The Samba-Bugzilla – Attachment 999 Details for
Bug 2402
Add support for NDS Universal Password
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
New file: (pdb_nds.c) NDS extension for pdb_ldap.c
pdb_nds.c (text/plain), 23.02 KB, created by
Vince Brimhall
on 2005-03-01 14:49:35 UTC
(
hide
)
Description:
New file: (pdb_nds.c) NDS extension for pdb_ldap.c
Filename:
MIME Type:
Creator:
Vince Brimhall
Created:
2005-03-01 14:49:35 UTC
Size:
23.02 KB
patch
obsolete
>/* > Unix SMB/CIFS mplementation. > NDS LDAP helper functions for SAMBA > Copyright (C) Vince Brimhall 2004-2005 > > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by > the Free Software Foundation; either version 2 of the License, or > (at your option) any later version. > > This program is distributed in the hope that it will be useful, > but WITHOUT ANY WARRANTY; without even the implied warranty of > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > GNU General Public License for more details. > > You should have received a copy of the GNU General Public License > along with this program; if not, write to the Free Software > Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. > >*/ > >#include "includes.h" > >#include <lber.h> >#include <ldap.h> >#include <wchar.h> >#include <ldap_utf8.h> > >#include "smbldap.h" > >#define NMASLDAP_GET_LOGIN_CONFIG_REQUEST "2.16.840.1.113719.1.39.42.100.3" >#define NMASLDAP_GET_LOGIN_CONFIG_RESPONSE "2.16.840.1.113719.1.39.42.100.4" >#define NMASLDAP_SET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.11" >#define NMASLDAP_SET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.12" >#define NMASLDAP_GET_PASSWORD_REQUEST "2.16.840.1.113719.1.39.42.100.13" >#define NMASLDAP_GET_PASSWORD_RESPONSE "2.16.840.1.113719.1.39.42.100.14" > >#define NMAS_LDAP_EXT_VERSION 1 > > >/********************************************************************** > Take the request BER value and input data items and BER encodes the > data into the BER value >**********************************************************************/ >int berEncodePasswordData( > struct berval **requestBV, > char *objectDN, > char *password, > char *password2) >{ > int err = 0, rc=0; > BerElement *requestBer = NULL; > > char * utf8ObjPtr = NULL; > int utf8ObjSize = 0; > char * utf8PwdPtr = NULL; > int utf8PwdSize = 0; > char * utf8Pwd2Ptr = NULL; > int utf8Pwd2Size = 0; > > > /* Convert objectDN and tag strings from Unicode to UTF-8 */ > utf8ObjSize = strlen(objectDN)+1; > utf8ObjPtr = objectDN; > > if (password != NULL) > { > utf8PwdSize = strlen(password)+1; > utf8PwdPtr = password; > } > > if (password2 != NULL) > { > utf8Pwd2Size = strlen(password2)+1; > utf8Pwd2Ptr = password2; > } > > /* Allocate a BerElement for the request parameters. */ > if((requestBer = ber_alloc()) == NULL) > { > err = LDAP_ENCODING_ERROR; > goto Cleanup; > } > > if (password != NULL && password2 != NULL) > { > /* BER encode the NMAS Version, the objectDN, and the password */ > rc = ber_printf(requestBer, "{iooo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8Pwd2Ptr, utf8Pwd2Size); > } > else if (password != NULL) > { > /* BER encode the NMAS Version, the objectDN, and the password */ > rc = ber_printf(requestBer, "{ioo}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize); > } > else > { > /* BER encode the NMAS Version and the objectDN */ > rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize); > } > > if (rc < 0) > { > err = LDAP_ENCODING_ERROR; > goto Cleanup; > } > else > { > err = 0; > } > > /* Convert the BER we just built to a berval that we'll send with the extended request. */ > if(ber_flatten(requestBer, requestBV) == LBER_ERROR) > { > err = LDAP_ENCODING_ERROR; > goto Cleanup; > } > >Cleanup: > > if(requestBer) > { > ber_free(requestBer, 1); > } > > return err; >} > > >/********************************************************************** > Take the request BER value and input data items and BER encodes the > data into the BER value >**********************************************************************/ >int berEncodeLoginData( > struct berval **requestBV, > char *objectDN, > unsigned int methodIDLen, > unsigned int *methodID, > char *tag, > size_t putDataLen, > void *putData) >{ > int err = 0; > BerElement *requestBer = NULL; > > unsigned int i; > unsigned int elemCnt = methodIDLen / sizeof(unsigned int); > > char *utf8ObjPtr=NULL; > int utf8ObjSize = 0; > > char *utf8TagPtr = NULL; > int utf8TagSize = 0; > > utf8ObjPtr = objectDN; > utf8ObjSize = strlen(utf8ObjPtr)+1; > > utf8TagPtr = tag; > utf8TagSize = strlen(utf8TagPtr)+1; > > /* Allocate a BerElement for the request parameters. */ > if((requestBer = ber_alloc()) == NULL) > { > err = LDAP_ENCODING_ERROR; > goto Cleanup; > } > > /* BER encode the NMAS Version and the objectDN */ > err = (ber_printf(requestBer, "{io", NMAS_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize) < 0) ? LDAP_ENCODING_ERROR : 0; > > /* BER encode the MethodID Length and value */ > if (!err) > { > err = (ber_printf(requestBer, "{i{", methodIDLen) < 0) ? LDAP_ENCODING_ERROR : 0; > } > > for (i = 0; !err && i < elemCnt; i++) > { > err = (ber_printf(requestBer, "i", methodID[i]) < 0) ? LDAP_ENCODING_ERROR : 0; > } > > if (!err) > { > err = (ber_printf(requestBer, "}}", 0) < 0) ? LDAP_ENCODING_ERROR : 0; > } > > if(putData) > { > /* BER Encode the the tag and data */ > err = (ber_printf(requestBer, "oio}", utf8TagPtr, utf8TagSize, putDataLen, putData, putDataLen) < 0) ? LDAP_ENCODING_ERROR : 0; > } > else > { > /* BER Encode the the tag */ > err = (ber_printf(requestBer, "o}", utf8TagPtr, utf8TagSize) < 0) ? LDAP_ENCODING_ERROR : 0; > } > > if (err) > { > goto Cleanup; > } > > /* Convert the BER we just built to a berval that we'll send with the extended request. */ > if(ber_flatten(requestBer, requestBV) == LBER_ERROR) > { > err = LDAP_ENCODING_ERROR; > goto Cleanup; > } > >Cleanup: > > if(requestBer) > { > ber_free(requestBer, 1); > } > > return err; >} > > >/********************************************************************** > Takes the reply BER Value and decodes the NMAS server version and > return code and if a non null retData buffer was supplied, tries to > decode the the return data and length >**********************************************************************/ >int berDecodeLoginData( > struct berval *replyBV, > int *serverVersion, > size_t *retDataLen, > void *retData ) >{ > int rc=0, err = 0; > BerElement *replyBer = NULL; > char *retOctStr = NULL; > size_t retOctStrLen = 0; > > if((replyBer = ber_init(replyBV)) == NULL) > { > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > > if(retData) > { > retOctStrLen = *retDataLen + 1; > retOctStr = (char *)malloc(retOctStrLen); > if(!retOctStr) > { > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > > if( (rc = ber_scanf(replyBer, "{iis}", serverVersion, &err, retOctStr, &retOctStrLen)) != -1) > { > if (*retDataLen >= retOctStrLen) > { > memcpy(retData, retOctStr, retOctStrLen); > } > else if (!err) > { > err = LDAP_NO_MEMORY; > } > > *retDataLen = retOctStrLen; > } > else if (!err) > { > err = LDAP_DECODING_ERROR; > } > } > else > { > if( (rc = ber_scanf(replyBer, "{ii}", serverVersion, &err)) == -1) > { > if (!err) > { > err = LDAP_DECODING_ERROR; > } > } > } > >Cleanup: > > if(replyBer) > { > ber_free(replyBer, 1); > } > > if (retOctStr != NULL) > { > memset(retOctStr, 0, retOctStrLen); > free(retOctStr); > } > > return err; >} > > >/********************************************************************** > Retrieves data in the login configuration of the specified object > that is tagged with the specified methodID and tag. >**********************************************************************/ >int getLoginConfig( > LDAP *ld, > char *objectDN, > unsigned int methodIDLen, > unsigned int *methodID, > char *tag, > size_t *dataLen, > void *data ) >{ > int err = 0; > struct berval *requestBV = NULL; > char *replyOID = NULL; > struct berval *replyBV = NULL; > int serverVersion = 0; > > /* Validate unicode parameters. */ > if((strlen(objectDN) == 0) || ld == NULL) > { > return LDAP_NO_SUCH_ATTRIBUTE; > } > > err = berEncodeLoginData(&requestBV, objectDN, methodIDLen, methodID, tag, 0, NULL); > if(err) > { > goto Cleanup; > } > > /* Call the ldap_extended_operation (synchronously) */ > if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_LOGIN_CONFIG_REQUEST, > requestBV, NULL, NULL, &replyOID, &replyBV))) > { > goto Cleanup; > } > > /* Make sure there is a return OID */ > if(!replyOID) > { > err = LDAP_NOT_SUPPORTED; > goto Cleanup; > } > > /* Is this what we were expecting to get back. */ > if(strcmp(replyOID, NMASLDAP_GET_LOGIN_CONFIG_RESPONSE)) > { > err = LDAP_NOT_SUPPORTED; > goto Cleanup; > } > > /* Do we have a good returned berval? */ > if(!replyBV) > { > /* No; returned berval means we experienced a rather drastic error. */ > /* Return operations error. */ > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > > err = berDecodeLoginData(replyBV, &serverVersion, dataLen, data); > > if(serverVersion != NMAS_LDAP_EXT_VERSION) > { > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > >Cleanup: > > if(replyBV) > { > ber_bvfree(replyBV); > } > > /* Free the return OID string if one was returned. */ > if(replyOID) > { > ldap_memfree(replyOID); > } > > /* Free memory allocated while building the request ber and berval. */ > if(requestBV) > { > ber_bvfree(requestBV); > } > > /* Return the appropriate error/success code. */ > return err; >} > > >/********************************************************************** > Attempts to get the Simple Password >**********************************************************************/ >int nmasldap_get_simple_pwd( > LDAP *ld, > char *objectDN, > size_t pwdLen, > char *pwd ) >{ > int err = 0; > unsigned int methodID = 0; > unsigned int methodIDLen = sizeof(methodID); > char tag[] = {'P','A','S','S','W','O','R','D',' ','H','A','S','H',0}; > char *pwdBuf=NULL; > size_t pwdBufLen, bufferLen; > > bufferLen = pwdBufLen = pwdLen+2; > pwdBuf = (char *)malloc(pwdBufLen); /* digest and null */ > if(pwdBuf == NULL) > { > return LDAP_NO_MEMORY; > } > > err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf); > if (err == 0) > { > if (pwdBufLen !=0) > { > pwdBuf[pwdBufLen] = 0; /* null terminate */ > > switch (pwdBuf[0]) > { > case 1: /* cleartext password */ > break; > case 2: /* SHA1 HASH */ > case 3: /* MD5_ID */ > case 4: /* UNIXCrypt_ID */ > case 8: /* SSHA_ID */ > default: /* Unknown digest */ > err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */ > break; > } > > if (!err) > { > if (pwdLen >= pwdBufLen-1) > { > memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */ > } > else > { > err = LDAP_NO_MEMORY; > } > } > } > } > > if (pwdBuf != NULL) > { > memset(pwdBuf, 0, bufferLen); > free(pwdBuf); > } > > return err; >} > > >/********************************************************************** > Attempts to set the Universal Password >**********************************************************************/ >int nmasldap_set_password( > LDAP *ld, > char *objectDN, > char *pwd ) >{ > int err = 0; > > struct berval *requestBV = NULL; > char *replyOID = NULL; > struct berval *replyBV = NULL; > int serverVersion; > > /* Validate char parameters. */ > if(objectDN == NULL || (strlen(objectDN) == 0) || pwd == NULL || ld == NULL) > { > return LDAP_NO_SUCH_ATTRIBUTE; > } > > err = berEncodePasswordData(&requestBV, objectDN, pwd, NULL); > if(err) > { > goto Cleanup; > } > > /* Call the ldap_extended_operation (synchronously) */ > if((err = ldap_extended_operation_s(ld, NMASLDAP_SET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) > { > goto Cleanup; > } > > /* Make sure there is a return OID */ > if(!replyOID) > { > err = LDAP_NOT_SUPPORTED; > goto Cleanup; > } > > /* Is this what we were expecting to get back. */ > if(strcmp(replyOID, NMASLDAP_SET_PASSWORD_RESPONSE)) > { > err = LDAP_NOT_SUPPORTED; > goto Cleanup; > } > > /* Do we have a good returned berval? */ > if(!replyBV) > { > /* No; returned berval means we experienced a rather drastic error. */ > /* Return operations error. */ > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > > err = berDecodeLoginData(replyBV, &serverVersion, NULL, NULL); > > if(serverVersion != NMAS_LDAP_EXT_VERSION) > { > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > >Cleanup: > > if(replyBV) > { > ber_bvfree(replyBV); > } > > /* Free the return OID string if one was returned. */ > if(replyOID) > { > ldap_memfree(replyOID); > } > > /* Free memory allocated while building the request ber and berval. */ > if(requestBV) > { > ber_bvfree(requestBV); > } > > /* Return the appropriate error/success code. */ > return err; >} > >/********************************************************************** > Attempts to get the Universal Password >**********************************************************************/ >int nmasldap_get_password( > LDAP *ld, > char *objectDN, > size_t *pwdSize, /* in bytes */ > char *pwd ) >{ > int err = 0; > > struct berval *requestBV = NULL; > char *replyOID = NULL; > struct berval *replyBV = NULL; > int serverVersion; > char *pwdBuf; > size_t pwdBufLen, bufferLen; > > /* Validate char parameters. */ > if(objectDN == NULL || (strlen(objectDN) == 0) || pwdSize == NULL || ld == NULL) > { > return LDAP_NO_SUCH_ATTRIBUTE; > } > > bufferLen = pwdBufLen = *pwdSize; > pwdBuf = (char *)malloc(pwdBufLen+2); > if(pwdBuf == NULL) > { > return LDAP_NO_MEMORY; > } > > err = berEncodePasswordData(&requestBV, objectDN, NULL, NULL); > if(err) > { > goto Cleanup; > } > > /* Call the ldap_extended_operation (synchronously) */ > if((err = ldap_extended_operation_s(ld, NMASLDAP_GET_PASSWORD_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))) > { > goto Cleanup; > } > > /* Make sure there is a return OID */ > if(!replyOID) > { > err = LDAP_NOT_SUPPORTED; > goto Cleanup; > } > > /* Is this what we were expecting to get back. */ > if(strcmp(replyOID, NMASLDAP_GET_PASSWORD_RESPONSE)) > { > err = LDAP_NOT_SUPPORTED; > goto Cleanup; > } > > /* Do we have a good returned berval? */ > if(!replyBV) > { > /* No; returned berval means we experienced a rather drastic error. */ > /* Return operations error. */ > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > > err = berDecodeLoginData(replyBV, &serverVersion, &pwdBufLen, pwdBuf); > > if(serverVersion != NMAS_LDAP_EXT_VERSION) > { > err = LDAP_OPERATIONS_ERROR; > goto Cleanup; > } > > if (!err && pwdBufLen != 0) > { > if (*pwdSize >= pwdBufLen+1 && pwd != NULL) > { > memcpy(pwd, pwdBuf, pwdBufLen); > pwd[pwdBufLen] = 0; /* add null termination */ > } > *pwdSize = pwdBufLen; /* does not include null termination */ > } > >Cleanup: > > if(replyBV) > { > ber_bvfree(replyBV); > } > > /* Free the return OID string if one was returned. */ > if(replyOID) > { > ldap_memfree(replyOID); > } > > /* Free memory allocated while building the request ber and berval. */ > if(requestBV) > { > ber_bvfree(requestBV); > } > > if (pwdBuf != NULL) > { > memset(pwdBuf, 0, bufferLen); > free(pwdBuf); > } > > /* Return the appropriate error/success code. */ > return err; >} > > >/********************************************************************** > Get the user's password from NDS. > *********************************************************************/ >int pdb_nds_get_password( > struct smbldap_state *ldap_state, > char *object_dn, > int *pwd_len, > char *pwd ) >{ > LDAP *ld = ldap_state->ldap_struct; > int rc = -1; > > rc = nmasldap_get_password(ld, object_dn, pwd_len, pwd); > if (rc == LDAP_SUCCESS) { >#ifdef DEBUG_PASSWORD > DEBUG(100,("nmasldap_get_password returned %s for %s\n", pwd, object_dn)); >#endif > DEBUG(5, ("NDS Universal Password retrieved for %s\n", object_dn)); > } else { > DEBUG(3, ("NDS Universal Password NOT retrieved for %s\n", object_dn)); > } > > if (rc != LDAP_SUCCESS) { > rc = nmasldap_get_simple_pwd(ld, object_dn, *pwd_len, pwd); > if (rc == LDAP_SUCCESS) { >#ifdef DEBUG_PASSWORD > DEBUG(100,("nmasldap_get_simple_pwd returned %s for %s\n", pwd, object_dn)); >#endif > DEBUG(5, ("NDS Simple Password retrieved for %s\n", object_dn)); > } else { > /* We couldn't get the password */ > DEBUG(3, ("NDS Simple Password NOT retrieved for %s\n", object_dn)); > return LDAP_INVALID_CREDENTIALS; > } > } > > /* We got the password */ > return LDAP_SUCCESS; >} > > >/********************************************************************** > Set the users NDS, Universal and Simple passwords. > ********************************************************************/ >int pdb_nds_set_password( > struct smbldap_state *ldap_state, > char *object_dn, > const char *pwd ) >{ > LDAP *ld = ldap_state->ldap_struct; > int rc = -1; > LDAPMod **tmpmods = NULL; > > rc = nmasldap_set_password(ld, object_dn, (char *)pwd); > if (rc == LDAP_SUCCESS) { > DEBUG(5,("NDS Universal Password changed for user %s\n", object_dn)); > } else { > /* This will fail if Universal Password is not enabled for the user's context */ > DEBUG(3,("NDS Universal Password could not be changed for user %s: %d\n", > object_dn, rc)); > } > > /* Set eDirectory Password */ > smbldap_set_mod(&tmpmods, LDAP_MOD_REPLACE, "userPassword", pwd); > rc = smbldap_modify(ldap_state, object_dn, tmpmods); > > return rc; >} > >/********************************************************************** > Allow ldap server to update internal login attempt counters by > performing a simple bind. If the samba authentication failed attempt > the bind with a bogus, randomly generated password to count the > failed attempt. If the bind fails even though samba authentication > succeeded, this would indicate that the user's account is disabled, > time restrictions are in place or some other password policy > violation. >*********************************************************************/ > >static NTSTATUS pdb_nds_update_login_attempts(struct pdb_methods *methods, > SAM_ACCOUNT *sam_acct, BOOL success) >{ > if ((!methods) || (!sam_acct)) { > DEBUG(3,("pdb_nds_update_login_attempts: invalid parameter.\n")); > return NT_STATUS_MEMORY_NOT_ALLOCATED; > } > > struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data; > > if (ldap_state) { > DEBUG(5,("pdb_nds_update_login_attempts: %s login for %s\n", > success ? "Successful" : "Failed", pdb_get_username(sam_acct))); > > /* Attempt simple bind with user credentials to update eDirectory > password policy */ > int rc = 0; > char *dn; > LDAPMessage *result = NULL; > LDAPMessage *entry = NULL; > LDAPMod **mods = NULL; > char **attr_list; > size_t pwd_len; > uchar clear_text_pw[512]; > const char *username = pdb_get_username(sam_acct); > > result = pdb_get_backend_private_data(sam_acct, methods); > if (!result) { > attr_list = get_userattr_list(ldap_state->schema_ver); > rc = ldapsam_search_suffix_by_name(ldap_state, username, &result, attr_list ); > free_attr_list( attr_list ); > if (rc != LDAP_SUCCESS) { > return NT_STATUS_OBJECT_NAME_NOT_FOUND; > } > pdb_set_backend_private_data(sam_acct, result, private_data_free_fn, methods, PDB_CHANGED); > } > > if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) == 0) { > DEBUG(0, ("pdb_nds_update_login_attempts: No user to modify!\n")); > return NT_STATUS_OBJECT_NAME_NOT_FOUND; > } > > entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); > dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry); > if (!dn) { > return NT_STATUS_OBJECT_NAME_NOT_FOUND; > } > > DEBUG(3, ("pdb_nds_update_login_attempts: found dn '%s'\n", username, dn)); > > pwd_len = sizeof(clear_text_pw); > if (success == True) { > if (pdb_nds_get_password(ldap_state->smbldap_state, dn, &pwd_len, clear_text_pw) == LDAP_SUCCESS) { > /* */ > } > } else { > generate_random_buffer(clear_text_pw, 24); > clear_text_pw[24] = '\0'; > DEBUG(5,("pdb_nds_update_login_attempts: using random password %s\n", clear_text_pw)); > } > > /* Parse the location string */ > const char *p = ldap_state->location; > LDAP *ld = NULL; > int ldap_port = 0; > char protocol[12]; > char ldap_server[256]; > > /* skip leading "URL:" (if any) */ > if ( strnequal( p, "URL:", 4 ) ) { > p += 4; > } > > sscanf(p, "%10[^:]://%254[^:/]:%d", protocol, ldap_server, &ldap_port); > > if (ldap_port == 0) { > if (strequal(protocol, "ldap")) { > ldap_port = LDAP_PORT; > } else if (strequal(protocol, "ldaps")) { > ldap_port = LDAPS_PORT; > } else { > DEBUG(0, ("unrecognised protocol (%s)!\n", protocol)); > } > } > > ld = ldap_init(ldap_server, ldap_port); > > if(ld != NULL) { > int version; > > /* LDAP version 3 required for ldap_sasl */ > if (ldap_get_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) { > if (version != LDAP_VERSION3) { > version = LDAP_VERSION3; > if (ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version) == LDAP_OPT_SUCCESS) { > DEBUG(4, ("pdb_nds_update_login_attempts: Set protocol version to LDAP_VERSION3\n")); > } > } > } > > /* Turn on ssl if required */ > if(strequal(protocol, "ldaps")) { > int tls = LDAP_OPT_X_TLS_HARD; > if (ldap_set_option (ld, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS) { > DEBUG(1, ("pdb_nds_update_login_attempts: Failed to setup a TLS session\n")); > } else { > DEBUG(4, ("pdb_nds_update_login_attempts: Activated TLS on session\n")); > } > } > } > > /* Attempt simple bind with real or bogus password */ > rc = ldap_simple_bind_s(ld, dn, clear_text_pw); > if (rc == LDAP_SUCCESS) { > DEBUG(5,("pdb_nds_update_login_attempts: ldap_simple_bind_s Successful for %s\n", username)); > ldap_unbind_ext(ld, NULL, NULL); > } else { > DEBUG(5,("pdb_nds_update_login_attempts: ldap_simple_bind_s Failed for %s\n", username)); > NTSTATUS nt_status = NT_STATUS_ACCOUNT_RESTRICTION; > switch(rc) { > case LDAP_INVALID_CREDENTIALS: > nt_status = NT_STATUS_WRONG_PASSWORD; > break; > default: > break; > } > return nt_status; > } > } > > return NT_STATUS_OK; >} > >/********************************************************************** > Intitalise the parts of the pdb_context that are common to NDS_ldapsam modes > *********************************************************************/ > >static NTSTATUS pdb_init_NDS_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) >{ > struct ldapsam_privates *ldap_state = (*pdb_method)->private_data; > > /* Mark this as eDirectory ldap */ > ldap_state->is_nds_ldap = True; > > /* Add pdb_nds specific method for updating login attempts. */ > (*pdb_method)->update_login_attempts = pdb_nds_update_login_attempts; > > /* Save location for use in pdb_nds_update_login_attempts */ > ldap_state->location = strdup(location); > > return NT_STATUS_OK; >} > > >/********************************************************************** > Initialise the 'nds compat' mode for pdb_ldap > *********************************************************************/ > >static NTSTATUS pdb_init_NDS_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) >{ > NTSTATUS nt_status = pdb_init_ldapsam_compat(pdb_context, pdb_method, location); > > (*pdb_method)->name = "NDS_ldapsam_compat"; > > pdb_init_NDS_ldapsam_common(pdb_context, pdb_method, location); > > return nt_status; >} > > >/********************************************************************** > Initialise the 'nds' normal mode for pdb_ldap > *********************************************************************/ > >static NTSTATUS pdb_init_NDS_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) >{ > NTSTATUS nt_status = pdb_init_ldapsam(pdb_context, pdb_method, location); > > (*pdb_method)->name = "NDS_ldapsam"; > > pdb_init_NDS_ldapsam_common(pdb_context, pdb_method, location); > > return nt_status; >} > >NTSTATUS pdb_nds_init(void) >{ > NTSTATUS nt_status; > if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "NDS_ldapsam", pdb_init_NDS_ldapsam))) > return nt_status; > > if (!NT_STATUS_IS_OK(nt_status = smb_register_passdb(PASSDB_INTERFACE_VERSION, "NDS_ldapsam_compat", pdb_init_NDS_ldapsam_compat))) > return nt_status; > > return NT_STATUS_OK; >}
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 2402
:
997
|
998
| 999