Home Explore Help
Sign In
RONCC
/
Big-Data-HPC-Platform
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a4edfc0ec4
Branches Tags
Big-Data-HPC...
/
system
/
security
/
LdapSecurity
/
ldapconnection.cpp

ldapconnection.cpp 233 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477747784779478047814782478347844785478647874788478947904791479247934794479547964797479847994800480148024803480448054806480748084809481048114812481348144815481648174818481948204821482248234824482548264827482848294830483148324833483448354836483748384839484048414842484348444845484648474848484948504851485248534854485548564857485848594860486148624863486448654866486748684869487048714872487348744875487648774878487948804881488248834884488548864887488848894890489148924893489448954896489748984899490049014902490349044905490649074908490949104911491249134914491549164917491849194920492149224923492449254926492749284929493049314932493349344935493649374938493949404941494249434944494549464947494849494950495149524953495449554956495749584959496049614962496349644965496649674968496949704971497249734974497549764977497849794980498149824983498449854986498749884989499049914992499349944995499649974998499950005001500250035004500550065007500850095010501150125013501450155016501750185019502050215022502350245025502650275028502950305031503250335034503550365037503850395040504150425043504450455046504750485049505050515052505350545055505650575058505950605061506250635064506550665067506850695070507150725073507450755076507750785079508050815082508350845085508650875088508950905091509250935094509550965097509850995100510151025103510451055106510751085109511051115112511351145115511651175118511951205121512251235124512551265127512851295130513151325133513451355136513751385139514051415142514351445145514651475148514951505151515251535154515551565157515851595160516151625163516451655166516751685169517051715172517351745175517651775178517951805181518251835184518551865187518851895190519151925193519451955196519751985199520052015202520352045205520652075208520952105211521252135214521552165217521852195220522152225223522452255226522752285229523052315232523352345235523652375238523952405241524252435244524552465247524852495250525152525253525452555256525752585259526052615262526352645265526652675268526952705271527252735274527552765277527852795280528152825283528452855286528752885289529052915292529352945295529652975298529953005301530253035304530553065307530853095310531153125313531453155316531753185319532053215322532353245325532653275328532953305331533253335334533553365337533853395340534153425343534453455346534753485349535053515352535353545355535653575358535953605361536253635364536553665367536853695370537153725373537453755376537753785379538053815382538353845385538653875388538953905391539253935394539553965397539853995400540154025403540454055406540754085409541054115412541354145415541654175418541954205421542254235424542554265427542854295430543154325433543454355436543754385439544054415442544354445445544654475448544954505451545254535454545554565457545854595460546154625463546454655466546754685469547054715472547354745475547654775478547954805481548254835484548554865487548854895490549154925493549454955496549754985499550055015502550355045505550655075508550955105511551255135514551555165517551855195520552155225523552455255526552755285529553055315532553355345535553655375538553955405541554255435544554555465547554855495550555155525553555455555556555755585559556055615562556355645565556655675568556955705571557255735574557555765577557855795580558155825583558455855586558755885589559055915592559355945595559655975598559956005601560256035604560556065607560856095610561156125613561456155616561756185619562056215622562356245625562656275628562956305631563256335634563556365637563856395640564156425643564456455646564756485649565056515652565356545655565656575658565956605661566256635664566556665667566856695670567156725673567456755676567756785679568056815682568356845685568656875688568956905691569256935694569556965697569856995700570157025703570457055706570757085709571057115712571357145715571657175718571957205721572257235724572557265727572857295730573157325733573457355736573757385739574057415742574357445745574657475748574957505751575257535754575557565757575857595760576157625763576457655766576757685769577057715772577357745775577657775778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627762786279628062816282628362846285628662876288628962906291629262936294629562966297629862996300630163026303630463056306630763086309631063116312631363146315631663176318631963206321632263236324632563266327632863296330633163326333633463356336633763386339634063416342634363446345634663476348634963506351635263536354635563566357635863596360636163626363636463656366636763686369637063716372637363746375637663776378637963806381638263836384638563866387638863896390639163926393639463956396639763986399640064016402640364046405640664076408640964106411641264136414641564166417641864196420642164226423642464256426642764286429643064316432643364346435643664376438643964406441644264436444644564466447644864496450645164526453645464556456645764586459646064616462646364646465646664676468646964706471647264736474647564766477647864796480648164826483 
  1. /*##############################################################################
    2. 

  2. 

  3.     HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®.
    4. 

  4. 

  5.     Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.     you may not use this file except in compliance with the License.
    7. 

  7.     You may obtain a copy of the License at
    8. 

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10. 

  11.     Unless required by applicable law or agreed to in writing, software
    12. 

  12.     distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.     See the License for the specific language governing permissions and
    15. 

  15.     limitations under the License.
    16. 

  16. ############################################################################## */
    17. 

  17. 

  18. // LDAP prototypes use char* where they should be using const char *, resulting in lots of spurious warnings
    19. 

  19. #pragma warning( disable : 4786 )
    20. 

  20. #ifdef __GNUC__
    21. 

  21. #pragma GCC diagnostic ignored "-Wwrite-strings"
    22. 

  22. #endif
    23. 

  23. 

  24. #include "permissions.ipp"
    25. 

  25. #include "aci.ipp"
    26. 

  26. #include "ldapsecurity.ipp"
    27. 

  27. #include "jsmartsock.hpp"
    28. 

  28. #include "jrespool.tpp"
    29. 

  29. #include "mpbase.hpp"
    30. 

  30. #include "dautils.hpp"
    31. 

  31. #include "dasds.hpp"
    32. 

  32. 

  33. #include <map>
    34. 

  34. #include <string>
    35. 

  35. #include <set>
    36. 

  36. 

  37. #ifdef _WIN32
    38. 

  38. #include <lm.h>
    39. 

  39. #define LdapRename ldap_rename_ext_s
    40. 

  40.     LDAPMessage* (*LdapFirstEntry)(LDAP*, LDAPMessage*) = &ldap_first_entry;
    41. 

  41.     LDAPMessage* (*LdapNextEntry)(LDAP* ld, LDAPMessage* entry) = &ldap_next_entry;
    42. 

  42. #else
    43. 

  43. #define LdapRename ldap_rename_s
    44. 

  44.     LDAPMessage* (__stdcall *LdapFirstEntry)(LDAP*, LDAPMessage*) = &ldap_first_message;
    45. 

  45.     LDAPMessage* (__stdcall *LdapNextEntry)(LDAP* ld, LDAPMessage* entry) = &ldap_next_message;
    46. 

  46. #endif
    47. 

  47. 

  48. #define LDAPSEC_MAX_RETRIES 2
    49. 

  49. #define LDAPSEC_RETRY_WAIT  3
    50. 

  50. 

  51. #ifdef _WIN32 
    52. 

  52. #define LDAP_NO_ATTRS "1.1"
    53. 

  53. #endif
    54. 

  54. 

  55. #define PWD_NEVER_EXPIRES (__int64)0x8000000000000000
    56. 

  56. 

  57. #define UNK_PERM_VALUE (SecAccessFlags)-2	//used to initialize "default" permission, which we later try to deduce
    58. 

  58. 

  59. const char* UserFieldNames[] = { "@id", "@name", "@fullname", "@passwordexpiration", "@employeeid" };
    60. 

  60. 

  61. const char* getUserFieldNames(UserField field)
    62. 

  62. {
    63. 

  63.     if (field < UFterm)
    64. 

  64.         return UserFieldNames[field];
    65. 

  65.     return NULL;
    66. 

  66. }
    67. 

  67. 

  68. const char* GroupFieldNames[] = { "@name", "@groupOwner", "@desc" };
    69. 

  69. 

  70. const char* getGroupFieldNames(GroupField field)
    71. 

  71. {
    72. 

  72.     if (field < GFterm)
    73. 

  73.         return GroupFieldNames[field];
    74. 

  74.     return NULL;
    75. 

  75. }
    76. 

  76. 

  77. const char* ResourceFieldNames[] = { "@name", "@desc" };
    78. 

  78. 

  79. const char* getResourceFieldNames(ResourceField field)
    80. 

  80. {
    81. 

  81.     if (field < RFterm)
    82. 

  82.         return ResourceFieldNames[field];
    83. 

  83.     return NULL;
    84. 

  84. }
    85. 

  85. 

  86. const char* ResourcePermissionFieldNames[] = { "@name", "@type", "@allow", "@deny" };
    87. 

  87. 

  88. const char* getResourcePermissionFieldNames(ResourcePermissionField field)
    89. 

  89. {
    90. 

  90.     if (field < RPFterm)
    91. 

  91.         return ResourcePermissionFieldNames[field];
    92. 

  92.     return NULL;
    93. 

  93. }
    94. 

  94. 

  95. class CSecItemIterator: public CInterfaceOf<ISecItemIterator>
    96. 

  96. {
    97. 

  97.     IArrayOf<IPropertyTree> attrs;
    98. 

  98.     unsigned index;
    99. 

  99. public:
    100. 

  100.     CSecItemIterator(IArrayOf<IPropertyTree>& trees)
    101. 

  101.     {
    102. 

  102.         ForEachItemIn(t, trees)
    103. 

  103.             attrs.append(*LINK(&trees.item(t)));
    104. 

  104.         index = 0;
    105. 

  105.     }
    106. 

  106. 

  107.     virtual ~CSecItemIterator()
    108. 

  108.     {
    109. 

  109.         attrs.kill();
    110. 

  110.     }
    111. 

  111. 

  112.     bool  first()
    113. 

  113.     {
    114. 

  114.         index = 0;
    115. 

  115.         return (attrs.ordinality()!=0);
    116. 

  116.     }
    117. 

  117. 

  118.     bool  next()
    119. 

  119.     {
    120. 

  120.         index++;
    121. 

  121.         return (index<attrs.ordinality());
    122. 

  122.     }
    123. 

  123. 

  124.     bool  isValid()
    125. 

  125.     {
    126. 

  126.         return (index<attrs.ordinality());
    127. 

  127.     }
    128. 

  128. 

  129.     IPropertyTree &  query()
    130. 

  130.     {
    131. 

  131.         return attrs.item(index);
    132. 

  132.     }
    133. 

  133. };
    134. 

  134. 

  135. 

  136. class CHostManager
    137. 

  137. {
    138. 

  138. private:
    139. 

  139.     StringArray m_hostArray;
    140. 

  140.     Mutex       m_HMMutex;
    141. 

  141.     unsigned    m_curHostIdx;
    142. 

  142.     bool        m_populated;
    143. 

  143. 

  144. public:
    145. 

  145.     CHostManager()
    146. 

  146.     {
    147. 

  147.         m_populated = false;
    148. 

  148.         m_curHostIdx = 0;
    149. 

  149.     }
    150. 

  150. 

  151.     void populateHosts(const char* addrlist)
    152. 

  152.     {
    153. 

  153.         if (m_populated)
    154. 

  154.             return;
    155. 

  155. 

  156.         synchronized block(m_HMMutex);
    157. 

  157.         if (!m_populated)
    158. 

  158.         {
    159. 

  159.             char *copyFullText = strdup(addrlist);
    160. 

  160.             char *saveptr;
    161. 

  161.             char *ip = strtok_r(copyFullText, "|", &saveptr);
    162. 

  162.             while (ip != NULL)
    163. 

  163.             {
    164. 

  164.                 if (isdigit(*ip))
    165. 

  165.                 {
    166. 

  166.                     char *dash = strrchr(ip, '-');
    167. 

  167.                     if (dash)
    168. 

  168.                     {
    169. 

  169.                         *dash = 0;
    170. 

  170.                         int last = atoi(dash+1);
    171. 

  171.                         char *dot = strrchr(ip, '.');
    172. 

  172.                         *dot = 0;
    173. 

  173.                         int first = atoi(dot+1);
    174. 

  174.                         for (int i = first; i <= last; i++)
    175. 

  175.                         {
    176. 

  176.                             StringBuffer t;
    177. 

  177.                             t.append(ip).append('.').append(i);
    178. 

  178.                             m_hostArray.append(t.str());
    179. 

  179.                         }
    180. 

  180.                     }
    181. 

  181.                     else
    182. 

  182.                     {
    183. 

  183.                         m_hostArray.append(ip);
    184. 

  184.                     }
    185. 

  185.                 }
    186. 

  186.                 else
    187. 

  187.                 {
    188. 

  188.                     m_hostArray.append(ip);
    189. 

  189.                 }
    190. 

  190.                 DBGLOG("Added ldap server %s", m_hostArray.item(m_hostArray.ordinality()-1));
    191. 

  191.                 ip = strtok_r(NULL, "|", &saveptr);
    192. 

  192.             }
    193. 

  193.             free(copyFullText);
    194. 

  194. 

  195.             if(m_hostArray.length() == 0)
    196. 

  196.             {
    197. 

  197.                 throw MakeStringException(-1, "No valid ldap server address specified");
    198. 

  198.             }
    199. 

  199. 

  200.             m_curHostIdx = 0;
    201. 

  201.             m_populated = true;
    202. 

  202.         }
    203. 

  203.     }
    204. 

  204. 

  205.     int queryNumHosts()
    206. 

  206.     {
    207. 

  207.         return m_hostArray.ordinality();
    208. 

  208.     }
    209. 

  209. 

  210.     const char * queryCurrentHost()
    211. 

  211.     {
    212. 

  212.         synchronized block(m_HMMutex);
    213. 

  213.         return m_hostArray.item(m_curHostIdx);
    214. 

  214.     }
    215. 

  215. 

  216.     void blacklistHost(const char * blockedHost)
    217. 

  217.     {
    218. 

  218.         if (m_hostArray.ordinality() == 1)
    219. 

  219.         {
    220. 

  220.             DBGLOG("Cannot blacklist the only configured ldap server %s", m_hostArray.item(m_curHostIdx));
    221. 

  221.             return;
    222. 

  222.         }
    223. 

  223. 

  224.         //If blockedHost is not already blacklisted, do so
    225. 

  225.         synchronized block(m_HMMutex);
    226. 

  226.         if (0 == strcmp(blockedHost, m_hostArray.item(m_curHostIdx)))
    227. 

  227.         {
    228. 

  228.             DBGLOG("Blacklisting ldap server %s", m_hostArray.item(m_curHostIdx));
    229. 

  229.             if (++m_curHostIdx == m_hostArray.ordinality())
    230. 

  230.                 m_curHostIdx = 0;//start over at begin of host array
    231. 

  231.         }
    232. 

  232. 

  233.     }
    234. 

  234. } s_hostManager;
    235. 

  235. 

  236. 

  237. inline bool LdapServerDown(int rc)
    238. 

  238. {
    239. 

  239.     return rc==LDAP_SERVER_DOWN||rc==LDAP_UNAVAILABLE||rc==LDAP_TIMEOUT;
    240. 

  240. }
    241. 

  241. 

  242. class CLdapConfig : implements ILdapConfig, public CInterface
    243. 

  243. {
    244. 

  244. private:
    245. 

  245.     LdapServerType       m_serverType; 
    246. 

  246.     StringAttr           m_cfgServerType;//LDAP Server type name (ActiveDirectory, Fedora389, etc)
    247. 

  247. 

  248.     Owned<IPropertyTree> m_cfg;
    249. 

  249. 

  250.     int                  m_ldapport;
    251. 

  251.     int                  m_ldap_secure_port;
    252. 

  252.     StringBuffer         m_protocol;
    253. 

  253.     StringBuffer         m_basedn;
    254. 

  254.     StringBuffer         m_domain;
    255. 

  255.     StringBuffer         m_authmethod;
    256. 

  256. 

  257.     StringBuffer         m_user_basedn;
    258. 

  258.     StringBuffer         m_group_basedn;
    259. 

  259.     StringBuffer         m_resource_basedn;
    260. 

  260.     StringBuffer         m_filescope_basedn;
    261. 

  261.     StringBuffer         m_view_basedn;
    262. 

  262.     StringBuffer         m_workunitscope_basedn;
    263. 

  263.     StringBuffer         m_sudoers_basedn;
    264. 

  264.     StringBuffer         m_template_name;
    265. 

  265. 

  266.     StringBuffer         m_sysuser;
    267. 

  267.     StringBuffer         m_sysuser_commonname;
    268. 

  268.     StringBuffer         m_sysuser_password;
    269. 

  269.     StringBuffer         m_sysuser_basedn;
    270. 

  270. 

  271.     bool                 m_sysuser_specified;
    272. 

  272.     StringBuffer         m_sysuser_dn;
    273. 

  273. 

  274.     int                  m_maxConnections;
    275. 

  275.     
    276. 

  276.     StringBuffer         m_sdfieldname;
    277. 

  277. 

  278.     int                  m_timeout;
    279. 

  279. public:
    280. 

  280.     IMPLEMENT_IINTERFACE
    281. 

  281. 

  282.     CLdapConfig(IPropertyTree* cfg)
    283. 

  283.     {
    284. 

  284.         int version = LDAP_VERSION3;
    285. 

  285.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    286. 

  286. 

  287.         m_cfg.set(cfg);
    288. 

  288. 

  289.         //Check for LDAP Server type in config
    290. 

  290.         m_serverType = LDAPSERVER_UNKNOWN;
    291. 

  291.         m_cfgServerType.set(cfg->queryProp(".//@serverType"));
    292. 

  292.         if (m_cfgServerType.length())
    293. 

  293.         {
    294. 

  294.             if (0 == stricmp(m_cfgServerType, "ActiveDirectory"))
    295. 

  295.                 m_serverType = ACTIVE_DIRECTORY;
    296. 

  296.             else if (0 == stricmp(m_cfgServerType, "389DirectoryServer"))//uses iPlanet style ACI
    297. 

  297.                 m_serverType = OPEN_LDAP;
    298. 

  298.             else if (0 == stricmp(m_cfgServerType, "OpenLDAP"))
    299. 

  299.                 m_serverType = OPEN_LDAP;
    300. 

  300.             else if (0 == stricmp(m_cfgServerType, "Fedora389"))
    301. 

  301.                 m_serverType = OPEN_LDAP;
    302. 

  302.             else if (0 == stricmp(m_cfgServerType, "iPlanet"))
    303. 

  303.                 m_serverType = IPLANET;
    304. 

  304.             else
    305. 

  305.                 throw MakeStringException(-1, "Unknown LDAP serverType '%s' specified",m_cfgServerType.get());
    306. 

  306.         }
    307. 

  307.         else
    308. 

  308.         {
    309. 

  309.             DBGLOG("LDAP serverType not specified, will try to deduce");
    310. 

  310.         }
    311. 

  311. 

  312.         StringBuffer hostsbuf;
    313. 

  313.         cfg->getProp(".//@ldapAddress", hostsbuf);
    314. 

  314.         if(hostsbuf.length() == 0)
    315. 

  315.         {
    316. 

  316.             throw MakeStringException(-1, "ldapAddress not found in config");
    317. 

  317.         }
    318. 

  318.         s_hostManager.populateHosts(hostsbuf.str());
    319. 

  319. 

  320.         cfg->getProp(".//@ldapProtocol", m_protocol);
    321. 

  321.         if(m_protocol.length() == 0)
    322. 

  322.         {
    323. 

  323.             m_protocol.append("ldap");
    324. 

  324.         }
    325. 

  325.         
    326. 

  326.         StringBuffer portbuf;
    327. 

  327.         cfg->getProp(".//@ldapPort", portbuf);
    328. 

  328.         if(portbuf.length() == 0)
    329. 

  329.             m_ldapport = 389;
    330. 

  330.         else
    331. 

  331.             m_ldapport = atoi(portbuf.str());
    332. 

  332. 

  333.         portbuf.clear();
    334. 

  334.         cfg->getProp(".//@ldapSecurePort", portbuf);
    335. 

  335.         if(portbuf.length() == 0)
    336. 

  336.             m_ldap_secure_port = 636;
    337. 

  337.         else
    338. 

  338.             m_ldap_secure_port = atoi(portbuf.str());
    339. 

  339. 

  340.         m_timeout = cfg->getPropInt(".//@ldapTimeoutSecs", LDAPTIMEOUT);
    341. 

  341. 

  342.         int rc = LDAP_OTHER;
    343. 

  343.         StringBuffer hostbuf, dcbuf;
    344. 

  344.         const char * ldapDomain = cfg->queryProp(".//@ldapDomain");
    345. 

  345.         for (int numHosts=0; numHosts < getHostCount(); numHosts++)
    346. 

  346.         {
    347. 

  347.             getLdapHost(hostbuf);
    348. 

  348.             unsigned port = strieq("ldaps",m_protocol) ? m_ldap_secure_port : m_ldapport;
    349. 

  349.             StringBuffer sysUserDN, decPwd;
    350. 

  350. 

  351.             {
    352. 

  352.                 StringBuffer pwd;
    353. 

  353.                 cfg->getProp(".//@systemPassword", pwd);
    354. 

  354.                 if (pwd.isEmpty())
    355. 

  355.                     throw MakeStringException(-1, "systemPassword is empty");
    356. 

  356.                 decrypt(decPwd, pwd.str());
    357. 

  357. 

  358.                 StringBuffer sysUserCN;
    359. 

  359.                 cfg->getProp(".//@systemCommonName", sysUserCN);
    360. 

  360.                 if (sysUserCN.isEmpty())
    361. 

  361.                     throw MakeStringException(-1, "systemCommonName is empty");
    362. 

  362. 

  363.                 StringBuffer sysBasedn;
    364. 

  364.                 cfg->getProp(".//@systemBasedn", sysBasedn);
    365. 

  365.                 if (sysBasedn.isEmpty())
    366. 

  366.                     throw MakeStringException(-1, "systemBasedn is empty");
    367. 

  367. 

  368.                 //Guesstimate system user baseDN based on config settings. It will be used if anonymous bind fails
    369. 

  369.                 sysUserDN.append("cn=").append(sysUserCN.str()).append(",").append(sysBasedn.str());
    370. 

  370.             }
    371. 

  371. 

  372.             for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    373. 

  373.             {
    374. 

  374.                 rc = LdapUtils::getServerInfo(hostbuf.str(), sysUserDN.str(), decPwd.str(), m_protocol, port, dcbuf, m_serverType, ldapDomain, m_timeout);
    375. 

  375.                 if(!LdapServerDown(rc) || retries >= LDAPSEC_MAX_RETRIES)
    376. 

  376.                     break;
    377. 

  377.                 sleep(LDAPSEC_RETRY_WAIT);
    378. 

  378.                 if(retries < LDAPSEC_MAX_RETRIES)
    379. 

  379.                 {
    380. 

  380.                     DBGLOG("Server %s temporarily unreachable, retrying...", hostbuf.str());
    381. 

  381.                 }
    382. 

  382.             }
    383. 

  383.             if (rc != LDAP_SUCCESS)
    384. 

  384.             {
    385. 

  385.                 blacklistHost(hostbuf);
    386. 

  386.             }
    387. 

  387.             else
    388. 

  388.                 break;
    389. 

  389.         }
    390. 

  390. 

  391.         if(rc != LDAP_SUCCESS)
    392. 

  392.         {
    393. 

  393.             throw MakeStringException(-1, "getServerInfo error - %s", ldap_err2string(rc));
    394. 

  394.         }
    395. 

  395.         const char* basedn = cfg->queryProp(".//@commonBasedn");
    396. 

  396.         if(basedn == NULL || *basedn == '\0')
    397. 

  397.         {
    398. 

  398.             basedn = dcbuf.str();
    399. 

  399.         }
    400. 

  400.         LdapUtils::cleanupDn(basedn, m_basedn);
    401. 

  401. 

  402.         StringBuffer user_basedn;
    403. 

  403.         cfg->getProp(".//@usersBasedn", user_basedn);
    404. 

  404.         if(user_basedn.length() == 0)
    405. 

  405.         {
    406. 

  406.             throw MakeStringException(-1, "users basedn not found in config");
    407. 

  407.         }
    408. 

  408.         LdapUtils::normalizeDn(user_basedn.str(), m_basedn.str(), m_user_basedn);
    409. 

  409.         
    410. 

  410.         StringBuffer group_basedn;
    411. 

  411.         cfg->getProp(".//@groupsBasedn", group_basedn);
    412. 

  412.         if(group_basedn.length() == 0)
    413. 

  413.         {
    414. 

  414.             throw MakeStringException(-1, "groups basedn not found in config");
    415. 

  415.         }
    416. 

  416.         LdapUtils::normalizeDn(group_basedn.str(), m_basedn.str(), m_group_basedn);
    417. 

  417. 

  418.         StringBuffer dnbuf;
    419. 

  419.         cfg->getProp(".//@modulesBasedn", dnbuf);
    420. 

  420.         if(dnbuf.length() == 0)
    421. 

  421.             cfg->getProp(".//@resourcesBasedn", dnbuf);
    422. 

  422.         if(dnbuf.length() > 0)
    423. 

  423.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_resource_basedn);
    424. 

  424. 

  425.         dnbuf.clear();
    426. 

  426.         cfg->getProp(".//@filesBasedn", dnbuf);
    427. 

  427.         if(dnbuf.length() > 0)
    428. 

  428.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_filescope_basedn);
    429. 

  429. 

  430.         dnbuf.clear();
    431. 

  431.         cfg->getProp(".//@viewsBasedn", dnbuf);
    432. 

  432.         if(dnbuf.length() == 0)
    433. 

  433.             dnbuf.append("ou=views,ou=ecl");//viewsBasedn will not exist in legacy environment files
    434. 

  434.         LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_view_basedn);
    435. 

  435. 

  436.         dnbuf.clear();
    437. 

  437.         cfg->getProp(".//@workunitsBasedn", dnbuf);
    438. 

  438.         if(dnbuf.length() > 0)
    439. 

  439.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_workunitscope_basedn);
    440. 

  440.         
    441. 

  441.         if(m_resource_basedn.length() + m_filescope_basedn.length() + m_workunitscope_basedn.length() == 0)
    442. 

  442.         {
    443. 

  443.             throw MakeStringException(-1, "One of the following basedns need to be defined: modulesBasedn, resourcesBasedn, filesBasedn or workunitScopesBasedn.");
    444. 

  444.         }
    445. 

  445. 

  446.         dnbuf.clear();
    447. 

  447.         cfg->getProp(".//@sudoersBasedn", dnbuf);
    448. 

  448.         if(dnbuf.length() == 0)
    449. 

  449.             dnbuf.append("ou=SUDOers");
    450. 

  450.         LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_sudoers_basedn);
    451. 

  451. 

  452.         cfg->getProp(".//@templateName", m_template_name);
    453. 

  453.         cfg->getProp(".//@authMethod", m_authmethod);
    454. 

  454.         cfg->getProp(".//@ldapDomain", m_domain);
    455. 

  455.         if(m_domain.length() == 0)
    456. 

  456.         {
    457. 

  457.             const char* dptr = strchr(m_basedn.str(), '=');
    458. 

  458.             if(dptr != NULL)
    459. 

  459.             {
    460. 

  460.                 dptr++;
    461. 

  461.                 while(*dptr != 0 && *dptr != ',')
    462. 

  462.                 {
    463. 

  463.                     char c = *dptr++;
    464. 

  464.                     m_domain.append(c);
    465. 

  465.                 }
    466. 

  466.             }
    467. 

  467.         }
    468. 

  468. 

  469.         m_sysuser_specified = true;
    470. 

  470.         cfg->getProp(".//@systemUser", m_sysuser);
    471. 

  471.         if(m_sysuser.length() == 0)
    472. 

  472.         {
    473. 

  473.             m_sysuser_specified = false;
    474. 

  474.         }
    475. 

  475. 

  476.         cfg->getProp(".//@systemCommonName", m_sysuser_commonname);
    477. 

  477.         if(m_sysuser_specified && (m_sysuser_commonname.length() == 0))
    478. 

  478.         {
    479. 

  479.             throw MakeStringException(-1, "SystemUser commonname is empty");
    480. 

  480.         }
    481. 

  481. 

  482.         StringBuffer passbuf;
    483. 

  483.         cfg->getProp(".//@systemPassword", passbuf);
    484. 

  484.         decrypt(m_sysuser_password, passbuf.str());
    485. 

  485. 

  486.         StringBuffer sysuser_basedn;
    487. 

  487.         cfg->getProp(".//@systemBasedn", sysuser_basedn);
    488. 

  488. 

  489.         if(sysuser_basedn.length() == 0)
    490. 

  490.         {
    491. 

  491.             if(m_serverType == ACTIVE_DIRECTORY)
    492. 

  492.                 LdapUtils::normalizeDn( "cn=Users", m_basedn.str(), m_sysuser_basedn);
    493. 

  493.             else if(m_serverType == IPLANET)
    494. 

  494.                 m_sysuser_basedn.append("ou=administrators,ou=topologymanagement,o=netscaperoot");
    495. 

  495.             else if(m_serverType == OPEN_LDAP)
    496. 

  496.                 m_sysuser_basedn.append(m_basedn.str());
    497. 

  497.         }
    498. 

  498.         else
    499. 

  499.         {
    500. 

  500.             if(m_serverType == ACTIVE_DIRECTORY)
    501. 

  501.                 LdapUtils::normalizeDn(sysuser_basedn.str(), m_basedn.str(), m_sysuser_basedn);
    502. 

  502.             else
    503. 

  503.                 m_sysuser_basedn.append(sysuser_basedn.str());
    504. 

  504.         }
    505. 

  505. 

  506.         if(m_sysuser_specified)
    507. 

  507.         {
    508. 

  508.             if(m_serverType == IPLANET)
    509. 

  509.                 m_sysuser_dn.append("uid=").append(m_sysuser.str()).append(",").append(m_sysuser_basedn.str());
    510. 

  510.             else if(m_serverType == ACTIVE_DIRECTORY)
    511. 

  511.                 m_sysuser_dn.append("cn=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str());
    512. 

  512.             else if(m_serverType == OPEN_LDAP)
    513. 

  513.             {
    514. 

  514.                 if (0==strcmp("Directory Manager",m_sysuser_commonname.str()))
    515. 

  515.                     m_sysuser_dn.append("cn=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str());
    516. 

  516.                 else
    517. 

  517.                     m_sysuser_dn.append("uid=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str()).append(",").append(m_basedn.str());
    518. 

  518.             }
    519. 

  519.         }
    520. 

  520. 

  521.         m_maxConnections = cfg->getPropInt(".//@maxConnections", DEFAULT_LDAP_POOL_SIZE);
    522. 

  522.         if(m_maxConnections <= 0)
    523. 

  523.             m_maxConnections = DEFAULT_LDAP_POOL_SIZE;
    524. 

  524. 

  525.         if(m_serverType == ACTIVE_DIRECTORY)
    526. 

  526.             m_sdfieldname.append("ntSecurityDescriptor");
    527. 

  527.         else if(m_serverType == IPLANET)
    528. 

  528.             m_sdfieldname.append("aci");
    529. 

  529.         else if(m_serverType == OPEN_LDAP)
    530. 

  530.             m_sdfieldname.append("aci");
    531. 

  531.     }
    532. 

  532. 

  533.     virtual LdapServerType getServerType()
    534. 

  534.     {
    535. 

  535.         return m_serverType;
    536. 

  536.     }
    537. 

  537. 

  538.     virtual const char * getCfgServerType() const
    539. 

  539.     {
    540. 

  540.         return m_cfgServerType.get();
    541. 

  541.     }
    542. 

  542. 

  543.     virtual const char* getSdFieldName()
    544. 

  544.     {
    545. 

  545.         return m_sdfieldname.str();
    546. 

  546.     }
    547. 

  547. 

  548.     virtual int getHostCount()
    549. 

  549.     {
    550. 

  550.         return s_hostManager.queryNumHosts();
    551. 

  551.     }
    552. 

  552. 

  553.     virtual StringBuffer& getLdapHost(StringBuffer& hostbuf)
    554. 

  554.     {
    555. 

  555.         hostbuf.set(s_hostManager.queryCurrentHost());
    556. 

  556.         return hostbuf;
    557. 

  557.     }
    558. 

  558. 

  559.     virtual void blacklistHost(const char * host)
    560. 

  560.     {
    561. 

  561.         s_hostManager.blacklistHost(host);
    562. 

  562.     }
    563. 

  563. 

  564.     virtual void markDown(const char* ldaphost)
    565. 

  565.     {
    566. 

  566.         //SocketEndpoint ep(ldaphost, 0);
    567. 

  567.         //m_ldaphosts->setStatus(ep, false);
    568. 

  568.     }
    569. 

  569. 

  570.     virtual int getLdapPort()
    571. 

  571.     {
    572. 

  572.         return m_ldapport;
    573. 

  573.     }
    574. 

  574. 

  575.     virtual int getLdapSecurePort()
    576. 

  576.     {
    577. 

  577.         return m_ldap_secure_port;
    578. 

  578.     }
    579. 

  579. 

  580.     virtual const char* getProtocol()
    581. 

  581.     {
    582. 

  582.         return m_protocol.str();
    583. 

  583.     }
    584. 

  584. 

  585. 

  586.     virtual const char* getBasedn()
    587. 

  587.     {
    588. 

  588.         return m_basedn.str();
    589. 

  589.     }
    590. 

  590. 

  591.     virtual const char* getDomain()
    592. 

  592.     {
    593. 

  593.         return m_domain.str();
    594. 

  594.     }
    595. 

  595. 

  596.     virtual const char* getAuthMethod()
    597. 

  597.     {
    598. 

  598.         return m_authmethod.str();
    599. 

  599.     }
    600. 

  600. 

  601.     virtual const char* getUserBasedn()
    602. 

  602.     {
    603. 

  603.         return m_user_basedn.str();
    604. 

  604.     }
    605. 

  605. 

  606.     virtual const char* getGroupBasedn()
    607. 

  607.     {
    608. 

  608.         return m_group_basedn.str();
    609. 

  609.     }
    610. 

  610. 

  611.     virtual const char* getViewBasedn()
    612. 

  612.     {
    613. 

  613.         return m_view_basedn.str();
    614. 

  614.     }
    615. 

  615. 

  616.     virtual const char* getResourceBasedn(SecResourceType rtype)
    617. 

  617.     {
    618. 

  618.         if(rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE)
    619. 

  619.             return m_resource_basedn.str();
    620. 

  620.         else if(rtype == RT_FILE_SCOPE)
    621. 

  621.             return m_filescope_basedn.str();
    622. 

  622.         else if(rtype == RT_VIEW_SCOPE)
    623. 

  623.             return m_view_basedn.str();
    624. 

  624.         else if(rtype == RT_WORKUNIT_SCOPE)
    625. 

  625.             return m_workunitscope_basedn.str();
    626. 

  626.         else if(rtype == RT_SUDOERS)
    627. 

  627.             return m_sudoers_basedn.str();
    628. 

  628.         else
    629. 

  629.             return m_resource_basedn.str();
    630. 

  630.     }
    631. 

  631. 

  632.     virtual const char* getTemplateName()
    633. 

  633.     {
    634. 

  634.         return m_template_name.str();
    635. 

  635.     }
    636. 

  636. 

  637.     virtual const char* getSysUser()
    638. 

  638.     {
    639. 

  639.         return m_sysuser.str();
    640. 

  640.     }
    641. 

  641. 

  642.     virtual const char* getSysUserDn()
    643. 

  643.     {
    644. 

  644.         return m_sysuser_dn.str();
    645. 

  645.     }
    646. 

  646. 

  647.     virtual const char* getSysUserCommonName()
    648. 

  648.     {
    649. 

  649.         return m_sysuser_commonname.str();
    650. 

  650.     }
    651. 

  651. 

  652.     virtual const char* getSysUserPassword()
    653. 

  653.     {
    654. 

  654.         return m_sysuser_password.str();
    655. 

  655.     }
    656. 

  656. 

  657.     virtual const char* getSysUserBasedn()
    658. 

  658.     {
    659. 

  659.         return m_sysuser_basedn.str();
    660. 

  660.     }
    661. 

  661. 

  662.     virtual bool sysuserSpecified()
    663. 

  663.     {
    664. 

  664.         return m_sysuser_specified;
    665. 

  665.     }
    666. 

  666. 

  667.     virtual int getMaxConnections()
    668. 

  668.     {
    669. 

  669.         return m_maxConnections;
    670. 

  670.     }
    671. 

  671. 

  672.     // For now, only sets default resourcebasedn, since it's only used by ESP services
    673. 

  673.     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
    674. 

  674.     {
    675. 

  675.         if(rbasedn == NULL || rbasedn[0] == '\0')
    676. 

  676.             return;
    677. 

  677. 

  678.         if(rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE)
    679. 

  679.         {
    680. 

  680.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_resource_basedn);
    681. 

  681.         }
    682. 

  682.         else if(rtype == RT_FILE_SCOPE)
    683. 

  683.         {
    684. 

  684.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_filescope_basedn);
    685. 

  685.         }
    686. 

  686.         else if(rtype == RT_VIEW_SCOPE)
    687. 

  687.         {
    688. 

  688.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_view_basedn);
    689. 

  689.         }
    690. 

  690.         else if(rtype == RT_WORKUNIT_SCOPE)
    691. 

  691.         {
    692. 

  692.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_workunitscope_basedn);
    693. 

  693.         }
    694. 

  694.         else
    695. 

  695.         {
    696. 

  696.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_resource_basedn);
    697. 

  697.         }
    698. 

  698.     }
    699. 

  699. 

  700.     virtual void getDefaultSysUserBasedn(StringBuffer& sysuser_basedn)
    701. 

  701.     {
    702. 

  702.         if(m_serverType == ACTIVE_DIRECTORY)
    703. 

  703.             LdapUtils::normalizeDn( "cn=Users", m_basedn.str(), sysuser_basedn);
    704. 

  704.         else if(m_serverType == IPLANET)
    705. 

  705.             sysuser_basedn.append("ou=administrators,ou=topologymanagement,o=netscaperoot");
    706. 

  706.     }
    707. 

  707. 

  708.     virtual int getLdapTimeout()
    709. 

  709.     {
    710. 

  710.         return m_timeout;
    711. 

  711.     }
    712. 

  712. };
    713. 

  713. 

  714. 

  715. class CLdapConnection : implements ILdapConnection, public CInterface
    716. 

  716. {
    717. 

  717. private:
    718. 

  718.     LDAP                *m_ld;
    719. 

  719.     Owned<CLdapConfig>   m_ldapconfig;
    720. 

  720. 

  721.     time_t               m_lastaccesstime;
    722. 

  722.     bool                 m_connected;
    723. 

  723.     bool                 m_useSSL;
    724. 

  724. 

  725. public:
    726. 

  726.     IMPLEMENT_IINTERFACE
    727. 

  727. 

  728.     CLdapConnection(CLdapConfig* ldapconfig)
    729. 

  729.     {
    730. 

  730.         m_ldapconfig.setown(LINK(ldapconfig));
    731. 

  731.         m_ld = NULL;
    732. 

  732.         m_connected = false;
    733. 

  733.         m_lastaccesstime = 0;
    734. 

  734.         m_useSSL = false;
    735. 

  735.     }
    736. 

  736. 

  737.     ~CLdapConnection()
    738. 

  738.     {
    739. 

  739.         if(m_ld != NULL)
    740. 

  740.         {
    741. 

  741.             LDAP_UNBIND(m_ld);
    742. 

  742.         }
    743. 

  743.     }
    744. 

  744. 

  745. private:
    746. 

  746.     virtual int connect(const char* ldapserver, const char* protocol)
    747. 

  747.     {
    748. 

  748.         if(!ldapserver || *ldapserver == '\0')
    749. 

  749.             return -1;
    750. 

  750. 

  751.         m_ld = LdapUtils::LdapInit(protocol, ldapserver, m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    752. 

  752.         int rc = LDAP_SUCCESS;
    753. 

  753.         if(m_ldapconfig->sysuserSpecified())
    754. 

  754.             rc =  LdapUtils::LdapBind(m_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), m_ldapconfig->getSysUser(), m_ldapconfig->getSysUserPassword(), m_ldapconfig->getSysUserDn(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    755. 

  755.         else
    756. 

  756.             rc =  LdapUtils::LdapBind(m_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), NULL, NULL, NULL, m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    757. 

  757. 

  758.         if(rc == LDAP_SUCCESS)
    759. 

  759.         {
    760. 

  760.             time(&m_lastaccesstime);
    761. 

  761.             m_connected = true;
    762. 

  762.             const char * ldap = NULL;
    763. 

  763.             switch (m_ldapconfig->getServerType())
    764. 

  764.             {
    765. 

  765.             case ACTIVE_DIRECTORY:
    766. 

  766.                 ldap = "Active Directory";
    767. 

  767.                 break;
    768. 

  768.             case OPEN_LDAP:
    769. 

  769.                 ldap = "OpenLDAP";
    770. 

  770.                 break;
    771. 

  771.             case IPLANET:
    772. 

  772.                 ldap = "iplanet";
    773. 

  773.                 break;
    774. 

  774.             default:
    775. 

  775.                 ldap = "unknown";
    776. 

  776.                 break;
    777. 

  777.             }
    778. 

  778.             DBGLOG("Connected to '%s' LdapServer %s using protocol %s", ldap, ldapserver, protocol);
    779. 

  779.         }
    780. 

  780.         else
    781. 

  781.         {
    782. 

  782.             DBGLOG("LDAP: sysuser bind failed - %s", ldap_err2string(rc));
    783. 

  783.             LDAP_UNBIND(m_ld);
    784. 

  784.             m_ld = NULL;
    785. 

  785.         }
    786. 

  786. 

  787.         return rc;
    788. 

  788.     }
    789. 

  789. 

  790. public:
    791. 

  791.     virtual bool connect(bool force_ssl = false)
    792. 

  792.     {
    793. 

  793. 

  794.         const char* proto;
    795. 

  795.         if(force_ssl)
    796. 

  796.         {
    797. 

  797.             proto = "ldaps";
    798. 

  798.             m_useSSL = true;
    799. 

  799.         }
    800. 

  800.         else
    801. 

  801.         {
    802. 

  802.             proto = m_ldapconfig->getProtocol();//get configured protocol, LDAP or LDAPS
    803. 

  803.             m_useSSL = (0 == stricmp(proto, "ldaps") ? true : false);
    804. 

  804.         }
    805. 

  805. 

  806.         int rc = LDAP_SERVER_DOWN;//assume bad things
    807. 

  807.         StringBuffer hostbuf;
    808. 

  808.         for (int numHosts=0; numHosts < m_ldapconfig->getHostCount(); numHosts++)
    809. 

  809.         {
    810. 

  810.             m_ldapconfig->getLdapHost(hostbuf);
    811. 

  811. 

  812.             for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    813. 

  813.             {
    814. 

  814.                 rc = connect(hostbuf.str(), proto);
    815. 

  815.                 if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    816. 

  816.                     break;
    817. 

  817.                 sleep(LDAPSEC_RETRY_WAIT);
    818. 

  818.                 if(retries < LDAPSEC_MAX_RETRIES)
    819. 

  819.                     DBGLOG("Server temporarily unreachable, retrying ...");
    820. 

  820.             }
    821. 

  821. 

  822.             if(rc == LDAP_SERVER_DOWN)
    823. 

  823.             {
    824. 

  824.                 StringBuffer dc;
    825. 

  825.                 LdapUtils::getDcName(m_ldapconfig->getDomain(), dc);
    826. 

  826.                 if(dc.length() > 0)
    827. 

  827.                 {
    828. 

  828.                     WARNLOG("Using automatically obtained LDAP Server %s", dc.str());
    829. 

  829.                     rc = connect(dc.str(), proto);
    830. 

  830.                 }
    831. 

  831.             }
    832. 

  832. 

  833.             if (rc != LDAP_SUCCESS)
    834. 

  834.             {
    835. 

  835.                 m_ldapconfig->blacklistHost(hostbuf);
    836. 

  836.             }
    837. 

  837.             else
    838. 

  838.                 break;
    839. 

  839.         }
    840. 

  840. 

  841.         if(rc == LDAP_SUCCESS)
    842. 

  842.             return true;
    843. 

  843.         else
    844. 

  844.             return false;
    845. 

  845.     }
    846. 

  846. 

  847.     virtual LDAP* getLd()
    848. 

  848.     {
    849. 

  849.         return m_ld;
    850. 

  850.     }
    851. 

  851. 

  852.     virtual bool validate()
    853. 

  853.     {
    854. 

  854.         time_t now;
    855. 

  855.         time(&now);
    856. 

  856. 

  857.         if(!m_connected)
    858. 

  858.             return connect();
    859. 

  859.         else if(now - m_lastaccesstime <= 300)
    860. 

  860.             return true;
    861. 

  861.         else
    862. 

  862.         {
    863. 

  863.             LDAPMessage* msg = NULL;
    864. 

  864.             
    865. 

  865.             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    866. 

  866.             int err = ldap_search_ext_s(m_ld, NULL, LDAP_SCOPE_BASE, "objectClass=*", NULL, 0, NULL, NULL, &timeOut, 1, &msg);
    867. 

  867. 

  868.             if(msg != NULL)
    869. 

  869.                 ldap_msgfree(msg);
    870. 

  870.             
    871. 

  871.             if(err != LDAP_SUCCESS)
    872. 

  872.             {
    873. 

  873.                 if(m_ld != NULL)
    874. 

  874.                 {
    875. 

  875.                     LDAP_UNBIND(m_ld);
    876. 

  876.                     m_ld = NULL;
    877. 

  877.                     m_connected = false;
    878. 

  878.                 }
    879. 

  879.                 DBGLOG("cached connection invalid (%s), creating a new connection", ldap_err2string(err));
    880. 

  880.                 return connect(m_useSSL);//reconnect stale connection, using original protocol
    881. 

  881.             }
    882. 

  882.             else
    883. 

  883.             {
    884. 

  884.                 time(&m_lastaccesstime);
    885. 

  885.             }
    886. 

  886.         }
    887. 

  887. 

  888.         return true;
    889. 

  889.     }
    890. 

  890. };
    891. 

  891. 

  892. class CLdapConnectionPool : implements ILdapConnectionPool, public CInterface
    893. 

  893. {
    894. 

  894. private:
    895. 

  895.     int m_maxsize;
    896. 

  896.     int m_currentsize;
    897. 

  897.     IArrayOf<ILdapConnection> m_connections;
    898. 

  898.     Monitor m_monitor;
    899. 

  899.     Owned<CLdapConfig> m_ldapconfig;
    900. 

  900. 

  901. public:
    902. 

  902.     IMPLEMENT_IINTERFACE
    903. 

  903. 

  904.     CLdapConnectionPool(CLdapConfig* ldapconfig)
    905. 

  905.     {
    906. 

  906.         m_ldapconfig.setown(LINK(ldapconfig));
    907. 

  907.         m_maxsize = m_ldapconfig->getMaxConnections();
    908. 

  908.         m_currentsize = 0;
    909. 

  909.         // Set LDAP version to 3
    910. 

  910.         int version = LDAP_VERSION3;
    911. 

  911.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    912. 

  912.     }
    913. 

  913. 

  914.     virtual ILdapConnection* getConnection()
    915. 

  915.     {
    916. 

  916.         synchronized block(m_monitor);
    917. 

  917.         ForEachItemIn(x, m_connections)
    918. 

  918.         {
    919. 

  919.             CLdapConnection* curcon = (CLdapConnection*)&(m_connections.item(x));
    920. 

  920.             if(curcon != NULL && !curcon->IsShared())
    921. 

  921.             {
    922. 

  922.                 //PrintLog("Reusing an LDAP connection");
    923. 

  923.                 if(curcon->validate())
    924. 

  924.                     return LINK(curcon);
    925. 

  925.                 else
    926. 

  926.                     throw MakeStringException(-1, "Connecting/authenticating to ldap server in re-validation failed");
    927. 

  927.             }
    928. 

  928.         }
    929. 

  929. 

  930.         //PrintLog("Creating new connection");
    931. 

  931.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    932. 

  932.         if(newcon != NULL)
    933. 

  933.         {
    934. 

  934.             if(!newcon->connect())
    935. 

  935.             {
    936. 

  936.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server failed");
    937. 

  937.             }
    938. 

  938.             
    939. 

  939.             if(m_currentsize <= m_maxsize)
    940. 

  940.             {
    941. 

  941.                 m_connections.append(*newcon);
    942. 

  942.                 m_currentsize++;
    943. 

  943.                 return LINK(newcon);
    944. 

  944.             }
    945. 

  945.             else
    946. 

  946.             {
    947. 

  947.                 return newcon;
    948. 

  948.             }
    949. 

  949.         }
    950. 

  950.         else
    951. 

  951.         {
    952. 

  952.             throw MakeStringException(-1, "Failed to create new ldap connection");
    953. 

  953.         }
    954. 

  954.     }
    955. 

  955. 

  956.     virtual ILdapConnection* getSSLConnection()
    957. 

  957.     {
    958. 

  958.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    959. 

  959.         if(newcon != NULL)
    960. 

  960.         {
    961. 

  961.             if(!newcon->connect(true))
    962. 

  962.             {
    963. 

  963.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server via ldaps failed");
    964. 

  964.             }
    965. 

  965.             return newcon;
    966. 

  966.         }
    967. 

  967.         else
    968. 

  968.         {
    969. 

  969.             throw MakeStringException(-1, "Failed to create new ldap connection");
    970. 

  970.         }
    971. 

  971.     }
    972. 

  972. 

  973. };
    974. 

  974. 

  975. #define LDAP_CONNECTION_TIMEOUT INFINITE
    976. 

  976. 

  977. //------------ New Connection Pool Implementation ------------//
    978. 

  978. class CLdapConnectionManager : implements IResourceFactory<CLdapConnection>, public CInterface
    979. 

  979. {
    980. 

  980.     Owned<CLdapConfig>   m_ldapconfig;
    981. 

  981.     
    982. 

  982. public:
    983. 

  983.     IMPLEMENT_IINTERFACE;
    984. 

  984.     
    985. 

  985.     CLdapConnectionManager(CLdapConfig* ldapconfig)
    986. 

  986.     {
    987. 

  987.         m_ldapconfig.setown(LINK(ldapconfig));
    988. 

  988.     }
    989. 

  989. 

  990.     CLdapConnection* createResource()
    991. 

  991.     {
    992. 

  992.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    993. 

  993.         if(newcon != NULL)
    994. 

  994.         {
    995. 

  995.             if(!newcon->connect())
    996. 

  996.             {
    997. 

  997.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server failed");
    998. 

  998.             }
    999. 

  999.             
    1000. 

  1000.             return newcon;
    1001. 

  1001.         }
    1002. 

  1002.         else
    1003. 

  1003.         {
    1004. 

  1004.             throw MakeStringException(-1, "Failed to create new ldap connection");
    1005. 

  1005.         }
    1006. 

  1006.     }
    1007. 

  1007. };
    1008. 

  1008. 

  1009. class CLdapConnectionPool2 : implements ILdapConnectionPool, public CInterface
    1010. 

  1010. {
    1011. 

  1011. private:
    1012. 

  1012.     int m_maxsize;
    1013. 

  1013.     Owned<CLdapConfig> m_ldapconfig;
    1014. 

  1014.     Owned<CResourcePool<CLdapConnection> > m_connections;
    1015. 

  1015. public:
    1016. 

  1016.     IMPLEMENT_IINTERFACE
    1017. 

  1017. 

  1018.     CLdapConnectionPool2(CLdapConfig* ldapconfig)
    1019. 

  1019.     {
    1020. 

  1020.         m_ldapconfig.setown(LINK(ldapconfig));
    1021. 

  1021.         m_maxsize = m_ldapconfig->getMaxConnections();
    1022. 

  1022.         // Set LDAP version to 3
    1023. 

  1023.         int version = LDAP_VERSION3;
    1024. 

  1024.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    1025. 

  1025. 

  1026.         m_connections.setown(new CResourcePool<CLdapConnection>);
    1027. 

  1027.         Owned<CLdapConnectionManager> poolMgr = new CLdapConnectionManager(ldapconfig);
    1028. 

  1028.         m_connections->init(m_maxsize, poolMgr.get());
    1029. 

  1029.     }
    1030. 

  1030. 

  1031.     virtual ILdapConnection* getConnection()
    1032. 

  1032.     {
    1033. 

  1033.         Owned<CLdapConnection> con;
    1034. 

  1034.         try
    1035. 

  1035.         {
    1036. 

  1036.             con.setown(m_connections->get(LDAP_CONNECTION_TIMEOUT));
    1037. 

  1037.         }
    1038. 

  1038.         catch(IException* e)
    1039. 

  1039.         {
    1040. 

  1040.             StringBuffer emsg;
    1041. 

  1041.             e->errorMessage(emsg);
    1042. 

  1042.             DBGLOG("getConnection exception - %s", emsg.str());
    1043. 

  1043.             e->Release();
    1044. 

  1044.         }
    1045. 

  1045.         catch(...)
    1046. 

  1046.         {
    1047. 

  1047.             DBGLOG("getConnection unknown exception");
    1048. 

  1048.         }
    1049. 

  1049. 

  1050.         if(con.get())
    1051. 

  1051.         {
    1052. 

  1052.             if(con->validate())
    1053. 

  1053.                 return con.getLink();
    1054. 

  1054.             else
    1055. 

  1055.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server in re-validation failed");
    1056. 

  1056.         }
    1057. 

  1057.         else
    1058. 

  1058.                 throw MakeStringException(-1, "Failed to get an LDAP Connection.");
    1059. 

  1059.     }
    1060. 

  1060. 

  1061.     virtual ILdapConnection* getSSLConnection()
    1062. 

  1062.     {
    1063. 

  1063.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    1064. 

  1064.         if(newcon != NULL)
    1065. 

  1065.         {
    1066. 

  1066.             if(!newcon->connect(true))
    1067. 

  1067.             {
    1068. 

  1068.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server via ldaps failed");
    1069. 

  1069.             }
    1070. 

  1070.             return newcon;
    1071. 

  1071.         }
    1072. 

  1072.         else
    1073. 

  1073.         {
    1074. 

  1074.             throw MakeStringException(-1, "Failed to create new ldap connection");
    1075. 

  1075.         }
    1076. 

  1076.     }
    1077. 

  1077. };
    1078. 

  1078. 

  1079. 

  1080. struct ltstr
    1081. 

  1081. {
    1082. 

  1082.     bool operator()(const char* s1, const char* s2) const { return strcmp(s1, s2) < 0; }
    1083. 

  1083. };
    1084. 

  1084. 

  1085. 

  1086. //--------------------------------------------
    1087. 

  1087. // This helper class ensures memory allocate by calls
    1088. 

  1088. // to ldap_first_attribute/ldap_next_attribute gets freed
    1089. 

  1089. //--------------------------------------------
    1090. 

  1090. class CLDAPGetAttributesWrapper
    1091. 

  1091. {
    1092. 

  1092. private:
    1093. 

  1093.         LDAP *          ld;
    1094. 

  1094.         LDAPMessage *   entry;
    1095. 

  1095.         BerElement *    elem;
    1096. 

  1096.         char *          attribute;
    1097. 

  1097. public:
    1098. 

  1098.     CLDAPGetAttributesWrapper(LDAP * _ld, LDAPMessage * _entry)
    1099. 

  1099.         : ld(_ld), entry(_entry)
    1100. 

  1100.     {
    1101. 

  1101.         elem = NULL;
    1102. 

  1102.         attribute = NULL;
    1103. 

  1103.     }
    1104. 

  1104. 

  1105.     ~CLDAPGetAttributesWrapper()
    1106. 

  1106.     {
    1107. 

  1107.         if (attribute)
    1108. 

  1108.             ldap_memfree(attribute);
    1109. 

  1109.         if (elem)
    1110. 

  1110.             ber_free(elem, 0);
    1111. 

  1111.     }
    1112. 

  1112. 

  1113.     inline char * getFirst()
    1114. 

  1114.     {
    1115. 

  1115.         return attribute = ldap_first_attribute(ld, entry, &elem);
    1116. 

  1116.     }
    1117. 

  1117. 

  1118.     inline char * getNext()
    1119. 

  1119.     {
    1120. 

  1120.         if (attribute)
    1121. 

  1121.             ldap_memfree(attribute);
    1122. 

  1122.         return attribute = ldap_next_attribute(ld, entry, elem);
    1123. 

  1123.     }
    1124. 

  1124. };
    1125. 

  1125. 

  1126. class CLDAPMessage
    1127. 

  1127. {
    1128. 

  1128. public:
    1129. 

  1129.     LDAPMessage *msg;
    1130. 

  1130.     CLDAPMessage()       { msg = NULL; }
    1131. 

  1131.     ~CLDAPMessage()      { ldapMsgFree(); }
    1132. 

  1132.     inline void ldapMsgFree()  { if (msg) { ldap_msgfree(msg); msg = NULL;} }
    1133. 

  1133.     inline operator LDAPMessage *() const { return msg; }
    1134. 

  1134. };
    1135. 

  1135. 

  1136. //------------------------------------------------------
    1137. 

  1137. // class CPagedLDAPSearch
    1138. 

  1138. //
    1139. 

  1139. //  Performs a "paged" LDAP search, which allows for
    1140. 

  1140. //  searching when there are over 1000 matching entries. Also
    1141. 

  1141. //  works when there are less than 1000, but not as efficient as
    1142. 

  1142. //  simply calling ldap_search_ext_s()
    1143. 

  1143. //------------------------------------------------------
    1144. 

  1144. #define MAX_ENTRIES 1000
    1145. 

  1145. class CPagedLDAPSearch
    1146. 

  1146. {
    1147. 

  1147. private:
    1148. 

  1148.     LDAP *          m_pLdapConn;
    1149. 

  1149.     char *          m_pszDN;
    1150. 

  1150.     unsigned long   m_scope;
    1151. 

  1151.     char *          m_pszFilter;
    1152. 

  1152.     char * *        m_pszAttrs;
    1153. 

  1153. 

  1154.     bool            m_morePages;
    1155. 

  1155.     struct berval * m_pCookie;
    1156. 

  1156.     LDAPMessage *   m_pPageEntry;
    1157. 

  1157.     LDAPMessage *   m_pPageBlock;
    1158. 

  1158.     int             m_timeout;
    1159. 

  1159. 

  1160.     //local helper class, ensures ldap Page Control memory freed
    1161. 

  1161.     class CPageControlMemWrapper
    1162. 

  1162.     {
    1163. 

  1163.         LDAPControl *   m_pageControl;
    1164. 

  1164.         LDAPControl **  m_returnedCtrls;
    1165. 

  1165.     public:
    1166. 

  1166.         CPageControlMemWrapper()                        { m_pageControl = NULL; m_returnedCtrls = NULL; }
    1167. 

  1167.         void setPageControl(LDAPControl * _pageCtrl)    { m_pageControl = _pageCtrl; }
    1168. 

  1168.         void setRetControls(LDAPControl ** _retCtrls)   { m_returnedCtrls = _retCtrls; }
    1169. 

  1169.         virtual ~CPageControlMemWrapper()
    1170. 

  1170.         {
    1171. 

  1171.             if (m_pageControl)
    1172. 

  1172.                 ldap_control_free(m_pageControl);
    1173. 

  1173.             if (m_returnedCtrls)
    1174. 

  1174.                 ldap_controls_free(m_returnedCtrls);
    1175. 

  1175.         }
    1176. 

  1176.     };
    1177. 

  1177. 

  1178.     //---------------------------------------------------
    1179. 

  1179.     // Request next page of search results
    1180. 

  1180.     //---------------------------------------------------
    1181. 

  1181.     bool requestNextPage()
    1182. 

  1182.     {
    1183. 

  1183.         if (!m_morePages)
    1184. 

  1184.             return false;
    1185. 

  1185. 

  1186.         CPageControlMemWrapper pageCtrlMem;
    1187. 

  1187.         TIMEVAL timeOut = {m_timeout,0};
    1188. 

  1188.         try
    1189. 

  1189.         {
    1190. 

  1190. #ifdef LDAP_API_FEATURE_PAGED_RESULTS
    1191. 

  1191.             LDAPControl * pageControl = NULL;
    1192. 

  1192.             int rc = ldap_create_page_control(m_pLdapConn, MAX_ENTRIES, m_pCookie, false, &pageControl);//cookie gets set on first call to ldap_parse_page_control()
    1193. 

  1193.             if (rc != LDAP_SUCCESS)
    1194. 

  1194.             {
    1195. 

  1195.                 int err = GetLastError();
    1196. 

  1196.                 throw MakeStringException(-1, "ldap_create_page_control failed with 0x%x (%s)",err, ldap_err2string( err ));
    1197. 

  1197.             }
    1198. 

  1198.             pageCtrlMem.setPageControl(pageControl);
    1199. 

  1199.             LDAPControl * svrCtrls[] = { pageControl, NULL };
    1200. 

  1200. 

  1201.             if (m_pPageBlock)
    1202. 

  1202.                 ldap_msgfree(m_pPageBlock);
    1203. 

  1203.             rc = ldap_search_ext_s(m_pLdapConn, m_pszDN, m_scope, m_pszFilter, m_pszAttrs, 0, svrCtrls, NULL, &timeOut, 0, &m_pPageBlock);
    1204. 

  1204.             if (rc != LDAP_SUCCESS)
    1205. 

  1205.             {
    1206. 

  1206.                 int err = GetLastError();
    1207. 

  1207.                 if (err && rc != LDAP_PARTIAL_RESULTS)//389DirectoryServer sometimes returns rc, but GetLastError returns 0. In this scenario continuing the query succeeds
    1208. 

  1208.                 {
    1209. 

  1209.                     if (m_pCookie)
    1210. 

  1210.                     {
    1211. 

  1211.                         ber_bvfree(m_pCookie);
    1212. 

  1212.                         m_pCookie = NULL;
    1213. 

  1213.                     }
    1214. 

  1214.                     throw MakeStringException(-1, "ldap_search_ext_s failed with 0x%x (%s)",err, ldap_err2string( err ));
    1215. 

  1215.                 }
    1216. 

  1216.             }
    1217. 

  1217. 

  1218.             unsigned long l_errcode;
    1219. 

  1219.             LDAPControl **  returnedCtrls = NULL;
    1220. 

  1220. #ifdef _WIN32
    1221. 

  1221.             rc = ldap_parse_result(m_pLdapConn, m_pPageBlock, &l_errcode, NULL, NULL, NULL, &returnedCtrls, false);
    1222. 

  1222. #else
    1223. 

  1223.             rc = ldap_parse_result(m_pLdapConn, m_pPageBlock, (int*)&l_errcode, NULL, NULL, NULL, &returnedCtrls, false);
    1224. 

  1224. #endif
    1225. 

  1225.             if (m_pCookie)
    1226. 

  1226.             {
    1227. 

  1227.                 ber_bvfree(m_pCookie);
    1228. 

  1228.                 m_pCookie = NULL;
    1229. 

  1229.             }
    1230. 

  1230. 

  1231.             if (rc != LDAP_SUCCESS)
    1232. 

  1232.             {
    1233. 

  1233.                 int err = GetLastError();
    1234. 

  1234.                 if (err)
    1235. 

  1235.                 {
    1236. 

  1236.                     throw MakeStringException(-1, "ldap_parse_result failed with 0x%x (%s)",err, ldap_err2string( err ));
    1237. 

  1237.                 }
    1238. 

  1238.                 else
    1239. 

  1239.                 {
    1240. 

  1240.                     DBGLOG("ldap_parse_result returned unexpected rc=%x, err=%x, ignoring",rc,err);
    1241. 

  1241.                 }
    1242. 

  1242.             }
    1243. 

  1243. 

  1244.             pageCtrlMem.setRetControls(returnedCtrls);
    1245. 

  1245.             unsigned long totCount;
    1246. 

  1246. #ifdef _WIN32
    1247. 

  1247.             rc = ldap_parse_page_control(m_pLdapConn, returnedCtrls, &totCount, &m_pCookie);//sets cookie for next call to ldap_create_page_control()
    1248. 

  1248. #else
    1249. 

  1249.             rc = ldap_parse_page_control(m_pLdapConn, returnedCtrls, (int*)&totCount, &m_pCookie);//sets cookie for next call to ldap_create_page_control()
    1250. 

  1250. #endif
    1251. 

  1251.             if (rc != LDAP_SUCCESS)
    1252. 

  1252.             {
    1253. 

  1253.                 int err = GetLastError();
    1254. 

  1254.                 if (err)
    1255. 

  1255.                 {
    1256. 

  1256.                     throw MakeStringException(-1, "ldap_parse_page_control failed with 0x%x (%s)",err, ldap_err2string( err ));
    1257. 

  1257.                 }
    1258. 

  1258.                 else
    1259. 

  1259.                 {
    1260. 

  1260.                     DBGLOG("ldap_parse_page_control returned unexpected rc=%x, err=%x, ignoring",rc,err);
    1261. 

  1261.                 }
    1262. 

  1262.             }
    1263. 

  1263. 

  1264.             if (!(m_pCookie && m_pCookie->bv_val != NULL && (strlen(m_pCookie->bv_val) > 0)))
    1265. 

  1265.                 m_morePages = false;
    1266. 

  1266. #else
    1267. 

  1267.             int rc = ldap_search_ext_s(m_pLdapConn, m_pszDN, m_scope, m_pszFilter, m_pszAttrs, 0, NULL, NULL, &timeOut, 0, &m_pPageBlock);
    1268. 

  1268.             m_morePages = false;
    1269. 

  1269.             if (rc != LDAP_SUCCESS)
    1270. 

  1270.             {
    1271. 

  1271.                 throw MakeStringException(-1, "ldap_search_ext_s failed with 0x%x (%s)",rc, ldap_err2string( rc ));
    1272. 

  1272.             }
    1273. 

  1273. #endif
    1274. 

  1274.         }
    1275. 

  1275. 

  1276.         catch(IException* e)
    1277. 

  1277.         {
    1278. 

  1278.             StringBuffer emsg;
    1279. 

  1279.             e->errorMessage(emsg);
    1280. 

  1280.             throw MakeStringException(-1, "LDAP Paged Search - %s", emsg.str());
    1281. 

  1281.         }
    1282. 

  1282. 

  1283.         catch(...)
    1284. 

  1284.         {
    1285. 

  1285.             throw MakeStringException(-1, "Unknown Exception calling LDAP Paged Search");
    1286. 

  1286.         }
    1287. 

  1287. 

  1288.         return true;
    1289. 

  1289.     }
    1290. 

  1290. 

  1291. public:
    1292. 

  1292. 

  1293.     CPagedLDAPSearch(LDAP* _pLdapConn, int _timeout, char * _pszDN, unsigned long _scope, char * _pszFilter, char * _pszAttrs[])
    1294. 

  1294.     {
    1295. 

  1295.         m_pLdapConn =_pLdapConn;
    1296. 

  1296. 

  1297.         m_pszDN = _pszDN;
    1298. 

  1298.         m_timeout = _timeout;
    1299. 

  1299.         m_scope = _scope;
    1300. 

  1300.         m_pszFilter = _pszFilter;
    1301. 

  1301.         m_pszAttrs = _pszAttrs;
    1302. 

  1302. 

  1303.         m_pCookie = NULL;
    1304. 

  1304.         m_morePages = true;
    1305. 

  1305.         m_pPageEntry = NULL;
    1306. 

  1306.         m_pPageBlock = NULL;
    1307. 

  1307.     }
    1308. 

  1308. 

  1309.     virtual ~CPagedLDAPSearch()
    1310. 

  1310.     {
    1311. 

  1311.         if (m_pPageBlock)
    1312. 

  1312.             ldap_msgfree(m_pPageBlock);
    1313. 

  1313.         if (m_pCookie)
    1314. 

  1314.             ber_bvfree(m_pCookie);
    1315. 

  1315.     }
    1316. 

  1316. 

  1317.     //---------------------------------------------------
    1318. 

  1318.     // Returns the count of the matching DN/filter/scope entries
    1319. 

  1319.     //---------------------------------------------------
    1320. 

  1320.     unsigned countEntries()
    1321. 

  1321.     {
    1322. 

  1322.         unsigned count = 0;
    1323. 

  1323.         while (requestNextPage())
    1324. 

  1324.             count += ldap_count_entries(m_pLdapConn, m_pPageBlock);
    1325. 

  1325.         return count;
    1326. 

  1326.     }
    1327. 

  1327. 

  1328.     //---------------------------------------------------
    1329. 

  1329.     // Get the first/next entry
    1330. 

  1330.     // Returns NULL when no more
    1331. 

  1331.     //---------------------------------------------------
    1332. 

  1332.     LDAPMessage * getFirstEntry()
    1333. 

  1333.     {
    1334. 

  1334.         if (!requestNextPage())
    1335. 

  1335.         {
    1336. 

  1336.             m_morePages = false;
    1337. 

  1337.             return NULL;
    1338. 

  1338.         }
    1339. 

  1339.         return getNextEntry();
    1340. 

  1340.     }
    1341. 

  1341. 

  1342.     LDAPMessage * getNextEntry()
    1343. 

  1343.     {
    1344. 

  1344.         if (!m_pPageEntry)
    1345. 

  1345.             m_pPageEntry = LdapFirstEntry(m_pLdapConn, m_pPageBlock);
    1346. 

  1346.         else
    1347. 

  1347.             m_pPageEntry = LdapNextEntry(m_pLdapConn, m_pPageEntry);
    1348. 

  1348. 

  1349.         if (!m_pPageEntry)
    1350. 

  1350.         {
    1351. 

  1351.             if (!requestNextPage())
    1352. 

  1352.                 return NULL;
    1353. 

  1353.             m_pPageEntry = LdapFirstEntry(m_pLdapConn, m_pPageBlock);
    1354. 

  1354.         }
    1355. 

  1355.         return m_pPageEntry;
    1356. 

  1356.     }
    1357. 

  1357. };
    1358. 

  1358. 

  1359. static CriticalSection  mpaCrit;
    1360. 

  1360. static __int64 getMaxPwdAge(Owned<ILdapConnectionPool> _conns, const char * _baseDN, int _timeout)
    1361. 

  1361. {
    1362. 

  1362.     static time_t   lastPwdAgeCheck = 0;
    1363. 

  1363.     static __int64  maxPwdAge = PWD_NEVER_EXPIRES;
    1364. 

  1364.     #define HOURLY  ((time_t)(60*60*1000))
    1365. 

  1365. 

  1366.     CriticalBlock block(mpaCrit);
    1367. 

  1367.     if (lastPwdAgeCheck != 0 && (((msTick() - lastPwdAgeCheck) < HOURLY)))//in case it was retrieved whilst this thread blocked
    1368. 

  1368.         return maxPwdAge;
    1369. 

  1369. 

  1370.     DBGLOG("Retrieving LDAP 'maxPwdAge'");
    1371. 

  1371.     char* attrs[] = {"maxPwdAge", NULL};
    1372. 

  1372.     CLDAPMessage searchResult;
    1373. 

  1373.     TIMEVAL timeOut = {_timeout,0};
    1374. 

  1374.     Owned<ILdapConnection> lconn = _conns->getConnection();
    1375. 

  1375.     LDAP* sys_ld = ((CLdapConnection*)lconn.get())->getLd();
    1376. 

  1376.     int result = ldap_search_ext_s(sys_ld, (char*)_baseDN, LDAP_SCOPE_BASE, NULL,
    1377. 

  1377.         attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg);
    1378. 

  1378.     if(result != LDAP_SUCCESS)
    1379. 

  1379.     {
    1380. 

  1380.         DBGLOG("ldap_search_ext_s error: %s, when searching maxPwdAge", ldap_err2string( result ));
    1381. 

  1381.         return 0;
    1382. 

  1382.     }
    1383. 

  1383.     unsigned entries = ldap_count_entries(sys_ld, searchResult);
    1384. 

  1384.     if(entries == 0)
    1385. 

  1385.     {
    1386. 

  1386.         DBGLOG("ldap_search_ext_s error: Could not find maxPwdAge");
    1387. 

  1387.         return 0;
    1388. 

  1388.     }
    1389. 

  1389.     maxPwdAge = 0;
    1390. 

  1390.     CLDAPGetValuesLenWrapper vals(sys_ld, searchResult.msg, "maxPwdAge");
    1391. 

  1391.     if (vals.hasValues())
    1392. 

  1392.     {
    1393. 

  1393.         const char *val = vals.queryCharValue(0);
    1394. 

  1394.         if (val && *val)
    1395. 

  1395.         {
    1396. 

  1396.             if (*val == '-')
    1397. 

  1397.                 ++val;
    1398. 

  1398.             for (int x=0; val[x]; x++)
    1399. 

  1399.                 maxPwdAge = maxPwdAge * 10 + ( (int)val[x] - '0');
    1400. 

  1400.         }
    1401. 

  1401.     }
    1402. 

  1402.     else
    1403. 

  1403.         maxPwdAge = PWD_NEVER_EXPIRES;
    1404. 

  1404.     lastPwdAgeCheck = msTick();
    1405. 

  1405.     return maxPwdAge;
    1406. 

  1406. }
    1407. 

  1407. 

  1408. static CriticalSection  lcCrit;
    1409. 

  1409. class CLdapClient : implements ILdapClient, public CInterface
    1410. 

  1410. {
    1411. 

  1411. private:
    1412. 

  1412.     Owned<ILdapConnectionPool> m_connections;
    1413. 

  1413.     IPermissionProcessor* m_pp;     
    1414. 

  1414.     //int                  m_defaultFileScopePermission;
    1415. 

  1415.     //int                  m_defaultWorkunitScopePermission;
    1416. 

  1416.     Owned<CLdapConfig>   m_ldapconfig;
    1417. 

  1417.     StringBuffer         m_pwscheme;
    1418. 

  1418.     bool                 m_domainPwdsNeverExpire;//no domain policy for password expiration
    1419. 

  1419. 

  1420. public:
    1421. 

  1421.     IMPLEMENT_IINTERFACE
    1422. 

  1422. 

  1423.     CLdapClient(IPropertyTree* cfg)
    1424. 

  1424.     {
    1425. 

  1425.         m_ldapconfig.setown(new CLdapConfig(cfg));
    1426. 

  1426.         if(cfg && cfg->getPropBool("@useRealConnectionPool", false))
    1427. 

  1427.             m_connections.setown(new CLdapConnectionPool2(m_ldapconfig.get())); 
    1428. 

  1428.         else
    1429. 

  1429.             m_connections.setown(new CLdapConnectionPool(m_ldapconfig.get()));  
    1430. 

  1430.         m_pp = NULL;
    1431. 

  1431.         //m_defaultFileScopePermission = -2;
    1432. 

  1432.         //m_defaultWorkunitScopePermission = -2;
    1433. 

  1433.         m_domainPwdsNeverExpire = false;
    1434. 

  1434.     }
    1435. 

  1435. 

  1436.     virtual void init(IPermissionProcessor* pp)
    1437. 

  1437.     {
    1438. 

  1438.         m_pp = pp;
    1439. 

  1439.         static bool createdOU = false;
    1440. 

  1440.         CriticalBlock block(lcCrit);
    1441. 

  1441.         if (!createdOU)
    1442. 

  1442.         {
    1443. 

  1443.             if(m_ldapconfig->getServerType() == OPEN_LDAP)
    1444. 

  1444.             {
    1445. 

  1445.                 try
    1446. 

  1446.                 {
    1447. 

  1447.                     addDC(m_ldapconfig->getBasedn());
    1448. 

  1448.                 }
    1449. 

  1449.                 catch(...)
    1450. 

  1450.                 {
    1451. 

  1451.                 }
    1452. 

  1452.                 try
    1453. 

  1453.                 {
    1454. 

  1454.                     addGroup("Directory Administrators", NULL, NULL, m_ldapconfig->getBasedn());
    1455. 

  1455.                 }
    1456. 

  1456.                 catch(...)
    1457. 

  1457.                 {
    1458. 

  1458.                 }
    1459. 

  1459.             }
    1460. 

  1460. 

  1461.             //Create base LDAP OU tree. Specify PT_DEFAULT to ensure each OU
    1462. 

  1462.             //grants access to both Administrators and to Authenticated Users
    1463. 

  1463.             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_DEFAULT), PT_DEFAULT);
    1464. 

  1464.             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_DEFAULT);
    1465. 

  1465.             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_VIEW_SCOPE), PT_DEFAULT);
    1466. 

  1466.             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_DEFAULT);
    1467. 

  1467.             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_DEFAULT);
    1468. 

  1468. 

  1469.             createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_DEFAULT);
    1470. 

  1470.             createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_DEFAULT);
    1471. 

  1471.             createdOU = true;
    1472. 

  1472.         }
    1473. 

  1473.     }
    1474. 

  1474. 

  1475.     virtual LdapServerType getServerType()
    1476. 

  1476.     {
    1477. 

  1477.         return m_ldapconfig->getServerType();
    1478. 

  1478.     }
    1479. 

  1479. 

  1480.     virtual ILdapConfig* getLdapConfig()
    1481. 

  1481.     {
    1482. 

  1482.         return m_ldapconfig.get();
    1483. 

  1483.     }
    1484. 

  1484. 

  1485.     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
    1486. 

  1486.     {
    1487. 

  1487.         m_ldapconfig->setResourceBasedn(rbasedn, rtype);
    1488. 

  1488.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(rtype), PT_DEFAULT);
    1489. 

  1489.     }
    1490. 

  1490. 

  1491.     void calcPWExpiry(CDateTime &dt, unsigned len, char * val)
    1492. 

  1492.     {
    1493. 

  1493.         __int64 time = 0;
    1494. 

  1494.         for (unsigned x=0; x < len; x++)
    1495. 

  1495.             time = time * 10 + ( (int)val[x] - '0');
    1496. 

  1496.         time += getMaxPwdAge(m_connections,(char*)m_ldapconfig->getBasedn(), m_ldapconfig->getLdapTimeout());
    1497. 

  1497.         dt.setFromFILETIME(time);
    1498. 

  1498.         dt.adjustTime(dt.queryUtcToLocalDelta());
    1499. 

  1499.     }
    1500. 

  1500. 

  1501.     virtual bool authenticate(ISecUser& user)
    1502. 

  1502.     {
    1503. 

  1503.         {
    1504. 

  1504.             char        *attribute;
    1505. 

  1505.             user.setAuthenticateStatus(AS_UNEXPECTED_ERROR);//assume the worst
    1506. 

  1506. 

  1507.             const char* username = user.getName();
    1508. 

  1508.             const char* password = user.credentials().getPassword();
    1509. 

  1509.             if(!username || !*username || !password || !*password)
    1510. 

  1510.             {
    1511. 

  1511.                 DBGLOG("CLdapClient::authenticate username/password must be provided");
    1512. 

  1512.                 return false;
    1513. 

  1513.             }
    1514. 

  1514. 

  1515.             if (getMaxPwdAge(m_connections,(char*)m_ldapconfig->getBasedn(), m_ldapconfig->getLdapTimeout()) != PWD_NEVER_EXPIRES)
    1516. 

  1516.                 m_domainPwdsNeverExpire = false;
    1517. 

  1517.             else
    1518. 

  1518.                 m_domainPwdsNeverExpire = true;
    1519. 

  1519. 

  1520.             StringBuffer filter;
    1521. 

  1521.             // Retrieve user's dn with system connection
    1522. 

  1522.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1523. 

  1523.                 filter.append("sAMAccountName=");
    1524. 

  1524.             else
    1525. 

  1525.                 filter.append("uid=");
    1526. 

  1526.             filter.append(username);
    1527. 

  1527. 

  1528.             char* attrs[] = {"cn", "userAccountControl", "pwdLastSet", "givenName", "sn", "employeeId", "distinguishedName",NULL};
    1529. 

  1529. 

  1530.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    1531. 

  1531.             LDAP* sys_ld = ((CLdapConnection*)lconn.get())->getLd();
    1532. 

  1532.             CLDAPMessage searchResult;
    1533. 

  1533.             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    1534. 

  1534.             int result = ldap_search_ext_s(sys_ld,
    1535. 

  1535.                             (char*)m_ldapconfig->getUserBasedn(), //distinguished name of the entry at which to start the search
    1536. 

  1536.                             LDAP_SCOPE_SUBTREE,
    1537. 

  1537.                             (char*)filter.str(), //search filter
    1538. 

  1538.                             attrs,
    1539. 

  1539.                             0, //attribute types and values are to be returned, nonzero if only types are required
    1540. 

  1540.                             NULL,
    1541. 

  1541.                             NULL,
    1542. 

  1542.                             &timeOut,
    1543. 

  1543.                             LDAP_NO_LIMIT,
    1544. 

  1544.                             &searchResult.msg);
    1545. 

  1545. 

  1546.             if(result != LDAP_SUCCESS)
    1547. 

  1547.             {
    1548. 

  1548.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( result ), filter.str(), m_ldapconfig->getUserBasedn());
    1549. 

  1549.                 return false;
    1550. 

  1550.             }
    1551. 

  1551. 

  1552.             unsigned entries = ldap_count_entries(sys_ld, searchResult);
    1553. 

  1553.             if(entries == 0)
    1554. 

  1554.             {
    1555. 

  1555.                 searchResult.ldapMsgFree();
    1556. 

  1556.                 TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    1557. 

  1557.                 result = ldap_search_ext_s(sys_ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg);
    1558. 

  1558.                 if(result != LDAP_SUCCESS)
    1559. 

  1559.                 {
    1560. 

  1560.                     DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( result ), filter.str(), m_ldapconfig->getSysUserBasedn());
    1561. 

  1561.                     user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1562. 

  1562.                     return false;
    1563. 

  1563.                 }
    1564. 

  1564. 

  1565.                 entries = ldap_count_entries(sys_ld, searchResult);
    1566. 

  1566.                 if(entries == 0)
    1567. 

  1567.                 {
    1568. 

  1568.                     DBGLOG("LDAP: User %s not found", username);
    1569. 

  1569.                     user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1570. 

  1570.                     return false;
    1571. 

  1571.                 }
    1572. 

  1572.             }
    1573. 

  1573. 

  1574.             LDAPMessage *entry = LdapFirstEntry(sys_ld, searchResult);
    1575. 

  1575.             if(entry == NULL)
    1576. 

  1576.             {
    1577. 

  1577.                 DBGLOG("LDAP: Can't find entry for user %s", username);
    1578. 

  1578.                 return false;
    1579. 

  1579.             }
    1580. 

  1580.             bool accountPwdNeverExpires = false;
    1581. 

  1581. 

  1582.             CLDAPGetAttributesWrapper   atts(sys_ld, searchResult);
    1583. 

  1583.             for ( attribute = atts.getFirst();
    1584. 

  1584.                   attribute != NULL;
    1585. 

  1585.                   attribute = atts.getNext())
    1586. 

  1586.             {
    1587. 

  1587.                 if(stricmp(attribute, "cn") == 0)
    1588. 

  1588.                 {
    1589. 

  1589.                     CLDAPGetValuesLenWrapper vals(sys_ld, entry, attribute);
    1590. 

  1590.                     if (vals.hasValues())
    1591. 

  1591.                         user.setFullName(vals.queryCharValue(0));
    1592. 

  1592.                 }
    1593. 

  1593.                 else if((stricmp(attribute, "givenName") == 0))
    1594. 

  1594.                 {
    1595. 

  1595.                     CLDAPGetValuesLenWrapper vals(sys_ld, entry, attribute);
    1596. 

  1596.                     if (vals.hasValues())
    1597. 

  1597.                         user.setFirstName(vals.queryCharValue(0));
    1598. 

  1598.                 }
    1599. 

  1599.                 else if((stricmp(attribute, "sn") == 0))
    1600. 

  1600.                 {
    1601. 

  1601.                     CLDAPGetValuesLenWrapper vals(sys_ld, entry, attribute);
    1602. 

  1602.                     if (vals.hasValues())
    1603. 

  1603.                         user.setLastName(vals.queryCharValue(0));
    1604. 

  1604.                 }
    1605. 

  1605.                 else if((stricmp(attribute, "userAccountControl") == 0))
    1606. 

  1606.                 {
    1607. 

  1607.                     //UF_DONT_EXPIRE_PASSWD 0x10000
    1608. 

  1608.                     CLDAPGetValuesLenWrapper vals(sys_ld, entry, attribute);
    1609. 

  1609.                     if (vals.hasValues())
    1610. 

  1610.                         if (atoi((char*)vals.queryCharValue(0)) & 0x10000)//this can be true at the account level, even if domain policy requires password
    1611. 

  1611.                             accountPwdNeverExpires = true;
    1612. 

  1612.                 }
    1613. 

  1613.                 else if((stricmp(attribute, "pwdLastSet") == 0))
    1614. 

  1614.                 {
    1615. 

  1615.                     /*pwdLastSet is the date and time that the password for this account was last changed. This
    1616. 

  1616.                     value is stored as a large integer that represents the number of 100 nanosecond intervals
    1617. 

  1617.                     since January 1, 1601 (UTC), also known as a FILETIME value. If this value is set
    1618. 

  1618.                     to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD
    1619. 

  1619.                     flag, then the user must set the password at the next logon.
    1620. 

  1620.                     */
    1621. 

  1621.                     CLDAPGetValuesLenWrapper valsLen(sys_ld, entry, attribute);
    1622. 

  1622.                     if (valsLen.hasValues())
    1623. 

  1623.                     {
    1624. 

  1624.                         CDateTime expiry;
    1625. 

  1625.                         if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires)
    1626. 

  1626.                         {
    1627. 

  1627.                             char * val = (char*)valsLen.queryCharValue(0);
    1628. 

  1628.                             calcPWExpiry(expiry, (unsigned)strlen(val), val);
    1629. 

  1629.                         }
    1630. 

  1630.                         else
    1631. 

  1631.                         {
    1632. 

  1632.                             expiry.clear();
    1633. 

  1633.                             DBGLOG("LDAP: Password never expires for user %s", username);
    1634. 

  1634.                         }
    1635. 

  1635.                         user.setPasswordExpiration(expiry);
    1636. 

  1636.                     }
    1637. 

  1637.                 }
    1638. 

  1638.                 else if(stricmp(attribute, "employeeId") == 0)
    1639. 

  1639.                 {
    1640. 

  1640.                     CLDAPGetValuesLenWrapper vals(sys_ld, entry, attribute);
    1641. 

  1641.                     if (vals.hasValues())
    1642. 

  1642.                         user.setEmployeeID(vals.queryCharValue(0));
    1643. 

  1643.                 }
    1644. 

  1644.                 else if(stricmp(attribute, "distinguishedName") == 0)
    1645. 

  1645.                 {
    1646. 

  1646.                     CLDAPGetValuesLenWrapper vals(sys_ld, entry, attribute);
    1647. 

  1647.                     if (vals.hasValues())
    1648. 

  1648.                         user.setDistinguishedName(vals.queryCharValue(0));
    1649. 

  1649.                 }
    1650. 

  1650.             }
    1651. 

  1651. 

  1652.             char *userdn = ldap_get_dn(sys_ld, entry);
    1653. 

  1653.             if(userdn == NULL || strlen(userdn) == 0)
    1654. 

  1654.             {
    1655. 

  1655.                 DBGLOG("LDAP: dn not found for user %s", username);
    1656. 

  1656.                 return false;
    1657. 

  1657.             }
    1658. 

  1658. 

  1659.             StringBuffer userdnbuf;
    1660. 

  1660.             userdnbuf.append(userdn);
    1661. 

  1661.             ldap_memfree(userdn);
    1662. 

  1662. 

  1663.             StringBuffer hostbuf;
    1664. 

  1664.             m_ldapconfig->getLdapHost(hostbuf);
    1665. 

  1665.             int rc = LDAP_SERVER_DOWN;
    1666. 

  1666.             char *ldap_errstring=NULL;
    1667. 

  1667. 

  1668.             for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    1669. 

  1669.             {
    1670. 

  1670.                 DBGLOG("LdapBind for user %s (retries=%d).", username, retries);
    1671. 

  1671.                 {
    1672. 

  1672.                     LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    1673. 

  1673.                     rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    1674. 

  1674.                     if(rc != LDAP_SUCCESS)
    1675. 

  1675.                         ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
    1676. 

  1676.                     LDAP_UNBIND(user_ld);
    1677. 

  1677.                 }
    1678. 

  1678.                 DBGLOG("finished LdapBind for user %s, rc=%d", username, rc);
    1679. 

  1679.                 if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    1680. 

  1680.                     break;
    1681. 

  1681.                 sleep(LDAPSEC_RETRY_WAIT);
    1682. 

  1682.                 if(retries < LDAPSEC_MAX_RETRIES)
    1683. 

  1683.                     DBGLOG("Server temporarily unreachable, retrying ...");
    1684. 

  1684.                 // Retrying next ldap sever, might be the same server
    1685. 

  1685.                 m_ldapconfig->getLdapHost(hostbuf);
    1686. 

  1686.             }
    1687. 

  1687. 

  1688.             if(rc == LDAP_SERVER_DOWN)
    1689. 

  1689.             {
    1690. 

  1690.                 StringBuffer dc;
    1691. 

  1691.                 LdapUtils::getDcName(NULL, dc);
    1692. 

  1692.                 if(dc.length() > 0)
    1693. 

  1693.                 {
    1694. 

  1694.                     WARNLOG("Using automatically obtained LDAP Server %s", dc.str());
    1695. 

  1695.                     LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), dc.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    1696. 

  1696.                     rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getLdapTimeout(), m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    1697. 

  1697.                     if(rc != LDAP_SUCCESS)
    1698. 

  1698.                         ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
    1699. 

  1699.                     LDAP_UNBIND(user_ld);
    1700. 

  1700.                 }
    1701. 

  1701.             }
    1702. 

  1702.             if(rc != LDAP_SUCCESS)
    1703. 

  1703.             {
    1704. 

  1704.                 if (ldap_errstring && *ldap_errstring && strstr(ldap_errstring, " data "))//if extended error strings are available (they are not in windows clients)
    1705. 

  1705.                 {
    1706. 

  1706. #ifdef _DEBUG
    1707. 

  1707.                     DBGLOG("LDAPBIND ERR: RC=%d, - '%s'", rc, ldap_errstring);
    1708. 

  1708. #endif
    1709. 

  1709.                     if (strstr(ldap_errstring, "data 532"))//80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db0.
    1710. 

  1710.                     {
    1711. 

  1711.                         DBGLOG("LDAP: Password Expired(1) for user %s", username);
    1712. 

  1712.                         user.setAuthenticateStatus(AS_PASSWORD_VALID_BUT_EXPIRED);
    1713. 

  1713.                     }
    1714. 

  1714.                     else if (strstr(ldap_errstring, "data 773"))//User must reset password "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1'
    1715. 

  1715.                     {
    1716. 

  1716.                         DBGLOG("LDAP: User %s Must Reset Password", username);
    1717. 

  1717.                         user.setAuthenticateStatus(AS_PASSWORD_VALID_BUT_EXPIRED);
    1718. 

  1718.                     }
    1719. 

  1719.                     else
    1720. 

  1720.                     {
    1721. 

  1721.                         DBGLOG("LDAP: Authentication(1) for user %s failed - %s", username, ldap_err2string(rc));
    1722. 

  1722.                         user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1723. 

  1723.                     }
    1724. 

  1724.                 }
    1725. 

  1725.                 else
    1726. 

  1726.                 {
    1727. 

  1727.                     //This path is typical if running ESP on Windows. We have no way
    1728. 

  1728.                     //to determine if password entered is valid but expired
    1729. 

  1729.                     if (user.getPasswordDaysRemaining() == scPasswordExpired)
    1730. 

  1730.                     {
    1731. 

  1731.                         DBGLOG("LDAP: Password Expired(2) for user %s", username);
    1732. 

  1732.                         user.setAuthenticateStatus(AS_PASSWORD_EXPIRED);
    1733. 

  1733.                     }
    1734. 

  1734.                     else
    1735. 

  1735.                     {
    1736. 

  1736.                         DBGLOG("LDAP: Authentication(2) for user %s failed - %s", username, ldap_err2string(rc));
    1737. 

  1737.                         user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1738. 

  1738.                     }
    1739. 

  1739.                 }
    1740. 

  1740.                 return false;
    1741. 

  1741.             }
    1742. 

  1742.             user.setAuthenticateStatus(AS_AUTHENTICATED);
    1743. 

  1743.         }
    1744. 

  1744.         //Always retrieve user info(SID, UID, fullname, etc) for Active Directory, when the user first logs in.
    1745. 

  1745.         if((m_ldapconfig->getServerType() == ACTIVE_DIRECTORY) && (m_pp != NULL))
    1746. 

  1746.             m_pp->retrieveUserInfo(user);
    1747. 

  1747. 

  1748.         return true;
    1749. 

  1749.     };
    1750. 

  1750. 

  1751.     virtual bool authorize(SecResourceType rtype, ISecUser& user, IArrayOf<ISecResource>& resources, const char * resName = nullptr)
    1752. 

  1752.     {
    1753. 

  1753.         bool ok = false;
    1754. 

  1754.         const char* basedn = m_ldapconfig->getResourceBasedn(rtype);
    1755. 

  1755.         if(basedn == NULL || *basedn == '\0')
    1756. 

  1756.         {
    1757. 

  1757.             DBGLOG("corresponding basedn is not defined for authorize");
    1758. 

  1758.             return false;
    1759. 

  1759.         }
    1760. 

  1760. 

  1761.         const char* username = user.getName();
    1762. 

  1762.         if(!username || !*username)
    1763. 

  1763.         {
    1764. 

  1764.             DBGLOG("CLdapClient::authorize username must be specified");
    1765. 

  1765.             return false;
    1766. 

  1766.         }
    1767. 

  1767. 

  1768.         const char* sysuser = m_ldapconfig->getSysUser();
    1769. 

  1769.         if(sysuser && *sysuser && (strcmp(username, sysuser) == 0))
    1770. 

  1770.         {
    1771. 

  1771.             ForEachItemIn(x, resources)
    1772. 

  1772.             {
    1773. 

  1773.                 ISecResource* res = &resources.item(x);
    1774. 

  1774.                 if(!res)
    1775. 

  1775.                     continue;
    1776. 

  1776.                 if(rtype == RT_MODULE)
    1777. 

  1777.                 {
    1778. 

  1778.                     StringBuffer filter;
    1779. 

  1779.                     if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1780. 

  1780.                         filter.append("name=");
    1781. 

  1781.                     else
    1782. 

  1782.                         filter.append("ou=");
    1783. 

  1783.                     filter.append(res->getName());
    1784. 

  1784.                     int count = countEntries(m_ldapconfig->getResourceBasedn(rtype), (char*)filter.str(), 10);
    1785. 

  1785.                     if(count != 0)
    1786. 

  1786.                         res->setAccessFlags(SecAccess_Full);
    1787. 

  1787.                     else
    1788. 

  1788.                         res->setAccessFlags(SecAccess_Unavailable);
    1789. 

  1789.                 }
    1790. 

  1790.                 else
    1791. 

  1791.                     res->setAccessFlags(SecAccess_Full);
    1792. 

  1792.             }
    1793. 

  1793.             return true;
    1794. 

  1794.         }
    1795. 

  1795. 

  1796.         if(rtype == RT_FILE_SCOPE)
    1797. 

  1797.         {
    1798. 

  1798.             SecAccessFlags defaultFileScopePermission = queryDefaultPermission(user);
    1799. 

  1799.             IArrayOf<ISecResource> non_emptylist;
    1800. 

  1800.             ForEachItemIn(x, resources)
    1801. 

  1801.             {
    1802. 

  1802.                 ISecResource& res = resources.item(x);
    1803. 

  1803.                 const char* res_name = res.getName();
    1804. 

  1804.                 if(res_name == NULL || *res_name == '\0')
    1805. 

  1805.                     res.setAccessFlags(defaultFileScopePermission); //res.setAccessFlags(m_defaultFileScopePermission);
    1806. 

  1806.                 else 
    1807. 

  1807.                     non_emptylist.append(*LINK(&res));
    1808. 

  1808.             }
    1809. 

  1809. 

  1810.             ok = authorizeScope(user, non_emptylist, basedn);
    1811. 

  1811.             //if(ok && m_defaultFileScopePermission != -2)
    1812. 

  1812.             if(ok && defaultFileScopePermission != UNK_PERM_VALUE)
    1813. 

  1813.             {
    1814. 

  1814.                 ForEachItemIn(x, non_emptylist)
    1815. 

  1815.                 {
    1816. 

  1816.                     ISecResource& res = non_emptylist.item(x);
    1817. 

  1817.                     if(res.getAccessFlags() == -1)
    1818. 

  1818.                         res.setAccessFlags(defaultFileScopePermission); //res.setAccessFlags(m_defaultFileScopePermission);
    1819. 

  1819.                 }
    1820. 

  1820.             }
    1821. 

  1821. 

  1822.             return ok;
    1823. 

  1823.         }
    1824. 

  1824.         else if(rtype == RT_WORKUNIT_SCOPE)
    1825. 

  1825.         {
    1826. 

  1826.             SecAccessFlags defaultWorkunitScopePermission = UNK_PERM_VALUE;//init to invalid SecAccessFlags value
    1827. 

  1827.             //if(m_defaultWorkunitScopePermission == -2)
    1828. 

  1828.             {
    1829. 

  1829.                 const char* basebasedn = strchr(basedn, ',') + 1;
    1830. 

  1830.                 StringBuffer baseresource;
    1831. 

  1831.                 baseresource.append(basebasedn-basedn-4, basedn+3);
    1832. 

  1832.                 IArrayOf<ISecResource> base_resources;
    1833. 

  1833.                 base_resources.append(*(new CLdapSecResource(baseresource.str())));
    1834. 

  1834.                 bool baseok = authorizeScope(user, base_resources, basebasedn);
    1835. 

  1835.                 if(baseok)
    1836. 

  1836.                 {
    1837. 

  1837.                     defaultWorkunitScopePermission = base_resources.item(0).getAccessFlags();//replace UNK_PERM_VALUE with a valid flag
    1838. 

  1838.                 }
    1839. 

  1839.             }
    1840. 

  1840.             IArrayOf<ISecResource> non_emptylist;
    1841. 

  1841.             ForEachItemIn(x, resources)
    1842. 

  1842.             {
    1843. 

  1843.                 ISecResource& res = resources.item(x);
    1844. 

  1844.                 const char* res_name = res.getName();
    1845. 

  1845.                 if(res_name == NULL || *res_name == '\0')
    1846. 

  1846.                     res.setAccessFlags(defaultWorkunitScopePermission);
    1847. 

  1847.                 else 
    1848. 

  1848.                     non_emptylist.append(*LINK(&res));
    1849. 

  1849.             }
    1850. 

  1850.             ok = authorizeScope(user, non_emptylist, basedn);
    1851. 

  1851.             if(ok && defaultWorkunitScopePermission != UNK_PERM_VALUE)//if default perm is known, use it
    1852. 

  1852.             {
    1853. 

  1853.                 ForEachItemIn(x, non_emptylist)
    1854. 

  1854.                 {
    1855. 

  1855.                     ISecResource& res = non_emptylist.item(x);
    1856. 

  1856.                     if(res.getAccessFlags() == -1)
    1857. 

  1857.                         res.setAccessFlags(defaultWorkunitScopePermission);
    1858. 

  1858.                 }
    1859. 

  1859.             }
    1860. 

  1860. 

  1861.             return ok;
    1862. 

  1862.         }
    1863. 

  1863.         else if (rtype == RT_VIEW_SCOPE)
    1864. 

  1864.         {
    1865. 

  1865.             SecAccessFlags defPerm = queryDefaultPermission(user); //default perm to be applied when no lfn or column provided
    1866. 

  1866. 

  1867.             //Get view lfn/col mappings for this view
    1868. 

  1868.             assertex(resources.ordinality() > 0);
    1869. 

  1869.             assertex(resName && *resName != '\0');
    1870. 

  1870.             StringArray viewFiles;
    1871. 

  1871.             StringArray viewColumns;
    1872. 

  1872.             queryViewColumns(resName, viewFiles, viewColumns);
    1873. 

  1873.             unsigned numViewMembers = viewFiles.ordinality();
    1874. 

  1874.             assertex(numViewMembers == viewColumns.ordinality());
    1875. 

  1875. 

  1876.             StringAttr lfn;
    1877. 

  1877.             StringAttr col;
    1878. 

  1878.             unsigned fails = 0;
    1879. 

  1879.             ForEachItemIn(idx, resources) //Iterate over all resources in list
    1880. 

  1880.             {
    1881. 

  1881.                 ISecResource& res = resources.item(idx);
    1882. 

  1882.                 assertex(RT_VIEW_SCOPE == res.getResourceType());
    1883. 

  1883. 

  1884.                 lfn.set(res.getParameter("file"));
    1885. 

  1885.                 col.set(res.getParameter("column"));
    1886. 

  1886. #ifdef _DEBUG
    1887. 

  1887.                 DBGLOG("Checking '%s' RT_VIEW_SCOPE for lfn %s, col %s", resName, lfn.str(), col.str());
    1888. 

  1888. #endif
    1889. 

  1889.                 if (lfn.isEmpty() || col.isEmpty())
    1890. 

  1890.                     res.setAccessFlags(defPerm);
    1891. 

  1891.                 else
    1892. 

  1892.                 {
    1893. 

  1893.                     //Check LDAP
    1894. 

  1894.                     res.setAccessFlags(SecAccess_None);
    1895. 

  1895.                     ++fails;
    1896. 

  1896.                     for (unsigned vIdx = 0; vIdx < numViewMembers; vIdx++)
    1897. 

  1897.                     {
    1898. 

  1898.                         if (0 == stricmp(lfn.str(), viewFiles.item(vIdx)) &&
    1899. 

  1899.                             0 == stricmp(col.str(), viewColumns.item(vIdx)))
    1900. 

  1900.                         {
    1901. 

  1901.                             res.setAccessFlags(SecAccess_Full);
    1902. 

  1902.                             --fails;
    1903. 

  1903.                             break;
    1904. 

  1904.                         }
    1905. 

  1905.                     }
    1906. 

  1906.                 }
    1907. 

  1907.             }
    1908. 

  1908.             return fails == 0 ? true : false;
    1909. 

  1909.         }
    1910. 

  1910.         else
    1911. 

  1911.         {
    1912. 

  1912.             IArrayOf<CSecurityDescriptor> sdlist;
    1913. 

  1913.             ForEachItemIn(x, resources)
    1914. 

  1914.             {
    1915. 

  1915.                 ISecResource& res = resources.item(x);
    1916. 

  1916.                 const char* resourcename = res.getName();
    1917. 

  1917.                 CSecurityDescriptor* sd = new CSecurityDescriptor(resourcename);
    1918. 

  1918.                 sdlist.append(*sd);
    1919. 

  1919.             }
    1920. 

  1920. 

  1921.             getSecurityDescriptors(rtype, sdlist);
    1922. 

  1922.             if(m_pp != NULL)
    1923. 

  1923.                 ok = m_pp->getPermissions(user, sdlist, resources);
    1924. 

  1924.             return ok;
    1925. 

  1925.         }
    1926. 

  1926.     }
    1927. 

  1927. 

  1928.     // Returns true if all resources are correctly added, otherwise returns false.
    1929. 

  1929.     virtual bool addResources(SecResourceType rtype, ISecUser& user, IArrayOf<ISecResource>& resources, SecPermissionType ptype, const char* basedn)
    1930. 

  1930.     {
    1931. 

  1931.         bool ret = true;
    1932. 

  1932. 

  1933.         for(unsigned i = 0; i < resources.length(); i++)
    1934. 

  1934.         {
    1935. 

  1935.             ISecResource* resource = &resources.item(i);
    1936. 

  1936.             if(resource != NULL)
    1937. 

  1937.             {
    1938. 

  1938.                 bool oneret = addResource(rtype, user, resource, ptype, basedn);
    1939. 

  1939.                 ret = ret && oneret; 
    1940. 

  1940.             }
    1941. 

  1941.         }
    1942. 

  1942. 

  1943.         return ret;
    1944. 

  1944.     }
    1945. 

  1945. 

  1946.     virtual bool getUserInfo(ISecUser& user, const char* infotype)
    1947. 

  1947.     {
    1948. 

  1948.         char        *attribute;
    1949. 

  1949.         LDAPMessage *message;
    1950. 

  1950. 

  1951.         const char* username = user.getName();
    1952. 

  1952. 

  1953.         if(username == NULL || strlen(username) == 0)
    1954. 

  1954.         {
    1955. 

  1955.             DBGLOG("LDAP: getUserInfo : username is empty");
    1956. 

  1956.             return false;
    1957. 

  1957.         }
    1958. 

  1958.         
    1959. 

  1959.         if(infotype && stricmp(infotype, "sudoers") == 0)
    1960. 

  1960.         {
    1961. 

  1961.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    1962. 

  1962.             if (ldapuser == nullptr)
    1963. 

  1963.             {
    1964. 

  1964.                 throw MakeStringException(-1, "Unable to cast user %s to CLdapSecUser", username);
    1965. 

  1965.             }
    1966. 

  1966. 

  1967.             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    1968. 

  1968.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    1969. 

  1969.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1970. 

  1970. 

  1971.             StringBuffer filter("sudoUser=");
    1972. 

  1972.             filter.append(username);
    1973. 

  1973.             char  *attrs[] = {"sudoHost", "sudoCommand", "sudoOption", NULL};
    1974. 

  1974.             const char* basedn = m_ldapconfig->getResourceBasedn(RT_SUDOERS);
    1975. 

  1975.             CLDAPMessage searchResult;
    1976. 

  1976.             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg);
    1977. 

  1977. 

  1978.             if ( rc != LDAP_SUCCESS )
    1979. 

  1979.             {
    1980. 

  1980.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    1981. 

  1981.                 ldapuser->setSudoersEnabled(false);
    1982. 

  1982.                 ldapuser->setInSudoers(false);
    1983. 

  1983.                 return false;
    1984. 

  1984.             }
    1985. 

  1985.             
    1986. 

  1986.             ldapuser->setSudoersEnabled(true);
    1987. 

  1987. 

  1988.             unsigned entries = ldap_count_entries(ld, searchResult);
    1989. 

  1989.             if(entries == 0)
    1990. 

  1990.             {
    1991. 

  1991.                 ldapuser->setInSudoers(false);
    1992. 

  1992.                 return true;
    1993. 

  1993.             }
    1994. 

  1994. 

  1995.             message = LdapFirstEntry(ld, searchResult);
    1996. 

  1996.             if(message == NULL)
    1997. 

  1997.             {
    1998. 

  1998.                 ldapuser->setInSudoers(false);
    1999. 

  1999.                 return true;
    2000. 

  2000.             }
    2001. 

  2001. 

  2002.             ldapuser->setInSudoers(true);
    2003. 

  2003.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2004. 

  2004.             for ( attribute = atts.getFirst();
    2005. 

  2005.                   attribute != NULL;
    2006. 

  2006.                   attribute = atts.getNext())
    2007. 

  2007.             {
    2008. 

  2008.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2009. 

  2009.                 if (vals.hasValues())
    2010. 

  2010.                 {
    2011. 

  2011.                     if(stricmp(attribute, "sudoHost") == 0)
    2012. 

  2012.                         ldapuser->setSudoHost(vals.queryCharValue(0));
    2013. 

  2013.                     else if(stricmp(attribute, "sudoCommand") == 0)
    2014. 

  2014.                         ldapuser->setSudoCommand(vals.queryCharValue(0));
    2015. 

  2015.                     else if(stricmp(attribute, "sudoOption") == 0)
    2016. 

  2016.                         ldapuser->setSudoOption(vals.queryCharValue(0));
    2017. 

  2017.                 }
    2018. 

  2018.             }
    2019. 

  2019.             return true;
    2020. 

  2020.         }
    2021. 

  2021.         else
    2022. 

  2022.         {
    2023. 

  2023.             StringBuffer filter;
    2024. 

  2024.             const char* basedn = m_ldapconfig->getUserBasedn();
    2025. 

  2025.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2026. 

  2026.             {
    2027. 

  2027.                 filter.append("sAMAccountName=");
    2028. 

  2028.             }
    2029. 

  2029.             else
    2030. 

  2030.             {
    2031. 

  2031.                 filter.append("uid=");
    2032. 

  2032.                 if(stricmp(username, m_ldapconfig->getSysUser()) == 0)
    2033. 

  2033.                     basedn = m_ldapconfig->getSysUserBasedn();
    2034. 

  2034.             }
    2035. 

  2035. 

  2036.             filter.append(user.getName());
    2037. 

  2037. 

  2038.             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    2039. 

  2039.             
    2040. 

  2040.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2041. 

  2041.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2042. 

  2042. 

  2043.             char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", "employeeId", "distinguishedName", "userAccountControl", "pwdLastSet", NULL};
    2044. 

  2044.             CLDAPMessage searchResult;
    2045. 

  2045.             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
    2046. 

  2046. 

  2047.             if ( rc != LDAP_SUCCESS )
    2048. 

  2048.             {
    2049. 

  2049.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    2050. 

  2050.                 return false;
    2051. 

  2051.             }
    2052. 

  2052. 

  2053.             bool accountPwdNeverExpires = false;
    2054. 

  2054.             ((CLdapSecUser*)&user)->setPosixenabled(false);
    2055. 

  2055.             // Go through the search results by checking message types
    2056. 

  2056.             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2057. 

  2057.             {
    2058. 

  2058.                 CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2059. 

  2059.                 for ( attribute = atts.getFirst();
    2060. 

  2060.                       attribute != NULL;
    2061. 

  2061.                       attribute = atts.getNext())
    2062. 

  2062.                 {
    2063. 

  2063.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2064. 

  2064.                     if (vals.hasValues())
    2065. 

  2065.                     {
    2066. 

  2066.                         if(stricmp(attribute, "cn") == 0)
    2067. 

  2067.                             user.setFullName(vals.queryCharValue(0));
    2068. 

  2068.                         else if(stricmp(attribute, "givenName") == 0)
    2069. 

  2069.                             user.setFirstName(vals.queryCharValue(0));
    2070. 

  2070.                         else if(stricmp(attribute, "sn") == 0)
    2071. 

  2071.                             user.setLastName(vals.queryCharValue(0));
    2072. 

  2072.                         else if(stricmp(attribute, "gidnumber") == 0)
    2073. 

  2073.                             ((CLdapSecUser*)&user)->setGidnumber(vals.queryCharValue(0));
    2074. 

  2074.                         else if(stricmp(attribute, "uidnumber") == 0)
    2075. 

  2075.                             ((CLdapSecUser*)&user)->setUidnumber(vals.queryCharValue(0));
    2076. 

  2076.                         else if(stricmp(attribute, "homedirectory") == 0)
    2077. 

  2077.                             ((CLdapSecUser*)&user)->setHomedirectory(vals.queryCharValue(0));
    2078. 

  2078.                         else if(stricmp(attribute, "loginshell") == 0)
    2079. 

  2079.                             ((CLdapSecUser*)&user)->setLoginshell(vals.queryCharValue(0));
    2080. 

  2080.                         else if(stricmp(attribute, "distinguishedName") == 0)
    2081. 

  2081.                             ((CLdapSecUser*)&user)->setDistinguishedName(vals.queryCharValue(0));
    2082. 

  2082.                         else if((stricmp(attribute, "userAccountControl") == 0))
    2083. 

  2083.                         {
    2084. 

  2084.                             //UF_DONT_EXPIRE_PASSWD 0x10000
    2085. 

  2085.                             CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2086. 

  2086.                             if (vals.hasValues())
    2087. 

  2087.                                 if (atoi((char*)vals.queryCharValue(0)) & 0x10000)//this can be true at the account level, even if domain policy requires password
    2088. 

  2088.                                     accountPwdNeverExpires = true;
    2089. 

  2089.                         }
    2090. 

  2090.                         else if(stricmp(attribute, "pwdLastSet") == 0)
    2091. 

  2091.                         {
    2092. 

  2092.                             CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
    2093. 

  2093.                             if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires && valsLen.hasValues())
    2094. 

  2094.                             {
    2095. 

  2095.                                 CDateTime expiry;
    2096. 

  2096.                                 char * val = (char*)valsLen.queryCharValue(0);
    2097. 

  2097.                                 calcPWExpiry(expiry, (unsigned)strlen(val), val);
    2098. 

  2098.                                 ((CLdapSecUser*)&user)->setPasswordExpiration(expiry);
    2099. 

  2099.                             }
    2100. 

  2100.                         }
    2101. 

  2101.                         else if(stricmp(attribute, "objectClass") == 0)
    2102. 

  2102.                         {
    2103. 

  2103.                             int valind = 0;
    2104. 

  2104.                             while(vals.queryCharValue(valind))
    2105. 

  2105.                             {
    2106. 

  2106.                                 if(stricmp(vals.queryCharValue(valind), "posixAccount") == 0)
    2107. 

  2107.                                 {
    2108. 

  2108.                                     ((CLdapSecUser*)&user)->setPosixenabled(true);
    2109. 

  2109.                                     break;
    2110. 

  2110.                                 }
    2111. 

  2111.                                 valind++;
    2112. 

  2112.                             }
    2113. 

  2113.                         }
    2114. 

  2114.                         else if(stricmp(attribute, "employeeId") == 0)
    2115. 

  2115.                             user.setEmployeeID(vals.queryCharValue(0));
    2116. 

  2116.                     }
    2117. 

  2117.                 }
    2118. 

  2118.             }
    2119. 

  2119.             return true;
    2120. 

  2120.         }
    2121. 

  2121.     }
    2122. 

  2122. 

  2123.     ISecUser* lookupUser(unsigned uid)
    2124. 

  2124.     {
    2125. 

  2125.         StringBuffer sysuser;
    2126. 

  2126.         sysuser.append(m_ldapconfig->getSysUser());
    2127. 

  2127.         if(sysuser.length() == 0)
    2128. 

  2128.         {
    2129. 

  2129. #ifdef _WIN32
    2130. 

  2130.             char uname[128];
    2131. 

  2131.             unsigned long len = 128;
    2132. 

  2132.             int rc = GetUserName(uname, &len);
    2133. 

  2133.             if(rc != 0)
    2134. 

  2134.                 sysuser.append(len, uname);
    2135. 

  2135.             else
    2136. 

  2136.                 throw MakeStringException(-1, "Error getting current user's username, error code = %d", rc);
    2137. 

  2137. #else
    2138. 

  2138.             throw MakeStringException(-1, "systemUser not found in config");
    2139. 

  2139. #endif
    2140. 

  2140.         }
    2141. 

  2141.         
    2142. 

  2142.         MemoryBuffer usersidbuf;
    2143. 

  2143.         StringBuffer usersidstr;
    2144. 

  2144. 

  2145.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2146. 

  2146.         {
    2147. 

  2147.             if(m_pp != NULL)
    2148. 

  2148.                 m_pp->lookupSid(sysuser.str(), usersidbuf);
    2149. 

  2149.             if(usersidbuf.length() == 0)
    2150. 

  2150.             {
    2151. 

  2151.                 throw MakeStringException(-1, "system user %s's SID not found", sysuser.str());
    2152. 

  2152.             }
    2153. 

  2153. 

  2154.             int sidlen = usersidbuf.length();
    2155. 

  2155.             char* uidbuf = (char*)&uid;
    2156. 

  2156.             for(int i = 0; i < 4; i++)
    2157. 

  2157.             {
    2158. 

  2158.                 usersidbuf.writeDirect(sidlen -4 + i, 1, (uidbuf + 3 - i));
    2159. 

  2159.             }
    2160. 

  2160.             LdapUtils::bin2str(usersidbuf, usersidstr);
    2161. 

  2161.         }
    2162. 

  2162.         else
    2163. 

  2163.         {
    2164. 

  2164.             usersidbuf.append(uid);
    2165. 

  2165.         }
    2166. 

  2166. 

  2167.         char        *attribute;
    2168. 

  2168.         LDAPMessage *message;
    2169. 

  2169. 

  2170.         StringBuffer filter;
    2171. 

  2171.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2172. 

  2172.         {
    2173. 

  2173.             filter.append("objectSid=").append(usersidstr.str());
    2174. 

  2174.         }
    2175. 

  2175.         else
    2176. 

  2176.         {
    2177. 

  2177.             filter.appendf("entryid=%d", uid);
    2178. 

  2178.         }
    2179. 

  2179. 

  2180.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    2181. 

  2181. 

  2182.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2183. 

  2183.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2184. 

  2184. 

  2185.         char* act_fieldname;
    2186. 

  2186.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2187. 

  2187.         {
    2188. 

  2188.             act_fieldname = "sAMAccountName";
    2189. 

  2189.         }
    2190. 

  2190.         else
    2191. 

  2191.         {
    2192. 

  2192.             act_fieldname = "uid";
    2193. 

  2193.         }
    2194. 

  2194.             
    2195. 

  2195.         char        *attrs[] = {"cn", act_fieldname, NULL};
    2196. 

  2196.         CLDAPMessage searchResult;
    2197. 

  2197.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    2198. 

  2198. 

  2199.         if ( rc != LDAP_SUCCESS )
    2200. 

  2200.         {
    2201. 

  2201.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2202. 

  2202.             return NULL;
    2203. 

  2203.         }
    2204. 

  2204. 

  2205.         if(ldap_count_entries(ld, searchResult) < 1)
    2206. 

  2206.         {
    2207. 

  2207.             DBGLOG("No entries are found for user with uid %0X", uid);
    2208. 

  2208.             return NULL;
    2209. 

  2209.         }
    2210. 

  2210. 

  2211.         CLdapSecUser* ldapuser = new CLdapSecUser("", "");
    2212. 

  2212. 

  2213.         // Go through the search results by checking message types
    2214. 

  2214.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2215. 

  2215.         {
    2216. 

  2216.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2217. 

  2217.             for ( attribute = atts.getFirst();
    2218. 

  2218.                   attribute != NULL;
    2219. 

  2219.                   attribute = atts.getNext())
    2220. 

  2220.             {
    2221. 

  2221.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2222. 

  2222.                 if (vals.hasValues())
    2223. 

  2223.                 {
    2224. 

  2224.                     if(stricmp(attribute, "cn") == 0)
    2225. 

  2225.                         ldapuser->setFullName(vals.queryCharValue(0));
    2226. 

  2226.                     else if(stricmp(attribute, act_fieldname) == 0)
    2227. 

  2227.                         ldapuser->setName(vals.queryCharValue(0));
    2228. 

  2228.                 }
    2229. 

  2229.             }
    2230. 

  2230.         }
    2231. 

  2231. 

  2232.         ldapuser->setUserID(uid);
    2233. 

  2233.         ldapuser->setUserSid(usersidbuf.length(), usersidbuf.toByteArray());
    2234. 

  2234.         
    2235. 

  2235.         // Since we've got the SID for the user, cache it for later uses.
    2236. 

  2236.         MemoryBuffer mb;
    2237. 

  2237.         if(m_pp != NULL)
    2238. 

  2238.         {
    2239. 

  2239.             m_pp->getCachedSid(ldapuser->getName(), mb);
    2240. 

  2240.             if(mb.length() == 0)
    2241. 

  2241.             {
    2242. 

  2242.                 m_pp->cacheSid(ldapuser->getName(), usersidbuf.length(), usersidbuf.toByteArray());
    2243. 

  2243.             }
    2244. 

  2244.         }
    2245. 

  2245.         return ldapuser;
    2246. 

  2246.     }
    2247. 

  2247. 

  2248.     bool lookupAccount(MemoryBuffer& sidbuf, StringBuffer& account_name, ACT_TYPE& act_type)
    2249. 

  2249.     {
    2250. 

  2250.         char        *attribute;
    2251. 

  2251.         LDAPMessage *message;
    2252. 

  2252. 

  2253.         char* act_fieldname;
    2254. 

  2254. 

  2255.         StringBuffer filter;
    2256. 

  2256.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2257. 

  2257.         {
    2258. 

  2258.             act_fieldname = "sAMAccountName";
    2259. 

  2259.             StringBuffer usersidstr;
    2260. 

  2260.             LdapUtils::bin2str(sidbuf, usersidstr);
    2261. 

  2261.             filter.append("objectSid=").append(usersidstr.str());
    2262. 

  2262.         }
    2263. 

  2263.         else
    2264. 

  2264.         {
    2265. 

  2265.             unsigned* uid = (unsigned*)sidbuf.toByteArray();
    2266. 

  2266.             filter.appendf("entryid=%d", *uid);
    2267. 

  2267.             act_fieldname = "uid";
    2268. 

  2268.         }
    2269. 

  2269. 

  2270.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    2271. 

  2271. 

  2272.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2273. 

  2273.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2274. 

  2274.         
    2275. 

  2275.         char  *attrs[] = {"cn", act_fieldname, "objectClass", NULL};
    2276. 

  2276.         CLDAPMessage searchResult;
    2277. 

  2277.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    2278. 

  2278. 

  2279.         if ( rc != LDAP_SUCCESS )
    2280. 

  2280.         {
    2281. 

  2281.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2282. 

  2282.             return false;
    2283. 

  2283.         }
    2284. 

  2284. 

  2285.         if(ldap_count_entries(ld, searchResult) < 1)
    2286. 

  2286.         {
    2287. 

  2287.             searchResult.ldapMsgFree();
    2288. 

  2288.             ldap_search_ext_s(ld, (char*)m_ldapconfig->getGroupBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
    2289. 

  2289.             if(ldap_count_entries(ld, searchResult) < 1)
    2290. 

  2290.             {
    2291. 

  2291.                 searchResult.ldapMsgFree();
    2292. 

  2292.                 ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    2293. 

  2293.                 if(ldap_count_entries(ld, searchResult) < 1)
    2294. 

  2294.                 {
    2295. 

  2295.                     DBGLOG("CLdapClient::lookupAccount No entries found");
    2296. 

  2296.                     return false;
    2297. 

  2297.                 }
    2298. 

  2298.             }
    2299. 

  2299.         }
    2300. 

  2300. 

  2301.         StringBuffer act_name;
    2302. 

  2302.         StringBuffer cnbuf;
    2303. 

  2303. 

  2304.         // Go through the search results by checking message types
    2305. 

  2305.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2306. 

  2306.         {
    2307. 

  2307.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2308. 

  2308.             for ( attribute = atts.getFirst();
    2309. 

  2309.                   attribute != NULL;
    2310. 

  2310.                   attribute = atts.getNext())
    2311. 

  2311.             {
    2312. 

  2312.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2313. 

  2313.                 if (vals.hasValues())
    2314. 

  2314.                 {
    2315. 

  2315.                     if(stricmp(attribute, act_fieldname) == 0)
    2316. 

  2316.                         act_name.clear().append(vals.queryCharValue(0));
    2317. 

  2317.                     else if(stricmp(attribute, "cn") == 0)
    2318. 

  2318.                         cnbuf.clear().append(vals.queryCharValue(0));
    2319. 

  2319.                     else if(stricmp(attribute, "objectClass") == 0)
    2320. 

  2320.                     {
    2321. 

  2321.                         int i = 0;
    2322. 

  2322.                         while(vals.queryCharValue(i) != NULL)
    2323. 

  2323.                         {
    2324. 

  2324.                             if(stricmp(vals.queryCharValue(i), "person") == 0)
    2325. 

  2325.                                 act_type = USER_ACT;
    2326. 

  2326.                             else if(stricmp(vals.queryCharValue(i), "group") == 0)
    2327. 

  2327.                                 act_type = GROUP_ACT;
    2328. 

  2328.                             i++;
    2329. 

  2329.                         }
    2330. 

  2330.                     }
    2331. 

  2331.                 }
    2332. 

  2332.             }
    2333. 

  2333.         }
    2334. 

  2334. 

  2335.         if(act_type == USER_ACT)
    2336. 

  2336.             account_name.append(act_name.str());
    2337. 

  2337.         else
    2338. 

  2338.             account_name.append(cnbuf.str());
    2339. 

  2339. 

  2340.         return true;
    2341. 

  2341.     }
    2342. 

  2342. 

  2343.     virtual void lookupSid(const char* basedn, const char* filter, MemoryBuffer& act_sid)
    2344. 

  2344.     {
    2345. 

  2345.         char        *attribute;       
    2346. 

  2346.         LDAPMessage *message;
    2347. 

  2347. 

  2348.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    2349. 

  2349. 

  2350.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2351. 

  2351.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2352. 

  2352. 

  2353.         char* fieldname;
    2354. 

  2354.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2355. 

  2355.             fieldname = "objectSid";
    2356. 

  2356.         else
    2357. 

  2357.             fieldname = "entryid";
    2358. 

  2358. 

  2359.         char        *attrs[] = {fieldname, NULL};
    2360. 

  2360.         CLDAPMessage searchResult;
    2361. 

  2361.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter, attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    2362. 

  2362. 

  2363.         if ( rc != LDAP_SUCCESS )
    2364. 

  2364.         {
    2365. 

  2365.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter, basedn);
    2366. 

  2366.             return;
    2367. 

  2367.         }
    2368. 

  2368. 

  2369.         message = LdapFirstEntry( ld, searchResult);
    2370. 

  2370.         if(message != NULL)
    2371. 

  2371.         {
    2372. 

  2372.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2373. 

  2373.             for ( attribute = atts.getFirst();
    2374. 

  2374.                   attribute != NULL;
    2375. 

  2375.                   attribute = atts.getNext())
    2376. 

  2376.             {
    2377. 

  2377.                 if(0 == stricmp(attribute, fieldname))
    2378. 

  2378.                 {
    2379. 

  2379.                     CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
    2380. 

  2380.                     if (valsLen.hasValues())
    2381. 

  2381.                     {
    2382. 

  2382.                         struct berval* val = valsLen.queryBValues()[0];
    2383. 

  2383.                         if(val != NULL)
    2384. 

  2384.                         {
    2385. 

  2385.                             int len = val->bv_len;
    2386. 

  2386.                             act_sid.append(val->bv_len, val->bv_val);
    2387. 

  2387.                         }
    2388. 

  2388.                     }
    2389. 

  2389.                     break;
    2390. 

  2390.                 }
    2391. 

  2391.             }
    2392. 

  2392.         }
    2393. 

  2393.     }
    2394. 

  2394. 

  2395.     virtual void lookupSid(const char* act_name, MemoryBuffer& act_sid, ACT_TYPE act_type)
    2396. 

  2396.     {
    2397. 

  2397.         StringBuffer filter;
    2398. 

  2398.         const char* basedn;
    2399. 

  2399.         if(act_type == USER_ACT)
    2400. 

  2400.         {
    2401. 

  2401.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2402. 

  2402.                 filter.append("sAMAccountName=").append(act_name);
    2403. 

  2403.             else
    2404. 

  2404.                 filter.append("uid=").append(act_name);
    2405. 

  2405. 

  2406.             basedn = m_ldapconfig->getUserBasedn();
    2407. 

  2407.             lookupSid(basedn, filter.str(), act_sid);
    2408. 

  2408.             if(act_sid.length() == 0)
    2409. 

  2409.             {
    2410. 

  2410.                 StringBuffer basebuf;
    2411. 

  2411.                 if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2412. 

  2412.                     basebuf.append("cn=Users,").append(m_ldapconfig->getBasedn());
    2413. 

  2413.                 else if(stricmp(act_name, m_ldapconfig->getSysUser()) == 0)
    2414. 

  2414.                     basebuf.append(m_ldapconfig->getSysUserBasedn());
    2415. 

  2415.                 else
    2416. 

  2416.                     basebuf.append("ou=People,").append(m_ldapconfig->getBasedn());
    2417. 

  2417. 

  2418.                 lookupSid(basebuf.str(), filter.str(), act_sid);
    2419. 

  2419.             }
    2420. 

  2420.         }
    2421. 

  2421.         else
    2422. 

  2422.         {
    2423. 

  2423.             filter.append("cn=").append(act_name);
    2424. 

  2424.             basedn = m_ldapconfig->getGroupBasedn();
    2425. 

  2425.             lookupSid(basedn, filter.str(), act_sid);
    2426. 

  2426.             if(act_sid.length() == 0)
    2427. 

  2427.             {
    2428. 

  2428.                 StringBuffer basebuf;
    2429. 

  2429.                 basebuf.append("cn=Users,").append(m_ldapconfig->getBasedn());
    2430. 

  2430.                 lookupSid(basebuf.str(), filter.str(), act_sid);
    2431. 

  2431.                 if(act_sid.length() == 0)
    2432. 

  2432.                 {
    2433. 

  2433.                     basebuf.clear();
    2434. 

  2434.                     basebuf.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    2435. 

  2435.                     lookupSid(basebuf.str(), filter.str(), act_sid);
    2436. 

  2436.                 }
    2437. 

  2437.             }       
    2438. 

  2438.         }
    2439. 

  2439. 

  2440.     }
    2441. 

  2441. 

  2442.     virtual void setPermissionProcessor(IPermissionProcessor* pp)
    2443. 

  2443.     {
    2444. 

  2444.         m_pp = pp;
    2445. 

  2445.     }
    2446. 

  2446. 

  2447.     virtual bool retrieveUsers(IUserArray& users)
    2448. 

  2448.     {
    2449. 

  2449.         return retrieveUsers("", users);
    2450. 

  2450.     }
    2451. 

  2451. 

  2452.     virtual bool retrieveUsers(const char* searchstr, IUserArray& users)
    2453. 

  2453.     {
    2454. 

  2454.         char        *attribute;
    2455. 

  2455.         LDAPMessage *message;
    2456. 

  2456. 

  2457.         StringBuffer filter;
    2458. 

  2458.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2459. 

  2459.             filter.append("objectClass=User");
    2460. 

  2460.         else
    2461. 

  2461.             filter.append("objectClass=inetorgperson");
    2462. 

  2462. 

  2463.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    2464. 

  2464. 

  2465.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2466. 

  2466.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2467. 

  2467. 

  2468.         char* act_fieldname;
    2469. 

  2469.         char* sid_fieldname;
    2470. 

  2470.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2471. 

  2471.         {
    2472. 

  2472.             act_fieldname = "sAMAccountName";
    2473. 

  2473.             sid_fieldname = "objectSid";
    2474. 

  2474.         }
    2475. 

  2475.         else
    2476. 

  2476.         {
    2477. 

  2477.             act_fieldname = "uid";
    2478. 

  2478.             sid_fieldname = "entryid";
    2479. 

  2479.         }
    2480. 

  2480. 

  2481.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    2482. 

  2482.         {
    2483. 

  2483.             filter.insert(0, "(&(");
    2484. 

  2484.             filter.appendf(")(|(%s=*%s*)(%s=*%s*)(%s=*%s*)))", act_fieldname, searchstr, "givenName", searchstr, "sn", searchstr);
    2485. 

  2485.         }
    2486. 

  2486. 

  2487.         char *attrs[] = {act_fieldname, sid_fieldname, "cn", "userAccountControl", "pwdLastSet", "employeeId", NULL};
    2488. 

  2488. 

  2489.         CPagedLDAPSearch pagedSrch(ld, m_ldapconfig->getLdapTimeout(), (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs);
    2490. 

  2490.         for (message = pagedSrch.getFirstEntry(); message; message = pagedSrch.getNextEntry())
    2491. 

  2491.         {
    2492. 

  2492.             bool accountPwdNeverExpires = false;
    2493. 

  2493.             Owned<ISecUser> user = new CLdapSecUser("", "");
    2494. 

  2494.             // Go through the search results by checking message types
    2495. 

  2495.             CLDAPGetAttributesWrapper   atts(ld, message);
    2496. 

  2496.             for ( attribute = atts.getFirst();
    2497. 

  2497.                   attribute != NULL;
    2498. 

  2498.                   attribute = atts.getNext())
    2499. 

  2499.             {
    2500. 

  2500.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2501. 

  2501.                 if (!vals.hasValues())
    2502. 

  2502.                     continue;
    2503. 

  2503.                 if(stricmp(attribute, "cn") == 0)
    2504. 

  2504.                 {
    2505. 

  2505.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2506. 

  2506.                     if (vals.hasValues())
    2507. 

  2507.                         user->setFullName(vals.queryCharValue(0));
    2508. 

  2508.                 }
    2509. 

  2509.                 else if (stricmp(attribute, "userAccountControl") == 0)
    2510. 

  2510.                 {
    2511. 

  2511.                     //UF_DONT_EXPIRE_PASSWD 0x10000
    2512. 

  2512.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2513. 

  2513.                     if (vals.hasValues())
    2514. 

  2514.                         if (atoi((char*)vals.queryCharValue(0)) & 0x10000)//this can be true at the account level, even if domain policy requires password
    2515. 

  2515.                             accountPwdNeverExpires = true;
    2516. 

  2516.                 }
    2517. 

  2517.                 else if(stricmp(attribute, "pwdLastSet") == 0)
    2518. 

  2518.                 {
    2519. 

  2519.                     CDateTime expiry;
    2520. 

  2520.                     if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires)
    2521. 

  2521.                     {
    2522. 

  2522.                         CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
    2523. 

  2523.                         if (valsLen.hasValues())
    2524. 

  2524.                         {
    2525. 

  2525.                             struct berval* val = valsLen.queryBValues()[0];
    2526. 

  2526.                             calcPWExpiry(expiry, (unsigned)val->bv_len, val->bv_val);
    2527. 

  2527.                         }
    2528. 

  2528.                     }
    2529. 

  2529.                     else
    2530. 

  2530.                         expiry.clear();
    2531. 

  2531.                     user->setPasswordExpiration(expiry);
    2532. 

  2532.                 }
    2533. 

  2533.                 else if(stricmp(attribute, act_fieldname) == 0)
    2534. 

  2534.                 {
    2535. 

  2535.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2536. 

  2536.                     if (vals.hasValues())
    2537. 

  2537.                         user->setName(vals.queryCharValue(0));
    2538. 

  2538.                 }
    2539. 

  2539.                 else if(stricmp(attribute, sid_fieldname) == 0)
    2540. 

  2540.                 {
    2541. 

  2541.                     if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2542. 

  2542.                     {
    2543. 

  2543.                         CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
    2544. 

  2544.                         if (valsLen.hasValues())
    2545. 

  2545.                         {
    2546. 

  2546.                             struct berval* val = valsLen.queryBValues()[0];
    2547. 

  2547.                             if(val != NULL)
    2548. 

  2548.                             {
    2549. 

  2549.                                 unsigned uid = val->bv_val[val->bv_len - 4];
    2550. 

  2550.                                 int i;
    2551. 

  2551.                                 for(i = 3; i > 0; i--)
    2552. 

  2552.                                 {
    2553. 

  2553.                                     uid = (uid << 8) + val->bv_val[val->bv_len - i];
    2554. 

  2554.                                 }
    2555. 

  2555.                                 ((CLdapSecUser*)user.get())->setUserID(uid);
    2556. 

  2556.                             }
    2557. 

  2557.                         }
    2558. 

  2558.                     }
    2559. 

  2559.                     else
    2560. 

  2560.                     {
    2561. 

  2561.                         CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2562. 

  2562.                         if (vals.hasValues())
    2563. 

  2563.                             ((CLdapSecUser*)user.get())->setUserID(atoi(vals.queryCharValue(0)));
    2564. 

  2564.                     }
    2565. 

  2565.                 }
    2566. 

  2566.                 else if(stricmp(attribute, "employeeId") == 0)
    2567. 

  2567.                 {
    2568. 

  2568.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    2569. 

  2569.                     if (vals.hasValues())
    2570. 

  2570.                         user->setEmployeeID(vals.queryCharValue(0));
    2571. 

  2571.                 }
    2572. 

  2572.             }
    2573. 

  2573.             if (user->getName() && *user->getName())
    2574. 

  2574.                 users.append(*LINK(user.get()));
    2575. 

  2575.         }
    2576. 

  2576. 

  2577.         return true;
    2578. 

  2578.     }
    2579. 

  2579. 

  2580.     virtual IPropertyTreeIterator* getUserIterator(const char* userName)
    2581. 

  2581.     {
    2582. 

  2582.         IUserArray users;
    2583. 

  2583.         retrieveUsers(userName, users);
    2584. 

  2584.         Owned<IPropertyTree> usersTree = createPTree("Users");
    2585. 

  2585.         ForEachItemIn(i, users)
    2586. 

  2586.             addUserTree(users.item(i), usersTree);
    2587. 

  2587. 

  2588.         return usersTree->getElements("*");
    2589. 

  2589.     }
    2590. 

  2590. 

  2591.     void addUserTree(ISecUser& usr, IPropertyTree* users)
    2592. 

  2592.     {
    2593. 

  2593.         const char* usrName = usr.getName();
    2594. 

  2594.         if(!usrName || !*usrName)
    2595. 

  2595.         {
    2596. 

  2596.             DBGLOG("CLdapClient::addUserTree username must be provided");
    2597. 

  2597.             return;
    2598. 

  2598.         }
    2599. 

  2599. 

  2600.         const char* fullName = usr.getFullName();
    2601. 

  2601.         StringBuffer sb;
    2602. 

  2602.         switch (usr.getPasswordDaysRemaining())//-1 if expired, -2 if never expires
    2603. 

  2603.         {
    2604. 

  2604.         case scPasswordExpired:
    2605. 

  2605.             sb.set("Expired");
    2606. 

  2606.             break;
    2607. 

  2607.         case scPasswordNeverExpires:
    2608. 

  2608.             sb.set("Never");
    2609. 

  2609.             break;
    2610. 

  2610.         default:
    2611. 

  2611.             CDateTime dt;
    2612. 

  2612.             usr.getPasswordExpiration(dt);
    2613. 

  2613.             dt.getDateString(sb);
    2614. 

  2614.             break;
    2615. 

  2615.         }
    2616. 

  2616. 

  2617.         Owned<IPTree> userTree = createPTree("User");
    2618. 

  2618.         userTree->addProp(getUserFieldNames(UFName), usrName);
    2619. 

  2619.         if (fullName && *fullName)
    2620. 

  2620.             userTree->addProp(getUserFieldNames(UFFullName), fullName);
    2621. 

  2621.         userTree->addPropInt(getUserFieldNames(UFUserID), usr.getUserID());
    2622. 

  2622.         userTree->addProp(getUserFieldNames(UFPasswordExpiration), sb.str());
    2623. 

  2623.         userTree->addProp(getUserFieldNames(UFEmployeeID), usr.getEmployeeID());
    2624. 

  2624.         users->addPropTree("User", userTree.getClear());
    2625. 

  2625.     }
    2626. 

  2626. 

  2627.     ISecItemIterator* getUsersSorted(const char* userName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint)
    2628. 

  2628.     {
    2629. 

  2629.         class CElementsPager : public CSimpleInterface, implements IElementsPager
    2630. 

  2630.         {
    2631. 

  2631.             ILdapClient* ldapClient;
    2632. 

  2632.             StringAttr userName;
    2633. 

  2633.             StringAttr sortOrder;
    2634. 

  2634. 

  2635.         public:
    2636. 

  2636.             IMPLEMENT_IINTERFACE_USING(CSimpleInterface);
    2637. 

  2637. 

  2638.             CElementsPager(ILdapClient* _ldapClient, const char* _userName, const char*_sortOrder)
    2639. 

  2639.                 : ldapClient(_ldapClient), userName(_userName), sortOrder(_sortOrder) { };
    2640. 

  2640.             virtual IRemoteConnection* getElements(IArrayOf<IPropertyTree>& elements)
    2641. 

  2641.             {
    2642. 

  2642.                 StringArray unknownAttributes;
    2643. 

  2643.                 Owned<IPropertyTreeIterator> iter = ldapClient->getUserIterator(userName.get());
    2644. 

  2644.                 sortElements(iter, sortOrder.get(), NULL, NULL, unknownAttributes, elements);
    2645. 

  2645.                 return NULL;
    2646. 

  2646.             }
    2647. 

  2647.             virtual bool allMatchingElementsReceived() { return true; }//For now, ldap always returns all of matched users.
    2648. 

  2648.         };
    2649. 

  2649. 

  2650.         StringBuffer so;
    2651. 

  2651.         if (sortOrder)
    2652. 

  2652.         {
    2653. 

  2653.             for (unsigned i=0;sortOrder[i]!=UFterm;i++)
    2654. 

  2654.             {
    2655. 

  2655.                 if (so.length())
    2656. 

  2656.                     so.append(',');
    2657. 

  2657.                 int fmt = sortOrder[i];
    2658. 

  2658.                 if (fmt&UFreverse)
    2659. 

  2659.                     so.append('-');
    2660. 

  2660.                 if (fmt&UFnocase)
    2661. 

  2661.                     so.append('?');
    2662. 

  2662.                 if (fmt&UFnumeric)
    2663. 

  2663.                     so.append('#');
    2664. 

  2664.                 so.append(getUserFieldNames((UserField) (fmt&0xff)));
    2665. 

  2665.             }
    2666. 

  2666.         }
    2667. 

  2667.         IArrayOf<IPropertyTree> results;
    2668. 

  2668.         Owned<IElementsPager> elementsPager = new CElementsPager(this, userName, so.length()?so.str():NULL);
    2669. 

  2669.         Owned<IRemoteConnection> conn=getElementsPaged(elementsPager, pageStartFrom, pageSize, NULL, "", cacheHint, results, total, NULL, false);
    2670. 

  2670.         return new CSecItemIterator(results);
    2671. 

  2671.     }
    2672. 

  2672. 

  2673.     virtual bool userInGroup(const char* userdn, const char* groupdn)
    2674. 

  2674.     {
    2675. 

  2675.         const char* fldname;
    2676. 

  2676.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2677. 

  2677.             fldname = "member";
    2678. 

  2678.         else
    2679. 

  2679.             fldname = "uniquemember";
    2680. 

  2680. 

  2681.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2682. 

  2682.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2683. 

  2683. 

  2684.         int rc = LDAP_COMPARE_EXT_S(ld, (const char*)groupdn, (const char*)fldname, (const char*)userdn,0,0,0);
    2685. 

  2685. #ifndef _WIN32
    2686. 

  2686.         if (rc == -3)//389DirectoryServer always seems to return -3
    2687. 

  2687.             rc = ldap_compare_s(ld, groupdn, fldname, userdn);
    2688. 

  2688. #endif
    2689. 

  2689.         if(rc == LDAP_COMPARE_TRUE)
    2690. 

  2690.             return true;
    2691. 

  2691.         else
    2692. 

  2692.             return false;
    2693. 

  2693.     }
    2694. 

  2694. 

  2695.     // Update user's firstname, lastname (plus displayname for active directory).
    2696. 

  2696.     virtual bool updateUser(const char* type, ISecUser& user)
    2697. 

  2697.     {
    2698. 

  2698.         const char* username = user.getName();
    2699. 

  2699.         if(!username || !*username)
    2700. 

  2700.         {
    2701. 

  2701.             DBGLOG("CLdapClient::updateUser username must be provided");
    2702. 

  2702.             return false;
    2703. 

  2703.         }
    2704. 

  2704. 

  2705.         StringBuffer userdn;
    2706. 

  2706.         getUserDN(username, userdn);
    2707. 

  2707. 

  2708.         int rc = LDAP_SUCCESS;
    2709. 

  2709. 

  2710.         if(!type || !*type || stricmp(type, "names") == 0)
    2711. 

  2711.         {
    2712. 

  2712.             StringBuffer cnbuf;
    2713. 

  2713.             const char* fname = user.getFirstName();
    2714. 

  2714.             const char* lname = user.getLastName();
    2715. 

  2715.             if(fname && *fname && lname && *lname)
    2716. 

  2716.             {
    2717. 

  2717.                 cnbuf.append(fname).append(" ").append(lname);
    2718. 

  2718.             }
    2719. 

  2719.             else
    2720. 

  2720.                 throw MakeStringException(-1, "Please specify both firstname and lastname");
    2721. 

  2721. 

  2722.             char *gn_values[] = { (char*)fname, NULL };
    2723. 

  2723.             LDAPMod gn_attr = {
    2724. 

  2724.                 LDAP_MOD_REPLACE,
    2725. 

  2725.                 "givenName",
    2726. 

  2726.                 gn_values
    2727. 

  2727.             };
    2728. 

  2728. 

  2729.             char *sn_values[] = { (char*)lname, NULL };
    2730. 

  2730.             LDAPMod sn_attr = {
    2731. 

  2731.                 LDAP_MOD_REPLACE,
    2732. 

  2732.                 "sn",
    2733. 

  2733.                 sn_values
    2734. 

  2734.             };
    2735. 

  2735. 

  2736.             char *cn_values[] = {(char*)cnbuf.str(), NULL };
    2737. 

  2737.             LDAPMod cn_attr = 
    2738. 

  2738.             {
    2739. 

  2739.                 LDAP_MOD_REPLACE,
    2740. 

  2740.                 "cn",
    2741. 

  2741.                 cn_values
    2742. 

  2742.             };
    2743. 

  2743. 

  2744.             char *dispname_values[] = {(char*)cnbuf.str(), NULL };
    2745. 

  2745.             LDAPMod dispname_attr = 
    2746. 

  2746.             {
    2747. 

  2747.                 LDAP_MOD_REPLACE,
    2748. 

  2748.                 "displayName",
    2749. 

  2749.                 dispname_values
    2750. 

  2750.             };
    2751. 

  2751. 

  2752. 

  2753.             const char * emplID = user.getEmployeeID();
    2754. 

  2754.             char *employeeID_values[] = {(emplID && *emplID) ? (char*)emplID : nullptr, nullptr };
    2755. 

  2755.             LDAPMod employeeID_attr =
    2756. 

  2756.             {
    2757. 

  2757.                 LDAP_MOD_REPLACE,
    2758. 

  2758.                 "employeeId",
    2759. 

  2759.                 employeeID_values
    2760. 

  2760.             };
    2761. 

  2761. 

  2762.             LDAPMod *attrs[5];
    2763. 

  2763.             int ind = 0;
    2764. 

  2764.         
    2765. 

  2765.             attrs[ind++] = &gn_attr;
    2766. 

  2766.             attrs[ind++] = &sn_attr;
    2767. 

  2767. 

  2768.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2769. 

  2769.             {
    2770. 

  2770.                 attrs[ind++] = &dispname_attr;
    2771. 

  2771.             }
    2772. 

  2772.             else
    2773. 

  2773.             {
    2774. 

  2774.                 attrs[ind++] = &cn_attr;
    2775. 

  2775.             }
    2776. 

  2776. 

  2777.             attrs[ind++] = &employeeID_attr;
    2778. 

  2778.             
    2779. 

  2779.             attrs[ind] = NULL;
    2780. 

  2780.             
    2781. 

  2781.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2782. 

  2782.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2783. 

  2783. 

  2784.             rc = ldap_modify_ext_s(ld, (char*)userdn.str(), attrs, NULL, NULL);
    2785. 

  2785.             if (rc == LDAP_SUCCESS && m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2786. 

  2786.             {
    2787. 

  2787.                 StringBuffer newrdn("cn=");
    2788. 

  2788.                 newrdn.append(cnbuf.str());
    2789. 

  2789.                 rc = LdapRename(ld, (char*)userdn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    2790. 

  2790.             }
    2791. 

  2791.         }
    2792. 

  2792.         else if(stricmp(type, "posixenable") == 0)
    2793. 

  2793.         {
    2794. 

  2794.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2795. 

  2795.                 throw MakeStringException(-1, "posixAccount isn't applicable to Active Directory");
    2796. 

  2796. 

  2797.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2798. 

  2798.             if (ldapuser == nullptr)
    2799. 

  2799.             {
    2800. 

  2800.                 throw MakeStringException(-1, "Unable to cast user %s to CLdapSecUser", username);
    2801. 

  2801.             }
    2802. 

  2802. 

  2803.             char* oc_values[] = {"posixAccount", NULL};
    2804. 

  2804.             LDAPMod oc_attr = {
    2805. 

  2805.                 LDAP_MOD_ADD,
    2806. 

  2806.                 "objectclass",
    2807. 

  2807.                 oc_values
    2808. 

  2808.             };
    2809. 

  2809. 

  2810.             char* oc1_values[] = {"shadowAccount", NULL};
    2811. 

  2811.             LDAPMod oc1_attr = {
    2812. 

  2812.                 LDAP_MOD_ADD,
    2813. 

  2813.                 "objectclass",
    2814. 

  2814.                 oc1_values
    2815. 

  2815.             };
    2816. 

  2816. 

  2817.             char *gidnum_values[] = { (char*)ldapuser->getGidnumber(), NULL };
    2818. 

  2818.             LDAPMod gidnum_attr = {
    2819. 

  2819.                 LDAP_MOD_REPLACE,
    2820. 

  2820.                 "gidnumber",
    2821. 

  2821.                 gidnum_values
    2822. 

  2822.             };
    2823. 

  2823. 

  2824.             char *uidnum_values[] = { (char*)ldapuser->getUidnumber(), NULL };
    2825. 

  2825.             LDAPMod uidnum_attr = {
    2826. 

  2826.                 LDAP_MOD_REPLACE,
    2827. 

  2827.                 "uidnumber",
    2828. 

  2828.                 uidnum_values
    2829. 

  2829.             };
    2830. 

  2830. 

  2831.             char *homedir_values[] = {(char*)ldapuser->getHomedirectory(), NULL };
    2832. 

  2832.             LDAPMod homedir_attr =
    2833. 

  2833.             {
    2834. 

  2834.                 LDAP_MOD_REPLACE,
    2835. 

  2835.                 "homedirectory",
    2836. 

  2836.                 homedir_values
    2837. 

  2837.             };
    2838. 

  2838. 

  2839.             char *loginshell_values[] = {(char*)ldapuser->getLoginshell(), NULL };
    2840. 

  2840.             LDAPMod loginshell_attr = 
    2841. 

  2841.             {
    2842. 

  2842.                 LDAP_MOD_REPLACE,
    2843. 

  2843.                 "loginshell",
    2844. 

  2844.                 loginshell_values
    2845. 

  2845.             };
    2846. 

  2846. 

  2847.             LDAPMod *attrs[7];
    2848. 

  2848.             int ind = 0;
    2849. 

  2849.         
    2850. 

  2850.             attrs[ind++] = &gidnum_attr;
    2851. 

  2851.             attrs[ind++] = &uidnum_attr;
    2852. 

  2852.             attrs[ind++] = &homedir_attr;
    2853. 

  2853.             attrs[ind++] = &loginshell_attr;
    2854. 

  2854.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2855. 

  2855.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2856. 

  2856.             int compresult = LDAP_COMPARE_EXT_S(ld, (const char*)userdn.str(), (const char*)"objectclass", (const char*)"posixAccount",0,0,0);
    2857. 

  2857. #ifndef _WIN32
    2858. 

  2858.             if (compresult == -3)//389DirectoryServer always seems to return -3
    2859. 

  2859.                 compresult = ldap_compare_s(ld, userdn.str(), "objectclass", "posixAccount");
    2860. 

  2860. #endif
    2861. 

  2861.             if(compresult != LDAP_COMPARE_TRUE)
    2862. 

  2862.                 attrs[ind++] = &oc_attr;
    2863. 

  2863.             compresult = LDAP_COMPARE_EXT_S(ld, (const char*)userdn.str(), (const char*)"objectclass", (const char*)"shadowAccount",0,0,0);
    2864. 

  2864. #ifndef _WIN32
    2865. 

  2865.             if (compresult == -3)//389DirectoryServer always seems to return -3
    2866. 

  2866.                 compresult = ldap_compare_s(ld, userdn.str(), "objectclass", "shadowAccount");
    2867. 

  2867. #endif
    2868. 

  2868.             if(compresult != LDAP_COMPARE_TRUE)
    2869. 

  2869.                 attrs[ind++] = &oc1_attr;
    2870. 

  2870.             attrs[ind] = NULL;
    2871. 

  2871.             rc = ldap_modify_ext_s(ld, (char*)userdn.str(), attrs, NULL, NULL);
    2872. 

  2872.         }
    2873. 

  2873.         else if(stricmp(type, "posixdisable") == 0)
    2874. 

  2874.         {
    2875. 

  2875.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2876. 

  2876.                 throw MakeStringException(-1, "posixAccount isn't applicable to Active Directory");
    2877. 

  2877. 

  2878.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2879. 

  2879.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2880. 

  2880.             int compresult = LDAP_COMPARE_EXT_S(ld, (const char*)userdn.str(), (const char*)"objectclass", (const char*)"posixAccount",0,0,0);
    2881. 

  2881. #ifndef _WIN32
    2882. 

  2882.             if (compresult == -3)//389DirectoryServer always seems to return -3
    2883. 

  2883.                 compresult = ldap_compare_s(ld, userdn.str(), "objectclass", "posixAccount");
    2884. 

  2884. #endif
    2885. 

  2885.             if(compresult != LDAP_COMPARE_TRUE)
    2886. 

  2886.             {
    2887. 

  2887.                 rc = LDAP_SUCCESS;
    2888. 

  2888.             }
    2889. 

  2889.             else
    2890. 

  2890.             {
    2891. 

  2891.                 char* oc_values[] = {"posixAccount", NULL};
    2892. 

  2892.                 LDAPMod oc_attr = {
    2893. 

  2893.                     LDAP_MOD_DELETE,
    2894. 

  2894.                     "objectclass",
    2895. 

  2895.                     oc_values
    2896. 

  2896.                 };
    2897. 

  2897. 

  2898.                 char* oc1_values[] = {"shadowAccount", NULL};
    2899. 

  2899.                 LDAPMod oc1_attr = {
    2900. 

  2900.                     LDAP_MOD_DELETE,
    2901. 

  2901.                     "objectclass",
    2902. 

  2902.                     oc1_values
    2903. 

  2903.                 };
    2904. 

  2904. 

  2905.                 char *gidnum_values[] = { NULL };
    2906. 

  2906.                 LDAPMod gidnum_attr = {
    2907. 

  2907.                     LDAP_MOD_DELETE,
    2908. 

  2908.                     "gidnumber",
    2909. 

  2909.                     gidnum_values
    2910. 

  2910.                 };
    2911. 

  2911. 

  2912.                 char *uidnum_values[] = {NULL };
    2913. 

  2913.                 LDAPMod uidnum_attr = {
    2914. 

  2914.                     LDAP_MOD_DELETE,
    2915. 

  2915.                     "uidnumber",
    2916. 

  2916.                     uidnum_values
    2917. 

  2917.                 };
    2918. 

  2918. 

  2919.                 char *homedir_values[] = { NULL };
    2920. 

  2920.                 LDAPMod homedir_attr =
    2921. 

  2921.                 {
    2922. 

  2922.                     LDAP_MOD_DELETE,
    2923. 

  2923.                     "homedirectory",
    2924. 

  2924.                     homedir_values
    2925. 

  2925.                 };
    2926. 

  2926. 

  2927.                 char *loginshell_values[] = { NULL };
    2928. 

  2928.                 LDAPMod loginshell_attr =
    2929. 

  2929.                 {
    2930. 

  2930.                     LDAP_MOD_DELETE,
    2931. 

  2931.                     "loginshell",
    2932. 

  2932.                     loginshell_values
    2933. 

  2933.                 };
    2934. 

  2934. 

  2935.                 LDAPMod *attrs[7];
    2936. 

  2936.                 int ind = 0;
    2937. 

  2937.             
    2938. 

  2938.                 attrs[ind++] = &gidnum_attr;
    2939. 

  2939.                 attrs[ind++] = &uidnum_attr;
    2940. 

  2940.                 attrs[ind++] = &homedir_attr;
    2941. 

  2941.                 attrs[ind++] = &loginshell_attr;
    2942. 

  2942.                 attrs[ind++] = &oc_attr;
    2943. 

  2943.                 attrs[ind++] = &oc1_attr;
    2944. 

  2944.                 attrs[ind] = NULL;
    2945. 

  2945. 

  2946.                 rc = ldap_modify_ext_s(ld, (char*)userdn.str(), attrs, NULL, NULL);
    2947. 

  2947.             }
    2948. 

  2948.         }
    2949. 

  2949.         else if(stricmp(type, "sudoersadd") == 0)
    2950. 

  2950.         {
    2951. 

  2951.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2952. 

  2952.             if (ldapuser == nullptr)
    2953. 

  2953.             {
    2954. 

  2954.                 throw MakeStringException(-1, "Unable to cast user %s to CLdapSecUser", username);
    2955. 

  2955.             }
    2956. 

  2956. 

  2957.             char *cn_values[] = {(char*)username, NULL };
    2958. 

  2958.             LDAPMod cn_attr =
    2959. 

  2959.             {
    2960. 

  2960.                 LDAP_MOD_ADD,
    2961. 

  2961.                 "cn",
    2962. 

  2962.                 cn_values
    2963. 

  2963.             };
    2964. 

  2964. 

  2965.             char *oc_values[] = {"sudoRole", NULL };
    2966. 

  2966.             LDAPMod oc_attr =
    2967. 

  2967.             {
    2968. 

  2968.                 LDAP_MOD_ADD,
    2969. 

  2969.                 "objectClass",
    2970. 

  2970.                 oc_values
    2971. 

  2971.             };
    2972. 

  2972. 

  2973.             char *user_values[] = {(char*)username, NULL };
    2974. 

  2974.             LDAPMod user_attr =
    2975. 

  2975.             {
    2976. 

  2976.                 LDAP_MOD_ADD,
    2977. 

  2977.                 "sudoUser",
    2978. 

  2978.                 user_values
    2979. 

  2979.             };
    2980. 

  2980. 

  2981.             char* sudoHost = (char*)ldapuser->getSudoHost();
    2982. 

  2982.             char* sudoCommand = (char*)ldapuser->getSudoCommand();
    2983. 

  2983.             char* sudoOption = (char*)ldapuser->getSudoOption();
    2984. 

  2984. 

  2985.             char *host_values[] = {sudoHost, NULL };
    2986. 

  2986.             LDAPMod host_attr = 
    2987. 

  2987.             {
    2988. 

  2988.                 LDAP_MOD_ADD,
    2989. 

  2989.                 "sudoHost",
    2990. 

  2990.                 host_values
    2991. 

  2991.             };
    2992. 

  2992.             char *cmd_values[] = {sudoCommand, NULL };
    2993. 

  2993.             LDAPMod cmd_attr = 
    2994. 

  2994.             {
    2995. 

  2995.                 LDAP_MOD_ADD,
    2996. 

  2996.                 "sudoCommand",
    2997. 

  2997.                 cmd_values
    2998. 

  2998.             };
    2999. 

  2999.             char *option_values[] = {sudoOption, NULL };
    3000. 

  3000.             LDAPMod option_attr = 
    3001. 

  3001.             {
    3002. 

  3002.                 LDAP_MOD_ADD,
    3003. 

  3003.                 "sudoOption",
    3004. 

  3004.                 option_values
    3005. 

  3005.             };
    3006. 

  3006. 

  3007.             LDAPMod *attrs[8];
    3008. 

  3008.             int ind = 0;
    3009. 

  3009.             
    3010. 

  3010.             attrs[ind++] = &cn_attr;
    3011. 

  3011.             attrs[ind++] = &oc_attr;
    3012. 

  3012.             attrs[ind++] = &user_attr;
    3013. 

  3013.             if(sudoHost && *sudoHost)
    3014. 

  3014.                 attrs[ind++] = &host_attr;
    3015. 

  3015.             if(sudoCommand && *sudoCommand)
    3016. 

  3016.                 attrs[ind++] = &cmd_attr;
    3017. 

  3017.             if(sudoOption && *sudoOption)
    3018. 

  3018.                 attrs[ind++] = &option_attr;
    3019. 

  3019. 

  3020.             attrs[ind] = NULL;
    3021. 

  3021. 

  3022.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    3023. 

  3023.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3024. 

  3024.             StringBuffer dn;
    3025. 

  3025.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    3026. 

  3026.             int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    3027. 

  3027.             if ( rc != LDAP_SUCCESS )
    3028. 

  3028.             {
    3029. 

  3029.                 if(rc == LDAP_ALREADY_EXISTS)
    3030. 

  3030.                 {
    3031. 

  3031.                     throw MakeStringException(-1, "can't add %s to sudoers, an LDAP object with this name already exists", username);
    3032. 

  3032.                 }
    3033. 

  3033.                 else
    3034. 

  3034.                 {
    3035. 

  3035.                     DBGLOG("error adding %s to sudoers: %s", username, ldap_err2string( rc ));
    3036. 

  3036.                     throw MakeStringException(-1, "error adding %s to sudoers: %s", username, ldap_err2string( rc ));
    3037. 

  3037.                 }
    3038. 

  3038.             }
    3039. 

  3039.         }
    3040. 

  3040.         else if(stricmp(type, "sudoersdelete") == 0)
    3041. 

  3041.         {
    3042. 

  3042.             StringBuffer dn;
    3043. 

  3043.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    3044. 

  3044. 

  3045.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    3046. 

  3046.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3047. 

  3047. 

  3048.             int rc = ldap_delete_ext_s(ld, (char*)dn.str(), NULL, NULL);
    3049. 

  3049. 

  3050.             if ( rc != LDAP_SUCCESS )
    3051. 

  3051.             {
    3052. 

  3052.                 throw MakeStringException(-1, "Error deleting user %s from sudoers: %s", username, ldap_err2string(rc));
    3053. 

  3053.             }
    3054. 

  3054.         }
    3055. 

  3055.         else if(stricmp(type, "sudoersupdate") == 0)
    3056. 

  3056.         {
    3057. 

  3057.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    3058. 

  3058.             if (ldapuser == nullptr)
    3059. 

  3059.             {
    3060. 

  3060.                 throw MakeStringException(-1, "Unable to cast user %s to CLdapSecUser", username);
    3061. 

  3061.             }
    3062. 

  3062. 

  3063.             char* sudoHost = (char*)ldapuser->getSudoHost();
    3064. 

  3064.             char* sudoCommand = (char*)ldapuser->getSudoCommand();
    3065. 

  3065.             char* sudoOption = (char*)ldapuser->getSudoOption();
    3066. 

  3066. 

  3067.             char *host_values[] = {(sudoHost&&*sudoHost)?sudoHost:NULL, NULL };
    3068. 

  3068.             LDAPMod host_attr =
    3069. 

  3069.             {
    3070. 

  3070.                 LDAP_MOD_REPLACE,
    3071. 

  3071.                 "sudoHost",
    3072. 

  3072.                 host_values
    3073. 

  3073.             };
    3074. 

  3074. 

  3075.             char *cmd_values[] = {(sudoCommand&&*sudoCommand)?sudoCommand:NULL, NULL };
    3076. 

  3076.             LDAPMod cmd_attr =
    3077. 

  3077.             {
    3078. 

  3078.                 LDAP_MOD_REPLACE,
    3079. 

  3079.                 "sudoCommand",
    3080. 

  3080.                 cmd_values
    3081. 

  3081.             };
    3082. 

  3082. 

  3083.             char *option_values[] = {(sudoOption&&*sudoOption)?sudoOption:NULL, NULL };
    3084. 

  3084.             LDAPMod option_attr =
    3085. 

  3085.             {
    3086. 

  3086.                 LDAP_MOD_REPLACE,
    3087. 

  3087.                 "sudoOption",
    3088. 

  3088.                 option_values
    3089. 

  3089.             };
    3090. 

  3090. 

  3091.             LDAPMod *attrs[4];
    3092. 

  3092.             int ind = 0;
    3093. 

  3093. 

  3094.             attrs[ind++] = &host_attr;
    3095. 

  3095.             attrs[ind++] = &cmd_attr;
    3096. 

  3096.             attrs[ind++] = &option_attr;
    3097. 

  3097. 

  3098.             attrs[ind] = NULL;
    3099. 

  3099. 

  3100.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    3101. 

  3101.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3102. 

  3102.             StringBuffer dn;
    3103. 

  3103.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    3104. 

  3104.             int rc = ldap_modify_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    3105. 

  3105.             if ( rc != LDAP_SUCCESS )
    3106. 

  3106.             {
    3107. 

  3107.                 DBGLOG("error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
    3108. 

  3108.                 throw MakeStringException(-1, "error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
    3109. 

  3109.             }
    3110. 

  3110.         }
    3111. 

  3111. 

  3112.         if (rc == LDAP_SUCCESS )
    3113. 

  3113.             DBGLOG("User %s successfully updated", username);
    3114. 

  3114.         else
    3115. 

  3115.             throw MakeStringException(-1, "Error updating user %s - %s", username, ldap_err2string( rc ));
    3116. 

  3116. 

  3117.         return true;
    3118. 

  3118.     }
    3119. 

  3119. 

  3120.     virtual bool changePasswordSSL(const char* username, const char* newPassword)
    3121. 

  3121.     {
    3122. 

  3122.         Owned<ILdapConnection> lconn;
    3123. 

  3123.         try
    3124. 

  3124.         {
    3125. 

  3125.             lconn.setown(m_connections->getSSLConnection());
    3126. 

  3126.         }
    3127. 

  3127.         catch(IException*)
    3128. 

  3128.         {
    3129. 

  3129.             throw MakeStringException(-1, "Failed to set user %s's password because of not being able to create an SSL connection to the ldap server. To set an Active Directory user's password from Linux, you need to enable SSL on the Active Directory ldap server", username);
    3130. 

  3130.         }
    3131. 

  3131. 

  3132.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3133. 

  3133. 

  3134.         char        *attribute, **values = NULL;
    3135. 

  3135.         LDAPMessage *message;
    3136. 

  3136. 

  3137.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    3138. 

  3138. 

  3139.         StringBuffer filter;
    3140. 

  3140.         filter.append("sAMAccountName=").append(username);
    3141. 

  3141. 

  3142.         char        *attrs[] = {"distinguishedName", NULL};
    3143. 

  3143.         CLDAPMessage searchResult;
    3144. 

  3144.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    3145. 

  3145. 

  3146.         if ( rc != LDAP_SUCCESS )
    3147. 

  3147.         {
    3148. 

  3148.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    3149. 

  3149.             return false;
    3150. 

  3150.         }
    3151. 

  3151. 

  3152.         StringBuffer userdn;
    3153. 

  3153.         message = LdapFirstEntry( ld, searchResult);
    3154. 

  3154.         if(message != NULL)
    3155. 

  3155.         {
    3156. 

  3156.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    3157. 

  3157.             for ( attribute = atts.getFirst();
    3158. 

  3158.                   attribute != NULL;
    3159. 

  3159.                   attribute = atts.getNext())
    3160. 

  3160.             {
    3161. 

  3161.                 if(0 == stricmp(attribute, "distinguishedName"))
    3162. 

  3162.                 {
    3163. 

  3163.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    3164. 

  3164.                     if (vals.hasValues())
    3165. 

  3165.                         userdn.set(vals.queryCharValue(0));
    3166. 

  3166.                     break;
    3167. 

  3167.                 }
    3168. 

  3168.             }
    3169. 

  3169.         }
    3170. 

  3170. 

  3171.         if(userdn.length() == 0)
    3172. 

  3172.         {
    3173. 

  3173.             throw MakeStringException(-1, "can't find dn for user %s", username);
    3174. 

  3174.         }
    3175. 

  3175. 

  3176.         LDAPMod modPassword;
    3177. 

  3177.         LDAPMod *modEntry[2];
    3178. 

  3178.         struct berval pwdBerVal;
    3179. 

  3179.         struct berval *pwd_attr[2];
    3180. 

  3180.         unsigned short pszPasswordWithQuotes[1024];
    3181. 

  3181. 

  3182.         modEntry[0] = &modPassword;
    3183. 

  3183.         modEntry[1] = NULL;
    3184. 

  3184. 

  3185.         modPassword.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    3186. 

  3186.         modPassword.mod_type =  "unicodePwd";
    3187. 

  3187.         modPassword.mod_vals.modv_bvals = pwd_attr;
    3188. 

  3188. 

  3189.         pwd_attr[0] = &pwdBerVal;
    3190. 

  3190.         pwd_attr[1]= NULL;
    3191. 

  3191. 

  3192.         StringBuffer quotedPasswd("\"");
    3193. 

  3193.         quotedPasswd.append(newPassword).append("\"");
    3194. 

  3194.         ConvertCToW(pszPasswordWithQuotes, quotedPasswd);
    3195. 

  3195. 

  3196.         pwdBerVal.bv_len = quotedPasswd.length() * sizeof(unsigned short);
    3197. 

  3197.         pwdBerVal.bv_val = (char*)pszPasswordWithQuotes;
    3198. 

  3198. 

  3199.         rc = ldap_modify_ext_s(ld, (char*)userdn.str(), modEntry, NULL, NULL);
    3200. 

  3200. 

  3201.         if (rc == LDAP_SUCCESS )
    3202. 

  3202.             DBGLOG("User %s's password has been changed successfully", username);
    3203. 

  3203.         else
    3204. 

  3204.         {
    3205. 

  3205.             StringBuffer errmsg;
    3206. 

  3206.             errmsg.appendf("Error setting password for %s - (%d) %s.", username, rc, ldap_err2string( rc ));
    3207. 

  3207.             if(rc == LDAP_UNWILLING_TO_PERFORM)
    3208. 

  3208.                 errmsg.append(" The ldap server refused to change the password. Usually this is because your new password doesn't satisfy the domain policy.");
    3209. 

  3209. 

  3210.             throw MakeStringExceptionDirect(-1, errmsg.str());
    3211. 

  3211.         }
    3212. 

  3212. 

  3213.         return true;
    3214. 

  3214.     }
    3215. 

  3215. 

  3216.     virtual bool queryPasswordStatus(ISecUser& user, const char* password)
    3217. 

  3217.     {
    3218. 

  3218.         char *ldap_errstring = NULL;
    3219. 

  3219.         const char * username = user.getName();
    3220. 

  3220. 

  3221.         StringBuffer userdn;
    3222. 

  3222.         getUserDN(user.getName(), userdn);
    3223. 

  3223. 

  3224.         StringBuffer hostbuf;
    3225. 

  3225.         m_ldapconfig->getLdapHost(hostbuf);
    3226. 

  3226. 

  3227.         LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    3228. 

  3228.         int rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getLdapTimeout(),m_ldapconfig->getDomain(), username, password, userdn, m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    3229. 

  3229.         if(rc != LDAP_SUCCESS)
    3230. 

  3230.             ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
    3231. 

  3231.         LDAP_UNBIND(user_ld);
    3232. 

  3232. 

  3233.         //Error string ""80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db0."
    3234. 

  3234.         //is returned if pw valid but expired
    3235. 

  3235.         if(rc == LDAP_SUCCESS || strstr(ldap_errstring, "data 532") || strstr(ldap_errstring, "data 773"))//
    3236. 

  3236.             return true;
    3237. 

  3237.         else
    3238. 

  3238.             return false;
    3239. 

  3239.     }
    3240. 

  3240. 

  3241.     virtual bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword)
    3242. 

  3242.     {
    3243. 

  3243.         const char* username = user.getName();
    3244. 

  3244.         if(!username || !*username)
    3245. 

  3245.         {
    3246. 

  3246.             DBGLOG("CLdapClient::updateUserPassword username must be provided");
    3247. 

  3247.             return false;
    3248. 

  3248.         }
    3249. 

  3249. 

  3250.         if (currPassword)
    3251. 

  3251.         {
    3252. 

  3252.             //User will not be authenticated if their password was expired,
    3253. 

  3253.             //so check here that they provided a valid one in the "change
    3254. 

  3254.             //password" form (use the one they type, not the one in the secuser)
    3255. 

  3255.             bool validated = queryPasswordStatus(user, currPassword);
    3256. 

  3256.             if (!validated)
    3257. 

  3257.                 throw MakeStringException(-1, "Password not changed, invalid credentials");
    3258. 

  3258.         }
    3259. 

  3259. 

  3260.         return updateUserPassword(username, newPassword);
    3261. 

  3261.     }
    3262. 

  3262. 

  3263.     virtual bool updateUserPassword(const char* username, const char* newPassword)
    3264. 

  3264.     {
    3265. 

  3265.         if(!username || !*username)
    3266. 

  3266.         {
    3267. 

  3267.             DBGLOG("CLdapClient::updateUserPassword username must be provided");
    3268. 

  3268.             return false;
    3269. 

  3269.         }
    3270. 

  3270. 

  3271.         const char* sysuser = m_ldapconfig->getSysUser();
    3272. 

  3272.         if(sysuser && *sysuser && strcmp(username, sysuser) == 0)
    3273. 

  3273.             throw MakeStringException(-1, "You can't change password of the system user.");
    3274. 

  3274. 

  3275.         LdapServerType servertype = m_ldapconfig->getServerType();
    3276. 

  3276.         bool ret = true;
    3277. 

  3277.         if(servertype == ACTIVE_DIRECTORY)
    3278. 

  3278.         {
    3279. 

  3279. #ifdef _WIN32
    3280. 

  3280.             DWORD nStatus = 0;
    3281. 

  3281.             // The application has to run on the same domain as ldap host, and under an administrative user.
    3282. 

  3282.             USER_INFO_1003 usriSetPassword;
    3283. 

  3283.             StringBuffer fullserver("\\\\");
    3284. 

  3284.             StringBuffer server;
    3285. 

  3285.             m_ldapconfig->getLdapHost(server);
    3286. 

  3286.             fullserver.append(server.str());
    3287. 

  3287.             LPWSTR whost = (LPWSTR)alloca((fullserver.length() +1) * sizeof(WCHAR));
    3288. 

  3288.             ConvertCToW((unsigned short *)whost, fullserver.str());
    3289. 

  3289. 

  3290.             LPWSTR wusername = (LPWSTR)alloca((strlen(username) + 1) * sizeof(WCHAR));
    3291. 

  3291.             ConvertCToW((unsigned short *)wusername, username);
    3292. 

  3292.             LPWSTR wnewpasswd = (LPWSTR)alloca((strlen(newPassword) + 1) * sizeof(WCHAR));
    3293. 

  3293.             ConvertCToW((unsigned short *)wnewpasswd, newPassword);
    3294. 

  3294.             usriSetPassword.usri1003_password  = wnewpasswd;
    3295. 

  3295.             nStatus = NetUserSetInfo(whost, wusername,  1003, (LPBYTE)&usriSetPassword, NULL);
    3296. 

  3296. 

  3297.             if (nStatus == NERR_Success)
    3298. 

  3298.             {
    3299. 

  3299.                 DBGLOG("User %s's password has been changed successfully", username);
    3300. 

  3300.                 return true;
    3301. 

  3301.             }
    3302. 

  3302.             else
    3303. 

  3303.             {
    3304. 

  3304.                 StringBuffer errcode, errmsg;
    3305. 

  3305. 

  3306.                 if(nStatus == ERROR_ACCESS_DENIED)
    3307. 

  3307.                 {
    3308. 

  3308.                     errcode.append("ERROR_ACCESS_DENIED");
    3309. 

  3309.                     errmsg.append("The user does not have access to the requested information.");
    3310. 

  3310.                 }
    3311. 

  3311.                 else if(nStatus == ERROR_INVALID_PASSWORD)
    3312. 

  3312.                 {
    3313. 

  3313.                     errcode.append("ERROR_INVALID_PASSWORD");
    3314. 

  3314.                     errmsg.append("The user has entered an invalid password.");
    3315. 

  3315.                 }
    3316. 

  3316.                 else if(nStatus == NERR_InvalidComputer)
    3317. 

  3317.                 {
    3318. 

  3318.                     errcode.append("NERR_InvalidComputer");
    3319. 

  3319.                     errmsg.append("The computer name is invalid.");
    3320. 

  3320.                 }
    3321. 

  3321.                 else if(nStatus == NERR_NotPrimary)
    3322. 

  3322.                 {
    3323. 

  3323.                     errcode.append("NERR_NotPrimary");
    3324. 

  3324.                     errmsg.append("The operation is allowed only on the primary domain controller of the domain.");
    3325. 

  3325.                 }
    3326. 

  3326.                 else if(nStatus == NERR_UserNotFound)
    3327. 

  3327.                 {
    3328. 

  3328.                     errcode.append("NERR_UserNotFound");
    3329. 

  3329.                     errmsg.append("The user name could not be found.");
    3330. 

  3330.                 }
    3331. 

  3331.                 else if(nStatus == NERR_PasswordTooShort)
    3332. 

  3332.                 {
    3333. 

  3333.                     errcode.append("NERR_PasswordTooShort");
    3334. 

  3334.                     errmsg.append("The password is shorter than required. ");
    3335. 

  3335.                 }
    3336. 

  3336.                 else if(nStatus == ERROR_LOGON_FAILURE)
    3337. 

  3337.                 {
    3338. 

  3338.                     errcode.append("ERROR_LOGON_FAILURE");
    3339. 

  3339.                     errmsg.append("To be able to reset password this way, esp has to run under an administrative user on the same domain as the active directory. ");
    3340. 

  3340.                 }
    3341. 

  3341.                 else
    3342. 

  3342.                 {
    3343. 

  3343.                     errcode.appendf("%d", nStatus);
    3344. 

  3344.                     errmsg.append("");
    3345. 

  3345.                 }
    3346. 

  3346.                 // For certain errors just return, other errors try changePasswordSSL.
    3347. 

  3347.                 if(nStatus == ERROR_INVALID_PASSWORD || nStatus == NERR_UserNotFound || nStatus == NERR_PasswordTooShort)
    3348. 

  3348.                     throw MakeStringException(-1, "An error has occurred while setting password with NetUserSetInfo for %s: %s - %s\n", username, errcode.str(), errmsg.str());
    3349. 

  3349.                 else
    3350. 

  3350.                     DBGLOG("An error has occurred while setting password with NetUserSetInfo for %s: %s - %s\n", username, errcode.str(), errmsg.str());
    3351. 

  3351.             }
    3352. 

  3352.             DBGLOG("Trying changePasswordSSL to change password over regular SSL connection.");
    3353. 

  3353. #endif
    3354. 

  3354.             changePasswordSSL(username, newPassword);
    3355. 

  3355.         }
    3356. 

  3356.         else
    3357. 

  3357.         {
    3358. 

  3358.             StringBuffer filter;
    3359. 

  3359.             filter.append("uid=").append(username);
    3360. 

  3360. 

  3361.             char        **values = NULL;
    3362. 

  3362.             LDAPMessage *message;
    3363. 

  3363. 

  3364.             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    3365. 

  3365. 

  3366.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    3367. 

  3367.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3368. 

  3368. 

  3369.             char        *attrs[] = {LDAP_NO_ATTRS, NULL};
    3370. 

  3370.             CLDAPMessage searchResult;
    3371. 

  3371.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    3372. 

  3372. 

  3373.             if ( rc != LDAP_SUCCESS )
    3374. 

  3374.             {
    3375. 

  3375.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    3376. 

  3376.                 return false;
    3377. 

  3377.             }
    3378. 

  3378. 

  3379.             StringBuffer userdn;
    3380. 

  3380.             message = LdapFirstEntry( ld, searchResult);
    3381. 

  3381. 

  3382.             if(message != NULL)
    3383. 

  3383.             {
    3384. 

  3384.                 char *p = ldap_get_dn(ld, message);
    3385. 

  3385.                 userdn.append(p);
    3386. 

  3386.                 ldap_memfree(p);
    3387. 

  3387.             }
    3388. 

  3388.             char* passwdvalue[] = { (char*)newPassword, NULL };
    3389. 

  3389.             LDAPMod pmod =
    3390. 

  3390.             {
    3391. 

  3391.                 LDAP_MOD_REPLACE,
    3392. 

  3392.                 "userpassword",
    3393. 

  3393.                 passwdvalue
    3394. 

  3394.             };
    3395. 

  3395. 

  3396.             LDAPMod* pmods[] = {&pmod, NULL};
    3397. 

  3397.             rc = ldap_modify_ext_s(ld, (char*)userdn.str(), pmods, NULL, NULL);
    3398. 

  3398. 

  3399.             if (rc == LDAP_SUCCESS )
    3400. 

  3400.                 DBGLOG("User %s's password has been changed successfully", username);
    3401. 

  3401.             else
    3402. 

  3402.             {
    3403. 

  3403.                 StringBuffer errmsg;
    3404. 

  3404.                 errmsg.appendf("Error changing password for %s - (%d) %s.", username, rc, ldap_err2string( rc ));
    3405. 

  3405.                 if(rc == LDAP_UNWILLING_TO_PERFORM)
    3406. 

  3406.                     errmsg.append(" The ldap server refused to execute the password change action, one of the reasons might be that the new password you entered doesn't satisfy the policy requirement.");
    3407. 

  3407. 

  3408.                 throw MakeStringExceptionDirect(-1, errmsg.str());
    3409. 

  3409.             }
    3410. 

  3410.         }
    3411. 

  3411.         return true;
    3412. 

  3412.     }
    3413. 

  3413. 

  3414.     virtual bool getResources(SecResourceType rtype, const char * basedn, const char* prefix, IArrayOf<ISecResource>& resources)
    3415. 

  3415.     {
    3416. 

  3416.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3417. 

  3417.         return getResources( ((CLdapConnection*)lconn.get())->getLd(), rtype, basedn, prefix, resources);
    3418. 

  3418.     }
    3419. 

  3419. 

  3420.     virtual bool getResources(LDAP* ld, SecResourceType rtype, const char * basedn, const char* prefix, IArrayOf<ISecResource>& resources)
    3421. 

  3421.     {
    3422. 

  3422.         char        *attribute;
    3423. 

  3423.         LDAPMessage *message;
    3424. 

  3424. 

  3425.         StringBuffer basednbuf;
    3426. 

  3426.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    3427. 

  3427.         StringBuffer filter("objectClass=*");
    3428. 

  3428. 

  3429.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    3430. 

  3430.         const char* fldname;
    3431. 

  3431.         LdapServerType servertype = m_ldapconfig->getServerType();
    3432. 

  3432.         if(servertype == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    3433. 

  3433.             fldname = "name";
    3434. 

  3434.         else
    3435. 

  3435.             fldname = "ou";
    3436. 

  3436.         char        *attrs[] = {(char*)fldname, "description", NULL};
    3437. 

  3437. 

  3438.         CPagedLDAPSearch pagedSrch(ld, m_ldapconfig->getLdapTimeout(), (char*)basednbuf.str(), LDAP_SCOPE_ONELEVEL, (char*)filter.str(), attrs);
    3439. 

  3439.         for (message = pagedSrch.getFirstEntry(); message; message = pagedSrch.getNextEntry())
    3440. 

  3440.         {
    3441. 

  3441.             // Go through the search results by checking message types
    3442. 

  3442.             CLDAPGetAttributesWrapper   atts(ld, message);
    3443. 

  3443.             for ( attribute = atts.getFirst();
    3444. 

  3444.                   attribute != NULL;
    3445. 

  3445.                   attribute = atts.getNext())
    3446. 

  3446.             {
    3447. 

  3447.                 StringBuffer descbuf;
    3448. 

  3448.                 StringBuffer curname;
    3449. 

  3449. 

  3450.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    3451. 

  3451.                 if (vals.hasValues())
    3452. 

  3452.                 {
    3453. 

  3453.                     const char* val = vals.queryCharValue(0);
    3454. 

  3454.                     if(val != NULL)
    3455. 

  3455.                     {
    3456. 

  3456.                         if(stricmp(attribute, fldname) == 0)
    3457. 

  3457.                         {
    3458. 

  3458.                             curname.append(val);
    3459. 

  3459.                         }
    3460. 

  3460.                         else if(stricmp(attribute, "description") == 0)
    3461. 

  3461.                         {
    3462. 

  3462.                             descbuf.append(val);
    3463. 

  3463.                         }
    3464. 

  3464.                     }
    3465. 

  3465.                 }
    3466. 

  3466. 

  3467.                 if(curname.length() == 0)
    3468. 

  3468.                     continue;
    3469. 

  3469.                 StringBuffer resourcename;
    3470. 

  3470.                 if(prefix != NULL && *prefix != '\0')
    3471. 

  3471.                     resourcename.append(prefix);
    3472. 

  3472.                 resourcename.append(curname.str());
    3473. 

  3473.                 CLdapSecResource* resource = new CLdapSecResource(resourcename.str());
    3474. 

  3474.                 resource->setDescription(descbuf.str());
    3475. 

  3475.                 resources.append(*resource);
    3476. 

  3476.                 if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    3477. 

  3477.                 {
    3478. 

  3478.                     StringBuffer nextbasedn;
    3479. 

  3479.                     nextbasedn.append("ou=").append(curname.str()).append(",").append(basedn);
    3480. 

  3480.                     StringBuffer nextprefix;
    3481. 

  3481.                     if(prefix != NULL && *prefix != '\0')
    3482. 

  3482.                         nextprefix.append(prefix);
    3483. 

  3483.                     nextprefix.append(curname.str()).append("::");
    3484. 

  3484.                     getResources(ld, rtype, nextbasedn.str(), nextprefix.str(), resources);
    3485. 

  3485.                 }
    3486. 

  3486.             }
    3487. 

  3487.         }
    3488. 

  3488. 

  3489.         return true;
    3490. 

  3490.     }
    3491. 

  3491. 

  3492.     virtual bool getResourcesEx(SecResourceType rtype, const char * basedn, const char* prefix, const char* searchstr, IArrayOf<ISecResource>& resources)
    3493. 

  3493.     {
    3494. 

  3494.         char        *attribute;
    3495. 

  3495.         LDAPMessage *message;
    3496. 

  3496. 

  3497.         StringBuffer basednbuf;
    3498. 

  3498.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    3499. 

  3499.         StringBuffer filter("objectClass=*");
    3500. 

  3500.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    3501. 

  3501.         {
    3502. 

  3502.             filter.insert(0, "(&(");
    3503. 

  3503.             filter.appendf(")(|(%s=*%s*)))", "uNCName", searchstr);
    3504. 

  3504.         }
    3505. 

  3505. 

  3506.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    3507. 

  3507. 

  3508.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3509. 

  3509.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3510. 

  3510. 

  3511.         const char* fldname;
    3512. 

  3512.         LdapServerType servertype = m_ldapconfig->getServerType();
    3513. 

  3513.         if(servertype == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    3514. 

  3514.             fldname = "name";
    3515. 

  3515.         else
    3516. 

  3516.             fldname = "ou";
    3517. 

  3517.         char        *attrs[] = {(char*)fldname, "description", NULL};
    3518. 

  3518. 

  3519.         CPagedLDAPSearch pagedSrch(ld, m_ldapconfig->getLdapTimeout(), (char*)basednbuf.str(), LDAP_SCOPE_ONELEVEL, (char*)filter.str(), attrs);
    3520. 

  3520.         for (message = pagedSrch.getFirstEntry(); message; message = pagedSrch.getNextEntry())
    3521. 

  3521.         {
    3522. 

  3522.             // Go through the search results by checking message types
    3523. 

  3523.             StringBuffer descbuf;
    3524. 

  3524.             StringBuffer curname;
    3525. 

  3525.             CLDAPGetAttributesWrapper   atts(ld, message);
    3526. 

  3526.             for ( attribute = atts.getFirst();
    3527. 

  3527.                   attribute != NULL;
    3528. 

  3528.                   attribute = atts.getNext())
    3529. 

  3529.             {
    3530. 

  3530.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    3531. 

  3531.                 if (vals.hasValues())
    3532. 

  3532.                 {
    3533. 

  3533.                     const char * val = vals.queryCharValue(0);
    3534. 

  3534.                     if(val != NULL)
    3535. 

  3535.                     {
    3536. 

  3536.                         if(stricmp(attribute, fldname) == 0)
    3537. 

  3537.                         {
    3538. 

  3538.                             curname.append(val);
    3539. 

  3539.                         }
    3540. 

  3540.                         else if(stricmp(attribute, "description") == 0)
    3541. 

  3541.                         {
    3542. 

  3542.                             descbuf.append(val);
    3543. 

  3543.                         }
    3544. 

  3544.                     }
    3545. 

  3545.                 }
    3546. 

  3546.             }
    3547. 

  3547.             if(curname.length() == 0)
    3548. 

  3548.                 continue;
    3549. 

  3549.             StringBuffer resourcename;
    3550. 

  3550.             if(prefix != NULL && *prefix != '\0')
    3551. 

  3551.                 resourcename.append(prefix);
    3552. 

  3552.             resourcename.append(curname.str());
    3553. 

  3553.             CLdapSecResource* resource = new CLdapSecResource(resourcename.str());
    3554. 

  3554.             resource->setDescription(descbuf.str());
    3555. 

  3555.             resources.append(*resource);
    3556. 

  3556.             if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    3557. 

  3557.             {
    3558. 

  3558.                 StringBuffer nextbasedn;
    3559. 

  3559.                 nextbasedn.append("ou=").append(curname.str()).append(",").append(basedn);
    3560. 

  3560.                 StringBuffer nextprefix;
    3561. 

  3561.                 if(prefix != NULL && *prefix != '\0')
    3562. 

  3562.                     nextprefix.append(prefix);
    3563. 

  3563.                 nextprefix.append(curname.str()).append("::");
    3564. 

  3564.                 getResources(ld, rtype, nextbasedn.str(), nextprefix.str(), resources);
    3565. 

  3565.             }
    3566. 

  3566.         }
    3567. 

  3567. 

  3568.         return true;
    3569. 

  3569.     }
    3570. 

  3570. 

  3571.     virtual IPropertyTreeIterator* getResourceIterator(SecResourceType rtype, const char * basedn,
    3572. 

  3572.         const char* prefix, const char* resourceName, unsigned extraNameFilter)
    3573. 

  3573.     {
    3574. 

  3574.         IArrayOf<ISecResource> resources;
    3575. 

  3575.         getResourcesEx(rtype, basedn, prefix, resourceName, resources);
    3576. 

  3576. 

  3577.         Owned<IPTree> resourceTree = createPTree("Resources");
    3578. 

  3578.         ForEachItemIn(i, resources)
    3579. 

  3579.         {
    3580. 

  3580.             ISecResource& resource = resources.item(i);
    3581. 

  3581.             const char* resourceName = resource.getName();
    3582. 

  3582.             if (!resourceName || !*resourceName)
    3583. 

  3583.                 continue;
    3584. 

  3584.             if (checkResourceNameExtraFilter(rtype, resourceName, extraNameFilter))
    3585. 

  3585.                 addResourceTree(resourceName, resource.getDescription(), resourceTree);
    3586. 

  3586.         }
    3587. 

  3587.         return resourceTree->getElements("*");
    3588. 

  3588.     }
    3589. 

  3589. 

  3590.     bool checkResourceNameExtraFilter(SecResourceType rtype, const char* name, unsigned extraNameFilter)
    3591. 

  3591.     {
    3592. 

  3592.         if((rtype == RT_FILE_SCOPE) && (extraNameFilter & RF_RT_FILE_SCOPE_FILE) && strieq(name, "file"))
    3593. 

  3593.             return false;
    3594. 

  3594.         if((rtype == RT_MODULE) && (extraNameFilter & RF_RT_MODULE_NO_REPOSITORY) && strnicmp(name, "repository.", 11))
    3595. 

  3595.             return false;
    3596. 

  3596.         return true;
    3597. 

  3597.     }
    3598. 

  3598. 

  3599.     void addResourceTree(const char* name, const char* desc, IPropertyTree* elements)
    3600. 

  3600.     {
    3601. 

  3601.         if (!name || !*name)
    3602. 

  3602.         {
    3603. 

  3603.             DBGLOG("CLdapClient::addResourceTree resource name must be provided");
    3604. 

  3604.             return;
    3605. 

  3605.         }
    3606. 

  3606. 

  3607.         Owned<IPTree> element = createPTree();
    3608. 

  3608.         element->addProp(getResourceFieldNames(RFName), name);
    3609. 

  3609.         if (desc && *desc)
    3610. 

  3610.             element->addProp(getResourceFieldNames(RFDesc), desc);
    3611. 

  3611.         elements->addPropTree("Resource", element.getClear());
    3612. 

  3612.     }
    3613. 

  3613. 

  3614.     ISecItemIterator* getResourcesSorted(SecResourceType rtype, const char * basedn, const char* resourceName, unsigned extraNameFilter,
    3615. 

  3615.         ResourceField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint)
    3616. 

  3616.     {
    3617. 

  3617.         class CElementsPager : public CSimpleInterface, implements IElementsPager
    3618. 

  3618.         {
    3619. 

  3619.             ILdapClient* ldapClient;
    3620. 

  3620.             StringAttr sortOrder, basedn, resourceName;
    3621. 

  3621.             SecResourceType rtype;
    3622. 

  3622.             unsigned extraNameFilter;
    3623. 

  3623. 

  3624.         public:
    3625. 

  3625.             IMPLEMENT_IINTERFACE_USING(CSimpleInterface);
    3626. 

  3626. 

  3627.             CElementsPager(ILdapClient* _ldapClient, SecResourceType _rtype, const char * _basedn, const char* _resourceName,
    3628. 

  3628.                 unsigned _extraNameFilter, const char*_sortOrder) : ldapClient(_ldapClient), rtype(_rtype), basedn(_basedn),
    3629. 

  3629.                 resourceName(_resourceName), extraNameFilter(_extraNameFilter), sortOrder(_sortOrder) { };
    3630. 

  3630.             virtual IRemoteConnection* getElements(IArrayOf<IPropertyTree>& elements)
    3631. 

  3631.             {
    3632. 

  3632.                 StringArray unknownAttributes;
    3633. 

  3633.                 Owned<IPropertyTreeIterator> iter = ldapClient->getResourceIterator(rtype, basedn.get(), "", resourceName.get(), extraNameFilter);
    3634. 

  3634.                 sortElements(iter, sortOrder.get(), NULL, NULL, unknownAttributes, elements);
    3635. 

  3635.                 return NULL;
    3636. 

  3636.             }
    3637. 

  3637.             virtual bool allMatchingElementsReceived() { return true; }//For now, ldap always returns all of matched users.
    3638. 

  3638.         };
    3639. 

  3639. 

  3640.         StringBuffer so;
    3641. 

  3641.         if (sortOrder)
    3642. 

  3642.         {
    3643. 

  3643.             for (unsigned i=0;sortOrder[i]!=RFterm;i++)
    3644. 

  3644.             {
    3645. 

  3645.                 if (so.length())
    3646. 

  3646.                     so.append(',');
    3647. 

  3647.                 int fmt = sortOrder[i];
    3648. 

  3648.                 if (fmt&UFreverse)
    3649. 

  3649.                     so.append('-');
    3650. 

  3650.                 if (fmt&UFnocase)
    3651. 

  3651.                     so.append('?');
    3652. 

  3652.                 if (fmt&UFnumeric)
    3653. 

  3653.                     so.append('#');
    3654. 

  3654.                 so.append(getUserFieldNames((UserField) (fmt&0xff)));
    3655. 

  3655.             }
    3656. 

  3656.         }
    3657. 

  3657.         IArrayOf<IPropertyTree> results;
    3658. 

  3658.         Owned<IElementsPager> elementsPager = new CElementsPager(this, rtype, basedn, resourceName, extraNameFilter, so.length()?so.str():NULL);
    3659. 

  3659.         Owned<IRemoteConnection> conn=getElementsPaged(elementsPager, pageStartFrom, pageSize, NULL, "", cacheHint, results, total, NULL, false);
    3660. 

  3660.         return new CSecItemIterator(results);
    3661. 

  3661.     }
    3662. 

  3662. 

  3663.     virtual bool getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf<CPermission>& permissions)
    3664. 

  3664.     {
    3665. 

  3665.         StringBuffer basednbuf;
    3666. 

  3666.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    3667. 

  3667.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(name);
    3668. 

  3668.         IArrayOf<CSecurityDescriptor> sdlist;
    3669. 

  3669.         sdlist.append(*LINK(sd));
    3670. 

  3670.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    3671. 

  3671.             getSecurityDescriptorsScope(sdlist, basednbuf.str());
    3672. 

  3672.         else
    3673. 

  3673.             getSecurityDescriptors(sdlist, basednbuf.str());
    3674. 

  3674. 

  3675.         m_pp->getPermissionsArray(sd.get(), permissions);
    3676. 

  3676. 

  3677.         return true;
    3678. 

  3678.     }
    3679. 

  3679. 

  3680.     SecResourceType str2RType(const char* rtstr)
    3681. 

  3681.     {
    3682. 

  3682.         if(isEmptyString(rtstr))
    3683. 

  3683.             return RT_DEFAULT;
    3684. 

  3684.         else if(strieq(rtstr, "module"))
    3685. 

  3685.             return RT_MODULE;
    3686. 

  3686.         else if(strieq(rtstr, "service"))
    3687. 

  3687.             return RT_SERVICE;
    3688. 

  3688.         else if(strieq(rtstr, "file"))
    3689. 

  3689.             return RT_FILE_SCOPE;
    3690. 

  3690.         else if(strieq(rtstr, "workunit"))
    3691. 

  3691.             return RT_WORKUNIT_SCOPE;
    3692. 

  3692.         else
    3693. 

  3693.             return RT_DEFAULT;
    3694. 

  3694.     }
    3695. 

  3695. 

  3696.     void addPermissionTree(CPermission& permission, enum ACCOUNT_TYPE_REQ accountType, IPropertyTree* permissionTree)
    3697. 

  3697.     {
    3698. 

  3698.         const char* accountName = permission.getAccount_name();
    3699. 

  3699.         if(isEmptyString(accountName))
    3700. 

  3700.             return;
    3701. 

  3701. 

  3702.         ACT_TYPE type = permission.getAccount_type();
    3703. 

  3703.         if ((accountType != REQ_ANY_ACT) && (type != (ACT_TYPE) accountType))
    3704. 

  3704.             return;
    3705. 

  3705. 

  3706.         Owned<IPTree> permissionNode = createPTree();
    3707. 

  3707.         permissionNode->setProp(getResourcePermissionFieldNames(RPFName), accountName);
    3708. 

  3708.         permissionNode->setPropInt(getResourcePermissionFieldNames(RPFType), type);
    3709. 

  3709.         permissionNode->setPropInt(getResourcePermissionFieldNames(RPFAllow), permission.getAllows());
    3710. 

  3710.         permissionNode->setPropInt(getResourcePermissionFieldNames(RPFDeny), permission.getDenies());
    3711. 

  3711.         permissionTree->addPropTree("Permission", permissionNode.getClear());
    3712. 

  3712.     }
    3713. 

  3713. 

  3714.     virtual IPropertyTreeIterator* getResourcePermissionIterator(const char* name, enum ACCOUNT_TYPE_REQ accountType, const char* baseDN,
    3715. 

  3715.         const char* rtype, const char* prefix)
    3716. 

  3716.     {
    3717. 

  3717.         StringBuffer namebuf(name);
    3718. 

  3718.         SecResourceType type = str2RType(rtype);
    3719. 

  3719.         if((type == RT_MODULE) && !strieq(name, "repository") && (strnicmp(name, "repository.", 11) != 0))
    3720. 

  3720.             namebuf.insert(0, "repository.");
    3721. 

  3721. 

  3722.         if(prefix && *prefix)
    3723. 

  3723.             namebuf.insert(0, prefix);
    3724. 

  3724. 

  3725.         IArrayOf<CPermission> permissions;
    3726. 

  3726.         getPermissionsArray(baseDN, type, namebuf.str(), permissions);
    3727. 

  3727. 

  3728.         Owned<IPropertyTree> permissionTree = createPTree("Permissions");
    3729. 

  3729.         ForEachItemIn(i, permissions)
    3730. 

  3730.             addPermissionTree(permissions.item(i), accountType, permissionTree);
    3731. 

  3731.         return permissionTree->getElements("*");
    3732. 

  3732.     }
    3733. 

  3733. 

  3734.     ISecItemIterator* getResourcePermissionsSorted(const char* name, enum ACCOUNT_TYPE_REQ accountType, const char* baseDN, const char* rtype,
    3735. 

  3735.         const char* prefix, ResourcePermissionField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize,
    3736. 

  3736.         unsigned* total, __int64* cacheHint)
    3737. 

  3737.     {
    3738. 

  3738.         class CElementsPager : public CSimpleInterface, implements IElementsPager
    3739. 

  3739.         {
    3740. 

  3740.             ILdapClient* ldapClient;
    3741. 

  3741.             StringAttr sortOrder, name, baseDN, rtype, prefix;
    3742. 

  3742.             enum ACCOUNT_TYPE_REQ accountType;
    3743. 

  3743. 

  3744.         public:
    3745. 

  3745.             IMPLEMENT_IINTERFACE_USING(CSimpleInterface);
    3746. 

  3746. 

  3747.             CElementsPager(ILdapClient* _ldapClient, const char* _name, enum ACCOUNT_TYPE_REQ _accountType, const char* _baseDN,
    3748. 

  3748.                 const char* _rtype, const char* _prefix, const char*_sortOrder) : ldapClient(_ldapClient), name(_name),
    3749. 

  3749.                 accountType(_accountType), baseDN(_baseDN), rtype(_rtype), prefix(_prefix), sortOrder(_sortOrder) { };
    3750. 

  3750.             virtual IRemoteConnection* getElements(IArrayOf<IPropertyTree>& elements)
    3751. 

  3751.             {
    3752. 

  3752.                 StringArray unknownAttributes;
    3753. 

  3753.                 Owned<IPropertyTreeIterator> iter = ldapClient->getResourcePermissionIterator(name.get(), accountType, baseDN.get(), rtype.get(), prefix.get());
    3754. 

  3754.                 sortElements(iter, sortOrder.get(), NULL, NULL, unknownAttributes, elements);
    3755. 

  3755.                 return NULL;
    3756. 

  3756.             }
    3757. 

  3757.             virtual bool allMatchingElementsReceived() { return true; }//For now, ldap always returns all of matched users.
    3758. 

  3758.         };
    3759. 

  3759. 

  3760.         StringBuffer so;
    3761. 

  3761.         if (sortOrder)
    3762. 

  3762.         {
    3763. 

  3763.             for (unsigned i=0; sortOrder[i]!=RPFterm; i++)
    3764. 

  3764.             {
    3765. 

  3765.                 if (so.length())
    3766. 

  3766.                     so.append(',');
    3767. 

  3767.                 int fmt = sortOrder[i];
    3768. 

  3768.                 if (fmt&RPFreverse)
    3769. 

  3769.                     so.append('-');
    3770. 

  3770.                 if (fmt&RPFnocase)
    3771. 

  3771.                     so.append('?');
    3772. 

  3772.                 if (fmt&RPFnumeric)
    3773. 

  3773.                     so.append('#');
    3774. 

  3774.                 so.append(getResourcePermissionFieldNames((ResourcePermissionField) (fmt&0xff)));
    3775. 

  3775.             }
    3776. 

  3776.         }
    3777. 

  3777.         IArrayOf<IPropertyTree> results;
    3778. 

  3778.         Owned<IElementsPager> elementsPager = new CElementsPager(this, name, accountType, baseDN, rtype, prefix, so.length()?so.str():NULL);
    3779. 

  3779.         Owned<IRemoteConnection> conn=getElementsPaged(elementsPager, pageStartFrom, pageSize, NULL, "", cacheHint, results, total, NULL, false);
    3780. 

  3780.         return new CSecItemIterator(results);
    3781. 

  3781.     }
    3782. 

  3782. 

  3783.     virtual void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions, const char * baseDN=nullptr)
    3784. 

  3784.     {
    3785. 

  3785.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3786. 

  3786.         {
    3787. 

  3787.             groups.append("Authenticated Users");
    3788. 

  3788.             managedBy.append("");
    3789. 

  3789.             descriptions.append("");
    3790. 

  3790.             groups.append("Administrators");
    3791. 

  3791.             managedBy.append("");
    3792. 

  3792.             descriptions.append("");
    3793. 

  3793.         }
    3794. 

  3794.         else
    3795. 

  3795.         {
    3796. 

  3796.             groups.append("Directory Administrators");
    3797. 

  3797.             managedBy.append("");
    3798. 

  3798.             descriptions.append("");
    3799. 

  3799.         }
    3800. 

  3800. 

  3801.         char        *attribute;
    3802. 

  3802.         LDAPMessage *message;
    3803. 

  3803. 

  3804.         StringBuffer filter;
    3805. 

  3805. 

  3806.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3807. 

  3807.             filter.append("objectClass=group");
    3808. 

  3808.         else
    3809. 

  3809.             filter.append("objectClass=groupofuniquenames");
    3810. 

  3810. 

  3811.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    3812. 

  3812. 

  3813.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3814. 

  3814.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3815. 

  3815.         char *attrs[] = {"cn", "managedBy", "description", NULL};
    3816. 

  3816. 

  3817.         CPagedLDAPSearch pagedSrch(ld, m_ldapconfig->getLdapTimeout(), baseDN==nullptr ? (char*)m_ldapconfig->getGroupBasedn() : (char*)baseDN, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs);
    3818. 

  3818.         for (message = pagedSrch.getFirstEntry(); message; message = pagedSrch.getNextEntry())
    3819. 

  3819.         {
    3820. 

  3820.             // Go through the search results by checking message types
    3821. 

  3821.             CLDAPGetAttributesWrapper   atts(ld, message);
    3822. 

  3822.             for ( attribute = atts.getFirst();
    3823. 

  3823.                   attribute != NULL;
    3824. 

  3824.                   attribute = atts.getNext())
    3825. 

  3825.             {
    3826. 

  3826.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    3827. 

  3827.                 if (!vals.hasValues())
    3828. 

  3828.                     continue;
    3829. 

  3829.                 if(stricmp(attribute, "cn") == 0)
    3830. 

  3830.                 {
    3831. 

  3831.                     groups.append(vals.queryCharValue(0));
    3832. 

  3832.                     managedBy.append("");
    3833. 

  3833.                     descriptions.append("");
    3834. 

  3834.                 }
    3835. 

  3835.                 else if(stricmp(attribute, "managedBy") == 0)
    3836. 

  3836.                     managedBy.replace(vals.queryCharValue(0), groups.length() - 1);
    3837. 

  3837.                 else if(stricmp(attribute, "description") == 0)
    3838. 

  3838.                     descriptions.replace(vals.queryCharValue(0), groups.length() - 1);
    3839. 

  3839.             }
    3840. 

  3840.         }
    3841. 

  3841. 

  3842.     }
    3843. 

  3843. 

  3844.     virtual IPropertyTreeIterator* getGroupIterator()
    3845. 

  3845.     {
    3846. 

  3846.         StringArray groupNames, managedBy, descriptions;
    3847. 

  3847.         getAllGroups(groupNames, managedBy, descriptions);
    3848. 

  3848. 

  3849.         Owned<IPTree> groups = createPTree("Groups");
    3850. 

  3850.         ForEachItemIn(i, groupNames)
    3851. 

  3851.             addGroupTree(groupNames.item(i), managedBy.item(i), descriptions.item(i), groups);
    3852. 

  3852.         return groups->getElements("*");
    3853. 

  3853.     }
    3854. 

  3854. 

  3855.     void addGroupTree(const char* name, const char* manageBy, const char* desc, IPropertyTree* groups)
    3856. 

  3856.     {
    3857. 

  3857.         if (!name || !*name)
    3858. 

  3858.         {
    3859. 

  3859.             DBGLOG("CLdapClient::addGroupTree groupname must be provided");
    3860. 

  3860.             return;
    3861. 

  3861.         }
    3862. 

  3862. 

  3863.         Owned<IPTree> group = createPTree();
    3864. 

  3864.         group->addProp(getGroupFieldNames(GFName), name);
    3865. 

  3865.         if (manageBy && *manageBy)
    3866. 

  3866.             group->addProp(getGroupFieldNames(GFManagedBy), manageBy);
    3867. 

  3867.         if (desc && *desc)
    3868. 

  3868.             group->addProp(getGroupFieldNames(GFDesc), desc);
    3869. 

  3869.         groups->addPropTree("Group", group.getClear());
    3870. 

  3870.     }
    3871. 

  3871. 

  3872.     ISecItemIterator* getGroupsSorted(GroupField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint)
    3873. 

  3873.     {
    3874. 

  3874.         class CElementsPager : public CSimpleInterface, implements IElementsPager
    3875. 

  3875.         {
    3876. 

  3876.             ILdapClient* ldapClient;
    3877. 

  3877.             StringAttr sortOrder;
    3878. 

  3878. 

  3879.         public:
    3880. 

  3880.             IMPLEMENT_IINTERFACE_USING(CSimpleInterface);
    3881. 

  3881. 

  3882.             CElementsPager(ILdapClient* _ldapClient, const char*_sortOrder)
    3883. 

  3883.                 : ldapClient(_ldapClient), sortOrder(_sortOrder) { };
    3884. 

  3884.             virtual IRemoteConnection* getElements(IArrayOf<IPropertyTree>& elements)
    3885. 

  3885.             {
    3886. 

  3886.                 StringArray unknownAttributes;
    3887. 

  3887.                 Owned<IPropertyTreeIterator> iter = ldapClient->getGroupIterator();
    3888. 

  3888.                 sortElements(iter, sortOrder.get(), NULL, NULL, unknownAttributes, elements);
    3889. 

  3889.                 return NULL;
    3890. 

  3890.             }
    3891. 

  3891.             virtual bool allMatchingElementsReceived() { return true; }//For now, ldap always returns all of matched users.
    3892. 

  3892.         };
    3893. 

  3893. 

  3894.         StringBuffer so;
    3895. 

  3895.         if (sortOrder)
    3896. 

  3896.         {
    3897. 

  3897.             for (unsigned i=0;sortOrder[i]!=GFterm;i++)
    3898. 

  3898.             {
    3899. 

  3899.                 if (so.length())
    3900. 

  3900.                     so.append(',');
    3901. 

  3901.                 int fmt = sortOrder[i];
    3902. 

  3902.                 if (fmt&UFreverse)
    3903. 

  3903.                     so.append('-');
    3904. 

  3904.                 if (fmt&UFnocase)
    3905. 

  3905.                     so.append('?');
    3906. 

  3906.                 if (fmt&UFnumeric)
    3907. 

  3907.                     so.append('#');
    3908. 

  3908.                 so.append(getUserFieldNames((UserField) (fmt&0xff)));
    3909. 

  3909.             }
    3910. 

  3910.         }
    3911. 

  3911.         IArrayOf<IPropertyTree> results;
    3912. 

  3912.         Owned<IElementsPager> elementsPager = new CElementsPager(this, so.length()?so.str():NULL);
    3913. 

  3913.         Owned<IRemoteConnection> conn=getElementsPaged(elementsPager, pageStartFrom, pageSize, NULL, "", cacheHint, results, total, NULL, false);
    3914. 

  3914.         return new CSecItemIterator(results);
    3915. 

  3915.     }
    3916. 

  3916. 

  3917.     virtual bool changePermission(CPermissionAction& action)
    3918. 

  3918.     {
    3919. 

  3919.         StringBuffer basednbuf;
    3920. 

  3920.         LdapUtils::normalizeDn(action.m_basedn.str(), m_ldapconfig->getBasedn(), basednbuf);
    3921. 

  3921.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(action.m_rname.str());
    3922. 

  3922.         IArrayOf<CSecurityDescriptor> sdlist;
    3923. 

  3923.         sdlist.append(*LINK(sd));
    3924. 

  3924.         if(action.m_rtype == RT_FILE_SCOPE || action.m_rtype == RT_WORKUNIT_SCOPE)
    3925. 

  3925.             getSecurityDescriptorsScope(sdlist, basednbuf.str());
    3926. 

  3926.         else
    3927. 

  3927.             getSecurityDescriptors(sdlist, basednbuf.str());
    3928. 

  3928. 

  3929.         if(m_ldapconfig->getServerType() != ACTIVE_DIRECTORY)
    3930. 

  3930.         {
    3931. 

  3931.             StringBuffer act_dn;
    3932. 

  3932.             if(action.m_account_type == GROUP_ACT)
    3933. 

  3933.                 getGroupDN(action.m_account_name.str(), act_dn);
    3934. 

  3934.             else
    3935. 

  3935.                 getUserDN(action.m_account_name.str(), act_dn);
    3936. 

  3936.             
    3937. 

  3937.             action.m_account_name.clear().append(act_dn.str());
    3938. 

  3938.         }
    3939. 

  3939. 

  3940.         Owned<CSecurityDescriptor> newsd = m_pp->changePermission(sd.get(), action);
    3941. 

  3941. 

  3942.         StringBuffer normdnbuf;
    3943. 

  3943.         LdapServerType servertype = m_ldapconfig->getServerType();
    3944. 

  3944.         name2dn(action.m_rtype, action.m_rname.str(), action.m_basedn.str(), normdnbuf);
    3945. 

  3945. 

  3946.         char *empty_values[] = { NULL };
    3947. 

  3947. 

  3948.         int numberOfSegs = m_pp->sdSegments(newsd.get());
    3949. 

  3949. 

  3950.         LDAPMod *attrs[2];
    3951. 

  3951.         LDAPMod sd_attr;
    3952. 

  3952.         if(newsd->getDescriptor().length() > 0)
    3953. 

  3953.         {
    3954. 

  3954.             struct berval** sd_values = (struct berval**)alloca(sizeof(struct berval*)*(numberOfSegs+1));
    3955. 

  3955.             MemoryBuffer& sdbuf = newsd->getDescriptor();
    3956. 

  3956. 

  3957.             // Active Directory acutally has only one segment.
    3958. 

  3958.             if(servertype == ACTIVE_DIRECTORY)
    3959. 

  3959.             {
    3960. 

  3960.                 struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    3961. 

  3961.                 sd_val->bv_len = sdbuf.length();
    3962. 

  3962.                 sd_val->bv_val = (char*)sdbuf.toByteArray();
    3963. 

  3963.                 sd_values[0] = sd_val;
    3964. 

  3964.                 sd_values[1] = NULL;
    3965. 

  3965. 

  3966.                 sd_attr.mod_type = "nTSecurityDescriptor";
    3967. 

  3967.             }
    3968. 

  3968.             else
    3969. 

  3969.             {
    3970. 

  3970.                 const char* bbptr = sdbuf.toByteArray();
    3971. 

  3971.                 const char* bptr = sdbuf.toByteArray();
    3972. 

  3972.                 int sdbuflen = sdbuf.length();
    3973. 

  3973.                 int segind;
    3974. 

  3974.                 for(segind = 0; segind < numberOfSegs; segind++)
    3975. 

  3975.                 {
    3976. 

  3976.                     if(bptr - bbptr >= sdbuflen)
    3977. 

  3977.                         break;
    3978. 

  3978.                     while(*bptr == '\0' && (bptr - bbptr) < sdbuflen)
    3979. 

  3979.                         bptr++;
    3980. 

  3980. 

  3981.                     const char* eptr = bptr;
    3982. 

  3982.                     while(*eptr != '\0' && (eptr - bbptr) < sdbuflen)
    3983. 

  3983.                         eptr++;
    3984. 

  3984. 

  3985.                     struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    3986. 

  3986.                     sd_val->bv_len = eptr - bptr;
    3987. 

  3987.                     sd_val->bv_val = (char*)bptr;
    3988. 

  3988.                     sd_values[segind] = sd_val;
    3989. 

  3989. 

  3990.                     bptr = eptr + 1;
    3991. 

  3991.                 }
    3992. 

  3992.                 sd_values[segind] = NULL;
    3993. 

  3993. 

  3994.                 sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    3995. 

  3995.             }
    3996. 

  3996.             sd_attr.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    3997. 

  3997.             sd_attr.mod_vals.modv_bvals = sd_values;
    3998. 

  3998. 

  3999.             attrs[0] = &sd_attr;
    4000. 

  4000.         }
    4001. 

  4001.         else
    4002. 

  4002.         {
    4003. 

  4003.             if(m_ldapconfig->getServerType() == OPEN_LDAP)
    4004. 

  4004.                 throw MakeStringException(-1, "removing all permissions for openldap is currently not supported");
    4005. 

  4005. 

  4006.             sd_attr.mod_op = LDAP_MOD_DELETE;
    4007. 

  4007.             sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    4008. 

  4008.             sd_attr.mod_vals.modv_strvals = empty_values;
    4009. 

  4009.             attrs[0] = &sd_attr;
    4010. 

  4010.         }
    4011. 

  4011. 

  4012.         attrs[1] = NULL;
    4013. 

  4013. 

  4014.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4015. 

  4015.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4016. 

  4016.         int rc = ldap_modify_ext_s(ld, (char*)normdnbuf.str(), attrs, NULL, NULL);
    4017. 

  4017.         if ( rc != LDAP_SUCCESS )
    4018. 

  4018.         {
    4019. 

  4019.             throw MakeStringException(-1, "ldap_modify_ext_s error: %d %s", rc, ldap_err2string( rc ));
    4020. 

  4020.         }
    4021. 

  4021. 

  4022.         return true;
    4023. 

  4023.     }
    4024. 

  4024. 

  4025.     virtual void getGroups(const char *user, StringArray& groups)
    4026. 

  4026.     {
    4027. 

  4027.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4028. 

  4028.         {
    4029. 

  4029.             char        *attribute;
    4030. 

  4030.             LDAPMessage *message;
    4031. 

  4031. 

  4032.             if(user == NULL || strlen(user) == 0)
    4033. 

  4033.             {
    4034. 

  4034.                 DBGLOG("CLdapClient::getGroups username must be provided");
    4035. 

  4035.                 return;
    4036. 

  4036.             }
    4037. 

  4037.             StringBuffer filter("sAMAccountName=");
    4038. 

  4038.             filter.append(user);
    4039. 

  4039. 

  4040.             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    4041. 

  4041. 

  4042.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    4043. 

  4043.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4044. 

  4044. 

  4045.             char        *attrs[] = {"memberOf", NULL};
    4046. 

  4046.             CLDAPMessage searchResult;
    4047. 

  4047.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    4048. 

  4048. 

  4049.             if ( rc != LDAP_SUCCESS )
    4050. 

  4050.             {
    4051. 

  4051.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    4052. 

  4052.                 return;
    4053. 

  4053.             }
    4054. 

  4054.             
    4055. 

  4055.             unsigned entries = ldap_count_entries(ld, searchResult);
    4056. 

  4056.             if(entries == 0)
    4057. 

  4057.             {
    4058. 

  4058.                 searchResult.ldapMsgFree();
    4059. 

  4059.                 rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    4060. 

  4060. 

  4061.                 if ( rc != LDAP_SUCCESS )
    4062. 

  4062.                 {
    4063. 

  4063.                     DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getSysUserBasedn());
    4064. 

  4064.                     return;
    4065. 

  4065.                 }
    4066. 

  4066.             }
    4067. 

  4067. 

  4068.             // Go through the search results by checking message types
    4069. 

  4069.             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    4070. 

  4070.             {
    4071. 

  4071.                 CLDAPGetAttributesWrapper   atts(ld, searchResult);
    4072. 

  4072.                 for ( attribute = atts.getFirst();
    4073. 

  4073.                       attribute != NULL;
    4074. 

  4074.                       attribute = atts.getNext())
    4075. 

  4075.                 {
    4076. 

  4076.                     if(0 == stricmp(attribute, "memberOf"))
    4077. 

  4077.                     {
    4078. 

  4078.                         CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    4079. 

  4079.                         if (vals.hasValues())
    4080. 

  4080.                         {
    4081. 

  4081.                             for (int i = 0; vals.queryBValues()[ i ] != NULL; i++ )
    4082. 

  4082.                             {
    4083. 

  4083.                                 const char* val = vals.queryCharValue(i);
    4084. 

  4084.                                 char* comma = strchr((char*)val, ',');
    4085. 

  4085.                                 StringBuffer groupname;
    4086. 

  4086.                                 groupname.append(comma - val -3, val+3);
    4087. 

  4087.                                 groups.append(groupname.str());
    4088. 

  4088.                             }
    4089. 

  4089.                         }
    4090. 

  4090.                     }
    4091. 

  4091.                 }
    4092. 

  4092.             }
    4093. 

  4093.         }
    4094. 

  4094.         else
    4095. 

  4095.         {
    4096. 

  4096.             StringArray allgroups;
    4097. 

  4097.             StringArray allgroupManagedBy;
    4098. 

  4098.             StringArray allgroupDescription;
    4099. 

  4099.             getAllGroups(allgroups, allgroupManagedBy, allgroupDescription);
    4100. 

  4100.             for(unsigned i = 0; i < allgroups.length(); i++)
    4101. 

  4101.             {
    4102. 

  4102.                 const char* grp = allgroups.item(i);
    4103. 

  4103.                 StringBuffer grpdn, usrdn;
    4104. 

  4104.                 getUserDN(user, usrdn);
    4105. 

  4105.                 getGroupDN(grp, grpdn);
    4106. 

  4106.                 if(userInGroup(usrdn.str(), grpdn.str()))
    4107. 

  4107.                 {
    4108. 

  4108.                     groups.append(grp);
    4109. 

  4109.                 }
    4110. 

  4110.             }
    4111. 

  4111.         }       
    4112. 

  4112.     }
    4113. 

  4113. 

  4114.     virtual void changeUserGroup(const char* action, const char* username, const char* groupname, const char * groupDN=nullptr)
    4115. 

  4115.     {
    4116. 

  4116.         StringBuffer userdn, groupdn;
    4117. 

  4117.         getUserDN(username, userdn);
    4118. 

  4118.         getGroupDN(groupname, groupdn, groupDN);
    4119. 

  4119.         // Not needed for Active Directory
    4120. 

  4120.         // changeUserMemberOf(action, userdn.str(), groupdn.str());
    4121. 

  4121.         changeGroupMember(action, groupdn.str(), userdn.str());
    4122. 

  4122.     }
    4123. 

  4123. 

  4124.     virtual bool deleteUser(ISecUser* user)
    4125. 

  4125.     {
    4126. 

  4126.         if(user == NULL)
    4127. 

  4127.         {
    4128. 

  4128.             DBGLOG("CLdapClient::deleteUser ISecUser must be provided");
    4129. 

  4129.             return false;
    4130. 

  4130.         }
    4131. 

  4131.         const char* username = user->getName();
    4132. 

  4132.         if(username == NULL || *username == '\0')
    4133. 

  4133.         {
    4134. 

  4134.             DBGLOG("CLdapClient::deleteUser username must be provided");
    4135. 

  4135.             return false;
    4136. 

  4136.         }
    4137. 

  4137. 

  4138.         StringBuffer userdn;
    4139. 

  4139.         getUserDN(username, userdn);
    4140. 

  4140.         
    4141. 

  4141.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4142. 

  4142.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4143. 

  4143.         
    4144. 

  4144.         int rc = ldap_delete_ext_s(ld, (char*)userdn.str(), NULL, NULL);
    4145. 

  4145. 

  4146.         if ( rc != LDAP_SUCCESS )
    4147. 

  4147.         {
    4148. 

  4148.             throw MakeStringException(-1, "error deleting user %s: %s", username, ldap_err2string(rc));
    4149. 

  4149.         }
    4150. 

  4150. 

  4151.         StringArray grps;
    4152. 

  4152.         getGroups(username, grps);
    4153. 

  4153.         ForEachItemIn(x, grps)
    4154. 

  4154.         {
    4155. 

  4155.             const char* grp = grps.item(x);
    4156. 

  4156.             if(!grp || !*grp)
    4157. 

  4157.                 continue;
    4158. 

  4158.             changeUserGroup("delete", username, grp);
    4159. 

  4159.         }
    4160. 

  4160. 

  4161.         //Remove tempfile scope for this user
    4162. 

  4162.         StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
    4163. 

  4163.         resName.append("::").append(username);
    4164. 

  4164.         deleteResource(RT_FILE_SCOPE, resName.str(), m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
    4165. 

  4165.         
    4166. 

  4166.         return true;
    4167. 

  4167.     }
    4168. 

  4168. 

  4169.     virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc)
    4170. 

  4170.     {
    4171. 

  4171.         if(groupname == NULL || *groupname == '\0')
    4172. 

  4172.             throw MakeStringException(-1, "Can't add group, groupname is empty");
    4173. 

  4173. 

  4174.         addGroup(groupname, groupOwner, groupDesc, m_ldapconfig->getGroupBasedn());
    4175. 

  4175.     }
    4176. 

  4176. 

  4177.     virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc, const char* basedn)
    4178. 

  4178.     {
    4179. 

  4179.         if(groupname == NULL || *groupname == '\0')
    4180. 

  4180.         {
    4181. 

  4181.             DBGLOG("CLdapClient::addGroup groupname must be provided");
    4182. 

  4182.             return;
    4183. 

  4183.         }
    4184. 

  4184. 

  4185.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4186. 

  4186.         {
    4187. 

  4187.             if(stricmp(groupname, "Administrators") == 0)
    4188. 

  4188.                 throw MakeStringException(-1, "Can't add group %s, it's reserved by the system.", groupname);
    4189. 

  4189.         }
    4190. 

  4190.         else
    4191. 

  4191.         {
    4192. 

  4192.             if(stricmp(groupname, "Directory Administrators") == 0)
    4193. 

  4193.                 throw MakeStringException(-1, "Can't add group %s, it's reserved by the system.", groupname);
    4194. 

  4194.         }
    4195. 

  4195. 

  4196.         StringBuffer dn;
    4197. 

  4197.         dn.append("cn=").append(groupname).append(",").append(basedn);
    4198. 

  4198. 

  4199.         char* oc_name;
    4200. 

  4200.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4201. 

  4201.         {
    4202. 

  4202.             oc_name = "group";
    4203. 

  4203.         }
    4204. 

  4204.         else
    4205. 

  4205.         {
    4206. 

  4206.             oc_name = "groupofuniquenames";
    4207. 

  4207.         }
    4208. 

  4208. 

  4209.         char *cn_values[] = {(char*)groupname, NULL };
    4210. 

  4210.         LDAPMod cn_attr = 
    4211. 

  4211.         {
    4212. 

  4212.             LDAP_MOD_ADD,
    4213. 

  4213.             "cn",
    4214. 

  4214.             cn_values
    4215. 

  4215.         };
    4216. 

  4216. 

  4217.         char *oc_values[] = {oc_name, NULL };
    4218. 

  4218.         LDAPMod oc_attr =
    4219. 

  4219.         {
    4220. 

  4220.             LDAP_MOD_ADD,
    4221. 

  4221.             "objectClass",
    4222. 

  4222.             oc_values
    4223. 

  4223.         };
    4224. 

  4224. 

  4225.         char *member_values[] = {"", NULL};
    4226. 

  4226.         LDAPMod member_attr = 
    4227. 

  4227.         {
    4228. 

  4228.             LDAP_MOD_ADD,
    4229. 

  4229.             "uniqueMember",
    4230. 

  4230.             member_values
    4231. 

  4231.         };
    4232. 

  4232. 

  4233.         char *owner_values[] = {(char*)groupOwner, NULL};
    4234. 

  4234.         LDAPMod owner_attr =
    4235. 

  4235.         {
    4236. 

  4236.             LDAP_MOD_ADD,
    4237. 

  4237.             "managedBy",
    4238. 

  4238.             owner_values
    4239. 

  4239.         };
    4240. 

  4240.         char *desc_values[] = {(char*)groupDesc, NULL};
    4241. 

  4241.         LDAPMod desc_attr =
    4242. 

  4242.         {
    4243. 

  4243.             LDAP_MOD_ADD,
    4244. 

  4244.             "description",
    4245. 

  4245.             desc_values
    4246. 

  4246.         };
    4247. 

  4247.         LDAPMod *attrs[6];
    4248. 

  4248.         int ind = 0;
    4249. 

  4249.         
    4250. 

  4250.         attrs[ind++] = &cn_attr;
    4251. 

  4251.         attrs[ind++] = &oc_attr;
    4252. 

  4252.         if (groupOwner && *groupOwner)
    4253. 

  4253.             attrs[ind++] = &owner_attr;
    4254. 

  4254.         if (groupDesc && *groupDesc)
    4255. 

  4255.             attrs[ind++] = &desc_attr;
    4256. 

  4256.         attrs[ind] = NULL;
    4257. 

  4257. 

  4258.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4259. 

  4259.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4260. 

  4260.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    4261. 

  4261.         if ( rc == LDAP_INVALID_SYNTAX  && m_ldapconfig->getServerType() == OPEN_LDAP)//Fedora389 does not 'seem' to need this, openLDAP does
    4262. 

  4262.         {
    4263. 

  4263.             attrs[ind++] = &member_attr;
    4264. 

  4264.             attrs[ind] = NULL;
    4265. 

  4265.             rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    4266. 

  4266.         }
    4267. 

  4267.         if ( rc != LDAP_SUCCESS)
    4268. 

  4268.         {
    4269. 

  4269.             if(rc == LDAP_ALREADY_EXISTS)
    4270. 

  4270.             {
    4271. 

  4271.                 throw MakeStringException(-1, "can't add group %s, an LDAP object with this name already exists", groupname);
    4272. 

  4272.             }
    4273. 

  4273.             else
    4274. 

  4274.             {
    4275. 

  4275.                 DBGLOG("error addGroup %s, ldap_add_ext_s error: %s", groupname, ldap_err2string( rc ));
    4276. 

  4276.                 throw MakeStringException(-1, "error addGroup %s, ldap_add_ext_s error: %s", groupname, ldap_err2string( rc ));
    4277. 

  4277.             }
    4278. 

  4278.         }
    4279. 

  4279. 

  4280.     }
    4281. 

  4281. 

  4282.     virtual void deleteGroup(const char* groupname, const char * groupsDN=nullptr)
    4283. 

  4283.     {
    4284. 

  4284.         if(groupname == NULL || *groupname == '\0')
    4285. 

  4285.             throw MakeStringException(-1, "group name can't be empty");
    4286. 

  4286. 

  4287.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4288. 

  4288.         {
    4289. 

  4289.             if(stricmp(groupname, "Administrators") == 0 || stricmp(groupname, "Authenticated Users") == 0)
    4290. 

  4290.                 throw MakeStringException(-1, "you can't delete Authenticated Users or Administrators group");
    4291. 

  4291.         }
    4292. 

  4292.         else
    4293. 

  4293.         {
    4294. 

  4294.             if(stricmp(groupname, "Directory Administrators") == 0)
    4295. 

  4295.                 throw MakeStringException(-1, "you can't delete Directory Administrators group");
    4296. 

  4296.         }
    4297. 

  4297. 

  4298.         StringBuffer dn;
    4299. 

  4299.         getGroupDN(groupname, dn, groupsDN);
    4300. 

  4300.         
    4301. 

  4301.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4302. 

  4302.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4303. 

  4303.         
    4304. 

  4304.         int rc = ldap_delete_ext_s(ld, (char*)dn.str(), NULL, NULL);
    4305. 

  4305. 

  4306.         if ( rc != LDAP_SUCCESS )
    4307. 

  4307.         {
    4308. 

  4308.             throw MakeStringException(-1, "error deleting group %s: %s", groupname, ldap_err2string(rc));
    4309. 

  4309.         }
    4310. 

  4310.     }
    4311. 

  4311. 

  4312.     virtual void getGroupMembers(const char* groupname, StringArray & users, const char * groupsDN=nullptr)
    4313. 

  4313.     {
    4314. 

  4314.         char        *attribute;
    4315. 

  4315.         LDAPMessage *message;
    4316. 

  4316. 

  4317.         if(groupname == NULL || strlen(groupname) == 0)
    4318. 

  4318.             throw MakeStringException(-1, "group name can't be empty");
    4319. 

  4319. 

  4320.         StringBuffer grpdn;
    4321. 

  4321.         getGroupDN(groupname, grpdn, groupsDN);
    4322. 

  4322.         StringBuffer filter;
    4323. 

  4323.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4324. 

  4324.         {
    4325. 

  4325.             filter.append("distinguishedName=").append(grpdn.str());
    4326. 

  4326.         }
    4327. 

  4327.         else if(m_ldapconfig->getServerType() == IPLANET)
    4328. 

  4328.         {
    4329. 

  4329.             filter.append("entrydn=").append(grpdn.str());
    4330. 

  4330.         }
    4331. 

  4331.         else if(m_ldapconfig->getServerType() == OPEN_LDAP)
    4332. 

  4332.         {
    4333. 

  4333.             filter.append("cn=").append(groupname);
    4334. 

  4334.         }
    4335. 

  4335. 

  4336.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    4337. 

  4337. 

  4338.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4339. 

  4339.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4340. 

  4340. 

  4341.         const char* memfieldname;
    4342. 

  4342. 

  4343.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4344. 

  4344.         {
    4345. 

  4345.             memfieldname = "member";
    4346. 

  4346.         }
    4347. 

  4347.         else
    4348. 

  4348.         {
    4349. 

  4349.             memfieldname = "uniquemember";
    4350. 

  4350.         }
    4351. 

  4351. 

  4352.         char        *attrs[] = {(char*)memfieldname, NULL};
    4353. 

  4353.         StringBuffer groupbasedn;
    4354. 

  4354.         getGroupBaseDN(groupname, groupbasedn, groupsDN);
    4355. 

  4355. 

  4356.         CPagedLDAPSearch pagedSrch(ld, m_ldapconfig->getLdapTimeout(), (char*)groupbasedn.str(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs);
    4357. 

  4357.         for (message = pagedSrch.getFirstEntry(); message; message = pagedSrch.getNextEntry())
    4358. 

  4358.         {
    4359. 

  4359.             // Go through the search results by checking message types
    4360. 

  4360.             CLDAPGetAttributesWrapper   atts(ld, message);
    4361. 

  4361.             for ( attribute = atts.getFirst();
    4362. 

  4362.                   attribute != NULL;
    4363. 

  4363.                   attribute = atts.getNext())
    4364. 

  4364.             {
    4365. 

  4365.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    4366. 

  4366.                 if (vals.hasValues())
    4367. 

  4367.                 {
    4368. 

  4368.                     for (int i = 0; vals.queryBValues()[ i ] != NULL; i++ )
    4369. 

  4369.                     {
    4370. 

  4370.                         const char* val = vals.queryCharValue(i);
    4371. 

  4371.                         StringBuffer uid;
    4372. 

  4372.                         getUidFromDN(ld, val, uid);
    4373. 

  4373.                         if(uid.length() > 0)
    4374. 

  4374.                             users.append(uid.str());
    4375. 

  4375.                     }
    4376. 

  4376.                 }
    4377. 

  4377.             }
    4378. 

  4378.         }
    4379. 

  4379. 

  4380.     }
    4381. 

  4381. 

  4382.     virtual IPropertyTreeIterator* getGroupMemberIterator(const char* groupName)
    4383. 

  4383.     {
    4384. 

  4384.         StringArray users;
    4385. 

  4385.         getGroupMembers(groupName, users);
    4386. 

  4386. 

  4387.         Owned<IPropertyTree> usersTree = createPTree("Users");
    4388. 

  4388.         ForEachItemIn(i, users)
    4389. 

  4389.         {
    4390. 

  4390.             const char* usrName = users.item(i);
    4391. 

  4391.             if (!usrName || !*usrName)
    4392. 

  4392.                 continue;
    4393. 

  4393. 

  4394.             IUserArray usersInBaseDN;
    4395. 

  4395.             retrieveUsers(usrName, usersInBaseDN);
    4396. 

  4396.             ForEachItemIn(x, usersInBaseDN)
    4397. 

  4397.             {
    4398. 

  4398.                 ISecUser& usr = usersInBaseDN.item(x);
    4399. 

  4399.                 const char* usrName0 = usr.getName();
    4400. 

  4400.                 if(usrName0 && strieq(usrName, usrName0))
    4401. 

  4401.                 {
    4402. 

  4402.                     //BUG#41536: The users in the Administrators group are all the users on the whole
    4403. 

  4403.                     //active directory, while the users in the users list are only the users who are
    4404. 

  4404.                     //under the "usersBasedn" of this environment. So, we should only return the users
    4405. 

  4405.                     //who are in the usersBasedn.
    4406. 

  4406.                     addUserTree(usr, usersTree);
    4407. 

  4407.                     break;
    4408. 

  4408.                 }
    4409. 

  4409.             }
    4410. 

  4410.         }
    4411. 

  4411.         return usersTree->getElements("*");
    4412. 

  4412.     }
    4413. 

  4413. 

  4414.     ISecItemIterator* getGroupMembersSorted(const char* groupName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize,
    4415. 

  4415.         unsigned* total, __int64* cacheHint)
    4416. 

  4416.     {
    4417. 

  4417.         class CElementsPager : public CSimpleInterface, implements IElementsPager
    4418. 

  4418.         {
    4419. 

  4419.             ILdapClient* ldapClient;
    4420. 

  4420.             StringAttr sortOrder, groupName;
    4421. 

  4421. 

  4422.         public:
    4423. 

  4423.             IMPLEMENT_IINTERFACE_USING(CSimpleInterface);
    4424. 

  4424. 

  4425.             CElementsPager(ILdapClient* _ldapClient, const char*_groupName, const char*_sortOrder)
    4426. 

  4426.                 : ldapClient(_ldapClient), groupName(_groupName), sortOrder(_sortOrder) { };
    4427. 

  4427.             virtual IRemoteConnection* getElements(IArrayOf<IPropertyTree>& elements)
    4428. 

  4428.             {
    4429. 

  4429.                 StringArray unknownAttributes;
    4430. 

  4430.                 Owned<IPropertyTreeIterator> iter = ldapClient->getGroupMemberIterator(groupName.str());
    4431. 

  4431.                 sortElements(iter, sortOrder.get(), NULL, NULL, unknownAttributes, elements);
    4432. 

  4432.                 return NULL;
    4433. 

  4433.             }
    4434. 

  4434.             virtual bool allMatchingElementsReceived() { return true; }//For now, ldap always returns all of matched users.
    4435. 

  4435.         };
    4436. 

  4436. 

  4437.         StringBuffer so;
    4438. 

  4438.         if (sortOrder)
    4439. 

  4439.         {
    4440. 

  4440.             for (unsigned i=0;sortOrder[i]!=UFterm;i++)
    4441. 

  4441.             {
    4442. 

  4442.                 if (so.length())
    4443. 

  4443.                     so.append(',');
    4444. 

  4444.                 int fmt = sortOrder[i];
    4445. 

  4445.                 if (fmt&UFreverse)
    4446. 

  4446.                     so.append('-');
    4447. 

  4447.                 if (fmt&UFnocase)
    4448. 

  4448.                     so.append('?');
    4449. 

  4449.                 if (fmt&UFnumeric)
    4450. 

  4450.                     so.append('#');
    4451. 

  4451.                 so.append(getUserFieldNames((UserField) (fmt&0xff)));
    4452. 

  4452.             }
    4453. 

  4453.         }
    4454. 

  4454.         IArrayOf<IPropertyTree> results;
    4455. 

  4455.         Owned<IElementsPager> elementsPager = new CElementsPager(this, groupName, so.length()?so.str():NULL);
    4456. 

  4456.         Owned<IRemoteConnection> conn=getElementsPaged(elementsPager, pageStartFrom, pageSize, NULL, "", cacheHint, results, total, NULL, false);
    4457. 

  4457.         return new CSecItemIterator(results);
    4458. 

  4458.     }
    4459. 

  4459. 

  4460.     virtual void deleteResource(SecResourceType rtype, const char* name, const char* basedn)
    4461. 

  4461.     {
    4462. 

  4462.         if(basedn == NULL || *basedn == '\0')
    4463. 

  4463.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    4464. 

  4464. 

  4465.         StringBuffer dn;
    4466. 

  4466.         name2dn(rtype, name, basedn, dn);
    4467. 

  4467. 

  4468.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4469. 

  4469.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4470. 

  4470.         
    4471. 

  4471.         int rc = ldap_delete_ext_s(ld, (char*)dn.str(), NULL, NULL);
    4472. 

  4472. 

  4473.         if ( rc != LDAP_SUCCESS )
    4474. 

  4474.         {
    4475. 

  4475.             DBGLOG("error deleting %s: %s", dn.str(), ldap_err2string(rc));
    4476. 

  4476.             //throw MakeStringException(-1, "error deleting %s: %s", dn.str(), ldap_err2string(rc));
    4477. 

  4477.         }
    4478. 

  4478.         
    4479. 

  4479.     }
    4480. 

  4480. 

  4481.     virtual void renameResource(SecResourceType rtype, const char* oldname, const char* newname, const char* basedn)
    4482. 

  4482.     {
    4483. 

  4483.         if(oldname == NULL || *oldname == '\0' || newname == NULL || *newname == '\0')
    4484. 

  4484.             throw MakeStringException(-1, "please specfiy old and new names");
    4485. 

  4485. 

  4486.         if(basedn == NULL || *basedn == '\0')
    4487. 

  4487.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    4488. 

  4488. 

  4489.         StringBuffer olddn, newrdn;
    4490. 

  4490.         name2dn(rtype, oldname, basedn, olddn);
    4491. 

  4491.         name2rdn(rtype, newname, newrdn);
    4492. 

  4492.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4493. 

  4493.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4494. 

  4494. 

  4495.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    4496. 

  4496.         {
    4497. 

  4497.             char* uncname_values[] = {(char*)newname, NULL};
    4498. 

  4498.             LDAPMod uncname_attr =
    4499. 

  4499.             {
    4500. 

  4500.                 LDAP_MOD_REPLACE,
    4501. 

  4501.                 "uNCName",
    4502. 

  4502.                 uncname_values
    4503. 

  4503.             };
    4504. 

  4504. 

  4505.             LDAPMod *attrs[2];
    4506. 

  4506.             attrs[0] = &uncname_attr;
    4507. 

  4507.             attrs[1] = NULL;
    4508. 

  4508. 

  4509.             int rc = ldap_modify_ext_s(ld, (char*)olddn.str(), attrs, NULL, NULL);
    4510. 

  4510. 

  4511.             if (rc != LDAP_SUCCESS )
    4512. 

  4512.             {
    4513. 

  4513.                 DBGLOG("Error changing unc %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    4514. 

  4514.                 //throw MakeStringException(-1, "Error changing unc %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    4515. 

  4515.             }
    4516. 

  4516.         }
    4517. 

  4517. 

  4518. #ifdef _WIN32
    4519. 

  4519.         int rc = ldap_rename_ext_s(ld, (char*)olddn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    4520. 

  4520. #else
    4521. 

  4521.         int rc = ldap_rename_s(ld, (char*)olddn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    4522. 

  4522. #endif
    4523. 

  4523.         if (rc != LDAP_SUCCESS )
    4524. 

  4524.         {
    4525. 

  4525.             DBGLOG("Error renaming %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    4526. 

  4526.             //throw MakeStringException(-1, "Error renaming %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    4527. 

  4527.         }
    4528. 

  4528.     }
    4529. 

  4529. 

  4530.     virtual void copyResource(SecResourceType rtype, const char* oldname, const char* newname, const char* basedn)
    4531. 

  4531.     {
    4532. 

  4532.         if(oldname == NULL || *oldname == '\0' || newname == NULL || *newname == '\0')
    4533. 

  4533.             throw MakeStringException(-1, "please specfiy old and new names");
    4534. 

  4534. 

  4535.         if(basedn == NULL || *basedn == '\0')
    4536. 

  4536.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    4537. 

  4537. 

  4538.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(oldname);
    4539. 

  4539.         IArrayOf<CSecurityDescriptor> sdlist;
    4540. 

  4540.         sdlist.append(*LINK(sd));
    4541. 

  4541.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    4542. 

  4542.             getSecurityDescriptorsScope(sdlist, basedn);
    4543. 

  4543.         else
    4544. 

  4544.             getSecurityDescriptors(sdlist, basedn);
    4545. 

  4545. 

  4546.         if(sd->getDescriptor().length() == 0)
    4547. 

  4547.             throw MakeStringException(-1, "error copying %s to %s, %s doesn't exist", oldname, newname, oldname);
    4548. 

  4548.         
    4549. 

  4549.         ISecUser* user = NULL;
    4550. 

  4550.         CLdapSecResource resource(newname);
    4551. 

  4551.         addResource(rtype, *user, &resource, PT_DEFAULT, basedn, sd.get(), false);
    4552. 

  4552.     }
    4553. 

  4553. 

  4554.     void normalizeDn(const char* dn, StringBuffer& ndn)
    4555. 

  4555.     {
    4556. 

  4556.         LdapUtils::normalizeDn(dn, m_ldapconfig->getBasedn(), ndn);
    4557. 

  4557.     }
    4558. 

  4558. 

  4559.     virtual bool isSuperUser(ISecUser* user)
    4560. 

  4560.     {
    4561. 

  4561.         if(user == NULL || user->getName() == NULL)
    4562. 

  4562.         {
    4563. 

  4563.             DBGLOG("CLdapClient::isSuperUser Populated ISecUser must be provided");
    4564. 

  4564.             return false;
    4565. 

  4565.         }
    4566. 

  4566. 

  4567.         const char* username = user->getName();
    4568. 

  4568.         const char* sysuser = m_ldapconfig->getSysUser();
    4569. 

  4569.         if(sysuser != NULL && stricmp(sysuser, username) == 0)
    4570. 

  4570.             return true;
    4571. 

  4571.         StringBuffer userdn, admingrpdn;
    4572. 

  4572.         getUserDN(username, userdn);
    4573. 

  4573.         getAdminGroupDN(admingrpdn);
    4574. 

  4574.         return userInGroup(userdn.str(), admingrpdn.str());
    4575. 

  4575.     }
    4576. 

  4576. 

  4577.     virtual ILdapConfig* queryConfig()
    4578. 

  4578.     {
    4579. 

  4579.         return m_ldapconfig.get();
    4580. 

  4580.     }
    4581. 

  4581. 

  4582.     virtual int countUsers(const char* searchstr, int limit)
    4583. 

  4583.     {
    4584. 

  4584.         StringBuffer filter;
    4585. 

  4585.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4586. 

  4586.             filter.append("objectClass=User");
    4587. 

  4587.         else
    4588. 

  4588.             filter.append("objectClass=inetorgperson");
    4589. 

  4589. 

  4590.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    4591. 

  4591.         {
    4592. 

  4592.             filter.insert(0, "(&(");
    4593. 

  4593.             filter.appendf(")(|(%s=*%s*)(%s=*%s*)(%s=*%s*)))", (m_ldapconfig->getServerType()==ACTIVE_DIRECTORY)?"sAMAcccountName":"uid", searchstr, "givenName", searchstr, "sn", searchstr);
    4594. 

  4594.         }
    4595. 

  4595. 

  4596.         return countEntries(m_ldapconfig->getUserBasedn(), filter.str(), limit);
    4597. 

  4597.     }
    4598. 

  4598. 

  4599.     virtual int countResources(const char* basedn, const char* searchstr, int limit)
    4600. 

  4600.     {
    4601. 

  4601.         StringBuffer filter;
    4602. 

  4602.         filter.append("objectClass=*");
    4603. 

  4603. 

  4604.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    4605. 

  4605.         {
    4606. 

  4606.             filter.insert(0, "(&(");
    4607. 

  4607.             filter.appendf(")(|(%s=*%s*)))", "uNCName", searchstr);
    4608. 

  4608.         }
    4609. 

  4609. 

  4610.         return countEntries(basedn, filter.str(), limit);
    4611. 

  4611.     }
    4612. 

  4612. 

  4613.     virtual int countEntries(const char* basedn, const char* filter, int limit)
    4614. 

  4614.     {
    4615. 

  4615.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    4616. 

  4616. 

  4617.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4618. 

  4618.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4619. 

  4619. 

  4620.         char *attrs[] = { LDAP_NO_ATTRS, NULL };
    4621. 

  4621.         CPagedLDAPSearch pagedSrch(ld, m_ldapconfig->getLdapTimeout(), (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter, attrs);
    4622. 

  4622.         int entries = pagedSrch.countEntries();
    4623. 

  4623.         return entries;
    4624. 

  4624.     }
    4625. 

  4625. 

  4626.     virtual const char* getPasswordStorageScheme()
    4627. 

  4627.     {
    4628. 

  4628.         if(m_pwscheme.length() == 0)
    4629. 

  4629.         {
    4630. 

  4630.             if(m_ldapconfig->getServerType() == IPLANET)
    4631. 

  4631.             {
    4632. 

  4632.                 Owned<ILdapConnection> lconn = m_connections->getConnection();
    4633. 

  4633.                 LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4634. 

  4634.                 
    4635. 

  4635.                 char* pw_attrs[] = {"nsslapd-rootpwstoragescheme", NULL};
    4636. 

  4636.                 CLDAPMessage msg;
    4637. 

  4637.                 TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    4638. 

  4638.                 int err = ldap_search_ext_s(ld, "cn=config", LDAP_SCOPE_BASE, "objectClass=*", pw_attrs, false, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &msg.msg);
    4639. 

  4639.                 if(err != LDAP_SUCCESS)
    4640. 

  4640.                 {
    4641. 

  4641.                     DBGLOG("ldap_search_ext_s error: %s", ldap_err2string( err ));
    4642. 

  4642.                     return NULL;
    4643. 

  4643.                 }
    4644. 

  4644.                 LDAPMessage* entry = LdapFirstEntry(ld, msg);
    4645. 

  4645.                 if(entry != NULL)
    4646. 

  4646.                 {
    4647. 

  4647.                     CLDAPGetValuesLenWrapper vals(ld, entry, "nsslapd-rootpwstoragescheme");
    4648. 

  4648.                     if (vals.hasValues())
    4649. 

  4649.                         m_pwscheme.append(vals.queryCharValue(0));
    4650. 

  4650.                 }
    4651. 

  4651.                 ldap_msgfree(msg);
    4652. 

  4652.             }
    4653. 

  4653.         }
    4654. 

  4654.         
    4655. 

  4655.         if(m_pwscheme.length() == 0)
    4656. 

  4656.             return NULL;
    4657. 

  4657.         else
    4658. 

  4658.             return m_pwscheme.str();
    4659. 

  4659.     }
    4660. 

  4660. 

  4661. private:
    4662. 

  4662. 

  4663.     virtual void addDC(const char* dc)
    4664. 

  4664.     {
    4665. 

  4665.         if(dc == NULL || *dc == '\0')
    4666. 

  4666.         {
    4667. 

  4667.             DBGLOG("CLdapClient::addDC dc must be provided");
    4668. 

  4668.             return;
    4669. 

  4669.         }
    4670. 

  4670. 

  4671.         StringBuffer dcname;
    4672. 

  4672.         LdapUtils::getName(dc, dcname);
    4673. 

  4673. 

  4674.         char *dc_values[] = {(char*)dcname.str(), NULL };
    4675. 

  4675.         LDAPMod dc_attr = 
    4676. 

  4676.         {
    4677. 

  4677.             LDAP_MOD_ADD,
    4678. 

  4678.             "dc",
    4679. 

  4679.             dc_values
    4680. 

  4680.         };
    4681. 

  4681. 

  4682.         char *o_values[] = {(char*)dcname.str(), NULL };
    4683. 

  4683.         LDAPMod o_attr = 
    4684. 

  4684.         {
    4685. 

  4685.             LDAP_MOD_ADD,
    4686. 

  4686.             "o",
    4687. 

  4687.             o_values
    4688. 

  4688.         };
    4689. 

  4689. 

  4690.         char *oc_values[] = {"organization", "dcObject", NULL };
    4691. 

  4691.         LDAPMod oc_attr =
    4692. 

  4692.         {
    4693. 

  4693.             LDAP_MOD_ADD,
    4694. 

  4694.             "objectClass",
    4695. 

  4695.             oc_values
    4696. 

  4696.         };
    4697. 

  4697.         
    4698. 

  4698.         LDAPMod *attrs[4];
    4699. 

  4699.         attrs[0] = &oc_attr;
    4700. 

  4700.         attrs[1] = &o_attr;
    4701. 

  4701.         attrs[2] = &dc_attr;
    4702. 

  4702.         attrs[3] = NULL;
    4703. 

  4703. 

  4704.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4705. 

  4705.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4706. 

  4706.         int rc = ldap_add_ext_s(ld, (char*)dc, attrs, NULL, NULL);
    4707. 

  4707.         if ( rc != LDAP_SUCCESS )
    4708. 

  4708.         {
    4709. 

  4709.             if(rc == LDAP_ALREADY_EXISTS)
    4710. 

  4710.             {
    4711. 

  4711.                 throw MakeStringException(-1, "can't add dc %s, an LDAP object with this name already exists", dc);
    4712. 

  4712.             }
    4713. 

  4713.             else
    4714. 

  4714.             {
    4715. 

  4715.                 DBGLOG("error addDC %s, ldap_add_ext_s error: 0x%0x %s", dc, rc, ldap_err2string( rc ));
    4716. 

  4716.                 throw MakeStringException(-1, "error addDC %s, ldap_add_ext_s error: %s", dc, ldap_err2string( rc ));
    4717. 

  4717.             }
    4718. 

  4718.         }
    4719. 

  4719.     }
    4720. 

  4720. 

  4721.     virtual void getUserDN(const char* username, StringBuffer& userdn)
    4722. 

  4722.     {
    4723. 

  4723.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4724. 

  4724.         {
    4725. 

  4725.             StringBuffer filter;
    4726. 

  4726.             filter.append("sAMAccountName=");
    4727. 

  4727.             filter.append(username);
    4728. 

  4728. 

  4729.             char        *attribute;
    4730. 

  4730.             LDAPMessage *message;
    4731. 

  4731. 

  4732.             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    4733. 

  4733. 

  4734.             char *dn_fieldname;
    4735. 

  4735.             dn_fieldname = "distinguishedName";
    4736. 

  4736. 

  4737.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    4738. 

  4738.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4739. 

  4739. 

  4740.             char        *attrs[] = {dn_fieldname, NULL};
    4741. 

  4741.             CLDAPMessage searchResult;
    4742. 

  4742.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    4743. 

  4743. 

  4744.             if ( rc != LDAP_SUCCESS )
    4745. 

  4745.             {
    4746. 

  4746.                 throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    4747. 

  4747.             }
    4748. 

  4748. 

  4749.             unsigned entries = ldap_count_entries(ld, searchResult);
    4750. 

  4750.             if(entries == 0)
    4751. 

  4751.             {
    4752. 

  4752.                 searchResult.ldapMsgFree();
    4753. 

  4753.                 int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    4754. 

  4754. 

  4755.                 if ( rc != LDAP_SUCCESS )
    4756. 

  4756.                 {
    4757. 

  4757.                     throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getSysUserBasedn());
    4758. 

  4758.                 }
    4759. 

  4759.             }
    4760. 

  4760. 

  4761.             message = LdapFirstEntry( ld, searchResult);
    4762. 

  4762.             if(message != NULL)
    4763. 

  4763.             {
    4764. 

  4764. 

  4765.                 CLDAPGetAttributesWrapper   atts(ld, searchResult);
    4766. 

  4766.                 attribute = atts.getFirst();
    4767. 

  4767.                 if(attribute != NULL)
    4768. 

  4768.                 {
    4769. 

  4769.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    4770. 

  4770.                     if (vals.hasValues())
    4771. 

  4771.                         userdn.append(vals.queryCharValue(0));
    4772. 

  4772.                 }
    4773. 

  4773.             }
    4774. 

  4774.             if(userdn.length() == 0)
    4775. 

  4775.                 throw MakeStringException(-1, "user %s can't be found", username);
    4776. 

  4776.         }
    4777. 

  4777.         else
    4778. 

  4778.         {
    4779. 

  4779.             if(stricmp(username, "anyone") == 0)
    4780. 

  4780.                 userdn.append(username);
    4781. 

  4781.             else
    4782. 

  4782.                 userdn.append("uid=").append(username).append(",").append(m_ldapconfig->getUserBasedn());
    4783. 

  4783.         }
    4784. 

  4784. 

  4785.     }
    4786. 

  4786.     
    4787. 

  4787.     virtual void getUidFromDN(LDAP* ld, const char* dn, StringBuffer& uid)
    4788. 

  4788.     {
    4789. 

  4789.         if(dn == NULL || *dn == '\0')
    4790. 

  4790.         {
    4791. 

  4791.             DBGLOG("CLdapClient::getUidFromDN dn must be provided");
    4792. 

  4792.             return;
    4793. 

  4793.         }
    4794. 

  4794. 

  4795.         if(m_ldapconfig->getServerType() != ACTIVE_DIRECTORY)
    4796. 

  4796.         {
    4797. 

  4797.             if (strncmp(dn,"uid=",4))//Fedora389 returns "cn=Directory Administrators"
    4798. 

  4798.                 return;
    4799. 

  4799.             const char* comma = strchr(dn, ',');
    4800. 

  4800.             // DN is in the format of "uid=uuu,ou=ooo,dc=dd"
    4801. 

  4801.             uid.append(comma - dn - 4, dn + 4);
    4802. 

  4802.             return;
    4803. 

  4803.         }
    4804. 

  4804. 

  4805.         StringBuffer filter;
    4806. 

  4806.         filter.append("distinguishedName=").append(dn);
    4807. 

  4807. 

  4808.         filter.replaceString("\\", "\\5c");//Replace special characters with valid UTF-8 string (see valueencoding rule in RFC 4515)
    4809. 

  4809.         filter.replaceString("*", "\\2a");
    4810. 

  4810.         filter.replaceString("(", "\\28");
    4811. 

  4811.         filter.replaceString(")", "\\29");
    4812. 

  4812. 

  4813.         char        *attribute;
    4814. 

  4814.         LDAPMessage *message;
    4815. 

  4815. 

  4816.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    4817. 

  4817. 

  4818.         char *uid_fieldname = "sAMAccountName";
    4819. 

  4819.         char        *attrs[] = {uid_fieldname, NULL};
    4820. 

  4820.         CLDAPMessage searchResult;
    4821. 

  4821.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    4822. 

  4822. 

  4823.         if ( rc != LDAP_SUCCESS )
    4824. 

  4824.         {
    4825. 

  4825.             throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    4826. 

  4826.         }
    4827. 

  4827. 

  4828.         message = LdapFirstEntry( ld, searchResult);
    4829. 

  4829.         if(message != NULL)
    4830. 

  4830.         {
    4831. 

  4831.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    4832. 

  4832.             attribute = atts.getFirst();
    4833. 

  4833.             if(attribute != NULL)
    4834. 

  4834.             {
    4835. 

  4835.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    4836. 

  4836.                 if (vals.hasValues())
    4837. 

  4837.                     uid.append(vals.queryCharValue(0));
    4838. 

  4838.             }
    4839. 

  4839.         }
    4840. 

  4840.     }
    4841. 

  4841. 

  4842.     virtual void getGroupDN(const char* groupname, StringBuffer& groupdn, const char * groupBaseDN=nullptr)
    4843. 

  4843.     {
    4844. 

  4844.         if(groupname == NULL)
    4845. 

  4845.         {
    4846. 

  4846.             DBGLOG("CLdapClient::getGroupDN groupname must be provided");
    4847. 

  4847.             return;
    4848. 

  4848.         }
    4849. 

  4849.         LdapServerType stype = m_ldapconfig->getServerType();
    4850. 

  4850.         groupdn.append("cn=").append(groupname).append(",");
    4851. 

  4851.         if(stype == ACTIVE_DIRECTORY && stricmp(groupname, "Administrators") == 0)
    4852. 

  4852.         {
    4853. 

  4853.             groupdn.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    4854. 

  4854.         }
    4855. 

  4855.         else if((stype == IPLANET || stype == OPEN_LDAP) && stricmp(groupname, "Directory Administrators") == 0)
    4856. 

  4856.         {
    4857. 

  4857.             groupdn.append(m_ldapconfig->getBasedn());
    4858. 

  4858.         }
    4859. 

  4859.         else
    4860. 

  4860.         {
    4861. 

  4861.             groupdn.append(groupBaseDN == nullptr ? m_ldapconfig->getGroupBasedn() : groupBaseDN);
    4862. 

  4862.         }
    4863. 

  4863.     }
    4864. 

  4864. 

  4865.     virtual void getGroupBaseDN(const char* groupname, StringBuffer& groupbasedn, const char * groupBaseDN=nullptr)
    4866. 

  4866.     {
    4867. 

  4867.         if(groupname == NULL)
    4868. 

  4868.         {
    4869. 

  4869.             DBGLOG("CLdapClient::getGroupBaseDN groupname must be provided");
    4870. 

  4870.             return;
    4871. 

  4871.         }
    4872. 

  4872.         LdapServerType stype = m_ldapconfig->getServerType();
    4873. 

  4873.         if(stype == ACTIVE_DIRECTORY && stricmp(groupname, "Administrators") == 0)
    4874. 

  4874.         {
    4875. 

  4875.             groupbasedn.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    4876. 

  4876.         }
    4877. 

  4877.         else if((stype == IPLANET || stype == OPEN_LDAP) && stricmp(groupname, "Directory Administrators") == 0)
    4878. 

  4878.         {
    4879. 

  4879.             groupbasedn.append(m_ldapconfig->getBasedn());
    4880. 

  4880.         }
    4881. 

  4881.         else
    4882. 

  4882.         {
    4883. 

  4883.             groupbasedn.append(groupBaseDN==nullptr ? m_ldapconfig->getGroupBasedn() : groupBaseDN);
    4884. 

  4884.         }
    4885. 

  4885.     }
    4886. 

  4886. 

  4887.     virtual void getAdminGroupDN(StringBuffer& groupdn)
    4888. 

  4888.     {
    4889. 

  4889.         LdapServerType stype = m_ldapconfig->getServerType();
    4890. 

  4890.         if(stype == ACTIVE_DIRECTORY)
    4891. 

  4891.         {
    4892. 

  4892.             groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
    4893. 

  4893.         }
    4894. 

  4894.         else if(stype == IPLANET)
    4895. 

  4895.         {
    4896. 

  4896.             groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
    4897. 

  4897.         }
    4898. 

  4898.         else if(stype == OPEN_LDAP)
    4899. 

  4899.         {
    4900. 

  4900.             groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
    4901. 

  4901.         }
    4902. 

  4902.     }
    4903. 

  4903. 

  4904.     virtual void changeUserMemberOf(const char* action, const char* userdn, const char* groupdn)
    4905. 

  4905.     {
    4906. 

  4906.         char *grp_values[] = {(char*)groupdn, NULL};
    4907. 

  4907.         LDAPMod grp_attr = {
    4908. 

  4908.             (action != NULL && stricmp(action, "delete") == 0)?LDAP_MOD_DELETE:LDAP_MOD_ADD,
    4909. 

  4909.             "memberOf",
    4910. 

  4910.             grp_values
    4911. 

  4911.         };
    4912. 

  4912. 

  4913.         LDAPMod *grp_attrs[2];
    4914. 

  4914.         grp_attrs[0] = &grp_attr;
    4915. 

  4915.         grp_attrs[1] = NULL;
    4916. 

  4916. 

  4917.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4918. 

  4918.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4919. 

  4919. 

  4920.         int rc = ldap_modify_ext_s(ld, (char*)userdn, grp_attrs, NULL, NULL);
    4921. 

  4921.         if ( rc != LDAP_SUCCESS )
    4922. 

  4922.         {
    4923. 

  4923.             throw MakeStringException(-1, "error changing group for user %s, ldap_modify_ext_s error: %s", userdn, ldap_err2string( rc ));
    4924. 

  4924.         }
    4925. 

  4925.     }
    4926. 

  4926. 

  4927.     virtual void changeGroupMember(const char* action, const char* groupdn, const char* userdn)
    4928. 

  4928.     {
    4929. 

  4929.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4930. 

  4930.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4931. 

  4931. 

  4932.         const char* memberfieldname;
    4933. 

  4933.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4934. 

  4934.         {
    4935. 

  4935.             memberfieldname = "member";
    4936. 

  4936.         }
    4937. 

  4937.         else
    4938. 

  4938.         {
    4939. 

  4939.             memberfieldname = "uniquemember";
    4940. 

  4940.         }
    4941. 

  4941. 

  4942.         char *member_values[] = {(char*)userdn, NULL};
    4943. 

  4943.         LDAPMod member_attr = {
    4944. 

  4944.             (action != NULL && stricmp(action, "delete") == 0)?LDAP_MOD_DELETE:LDAP_MOD_ADD,
    4945. 

  4945.             (char*)memberfieldname,
    4946. 

  4946.             member_values
    4947. 

  4947.         };
    4948. 

  4948. 

  4949.         LDAPMod *member_attrs[2];
    4950. 

  4950.         member_attrs[0] = &member_attr;
    4951. 

  4951.         member_attrs[1] = NULL;
    4952. 

  4952. 

  4953.         int rc = ldap_modify_ext_s(ld, (char*)groupdn, member_attrs, NULL, NULL);
    4954. 

  4954.         if ( rc != LDAP_SUCCESS )
    4955. 

  4955.         {
    4956. 

  4956.             if (action != NULL && stricmp(action, "delete") == 0)
    4957. 

  4957.                 throw MakeStringException(-1, "Failed in deleting member from group: ldap_modify_ext_s error: %s; userdn: %s; groupdn: %s", ldap_err2string( rc ), userdn, groupdn);
    4958. 

  4958.             else
    4959. 

  4959.                 throw MakeStringException(-1, "Failed in adding member to group, ldap_modify_ext_s error: %s; userdn: %s; groupdn: %s", ldap_err2string( rc ), userdn, groupdn);
    4960. 

  4960.         }
    4961. 

  4961.     }
    4962. 

  4962. 

  4963.     void ConvertCToW(unsigned short* pszDest, const char * pszSrc)
    4964. 

  4964.     {
    4965. 

  4965.         unsigned i = 0;
    4966. 

  4966.         for(i = 0; i < strlen(pszSrc); i++)
    4967. 

  4967.             pszDest[i] = (unsigned short) pszSrc[i];
    4968. 

  4968.         pszDest[i] = (unsigned short)'\0';
    4969. 

  4969.     }
    4970. 

  4970. 

  4971. 

  4972.     virtual bool authorizeScope(ISecUser& user, IArrayOf<ISecResource>& resources, const char* basedn)
    4973. 

  4973.     {
    4974. 

  4974.         IArrayOf<CSecurityDescriptor> sdlist;
    4975. 

  4975.         std::set<const char*, ltstr> scopeset;
    4976. 

  4976.         ForEachItemIn(x, resources)
    4977. 

  4977.         {
    4978. 

  4978.             ISecResource& res = resources.item(x);
    4979. 

  4979.             const char* resourcename = res.getName();
    4980. 

  4980.             if(resourcename == NULL || *resourcename == '\0')
    4981. 

  4981.                 continue;
    4982. 

  4982. 

  4983.             // Add one extra Volume type SecurityDescriptor for each resource for ActiveDirectory.
    4984. 

  4984.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4985. 

  4985.             {
    4986. 

  4986.                 CSecurityDescriptor* sd = new CSecurityDescriptor(resourcename);
    4987. 

  4987.                 sd->setObjectClass("Volume");
    4988. 

  4988.                 sdlist.append(*sd);
    4989. 

  4989.             }
    4990. 

  4990. 

  4991.             scopeset.insert(resourcename);
    4992. 

  4992.             int len = strlen(resourcename);
    4993. 

  4993.             const char* curptr = resourcename + len - 1;
    4994. 

  4994.             while(curptr > resourcename)
    4995. 

  4995.             {
    4996. 

  4996.                 while(curptr > resourcename && *curptr != ':')
    4997. 

  4997.                     curptr--;
    4998. 

  4998.                 bool foundcolon=false;
    4999. 

  4999.                 while(curptr >resourcename && *curptr == ':')
    5000. 

  5000.                 {
    5001. 

  5001.                     curptr--;
    5002. 

  5002.                     foundcolon = true;
    5003. 

  5003.                 }
    5004. 

  5004.                 if(curptr > resourcename || foundcolon)
    5005. 

  5005.                 {
    5006. 

  5006.                     int curlen = curptr - resourcename + 1;
    5007. 

  5007.                     char* curscope = (char*)alloca(curlen + 1);
    5008. 

  5008.                     strncpy(curscope, resourcename, curlen);
    5009. 

  5009.                     curscope[curlen] = 0;
    5010. 

  5010.                     scopeset.insert(curscope);
    5011. 

  5011.                 }
    5012. 

  5012.             }
    5013. 

  5013.         }
    5014. 

  5014. 

  5015.         if(scopeset.size() == 0)
    5016. 

  5016.             return true;
    5017. 

  5017. 

  5018.         std::set<const char*, ltstr>::iterator iter;
    5019. 

  5019.         for(iter = scopeset.begin(); iter != scopeset.end(); iter++)
    5020. 

  5020.         {
    5021. 

  5021.             const char* curscope = *iter;
    5022. 

  5022.             CSecurityDescriptor* sd = new CSecurityDescriptor(*iter);
    5023. 

  5023.             sd->setObjectClass("organizationalUnit");
    5024. 

  5024.             sdlist.append(*sd);
    5025. 

  5025.         }
    5026. 

  5026. 

  5027.         getSecurityDescriptorsScope(sdlist, basedn);
    5028. 

  5028. 

  5029.         IArrayOf<CSecurityDescriptor> matched_sdlist;
    5030. 

  5030.         ForEachItemIn(y, resources)
    5031. 

  5031.         {
    5032. 

  5032.             ISecResource& res = resources.item(y);
    5033. 

  5033.             const char* rname = res.getName();
    5034. 

  5034.             if(rname == NULL || *rname == '\0')
    5035. 

  5035.                 throw MakeStringException(-1, "resource name can't be empty inside authorizeScope");
    5036. 

  5036. 

  5037.             CSecurityDescriptor* matchedsd = NULL;
    5038. 

  5038.             ForEachItemIn(z, sdlist)
    5039. 

  5039.             {
    5040. 

  5040.                 CSecurityDescriptor& sd = sdlist.item(z);
    5041. 

  5041.                 const char* sdname = sd.getName();
    5042. 

  5042.                 if(sdname ==  NULL || *sdname == '\0')
    5043. 

  5043.                     continue;
    5044. 

  5044.                 if(strncmp(sdname, rname, strlen(sdname)) == 0 
    5045. 

  5045.                     && (matchedsd == NULL 
    5046. 

  5046.                         || ((matchedsd->getDescriptor().length() == 0 && sd.getDescriptor().length() > 0) 
    5047. 

  5047.                         || (sd.getDescriptor().length() > 0 && strlen(sdname) > strlen(matchedsd->getName())))))
    5048. 

  5048.                     matchedsd = &sd;
    5049. 

  5049.             }
    5050. 

  5050.             if(matchedsd != NULL)
    5051. 

  5051.                 matched_sdlist.append(*LINK(matchedsd));
    5052. 

  5052.             else
    5053. 

  5053.                 matched_sdlist.append(*(new CSecurityDescriptor(rname)));
    5054. 

  5054.         }
    5055. 

  5055. 

  5056.         bool ok = false;
    5057. 

  5057.         if(m_pp != NULL)
    5058. 

  5058.             ok = m_pp->getPermissions(user, matched_sdlist, resources);
    5059. 

  5059.         return ok;
    5060. 

  5060.     }
    5061. 

  5061. 

  5062.     virtual void getSecurityDescriptors(SecResourceType rtype, IArrayOf<CSecurityDescriptor>& sdlist)
    5063. 

  5063.     {
    5064. 

  5064.         int len = sdlist.length();
    5065. 

  5065.         if(len == 0)
    5066. 

  5066.         {
    5067. 

  5067.             DBGLOG("CLdapClient::getSecurityDescriptors sdlist cannot be empty");
    5068. 

  5068.             return;
    5069. 

  5069.         }
    5070. 

  5070. 

  5071.         const char* rbasedn = m_ldapconfig->getResourceBasedn(rtype);
    5072. 

  5072.         if(rbasedn == NULL || *rbasedn == '\0')
    5073. 

  5073.         {
    5074. 

  5074.             DBGLOG("corresponding resource basedn is not defined");
    5075. 

  5075.             return;
    5076. 

  5076.         }
    5077. 

  5077.             
    5078. 

  5078.         std::map<std::string, IArrayOf<CSecurityDescriptor>*> sdmap;
    5079. 

  5079. 

  5080.         for(int i = 0; i < len; i++)
    5081. 

  5081.         {
    5082. 

  5082.             CSecurityDescriptor& sd = sdlist.item(i);
    5083. 

  5083.             const char* relativeBasedn = sd.getRelativeBasedn();
    5084. 

  5084.             StringBuffer basedn;
    5085. 

  5085.             if(relativeBasedn != NULL)
    5086. 

  5086.                 basedn.append(relativeBasedn).append(",");
    5087. 

  5087.             basedn.append(rbasedn);
    5088. 

  5088. 

  5089.             std::map<std::string, IArrayOf<CSecurityDescriptor>*>::iterator sdit = sdmap.find(basedn.str());
    5090. 

  5090.             if(sdit == sdmap.end())
    5091. 

  5091.             {
    5092. 

  5092.                 IArrayOf<CSecurityDescriptor>* newlist = new IArrayOf<CSecurityDescriptor>;
    5093. 

  5093.                 newlist->append(*LINK(&sd));
    5094. 

  5094.                 sdmap[basedn.str()] = newlist;
    5095. 

  5095.             }
    5096. 

  5096.             else
    5097. 

  5097.             {
    5098. 

  5098.                 (*sdit).second->append(*LINK(&sd));
    5099. 

  5099.             }
    5100. 

  5100.         }
    5101. 

  5101. 

  5102.         for(std::map<std::string, IArrayOf<CSecurityDescriptor>*>::iterator cur = sdmap.begin(); cur != sdmap.end(); cur++)
    5103. 

  5103.         {
    5104. 

  5104.             getSecurityDescriptors(*((*cur).second), (*cur).first.c_str());
    5105. 

  5105.             delete (*cur).second;
    5106. 

  5106.         }
    5107. 

  5107. 

  5108.     }
    5109. 

  5109. 

  5110.     virtual void getSecurityDescriptors(IArrayOf<CSecurityDescriptor>& sdlist, const char* basedn)
    5111. 

  5111.     {
    5112. 

  5112.         char        *attribute;
    5113. 

  5113.         CLDAPGetValuesLenWrapper valsLen;
    5114. 

  5114.         LDAPMessage *message;
    5115. 

  5115.         int i;
    5116. 

  5116.         
    5117. 

  5117.         const char *id_fieldname;
    5118. 

  5118.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5119. 

  5119.         {
    5120. 

  5120.             id_fieldname = "name";
    5121. 

  5121.         }
    5122. 

  5122.         else
    5123. 

  5123.         {
    5124. 

  5124.             id_fieldname = "ou";
    5125. 

  5125.         }
    5126. 

  5126.         const char *des_fieldname = m_ldapconfig->getSdFieldName();
    5127. 

  5127. 

  5128.         int len = sdlist.length();
    5129. 

  5129.         if(len == 0)
    5130. 

  5130.         {
    5131. 

  5131.             DBGLOG("CLdapClient::getSecurityDescriptors2 sdlist cannot be empty");
    5132. 

  5132.             return;
    5133. 

  5133.         }
    5134. 

  5134. 

  5135.         StringBuffer filter;
    5136. 

  5136.         filter.append("(|");
    5137. 

  5137.         for(i = 0; i < len; i++)
    5138. 

  5138.         {
    5139. 

  5139.             CSecurityDescriptor& sd = sdlist.item(i);
    5140. 

  5140.             StringBuffer namebuf;
    5141. 

  5141.             namebuf.append(sd.getName());
    5142. 

  5142.             namebuf.trim();
    5143. 

  5143.             if(namebuf.length() > 0)
    5144. 

  5144.             {
    5145. 

  5145.                 filter.append("(").append(id_fieldname).append("=").append(namebuf.str()).append(")");;
    5146. 

  5146.             }
    5147. 

  5147.         }
    5148. 

  5148.         filter.append(")");
    5149. 

  5149. 

  5150.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    5151. 

  5151.         
    5152. 

  5152.         char* attrs[] = {(char*)id_fieldname, (char*)des_fieldname, NULL};
    5153. 

  5153.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    5154. 

  5154.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    5155. 

  5155.         CLDAPMessage searchResult;
    5156. 

  5156.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );     /* returned results */
    5157. 

  5157.         
    5158. 

  5158.         if ( rc != LDAP_SUCCESS )
    5159. 

  5159.         {
    5160. 

  5160.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    5161. 

  5161.             return;
    5162. 

  5162.         }
    5163. 

  5163. 

  5164.         // Go through the search results by checking message types
    5165. 

  5165.         for(message = LdapFirstEntry(ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    5166. 

  5166.         {
    5167. 

  5167.             StringBuffer resourcename;
    5168. 

  5168.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    5169. 

  5169.             for ( attribute = atts.getFirst();
    5170. 

  5170.                   attribute != NULL;
    5171. 

  5171.                   attribute = atts.getNext())
    5172. 

  5172.             {
    5173. 

  5173.                 if(stricmp(attribute, id_fieldname) == 0)
    5174. 

  5174.                 {
    5175. 

  5175.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    5176. 

  5176.                     if (vals.hasValues())
    5177. 

  5177.                         resourcename.append(vals.queryCharValue(0));
    5178. 

  5178.                 }
    5179. 

  5179.                 else if(stricmp(attribute, des_fieldname) == 0) 
    5180. 

  5180.                 {
    5181. 

  5181.                     valsLen.retrieveBValues(ld, message, attribute);
    5182. 

  5182.                 }
    5183. 

  5183.             }
    5184. 

  5184.             for(i = 0; i < len; i++)
    5185. 

  5185.             {
    5186. 

  5186.                 CSecurityDescriptor& sd = sdlist.item(i);
    5187. 

  5187.                 if(resourcename.length() > 0 && stricmp(resourcename.str(), sd.getName()) == 0)
    5188. 

  5188.                 {
    5189. 

  5189.                     if (valsLen.hasValues())
    5190. 

  5190.                     {
    5191. 

  5191.                         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5192. 

  5192.                         {
    5193. 

  5193.                             struct berval* val = valsLen.queryBValues()[0];
    5194. 

  5194.                             if(val != NULL)
    5195. 

  5195.                             {
    5196. 

  5196.                                 CSecurityDescriptor& sd = sdlist.item(i);
    5197. 

  5197.                                 sd.setDescriptor(val->bv_len, val->bv_val);
    5198. 

  5198.                             }
    5199. 

  5199.                         }
    5200. 

  5200.                         else
    5201. 

  5201.                         {
    5202. 

  5202.                             MemoryBuffer allvals;
    5203. 

  5203.                             int valseq = 0;
    5204. 

  5204.                             struct berval* val = valsLen.queryBValues()[valseq++];
    5205. 

  5205.                             while(val != NULL)
    5206. 

  5206.                             {
    5207. 

  5207.                                 if(val->bv_len > 0)
    5208. 

  5208.                                 {
    5209. 

  5209.                                     allvals.append(val->bv_len, val->bv_val);
    5210. 

  5210.                                     allvals.append('\0'); // my separator between ACIs
    5211. 

  5211.                                 }
    5212. 

  5212.                                 val = valsLen.queryBValues()[valseq++];
    5213. 

  5213.                             }
    5214. 

  5214.                             if(allvals.length() > 0)
    5215. 

  5215.                             {
    5216. 

  5216.                                 CSecurityDescriptor& sd = sdlist.item(i);
    5217. 

  5217.                                 sd.setDescriptor(allvals.length(), (void*)allvals.toByteArray());
    5218. 

  5218.                             }
    5219. 

  5219.                         }
    5220. 

  5220.                     }
    5221. 

  5221.                     break;
    5222. 

  5222.                 }
    5223. 

  5223.             }
    5224. 

  5224.         }
    5225. 

  5225.     }
    5226. 

  5226. 

  5227.     virtual void getSecurityDescriptorsScope(IArrayOf<CSecurityDescriptor>& sdlist, const char* basedn)
    5228. 

  5228.     {
    5229. 

  5229.         char        *attribute;
    5230. 

  5230.         CLDAPGetValuesLenWrapper valsLen;
    5231. 

  5231.         LDAPMessage *message;
    5232. 

  5232.         int i;
    5233. 

  5233. 

  5234.         int len = sdlist.length();
    5235. 

  5235.         if(len == 0)
    5236. 

  5236.         {
    5237. 

  5237.             DBGLOG("CLdapClient::getSecurityDescriptorsScope sdlist cannot be empty");
    5238. 

  5238.             return;
    5239. 

  5239.         }
    5240. 

  5240. 

  5241.         LdapServerType servertype = m_ldapconfig->getServerType();
    5242. 

  5242. 

  5243.         char *sd_fieldname = (char*)m_ldapconfig->getSdFieldName();
    5244. 

  5244. 

  5245.         StringBuffer filter;
    5246. 

  5246.         filter.append("(|");
    5247. 

  5247.         for(i = 0; i < len; i++)
    5248. 

  5248.         {
    5249. 

  5249.             CSecurityDescriptor& sd = sdlist.item(i);
    5250. 

  5250.             StringBuffer namebuf;
    5251. 

  5251.             namebuf.append(sd.getName());
    5252. 

  5252.             namebuf.trim();
    5253. 

  5253.             if(namebuf.length() > 0)
    5254. 

  5254.             {
    5255. 

  5255.                 const char* resourcename = namebuf.str();
    5256. 

  5256.                 int len = namebuf.length();
    5257. 

  5257.                 const char* curptr = resourcename + len - 1;
    5258. 

  5258.                 StringBuffer dn, cn;
    5259. 

  5259.                 bool isleaf = true;
    5260. 

  5260.                 while(curptr > resourcename)
    5261. 

  5261.                 {
    5262. 

  5262.                     const char* lastptr = curptr;
    5263. 

  5263.                     while(curptr > resourcename && *curptr != ':')
    5264. 

  5264.                         curptr--;
    5265. 

  5265.                     int curlen;
    5266. 

  5266.                     const char* curscope;
    5267. 

  5267.                     if(*curptr == ':')
    5268. 

  5268.                     {
    5269. 

  5269.                         curlen = lastptr - curptr;
    5270. 

  5270.                         curscope = curptr + 1;
    5271. 

  5271.                     }
    5272. 

  5272.                     else
    5273. 

  5273.                     {
    5274. 

  5274.                         curlen = lastptr - curptr + 1;
    5275. 

  5275.                         curscope = curptr;
    5276. 

  5276.                     }
    5277. 

  5277.                     if(isleaf && (sd.getObjectClass() != NULL) && (stricmp(sd.getObjectClass(), "Volume") == 0))
    5278. 

  5278.                     {
    5279. 

  5279.                         cn.append(curlen, curscope);
    5280. 

  5280.                         dn.append("cn=").append(curlen, curscope).append(",");
    5281. 

  5281.                     }
    5282. 

  5282.                     else
    5283. 

  5283.                     {
    5284. 

  5284.                         cn.append(curlen, curscope);
    5285. 

  5285.                         dn.append("ou=").append(curlen, curscope).append(",");
    5286. 

  5286.                     }
    5287. 

  5287.                     
    5288. 

  5288.                     isleaf = false;
    5289. 

  5289. 

  5290.                     if (curptr == resourcename) //handle a single char as the top scope, such as x::abc
    5291. 

  5291.                         break;
    5292. 

  5292. 

  5293.                     while(curptr >resourcename && *curptr == ':')
    5294. 

  5294.                         curptr--;
    5295. 

  5295. 

  5296.                     if (curptr == resourcename && *curptr != ':') //handle a single char as the top scope, such as x::abc
    5297. 

  5297.                     {
    5298. 

  5298.                         dn.append("ou=").append(1, curptr).append(",");
    5299. 

  5299.                     }
    5300. 

  5300.                 }
    5301. 

  5301.                 dn.append(basedn);
    5302. 

  5302. 

  5303.                 if(servertype == ACTIVE_DIRECTORY)
    5304. 

  5304.                 {
    5305. 

  5305.                     filter.append("(distinguishedName=").append(dn.str()).append(")");
    5306. 

  5306.                 }
    5307. 

  5307.                 else if(servertype == IPLANET)
    5308. 

  5308.                 {
    5309. 

  5309.                     filter.append("(entrydn=").append(dn.str()).append(")");
    5310. 

  5310.                 }
    5311. 

  5311.                 else if(servertype == OPEN_LDAP)
    5312. 

  5312.                 {
    5313. 

  5313.                     filter.append("(ou=").append(cn.str()).append(")");
    5314. 

  5314.                 }
    5315. 

  5315.                 sd.setDn(dn.str());
    5316. 

  5316.             }
    5317. 

  5317.         }
    5318. 

  5318.         filter.append(")");
    5319. 

  5319. 

  5320.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    5321. 

  5321.         
    5322. 

  5322.         char* attrs[] = {sd_fieldname, NULL};
    5323. 

  5323.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    5324. 

  5324.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    5325. 

  5325.         CLDAPMessage searchResult;
    5326. 

  5326.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );     /* returned results */
    5327. 

  5327.         
    5328. 

  5328.         if ( rc != LDAP_SUCCESS )
    5329. 

  5329.         {
    5330. 

  5330.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    5331. 

  5331.             return;
    5332. 

  5332.         }
    5333. 

  5333. 

  5334.         // Go through the search results by checking message types
    5335. 

  5335.         for(message = LdapFirstEntry(ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    5336. 

  5336.         {
    5337. 

  5337.             StringBuffer dn;
    5338. 

  5338. 

  5339.             char *p = ldap_get_dn(ld, message);
    5340. 

  5340.             dn.append(p);
    5341. 

  5341.             ldap_memfree(p);
    5342. 

  5342. 

  5343.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    5344. 

  5344.             for ( attribute = atts.getFirst();
    5345. 

  5345.                   attribute != NULL;
    5346. 

  5346.                   attribute = atts.getNext())
    5347. 

  5347.             {
    5348. 

  5348.                 if(stricmp(attribute, sd_fieldname) == 0) 
    5349. 

  5349.                 {
    5350. 

  5350.                     valsLen.retrieveBValues(ld, message, attribute);
    5351. 

  5351.                 }
    5352. 

  5352.             }
    5353. 

  5353.             for(i = 0; i < len; i++)
    5354. 

  5354.             {
    5355. 

  5355.                 CSecurityDescriptor& sd = sdlist.item(i);
    5356. 

  5356.                 if(dn.length() > 0 && stricmp(dn.str(), sd.getDn()) == 0)
    5357. 

  5357.                 {
    5358. 

  5358.                     if (valsLen.hasValues())
    5359. 

  5359.                     {
    5360. 

  5360.                         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5361. 

  5361.                         {
    5362. 

  5362.                             struct berval* val = valsLen.queryBValues()[0];
    5363. 

  5363.                             if(val != NULL)
    5364. 

  5364.                             {
    5365. 

  5365.                                 CSecurityDescriptor& sd = sdlist.item(i);
    5366. 

  5366.                                 sd.setDescriptor(val->bv_len, val->bv_val);
    5367. 

  5367.                             }
    5368. 

  5368.                         }
    5369. 

  5369.                         else
    5370. 

  5370.                         {
    5371. 

  5371.                             MemoryBuffer allvals;
    5372. 

  5372.                             int valseq = 0;
    5373. 

  5373.                             struct berval* val = valsLen.queryBValues()[valseq++];
    5374. 

  5374.                             while(val != NULL)
    5375. 

  5375.                             {
    5376. 

  5376.                                 if(val->bv_len > 0)
    5377. 

  5377.                                 {
    5378. 

  5378.                                     allvals.append(val->bv_len, val->bv_val);
    5379. 

  5379.                                     allvals.append('\0'); // my separator between ACIs
    5380. 

  5380.                                 }
    5381. 

  5381.                                 val = valsLen.queryBValues()[valseq++];
    5382. 

  5382.                             }
    5383. 

  5383.                             if(allvals.length() > 0)
    5384. 

  5384.                             {
    5385. 

  5385.                                 CSecurityDescriptor& sd = sdlist.item(i);
    5386. 

  5386.                                 sd.setDescriptor(allvals.length(), (void*)allvals.toByteArray());
    5387. 

  5387.                             }
    5388. 

  5388.                         }
    5389. 

  5389. 

  5390.                     }
    5391. 

  5391.                     break;
    5392. 

  5392.                 }
    5393. 

  5393.             }
    5394. 

  5394.         }
    5395. 

  5395.     }
    5396. 

  5396. 

  5397.     virtual const bool organizationalUnitExists(const char * ou) const
    5398. 

  5398.     {
    5399. 

  5399.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    5400. 

  5400.         LDAP* sys_ld = ((CLdapConnection*)lconn.get())->getLd();
    5401. 

  5401.         char* attrs[] = {"ou", NULL};
    5402. 

  5402.         CLDAPMessage searchResult;
    5403. 

  5403.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    5404. 

  5404.         int rc = ldap_search_ext_s(sys_ld,const_cast <char*>(ou),LDAP_SCOPE_ONELEVEL,NULL,attrs,0,NULL,NULL,&timeOut,LDAP_NO_LIMIT,&searchResult.msg);
    5405. 

  5405.         return rc == LDAP_SUCCESS;
    5406. 

  5406.     }
    5407. 

  5407. 

  5408.     virtual void createLdapBasedn(ISecUser* user, const char* basedn, SecPermissionType ptype)
    5409. 

  5409.     {
    5410. 

  5410.         if(basedn == NULL || basedn[0] == '\0')
    5411. 

  5411.         {
    5412. 

  5412.             DBGLOG("CLdapClient::createLdapBasedn basedn must be provided");
    5413. 

  5413.             return;
    5414. 

  5414.         }
    5415. 

  5415. 

  5416.         const char* ptr = strstr(basedn, "ou=");
    5417. 

  5417.         if(ptr == NULL)
    5418. 

  5418.         {
    5419. 

  5419.             DBGLOG("CLdapClient::createLdapBasedn OU= missing from basedn");
    5420. 

  5420.             return;
    5421. 

  5421.         }
    5422. 

  5422.         ptr += 3;
    5423. 

  5423. 

  5424.         StringBuffer oubuf;
    5425. 

  5425.         const char* comma = strchr(ptr, ',');
    5426. 

  5426.         if(comma == NULL)
    5427. 

  5427.         {
    5428. 

  5428.             oubuf.append(ptr);
    5429. 

  5429.             ptr = NULL;
    5430. 

  5430.         }
    5431. 

  5431.         else
    5432. 

  5432.         {
    5433. 

  5433.             oubuf.append(comma - ptr, ptr);
    5434. 

  5434.             ptr = comma + 1;
    5435. 

  5435.         }
    5436. 

  5436. 

  5437.         if (ptr && strstr(ptr,"ou=") && !organizationalUnitExists(ptr))
    5438. 

  5438.             createLdapBasedn(user, ptr, ptype);
    5439. 

  5439. 

  5440.         addOrganizationalUnit(user, oubuf.str(), ptr, ptype);
    5441. 

  5441. 

  5442.     }
    5443. 

  5443. 

  5444.     virtual bool addOrganizationalUnit(ISecUser* user, const char* name, const char* basedn, SecPermissionType ptype)
    5445. 

  5445.     {
    5446. 

  5446.         if(name == NULL || basedn == NULL)
    5447. 

  5447.         {
    5448. 

  5448.             DBGLOG("CLdapClient::addOrganizationalUnit OU name must be provided");
    5449. 

  5449.             return false;
    5450. 

  5450.         }
    5451. 

  5451. 

  5452.         if(strchr(name, '/') != NULL || strchr(name, '=') != NULL)
    5453. 

  5453.         {
    5454. 

  5454.             DBGLOG("CLdapClient::addOrganizationalUnit Invalid characters in OU");
    5455. 

  5455.             return false;
    5456. 

  5456.         }
    5457. 

  5457. 

  5458.         StringBuffer dn;
    5459. 

  5459.         dn.append("ou=").append(name).append(",").append(basedn);
    5460. 

  5460. 

  5461.         if (organizationalUnitExists(dn.str()))
    5462. 

  5462.             return true;
    5463. 

  5463. 

  5464.         char *ou_values[] = {(char*)name, NULL };
    5465. 

  5465.         LDAPMod ou_attr = 
    5466. 

  5466.         {
    5467. 

  5467.             LDAP_MOD_ADD,
    5468. 

  5468.             "ou",
    5469. 

  5469.             ou_values
    5470. 

  5470.         };
    5471. 

  5471. 

  5472.         char *name_values[] = {(char*)name, NULL };
    5473. 

  5473.         LDAPMod name_attr = 
    5474. 

  5474.         {
    5475. 

  5475.             LDAP_MOD_ADD,
    5476. 

  5476.             "name",
    5477. 

  5477.             name_values
    5478. 

  5478.         };
    5479. 

  5479. 

  5480.         char *oc_values[] = {"OrganizationalUnit", NULL };
    5481. 

  5481.         LDAPMod oc_attr =
    5482. 

  5482.         {
    5483. 

  5483.             LDAP_MOD_ADD,
    5484. 

  5484.             "objectClass",
    5485. 

  5485.             oc_values
    5486. 

  5486.         };
    5487. 

  5487. 

  5488.         MemoryBuffer sdbuf;
    5489. 

  5489.         Owned<CSecurityDescriptor> default_sd = NULL;
    5490. 

  5490.         if(m_pp !=  NULL)
    5491. 

  5491.             default_sd.setown(m_pp->createDefaultSD(user, name, ptype));
    5492. 

  5492.         if(default_sd != NULL)
    5493. 

  5493.             sdbuf.append(default_sd->getDescriptor());
    5494. 

  5494. 

  5495.         LDAPMod *attrs[6];
    5496. 

  5496.         int ind = 0;
    5497. 

  5497.         attrs[ind++] = &ou_attr;
    5498. 

  5498.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5499. 

  5499.         {       
    5500. 

  5500.             attrs[ind++] = &name_attr;
    5501. 

  5501.         }
    5502. 

  5502.         attrs[ind++] = &oc_attr;
    5503. 

  5503. 

  5504.         LDAPMod sd_attr;
    5505. 

  5505.         struct berval sd_val;
    5506. 

  5506.         sd_val.bv_len = sdbuf.length();
    5507. 

  5507.         sd_val.bv_val = (char*)sdbuf.toByteArray();
    5508. 

  5508.         struct berval* sd_values[] = {&sd_val, NULL};
    5509. 

  5509.         sd_attr.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
    5510. 

  5510.         
    5511. 

  5511.         sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    5512. 

  5512. 

  5513.         sd_attr.mod_vals.modv_bvals = sd_values;
    5514. 

  5514. 

  5515.         if(sdbuf.length() > 0)
    5516. 

  5516.             attrs[ind++] = &sd_attr;
    5517. 

  5517. 

  5518.         attrs[ind] = NULL;
    5519. 

  5519. 

  5520.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    5521. 

  5521.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    5522. 

  5522.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    5523. 

  5523.         if ( rc != LDAP_SUCCESS )
    5524. 

  5524.         {
    5525. 

  5525.             if(rc == LDAP_ALREADY_EXISTS)
    5526. 

  5526.             {
    5527. 

  5527.                 WARNLOG("CLdapClient::addOrganizationalUnit LDAP object 'ou=%s,%s' already exists", name, basedn);
    5528. 

  5528.                 return false;
    5529. 

  5529.             }
    5530. 

  5530.             else
    5531. 

  5531.             {
    5532. 

  5532.                 throw MakeStringException(-1, "ldap_add_ext_s error for ou=%s,%s: %d %s", name, basedn, rc, ldap_err2string( rc ));
    5533. 

  5533.             }
    5534. 

  5534.         }
    5535. 

  5535. 

  5536.         return true;
    5537. 

  5537.     }
    5538. 

  5538. 

  5539.     virtual void name2dn(SecResourceType rtype, const char* resourcename, const char* basedn, StringBuffer& ldapname)
    5540. 

  5540.     {
    5541. 

  5541.         StringBuffer namebuf;
    5542. 

  5542. 

  5543.         const char* bptr = resourcename;
    5544. 

  5544.         const char* sep = strstr(resourcename, "::");
    5545. 

  5545.         while(sep != NULL)
    5546. 

  5546.         {
    5547. 

  5547.             if(sep > bptr)
    5548. 

  5548.             {
    5549. 

  5549.                 StringBuffer onebuf;
    5550. 

  5550.                 onebuf.append("ou=").append(sep-bptr, bptr).append(",");
    5551. 

  5551.                 namebuf.insert(0, onebuf.str());
    5552. 

  5552.             }
    5553. 

  5553. 

  5554.             bptr = sep + 2;
    5555. 

  5555.             sep = strstr(bptr, "::");
    5556. 

  5556.         }
    5557. 

  5557.         if(*bptr != '\0')
    5558. 

  5558.         {
    5559. 

  5559.             StringBuffer onebuf;
    5560. 

  5560.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    5561. 

  5561.                 onebuf.append("cn");
    5562. 

  5562.             else
    5563. 

  5563.                 onebuf.append("ou");
    5564. 

  5564.             onebuf.append("=").append(bptr).append(",");
    5565. 

  5565.             namebuf.insert(0, onebuf.str());
    5566. 

  5566.         }
    5567. 

  5567. 

  5568.         namebuf.append(basedn);
    5569. 

  5569.         LdapUtils::normalizeDn(namebuf.str(), m_ldapconfig->getBasedn(), ldapname);
    5570. 

  5570.     }
    5571. 

  5571. 

  5572.     virtual void name2rdn(SecResourceType rtype, const char* resourcename, StringBuffer& ldapname)
    5573. 

  5573.     {
    5574. 

  5574.         if(resourcename == NULL || *resourcename == '\0')
    5575. 

  5575.         {
    5576. 

  5576.             DBGLOG("CLdapClient::name2rdn resourcename must be provided");
    5577. 

  5577.             return;
    5578. 

  5578.         }
    5579. 

  5579. 

  5580.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    5581. 

  5581.             ldapname.append("cn=");
    5582. 

  5582.         else
    5583. 

  5583.             ldapname.append("ou=");
    5584. 

  5584.         
    5585. 

  5585.         const char* prevptr = resourcename;
    5586. 

  5586.         const char* nextptr = strstr(resourcename, "::");
    5587. 

  5587.         while(nextptr != NULL)
    5588. 

  5588.         {
    5589. 

  5589.             prevptr = nextptr + 2;
    5590. 

  5590.             nextptr = strstr(prevptr, "::");
    5591. 

  5591.         }
    5592. 

  5592.         if(*prevptr != '\0')
    5593. 

  5593.             ldapname.append(prevptr);
    5594. 

  5594.     }
    5595. 

  5595. 

  5596.     virtual bool addResource(SecResourceType rtype, ISecUser& user, ISecResource* resource, SecPermissionType ptype, const char* basedn)
    5597. 

  5597.     {
    5598. 

  5598.         Owned<CSecurityDescriptor> template_sd = NULL;
    5599. 

  5599.         const char* templatename = m_ldapconfig->getTemplateName();
    5600. 

  5600.         if(templatename != NULL && *templatename != '\0')
    5601. 

  5601.         {
    5602. 

  5602.             IArrayOf<CSecurityDescriptor> sdlist;
    5603. 

  5603.             template_sd.setown(new CSecurityDescriptor(templatename));
    5604. 

  5604.             sdlist.append(*LINK(template_sd));
    5605. 

  5605.             if(basedn && *basedn)
    5606. 

  5606.                 getSecurityDescriptors(sdlist, basedn);
    5607. 

  5607.             else
    5608. 

  5608.                 getSecurityDescriptors(rtype, sdlist);
    5609. 

  5609.         }
    5610. 

  5610. 

  5611.         Owned<CSecurityDescriptor> default_sd = NULL;
    5612. 

  5612.         if(template_sd != NULL && template_sd->getDescriptor().length() > 0)
    5613. 

  5613.         {
    5614. 

  5614.             MemoryBuffer template_sd_buf;
    5615. 

  5615.             template_sd_buf.append(template_sd->getDescriptor());
    5616. 

  5616.             if(m_pp != NULL)
    5617. 

  5617.                 default_sd.setown(m_pp->createDefaultSD(&user, resource, template_sd_buf));
    5618. 

  5618.         }
    5619. 

  5619.         else
    5620. 

  5620.         {
    5621. 

  5621.             if(m_pp !=  NULL)
    5622. 

  5622.                 default_sd.setown(m_pp->createDefaultSD(&user, resource, ptype));
    5623. 

  5623.         }
    5624. 

  5624. 

  5625.         return addResource(rtype, user, resource, ptype, basedn, default_sd.get());
    5626. 

  5626.     }
    5627. 

  5627. 

  5628.     virtual bool addResource(SecResourceType rtype, ISecUser& user, ISecResource* resource, SecPermissionType ptype, const char* basedn, CSecurityDescriptor* default_sd, bool lessException=true)
    5629. 

  5629.     {
    5630. 

  5630.         if(resource == NULL)
    5631. 

  5631.         {
    5632. 

  5632.             DBGLOG("CLdapClient::addResource can't add resource, ISecResource must be specified");
    5633. 

  5633.             return true;
    5634. 

  5634.         }
    5635. 

  5635. 

  5636.         char* resourcename = (char*)resource->getName();
    5637. 

  5637.         if(resourcename == NULL)
    5638. 

  5638.         {
    5639. 

  5639.             DBGLOG("CLdapClient::addResource can't add resource, empty resource name");
    5640. 

  5640.             return false;
    5641. 

  5641.         }
    5642. 

  5642. 

  5643.         const char* rbasedn;
    5644. 

  5644.         StringBuffer rbasednbuf;
    5645. 

  5645.         if(basedn == NULL)
    5646. 

  5646.             rbasedn = m_ldapconfig->getResourceBasedn(rtype);
    5647. 

  5647.         else
    5648. 

  5648.         {
    5649. 

  5649.             LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), rbasednbuf);
    5650. 

  5650.             rbasedn = rbasednbuf.str();
    5651. 

  5651.         }
    5652. 

  5652.         if(rbasedn == NULL || *rbasedn == '\0')
    5653. 

  5653.         {
    5654. 

  5654.             DBGLOG("CLdapClient::addResource Can't add resource '%s', corresponding resource basedn is not defined",resourcename);
    5655. 

  5655.             return false;
    5656. 

  5656.         }
    5657. 

  5657. 

  5658.         if(strchr(resourcename, '/') != NULL || strchr(resourcename, '=') != NULL)
    5659. 

  5659.         {
    5660. 

  5660.             DBGLOG("CLdapClient::addResource Can't add resource '%s', invalid characters specified",resourcename);
    5661. 

  5661.             return false;
    5662. 

  5662.         }
    5663. 

  5663. 

  5664.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    5665. 

  5665.         {
    5666. 

  5666.             StringBuffer extbuf;
    5667. 

  5667.             name2dn(rtype, resourcename, rbasedn, extbuf);
    5668. 

  5668.             createLdapBasedn(&user, extbuf.str(), ptype);
    5669. 

  5669.             return true;
    5670. 

  5670.         }
    5671. 

  5671. 

  5672.         LdapServerType servertype = m_ldapconfig->getServerType();
    5673. 

  5673. 

  5674.         char* description = (char*)((CLdapSecResource*)resource)->getDescription();
    5675. 

  5675. 

  5676.         StringBuffer dn;
    5677. 

  5677.         
    5678. 

  5678.         char *fieldname, *oc_name;
    5679. 

  5679.         if(servertype == ACTIVE_DIRECTORY)
    5680. 

  5680.         {
    5681. 

  5681.             fieldname = "cn";
    5682. 

  5682.             oc_name = "Volume";
    5683. 

  5683.         }
    5684. 

  5684.         else
    5685. 

  5685.         {
    5686. 

  5686.             fieldname = "ou";
    5687. 

  5687.             oc_name = "OrganizationalUnit";
    5688. 

  5688.         }
    5689. 

  5689. 

  5690.         dn.append(fieldname).append("=").append(resourcename).append(",");
    5691. 

  5691.         dn.append(rbasedn);
    5692. 

  5692. 

  5693.         char *cn_values[] = {resourcename, NULL };
    5694. 

  5694.         LDAPMod cn_attr = 
    5695. 

  5695.         {
    5696. 

  5696.             LDAP_MOD_ADD,
    5697. 

  5697.             fieldname,
    5698. 

  5698.             cn_values
    5699. 

  5699.         };
    5700. 

  5700.         char *oc_values[] = {oc_name, NULL };
    5701. 

  5701.         LDAPMod oc_attr =
    5702. 

  5702.         {
    5703. 

  5703.             LDAP_MOD_ADD,
    5704. 

  5704.             "objectClass",
    5705. 

  5705.             oc_values
    5706. 

  5706.         };
    5707. 

  5707.         char* uncname_values[] = {resourcename, NULL};
    5708. 

  5708.         LDAPMod uncname_attr =
    5709. 

  5709.         {
    5710. 

  5710.             LDAP_MOD_ADD,
    5711. 

  5711.             "uNCName",
    5712. 

  5712.             uncname_values
    5713. 

  5713.         };
    5714. 

  5714. 

  5715.         StringBuffer descriptionbuf;
    5716. 

  5716.         if(description  && *description)
    5717. 

  5717.             descriptionbuf.append(description);
    5718. 

  5718.         else
    5719. 

  5719.             descriptionbuf.appendf("Access to %s", resourcename);
    5720. 

  5720. 

  5721.         char* description_values[] = {(char*)descriptionbuf.str(), NULL};
    5722. 

  5722.         LDAPMod description_attr =
    5723. 

  5723.         {
    5724. 

  5724.             LDAP_MOD_ADD,
    5725. 

  5725.             "description",
    5726. 

  5726.             description_values
    5727. 

  5727.         };
    5728. 

  5728. 

  5729.         Owned<CSecurityDescriptor> template_sd = NULL;
    5730. 

  5730.         const char* templatename = m_ldapconfig->getTemplateName();
    5731. 

  5731.         if(templatename != NULL && *templatename != '\0')
    5732. 

  5732.         {
    5733. 

  5733.             IArrayOf<CSecurityDescriptor> sdlist;
    5734. 

  5734.             template_sd.setown(new CSecurityDescriptor(templatename));
    5735. 

  5735.             sdlist.append(*LINK(template_sd));
    5736. 

  5736.             getSecurityDescriptors(rtype, sdlist);
    5737. 

  5737.         }
    5738. 

  5738. 

  5739.         int numberOfSegs = 0;
    5740. 

  5740.         if(default_sd != NULL)
    5741. 

  5741.         {
    5742. 

  5742.             numberOfSegs = m_pp->sdSegments(default_sd);
    5743. 

  5743.         }
    5744. 

  5744. 

  5745.         LDAPMod **attrs = (LDAPMod**)(alloca((5+numberOfSegs)*sizeof(LDAPMod*)));
    5746. 

  5746. 

  5747.         int ind = 0;
    5748. 

  5748.         attrs[ind++] = &cn_attr;
    5749. 

  5749.         attrs[ind++] = &oc_attr;
    5750. 

  5750.         attrs[ind++] = &description_attr;
    5751. 

  5751. 

  5752.         if(servertype == ACTIVE_DIRECTORY)
    5753. 

  5753.         {
    5754. 

  5754.             attrs[ind++] = &uncname_attr;
    5755. 

  5755.         }
    5756. 

  5756. 

  5757.         LDAPMod sd_attr;
    5758. 

  5758. 

  5759.         if(default_sd != NULL)
    5760. 

  5760.         {
    5761. 

  5761.             struct berval** sd_values = (struct berval**)alloca(sizeof(struct berval*)*(numberOfSegs+1));
    5762. 

  5762.             MemoryBuffer& sdbuf = default_sd->getDescriptor();
    5763. 

  5763. 

  5764.             // Active Directory acutally has only one segment.
    5765. 

  5765.             if(servertype == ACTIVE_DIRECTORY)
    5766. 

  5766.             {
    5767. 

  5767.                 struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    5768. 

  5768.                 sd_val->bv_len = sdbuf.length();
    5769. 

  5769.                 sd_val->bv_val = (char*)sdbuf.toByteArray();
    5770. 

  5770.                 sd_values[0] = sd_val;
    5771. 

  5771.                 sd_values[1] = NULL;
    5772. 

  5772. 

  5773.                 sd_attr.mod_type = "ntSecurityDescriptor";
    5774. 

  5774.             }
    5775. 

  5775.             else
    5776. 

  5776.             {
    5777. 

  5777.                 const char* bbptr = sdbuf.toByteArray();
    5778. 

  5778.                 const char* bptr = sdbuf.toByteArray();
    5779. 

  5779.                 int sdbuflen = sdbuf.length();
    5780. 

  5780.                 int segind;
    5781. 

  5781.                 for(segind = 0; segind < numberOfSegs; segind++)
    5782. 

  5782.                 {
    5783. 

  5783.                     if(bptr - bbptr >= sdbuflen)
    5784. 

  5784.                         break;
    5785. 

  5785.                     while(*bptr == '\0' && (bptr - bbptr) < sdbuflen)
    5786. 

  5786.                         bptr++;
    5787. 

  5787. 

  5788.                     const char* eptr = bptr;
    5789. 

  5789.                     while(*eptr != '\0' && (eptr - bbptr) < sdbuflen)
    5790. 

  5790.                         eptr++;
    5791. 

  5791. 

  5792.                     struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    5793. 

  5793.                     sd_val->bv_len = eptr - bptr;
    5794. 

  5794.                     sd_val->bv_val = (char*)bptr;
    5795. 

  5795.                     sd_values[segind] = sd_val;
    5796. 

  5796. 

  5797.                     bptr = eptr + 1;
    5798. 

  5798.                 }
    5799. 

  5799.                 sd_values[segind] = NULL;
    5800. 

  5800. 

  5801.                 sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    5802. 

  5802.             }
    5803. 

  5803.             sd_attr.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
    5804. 

  5804.             sd_attr.mod_vals.modv_bvals = sd_values;
    5805. 

  5805. 

  5806.             attrs[ind++] = &sd_attr;
    5807. 

  5807.         }
    5808. 

  5808.         attrs[ind] = NULL;
    5809. 

  5809. 

  5810.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    5811. 

  5811.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    5812. 

  5812.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    5813. 

  5813.         if ( rc != LDAP_SUCCESS )
    5814. 

  5814.         {
    5815. 

  5815.             if(rc == LDAP_ALREADY_EXISTS)
    5816. 

  5816.             {
    5817. 

  5817.                 //WARNLOG("Can't insert %s to Ldap Server, an LDAP object with this name already exists", resourcename);
    5818. 

  5818.                 if(lessException)
    5819. 

  5819.                 {
    5820. 

  5820.                     DBGLOG("CLdapClient::addResource Can't add resource '%s', an LDAP object with this name already exists", resourcename);
    5821. 

  5821.                     return false;
    5822. 

  5822.                 }
    5823. 

  5823.                 else
    5824. 

  5824.                     throw MakeStringException(-1, "Can't insert %s, an LDAP object with this name already exists", resourcename);
    5825. 

  5825.             }
    5826. 

  5826.             else
    5827. 

  5827.             {
    5828. 

  5828.                 throw MakeStringException(-1, "ldap_add_ext_s error for %s: %d %s", resourcename, rc, ldap_err2string( rc ));
    5829. 

  5829.             }
    5830. 

  5830.         }
    5831. 

  5831. 

  5832.         return true;
    5833. 

  5833.     }
    5834. 

  5834. 

  5835.     virtual void enableUser(ISecUser* user, const char* dn, LDAP* ld)
    5836. 

  5836.     {
    5837. 

  5837.         const char* username = user->getName();
    5838. 

  5838. 

  5839.         StringBuffer filter;
    5840. 

  5840.         filter.append("sAMAccountName=").append(username);
    5841. 

  5841. 

  5842.         char        *attribute;
    5843. 

  5843.         LDAPMessage *message;
    5844. 

  5844. 

  5845.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    5846. 

  5846. 

  5847.         char        *attrs[] = {"userAccountControl", NULL};
    5848. 

  5848.         CLDAPMessage searchResult;
    5849. 

  5849.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    5850. 

  5850. 

  5851.         if ( rc != LDAP_SUCCESS )
    5852. 

  5852.         {
    5853. 

  5853.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    5854. 

  5854.             throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    5855. 

  5855.         }
    5856. 

  5856. 

  5857.         StringBuffer act_ctrl;
    5858. 

  5858.         message = LdapFirstEntry( ld, searchResult);
    5859. 

  5859.         if(message != NULL)
    5860. 

  5860.         {
    5861. 

  5861.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    5862. 

  5862.             for ( attribute = atts.getFirst();
    5863. 

  5863.                   attribute != NULL;
    5864. 

  5864.                   attribute = atts.getNext())
    5865. 

  5865.             {
    5866. 

  5866.                 if(0 == stricmp(attribute, "userAccountControl"))
    5867. 

  5867.                 {
    5868. 

  5868.                     CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    5869. 

  5869.                     if (vals.hasValues())
    5870. 

  5870.                     {
    5871. 

  5871.                         act_ctrl.append(vals.queryCharValue(0));
    5872. 

  5872.                         break;
    5873. 

  5873.                     }
    5874. 

  5874.                 }
    5875. 

  5875.             }
    5876. 

  5876.         }
    5877. 

  5877. 

  5878.         if(act_ctrl.length() == 0)
    5879. 

  5879.         {
    5880. 

  5880.             DBGLOG("enableUser: userAccountControl doesn't exist for user %s",username);
    5881. 

  5881.             throw MakeStringException(-1, "enableUser: userAccountControl doesn't exist for user %s",username);
    5882. 

  5882.         }
    5883. 

  5883. 

  5884.         unsigned act_ctrl_val = atoi(act_ctrl.str());
    5885. 

  5885. 

  5886.         // UF_ACCOUNTDISABLE 0x0002
    5887. 

  5887.         act_ctrl_val &= 0xFFFFFFFD;
    5888. 

  5888. #ifdef _DONT_EXPIRE_PASSWORD
    5889. 

  5889.         // UF_DONT_EXPIRE_PASSWD 0x10000
    5890. 

  5890.         if (m_domainPwdsNeverExpire)
    5891. 

  5891.             act_ctrl_val |= 0x10000;
    5892. 

  5892. #endif
    5893. 

  5893. 

  5894.         StringBuffer new_act_ctrl;
    5895. 

  5895.         new_act_ctrl.append(act_ctrl_val);
    5896. 

  5896. 

  5897.         char *ctrl_values[] = {(char*)new_act_ctrl.str(), NULL};
    5898. 

  5898.         LDAPMod ctrl_attr = {
    5899. 

  5899.             LDAP_MOD_REPLACE,
    5900. 

  5900.             "userAccountControl",
    5901. 

  5901.             ctrl_values
    5902. 

  5902.         };
    5903. 

  5903.         LDAPMod *cattrs[2];
    5904. 

  5904.         cattrs[0] = &ctrl_attr;
    5905. 

  5905.         cattrs[1] = NULL;
    5906. 

  5906. 

  5907.         rc = ldap_modify_ext_s(ld, (char*)dn, cattrs, NULL, NULL);
    5908. 

  5908.         if ( rc != LDAP_SUCCESS )
    5909. 

  5909.         {
    5910. 

  5910.             throw MakeStringException(-1, "error enableUser %s, ldap_modify_ext_s error: %s", username, ldap_err2string( rc ));
    5911. 

  5911.         }
    5912. 

  5912. 

  5913.         // set the password.
    5914. 

  5914.         Owned<ISecUser> tmpuser = new CLdapSecUser(user->getName(), "");
    5915. 

  5915.         const char* passwd = user->credentials().getPassword();
    5916. 

  5916.         if(passwd == NULL || *passwd == '\0')
    5917. 

  5917.             passwd = "password";
    5918. 

  5918. 

  5919.         if (!updateUserPassword(*tmpuser, passwd, NULL))
    5920. 

  5920.         {
    5921. 

  5921.             DBGLOG("Error updating password for %s",username);
    5922. 

  5922.             throw MakeStringException(-1, "Error updating password for %s",username);
    5923. 

  5923.         }
    5924. 

  5924.     }
    5925. 

  5925. 

  5926. 

  5927.     virtual bool addUser(ISecUser& user)
    5928. 

  5928.     {
    5929. 

  5929.         const char* username = user.getName();
    5930. 

  5930.         if(username == NULL || *username == '\0')
    5931. 

  5931.         {
    5932. 

  5932.             DBGLOG("Can't add user, username not set");
    5933. 

  5933.             throw MakeStringException(-1, "Can't add user, username not set");
    5934. 

  5934.         }
    5935. 

  5935. 

  5936.         const char* fname = user.getFirstName();
    5937. 

  5937.         const char* lname = user.getLastName();
    5938. 

  5938.         if((lname == NULL || *lname == '\0') && (fname == NULL || *fname == '\0' || m_ldapconfig->getServerType() == IPLANET))
    5939. 

  5939.             lname = username;
    5940. 

  5940. 

  5941.         const char* fullname = user.getFullName();
    5942. 

  5942.         StringBuffer fullname_buf;
    5943. 

  5943.         if(fullname == NULL || *fullname == '\0')
    5944. 

  5944.         {
    5945. 

  5945.             if(fname != NULL && *fname != '\0')
    5946. 

  5946.             {
    5947. 

  5947.                 fullname_buf.append(fname);
    5948. 

  5948.                 if(lname != NULL && *lname != '\0')
    5949. 

  5949.                     fullname_buf.append(" ");
    5950. 

  5950.             }
    5951. 

  5951.             if(lname != NULL && *lname  != '\0')
    5952. 

  5952.                 fullname_buf.append(lname);
    5953. 

  5953. 

  5954.             if(fullname_buf.length() == 0)
    5955. 

  5955.             {
    5956. 

  5956.                 fullname_buf.append(username);
    5957. 

  5957.             }
    5958. 

  5958.             fullname = fullname_buf.str();
    5959. 

  5959.         }
    5960. 

  5960. 

  5961.         const char* employeeID = user.getEmployeeID();
    5962. 

  5962. 

  5963.         StringBuffer dn;
    5964. 

  5964.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5965. 

  5965.         {
    5966. 

  5966.             dn.append("cn=").append(fullname).append(",");
    5967. 

  5967.         }
    5968. 

  5968.         else
    5969. 

  5969.         {
    5970. 

  5970.             dn.append("uid=").append(user.getName()).append(",");
    5971. 

  5971.         }
    5972. 

  5972.         dn.append(m_ldapconfig->getUserBasedn());
    5973. 

  5973. 

  5974.         char* oc_name;
    5975. 

  5975.         char* act_fieldname;
    5976. 

  5976.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5977. 

  5977.         {
    5978. 

  5978.             oc_name = "User";
    5979. 

  5979.             act_fieldname = "sAMAccountName";
    5980. 

  5980.         }
    5981. 

  5981.         else
    5982. 

  5982.         {
    5983. 

  5983.             oc_name = "inetorgperson";
    5984. 

  5984.             act_fieldname = "uid";
    5985. 

  5985.         }
    5986. 

  5986. 

  5987.         char *cn_values[] = {(char*)fullname, NULL };
    5988. 

  5988.         LDAPMod cn_attr = 
    5989. 

  5989.         {
    5990. 

  5990.             LDAP_MOD_ADD,
    5991. 

  5991.             "cn",
    5992. 

  5992.             cn_values
    5993. 

  5993.         };
    5994. 

  5994. 

  5995.         char *oc_values[] = {oc_name, NULL};
    5996. 

  5996.         LDAPMod oc_attr =
    5997. 

  5997.         {
    5998. 

  5998.             LDAP_MOD_ADD,
    5999. 

  5999.             "objectClass",
    6000. 

  6000.             oc_values
    6001. 

  6001.         };
    6002. 

  6002. 

  6003.         char *gn_values[] = { (char*)fname, NULL };
    6004. 

  6004.         LDAPMod gn_attr = {
    6005. 

  6005.             LDAP_MOD_ADD,
    6006. 

  6006.             "givenName",
    6007. 

  6007.             gn_values
    6008. 

  6008.         };
    6009. 

  6009. 

  6010.         char *sn_values[] = { (char*)lname, NULL };
    6011. 

  6011.         LDAPMod sn_attr = {
    6012. 

  6012.             LDAP_MOD_ADD,
    6013. 

  6013.             "sn",
    6014. 

  6014.             sn_values
    6015. 

  6015.         };
    6016. 

  6016. 

  6017.         char* actname_values[] = {(char*)username, NULL};
    6018. 

  6018.         LDAPMod actname_attr =
    6019. 

  6019.         {
    6020. 

  6020.             LDAP_MOD_ADD,
    6021. 

  6021.             act_fieldname,
    6022. 

  6022.             actname_values
    6023. 

  6023.         };
    6024. 

  6024. 

  6025.         const char* passwd = user.credentials().getPassword();
    6026. 

  6026.         if(passwd == NULL || *passwd == '\0')
    6027. 

  6027.             passwd = "password";
    6028. 

  6028.         char* passwd_values[] = {(char*)passwd, NULL};
    6029. 

  6029.         LDAPMod passwd_attr =
    6030. 

  6030.         {
    6031. 

  6031.             LDAP_MOD_ADD,
    6032. 

  6032.             "userpassword",
    6033. 

  6033.             passwd_values
    6034. 

  6034.         };
    6035. 

  6035. 

  6036.         char *dispname_values[] = {(char*)fullname, NULL };
    6037. 

  6037.         LDAPMod dispname_attr = 
    6038. 

  6038.         {
    6039. 

  6039.             LDAP_MOD_ADD,
    6040. 

  6040.             "displayName",
    6041. 

  6041.             dispname_values
    6042. 

  6042.         };
    6043. 

  6043. 

  6044.         char* username_values[] = {(char*)username, NULL};
    6045. 

  6045.         LDAPMod username_attr =
    6046. 

  6046.         {
    6047. 

  6047.             LDAP_MOD_ADD,
    6048. 

  6048.             "userPrincipalName",
    6049. 

  6049.             username_values
    6050. 

  6050.         };
    6051. 

  6051. 

  6052.         char* employeeID_values[] = {(char*)employeeID, NULL};
    6053. 

  6053.         LDAPMod employeeID_attr =
    6054. 

  6054.         {
    6055. 

  6055.             LDAP_MOD_ADD,
    6056. 

  6056.             "employeeId",
    6057. 

  6057.             employeeID_values
    6058. 

  6058.         };
    6059. 

  6059. 

  6060.         LDAPMod *attrs[9];
    6061. 

  6061.         int ind = 0;
    6062. 

  6062.         
    6063. 

  6063.         attrs[ind++] = &cn_attr;
    6064. 

  6064.         attrs[ind++] = &oc_attr;
    6065. 

  6065.         if(fname != NULL && *fname != '\0')
    6066. 

  6066.             attrs[ind++] = &gn_attr;
    6067. 

  6067.         if(lname != NULL && *lname != '\0')
    6068. 

  6068.             attrs[ind++] = &sn_attr;
    6069. 

  6069.         attrs[ind++] = &actname_attr;
    6070. 

  6070. 

  6071.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    6072. 

  6072.         {
    6073. 

  6073.             attrs[ind++] = &username_attr;
    6074. 

  6074.             attrs[ind++] = &dispname_attr;
    6075. 

  6075.             if (employeeID && *employeeID)
    6076. 

  6076.                 attrs[ind++] = &employeeID_attr;
    6077. 

  6077.         }
    6078. 

  6078.         else
    6079. 

  6079.         {
    6080. 

  6080.             attrs[ind++] = &passwd_attr;
    6081. 

  6081.         }
    6082. 

  6082. 

  6083.         attrs[ind] = NULL;
    6084. 

  6084. 

  6085.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    6086. 

  6086.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    6087. 

  6087.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    6088. 

  6088.         if ( rc != LDAP_SUCCESS )
    6089. 

  6089.         {
    6090. 

  6090.             if(rc == LDAP_ALREADY_EXISTS)
    6091. 

  6091.             {
    6092. 

  6092.                 DBGLOG("Can't add user %s, an LDAP object with this name already exists", username);
    6093. 

  6093.                 throw MakeStringException(-1, "Can't add user %s, an LDAP object with this name already exists", username);
    6094. 

  6094.             }
    6095. 

  6095.             else
    6096. 

  6096.             {
    6097. 

  6097.                 DBGLOG("Error addUser %s, ldap_add_ext_s error: %s", username, ldap_err2string( rc ));
    6098. 

  6098.                 throw MakeStringException(-1, "Error addUser %s, ldap_add_ext_s error: %s", username, ldap_err2string( rc ));
    6099. 

  6099.             }
    6100. 

  6100.         }
    6101. 

  6101. 

  6102.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    6103. 

  6103.         {
    6104. 

  6104.             try
    6105. 

  6105.             {
    6106. 

  6106.                 enableUser(&user, dn.str(), ld);
    6107. 

  6107.             }
    6108. 

  6108.             catch(...)
    6109. 

  6109.             {
    6110. 

  6110.                 deleteUser(&user);
    6111. 

  6111.                 throw;
    6112. 

  6112.             }
    6113. 

  6113.         }
    6114. 

  6114. 

  6115.         //Add tempfile scope for this user (spill, paused and checkpoint
    6116. 

  6116.         //will be created under this user specific scope)
    6117. 

  6117.         StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
    6118. 

  6118.         resName.append("::").append(username);
    6119. 

  6119.         Owned<ISecResource> resource = new CLdapSecResource(resName.str());
    6120. 

  6120.         if (!addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE)))
    6121. 

  6121.         {
    6122. 

  6122.             throw MakeStringException(-1, "Error adding temp file scope %s",resName.str());
    6123. 

  6123.         }
    6124. 

  6124. 

  6125.         return true;
    6126. 

  6126.     }
    6127. 

  6127. 

  6128.     bool createUserScope(ISecUser& user)
    6129. 

  6129.     {
    6130. 

  6130.         //Add tempfile scope for given user (spill, paused and checkpoint
    6131. 

  6131.         //files will be created under this user specific scope)
    6132. 

  6132.         StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
    6133. 

  6133.         resName.append("::").append(user.getName());
    6134. 

  6134.         Owned<ISecResource> resource = new CLdapSecResource(resName.str());
    6135. 

  6135.         return addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
    6136. 

  6136.     }
    6137. 

  6137. 

  6138.     virtual aindex_t getManagedFileScopes(IArrayOf<ISecResource>& scopes)
    6139. 

  6139.     {
    6140. 

  6140.         getResourcesEx(RT_FILE_SCOPE, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), NULL, NULL, scopes);
    6141. 

  6141.         return scopes.length();
    6142. 

  6142.     }
    6143. 

  6143. 

  6144.     virtual SecAccessFlags queryDefaultPermission(ISecUser& user)
    6145. 

  6145.     {
    6146. 

  6146.         const char* basedn = m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE);
    6147. 

  6147.         if(basedn == NULL || *basedn == '\0')
    6148. 

  6148.         {
    6149. 

  6149.             DBGLOG("corresponding basedn is not defined");
    6150. 

  6150.             return SecAccess_Unavailable;
    6151. 

  6151.         }
    6152. 

  6152.         const char* basebasedn = strchr(basedn, ',') + 1;
    6153. 

  6153.         StringBuffer baseresource;
    6154. 

  6154.         baseresource.append(basebasedn-basedn-4, basedn+3);
    6155. 

  6155.         IArrayOf<ISecResource> base_resources;
    6156. 

  6156.         base_resources.append(*new CLdapSecResource(baseresource.str()));
    6157. 

  6157.         bool baseok = authorizeScope(user, base_resources, basebasedn);
    6158. 

  6158.         if(baseok)
    6159. 

  6159.             return base_resources.item(0).getAccessFlags();
    6160. 

  6160.         else
    6161. 

  6161.             return UNK_PERM_VALUE;
    6162. 

  6162.     }
    6163. 

  6163. 

  6164.     bool isReservedGroupName(const char * groupName)
    6165. 

  6165.     {
    6166. 

  6166.         if (stricmp(groupName, "Administrators") == 0 ||
    6167. 

  6167.             stricmp(groupName, "Authenticated Users") == 0 ||
    6168. 

  6168.             stricmp(groupName, "Directory Administrators") == 0)
    6169. 

  6169.         {
    6170. 

  6170.             return true;
    6171. 

  6171.         }
    6172. 

  6172.         return false;
    6173. 

  6173.     }
    6174. 

  6174. 

  6175.     //Data View related interfaces
    6176. 

  6176. 

  6177.     void createView(const char * viewName, const char * viewDescription)
    6178. 

  6178.     {
    6179. 

  6179.         if(viewName == nullptr || *viewName == '\0')
    6180. 

  6180.             throw MakeStringException(-1, "Can't add view, viewname is empty");
    6181. 

  6181. 

  6182.         if (isReservedGroupName(viewName))
    6183. 

  6183.         {
    6184. 

  6184.             throw MakeStringException(-1, "Can't add view, '%s' is a reserved name", viewName);
    6185. 

  6185.         }
    6186. 

  6186. 

  6187.         addGroup(viewName, nullptr, nullptr, m_ldapconfig->getViewBasedn());//TODO Save description
    6188. 

  6188.     }
    6189. 

  6189. 

  6190.     void deleteView(const char * viewName)
    6191. 

  6191.     {
    6192. 

  6192.         if(viewName == nullptr || *viewName == '\0')
    6193. 

  6193.             throw MakeStringException(-1, "Can't delete view, viewname is empty");
    6194. 

  6194. 

  6195.         deleteGroup(viewName, (const char *)m_ldapconfig->getViewBasedn());
    6196. 

  6196.     }
    6197. 

  6197. 

  6198.     void queryAllViews(StringArray & viewNames, StringArray & viewDescriptions, StringArray & viewManagedBy)
    6199. 

  6199.     {
    6200. 

  6200.         StringArray names;
    6201. 

  6201.         StringArray managedBy;
    6202. 

  6202.         StringArray desc;
    6203. 

  6203.         getAllGroups(names, managedBy, desc, (const char *)m_ldapconfig->getViewBasedn());
    6204. 

  6204. 

  6205.         unsigned len = names.ordinality();
    6206. 

  6206.         for(unsigned idx = 0; idx < len; idx++)
    6207. 

  6207.         {
    6208. 

  6208.             const char * pName = names.item(idx);
    6209. 

  6209.             if (!isReservedGroupName(pName))
    6210. 

  6210.             {
    6211. 

  6211.                 viewNames.append(pName);
    6212. 

  6212.                 viewDescriptions.append(desc.item(idx));
    6213. 

  6213.                 viewManagedBy.append(managedBy.item(idx));
    6214. 

  6214.             }
    6215. 

  6215.         }
    6216. 

  6216.     }
    6217. 

  6217. 

  6218.     bool userInView(const char * user, const char* viewName)
    6219. 

  6219.     {
    6220. 

  6220.         if(user == nullptr || *user == '\0')
    6221. 

  6221.             throw MakeStringException(-1, "Can't check user in view, user name is empty");
    6222. 

  6222. 

  6223.         if(viewName == nullptr || *viewName == '\0')
    6224. 

  6224.             throw MakeStringException(-1, "Can't check user in view, viewName is empty");
    6225. 

  6225. 

  6226.         try
    6227. 

  6227.         {
    6228. 

  6228.             StringBuffer userDN;
    6229. 

  6229.             getUserDN(user, userDN);
    6230. 

  6230.             VStringBuffer viewDN("CN=%s,%s",viewName, m_ldapconfig->getViewBasedn());
    6231. 

  6231.             return userInGroup(userDN.str(), viewDN.str());
    6232. 

  6232.         }
    6233. 

  6233.         catch (IException* e)
    6234. 

  6234.         {
    6235. 

  6235. #ifdef _DEBUG
    6236. 

  6236.             StringBuffer emsg;
    6237. 

  6237.             e->errorMessage(emsg);
    6238. 

  6238.             DBGLOG("userInView(%s,%s) - %s", user, viewName, emsg.str());
    6239. 

  6239. #endif
    6240. 

  6240.             e->Release();
    6241. 

  6241.             return false;
    6242. 

  6242.         }
    6243. 

  6243.     }
    6244. 

  6244. 

  6245.     void updateViewContents(const char * viewName, const char * content)
    6246. 

  6246.     {
    6247. 

  6247.         if(viewName == nullptr || *viewName == '\0')
    6248. 

  6248.             throw MakeStringException(-1, "Can't updateViewContents, viewName is empty");
    6249. 

  6249. 

  6250.         //Update LDAP description
    6251. 

  6251.         char *desc_values[] = { (content && *content != '\0') ? (char*)content : (char*)"|", NULL };
    6252. 

  6252.         LDAPMod desc_attr = {
    6253. 

  6253.             LDAP_MOD_REPLACE,
    6254. 

  6254.             "description",
    6255. 

  6255.             desc_values
    6256. 

  6256.         };
    6257. 

  6257. 

  6258.         LDAPMod *attrs[2];
    6259. 

  6259.         attrs[0] = &desc_attr;
    6260. 

  6260.         attrs[1] = nullptr;
    6261. 

  6261. 

  6262.         TIMEVAL timeOut = { m_ldapconfig->getLdapTimeout(), 0 };
    6263. 

  6263.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    6264. 

  6264.         LDAP* ld = ((CLdapConnection*) lconn.get())->getLd();
    6265. 

  6265. 

  6266.         StringBuffer dn;
    6267. 

  6267.         dn.appendf("CN=%s,%s", viewName, (char*) m_ldapconfig->getViewBasedn());
    6268. 

  6268.         unsigned rc = ldap_modify_ext_s(ld, (char*)dn.str(), attrs, nullptr, nullptr);
    6269. 

  6269.         if (rc != LDAP_SUCCESS )
    6270. 

  6270.             throw MakeStringException(-1, "Error updating view %s - %s", viewName, ldap_err2string( rc ));
    6271. 

  6271.     }
    6272. 

  6272. 

  6273. 

  6274.     void addViewColumns(const char * viewName, StringArray & files, StringArray & columns)
    6275. 

  6275.     {
    6276. 

  6276.         if(viewName == nullptr || *viewName == '\0')
    6277. 

  6277.             throw MakeStringException(-1, "Can't addViewColumns, viewName is empty");
    6278. 

  6278. 

  6279.         StringArray currFiles;
    6280. 

  6280.         StringArray currCols;
    6281. 

  6281.         queryViewColumns(viewName, currFiles, currCols);
    6282. 

  6282.         unsigned vCount = currFiles.ordinality();
    6283. 

  6283.         assertex(vCount == currCols.ordinality());
    6284. 

  6284. 

  6285.         unsigned len = files.ordinality();
    6286. 

  6286.         assertex(len == columns.ordinality());
    6287. 

  6287.         bool changed = false;
    6288. 

  6288.         for(unsigned idx = 0; idx < len; idx++)
    6289. 

  6289.         {
    6290. 

  6290.             bool isDup = false;
    6291. 

  6291.             for (unsigned vIdx = 0; vIdx < vCount; vIdx++)//look for dups
    6292. 

  6292.             {
    6293. 

  6293.                 if (0 == stricmp(files.item(idx), currFiles.item(vIdx)) &&
    6294. 

  6294.                     0 == stricmp(columns.item(idx), currCols.item(vIdx)))
    6295. 

  6295.                 {
    6296. 

  6296.                     isDup = true;//skip duplicate entry
    6297. 

  6297.                     break;
    6298. 

  6298.                 }
    6299. 

  6299.             }
    6300. 

  6300. 

  6301.             if (!isDup)
    6302. 

  6302.             {
    6303. 

  6303.                 currFiles.append(files.item(idx));
    6304. 

  6304.                 currCols.append(columns.item(idx));
    6305. 

  6305.                 changed = true;
    6306. 

  6306.             }
    6307. 

  6307.         }
    6308. 

  6308. 

  6309.         if (!changed)
    6310. 

  6310.         {
    6311. 

  6311.             throw MakeStringException(-1, "Specified columns already exist in view");
    6312. 

  6312.         }
    6313. 

  6313. 

  6314.         ///build description buffer containing one or more ||lfn|col
    6315. 

  6315.         StringBuffer description;
    6316. 

  6316.         len = currFiles.ordinality();
    6317. 

  6317.         for(unsigned idx = 0; idx < len; idx++)
    6318. 

  6318.         {
    6319. 

  6319.             description.appendf("||%s|%s",currFiles.item(idx), currCols.item(idx));//use illegal LFN character as separators
    6320. 

  6320.         }
    6321. 

  6321. 

  6322.         updateViewContents(viewName, description.str());
    6323. 

  6323.     }
    6324. 

  6324. 

  6325.     void removeViewColumns(const char * viewName, StringArray & files, StringArray & columns)
    6326. 

  6326.     {
    6327. 

  6327.         if(viewName == nullptr || *viewName == '\0')
    6328. 

  6328.             throw MakeStringException(-1, "Can't removeViewColumns, viewName is empty");
    6329. 

  6329. 

  6330.         StringArray currFiles;
    6331. 

  6331.         StringArray currCols;
    6332. 

  6332.         queryViewColumns(viewName, currFiles, currCols);
    6333. 

  6333.         assertex(currFiles.ordinality() == currCols.ordinality());
    6334. 

  6334. 

  6335.         unsigned len = files.ordinality();
    6336. 

  6336.         assertex(len == columns.ordinality());
    6337. 

  6337.         bool changed = false;
    6338. 

  6338.         for(unsigned idx = 0; idx < len; idx++)//for all pairs to be removed
    6339. 

  6339.         {
    6340. 

  6340.             unsigned len2 = currFiles.ordinality();
    6341. 

  6341.             for(unsigned idx2 = 0; idx2 < len2; idx2++)
    6342. 

  6342.             {
    6343. 

  6343.                 if (0 == stricmp(files.item(idx), currFiles.item(idx2)) &&
    6344. 

  6344.                     0 == stricmp(columns.item(idx), currCols.item(idx2)))
    6345. 

  6345.                 {
    6346. 

  6346.                     currFiles.remove(idx2);
    6347. 

  6347.                     currCols.remove(idx2);
    6348. 

  6348.                     changed = true;
    6349. 

  6349.                     break;
    6350. 

  6350.                 }
    6351. 

  6351.             }
    6352. 

  6352.         }
    6353. 

  6353. 

  6354.         if (!changed)
    6355. 

  6355.         {
    6356. 

  6356.             throw MakeStringException(-1, "Specified columns do not exist in view");
    6357. 

  6357.         }
    6358. 

  6358. 

  6359.         ///build description buffer containing one or more ||lfn|col
    6360. 

  6360.         StringBuffer description;
    6361. 

  6361.         len = currFiles.ordinality();
    6362. 

  6362.         for(unsigned idx = 0; idx < len; idx++)
    6363. 

  6363.         {
    6364. 

  6364.             description.appendf("||%s|%s",currFiles.item(idx), currCols.item(idx));//use illegal LFN character as separators
    6365. 

  6365.         }
    6366. 

  6366. 

  6367.         updateViewContents(viewName, description.str());
    6368. 

  6368.     }
    6369. 

  6369. 

  6370.     void queryViewColumns(const char * viewName, StringArray & files, StringArray & columns)
    6371. 

  6371.     {
    6372. 

  6372.         if(viewName == nullptr || *viewName == '\0')
    6373. 

  6373.             throw MakeStringException(-1, "Can't queryViewColumns, viewName is empty");
    6374. 

  6374. 

  6375.        StringBuffer filter;
    6376. 

  6376. 

  6377.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    6378. 

  6378.             filter.append("objectClass=group");
    6379. 

  6379.         else
    6380. 

  6380.             filter.append("objectClass=groupofuniquenames");
    6381. 

  6381. 

  6382.         TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
    6383. 

  6383. 

  6384.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    6385. 

  6385.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    6386. 

  6386.         char *attrs[] = {"description", NULL};
    6387. 

  6387. 

  6388.         StringBuffer dn;
    6389. 

  6389.         dn.appendf("CN=%s,%s", viewName, (char*)m_ldapconfig->getViewBasedn() );
    6390. 

  6390.         CPagedLDAPSearch pagedSrch(ld, m_ldapconfig->getLdapTimeout(), (char*)dn.str(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs);
    6391. 

  6391.         int idx = 0;
    6392. 

  6392.         LDAPMessage *message = pagedSrch.getFirstEntry();
    6393. 

  6393.         if (message)
    6394. 

  6394.         {
    6395. 

  6395.             CLDAPGetAttributesWrapper atts(ld, message);
    6396. 

  6396.             char * attribute = atts.getFirst();
    6397. 

  6397.             if (attribute)
    6398. 

  6398.             {
    6399. 

  6399.                 CLDAPGetValuesLenWrapper vals(ld, message, attribute);
    6400. 

  6400.                 if(vals.hasValues() && stricmp(attribute, "description") == 0)
    6401. 

  6401.                 {
    6402. 

  6402.                     StringBuffer sb(vals.queryCharValue(0));
    6403. 

  6403.                     if (!sb.isEmpty())
    6404. 

  6404.                     {
    6405. 

  6405.                         StringBuffer sbFile;
    6406. 

  6406.                         StringBuffer sbCol;
    6407. 

  6407.                         unsigned finger = 0;
    6408. 

  6408.                         unsigned len = sb.length();
    6409. 

  6409.                         while (finger < len)
    6410. 

  6410.                         {
    6411. 

  6411.                             while (finger < len && sb.charAt(finger) == '|')
    6412. 

  6412.                                 finger++;//skip to lfn
    6413. 

  6413.                             sbFile.clear();
    6414. 

  6414.                             while (finger < len && sb.charAt(finger) != '|')
    6415. 

  6415.                                 sbFile.append(sb.charAt(finger++));
    6416. 

  6416.                             while (finger < len && sb.charAt(finger) == '|')
    6417. 

  6417.                                 finger++;//skip to column name
    6418. 

  6418.                             sbCol.clear();
    6419. 

  6419.                             while (finger < len && sb.charAt(finger) != '|')
    6420. 

  6420.                                 sbCol.append(sb.charAt(finger++));
    6421. 

  6421. 

  6422.                             if (!sbFile.isEmpty() && !sbCol.isEmpty())
    6423. 

  6423.                             {
    6424. 

  6424.                                 files.append(sbFile.str());
    6425. 

  6425.                                 columns.append(sbCol.str());
    6426. 

  6426.                             }
    6427. 

  6427.                         }
    6428. 

  6428.                     }
    6429. 

  6429.                 }
    6430. 

  6430.             }
    6431. 

  6431.         }
    6432. 

  6432.     }
    6433. 

  6433. 

  6434.     void addViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups)
    6435. 

  6435.     {
    6436. 

  6436.         if(viewName == nullptr || *viewName == '\0')
    6437. 

  6437.             throw MakeStringException(-1, "Can't addViewMembers, viewName is empty");
    6438. 

  6438. 

  6439.         unsigned len = viewUsers.ordinality();
    6440. 

  6440.         for (unsigned idx = 0; idx < len; idx++)
    6441. 

  6441.         {
    6442. 

  6442.             changeUserGroup("add", viewUsers.item(idx), viewName, m_ldapconfig->getViewBasedn());
    6443. 

  6443.         }
    6444. 

  6444.         //TODO handle viewGroups
    6445. 

  6445. 

  6446.     }
    6447. 

  6447. 

  6448.     void removeViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups)
    6449. 

  6449.     {
    6450. 

  6450.         if(viewName == nullptr || *viewName == '\0')
    6451. 

  6451.             throw MakeStringException(-1, "Can't removeViewMembers, viewName is empty");
    6452. 

  6452. 

  6453.         unsigned len = viewUsers.ordinality();
    6454. 

  6454.         for (unsigned idx = 0; idx < len; idx++)
    6455. 

  6455.         {
    6456. 

  6456.             changeUserGroup("delete", viewUsers.item(idx), viewName, m_ldapconfig->getViewBasedn());
    6457. 

  6457.         }
    6458. 

  6458.         //TODO handle viewGroups
    6459. 

  6459.     }
    6460. 

  6460. 

  6461.     void queryViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups)
    6462. 

  6462.     {
    6463. 

  6463.         if(viewName == nullptr || *viewName == '\0')
    6464. 

  6464.             throw MakeStringException(-1, "Can't queryViewMembers, viewName is empty");
    6465. 

  6465. 

  6466.         getGroupMembers(viewName, viewUsers, m_ldapconfig->getViewBasedn());
    6467. 

  6467.         //TODO get viewGroups
    6468. 

  6468.     }
    6469. 

  6469. };
    6470. 

  6470. 

  6471. #ifdef _WIN32
    6472. 

  6472. bool verifyServerCert(LDAP* ld, PCCERT_CONTEXT pServerCert)
    6473. 

  6473. {
    6474. 

  6474.     return true;
    6475. 

  6475. }
    6476. 

  6476. #endif
    6477. 

  6477. 

  6478. ILdapClient* createLdapClient(IPropertyTree* cfg)
    6479. 

  6479. {
    6480. 

  6480.     return new CLdapClient(cfg);
    6481. 

  6481. }
    6482. 

  6482. 

  6483.