Página inicial Explorar Ajuda
Entrar
RONCC
/
Big-Data-HPC-Platform
Observar 1
Favorito 0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Tree: 29d6d0268e
Branches Tags
Big-Data-HPC...
/
system
/
security
/
LdapSecurity
/
ldapconnection.cpp

ldapconnection.cpp 172 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012 
  1. /*##############################################################################
    2. 

  2. 

  3.     Copyright (C) 2011 HPCC Systems.
    4. 

  4. 

  5.     All rights reserved. This program is free software: you can redistribute it and/or modify
    6. 

  6.     it under the terms of the GNU Affero General Public License as
    7. 

  7.     published by the Free Software Foundation, either version 3 of the
    8. 

  8.     License, or (at your option) any later version.
    9. 

  9. 

  10.     This program is distributed in the hope that it will be useful,
    11. 

  11.     but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13.     GNU Affero General Public License for more details.
    14. 

  14. 

  15.     You should have received a copy of the GNU Affero General Public License
    16. 

  16.     along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17. 

  17. ############################################################################## */
    18. 

  18. 

  19. // LDAP prototypes use char* where they should be using const char *, resulting in lots of spurious warnings
    20. 

  20. #pragma warning( disable : 4786 )
    21. 

  21. #ifdef __GNUC__
    22. 

  22. #pragma GCC diagnostic ignored "-Wwrite-strings"
    23. 

  23. #endif
    24. 

  24. 

  25. #include "permissions.ipp"
    26. 

  26. #include "aci.ipp"
    27. 

  27. #include "ldapsecurity.ipp"
    28. 

  28. #include "jsmartsock.hpp"
    29. 

  29. #include "jrespool.tpp"
    30. 

  30. 

  31. #undef new
    32. 

  32. #include <map>
    33. 

  33. #include <string>
    34. 

  34. #include <set>
    35. 

  35. #if defined(_DEBUG) && defined(_WIN32) && !defined(USING_MPATROL)
    36. 

  36.  #define new new(_NORMAL_BLOCK, __FILE__, __LINE__)
    37. 

  37. #endif
    38. 

  38. #ifdef _WIN32
    39. 

  39. #include <lm.h>
    40. 

  40. #define LdapRename ldap_rename_ext_s
    41. 

  41.     LDAPMessage* (*LdapFirstEntry)(LDAP*, LDAPMessage*) = &ldap_first_entry;
    42. 

  42.     LDAPMessage* (*LdapNextEntry)(LDAP* ld, LDAPMessage* entry) = &ldap_next_entry;
    43. 

  43. #else
    44. 

  44. #define LdapRename ldap_rename_s
    45. 

  45.     LDAPMessage* (__stdcall *LdapFirstEntry)(LDAP*, LDAPMessage*) = &ldap_first_message;
    46. 

  46.     LDAPMessage* (__stdcall *LdapNextEntry)(LDAP* ld, LDAPMessage* entry) = &ldap_next_message;
    47. 

  47. #endif
    48. 

  48. 

  49. #define LDAPSEC_MAX_RETRIES 2
    50. 

  50. #define LDAPSEC_RETRY_WAIT  3
    51. 

  51. 

  52. #ifdef _WIN32 
    53. 

  53. #define LDAP_NO_ATTRS "1.1"
    54. 

  54. #endif
    55. 

  55. 

  56. class CLoadBalancer : public CInterface, implements IInterface
    57. 

  57. {
    58. 

  58. private:
    59. 

  59.     StringArray hostArray;
    60. 

  60.     unsigned    nextIndex;
    61. 

  61.     Mutex       m_mutex;
    62. 

  62. 

  63. public:
    64. 

  64.     IMPLEMENT_IINTERFACE
    65. 

  65. 

  66.     CLoadBalancer(const char* addrlist)
    67. 

  67.     {
    68. 

  68.         char *copyFullText = strdup(addrlist);
    69. 

  69.         char *saveptr;
    70. 

  70.         char *ip = strtok_r(copyFullText, "|", &saveptr);
    71. 

  71.         while (ip != NULL)
    72. 

  72.         {
    73. 

  73.             if (isdigit(*ip))
    74. 

  74.             {
    75. 

  75.                 char *dash = strrchr(ip, '-');
    76. 

  76.                 if (dash)
    77. 

  77.                 {
    78. 

  78.                     *dash = 0;
    79. 

  79.                     int last = atoi(dash+1);
    80. 

  80.                     char *dot = strrchr(ip, '.');
    81. 

  81.                     *dot = 0;
    82. 

  82.                     int first = atoi(dot+1);
    83. 

  83.                     for (int i = first; i <= last; i++)
    84. 

  84.                     {
    85. 

  85.                         StringBuffer t;
    86. 

  86.                         t.append(ip).append('.').append(i);
    87. 

  87.                         hostArray.append(t.str());
    88. 

  88.                     }
    89. 

  89.                 }
    90. 

  90.                 else
    91. 

  91.                 {
    92. 

  92.                     hostArray.append(ip);
    93. 

  93.                 }
    94. 

  94.             }
    95. 

  95.             else
    96. 

  96.             {
    97. 

  97.                 hostArray.append(ip);
    98. 

  98.             }
    99. 

  99.             ip = strtok_r(NULL, "|", &saveptr);
    100. 

  100.         }
    101. 

  101.         free(copyFullText);
    102. 

  102. 

  103.         if(hostArray.length() == 0)
    104. 

  104.         {
    105. 

  105.             throw MakeStringException(-1, "No valid ldap server address specified");
    106. 

  106.         }
    107. 

  107. 

  108.         Owned<IRandomNumberGenerator> random = createRandomNumberGenerator();
    109. 

  109.         random->seed((unsigned)get_cycles_now());
    110. 

  110. 

  111.         unsigned i = hostArray.ordinality();
    112. 

  112.         while (i > 1)
    113. 

  113.         {
    114. 

  114.             unsigned j = random->next() % i;
    115. 

  115.             i--;
    116. 

  116.             hostArray.swap(i, j);
    117. 

  117.         }
    118. 

  118. 

  119.         nextIndex = 0;
    120. 

  120. 

  121.         for(unsigned ind = 0; ind < hostArray.length(); ind++)
    122. 

  122.         {
    123. 

  123.             DBGLOG("Added ldap server %s", hostArray.item(ind));
    124. 

  124.         }
    125. 

  125.     }
    126. 

  126. 

  127.     virtual ~CLoadBalancer()
    128. 

  128.     {
    129. 

  129.     }
    130. 

  130. 

  131.     const char* next()
    132. 

  132.     {
    133. 

  133.         unsigned curindex = 0;
    134. 

  134.         
    135. 

  135.         {
    136. 

  136.             synchronized block(m_mutex);
    137. 

  137.             curindex = nextIndex;
    138. 

  138.             ++nextIndex %= hostArray.ordinality();
    139. 

  139.         }
    140. 

  140. 

  141.         return (hostArray.item(curindex));
    142. 

  142.     }
    143. 

  143. };
    144. 

  144. 

  145. bool LdapServerDown(int rc)
    146. 

  146. {
    147. 

  147.     return rc==LDAP_SERVER_DOWN||rc==LDAP_UNAVAILABLE||rc==LDAP_TIMEOUT;
    148. 

  148. }
    149. 

  149. 

  150. class CLdapConfig : public CInterface, implements ILdapConfig
    151. 

  151. {
    152. 

  152. private:
    153. 

  153.     LdapServerType       m_serverType; 
    154. 

  154. 

  155.     Owned<IPropertyTree> m_cfg;
    156. 

  156. 

  157.     Owned<CLoadBalancer> m_ldaphosts;
    158. 

  158.     int                  m_ldapport;
    159. 

  159.     int                  m_ldap_secure_port;
    160. 

  160.     StringBuffer         m_protocol;
    161. 

  161.     StringBuffer         m_basedn;
    162. 

  162.     StringBuffer         m_domain;
    163. 

  163.     StringBuffer         m_authmethod;
    164. 

  164. 

  165.     StringBuffer         m_user_basedn;
    166. 

  166.     StringBuffer         m_group_basedn;
    167. 

  167.     StringBuffer         m_resource_basedn;
    168. 

  168.     StringBuffer         m_filescope_basedn;
    169. 

  169.     StringBuffer         m_workunitscope_basedn;
    170. 

  170.     StringBuffer         m_sudoers_basedn;
    171. 

  171.     StringBuffer         m_template_name;
    172. 

  172. 

  173.     StringBuffer         m_sysuser;
    174. 

  174.     StringBuffer         m_sysuser_commonname;
    175. 

  175.     StringBuffer         m_sysuser_password;
    176. 

  176.     StringBuffer         m_sysuser_basedn;
    177. 

  177. 

  178.     bool                 m_sysuser_specified;
    179. 

  179.     StringBuffer         m_sysuser_dn;
    180. 

  180. 

  181.     int                  m_maxConnections;
    182. 

  182.     
    183. 

  183.     StringBuffer         m_sdfieldname;
    184. 

  184. public:
    185. 

  185.     IMPLEMENT_IINTERFACE
    186. 

  186. 

  187.     CLdapConfig(IPropertyTree* cfg)
    188. 

  188.     {
    189. 

  189.         int version = LDAP_VERSION3;
    190. 

  190.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    191. 

  191. 

  192.         m_serverType = ACTIVE_DIRECTORY;
    193. 

  193. 

  194.         m_cfg.set(cfg);
    195. 

  195. 

  196.         StringBuffer hostsbuf;
    197. 

  197.         cfg->getProp(".//@ldapAddress", hostsbuf);
    198. 

  198.         if(hostsbuf.length() == 0)
    199. 

  199.         {
    200. 

  200.             throw MakeStringException(-1, "ldapAddress not found in config");
    201. 

  201.         }
    202. 

  202.         m_ldaphosts.setown(new CLoadBalancer(hostsbuf.str()));
    203. 

  203. 

  204.         cfg->getProp(".//@ldapProtocol", m_protocol);
    205. 

  205.         if(m_protocol.length() == 0)
    206. 

  206.         {
    207. 

  207.             m_protocol.append("ldap");
    208. 

  208.         }
    209. 

  209.         
    210. 

  210.         StringBuffer portbuf;
    211. 

  211.         cfg->getProp(".//@ldapPort", portbuf);
    212. 

  212.         if(portbuf.length() == 0)
    213. 

  213.             m_ldapport = 389;
    214. 

  214.         else
    215. 

  215.             m_ldapport = atoi(portbuf.str());
    216. 

  216. 

  217.         portbuf.clear();
    218. 

  218.         cfg->getProp(".//@ldapSecurePort", portbuf);
    219. 

  219.         if(portbuf.length() == 0)
    220. 

  220.             m_ldap_secure_port = 636;
    221. 

  221.         else
    222. 

  222.             m_ldap_secure_port = atoi(portbuf.str());
    223. 

  223. 

  224.         StringBuffer hostbuf, dcbuf;
    225. 

  225.         int rc = 0;
    226. 

  226.         getLdapHost(hostbuf);
    227. 

  227.         for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    228. 

  228.         {
    229. 

  229.             rc = LdapUtils::getServerInfo(hostbuf.str(), m_ldapport, dcbuf, m_serverType, cfg->queryProp(".//@ldapDomain"));
    230. 

  230.             if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    231. 

  231.                 break;
    232. 

  232.             sleep(LDAPSEC_RETRY_WAIT);
    233. 

  233.             if(retries < LDAPSEC_MAX_RETRIES)
    234. 

  234.             {
    235. 

  235.                 DBGLOG("Server %s temporarily unreachable.", hostbuf.str());
    236. 

  236.                 // Retrying next ldap sever, might be the same server
    237. 

  237.                 hostbuf.clear();
    238. 

  238.                 getLdapHost(hostbuf);
    239. 

  239.                 DBGLOG("Retrying with %s...", hostbuf.str());
    240. 

  240.             }
    241. 

  241.         }
    242. 

  242.         if(rc != LDAP_SUCCESS)
    243. 

  243.         {
    244. 

  244.             throw MakeStringException(-1, "getServerInfo error - %s", ldap_err2string(rc));
    245. 

  245.         }
    246. 

  246.         const char* basedn = cfg->queryProp(".//@commonBasedn");
    247. 

  247.         if(basedn == NULL || *basedn == '\0')
    248. 

  248.         {
    249. 

  249.             basedn = dcbuf.str();
    250. 

  250.         }
    251. 

  251.         LdapUtils::cleanupDn(basedn, m_basedn);
    252. 

  252. 

  253.         StringBuffer user_basedn;
    254. 

  254.         cfg->getProp(".//@usersBasedn", user_basedn);
    255. 

  255.         if(user_basedn.length() == 0)
    256. 

  256.         {
    257. 

  257.             throw MakeStringException(-1, "users basedn not found in config");
    258. 

  258.         }
    259. 

  259.         LdapUtils::normalizeDn(user_basedn.str(), m_basedn.str(), m_user_basedn);
    260. 

  260.         
    261. 

  261.         StringBuffer group_basedn;
    262. 

  262.         cfg->getProp(".//@groupsBasedn", group_basedn);
    263. 

  263.         if(group_basedn.length() == 0)
    264. 

  264.         {
    265. 

  265.             throw MakeStringException(-1, "groups basedn not found in config");
    266. 

  266.         }
    267. 

  267.         LdapUtils::normalizeDn(group_basedn.str(), m_basedn.str(), m_group_basedn);
    268. 

  268. 

  269.         StringBuffer dnbuf;
    270. 

  270.         cfg->getProp(".//@modulesBasedn", dnbuf);
    271. 

  271.         if(dnbuf.length() == 0)
    272. 

  272.             cfg->getProp(".//@resourcesBasedn", dnbuf);
    273. 

  273.         if(dnbuf.length() > 0)
    274. 

  274.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_resource_basedn);
    275. 

  275. 

  276.         dnbuf.clear();
    277. 

  277.         cfg->getProp(".//@filesBasedn", dnbuf);
    278. 

  278.         if(dnbuf.length() > 0)
    279. 

  279.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_filescope_basedn);
    280. 

  280. 

  281.         dnbuf.clear();
    282. 

  282.         cfg->getProp(".//@workunitsBasedn", dnbuf);
    283. 

  283.         if(dnbuf.length() > 0)
    284. 

  284.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_workunitscope_basedn);
    285. 

  285.         
    286. 

  286.         if(m_resource_basedn.length() + m_filescope_basedn.length() + m_workunitscope_basedn.length() == 0)
    287. 

  287.         {
    288. 

  288.             throw MakeStringException(-1, "One of the following basedns need to be defined: modulesBasedn, resourcesBasedn, filesBasedn or workunitScopesBasedn.");
    289. 

  289.         }
    290. 

  290. 

  291.         dnbuf.clear();
    292. 

  292.         cfg->getProp(".//@sudoersBasedn", dnbuf);
    293. 

  293.         if(dnbuf.length() == 0)
    294. 

  294.             dnbuf.append("ou=SUDOers");
    295. 

  295.         LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_sudoers_basedn);
    296. 

  296. 

  297.         cfg->getProp(".//@templateName", m_template_name);
    298. 

  298.         cfg->getProp(".//@authMethod", m_authmethod);
    299. 

  299.         cfg->getProp(".//@ldapDomain", m_domain);
    300. 

  300.         if(m_domain.length() == 0)
    301. 

  301.         {
    302. 

  302.             const char* dptr = strchr(m_basedn.str(), '=');
    303. 

  303.             if(dptr != NULL)
    304. 

  304.             {
    305. 

  305.                 dptr++;
    306. 

  306.                 while(*dptr != 0 && *dptr != ',')
    307. 

  307.                 {
    308. 

  308.                     char c = *dptr++;
    309. 

  309.                     m_domain.append(c);
    310. 

  310.                 }
    311. 

  311.             }
    312. 

  312.         }
    313. 

  313. 

  314.         m_sysuser_specified = true;
    315. 

  315.         cfg->getProp(".//@systemUser", m_sysuser);
    316. 

  316.         if(m_sysuser.length() == 0)
    317. 

  317.         {
    318. 

  318.             m_sysuser_specified = false;
    319. 

  319.         }
    320. 

  320. 

  321.         cfg->getProp(".//@systemCommonName", m_sysuser_commonname);
    322. 

  322.         if(m_sysuser_specified && (m_sysuser_commonname.length() == 0))
    323. 

  323.         {
    324. 

  324.             throw MakeStringException(-1, "SystemUser commonname is empty");
    325. 

  325.         }
    326. 

  326. 

  327.         StringBuffer passbuf;
    328. 

  328.         cfg->getProp(".//@systemPassword", passbuf);
    329. 

  329.         decrypt(m_sysuser_password, passbuf.str());
    330. 

  330. 

  331.         StringBuffer sysuser_basedn;
    332. 

  332.         cfg->getProp(".//@systemBasedn", sysuser_basedn);
    333. 

  333. 

  334.         if(sysuser_basedn.length() == 0)
    335. 

  335.         {
    336. 

  336.             if(m_serverType == ACTIVE_DIRECTORY)
    337. 

  337.                 LdapUtils::normalizeDn( "cn=Users", m_basedn.str(), m_sysuser_basedn);
    338. 

  338.             else if(m_serverType == IPLANET)
    339. 

  339.                 m_sysuser_basedn.append("ou=administrators,ou=topologymanagement,o=netscaperoot");
    340. 

  340.             else if(m_serverType == OPEN_LDAP)
    341. 

  341.                 m_sysuser_basedn.append(m_basedn.str());
    342. 

  342.         }
    343. 

  343.         else
    344. 

  344.         {
    345. 

  345.             if(m_serverType == ACTIVE_DIRECTORY)
    346. 

  346.                 LdapUtils::normalizeDn(sysuser_basedn.str(), m_basedn.str(), m_sysuser_basedn);
    347. 

  347.             else
    348. 

  348.                 m_sysuser_basedn.append(sysuser_basedn.str());
    349. 

  349.         }
    350. 

  350. 

  351.         if(m_sysuser_specified)
    352. 

  352.         {
    353. 

  353.             if(m_serverType == IPLANET)
    354. 

  354.                 m_sysuser_dn.append("uid=").append(m_sysuser.str()).append(",").append(m_sysuser_basedn.str());
    355. 

  355.             else if(m_serverType == ACTIVE_DIRECTORY)
    356. 

  356.                 m_sysuser_dn.append("cn=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str());
    357. 

  357.             else if(m_serverType == OPEN_LDAP)
    358. 

  358.                 m_sysuser_dn.append("cn=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str());
    359. 

  359.         }
    360. 

  360. 

  361.         m_maxConnections = cfg->getPropInt(".//@maxConnections", DEFAULT_LDAP_POOL_SIZE);
    362. 

  362.         if(m_maxConnections <= 0)
    363. 

  363.             m_maxConnections = DEFAULT_LDAP_POOL_SIZE;
    364. 

  364. 

  365.         if(m_serverType == ACTIVE_DIRECTORY)
    366. 

  366.             m_sdfieldname.append("ntSecurityDescriptor");
    367. 

  367.         else if(m_serverType == IPLANET)
    368. 

  368.             m_sdfieldname.append("aci");
    369. 

  369.         else if(m_serverType == OPEN_LDAP)
    370. 

  370.             m_sdfieldname.append("OpenLDAPaci");
    371. 

  371. 

  372.     }
    373. 

  373. 

  374.     virtual LdapServerType getServerType()
    375. 

  375.     {
    376. 

  376.         return m_serverType;
    377. 

  377.     }
    378. 

  378. 

  379.     virtual const char* getSdFieldName()
    380. 

  380.     {
    381. 

  381.         return m_sdfieldname.str();
    382. 

  382.     }
    383. 

  383. 

  384.     virtual StringBuffer& getLdapHost(StringBuffer& hostbuf)
    385. 

  385.     {
    386. 

  386.         hostbuf.clear();
    387. 

  387.         try
    388. 

  388.         {
    389. 

  389.             hostbuf.append(m_ldaphosts->next());
    390. 

  390.         }
    391. 

  391.         catch(IException* e)
    392. 

  392.         {
    393. 

  393.             StringBuffer emsg;
    394. 

  394.             e->errorMessage(emsg);
    395. 

  395.             DBGLOG("getLdapHost exception - %s", emsg.str());
    396. 

  396.             e->Release();
    397. 

  397.         }
    398. 

  398.         catch(...)
    399. 

  399.         {
    400. 

  400.             DBGLOG("getLdapHost unknown exception");
    401. 

  401.         }
    402. 

  402. 

  403.         return hostbuf;
    404. 

  404.     }
    405. 

  405. 

  406.     virtual void markDown(const char* ldaphost)
    407. 

  407.     {
    408. 

  408.         //SocketEndpoint ep(ldaphost, 0);
    409. 

  409.         //m_ldaphosts->setStatus(ep, false);
    410. 

  410.     }
    411. 

  411. 

  412.     virtual int getLdapPort()
    413. 

  413.     {
    414. 

  414.         return m_ldapport;
    415. 

  415.     }
    416. 

  416. 

  417.     virtual int getLdapSecurePort()
    418. 

  418.     {
    419. 

  419.         return m_ldap_secure_port;
    420. 

  420.     }
    421. 

  421. 

  422.     virtual const char* getProtocol()
    423. 

  423.     {
    424. 

  424.         return m_protocol.str();
    425. 

  425.     }
    426. 

  426. 

  427. 

  428.     virtual const char* getBasedn()
    429. 

  429.     {
    430. 

  430.         return m_basedn.str();
    431. 

  431.     }
    432. 

  432. 

  433.     virtual const char* getDomain()
    434. 

  434.     {
    435. 

  435.         return m_domain.str();
    436. 

  436.     }
    437. 

  437. 

  438.     virtual const char* getAuthMethod()
    439. 

  439.     {
    440. 

  440.         return m_authmethod.str();
    441. 

  441.     }
    442. 

  442. 

  443.     virtual const char* getUserBasedn()
    444. 

  444.     {
    445. 

  445.         return m_user_basedn.str();
    446. 

  446.     }
    447. 

  447. 

  448.     virtual const char* getGroupBasedn()
    449. 

  449.     {
    450. 

  450.         return m_group_basedn.str();
    451. 

  451.     }
    452. 

  452. 

  453.     virtual const char* getResourceBasedn(SecResourceType rtype)
    454. 

  454.     {
    455. 

  455.         if(rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE)
    456. 

  456.             return m_resource_basedn.str();
    457. 

  457.         else if(rtype == RT_FILE_SCOPE)
    458. 

  458.             return m_filescope_basedn.str();
    459. 

  459.         else if(rtype == RT_WORKUNIT_SCOPE)
    460. 

  460.             return m_workunitscope_basedn.str();
    461. 

  461.         else if(rtype == RT_SUDOERS)
    462. 

  462.             return m_sudoers_basedn.str();
    463. 

  463.         else
    464. 

  464.             return m_resource_basedn.str();
    465. 

  465.     }
    466. 

  466. 

  467.     virtual const char* getTemplateName()
    468. 

  468.     {
    469. 

  469.         return m_template_name.str();
    470. 

  470.     }
    471. 

  471. 

  472.     virtual const char* getSysUser()
    473. 

  473.     {
    474. 

  474.         return m_sysuser.str();
    475. 

  475.     }
    476. 

  476. 

  477.     virtual const char* getSysUserDn()
    478. 

  478.     {
    479. 

  479.         return m_sysuser_dn.str();
    480. 

  480.     }
    481. 

  481. 

  482.     virtual const char* getSysUserCommonName()
    483. 

  483.     {
    484. 

  484.         return m_sysuser_commonname.str();
    485. 

  485.     }
    486. 

  486. 

  487.     virtual const char* getSysUserPassword()
    488. 

  488.     {
    489. 

  489.         return m_sysuser_password.str();
    490. 

  490.     }
    491. 

  491. 

  492.     virtual const char* getSysUserBasedn()
    493. 

  493.     {
    494. 

  494.         return m_sysuser_basedn.str();
    495. 

  495.     }
    496. 

  496. 

  497.     virtual bool sysuserSpecified()
    498. 

  498.     {
    499. 

  499.         return m_sysuser_specified;
    500. 

  500.     }
    501. 

  501. 

  502.     virtual int getMaxConnections()
    503. 

  503.     {
    504. 

  504.         return m_maxConnections;
    505. 

  505.     }
    506. 

  506. 

  507.     // For now, only sets default resourcebasedn, since it's only used by ESP services
    508. 

  508.     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
    509. 

  509.     {
    510. 

  510.         if(rbasedn == NULL || rbasedn[0] == '\0')
    511. 

  511.             return;
    512. 

  512. 

  513.         if(rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE)
    514. 

  514.         {
    515. 

  515.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_resource_basedn);
    516. 

  516.         }
    517. 

  517.         else if(rtype == RT_FILE_SCOPE)
    518. 

  518.         {
    519. 

  519.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_filescope_basedn);
    520. 

  520.         }
    521. 

  521.         else if(rtype == RT_WORKUNIT_SCOPE)
    522. 

  522.         {
    523. 

  523.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_workunitscope_basedn);
    524. 

  524.         }
    525. 

  525.         else
    526. 

  526.         {
    527. 

  527.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_resource_basedn);
    528. 

  528.         }
    529. 

  529.     }
    530. 

  530. 

  531.     virtual void getDefaultSysUserBasedn(StringBuffer& sysuser_basedn)
    532. 

  532.     {
    533. 

  533.         if(m_serverType == ACTIVE_DIRECTORY)
    534. 

  534.             LdapUtils::normalizeDn( "cn=Users", m_basedn.str(), sysuser_basedn);
    535. 

  535.         else if(m_serverType == IPLANET)
    536. 

  536.             sysuser_basedn.append("ou=administrators,ou=topologymanagement,o=netscaperoot");
    537. 

  537.     }
    538. 

  538. };
    539. 

  539. 

  540. 

  541. class CLdapConnection : public CInterface, implements ILdapConnection
    542. 

  542. {
    543. 

  543. private:
    544. 

  544.     LDAP                *m_ld;
    545. 

  545.     Owned<CLdapConfig>   m_ldapconfig;
    546. 

  546. 

  547.     time_t               m_lastaccesstime;
    548. 

  548.     bool                 m_connected;
    549. 

  549. 

  550. public:
    551. 

  551.     IMPLEMENT_IINTERFACE
    552. 

  552. 

  553.     CLdapConnection(CLdapConfig* ldapconfig)
    554. 

  554.     {
    555. 

  555.         m_ldapconfig.setown(LINK(ldapconfig));
    556. 

  556.         m_ld = NULL;
    557. 

  557.         m_connected = false;
    558. 

  558.         m_lastaccesstime = 0;
    559. 

  559.     }
    560. 

  560. 

  561.     ~CLdapConnection()
    562. 

  562.     {
    563. 

  563.         if(m_ld != NULL)
    564. 

  564.         {
    565. 

  565.             ldap_unbind(m_ld);
    566. 

  566.         }
    567. 

  567.     }
    568. 

  568. 

  569.     virtual int connect(const char* ldapserver, const char* protocol)
    570. 

  570.     {
    571. 

  571.         if(!ldapserver || *ldapserver == '\0')
    572. 

  572.             return -1;
    573. 

  573. 

  574.         m_ld = LdapUtils::LdapInit(protocol, ldapserver, m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    575. 

  575.         int rc = LDAP_SUCCESS;
    576. 

  576.         if(m_ldapconfig->sysuserSpecified())
    577. 

  577.             rc =  LdapUtils::LdapBind(m_ld, m_ldapconfig->getDomain(), m_ldapconfig->getSysUser(), m_ldapconfig->getSysUserPassword(), m_ldapconfig->getSysUserDn(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    578. 

  578.         else
    579. 

  579.             rc =  LdapUtils::LdapBind(m_ld, m_ldapconfig->getDomain(), NULL, NULL, NULL, m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    580. 

  580. 

  581.         if(rc == LDAP_SUCCESS)
    582. 

  582.         {
    583. 

  583.             time(&m_lastaccesstime);
    584. 

  584.             m_connected = true;
    585. 

  585.             DBGLOG("Connected to LdapServer %s using protocol %s", ldapserver, protocol);
    586. 

  586.         }
    587. 

  587.         else
    588. 

  588.         {
    589. 

  589.             DBGLOG("LDAP: sysuser bind failed - %s", ldap_err2string(rc));
    590. 

  590.             ldap_unbind(m_ld);
    591. 

  591.             m_ld = NULL;
    592. 

  592.         }
    593. 

  593. 

  594.         return rc;
    595. 

  595.     }
    596. 

  596. 

  597.     virtual bool connect(bool force_ssl = false)
    598. 

  598.     {
    599. 

  599.         StringBuffer hostbuf;
    600. 

  600.         m_ldapconfig->getLdapHost(hostbuf);
    601. 

  601.         int rc = LDAP_SERVER_DOWN;
    602. 

  602.         const char* proto;
    603. 

  603.         if(force_ssl)
    604. 

  604.             proto = "ldaps";
    605. 

  605.         else
    606. 

  606.             proto = m_ldapconfig->getProtocol();
    607. 

  607.         
    608. 

  608.         for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    609. 

  609.         {
    610. 

  610.             rc = connect(hostbuf.str(), proto);
    611. 

  611.             if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    612. 

  612.                 break;
    613. 

  613.             sleep(LDAPSEC_RETRY_WAIT);
    614. 

  614.             if(retries < LDAPSEC_MAX_RETRIES)
    615. 

  615.                 DBGLOG("Server temporarily unreachable, retrying ...");
    616. 

  616.             // Retrying next ldap sever, might be the same server
    617. 

  617.             hostbuf.clear();
    618. 

  618.             m_ldapconfig->getLdapHost(hostbuf);
    619. 

  619.         }
    620. 

  620. 

  621.         if(rc == LDAP_SERVER_DOWN)
    622. 

  622.         {
    623. 

  623.             StringBuffer dc;
    624. 

  624.             LdapUtils::getDcName(m_ldapconfig->getDomain(), dc);
    625. 

  625.             if(dc.length() > 0)
    626. 

  626.             {
    627. 

  627.                 WARNLOG("Using automatically obtained LDAP Server %s", dc.str());
    628. 

  628.                 rc = connect(dc.str(), proto);
    629. 

  629.             }
    630. 

  630.         }
    631. 

  631.         if(rc == LDAP_SUCCESS)
    632. 

  632.             return true;
    633. 

  633.         else
    634. 

  634.             return false;
    635. 

  635.     }
    636. 

  636. 

  637.     virtual LDAP* getLd()
    638. 

  638.     {
    639. 

  639.         return m_ld;
    640. 

  640.     }
    641. 

  641. 

  642.     virtual bool validate()
    643. 

  643.     {
    644. 

  644.         time_t now;
    645. 

  645.         time(&now);
    646. 

  646. 

  647.         if(!m_connected)
    648. 

  648.             return connect();
    649. 

  649.         else if(now - m_lastaccesstime <= 300)
    650. 

  650.             return true;
    651. 

  651.         else
    652. 

  652.         {
    653. 

  653.             bool ok = false;
    654. 

  654.             LDAPMessage* msg = NULL;
    655. 

  655.             
    656. 

  656.             TIMEVAL timeOut = {LDAPTIMEOUT,0};
    657. 

  657.             int err = ldap_search_ext_s(m_ld, NULL, LDAP_SCOPE_BASE, "objectClass=*", NULL, 0, NULL, NULL, &timeOut, 1, &msg);
    658. 

  658. 

  659.             if(err == LDAP_SUCCESS)
    660. 

  660.             {
    661. 

  661.                 ok = true;
    662. 

  662.             }
    663. 

  663. 

  664.             if(msg != NULL)
    665. 

  665.                 ldap_msgfree(msg);
    666. 

  666.             
    667. 

  667.             if(!ok)
    668. 

  668.             {
    669. 

  669.                 if(m_ld != NULL)
    670. 

  670.                 {
    671. 

  671.                     ldap_unbind(m_ld);
    672. 

  672.                     m_ld = NULL;
    673. 

  673.                     m_connected = false;
    674. 

  674.                 }
    675. 

  675.                 DBGLOG("cached connection invalid, creating a new connection");
    676. 

  676.                 return connect();
    677. 

  677.             }
    678. 

  678.             else
    679. 

  679.             {
    680. 

  680.                 time(&m_lastaccesstime);
    681. 

  681.             }
    682. 

  682.         }
    683. 

  683. 

  684.         return true;
    685. 

  685.     }
    686. 

  686. };
    687. 

  687. 

  688. class CLdapConnectionPool : public CInterface, implements ILdapConnectionPool
    689. 

  689. {
    690. 

  690. private:
    691. 

  691.     int m_maxsize;
    692. 

  692.     int m_currentsize;
    693. 

  693.     IArrayOf<ILdapConnection> m_connections;
    694. 

  694.     Monitor m_monitor;
    695. 

  695.     Owned<CLdapConfig> m_ldapconfig;
    696. 

  696. 

  697. public:
    698. 

  698.     IMPLEMENT_IINTERFACE
    699. 

  699. 

  700.     CLdapConnectionPool(CLdapConfig* ldapconfig)
    701. 

  701.     {
    702. 

  702.         m_ldapconfig.setown(LINK(ldapconfig));
    703. 

  703.         m_maxsize = m_ldapconfig->getMaxConnections();
    704. 

  704.         m_currentsize = 0;
    705. 

  705.         // Set LDAP version to 3
    706. 

  706.         int version = LDAP_VERSION3;
    707. 

  707.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    708. 

  708.     }
    709. 

  709. 

  710.     virtual ILdapConnection* getConnection()
    711. 

  711.     {
    712. 

  712.         synchronized block(m_monitor);
    713. 

  713.         ForEachItemIn(x, m_connections)
    714. 

  714.         {
    715. 

  715.             CLdapConnection* curcon = (CLdapConnection*)&(m_connections.item(x));
    716. 

  716.             if(curcon != NULL && !curcon->IsShared())
    717. 

  717.             {
    718. 

  718.                 //PrintLog("Reusing an LDAP connection");
    719. 

  719.                 if(curcon->validate())
    720. 

  720.                     return LINK(curcon);
    721. 

  721.                 else
    722. 

  722.                     throw MakeStringException(-1, "Connecting/authenticating to ldap server in re-validation failed");
    723. 

  723.             }
    724. 

  724.         }
    725. 

  725. 

  726.         //PrintLog("Creating new connection");
    727. 

  727.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    728. 

  728.         if(newcon != NULL)
    729. 

  729.         {
    730. 

  730.             if(!newcon->connect())
    731. 

  731.             {
    732. 

  732.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server failed");
    733. 

  733.             }
    734. 

  734.             
    735. 

  735.             if(m_currentsize <= m_maxsize)
    736. 

  736.             {
    737. 

  737.                 m_connections.append(*newcon);
    738. 

  738.                 m_currentsize++;
    739. 

  739.                 return LINK(newcon);
    740. 

  740.             }
    741. 

  741.             else
    742. 

  742.             {
    743. 

  743.                 return newcon;
    744. 

  744.             }
    745. 

  745.         }
    746. 

  746.         else
    747. 

  747.         {
    748. 

  748.             throw MakeStringException(-1, "Failed to create new ldap connection");
    749. 

  749.         }
    750. 

  750.     }
    751. 

  751. 

  752.     virtual ILdapConnection* getSSLConnection()
    753. 

  753.     {
    754. 

  754.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    755. 

  755.         if(newcon != NULL)
    756. 

  756.         {
    757. 

  757.             if(!newcon->connect(true))
    758. 

  758.             {
    759. 

  759.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server via ldaps failed");
    760. 

  760.             }
    761. 

  761.             return newcon;
    762. 

  762.         }
    763. 

  763.         else
    764. 

  764.         {
    765. 

  765.             throw MakeStringException(-1, "Failed to create new ldap connection");
    766. 

  766.         }
    767. 

  767.     }
    768. 

  768. 

  769. };
    770. 

  770. 

  771. #define LDAP_CONNECTION_TIMEOUT INFINITE
    772. 

  772. 

  773. //------------ New Connection Pool Implementation ------------//
    774. 

  774. class CLdapConnectionManager : public CInterface, implements IResourceFactory<CLdapConnection>
    775. 

  775. {
    776. 

  776.     Owned<CLdapConfig>   m_ldapconfig;
    777. 

  777.     
    778. 

  778. public:
    779. 

  779.     IMPLEMENT_IINTERFACE;
    780. 

  780.     
    781. 

  781.     CLdapConnectionManager(CLdapConfig* ldapconfig)
    782. 

  782.     {
    783. 

  783.         m_ldapconfig.setown(LINK(ldapconfig));
    784. 

  784.     }
    785. 

  785. 

  786.     CLdapConnection* createResource()
    787. 

  787.     {
    788. 

  788.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    789. 

  789.         if(newcon != NULL)
    790. 

  790.         {
    791. 

  791.             if(!newcon->connect())
    792. 

  792.             {
    793. 

  793.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server failed");
    794. 

  794.             }
    795. 

  795.             
    796. 

  796.             return newcon;
    797. 

  797.         }
    798. 

  798.         else
    799. 

  799.         {
    800. 

  800.             throw MakeStringException(-1, "Failed to create new ldap connection");
    801. 

  801.         }
    802. 

  802.     }
    803. 

  803. };
    804. 

  804. 

  805. class CLdapConnectionPool2 : public CInterface, implements ILdapConnectionPool
    806. 

  806. {
    807. 

  807. private:
    808. 

  808.     int m_maxsize;
    809. 

  809.     Owned<CLdapConfig> m_ldapconfig;
    810. 

  810.     Owned<CResourcePool<CLdapConnection> > m_connections;
    811. 

  811. public:
    812. 

  812.     IMPLEMENT_IINTERFACE
    813. 

  813. 

  814.     CLdapConnectionPool2(CLdapConfig* ldapconfig)
    815. 

  815.     {
    816. 

  816.         m_ldapconfig.setown(LINK(ldapconfig));
    817. 

  817.         m_maxsize = m_ldapconfig->getMaxConnections();
    818. 

  818.         // Set LDAP version to 3
    819. 

  819.         int version = LDAP_VERSION3;
    820. 

  820.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    821. 

  821. 

  822.         m_connections.setown(new CResourcePool<CLdapConnection>);
    823. 

  823.         Owned<CLdapConnectionManager> poolMgr = new CLdapConnectionManager(ldapconfig);
    824. 

  824.         m_connections->init(m_maxsize, poolMgr.get());
    825. 

  825.     }
    826. 

  826. 

  827.     virtual ILdapConnection* getConnection()
    828. 

  828.     {
    829. 

  829.         Owned<CLdapConnection> con;
    830. 

  830.         try
    831. 

  831.         {
    832. 

  832.             con.setown(m_connections->get(LDAP_CONNECTION_TIMEOUT));
    833. 

  833.         }
    834. 

  834.         catch(IException* e)
    835. 

  835.         {
    836. 

  836.             StringBuffer emsg;
    837. 

  837.             e->errorMessage(emsg);
    838. 

  838.             DBGLOG("getConnection exception - %s", emsg.str());
    839. 

  839.             e->Release();
    840. 

  840.         }
    841. 

  841.         catch(...)
    842. 

  842.         {
    843. 

  843.             DBGLOG("getConnection unknown exception");
    844. 

  844.         }
    845. 

  845. 

  846.         if(con.get())
    847. 

  847.         {
    848. 

  848.             if(con->validate())
    849. 

  849.                 return con.getLink();
    850. 

  850.             else
    851. 

  851.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server in re-validation failed");
    852. 

  852.         }
    853. 

  853.         else
    854. 

  854.                 throw MakeStringException(-1, "Failed to get an LDAP Connection.");
    855. 

  855.     }
    856. 

  856. 

  857.     virtual ILdapConnection* getSSLConnection()
    858. 

  858.     {
    859. 

  859.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    860. 

  860.         if(newcon != NULL)
    861. 

  861.         {
    862. 

  862.             if(!newcon->connect(true))
    863. 

  863.             {
    864. 

  864.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server via ldaps failed");
    865. 

  865.             }
    866. 

  866.             return newcon;
    867. 

  867.         }
    868. 

  868.         else
    869. 

  869.         {
    870. 

  870.             throw MakeStringException(-1, "Failed to create new ldap connection");
    871. 

  871.         }
    872. 

  872.     }
    873. 

  873. };
    874. 

  874. 

  875. 

  876. struct ltstr
    877. 

  877. {
    878. 

  878.     bool operator()(const char* s1, const char* s2) const { return strcmp(s1, s2) < 0; }
    879. 

  879. };
    880. 

  880. 

  881. class CLdapClient : public CInterface, implements ILdapClient
    882. 

  882. {
    883. 

  883. private:
    884. 

  884.     Owned<ILdapConnectionPool> m_connections;
    885. 

  885.     IPermissionProcessor* m_pp;     
    886. 

  886.     //int                  m_defaultFileScopePermission;
    887. 

  887.     //int                  m_defaultWorkunitScopePermission;
    888. 

  888.     Owned<CLdapConfig>   m_ldapconfig;
    889. 

  889.     StringBuffer         m_pwscheme;
    890. 

  890. 

  891. public:
    892. 

  892.     IMPLEMENT_IINTERFACE
    893. 

  893. 

  894.     CLdapClient(IPropertyTree* cfg)
    895. 

  895.     {
    896. 

  896.         m_ldapconfig.setown(new CLdapConfig(cfg));
    897. 

  897.         if(cfg && cfg->getPropBool("@useRealConnectionPool", false))
    898. 

  898.             m_connections.setown(new CLdapConnectionPool2(m_ldapconfig.get())); 
    899. 

  899.         else
    900. 

  900.             m_connections.setown(new CLdapConnectionPool(m_ldapconfig.get()));  
    901. 

  901.         m_pp = NULL;
    902. 

  902.         //m_defaultFileScopePermission = -2;
    903. 

  903.         //m_defaultWorkunitScopePermission = -2;
    904. 

  904.     }
    905. 

  905. 

  906.     virtual void init(IPermissionProcessor* pp)
    907. 

  907.     {
    908. 

  908.         m_pp = pp;
    909. 

  909.         if(m_ldapconfig->getServerType() == OPEN_LDAP)
    910. 

  910.         {
    911. 

  911.             try
    912. 

  912.             {
    913. 

  913.                 addDC(m_ldapconfig->getBasedn());
    914. 

  914.             }
    915. 

  915.             catch(...)
    916. 

  916.             {
    917. 

  917.             }
    918. 

  918.             try
    919. 

  919.             {
    920. 

  920.                 addGroup("Directory Administrators", m_ldapconfig->getBasedn());
    921. 

  921.             }
    922. 

  922.             catch(...)
    923. 

  923.             {
    924. 

  924.             }
    925. 

  925.         }
    926. 

  926.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_DEFAULT), PT_DEFAULT);
    927. 

  927.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_DEFAULT);
    928. 

  928.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_DEFAULT);
    929. 

  929.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_DEFAULT);
    930. 

  930. 

  931.         createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_DEFAULT);
    932. 

  932.         createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_DEFAULT);
    933. 

  933.     }
    934. 

  934. 

  935.     virtual LdapServerType getServerType()
    936. 

  936.     {
    937. 

  937.         return m_ldapconfig->getServerType();
    938. 

  938.     }
    939. 

  939. 

  940.     virtual ILdapConfig* getLdapConfig()
    941. 

  941.     {
    942. 

  942.         return m_ldapconfig.get();
    943. 

  943.     }
    944. 

  944. 

  945.     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
    946. 

  946.     {
    947. 

  947.         m_ldapconfig->setResourceBasedn(rbasedn, rtype);
    948. 

  948.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(rtype), PT_DEFAULT);
    949. 

  949.     }
    950. 

  950. 

  951.     virtual bool authenticate(ISecUser& user)
    952. 

  952.     {
    953. 

  953.         {
    954. 

  954.             char        *attribute, **values;       
    955. 

  955.             BerElement  *ber;
    956. 

  956. 

  957.             const char* username = user.getName();
    958. 

  958.             const char* password = user.credentials().getPassword();
    959. 

  959.             if(!username || !*username || !password || !*password)
    960. 

  960.                 return false;
    961. 

  961. 

  962.             const char* sysuser = m_ldapconfig->getSysUser();
    963. 

  963.             if(sysuser && *sysuser && (strcmp(username, sysuser) == 0))
    964. 

  964.             {
    965. 

  965.                 if(strcmp(password, m_ldapconfig->getSysUserPassword()) == 0)
    966. 

  966.                 {
    967. 

  967.                     user.setFullName(m_ldapconfig->getSysUserCommonName());
    968. 

  968.                     user.setAuthenticated(true);
    969. 

  969.                     return true;
    970. 

  970.                 }
    971. 

  971.                 else
    972. 

  972.                 {
    973. 

  973.                     return false;
    974. 

  974.                 }
    975. 

  975.             }
    976. 

  976. 

  977.             StringBuffer filter;
    978. 

  978.             // Retrieve user's dn with system connection
    979. 

  979.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    980. 

  980.                 filter.append("sAMAccountName=");
    981. 

  981.             else
    982. 

  982.                 filter.append("uid=");
    983. 

  983.             filter.append(username);
    984. 

  984.             LDAPMessage *res;
    985. 

  985.             char* attrs[] = {"cn", NULL};
    986. 

  986. 

  987.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    988. 

  988.             LDAP* sys_ld = ((CLdapConnection*)lconn.get())->getLd();
    989. 

  989. 

  990.             TIMEVAL timeOut = {LDAPTIMEOUT,0};
    991. 

  991.             int result = ldap_search_ext_s(sys_ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &res);
    992. 

  992. 

  993.             if(result != LDAP_SUCCESS)
    994. 

  994.             {
    995. 

  995.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( result ), filter.str(), m_ldapconfig->getUserBasedn());
    996. 

  996.                 return false;
    997. 

  997.             }
    998. 

  998. 

  999.             unsigned entries = ldap_count_entries(sys_ld, res);
    1000. 

  1000.             if(entries == 0)
    1001. 

  1001.             {
    1002. 

  1002.                 TIMEVAL timeOut = {LDAPTIMEOUT,0};
    1003. 

  1003.                 result = ldap_search_ext_s(sys_ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &res);
    1004. 

  1004.                 if(result != LDAP_SUCCESS)
    1005. 

  1005.                 {
    1006. 

  1006.                     DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( result ), filter.str(), m_ldapconfig->getSysUserBasedn());
    1007. 

  1007.                     return false;
    1008. 

  1008.                 }
    1009. 

  1009. 

  1010.                 entries = ldap_count_entries(sys_ld, res);
    1011. 

  1011.                 if(entries == 0)
    1012. 

  1012.                 {
    1013. 

  1013.                     DBGLOG("LDAP: User %s not found", username);
    1014. 

  1014.                     return false;
    1015. 

  1015.                 }
    1016. 

  1016.             }
    1017. 

  1017. 

  1018.             LDAPMessage *entry = LdapFirstEntry(sys_ld, res);
    1019. 

  1019.             if(entry == NULL)
    1020. 

  1020.             {
    1021. 

  1021.                 DBGLOG("LDAP: Can't find entry for user %s", username);
    1022. 

  1022.                 return false;
    1023. 

  1023.             }
    1024. 

  1024. 

  1025.             for ( attribute = ldap_first_attribute(sys_ld, res, &ber ); attribute != NULL; attribute = ldap_next_attribute(sys_ld, res, ber))
    1026. 

  1026.             {
    1027. 

  1027.                 if((stricmp(attribute, "cn") == 0) && (values = ldap_get_values(sys_ld, entry, attribute)) != NULL )
    1028. 

  1028.                 {
    1029. 

  1029.                     //set the FullName
    1030. 

  1030.                     if(values[0] != NULL)
    1031. 

  1031.                         user.setFullName(values[0]);
    1032. 

  1032.                     ldap_value_free( values );
    1033. 

  1033.                     break;
    1034. 

  1034.                 }
    1035. 

  1035.             }
    1036. 

  1036.             ber_free(ber, 0);
    1037. 

  1037. 

  1038.             char *userdn = ldap_get_dn(sys_ld, entry);
    1039. 

  1039.             if(userdn == NULL || strlen(userdn) == 0)
    1040. 

  1040.             {
    1041. 

  1041.                 DBGLOG("LDAP: dn not found for user %s", username);
    1042. 

  1042.                 ldap_msgfree(entry);
    1043. 

  1043.                 return false;
    1044. 

  1044.             }
    1045. 

  1045. 

  1046.             StringBuffer userdnbuf;
    1047. 

  1047.             userdnbuf.append(userdn);
    1048. 

  1048.             ldap_msgfree(entry);
    1049. 

  1049.             ldap_memfree(userdn);
    1050. 

  1050. 

  1051.             StringBuffer hostbuf;
    1052. 

  1052.             m_ldapconfig->getLdapHost(hostbuf);
    1053. 

  1053.             int rc = LDAP_SERVER_DOWN;
    1054. 

  1054. 

  1055.             for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    1056. 

  1056.             {
    1057. 

  1057.                 DBGLOG("LdapBind for user %s (retries=%d).", username, retries);
    1058. 

  1058.                 {
    1059. 

  1059.                     LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    1060. 

  1060.                     rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    1061. 

  1061.                     ldap_unbind(user_ld);
    1062. 

  1062.                 }
    1063. 

  1063.                 DBGLOG("finished LdapBind for user %s", username);
    1064. 

  1064.                 if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    1065. 

  1065.                     break;
    1066. 

  1066.                 sleep(LDAPSEC_RETRY_WAIT);
    1067. 

  1067.                 if(retries < LDAPSEC_MAX_RETRIES)
    1068. 

  1068.                     DBGLOG("Server temporarily unreachable, retrying ...");
    1069. 

  1069.                 // Retrying next ldap sever, might be the same server
    1070. 

  1070.                 hostbuf.clear();
    1071. 

  1071.                 m_ldapconfig->getLdapHost(hostbuf);
    1072. 

  1072.             }
    1073. 

  1073. 

  1074.             if(rc == LDAP_SERVER_DOWN)
    1075. 

  1075.             {
    1076. 

  1076.                 StringBuffer dc;
    1077. 

  1077.                 LdapUtils::getDcName(NULL, dc);
    1078. 

  1078.                 if(dc.length() > 0)
    1079. 

  1079.                 {
    1080. 

  1080.                     WARNLOG("Using automatically obtained LDAP Server %s", dc.str());
    1081. 

  1081.                     LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), dc.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    1082. 

  1082.                     rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    1083. 

  1083.                     ldap_unbind(user_ld);
    1084. 

  1084.                 }
    1085. 

  1085.             }
    1086. 

  1086.             if(rc != LDAP_SUCCESS)
    1087. 

  1087.             {
    1088. 

  1088.                 DBGLOG("LDAP: Authentication for user %s failed - %s", username, ldap_err2string(rc));
    1089. 

  1089.                 return false;
    1090. 

  1090.             }
    1091. 

  1091.             user.setAuthenticated(true);
    1092. 

  1092.         }
    1093. 

  1093.         //Always retrieve user info(SID, UID, fullname, etc) for Active Directory, when the user first logs in.
    1094. 

  1094.         if((m_ldapconfig->getServerType() == ACTIVE_DIRECTORY) && (m_pp != NULL))
    1095. 

  1095.             m_pp->retrieveUserInfo(user);
    1096. 

  1096. 

  1097.         return true;
    1098. 

  1098.     };
    1099. 

  1099. 

  1100.     virtual bool authorize(SecResourceType rtype, ISecUser& user, IArrayOf<ISecResource>& resources)
    1101. 

  1101.     {
    1102. 

  1102.         bool ok = false;
    1103. 

  1103.         const char* basedn = m_ldapconfig->getResourceBasedn(rtype);
    1104. 

  1104.         if(basedn == NULL || *basedn == '\0')
    1105. 

  1105.         {
    1106. 

  1106.             DBGLOG("corresponding basedn is not defined for authorize");
    1107. 

  1107.             return false;
    1108. 

  1108.         }
    1109. 

  1109. 

  1110.         const char* username = user.getName();
    1111. 

  1111.         if(!username || !*username)
    1112. 

  1112.             return false;
    1113. 

  1113. 

  1114.         const char* sysuser = m_ldapconfig->getSysUser();
    1115. 

  1115.         if(sysuser && *sysuser && (strcmp(username, sysuser) == 0))
    1116. 

  1116.         {
    1117. 

  1117.             ForEachItemIn(x, resources)
    1118. 

  1118.             {
    1119. 

  1119.                 ISecResource* res = &resources.item(x);
    1120. 

  1120.                 if(!res)
    1121. 

  1121.                     continue;
    1122. 

  1122.                 if(rtype == RT_MODULE)
    1123. 

  1123.                 {
    1124. 

  1124.                     StringBuffer filter;
    1125. 

  1125.                     if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1126. 

  1126.                         filter.append("name=");
    1127. 

  1127.                     else
    1128. 

  1128.                         filter.append("ou=");
    1129. 

  1129.                     filter.append(res->getName());
    1130. 

  1130.                     int count = countEntries(m_ldapconfig->getResourceBasedn(rtype), (char*)filter.str(), 10);
    1131. 

  1131.                     if(count != 0)
    1132. 

  1132.                         res->setAccessFlags(SecAccess_Full);
    1133. 

  1133.                     else
    1134. 

  1134.                         res->setAccessFlags(-1);
    1135. 

  1135.                 }
    1136. 

  1136.                 else
    1137. 

  1137.                     res->setAccessFlags(SecAccess_Full);
    1138. 

  1138.             }
    1139. 

  1139.             return true;
    1140. 

  1140.         }
    1141. 

  1141. 

  1142.         if(rtype == RT_FILE_SCOPE)
    1143. 

  1143.         {
    1144. 

  1144.             int defaultFileScopePermission = -2;
    1145. 

  1145.             //if(m_defaultFileScopePermission == -2)
    1146. 

  1146.             {
    1147. 

  1147.                 const char* basebasedn = strchr(basedn, ',') + 1;
    1148. 

  1148.                 StringBuffer baseresource;
    1149. 

  1149.                 baseresource.append(basebasedn-basedn-4, basedn+3);
    1150. 

  1150.                 IArrayOf<ISecResource> base_resources;
    1151. 

  1151.                 base_resources.append(*(new CLdapSecResource(baseresource.str())));
    1152. 

  1152.                 bool baseok = authorizeScope(user, base_resources, basebasedn);
    1153. 

  1153.                 if(baseok)
    1154. 

  1154.                 {
    1155. 

  1155.                     //m_defaultFileScopePermission = base_resources.item(0).getAccessFlags();
    1156. 

  1156.                     defaultFileScopePermission = base_resources.item(0).getAccessFlags();
    1157. 

  1157.                 }
    1158. 

  1158.             }
    1159. 

  1159.             IArrayOf<ISecResource> non_emptylist;
    1160. 

  1160.             ForEachItemIn(x, resources)
    1161. 

  1161.             {
    1162. 

  1162.                 ISecResource& res = resources.item(x);
    1163. 

  1163.                 const char* res_name = res.getName();
    1164. 

  1164.                 if(res_name == NULL || *res_name == '\0')
    1165. 

  1165.                     res.setAccessFlags(defaultFileScopePermission); //res.setAccessFlags(m_defaultFileScopePermission);
    1166. 

  1166.                 else 
    1167. 

  1167.                     non_emptylist.append(*LINK(&res));
    1168. 

  1168.             }
    1169. 

  1169. 

  1170.             ok = authorizeScope(user, non_emptylist, basedn);
    1171. 

  1171.             //if(ok && m_defaultFileScopePermission != -2)
    1172. 

  1172.             if(ok && defaultFileScopePermission != -2)
    1173. 

  1173.             {
    1174. 

  1174.                 ForEachItemIn(x, non_emptylist)
    1175. 

  1175.                 {
    1176. 

  1176.                     ISecResource& res = non_emptylist.item(x);
    1177. 

  1177.                     if(res.getAccessFlags() == -1)
    1178. 

  1178.                         res.setAccessFlags(defaultFileScopePermission); //res.setAccessFlags(m_defaultFileScopePermission);
    1179. 

  1179.                 }
    1180. 

  1180.             }
    1181. 

  1181. 

  1182.             return ok;
    1183. 

  1183.         }
    1184. 

  1184.         else if(rtype == RT_WORKUNIT_SCOPE)
    1185. 

  1185.         {
    1186. 

  1186.             int defaultWorkunitScopePermission = -2;
    1187. 

  1187.             //if(m_defaultWorkunitScopePermission == -2)
    1188. 

  1188.             {
    1189. 

  1189.                 const char* basebasedn = strchr(basedn, ',') + 1;
    1190. 

  1190.                 StringBuffer baseresource;
    1191. 

  1191.                 baseresource.append(basebasedn-basedn-4, basedn+3);
    1192. 

  1192.                 IArrayOf<ISecResource> base_resources;
    1193. 

  1193.                 base_resources.append(*(new CLdapSecResource(baseresource.str())));
    1194. 

  1194.                 bool baseok = authorizeScope(user, base_resources, basebasedn);
    1195. 

  1195.                 if(baseok)
    1196. 

  1196.                 {
    1197. 

  1197.                     defaultWorkunitScopePermission = base_resources.item(0).getAccessFlags();
    1198. 

  1198.                 }
    1199. 

  1199.             }
    1200. 

  1200.             IArrayOf<ISecResource> non_emptylist;
    1201. 

  1201.             ForEachItemIn(x, resources)
    1202. 

  1202.             {
    1203. 

  1203.                 ISecResource& res = resources.item(x);
    1204. 

  1204.                 const char* res_name = res.getName();
    1205. 

  1205.                 if(res_name == NULL || *res_name == '\0')
    1206. 

  1206.                     res.setAccessFlags(defaultWorkunitScopePermission);
    1207. 

  1207.                 else 
    1208. 

  1208.                     non_emptylist.append(*LINK(&res));
    1209. 

  1209.             }
    1210. 

  1210.             ok = authorizeScope(user, non_emptylist, basedn);
    1211. 

  1211.             if(ok && defaultWorkunitScopePermission != -2)
    1212. 

  1212.             {
    1213. 

  1213.                 ForEachItemIn(x, non_emptylist)
    1214. 

  1214.                 {
    1215. 

  1215.                     ISecResource& res = non_emptylist.item(x);
    1216. 

  1216.                     if(res.getAccessFlags() == -1)
    1217. 

  1217.                         res.setAccessFlags(defaultWorkunitScopePermission);
    1218. 

  1218.                 }
    1219. 

  1219.             }
    1220. 

  1220. 

  1221.             return ok;
    1222. 

  1222.         }
    1223. 

  1223.         else
    1224. 

  1224.         {
    1225. 

  1225.             IArrayOf<CSecurityDescriptor> sdlist;
    1226. 

  1226.             ForEachItemIn(x, resources)
    1227. 

  1227.             {
    1228. 

  1228.                 ISecResource& res = resources.item(x);
    1229. 

  1229.                 const char* resourcename = res.getName();
    1230. 

  1230.                 CSecurityDescriptor* sd = new CSecurityDescriptor(resourcename);
    1231. 

  1231.                 sdlist.append(*sd);
    1232. 

  1232.             }
    1233. 

  1233. 

  1234.             getSecurityDescriptors(rtype, sdlist);
    1235. 

  1235.             if(m_pp != NULL)
    1236. 

  1236.                 ok = m_pp->getPermissions(user, sdlist, resources);
    1237. 

  1237.             return ok;
    1238. 

  1238.         }
    1239. 

  1239.     }
    1240. 

  1240. 

  1241.     // Returns true if all resources are correctly added, otherwise returns false.
    1242. 

  1242.     virtual bool addResources(SecResourceType rtype, ISecUser& user, IArrayOf<ISecResource>& resources, SecPermissionType ptype, const char* basedn)
    1243. 

  1243.     {
    1244. 

  1244.         bool ret = true;
    1245. 

  1245. 

  1246.         for(unsigned i = 0; i < resources.length(); i++)
    1247. 

  1247.         {
    1248. 

  1248.             ISecResource* resource = &resources.item(i);
    1249. 

  1249.             if(resource != NULL)
    1250. 

  1250.             {
    1251. 

  1251.                 bool oneret = addResource(rtype, user, resource, ptype, basedn);
    1252. 

  1252.                 ret = ret && oneret; 
    1253. 

  1253.             }
    1254. 

  1254.         }
    1255. 

  1255. 

  1256.         return ret;
    1257. 

  1257.     }
    1258. 

  1258. 

  1259.     virtual bool getUserInfo(ISecUser& user, const char* infotype)
    1260. 

  1260.     {
    1261. 

  1261.         char        *attribute, **values;
    1262. 

  1262.         BerElement  *ber;
    1263. 

  1263.         LDAPMessage *searchResult, *message;
    1264. 

  1264. 

  1265.         const char* username = user.getName();
    1266. 

  1266. 

  1267.         if(username == NULL || strlen(username) == 0)
    1268. 

  1268.         {
    1269. 

  1269.             DBGLOG("LDAP: getUserInfo : username is empty");
    1270. 

  1270.             return false;
    1271. 

  1271.         }
    1272. 

  1272.         
    1273. 

  1273.         if(infotype && stricmp(infotype, "sudoers") == 0)
    1274. 

  1274.         {
    1275. 

  1275.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    1276. 

  1276. 

  1277.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    1278. 

  1278.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    1279. 

  1279.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1280. 

  1280. 

  1281.             StringBuffer filter("sudoUser=");
    1282. 

  1282.             filter.append(username);
    1283. 

  1283.             char  *attrs[] = {"sudoHost", "sudoCommand", "sudoOption", NULL};
    1284. 

  1284.             const char* basedn = m_ldapconfig->getResourceBasedn(RT_SUDOERS);
    1285. 

  1285.             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult);
    1286. 

  1286. 

  1287.             if ( rc != LDAP_SUCCESS )
    1288. 

  1288.             {
    1289. 

  1289.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    1290. 

  1290.                 ldapuser->setSudoersEnabled(false);
    1291. 

  1291.                 ldapuser->setInSudoers(false);
    1292. 

  1292.                 return false;
    1293. 

  1293.             }
    1294. 

  1294.             
    1295. 

  1295.             ldapuser->setSudoersEnabled(true);
    1296. 

  1296. 

  1297.             unsigned entries = ldap_count_entries(ld, searchResult);
    1298. 

  1298.             if(entries == 0)
    1299. 

  1299.             {
    1300. 

  1300.                 ldapuser->setInSudoers(false);
    1301. 

  1301.                 return true;
    1302. 

  1302.             }
    1303. 

  1303. 

  1304.             message = LdapFirstEntry(ld, searchResult);
    1305. 

  1305.             if(message == NULL)
    1306. 

  1306.             {
    1307. 

  1307.                 ldapuser->setInSudoers(false);
    1308. 

  1308.                 return true;
    1309. 

  1309.             }
    1310. 

  1310. 

  1311.             ldapuser->setInSudoers(true);
    1312. 

  1312. 

  1313.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber ); attribute != NULL; attribute = ldap_next_attribute(ld, searchResult,ber))
    1314. 

  1314.             {
    1315. 

  1315.                 if(stricmp(attribute, "sudoHost") == 0)
    1316. 

  1316.                 {
    1317. 

  1317.                     if (( values = ldap_get_values(ld, message, attribute)) != NULL )
    1318. 

  1318.                     {
    1319. 

  1319.                         if(values[0] != NULL)
    1320. 

  1320.                             ldapuser->setSudoHost(values[0]);
    1321. 

  1321.                         ldap_value_free( values );
    1322. 

  1322.                     }
    1323. 

  1323.                 }
    1324. 

  1324.                 else if(stricmp(attribute, "sudoCommand") == 0)
    1325. 

  1325.                 {
    1326. 

  1326.                     if (( values = ldap_get_values(ld, message, attribute)) != NULL )
    1327. 

  1327.                     {
    1328. 

  1328.                         if(values[0] != NULL)
    1329. 

  1329.                             ldapuser->setSudoCommand(values[0]);
    1330. 

  1330.                         ldap_value_free(values);
    1331. 

  1331.                     }
    1332. 

  1332.                 }
    1333. 

  1333.                 else if(stricmp(attribute, "sudoOption") == 0)
    1334. 

  1334.                 {
    1335. 

  1335.                     if (( values = ldap_get_values(ld, message, attribute)) != NULL )
    1336. 

  1336.                     {
    1337. 

  1337.                         if(values[0] != NULL)
    1338. 

  1338.                             ldapuser->setSudoOption(values[0]);
    1339. 

  1339.                         ldap_value_free(values);
    1340. 

  1340.                     }
    1341. 

  1341.                 }
    1342. 

  1342.             }
    1343. 

  1343.             ber_free(ber, 0);
    1344. 

  1344.             ldap_msgfree(searchResult);
    1345. 

  1345. 

  1346.             return true;
    1347. 

  1347.         }
    1348. 

  1348.         else
    1349. 

  1349.         {
    1350. 

  1350.             StringBuffer filter;
    1351. 

  1351.             const char* basedn = m_ldapconfig->getUserBasedn();
    1352. 

  1352.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1353. 

  1353.             {
    1354. 

  1354.                 filter.append("sAMAccountName=");
    1355. 

  1355.             }
    1356. 

  1356.             else
    1357. 

  1357.             {
    1358. 

  1358.                 filter.append("uid=");
    1359. 

  1359.                 if(stricmp(username, m_ldapconfig->getSysUser()) == 0)
    1360. 

  1360.                     basedn = m_ldapconfig->getSysUserBasedn();
    1361. 

  1361.             }
    1362. 

  1362. 

  1363.             filter.append(user.getName());
    1364. 

  1364. 

  1365.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    1366. 

  1366.             
    1367. 

  1367.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    1368. 

  1368.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1369. 

  1369. 

  1370.             char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", NULL};
    1371. 

  1371.             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult );
    1372. 

  1372. 

  1373.             if ( rc != LDAP_SUCCESS )
    1374. 

  1374.             {
    1375. 

  1375.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    1376. 

  1376.                 return false;
    1377. 

  1377.             }
    1378. 

  1378. 

  1379.             ((CLdapSecUser*)&user)->setPosixenabled(false);
    1380. 

  1380.             // Go through the search results by checking message types
    1381. 

  1381.             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    1382. 

  1382.             {
    1383. 

  1383.                 for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    1384. 

  1384.                     attribute != NULL; 
    1385. 

  1385.                     attribute = ldap_next_attribute( ld, searchResult,ber))
    1386. 

  1386.                 {
    1387. 

  1387.                     if(stricmp(attribute, "cn") == 0)
    1388. 

  1388.                     {
    1389. 

  1389.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1390. 

  1390.                         {
    1391. 

  1391.                             //set the FullName
    1392. 

  1392.                             if(values[0] != NULL)
    1393. 

  1393.                                 user.setFullName(values[0]);
    1394. 

  1394.                             ldap_value_free( values );
    1395. 

  1395.                         }
    1396. 

  1396.                     }
    1397. 

  1397.                     else if(stricmp(attribute, "givenName") == 0)
    1398. 

  1398.                     {
    1399. 

  1399.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1400. 

  1400.                         {
    1401. 

  1401.                             //set the firstname
    1402. 

  1402.                             if(values[0] != NULL)
    1403. 

  1403.                                 user.setFirstName(values[0]);
    1404. 

  1404.                             ldap_value_free( values );
    1405. 

  1405.                         }
    1406. 

  1406.                     }
    1407. 

  1407.                     else if(stricmp(attribute, "sn") == 0)
    1408. 

  1408.                     {
    1409. 

  1409.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1410. 

  1410.                         {
    1411. 

  1411.                             //set lastname
    1412. 

  1412.                             if(values[0] != NULL)
    1413. 

  1413.                                 user.setLastName(values[0]);
    1414. 

  1414.                             ldap_value_free( values );
    1415. 

  1415.                         }
    1416. 

  1416.                     }
    1417. 

  1417.                     else if(stricmp(attribute, "gidnumber") == 0)
    1418. 

  1418.                     {
    1419. 

  1419.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1420. 

  1420.                         {
    1421. 

  1421.                             if(values[0] != NULL)
    1422. 

  1422.                                 ((CLdapSecUser*)&user)->setGidnumber(values[0]);
    1423. 

  1423.                             ldap_value_free( values );
    1424. 

  1424.                         }
    1425. 

  1425.                     }
    1426. 

  1426.                     else if(stricmp(attribute, "uidnumber") == 0)
    1427. 

  1427.                     {
    1428. 

  1428.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1429. 

  1429.                         {
    1430. 

  1430.                             if(values[0] != NULL)
    1431. 

  1431.                                 ((CLdapSecUser*)&user)->setUidnumber(values[0]);
    1432. 

  1432.                             ldap_value_free( values );
    1433. 

  1433.                         }
    1434. 

  1434.                     }
    1435. 

  1435.                     else if(stricmp(attribute, "homedirectory") == 0)
    1436. 

  1436.                     {
    1437. 

  1437.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1438. 

  1438.                         {
    1439. 

  1439.                             if(values[0] != NULL)
    1440. 

  1440.                                 ((CLdapSecUser*)&user)->setHomedirectory(values[0]);
    1441. 

  1441.                             ldap_value_free( values );
    1442. 

  1442.                         }
    1443. 

  1443.                     }
    1444. 

  1444.                     else if(stricmp(attribute, "loginshell") == 0)
    1445. 

  1445.                     {
    1446. 

  1446.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1447. 

  1447.                         {
    1448. 

  1448.                             if(values[0] != NULL)
    1449. 

  1449.                                 ((CLdapSecUser*)&user)->setLoginshell(values[0]);
    1450. 

  1450.                             ldap_value_free( values );
    1451. 

  1451.                         }
    1452. 

  1452.                     }
    1453. 

  1453.                     else if(stricmp(attribute, "objectClass") == 0)
    1454. 

  1454.                     {
    1455. 

  1455.                         if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    1456. 

  1456.                         {
    1457. 

  1457.                             int valind = 0;
    1458. 

  1458.                             while(values[valind])
    1459. 

  1459.                             {
    1460. 

  1460.                                 if(values[valind] && stricmp(values[valind], "posixAccount") == 0)
    1461. 

  1461.                                 {
    1462. 

  1462.                                     ((CLdapSecUser*)&user)->setPosixenabled(true);
    1463. 

  1463.                                     break;
    1464. 

  1464.                                 }
    1465. 

  1465.                                 valind++;
    1466. 

  1466.                             }
    1467. 

  1467.                             ldap_value_free( values );
    1468. 

  1468.                         }
    1469. 

  1469.                     }
    1470. 

  1470.                 }
    1471. 

  1471.                 ber_free(ber, 0);
    1472. 

  1472.             }
    1473. 

  1473.             ldap_msgfree( searchResult );
    1474. 

  1474.             return true;
    1475. 

  1475.         }
    1476. 

  1476.     }
    1477. 

  1477. 

  1478.     ISecUser* lookupUser(unsigned uid)
    1479. 

  1479.     {
    1480. 

  1480.         StringBuffer sysuser;
    1481. 

  1481.         sysuser.append(m_ldapconfig->getSysUser());
    1482. 

  1482.         if(sysuser.length() == 0)
    1483. 

  1483.         {
    1484. 

  1484. #ifdef _WIN32
    1485. 

  1485.             char uname[128];
    1486. 

  1486.             unsigned long len = 128;
    1487. 

  1487.             int rc = GetUserName(uname, &len);
    1488. 

  1488.             if(rc != 0)
    1489. 

  1489.                 sysuser.append(len, uname);
    1490. 

  1490.             else
    1491. 

  1491.                 throw MakeStringException(-1, "Error getting current user's username, error code = %d", rc);
    1492. 

  1492. #else
    1493. 

  1493.             throw MakeStringException(-1, "systemUser not found in config");
    1494. 

  1494. #endif
    1495. 

  1495.         }
    1496. 

  1496.         
    1497. 

  1497.         MemoryBuffer usersidbuf;
    1498. 

  1498.         StringBuffer usersidstr;
    1499. 

  1499. 

  1500.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1501. 

  1501.         {
    1502. 

  1502.             if(m_pp != NULL)
    1503. 

  1503.                 m_pp->lookupSid(sysuser.str(), usersidbuf);
    1504. 

  1504.             if(usersidbuf.length() == 0)
    1505. 

  1505.             {
    1506. 

  1506.                 throw MakeStringException(-1, "system user %s's SID not found", sysuser.str());
    1507. 

  1507.             }
    1508. 

  1508. 

  1509.             int sidlen = usersidbuf.length();
    1510. 

  1510.             char* uidbuf = (char*)&uid;
    1511. 

  1511.             for(int i = 0; i < 4; i++)
    1512. 

  1512.             {
    1513. 

  1513.                 usersidbuf.writeDirect(sidlen -4 + i, 1, (uidbuf + 3 - i));
    1514. 

  1514.             }
    1515. 

  1515.             LdapUtils::bin2str(usersidbuf, usersidstr);
    1516. 

  1516.         }
    1517. 

  1517.         else
    1518. 

  1518.         {
    1519. 

  1519.             usersidbuf.append(uid);
    1520. 

  1520.         }
    1521. 

  1521. 

  1522.         char        *attribute, **values;       
    1523. 

  1523.         BerElement  *ber;
    1524. 

  1524.         LDAPMessage *searchResult, *message;
    1525. 

  1525. 

  1526.         StringBuffer filter;
    1527. 

  1527.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1528. 

  1528.         {
    1529. 

  1529.             filter.append("objectSid=").append(usersidstr.str());
    1530. 

  1530.         }
    1531. 

  1531.         else
    1532. 

  1532.         {
    1533. 

  1533.             filter.appendf("entryid=%d", uid);
    1534. 

  1534.         }
    1535. 

  1535. 

  1536.         TIMEVAL timeOut = {LDAPTIMEOUT,0}; 
    1537. 

  1537. 

  1538.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1539. 

  1539.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1540. 

  1540. 

  1541.         char* act_fieldname;
    1542. 

  1542.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1543. 

  1543.         {
    1544. 

  1544.             act_fieldname = "sAMAccountName";
    1545. 

  1545.         }
    1546. 

  1546.         else
    1547. 

  1547.         {
    1548. 

  1548.             act_fieldname = "uid";
    1549. 

  1549.         }
    1550. 

  1550.             
    1551. 

  1551.         char        *attrs[] = {"cn", act_fieldname, NULL};
    1552. 

  1552.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    1553. 

  1553. 

  1554.         if ( rc != LDAP_SUCCESS )
    1555. 

  1555.         {
    1556. 

  1556.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    1557. 

  1557.             return NULL;
    1558. 

  1558.         }
    1559. 

  1559. 

  1560.         if(ldap_count_entries(ld, searchResult) < 1)
    1561. 

  1561.         {
    1562. 

  1562.             DBGLOG("No entries are found for user with uid %0X", uid);
    1563. 

  1563.             return NULL;
    1564. 

  1564.         }
    1565. 

  1565. 

  1566.         CLdapSecUser* ldapuser = new CLdapSecUser("", "");
    1567. 

  1567. 

  1568.         // Go through the search results by checking message types
    1569. 

  1569.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    1570. 

  1570.         {
    1571. 

  1571.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    1572. 

  1572.                 attribute != NULL; 
    1573. 

  1573.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    1574. 

  1574.             {
    1575. 

  1575.                 if (( values = ldap_get_values( ld, message, attribute)) 
    1576. 

  1576.                     != NULL )
    1577. 

  1577.                 {
    1578. 

  1578.                     if(values[0] != NULL)
    1579. 

  1579.                     {
    1580. 

  1580.                         if(stricmp(attribute, "cn") == 0)
    1581. 

  1581.                             ldapuser->setFullName(values[0]);
    1582. 

  1582.                         else if(stricmp(attribute, act_fieldname) == 0)
    1583. 

  1583.                             ldapuser->setName(values[0]);
    1584. 

  1584.                     }
    1585. 

  1585.                     ldap_value_free( values );
    1586. 

  1586.                 }
    1587. 

  1587.             }
    1588. 

  1588.             ber_free(ber, 0);
    1589. 

  1589.         }
    1590. 

  1590.         ldap_msgfree( searchResult );
    1591. 

  1591.         
    1592. 

  1592.         ldapuser->setUserID(uid);
    1593. 

  1593.         ldapuser->setUserSid(usersidbuf.length(), usersidbuf.toByteArray());
    1594. 

  1594.         
    1595. 

  1595.         // Since we've got the SID for the user, cache it for later uses.
    1596. 

  1596.         MemoryBuffer mb;
    1597. 

  1597.         if(m_pp != NULL)
    1598. 

  1598.             m_pp->getCachedSid(ldapuser->getName(), mb);
    1599. 

  1599.         if(mb.length() == 0)
    1600. 

  1600.         {
    1601. 

  1601.             m_pp->cacheSid(ldapuser->getName(), usersidbuf.length(), usersidbuf.toByteArray());
    1602. 

  1602.         }
    1603. 

  1603. 

  1604.         return ldapuser;
    1605. 

  1605.     }
    1606. 

  1606. 

  1607.     bool lookupAccount(MemoryBuffer& sidbuf, StringBuffer& account_name, ACT_TYPE& act_type)
    1608. 

  1608.     {
    1609. 

  1609.         char        *attribute, **values;       
    1610. 

  1610.         BerElement  *ber;
    1611. 

  1611.         LDAPMessage *searchResult, *message;
    1612. 

  1612. 

  1613.         char* act_fieldname;
    1614. 

  1614. 

  1615.         StringBuffer filter;
    1616. 

  1616.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1617. 

  1617.         {
    1618. 

  1618.             act_fieldname = "sAMAccountName";
    1619. 

  1619.             StringBuffer usersidstr;
    1620. 

  1620.             LdapUtils::bin2str(sidbuf, usersidstr);
    1621. 

  1621.             filter.append("objectSid=").append(usersidstr.str());
    1622. 

  1622.         }
    1623. 

  1623.         else
    1624. 

  1624.         {
    1625. 

  1625.             unsigned* uid = (unsigned*)sidbuf.toByteArray();
    1626. 

  1626.             filter.appendf("entryid=%d", *uid);
    1627. 

  1627.             act_fieldname = "uid";
    1628. 

  1628.         }
    1629. 

  1629. 

  1630.         TIMEVAL timeOut = {LDAPTIMEOUT,0}; 
    1631. 

  1631. 

  1632.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1633. 

  1633.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1634. 

  1634.         
    1635. 

  1635.         char  *attrs[] = {"cn", act_fieldname, "objectClass", NULL};
    1636. 

  1636.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    1637. 

  1637. 

  1638.         if ( rc != LDAP_SUCCESS )
    1639. 

  1639.         {
    1640. 

  1640.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    1641. 

  1641.             return false;
    1642. 

  1642.         }
    1643. 

  1643. 

  1644.         if(ldap_count_entries(ld, searchResult) < 1)
    1645. 

  1645.         {
    1646. 

  1646.             rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getGroupBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult );
    1647. 

  1647.             if(ldap_count_entries(ld, searchResult) < 1)
    1648. 

  1648.             {
    1649. 

  1649.                 rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );
    1650. 

  1650.                 //DBGLOG("No entries are found");
    1651. 

  1651.                 return false;
    1652. 

  1652.             }
    1653. 

  1653.         }
    1654. 

  1654. 

  1655.         StringBuffer act_name;
    1656. 

  1656.         StringBuffer cnbuf;
    1657. 

  1657. 

  1658.         // Go through the search results by checking message types
    1659. 

  1659.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    1660. 

  1660.         {
    1661. 

  1661.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    1662. 

  1662.                 attribute != NULL; 
    1663. 

  1663.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    1664. 

  1664.             {
    1665. 

  1665.                 if (( values = ldap_get_values( ld, message, attribute)) 
    1666. 

  1666.                     != NULL )
    1667. 

  1667.                 {
    1668. 

  1668.                     if(stricmp(attribute, act_fieldname) == 0)
    1669. 

  1669.                     {
    1670. 

  1670.                         if(values[0] != NULL)
    1671. 

  1671.                         {
    1672. 

  1672.                             act_name.clear().append(values[0]);
    1673. 

  1673.                         }
    1674. 

  1674.                     }
    1675. 

  1675.                     else if(stricmp(attribute, "cn") == 0)
    1676. 

  1676.                     {
    1677. 

  1677.                         if(values[0] != NULL)
    1678. 

  1678.                         {
    1679. 

  1679.                             cnbuf.clear().append(values[0]);
    1680. 

  1680.                         }
    1681. 

  1681.                     }
    1682. 

  1682.                     else if(stricmp(attribute, "objectClass") == 0)
    1683. 

  1683.                     {
    1684. 

  1684.                         int i = 0;
    1685. 

  1685.                         while(values[i] != NULL)
    1686. 

  1686.                         {
    1687. 

  1687.                             if(stricmp(values[i], "person") == 0)
    1688. 

  1688.                                 act_type = USER_ACT;
    1689. 

  1689.                             if(stricmp(values[i], "group") == 0)
    1690. 

  1690.                                 act_type = GROUP_ACT;
    1691. 

  1691.                             i++;
    1692. 

  1692.                         }
    1693. 

  1693.                     }
    1694. 

  1694.                     ldap_value_free( values );
    1695. 

  1695.                 }
    1696. 

  1696.             }
    1697. 

  1697.             ber_free(ber, 0);
    1698. 

  1698.         }
    1699. 

  1699. 

  1700.         if(act_type == USER_ACT)
    1701. 

  1701.             account_name.append(act_name.str());
    1702. 

  1702.         else
    1703. 

  1703.             account_name.append(cnbuf.str());
    1704. 

  1704. 

  1705.         ldap_msgfree( searchResult );       
    1706. 

  1706.         return true;
    1707. 

  1707.     }
    1708. 

  1708. 

  1709.     virtual void lookupSid(const char* basedn, const char* filter, MemoryBuffer& act_sid)
    1710. 

  1710.     {
    1711. 

  1711.         char        *attribute;       
    1712. 

  1712.         struct berval** bvalues = NULL;
    1713. 

  1713.         BerElement  *ber;
    1714. 

  1714.         LDAPMessage *searchResult, *message;
    1715. 

  1715. 

  1716.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    1717. 

  1717. 

  1718.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1719. 

  1719.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1720. 

  1720. 

  1721.         char* fieldname;
    1722. 

  1722.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1723. 

  1723.             fieldname = "objectSid";
    1724. 

  1724.         else
    1725. 

  1725.             fieldname = "entryid";
    1726. 

  1726. 

  1727.         char        *attrs[] = {fieldname, NULL};
    1728. 

  1728.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter, attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );
    1729. 

  1729. 

  1730.         if ( rc != LDAP_SUCCESS )
    1731. 

  1731.         {
    1732. 

  1732.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter, basedn);
    1733. 

  1733.             return;
    1734. 

  1734.         }
    1735. 

  1735. 

  1736.         message = LdapFirstEntry( ld, searchResult);
    1737. 

  1737.         if(searchResult != NULL)
    1738. 

  1738.         {
    1739. 

  1739.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    1740. 

  1740.                 attribute != NULL; 
    1741. 

  1741.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    1742. 

  1742.             {
    1743. 

  1743.                 if(stricmp(attribute, fieldname) != 0)
    1744. 

  1744.                     continue;
    1745. 

  1745.                 if (( bvalues = ldap_get_values_len( ld, message, attribute)) != NULL )
    1746. 

  1746.                 {
    1747. 

  1747.                     struct berval* val = bvalues[0];
    1748. 

  1748.                     if(val != NULL)
    1749. 

  1749.                     {
    1750. 

  1750.                         int len = val->bv_len;
    1751. 

  1751.                         act_sid.append(val->bv_len, val->bv_val);
    1752. 

  1752.                     }
    1753. 

  1753.                     ldap_value_free_len(bvalues);
    1754. 

  1754.                     break;
    1755. 

  1755.                 }
    1756. 

  1756.             }
    1757. 

  1757.             ber_free(ber, 0);
    1758. 

  1758.             ldap_msgfree( searchResult );
    1759. 

  1759.         }
    1760. 

  1760.     }
    1761. 

  1761. 

  1762.     virtual void lookupSid(const char* act_name, MemoryBuffer& act_sid, ACT_TYPE act_type)
    1763. 

  1763.     {
    1764. 

  1764.         StringBuffer filter;
    1765. 

  1765.         const char* basedn;
    1766. 

  1766.         if(act_type == USER_ACT)
    1767. 

  1767.         {
    1768. 

  1768.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1769. 

  1769.                 filter.append("sAMAccountName=").append(act_name);
    1770. 

  1770.             else
    1771. 

  1771.                 filter.append("uid=").append(act_name);
    1772. 

  1772. 

  1773.             basedn = m_ldapconfig->getUserBasedn();
    1774. 

  1774.             lookupSid(basedn, filter.str(), act_sid);
    1775. 

  1775.             if(act_sid.length() == 0)
    1776. 

  1776.             {
    1777. 

  1777.                 StringBuffer basebuf;
    1778. 

  1778.                 if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1779. 

  1779.                     basebuf.append("cn=Users,").append(m_ldapconfig->getBasedn());
    1780. 

  1780.                 else if(stricmp(act_name, m_ldapconfig->getSysUser()) == 0)
    1781. 

  1781.                     basebuf.append(m_ldapconfig->getSysUserBasedn());
    1782. 

  1782.                 else
    1783. 

  1783.                     basebuf.append("ou=People,").append(m_ldapconfig->getBasedn());
    1784. 

  1784. 

  1785.                 lookupSid(basebuf.str(), filter.str(), act_sid);
    1786. 

  1786.             }
    1787. 

  1787.         }
    1788. 

  1788.         else
    1789. 

  1789.         {
    1790. 

  1790.             filter.append("cn=").append(act_name);
    1791. 

  1791.             basedn = m_ldapconfig->getGroupBasedn();
    1792. 

  1792.             lookupSid(basedn, filter.str(), act_sid);
    1793. 

  1793.             if(act_sid.length() == 0)
    1794. 

  1794.             {
    1795. 

  1795.                 StringBuffer basebuf;
    1796. 

  1796.                 basebuf.append("cn=Users,").append(m_ldapconfig->getBasedn());
    1797. 

  1797.                 lookupSid(basebuf.str(), filter.str(), act_sid);
    1798. 

  1798.                 if(act_sid.length() == 0)
    1799. 

  1799.                 {
    1800. 

  1800.                     basebuf.clear();
    1801. 

  1801.                     basebuf.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    1802. 

  1802.                     lookupSid(basebuf.str(), filter.str(), act_sid);
    1803. 

  1803.                 }
    1804. 

  1804.             }       
    1805. 

  1805.         }
    1806. 

  1806. 

  1807.     }
    1808. 

  1808. 

  1809.     virtual void setPermissionProcessor(IPermissionProcessor* pp)
    1810. 

  1810.     {
    1811. 

  1811.         m_pp = pp;
    1812. 

  1812.     }
    1813. 

  1813. 

  1814.     virtual bool retrieveUsers(IUserArray& users)
    1815. 

  1815.     {
    1816. 

  1816.         return retrieveUsers("", users);
    1817. 

  1817.     }
    1818. 

  1818. 

  1819.     virtual bool retrieveUsers(const char* searchstr, IUserArray& users)
    1820. 

  1820.     {
    1821. 

  1821.         char        *attribute, **values;       
    1822. 

  1822.         struct berval** bvalues = NULL;
    1823. 

  1823.         BerElement  *ber;
    1824. 

  1824.         LDAPMessage *searchResult, *message;
    1825. 

  1825. 

  1826.         StringBuffer filter;
    1827. 

  1827.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1828. 

  1828.             filter.append("objectClass=User");
    1829. 

  1829.         else
    1830. 

  1830.             filter.append("objectClass=inetorgperson");
    1831. 

  1831. 

  1832.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    1833. 

  1833. 

  1834.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1835. 

  1835.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1836. 

  1836. 

  1837.         char* act_fieldname;
    1838. 

  1838.         char* sid_fieldname;
    1839. 

  1839.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1840. 

  1840.         {
    1841. 

  1841.             act_fieldname = "sAMAccountName";
    1842. 

  1842.             sid_fieldname = "objectSid";
    1843. 

  1843.         }
    1844. 

  1844.         else
    1845. 

  1845.         {
    1846. 

  1846.             act_fieldname = "uid";
    1847. 

  1847.             sid_fieldname = "entryid";
    1848. 

  1848.         }
    1849. 

  1849. 

  1850.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    1851. 

  1851.         {
    1852. 

  1852.             filter.insert(0, "(&(");
    1853. 

  1853.             filter.appendf(")(|(%s=*%s*)(%s=*%s*)(%s=*%s*)))", act_fieldname, searchstr, "givenName", searchstr, "sn", searchstr);
    1854. 

  1854.         }
    1855. 

  1855. 

  1856.         char        *attrs[] = {act_fieldname, sid_fieldname, "cn", NULL};
    1857. 

  1857.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    1858. 

  1858. 

  1859.         if ( rc != LDAP_SUCCESS )
    1860. 

  1860.         {
    1861. 

  1861.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    1862. 

  1862.             return false;
    1863. 

  1863.         }
    1864. 

  1864. 

  1865. 

  1866.         // Go through the search results by checking message types
    1867. 

  1867.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    1868. 

  1868.         {
    1869. 

  1869.             Owned<ISecUser> user = new CLdapSecUser("", "");
    1870. 

  1870.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    1871. 

  1871.                 attribute != NULL; 
    1872. 

  1872.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    1873. 

  1873.             {
    1874. 

  1874.                 if(stricmp(attribute, "cn") == 0)
    1875. 

  1875.                 {
    1876. 

  1876.                     if (( values = ldap_get_values( ld, message, attribute)) 
    1877. 

  1877.                         != NULL )
    1878. 

  1878.                     {
    1879. 

  1879.                         //set the FullName
    1880. 

  1880.                         if(values[0] != NULL)
    1881. 

  1881.                             user->setFullName(values[0]);
    1882. 

  1882.                         ldap_value_free( values );
    1883. 

  1883.                     }
    1884. 

  1884.                 }
    1885. 

  1885.                 else if(stricmp(attribute, act_fieldname) == 0)
    1886. 

  1886.                 {
    1887. 

  1887.                     if (( values = ldap_get_values( ld, message, attribute)) 
    1888. 

  1888.                         != NULL )
    1889. 

  1889.                     {
    1890. 

  1890.                         //set the FullName
    1891. 

  1891.                         if(values[0] != NULL)
    1892. 

  1892.                             user->setName(values[0]);
    1893. 

  1893.                         ldap_value_free( values );
    1894. 

  1894.                     }
    1895. 

  1895.                 }
    1896. 

  1896.                 else if(stricmp(attribute, sid_fieldname) == 0)
    1897. 

  1897.                 {
    1898. 

  1898.                     if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1899. 

  1899.                     {
    1900. 

  1900.                         if (( bvalues = ldap_get_values_len( ld, message, attribute)) != NULL )
    1901. 

  1901.                         {
    1902. 

  1902.                             struct berval* val = bvalues[0];
    1903. 

  1903.                             if(val != NULL)
    1904. 

  1904.                             {
    1905. 

  1905.                                 unsigned uid = val->bv_val[val->bv_len - 4];
    1906. 

  1906.                                 int i;
    1907. 

  1907.                                 for(i = 3; i > 0; i--)
    1908. 

  1908.                                 {
    1909. 

  1909.                                     uid = (uid << 8) + val->bv_val[val->bv_len - i];
    1910. 

  1910.                                 }
    1911. 

  1911.                                 ((CLdapSecUser*)user.get())->setUserID(uid);
    1912. 

  1912.                             }
    1913. 

  1913.                             ldap_value_free_len(bvalues);
    1914. 

  1914.                         }
    1915. 

  1915.                     }
    1916. 

  1916.                     else
    1917. 

  1917.                     {
    1918. 

  1918.                         if (( values = ldap_get_values( ld, message, attribute)) 
    1919. 

  1919.                             != NULL )
    1920. 

  1920.                         {
    1921. 

  1921.                             //set the FullName
    1922. 

  1922.                             if(values[0] != NULL)
    1923. 

  1923.                                 ((CLdapSecUser*)user.get())->setUserID(atoi(values[0]));
    1924. 

  1924.                             ldap_value_free( values );
    1925. 

  1925.                         }
    1926. 

  1926.                     }
    1927. 

  1927.                 }
    1928. 

  1928.             }
    1929. 

  1929.             ber_free(ber, 0);
    1930. 

  1930.             users.append(*LINK(user.get()));
    1931. 

  1931.         }
    1932. 

  1932.         ldap_msgfree( searchResult );
    1933. 

  1933.         return true;
    1934. 

  1934.     }
    1935. 

  1935. 

  1936.     virtual bool userInGroup(const char* userdn, const char* groupdn)
    1937. 

  1937.     {
    1938. 

  1938.         const char* fldname;
    1939. 

  1939.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1940. 

  1940.             fldname = "member";
    1941. 

  1941.         else
    1942. 

  1942.             fldname = "uniquemember";
    1943. 

  1943. 

  1944.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1945. 

  1945.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1946. 

  1946. 

  1947.         int rc = ldap_compare_s(ld, (char*)groupdn, (char*)fldname, (char*)userdn);
    1948. 

  1948.         if(rc == LDAP_COMPARE_TRUE)
    1949. 

  1949.             return true;
    1950. 

  1950.         else
    1951. 

  1951.             return false;
    1952. 

  1952.     }
    1953. 

  1953. 

  1954.     // Update user's firstname, lastname (plus displayname for active directory).
    1955. 

  1955.     virtual bool updateUser(const char* type, ISecUser& user)
    1956. 

  1956.     {
    1957. 

  1957.         const char* username = user.getName();
    1958. 

  1958.         if(!username || !*username)
    1959. 

  1959.             return false;
    1960. 

  1960. 

  1961.         StringBuffer userdn;
    1962. 

  1962.         getUserDN(username, userdn);
    1963. 

  1963.         
    1964. 

  1964.         int rc = LDAP_SUCCESS;
    1965. 

  1965. 

  1966.         if(!type || !*type || stricmp(type, "names") == 0)
    1967. 

  1967.         {
    1968. 

  1968.             StringBuffer cnbuf;
    1969. 

  1969.             const char* fname = user.getFirstName();
    1970. 

  1970.             const char* lname = user.getLastName();
    1971. 

  1971.             if(fname && *fname && lname && *lname)
    1972. 

  1972.             {
    1973. 

  1973.                 cnbuf.append(fname).append(" ").append(lname);
    1974. 

  1974.             }
    1975. 

  1975.             else
    1976. 

  1976.                 throw MakeStringException(-1, "Please specify both firstname and lastname");
    1977. 

  1977. 

  1978.             char *gn_values[] = { (char*)fname, NULL };
    1979. 

  1979.             LDAPMod gn_attr = {
    1980. 

  1980.                 LDAP_MOD_REPLACE,
    1981. 

  1981.                 "givenName",
    1982. 

  1982.                 gn_values
    1983. 

  1983.             };
    1984. 

  1984. 

  1985.             char *sn_values[] = { (char*)lname, NULL };
    1986. 

  1986.             LDAPMod sn_attr = {
    1987. 

  1987.                 LDAP_MOD_REPLACE,
    1988. 

  1988.                 "sn",
    1989. 

  1989.                 sn_values
    1990. 

  1990.             };
    1991. 

  1991. 

  1992.             char *cn_values[] = {(char*)cnbuf.str(), NULL };
    1993. 

  1993.             LDAPMod cn_attr = 
    1994. 

  1994.             {
    1995. 

  1995.                 LDAP_MOD_REPLACE,
    1996. 

  1996.                 "cn",
    1997. 

  1997.                 cn_values
    1998. 

  1998.             };
    1999. 

  1999. 

  2000.             char *dispname_values[] = {(char*)cnbuf.str(), NULL };
    2001. 

  2001.             LDAPMod dispname_attr = 
    2002. 

  2002.             {
    2003. 

  2003.                 LDAP_MOD_REPLACE,
    2004. 

  2004.                 "displayName",
    2005. 

  2005.                 dispname_values
    2006. 

  2006.             };
    2007. 

  2007. 

  2008.             LDAPMod *attrs[4];
    2009. 

  2009.             int ind = 0;
    2010. 

  2010.         
    2011. 

  2011.             attrs[ind++] = &gn_attr;
    2012. 

  2012.             attrs[ind++] = &sn_attr;
    2013. 

  2013. 

  2014.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2015. 

  2015.             {
    2016. 

  2016.                 attrs[ind++] = &dispname_attr;
    2017. 

  2017.             }
    2018. 

  2018.             else
    2019. 

  2019.             {
    2020. 

  2020.                 attrs[ind++] = &cn_attr;
    2021. 

  2021.             }
    2022. 

  2022.             
    2023. 

  2023.             attrs[ind] = NULL;
    2024. 

  2024.             
    2025. 

  2025.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2026. 

  2026.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2027. 

  2027. 

  2028.             rc = ldap_modify_s(ld, (char*)userdn.str(), attrs);
    2029. 

  2029.             if (rc == LDAP_SUCCESS && m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2030. 

  2030.             {
    2031. 

  2031.                 StringBuffer newrdn("cn=");
    2032. 

  2032.                 newrdn.append(cnbuf.str());
    2033. 

  2033.                 rc = LdapRename(ld, (char*)userdn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    2034. 

  2034.             }
    2035. 

  2035.         }
    2036. 

  2036.         else if(stricmp(type, "posixenable") == 0)
    2037. 

  2037.         {
    2038. 

  2038.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2039. 

  2039.                 throw MakeStringException(-1, "posixAccount isn't applicable to Active Directory");
    2040. 

  2040. 

  2041.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2042. 

  2042. 

  2043.             char* oc_values[] = {"posixAccount", NULL};
    2044. 

  2044.             LDAPMod oc_attr = {
    2045. 

  2045.                 LDAP_MOD_ADD,
    2046. 

  2046.                 "objectclass",
    2047. 

  2047.                 oc_values
    2048. 

  2048.             };
    2049. 

  2049. 

  2050.             char* oc1_values[] = {"shadowAccount", NULL};
    2051. 

  2051.             LDAPMod oc1_attr = {
    2052. 

  2052.                 LDAP_MOD_ADD,
    2053. 

  2053.                 "objectclass",
    2054. 

  2054.                 oc1_values
    2055. 

  2055.             };
    2056. 

  2056. 

  2057.             char *gidnum_values[] = { (char*)ldapuser->getGidnumber(), NULL };
    2058. 

  2058.             LDAPMod gidnum_attr = {
    2059. 

  2059.                 LDAP_MOD_REPLACE,
    2060. 

  2060.                 "gidnumber",
    2061. 

  2061.                 gidnum_values
    2062. 

  2062.             };
    2063. 

  2063. 

  2064.             char *uidnum_values[] = { (char*)ldapuser->getUidnumber(), NULL };
    2065. 

  2065.             LDAPMod uidnum_attr = {
    2066. 

  2066.                 LDAP_MOD_REPLACE,
    2067. 

  2067.                 "uidnumber",
    2068. 

  2068.                 uidnum_values
    2069. 

  2069.             };
    2070. 

  2070. 

  2071.             char *homedir_values[] = {(char*)ldapuser->getHomedirectory(), NULL };
    2072. 

  2072.             LDAPMod homedir_attr = 
    2073. 

  2073.             {
    2074. 

  2074.                 LDAP_MOD_REPLACE,
    2075. 

  2075.                 "homedirectory",
    2076. 

  2076.                 homedir_values
    2077. 

  2077.             };
    2078. 

  2078. 

  2079.             char *loginshell_values[] = {(char*)ldapuser->getLoginshell(), NULL };
    2080. 

  2080.             LDAPMod loginshell_attr = 
    2081. 

  2081.             {
    2082. 

  2082.                 LDAP_MOD_REPLACE,
    2083. 

  2083.                 "loginshell",
    2084. 

  2084.                 loginshell_values
    2085. 

  2085.             };
    2086. 

  2086. 

  2087.             LDAPMod *attrs[7];
    2088. 

  2088.             int ind = 0;
    2089. 

  2089.         
    2090. 

  2090.             attrs[ind++] = &gidnum_attr;
    2091. 

  2091.             attrs[ind++] = &uidnum_attr;
    2092. 

  2092.             attrs[ind++] = &homedir_attr;
    2093. 

  2093.             attrs[ind++] = &loginshell_attr;
    2094. 

  2094.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2095. 

  2095.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2096. 

  2096.             int compresult = ldap_compare_s(ld, (char*)userdn.str(), (char*)"objectclass", (char*)"posixAccount");
    2097. 

  2097.             if(compresult != LDAP_COMPARE_TRUE)
    2098. 

  2098.                 attrs[ind++] = &oc_attr;
    2099. 

  2099.             compresult = ldap_compare_s(ld, (char*)userdn.str(), (char*)"objectclass", (char*)"shadowAccount");
    2100. 

  2100.             if(compresult != LDAP_COMPARE_TRUE)
    2101. 

  2101.                 attrs[ind++] = &oc1_attr;
    2102. 

  2102.             attrs[ind] = NULL;
    2103. 

  2103.             rc = ldap_modify_s(ld, (char*)userdn.str(), attrs);
    2104. 

  2104.         }
    2105. 

  2105.         else if(stricmp(type, "posixdisable") == 0)
    2106. 

  2106.         {
    2107. 

  2107.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2108. 

  2108.                 throw MakeStringException(-1, "posixAccount isn't applicable to Active Directory");
    2109. 

  2109. 

  2110.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2111. 

  2111.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2112. 

  2112.             int compresult = ldap_compare_s(ld, (char*)userdn.str(), (char*)"objectclass", (char*)"posixAccount");
    2113. 

  2113.             if(compresult != LDAP_COMPARE_TRUE)
    2114. 

  2114.             {
    2115. 

  2115.                 rc = LDAP_SUCCESS;
    2116. 

  2116.             }
    2117. 

  2117.             else
    2118. 

  2118.             {
    2119. 

  2119. 

  2120.                 CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2121. 

  2121. 

  2122.                 char* oc_values[] = {"posixAccount", NULL};
    2123. 

  2123.                 LDAPMod oc_attr = {
    2124. 

  2124.                     LDAP_MOD_DELETE,
    2125. 

  2125.                     "objectclass",
    2126. 

  2126.                     oc_values
    2127. 

  2127.                 };
    2128. 

  2128. 

  2129.                 char* oc1_values[] = {"shadowAccount", NULL};
    2130. 

  2130.                 LDAPMod oc1_attr = {
    2131. 

  2131.                     LDAP_MOD_DELETE,
    2132. 

  2132.                     "objectclass",
    2133. 

  2133.                     oc1_values
    2134. 

  2134.                 };
    2135. 

  2135. 

  2136.                 char *gidnum_values[] = { NULL };
    2137. 

  2137.                 LDAPMod gidnum_attr = {
    2138. 

  2138.                     LDAP_MOD_DELETE,
    2139. 

  2139.                     "gidnumber",
    2140. 

  2140.                     gidnum_values
    2141. 

  2141.                 };
    2142. 

  2142. 

  2143.                 char *uidnum_values[] = {NULL };
    2144. 

  2144.                 LDAPMod uidnum_attr = {
    2145. 

  2145.                     LDAP_MOD_DELETE,
    2146. 

  2146.                     "uidnumber",
    2147. 

  2147.                     uidnum_values
    2148. 

  2148.                 };
    2149. 

  2149. 

  2150.                 char *homedir_values[] = { NULL };
    2151. 

  2151.                 LDAPMod homedir_attr = 
    2152. 

  2152.                 {
    2153. 

  2153.                     LDAP_MOD_DELETE,
    2154. 

  2154.                     "homedirectory",
    2155. 

  2155.                     homedir_values
    2156. 

  2156.                 };
    2157. 

  2157. 

  2158.                 char *loginshell_values[] = { NULL };
    2159. 

  2159.                 LDAPMod loginshell_attr = 
    2160. 

  2160.                 {
    2161. 

  2161.                     LDAP_MOD_DELETE,
    2162. 

  2162.                     "loginshell",
    2163. 

  2163.                     loginshell_values
    2164. 

  2164.                 };
    2165. 

  2165. 

  2166.                 LDAPMod *attrs[7];
    2167. 

  2167.                 int ind = 0;
    2168. 

  2168.             
    2169. 

  2169.                 attrs[ind++] = &gidnum_attr;
    2170. 

  2170.                 attrs[ind++] = &uidnum_attr;
    2171. 

  2171.                 attrs[ind++] = &homedir_attr;
    2172. 

  2172.                 attrs[ind++] = &loginshell_attr;
    2173. 

  2173.                 attrs[ind++] = &oc_attr;
    2174. 

  2174.                 attrs[ind++] = &oc1_attr;
    2175. 

  2175.                 attrs[ind] = NULL;
    2176. 

  2176. 

  2177.                 rc = ldap_modify_s(ld, (char*)userdn.str(), attrs);
    2178. 

  2178.             }
    2179. 

  2179.         }
    2180. 

  2180.         else if(stricmp(type, "sudoersadd") == 0)
    2181. 

  2181.         {
    2182. 

  2182.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2183. 

  2183. 

  2184.             char *cn_values[] = {(char*)username, NULL };
    2185. 

  2185.             LDAPMod cn_attr = 
    2186. 

  2186.             {
    2187. 

  2187.                 LDAP_MOD_ADD,
    2188. 

  2188.                 "cn",
    2189. 

  2189.                 cn_values
    2190. 

  2190.             };
    2191. 

  2191. 

  2192.             char *oc_values[] = {"sudoRole", NULL };
    2193. 

  2193.             LDAPMod oc_attr =
    2194. 

  2194.             {
    2195. 

  2195.                 LDAP_MOD_ADD,
    2196. 

  2196.                 "objectClass",
    2197. 

  2197.                 oc_values
    2198. 

  2198.             };
    2199. 

  2199. 

  2200.             char *user_values[] = {(char*)username, NULL };
    2201. 

  2201.             LDAPMod user_attr = 
    2202. 

  2202.             {
    2203. 

  2203.                 LDAP_MOD_ADD,
    2204. 

  2204.                 "sudoUser",
    2205. 

  2205.                 user_values
    2206. 

  2206.             };
    2207. 

  2207. 

  2208.             char* sudoHost = (char*)ldapuser->getSudoHost();
    2209. 

  2209.             char* sudoCommand = (char*)ldapuser->getSudoCommand();
    2210. 

  2210.             char* sudoOption = (char*)ldapuser->getSudoOption();
    2211. 

  2211. 

  2212.             char *host_values[] = {sudoHost, NULL };
    2213. 

  2213.             LDAPMod host_attr = 
    2214. 

  2214.             {
    2215. 

  2215.                 LDAP_MOD_ADD,
    2216. 

  2216.                 "sudoHost",
    2217. 

  2217.                 host_values
    2218. 

  2218.             };
    2219. 

  2219.             char *cmd_values[] = {sudoCommand, NULL };
    2220. 

  2220.             LDAPMod cmd_attr = 
    2221. 

  2221.             {
    2222. 

  2222.                 LDAP_MOD_ADD,
    2223. 

  2223.                 "sudoCommand",
    2224. 

  2224.                 cmd_values
    2225. 

  2225.             };
    2226. 

  2226.             char *option_values[] = {sudoOption, NULL };
    2227. 

  2227.             LDAPMod option_attr = 
    2228. 

  2228.             {
    2229. 

  2229.                 LDAP_MOD_ADD,
    2230. 

  2230.                 "sudoOption",
    2231. 

  2231.                 option_values
    2232. 

  2232.             };
    2233. 

  2233. 

  2234.             LDAPMod *attrs[8];
    2235. 

  2235.             int ind = 0;
    2236. 

  2236.             
    2237. 

  2237.             attrs[ind++] = &cn_attr;
    2238. 

  2238.             attrs[ind++] = &oc_attr;
    2239. 

  2239.             attrs[ind++] = &user_attr;
    2240. 

  2240.             if(sudoHost && *sudoHost)
    2241. 

  2241.                 attrs[ind++] = &host_attr;
    2242. 

  2242.             if(sudoCommand && *sudoCommand)
    2243. 

  2243.                 attrs[ind++] = &cmd_attr;
    2244. 

  2244.             if(sudoOption && *sudoOption)
    2245. 

  2245.                 attrs[ind++] = &option_attr;
    2246. 

  2246. 

  2247.             attrs[ind] = NULL;
    2248. 

  2248. 

  2249.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2250. 

  2250.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2251. 

  2251.             StringBuffer dn;
    2252. 

  2252.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    2253. 

  2253.             int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    2254. 

  2254.             if ( rc != LDAP_SUCCESS )
    2255. 

  2255.             {
    2256. 

  2256.                 if(rc == LDAP_ALREADY_EXISTS)
    2257. 

  2257.                 {
    2258. 

  2258.                     throw MakeStringException(-1, "can't add %s to sudoers, already exists", username);
    2259. 

  2259.                 }
    2260. 

  2260.                 else
    2261. 

  2261.                 {
    2262. 

  2262.                     DBGLOG("error adding %s to sudoers: %s", username, ldap_err2string( rc ));
    2263. 

  2263.                     throw MakeStringException(-1, "error adding %s to sudoers: %s", username, ldap_err2string( rc ));
    2264. 

  2264.                 }
    2265. 

  2265.             }
    2266. 

  2266.         }
    2267. 

  2267.         else if(stricmp(type, "sudoersdelete") == 0)
    2268. 

  2268.         {
    2269. 

  2269.             StringBuffer dn;
    2270. 

  2270.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    2271. 

  2271. 

  2272.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2273. 

  2273.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2274. 

  2274.             
    2275. 

  2275.             int rc = ldap_delete_s(ld, (char*)dn.str());
    2276. 

  2276. 

  2277.             if ( rc != LDAP_SUCCESS )
    2278. 

  2278.             {
    2279. 

  2279.                 throw MakeStringException(-1, "Error deleting user %s from sudoers: %s", username, ldap_err2string(rc));
    2280. 

  2280.             }
    2281. 

  2281.         }
    2282. 

  2282.         else if(stricmp(type, "sudoersupdate") == 0)
    2283. 

  2283.         {
    2284. 

  2284.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2285. 

  2285.             
    2286. 

  2286.             char* sudoHost = (char*)ldapuser->getSudoHost();
    2287. 

  2287.             char* sudoCommand = (char*)ldapuser->getSudoCommand();
    2288. 

  2288.             char* sudoOption = (char*)ldapuser->getSudoOption();
    2289. 

  2289. 

  2290.             char *host_values[] = {(sudoHost&&*sudoHost)?sudoHost:NULL, NULL };
    2291. 

  2291.             LDAPMod host_attr = 
    2292. 

  2292.             {
    2293. 

  2293.                 LDAP_MOD_REPLACE,
    2294. 

  2294.                 "sudoHost",
    2295. 

  2295.                 host_values
    2296. 

  2296.             };
    2297. 

  2297.             
    2298. 

  2298.             char *cmd_values[] = {(sudoCommand&&*sudoCommand)?sudoCommand:NULL, NULL };
    2299. 

  2299.             LDAPMod cmd_attr = 
    2300. 

  2300.             {
    2301. 

  2301.                 LDAP_MOD_REPLACE,
    2302. 

  2302.                 "sudoCommand",
    2303. 

  2303.                 cmd_values
    2304. 

  2304.             };
    2305. 

  2305.             
    2306. 

  2306.             char *option_values[] = {(sudoOption&&*sudoOption)?sudoOption:NULL, NULL };
    2307. 

  2307.             LDAPMod option_attr = 
    2308. 

  2308.             {
    2309. 

  2309.                 LDAP_MOD_REPLACE,
    2310. 

  2310.                 "sudoOption",
    2311. 

  2311.                 option_values
    2312. 

  2312.             };
    2313. 

  2313. 

  2314.             LDAPMod *attrs[4];
    2315. 

  2315.             int ind = 0;
    2316. 

  2316.             
    2317. 

  2317.             attrs[ind++] = &host_attr;
    2318. 

  2318.             attrs[ind++] = &cmd_attr;
    2319. 

  2319.             attrs[ind++] = &option_attr;
    2320. 

  2320. 

  2321.             attrs[ind] = NULL;
    2322. 

  2322. 

  2323.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2324. 

  2324.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2325. 

  2325.             StringBuffer dn;
    2326. 

  2326.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    2327. 

  2327.             int rc = ldap_modify_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    2328. 

  2328.             if ( rc != LDAP_SUCCESS )
    2329. 

  2329.             {
    2330. 

  2330.                 DBGLOG("error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
    2331. 

  2331.                 throw MakeStringException(-1, "error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
    2332. 

  2332.             }
    2333. 

  2333.         }
    2334. 

  2334. 

  2335.         if (rc == LDAP_SUCCESS )
    2336. 

  2336.             DBGLOG("User %s successfully updated", username);
    2337. 

  2337.         else
    2338. 

  2338.             throw MakeStringException(-1, "Error updating user %s - %s", username, ldap_err2string( rc ));
    2339. 

  2339. 

  2340.         return true;
    2341. 

  2341.     }
    2342. 

  2342. 

  2343.     virtual bool changePasswordSSL(const char* username, const char* newPassword)
    2344. 

  2344.     {
    2345. 

  2345.         Owned<ILdapConnection> lconn;
    2346. 

  2346.         try
    2347. 

  2347.         {
    2348. 

  2348.             lconn.setown(m_connections->getSSLConnection());
    2349. 

  2349.         }
    2350. 

  2350.         catch(IException*)
    2351. 

  2351.         {
    2352. 

  2352.             throw MakeStringException(-1, "Failed to set user %s's password because of not being able to create an SSL conenction to the ldap server. To set an Active Directory user's password from Linux, you need to enable SSL on the Active Directory ldap server", username);
    2353. 

  2353.         }
    2354. 

  2354. 

  2355.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2356. 

  2356. 

  2357.         char        *attribute, **values = NULL;       
    2358. 

  2358.         BerElement  *ber;
    2359. 

  2359.         LDAPMessage *searchResult, *message;
    2360. 

  2360. 

  2361.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2362. 

  2362. 

  2363.         StringBuffer filter;
    2364. 

  2364.         filter.append("sAMAccountName=").append(username);
    2365. 

  2365. 

  2366.         char        *attrs[] = {"cn", NULL};
    2367. 

  2367.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    2368. 

  2368. 

  2369.         if ( rc != LDAP_SUCCESS )
    2370. 

  2370.         {
    2371. 

  2371.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2372. 

  2372.             return false;
    2373. 

  2373.         }
    2374. 

  2374. 

  2375.         StringBuffer userdn;
    2376. 

  2376.         message = LdapFirstEntry( ld, searchResult);
    2377. 

  2377.         if(searchResult != NULL)
    2378. 

  2378.         {
    2379. 

  2379.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    2380. 

  2380.                 attribute != NULL; 
    2381. 

  2381.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    2382. 

  2382.             {
    2383. 

  2383.                 if(stricmp(attribute, "cn") != 0)
    2384. 

  2384.                     continue;
    2385. 

  2385.                 if (( values = ldap_get_values( ld, message, attribute))  != NULL )
    2386. 

  2386.                 {
    2387. 

  2387.                     char* val = values[0];
    2388. 

  2388.                     userdn.append("cn=").append(val).append(",").append(m_ldapconfig->getUserBasedn());
    2389. 

  2389.                     ldap_value_free( values );
    2390. 

  2390.                     break;
    2391. 

  2391.                 }
    2392. 

  2392.             }
    2393. 

  2393.             ber_free(ber, 0);
    2394. 

  2394.             ldap_msgfree( searchResult );
    2395. 

  2395.         }
    2396. 

  2396. 

  2397.         if(userdn.length() == 0)
    2398. 

  2398.         {
    2399. 

  2399.             throw MakeStringException(-1, "can't find dn for user %s", username);
    2400. 

  2400.         }
    2401. 

  2401. 

  2402.         LDAPMod modPassword;
    2403. 

  2403.         LDAPMod *modEntry[2];
    2404. 

  2404.         struct berval pwdBerVal;
    2405. 

  2405.         struct berval *pwd_attr[2];
    2406. 

  2406.         unsigned short pszPasswordWithQuotes[1024];
    2407. 

  2407. 

  2408.         modEntry[0] = &modPassword;
    2409. 

  2409.         modEntry[1] = NULL;
    2410. 

  2410. 

  2411.         modPassword.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    2412. 

  2412.         modPassword.mod_type =  "unicodePwd";
    2413. 

  2413.         modPassword.mod_vals.modv_bvals = pwd_attr;
    2414. 

  2414. 

  2415.         pwd_attr[0] = &pwdBerVal;
    2416. 

  2416.         pwd_attr[1]= NULL;
    2417. 

  2417. 

  2418.         StringBuffer quotedPasswd("\"");
    2419. 

  2419.         quotedPasswd.append(newPassword).append("\"");
    2420. 

  2420.         ConvertCToW(pszPasswordWithQuotes, quotedPasswd);
    2421. 

  2421. 

  2422.         pwdBerVal.bv_len = quotedPasswd.length() * sizeof(unsigned short);
    2423. 

  2423.         pwdBerVal.bv_val = (char*)pszPasswordWithQuotes;
    2424. 

  2424. 

  2425.         rc = ldap_modify_s(ld, (char*)userdn.str(), modEntry);
    2426. 

  2426. 

  2427.         if (rc == LDAP_SUCCESS )
    2428. 

  2428.             DBGLOG("User %s's password has been changed successfully", username);
    2429. 

  2429.         else
    2430. 

  2430.         {
    2431. 

  2431.             StringBuffer errmsg;
    2432. 

  2432.             errmsg.appendf("Error setting password for %s - (%d) %s.", username, rc, ldap_err2string( rc ));
    2433. 

  2433.             if(rc == LDAP_UNWILLING_TO_PERFORM)
    2434. 

  2434.                 errmsg.append(" The ldap server refused to execute the password change action, one of the reasons might be that the new password you entered doesn't satisfy the policy requirement.");
    2435. 

  2435. 

  2436.             throw MakeStringException(-1, "%s", errmsg.str());
    2437. 

  2437.         }
    2438. 

  2438. 

  2439.         return true;
    2440. 

  2440.     }
    2441. 

  2441. 

  2442.     virtual bool updateUser(ISecUser& user, const char* newPassword)
    2443. 

  2443.     {
    2444. 

  2444.         const char* username = user.getName();
    2445. 

  2445.         if(!username || !*username)
    2446. 

  2446.             return false;
    2447. 

  2447.         return updateUser(username, newPassword);
    2448. 

  2448.     }
    2449. 

  2449. 

  2450.     virtual bool updateUser(const char* username, const char* newPassword)
    2451. 

  2451.     {
    2452. 

  2452.         if(!username || !*username)
    2453. 

  2453.             return false;
    2454. 

  2454.         
    2455. 

  2455.         const char* sysuser = m_ldapconfig->getSysUser();
    2456. 

  2456.         if(sysuser && *sysuser && strcmp(username, sysuser) == 0)
    2457. 

  2457.             throw MakeStringException(-1, "You can't change password of the system user.");
    2458. 

  2458. 

  2459.         LdapServerType servertype = m_ldapconfig->getServerType();
    2460. 

  2460.         bool ret = true;
    2461. 

  2461.         if(servertype == ACTIVE_DIRECTORY)
    2462. 

  2462.         {
    2463. 

  2463. #ifdef _WIN32
    2464. 

  2464.             DWORD nStatus = 0;
    2465. 

  2465.             // The application has to run on the same domain as ldap host, and under an administrative user.
    2466. 

  2466.             USER_INFO_1003 usriSetPassword;
    2467. 

  2467.             StringBuffer fullserver("\\\\");
    2468. 

  2468.             StringBuffer server;
    2469. 

  2469.             m_ldapconfig->getLdapHost(server);
    2470. 

  2470.             fullserver.append(server.str());
    2471. 

  2471.             LPWSTR whost = (LPWSTR)alloca((fullserver.length() +1) * sizeof(WCHAR));
    2472. 

  2472.             ConvertCToW(whost, fullserver.str());
    2473. 

  2473. 

  2474.             LPWSTR wusername = (LPWSTR)alloca((strlen(username) + 1) * sizeof(WCHAR));
    2475. 

  2475.             ConvertCToW(wusername, username);
    2476. 

  2476.             LPWSTR wnewpasswd = (LPWSTR)alloca((strlen(newPassword) + 1) * sizeof(WCHAR));
    2477. 

  2477.             ConvertCToW(wnewpasswd, newPassword);
    2478. 

  2478.             usriSetPassword.usri1003_password  = wnewpasswd;
    2479. 

  2479.             nStatus = NetUserSetInfo(whost, wusername,  1003, (LPBYTE)&usriSetPassword, NULL);
    2480. 

  2480. 

  2481.             if (nStatus == NERR_Success)
    2482. 

  2482.             {
    2483. 

  2483.                 DBGLOG("User %s's password has been changed successfully", username);
    2484. 

  2484.                 return true;
    2485. 

  2485.             }
    2486. 

  2486.             else
    2487. 

  2487.             {
    2488. 

  2488.                 StringBuffer errcode, errmsg;
    2489. 

  2489. 

  2490.                 if(nStatus == ERROR_ACCESS_DENIED)
    2491. 

  2491.                 {
    2492. 

  2492.                     errcode.append("ERROR_ACCESS_DENIED");
    2493. 

  2493.                     errmsg.append("The user does not have access to the requested information.");
    2494. 

  2494.                 }
    2495. 

  2495.                 else if(nStatus == ERROR_INVALID_PASSWORD)
    2496. 

  2496.                 {
    2497. 

  2497.                     errcode.append("ERROR_INVALID_PASSWORD");
    2498. 

  2498.                     errmsg.append("The user has entered an invalid password.");
    2499. 

  2499.                 }
    2500. 

  2500.                 else if(nStatus == NERR_InvalidComputer)
    2501. 

  2501.                 {
    2502. 

  2502.                     errcode.append("NERR_InvalidComputer");
    2503. 

  2503.                     errmsg.append("The computer name is invalid.");
    2504. 

  2504.                 }
    2505. 

  2505.                 else if(nStatus == NERR_NotPrimary)
    2506. 

  2506.                 {
    2507. 

  2507.                     errcode.append("NERR_NotPrimary");
    2508. 

  2508.                     errmsg.append("The operation is allowed only on the primary domain controller of the domain.");
    2509. 

  2509.                 }
    2510. 

  2510.                 else if(nStatus == NERR_UserNotFound)
    2511. 

  2511.                 {
    2512. 

  2512.                     errcode.append("NERR_UserNotFound");
    2513. 

  2513.                     errmsg.append("The user name could not be found.");
    2514. 

  2514.                 }
    2515. 

  2515.                 else if(nStatus == NERR_PasswordTooShort)
    2516. 

  2516.                 {
    2517. 

  2517.                     errcode.append("NERR_PasswordTooShort");
    2518. 

  2518.                     errmsg.append("The password is shorter than required. ");
    2519. 

  2519.                 }
    2520. 

  2520.                 else if(nStatus == ERROR_LOGON_FAILURE)
    2521. 

  2521.                 {
    2522. 

  2522.                     errcode.append("ERROR_LOGON_FAILURE");
    2523. 

  2523.                     errmsg.append("To be able to reset password this way, esp has to run under an administrative user on the same domain as the active directory. ");
    2524. 

  2524.                 }
    2525. 

  2525.                 else
    2526. 

  2526.                 {
    2527. 

  2527.                     errcode.appendf("%d", nStatus);
    2528. 

  2528.                     errmsg.append("");
    2529. 

  2529.                 }
    2530. 

  2530.                 // For certain errors just return, other errors try changePasswordSSL.
    2531. 

  2531.                 if(nStatus == ERROR_INVALID_PASSWORD || nStatus == NERR_UserNotFound || nStatus == NERR_PasswordTooShort)
    2532. 

  2532.                     throw MakeStringException(-1, "An error has occurred while setting password with NetUserSetInfo for %s: %s - %s\n", username, errcode.str(), errmsg.str());
    2533. 

  2533.                 else
    2534. 

  2534.                     DBGLOG("An error has occurred while setting password with NetUserSetInfo for %s: %s - %s\n", username, errcode.str(), errmsg.str());
    2535. 

  2535.             }
    2536. 

  2536.             DBGLOG("Trying changePasswordSSL to change password over regular SSL connection.");
    2537. 

  2537. #endif
    2538. 

  2538.             changePasswordSSL(username, newPassword);
    2539. 

  2539.         }
    2540. 

  2540.         else 
    2541. 

  2541.         {
    2542. 

  2542.             StringBuffer filter;
    2543. 

  2543.             filter.append("uid=").append(username);
    2544. 

  2544. 

  2545.             char        **values = NULL;       
    2546. 

  2546.             LDAPMessage *searchResult, *message;
    2547. 

  2547. 

  2548.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2549. 

  2549. 

  2550.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2551. 

  2551.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2552. 

  2552. 

  2553.             char        *attrs[] = {LDAP_NO_ATTRS, NULL};
    2554. 

  2554.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    2555. 

  2555. 

  2556.             if ( rc != LDAP_SUCCESS )
    2557. 

  2557.             {
    2558. 

  2558.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2559. 

  2559.                 return false;
    2560. 

  2560.             }
    2561. 

  2561. 

  2562.             StringBuffer userdn;
    2563. 

  2563.             message = LdapFirstEntry( ld, searchResult);
    2564. 

  2564.             if(message != NULL)
    2565. 

  2565.                 userdn.append(ldap_get_dn(ld, message));
    2566. 

  2566.             
    2567. 

  2567.             ldap_msgfree( searchResult );
    2568. 

  2568. 

  2569.             char* passwdvalue[] = { (char*)newPassword, NULL };
    2570. 

  2570.             LDAPMod pmod = 
    2571. 

  2571.             {
    2572. 

  2572.                 LDAP_MOD_REPLACE,
    2573. 

  2573.                 "userpassword", 
    2574. 

  2574.                 passwdvalue
    2575. 

  2575.             };
    2576. 

  2576. 

  2577.             LDAPMod* pmods[] = {&pmod, NULL};
    2578. 

  2578.             rc = ldap_modify_s(ld, (char*)userdn.str(), pmods);
    2579. 

  2579. 

  2580.             if (rc == LDAP_SUCCESS )
    2581. 

  2581.                 DBGLOG("User %s's password has been changed successfully", username);
    2582. 

  2582.             else
    2583. 

  2583.             {
    2584. 

  2584.                 StringBuffer errmsg;
    2585. 

  2585.                 errmsg.appendf("Error changing password for %s - (%d) %s.", username, rc, ldap_err2string( rc ));
    2586. 

  2586.                 if(rc == LDAP_UNWILLING_TO_PERFORM)
    2587. 

  2587.                     errmsg.append(" The ldap server refused to execute the password change action, one of the reasons might be that the new password you entered doesn't satisfy the policy requirement.");
    2588. 

  2588. 

  2589.                 throw MakeStringException(-1, "%s", errmsg.str());
    2590. 

  2590.             }
    2591. 

  2591.         }
    2592. 

  2592.         return true;
    2593. 

  2593.     }
    2594. 

  2594. 

  2595.     virtual bool getResources(SecResourceType rtype, const char * basedn, const char* prefix, IArrayOf<ISecResource>& resources)
    2596. 

  2596.     {
    2597. 

  2597.         char        *attribute, **values;       
    2598. 

  2598.         struct berval** bvalues = NULL;
    2599. 

  2599.         BerElement  *ber;
    2600. 

  2600.         LDAPMessage *searchResult, *message;
    2601. 

  2601. 

  2602.         StringBuffer basednbuf;
    2603. 

  2603.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    2604. 

  2604.         StringBuffer filter("objectClass=*");
    2605. 

  2605. 

  2606.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2607. 

  2607. 

  2608.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2609. 

  2609.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2610. 

  2610. 

  2611.         const char* fldname;
    2612. 

  2612.         LdapServerType servertype = m_ldapconfig->getServerType();
    2613. 

  2613.         if(servertype == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    2614. 

  2614.             fldname = "name";
    2615. 

  2615.         else
    2616. 

  2616.             fldname = "ou";
    2617. 

  2617.         char        *attrs[] = {(char*)fldname, "description", NULL};
    2618. 

  2618.         int rc = ldap_search_ext_s(ld, (char*)basednbuf.str(), LDAP_SCOPE_ONELEVEL, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );
    2619. 

  2619. 

  2620.         if ( rc != LDAP_SUCCESS )
    2621. 

  2621.         {
    2622. 

  2622.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basednbuf.str());
    2623. 

  2623.             return false;
    2624. 

  2624.         }
    2625. 

  2625. 

  2626.         // Go through the search results by checking message types
    2627. 

  2627.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2628. 

  2628.         {
    2629. 

  2629.             StringBuffer descbuf;
    2630. 

  2630.             StringBuffer curname;
    2631. 

  2631.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    2632. 

  2632.                 attribute != NULL; 
    2633. 

  2633.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    2634. 

  2634.             {
    2635. 

  2635.                 if (( values = ldap_get_values( ld, message, attribute)) 
    2636. 

  2636.                     != NULL )
    2637. 

  2637.                 {
    2638. 

  2638.                     char* val = values[0];
    2639. 

  2639.                     if(val != NULL)
    2640. 

  2640.                     {
    2641. 

  2641.                         if(stricmp(attribute, fldname) == 0)
    2642. 

  2642.                         {
    2643. 

  2643.                             curname.append(val);
    2644. 

  2644.                         }
    2645. 

  2645.                         else if(stricmp(attribute, "description") == 0)
    2646. 

  2646.                         {
    2647. 

  2647.                             descbuf.append(val);
    2648. 

  2648.                         }
    2649. 

  2649.                     }
    2650. 

  2650.                     ldap_value_free( values );
    2651. 

  2651.                 }
    2652. 

  2652. 

  2653.             }
    2654. 

  2654. 

  2655.             if(curname.length() == 0)
    2656. 

  2656.                 continue;
    2657. 

  2657.             StringBuffer resourcename;
    2658. 

  2658.             if(prefix != NULL && *prefix != '\0')
    2659. 

  2659.                 resourcename.append(prefix);
    2660. 

  2660.             resourcename.append(curname.str());
    2661. 

  2661.             CLdapSecResource* resource = new CLdapSecResource(resourcename.str());
    2662. 

  2662.             resource->setDescription(descbuf.str());
    2663. 

  2663.             resources.append(*resource);
    2664. 

  2664.             if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    2665. 

  2665.             {
    2666. 

  2666.                 StringBuffer nextbasedn;
    2667. 

  2667.                 nextbasedn.append("ou=").append(curname.str()).append(",").append(basedn);
    2668. 

  2668.                 StringBuffer nextprefix;
    2669. 

  2669.                 if(prefix != NULL && *prefix != '\0')
    2670. 

  2670.                     nextprefix.append(prefix);
    2671. 

  2671.                 nextprefix.append(curname.str()).append("::");
    2672. 

  2672.                 getResources(rtype, nextbasedn.str(), nextprefix.str(), resources);
    2673. 

  2673.             }
    2674. 

  2674.             ber_free(ber, 0);
    2675. 

  2675.         }
    2676. 

  2676.         ldap_msgfree( searchResult );
    2677. 

  2677.         return true;
    2678. 

  2678.     }
    2679. 

  2679. 

  2680.     virtual bool getResourcesEx(SecResourceType rtype, const char * basedn, const char* prefix, const char* searchstr, IArrayOf<ISecResource>& resources)
    2681. 

  2681.     {
    2682. 

  2682.         char        *attribute, **values;       
    2683. 

  2683.         struct berval** bvalues = NULL;
    2684. 

  2684.         BerElement  *ber;
    2685. 

  2685.         LDAPMessage *searchResult, *message;
    2686. 

  2686. 

  2687.         StringBuffer basednbuf;
    2688. 

  2688.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    2689. 

  2689.         StringBuffer filter("objectClass=*");
    2690. 

  2690.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    2691. 

  2691.         {
    2692. 

  2692.             filter.insert(0, "(&(");
    2693. 

  2693.             filter.appendf(")(|(%s=*%s*)))", "uNCName", searchstr);
    2694. 

  2694.         }
    2695. 

  2695. 

  2696.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2697. 

  2697. 

  2698.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2699. 

  2699.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2700. 

  2700. 

  2701.         const char* fldname;
    2702. 

  2702.         LdapServerType servertype = m_ldapconfig->getServerType();
    2703. 

  2703.         if(servertype == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    2704. 

  2704.             fldname = "name";
    2705. 

  2705.         else
    2706. 

  2706.             fldname = "ou";
    2707. 

  2707.         char        *attrs[] = {(char*)fldname, "description", NULL};
    2708. 

  2708.         int rc = ldap_search_ext_s(ld, (char*)basednbuf.str(), LDAP_SCOPE_ONELEVEL, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );
    2709. 

  2709. 

  2710.         if ( rc != LDAP_SUCCESS )
    2711. 

  2711.         {
    2712. 

  2712.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basednbuf.str());
    2713. 

  2713.             return false;
    2714. 

  2714.         }
    2715. 

  2715. 

  2716.         // Go through the search results by checking message types
    2717. 

  2717.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2718. 

  2718.         {
    2719. 

  2719.             StringBuffer descbuf;
    2720. 

  2720.             StringBuffer curname;
    2721. 

  2721.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    2722. 

  2722.                 attribute != NULL; 
    2723. 

  2723.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    2724. 

  2724.             {
    2725. 

  2725.                 if (( values = ldap_get_values( ld, message, attribute)) 
    2726. 

  2726.                     != NULL )
    2727. 

  2727.                 {
    2728. 

  2728.                     char* val = values[0];
    2729. 

  2729.                     if(val != NULL)
    2730. 

  2730.                     {
    2731. 

  2731.                         if(stricmp(attribute, fldname) == 0)
    2732. 

  2732.                         {
    2733. 

  2733.                             curname.append(val);
    2734. 

  2734.                         }
    2735. 

  2735.                         else if(stricmp(attribute, "description") == 0)
    2736. 

  2736.                         {
    2737. 

  2737.                             descbuf.append(val);
    2738. 

  2738.                         }
    2739. 

  2739.                     }
    2740. 

  2740.                     ldap_value_free( values );
    2741. 

  2741.                 }
    2742. 

  2742. 

  2743.             }
    2744. 

  2744. 

  2745.             if(curname.length() == 0)
    2746. 

  2746.                 continue;
    2747. 

  2747.             StringBuffer resourcename;
    2748. 

  2748.             if(prefix != NULL && *prefix != '\0')
    2749. 

  2749.                 resourcename.append(prefix);
    2750. 

  2750.             resourcename.append(curname.str());
    2751. 

  2751.             CLdapSecResource* resource = new CLdapSecResource(resourcename.str());
    2752. 

  2752.             resource->setDescription(descbuf.str());
    2753. 

  2753.             resources.append(*resource);
    2754. 

  2754.             if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    2755. 

  2755.             {
    2756. 

  2756.                 StringBuffer nextbasedn;
    2757. 

  2757.                 nextbasedn.append("ou=").append(curname.str()).append(",").append(basedn);
    2758. 

  2758.                 StringBuffer nextprefix;
    2759. 

  2759.                 if(prefix != NULL && *prefix != '\0')
    2760. 

  2760.                     nextprefix.append(prefix);
    2761. 

  2761.                 nextprefix.append(curname.str()).append("::");
    2762. 

  2762.                 getResources(rtype, nextbasedn.str(), nextprefix.str(), resources);
    2763. 

  2763.             }
    2764. 

  2764.             ber_free(ber, 0);
    2765. 

  2765.         }
    2766. 

  2766.         ldap_msgfree( searchResult );
    2767. 

  2767.         return true;
    2768. 

  2768.     }
    2769. 

  2769. 

  2770.     virtual bool getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf<CPermission>& permissions)
    2771. 

  2771.     {
    2772. 

  2772.         StringBuffer basednbuf;
    2773. 

  2773.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    2774. 

  2774.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(name);
    2775. 

  2775.         IArrayOf<CSecurityDescriptor> sdlist;
    2776. 

  2776.         sdlist.append(*LINK(sd));
    2777. 

  2777.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    2778. 

  2778.             getSecurityDescriptorsScope(sdlist, basednbuf.str());
    2779. 

  2779.         else
    2780. 

  2780.             getSecurityDescriptors(sdlist, basednbuf.str());
    2781. 

  2781. 

  2782.         m_pp->getPermissionsArray(sd.get(), permissions);
    2783. 

  2783. 

  2784.         return true;
    2785. 

  2785.     }
    2786. 

  2786. 

  2787.     virtual void getAllGroups(StringArray & groups)
    2788. 

  2788.     {
    2789. 

  2789.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2790. 

  2790.         {
    2791. 

  2791.             groups.append("Authenticated Users");
    2792. 

  2792.             groups.append("Administrators");
    2793. 

  2793.         }
    2794. 

  2794.         else
    2795. 

  2795.         {
    2796. 

  2796.             groups.append("Directory Administrators");
    2797. 

  2797.         }
    2798. 

  2798. 

  2799.         char        *attribute, **values;       
    2800. 

  2800.         struct berval** bvalues = NULL;
    2801. 

  2801.         BerElement  *ber;
    2802. 

  2802.         LDAPMessage *searchResult, *message;
    2803. 

  2803. 

  2804.         StringBuffer filter;
    2805. 

  2805. 

  2806.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2807. 

  2807.             filter.append("objectClass=group");
    2808. 

  2808.         else
    2809. 

  2809.             filter.append("objectClass=groupofuniquenames");
    2810. 

  2810. 

  2811.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2812. 

  2812. 

  2813.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2814. 

  2814.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2815. 

  2815. 

  2816.         char        *attrs[] = {"cn", NULL};
    2817. 

  2817.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getGroupBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult );
    2818. 

  2818. 

  2819.         if ( rc != LDAP_SUCCESS )
    2820. 

  2820.         {
    2821. 

  2821.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getGroupBasedn());
    2822. 

  2822.             return;
    2823. 

  2823.         }
    2824. 

  2824. 

  2825.         // Go through the search results by checking message types
    2826. 

  2826.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2827. 

  2827.         {
    2828. 

  2828.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    2829. 

  2829.                 attribute != NULL; 
    2830. 

  2830.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    2831. 

  2831.             {
    2832. 

  2832.                 if(stricmp(attribute, "cn") == 0)
    2833. 

  2833.                 {
    2834. 

  2834.                     if (( values = ldap_get_values( ld, message, attribute)) 
    2835. 

  2835.                         != NULL )
    2836. 

  2836.                     {
    2837. 

  2837.                         //set the FullName
    2838. 

  2838.                         if(values[0] != NULL)
    2839. 

  2839.                             groups.append(values[0]);
    2840. 

  2840.                         ldap_value_free( values );
    2841. 

  2841.                     }
    2842. 

  2842.                 }
    2843. 

  2843.             
    2844. 

  2844.             }
    2845. 

  2845.         }
    2846. 

  2846.         ldap_msgfree( searchResult );
    2847. 

  2847.     }
    2848. 

  2848. 

  2849.     virtual bool changePermission(CPermissionAction& action)
    2850. 

  2850.     {
    2851. 

  2851.         StringBuffer basednbuf;
    2852. 

  2852.         LdapUtils::normalizeDn(action.m_basedn.str(), m_ldapconfig->getBasedn(), basednbuf);
    2853. 

  2853.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(action.m_rname.str());
    2854. 

  2854.         IArrayOf<CSecurityDescriptor> sdlist;
    2855. 

  2855.         sdlist.append(*LINK(sd));
    2856. 

  2856.         if(action.m_rtype == RT_FILE_SCOPE || action.m_rtype == RT_WORKUNIT_SCOPE)
    2857. 

  2857.             getSecurityDescriptorsScope(sdlist, basednbuf.str());
    2858. 

  2858.         else
    2859. 

  2859.             getSecurityDescriptors(sdlist, basednbuf.str());
    2860. 

  2860. 

  2861.         if(m_ldapconfig->getServerType() != ACTIVE_DIRECTORY)
    2862. 

  2862.         {
    2863. 

  2863.             StringBuffer act_dn;
    2864. 

  2864.             if(action.m_account_type == GROUP_ACT)
    2865. 

  2865.                 getGroupDN(action.m_account_name.str(), act_dn);
    2866. 

  2866.             else
    2867. 

  2867.                 getUserDN(action.m_account_name.str(), act_dn);
    2868. 

  2868.             
    2869. 

  2869.             action.m_account_name.clear().append(act_dn.str());
    2870. 

  2870.         }
    2871. 

  2871. 

  2872.         Owned<CSecurityDescriptor> newsd = m_pp->changePermission(sd.get(), action);
    2873. 

  2873. 

  2874.         StringBuffer normdnbuf;
    2875. 

  2875.         LdapServerType servertype = m_ldapconfig->getServerType();
    2876. 

  2876.         name2dn(action.m_rtype, action.m_rname.str(), action.m_basedn.str(), normdnbuf);
    2877. 

  2877. 

  2878.         char *empty_values[] = { NULL };
    2879. 

  2879. 

  2880.         int numberOfSegs = m_pp->sdSegments(newsd.get());
    2881. 

  2881. 

  2882.         LDAPMod *attrs[2];
    2883. 

  2883.         LDAPMod sd_attr;
    2884. 

  2884.         if(newsd->getDescriptor().length() > 0)
    2885. 

  2885.         {
    2886. 

  2886.             struct berval** sd_values = (struct berval**)alloca(sizeof(struct berval*)*(numberOfSegs+1));
    2887. 

  2887.             MemoryBuffer& sdbuf = newsd->getDescriptor();
    2888. 

  2888. 

  2889.             // Active Directory acutally has only one segment.
    2890. 

  2890.             if(servertype == ACTIVE_DIRECTORY)
    2891. 

  2891.             {
    2892. 

  2892.                 struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    2893. 

  2893.                 sd_val->bv_len = sdbuf.length();
    2894. 

  2894.                 sd_val->bv_val = (char*)sdbuf.toByteArray();
    2895. 

  2895.                 sd_values[0] = sd_val;
    2896. 

  2896.                 sd_values[1] = NULL;
    2897. 

  2897. 

  2898.                 sd_attr.mod_type = "nTSecurityDescriptor";
    2899. 

  2899.             }
    2900. 

  2900.             else
    2901. 

  2901.             {
    2902. 

  2902.                 const char* bbptr = sdbuf.toByteArray();
    2903. 

  2903.                 const char* bptr = sdbuf.toByteArray();
    2904. 

  2904.                 int sdbuflen = sdbuf.length();
    2905. 

  2905.                 int segind;
    2906. 

  2906.                 for(segind = 0; segind < numberOfSegs; segind++)
    2907. 

  2907.                 {
    2908. 

  2908.                     if(bptr - bbptr >= sdbuflen)
    2909. 

  2909.                         break;
    2910. 

  2910.                     while(*bptr == '\0' && (bptr - bbptr) < sdbuflen)
    2911. 

  2911.                         bptr++;
    2912. 

  2912. 

  2913.                     const char* eptr = bptr;
    2914. 

  2914.                     while(*eptr != '\0' && (eptr - bbptr) < sdbuflen)
    2915. 

  2915.                         eptr++;
    2916. 

  2916. 

  2917.                     struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    2918. 

  2918.                     sd_val->bv_len = eptr - bptr;
    2919. 

  2919.                     sd_val->bv_val = (char*)bptr;
    2920. 

  2920.                     sd_values[segind] = sd_val;
    2921. 

  2921. 

  2922.                     bptr = eptr + 1;
    2923. 

  2923.                 }
    2924. 

  2924.                 sd_values[segind] = NULL;
    2925. 

  2925. 

  2926.                 sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    2927. 

  2927.             }
    2928. 

  2928.             sd_attr.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    2929. 

  2929.             sd_attr.mod_vals.modv_bvals = sd_values;
    2930. 

  2930. 

  2931.             attrs[0] = &sd_attr;
    2932. 

  2932.         }
    2933. 

  2933.         else
    2934. 

  2934.         {
    2935. 

  2935.             if(m_ldapconfig->getServerType() == OPEN_LDAP)
    2936. 

  2936.                 throw MakeStringException(-1, "removing all permissions for openldap is currently not supported");
    2937. 

  2937. 

  2938.             sd_attr.mod_op = LDAP_MOD_DELETE;
    2939. 

  2939.             sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    2940. 

  2940.             sd_attr.mod_vals.modv_strvals = empty_values;
    2941. 

  2941.             attrs[0] = &sd_attr;
    2942. 

  2942.         }
    2943. 

  2943. 

  2944.         attrs[1] = NULL;
    2945. 

  2945. 

  2946.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2947. 

  2947.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2948. 

  2948.         int rc = ldap_modify_s(ld, (char*)normdnbuf.str(), attrs);
    2949. 

  2949.         if ( rc != LDAP_SUCCESS )
    2950. 

  2950.         {
    2951. 

  2951.             throw MakeStringException(-1, "ldap_modify_s error: %d %s", rc, ldap_err2string( rc ));
    2952. 

  2952.         }
    2953. 

  2953. 

  2954.         return true;
    2955. 

  2955.     }
    2956. 

  2956. 

  2957.     virtual void getGroups(const char *user, StringArray& groups)
    2958. 

  2958.     {
    2959. 

  2959.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2960. 

  2960.         {
    2961. 

  2961.             char        *attribute, **values;       
    2962. 

  2962.             BerElement  *ber;
    2963. 

  2963.             LDAPMessage *searchResult, *message;
    2964. 

  2964. 

  2965.             if(user == NULL || strlen(user) == 0)
    2966. 

  2966.                 return;
    2967. 

  2967.             StringBuffer filter("sAMAccountName=");
    2968. 

  2968.             filter.append(user);
    2969. 

  2969. 

  2970.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2971. 

  2971. 

  2972.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2973. 

  2973.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2974. 

  2974. 

  2975.             char        *attrs[] = {"memberOf", NULL};
    2976. 

  2976.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    2977. 

  2977. 

  2978.             if ( rc != LDAP_SUCCESS )
    2979. 

  2979.             {
    2980. 

  2980.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2981. 

  2981.                 return;
    2982. 

  2982.             }
    2983. 

  2983.             
    2984. 

  2984.             unsigned entries = ldap_count_entries(ld, searchResult);
    2985. 

  2985.             if(entries == 0)
    2986. 

  2986.             {
    2987. 

  2987.                 rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );
    2988. 

  2988. 

  2989.                 if ( rc != LDAP_SUCCESS )
    2990. 

  2990.                 {
    2991. 

  2991.                     DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getSysUserBasedn());
    2992. 

  2992.                     return;
    2993. 

  2993.                 }
    2994. 

  2994.             }
    2995. 

  2995. 

  2996.             // Go through the search results by checking message types
    2997. 

  2997.             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2998. 

  2998.             {
    2999. 

  2999.                 for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    3000. 

  3000.                     attribute != NULL; 
    3001. 

  3001.                     attribute = ldap_next_attribute( ld, searchResult,ber))
    3002. 

  3002.                 {
    3003. 

  3003.                     if(stricmp(attribute, "memberOf") != 0)
    3004. 

  3004.                         continue;
    3005. 

  3005.                     if (( values = ldap_get_values( ld, message, attribute)) 
    3006. 

  3006.                         != NULL )
    3007. 

  3007.                     {
    3008. 

  3008.                         for (int i = 0; values[ i ] != NULL; i++ )
    3009. 

  3009.                         {
    3010. 

  3010.                             char* val = values[i];
    3011. 

  3011.                             char* comma = strchr(val, ',');
    3012. 

  3012.                             StringBuffer groupname;
    3013. 

  3013.                             groupname.append(comma - val -3, val+3);
    3014. 

  3014.                             groups.append(groupname.str());
    3015. 

  3015.                         }
    3016. 

  3016. 

  3017.                         ldap_value_free( values );
    3018. 

  3018.                     }
    3019. 

  3019.                 }
    3020. 

  3020.                 ber_free(ber, 0);
    3021. 

  3021.             }
    3022. 

  3022.             ldap_msgfree( searchResult );
    3023. 

  3023.         }
    3024. 

  3024.         else
    3025. 

  3025.         {
    3026. 

  3026.             StringArray allgroups;
    3027. 

  3027.             getAllGroups(allgroups);
    3028. 

  3028.             for(unsigned i = 0; i < allgroups.length(); i++)
    3029. 

  3029.             {
    3030. 

  3030.                 const char* grp = allgroups.item(i);
    3031. 

  3031.                 StringBuffer grpdn, usrdn;
    3032. 

  3032.                 getUserDN(user, usrdn);
    3033. 

  3033.                 getGroupDN(grp, grpdn);
    3034. 

  3034.                 if(userInGroup(usrdn.str(), grpdn.str()))
    3035. 

  3035.                 {
    3036. 

  3036.                     groups.append(grp);
    3037. 

  3037.                 }
    3038. 

  3038.             }
    3039. 

  3039.         }       
    3040. 

  3040.     }
    3041. 

  3041. 

  3042.     virtual void changeUserGroup(const char* action, const char* username, const char* groupname)
    3043. 

  3043.     {
    3044. 

  3044.         StringBuffer userdn, groupdn;
    3045. 

  3045.         getUserDN(username, userdn);
    3046. 

  3046.         getGroupDN(groupname, groupdn);
    3047. 

  3047.         // Not needed for Active Directory
    3048. 

  3048.         // changeUserMemberOf(action, userdn.str(), groupdn.str());
    3049. 

  3049.         changeGroupMember(action, groupdn.str(), userdn.str());
    3050. 

  3050.     }
    3051. 

  3051. 

  3052.     virtual bool deleteUser(ISecUser* user)
    3053. 

  3053.     {
    3054. 

  3054.         if(user == NULL)
    3055. 

  3055.             return false;
    3056. 

  3056.         const char* username = user->getName();
    3057. 

  3057.         if(username == NULL || *username == '\0')
    3058. 

  3058.             return false;
    3059. 

  3059. 

  3060.         StringBuffer userdn;
    3061. 

  3061.         getUserDN(username, userdn);
    3062. 

  3062.         
    3063. 

  3063.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3064. 

  3064.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3065. 

  3065.         
    3066. 

  3066.         int rc = ldap_delete_s(ld, (char*)userdn.str());
    3067. 

  3067. 

  3068.         if ( rc != LDAP_SUCCESS )
    3069. 

  3069.         {
    3070. 

  3070.             throw MakeStringException(-1, "error deleting user %s: %s", username, ldap_err2string(rc));
    3071. 

  3071.         }
    3072. 

  3072. 

  3073.         StringArray grps;
    3074. 

  3074.         getGroups(username, grps);
    3075. 

  3075.         ForEachItemIn(x, grps)
    3076. 

  3076.         {
    3077. 

  3077.             const char* grp = grps.item(x);
    3078. 

  3078.             if(!grp || !*grp)
    3079. 

  3079.                 continue;
    3080. 

  3080.             changeUserGroup("delete", username, grp);
    3081. 

  3081.         }
    3082. 

  3082.         
    3083. 

  3083.         return true;
    3084. 

  3084.     }
    3085. 

  3085. 

  3086.     virtual void addGroup(const char* groupname)
    3087. 

  3087.     {
    3088. 

  3088.         if(groupname == NULL || *groupname == '\0')
    3089. 

  3089.             throw MakeStringException(-1, "Can't add group, groupname is empty");
    3090. 

  3090. 

  3091.         addGroup(groupname, m_ldapconfig->getGroupBasedn());
    3092. 

  3092.     }
    3093. 

  3093. 

  3094.     virtual void addGroup(const char* groupname, const char* basedn)
    3095. 

  3095.     {
    3096. 

  3096.         if(groupname == NULL || *groupname == '\0')
    3097. 

  3097.             return;
    3098. 

  3098. 

  3099.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3100. 

  3100.         {
    3101. 

  3101.             if(stricmp(groupname, "Administrators") == 0)
    3102. 

  3102.                 throw MakeStringException(-1, "Can't add group %s, it's reserved by the system.", groupname);
    3103. 

  3103.         }
    3104. 

  3104.         else
    3105. 

  3105.         {
    3106. 

  3106.             if(stricmp(groupname, "Directory Administrators") == 0)
    3107. 

  3107.                 throw MakeStringException(-1, "Can't add group %s, it's reserved by the system.", groupname);
    3108. 

  3108.         }
    3109. 

  3109. 

  3110.         StringBuffer dn;
    3111. 

  3111.         dn.append("cn=").append(groupname).append(",").append(basedn);
    3112. 

  3112. 

  3113.         char* oc_name;
    3114. 

  3114.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3115. 

  3115.         {
    3116. 

  3116.             oc_name = "group";
    3117. 

  3117.         }
    3118. 

  3118.         else
    3119. 

  3119.         {
    3120. 

  3120.             oc_name = "groupofuniquenames";
    3121. 

  3121.         }
    3122. 

  3122. 

  3123.         char *cn_values[] = {(char*)groupname, NULL };
    3124. 

  3124.         LDAPMod cn_attr = 
    3125. 

  3125.         {
    3126. 

  3126.             LDAP_MOD_ADD,
    3127. 

  3127.             "cn",
    3128. 

  3128.             cn_values
    3129. 

  3129.         };
    3130. 

  3130. 

  3131.         char *oc_values[] = {oc_name, NULL };
    3132. 

  3132.         LDAPMod oc_attr =
    3133. 

  3133.         {
    3134. 

  3134.             LDAP_MOD_ADD,
    3135. 

  3135.             "objectClass",
    3136. 

  3136.             oc_values
    3137. 

  3137.         };
    3138. 

  3138. 

  3139.         char *act_values[] = {(char*)groupname, NULL};
    3140. 

  3140.         LDAPMod act_attr = 
    3141. 

  3141.         {
    3142. 

  3142.             LDAP_MOD_ADD,
    3143. 

  3143.             "sAMAccountName",
    3144. 

  3144.             act_values
    3145. 

  3145.         };
    3146. 

  3146. 

  3147.         char *member_values[] = {"", NULL};
    3148. 

  3148.         LDAPMod member_attr = 
    3149. 

  3149.         {
    3150. 

  3150.             LDAP_MOD_ADD,
    3151. 

  3151.             "uniqueMember",
    3152. 

  3152.             member_values
    3153. 

  3153.         };
    3154. 

  3154. 

  3155.         LDAPMod *attrs[5];
    3156. 

  3156.         int ind = 0;
    3157. 

  3157.         
    3158. 

  3158.         attrs[ind++] = &cn_attr;
    3159. 

  3159.         attrs[ind++] = &oc_attr;
    3160. 

  3160.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3161. 

  3161.         {
    3162. 

  3162.             attrs[ind++] = &act_attr;
    3163. 

  3163.         }
    3164. 

  3164.         if(m_ldapconfig->getServerType() == OPEN_LDAP)
    3165. 

  3165.         {
    3166. 

  3166.             attrs[ind++] = &member_attr;
    3167. 

  3167.         }
    3168. 

  3168. 

  3169.         attrs[ind] = NULL;
    3170. 

  3170. 

  3171.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3172. 

  3172.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3173. 

  3173.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    3174. 

  3174.         if ( rc != LDAP_SUCCESS )
    3175. 

  3175.         {
    3176. 

  3176.             if(rc == LDAP_ALREADY_EXISTS)
    3177. 

  3177.             {
    3178. 

  3178.                 throw MakeStringException(-1, "can't add group %s, already exists", groupname);
    3179. 

  3179.             }
    3180. 

  3180.             else
    3181. 

  3181.             {
    3182. 

  3182.                 DBGLOG("error addGroup %s, ldap_add_ext_s error: %s", groupname, ldap_err2string( rc ));
    3183. 

  3183.                 throw MakeStringException(-1, "error addGroup %s, ldap_add_ext_s error: %s", groupname, ldap_err2string( rc ));
    3184. 

  3184.             }
    3185. 

  3185.         }
    3186. 

  3186. 

  3187.     }
    3188. 

  3188. 

  3189.     virtual void deleteGroup(const char* groupname)
    3190. 

  3190.     {
    3191. 

  3191.         if(groupname == NULL || *groupname == '\0')
    3192. 

  3192.             throw MakeStringException(-1, "group name can't be empty");
    3193. 

  3193. 

  3194.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3195. 

  3195.         {
    3196. 

  3196.             if(stricmp(groupname, "Administrators") == 0 || stricmp(groupname, "Authenticated Users") == 0)
    3197. 

  3197.                 throw MakeStringException(-1, "you can't delete Authenticated Users or Administrators group");
    3198. 

  3198.         }
    3199. 

  3199.         else
    3200. 

  3200.         {
    3201. 

  3201.             if(stricmp(groupname, "Directory Administrators") == 0)
    3202. 

  3202.                 throw MakeStringException(-1, "you can't delete Directory Administrators group");
    3203. 

  3203.         }
    3204. 

  3204. 

  3205.         StringBuffer dn;
    3206. 

  3206.         getGroupDN(groupname, dn);
    3207. 

  3207.         
    3208. 

  3208.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3209. 

  3209.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3210. 

  3210.         
    3211. 

  3211.         int rc = ldap_delete_s(ld, (char*)dn.str());
    3212. 

  3212. 

  3213.         if ( rc != LDAP_SUCCESS )
    3214. 

  3214.         {
    3215. 

  3215.             throw MakeStringException(-1, "error deleting group %s: %s", groupname, ldap_err2string(rc));
    3216. 

  3216.         }
    3217. 

  3217.     }
    3218. 

  3218. 

  3219.     virtual void getGroupMembers(const char* groupname, StringArray & users)
    3220. 

  3220.     {
    3221. 

  3221.         char        *attribute, **values;       
    3222. 

  3222.         BerElement  *ber;
    3223. 

  3223.         LDAPMessage *searchResult, *message;
    3224. 

  3224. 

  3225.         if(groupname == NULL || strlen(groupname) == 0)
    3226. 

  3226.             throw MakeStringException(-1, "group name can't be empty");
    3227. 

  3227. 

  3228.         StringBuffer grpdn;
    3229. 

  3229.         getGroupDN(groupname, grpdn);
    3230. 

  3230.         StringBuffer filter;
    3231. 

  3231.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3232. 

  3232.         {
    3233. 

  3233.             filter.append("distinguishedName=").append(grpdn.str());
    3234. 

  3234.         }
    3235. 

  3235.         else if(m_ldapconfig->getServerType() == IPLANET)
    3236. 

  3236.         {
    3237. 

  3237.             filter.append("entrydn=").append(grpdn.str());
    3238. 

  3238.         }
    3239. 

  3239.         else if(m_ldapconfig->getServerType() == OPEN_LDAP)
    3240. 

  3240.         {
    3241. 

  3241.             filter.append("cn=").append(groupname);
    3242. 

  3242.         }
    3243. 

  3243. 

  3244.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3245. 

  3245. 

  3246.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3247. 

  3247.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3248. 

  3248. 

  3249.         const char* memfieldname;
    3250. 

  3250. 

  3251.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3252. 

  3252.         {
    3253. 

  3253.             memfieldname = "member";
    3254. 

  3254.         }
    3255. 

  3255.         else
    3256. 

  3256.         {
    3257. 

  3257.             memfieldname = "uniquemember";
    3258. 

  3258.         }
    3259. 

  3259. 

  3260.         char        *attrs[] = {(char*)memfieldname, NULL};
    3261. 

  3261.         StringBuffer groupbasedn;
    3262. 

  3262.         getGroupBaseDN(groupname, groupbasedn);
    3263. 

  3263.         int rc = ldap_search_ext_s(ld, (char*)groupbasedn.str(),LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );
    3264. 

  3264. 

  3265.         if ( rc != LDAP_SUCCESS )
    3266. 

  3266.         {
    3267. 

  3267.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getBasedn());
    3268. 

  3268.             return;
    3269. 

  3269.         }
    3270. 

  3270.         
    3271. 

  3271.         unsigned entries = ldap_count_entries(ld, searchResult);
    3272. 

  3272.         if(entries == 0)
    3273. 

  3273.         {
    3274. 

  3274.             throw MakeStringException(-1, "group %s not found", groupname);
    3275. 

  3275.         }
    3276. 

  3276. 

  3277.         // Go through the search results by checking message types
    3278. 

  3278.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    3279. 

  3279.         {
    3280. 

  3280.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    3281. 

  3281.                 attribute != NULL; 
    3282. 

  3282.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    3283. 

  3283.             {
    3284. 

  3284.                 if (( values = ldap_get_values( ld, message, attribute)) 
    3285. 

  3285.                     != NULL )
    3286. 

  3286.                 {
    3287. 

  3287.                     for (int i = 0; values[ i ] != NULL; i++ )
    3288. 

  3288.                     {
    3289. 

  3289.                         char* val = values[i];
    3290. 

  3290.                         StringBuffer uid;
    3291. 

  3291.                         getUidFromDN(val, uid);
    3292. 

  3292.                         if(uid.length() > 0)
    3293. 

  3293.                             users.append(uid.str());
    3294. 

  3294.                     }
    3295. 

  3295. 

  3296.                     ldap_value_free( values );
    3297. 

  3297.                 }
    3298. 

  3298.             }
    3299. 

  3299.             ber_free(ber, 0);
    3300. 

  3300.         }
    3301. 

  3301.         ldap_msgfree( searchResult );
    3302. 

  3302. 

  3303.     }
    3304. 

  3304.     
    3305. 

  3305.     virtual void deleteResource(SecResourceType rtype, const char* name, const char* basedn)
    3306. 

  3306.     {
    3307. 

  3307.         if(basedn == NULL || *basedn == '\0')
    3308. 

  3308.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    3309. 

  3309. 

  3310.         StringBuffer dn;
    3311. 

  3311.         name2dn(rtype, name, basedn, dn);
    3312. 

  3312. 

  3313.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3314. 

  3314.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3315. 

  3315.         
    3316. 

  3316.         int rc = ldap_delete_s(ld, (char*)dn.str());
    3317. 

  3317. 

  3318.         if ( rc != LDAP_SUCCESS )
    3319. 

  3319.         {
    3320. 

  3320.             DBGLOG("error deleting %s: %s", dn.str(), ldap_err2string(rc));
    3321. 

  3321.             //throw MakeStringException(-1, "error deleting %s: %s", dn.str(), ldap_err2string(rc));
    3322. 

  3322.         }
    3323. 

  3323.         
    3324. 

  3324.     }
    3325. 

  3325. 

  3326.     virtual void renameResource(SecResourceType rtype, const char* oldname, const char* newname, const char* basedn)
    3327. 

  3327.     {
    3328. 

  3328.         if(oldname == NULL || *oldname == '\0' || newname == NULL || *newname == '\0')
    3329. 

  3329.             throw MakeStringException(-1, "please specfiy old and new names");
    3330. 

  3330. 

  3331.         if(basedn == NULL || *basedn == '\0')
    3332. 

  3332.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    3333. 

  3333. 

  3334.         StringBuffer olddn, newrdn;
    3335. 

  3335.         name2dn(rtype, oldname, basedn, olddn);
    3336. 

  3336.         name2rdn(rtype, newname, newrdn);
    3337. 

  3337.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3338. 

  3338.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3339. 

  3339. 

  3340.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    3341. 

  3341.         {
    3342. 

  3342.             char* uncname_values[] = {(char*)newname, NULL};
    3343. 

  3343.             LDAPMod uncname_attr =
    3344. 

  3344.             {
    3345. 

  3345.                 LDAP_MOD_REPLACE,
    3346. 

  3346.                 "uNCName",
    3347. 

  3347.                 uncname_values
    3348. 

  3348.             };
    3349. 

  3349. 

  3350.             LDAPMod *attrs[2];
    3351. 

  3351.             attrs[0] = &uncname_attr;
    3352. 

  3352.             attrs[1] = NULL;
    3353. 

  3353. 

  3354.             int rc = ldap_modify_s(ld, (char*)olddn.str(), attrs);
    3355. 

  3355. 

  3356.             if (rc != LDAP_SUCCESS )
    3357. 

  3357.             {
    3358. 

  3358.                 DBGLOG("Error changing unc %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3359. 

  3359.                 //throw MakeStringException(-1, "Error changing unc %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3360. 

  3360.             }
    3361. 

  3361.         }
    3362. 

  3362. 

  3363. #ifdef _WIN32
    3364. 

  3364.         int rc = ldap_rename_ext_s(ld, (char*)olddn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    3365. 

  3365. #else
    3366. 

  3366.         int rc = ldap_rename_s(ld, (char*)olddn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    3367. 

  3367. #endif
    3368. 

  3368.         if (rc != LDAP_SUCCESS )
    3369. 

  3369.         {
    3370. 

  3370.             DBGLOG("Error renaming %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3371. 

  3371.             //throw MakeStringException(-1, "Error renaming %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3372. 

  3372.         }
    3373. 

  3373.     }
    3374. 

  3374. 

  3375.     virtual void copyResource(SecResourceType rtype, const char* oldname, const char* newname, const char* basedn)
    3376. 

  3376.     {
    3377. 

  3377.         if(oldname == NULL || *oldname == '\0' || newname == NULL || *newname == '\0')
    3378. 

  3378.             throw MakeStringException(-1, "please specfiy old and new names");
    3379. 

  3379. 

  3380.         if(basedn == NULL || *basedn == '\0')
    3381. 

  3381.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    3382. 

  3382. 

  3383.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(oldname);
    3384. 

  3384.         IArrayOf<CSecurityDescriptor> sdlist;
    3385. 

  3385.         sdlist.append(*LINK(sd));
    3386. 

  3386.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    3387. 

  3387.             getSecurityDescriptorsScope(sdlist, basedn);
    3388. 

  3388.         else
    3389. 

  3389.             getSecurityDescriptors(sdlist, basedn);
    3390. 

  3390. 

  3391.         if(sd->getDescriptor().length() == 0)
    3392. 

  3392.             throw MakeStringException(-1, "error copying %s to %s, %s doesn't exist", oldname, newname, oldname);
    3393. 

  3393.         
    3394. 

  3394.         ISecUser* user = NULL;
    3395. 

  3395.         CLdapSecResource resource(newname);
    3396. 

  3396.         addResource(rtype, *user, &resource, PT_DEFAULT, basedn, sd.get(), false);
    3397. 

  3397.     }
    3398. 

  3398. 

  3399.     void normalizeDn(const char* dn, StringBuffer& ndn)
    3400. 

  3400.     {
    3401. 

  3401.         LdapUtils::normalizeDn(dn, m_ldapconfig->getBasedn(), ndn);
    3402. 

  3402.     }
    3403. 

  3403. 

  3404.     virtual bool isSuperUser(ISecUser* user)
    3405. 

  3405.     {
    3406. 

  3406.         if(user == NULL || user->getName() == NULL)
    3407. 

  3407.             return false;
    3408. 

  3408.         const char* username = user->getName();
    3409. 

  3409.         const char* sysuser = m_ldapconfig->getSysUser();
    3410. 

  3410.         if(sysuser != NULL && stricmp(sysuser, username) == 0)
    3411. 

  3411.             return true;
    3412. 

  3412.         StringBuffer userdn, admingrpdn;
    3413. 

  3413.         getUserDN(username, userdn);
    3414. 

  3414.         getAdminGroupDN(admingrpdn);
    3415. 

  3415.         return userInGroup(userdn.str(), admingrpdn.str());
    3416. 

  3416.     }
    3417. 

  3417. 

  3418.     virtual ILdapConfig* queryConfig()
    3419. 

  3419.     {
    3420. 

  3420.         return m_ldapconfig.get();
    3421. 

  3421.     }
    3422. 

  3422. 

  3423.     virtual int countUsers(const char* searchstr, int limit)
    3424. 

  3424.     {
    3425. 

  3425.         StringBuffer filter;
    3426. 

  3426.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3427. 

  3427.             filter.append("objectClass=User");
    3428. 

  3428.         else
    3429. 

  3429.             filter.append("objectClass=inetorgperson");
    3430. 

  3430. 

  3431.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    3432. 

  3432.         {
    3433. 

  3433.             filter.insert(0, "(&(");
    3434. 

  3434.             filter.appendf(")(|(%s=*%s*)(%s=*%s*)(%s=*%s*)))", (m_ldapconfig->getServerType()==ACTIVE_DIRECTORY)?"sAMAcccountName":"uid", searchstr, "givenName", searchstr, "sn", searchstr);
    3435. 

  3435.         }
    3436. 

  3436. 

  3437.         return countEntries(m_ldapconfig->getUserBasedn(), filter.str(), limit);
    3438. 

  3438.     }
    3439. 

  3439. 

  3440.     virtual int countResources(const char* basedn, const char* searchstr, int limit)
    3441. 

  3441.     {
    3442. 

  3442.         StringBuffer filter;
    3443. 

  3443.         filter.append("objectClass=*");
    3444. 

  3444. 

  3445.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    3446. 

  3446.         {
    3447. 

  3447.             filter.insert(0, "(&(");
    3448. 

  3448.             filter.appendf(")(|(%s=*%s*)))", "uNCName", searchstr);
    3449. 

  3449.         }
    3450. 

  3450. 

  3451.         return countEntries(basedn, filter.str(), limit);
    3452. 

  3452.     }
    3453. 

  3453. 

  3454.     virtual int countEntries(const char* basedn, const char* filter, int limit)
    3455. 

  3455.     {
    3456. 

  3456.         struct berval** bvalues = NULL;
    3457. 

  3457.         LDAPMessage *searchResult;
    3458. 

  3458. 

  3459.         TIMEVAL timeOut = {LDAPTIMEOUT,0};
    3460. 

  3460. 

  3461.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3462. 

  3462.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3463. 

  3463. 

  3464.         char *attrs[] = { LDAP_NO_ATTRS, NULL };
    3465. 

  3465.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter, attrs, 0, NULL, NULL, &timeOut, limit, &searchResult );
    3466. 

  3466. 

  3467.         if ( rc != LDAP_SUCCESS )
    3468. 

  3468.         {
    3469. 

  3469.             if(rc == LDAP_SIZELIMIT_EXCEEDED)
    3470. 

  3470.                 return -1;
    3471. 

  3471.             else
    3472. 

  3472.                 throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter, basedn);
    3473. 

  3473.         }
    3474. 

  3474. 

  3475.         int entries = ldap_count_entries(ld, searchResult);
    3476. 

  3476.         ldap_msgfree( searchResult );
    3477. 

  3477.         return entries;
    3478. 

  3478.     }
    3479. 

  3479. 

  3480.     virtual const char* getPasswordStorageScheme()
    3481. 

  3481.     {
    3482. 

  3482.         if(m_pwscheme.length() == 0)
    3483. 

  3483.         {
    3484. 

  3484.             if(m_ldapconfig->getServerType() == IPLANET)
    3485. 

  3485.             {
    3486. 

  3486.                 LDAPMessage *msg;
    3487. 

  3487.                 Owned<ILdapConnection> lconn = m_connections->getConnection();
    3488. 

  3488.                 LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3489. 

  3489.                 
    3490. 

  3490.                 char* pw_attrs[] = {"nsslapd-rootpwstoragescheme", NULL};
    3491. 

  3491.                 int err = ldap_search_s(ld, "cn=config", LDAP_SCOPE_BASE, "objectClass=*", pw_attrs, false, &msg);
    3492. 

  3492.                 if(err != LDAP_SUCCESS)
    3493. 

  3493.                 {
    3494. 

  3494.                     DBGLOG("ldap_search_s error: %s", ldap_err2string( err ));
    3495. 

  3495.                     return NULL;
    3496. 

  3496.                 }
    3497. 

  3497.                 LDAPMessage* entry = LdapFirstEntry(ld, msg);
    3498. 

  3498.                 if(entry != NULL)
    3499. 

  3499.                 {
    3500. 

  3500.                     char** vals = ldap_get_values(ld, entry, "nsslapd-rootpwstoragescheme");
    3501. 

  3501.                     if(vals != NULL)
    3502. 

  3502.                     {
    3503. 

  3503.                         if(vals[0] != NULL)
    3504. 

  3504.                             m_pwscheme.append(vals[0]);
    3505. 

  3505. 

  3506.                         ldap_value_free(vals);
    3507. 

  3507.                     }
    3508. 

  3508.                 }
    3509. 

  3509.                 ldap_msgfree(msg);
    3510. 

  3510.             }
    3511. 

  3511.         }
    3512. 

  3512.         
    3513. 

  3513.         if(m_pwscheme.length() == 0)
    3514. 

  3514.             return NULL;
    3515. 

  3515.         else
    3516. 

  3516.             return m_pwscheme.str();
    3517. 

  3517.     }
    3518. 

  3518. 

  3519. private:
    3520. 

  3520. 

  3521.     virtual void addDC(const char* dc)
    3522. 

  3522.     {
    3523. 

  3523.         if(dc == NULL || *dc == '\0')
    3524. 

  3524.             return;
    3525. 

  3525. 

  3526.         StringBuffer dcname;
    3527. 

  3527.         LdapUtils::getName(dc, dcname);
    3528. 

  3528. 

  3529.         char *dc_values[] = {(char*)dcname.str(), NULL };
    3530. 

  3530.         LDAPMod dc_attr = 
    3531. 

  3531.         {
    3532. 

  3532.             LDAP_MOD_ADD,
    3533. 

  3533.             "dc",
    3534. 

  3534.             dc_values
    3535. 

  3535.         };
    3536. 

  3536. 

  3537.         char *o_values[] = {(char*)dcname.str(), NULL };
    3538. 

  3538.         LDAPMod o_attr = 
    3539. 

  3539.         {
    3540. 

  3540.             LDAP_MOD_ADD,
    3541. 

  3541.             "o",
    3542. 

  3542.             o_values
    3543. 

  3543.         };
    3544. 

  3544. 

  3545.         char *oc_values[] = {"organization", "dcObject", NULL };
    3546. 

  3546.         LDAPMod oc_attr =
    3547. 

  3547.         {
    3548. 

  3548.             LDAP_MOD_ADD,
    3549. 

  3549.             "objectClass",
    3550. 

  3550.             oc_values
    3551. 

  3551.         };
    3552. 

  3552.         
    3553. 

  3553.         LDAPMod *attrs[4];
    3554. 

  3554.         attrs[0] = &oc_attr;
    3555. 

  3555.         attrs[1] = &o_attr;
    3556. 

  3556.         attrs[2] = &dc_attr;
    3557. 

  3557.         attrs[3] = NULL;
    3558. 

  3558. 

  3559.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3560. 

  3560.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3561. 

  3561.         int rc = ldap_add_ext_s(ld, (char*)dc, attrs, NULL, NULL);
    3562. 

  3562.         if ( rc != LDAP_SUCCESS )
    3563. 

  3563.         {
    3564. 

  3564.             if(rc == LDAP_ALREADY_EXISTS)
    3565. 

  3565.             {
    3566. 

  3566.                 throw MakeStringException(-1, "can't add dc %s, already exists", dc);
    3567. 

  3567.             }
    3568. 

  3568.             else
    3569. 

  3569.             {
    3570. 

  3570.                 DBGLOG("error addDC %s, ldap_add_ext_s error: 0x%0x %s", dc, rc, ldap_err2string( rc ));
    3571. 

  3571.                 throw MakeStringException(-1, "error addDC %s, ldap_add_ext_s error: %s", dc, ldap_err2string( rc ));
    3572. 

  3572.             }
    3573. 

  3573.         }
    3574. 

  3574.     }
    3575. 

  3575. 

  3576.     virtual void getUserDN(const char* username, StringBuffer& userdn)
    3577. 

  3577.     {
    3578. 

  3578.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3579. 

  3579.         {
    3580. 

  3580.             StringBuffer filter;
    3581. 

  3581.             filter.append("sAMAccountName=");
    3582. 

  3582.             filter.append(username);
    3583. 

  3583. 

  3584.             char        *attribute, **values = NULL;       
    3585. 

  3585.             BerElement  *ber;
    3586. 

  3586.             LDAPMessage *searchResult, *message;
    3587. 

  3587. 

  3588.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3589. 

  3589. 

  3590.             char *dn_fieldname;
    3591. 

  3591.             dn_fieldname = "distinguishedName";
    3592. 

  3592. 

  3593.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    3594. 

  3594.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3595. 

  3595. 

  3596.             char        *attrs[] = {dn_fieldname, NULL};
    3597. 

  3597.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    3598. 

  3598. 

  3599.             if ( rc != LDAP_SUCCESS )
    3600. 

  3600.             {
    3601. 

  3601.                 throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    3602. 

  3602.             }
    3603. 

  3603. 

  3604.             unsigned entries = ldap_count_entries(ld, searchResult);
    3605. 

  3605.             if(entries == 0)
    3606. 

  3606.             {
    3607. 

  3607.                 int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );
    3608. 

  3608. 

  3609.                 if ( rc != LDAP_SUCCESS )
    3610. 

  3610.                 {
    3611. 

  3611.                     throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getSysUserBasedn());
    3612. 

  3612.                 }
    3613. 

  3613.             }
    3614. 

  3614. 

  3615.             message = LdapFirstEntry( ld, searchResult);
    3616. 

  3616.             if(searchResult != NULL)
    3617. 

  3617.             {
    3618. 

  3618.                 attribute = ldap_first_attribute( ld,searchResult,&ber );
    3619. 

  3619.                 if(attribute != NULL)
    3620. 

  3620.                 {
    3621. 

  3621.                     if (( values = ldap_get_values( ld, message, attribute))  != NULL )
    3622. 

  3622.                     {
    3623. 

  3623.                         char* val = values[0];
    3624. 

  3624.                         userdn.append(val);
    3625. 

  3625.                         ldap_value_free( values );
    3626. 

  3626.                     }
    3627. 

  3627.                 }
    3628. 

  3628.                 ber_free(ber, 0);
    3629. 

  3629.                 ldap_msgfree( searchResult );
    3630. 

  3630.             }
    3631. 

  3631.             if(userdn.length() == 0)
    3632. 

  3632.                 throw MakeStringException(-1, "user %s can't be found", username);
    3633. 

  3633.         }
    3634. 

  3634.         else
    3635. 

  3635.         {
    3636. 

  3636.             if(stricmp(username, "anyone") == 0)
    3637. 

  3637.                 userdn.append(username);
    3638. 

  3638.             else
    3639. 

  3639.                 userdn.append("uid=").append(username).append(",").append(m_ldapconfig->getUserBasedn());
    3640. 

  3640.         }
    3641. 

  3641. 

  3642.     }
    3643. 

  3643.     
    3644. 

  3644.     virtual void getUidFromDN(const char* dn, StringBuffer& uid)
    3645. 

  3645.     {
    3646. 

  3646.         if(dn == NULL || *dn == '\0')
    3647. 

  3647.             return;
    3648. 

  3648. 

  3649.         if(m_ldapconfig->getServerType() != ACTIVE_DIRECTORY)
    3650. 

  3650.         {
    3651. 

  3651.         
    3652. 

  3652.             const char* comma = strchr(dn, ',');
    3653. 

  3653.             // DN is in the format of "uid=uuu,ou=ooo,dc=dd"
    3654. 

  3654.             uid.append(comma - dn - 4, dn + 4);
    3655. 

  3655.             return;
    3656. 

  3656.         }
    3657. 

  3657. 

  3658.         StringBuffer filter;
    3659. 

  3659.         filter.append("distinguishedName=").append(dn);
    3660. 

  3660. 

  3661.         char        *attribute, **values = NULL;       
    3662. 

  3662.         BerElement  *ber;
    3663. 

  3663.         LDAPMessage *searchResult, *message;
    3664. 

  3664. 

  3665.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3666. 

  3666. 

  3667.         char *uid_fieldname = "sAMAccountName";
    3668. 

  3668. 

  3669.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3670. 

  3670.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3671. 

  3671. 

  3672.         char        *attrs[] = {uid_fieldname, NULL};
    3673. 

  3673.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    3674. 

  3674. 

  3675.         if ( rc != LDAP_SUCCESS )
    3676. 

  3676.         {
    3677. 

  3677.             throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    3678. 

  3678.         }
    3679. 

  3679. 

  3680.         message = LdapFirstEntry( ld, searchResult);
    3681. 

  3681.         if(searchResult != NULL)
    3682. 

  3682.         {
    3683. 

  3683.             attribute = ldap_first_attribute( ld,searchResult,&ber );
    3684. 

  3684.             if(attribute != NULL)
    3685. 

  3685.             {
    3686. 

  3686.                 if (( values = ldap_get_values( ld, message, attribute))  != NULL )
    3687. 

  3687.                 {
    3688. 

  3688.                     char* val = values[0];
    3689. 

  3689.                     uid.append(val);
    3690. 

  3690.                     ldap_value_free( values );
    3691. 

  3691.                 }
    3692. 

  3692.             }
    3693. 

  3693.             ber_free(ber, 0);
    3694. 

  3694.             ldap_msgfree( searchResult );
    3695. 

  3695.         }
    3696. 

  3696.     }
    3697. 

  3697. 

  3698.     virtual void getGroupDN(const char* groupname, StringBuffer& groupdn)
    3699. 

  3699.     {
    3700. 

  3700.         if(groupname == NULL)
    3701. 

  3701.             return;
    3702. 

  3702.         LdapServerType stype = m_ldapconfig->getServerType();
    3703. 

  3703.         groupdn.append("cn=").append(groupname).append(",");
    3704. 

  3704.         if(stype == ACTIVE_DIRECTORY && stricmp(groupname, "Administrators") == 0)
    3705. 

  3705.         {
    3706. 

  3706.             groupdn.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    3707. 

  3707.         }
    3708. 

  3708.         else if((stype == IPLANET || stype == OPEN_LDAP) && stricmp(groupname, "Directory Administrators") == 0)
    3709. 

  3709.         {
    3710. 

  3710.             groupdn.append(m_ldapconfig->getBasedn());
    3711. 

  3711.         }
    3712. 

  3712.         else
    3713. 

  3713.         {
    3714. 

  3714.             groupdn.append(m_ldapconfig->getGroupBasedn());
    3715. 

  3715.         }
    3716. 

  3716.     }
    3717. 

  3717. 

  3718.     virtual void getGroupBaseDN(const char* groupname, StringBuffer& groupbasedn)
    3719. 

  3719.     {
    3720. 

  3720.         if(groupname == NULL)
    3721. 

  3721.             return;
    3722. 

  3722.         LdapServerType stype = m_ldapconfig->getServerType();
    3723. 

  3723.         if(stype == ACTIVE_DIRECTORY && stricmp(groupname, "Administrators") == 0)
    3724. 

  3724.         {
    3725. 

  3725.             groupbasedn.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    3726. 

  3726.         }
    3727. 

  3727.         else if((stype == IPLANET || stype == OPEN_LDAP) && stricmp(groupname, "Directory Administrators") == 0)
    3728. 

  3728.         {
    3729. 

  3729.             groupbasedn.append(m_ldapconfig->getBasedn());
    3730. 

  3730.         }
    3731. 

  3731.         else
    3732. 

  3732.         {
    3733. 

  3733.             groupbasedn.append(m_ldapconfig->getGroupBasedn());
    3734. 

  3734.         }
    3735. 

  3735.     }
    3736. 

  3736. 

  3737.     virtual void getAdminGroupDN(StringBuffer& groupdn)
    3738. 

  3738.     {
    3739. 

  3739.         LdapServerType stype = m_ldapconfig->getServerType();
    3740. 

  3740.         if(stype == ACTIVE_DIRECTORY)
    3741. 

  3741.         {
    3742. 

  3742.             groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
    3743. 

  3743.         }
    3744. 

  3744.         else if(stype == IPLANET)
    3745. 

  3745.         {
    3746. 

  3746.             groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
    3747. 

  3747.         }
    3748. 

  3748.         else if(stype == OPEN_LDAP)
    3749. 

  3749.         {
    3750. 

  3750.             groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
    3751. 

  3751.         }
    3752. 

  3752.     }
    3753. 

  3753. 

  3754.     virtual void changeUserMemberOf(const char* action, const char* userdn, const char* groupdn)
    3755. 

  3755.     {
    3756. 

  3756.         char *grp_values[] = {(char*)groupdn, NULL};
    3757. 

  3757.         LDAPMod grp_attr = {
    3758. 

  3758.             (action != NULL && stricmp(action, "delete") == 0)?LDAP_MOD_DELETE:LDAP_MOD_ADD,
    3759. 

  3759.             "memberOf",
    3760. 

  3760.             grp_values
    3761. 

  3761.         };
    3762. 

  3762. 

  3763.         LDAPMod *grp_attrs[2];
    3764. 

  3764.         grp_attrs[0] = &grp_attr;
    3765. 

  3765.         grp_attrs[1] = NULL;
    3766. 

  3766. 

  3767.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3768. 

  3768.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3769. 

  3769. 

  3770.         int rc = ldap_modify_ext_s(ld, (char*)userdn, grp_attrs, NULL, NULL);
    3771. 

  3771.         if ( rc != LDAP_SUCCESS )
    3772. 

  3772.         {
    3773. 

  3773.             throw MakeStringException(-1, "error changing group for user %s, ldap_modify_ext_s error: %s", userdn, ldap_err2string( rc ));
    3774. 

  3774.         }
    3775. 

  3775.     }
    3776. 

  3776. 

  3777.     virtual void changeGroupMember(const char* action, const char* groupdn, const char* userdn)
    3778. 

  3778.     {
    3779. 

  3779.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3780. 

  3780.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3781. 

  3781. 

  3782.         const char* memberfieldname;
    3783. 

  3783.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3784. 

  3784.         {
    3785. 

  3785.             memberfieldname = "member";
    3786. 

  3786.         }
    3787. 

  3787.         else
    3788. 

  3788.         {
    3789. 

  3789.             memberfieldname = "uniquemember";
    3790. 

  3790.         }
    3791. 

  3791. 

  3792.         char *member_values[] = {(char*)userdn, NULL};
    3793. 

  3793.         LDAPMod member_attr = {
    3794. 

  3794.             (action != NULL && stricmp(action, "delete") == 0)?LDAP_MOD_DELETE:LDAP_MOD_ADD,
    3795. 

  3795.             (char*)memberfieldname,
    3796. 

  3796.             member_values
    3797. 

  3797.         };
    3798. 

  3798. 

  3799.         LDAPMod *member_attrs[2];
    3800. 

  3800.         member_attrs[0] = &member_attr;
    3801. 

  3801.         member_attrs[1] = NULL;
    3802. 

  3802. 

  3803.         int rc = ldap_modify_ext_s(ld, (char*)groupdn, member_attrs, NULL, NULL);
    3804. 

  3804.         if ( rc != LDAP_SUCCESS )
    3805. 

  3805.         {
    3806. 

  3806.             if (action != NULL && stricmp(action, "delete") == 0)
    3807. 

  3807.                 throw MakeStringException(-1, "Failed in deleting member from group: ldap_modify_ext_s error: %s; userdn: %s; groupdn: %s", ldap_err2string( rc ), userdn, groupdn);
    3808. 

  3808.             else
    3809. 

  3809.                 throw MakeStringException(-1, "Failed in adding member to group, ldap_modify_ext_s error: %s; userdn: %s; groupdn: %s", ldap_err2string( rc ), userdn, groupdn);
    3810. 

  3810.         }
    3811. 

  3811.     }
    3812. 

  3812. 

  3813.     void ConvertCToW(unsigned short* pszDest, const CHAR* pszSrc)
    3814. 

  3814.     {
    3815. 

  3815.         unsigned i = 0;
    3816. 

  3816.         for(i = 0; i < strlen(pszSrc); i++)
    3817. 

  3817.             pszDest[i] = (unsigned short) pszSrc[i];
    3818. 

  3818.         pszDest[i] = (unsigned short)'\0';
    3819. 

  3819.     }
    3820. 

  3820. 

  3821. 

  3822.     virtual bool authorizeScope(ISecUser& user, IArrayOf<ISecResource>& resources, const char* basedn)
    3823. 

  3823.     {
    3824. 

  3824.         IArrayOf<CSecurityDescriptor> sdlist;
    3825. 

  3825.         std::set<const char*, ltstr> scopeset;
    3826. 

  3826.         ForEachItemIn(x, resources)
    3827. 

  3827.         {
    3828. 

  3828.             ISecResource& res = resources.item(x);
    3829. 

  3829.             const char* resourcename = res.getName();
    3830. 

  3830.             if(resourcename == NULL || *resourcename == '\0')
    3831. 

  3831.                 continue;
    3832. 

  3832. 

  3833.             // Add one extra Volume type SecurityDescriptor for each resource for ActiveDirectory.
    3834. 

  3834.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3835. 

  3835.             {
    3836. 

  3836.                 CSecurityDescriptor* sd = new CSecurityDescriptor(resourcename);
    3837. 

  3837.                 sd->setObjectClass("Volume");
    3838. 

  3838.                 sdlist.append(*sd);
    3839. 

  3839.             }
    3840. 

  3840. 

  3841.             scopeset.insert(resourcename);
    3842. 

  3842.             int len = strlen(resourcename);
    3843. 

  3843.             const char* curptr = resourcename + len - 1;
    3844. 

  3844.             while(curptr > resourcename)
    3845. 

  3845.             {
    3846. 

  3846.                 while(curptr > resourcename && *curptr != ':')
    3847. 

  3847.                     curptr--;
    3848. 

  3848.                 bool foundcolon=false;
    3849. 

  3849.                 while(curptr >resourcename && *curptr == ':')
    3850. 

  3850.                 {
    3851. 

  3851.                     curptr--;
    3852. 

  3852.                     foundcolon = true;
    3853. 

  3853.                 }
    3854. 

  3854.                 if(curptr > resourcename || foundcolon)
    3855. 

  3855.                 {
    3856. 

  3856.                     int curlen = curptr - resourcename + 1;
    3857. 

  3857.                     char* curscope = (char*)alloca(curlen + 1);
    3858. 

  3858.                     strncpy(curscope, resourcename, curlen);
    3859. 

  3859.                     curscope[curlen] = 0;
    3860. 

  3860.                     scopeset.insert(curscope);
    3861. 

  3861.                 }
    3862. 

  3862.             }
    3863. 

  3863.         }
    3864. 

  3864. 

  3865.         if(scopeset.size() == 0)
    3866. 

  3866.             return true;
    3867. 

  3867. 

  3868.         std::set<const char*, ltstr>::iterator iter;
    3869. 

  3869.         for(iter = scopeset.begin(); iter != scopeset.end(); iter++)
    3870. 

  3870.         {
    3871. 

  3871.             const char* curscope = *iter;
    3872. 

  3872.             CSecurityDescriptor* sd = new CSecurityDescriptor(*iter);
    3873. 

  3873.             sd->setObjectClass("organizationalUnit");
    3874. 

  3874.             sdlist.append(*sd);
    3875. 

  3875.         }
    3876. 

  3876. 

  3877.         getSecurityDescriptorsScope(sdlist, basedn);
    3878. 

  3878. 

  3879.         IArrayOf<CSecurityDescriptor> matched_sdlist;
    3880. 

  3880.         ForEachItemIn(y, resources)
    3881. 

  3881.         {
    3882. 

  3882.             ISecResource& res = resources.item(y);
    3883. 

  3883.             const char* rname = res.getName();
    3884. 

  3884.             if(rname == NULL || *rname == '\0')
    3885. 

  3885.                 throw MakeStringException(-1, "resource name can't be empty inside authorizeScope");
    3886. 

  3886. 

  3887.             CSecurityDescriptor* matchedsd = NULL;
    3888. 

  3888.             ForEachItemIn(z, sdlist)
    3889. 

  3889.             {
    3890. 

  3890.                 CSecurityDescriptor& sd = sdlist.item(z);
    3891. 

  3891.                 const char* sdname = sd.getName();
    3892. 

  3892.                 if(sdname ==  NULL || *sdname == '\0')
    3893. 

  3893.                     continue;
    3894. 

  3894.                 if(strncmp(sdname, rname, strlen(sdname)) == 0 
    3895. 

  3895.                     && (matchedsd == NULL 
    3896. 

  3896.                         || ((matchedsd->getDescriptor().length() == 0 && sd.getDescriptor().length() > 0) 
    3897. 

  3897.                         || (sd.getDescriptor().length() > 0 && strlen(sdname) > strlen(matchedsd->getName())))))
    3898. 

  3898.                     matchedsd = &sd;
    3899. 

  3899.             }
    3900. 

  3900.             if(matchedsd != NULL)
    3901. 

  3901.                 matched_sdlist.append(*LINK(matchedsd));
    3902. 

  3902.             else
    3903. 

  3903.                 matched_sdlist.append(*(new CSecurityDescriptor(rname)));
    3904. 

  3904.         }
    3905. 

  3905. 

  3906.         bool ok = false;
    3907. 

  3907.         if(m_pp != NULL)
    3908. 

  3908.             ok = m_pp->getPermissions(user, matched_sdlist, resources);
    3909. 

  3909.         return ok;
    3910. 

  3910.     }
    3911. 

  3911. 

  3912.     virtual void getSecurityDescriptors(SecResourceType rtype, IArrayOf<CSecurityDescriptor>& sdlist)
    3913. 

  3913.     {
    3914. 

  3914.         int len = sdlist.length();
    3915. 

  3915.         if(len == 0)
    3916. 

  3916.             return;
    3917. 

  3917. 

  3918.         const char* rbasedn = m_ldapconfig->getResourceBasedn(rtype);
    3919. 

  3919.         if(rbasedn == NULL || *rbasedn == '\0')
    3920. 

  3920.         {
    3921. 

  3921.             DBGLOG("corresponding resource basedn is not defined");
    3922. 

  3922.             return;
    3923. 

  3923.         }
    3924. 

  3924.             
    3925. 

  3925.         std::map<std::string, IArrayOf<CSecurityDescriptor>*> sdmap;
    3926. 

  3926. 

  3927.         for(int i = 0; i < len; i++)
    3928. 

  3928.         {
    3929. 

  3929.             CSecurityDescriptor& sd = sdlist.item(i);
    3930. 

  3930.             const char* relativeBasedn = sd.getRelativeBasedn();
    3931. 

  3931.             StringBuffer basedn;
    3932. 

  3932.             if(relativeBasedn != NULL)
    3933. 

  3933.                 basedn.append(relativeBasedn).append(",");
    3934. 

  3934.             basedn.append(rbasedn);
    3935. 

  3935. 

  3936.             std::map<std::string, IArrayOf<CSecurityDescriptor>*>::iterator sdit = sdmap.find(basedn.str());
    3937. 

  3937.             if(sdit == sdmap.end())
    3938. 

  3938.             {
    3939. 

  3939.                 IArrayOf<CSecurityDescriptor>* newlist = new IArrayOf<CSecurityDescriptor>;
    3940. 

  3940.                 newlist->append(*LINK(&sd));
    3941. 

  3941.                 sdmap[basedn.str()] = newlist;
    3942. 

  3942.             }
    3943. 

  3943.             else
    3944. 

  3944.             {
    3945. 

  3945.                 (*sdit).second->append(*LINK(&sd));
    3946. 

  3946.             }
    3947. 

  3947.         }
    3948. 

  3948. 

  3949.         for(std::map<std::string, IArrayOf<CSecurityDescriptor>*>::iterator cur = sdmap.begin(); cur != sdmap.end(); cur++)
    3950. 

  3950.         {
    3951. 

  3951.             getSecurityDescriptors(*((*cur).second), (*cur).first.c_str());
    3952. 

  3952.             delete (*cur).second;
    3953. 

  3953.         }
    3954. 

  3954. 

  3955.     }
    3956. 

  3956. 

  3957.     virtual void getSecurityDescriptors(IArrayOf<CSecurityDescriptor>& sdlist, const char* basedn)
    3958. 

  3958.     {
    3959. 

  3959.         char        *attribute, **values;
    3960. 

  3960.         BerElement  *ber;
    3961. 

  3961.         struct berval** bvalues = NULL;
    3962. 

  3962.         LDAPMessage *searchResult, *message;
    3963. 

  3963.         int i;
    3964. 

  3964.         
    3965. 

  3965.         const char *id_fieldname;
    3966. 

  3966.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3967. 

  3967.         {
    3968. 

  3968.             id_fieldname = "name";
    3969. 

  3969.         }
    3970. 

  3970.         else
    3971. 

  3971.         {
    3972. 

  3972.             id_fieldname = "ou";
    3973. 

  3973.         }
    3974. 

  3974.         const char *des_fieldname = m_ldapconfig->getSdFieldName();
    3975. 

  3975. 

  3976.         int len = sdlist.length();
    3977. 

  3977.         if(len == 0)
    3978. 

  3978.             return;
    3979. 

  3979. 

  3980.         StringBuffer filter;
    3981. 

  3981.         filter.append("(|");
    3982. 

  3982.         for(i = 0; i < len; i++)
    3983. 

  3983.         {
    3984. 

  3984.             CSecurityDescriptor& sd = sdlist.item(i);
    3985. 

  3985.             StringBuffer namebuf;
    3986. 

  3986.             namebuf.append(sd.getName());
    3987. 

  3987.             namebuf.trim();
    3988. 

  3988.             if(namebuf.length() > 0)
    3989. 

  3989.             {
    3990. 

  3990.                 filter.append("(").append(id_fieldname).append("=").append(namebuf.str()).append(")");;
    3991. 

  3991.             }
    3992. 

  3992.         }
    3993. 

  3993.         filter.append(")");
    3994. 

  3994. 

  3995.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3996. 

  3996.         
    3997. 

  3997.         char* attrs[] = {(char*)id_fieldname, (char*)des_fieldname, NULL};
    3998. 

  3998.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3999. 

  3999.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4000. 

  4000.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );     /* returned results */
    4001. 

  4001.         
    4002. 

  4002.         if ( rc != LDAP_SUCCESS )
    4003. 

  4003.         {
    4004. 

  4004.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    4005. 

  4005.             return;
    4006. 

  4006.         }
    4007. 

  4007. 

  4008.         // Go through the search results by checking message types
    4009. 

  4009.         for(message = LdapFirstEntry(ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    4010. 

  4010.         {
    4011. 

  4011.             StringBuffer resourcename;
    4012. 

  4012.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber ); attribute != NULL; 
    4013. 

  4013.                     attribute = ldap_next_attribute( ld, searchResult,ber))
    4014. 

  4014.             {
    4015. 

  4015.                 if(stricmp(attribute, id_fieldname) == 0)
    4016. 

  4016.                 {
    4017. 

  4017.                     if (( values = ldap_get_values( ld, message, attribute)) != NULL )
    4018. 

  4018.                     {
    4019. 

  4019.                         char* val = values[0];
    4020. 

  4020.                         resourcename.append(val);
    4021. 

  4021.                     }
    4022. 

  4022.                     ldap_value_free( values );
    4023. 

  4023.                 }
    4024. 

  4024.                 else if(stricmp(attribute, des_fieldname) == 0) 
    4025. 

  4025.                 {
    4026. 

  4026.                     bvalues = ldap_get_values_len( ld, message, attribute); 
    4027. 

  4027.                 }
    4028. 

  4028.                 ldap_memfree( attribute );
    4029. 

  4029.             }
    4030. 

  4030.             for(i = 0; i < len; i++)
    4031. 

  4031.             {
    4032. 

  4032.                 CSecurityDescriptor& sd = sdlist.item(i);
    4033. 

  4033.                 if(resourcename.length() > 0 && stricmp(resourcename.str(), sd.getName()) == 0)
    4034. 

  4034.                 {
    4035. 

  4035.                     if(bvalues != NULL)
    4036. 

  4036.                     {
    4037. 

  4037.                         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4038. 

  4038.                         {
    4039. 

  4039.                             struct berval* val = bvalues[0];
    4040. 

  4040.                             if(val != NULL)
    4041. 

  4041.                             {
    4042. 

  4042.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4043. 

  4043.                                 sd.setDescriptor(val->bv_len, val->bv_val);
    4044. 

  4044.                             }
    4045. 

  4045.                         }
    4046. 

  4046.                         else
    4047. 

  4047.                         {
    4048. 

  4048.                             MemoryBuffer allvals;
    4049. 

  4049.                             int valseq = 0;
    4050. 

  4050.                             struct berval* val = bvalues[valseq++];
    4051. 

  4051.                             while(val != NULL)
    4052. 

  4052.                             {
    4053. 

  4053.                                 if(val->bv_len > 0)
    4054. 

  4054.                                 {
    4055. 

  4055.                                     allvals.append(val->bv_len, val->bv_val);
    4056. 

  4056.                                     allvals.append('\0'); // my separator between ACIs
    4057. 

  4057.                                 }
    4058. 

  4058.                                 val = bvalues[valseq++];
    4059. 

  4059.                             }
    4060. 

  4060.                             if(allvals.length() > 0)
    4061. 

  4061.                             {
    4062. 

  4062.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4063. 

  4063.                                 sd.setDescriptor(allvals.length(), (void*)allvals.toByteArray());
    4064. 

  4064.                             }
    4065. 

  4065.                         }
    4066. 

  4066.                     }
    4067. 

  4067.                     break;
    4068. 

  4068.                 }
    4069. 

  4069.             }
    4070. 

  4070. 

  4071.             if(bvalues != NULL)
    4072. 

  4072.             {
    4073. 

  4073.                 ldap_value_free_len( bvalues );
    4074. 

  4074.                 bvalues = NULL;
    4075. 

  4075.             }
    4076. 

  4076. 

  4077.             ber_free(ber, 0);
    4078. 

  4078.         }
    4079. 

  4079.         ldap_msgfree( searchResult );
    4080. 

  4080.     }
    4081. 

  4081. 

  4082.     virtual void getSecurityDescriptorsScope(IArrayOf<CSecurityDescriptor>& sdlist, const char* basedn)
    4083. 

  4083.     {
    4084. 

  4084.         char        *attribute;
    4085. 

  4085.         BerElement  *ber;
    4086. 

  4086.         struct berval** bvalues = NULL;
    4087. 

  4087.         LDAPMessage *searchResult, *message;
    4088. 

  4088.         int i;
    4089. 

  4089. 

  4090.         int len = sdlist.length();
    4091. 

  4091.         if(len == 0)
    4092. 

  4092.             return;
    4093. 

  4093. 

  4094.         LdapServerType servertype = m_ldapconfig->getServerType();
    4095. 

  4095. 

  4096.         char *sd_fieldname = (char*)m_ldapconfig->getSdFieldName();
    4097. 

  4097. 

  4098.         StringBuffer filter;
    4099. 

  4099.         filter.append("(|");
    4100. 

  4100.         for(i = 0; i < len; i++)
    4101. 

  4101.         {
    4102. 

  4102.             CSecurityDescriptor& sd = sdlist.item(i);
    4103. 

  4103.             StringBuffer namebuf;
    4104. 

  4104.             namebuf.append(sd.getName());
    4105. 

  4105.             namebuf.trim();
    4106. 

  4106.             if(namebuf.length() > 0)
    4107. 

  4107.             {
    4108. 

  4108.                 const char* resourcename = namebuf.str();
    4109. 

  4109.                 int len = namebuf.length();
    4110. 

  4110.                 const char* curptr = resourcename + len - 1;
    4111. 

  4111.                 StringBuffer dn, cn;
    4112. 

  4112.                 bool isleaf = true;
    4113. 

  4113.                 while(curptr > resourcename)
    4114. 

  4114.                 {
    4115. 

  4115.                     const char* lastptr = curptr;
    4116. 

  4116.                     while(curptr > resourcename && *curptr != ':')
    4117. 

  4117.                         curptr--;
    4118. 

  4118.                     int curlen;
    4119. 

  4119.                     const char* curscope;
    4120. 

  4120.                     if(*curptr == ':')
    4121. 

  4121.                     {
    4122. 

  4122.                         curlen = lastptr - curptr;
    4123. 

  4123.                         curscope = curptr + 1;
    4124. 

  4124.                     }
    4125. 

  4125.                     else
    4126. 

  4126.                     {
    4127. 

  4127.                         curlen = lastptr - curptr + 1;
    4128. 

  4128.                         curscope = curptr;
    4129. 

  4129.                     }
    4130. 

  4130.                     if(isleaf && (sd.getObjectClass() != NULL) && (stricmp(sd.getObjectClass(), "Volume") == 0))
    4131. 

  4131.                     {
    4132. 

  4132.                         cn.append(curlen, curscope);
    4133. 

  4133.                         dn.append("cn=").append(curlen, curscope).append(",");
    4134. 

  4134.                     }
    4135. 

  4135.                     else
    4136. 

  4136.                     {
    4137. 

  4137.                         cn.append(curlen, curscope);
    4138. 

  4138.                         dn.append("ou=").append(curlen, curscope).append(",");
    4139. 

  4139.                     }
    4140. 

  4140.                     
    4141. 

  4141.                     isleaf = false;
    4142. 

  4142. 

  4143.                     if (curptr == resourcename) //handle a single char as the top scope, such as x::abc
    4144. 

  4144.                         break;
    4145. 

  4145. 

  4146.                     while(curptr >resourcename && *curptr == ':')
    4147. 

  4147.                         curptr--;
    4148. 

  4148. 

  4149.                     if (curptr == resourcename && *curptr != ':') //handle a single char as the top scope, such as x::abc
    4150. 

  4150.                     {
    4151. 

  4151.                         dn.append("ou=").append(1, curptr).append(",");
    4152. 

  4152.                     }
    4153. 

  4153.                 }
    4154. 

  4154.                 dn.append(basedn);
    4155. 

  4155. 

  4156.                 if(servertype == ACTIVE_DIRECTORY)
    4157. 

  4157.                 {
    4158. 

  4158.                     filter.append("(distinguishedName=").append(dn.str()).append(")");
    4159. 

  4159.                 }
    4160. 

  4160.                 else if(servertype == IPLANET)
    4161. 

  4161.                 {
    4162. 

  4162.                     filter.append("(entrydn=").append(dn.str()).append(")");
    4163. 

  4163.                 }
    4164. 

  4164.                 else if(servertype == OPEN_LDAP)
    4165. 

  4165.                 {
    4166. 

  4166.                     filter.append("(ou=").append(cn.str()).append(")");
    4167. 

  4167.                 }
    4168. 

  4168.                 sd.setDn(dn.str());
    4169. 

  4169.             }
    4170. 

  4170.         }
    4171. 

  4171.         filter.append(")");
    4172. 

  4172. 

  4173.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    4174. 

  4174.         
    4175. 

  4175.         char* attrs[] = {sd_fieldname, NULL};
    4176. 

  4176.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4177. 

  4177.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4178. 

  4178.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult );     /* returned results */
    4179. 

  4179.         
    4180. 

  4180.         if ( rc != LDAP_SUCCESS )
    4181. 

  4181.         {
    4182. 

  4182.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    4183. 

  4183.             return;
    4184. 

  4184.         }
    4185. 

  4185. 

  4186.         // Go through the search results by checking message types
    4187. 

  4187.         for(message = LdapFirstEntry(ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    4188. 

  4188.         {
    4189. 

  4189.             StringBuffer dn;
    4190. 

  4190.             dn.append(ldap_get_dn(ld, message));
    4191. 

  4191.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber ); attribute != NULL; 
    4192. 

  4192.                     attribute = ldap_next_attribute( ld, searchResult,ber))
    4193. 

  4193.             {
    4194. 

  4194.                 if(stricmp(attribute, sd_fieldname) == 0) 
    4195. 

  4195.                 {
    4196. 

  4196.                     bvalues = ldap_get_values_len( ld, message, attribute); 
    4197. 

  4197.                 }
    4198. 

  4198.                 ldap_memfree( attribute );
    4199. 

  4199.             }
    4200. 

  4200.             for(i = 0; i < len; i++)
    4201. 

  4201.             {
    4202. 

  4202.                 CSecurityDescriptor& sd = sdlist.item(i);
    4203. 

  4203.                 if(dn.length() > 0 && stricmp(dn.str(), sd.getDn()) == 0)
    4204. 

  4204.                 {
    4205. 

  4205.                     if(bvalues != NULL)
    4206. 

  4206.                     {
    4207. 

  4207.                         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4208. 

  4208.                         {
    4209. 

  4209.                             struct berval* val = bvalues[0];
    4210. 

  4210.                             if(val != NULL)
    4211. 

  4211.                             {
    4212. 

  4212.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4213. 

  4213.                                 sd.setDescriptor(val->bv_len, val->bv_val);
    4214. 

  4214.                             }
    4215. 

  4215.                         }
    4216. 

  4216.                         else
    4217. 

  4217.                         {
    4218. 

  4218.                             MemoryBuffer allvals;
    4219. 

  4219.                             int valseq = 0;
    4220. 

  4220.                             struct berval* val = bvalues[valseq++];
    4221. 

  4221.                             while(val != NULL)
    4222. 

  4222.                             {
    4223. 

  4223.                                 if(val->bv_len > 0)
    4224. 

  4224.                                 {
    4225. 

  4225.                                     allvals.append(val->bv_len, val->bv_val);
    4226. 

  4226.                                     allvals.append('\0'); // my separator between ACIs
    4227. 

  4227.                                 }
    4228. 

  4228.                                 val = bvalues[valseq++];
    4229. 

  4229.                             }
    4230. 

  4230.                             if(allvals.length() > 0)
    4231. 

  4231.                             {
    4232. 

  4232.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4233. 

  4233.                                 sd.setDescriptor(allvals.length(), (void*)allvals.toByteArray());
    4234. 

  4234.                             }
    4235. 

  4235.                         }
    4236. 

  4236. 

  4237.                     }
    4238. 

  4238.                     break;
    4239. 

  4239.                 }
    4240. 

  4240.             }
    4241. 

  4241. 

  4242.             if(bvalues != NULL)
    4243. 

  4243.             {
    4244. 

  4244.                 ldap_value_free_len( bvalues );
    4245. 

  4245.                 bvalues = NULL;
    4246. 

  4246.             }
    4247. 

  4247. 

  4248.             ber_free(ber, 0);
    4249. 

  4249.         }
    4250. 

  4250.         ldap_msgfree( searchResult );
    4251. 

  4251.     }
    4252. 

  4252. 

  4253.     virtual void createLdapBasedn(ISecUser* user, const char* basedn, SecPermissionType ptype)
    4254. 

  4254.     {
    4255. 

  4255.         if(basedn == NULL || basedn[0] == '\0')
    4256. 

  4256.             return;
    4257. 

  4257. 

  4258.         const char* ptr = strstr(basedn, "ou=");
    4259. 

  4259.         if(ptr == NULL)
    4260. 

  4260.             return;
    4261. 

  4261.         ptr += 3;
    4262. 

  4262. 

  4263.         StringBuffer oubuf;
    4264. 

  4264.         const char* comma = strchr(ptr, ',');
    4265. 

  4265.         if(comma == NULL)
    4266. 

  4266.         {
    4267. 

  4267.             oubuf.append(ptr);
    4268. 

  4268.             ptr = NULL;
    4269. 

  4269.         }
    4270. 

  4270.         else
    4271. 

  4271.         {
    4272. 

  4272.             oubuf.append(comma - ptr, ptr);
    4273. 

  4273.             ptr = comma + 1;
    4274. 

  4274.         }
    4275. 

  4275. 

  4276.         if(ptr != NULL)
    4277. 

  4277.             createLdapBasedn(user, ptr, ptype);
    4278. 

  4278. 

  4279.         addOrganizationalUnit(user, oubuf.str(), ptr, ptype);
    4280. 

  4280. 

  4281.     }
    4282. 

  4282. 

  4283.     virtual bool addOrganizationalUnit(ISecUser* user, const char* name, const char* basedn, SecPermissionType ptype)
    4284. 

  4284.     {
    4285. 

  4285.         if(name == NULL || basedn == NULL)
    4286. 

  4286.             return false;
    4287. 

  4287. 

  4288.         if(strchr(name, '/') != NULL || strchr(name, '=') != NULL)
    4289. 

  4289.             return false;
    4290. 

  4290. 

  4291.         StringBuffer dn;
    4292. 

  4292.         dn.append("ou=").append(name).append(",").append(basedn);
    4293. 

  4293. 

  4294.         char *ou_values[] = {(char*)name, NULL };
    4295. 

  4295.         LDAPMod ou_attr = 
    4296. 

  4296.         {
    4297. 

  4297.             LDAP_MOD_ADD,
    4298. 

  4298.             "ou",
    4299. 

  4299.             ou_values
    4300. 

  4300.         };
    4301. 

  4301. 

  4302.         char *name_values[] = {(char*)name, NULL };
    4303. 

  4303.         LDAPMod name_attr = 
    4304. 

  4304.         {
    4305. 

  4305.             LDAP_MOD_ADD,
    4306. 

  4306.             "name",
    4307. 

  4307.             name_values
    4308. 

  4308.         };
    4309. 

  4309. 

  4310.         char *oc_values[] = {"OrganizationalUnit", NULL };
    4311. 

  4311.         LDAPMod oc_attr =
    4312. 

  4312.         {
    4313. 

  4313.             LDAP_MOD_ADD,
    4314. 

  4314.             "objectClass",
    4315. 

  4315.             oc_values
    4316. 

  4316.         };
    4317. 

  4317. 

  4318.         MemoryBuffer sdbuf;
    4319. 

  4319.         Owned<CSecurityDescriptor> default_sd = NULL;
    4320. 

  4320.         if(m_pp !=  NULL)
    4321. 

  4321.             default_sd.setown(m_pp->createDefaultSD(*user, name, ptype));
    4322. 

  4322.         if(default_sd != NULL)
    4323. 

  4323.             sdbuf.append(default_sd->getDescriptor());
    4324. 

  4324. 

  4325.         LDAPMod *attrs[6];
    4326. 

  4326.         int ind = 0;
    4327. 

  4327.         attrs[ind++] = &ou_attr;
    4328. 

  4328.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4329. 

  4329.         {       
    4330. 

  4330.             attrs[ind++] = &name_attr;
    4331. 

  4331.         }
    4332. 

  4332.         attrs[ind++] = &oc_attr;
    4333. 

  4333. 

  4334.         LDAPMod sd_attr;
    4335. 

  4335.         struct berval sd_val;
    4336. 

  4336.         sd_val.bv_len = sdbuf.length();
    4337. 

  4337.         sd_val.bv_val = (char*)sdbuf.toByteArray();
    4338. 

  4338.         struct berval* sd_values[] = {&sd_val, NULL};
    4339. 

  4339.         sd_attr.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
    4340. 

  4340.         
    4341. 

  4341.         sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    4342. 

  4342. 

  4343.         sd_attr.mod_vals.modv_bvals = sd_values;
    4344. 

  4344. 

  4345.         if(sdbuf.length() > 0)
    4346. 

  4346.             attrs[ind++] = &sd_attr;
    4347. 

  4347. 

  4348.         attrs[ind] = NULL;
    4349. 

  4349. 

  4350.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4351. 

  4351.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4352. 

  4352.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    4353. 

  4353.         if ( rc != LDAP_SUCCESS )
    4354. 

  4354.         {
    4355. 

  4355.             if(rc == LDAP_ALREADY_EXISTS)
    4356. 

  4356.             {
    4357. 

  4357.                 //WARNLOG("Can't insert ou=%s,%s to Ldap Server, already exists", name, basedn);
    4358. 

  4358.                 return false;
    4359. 

  4359.             }
    4360. 

  4360.             else
    4361. 

  4361.             {
    4362. 

  4362.                 throw MakeStringException(-1, "ldap_add_ext_s error for ou=%s,%s: %d %s", name, basedn, rc, ldap_err2string( rc ));
    4363. 

  4363.             }
    4364. 

  4364.         }
    4365. 

  4365. 

  4366.         return true;
    4367. 

  4367.     }
    4368. 

  4368. 

  4369.     virtual void name2dn(SecResourceType rtype, const char* resourcename, const char* basedn, StringBuffer& ldapname)
    4370. 

  4370.     {
    4371. 

  4371.         StringBuffer namebuf;
    4372. 

  4372. 

  4373.         const char* bptr = resourcename;
    4374. 

  4374.         const char* sep = strstr(resourcename, "::");
    4375. 

  4375.         while(sep != NULL)
    4376. 

  4376.         {
    4377. 

  4377.             if(sep > bptr)
    4378. 

  4378.             {
    4379. 

  4379.                 StringBuffer onebuf;
    4380. 

  4380.                 onebuf.append("ou=").append(sep-bptr, bptr).append(",");
    4381. 

  4381.                 namebuf.insert(0, onebuf.str());
    4382. 

  4382.             }
    4383. 

  4383. 

  4384.             bptr = sep + 2;
    4385. 

  4385.             sep = strstr(bptr, "::");
    4386. 

  4386.         }
    4387. 

  4387.         if(*bptr != '\0')
    4388. 

  4388.         {
    4389. 

  4389.             StringBuffer onebuf;
    4390. 

  4390.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    4391. 

  4391.                 onebuf.append("cn");
    4392. 

  4392.             else
    4393. 

  4393.                 onebuf.append("ou");
    4394. 

  4394.             onebuf.append("=").append(bptr).append(",");
    4395. 

  4395.             namebuf.insert(0, onebuf.str());
    4396. 

  4396.         }
    4397. 

  4397. 

  4398.         namebuf.append(basedn);
    4399. 

  4399.         LdapUtils::normalizeDn(namebuf.str(), m_ldapconfig->getBasedn(), ldapname);
    4400. 

  4400.     }
    4401. 

  4401. 

  4402.     virtual void name2rdn(SecResourceType rtype, const char* resourcename, StringBuffer& ldapname)
    4403. 

  4403.     {
    4404. 

  4404.         if(resourcename == NULL || *resourcename == '\0')
    4405. 

  4405.             return;
    4406. 

  4406. 

  4407.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    4408. 

  4408.             ldapname.append("cn=");
    4409. 

  4409.         else
    4410. 

  4410.             ldapname.append("ou=");
    4411. 

  4411.         
    4412. 

  4412.         const char* prevptr = resourcename;
    4413. 

  4413.         const char* nextptr = strstr(resourcename, "::");
    4414. 

  4414.         while(nextptr != NULL)
    4415. 

  4415.         {
    4416. 

  4416.             prevptr = nextptr + 2;
    4417. 

  4417.             nextptr = strstr(prevptr, "::");
    4418. 

  4418.         }
    4419. 

  4419.         if(prevptr != NULL && *prevptr != '\0')
    4420. 

  4420.             ldapname.append(prevptr);
    4421. 

  4421.     }
    4422. 

  4422. 

  4423.     virtual bool addResource(SecResourceType rtype, ISecUser& user, ISecResource* resource, SecPermissionType ptype, const char* basedn)
    4424. 

  4424.     {
    4425. 

  4425.         Owned<CSecurityDescriptor> template_sd = NULL;
    4426. 

  4426.         const char* templatename = m_ldapconfig->getTemplateName();
    4427. 

  4427.         if(templatename != NULL && *templatename != '\0')
    4428. 

  4428.         {
    4429. 

  4429.             IArrayOf<CSecurityDescriptor> sdlist;
    4430. 

  4430.             template_sd.setown(new CSecurityDescriptor(templatename));
    4431. 

  4431.             sdlist.append(*LINK(template_sd));
    4432. 

  4432.             if(basedn && *basedn)
    4433. 

  4433.                 getSecurityDescriptors(sdlist, basedn);
    4434. 

  4434.             else
    4435. 

  4435.                 getSecurityDescriptors(rtype, sdlist);
    4436. 

  4436.         }
    4437. 

  4437. 

  4438.         Owned<CSecurityDescriptor> default_sd = NULL;
    4439. 

  4439.         if(template_sd != NULL && template_sd->getDescriptor().length() > 0)
    4440. 

  4440.         {
    4441. 

  4441.             MemoryBuffer template_sd_buf;
    4442. 

  4442.             template_sd_buf.append(template_sd->getDescriptor());
    4443. 

  4443.             if(m_pp != NULL)
    4444. 

  4444.                 default_sd.setown(m_pp->createDefaultSD(user, resource, template_sd_buf));
    4445. 

  4445.         }
    4446. 

  4446.         else
    4447. 

  4447.         {
    4448. 

  4448.             if(m_pp !=  NULL)
    4449. 

  4449.                 default_sd.setown(m_pp->createDefaultSD(user, resource, ptype));
    4450. 

  4450.         }
    4451. 

  4451. 

  4452.         return addResource(rtype, user, resource, ptype, basedn, default_sd.get());
    4453. 

  4453.     }
    4454. 

  4454. 

  4455.     virtual bool addResource(SecResourceType rtype, ISecUser& user, ISecResource* resource, SecPermissionType ptype, const char* basedn, CSecurityDescriptor* default_sd, bool lessException=true)
    4456. 

  4456.     {
    4457. 

  4457.         if(resource == NULL)
    4458. 

  4458.             return true;
    4459. 

  4459. 

  4460.         char* resourcename = (char*)resource->getName();
    4461. 

  4461.         if(resourcename == NULL)
    4462. 

  4462.         {
    4463. 

  4463.             DBGLOG("can't add resource, empty resource name");
    4464. 

  4464.             return false;
    4465. 

  4465.         }
    4466. 

  4466. 

  4467.         const char* rbasedn;
    4468. 

  4468.         StringBuffer rbasednbuf;
    4469. 

  4469.         if(basedn == NULL)
    4470. 

  4470.             rbasedn = m_ldapconfig->getResourceBasedn(rtype);
    4471. 

  4471.         else
    4472. 

  4472.         {
    4473. 

  4473.             LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), rbasednbuf);
    4474. 

  4474.             rbasedn = rbasednbuf.str();
    4475. 

  4475.         }
    4476. 

  4476.         if(rbasedn == NULL || *rbasedn == '\0')
    4477. 

  4477.         {
    4478. 

  4478.             DBGLOG("Can't add resource, corresponding resource basedn is not defined");
    4479. 

  4479.             return false;
    4480. 

  4480.         }
    4481. 

  4481. 

  4482.         if(strchr(resourcename, '/') != NULL || strchr(resourcename, '=') != NULL)
    4483. 

  4483.             return false;
    4484. 

  4484. 

  4485.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    4486. 

  4486.         {
    4487. 

  4487.             StringBuffer extbuf;
    4488. 

  4488.             name2dn(rtype, resourcename, rbasedn, extbuf);
    4489. 

  4489.             createLdapBasedn(&user, extbuf.str(), ptype);
    4490. 

  4490.             return true;
    4491. 

  4491.         }
    4492. 

  4492. 

  4493.         LdapServerType servertype = m_ldapconfig->getServerType();
    4494. 

  4494. 

  4495.         char* description = (char*)((CLdapSecResource*)resource)->getDescription();
    4496. 

  4496. 

  4497.         StringBuffer dn;
    4498. 

  4498.         
    4499. 

  4499.         char *fieldname, *oc_name;
    4500. 

  4500.         if(servertype == ACTIVE_DIRECTORY)
    4501. 

  4501.         {
    4502. 

  4502.             fieldname = "cn";
    4503. 

  4503.             oc_name = "Volume";
    4504. 

  4504.         }
    4505. 

  4505.         else
    4506. 

  4506.         {
    4507. 

  4507.             fieldname = "ou";
    4508. 

  4508.             oc_name = "OrganizationalUnit";
    4509. 

  4509.         }
    4510. 

  4510. 

  4511.         dn.append(fieldname).append("=").append(resourcename).append(",");
    4512. 

  4512.         dn.append(rbasedn);
    4513. 

  4513. 

  4514.         char *cn_values[] = {resourcename, NULL };
    4515. 

  4515.         LDAPMod cn_attr = 
    4516. 

  4516.         {
    4517. 

  4517.             LDAP_MOD_ADD,
    4518. 

  4518.             fieldname,
    4519. 

  4519.             cn_values
    4520. 

  4520.         };
    4521. 

  4521.         char *oc_values[] = {oc_name, NULL };
    4522. 

  4522.         LDAPMod oc_attr =
    4523. 

  4523.         {
    4524. 

  4524.             LDAP_MOD_ADD,
    4525. 

  4525.             "objectClass",
    4526. 

  4526.             oc_values
    4527. 

  4527.         };
    4528. 

  4528.         char* uncname_values[] = {resourcename, NULL};
    4529. 

  4529.         LDAPMod uncname_attr =
    4530. 

  4530.         {
    4531. 

  4531.             LDAP_MOD_ADD,
    4532. 

  4532.             "uNCName",
    4533. 

  4533.             uncname_values
    4534. 

  4534.         };
    4535. 

  4535. 

  4536.         StringBuffer descriptionbuf;
    4537. 

  4537.         if(description  && *description)
    4538. 

  4538.             descriptionbuf.append(description);
    4539. 

  4539.         else
    4540. 

  4540.             descriptionbuf.appendf("Access to %s", resourcename);
    4541. 

  4541. 

  4542.         char* description_values[] = {(char*)descriptionbuf.str(), NULL};
    4543. 

  4543.         LDAPMod description_attr =
    4544. 

  4544.         {
    4545. 

  4545.             LDAP_MOD_ADD,
    4546. 

  4546.             "description",
    4547. 

  4547.             description_values
    4548. 

  4548.         };
    4549. 

  4549. 

  4550.         Owned<CSecurityDescriptor> template_sd = NULL;
    4551. 

  4551.         const char* templatename = m_ldapconfig->getTemplateName();
    4552. 

  4552.         if(templatename != NULL && *templatename != '\0')
    4553. 

  4553.         {
    4554. 

  4554.             IArrayOf<CSecurityDescriptor> sdlist;
    4555. 

  4555.             template_sd.setown(new CSecurityDescriptor(templatename));
    4556. 

  4556.             sdlist.append(*LINK(template_sd));
    4557. 

  4557.             getSecurityDescriptors(rtype, sdlist);
    4558. 

  4558.         }
    4559. 

  4559. 

  4560.         int numberOfSegs = 0;
    4561. 

  4561.         if(default_sd != NULL)
    4562. 

  4562.         {
    4563. 

  4563.             numberOfSegs = m_pp->sdSegments(default_sd);
    4564. 

  4564.         }
    4565. 

  4565. 

  4566.         LDAPMod **attrs = (LDAPMod**)(alloca((5+numberOfSegs)*sizeof(LDAPMod*)));
    4567. 

  4567. 

  4568.         int ind = 0;
    4569. 

  4569.         attrs[ind++] = &cn_attr;
    4570. 

  4570.         attrs[ind++] = &oc_attr;
    4571. 

  4571.         attrs[ind++] = &description_attr;
    4572. 

  4572. 

  4573.         if(servertype == ACTIVE_DIRECTORY)
    4574. 

  4574.         {
    4575. 

  4575.             attrs[ind++] = &uncname_attr;
    4576. 

  4576.         }
    4577. 

  4577. 

  4578.         LDAPMod sd_attr;
    4579. 

  4579. 

  4580.         if(default_sd != NULL)
    4581. 

  4581.         {
    4582. 

  4582.             struct berval** sd_values = (struct berval**)alloca(sizeof(struct berval*)*(numberOfSegs+1));
    4583. 

  4583.             MemoryBuffer& sdbuf = default_sd->getDescriptor();
    4584. 

  4584. 

  4585.             // Active Directory acutally has only one segment.
    4586. 

  4586.             if(servertype == ACTIVE_DIRECTORY)
    4587. 

  4587.             {
    4588. 

  4588.                 struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    4589. 

  4589.                 sd_val->bv_len = sdbuf.length();
    4590. 

  4590.                 sd_val->bv_val = (char*)sdbuf.toByteArray();
    4591. 

  4591.                 sd_values[0] = sd_val;
    4592. 

  4592.                 sd_values[1] = NULL;
    4593. 

  4593. 

  4594.                 sd_attr.mod_type = "ntSecurityDescriptor";
    4595. 

  4595.             }
    4596. 

  4596.             else
    4597. 

  4597.             {
    4598. 

  4598.                 const char* bbptr = sdbuf.toByteArray();
    4599. 

  4599.                 const char* bptr = sdbuf.toByteArray();
    4600. 

  4600.                 int sdbuflen = sdbuf.length();
    4601. 

  4601.                 int segind;
    4602. 

  4602.                 for(segind = 0; segind < numberOfSegs; segind++)
    4603. 

  4603.                 {
    4604. 

  4604.                     if(bptr - bbptr >= sdbuflen)
    4605. 

  4605.                         break;
    4606. 

  4606.                     while(*bptr == '\0' && (bptr - bbptr) < sdbuflen)
    4607. 

  4607.                         bptr++;
    4608. 

  4608. 

  4609.                     const char* eptr = bptr;
    4610. 

  4610.                     while(*eptr != '\0' && (eptr - bbptr) < sdbuflen)
    4611. 

  4611.                         eptr++;
    4612. 

  4612. 

  4613.                     struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    4614. 

  4614.                     sd_val->bv_len = eptr - bptr;
    4615. 

  4615.                     sd_val->bv_val = (char*)bptr;
    4616. 

  4616.                     sd_values[segind] = sd_val;
    4617. 

  4617. 

  4618.                     bptr = eptr + 1;
    4619. 

  4619.                 }
    4620. 

  4620.                 sd_values[segind] = NULL;
    4621. 

  4621. 

  4622.                 sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    4623. 

  4623.             }
    4624. 

  4624.             sd_attr.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
    4625. 

  4625.             sd_attr.mod_vals.modv_bvals = sd_values;
    4626. 

  4626. 

  4627.             attrs[ind++] = &sd_attr;
    4628. 

  4628.         }
    4629. 

  4629.         attrs[ind] = NULL;
    4630. 

  4630. 

  4631.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4632. 

  4632.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4633. 

  4633.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    4634. 

  4634.         if ( rc != LDAP_SUCCESS )
    4635. 

  4635.         {
    4636. 

  4636.             if(rc == LDAP_ALREADY_EXISTS)
    4637. 

  4637.             {
    4638. 

  4638.                 //WARNLOG("Can't insert %s to Ldap Server, already exists", resourcename);
    4639. 

  4639.                 if(lessException)
    4640. 

  4640.                     return false;
    4641. 

  4641.                 else
    4642. 

  4642.                     throw MakeStringException(-1, "Can't insert %s, already exists", resourcename);
    4643. 

  4643.             }
    4644. 

  4644.             else
    4645. 

  4645.             {
    4646. 

  4646.                 throw MakeStringException(-1, "ldap_add_ext_s error for %s: %d %s", resourcename, rc, ldap_err2string( rc ));
    4647. 

  4647.             }
    4648. 

  4648.         }
    4649. 

  4649. 

  4650.         return true;
    4651. 

  4651.     }
    4652. 

  4652. 

  4653.     virtual bool enableUser(ISecUser* user, const char* dn, LDAP* ld)
    4654. 

  4654.     {
    4655. 

  4655.         const char* username = user->getName();
    4656. 

  4656. 

  4657.         StringBuffer filter;
    4658. 

  4658.         filter.append("sAMAccountName=").append(username);
    4659. 

  4659. 

  4660.         char        *attribute, **values = NULL;       
    4661. 

  4661.         BerElement  *ber;
    4662. 

  4662.         LDAPMessage *searchResult, *message;
    4663. 

  4663. 

  4664.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    4665. 

  4665. 

  4666.         char        *attrs[] = {"userAccountControl", NULL};
    4667. 

  4667.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult );
    4668. 

  4668. 

  4669.         if ( rc != LDAP_SUCCESS )
    4670. 

  4670.         {
    4671. 

  4671.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    4672. 

  4672.             return false;
    4673. 

  4673.         }
    4674. 

  4674. 

  4675.         StringBuffer act_ctrl;
    4676. 

  4676.         message = LdapFirstEntry( ld, searchResult);
    4677. 

  4677.         if(searchResult != NULL)
    4678. 

  4678.         {
    4679. 

  4679.             for ( attribute = ldap_first_attribute( ld,searchResult,&ber );
    4680. 

  4680.                 attribute != NULL; 
    4681. 

  4681.                 attribute = ldap_next_attribute( ld, searchResult,ber))
    4682. 

  4682.             {
    4683. 

  4683.                 if(stricmp(attribute, "userAccountControl") != 0)
    4684. 

  4684.                     continue;
    4685. 

  4685.                 if (( values = ldap_get_values( ld, message, attribute))  != NULL )
    4686. 

  4686.                 {
    4687. 

  4687.                     char* val = values[0];
    4688. 

  4688.                     act_ctrl.append(val);
    4689. 

  4689.                     ldap_value_free( values );
    4690. 

  4690.                     break;
    4691. 

  4691.                 }
    4692. 

  4692.             }
    4693. 

  4693.             ber_free(ber, 0);
    4694. 

  4694.             ldap_msgfree( searchResult );
    4695. 

  4695.         }
    4696. 

  4696. 

  4697.         if(act_ctrl.length() == 0)
    4698. 

  4698.         {
    4699. 

  4699.             DBGLOG("enableUser: userAccountControl doesn't exist");
    4700. 

  4700.             return false;
    4701. 

  4701.         }
    4702. 

  4702. 

  4703.         unsigned act_ctrl_val = atoi(act_ctrl.str());
    4704. 

  4704. 

  4705.         // UF_ACCOUNTDISABLE 0x0002
    4706. 

  4706.         act_ctrl_val &= 0xFFFFFFFD;
    4707. 

  4707.         
    4708. 

  4708.         // UF_DONT_EXPIRE_PASSWD 0x10000
    4709. 

  4709.         act_ctrl_val |= 0x10000;
    4710. 

  4710. 

  4711.         StringBuffer new_act_ctrl;
    4712. 

  4712.         new_act_ctrl.append(act_ctrl_val);
    4713. 

  4713. 

  4714.         char *ctrl_values[] = {(char*)new_act_ctrl.str(), NULL};
    4715. 

  4715.         LDAPMod ctrl_attr = {
    4716. 

  4716.             LDAP_MOD_REPLACE,
    4717. 

  4717.             "userAccountControl",
    4718. 

  4718.             ctrl_values
    4719. 

  4719.         };
    4720. 

  4720.         LDAPMod *cattrs[2];
    4721. 

  4721.         cattrs[0] = &ctrl_attr;
    4722. 

  4722.         cattrs[1] = NULL;
    4723. 

  4723. 

  4724.         rc = ldap_modify_ext_s(ld, (char*)dn, cattrs, NULL, NULL);
    4725. 

  4725.         if ( rc != LDAP_SUCCESS )
    4726. 

  4726.         {
    4727. 

  4727.             throw MakeStringException(-1, "error enableUser %s, ldap_modify_ext_s error: %s", username, ldap_err2string( rc ));
    4728. 

  4728.         }
    4729. 

  4729. 

  4730.         // set the password.
    4731. 

  4731.         Owned<ISecUser> tmpuser = new CLdapSecUser(user->getName(), "");
    4732. 

  4732.         const char* passwd = user->credentials().getPassword();
    4733. 

  4733.         if(passwd == NULL || *passwd == '\0')
    4734. 

  4734.             passwd = "password";
    4735. 

  4735. 

  4736.         updateUser(*tmpuser, passwd);
    4737. 

  4737. 

  4738.         return true;
    4739. 

  4739.     }
    4740. 

  4740. 

  4741. 

  4742.     virtual bool addUser(ISecUser& user)
    4743. 

  4743.     {
    4744. 

  4744.         const char* username = user.getName();
    4745. 

  4745.         if(username == NULL || *username == '\0')
    4746. 

  4746.         {
    4747. 

  4747.             DBGLOG("Can't add user, username not set");
    4748. 

  4748.             return false;
    4749. 

  4749.         }
    4750. 

  4750. 

  4751.         const char* fname = user.getFirstName();
    4752. 

  4752.         const char* lname = user.getLastName();
    4753. 

  4753.         if((lname == NULL || *lname == '\0') && (fname == NULL || *fname == '\0' || m_ldapconfig->getServerType() == IPLANET))
    4754. 

  4754.             lname = username;
    4755. 

  4755. 

  4756.         const char* fullname = user.getFullName();
    4757. 

  4757.         StringBuffer fullname_buf;
    4758. 

  4758.         if(fullname == NULL || *fullname == '\0')
    4759. 

  4759.         {
    4760. 

  4760.             if(fname != NULL && *fname != '\0')
    4761. 

  4761.             {
    4762. 

  4762.                 fullname_buf.append(fname);
    4763. 

  4763.                 if(lname != NULL && *lname != '\0')
    4764. 

  4764.                     fullname_buf.append(" ");
    4765. 

  4765.             }
    4766. 

  4766.             if(lname != NULL && *lname  != '\0')
    4767. 

  4767.                 fullname_buf.append(lname);
    4768. 

  4768. 

  4769.             if(fullname_buf.length() == 0)
    4770. 

  4770.             {
    4771. 

  4771.                 fullname_buf.append(username);
    4772. 

  4772.             }
    4773. 

  4773.             fullname = fullname_buf.str();
    4774. 

  4774.         }
    4775. 

  4775. 

  4776.         StringBuffer dn;
    4777. 

  4777.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4778. 

  4778.         {
    4779. 

  4779.             dn.append("cn=").append(fullname).append(",");
    4780. 

  4780.         }
    4781. 

  4781.         else
    4782. 

  4782.         {
    4783. 

  4783.             dn.append("uid=").append(user.getName()).append(",");
    4784. 

  4784.         }
    4785. 

  4785.         dn.append(m_ldapconfig->getUserBasedn());
    4786. 

  4786. 

  4787.         char* oc_name;
    4788. 

  4788.         char* act_fieldname;
    4789. 

  4789.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4790. 

  4790.         {
    4791. 

  4791.             oc_name = "User";
    4792. 

  4792.             act_fieldname = "sAMAccountName";
    4793. 

  4793.         }
    4794. 

  4794.         else
    4795. 

  4795.         {
    4796. 

  4796.             oc_name = "inetorgperson";
    4797. 

  4797.             act_fieldname = "uid";
    4798. 

  4798.         }
    4799. 

  4799. 

  4800.         char *cn_values[] = {(char*)fullname, NULL };
    4801. 

  4801.         LDAPMod cn_attr = 
    4802. 

  4802.         {
    4803. 

  4803.             LDAP_MOD_ADD,
    4804. 

  4804.             "cn",
    4805. 

  4805.             cn_values
    4806. 

  4806.         };
    4807. 

  4807. 

  4808.         char *oc_values[] = {oc_name, NULL};
    4809. 

  4809.         LDAPMod oc_attr =
    4810. 

  4810.         {
    4811. 

  4811.             LDAP_MOD_ADD,
    4812. 

  4812.             "objectClass",
    4813. 

  4813.             oc_values
    4814. 

  4814.         };
    4815. 

  4815. 

  4816.         char *gn_values[] = { (char*)fname, NULL };
    4817. 

  4817.         LDAPMod gn_attr = {
    4818. 

  4818.             LDAP_MOD_ADD,
    4819. 

  4819.             "givenName",
    4820. 

  4820.             gn_values
    4821. 

  4821.         };
    4822. 

  4822. 

  4823.         char *sn_values[] = { (char*)lname, NULL };
    4824. 

  4824.         LDAPMod sn_attr = {
    4825. 

  4825.             LDAP_MOD_ADD,
    4826. 

  4826.             "sn",
    4827. 

  4827.             sn_values
    4828. 

  4828.         };
    4829. 

  4829. 

  4830.         char* actname_values[] = {(char*)username, NULL};
    4831. 

  4831.         LDAPMod actname_attr =
    4832. 

  4832.         {
    4833. 

  4833.             LDAP_MOD_ADD,
    4834. 

  4834.             act_fieldname,
    4835. 

  4835.             actname_values
    4836. 

  4836.         };
    4837. 

  4837. 

  4838.         const char* passwd = user.credentials().getPassword();
    4839. 

  4839.         if(passwd == NULL || *passwd == '\0')
    4840. 

  4840.             passwd = "password";
    4841. 

  4841.         char* passwd_values[] = {(char*)passwd, NULL};
    4842. 

  4842.         LDAPMod passwd_attr =
    4843. 

  4843.         {
    4844. 

  4844.             LDAP_MOD_ADD,
    4845. 

  4845.             "userpassword",
    4846. 

  4846.             passwd_values
    4847. 

  4847.         };
    4848. 

  4848. 

  4849.         char *dispname_values[] = {(char*)fullname, NULL };
    4850. 

  4850.         LDAPMod dispname_attr = 
    4851. 

  4851.         {
    4852. 

  4852.             LDAP_MOD_ADD,
    4853. 

  4853.             "displayName",
    4854. 

  4854.             dispname_values
    4855. 

  4855.         };
    4856. 

  4856. 

  4857.         char* username_values[] = {(char*)username, NULL};
    4858. 

  4858.         LDAPMod username_attr =
    4859. 

  4859.         {
    4860. 

  4860.             LDAP_MOD_ADD,
    4861. 

  4861.             "userPrincipalName",
    4862. 

  4862.             username_values
    4863. 

  4863.         };
    4864. 

  4864. 

  4865.         LDAPMod *attrs[8];
    4866. 

  4866.         int ind = 0;
    4867. 

  4867.         
    4868. 

  4868.         attrs[ind++] = &cn_attr;
    4869. 

  4869.         attrs[ind++] = &oc_attr;
    4870. 

  4870.         if(fname != NULL && *fname != '\0')
    4871. 

  4871.             attrs[ind++] = &gn_attr;
    4872. 

  4872.         if(lname != NULL && *lname != '\0')
    4873. 

  4873.             attrs[ind++] = &sn_attr;
    4874. 

  4874.         attrs[ind++] = &actname_attr;
    4875. 

  4875. 

  4876.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4877. 

  4877.         {
    4878. 

  4878.             attrs[ind++] = &username_attr;
    4879. 

  4879.             attrs[ind++] = &dispname_attr;
    4880. 

  4880.         }
    4881. 

  4881.         else
    4882. 

  4882.         {
    4883. 

  4883.             attrs[ind++] = &passwd_attr;
    4884. 

  4884.         }
    4885. 

  4885. 

  4886.         attrs[ind] = NULL;
    4887. 

  4887. 

  4888.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4889. 

  4889.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4890. 

  4890.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    4891. 

  4891.         if ( rc != LDAP_SUCCESS )
    4892. 

  4892.         {
    4893. 

  4893.             if(rc == LDAP_ALREADY_EXISTS)
    4894. 

  4894.             {
    4895. 

  4895.                 DBGLOG("can't add user %s, already exists", username);
    4896. 

  4896.                 throw MakeStringException(-1, "can't add user %s, already exists", username);
    4897. 

  4897.             }
    4898. 

  4898.             else
    4899. 

  4899.             {
    4900. 

  4900.                 DBGLOG("error addUser %s, ldap_add_ext_s error: %s", username, ldap_err2string( rc ));
    4901. 

  4901.                 throw MakeStringException(-1, "error addUser %s, ldap_add_ext_s error: %s", username, ldap_err2string( rc ));
    4902. 

  4902.             }
    4903. 

  4903.         }
    4904. 

  4904. 

  4905.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4906. 

  4906.         {
    4907. 

  4907.             try
    4908. 

  4908.             {
    4909. 

  4909.                 return enableUser(&user, dn.str(), ld);
    4910. 

  4910.             }
    4911. 

  4911.             catch(...)
    4912. 

  4912.             {
    4913. 

  4913.                 deleteUser(&user);
    4914. 

  4914.                 throw;
    4915. 

  4915.             }
    4916. 

  4916.         }
    4917. 

  4917. 

  4918.         return true;
    4919. 

  4919.     }
    4920. 

  4920. };
    4921. 

  4921. 

  4922. int LdapUtils::getServerInfo(const char* ldapserver, int ldapport, StringBuffer& domainDN, LdapServerType& stype, const char* domainname)
    4923. 

  4923. {
    4924. 

  4924.     stype = LDAPSERVER_UNKNOWN;
    4925. 

  4925.     LDAP* ld = LdapInit("ldap", ldapserver, ldapport, 636); 
    4926. 

  4926.     if(ld == NULL)
    4927. 

  4927.     {
    4928. 

  4928.         ERRLOG("ldap init error");
    4929. 

  4929.         return false;
    4930. 

  4930.     }
    4931. 

  4931.     
    4932. 

  4932.     int err = LdapSimpleBind(ld, NULL, NULL);
    4933. 

  4933.     if(err != LDAP_SUCCESS)
    4934. 

  4934.     {
    4935. 

  4935.         DBGLOG("ldap anonymous bind error (%d) - %s", err, ldap_err2string(err));
    4936. 

  4936. 

  4937.         // for new versions of openldap, version 2.2.*
    4938. 

  4938.         if(err == LDAP_PROTOCOL_ERROR)
    4939. 

  4939.             DBGLOG("If you're trying to connect to an OpenLdap server, make sure you have \"allow bind_v2\" enabled in slapd.conf");
    4940. 

  4940. 

  4941.         return err;
    4942. 

  4942.     }
    4943. 

  4943. 

  4944.     LDAPMessage* msg = NULL;
    4945. 

  4945.     char* attrs[] = {"namingContexts", NULL};
    4946. 

  4946.     err = ldap_search_s(ld, NULL, LDAP_SCOPE_BASE, "objectClass=*", attrs, false, &msg);
    4947. 

  4947.     if(err != LDAP_SUCCESS)
    4948. 

  4948.     {
    4949. 

  4949.         DBGLOG("ldap_search_s error: %s", ldap_err2string( err ));
    4950. 

  4950.         return err;
    4951. 

  4951.     }
    4952. 

  4952.     LDAPMessage* entry = LdapFirstEntry(ld, msg);
    4953. 

  4953.     if(entry != NULL)
    4954. 

  4954.     {
    4955. 

  4955.         char** domains = ldap_get_values(ld, entry, "namingContexts");
    4956. 

  4956.         if(domains != NULL)
    4957. 

  4957.         {
    4958. 

  4958.             int i = 0;
    4959. 

  4959.             char* curdn;
    4960. 

  4960.             StringBuffer onedn;
    4961. 

  4961.             while((curdn = domains[i]) != NULL)
    4962. 

  4962.             {
    4963. 

  4963.                 if(*curdn != '\0' && (strncmp(curdn, "dc=", 3) == 0 || strncmp(curdn, "DC=", 3) == 0))
    4964. 

  4964.                 {
    4965. 

  4965.                     if(domainDN.length() == 0)
    4966. 

  4966.                     {
    4967. 

  4967.                         StringBuffer curdomain;
    4968. 

  4968.                         LdapUtils::getName(curdn, curdomain);
    4969. 

  4969.                         if(onedn.length() == 0)
    4970. 

  4970.                             onedn.append(curdomain.str());
    4971. 

  4971.                         if(!domainname || !*domainname || stricmp(curdomain.str(), domainname) == 0)
    4972. 

  4972.                             domainDN.append(curdn);
    4973. 

  4973.                     }
    4974. 

  4974.                 }
    4975. 

  4975.                 else if(*curdn != '\0' && strcmp(curdn, "o=NetscapeRoot") == 0)
    4976. 

  4976.                     stype = IPLANET;
    4977. 

  4977.                 i++;
    4978. 

  4978.             }
    4979. 

  4979.             
    4980. 

  4980.             if(domainDN.length() == 0)
    4981. 

  4981.                 domainDN.append(onedn.str());
    4982. 

  4982. 

  4983.             ldap_value_free(domains);
    4984. 

  4984. 

  4985.             if(stype == LDAPSERVER_UNKNOWN)
    4986. 

  4986.             {
    4987. 

  4987.                 if(i <= 1)
    4988. 

  4988.                     stype = OPEN_LDAP;
    4989. 

  4989.                 else
    4990. 

  4990.                     stype = ACTIVE_DIRECTORY;
    4991. 

  4991.             }
    4992. 

  4992.         }
    4993. 

  4993.     }
    4994. 

  4994.     ldap_msgfree(msg);
    4995. 

  4995.     ldap_unbind(ld);
    4996. 

  4996. 

  4997.     return err;
    4998. 

  4998. }
    4999. 

  4999. 

  5000. #ifdef _WIN32
    5001. 

  5001. bool verifyServerCert(LDAP* ld, PCCERT_CONTEXT pServerCert)
    5002. 

  5002. {
    5003. 

  5003.     return true;
    5004. 

  5004. }
    5005. 

  5005. #endif
    5006. 

  5006. 

  5007. ILdapClient* createLdapClient(IPropertyTree* cfg)
    5008. 

  5008. {
    5009. 

  5009.     return new CLdapClient(cfg);
    5010. 

  5010. }
    5011. 

  5011. 

  5012.