3
# adssearch.pl - query an Active Directory server and
4
# display objects in a human readable format
6
# Copyright (C) Guenther Deschner <gd@samba.org> 2003-2005
8
# TODO: add range retrieval
9
# write sddl-converter, decode userParameters
11
# apparently only win2k3 allows simple-binds with machine-accounts.
12
# make sasl support independent from Authen::SASL::Cyrus v >0.11
16
use Net::LDAP::Control;
17
use Net::LDAP::Constant qw(LDAP_REFERRAL);
20
use POSIX qw(strftime);
27
my $class = 'Authen::SASL';
28
$pref_version = "0.32";
29
if ( eval "require $class;" ) {
32
if ( eval "Net::LDAP->VERSION($pref_version);" ) {
37
# users may set defaults here
45
my $tdbdump = "/usr/bin/tdbdump";
46
my $testparm = "/usr/bin/testparm";
47
my $net = "/usr/bin/net";
48
my $dig = "/usr/bin/dig";
49
my $nmblookup = "/usr/bin/nmblookup";
50
my $secrets_tdb = "/etc/samba/secrets.tdb";
51
my $klist = "/usr/bin/klist";
52
my $kinit = "/usr/bin/kinit";
53
my $ads_h = "/home/gd/ads.h";
64
$opt_display_extendeddn,
65
$opt_display_metadata,
92
'base|b=s' => \$opt_base,
93
'D|DN=s' => \$opt_binddn,
94
'debug=i' => \$opt_debug,
95
'domain_scope' => \$opt_domain_scope,
96
'extendeddn|e:i' => \$opt_display_extendeddn,
97
'fastbind' => \$opt_fastbind,
99
'host|h=s' => \$opt_host,
100
'machine|P' => \$opt_machine,
101
'metadata|m' => \$opt_display_metadata,
102
'nodiffs' => \$opt_notify_nodiffs,
103
'notify|n' => \$opt_notify,
104
'paging:i' => \$opt_paging,
105
'password|w=s' => \$opt_password,
106
'port=i' => \$opt_port,
107
'rawdisplay' => \$opt_display_raw,
108
'realm|R=s' => \$opt_realm,
109
'rootDSE' => \$opt_dump_rootdse,
110
'saslmech|Y=s' => \$opt_saslmech,
111
'schema|c' => \$opt_dump_schema,
112
'scope|s=s' => \$opt_scope,
113
'simpleauth|x' => \$opt_simpleauth,
114
'tls|Z' => \$opt_starttls,
115
'user|U=s' => \$opt_user,
116
'verbose|v' => \$opt_verbose,
117
'wknguid' => \$opt_dump_wknguid,
118
'workgroup|k=s' => \$opt_workgroup,
122
if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
127
if ($opt_fastbind && !$opt_simpleauth) {
128
printf("LDAP fast bind can only be performed with simple binds\n");
144
my (@ctrls, @ctrls_s);
145
my ($ctl_paged, $cookie);
146
my ($page_count, $total_entry_count);
147
my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
151
my (%ads_atype, %ads_gtype, %ads_grouptype, %ads_uf);
153
# fixed values and vars
156
my $tabsize = "\t\t\t";
159
my $scope = $opt_scope || "sub";
160
my $port = $opt_port;
163
"LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528",
164
"LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529",
165
"LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319",
166
"LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801",
167
"LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473",
168
"LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474",
169
"LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9",
170
"LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10",
171
"LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure
172
"LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417",
173
"LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521",
174
"LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619",
175
"LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805",
176
"LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841",
177
"LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338",
178
"LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339",
179
"LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340",
180
"LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413",
181
"LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504",
182
"NONE (Get stats control)" => "1.2.840.113556.1.4.970",
183
"LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852",
186
my %ads_capabilities = (
187
"LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800",
188
"LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670",
189
"LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
192
my %ads_extensions = (
193
"LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037",
194
"LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1",
195
"LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781",
196
"NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1",
199
my %ads_matching_rules = (
200
"LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803",
201
"LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804",
205
"WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD",
206
"WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A",
207
"WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD",
208
"WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD",
211
my %ads_systemflags = (
212
"FLAG_DONT_REPLICATE" => 0x00000001, # 1
213
"FLAG_REPLICATE_TO_GC" => 0x00000002, # 2
214
"FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4
215
"FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16
216
"FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432
217
"FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864
218
"FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728
219
#"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation
220
#"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation
221
#"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation
222
"FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648
225
my %ads_mixed_domain = (
226
"NATIVE_LEVEL_DOMAIN" => 0,
227
"MIXED_LEVEL_DOMAIN" => 1,
231
"DS_BEHAVIOR_WIN2000" => 0, # untested
232
"DS_BEHAVIOR_WIN2003" => 2,
235
my %ads_instance_type = (
236
"DS_INSTANCETYPE_IS_NC_HEAD" => 0x1,
238
"IT_NC_ABOVE" => 0x8,
242
"ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
243
"ACCOUNT_OK" => 0x800000, # 8388608
244
"ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
247
my %ads_gpoptions = (
248
"GPOPTIONS_INHERIT" => 0,
249
"GPOPTIONS_BLOCK_INHERITANCE" => 1,
252
my %ads_gplink_opts = (
253
"GPLINK_OPT_NONE" => 0,
254
"GPLINK_OPT_DISABLED" => 1,
255
"GPLINK_OPT_ENFORCED" => 2,
259
"GPFLAGS_ALL_ENABLED" => 0,
260
"GPFLAGS_USER_SETTINGS_DISABLED" => 1,
261
"GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2,
262
"GPFLAGS_ALL_DISABLED" => 3,
265
my %ads_serverstate = (
266
"SERVER_ENABLED" => 1,
267
"SERVER_DISABLED" => 2,
270
my %ads_sdeffective = (
271
"OWNER_SECURITY_INFORMATION" => 0x01,
272
"DACL_SECURITY_INFORMATION" => 0x04,
273
"SACL_SECURITY_INFORMATION" => 0x10,
276
my %ads_trustattrs = (
277
"TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1,
278
"TRUST_ATTRIBUTE_TREE_PARENT" => 2,
279
"TRUST_ATTRIBUTE_TREE_ROOT" => 3,
280
"TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4,
283
my %ads_trustdirection = (
284
"TRUST_DIRECTION_INBOUND" => 1,
285
"TRUST_DIRECTION_OUTBOUND" => 2,
286
"TRUST_DIRECTION_BIDIRECTIONAL" => 3,
289
my %ads_trusttype = (
290
"TRUST_TYPE_DOWNLEVEL" => 1,
291
"TRUST_TYPE_UPLEVEL" => 2,
292
"TRUST_TYPE_KERBEROS" => 3,
293
"TRUST_TYPE_DCE" => 4,
296
my %ads_pwdproperties = (
297
"DOMAIN_PASSWORD_COMPLEX" => 1,
298
"DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2,
299
"DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4,
300
"DOMAIN_LOCKOUT_ADMINS" => 8,
301
"DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16,
302
"DOMAIN_REFUSE_PASSWORD_CHANGE" => 32,
305
my %ads_uascompat = (
306
"LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0,
307
"LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1,
311
"REPLICA_SET_SYSVOL" => 2, # unsure
312
"REPLICA_SET_DFS" => 1, # unsure
313
"REPLICA_SET_OTHER" => 0, # unsure
316
my %ads_gp_cse_extensions = (
317
"Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
318
"Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
319
"EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
320
"Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
321
"IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
322
"Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
323
"QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
324
"Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
325
"Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
326
"Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
330
my %ads_gpcextensions = (
331
"Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
332
"Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
333
"EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
334
"Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
335
"Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
336
"Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
337
"Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4",
338
"Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
339
"Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
340
"unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4",
341
"unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
344
my %ads_gpo_default_guids = (
345
"Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9",
346
"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
347
"mist" => "61718096-3D3F-4398-8318-203A48976F9E",
351
"CtxCfgPresent" => \&dump_int,
352
"CtxCfgFlags1" => \&dump_int,
353
"CtxCallback" => \&dump_string,
354
"CtxShadow" => \&dump_string,
355
"CtxMaxConnectionTime" => \&dump_int,
356
"CtxMaxDisconnectionTime"=> \&dump_int,
357
"CtxMaxIdleTime" => \&dump_int,
358
"CtxKeyboardLayout" => \&dump_int,
359
"CtxMinEncryptionLevel" => \&dump_int,
360
"CtxWorkDirectory" => \&dump_string,
361
"CtxNWLogonServer" => \&dump_string,
362
"CtxWFHomeDir" => \&dump_string,
363
"CtxWFHomeDirDrive" => \&dump_string,
364
"CtxWFProfilePath" => \&dump_string,
365
"CtxInitialProgram" => \&dump_string,
366
"CtxCallbackNumber" => \&dump_string,
369
$SIG{__WARN__} = sub {
377
# if there is data missing, we try to autodetect with samba-tools (if installed)
378
# this might fill up workgroup, machine, realm
382
$workgroup = $workgroup || $opt_workgroup || "";
385
$server = process_servername($opt_host) ||
386
detect_server($workgroup,$opt_realm) ||
387
die "please define server to query with -h host\n";
392
get_base_from_rootdse($server,$dse);
395
$realm = $opt_realm ||
396
get_realm_from_rootdse($server,$dse);
399
my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse);
400
my $sasl_mech = "GSSAPI";
402
$sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
406
my $sasl_bind = 1 if (!$opt_simpleauth);
409
my $user = check_user($opt_user) || $ENV{'USER'} || "";
412
my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
415
$binddn = $opt_binddn || $upn;
418
$password = $password || $opt_password;
420
$password = $opt_machine ? get_machine_password($workgroup) : get_password();
424
"Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name
425
"accountExpires" => \&dump_nttime,
426
"badPasswordTime" => \&dump_nttime,
427
"creationTime" => \&dump_nttime,
428
"currentTime" => \&dump_timestr,
429
"domainControllerFunctionality" => \&dump_ds_func,
430
"domainFunctionality" => \&dump_ds_func,
431
"fRSReplicaSetGUID" => \&dump_guid,
432
"fRSReplicaSetType" => \&dump_frstype,
433
"fRSVersionGUID" => \&dump_guid,
434
"flags" => \&dump_gpflags, # fixme: possibly only on gpos!
435
"forceLogoff" => \&dump_nttime_abs,
436
"forestFunctionality" => \&dump_ds_func,
437
# "gPCMachineExtensionNames" => \&dump_gpcextensions,
438
# "gPCUserExtensionNames" => \&dump_gpcextensions,
439
"gPLink" => \&dump_gplink,
440
"gPOptions" => \&dump_gpoptions,
441
"groupType" => \&dump_gtype,
442
"instanceType" => \&dump_instance_type,
443
"lastLogon" => \&dump_nttime,
444
"lastLogonTimestamp" => \&dump_nttime,
445
"lockOutObservationWindow" => \&dump_nttime_abs,
446
"lockoutDuration" => \&dump_nttime_abs,
447
"lockoutTime" => \&dump_nttime,
448
# "logonHours" => \&dump_logonhours,
449
"maxPwdAge" => \&dump_nttime_abs,
450
"minPwdAge" => \&dump_nttime_abs,
451
"modifyTimeStamp" => \&dump_timestr,
452
"msDS-Behavior-Version" => \&dump_ds_func, #unsure
453
"msDS-User-Account-Control-Computed" => \&dump_uacc,
454
"mS-DS-CreatorSID" => \&dump_sid,
455
# "msRADIUSFramedIPAddress" => \&dump_ipaddr,
456
# "msRASSavedFramedIPAddress" => \&dump_ipaddr,
457
"netbootGUID" => \&dump_guid,
458
"nTMixedDomain" => \&dump_mixed_domain,
459
"nTSecurityDescriptor" => \&dump_secdesc,
460
"objectGUID" => \&dump_guid,
461
"objectSid" => \&dump_sid,
463
"pKTGuid" => \&dump_guid,
464
"pwdLastSet" => \&dump_nttime,
465
"pwdProperties" => \&dump_pwdproperties,
466
"sAMAccountType" => \&dump_atype,
467
"sDRightsEffective" => \&dump_sdeffective,
468
"securityIdentifier" => \&dump_sid,
469
"serverState" => \&dump_serverstate,
470
"supportedCapabilities", => \&dump_capabilities,
471
"supportedControl", => \&dump_controls,
472
"supportedExtension", => \&dump_extension,
473
"systemFlags" => \&dump_systemflags,
474
"tokenGroups", => \&dump_sid,
475
"tokenGroupsGlobalAndUniversal" => \&dump_sid,
476
"tokenGroupsNoGCAcceptable" => \&dump_sid,
477
"trustAttributes" => \&dump_trustattr,
478
"trustDirection" => \&dump_trustdirection,
479
"trustType" => \&dump_trusttype,
480
"uASCompat" => \&dump_uascompat,
481
"userAccountControl" => \&dump_uac,
482
"userCertificate" => \&dump_cert,
483
"userFlags" => \&dump_uf,
484
"userParameters" => \&dump_munged_dial,
485
"whenChanged" => \&dump_timestr,
486
"whenCreated" => \&dump_timestr,
487
# "dSCorePropagationData" => \&dump_timestr,
497
print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
498
print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
499
print "\t--base|-b [base]\n\t\tUse base [base]\n";
500
print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
501
print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n";
502
print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
503
print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
504
print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n";
505
print "\t--help\n\t\tDisplay help page\n";
506
print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
507
print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
508
print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
509
print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
510
print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
511
print "\t--paging [pagesize]\n\t\tUse paged results when searching\n";
512
print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
513
print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
514
print "\t--rawdisplay\n\t\tDo not interpret values\n";
515
print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
516
print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
517
print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
518
print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
519
print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
520
print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
521
print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
522
print "\t--user|-U [user]\n\t\tUse [user]\n";
523
print "\t--wknguid\n\t\tDisplay well known guids\n";
524
print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
528
my ($mod,$attr,$value) = @_;
529
my $ofh = select(STDOUT);
535
@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
541
my ($mod,$attr,$value) = @_;
542
my $ofh = select(STDOUT);
548
@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
550
~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
557
my $workgroup = shift;
562
# try net cache (nbt records)
563
if ( -x $net && $workgroup ) {
564
my $key = sprintf("NBT/%s#1C", uc($workgroup));
565
chomp($result = `$net cache search $key 2>&1 /dev/null`);
566
$result =~ s/^.*Value: //;
568
return $result if $result;
569
printf("%10s query failed for [%s]\n", "net cache", $key);
572
# try dns SRV entries
573
if ( -x $dig && $realm ) {
574
my $key = sprintf("_ldap._tcp.%s", lc($realm));
575
chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
578
return $result if $result;
579
printf("%10s query failed for [%s]\n", "dns", $key);
582
# try netbios broadcast query
583
if ( -x $nmblookup && $workgroup ) {
584
my $key = sprintf("%s#1C", uc($workgroup));
585
my $pattern = sprintf("%s<1c>", uc($workgroup));
586
chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
588
return $result if $result;
589
printf("%10s query failed for [%s]\n", "nmblookup", $key);
597
if (! -x $testparm) { return -1; }
600
open(TESTPARM, "$testparm -s -v 2> /dev/null |");
601
while (my $line = <TESTPARM>) {
603
if ($line =~ /netbios name/) {
604
($tmp, $machine) = split(/=/, $line);
605
$machine =~ s/\s+|\t+//g;
607
if ($line =~ /realm/) {
608
($tmp, $realm) = split(/=/, $line);
609
$realm =~ s/\s+|\t+//g;
611
if ($line =~ /workgroup/) {
612
($tmp, $workgroup) = split(/=/, $line);
613
$workgroup =~ s/\s+|\t+//g;
623
if ($machine && $realm) {
624
return sprintf("%s\@%s", lc($machine), uc($realm));
630
if (!$password && $opt_simpleauth && check_ticket($user)) {
631
return prompt_password($user);
637
my $user = shift || prompt_user();
641
sub get_machine_password {
643
my $workgroup = shift || "";
644
$workgroup = uc($workgroup);
647
-x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
648
-r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
650
# get machine-password
651
my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
652
open(SECRETS,"$tdbdump $secrets_tdb |");
653
while(my $line = <SECRETS>) {
657
($line,$password) = split(/"/, $line);
660
if ($line =~ /$key/) {
667
print "Successfully autodetected machine password for workgroup: $workgroup\n";
670
warn "No machine password available for $workgroup\n";
675
sub prompt_password {
677
my $acct = shift || "";
679
($acct, $password) = split(/\%/, $acct);
683
print "Enter password for $acct:";
684
my $password = <STDIN>;
693
print "Enter Username:";
702
# works only for heimdal
703
return system("$klist -t");
708
my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
710
open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
711
printf KRB5CONF "# autogenerated by $0\n";
712
printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
713
printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
716
if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
724
my $acct = shift || "";
726
($acct, $password) = split(/\%/, $acct);
731
sub check_root_dse($$$@) {
734
my $server = shift || "";
735
$dse = shift || get_dse($server) || return -1;
736
my $attr = shift || die "unknown query";
739
my $dse_list = $dse->get_value($attr, asref => '1');
740
my @dse_array = @$dse_list;
742
foreach my $i (@array) {
743
# we could use -> supported_control but this
744
# is only available in newer versions of perl-ldap
745
# if ( ! $dse->supported_control( $i ) ) {
746
if ( grep(/$i->type()/, @dse_array) ) {
747
printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type());
754
sub check_ctrls ($$@) {
758
return check_root_dse($server, $dse, "supportedControl", @array);
761
sub check_exts ($$@) {
765
return check_root_dse($server, $dse, "supportedExtension", @array);
768
sub get_base_from_rootdse {
770
my $server = shift || "";
771
$dse = shift || get_dse($server,$async_ldap_hd) || return -1;
772
return $dse->get_value('defaultNamingContext');
775
sub get_realm_from_rootdse {
777
my $server = shift || "";
778
$dse = shift || get_dse($server,$async_ldap_hd) || return -1;
779
my $service = $dse->get_value('ldapServiceName') || "";
781
my ($t,$realm) = split(/\@/, $service);
784
die "very odd: could not get realm";
788
sub get_sasl_mechs_from_rootdse {
790
my $server = shift || "";
791
$dse = shift || get_dse($server,$async_ldap_hd) || return -1;
792
my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
798
my $server = shift || return undef;
799
$async_ldap_hd = shift || get_ldap_hd($server,1);
800
if (!$async_ldap_hd) {
801
print "oh, no connection\n";
804
my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
805
if ($mesg->code) { die "failed to bind\n"; };
806
my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
811
sub process_servername {
813
my $name = shift || return "";
814
if ($name =~ /^ldaps:\/\//i ) {
815
$name =~ s#^ldaps://##i;
816
$uri = sprintf("%s://%s", "ldaps", $name);
818
$name =~ s#^ldap://##i;
819
$uri = sprintf("%s://%s", "ldap", $name);
826
my $server = shift || return undef;
827
my $async = shift || "0";
829
die "uri unavailable" if (!$uri);
830
if ($uri =~ /^ldaps:\/\//i ) {
831
$port = $port || 636;
833
$hd = Net::LDAPS->new( $server, async => $async, port => $port ) ||
834
die "host $server not available: $!";
836
$port = $port || 389;
837
$hd = Net::LDAP->new( $server, async => $async, port => $port ) ||
838
die "host $server not available: $!";
840
$hd->debug($opt_debug);
842
$hd->start_tls( verify => 'none' );
851
print "no sasl support\n";
856
if ($sasl_mech && $sasl_mech eq "GSSAPI") {
857
my $user = sprintf("%s\@%s", $user, uc($realm));
858
if (check_ticket($user) != 0 && get_ticket($user) != 0) {
859
print "Could not get Kerberos ticket for user [$user]\n";
863
$hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
864
my $conn = $hd->client_new("ldap", $server);
866
if ($conn->code == -1) {
867
printf "%s\n", $conn->error();
871
} elsif ($sasl_mech) {
873
# here comes generic sasl code
874
$hd = Authen::SASL->new( mechanism => $sasl_mech,
877
pass => \&get_password
882
print "no supported SASL mechanism found (@sasl_mechs).\n";
883
print "falling back to simple bind.\n";
890
sub check_sasl_mech {
891
my $mech_check = shift;
893
foreach my $mech (@sasl_mechs) {
894
$have_mech = 1 if ($mech eq uc($mech_check));
905
-e "$ads_h" || die "cannot open samba3 ads.h ($ads_h): $!";
907
while (my $line = <ADSH>) {
909
if ($line =~ /#define.UF.*0x/) {
910
my ($tmp, $name, $val) = split(/\s+/,$line);
911
next if ($name =~ /UNUSED/);
912
# $ads_uf{$name} = sprintf("%d", hex $val);
913
$ads_uf{$name} = hex $val;
915
if ($line =~ /#define.GROUP_TYPE.*0x/) {
916
my ($tmp, $name, $val) = split(/\s+/,$line);
917
$ads_grouptype{$name} = hex $val;
919
if ($line =~ /#define.ATYPE.*0x/) {
920
my ($tmp, $name, $val) = split(/\s+/,$line);
922
(exists $ads_atype{$val}) ? $ads_atype{$val} : hex $val;
924
if ($line =~ /#define.GTYPE.*0x/) {
926
my ($tmp, $name, @val) = split(/\s+/,$line);
927
foreach my $tempval (@val) {
928
if ($tempval =~ /^0x/) {
934
$ads_gtype{$name} = sprintf("%d", hex $val);
941
sub store_result ($) {
945
$entry_store{$entry->dn} = $entry;
948
sub display_result_diff ($) {
950
my $entry_new = shift;
951
return if ( !$entry_new);
953
if ( !exists $entry_store{$entry_new->dn}) {
954
print "can't display any differences yet. full dump...\n";
955
display_entry_generic($entry_new);
959
my $entry_old = $entry_store{$entry_new->dn};
961
foreach my $attr (sort $entry_new->attributes) {
962
if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
963
display_attr_generic("add:\t", $entry_new, $attr);
968
foreach my $attr (sort $entry_old->attributes) {
969
if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
970
display_attr_generic("del:\t", $entry_old, $attr);
974
# now check for all values if they have changed, display changes
975
my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
977
$old_vals = $entry_old->get_value($attr, asref => 1);
978
@old_vals = @$old_vals;
979
$new_vals = $entry_new->get_value($attr, asref => 1);
980
@new_vals = @$new_vals;
982
if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
983
if ($old_vals[0] ne $new_vals[0]) {
984
display_attr_generic("old:\t", $entry_old, $attr);
985
display_attr_generic("new:\t", $entry_new, $attr);
990
# handle multivalued diffs
991
foreach my $val (@old_vals) { $old{$val} = "dummy"; };
992
foreach my $val (@new_vals) { $new{$val} = "dummy"; };
993
foreach my $val (sort keys %new) {
994
if (!exists $old{$val}) {
995
display_value_generic("add:\t", $attr, $val);
998
foreach my $val (sort keys %old) {
999
if (!exists $new{$val}) {
1000
display_value_generic("del:\t", $attr, $val);
1008
sub sid2string ($) {
1010
# Fix from Michael James <michael@james.st>
1011
my $binary_sid = shift;
1012
my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
1013
my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
1018
sub string_to_guid {
1020
return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
1022
return pack("I", hex $1) .
1031
pack("C", hex $10) .
1034
# print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
1037
sub bindstring_to_guid {
1039
return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2",
1058
sub guid_to_string {
1060
my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
1062
unpack("S", substr($guid, 4, 2)),
1063
unpack("S", substr($guid, 6, 2)),
1064
unpack("C", substr($guid, 8, 1)),
1065
unpack("C", substr($guid, 9, 1)),
1066
unpack("C", substr($guid, 10, 1)),
1067
unpack("C", substr($guid, 11, 1)),
1068
unpack("C", substr($guid, 12, 1)),
1069
unpack("C", substr($guid, 13, 1)),
1070
unpack("C", substr($guid, 14, 1)),
1071
unpack("C", substr($guid, 15, 1));
1075
sub guid_to_bindstring {
1077
return unpack("H" . 2 * length($guid), $guid),
1081
print "Dumping Well known GUIDs:\n";
1082
foreach my $wknguid (keys %wknguids) {
1084
my $guid = bindstring_to_guid($wknguids{$wknguid});
1085
my $str = guid_to_string($guid);
1086
my $back = guid_to_bindstring($guid);
1088
printf "wkguid: %s\n", $wknguid;
1089
printf "bind_string format: %s\n", $wknguids{$wknguid};
1090
printf "string format: %s\n", guid_to_string($guid);
1091
printf "back to bind_string:%s\n", guid_to_bindstring($guid);
1093
printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
1097
sub gen_bitmask_string_format($%) {
1101
foreach my $key (sort keys %tmp) {
1102
push(@list, sprintf("%s %s", $tmp{$key}, $key));
1104
return join("\n$mod$tabsize",@list);
1108
sub nt_to_unixtime ($) {
1109
# the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
1111
$t64 =~ s/(.+).{7,7}/$1/;
1112
$t64 -= 11644473600;
1118
my $mod = shift || die "no mod";
1122
foreach my $key (keys %header) {
1123
if ($header{$key} eq $val) {
1124
$tmp{"($val)"} = $key;
1129
if (!$found) { $tmp{$val} = ""; };
1130
return gen_bitmask_string_format($mod,%tmp);
1134
my $op = shift || die "no op";
1136
my $mod = shift || die "no mod";
1140
foreach my $key (sort keys %header) { # sort by val !
1142
$tmp{$key} = ( $val & $header{$key} ) ? $set:$unset;
1143
} elsif ($op eq "==") {
1144
$tmp{$key} = ( $val == $header{$key} ) ? $set:$unset;
1146
print "unknown operator: $op\n";
1150
return gen_bitmask_string_format($mod,%tmp);
1153
sub dump_bitmask_and {
1154
return dump_bitmask("&",@_);
1157
sub dump_bitmask_equal {
1158
return dump_bitmask("==",@_);
1162
return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
1165
sub dump_uascompat {
1166
return dump_bitmask_equal(@_,%ads_uascompat);
1169
sub dump_gpoptions {
1170
return dump_bitmask_equal(@_,%ads_gpoptions);
1174
return dump_bitmask_equal(@_,%ads_gpflags);
1178
return dump_bitmask_equal(@_,%ads_uacc);
1182
return dump_bitmask_and(@_,%ads_uf);
1186
my $ret = dump_bitmask_and(@_,%ads_grouptype);
1187
$ret .= "\n$tabsize\t";
1188
$ret .= dump_bitmask_equal(@_,%ads_gtype);
1193
return dump_bitmask_equal(@_,%ads_atype);
1197
return dump_equal(@_,%ads_controls);
1200
sub dump_capabilities {
1201
return dump_equal(@_,%ads_capabilities);
1204
sub dump_extension {
1205
return dump_equal(@_,%ads_extensions);
1208
sub dump_systemflags {
1209
return dump_bitmask_and(@_,%ads_systemflags);
1212
sub dump_instance_type {
1213
return dump_bitmask_and(@_,%ads_instance_type);
1217
return dump_bitmask_equal(@_,%ads_ds_func);
1220
sub dump_serverstate {
1221
return dump_bitmask_equal(@_,%ads_serverstate);
1224
sub dump_sdeffective {
1225
return dump_bitmask_and(@_,%ads_sdeffective);
1228
sub dump_trustattr {
1229
return dump_bitmask_equal(@_,%ads_trustattrs);
1232
sub dump_trusttype {
1233
return dump_bitmask_equal(@_,%ads_trusttype);
1236
sub dump_trustdirection {
1237
return dump_bitmask_equal(@_,%ads_trustdirection);
1240
sub dump_pwdproperties {
1241
return dump_bitmask_and(@_,%ads_pwdproperties);
1245
return dump_bitmask_equal(@_,%ads_frstypes)
1248
sub dump_mixed_domain {
1249
return dump_bitmask_equal(@_,%ads_mixed_domain);
1253
my $bin_sid = shift;
1254
return sid2string($bin_sid);
1259
return guid_to_string($guid);
1264
return "FIXME: write sddl-converter!";
1270
return sprintf("%s (%s)", "never", $nttime);
1272
my $localtime = localtime(nt_to_unixtime($nttime));
1273
return sprintf("%s (%s)", $localtime, $nttime);
1276
sub dump_nttime_abs {
1277
if ($_[0] == 9223372036854775807) {
1278
return sprintf("%s (%s)", "now", $_[0]);
1280
if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
1281
return sprintf("%s (%s)", "never", $_[0]);
1283
# FIXME: actually *do* abs time !
1284
return dump_nttime($_[0]);
1289
if ($time eq "16010101000010.0Z") {
1290
return sprintf("%s (%s)", "never", $time);
1292
my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
1293
unpack('a4 a2 a2 a2 a2 a2 a4', $time);
1295
my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
1296
return sprintf("%s (%s)", $localtime, $time);
1304
return sprintf("%d", $_[0]);
1307
sub dump_munged_dial {
1309
return "FIXME! decode this";
1315
open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
1316
print OPENSSL $cert;
1324
printf("%s: ", $pkt);
1325
printf("%02X", $pkt);
1332
my $gplink_mod = $gplink;
1333
my @links = split("\\]\\[", $gplink_mod);
1334
foreach my $link (@links) {
1335
$link =~ s/^\[|\]$//g;
1336
my ($ldap_link, $opt) = split(";", $link);
1337
my @array = ( "$opt", "\t" );
1338
printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
1343
sub construct_filter {
1347
if (!$tmp || $opt_notify) {
1348
return "(objectclass=*)";
1351
if ($tmp && $tmp !~ /^.*\=/) {
1352
return "(ANR=$tmp)";
1356
# (&(objectCategory=person)
1357
# (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
1360
sub construct_attrs {
1369
push(@attrs,"uSNChanged");
1372
if ($opt_display_metadata) {
1373
push(@attrs,"msDS-ReplAttributeMetaData");
1374
push(@attrs,"replPropertyMetaData");
1378
push(@attrs,"nTSecurityDescriptor");
1379
push(@attrs,"msDS-KeyVersionNumber");
1380
push(@attrs,"msDS-User-Account-Control-Computed");
1381
push(@attrs,"modifyTimeStamp");
1390
printf "%10s: %s\n", "uri", $uri;
1391
printf "%10s: %s\n", "port", $port;
1392
printf "%10s: %s\n", "base", $base;
1393
printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
1394
printf "%10s: %s\n", "password", $password;
1395
printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
1396
printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
1397
printf "%10s: %s\n", "filter", $filter;
1398
printf "%10s: %s\n", "scope", $scope;
1399
printf "%10s: %s\n", "attrs", join(", ", @attrs);
1400
printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
1401
printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging);
1402
printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
1408
# setup attribute-scoped query control
1409
my $asq_asn = Convert::ASN1->new;
1411
q< asq ::= SEQUENCE {
1412
sourceAttribute OCTET_STRING
1416
my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
1417
my $ctl_asq = Net::LDAP::Control->new(
1418
type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
1420
value => $ctl_asq_val);
1423
# setup extended dn control
1424
my $asn_extended_dn = Convert::ASN1->new;
1425
$asn_extended_dn->prepare(
1426
q< ExtendedDn ::= SEQUENCE {
1432
# only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val
1433
my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn);
1434
my $ctl_extended_dn = Net::LDAP::Control->new(
1435
type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
1437
value => $opt_display_extendeddn ? $ctl_extended_dn_val : "");
1439
# setup notify control
1440
my $ctl_notification = Net::LDAP::Control->new(
1441
type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
1442
critical => 'true');
1445
# setup paging control
1446
$ctl_paged = Net::LDAP::Control->new(
1447
type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
1449
size => $opt_paging ? $opt_paging : 1000);
1451
# setup domscope control
1452
my $ctl_domscope = Net::LDAP::Control->new(
1453
type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'},
1457
if (defined($opt_paging)) {
1458
push(@ctrls, $ctl_paged);
1459
push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
1462
if (defined($opt_display_extendeddn)) {
1463
push(@ctrls, $ctl_extended_dn);
1464
push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
1467
push(@ctrls, $ctl_notification);
1468
push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
1472
push(@ctrls, $ctl_asq);
1473
push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
1476
if ($opt_domain_scope) {
1477
push(@ctrls, $ctl_domscope);
1478
push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID");
1484
sub display_value_generic ($$$) {
1486
my ($mod,$attr,$value) = @_;
1487
return unless (defined($value) and defined($attr));
1489
if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
1490
$value = $attr_handler{$attr}($value,$mod);
1491
write_ads_list($mod,$attr,$value);
1494
write_ads($mod,$attr,$value);
1497
sub display_attr_generic ($$$) {
1499
my ($mod,$entry,$attr) = @_;
1500
return if (!$attr || !$entry);
1502
my $ref = $entry->get_value($attr, asref => 1);
1505
foreach my $value ( sort @values) {
1506
display_value_generic($mod,$attr,$value);
1510
sub display_entry_generic ($) {
1513
return if (!$entry);
1515
foreach my $attr ( sort $entry->attributes) {
1516
display_attr_generic("\t",$entry,$attr);
1520
sub display_ldap_err ($) {
1524
my ($package, $filename, $line, $subroutine) = caller(0);
1526
print "got error from ADS:\n";
1527
printf("%s(%d): ERROR (%s): %s\n",
1528
$subroutine, $line, $msg->code, $msg->error);
1532
sub process_result {
1534
my ($msg,$entry) = @_;
1536
if (!defined($msg)) {
1541
display_ldap_err($msg);
1545
if (!defined($entry)) {
1549
if ($entry->isa('Net::LDAP::Reference')) {
1550
foreach my $ref ($entry->references) {
1551
print "\ngot Reference: [$ref]\n";
1556
print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
1558
display_entry_generic($entry);
1561
sub default_callback {
1563
my ($res,$obj) = @_;
1565
if ($res->code == LDAP_REFERRAL) {
1570
return process_result($res,$obj);
1574
sub error_callback {
1576
my ($msg,$entry) = @_;
1583
display_ldap_err($msg);
1589
sub notify_callback {
1591
my ($msg, $obj) = @_;
1593
if (! defined($obj)) {
1597
if ($obj->isa('Net::LDAP::Reference')) {
1598
foreach my $ref ($obj->references) {
1599
print "\ngot Reference: [$ref]\n";
1606
my $async_entry = $async_search->pop_entry;
1608
if (!$async_entry->dn) {
1609
print "very weird. entry has no dn\n";
1613
printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
1615
my $new_usn = $async_entry->get_value('uSNChanged');
1617
die "odd, no usnChanged attribute???";
1619
if (!$usn || $new_usn > $usn) {
1621
if ($opt_notify_nodiffs) {
1622
display_entry_generic($async_entry);
1624
display_result_diff($async_entry);
1627
store_result($async_entry);
1633
my $async_ldap_hd = shift || return undef;
1634
my $sasl_bind = shift;
1638
print "this version of Net::LDAP does not have proper SASL support.\n";
1639
print "Need at least perl-ldap V. $pref_version\n";
1641
$sasl_hd = get_sasl_hd();
1643
print "failed to create SASL handle\n";
1646
$mesg = $async_ldap_hd->bind(
1648
callback => \&error_callback
1649
) || die "doesnt work";
1652
$mesg = $async_ldap_hd->bind(
1654
password => $password,
1655
callback => $opt_fastbind ? undef : \&error_callback
1656
) || die "doesnt work";
1659
display_ldap_err($mesg) if (!$opt_fastbind);
1665
sub do_fast_bind() {
1669
my $hd = get_ldap_hd($server,1);
1671
my $mesg = $hd->extension(
1672
name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'});
1675
display_ldap_err($mesg);
1679
my $ret = do_bind($hd, undef);
1682
printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n",
1683
$ret == 0 ? "succeeded" : "failed");
1689
if ($async_ldap_hd) {
1690
$async_ldap_hd->unbind;
1692
if ($sync_ldap_hd) {
1693
$sync_ldap_hd->unbind;
1697
###############################################################################
1701
if ($opt_fastbind) {
1703
if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) {
1704
print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n";
1708
# fast bind can only bind, not search
1709
exit do_fast_bind();
1712
$filter = construct_filter($query);
1713
@attrs = construct_attrs(@attrs);
1714
@ctrls = gen_controls();
1716
if (check_ctrls($server,$dse,@ctrls) == -1) {
1717
print "not all required LDAP Controls are supported by this server\n";
1721
if ($opt_dump_rootdse) {
1722
print "Dumping Root-DSE:\n";
1723
display_entry_generic($dse);
1727
if ($opt_dump_wknguid) {
1732
if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1738
if ($opt_dump_schema) {
1739
print "Dumping Schema:\n";
1740
my $ads_schema = $async_ldap_hd->schema;
1747
$async_search = $async_ldap_hd->search(
1750
attrs => [ @attrs ],
1751
control => [ @ctrls ],
1752
callback => \&default_callback,
1754
) || die "cannot search";
1756
if ($async_search->code == LDAP_REFERRAL) {
1757
foreach my $ref ($async_search->referrals) {
1758
print "\ngot Referral: [$ref]\n";
1759
$async_ldap_hd->unbind();
1760
$async_ldap_hd = get_ldap_hd($ref, 1);
1761
if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
1762
$async_ldap_hd->unbind();
1765
print "\nsuccessful rebind to: [$ref]\n";
1768
next; # repeat the query
1773
print "Base [$base] is registered now for change-notify\n";
1774
print "\nWaiting for change-notify...\n";
1776
my $sync_ldap_hd = get_ldap_hd($server,0);
1777
if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
1781
my $sync_search = $sync_ldap_hd->search(
1784
attrs => [ @attrs ],
1785
callback => \¬ify_callback,
1787
) || die "cannot search";
1791
$total_entry_count += $async_search->count;
1793
print "-" x 80 . "\n";
1794
printf("Got %d Entries in Page %d \n\n",
1795
$async_search->count, $page_count);
1796
my ($resp) = $async_search->control(
1797
$ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
1798
last unless ref $resp && $ctl_paged->cookie($resp->cookie);
1801
if ($async_search->entries == 0) {
1802
print "No entries found with filter $filter\n";
1804
print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging);