1199
1111
dir_entry* cached_dir_entries_getgroupbycn(gchar*cn){
1200
1112
return dir_entry_list_getgroupbycn(cached_dir_entries,cn);
1116
* Get the list of samba domains from the ldap server.
1118
* This function queries the LDAP server for all entries
1119
* containing the sambaDomain objectclass, and returns
1120
* a list of sambaDomainName values.
1123
app_get_sambadomains_from_ldap (connection_profile * usethisone, gchar **warning)
1125
//conn should already be connected, or else undefined behaviour!!!
1129
GList *sambaDomains = NULL;
1132
LDAPMessage *searchresults = NULL;
1133
LDAPMessage *entry = NULL;
1135
char **value_collection = NULL;
1138
BerElement *attributehandler;
1139
gchar *attributetoreturn[2];
1140
attributetoreturn[0] = SAMBA_DOMAIN_NAME;
1141
attributetoreturn[1] = NULL;
1143
g_print ("\no Fetching samba domains from directory with base %s\n", usethisone->treeroot);
1145
/* check for a connection */
1146
h = connection_profile_get_ldap_handler (usethisone);
1151
ldap_search_s (h, usethisone->treeroot, LDAP_SCOPE_SUBTREE, "(objectclass=" SAMBA_DOMAIN ")", attributetoreturn, 0,
1155
warning[0] = g_strconcat("While searching for Samba domains, an LDAP error\noccurred: ", ldap_err2string (ldap_errors), NULL);
1156
if (ldap_errors == LDAP_SERVER_DOWN) {
1157
connection_profile_invalidate(usethisone);
1162
/* loop through any entries found */
1163
entry = ldap_first_entry (h, searchresults);
1165
attribute = ldap_first_attribute (h, entry, &attributehandler);
1166
value_collection = ldap_get_values (h, entry, attribute);
1167
g_assert (value_collection);
1168
sambaDomains = g_list_append (sambaDomains, g_strdup (value_collection[0]));
1169
g_print (" - Found samba domain: %s\n", value_collection[0]);
1170
ldap_value_free (value_collection);
1171
entry = ldap_next_entry (h, entry);
1173
ldap_msgfree (searchresults);
1175
return (sambaDomains);
1179
* Get a list of possible well known windows domain groups.
1183
app_get_sambagroupmappingdropdown ()
1186
GList *sambaDomainMappings = NULL;
1188
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_NONE));
1189
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_ADMINS));
1190
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_USERS));
1191
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_GUESTS));
1192
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_COMPUTERS));
1193
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_CONTROLLERS));
1194
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_CERTIFICATE_ADMINS));
1195
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_SCHEMA_ADMINS));
1196
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_ENTERPRISE_ADMINS));
1197
sambaDomainMappings = g_list_append (sambaDomainMappings, g_strdup (DOMAIN_POLICY_ADMINS));
1199
return (sambaDomainMappings);
1205
* If the provided group is a well known windows group, return the rid
1206
* of that group, otherwise return zero.
1208
int app_get_sambaridfromgroupmapping (gchar *sambaDomainMapping) {
1213
if (sambaDomainMapping == NULL) {
1217
if (!strcmp(sambaDomainMapping, DOMAIN_ADMINS)) {
1218
rid = DOMAIN_ADMINS_RID;
1220
if (!strcmp(sambaDomainMapping, DOMAIN_USERS)) {
1221
rid = DOMAIN_USERS_RID;
1223
if (!strcmp(sambaDomainMapping, DOMAIN_GUESTS)) {
1224
rid = DOMAIN_GUESTS_RID;
1226
if (!strcmp(sambaDomainMapping, DOMAIN_COMPUTERS)) {
1227
rid = DOMAIN_COMPUTERS_RID;
1229
if (!strcmp(sambaDomainMapping, DOMAIN_CONTROLLERS)) {
1230
rid = DOMAIN_CONTROLLERS_RID;
1232
if (!strcmp(sambaDomainMapping, DOMAIN_CERTIFICATE_ADMINS)) {
1233
rid = DOMAIN_CERTIFICATE_ADMINS_RID;
1235
if (!strcmp(sambaDomainMapping, DOMAIN_SCHEMA_ADMINS)) {
1236
rid = DOMAIN_SCHEMA_ADMINS_RID;
1238
if (!strcmp(sambaDomainMapping, DOMAIN_POLICY_ADMINS)) {
1239
rid = DOMAIN_POLICY_ADMINS_RID;
1248
* From the SID of the group, return the well known group it corresponds
1249
* to. If the SID is not identified as a well known group, then return
1252
gchar * app_get_sambagroupmappingfromsid (gchar *sid) {
1258
return (g_strdup(DOMAIN_NONE));
1261
/* get the rid from the SID */
1263
for (i = strlen(sid); i > 0; i--) {
1264
if (sid[i] == '-') {
1268
rid = - atoi(sid + i);
1271
case DOMAIN_ADMINS_RID: return DOMAIN_ADMINS;
1272
case DOMAIN_USERS_RID: return DOMAIN_USERS;
1273
case DOMAIN_GUESTS_RID: return DOMAIN_GUESTS;
1274
case DOMAIN_COMPUTERS_RID: return DOMAIN_COMPUTERS;
1275
case DOMAIN_CONTROLLERS_RID: return DOMAIN_CONTROLLERS;
1276
case DOMAIN_CERTIFICATE_ADMINS_RID: return DOMAIN_CERTIFICATE_ADMINS;
1277
case DOMAIN_SCHEMA_ADMINS_RID: return DOMAIN_SCHEMA_ADMINS;
1278
case DOMAIN_POLICY_ADMINS_RID: return DOMAIN_POLICY_ADMINS;
1287
* Calculate the sambaSID attribute
1289
* This function queries the LDAP server for the given
1290
* sambaDomain objectclass specified by the sambaDomainName
1293
* If the specified rid is zero, the given uid is multiplied by
1294
* two and is added to the value of sambaAlgorithmicRidBase, which in
1295
* turn is tacked onto the end of sambaSID, giving the resulting value
1296
* for sambaSID for this object.
1298
* If group is given the value "1", then one will be added to the uid
1299
* to make it a group id. Group ids are odd numbers.
1302
app_get_sambasid_from_ldap (connection_profile * usethisone, gchar *sambaDomain, int rid, gchar *uidnumber, int group, gchar **warning)
1304
//conn should already be connected, or else undefined behaviour!!!
1309
LDAPMessage *searchresults = NULL;
1310
LDAPMessage *entry = NULL;
1312
char **value_collection = NULL;
1316
gchar *sambaAlgorithmicRidBase = NULL;
1317
gchar *sambaSID = NULL;
1318
gchar *userSambaSID = NULL;
1320
BerElement *attributehandler;
1321
gchar *attributetoreturn[3];
1322
attributetoreturn[0] = SAMBA_ALGORITHMIC_RID_BASE;
1323
attributetoreturn[1] = SAMBA_SID;
1324
attributetoreturn[2] = NULL;
1326
filter = g_strconcat ("(&(objectclass=" SAMBA_DOMAIN ")(" SAMBA_DOMAIN_NAME "=", sambaDomain, "))", NULL);
1327
g_print ("\no Fetching sambaDomain %s from directory with base\n \"%s\" using filter:\n \"%s\"\n\n", sambaDomain, usethisone->treeroot, filter);
1329
/* check for a connection */
1330
h = connection_profile_get_ldap_handler (usethisone);
1335
ldap_search_s (h, usethisone->treeroot, LDAP_SCOPE_SUBTREE, filter, attributetoreturn, 0,
1339
warning[0] = g_strconcat("While searching for Samba domain '", sambaDomain, "',\nan LDAP error occurred: ", ldap_err2string (ldap_errors), NULL);
1340
if (ldap_errors == LDAP_SERVER_DOWN) {
1341
connection_profile_invalidate(usethisone);
1346
/* loop through any entries found, extract attributes */
1347
entry = ldap_first_entry (h, searchresults);
1349
attribute = ldap_first_attribute (h, entry, &attributehandler);
1351
value_collection = ldap_get_values (h, entry, attribute);
1352
g_assert (value_collection);
1353
g_print (" - Processing: %s\n", attribute);
1354
if (g_strcasecmp (attribute, SAMBA_ALGORITHMIC_RID_BASE) == 0) {
1355
sambaAlgorithmicRidBase = g_strdup(value_collection[0]);
1356
g_print (" - Found sambaAlgorithmicRidBase: %s\n", sambaAlgorithmicRidBase);
1358
else if (g_strcasecmp (attribute, SAMBA_SID) == 0) {
1359
sambaSID = g_strdup(value_collection[0]);
1360
g_print (" - Found sambaSID: %s\n", sambaSID);
1362
ldap_value_free (value_collection);
1363
attribute = ldap_next_attribute (h, entry, attributehandler);
1365
entry = ldap_next_entry (h, entry);
1368
ldap_msgfree (searchresults);
1373
warning[0] = g_strconcat("A Samba domain '", sambaDomain, "' was found, but this object has\nno sambaSID attribute associated with it.\n", NULL);
1374
g_print (" - %s\n", *warning);
1377
if (!sambaAlgorithmicRidBase) {
1378
warning[0] = g_strconcat("A Samba domain '", sambaDomain, "' was found, but this object has\nno sambaAlgorithmicRidBase attribute associated with it.\n", NULL);
1379
g_print (" - %s\n", *warning);
1383
/* create sambaSID of user or group */
1384
sprintf(buffer, "%d", rid > 0 ? rid : (2*atoi(uidnumber) + atoi(sambaAlgorithmicRidBase) + group));
1385
userSambaSID = g_strconcat(sambaSID, "-", buffer, NULL);
1387
g_free(sambaAlgorithmicRidBase);
1388
g_print (" - Returned SID %s\n", userSambaSID);
1389
return userSambaSID;
1393
* Get the domain by sambaSID
1395
* This function queries the LDAP server for the given
1396
* sambaDomain objectclass specified by the sambaSID
1399
* The sambaSID is first stripped of the userid component, then a
1400
* search is conducted of the LDAP server for the name of the domain
1401
* corresponding to the given SID.
1403
* If no domain is found, NULL is returned.
1406
app_get_sambadomain_by_sambasid_from_ldap (connection_profile * usethisone, gchar *sid, gchar **warning)
1408
//conn should already be connected, or else undefined behaviour!!!
1413
LDAPMessage *searchresults = NULL;
1414
LDAPMessage *entry = NULL;
1416
char **value_collection = NULL;
1420
gchar *sambaDomainName = NULL;
1421
BerElement *attributehandler;
1422
gchar *attributetoreturn[2];
1423
attributetoreturn[0] = SAMBA_DOMAIN_NAME;
1424
attributetoreturn[1] = NULL;
1434
/* first, strip off the end of the SID */
1435
sambaSID = g_strdup(sid);
1436
i = strlen(sambaSID);
1438
if (sambaSID[i] == '-') {
1444
/* now, search for the domain corresponding to the sambaSID */
1445
filter = g_strconcat ("(&(objectclass=" SAMBA_DOMAIN ")(" SAMBA_SID "=", sambaSID, "))", NULL);
1446
g_print ("\no Fetching sambaDomain with sambaSID %s\n from directory with base %s using filter:\n %s\n\n", sid, usethisone->treeroot, filter);
1449
/* check for a connection */
1450
h = connection_profile_get_ldap_handler (usethisone);
1455
ldap_search_s (h, usethisone->treeroot, LDAP_SCOPE_SUBTREE, filter, attributetoreturn, 0,
1462
warning[0] = g_strconcat("While searching for domains matching the sambaSID '", sid, "',\nan LDAP error occurred: ", ldap_err2string (ldap_errors), NULL);
1463
if (ldap_errors == LDAP_SERVER_DOWN) {
1464
connection_profile_invalidate(usethisone);
1469
/* only consider the first entry */
1470
entry = ldap_first_entry (h, searchresults);
1472
warning[0] = g_strconcat("While searching for domains matching the sambaSID '", sid, "',\nno domains were found. This is probably caused by your domain object not being accessible beneath\n", usethisone->treeroot, ". Please fix your Windows domain configuration.", NULL);
1473
ldap_msgfree (searchresults);
1477
/* find the attribute we were looking for */
1478
attribute = ldap_first_attribute (h, entry, &attributehandler);
1480
warning[0] = g_strconcat("While searching for domains matching the sambaSID '", sid, "',\nthe domain was found, but it did not contain the attribute ", SAMBA_DOMAIN_NAME, ".\nPlease fix your Windows domain configuration.", NULL);
1481
ldap_msgfree (searchresults);
1485
value_collection = ldap_get_values (h, entry, attribute);
1486
g_assert (value_collection);
1487
sambaDomainName = g_strdup (value_collection[0]);
1488
g_print (" - Samba domain found: %s\n", value_collection[0]);
1489
ldap_value_free (value_collection);
1491
/* any further entries is a sign of trouble */
1492
if (ldap_next_entry (h, searchresults)) {
1493
warning[0] = g_strconcat("While searching for domains matching the sambaSID '", sid, "',\nmore than one domain was found. This is probably caused by a misconfiguration\nof your Samba domain within your LDAP server.", NULL);
1496
ldap_msgfree (searchresults);
1499
return sambaDomainName;
1504
* Pretty printing for LDAP errors
1506
* This function pops up a warning dialog box, based on the errors
1507
* returned by the LDAP server, if any.
1509
void app_handle_ldap_error(int rc, gchar **warning) {
1510
char *message = NULL;
1513
case LDAP_SUCCESS: break;
1514
case LDAP_OBJECT_CLASS_VIOLATION: {
1515
message = "A required field is empty, has invalid characters, or your directory does not\nsupport a required object class. Please complete missing fields, correct invalid\ncharacters and check if your directory has support for needed object classes.";
1518
case LDAP_NO_SUCH_OBJECT: {
1519
message = "Your directory seems to be empty. Directory administrator requires a directory\nwith at least one group and one organizational unit. Visit PADL.com and look for\nthe MigrationTools which will help you populate your directory server.";
1522
case LDAP_INVALID_SYNTAX: {
1523
message = "You specified invalid characters in one of the entry boxes (such as letters\nwhere only numbers are accepted). Please go back and correct errors.";
1526
case LDAP_UNDEFINED_TYPE: {
1527
message = "Your directory server appears not to support a required object class. Please tweak\ncompatibility options in Settings->Preferences or disable object class checking.";
1530
case LDAP_PROTOCOL_ERROR: {
1531
message = "Your directory server appears not to support the current operation. If you were\ntrying to set a password, it could be due to your server not supporting the\nLDAP_EXOP_MODIFY_PASSWD extended operation. Please tweak compatibility\noptions in Settings->Preferences->When changing passwords.";
1535
message = ldap_err2string (rc);
1540
if (message || (warning && *warning)) {
1541
gtk_widget_show (create_messagebox_with_message (g_strconcat(warning && *warning ? *warning : "", warning && *warning ? "\n" : "", message ? message : "", NULL)));