SERVER_EXTENDED_DN control. */
int _ldap_create_extended_dn_control(LDAP *ld, int format, LDAPControl **edn_ctrl) {
int rc = -1;
BerElement *ber = NULL;
struct berval *value = NULL;
LDAPControl *ctrl = NULL;
ber = ber_alloc_t(LBER_USE_DER);
if (ber == NULL) return LDAP_NO_MEMORY;
/* Transcode the data into a berval struct. */
ber_printf(ber, "{i}", format);
rc = ber_flatten(ber, &value);
ber_free(ber, 1);
if (rc != 0) return rc;
rc = ldap_control_create(LDAP_SERVER_EXTENDED_DN_OID, 0, value, 1, &ctrl);
ber_bvfree(value);
if (rc != LDAP_SUCCESS) return rc;
*edn_ctrl = ctrl;
return LDAP_SUCCESS;
}
krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
char *base_dn, int scope,
char *filter,
char **entry_attrs,
char **deref_attr_names,
char **deref_attrs,
LDAPMessage **res)
{
struct berval derefval = { 0, NULL };
LDAPControl *ctrl[2] = { NULL, NULL };
LDAPDerefSpec *ds;
krb5_error_code kerr;
int times;
int ret;
int c, i;
bool retry;
for (c = 0; deref_attr_names[c]; c++) {
/* count */ ;
}
ds = calloc(c+1, sizeof(LDAPDerefSpec));
if (!ds) {
return ENOMEM;
}
for (i = 0; deref_attr_names[i]; i++) {
ds[i].derefAttr = deref_attr_names[i];
ds[i].attributes = deref_attrs;
}
ds[c].derefAttr = NULL;
ret = ldap_create_deref_control_value(ipactx->lcontext, ds, &derefval);
if (ret != LDAP_SUCCESS) {
kerr = ENOMEM;
goto done;
}
ret = ldap_control_create(LDAP_CONTROL_X_DEREF,
1, &derefval, 1, &ctrl[0]);
if (ret != LDAP_SUCCESS) {
kerr = ENOMEM;
goto done;
}
/* retry once if connection errors (tot. max. 2 tries) */
times = 2;
ret = LDAP_SUCCESS;
retry = true;
while (retry) {
times--;
ret = ipadb_check_connection(ipactx);
if (ret != 0)
break;
ret = ldap_search_ext_s(ipactx->lcontext, base_dn,
scope, filter,
entry_attrs, 0,
ctrl, NULL,
&std_timeout, LDAP_NO_LIMIT,
res);
retry = ipadb_need_retry(ipactx, ret) && times > 0;
if (retry) {
/* Free result before next try */
ldap_msgfree(*res);
}
}
kerr = ipadb_simple_ldap_to_kerr(ret);
done:
ldap_control_free(ctrl[0]);
ldap_memfree(derefval.bv_val);
free(ds);
return kerr;
}
DWORD
LwLdapDirectoryExtendedDNSearch(
IN HANDLE hDirectory,
IN PCSTR pszObjectDN,
IN PCSTR pszQuery,
IN PSTR* ppszAttributeList,
IN int scope,
OUT LDAPMessage** ppMessage
)
{
DWORD dwError = LW_ERROR_SUCCESS;
CHAR ExtDNCriticality = 'T';
LDAPControl *pExtDNControl = NULL;
LDAPControl *ppInputControls[2] = { NULL, NULL };
LDAPMessage* pMessage = NULL;
struct berval value = {0};
// Setup the extended DN control, in order to be windows 2000 compatible,
// Do not specify control value, hence, the return result will always be in hexadecimal string format.
value.bv_len = 0;
value.bv_val = NULL;
dwError = ldap_control_create(LDAP_CONTROL_X_EXTENDED_DN,
ExtDNCriticality,
&value,
0,
&pExtDNControl);
BAIL_ON_LDAP_ERROR(dwError);
ppInputControls[0] = pExtDNControl;
dwError = LwLdapDirectorySearchEx(
hDirectory,
pszObjectDN,
scope,
pszQuery,
ppszAttributeList,
ppInputControls,
0,
&pMessage);
BAIL_ON_LW_ERROR(dwError);
LW_ASSERT(pMessage != NULL);
*ppMessage = pMessage;
cleanup:
ppInputControls[0] = NULL;
if (pExtDNControl)
{
ldap_control_free(pExtDNControl);
}
return (dwError);
error:
if (pMessage)
{
ldap_msgfree(pMessage);
}
*ppMessage = NULL;
goto cleanup;
}
