header for ads (active directory) library routines
essentially this is a wrapper around the LDAP client API, plus the Kerberos/GSSAPI pieces needed to authenticate to an Active Directory domain controller
enum wb_posix_mapping {
WB_POSIX_MAP_UNKNOWN = -1,
WB_POSIX_MAP_TEMPLATE = 0,
WB_POSIX_MAP_RFC2307 = 2,
WB_POSIX_MAP_UNIXINFO = 3
void *ld; /* the active ldap structure */
struct in_addr ldap_ip; /* the ip of the active connection, if any */
time_t last_attempt; /* last attempt to reconnect */
int is_mine; /* do I own this structure's memory? */
/* info needed to find the server */
int foreign; /* set to 1 if connecting to a foreign realm */
/* info needed to authenticate */
/* info derived from the servers config */
char *ldap_server_name;
/* info derived from the servers schema */
enum wb_posix_mapping map_type;
char *posix_homedir_attr;
char *posix_shell_attr;
char *posix_uidnumber_attr;
char *posix_gidnumber_attr;
char *posix_gecos_attr;
/*
 * The error domains an ADS_STATUS can carry.  The enumerator selects how
 * the numeric code stored alongside it is to be interpreted and, for
 * ENUM_ADS_ERROR_NT, which field of err holds it (see ADS_ERR_OK).
 * Values are implicit and sequential from 0, exactly as before.
 */
enum ads_error_type {
	ENUM_ADS_ERROR_KRB5,   /* krb5 library error code */
	ENUM_ADS_ERROR_GSS,    /* GSS-API major status; minor status carried separately */
	ENUM_ADS_ERROR_LDAP,   /* LDAP result code; 0 means success */
	ENUM_ADS_ERROR_SYSTEM, /* errno value */
	ENUM_ADS_ERROR_NT      /* NTSTATUS, tested with NT_STATUS_IS_OK() */
};
enum ads_error_type error_type;
/* For error_type == ENUM_ADS_ERROR_GSS, minor_status holds the GSS-API minor (mechanism-specific) status, */
/* while rc holds the GSS-API major status (see ADS_ERROR_GSS). */
typedef LDAPMod **ADS_MODLIST;
typedef void **ADS_MODLIST;
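/*
 * Helpers for building and testing ADS_STATUS values.
 *
 * Each ADS_ERROR_* macro wraps a raw code from one error domain into an
 * ADS_STATUS via ads_build_error() / ads_build_nt_error().  Every macro
 * argument is parenthesised so callers may pass arbitrary expressions
 * (e.g. `a ? b : c`) without changing how they are parsed.
 *
 * ADS_ERROR(rc) is the LDAP-domain constructor; ADS_SUCCESS is simply
 * ADS_ERROR(0), i.e. LDAP result code 0.
 */
#define ADS_ERROR(rc) ADS_ERROR_LDAP(rc)
#define ADS_ERROR_LDAP(rc) ads_build_error(ENUM_ADS_ERROR_LDAP, (rc), 0)

/*
 * System (errno) errors.  A zero errno is mapped to EINVAL so that a
 * status built here can never test as OK in ADS_ERR_OK(): a caller that
 * reaches an error path with errno still 0 (a library that failed without
 * setting it) must not report success.
 *
 * NOTE: rc is evaluated twice.  Pass a side-effect-free expression such as
 * `errno` or a local variable, never a function call.
 */
#define ADS_ERROR_SYSTEM(rc) ads_build_error(ENUM_ADS_ERROR_SYSTEM, ((rc) != 0 ? (rc) : EINVAL), 0)
#define ADS_ERROR_KRB5(rc) ads_build_error(ENUM_ADS_ERROR_KRB5, (rc), 0)
/* rc is the GSS-API major status, minor the mechanism-specific minor status */
#define ADS_ERROR_GSS(rc, minor) ads_build_error(ENUM_ADS_ERROR_GSS, (rc), (minor))
#define ADS_ERROR_NT(rc) ads_build_nt_error(ENUM_ADS_ERROR_NT, (rc))

/*
 * True if status carries no error.  NT-domain statuses are tested with
 * NT_STATUS_IS_OK(); every other domain stores its code in err.rc, where 0
 * means success.  status is evaluated twice: pass an lvalue.
 */
#define ADS_ERR_OK(status) \
	(((status).error_type == ENUM_ADS_ERROR_NT) ? \
	 NT_STATUS_IS_OK((status).err.nt_status) : ((status).err.rc == 0))
#define ADS_SUCCESS ADS_ERROR(0)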
#define ADS_ERROR_HAVE_NO_MEMORY(x) do { \
return ADS_ERROR(LDAP_NO_MEMORY);\
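/* time between reconnect attempts, in seconds (presumably checked against last_attempt) */
#define ADS_RECONNECT_TIME 5

/*
 * LDAP control OIDs.  A server applies a control only if it advertises it
 * in supportedControl; callers should check the operation's result rather
 * than assume the control took effect.
 */
#define ADS_PAGE_CTL_OID "1.2.840.113556.1.4.319"       /* paged results */
#define ADS_NO_REFERRALS_OID "1.2.840.113556.1.4.1339"  /* domain scope: do not generate referrals */
#define ADS_SERVER_SORT_OID "1.2.840.113556.1.4.473"    /* server-side sort */
#define ADS_PERMIT_MODIFY_OID "1.2.840.113556.1.4.1413" /* permissive modify */
#define ADS_ASQ_OID "1.2.840.113556.1.4.1504"           /* attribute-scoped query */
#define ADS_EXTENDED_DN_OID "1.2.840.113556.1.4.529"    /* extended DN; see enum ads_extended_dn_flags */

/*
 * Attribute OIDs (Services for Unix schema) used for the POSIX identity
 * mapping selected by enum wb_posix_mapping / the posix_*_attr fields.
 */
#define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310"
#define ADS_ATTR_SFU_GIDNUMBER_OID "1.2.840.113556.1.6.18.1.311"
#define ADS_ATTR_SFU_HOMEDIR_OID "1.2.840.113556.1.6.18.1.344"
#define ADS_ATTR_SFU_SHELL_OID "1.2.840.113556.1.6.18.1.312"
#define ADS_ATTR_SFU_GECOS_OID "1.2.840.113556.1.6.18.1.337"

/*
 * Attribute OIDs (RFC 2307 schema) for the same POSIX attributes.
 *
 * NOTE(review): uidNumber/gidNumber/loginShell/homeDirectory are ordinary
 * writable attributes in the directory.  Whoever can edit them on an
 * account chooses the Unix uid/gid (including 0) and shell that account
 * maps to, so consumers should range-check and sanity-check these values
 * rather than trust them as-is.
 */
#define ADS_ATTR_RFC2307_UIDNUMBER_OID "1.3.6.1.1.1.1.0"
#define ADS_ATTR_RFC2307_GIDNUMBER_OID "1.3.6.1.1.1.1.1"
#define ADS_ATTR_RFC2307_HOMEDIR_OID "1.3.6.1.1.1.1.3"
#define ADS_ATTR_RFC2307_SHELL_OID "1.3.6.1.1.1.1.4"
#define ADS_ATTR_RFC2307_GECOS_OID "1.3.6.1.1.1.1.2"

/* ldap bitwise searches: extensible-match rules for testing bits of an integer attribute */
#define ADS_LDAP_MATCHING_RULE_BIT_AND "1.2.840.113556.1.4.803"
#define ADS_LDAP_MATCHING_RULE_BIT_OR "1.2.840.113556.1.4.804"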
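/*
 * UserFlags: bit values of the userAccountControl attribute.
 *
 * The attribute is a 32-bit integer read from and written to the
 * directory.  Several bits weaken an account's authentication posture and
 * are the first thing to check on privileged or service accounts; those
 * are marked "security-relevant" below.  UF_UNUSED_13 (0x80000000) is an
 * unsigned literal in C, so any mask that includes it is unsigned; cast
 * explicitly before comparing with a signed int.
 */
#define UF_SCRIPT 0x00000001               /* run the logon script */
#define UF_ACCOUNTDISABLE 0x00000002       /* account is disabled */
#define UF_UNUSED_1 0x00000004
#define UF_HOMEDIR_REQUIRED 0x00000008     /* a home directory is required */

#define UF_LOCKOUT 0x00000010              /* account is locked out */
#define UF_PASSWD_NOTREQD 0x00000020       /* no password required -- security-relevant */
#define UF_PASSWD_CANT_CHANGE 0x00000040   /* user may not change own password */
#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080 /* password stored with reversible encryption -- security-relevant */

#define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100 /* local account for a user whose primary account is in another domain */
#define UF_NORMAL_ACCOUNT 0x00000200       /* ordinary user account */
#define UF_UNUSED_2 0x00000400
#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800 /* trust account for another domain */

#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 /* computer account (member workstation or server) */
#define UF_SERVER_TRUST_ACCOUNT 0x00002000 /* domain controller account */
#define UF_UNUSED_3 0x00004000
#define UF_UNUSED_4 0x00008000

#define UF_DONT_EXPIRE_PASSWD 0x00010000   /* password never expires */
#define UF_MNS_LOGON_ACCOUNT 0x00020000    /* MNS logon account */
#define UF_SMARTCARD_REQUIRED 0x00040000   /* interactive logon requires a smart card */
#define UF_TRUSTED_FOR_DELEGATION 0x00080000 /* unconstrained delegation: the service receives, and can reuse, its callers' TGTs -- security-relevant */

#define UF_NOT_DELEGATED 0x00100000        /* account is sensitive: its credentials must not be delegated */
#define UF_USE_DES_KEY_ONLY 0x00200000     /* Kerberos keys limited to single DES -- security-relevant */
#define UF_DONT_REQUIRE_PREAUTH 0x00400000 /* no Kerberos pre-authentication: anyone can request an AS-REP encrypted with this account's key and crack it offline -- security-relevant */
#define UF_PASSWORD_EXPIRED 0x00800000     /* password has expired */

#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000 /* constrained delegation with protocol transition (S4U2Self): may obtain tickets on behalf of arbitrary users -- security-relevant */
#define UF_NO_AUTH_DATA_REQUIRED 0x02000000 /* service tickets for this account carry no PAC */
#define UF_UNUSED_8 0x04000000
#define UF_UNUSED_9 0x08000000

#define UF_UNUSED_10 0x10000000
#define UF_UNUSED_11 0x20000000
#define UF_UNUSED_12 0x40000000
#define UF_UNUSED_13 0x80000000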
#define UF_MACHINE_ACCOUNT_MASK (\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
UF_WORKSTATION_TRUST_ACCOUNT |\
UF_SERVER_TRUST_ACCOUNT \
#define UF_ACCOUNT_TYPE_MASK (\
UF_TEMP_DUPLICATE_ACCOUNT |\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
UF_WORKSTATION_TRUST_ACCOUNT |\
UF_SERVER_TRUST_ACCOUNT \
#define UF_SETTABLE_BITS (\
UF_HOMEDIR_REQUIRED |\
UF_PASSWD_CANT_CHANGE |\
UF_ACCOUNT_TYPE_MASK | \
UF_DONT_EXPIRE_PASSWD | \
UF_MNS_LOGON_ACCOUNT |\
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED |\
UF_SMARTCARD_REQUIRED |\
UF_TRUSTED_FOR_DELEGATION |\
UF_USE_DES_KEY_ONLY |\
UF_DONT_REQUIRE_PREAUTH \
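/*
 * sAMAccountType values.  The high nibble classifies the object
 * (0x1: global/universal group, 0x2: local (alias) group, 0x3: user or
 * trust account) and the low bits refine it (security vs distribution
 * group, normal user vs workstation/inter-domain trust).  The decimal
 * forms in the comments are what appears in LDAP filters, e.g.
 * (sAMAccountType=805306368).
 *
 * Workstation and inter-domain trust accounts are machine identities,
 * not people: an enumeration keyed on ATYPE_ACCOUNT does not return
 * them, and code should not treat them as interactive users.
 */
#define ATYPE_NORMAL_ACCOUNT 0x30000000 /* 805306368 */
#define ATYPE_WORKSTATION_TRUST 0x30000001 /* 805306369 */
#define ATYPE_INTERDOMAIN_TRUST 0x30000002 /* 805306370 */
#define ATYPE_SECURITY_GLOBAL_GROUP 0x10000000 /* 268435456 */
#define ATYPE_DISTRIBUTION_GLOBAL_GROUP 0x10000001 /* 268435457 */
/* universal distribution groups are reported with the same value as global ones */
#define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP ATYPE_DISTRIBUTION_GLOBAL_GROUP
#define ATYPE_SECURITY_LOCAL_GROUP 0x20000000 /* 536870912 */
#define ATYPE_DISTRIBUTION_LOCAL_GROUP 0x20000001 /* 536870913 */

/* Short aliases for the three common kinds (user, security global group, security local group) */
#define ATYPE_ACCOUNT ATYPE_NORMAL_ACCOUNT /* 0x30000000 805306368 */
#define ATYPE_GLOBAL_GROUP ATYPE_SECURITY_GLOBAL_GROUP /* 0x10000000 268435456 */
#define ATYPE_LOCAL_GROUP ATYPE_SECURITY_LOCAL_GROUP /* 0x20000000 536870912 */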
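/*
 * groupType attribute bits.  The low bits give the group's scope
 * (ACCOUNT_GROUP is a global group and RESOURCE_GROUP a domain-local
 * group, as the GTYPE_SECURITY_* masks show); GROUP_TYPE_SECURITY_ENABLED
 * marks a security group -- one whose membership can carry access rights
 * in ACLs and tokens.  A distribution group confers no access, whatever
 * its membership.
 *
 * 0x80000000 does not fit in a signed 32-bit int: security groups read
 * back from LDAP as negative decimals (see the GTYPE_* comments) and the
 * literal is unsigned in C.  Treat the attribute as 32-bit unsigned.
 */
#define GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001
#define GROUP_TYPE_ACCOUNT_GROUP 0x00000002
#define GROUP_TYPE_RESOURCE_GROUP 0x00000004
#define GROUP_TYPE_UNIVERSAL_GROUP 0x00000008
#define GROUP_TYPE_APP_BASIC_GROUP 0x00000010
#define GROUP_TYPE_APP_QUERY_GROUP 0x00000020
#define GROUP_TYPE_SECURITY_ENABLED 0x80000000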
#define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP ( /* 0x80000005 -2147483643 */ \
GROUP_TYPE_BUILTIN_LOCAL_GROUP| \
GROUP_TYPE_RESOURCE_GROUP| \
GROUP_TYPE_SECURITY_ENABLED \
#define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP ( /* 0x80000004 -2147483644 */ \
GROUP_TYPE_RESOURCE_GROUP| \
GROUP_TYPE_SECURITY_ENABLED \
#define GTYPE_SECURITY_GLOBAL_GROUP ( /* 0x80000002 -2147483646 */ \
GROUP_TYPE_ACCOUNT_GROUP| \
GROUP_TYPE_SECURITY_ENABLED \
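/*
 * groupType values of distribution groups: the bare scope bit with
 * GROUP_TYPE_SECURITY_ENABLED clear.  Because that bit is clear these
 * groups confer no access rights; never use membership in them for an
 * authorization decision.  The security-enabled forms are GTYPE_SECURITY_*.
 */
#define GTYPE_DISTRIBUTION_GLOBAL_GROUP 0x00000002 /* 2 */
#define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP 0x00000004 /* 4 */
#define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP 0x00000008 /* 8 */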
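/*
 * Flag bits of a domain-controller ping response.  ADS_PINGS masks the
 * low 16 bits (presumably the server's flags word); the high bits say
 * whether the corresponding name fields are DNS names rather than
 * NetBIOS names.
 *
 * NOTE(review): a ping reply is unauthenticated network data.  Use these
 * flags to choose which server to talk to, never as the basis of a trust
 * decision about that server.
 */
#define ADS_PINGS 0x0000FFFF /* Ping response */
#define ADS_DNS_CONTROLLER 0x20000000 /* DomainControllerName is a DNS name */
#define ADS_DNS_DOMAIN 0x40000000 /* DomainName is a DNS name */
#define ADS_DNS_FOREST 0x80000000 /* DnsForestName is a DNS name (unsigned literal) */

/* DomainControllerAddressType */
#define ADS_INET_ADDRESS 0x00000001 /* DomainControllerAddress is an IP address */
#define ADS_NETBIOS_ADDRESS 0x00000002 /* DomainControllerAddress is a NetBIOS name */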
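/*
 * ads auth control flags.  OR'ed together by the caller to choose how the
 * LDAP session authenticates.  In rough order from strongest to weakest:
 *
 *   (no flag)                 - Kerberos/GSSAPI; presumably the default,
 *                               since ADS_AUTH_DISABLE_KERBEROS exists to
 *                               turn it off
 *   ADS_AUTH_ALLOW_NTLMSSP    - permit an NTLMSSP bind
 *   ADS_AUTH_DISABLE_KERBEROS - never attempt Kerberos
 *   ADS_AUTH_SIMPLE_BIND      - LDAP simple bind: the bind password crosses
 *                               the wire in the clear unless the connection
 *                               is protected by TLS
 *   ADS_AUTH_ANON_BIND        - anonymous bind, no caller identity
 *   ADS_AUTH_NO_BIND          - connect without binding at all
 *
 * Anything below Kerberos is a downgrade.  It should be selected
 * deliberately by configuration, not chosen automatically because a
 * server declined the stronger mechanism -- an attacker on the path can
 * provoke exactly that refusal.
 */
#define ADS_AUTH_DISABLE_KERBEROS 0x01
#define ADS_AUTH_NO_BIND 0x02
#define ADS_AUTH_ANON_BIND 0x04
#define ADS_AUTH_SIMPLE_BIND 0x08
#define ADS_AUTH_ALLOW_NTLMSSP 0x10

/*
 * Kerberos environment variable names.
 *
 * KRB5CCNAME tells libkrb5 which credential cache to use.  A cache holds
 * reusable tickets, so whoever controls this variable for the process
 * controls whose credentials the library authenticates with and where
 * newly obtained tickets are written.  Set it only from configuration or
 * code, never from untrusted input, and keep cache files private to the
 * owning user.
 */
#define KRB5_ENV_CCNAME "KRB5CCNAME"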
/* Heimdal uses a slightly different name */
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
/* Older Heimdal releases that lack this define do not appear to use it
   anyway: reportedly they always use a subkey, so defining it as 0 here
   only keeps the call sites compiling on those versions. */
#ifndef HAVE_AP_OPTS_USE_SUBKEY
#define AP_OPTS_USE_SUBKEY 0
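/*
 * GUIDs of the well-known "Computers" and "Users" containers, written as
 * upper-case hex without dashes (32 characters).  Presumably used to
 * locate the default containers under the domain naming context rather
 * than assuming CN=Computers / CN=Users, which an administrator may have
 * redirected -- TODO confirm against the callers.
 */
#define WELL_KNOWN_GUID_COMPUTERS "AA312825768811D1ADED00C04FD8D5CD"
#define WELL_KNOWN_GUID_USERS "A9D1CA15768811D1ADED00C04FD8D5CD"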
#ifndef KRB5_ADDR_NETBIOS
#define KRB5_ADDR_NETBIOS 0x14
#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
krb5_address **addrs;
#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
krb5_addresses *addrs;
#error UNKNOWN_KRB5_ADDRESS_TYPE
} smb_krb5_addresses;
enum ads_extended_dn_flags {
ADS_EXTENDED_DN_HEX_STRING = 0,
ADS_EXTENDED_DN_STRING = 1 /* not supported on win2k */
/* This is probably not well suited to passing other controls generically,
 * but it is good enough for the extended-DN control, which is the only
 * place it is used at the moment. */