Sākums Izpētīt Palīdzība
Pierakstīties
RONCC
/
Big-Data-HPC-Platform
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: b025875cb7
Atzari Tagi
Big-Data-HPC...
/
system
/
security
/
LdapSecurity
/
ldapconnection.cpp

ldapconnection.cpp 187 KB
Vēsture Neapstrādāts

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344 
  1. /*##############################################################################
    2. 

  2. 

  3.     HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems.
    4. 

  4. 

  5.     Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.     you may not use this file except in compliance with the License.
    7. 

  7.     You may obtain a copy of the License at
    8. 

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10. 

  11.     Unless required by applicable law or agreed to in writing, software
    12. 

  12.     distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.     See the License for the specific language governing permissions and
    15. 

  15.     limitations under the License.
    16. 

  16. ############################################################################## */
    17. 

  17. 

  18. // LDAP prototypes use char* where they should be using const char *, resulting in lots of spurious warnings
    19. 

  19. #pragma warning( disable : 4786 )
    20. 

  20. #ifdef __GNUC__
    21. 

  21. #pragma GCC diagnostic ignored "-Wwrite-strings"
    22. 

  22. #endif
    23. 

  23. 

  24. #include "permissions.ipp"
    25. 

  25. #include "aci.ipp"
    26. 

  26. #include "ldapsecurity.ipp"
    27. 

  27. #include "jsmartsock.hpp"
    28. 

  28. #include "jrespool.tpp"
    29. 

  29. #include "mpbase.hpp"
    30. 

  30. #include "dautils.hpp"
    31. 

  31. 

  32. #undef new
    33. 

  33. #include <map>
    34. 

  34. #include <string>
    35. 

  35. #include <set>
    36. 

  36. #if defined(_DEBUG) && defined(_WIN32) && !defined(USING_MPATROL)
    37. 

  37.  #define new new(_NORMAL_BLOCK, __FILE__, __LINE__)
    38. 

  38. #endif
    39. 

  39. #ifdef _WIN32
    40. 

  40. #include <lm.h>
    41. 

  41. #define LdapRename ldap_rename_ext_s
    42. 

  42.     LDAPMessage* (*LdapFirstEntry)(LDAP*, LDAPMessage*) = &ldap_first_entry;
    43. 

  43.     LDAPMessage* (*LdapNextEntry)(LDAP* ld, LDAPMessage* entry) = &ldap_next_entry;
    44. 

  44. #else
    45. 

  45. #define LdapRename ldap_rename_s
    46. 

  46.     LDAPMessage* (__stdcall *LdapFirstEntry)(LDAP*, LDAPMessage*) = &ldap_first_message;
    47. 

  47.     LDAPMessage* (__stdcall *LdapNextEntry)(LDAP* ld, LDAPMessage* entry) = &ldap_next_message;
    48. 

  48. #endif
    49. 

  49. 

  50. #define LDAPSEC_MAX_RETRIES 2
    51. 

  51. #define LDAPSEC_RETRY_WAIT  3
    52. 

  52. 

  53. #ifdef _WIN32 
    54. 

  54. #define LDAP_NO_ATTRS "1.1"
    55. 

  55. #endif
    56. 

  56. 

  57. #define PWD_NEVER_EXPIRES (__int64)0x8000000000000000
    58. 

  58. 

  59. class CLoadBalancer : public CInterface, implements IInterface
    60. 

  60. {
    61. 

  61. private:
    62. 

  62.     StringArray hostArray;
    63. 

  63.     unsigned    nextIndex;
    64. 

  64.     Mutex       m_mutex;
    65. 

  65. 

  66. public:
    67. 

  67.     IMPLEMENT_IINTERFACE
    68. 

  68. 

  69.     CLoadBalancer(const char* addrlist)
    70. 

  70.     {
    71. 

  71.         char *copyFullText = strdup(addrlist);
    72. 

  72.         char *saveptr;
    73. 

  73.         char *ip = strtok_r(copyFullText, "|", &saveptr);
    74. 

  74.         while (ip != NULL)
    75. 

  75.         {
    76. 

  76.             if (isdigit(*ip))
    77. 

  77.             {
    78. 

  78.                 char *dash = strrchr(ip, '-');
    79. 

  79.                 if (dash)
    80. 

  80.                 {
    81. 

  81.                     *dash = 0;
    82. 

  82.                     int last = atoi(dash+1);
    83. 

  83.                     char *dot = strrchr(ip, '.');
    84. 

  84.                     *dot = 0;
    85. 

  85.                     int first = atoi(dot+1);
    86. 

  86.                     for (int i = first; i <= last; i++)
    87. 

  87.                     {
    88. 

  88.                         StringBuffer t;
    89. 

  89.                         t.append(ip).append('.').append(i);
    90. 

  90.                         hostArray.append(t.str());
    91. 

  91.                     }
    92. 

  92.                 }
    93. 

  93.                 else
    94. 

  94.                 {
    95. 

  95.                     hostArray.append(ip);
    96. 

  96.                 }
    97. 

  97.             }
    98. 

  98.             else
    99. 

  99.             {
    100. 

  100.                 hostArray.append(ip);
    101. 

  101.             }
    102. 

  102.             ip = strtok_r(NULL, "|", &saveptr);
    103. 

  103.         }
    104. 

  104.         free(copyFullText);
    105. 

  105. 

  106.         if(hostArray.length() == 0)
    107. 

  107.         {
    108. 

  108.             throw MakeStringException(-1, "No valid ldap server address specified");
    109. 

  109.         }
    110. 

  110. 

  111.         Owned<IRandomNumberGenerator> random = createRandomNumberGenerator();
    112. 

  112.         random->seed((unsigned)get_cycles_now());
    113. 

  113. 

  114.         unsigned i = hostArray.ordinality();
    115. 

  115.         while (i > 1)
    116. 

  116.         {
    117. 

  117.             unsigned j = random->next() % i;
    118. 

  118.             i--;
    119. 

  119.             hostArray.swap(i, j);
    120. 

  120.         }
    121. 

  121. 

  122.         nextIndex = 0;
    123. 

  123. 

  124.         for(unsigned ind = 0; ind < hostArray.length(); ind++)
    125. 

  125.         {
    126. 

  126.             DBGLOG("Added ldap server %s", hostArray.item(ind));
    127. 

  127.         }
    128. 

  128.     }
    129. 

  129. 

  130.     virtual ~CLoadBalancer()
    131. 

  131.     {
    132. 

  132.     }
    133. 

  133. 

  134.     const char* next()
    135. 

  135.     {
    136. 

  136.         unsigned curindex = 0;
    137. 

  137.         
    138. 

  138.         {
    139. 

  139.             synchronized block(m_mutex);
    140. 

  140.             curindex = nextIndex;
    141. 

  141.             ++nextIndex %= hostArray.ordinality();
    142. 

  142.         }
    143. 

  143. 

  144.         return (hostArray.item(curindex));
    145. 

  145.     }
    146. 

  146. };
    147. 

  147. 

  148. inline bool LdapServerDown(int rc)
    149. 

  149. {
    150. 

  150.     return rc==LDAP_SERVER_DOWN||rc==LDAP_UNAVAILABLE||rc==LDAP_TIMEOUT;
    151. 

  151. }
    152. 

  152. 

  153. class CLdapConfig : public CInterface, implements ILdapConfig
    154. 

  154. {
    155. 

  155. private:
    156. 

  156.     LdapServerType       m_serverType; 
    157. 

  157.     StringAttr           m_cfgServerType;//LDAP Server type name (ActiveDirectory, Fedora389, etc)
    158. 

  158. 

  159.     Owned<IPropertyTree> m_cfg;
    160. 

  160. 

  161.     Owned<CLoadBalancer> m_ldaphosts;
    162. 

  162.     int                  m_ldapport;
    163. 

  163.     int                  m_ldap_secure_port;
    164. 

  164.     StringBuffer         m_protocol;
    165. 

  165.     StringBuffer         m_basedn;
    166. 

  166.     StringBuffer         m_domain;
    167. 

  167.     StringBuffer         m_authmethod;
    168. 

  168. 

  169.     StringBuffer         m_user_basedn;
    170. 

  170.     StringBuffer         m_group_basedn;
    171. 

  171.     StringBuffer         m_resource_basedn;
    172. 

  172.     StringBuffer         m_filescope_basedn;
    173. 

  173.     StringBuffer         m_workunitscope_basedn;
    174. 

  174.     StringBuffer         m_sudoers_basedn;
    175. 

  175.     StringBuffer         m_template_name;
    176. 

  176. 

  177.     StringBuffer         m_sysuser;
    178. 

  178.     StringBuffer         m_sysuser_commonname;
    179. 

  179.     StringBuffer         m_sysuser_password;
    180. 

  180.     StringBuffer         m_sysuser_basedn;
    181. 

  181. 

  182.     bool                 m_sysuser_specified;
    183. 

  183.     StringBuffer         m_sysuser_dn;
    184. 

  184. 

  185.     int                  m_maxConnections;
    186. 

  186.     
    187. 

  187.     StringBuffer         m_sdfieldname;
    188. 

  188. public:
    189. 

  189.     IMPLEMENT_IINTERFACE
    190. 

  190. 

  191.     CLdapConfig(IPropertyTree* cfg)
    192. 

  192.     {
    193. 

  193.         int version = LDAP_VERSION3;
    194. 

  194.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    195. 

  195. 

  196.         m_cfg.set(cfg);
    197. 

  197. 

  198.         //Check for LDAP Server type in config
    199. 

  199.         m_serverType = LDAPSERVER_UNKNOWN;
    200. 

  200.         m_cfgServerType.set(cfg->queryProp(".//@serverType"));
    201. 

  201.         if (m_cfgServerType.length())
    202. 

  202.         {
    203. 

  203.             if (0 == stricmp(m_cfgServerType, "ActiveDirectory"))
    204. 

  204.                 m_serverType = ACTIVE_DIRECTORY;
    205. 

  205.             else if (0 == stricmp(m_cfgServerType, "389DirectoryServer"))//uses iPlanet style ACI
    206. 

  206.                 m_serverType = OPEN_LDAP;
    207. 

  207.             else if (0 == stricmp(m_cfgServerType, "OpenLDAP"))
    208. 

  208.                 m_serverType = OPEN_LDAP;
    209. 

  209.             else if (0 == stricmp(m_cfgServerType, "Fedora389"))
    210. 

  210.                 m_serverType = OPEN_LDAP;
    211. 

  211.             else if (0 == stricmp(m_cfgServerType, "iPlanet"))
    212. 

  212.                 m_serverType = IPLANET;
    213. 

  213.             else
    214. 

  214.                 throw MakeStringException(-1, "Unknown LDAP serverType '%s' specified",m_cfgServerType.get());
    215. 

  215.         }
    216. 

  216.         else
    217. 

  217.         {
    218. 

  218.             DBGLOG("LDAP serverType not specified, will try to deduce");
    219. 

  219.         }
    220. 

  220. 

  221.         StringBuffer hostsbuf;
    222. 

  222.         cfg->getProp(".//@ldapAddress", hostsbuf);
    223. 

  223.         if(hostsbuf.length() == 0)
    224. 

  224.         {
    225. 

  225.             throw MakeStringException(-1, "ldapAddress not found in config");
    226. 

  226.         }
    227. 

  227.         m_ldaphosts.setown(new CLoadBalancer(hostsbuf.str()));
    228. 

  228. 

  229.         cfg->getProp(".//@ldapProtocol", m_protocol);
    230. 

  230.         if(m_protocol.length() == 0)
    231. 

  231.         {
    232. 

  232.             m_protocol.append("ldap");
    233. 

  233.         }
    234. 

  234.         
    235. 

  235.         StringBuffer portbuf;
    236. 

  236.         cfg->getProp(".//@ldapPort", portbuf);
    237. 

  237.         if(portbuf.length() == 0)
    238. 

  238.             m_ldapport = 389;
    239. 

  239.         else
    240. 

  240.             m_ldapport = atoi(portbuf.str());
    241. 

  241. 

  242.         portbuf.clear();
    243. 

  243.         cfg->getProp(".//@ldapSecurePort", portbuf);
    244. 

  244.         if(portbuf.length() == 0)
    245. 

  245.             m_ldap_secure_port = 636;
    246. 

  246.         else
    247. 

  247.             m_ldap_secure_port = atoi(portbuf.str());
    248. 

  248. 

  249.         StringBuffer hostbuf, dcbuf;
    250. 

  250.         int rc = 0;
    251. 

  251.         getLdapHost(hostbuf);
    252. 

  252.         for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    253. 

  253.         {
    254. 

  254.             rc = LdapUtils::getServerInfo(hostbuf.str(), m_ldapport, dcbuf, m_serverType, cfg->queryProp(".//@ldapDomain"));
    255. 

  255.             if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    256. 

  256.                 break;
    257. 

  257.             sleep(LDAPSEC_RETRY_WAIT);
    258. 

  258.             if(retries < LDAPSEC_MAX_RETRIES)
    259. 

  259.             {
    260. 

  260.                 DBGLOG("Server %s temporarily unreachable.", hostbuf.str());
    261. 

  261.                 // Retrying next ldap sever, might be the same server
    262. 

  262.                 hostbuf.clear();
    263. 

  263.                 getLdapHost(hostbuf);
    264. 

  264.                 DBGLOG("Retrying with %s...", hostbuf.str());
    265. 

  265.             }
    266. 

  266.         }
    267. 

  267.         if(rc != LDAP_SUCCESS)
    268. 

  268.         {
    269. 

  269.             throw MakeStringException(-1, "getServerInfo error - %s", ldap_err2string(rc));
    270. 

  270.         }
    271. 

  271.         const char* basedn = cfg->queryProp(".//@commonBasedn");
    272. 

  272.         if(basedn == NULL || *basedn == '\0')
    273. 

  273.         {
    274. 

  274.             basedn = dcbuf.str();
    275. 

  275.         }
    276. 

  276.         LdapUtils::cleanupDn(basedn, m_basedn);
    277. 

  277. 

  278.         StringBuffer user_basedn;
    279. 

  279.         cfg->getProp(".//@usersBasedn", user_basedn);
    280. 

  280.         if(user_basedn.length() == 0)
    281. 

  281.         {
    282. 

  282.             throw MakeStringException(-1, "users basedn not found in config");
    283. 

  283.         }
    284. 

  284.         LdapUtils::normalizeDn(user_basedn.str(), m_basedn.str(), m_user_basedn);
    285. 

  285.         
    286. 

  286.         StringBuffer group_basedn;
    287. 

  287.         cfg->getProp(".//@groupsBasedn", group_basedn);
    288. 

  288.         if(group_basedn.length() == 0)
    289. 

  289.         {
    290. 

  290.             throw MakeStringException(-1, "groups basedn not found in config");
    291. 

  291.         }
    292. 

  292.         LdapUtils::normalizeDn(group_basedn.str(), m_basedn.str(), m_group_basedn);
    293. 

  293. 

  294.         StringBuffer dnbuf;
    295. 

  295.         cfg->getProp(".//@modulesBasedn", dnbuf);
    296. 

  296.         if(dnbuf.length() == 0)
    297. 

  297.             cfg->getProp(".//@resourcesBasedn", dnbuf);
    298. 

  298.         if(dnbuf.length() > 0)
    299. 

  299.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_resource_basedn);
    300. 

  300. 

  301.         dnbuf.clear();
    302. 

  302.         cfg->getProp(".//@filesBasedn", dnbuf);
    303. 

  303.         if(dnbuf.length() > 0)
    304. 

  304.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_filescope_basedn);
    305. 

  305. 

  306.         dnbuf.clear();
    307. 

  307.         cfg->getProp(".//@workunitsBasedn", dnbuf);
    308. 

  308.         if(dnbuf.length() > 0)
    309. 

  309.             LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_workunitscope_basedn);
    310. 

  310.         
    311. 

  311.         if(m_resource_basedn.length() + m_filescope_basedn.length() + m_workunitscope_basedn.length() == 0)
    312. 

  312.         {
    313. 

  313.             throw MakeStringException(-1, "One of the following basedns need to be defined: modulesBasedn, resourcesBasedn, filesBasedn or workunitScopesBasedn.");
    314. 

  314.         }
    315. 

  315. 

  316.         dnbuf.clear();
    317. 

  317.         cfg->getProp(".//@sudoersBasedn", dnbuf);
    318. 

  318.         if(dnbuf.length() == 0)
    319. 

  319.             dnbuf.append("ou=SUDOers");
    320. 

  320.         LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_sudoers_basedn);
    321. 

  321. 

  322.         cfg->getProp(".//@templateName", m_template_name);
    323. 

  323.         cfg->getProp(".//@authMethod", m_authmethod);
    324. 

  324.         cfg->getProp(".//@ldapDomain", m_domain);
    325. 

  325.         if(m_domain.length() == 0)
    326. 

  326.         {
    327. 

  327.             const char* dptr = strchr(m_basedn.str(), '=');
    328. 

  328.             if(dptr != NULL)
    329. 

  329.             {
    330. 

  330.                 dptr++;
    331. 

  331.                 while(*dptr != 0 && *dptr != ',')
    332. 

  332.                 {
    333. 

  333.                     char c = *dptr++;
    334. 

  334.                     m_domain.append(c);
    335. 

  335.                 }
    336. 

  336.             }
    337. 

  337.         }
    338. 

  338. 

  339.         m_sysuser_specified = true;
    340. 

  340.         cfg->getProp(".//@systemUser", m_sysuser);
    341. 

  341.         if(m_sysuser.length() == 0)
    342. 

  342.         {
    343. 

  343.             m_sysuser_specified = false;
    344. 

  344.         }
    345. 

  345. 

  346.         cfg->getProp(".//@systemCommonName", m_sysuser_commonname);
    347. 

  347.         if(m_sysuser_specified && (m_sysuser_commonname.length() == 0))
    348. 

  348.         {
    349. 

  349.             throw MakeStringException(-1, "SystemUser commonname is empty");
    350. 

  350.         }
    351. 

  351. 

  352.         StringBuffer passbuf;
    353. 

  353.         cfg->getProp(".//@systemPassword", passbuf);
    354. 

  354.         decrypt(m_sysuser_password, passbuf.str());
    355. 

  355. 

  356.         StringBuffer sysuser_basedn;
    357. 

  357.         cfg->getProp(".//@systemBasedn", sysuser_basedn);
    358. 

  358. 

  359.         if(sysuser_basedn.length() == 0)
    360. 

  360.         {
    361. 

  361.             if(m_serverType == ACTIVE_DIRECTORY)
    362. 

  362.                 LdapUtils::normalizeDn( "cn=Users", m_basedn.str(), m_sysuser_basedn);
    363. 

  363.             else if(m_serverType == IPLANET)
    364. 

  364.                 m_sysuser_basedn.append("ou=administrators,ou=topologymanagement,o=netscaperoot");
    365. 

  365.             else if(m_serverType == OPEN_LDAP)
    366. 

  366.                 m_sysuser_basedn.append(m_basedn.str());
    367. 

  367.         }
    368. 

  368.         else
    369. 

  369.         {
    370. 

  370.             if(m_serverType == ACTIVE_DIRECTORY)
    371. 

  371.                 LdapUtils::normalizeDn(sysuser_basedn.str(), m_basedn.str(), m_sysuser_basedn);
    372. 

  372.             else
    373. 

  373.                 m_sysuser_basedn.append(sysuser_basedn.str());
    374. 

  374.         }
    375. 

  375. 

  376.         if(m_sysuser_specified)
    377. 

  377.         {
    378. 

  378.             if(m_serverType == IPLANET)
    379. 

  379.                 m_sysuser_dn.append("uid=").append(m_sysuser.str()).append(",").append(m_sysuser_basedn.str());
    380. 

  380.             else if(m_serverType == ACTIVE_DIRECTORY)
    381. 

  381.                 m_sysuser_dn.append("cn=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str());
    382. 

  382.             else if(m_serverType == OPEN_LDAP)
    383. 

  383.             {
    384. 

  384.                 if (0==strcmp("Directory Manager",m_sysuser_commonname.str()))
    385. 

  385.                     m_sysuser_dn.append("cn=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str());
    386. 

  386.                 else
    387. 

  387.                     m_sysuser_dn.append("uid=").append(m_sysuser_commonname.str()).append(",").append(m_sysuser_basedn.str()).append(",").append(m_basedn.str());
    388. 

  388.             }
    389. 

  389.         }
    390. 

  390. 

  391.         m_maxConnections = cfg->getPropInt(".//@maxConnections", DEFAULT_LDAP_POOL_SIZE);
    392. 

  392.         if(m_maxConnections <= 0)
    393. 

  393.             m_maxConnections = DEFAULT_LDAP_POOL_SIZE;
    394. 

  394. 

  395.         if(m_serverType == ACTIVE_DIRECTORY)
    396. 

  396.             m_sdfieldname.append("ntSecurityDescriptor");
    397. 

  397.         else if(m_serverType == IPLANET)
    398. 

  398.             m_sdfieldname.append("aci");
    399. 

  399.         else if(m_serverType == OPEN_LDAP)
    400. 

  400.             m_sdfieldname.append("aci");
    401. 

  401.     }
    402. 

  402. 

  403.     virtual LdapServerType getServerType()
    404. 

  404.     {
    405. 

  405.         return m_serverType;
    406. 

  406.     }
    407. 

  407. 

  408.     virtual const char * getCfgServerType() const
    409. 

  409.     {
    410. 

  410.         return m_cfgServerType.get();
    411. 

  411.     }
    412. 

  412. 

  413.     virtual const char* getSdFieldName()
    414. 

  414.     {
    415. 

  415.         return m_sdfieldname.str();
    416. 

  416.     }
    417. 

  417. 

  418.     virtual StringBuffer& getLdapHost(StringBuffer& hostbuf)
    419. 

  419.     {
    420. 

  420.         hostbuf.clear();
    421. 

  421.         try
    422. 

  422.         {
    423. 

  423.             hostbuf.append(m_ldaphosts->next());
    424. 

  424.         }
    425. 

  425.         catch(IException* e)
    426. 

  426.         {
    427. 

  427.             StringBuffer emsg;
    428. 

  428.             e->errorMessage(emsg);
    429. 

  429.             DBGLOG("getLdapHost exception - %s", emsg.str());
    430. 

  430.             e->Release();
    431. 

  431.         }
    432. 

  432.         catch(...)
    433. 

  433.         {
    434. 

  434.             DBGLOG("getLdapHost unknown exception");
    435. 

  435.         }
    436. 

  436. 

  437.         return hostbuf;
    438. 

  438.     }
    439. 

  439. 

  440.     virtual void markDown(const char* ldaphost)
    441. 

  441.     {
    442. 

  442.         //SocketEndpoint ep(ldaphost, 0);
    443. 

  443.         //m_ldaphosts->setStatus(ep, false);
    444. 

  444.     }
    445. 

  445. 

  446.     virtual int getLdapPort()
    447. 

  447.     {
    448. 

  448.         return m_ldapport;
    449. 

  449.     }
    450. 

  450. 

  451.     virtual int getLdapSecurePort()
    452. 

  452.     {
    453. 

  453.         return m_ldap_secure_port;
    454. 

  454.     }
    455. 

  455. 

  456.     virtual const char* getProtocol()
    457. 

  457.     {
    458. 

  458.         return m_protocol.str();
    459. 

  459.     }
    460. 

  460. 

  461. 

  462.     virtual const char* getBasedn()
    463. 

  463.     {
    464. 

  464.         return m_basedn.str();
    465. 

  465.     }
    466. 

  466. 

  467.     virtual const char* getDomain()
    468. 

  468.     {
    469. 

  469.         return m_domain.str();
    470. 

  470.     }
    471. 

  471. 

  472.     virtual const char* getAuthMethod()
    473. 

  473.     {
    474. 

  474.         return m_authmethod.str();
    475. 

  475.     }
    476. 

  476. 

  477.     virtual const char* getUserBasedn()
    478. 

  478.     {
    479. 

  479.         return m_user_basedn.str();
    480. 

  480.     }
    481. 

  481. 

  482.     virtual const char* getGroupBasedn()
    483. 

  483.     {
    484. 

  484.         return m_group_basedn.str();
    485. 

  485.     }
    486. 

  486. 

  487.     virtual const char* getResourceBasedn(SecResourceType rtype)
    488. 

  488.     {
    489. 

  489.         if(rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE)
    490. 

  490.             return m_resource_basedn.str();
    491. 

  491.         else if(rtype == RT_FILE_SCOPE)
    492. 

  492.             return m_filescope_basedn.str();
    493. 

  493.         else if(rtype == RT_WORKUNIT_SCOPE)
    494. 

  494.             return m_workunitscope_basedn.str();
    495. 

  495.         else if(rtype == RT_SUDOERS)
    496. 

  496.             return m_sudoers_basedn.str();
    497. 

  497.         else
    498. 

  498.             return m_resource_basedn.str();
    499. 

  499.     }
    500. 

  500. 

  501.     virtual const char* getTemplateName()
    502. 

  502.     {
    503. 

  503.         return m_template_name.str();
    504. 

  504.     }
    505. 

  505. 

  506.     virtual const char* getSysUser()
    507. 

  507.     {
    508. 

  508.         return m_sysuser.str();
    509. 

  509.     }
    510. 

  510. 

  511.     virtual const char* getSysUserDn()
    512. 

  512.     {
    513. 

  513.         return m_sysuser_dn.str();
    514. 

  514.     }
    515. 

  515. 

  516.     virtual const char* getSysUserCommonName()
    517. 

  517.     {
    518. 

  518.         return m_sysuser_commonname.str();
    519. 

  519.     }
    520. 

  520. 

  521.     virtual const char* getSysUserPassword()
    522. 

  522.     {
    523. 

  523.         return m_sysuser_password.str();
    524. 

  524.     }
    525. 

  525. 

  526.     virtual const char* getSysUserBasedn()
    527. 

  527.     {
    528. 

  528.         return m_sysuser_basedn.str();
    529. 

  529.     }
    530. 

  530. 

  531.     virtual bool sysuserSpecified()
    532. 

  532.     {
    533. 

  533.         return m_sysuser_specified;
    534. 

  534.     }
    535. 

  535. 

  536.     virtual int getMaxConnections()
    537. 

  537.     {
    538. 

  538.         return m_maxConnections;
    539. 

  539.     }
    540. 

  540. 

  541.     // For now, only sets default resourcebasedn, since it's only used by ESP services
    542. 

  542.     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
    543. 

  543.     {
    544. 

  544.         if(rbasedn == NULL || rbasedn[0] == '\0')
    545. 

  545.             return;
    546. 

  546. 

  547.         if(rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE)
    548. 

  548.         {
    549. 

  549.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_resource_basedn);
    550. 

  550.         }
    551. 

  551.         else if(rtype == RT_FILE_SCOPE)
    552. 

  552.         {
    553. 

  553.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_filescope_basedn);
    554. 

  554.         }
    555. 

  555.         else if(rtype == RT_WORKUNIT_SCOPE)
    556. 

  556.         {
    557. 

  557.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_workunitscope_basedn);
    558. 

  558.         }
    559. 

  559.         else
    560. 

  560.         {
    561. 

  561.             LdapUtils::normalizeDn(rbasedn, m_basedn.str(), m_resource_basedn);
    562. 

  562.         }
    563. 

  563.     }
    564. 

  564. 

  565.     virtual void getDefaultSysUserBasedn(StringBuffer& sysuser_basedn)
    566. 

  566.     {
    567. 

  567.         if(m_serverType == ACTIVE_DIRECTORY)
    568. 

  568.             LdapUtils::normalizeDn( "cn=Users", m_basedn.str(), sysuser_basedn);
    569. 

  569.         else if(m_serverType == IPLANET)
    570. 

  570.             sysuser_basedn.append("ou=administrators,ou=topologymanagement,o=netscaperoot");
    571. 

  571.     }
    572. 

  572. };
    573. 

  573. 

  574. 

  575. class CLdapConnection : public CInterface, implements ILdapConnection
    576. 

  576. {
    577. 

  577. private:
    578. 

  578.     LDAP                *m_ld;
    579. 

  579.     Owned<CLdapConfig>   m_ldapconfig;
    580. 

  580. 

  581.     time_t               m_lastaccesstime;
    582. 

  582.     bool                 m_connected;
    583. 

  583. 

  584. public:
    585. 

  585.     IMPLEMENT_IINTERFACE
    586. 

  586. 

  587.     CLdapConnection(CLdapConfig* ldapconfig)
    588. 

  588.     {
    589. 

  589.         m_ldapconfig.setown(LINK(ldapconfig));
    590. 

  590.         m_ld = NULL;
    591. 

  591.         m_connected = false;
    592. 

  592.         m_lastaccesstime = 0;
    593. 

  593.     }
    594. 

  594. 

  595.     ~CLdapConnection()
    596. 

  596.     {
    597. 

  597.         if(m_ld != NULL)
    598. 

  598.         {
    599. 

  599.             ldap_unbind(m_ld);
    600. 

  600.         }
    601. 

  601.     }
    602. 

  602. 

  603.     virtual int connect(const char* ldapserver, const char* protocol)
    604. 

  604.     {
    605. 

  605.         if(!ldapserver || *ldapserver == '\0')
    606. 

  606.             return -1;
    607. 

  607. 

  608.         m_ld = LdapUtils::LdapInit(protocol, ldapserver, m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    609. 

  609.         int rc = LDAP_SUCCESS;
    610. 

  610.         if(m_ldapconfig->sysuserSpecified())
    611. 

  611.             rc =  LdapUtils::LdapBind(m_ld, m_ldapconfig->getDomain(), m_ldapconfig->getSysUser(), m_ldapconfig->getSysUserPassword(), m_ldapconfig->getSysUserDn(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    612. 

  612.         else
    613. 

  613.             rc =  LdapUtils::LdapBind(m_ld, m_ldapconfig->getDomain(), NULL, NULL, NULL, m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    614. 

  614. 

  615.         if(rc == LDAP_SUCCESS)
    616. 

  616.         {
    617. 

  617.             time(&m_lastaccesstime);
    618. 

  618.             m_connected = true;
    619. 

  619.             const char * ldap = NULL;
    620. 

  620.             switch (m_ldapconfig->getServerType())
    621. 

  621.             {
    622. 

  622.             case ACTIVE_DIRECTORY:
    623. 

  623.                 ldap = "Active Directory";
    624. 

  624.                 break;
    625. 

  625.             case OPEN_LDAP:
    626. 

  626.                 ldap = "OpenLDAP";
    627. 

  627.                 break;
    628. 

  628.             case IPLANET:
    629. 

  629.                 ldap = "iplanet";
    630. 

  630.                 break;
    631. 

  631.             default:
    632. 

  632.                 ldap = "unknown";
    633. 

  633.                 break;
    634. 

  634.             }
    635. 

  635.             DBGLOG("Connected to '%s' LdapServer %s using protocol %s", ldap, ldapserver, protocol);
    636. 

  636.         }
    637. 

  637.         else
    638. 

  638.         {
    639. 

  639.             DBGLOG("LDAP: sysuser bind failed - %s", ldap_err2string(rc));
    640. 

  640.             ldap_unbind(m_ld);
    641. 

  641.             m_ld = NULL;
    642. 

  642.         }
    643. 

  643. 

  644.         return rc;
    645. 

  645.     }
    646. 

  646. 

  647.     virtual bool connect(bool force_ssl = false)
    648. 

  648.     {
    649. 

  649.         StringBuffer hostbuf;
    650. 

  650.         m_ldapconfig->getLdapHost(hostbuf);
    651. 

  651.         int rc = LDAP_SERVER_DOWN;
    652. 

  652.         const char* proto;
    653. 

  653.         if(force_ssl)
    654. 

  654.             proto = "ldaps";
    655. 

  655.         else
    656. 

  656.             proto = m_ldapconfig->getProtocol();
    657. 

  657.         
    658. 

  658.         for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    659. 

  659.         {
    660. 

  660.             rc = connect(hostbuf.str(), proto);
    661. 

  661.             if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    662. 

  662.                 break;
    663. 

  663.             sleep(LDAPSEC_RETRY_WAIT);
    664. 

  664.             if(retries < LDAPSEC_MAX_RETRIES)
    665. 

  665.                 DBGLOG("Server temporarily unreachable, retrying ...");
    666. 

  666.             // Retrying next ldap sever, might be the same server
    667. 

  667.             hostbuf.clear();
    668. 

  668.             m_ldapconfig->getLdapHost(hostbuf);
    669. 

  669.         }
    670. 

  670. 

  671.         if(rc == LDAP_SERVER_DOWN)
    672. 

  672.         {
    673. 

  673.             StringBuffer dc;
    674. 

  674.             LdapUtils::getDcName(m_ldapconfig->getDomain(), dc);
    675. 

  675.             if(dc.length() > 0)
    676. 

  676.             {
    677. 

  677.                 WARNLOG("Using automatically obtained LDAP Server %s", dc.str());
    678. 

  678.                 rc = connect(dc.str(), proto);
    679. 

  679.             }
    680. 

  680.         }
    681. 

  681.         if(rc == LDAP_SUCCESS)
    682. 

  682.             return true;
    683. 

  683.         else
    684. 

  684.             return false;
    685. 

  685.     }
    686. 

  686. 

  687.     virtual LDAP* getLd()
    688. 

  688.     {
    689. 

  689.         return m_ld;
    690. 

  690.     }
    691. 

  691. 

  692.     virtual bool validate()
    693. 

  693.     {
    694. 

  694.         time_t now;
    695. 

  695.         time(&now);
    696. 

  696. 

  697.         if(!m_connected)
    698. 

  698.             return connect();
    699. 

  699.         else if(now - m_lastaccesstime <= 300)
    700. 

  700.             return true;
    701. 

  701.         else
    702. 

  702.         {
    703. 

  703.             bool ok = false;
    704. 

  704.             LDAPMessage* msg = NULL;
    705. 

  705.             
    706. 

  706.             TIMEVAL timeOut = {LDAPTIMEOUT,0};
    707. 

  707.             int err = ldap_search_ext_s(m_ld, NULL, LDAP_SCOPE_BASE, "objectClass=*", NULL, 0, NULL, NULL, &timeOut, 1, &msg);
    708. 

  708. 

  709.             if(err == LDAP_SUCCESS)
    710. 

  710.             {
    711. 

  711.                 ok = true;
    712. 

  712.             }
    713. 

  713. 

  714.             if(msg != NULL)
    715. 

  715.                 ldap_msgfree(msg);
    716. 

  716.             
    717. 

  717.             if(!ok)
    718. 

  718.             {
    719. 

  719.                 if(m_ld != NULL)
    720. 

  720.                 {
    721. 

  721.                     ldap_unbind(m_ld);
    722. 

  722.                     m_ld = NULL;
    723. 

  723.                     m_connected = false;
    724. 

  724.                 }
    725. 

  725.                 DBGLOG("cached connection invalid, creating a new connection");
    726. 

  726.                 return connect();
    727. 

  727.             }
    728. 

  728.             else
    729. 

  729.             {
    730. 

  730.                 time(&m_lastaccesstime);
    731. 

  731.             }
    732. 

  732.         }
    733. 

  733. 

  734.         return true;
    735. 

  735.     }
    736. 

  736. };
    737. 

  737. 

  738. class CLdapConnectionPool : public CInterface, implements ILdapConnectionPool
    739. 

  739. {
    740. 

  740. private:
    741. 

  741.     int m_maxsize;
    742. 

  742.     int m_currentsize;
    743. 

  743.     IArrayOf<ILdapConnection> m_connections;
    744. 

  744.     Monitor m_monitor;
    745. 

  745.     Owned<CLdapConfig> m_ldapconfig;
    746. 

  746. 

  747. public:
    748. 

  748.     IMPLEMENT_IINTERFACE
    749. 

  749. 

  750.     CLdapConnectionPool(CLdapConfig* ldapconfig)
    751. 

  751.     {
    752. 

  752.         m_ldapconfig.setown(LINK(ldapconfig));
    753. 

  753.         m_maxsize = m_ldapconfig->getMaxConnections();
    754. 

  754.         m_currentsize = 0;
    755. 

  755.         // Set LDAP version to 3
    756. 

  756.         int version = LDAP_VERSION3;
    757. 

  757.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    758. 

  758.     }
    759. 

  759. 

  760.     virtual ILdapConnection* getConnection()
    761. 

  761.     {
    762. 

  762.         synchronized block(m_monitor);
    763. 

  763.         ForEachItemIn(x, m_connections)
    764. 

  764.         {
    765. 

  765.             CLdapConnection* curcon = (CLdapConnection*)&(m_connections.item(x));
    766. 

  766.             if(curcon != NULL && !curcon->IsShared())
    767. 

  767.             {
    768. 

  768.                 //PrintLog("Reusing an LDAP connection");
    769. 

  769.                 if(curcon->validate())
    770. 

  770.                     return LINK(curcon);
    771. 

  771.                 else
    772. 

  772.                     throw MakeStringException(-1, "Connecting/authenticating to ldap server in re-validation failed");
    773. 

  773.             }
    774. 

  774.         }
    775. 

  775. 

  776.         //PrintLog("Creating new connection");
    777. 

  777.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    778. 

  778.         if(newcon != NULL)
    779. 

  779.         {
    780. 

  780.             if(!newcon->connect())
    781. 

  781.             {
    782. 

  782.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server failed");
    783. 

  783.             }
    784. 

  784.             
    785. 

  785.             if(m_currentsize <= m_maxsize)
    786. 

  786.             {
    787. 

  787.                 m_connections.append(*newcon);
    788. 

  788.                 m_currentsize++;
    789. 

  789.                 return LINK(newcon);
    790. 

  790.             }
    791. 

  791.             else
    792. 

  792.             {
    793. 

  793.                 return newcon;
    794. 

  794.             }
    795. 

  795.         }
    796. 

  796.         else
    797. 

  797.         {
    798. 

  798.             throw MakeStringException(-1, "Failed to create new ldap connection");
    799. 

  799.         }
    800. 

  800.     }
    801. 

  801. 

  802.     virtual ILdapConnection* getSSLConnection()
    803. 

  803.     {
    804. 

  804.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    805. 

  805.         if(newcon != NULL)
    806. 

  806.         {
    807. 

  807.             if(!newcon->connect(true))
    808. 

  808.             {
    809. 

  809.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server via ldaps failed");
    810. 

  810.             }
    811. 

  811.             return newcon;
    812. 

  812.         }
    813. 

  813.         else
    814. 

  814.         {
    815. 

  815.             throw MakeStringException(-1, "Failed to create new ldap connection");
    816. 

  816.         }
    817. 

  817.     }
    818. 

  818. 

  819. };
    820. 

  820. 

  821. #define LDAP_CONNECTION_TIMEOUT INFINITE
    822. 

  822. 

  823. //------------ New Connection Pool Implementation ------------//
    824. 

  824. class CLdapConnectionManager : public CInterface, implements IResourceFactory<CLdapConnection>
    825. 

  825. {
    826. 

  826.     Owned<CLdapConfig>   m_ldapconfig;
    827. 

  827.     
    828. 

  828. public:
    829. 

  829.     IMPLEMENT_IINTERFACE;
    830. 

  830.     
    831. 

  831.     CLdapConnectionManager(CLdapConfig* ldapconfig)
    832. 

  832.     {
    833. 

  833.         m_ldapconfig.setown(LINK(ldapconfig));
    834. 

  834.     }
    835. 

  835. 

  836.     CLdapConnection* createResource()
    837. 

  837.     {
    838. 

  838.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    839. 

  839.         if(newcon != NULL)
    840. 

  840.         {
    841. 

  841.             if(!newcon->connect())
    842. 

  842.             {
    843. 

  843.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server failed");
    844. 

  844.             }
    845. 

  845.             
    846. 

  846.             return newcon;
    847. 

  847.         }
    848. 

  848.         else
    849. 

  849.         {
    850. 

  850.             throw MakeStringException(-1, "Failed to create new ldap connection");
    851. 

  851.         }
    852. 

  852.     }
    853. 

  853. };
    854. 

  854. 

  855. class CLdapConnectionPool2 : public CInterface, implements ILdapConnectionPool
    856. 

  856. {
    857. 

  857. private:
    858. 

  858.     int m_maxsize;
    859. 

  859.     Owned<CLdapConfig> m_ldapconfig;
    860. 

  860.     Owned<CResourcePool<CLdapConnection> > m_connections;
    861. 

  861. public:
    862. 

  862.     IMPLEMENT_IINTERFACE
    863. 

  863. 

  864.     CLdapConnectionPool2(CLdapConfig* ldapconfig)
    865. 

  865.     {
    866. 

  866.         m_ldapconfig.setown(LINK(ldapconfig));
    867. 

  867.         m_maxsize = m_ldapconfig->getMaxConnections();
    868. 

  868.         // Set LDAP version to 3
    869. 

  869.         int version = LDAP_VERSION3;
    870. 

  870.         ldap_set_option( NULL, LDAP_OPT_PROTOCOL_VERSION, &version);
    871. 

  871. 

  872.         m_connections.setown(new CResourcePool<CLdapConnection>);
    873. 

  873.         Owned<CLdapConnectionManager> poolMgr = new CLdapConnectionManager(ldapconfig);
    874. 

  874.         m_connections->init(m_maxsize, poolMgr.get());
    875. 

  875.     }
    876. 

  876. 

  877.     virtual ILdapConnection* getConnection()
    878. 

  878.     {
    879. 

  879.         Owned<CLdapConnection> con;
    880. 

  880.         try
    881. 

  881.         {
    882. 

  882.             con.setown(m_connections->get(LDAP_CONNECTION_TIMEOUT));
    883. 

  883.         }
    884. 

  884.         catch(IException* e)
    885. 

  885.         {
    886. 

  886.             StringBuffer emsg;
    887. 

  887.             e->errorMessage(emsg);
    888. 

  888.             DBGLOG("getConnection exception - %s", emsg.str());
    889. 

  889.             e->Release();
    890. 

  890.         }
    891. 

  891.         catch(...)
    892. 

  892.         {
    893. 

  893.             DBGLOG("getConnection unknown exception");
    894. 

  894.         }
    895. 

  895. 

  896.         if(con.get())
    897. 

  897.         {
    898. 

  898.             if(con->validate())
    899. 

  899.                 return con.getLink();
    900. 

  900.             else
    901. 

  901.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server in re-validation failed");
    902. 

  902.         }
    903. 

  903.         else
    904. 

  904.                 throw MakeStringException(-1, "Failed to get an LDAP Connection.");
    905. 

  905.     }
    906. 

  906. 

  907.     virtual ILdapConnection* getSSLConnection()
    908. 

  908.     {
    909. 

  909.         CLdapConnection* newcon = new CLdapConnection(m_ldapconfig.get());
    910. 

  910.         if(newcon != NULL)
    911. 

  911.         {
    912. 

  912.             if(!newcon->connect(true))
    913. 

  913.             {
    914. 

  914.                 throw MakeStringException(-1, "Connecting/authenticating to ldap server via ldaps failed");
    915. 

  915.             }
    916. 

  916.             return newcon;
    917. 

  917.         }
    918. 

  918.         else
    919. 

  919.         {
    920. 

  920.             throw MakeStringException(-1, "Failed to create new ldap connection");
    921. 

  921.         }
    922. 

  922.     }
    923. 

  923. };
    924. 

  924. 

  925. 

  926. struct ltstr
    927. 

  927. {
    928. 

  928.     bool operator()(const char* s1, const char* s2) const { return strcmp(s1, s2) < 0; }
    929. 

  929. };
    930. 

  930. 

  931. //--------------------------------------------
    932. 

  932. // This helper class ensures memory allocate by
    933. 

  933. // calls to ldap_get_values gets freed
    934. 

  934. //--------------------------------------------
    935. 

  935. class CLDAPGetValuesWrapper
    936. 

  936. {
    937. 

  937. private:
    938. 

  938.     char **values;
    939. 

  939. public:
    940. 

  940.     CLDAPGetValuesWrapper(LDAP *ld, LDAPMessage *msg, const char * attr)
    941. 

  941.     {
    942. 

  942. #ifdef _WIN32
    943. 

  943.         values = ldap_get_values(ld, msg, (const PCHAR)attr);
    944. 

  944. #else
    945. 

  945.         values = ldap_get_values(ld, msg, attr);
    946. 

  946. #endif
    947. 

  947.     }
    948. 

  948. 

  949.     ~CLDAPGetValuesWrapper()
    950. 

  950.     {
    951. 

  951.         if (values)
    952. 

  952.             ldap_value_free(values);
    953. 

  953.     }
    954. 

  954.     inline bool hasValues()     { return values != NULL  && *values != (char)NULL; }
    955. 

  955.     inline char **queryValues() { return values; }
    956. 

  956. };
    957. 

  957. 

  958. //--------------------------------------------
    959. 

  959. // This helper class ensures memory allocate by
    960. 

  960. // calls to ldap_get_values_len gets freed
    961. 

  961. //--------------------------------------------
    962. 

  962. class CLDAPGetValuesLenWrapper
    963. 

  963. {
    964. 

  964. private:
    965. 

  965.     struct berval** bvalues;
    966. 

  966. public:
    967. 

  967.     CLDAPGetValuesLenWrapper()
    968. 

  968.     {
    969. 

  969.         bvalues = NULL;
    970. 

  970.     }
    971. 

  971.     CLDAPGetValuesLenWrapper(LDAP *ld, LDAPMessage *msg, const char * attr)
    972. 

  972.     {
    973. 

  973.         bvalues = NULL;
    974. 

  974.         getValues(ld,msg,attr);
    975. 

  975.     }
    976. 

  976. 

  977.     ~CLDAPGetValuesLenWrapper()
    978. 

  978.     {
    979. 

  979.         if (bvalues)
    980. 

  980.             ldap_value_free_len(bvalues);
    981. 

  981.     }
    982. 

  982.     inline bool hasValues()         { return bvalues != NULL  && *bvalues != NULL; }
    983. 

  983.     inline berval **queryValues()   { return bvalues; }
    984. 

  984. 

  985.     //Delayed call to ldap_get_values_len
    986. 

  986.     void getValues(LDAP *ld, LDAPMessage *msg, const char * attr)
    987. 

  987.     {
    988. 

  988.         if (bvalues)
    989. 

  989.             ldap_value_free_len(bvalues);
    990. 

  990. #ifdef _WIN32
    991. 

  991.         bvalues = ldap_get_values_len(ld, msg, (const PCHAR)attr);
    992. 

  992. #else
    993. 

  993.         bvalues = ldap_get_values_len(ld, msg, attr);
    994. 

  994. #endif
    995. 

  995.     }
    996. 

  996. };
    997. 

  997. 

  998. 

  999. //--------------------------------------------
    1000. 

  1000. // This helper class ensures memory allocate by calls
    1001. 

  1001. // to ldap_first_attribute/ldap_next_attribute gets freed
    1002. 

  1002. //--------------------------------------------
    1003. 

  1003. class CLDAPGetAttributesWrapper
    1004. 

  1004. {
    1005. 

  1005. private:
    1006. 

  1006.         LDAP *          ld;
    1007. 

  1007.         LDAPMessage *   entry;
    1008. 

  1008.         BerElement *    elem;
    1009. 

  1009.         char *          attribute;
    1010. 

  1010. public:
    1011. 

  1011.     CLDAPGetAttributesWrapper(LDAP * _ld, LDAPMessage * _entry)
    1012. 

  1012.         : ld(_ld), entry(_entry)
    1013. 

  1013.     {
    1014. 

  1014.         elem = NULL;
    1015. 

  1015.         attribute = NULL;
    1016. 

  1016.     }
    1017. 

  1017. 

  1018.     ~CLDAPGetAttributesWrapper()
    1019. 

  1019.     {
    1020. 

  1020.         if (attribute)
    1021. 

  1021.             ldap_memfree(attribute);
    1022. 

  1022.         if (elem)
    1023. 

  1023.             ber_free(elem, 0);
    1024. 

  1024.     }
    1025. 

  1025. 

  1026.     inline char * getFirst()
    1027. 

  1027.     {
    1028. 

  1028.         return attribute = ldap_first_attribute(ld, entry, &elem);
    1029. 

  1029.     }
    1030. 

  1030. 

  1031.     inline char * getNext()
    1032. 

  1032.     {
    1033. 

  1033.         if (attribute)
    1034. 

  1034.             ldap_memfree(attribute);
    1035. 

  1035.         return attribute = ldap_next_attribute(ld, entry, elem);
    1036. 

  1036.     }
    1037. 

  1037. };
    1038. 

  1038. 

  1039. class CLDAPMessage
    1040. 

  1040. {
    1041. 

  1041. public:
    1042. 

  1042.     LDAPMessage *msg;
    1043. 

  1043.     CLDAPMessage()       { msg = NULL; }
    1044. 

  1044.     ~CLDAPMessage()      { ldapMsgFree(); }
    1045. 

  1045.     inline void ldapMsgFree()  { if (msg) { ldap_msgfree(msg); msg = NULL;} }
    1046. 

  1046.     inline operator LDAPMessage *() const { return msg; }
    1047. 

  1047. };
    1048. 

  1048. 

  1049. static CriticalSection  mpaCrit;
    1050. 

  1050. static __int64 getMaxPwdAge(Owned<ILdapConnectionPool> _conns, const char * _baseDN)
    1051. 

  1051. {
    1052. 

  1052.     static time_t   lastPwdAgeCheck = 0;
    1053. 

  1053.     static __int64  maxPwdAge = PWD_NEVER_EXPIRES;
    1054. 

  1054.     #define HOURLY  ((time_t)(60*60*1000))
    1055. 

  1055. 

  1056.     CriticalBlock block(mpaCrit);
    1057. 

  1057.     if (lastPwdAgeCheck != 0 && (((msTick() - lastPwdAgeCheck) < HOURLY)))//in case it was retrieved whilst this thread blocked
    1058. 

  1058.         return maxPwdAge;
    1059. 

  1059. 

  1060.     DBGLOG("Retrieving LDAP 'maxPwdAge'");
    1061. 

  1061.     char* attrs[] = {"maxPwdAge", NULL};
    1062. 

  1062.     CLDAPMessage searchResult;
    1063. 

  1063.     TIMEVAL timeOut = {LDAPTIMEOUT,0};
    1064. 

  1064.     Owned<ILdapConnection> lconn = _conns->getConnection();
    1065. 

  1065.     LDAP* sys_ld = ((CLdapConnection*)lconn.get())->getLd();
    1066. 

  1066.     int result = ldap_search_ext_s(sys_ld, (char*)_baseDN, LDAP_SCOPE_BASE, NULL,
    1067. 

  1067.         attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg);
    1068. 

  1068.     if(result != LDAP_SUCCESS)
    1069. 

  1069.     {
    1070. 

  1070.         DBGLOG("ldap_search_ext_s error: %s, when searching maxPwdAge", ldap_err2string( result ));
    1071. 

  1071.         return 0;
    1072. 

  1072.     }
    1073. 

  1073.     unsigned entries = ldap_count_entries(sys_ld, searchResult);
    1074. 

  1074.     if(entries == 0)
    1075. 

  1075.     {
    1076. 

  1076.         DBGLOG("ldap_search_ext_s error: Could not find maxPwdAge");
    1077. 

  1077.         return 0;
    1078. 

  1078.     }
    1079. 

  1079.     maxPwdAge = 0;
    1080. 

  1080.     CLDAPGetValuesWrapper vals(sys_ld, searchResult.msg, "maxPwdAge");
    1081. 

  1081.     if (vals.hasValues())
    1082. 

  1082.     {
    1083. 

  1083.         char *val = vals.queryValues()[0];
    1084. 

  1084.         if (*val == '-')
    1085. 

  1085.             ++val;
    1086. 

  1086.         for (int x=0; val[x]; x++)
    1087. 

  1087.             maxPwdAge = maxPwdAge * 10 + ( (int)val[x] - '0');
    1088. 

  1088.     }
    1089. 

  1089.     else
    1090. 

  1090.         maxPwdAge = PWD_NEVER_EXPIRES;
    1091. 

  1091.     lastPwdAgeCheck = msTick();
    1092. 

  1092.     return maxPwdAge;
    1093. 

  1093. }
    1094. 

  1094. 

  1095. class CLdapClient : public CInterface, implements ILdapClient
    1096. 

  1096. {
    1097. 

  1097. private:
    1098. 

  1098.     Owned<ILdapConnectionPool> m_connections;
    1099. 

  1099.     IPermissionProcessor* m_pp;     
    1100. 

  1100.     //int                  m_defaultFileScopePermission;
    1101. 

  1101.     //int                  m_defaultWorkunitScopePermission;
    1102. 

  1102.     Owned<CLdapConfig>   m_ldapconfig;
    1103. 

  1103.     StringBuffer         m_pwscheme;
    1104. 

  1104.     bool                 m_domainPwdsNeverExpire;//no domain policy for password expiration
    1105. 

  1105. 

  1106. public:
    1107. 

  1107.     IMPLEMENT_IINTERFACE
    1108. 

  1108. 

  1109.     CLdapClient(IPropertyTree* cfg)
    1110. 

  1110.     {
    1111. 

  1111.         m_ldapconfig.setown(new CLdapConfig(cfg));
    1112. 

  1112.         if(cfg && cfg->getPropBool("@useRealConnectionPool", false))
    1113. 

  1113.             m_connections.setown(new CLdapConnectionPool2(m_ldapconfig.get())); 
    1114. 

  1114.         else
    1115. 

  1115.             m_connections.setown(new CLdapConnectionPool(m_ldapconfig.get()));  
    1116. 

  1116.         m_pp = NULL;
    1117. 

  1117.         //m_defaultFileScopePermission = -2;
    1118. 

  1118.         //m_defaultWorkunitScopePermission = -2;
    1119. 

  1119.     }
    1120. 

  1120. 

  1121.     virtual void init(IPermissionProcessor* pp)
    1122. 

  1122.     {
    1123. 

  1123.         m_pp = pp;
    1124. 

  1124.         if(m_ldapconfig->getServerType() == OPEN_LDAP)
    1125. 

  1125.         {
    1126. 

  1126.             try
    1127. 

  1127.             {
    1128. 

  1128.                 addDC(m_ldapconfig->getBasedn());
    1129. 

  1129.             }
    1130. 

  1130.             catch(...)
    1131. 

  1131.             {
    1132. 

  1132.             }
    1133. 

  1133.             try
    1134. 

  1134.             {
    1135. 

  1135.                 addGroup("Directory Administrators", NULL, NULL, m_ldapconfig->getBasedn());
    1136. 

  1136.             }
    1137. 

  1137.             catch(...)
    1138. 

  1138.             {
    1139. 

  1139.             }
    1140. 

  1140.         }
    1141. 

  1141.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_DEFAULT), PT_DEFAULT);
    1142. 

  1142.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_DEFAULT);
    1143. 

  1143.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_DEFAULT);
    1144. 

  1144.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_DEFAULT);
    1145. 

  1145. 

  1146.         createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_DEFAULT);
    1147. 

  1147.         createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_DEFAULT);
    1148. 

  1148.     }
    1149. 

  1149. 

  1150.     virtual LdapServerType getServerType()
    1151. 

  1151.     {
    1152. 

  1152.         return m_ldapconfig->getServerType();
    1153. 

  1153.     }
    1154. 

  1154. 

  1155.     virtual ILdapConfig* getLdapConfig()
    1156. 

  1156.     {
    1157. 

  1157.         return m_ldapconfig.get();
    1158. 

  1158.     }
    1159. 

  1159. 

  1160.     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype)
    1161. 

  1161.     {
    1162. 

  1162.         m_ldapconfig->setResourceBasedn(rbasedn, rtype);
    1163. 

  1163.         createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(rtype), PT_DEFAULT);
    1164. 

  1164.     }
    1165. 

  1165. 

  1166.     void calcPWExpiry(CDateTime &dt, unsigned len, char * val)
    1167. 

  1167.     {
    1168. 

  1168.         __int64 time = 0;
    1169. 

  1169.         for (unsigned x=0; x < len; x++)
    1170. 

  1170.             time = time * 10 + ( (int)val[x] - '0');
    1171. 

  1171.         time += getMaxPwdAge(m_connections,(char*)m_ldapconfig->getBasedn() );
    1172. 

  1172.         dt.setFromFILETIME(time);
    1173. 

  1173.         dt.adjustTime(dt.queryUtcToLocalDelta());
    1174. 

  1174.     }
    1175. 

  1175. 

  1176.     virtual bool authenticate(ISecUser& user)
    1177. 

  1177.     {
    1178. 

  1178.         {
    1179. 

  1179.             char        *attribute;
    1180. 

  1180.             user.setAuthenticateStatus(AS_UNEXPECTED_ERROR);//assume the worst
    1181. 

  1181. 

  1182.             const char* username = user.getName();
    1183. 

  1183.             const char* password = user.credentials().getPassword();
    1184. 

  1184.             if(!username || !*username || !password || !*password)
    1185. 

  1185.                 return false;
    1186. 

  1186. 

  1187.             if (getMaxPwdAge(m_connections,(char*)m_ldapconfig->getBasedn()) != PWD_NEVER_EXPIRES)
    1188. 

  1188.                 m_domainPwdsNeverExpire = false;
    1189. 

  1189.             else
    1190. 

  1190.                 m_domainPwdsNeverExpire = true;
    1191. 

  1191. 

  1192.             const char* sysuser = m_ldapconfig->getSysUser();
    1193. 

  1193.             bool sysUser = false;
    1194. 

  1194.             if(sysuser && *sysuser && (strcmp(username, sysuser) == 0))
    1195. 

  1195.             {
    1196. 

  1196.                 if(strcmp(password, m_ldapconfig->getSysUserPassword()) == 0)
    1197. 

  1197.                 {
    1198. 

  1198.                     user.setFullName(m_ldapconfig->getSysUserCommonName());
    1199. 

  1199.                     user.setAuthenticateStatus(AS_AUTHENTICATED);
    1200. 

  1200.                     if (m_ldapconfig->getServerType() != ACTIVE_DIRECTORY)
    1201. 

  1201.                         return true;
    1202. 

  1202.                     sysUser = true;
    1203. 

  1203.                 }
    1204. 

  1204.                 else
    1205. 

  1205.                 {
    1206. 

  1206.                     user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1207. 

  1207.                     return false;
    1208. 

  1208.                 }
    1209. 

  1209.             }
    1210. 

  1210. 

  1211.             StringBuffer filter;
    1212. 

  1212.             // Retrieve user's dn with system connection
    1213. 

  1213.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1214. 

  1214.                 filter.append("sAMAccountName=");
    1215. 

  1215.             else
    1216. 

  1216.                 filter.append("uid=");
    1217. 

  1217.             filter.append(username);
    1218. 

  1218. 

  1219.             char* attrs[] = {"cn", "userAccountControl", "pwdLastSet", "givenName", "sn", NULL};
    1220. 

  1220. 

  1221.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    1222. 

  1222.             LDAP* sys_ld = ((CLdapConnection*)lconn.get())->getLd();
    1223. 

  1223.             CLDAPMessage searchResult;
    1224. 

  1224.             TIMEVAL timeOut = {LDAPTIMEOUT,0};
    1225. 

  1225.             int result = ldap_search_ext_s(sys_ld,
    1226. 

  1226.                             (char*)m_ldapconfig->getUserBasedn(), //distinguished name of the entry at which to start the search
    1227. 

  1227.                             LDAP_SCOPE_SUBTREE,
    1228. 

  1228.                             (char*)filter.str(), //search filter
    1229. 

  1229.                             attrs,
    1230. 

  1230.                             0, //attribute types and values are to be returned, nonzero if only types are required
    1231. 

  1231.                             NULL,
    1232. 

  1232.                             NULL,
    1233. 

  1233.                             &timeOut,
    1234. 

  1234.                             LDAP_NO_LIMIT,
    1235. 

  1235.                             &searchResult.msg);
    1236. 

  1236. 

  1237.             if(result != LDAP_SUCCESS)
    1238. 

  1238.             {
    1239. 

  1239.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( result ), filter.str(), m_ldapconfig->getUserBasedn());
    1240. 

  1240.                 return false;
    1241. 

  1241.             }
    1242. 

  1242. 

  1243.             unsigned entries = ldap_count_entries(sys_ld, searchResult);
    1244. 

  1244.             if(entries == 0)
    1245. 

  1245.             {
    1246. 

  1246.                 searchResult.ldapMsgFree();
    1247. 

  1247.                 TIMEVAL timeOut = {LDAPTIMEOUT,0};
    1248. 

  1248.                 result = ldap_search_ext_s(sys_ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg);
    1249. 

  1249.                 if(result != LDAP_SUCCESS)
    1250. 

  1250.                 {
    1251. 

  1251.                     DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( result ), filter.str(), m_ldapconfig->getSysUserBasedn());
    1252. 

  1252.                     user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1253. 

  1253.                     return false;
    1254. 

  1254.                 }
    1255. 

  1255. 

  1256.                 entries = ldap_count_entries(sys_ld, searchResult);
    1257. 

  1257.                 if(entries == 0)
    1258. 

  1258.                 {
    1259. 

  1259.                     DBGLOG("LDAP: User %s not found", username);
    1260. 

  1260.                     user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1261. 

  1261.                     return false;
    1262. 

  1262.                 }
    1263. 

  1263.             }
    1264. 

  1264. 

  1265.             LDAPMessage *entry = LdapFirstEntry(sys_ld, searchResult);
    1266. 

  1266.             if(entry == NULL)
    1267. 

  1267.             {
    1268. 

  1268.                 DBGLOG("LDAP: Can't find entry for user %s", username);
    1269. 

  1269.                 return false;
    1270. 

  1270.             }
    1271. 

  1271.             bool accountPwdNeverExpires = false;
    1272. 

  1272. 

  1273.             CLDAPGetAttributesWrapper   atts(sys_ld, searchResult);
    1274. 

  1274.             for ( attribute = atts.getFirst();
    1275. 

  1275.                   attribute != NULL;
    1276. 

  1276.                   attribute = atts.getNext())
    1277. 

  1277.             {
    1278. 

  1278.                 if(stricmp(attribute, "cn") == 0)
    1279. 

  1279.                 {
    1280. 

  1280.                     CLDAPGetValuesWrapper vals(sys_ld, entry, attribute);
    1281. 

  1281.                     if (vals.hasValues())
    1282. 

  1282.                         user.setFullName(vals.queryValues()[0]);
    1283. 

  1283.                 }
    1284. 

  1284.                 else if((stricmp(attribute, "givenName") == 0))
    1285. 

  1285.                 {
    1286. 

  1286.                     CLDAPGetValuesWrapper vals(sys_ld, entry, attribute);
    1287. 

  1287.                     if (vals.hasValues())
    1288. 

  1288.                         user.setFirstName(vals.queryValues()[0]);
    1289. 

  1289.                 }
    1290. 

  1290.                 else if((stricmp(attribute, "sn") == 0))
    1291. 

  1291.                 {
    1292. 

  1292.                     CLDAPGetValuesWrapper vals(sys_ld, entry, attribute);
    1293. 

  1293.                     if (vals.hasValues())
    1294. 

  1294.                         user.setLastName(vals.queryValues()[0]);
    1295. 

  1295.                 }
    1296. 

  1296.                 else if((stricmp(attribute, "userAccountControl") == 0))
    1297. 

  1297.                 {
    1298. 

  1298.                     //UF_DONT_EXPIRE_PASSWD 0x10000
    1299. 

  1299.                     CLDAPGetValuesWrapper vals(sys_ld, entry, attribute);
    1300. 

  1300.                     if (vals.hasValues())
    1301. 

  1301.                         if (atoi((char*)vals.queryValues()[0]) & 0x10000)//this can be true at the account level, even if domain policy requires password
    1302. 

  1302.                             accountPwdNeverExpires = true;
    1303. 

  1303.                 }
    1304. 

  1304.                 else if((stricmp(attribute, "pwdLastSet") == 0))
    1305. 

  1305.                 {
    1306. 

  1306.                     /*pwdLastSet is the date and time that the password for this account was last changed. This
    1307. 

  1307.                     value is stored as a large integer that represents the number of 100 nanosecond intervals
    1308. 

  1308.                     since January 1, 1601 (UTC), also known as a FILETIME value. If this value is set
    1309. 

  1309.                     to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD
    1310. 

  1310.                     flag, then the user must set the password at the next logon.
    1311. 

  1311.                     */
    1312. 

  1312.                     CLDAPGetValuesLenWrapper valsLen(sys_ld, entry, attribute);
    1313. 

  1313.                     if (valsLen.hasValues())
    1314. 

  1314.                     {
    1315. 

  1315.                         CDateTime expiry;
    1316. 

  1316.                         if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires)
    1317. 

  1317.                         {
    1318. 

  1318.                             struct berval* val = valsLen.queryValues()[0];
    1319. 

  1319.                             calcPWExpiry(expiry, (unsigned)val->bv_len, val->bv_val);
    1320. 

  1320.                         }
    1321. 

  1321.                         else
    1322. 

  1322.                         {
    1323. 

  1323.                             expiry.clear();
    1324. 

  1324.                             DBGLOG("LDAP: Password never expires for user %s", username);
    1325. 

  1325.                         }
    1326. 

  1326.                         user.setPasswordExpiration(expiry);
    1327. 

  1327.                     }
    1328. 

  1328.                 }
    1329. 

  1329.             }
    1330. 

  1330. 

  1331.             char *userdn = ldap_get_dn(sys_ld, entry);
    1332. 

  1332.             if(userdn == NULL || strlen(userdn) == 0)
    1333. 

  1333.             {
    1334. 

  1334.                 DBGLOG("LDAP: dn not found for user %s", username);
    1335. 

  1335.                 return false;
    1336. 

  1336.             }
    1337. 

  1337. 

  1338.             StringBuffer userdnbuf;
    1339. 

  1339.             userdnbuf.append(userdn);
    1340. 

  1340.             ldap_memfree(userdn);
    1341. 

  1341. 

  1342.             if (sysUser)
    1343. 

  1343.                 return true;//sysuser authenticated above
    1344. 

  1344. 

  1345.             StringBuffer hostbuf;
    1346. 

  1346.             m_ldapconfig->getLdapHost(hostbuf);
    1347. 

  1347.             int rc = LDAP_SERVER_DOWN;
    1348. 

  1348.             char *ldap_errstring=NULL;
    1349. 

  1349. 

  1350.             for(int retries = 0; retries <= LDAPSEC_MAX_RETRIES; retries++)
    1351. 

  1351.             {
    1352. 

  1352.                 DBGLOG("LdapBind for user %s (retries=%d).", username, retries);
    1353. 

  1353.                 {
    1354. 

  1354. #ifdef NULL_DALIUSER_STACKTRACE
    1355. 

  1355.                     //following debug code to be removed
    1356. 

  1356.                     if (!username)
    1357. 

  1357.                     {
    1358. 

  1358.                         DBGLOG("UNEXPECTED USER (NULL) in ldapconnection.cpp authenticate() line %d", __LINE__);
    1359. 

  1359.                         PrintStackReport();
    1360. 

  1360.                     }
    1361. 

  1361. #endif
    1362. 

  1362.                     LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    1363. 

  1363.                     rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    1364. 

  1364.                     if(rc != LDAP_SUCCESS)
    1365. 

  1365.                         ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
    1366. 

  1366.                     ldap_unbind(user_ld);
    1367. 

  1367.                 }
    1368. 

  1368.                 DBGLOG("finished LdapBind for user %s, rc=%d", username, rc);
    1369. 

  1369.                 if(!LdapServerDown(rc) || retries > LDAPSEC_MAX_RETRIES)
    1370. 

  1370.                     break;
    1371. 

  1371.                 sleep(LDAPSEC_RETRY_WAIT);
    1372. 

  1372.                 if(retries < LDAPSEC_MAX_RETRIES)
    1373. 

  1373.                     DBGLOG("Server temporarily unreachable, retrying ...");
    1374. 

  1374.                 // Retrying next ldap sever, might be the same server
    1375. 

  1375.                 hostbuf.clear();
    1376. 

  1376.                 m_ldapconfig->getLdapHost(hostbuf);
    1377. 

  1377.             }
    1378. 

  1378. 

  1379.             if(rc == LDAP_SERVER_DOWN)
    1380. 

  1380.             {
    1381. 

  1381.                 StringBuffer dc;
    1382. 

  1382.                 LdapUtils::getDcName(NULL, dc);
    1383. 

  1383.                 if(dc.length() > 0)
    1384. 

  1384.                 {
    1385. 

  1385.                     WARNLOG("Using automatically obtained LDAP Server %s", dc.str());
    1386. 

  1386.                     LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), dc.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    1387. 

  1387.                     rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getDomain(), username, password, userdnbuf.str(), m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    1388. 

  1388.                     if(rc != LDAP_SUCCESS)
    1389. 

  1389.                         ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
    1390. 

  1390.                     ldap_unbind(user_ld);
    1391. 

  1391.                 }
    1392. 

  1392.             }
    1393. 

  1393.             if(rc != LDAP_SUCCESS)
    1394. 

  1394.             {
    1395. 

  1395.                 if (ldap_errstring && *ldap_errstring && strstr(ldap_errstring, " data "))//if extended error strings are available (they are not in windows clients)
    1396. 

  1396.                 {
    1397. 

  1397. #ifdef _DEBUG
    1398. 

  1398.                     DBGLOG("LDAPBIND ERR: RC=%d, - '%s'", rc, ldap_errstring);
    1399. 

  1399. #endif
    1400. 

  1400.                     if (strstr(ldap_errstring, "data 532"))//80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db0.
    1401. 

  1401.                     {
    1402. 

  1402.                         DBGLOG("LDAP: Password Expired(1) for user %s", username);
    1403. 

  1403.                         user.setAuthenticateStatus(AS_PASSWORD_VALID_BUT_EXPIRED);
    1404. 

  1404.                     }
    1405. 

  1405.                     else if (strstr(ldap_errstring, "data 773"))//User must reset password "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1'
    1406. 

  1406.                     {
    1407. 

  1407.                         DBGLOG("LDAP: User %s Must Reset Password", username);
    1408. 

  1408.                         user.setAuthenticateStatus(AS_PASSWORD_VALID_BUT_EXPIRED);
    1409. 

  1409.                     }
    1410. 

  1410.                     else
    1411. 

  1411.                     {
    1412. 

  1412.                         DBGLOG("LDAP: Authentication(1) for user %s failed - %s", username, ldap_err2string(rc));
    1413. 

  1413.                         user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1414. 

  1414.                     }
    1415. 

  1415.                 }
    1416. 

  1416.                 else
    1417. 

  1417.                 {
    1418. 

  1418.                     //This path is typical if running ESP on Windows. We have no way
    1419. 

  1419.                     //to determine if password entered is valid but expired
    1420. 

  1420.                     if (user.getPasswordDaysRemaining() == scPasswordExpired)
    1421. 

  1421.                     {
    1422. 

  1422.                         DBGLOG("LDAP: Password Expired(2) for user %s", username);
    1423. 

  1423.                         user.setAuthenticateStatus(AS_PASSWORD_EXPIRED);
    1424. 

  1424.                     }
    1425. 

  1425.                     else
    1426. 

  1426.                     {
    1427. 

  1427.                         DBGLOG("LDAP: Authentication(2) for user %s failed - %s", username, ldap_err2string(rc));
    1428. 

  1428.                         user.setAuthenticateStatus(AS_INVALID_CREDENTIALS);
    1429. 

  1429.                     }
    1430. 

  1430.                 }
    1431. 

  1431.                 return false;
    1432. 

  1432.             }
    1433. 

  1433.             user.setAuthenticateStatus(AS_AUTHENTICATED);
    1434. 

  1434.         }
    1435. 

  1435.         //Always retrieve user info(SID, UID, fullname, etc) for Active Directory, when the user first logs in.
    1436. 

  1436.         if((m_ldapconfig->getServerType() == ACTIVE_DIRECTORY) && (m_pp != NULL))
    1437. 

  1437.             m_pp->retrieveUserInfo(user);
    1438. 

  1438. 

  1439.         return true;
    1440. 

  1440.     };
    1441. 

  1441. 

  1442.     virtual bool authorize(SecResourceType rtype, ISecUser& user, IArrayOf<ISecResource>& resources)
    1443. 

  1443.     {
    1444. 

  1444.         bool ok = false;
    1445. 

  1445.         const char* basedn = m_ldapconfig->getResourceBasedn(rtype);
    1446. 

  1446.         if(basedn == NULL || *basedn == '\0')
    1447. 

  1447.         {
    1448. 

  1448.             DBGLOG("corresponding basedn is not defined for authorize");
    1449. 

  1449.             return false;
    1450. 

  1450.         }
    1451. 

  1451. 

  1452.         const char* username = user.getName();
    1453. 

  1453.         if(!username || !*username)
    1454. 

  1454.             return false;
    1455. 

  1455. 

  1456.         const char* sysuser = m_ldapconfig->getSysUser();
    1457. 

  1457.         if(sysuser && *sysuser && (strcmp(username, sysuser) == 0))
    1458. 

  1458.         {
    1459. 

  1459.             ForEachItemIn(x, resources)
    1460. 

  1460.             {
    1461. 

  1461.                 ISecResource* res = &resources.item(x);
    1462. 

  1462.                 if(!res)
    1463. 

  1463.                     continue;
    1464. 

  1464.                 if(rtype == RT_MODULE)
    1465. 

  1465.                 {
    1466. 

  1466.                     StringBuffer filter;
    1467. 

  1467.                     if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1468. 

  1468.                         filter.append("name=");
    1469. 

  1469.                     else
    1470. 

  1470.                         filter.append("ou=");
    1471. 

  1471.                     filter.append(res->getName());
    1472. 

  1472.                     int count = countEntries(m_ldapconfig->getResourceBasedn(rtype), (char*)filter.str(), 10);
    1473. 

  1473.                     if(count != 0)
    1474. 

  1474.                         res->setAccessFlags(SecAccess_Full);
    1475. 

  1475.                     else
    1476. 

  1476.                         res->setAccessFlags(-1);
    1477. 

  1477.                 }
    1478. 

  1478.                 else
    1479. 

  1479.                     res->setAccessFlags(SecAccess_Full);
    1480. 

  1480.             }
    1481. 

  1481.             return true;
    1482. 

  1482.         }
    1483. 

  1483. 

  1484.         if(rtype == RT_FILE_SCOPE)
    1485. 

  1485.         {
    1486. 

  1486.             int defaultFileScopePermission = queryDefaultPermission(user);
    1487. 

  1487.             IArrayOf<ISecResource> non_emptylist;
    1488. 

  1488.             ForEachItemIn(x, resources)
    1489. 

  1489.             {
    1490. 

  1490.                 ISecResource& res = resources.item(x);
    1491. 

  1491.                 const char* res_name = res.getName();
    1492. 

  1492.                 if(res_name == NULL || *res_name == '\0')
    1493. 

  1493.                     res.setAccessFlags(defaultFileScopePermission); //res.setAccessFlags(m_defaultFileScopePermission);
    1494. 

  1494.                 else 
    1495. 

  1495.                     non_emptylist.append(*LINK(&res));
    1496. 

  1496.             }
    1497. 

  1497. 

  1498.             ok = authorizeScope(user, non_emptylist, basedn);
    1499. 

  1499.             //if(ok && m_defaultFileScopePermission != -2)
    1500. 

  1500.             if(ok && defaultFileScopePermission != -2)
    1501. 

  1501.             {
    1502. 

  1502.                 ForEachItemIn(x, non_emptylist)
    1503. 

  1503.                 {
    1504. 

  1504.                     ISecResource& res = non_emptylist.item(x);
    1505. 

  1505.                     if(res.getAccessFlags() == -1)
    1506. 

  1506.                         res.setAccessFlags(defaultFileScopePermission); //res.setAccessFlags(m_defaultFileScopePermission);
    1507. 

  1507.                 }
    1508. 

  1508.             }
    1509. 

  1509. 

  1510.             return ok;
    1511. 

  1511.         }
    1512. 

  1512.         else if(rtype == RT_WORKUNIT_SCOPE)
    1513. 

  1513.         {
    1514. 

  1514.             int defaultWorkunitScopePermission = -2;
    1515. 

  1515.             //if(m_defaultWorkunitScopePermission == -2)
    1516. 

  1516.             {
    1517. 

  1517.                 const char* basebasedn = strchr(basedn, ',') + 1;
    1518. 

  1518.                 StringBuffer baseresource;
    1519. 

  1519.                 baseresource.append(basebasedn-basedn-4, basedn+3);
    1520. 

  1520.                 IArrayOf<ISecResource> base_resources;
    1521. 

  1521.                 base_resources.append(*(new CLdapSecResource(baseresource.str())));
    1522. 

  1522.                 bool baseok = authorizeScope(user, base_resources, basebasedn);
    1523. 

  1523.                 if(baseok)
    1524. 

  1524.                 {
    1525. 

  1525.                     defaultWorkunitScopePermission = base_resources.item(0).getAccessFlags();
    1526. 

  1526.                 }
    1527. 

  1527.             }
    1528. 

  1528.             IArrayOf<ISecResource> non_emptylist;
    1529. 

  1529.             ForEachItemIn(x, resources)
    1530. 

  1530.             {
    1531. 

  1531.                 ISecResource& res = resources.item(x);
    1532. 

  1532.                 const char* res_name = res.getName();
    1533. 

  1533.                 if(res_name == NULL || *res_name == '\0')
    1534. 

  1534.                     res.setAccessFlags(defaultWorkunitScopePermission);
    1535. 

  1535.                 else 
    1536. 

  1536.                     non_emptylist.append(*LINK(&res));
    1537. 

  1537.             }
    1538. 

  1538.             ok = authorizeScope(user, non_emptylist, basedn);
    1539. 

  1539.             if(ok && defaultWorkunitScopePermission != -2)
    1540. 

  1540.             {
    1541. 

  1541.                 ForEachItemIn(x, non_emptylist)
    1542. 

  1542.                 {
    1543. 

  1543.                     ISecResource& res = non_emptylist.item(x);
    1544. 

  1544.                     if(res.getAccessFlags() == -1)
    1545. 

  1545.                         res.setAccessFlags(defaultWorkunitScopePermission);
    1546. 

  1546.                 }
    1547. 

  1547.             }
    1548. 

  1548. 

  1549.             return ok;
    1550. 

  1550.         }
    1551. 

  1551.         else
    1552. 

  1552.         {
    1553. 

  1553.             IArrayOf<CSecurityDescriptor> sdlist;
    1554. 

  1554.             ForEachItemIn(x, resources)
    1555. 

  1555.             {
    1556. 

  1556.                 ISecResource& res = resources.item(x);
    1557. 

  1557.                 const char* resourcename = res.getName();
    1558. 

  1558.                 CSecurityDescriptor* sd = new CSecurityDescriptor(resourcename);
    1559. 

  1559.                 sdlist.append(*sd);
    1560. 

  1560.             }
    1561. 

  1561. 

  1562.             getSecurityDescriptors(rtype, sdlist);
    1563. 

  1563.             if(m_pp != NULL)
    1564. 

  1564.                 ok = m_pp->getPermissions(user, sdlist, resources);
    1565. 

  1565.             return ok;
    1566. 

  1566.         }
    1567. 

  1567.     }
    1568. 

  1568. 

  1569.     // Returns true if all resources are correctly added, otherwise returns false.
    1570. 

  1570.     virtual bool addResources(SecResourceType rtype, ISecUser& user, IArrayOf<ISecResource>& resources, SecPermissionType ptype, const char* basedn)
    1571. 

  1571.     {
    1572. 

  1572.         bool ret = true;
    1573. 

  1573. 

  1574.         for(unsigned i = 0; i < resources.length(); i++)
    1575. 

  1575.         {
    1576. 

  1576.             ISecResource* resource = &resources.item(i);
    1577. 

  1577.             if(resource != NULL)
    1578. 

  1578.             {
    1579. 

  1579.                 bool oneret = addResource(rtype, user, resource, ptype, basedn);
    1580. 

  1580.                 ret = ret && oneret; 
    1581. 

  1581.             }
    1582. 

  1582.         }
    1583. 

  1583. 

  1584.         return ret;
    1585. 

  1585.     }
    1586. 

  1586. 

  1587.     virtual bool getUserInfo(ISecUser& user, const char* infotype)
    1588. 

  1588.     {
    1589. 

  1589.         char        *attribute;
    1590. 

  1590.         LDAPMessage *message;
    1591. 

  1591. 

  1592.         const char* username = user.getName();
    1593. 

  1593. 

  1594.         if(username == NULL || strlen(username) == 0)
    1595. 

  1595.         {
    1596. 

  1596.             DBGLOG("LDAP: getUserInfo : username is empty");
    1597. 

  1597.             return false;
    1598. 

  1598.         }
    1599. 

  1599.         
    1600. 

  1600.         if(infotype && stricmp(infotype, "sudoers") == 0)
    1601. 

  1601.         {
    1602. 

  1602.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    1603. 

  1603. 

  1604.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    1605. 

  1605.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    1606. 

  1606.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1607. 

  1607. 

  1608.             StringBuffer filter("sudoUser=");
    1609. 

  1609.             filter.append(username);
    1610. 

  1610.             char  *attrs[] = {"sudoHost", "sudoCommand", "sudoOption", NULL};
    1611. 

  1611.             const char* basedn = m_ldapconfig->getResourceBasedn(RT_SUDOERS);
    1612. 

  1612.             CLDAPMessage searchResult;
    1613. 

  1613.             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg);
    1614. 

  1614. 

  1615.             if ( rc != LDAP_SUCCESS )
    1616. 

  1616.             {
    1617. 

  1617.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    1618. 

  1618.                 ldapuser->setSudoersEnabled(false);
    1619. 

  1619.                 ldapuser->setInSudoers(false);
    1620. 

  1620.                 return false;
    1621. 

  1621.             }
    1622. 

  1622.             
    1623. 

  1623.             ldapuser->setSudoersEnabled(true);
    1624. 

  1624. 

  1625.             unsigned entries = ldap_count_entries(ld, searchResult);
    1626. 

  1626.             if(entries == 0)
    1627. 

  1627.             {
    1628. 

  1628.                 ldapuser->setInSudoers(false);
    1629. 

  1629.                 return true;
    1630. 

  1630.             }
    1631. 

  1631. 

  1632.             message = LdapFirstEntry(ld, searchResult);
    1633. 

  1633.             if(message == NULL)
    1634. 

  1634.             {
    1635. 

  1635.                 ldapuser->setInSudoers(false);
    1636. 

  1636.                 return true;
    1637. 

  1637.             }
    1638. 

  1638. 

  1639.             ldapuser->setInSudoers(true);
    1640. 

  1640.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    1641. 

  1641.             for ( attribute = atts.getFirst();
    1642. 

  1642.                   attribute != NULL;
    1643. 

  1643.                   attribute = atts.getNext())
    1644. 

  1644.             {
    1645. 

  1645.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    1646. 

  1646.                 if (vals.hasValues())
    1647. 

  1647.                 {
    1648. 

  1648.                     if(stricmp(attribute, "sudoHost") == 0)
    1649. 

  1649.                         ldapuser->setSudoHost(vals.queryValues()[0]);
    1650. 

  1650.                     else if(stricmp(attribute, "sudoCommand") == 0)
    1651. 

  1651.                         ldapuser->setSudoCommand(vals.queryValues()[0]);
    1652. 

  1652.                     else if(stricmp(attribute, "sudoOption") == 0)
    1653. 

  1653.                         ldapuser->setSudoOption(vals.queryValues()[0]);
    1654. 

  1654.                 }
    1655. 

  1655.             }
    1656. 

  1656.             return true;
    1657. 

  1657.         }
    1658. 

  1658.         else
    1659. 

  1659.         {
    1660. 

  1660.             StringBuffer filter;
    1661. 

  1661.             const char* basedn = m_ldapconfig->getUserBasedn();
    1662. 

  1662.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1663. 

  1663.             {
    1664. 

  1664.                 filter.append("sAMAccountName=");
    1665. 

  1665.             }
    1666. 

  1666.             else
    1667. 

  1667.             {
    1668. 

  1668.                 filter.append("uid=");
    1669. 

  1669.                 if(stricmp(username, m_ldapconfig->getSysUser()) == 0)
    1670. 

  1670.                     basedn = m_ldapconfig->getSysUserBasedn();
    1671. 

  1671.             }
    1672. 

  1672. 

  1673.             filter.append(user.getName());
    1674. 

  1674. 

  1675.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    1676. 

  1676.             
    1677. 

  1677.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    1678. 

  1678.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1679. 

  1679. 

  1680.             char        *attrs[] = {"cn", "givenName", "sn", "gidnumber", "uidnumber", "homedirectory", "loginshell", "objectClass", NULL};
    1681. 

  1681.             CLDAPMessage searchResult;
    1682. 

  1682.             int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
    1683. 

  1683. 

  1684.             if ( rc != LDAP_SUCCESS )
    1685. 

  1685.             {
    1686. 

  1686.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    1687. 

  1687.                 return false;
    1688. 

  1688.             }
    1689. 

  1689. 

  1690.             ((CLdapSecUser*)&user)->setPosixenabled(false);
    1691. 

  1691.             // Go through the search results by checking message types
    1692. 

  1692.             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    1693. 

  1693.             {
    1694. 

  1694.                 CLDAPGetAttributesWrapper   atts(ld, searchResult);
    1695. 

  1695.                 for ( attribute = atts.getFirst();
    1696. 

  1696.                       attribute != NULL;
    1697. 

  1697.                       attribute = atts.getNext())
    1698. 

  1698.                 {
    1699. 

  1699.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    1700. 

  1700.                     if (vals.hasValues())
    1701. 

  1701.                     {
    1702. 

  1702.                         if(stricmp(attribute, "cn") == 0)
    1703. 

  1703.                             user.setFullName(vals.queryValues()[0]);
    1704. 

  1704.                         else if(stricmp(attribute, "givenName") == 0)
    1705. 

  1705.                             user.setFirstName(vals.queryValues()[0]);
    1706. 

  1706.                         else if(stricmp(attribute, "sn") == 0)
    1707. 

  1707.                             user.setLastName(vals.queryValues()[0]);
    1708. 

  1708.                         else if(stricmp(attribute, "gidnumber") == 0)
    1709. 

  1709.                             ((CLdapSecUser*)&user)->setGidnumber(vals.queryValues()[0]);
    1710. 

  1710.                         else if(stricmp(attribute, "uidnumber") == 0)
    1711. 

  1711.                             ((CLdapSecUser*)&user)->setUidnumber(vals.queryValues()[0]);
    1712. 

  1712.                         else if(stricmp(attribute, "homedirectory") == 0)
    1713. 

  1713.                             ((CLdapSecUser*)&user)->setHomedirectory(vals.queryValues()[0]);
    1714. 

  1714.                         else if(stricmp(attribute, "loginshell") == 0)
    1715. 

  1715.                             ((CLdapSecUser*)&user)->setLoginshell(vals.queryValues()[0]);
    1716. 

  1716.                         else if(stricmp(attribute, "objectClass") == 0)
    1717. 

  1717.                         {
    1718. 

  1718.                             int valind = 0;
    1719. 

  1719.                             char ** values = vals.queryValues();
    1720. 

  1720.                             while(values[valind])
    1721. 

  1721.                             {
    1722. 

  1722.                                 if(values[valind] && stricmp(values[valind], "posixAccount") == 0)
    1723. 

  1723.                                 {
    1724. 

  1724.                                     ((CLdapSecUser*)&user)->setPosixenabled(true);
    1725. 

  1725.                                     break;
    1726. 

  1726.                                 }
    1727. 

  1727.                                 valind++;
    1728. 

  1728.                             }
    1729. 

  1729.                         }
    1730. 

  1730.                     }
    1731. 

  1731.                 }
    1732. 

  1732.             }
    1733. 

  1733.             return true;
    1734. 

  1734.         }
    1735. 

  1735.     }
    1736. 

  1736. 

  1737.     ISecUser* lookupUser(unsigned uid)
    1738. 

  1738.     {
    1739. 

  1739.         StringBuffer sysuser;
    1740. 

  1740.         sysuser.append(m_ldapconfig->getSysUser());
    1741. 

  1741.         if(sysuser.length() == 0)
    1742. 

  1742.         {
    1743. 

  1743. #ifdef _WIN32
    1744. 

  1744.             char uname[128];
    1745. 

  1745.             unsigned long len = 128;
    1746. 

  1746.             int rc = GetUserName(uname, &len);
    1747. 

  1747.             if(rc != 0)
    1748. 

  1748.                 sysuser.append(len, uname);
    1749. 

  1749.             else
    1750. 

  1750.                 throw MakeStringException(-1, "Error getting current user's username, error code = %d", rc);
    1751. 

  1751. #else
    1752. 

  1752.             throw MakeStringException(-1, "systemUser not found in config");
    1753. 

  1753. #endif
    1754. 

  1754.         }
    1755. 

  1755.         
    1756. 

  1756.         MemoryBuffer usersidbuf;
    1757. 

  1757.         StringBuffer usersidstr;
    1758. 

  1758. 

  1759.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1760. 

  1760.         {
    1761. 

  1761.             if(m_pp != NULL)
    1762. 

  1762.                 m_pp->lookupSid(sysuser.str(), usersidbuf);
    1763. 

  1763.             if(usersidbuf.length() == 0)
    1764. 

  1764.             {
    1765. 

  1765.                 throw MakeStringException(-1, "system user %s's SID not found", sysuser.str());
    1766. 

  1766.             }
    1767. 

  1767. 

  1768.             int sidlen = usersidbuf.length();
    1769. 

  1769.             char* uidbuf = (char*)&uid;
    1770. 

  1770.             for(int i = 0; i < 4; i++)
    1771. 

  1771.             {
    1772. 

  1772.                 usersidbuf.writeDirect(sidlen -4 + i, 1, (uidbuf + 3 - i));
    1773. 

  1773.             }
    1774. 

  1774.             LdapUtils::bin2str(usersidbuf, usersidstr);
    1775. 

  1775.         }
    1776. 

  1776.         else
    1777. 

  1777.         {
    1778. 

  1778.             usersidbuf.append(uid);
    1779. 

  1779.         }
    1780. 

  1780. 

  1781.         char        *attribute;
    1782. 

  1782.         LDAPMessage *message;
    1783. 

  1783. 

  1784.         StringBuffer filter;
    1785. 

  1785.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1786. 

  1786.         {
    1787. 

  1787.             filter.append("objectSid=").append(usersidstr.str());
    1788. 

  1788.         }
    1789. 

  1789.         else
    1790. 

  1790.         {
    1791. 

  1791.             filter.appendf("entryid=%d", uid);
    1792. 

  1792.         }
    1793. 

  1793. 

  1794.         TIMEVAL timeOut = {LDAPTIMEOUT,0}; 
    1795. 

  1795. 

  1796.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1797. 

  1797.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1798. 

  1798. 

  1799.         char* act_fieldname;
    1800. 

  1800.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1801. 

  1801.         {
    1802. 

  1802.             act_fieldname = "sAMAccountName";
    1803. 

  1803.         }
    1804. 

  1804.         else
    1805. 

  1805.         {
    1806. 

  1806.             act_fieldname = "uid";
    1807. 

  1807.         }
    1808. 

  1808.             
    1809. 

  1809.         char        *attrs[] = {"cn", act_fieldname, NULL};
    1810. 

  1810.         CLDAPMessage searchResult;
    1811. 

  1811.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    1812. 

  1812. 

  1813.         if ( rc != LDAP_SUCCESS )
    1814. 

  1814.         {
    1815. 

  1815.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    1816. 

  1816.             return NULL;
    1817. 

  1817.         }
    1818. 

  1818. 

  1819.         if(ldap_count_entries(ld, searchResult) < 1)
    1820. 

  1820.         {
    1821. 

  1821.             DBGLOG("No entries are found for user with uid %0X", uid);
    1822. 

  1822.             return NULL;
    1823. 

  1823.         }
    1824. 

  1824. 

  1825.         CLdapSecUser* ldapuser = new CLdapSecUser("", "");
    1826. 

  1826. 

  1827.         // Go through the search results by checking message types
    1828. 

  1828.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    1829. 

  1829.         {
    1830. 

  1830.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    1831. 

  1831.             for ( attribute = atts.getFirst();
    1832. 

  1832.                   attribute != NULL;
    1833. 

  1833.                   attribute = atts.getNext())
    1834. 

  1834.             {
    1835. 

  1835.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    1836. 

  1836.                 if (vals.hasValues())
    1837. 

  1837.                 {
    1838. 

  1838.                     if(stricmp(attribute, "cn") == 0)
    1839. 

  1839.                         ldapuser->setFullName(vals.queryValues()[0]);
    1840. 

  1840.                     else if(stricmp(attribute, act_fieldname) == 0)
    1841. 

  1841.                         ldapuser->setName(vals.queryValues()[0]);
    1842. 

  1842.                 }
    1843. 

  1843.             }
    1844. 

  1844.         }
    1845. 

  1845. 

  1846.         ldapuser->setUserID(uid);
    1847. 

  1847.         ldapuser->setUserSid(usersidbuf.length(), usersidbuf.toByteArray());
    1848. 

  1848.         
    1849. 

  1849.         // Since we've got the SID for the user, cache it for later uses.
    1850. 

  1850.         MemoryBuffer mb;
    1851. 

  1851.         if(m_pp != NULL)
    1852. 

  1852.             m_pp->getCachedSid(ldapuser->getName(), mb);
    1853. 

  1853.         if(mb.length() == 0)
    1854. 

  1854.         {
    1855. 

  1855.             m_pp->cacheSid(ldapuser->getName(), usersidbuf.length(), usersidbuf.toByteArray());
    1856. 

  1856.         }
    1857. 

  1857. 

  1858.         return ldapuser;
    1859. 

  1859.     }
    1860. 

  1860. 

  1861.     bool lookupAccount(MemoryBuffer& sidbuf, StringBuffer& account_name, ACT_TYPE& act_type)
    1862. 

  1862.     {
    1863. 

  1863.         char        *attribute;
    1864. 

  1864.         LDAPMessage *message;
    1865. 

  1865. 

  1866.         char* act_fieldname;
    1867. 

  1867. 

  1868.         StringBuffer filter;
    1869. 

  1869.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1870. 

  1870.         {
    1871. 

  1871.             act_fieldname = "sAMAccountName";
    1872. 

  1872.             StringBuffer usersidstr;
    1873. 

  1873.             LdapUtils::bin2str(sidbuf, usersidstr);
    1874. 

  1874.             filter.append("objectSid=").append(usersidstr.str());
    1875. 

  1875.         }
    1876. 

  1876.         else
    1877. 

  1877.         {
    1878. 

  1878.             unsigned* uid = (unsigned*)sidbuf.toByteArray();
    1879. 

  1879.             filter.appendf("entryid=%d", *uid);
    1880. 

  1880.             act_fieldname = "uid";
    1881. 

  1881.         }
    1882. 

  1882. 

  1883.         TIMEVAL timeOut = {LDAPTIMEOUT,0}; 
    1884. 

  1884. 

  1885.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1886. 

  1886.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1887. 

  1887.         
    1888. 

  1888.         char  *attrs[] = {"cn", act_fieldname, "objectClass", NULL};
    1889. 

  1889.         CLDAPMessage searchResult;
    1890. 

  1890.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    1891. 

  1891. 

  1892.         if ( rc != LDAP_SUCCESS )
    1893. 

  1893.         {
    1894. 

  1894.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    1895. 

  1895.             return false;
    1896. 

  1896.         }
    1897. 

  1897. 

  1898.         if(ldap_count_entries(ld, searchResult) < 1)
    1899. 

  1899.         {
    1900. 

  1900.             searchResult.ldapMsgFree();
    1901. 

  1901.             rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getGroupBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
    1902. 

  1902.             if(ldap_count_entries(ld, searchResult) < 1)
    1903. 

  1903.             {
    1904. 

  1904.                 searchResult.ldapMsgFree();
    1905. 

  1905.                 rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    1906. 

  1906.                 //DBGLOG("No entries are found");
    1907. 

  1907.                 return false;
    1908. 

  1908.             }
    1909. 

  1909.         }
    1910. 

  1910. 

  1911.         StringBuffer act_name;
    1912. 

  1912.         StringBuffer cnbuf;
    1913. 

  1913. 

  1914.         // Go through the search results by checking message types
    1915. 

  1915.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    1916. 

  1916.         {
    1917. 

  1917.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    1918. 

  1918.             for ( attribute = atts.getFirst();
    1919. 

  1919.                   attribute != NULL;
    1920. 

  1920.                   attribute = atts.getNext())
    1921. 

  1921.             {
    1922. 

  1922.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    1923. 

  1923.                 if (vals.hasValues())
    1924. 

  1924.                 {
    1925. 

  1925.                     if(stricmp(attribute, act_fieldname) == 0)
    1926. 

  1926.                         act_name.clear().append(vals.queryValues()[0]);
    1927. 

  1927.                     else if(stricmp(attribute, "cn") == 0)
    1928. 

  1928.                         cnbuf.clear().append(vals.queryValues()[0]);
    1929. 

  1929.                     else if(stricmp(attribute, "objectClass") == 0)
    1930. 

  1930.                     {
    1931. 

  1931.                         int i = 0;
    1932. 

  1932.                         while(vals.queryValues()[i] != NULL)
    1933. 

  1933.                         {
    1934. 

  1934.                             if(stricmp(vals.queryValues()[i], "person") == 0)
    1935. 

  1935.                                 act_type = USER_ACT;
    1936. 

  1936.                             if(stricmp(vals.queryValues()[i], "group") == 0)
    1937. 

  1937.                                 act_type = GROUP_ACT;
    1938. 

  1938.                             i++;
    1939. 

  1939.                         }
    1940. 

  1940.                     }
    1941. 

  1941.                 }
    1942. 

  1942.             }
    1943. 

  1943.         }
    1944. 

  1944. 

  1945.         if(act_type == USER_ACT)
    1946. 

  1946.             account_name.append(act_name.str());
    1947. 

  1947.         else
    1948. 

  1948.             account_name.append(cnbuf.str());
    1949. 

  1949. 

  1950.         return true;
    1951. 

  1951.     }
    1952. 

  1952. 

  1953.     virtual void lookupSid(const char* basedn, const char* filter, MemoryBuffer& act_sid)
    1954. 

  1954.     {
    1955. 

  1955.         char        *attribute;       
    1956. 

  1956.         LDAPMessage *message;
    1957. 

  1957. 

  1958.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    1959. 

  1959. 

  1960.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    1961. 

  1961.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    1962. 

  1962. 

  1963.         char* fieldname;
    1964. 

  1964.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    1965. 

  1965.             fieldname = "objectSid";
    1966. 

  1966.         else
    1967. 

  1967.             fieldname = "entryid";
    1968. 

  1968. 

  1969.         char        *attrs[] = {fieldname, NULL};
    1970. 

  1970.         CLDAPMessage searchResult;
    1971. 

  1971.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter, attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    1972. 

  1972. 

  1973.         if ( rc != LDAP_SUCCESS )
    1974. 

  1974.         {
    1975. 

  1975.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter, basedn);
    1976. 

  1976.             return;
    1977. 

  1977.         }
    1978. 

  1978. 

  1979.         message = LdapFirstEntry( ld, searchResult);
    1980. 

  1980.         if(message != NULL)
    1981. 

  1981.         {
    1982. 

  1982.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    1983. 

  1983.             for ( attribute = atts.getFirst();
    1984. 

  1984.                   attribute != NULL;
    1985. 

  1985.                   attribute = atts.getNext())
    1986. 

  1986.             {
    1987. 

  1987.                 if(0 == stricmp(attribute, fieldname))
    1988. 

  1988.                 {
    1989. 

  1989.                     CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
    1990. 

  1990.                     if (valsLen.hasValues())
    1991. 

  1991.                     {
    1992. 

  1992.                         struct berval* val = valsLen.queryValues()[0];
    1993. 

  1993.                         if(val != NULL)
    1994. 

  1994.                         {
    1995. 

  1995.                             int len = val->bv_len;
    1996. 

  1996.                             act_sid.append(val->bv_len, val->bv_val);
    1997. 

  1997.                         }
    1998. 

  1998.                     }
    1999. 

  1999.                     break;
    2000. 

  2000.                 }
    2001. 

  2001.             }
    2002. 

  2002.         }
    2003. 

  2003.     }
    2004. 

  2004. 

  2005.     virtual void lookupSid(const char* act_name, MemoryBuffer& act_sid, ACT_TYPE act_type)
    2006. 

  2006.     {
    2007. 

  2007.         StringBuffer filter;
    2008. 

  2008.         const char* basedn;
    2009. 

  2009.         if(act_type == USER_ACT)
    2010. 

  2010.         {
    2011. 

  2011.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2012. 

  2012.                 filter.append("sAMAccountName=").append(act_name);
    2013. 

  2013.             else
    2014. 

  2014.                 filter.append("uid=").append(act_name);
    2015. 

  2015. 

  2016.             basedn = m_ldapconfig->getUserBasedn();
    2017. 

  2017.             lookupSid(basedn, filter.str(), act_sid);
    2018. 

  2018.             if(act_sid.length() == 0)
    2019. 

  2019.             {
    2020. 

  2020.                 StringBuffer basebuf;
    2021. 

  2021.                 if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2022. 

  2022.                     basebuf.append("cn=Users,").append(m_ldapconfig->getBasedn());
    2023. 

  2023.                 else if(stricmp(act_name, m_ldapconfig->getSysUser()) == 0)
    2024. 

  2024.                     basebuf.append(m_ldapconfig->getSysUserBasedn());
    2025. 

  2025.                 else
    2026. 

  2026.                     basebuf.append("ou=People,").append(m_ldapconfig->getBasedn());
    2027. 

  2027. 

  2028.                 lookupSid(basebuf.str(), filter.str(), act_sid);
    2029. 

  2029.             }
    2030. 

  2030.         }
    2031. 

  2031.         else
    2032. 

  2032.         {
    2033. 

  2033.             filter.append("cn=").append(act_name);
    2034. 

  2034.             basedn = m_ldapconfig->getGroupBasedn();
    2035. 

  2035.             lookupSid(basedn, filter.str(), act_sid);
    2036. 

  2036.             if(act_sid.length() == 0)
    2037. 

  2037.             {
    2038. 

  2038.                 StringBuffer basebuf;
    2039. 

  2039.                 basebuf.append("cn=Users,").append(m_ldapconfig->getBasedn());
    2040. 

  2040.                 lookupSid(basebuf.str(), filter.str(), act_sid);
    2041. 

  2041.                 if(act_sid.length() == 0)
    2042. 

  2042.                 {
    2043. 

  2043.                     basebuf.clear();
    2044. 

  2044.                     basebuf.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    2045. 

  2045.                     lookupSid(basebuf.str(), filter.str(), act_sid);
    2046. 

  2046.                 }
    2047. 

  2047.             }       
    2048. 

  2048.         }
    2049. 

  2049. 

  2050.     }
    2051. 

  2051. 

  2052.     virtual void setPermissionProcessor(IPermissionProcessor* pp)
    2053. 

  2053.     {
    2054. 

  2054.         m_pp = pp;
    2055. 

  2055.     }
    2056. 

  2056. 

  2057.     virtual bool retrieveUsers(IUserArray& users)
    2058. 

  2058.     {
    2059. 

  2059.         return retrieveUsers("", users);
    2060. 

  2060.     }
    2061. 

  2061. 

  2062.     virtual bool retrieveUsers(const char* searchstr, IUserArray& users)
    2063. 

  2063.     {
    2064. 

  2064.         char        *attribute;
    2065. 

  2065.         LDAPMessage *message;
    2066. 

  2066. 

  2067.         StringBuffer filter;
    2068. 

  2068.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2069. 

  2069.             filter.append("objectClass=User");
    2070. 

  2070.         else
    2071. 

  2071.             filter.append("objectClass=inetorgperson");
    2072. 

  2072. 

  2073.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2074. 

  2074. 

  2075.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2076. 

  2076.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2077. 

  2077. 

  2078.         char* act_fieldname;
    2079. 

  2079.         char* sid_fieldname;
    2080. 

  2080.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2081. 

  2081.         {
    2082. 

  2082.             act_fieldname = "sAMAccountName";
    2083. 

  2083.             sid_fieldname = "objectSid";
    2084. 

  2084.         }
    2085. 

  2085.         else
    2086. 

  2086.         {
    2087. 

  2087.             act_fieldname = "uid";
    2088. 

  2088.             sid_fieldname = "entryid";
    2089. 

  2089.         }
    2090. 

  2090. 

  2091.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    2092. 

  2092.         {
    2093. 

  2093.             filter.insert(0, "(&(");
    2094. 

  2094.             filter.appendf(")(|(%s=*%s*)(%s=*%s*)(%s=*%s*)))", act_fieldname, searchstr, "givenName", searchstr, "sn", searchstr);
    2095. 

  2095.         }
    2096. 

  2096. 

  2097.         char *attrs[] = {act_fieldname, sid_fieldname, "cn", "userAccountControl", "pwdLastSet", NULL};
    2098. 

  2098.         CLDAPMessage searchResult;
    2099. 

  2099.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    2100. 

  2100.         if ( rc != LDAP_SUCCESS )
    2101. 

  2101.         {
    2102. 

  2102.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2103. 

  2103.             return false;
    2104. 

  2104.         }
    2105. 

  2105. 

  2106. 

  2107.         // Go through the search results by checking message types
    2108. 

  2108.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2109. 

  2109.         {
    2110. 

  2110.             bool accountPwdNeverExpires = false;
    2111. 

  2111.             Owned<ISecUser> user = new CLdapSecUser("", "");
    2112. 

  2112. 

  2113.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2114. 

  2114.             for ( attribute = atts.getFirst();
    2115. 

  2115.                   attribute != NULL;
    2116. 

  2116.                   attribute = atts.getNext())
    2117. 

  2117.             {
    2118. 

  2118.                 if(stricmp(attribute, "cn") == 0)
    2119. 

  2119.                 {
    2120. 

  2120.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    2121. 

  2121.                     if (vals.hasValues())
    2122. 

  2122.                         user->setFullName(vals.queryValues()[0]);
    2123. 

  2123.                 }
    2124. 

  2124.                 else if (stricmp(attribute, "userAccountControl") == 0)
    2125. 

  2125.                 {
    2126. 

  2126.                     //UF_DONT_EXPIRE_PASSWD 0x10000
    2127. 

  2127.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    2128. 

  2128.                     if (vals.hasValues())
    2129. 

  2129.                         if (atoi((char*)vals.queryValues()[0]) & 0x10000)//this can be true at the account level, even if domain policy requires password
    2130. 

  2130.                             accountPwdNeverExpires = true;
    2131. 

  2131.                 }
    2132. 

  2132.                 else if(stricmp(attribute, "pwdLastSet") == 0)
    2133. 

  2133.                 {
    2134. 

  2134.                     CDateTime expiry;
    2135. 

  2135.                     if (!m_domainPwdsNeverExpire && !accountPwdNeverExpires)
    2136. 

  2136.                     {
    2137. 

  2137.                         CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
    2138. 

  2138.                         if (valsLen.hasValues())
    2139. 

  2139.                         {
    2140. 

  2140.                             struct berval* val = valsLen.queryValues()[0];
    2141. 

  2141.                             calcPWExpiry(expiry, (unsigned)val->bv_len, val->bv_val);
    2142. 

  2142.                         }
    2143. 

  2143.                     }
    2144. 

  2144.                     else
    2145. 

  2145.                         expiry.clear();
    2146. 

  2146.                     user->setPasswordExpiration(expiry);
    2147. 

  2147.                 }
    2148. 

  2148.                 else if(stricmp(attribute, act_fieldname) == 0)
    2149. 

  2149.                 {
    2150. 

  2150.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    2151. 

  2151.                     if (vals.hasValues())
    2152. 

  2152.                         user->setName(vals.queryValues()[0]);
    2153. 

  2153.                 }
    2154. 

  2154.                 else if(stricmp(attribute, sid_fieldname) == 0)
    2155. 

  2155.                 {
    2156. 

  2156.                     if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2157. 

  2157.                     {
    2158. 

  2158.                         CLDAPGetValuesLenWrapper valsLen(ld, message, attribute);
    2159. 

  2159.                         if (valsLen.hasValues())
    2160. 

  2160.                         {
    2161. 

  2161.                             struct berval* val = valsLen.queryValues()[0];
    2162. 

  2162.                             if(val != NULL)
    2163. 

  2163.                             {
    2164. 

  2164.                                 unsigned uid = val->bv_val[val->bv_len - 4];
    2165. 

  2165.                                 int i;
    2166. 

  2166.                                 for(i = 3; i > 0; i--)
    2167. 

  2167.                                 {
    2168. 

  2168.                                     uid = (uid << 8) + val->bv_val[val->bv_len - i];
    2169. 

  2169.                                 }
    2170. 

  2170.                                 ((CLdapSecUser*)user.get())->setUserID(uid);
    2171. 

  2171.                             }
    2172. 

  2172.                         }
    2173. 

  2173.                     }
    2174. 

  2174.                     else
    2175. 

  2175.                     {
    2176. 

  2176.                         CLDAPGetValuesWrapper vals(ld, message, attribute);
    2177. 

  2177.                         if (vals.hasValues())
    2178. 

  2178.                             ((CLdapSecUser*)user.get())->setUserID(atoi(vals.queryValues()[0]));
    2179. 

  2179.                     }
    2180. 

  2180.                 }
    2181. 

  2181.             }
    2182. 

  2182.             users.append(*LINK(user.get()));
    2183. 

  2183.         }
    2184. 

  2184.         return true;
    2185. 

  2185.     }
    2186. 

  2186. 

  2187.     virtual bool userInGroup(const char* userdn, const char* groupdn)
    2188. 

  2188.     {
    2189. 

  2189.         const char* fldname;
    2190. 

  2190.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2191. 

  2191.             fldname = "member";
    2192. 

  2192.         else
    2193. 

  2193.             fldname = "uniquemember";
    2194. 

  2194. 

  2195.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2196. 

  2196.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2197. 

  2197. 

  2198.         int rc = ldap_compare_s(ld, (char*)groupdn, (char*)fldname, (char*)userdn);
    2199. 

  2199.         if(rc == LDAP_COMPARE_TRUE)
    2200. 

  2200.             return true;
    2201. 

  2201.         else
    2202. 

  2202.             return false;
    2203. 

  2203.     }
    2204. 

  2204. 

  2205.     // Update user's firstname, lastname (plus displayname for active directory).
    2206. 

  2206.     virtual bool updateUser(const char* type, ISecUser& user)
    2207. 

  2207.     {
    2208. 

  2208.         const char* username = user.getName();
    2209. 

  2209.         if(!username || !*username)
    2210. 

  2210.             return false;
    2211. 

  2211. 

  2212.         StringBuffer userdn;
    2213. 

  2213.         getUserDN(username, userdn);
    2214. 

  2214. 

  2215.         int rc = LDAP_SUCCESS;
    2216. 

  2216. 

  2217.         if(!type || !*type || stricmp(type, "names") == 0)
    2218. 

  2218.         {
    2219. 

  2219.             StringBuffer cnbuf;
    2220. 

  2220.             const char* fname = user.getFirstName();
    2221. 

  2221.             const char* lname = user.getLastName();
    2222. 

  2222.             if(fname && *fname && lname && *lname)
    2223. 

  2223.             {
    2224. 

  2224.                 cnbuf.append(fname).append(" ").append(lname);
    2225. 

  2225.             }
    2226. 

  2226.             else
    2227. 

  2227.                 throw MakeStringException(-1, "Please specify both firstname and lastname");
    2228. 

  2228. 

  2229.             char *gn_values[] = { (char*)fname, NULL };
    2230. 

  2230.             LDAPMod gn_attr = {
    2231. 

  2231.                 LDAP_MOD_REPLACE,
    2232. 

  2232.                 "givenName",
    2233. 

  2233.                 gn_values
    2234. 

  2234.             };
    2235. 

  2235. 

  2236.             char *sn_values[] = { (char*)lname, NULL };
    2237. 

  2237.             LDAPMod sn_attr = {
    2238. 

  2238.                 LDAP_MOD_REPLACE,
    2239. 

  2239.                 "sn",
    2240. 

  2240.                 sn_values
    2241. 

  2241.             };
    2242. 

  2242. 

  2243.             char *cn_values[] = {(char*)cnbuf.str(), NULL };
    2244. 

  2244.             LDAPMod cn_attr = 
    2245. 

  2245.             {
    2246. 

  2246.                 LDAP_MOD_REPLACE,
    2247. 

  2247.                 "cn",
    2248. 

  2248.                 cn_values
    2249. 

  2249.             };
    2250. 

  2250. 

  2251.             char *dispname_values[] = {(char*)cnbuf.str(), NULL };
    2252. 

  2252.             LDAPMod dispname_attr = 
    2253. 

  2253.             {
    2254. 

  2254.                 LDAP_MOD_REPLACE,
    2255. 

  2255.                 "displayName",
    2256. 

  2256.                 dispname_values
    2257. 

  2257.             };
    2258. 

  2258. 

  2259.             LDAPMod *attrs[4];
    2260. 

  2260.             int ind = 0;
    2261. 

  2261.         
    2262. 

  2262.             attrs[ind++] = &gn_attr;
    2263. 

  2263.             attrs[ind++] = &sn_attr;
    2264. 

  2264. 

  2265.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2266. 

  2266.             {
    2267. 

  2267.                 attrs[ind++] = &dispname_attr;
    2268. 

  2268.             }
    2269. 

  2269.             else
    2270. 

  2270.             {
    2271. 

  2271.                 attrs[ind++] = &cn_attr;
    2272. 

  2272.             }
    2273. 

  2273.             
    2274. 

  2274.             attrs[ind] = NULL;
    2275. 

  2275.             
    2276. 

  2276.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2277. 

  2277.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2278. 

  2278. 

  2279.             rc = ldap_modify_s(ld, (char*)userdn.str(), attrs);
    2280. 

  2280.             if (rc == LDAP_SUCCESS && m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2281. 

  2281.             {
    2282. 

  2282.                 StringBuffer newrdn("cn=");
    2283. 

  2283.                 newrdn.append(cnbuf.str());
    2284. 

  2284.                 rc = LdapRename(ld, (char*)userdn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    2285. 

  2285.             }
    2286. 

  2286.         }
    2287. 

  2287.         else if(stricmp(type, "posixenable") == 0)
    2288. 

  2288.         {
    2289. 

  2289.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2290. 

  2290.                 throw MakeStringException(-1, "posixAccount isn't applicable to Active Directory");
    2291. 

  2291. 

  2292.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2293. 

  2293. 

  2294.             char* oc_values[] = {"posixAccount", NULL};
    2295. 

  2295.             LDAPMod oc_attr = {
    2296. 

  2296.                 LDAP_MOD_ADD,
    2297. 

  2297.                 "objectclass",
    2298. 

  2298.                 oc_values
    2299. 

  2299.             };
    2300. 

  2300. 

  2301.             char* oc1_values[] = {"shadowAccount", NULL};
    2302. 

  2302.             LDAPMod oc1_attr = {
    2303. 

  2303.                 LDAP_MOD_ADD,
    2304. 

  2304.                 "objectclass",
    2305. 

  2305.                 oc1_values
    2306. 

  2306.             };
    2307. 

  2307. 

  2308.             char *gidnum_values[] = { (char*)ldapuser->getGidnumber(), NULL };
    2309. 

  2309.             LDAPMod gidnum_attr = {
    2310. 

  2310.                 LDAP_MOD_REPLACE,
    2311. 

  2311.                 "gidnumber",
    2312. 

  2312.                 gidnum_values
    2313. 

  2313.             };
    2314. 

  2314. 

  2315.             char *uidnum_values[] = { (char*)ldapuser->getUidnumber(), NULL };
    2316. 

  2316.             LDAPMod uidnum_attr = {
    2317. 

  2317.                 LDAP_MOD_REPLACE,
    2318. 

  2318.                 "uidnumber",
    2319. 

  2319.                 uidnum_values
    2320. 

  2320.             };
    2321. 

  2321. 

  2322.             char *homedir_values[] = {(char*)ldapuser->getHomedirectory(), NULL };
    2323. 

  2323.             LDAPMod homedir_attr = 
    2324. 

  2324.             {
    2325. 

  2325.                 LDAP_MOD_REPLACE,
    2326. 

  2326.                 "homedirectory",
    2327. 

  2327.                 homedir_values
    2328. 

  2328.             };
    2329. 

  2329. 

  2330.             char *loginshell_values[] = {(char*)ldapuser->getLoginshell(), NULL };
    2331. 

  2331.             LDAPMod loginshell_attr = 
    2332. 

  2332.             {
    2333. 

  2333.                 LDAP_MOD_REPLACE,
    2334. 

  2334.                 "loginshell",
    2335. 

  2335.                 loginshell_values
    2336. 

  2336.             };
    2337. 

  2337. 

  2338.             LDAPMod *attrs[7];
    2339. 

  2339.             int ind = 0;
    2340. 

  2340.         
    2341. 

  2341.             attrs[ind++] = &gidnum_attr;
    2342. 

  2342.             attrs[ind++] = &uidnum_attr;
    2343. 

  2343.             attrs[ind++] = &homedir_attr;
    2344. 

  2344.             attrs[ind++] = &loginshell_attr;
    2345. 

  2345.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2346. 

  2346.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2347. 

  2347.             int compresult = ldap_compare_s(ld, (char*)userdn.str(), (char*)"objectclass", (char*)"posixAccount");
    2348. 

  2348.             if(compresult != LDAP_COMPARE_TRUE)
    2349. 

  2349.                 attrs[ind++] = &oc_attr;
    2350. 

  2350.             compresult = ldap_compare_s(ld, (char*)userdn.str(), (char*)"objectclass", (char*)"shadowAccount");
    2351. 

  2351.             if(compresult != LDAP_COMPARE_TRUE)
    2352. 

  2352.                 attrs[ind++] = &oc1_attr;
    2353. 

  2353.             attrs[ind] = NULL;
    2354. 

  2354.             rc = ldap_modify_s(ld, (char*)userdn.str(), attrs);
    2355. 

  2355.         }
    2356. 

  2356.         else if(stricmp(type, "posixdisable") == 0)
    2357. 

  2357.         {
    2358. 

  2358.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    2359. 

  2359.                 throw MakeStringException(-1, "posixAccount isn't applicable to Active Directory");
    2360. 

  2360. 

  2361.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2362. 

  2362.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2363. 

  2363.             int compresult = ldap_compare_s(ld, (char*)userdn.str(), (char*)"objectclass", (char*)"posixAccount");
    2364. 

  2364.             if(compresult != LDAP_COMPARE_TRUE)
    2365. 

  2365.             {
    2366. 

  2366.                 rc = LDAP_SUCCESS;
    2367. 

  2367.             }
    2368. 

  2368.             else
    2369. 

  2369.             {
    2370. 

  2370. 

  2371.                 CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2372. 

  2372. 

  2373.                 char* oc_values[] = {"posixAccount", NULL};
    2374. 

  2374.                 LDAPMod oc_attr = {
    2375. 

  2375.                     LDAP_MOD_DELETE,
    2376. 

  2376.                     "objectclass",
    2377. 

  2377.                     oc_values
    2378. 

  2378.                 };
    2379. 

  2379. 

  2380.                 char* oc1_values[] = {"shadowAccount", NULL};
    2381. 

  2381.                 LDAPMod oc1_attr = {
    2382. 

  2382.                     LDAP_MOD_DELETE,
    2383. 

  2383.                     "objectclass",
    2384. 

  2384.                     oc1_values
    2385. 

  2385.                 };
    2386. 

  2386. 

  2387.                 char *gidnum_values[] = { NULL };
    2388. 

  2388.                 LDAPMod gidnum_attr = {
    2389. 

  2389.                     LDAP_MOD_DELETE,
    2390. 

  2390.                     "gidnumber",
    2391. 

  2391.                     gidnum_values
    2392. 

  2392.                 };
    2393. 

  2393. 

  2394.                 char *uidnum_values[] = {NULL };
    2395. 

  2395.                 LDAPMod uidnum_attr = {
    2396. 

  2396.                     LDAP_MOD_DELETE,
    2397. 

  2397.                     "uidnumber",
    2398. 

  2398.                     uidnum_values
    2399. 

  2399.                 };
    2400. 

  2400. 

  2401.                 char *homedir_values[] = { NULL };
    2402. 

  2402.                 LDAPMod homedir_attr = 
    2403. 

  2403.                 {
    2404. 

  2404.                     LDAP_MOD_DELETE,
    2405. 

  2405.                     "homedirectory",
    2406. 

  2406.                     homedir_values
    2407. 

  2407.                 };
    2408. 

  2408. 

  2409.                 char *loginshell_values[] = { NULL };
    2410. 

  2410.                 LDAPMod loginshell_attr = 
    2411. 

  2411.                 {
    2412. 

  2412.                     LDAP_MOD_DELETE,
    2413. 

  2413.                     "loginshell",
    2414. 

  2414.                     loginshell_values
    2415. 

  2415.                 };
    2416. 

  2416. 

  2417.                 LDAPMod *attrs[7];
    2418. 

  2418.                 int ind = 0;
    2419. 

  2419.             
    2420. 

  2420.                 attrs[ind++] = &gidnum_attr;
    2421. 

  2421.                 attrs[ind++] = &uidnum_attr;
    2422. 

  2422.                 attrs[ind++] = &homedir_attr;
    2423. 

  2423.                 attrs[ind++] = &loginshell_attr;
    2424. 

  2424.                 attrs[ind++] = &oc_attr;
    2425. 

  2425.                 attrs[ind++] = &oc1_attr;
    2426. 

  2426.                 attrs[ind] = NULL;
    2427. 

  2427. 

  2428.                 rc = ldap_modify_s(ld, (char*)userdn.str(), attrs);
    2429. 

  2429.             }
    2430. 

  2430.         }
    2431. 

  2431.         else if(stricmp(type, "sudoersadd") == 0)
    2432. 

  2432.         {
    2433. 

  2433.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2434. 

  2434. 

  2435.             char *cn_values[] = {(char*)username, NULL };
    2436. 

  2436.             LDAPMod cn_attr = 
    2437. 

  2437.             {
    2438. 

  2438.                 LDAP_MOD_ADD,
    2439. 

  2439.                 "cn",
    2440. 

  2440.                 cn_values
    2441. 

  2441.             };
    2442. 

  2442. 

  2443.             char *oc_values[] = {"sudoRole", NULL };
    2444. 

  2444.             LDAPMod oc_attr =
    2445. 

  2445.             {
    2446. 

  2446.                 LDAP_MOD_ADD,
    2447. 

  2447.                 "objectClass",
    2448. 

  2448.                 oc_values
    2449. 

  2449.             };
    2450. 

  2450. 

  2451.             char *user_values[] = {(char*)username, NULL };
    2452. 

  2452.             LDAPMod user_attr = 
    2453. 

  2453.             {
    2454. 

  2454.                 LDAP_MOD_ADD,
    2455. 

  2455.                 "sudoUser",
    2456. 

  2456.                 user_values
    2457. 

  2457.             };
    2458. 

  2458. 

  2459.             char* sudoHost = (char*)ldapuser->getSudoHost();
    2460. 

  2460.             char* sudoCommand = (char*)ldapuser->getSudoCommand();
    2461. 

  2461.             char* sudoOption = (char*)ldapuser->getSudoOption();
    2462. 

  2462. 

  2463.             char *host_values[] = {sudoHost, NULL };
    2464. 

  2464.             LDAPMod host_attr = 
    2465. 

  2465.             {
    2466. 

  2466.                 LDAP_MOD_ADD,
    2467. 

  2467.                 "sudoHost",
    2468. 

  2468.                 host_values
    2469. 

  2469.             };
    2470. 

  2470.             char *cmd_values[] = {sudoCommand, NULL };
    2471. 

  2471.             LDAPMod cmd_attr = 
    2472. 

  2472.             {
    2473. 

  2473.                 LDAP_MOD_ADD,
    2474. 

  2474.                 "sudoCommand",
    2475. 

  2475.                 cmd_values
    2476. 

  2476.             };
    2477. 

  2477.             char *option_values[] = {sudoOption, NULL };
    2478. 

  2478.             LDAPMod option_attr = 
    2479. 

  2479.             {
    2480. 

  2480.                 LDAP_MOD_ADD,
    2481. 

  2481.                 "sudoOption",
    2482. 

  2482.                 option_values
    2483. 

  2483.             };
    2484. 

  2484. 

  2485.             LDAPMod *attrs[8];
    2486. 

  2486.             int ind = 0;
    2487. 

  2487.             
    2488. 

  2488.             attrs[ind++] = &cn_attr;
    2489. 

  2489.             attrs[ind++] = &oc_attr;
    2490. 

  2490.             attrs[ind++] = &user_attr;
    2491. 

  2491.             if(sudoHost && *sudoHost)
    2492. 

  2492.                 attrs[ind++] = &host_attr;
    2493. 

  2493.             if(sudoCommand && *sudoCommand)
    2494. 

  2494.                 attrs[ind++] = &cmd_attr;
    2495. 

  2495.             if(sudoOption && *sudoOption)
    2496. 

  2496.                 attrs[ind++] = &option_attr;
    2497. 

  2497. 

  2498.             attrs[ind] = NULL;
    2499. 

  2499. 

  2500.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2501. 

  2501.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2502. 

  2502.             StringBuffer dn;
    2503. 

  2503.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    2504. 

  2504.             int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    2505. 

  2505.             if ( rc != LDAP_SUCCESS )
    2506. 

  2506.             {
    2507. 

  2507.                 if(rc == LDAP_ALREADY_EXISTS)
    2508. 

  2508.                 {
    2509. 

  2509.                     throw MakeStringException(-1, "can't add %s to sudoers, an LDAP object with this name already exists", username);
    2510. 

  2510.                 }
    2511. 

  2511.                 else
    2512. 

  2512.                 {
    2513. 

  2513.                     DBGLOG("error adding %s to sudoers: %s", username, ldap_err2string( rc ));
    2514. 

  2514.                     throw MakeStringException(-1, "error adding %s to sudoers: %s", username, ldap_err2string( rc ));
    2515. 

  2515.                 }
    2516. 

  2516.             }
    2517. 

  2517.         }
    2518. 

  2518.         else if(stricmp(type, "sudoersdelete") == 0)
    2519. 

  2519.         {
    2520. 

  2520.             StringBuffer dn;
    2521. 

  2521.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    2522. 

  2522. 

  2523.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2524. 

  2524.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2525. 

  2525.             
    2526. 

  2526.             int rc = ldap_delete_s(ld, (char*)dn.str());
    2527. 

  2527. 

  2528.             if ( rc != LDAP_SUCCESS )
    2529. 

  2529.             {
    2530. 

  2530.                 throw MakeStringException(-1, "Error deleting user %s from sudoers: %s", username, ldap_err2string(rc));
    2531. 

  2531.             }
    2532. 

  2532.         }
    2533. 

  2533.         else if(stricmp(type, "sudoersupdate") == 0)
    2534. 

  2534.         {
    2535. 

  2535.             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
    2536. 

  2536.             
    2537. 

  2537.             char* sudoHost = (char*)ldapuser->getSudoHost();
    2538. 

  2538.             char* sudoCommand = (char*)ldapuser->getSudoCommand();
    2539. 

  2539.             char* sudoOption = (char*)ldapuser->getSudoOption();
    2540. 

  2540. 

  2541.             char *host_values[] = {(sudoHost&&*sudoHost)?sudoHost:NULL, NULL };
    2542. 

  2542.             LDAPMod host_attr = 
    2543. 

  2543.             {
    2544. 

  2544.                 LDAP_MOD_REPLACE,
    2545. 

  2545.                 "sudoHost",
    2546. 

  2546.                 host_values
    2547. 

  2547.             };
    2548. 

  2548.             
    2549. 

  2549.             char *cmd_values[] = {(sudoCommand&&*sudoCommand)?sudoCommand:NULL, NULL };
    2550. 

  2550.             LDAPMod cmd_attr = 
    2551. 

  2551.             {
    2552. 

  2552.                 LDAP_MOD_REPLACE,
    2553. 

  2553.                 "sudoCommand",
    2554. 

  2554.                 cmd_values
    2555. 

  2555.             };
    2556. 

  2556.             
    2557. 

  2557.             char *option_values[] = {(sudoOption&&*sudoOption)?sudoOption:NULL, NULL };
    2558. 

  2558.             LDAPMod option_attr = 
    2559. 

  2559.             {
    2560. 

  2560.                 LDAP_MOD_REPLACE,
    2561. 

  2561.                 "sudoOption",
    2562. 

  2562.                 option_values
    2563. 

  2563.             };
    2564. 

  2564. 

  2565.             LDAPMod *attrs[4];
    2566. 

  2566.             int ind = 0;
    2567. 

  2567.             
    2568. 

  2568.             attrs[ind++] = &host_attr;
    2569. 

  2569.             attrs[ind++] = &cmd_attr;
    2570. 

  2570.             attrs[ind++] = &option_attr;
    2571. 

  2571. 

  2572.             attrs[ind] = NULL;
    2573. 

  2573. 

  2574.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2575. 

  2575.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2576. 

  2576.             StringBuffer dn;
    2577. 

  2577.             dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
    2578. 

  2578.             int rc = ldap_modify_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    2579. 

  2579.             if ( rc != LDAP_SUCCESS )
    2580. 

  2580.             {
    2581. 

  2581.                 DBGLOG("error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
    2582. 

  2582.                 throw MakeStringException(-1, "error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
    2583. 

  2583.             }
    2584. 

  2584.         }
    2585. 

  2585. 

  2586.         if (rc == LDAP_SUCCESS )
    2587. 

  2587.             DBGLOG("User %s successfully updated", username);
    2588. 

  2588.         else
    2589. 

  2589.             throw MakeStringException(-1, "Error updating user %s - %s", username, ldap_err2string( rc ));
    2590. 

  2590. 

  2591.         return true;
    2592. 

  2592.     }
    2593. 

  2593. 

  2594.     virtual bool changePasswordSSL(const char* username, const char* newPassword)
    2595. 

  2595.     {
    2596. 

  2596.         Owned<ILdapConnection> lconn;
    2597. 

  2597.         try
    2598. 

  2598.         {
    2599. 

  2599.             lconn.setown(m_connections->getSSLConnection());
    2600. 

  2600.         }
    2601. 

  2601.         catch(IException*)
    2602. 

  2602.         {
    2603. 

  2603.             throw MakeStringException(-1, "Failed to set user %s's password because of not being able to create an SSL connection to the ldap server. To set an Active Directory user's password from Linux, you need to enable SSL on the Active Directory ldap server", username);
    2604. 

  2604.         }
    2605. 

  2605. 

  2606.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2607. 

  2607. 

  2608.         char        *attribute, **values = NULL;       
    2609. 

  2609.         LDAPMessage *message;
    2610. 

  2610. 

  2611.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2612. 

  2612. 

  2613.         StringBuffer filter;
    2614. 

  2614.         filter.append("sAMAccountName=").append(username);
    2615. 

  2615. 

  2616.         char        *attrs[] = {"distinguishedName", NULL};
    2617. 

  2617.         CLDAPMessage searchResult;
    2618. 

  2618.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    2619. 

  2619. 

  2620.         if ( rc != LDAP_SUCCESS )
    2621. 

  2621.         {
    2622. 

  2622.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2623. 

  2623.             return false;
    2624. 

  2624.         }
    2625. 

  2625. 

  2626.         StringBuffer userdn;
    2627. 

  2627.         message = LdapFirstEntry( ld, searchResult);
    2628. 

  2628.         if(message != NULL)
    2629. 

  2629.         {
    2630. 

  2630.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2631. 

  2631.             for ( attribute = atts.getFirst();
    2632. 

  2632.                   attribute != NULL;
    2633. 

  2633.                   attribute = atts.getNext())
    2634. 

  2634.             {
    2635. 

  2635.                 if(0 == stricmp(attribute, "distinguishedName"))
    2636. 

  2636.                 {
    2637. 

  2637.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    2638. 

  2638.                     if (vals.hasValues())
    2639. 

  2639.                         userdn.set(vals.queryValues()[0]);
    2640. 

  2640.                     break;
    2641. 

  2641.                 }
    2642. 

  2642.             }
    2643. 

  2643.         }
    2644. 

  2644. 

  2645.         if(userdn.length() == 0)
    2646. 

  2646.         {
    2647. 

  2647.             throw MakeStringException(-1, "can't find dn for user %s", username);
    2648. 

  2648.         }
    2649. 

  2649. 

  2650.         LDAPMod modPassword;
    2651. 

  2651.         LDAPMod *modEntry[2];
    2652. 

  2652.         struct berval pwdBerVal;
    2653. 

  2653.         struct berval *pwd_attr[2];
    2654. 

  2654.         unsigned short pszPasswordWithQuotes[1024];
    2655. 

  2655. 

  2656.         modEntry[0] = &modPassword;
    2657. 

  2657.         modEntry[1] = NULL;
    2658. 

  2658. 

  2659.         modPassword.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    2660. 

  2660.         modPassword.mod_type =  "unicodePwd";
    2661. 

  2661.         modPassword.mod_vals.modv_bvals = pwd_attr;
    2662. 

  2662. 

  2663.         pwd_attr[0] = &pwdBerVal;
    2664. 

  2664.         pwd_attr[1]= NULL;
    2665. 

  2665. 

  2666.         StringBuffer quotedPasswd("\"");
    2667. 

  2667.         quotedPasswd.append(newPassword).append("\"");
    2668. 

  2668.         ConvertCToW(pszPasswordWithQuotes, quotedPasswd);
    2669. 

  2669. 

  2670.         pwdBerVal.bv_len = quotedPasswd.length() * sizeof(unsigned short);
    2671. 

  2671.         pwdBerVal.bv_val = (char*)pszPasswordWithQuotes;
    2672. 

  2672. 

  2673.         rc = ldap_modify_s(ld, (char*)userdn.str(), modEntry);
    2674. 

  2674. 

  2675.         if (rc == LDAP_SUCCESS )
    2676. 

  2676.             DBGLOG("User %s's password has been changed successfully", username);
    2677. 

  2677.         else
    2678. 

  2678.         {
    2679. 

  2679.             StringBuffer errmsg;
    2680. 

  2680.             errmsg.appendf("Error setting password for %s - (%d) %s.", username, rc, ldap_err2string( rc ));
    2681. 

  2681.             if(rc == LDAP_UNWILLING_TO_PERFORM)
    2682. 

  2682.                 errmsg.append(" The ldap server refused to change the password. Usually this is because your new password doesn't satisfy the domain policy.");
    2683. 

  2683. 

  2684.             throw MakeStringExceptionDirect(-1, errmsg.str());
    2685. 

  2685.         }
    2686. 

  2686. 

  2687.         return true;
    2688. 

  2688.     }
    2689. 

  2689. 

  2690.     virtual bool queryPasswordStatus(ISecUser& user, const char* password)
    2691. 

  2691.     {
    2692. 

  2692.         char *ldap_errstring = NULL;
    2693. 

  2693.         const char * username = user.getName();
    2694. 

  2694. 

  2695.         StringBuffer userdn;
    2696. 

  2696.         getUserDN(user.getName(), userdn);
    2697. 

  2697. 

  2698.         StringBuffer hostbuf;
    2699. 

  2699.         m_ldapconfig->getLdapHost(hostbuf);
    2700. 

  2700. 

  2701.         LDAP* user_ld = LdapUtils::LdapInit(m_ldapconfig->getProtocol(), hostbuf.str(), m_ldapconfig->getLdapPort(), m_ldapconfig->getLdapSecurePort());
    2702. 

  2702.         int rc = LdapUtils::LdapBind(user_ld, m_ldapconfig->getDomain(), username, password, userdn, m_ldapconfig->getServerType(), m_ldapconfig->getAuthMethod());
    2703. 

  2703.         if(rc != LDAP_SUCCESS)
    2704. 

  2704.             ldap_get_option(user_ld, LDAP_OPT_ERROR_STRING, &ldap_errstring);
    2705. 

  2705.         ldap_unbind(user_ld);
    2706. 

  2706. 

  2707.         //Error string ""80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db0."
    2708. 

  2708.         //is returned if pw valid but expired
    2709. 

  2709.         if(rc == LDAP_SUCCESS || strstr(ldap_errstring, "data 532") || strstr(ldap_errstring, "data 773"))//
    2710. 

  2710.             return true;
    2711. 

  2711.         else
    2712. 

  2712.             return false;
    2713. 

  2713.     }
    2714. 

  2714. 

  2715.     virtual bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword)
    2716. 

  2716.     {
    2717. 

  2717.         const char* username = user.getName();
    2718. 

  2718.         if(!username || !*username)
    2719. 

  2719.             return false;
    2720. 

  2720. 

  2721.         if (currPassword)
    2722. 

  2722.         {
    2723. 

  2723.             //User will not be authenticated if their password was expired,
    2724. 

  2724.             //so check here that they provided a valid one in the "change
    2725. 

  2725.             //password" form (use the one they type, not the one in the secuser)
    2726. 

  2726.             bool validated = queryPasswordStatus(user, currPassword);
    2727. 

  2727.             if (!validated)
    2728. 

  2728.                 throw MakeStringException(-1, "Password not changed, invalid credentials");
    2729. 

  2729.         }
    2730. 

  2730. 

  2731.         return updateUserPassword(username, newPassword);
    2732. 

  2732.     }
    2733. 

  2733. 

  2734.     virtual bool updateUserPassword(const char* username, const char* newPassword)
    2735. 

  2735.     {
    2736. 

  2736.         if(!username || !*username)
    2737. 

  2737.             return false;
    2738. 

  2738.         
    2739. 

  2739.         const char* sysuser = m_ldapconfig->getSysUser();
    2740. 

  2740.         if(sysuser && *sysuser && strcmp(username, sysuser) == 0)
    2741. 

  2741.             throw MakeStringException(-1, "You can't change password of the system user.");
    2742. 

  2742. 

  2743.         LdapServerType servertype = m_ldapconfig->getServerType();
    2744. 

  2744.         bool ret = true;
    2745. 

  2745.         if(servertype == ACTIVE_DIRECTORY)
    2746. 

  2746.         {
    2747. 

  2747. #ifdef _WIN32
    2748. 

  2748.             DWORD nStatus = 0;
    2749. 

  2749.             // The application has to run on the same domain as ldap host, and under an administrative user.
    2750. 

  2750.             USER_INFO_1003 usriSetPassword;
    2751. 

  2751.             StringBuffer fullserver("\\\\");
    2752. 

  2752.             StringBuffer server;
    2753. 

  2753.             m_ldapconfig->getLdapHost(server);
    2754. 

  2754.             fullserver.append(server.str());
    2755. 

  2755.             LPWSTR whost = (LPWSTR)alloca((fullserver.length() +1) * sizeof(WCHAR));
    2756. 

  2756.             ConvertCToW((unsigned short *)whost, fullserver.str());
    2757. 

  2757. 

  2758.             LPWSTR wusername = (LPWSTR)alloca((strlen(username) + 1) * sizeof(WCHAR));
    2759. 

  2759.             ConvertCToW((unsigned short *)wusername, username);
    2760. 

  2760.             LPWSTR wnewpasswd = (LPWSTR)alloca((strlen(newPassword) + 1) * sizeof(WCHAR));
    2761. 

  2761.             ConvertCToW((unsigned short *)wnewpasswd, newPassword);
    2762. 

  2762.             usriSetPassword.usri1003_password  = wnewpasswd;
    2763. 

  2763.             nStatus = NetUserSetInfo(whost, wusername,  1003, (LPBYTE)&usriSetPassword, NULL);
    2764. 

  2764. 

  2765.             if (nStatus == NERR_Success)
    2766. 

  2766.             {
    2767. 

  2767.                 DBGLOG("User %s's password has been changed successfully", username);
    2768. 

  2768.                 return true;
    2769. 

  2769.             }
    2770. 

  2770.             else
    2771. 

  2771.             {
    2772. 

  2772.                 StringBuffer errcode, errmsg;
    2773. 

  2773. 

  2774.                 if(nStatus == ERROR_ACCESS_DENIED)
    2775. 

  2775.                 {
    2776. 

  2776.                     errcode.append("ERROR_ACCESS_DENIED");
    2777. 

  2777.                     errmsg.append("The user does not have access to the requested information.");
    2778. 

  2778.                 }
    2779. 

  2779.                 else if(nStatus == ERROR_INVALID_PASSWORD)
    2780. 

  2780.                 {
    2781. 

  2781.                     errcode.append("ERROR_INVALID_PASSWORD");
    2782. 

  2782.                     errmsg.append("The user has entered an invalid password.");
    2783. 

  2783.                 }
    2784. 

  2784.                 else if(nStatus == NERR_InvalidComputer)
    2785. 

  2785.                 {
    2786. 

  2786.                     errcode.append("NERR_InvalidComputer");
    2787. 

  2787.                     errmsg.append("The computer name is invalid.");
    2788. 

  2788.                 }
    2789. 

  2789.                 else if(nStatus == NERR_NotPrimary)
    2790. 

  2790.                 {
    2791. 

  2791.                     errcode.append("NERR_NotPrimary");
    2792. 

  2792.                     errmsg.append("The operation is allowed only on the primary domain controller of the domain.");
    2793. 

  2793.                 }
    2794. 

  2794.                 else if(nStatus == NERR_UserNotFound)
    2795. 

  2795.                 {
    2796. 

  2796.                     errcode.append("NERR_UserNotFound");
    2797. 

  2797.                     errmsg.append("The user name could not be found.");
    2798. 

  2798.                 }
    2799. 

  2799.                 else if(nStatus == NERR_PasswordTooShort)
    2800. 

  2800.                 {
    2801. 

  2801.                     errcode.append("NERR_PasswordTooShort");
    2802. 

  2802.                     errmsg.append("The password is shorter than required. ");
    2803. 

  2803.                 }
    2804. 

  2804.                 else if(nStatus == ERROR_LOGON_FAILURE)
    2805. 

  2805.                 {
    2806. 

  2806.                     errcode.append("ERROR_LOGON_FAILURE");
    2807. 

  2807.                     errmsg.append("To be able to reset password this way, esp has to run under an administrative user on the same domain as the active directory. ");
    2808. 

  2808.                 }
    2809. 

  2809.                 else
    2810. 

  2810.                 {
    2811. 

  2811.                     errcode.appendf("%d", nStatus);
    2812. 

  2812.                     errmsg.append("");
    2813. 

  2813.                 }
    2814. 

  2814.                 // For certain errors just return, other errors try changePasswordSSL.
    2815. 

  2815.                 if(nStatus == ERROR_INVALID_PASSWORD || nStatus == NERR_UserNotFound || nStatus == NERR_PasswordTooShort)
    2816. 

  2816.                     throw MakeStringException(-1, "An error has occurred while setting password with NetUserSetInfo for %s: %s - %s\n", username, errcode.str(), errmsg.str());
    2817. 

  2817.                 else
    2818. 

  2818.                     DBGLOG("An error has occurred while setting password with NetUserSetInfo for %s: %s - %s\n", username, errcode.str(), errmsg.str());
    2819. 

  2819.             }
    2820. 

  2820.             DBGLOG("Trying changePasswordSSL to change password over regular SSL connection.");
    2821. 

  2821. #endif
    2822. 

  2822.             changePasswordSSL(username, newPassword);
    2823. 

  2823.         }
    2824. 

  2824.         else 
    2825. 

  2825.         {
    2826. 

  2826.             StringBuffer filter;
    2827. 

  2827.             filter.append("uid=").append(username);
    2828. 

  2828. 

  2829.             char        **values = NULL;       
    2830. 

  2830.             LDAPMessage *message;
    2831. 

  2831. 

  2832.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2833. 

  2833. 

  2834.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    2835. 

  2835.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2836. 

  2836. 

  2837.             char        *attrs[] = {LDAP_NO_ATTRS, NULL};
    2838. 

  2838.             CLDAPMessage searchResult;
    2839. 

  2839.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    2840. 

  2840. 

  2841.             if ( rc != LDAP_SUCCESS )
    2842. 

  2842.             {
    2843. 

  2843.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    2844. 

  2844.                 return false;
    2845. 

  2845.             }
    2846. 

  2846. 

  2847.             StringBuffer userdn;
    2848. 

  2848.             message = LdapFirstEntry( ld, searchResult);
    2849. 

  2849.             
    2850. 

  2850.             if(message != NULL)
    2851. 

  2851.             {
    2852. 

  2852.                 char *p = ldap_get_dn(ld, message);
    2853. 

  2853.                 userdn.append(p);
    2854. 

  2854.                 ldap_memfree(p);
    2855. 

  2855.             }
    2856. 

  2856.             char* passwdvalue[] = { (char*)newPassword, NULL };
    2857. 

  2857.             LDAPMod pmod = 
    2858. 

  2858.             {
    2859. 

  2859.                 LDAP_MOD_REPLACE,
    2860. 

  2860.                 "userpassword", 
    2861. 

  2861.                 passwdvalue
    2862. 

  2862.             };
    2863. 

  2863. 

  2864.             LDAPMod* pmods[] = {&pmod, NULL};
    2865. 

  2865.             rc = ldap_modify_s(ld, (char*)userdn.str(), pmods);
    2866. 

  2866. 

  2867.             if (rc == LDAP_SUCCESS )
    2868. 

  2868.                 DBGLOG("User %s's password has been changed successfully", username);
    2869. 

  2869.             else
    2870. 

  2870.             {
    2871. 

  2871.                 StringBuffer errmsg;
    2872. 

  2872.                 errmsg.appendf("Error changing password for %s - (%d) %s.", username, rc, ldap_err2string( rc ));
    2873. 

  2873.                 if(rc == LDAP_UNWILLING_TO_PERFORM)
    2874. 

  2874.                     errmsg.append(" The ldap server refused to execute the password change action, one of the reasons might be that the new password you entered doesn't satisfy the policy requirement.");
    2875. 

  2875. 

  2876.                 throw MakeStringExceptionDirect(-1, errmsg.str());
    2877. 

  2877.             }
    2878. 

  2878.         }
    2879. 

  2879.         return true;
    2880. 

  2880.     }
    2881. 

  2881. 

  2882.     virtual bool getResources(SecResourceType rtype, const char * basedn, const char* prefix, IArrayOf<ISecResource>& resources)
    2883. 

  2883.     {
    2884. 

  2884.         char        *attribute;
    2885. 

  2885.         LDAPMessage *message;
    2886. 

  2886. 

  2887.         StringBuffer basednbuf;
    2888. 

  2888.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    2889. 

  2889.         StringBuffer filter("objectClass=*");
    2890. 

  2890. 

  2891.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2892. 

  2892. 

  2893.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2894. 

  2894.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2895. 

  2895. 

  2896.         const char* fldname;
    2897. 

  2897.         LdapServerType servertype = m_ldapconfig->getServerType();
    2898. 

  2898.         if(servertype == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    2899. 

  2899.             fldname = "name";
    2900. 

  2900.         else
    2901. 

  2901.             fldname = "ou";
    2902. 

  2902.         char        *attrs[] = {(char*)fldname, "description", NULL};
    2903. 

  2903.         CLDAPMessage searchResult;
    2904. 

  2904.         int rc = ldap_search_ext_s(ld, (char*)basednbuf.str(), LDAP_SCOPE_ONELEVEL, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    2905. 

  2905. 

  2906.         if ( rc != LDAP_SUCCESS )
    2907. 

  2907.         {
    2908. 

  2908.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basednbuf.str());
    2909. 

  2909.             return false;
    2910. 

  2910.         }
    2911. 

  2911. 

  2912.         // Go through the search results by checking message types
    2913. 

  2913.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2914. 

  2914.         {
    2915. 

  2915.             StringBuffer descbuf;
    2916. 

  2916.             StringBuffer curname;
    2917. 

  2917.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    2918. 

  2918.             for ( attribute = atts.getFirst();
    2919. 

  2919.                   attribute != NULL;
    2920. 

  2920.                   attribute = atts.getNext())
    2921. 

  2921.             {
    2922. 

  2922.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    2923. 

  2923.                 if (vals.hasValues())
    2924. 

  2924.                 {
    2925. 

  2925.                     char* val = vals.queryValues()[0];
    2926. 

  2926.                     if(val != NULL)
    2927. 

  2927.                     {
    2928. 

  2928.                         if(stricmp(attribute, fldname) == 0)
    2929. 

  2929.                         {
    2930. 

  2930.                             curname.append(val);
    2931. 

  2931.                         }
    2932. 

  2932.                         else if(stricmp(attribute, "description") == 0)
    2933. 

  2933.                         {
    2934. 

  2934.                             descbuf.append(val);
    2935. 

  2935.                         }
    2936. 

  2936.                     }
    2937. 

  2937.                 }
    2938. 

  2938.             }
    2939. 

  2939.             if(curname.length() == 0)
    2940. 

  2940.                 continue;
    2941. 

  2941.             StringBuffer resourcename;
    2942. 

  2942.             if(prefix != NULL && *prefix != '\0')
    2943. 

  2943.                 resourcename.append(prefix);
    2944. 

  2944.             resourcename.append(curname.str());
    2945. 

  2945.             CLdapSecResource* resource = new CLdapSecResource(resourcename.str());
    2946. 

  2946.             resource->setDescription(descbuf.str());
    2947. 

  2947.             resources.append(*resource);
    2948. 

  2948.             if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    2949. 

  2949.             {
    2950. 

  2950.                 StringBuffer nextbasedn;
    2951. 

  2951.                 nextbasedn.append("ou=").append(curname.str()).append(",").append(basedn);
    2952. 

  2952.                 StringBuffer nextprefix;
    2953. 

  2953.                 if(prefix != NULL && *prefix != '\0')
    2954. 

  2954.                     nextprefix.append(prefix);
    2955. 

  2955.                 nextprefix.append(curname.str()).append("::");
    2956. 

  2956.                 getResources(rtype, nextbasedn.str(), nextprefix.str(), resources);
    2957. 

  2957.             }
    2958. 

  2958.         }
    2959. 

  2959.         return true;
    2960. 

  2960.     }
    2961. 

  2961. 

  2962.     virtual bool getResourcesEx(SecResourceType rtype, const char * basedn, const char* prefix, const char* searchstr, IArrayOf<ISecResource>& resources)
    2963. 

  2963.     {
    2964. 

  2964.         char        *attribute;
    2965. 

  2965.         LDAPMessage *message;
    2966. 

  2966. 

  2967.         StringBuffer basednbuf;
    2968. 

  2968.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    2969. 

  2969.         StringBuffer filter("objectClass=*");
    2970. 

  2970.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    2971. 

  2971.         {
    2972. 

  2972.             filter.insert(0, "(&(");
    2973. 

  2973.             filter.appendf(")(|(%s=*%s*)))", "uNCName", searchstr);
    2974. 

  2974.         }
    2975. 

  2975. 

  2976.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    2977. 

  2977. 

  2978.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    2979. 

  2979.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    2980. 

  2980. 

  2981.         const char* fldname;
    2982. 

  2982.         LdapServerType servertype = m_ldapconfig->getServerType();
    2983. 

  2983.         if(servertype == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    2984. 

  2984.             fldname = "name";
    2985. 

  2985.         else
    2986. 

  2986.             fldname = "ou";
    2987. 

  2987.         char        *attrs[] = {(char*)fldname, "description", NULL};
    2988. 

  2988.         CLDAPMessage searchResult;
    2989. 

  2989.         int rc = ldap_search_ext_s(ld, (char*)basednbuf.str(), LDAP_SCOPE_ONELEVEL, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    2990. 

  2990. 

  2991.         if ( rc != LDAP_SUCCESS )
    2992. 

  2992.         {
    2993. 

  2993.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basednbuf.str());
    2994. 

  2994.             return false;
    2995. 

  2995.         }
    2996. 

  2996. 

  2997.         // Go through the search results by checking message types
    2998. 

  2998.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    2999. 

  2999.         {
    3000. 

  3000.             StringBuffer descbuf;
    3001. 

  3001.             StringBuffer curname;
    3002. 

  3002.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    3003. 

  3003.             for ( attribute = atts.getFirst();
    3004. 

  3004.                   attribute != NULL;
    3005. 

  3005.                   attribute = atts.getNext())
    3006. 

  3006.             {
    3007. 

  3007.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    3008. 

  3008.                 if (vals.hasValues())
    3009. 

  3009.                 {
    3010. 

  3010.                     char* val = vals.queryValues()[0];
    3011. 

  3011.                     if(val != NULL)
    3012. 

  3012.                     {
    3013. 

  3013.                         if(stricmp(attribute, fldname) == 0)
    3014. 

  3014.                         {
    3015. 

  3015.                             curname.append(val);
    3016. 

  3016.                         }
    3017. 

  3017.                         else if(stricmp(attribute, "description") == 0)
    3018. 

  3018.                         {
    3019. 

  3019.                             descbuf.append(val);
    3020. 

  3020.                         }
    3021. 

  3021.                     }
    3022. 

  3022.                 }
    3023. 

  3023.             }
    3024. 

  3024.             if(curname.length() == 0)
    3025. 

  3025.                 continue;
    3026. 

  3026.             StringBuffer resourcename;
    3027. 

  3027.             if(prefix != NULL && *prefix != '\0')
    3028. 

  3028.                 resourcename.append(prefix);
    3029. 

  3029.             resourcename.append(curname.str());
    3030. 

  3030.             CLdapSecResource* resource = new CLdapSecResource(resourcename.str());
    3031. 

  3031.             resource->setDescription(descbuf.str());
    3032. 

  3032.             resources.append(*resource);
    3033. 

  3033.             if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    3034. 

  3034.             {
    3035. 

  3035.                 StringBuffer nextbasedn;
    3036. 

  3036.                 nextbasedn.append("ou=").append(curname.str()).append(",").append(basedn);
    3037. 

  3037.                 StringBuffer nextprefix;
    3038. 

  3038.                 if(prefix != NULL && *prefix != '\0')
    3039. 

  3039.                     nextprefix.append(prefix);
    3040. 

  3040.                 nextprefix.append(curname.str()).append("::");
    3041. 

  3041.                 getResources(rtype, nextbasedn.str(), nextprefix.str(), resources);
    3042. 

  3042.             }
    3043. 

  3043.         }
    3044. 

  3044.         return true;
    3045. 

  3045.     }
    3046. 

  3046. 

  3047.     virtual bool getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf<CPermission>& permissions)
    3048. 

  3048.     {
    3049. 

  3049.         StringBuffer basednbuf;
    3050. 

  3050.         LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), basednbuf);
    3051. 

  3051.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(name);
    3052. 

  3052.         IArrayOf<CSecurityDescriptor> sdlist;
    3053. 

  3053.         sdlist.append(*LINK(sd));
    3054. 

  3054.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    3055. 

  3055.             getSecurityDescriptorsScope(sdlist, basednbuf.str());
    3056. 

  3056.         else
    3057. 

  3057.             getSecurityDescriptors(sdlist, basednbuf.str());
    3058. 

  3058. 

  3059.         m_pp->getPermissionsArray(sd.get(), permissions);
    3060. 

  3060. 

  3061.         return true;
    3062. 

  3062.     }
    3063. 

  3063. 

  3064.     virtual void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions)
    3065. 

  3065.     {
    3066. 

  3066.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3067. 

  3067.         {
    3068. 

  3068.             groups.append("Authenticated Users");
    3069. 

  3069.             managedBy.append("");
    3070. 

  3070.             descriptions.append("");
    3071. 

  3071.             groups.append("Administrators");
    3072. 

  3072.             managedBy.append("");
    3073. 

  3073.             descriptions.append("");
    3074. 

  3074.         }
    3075. 

  3075.         else
    3076. 

  3076.         {
    3077. 

  3077.             groups.append("Directory Administrators");
    3078. 

  3078.             managedBy.append("");
    3079. 

  3079.             descriptions.append("");
    3080. 

  3080.         }
    3081. 

  3081. 

  3082.         char        *attribute;
    3083. 

  3083.         LDAPMessage *message;
    3084. 

  3084. 

  3085.         StringBuffer filter;
    3086. 

  3086. 

  3087.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3088. 

  3088.             filter.append("objectClass=group");
    3089. 

  3089.         else
    3090. 

  3090.             filter.append("objectClass=groupofuniquenames");
    3091. 

  3091. 

  3092.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3093. 

  3093. 

  3094.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3095. 

  3095.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3096. 

  3096.         char *attrs[] = {"cn", "managedBy", "description", NULL};
    3097. 

  3097.         CLDAPMessage searchResult;
    3098. 

  3098.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getGroupBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
    3099. 

  3099. 

  3100.         if ( rc != LDAP_SUCCESS )
    3101. 

  3101.         {
    3102. 

  3102.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getGroupBasedn());
    3103. 

  3103.             return;
    3104. 

  3104.         }
    3105. 

  3105. 

  3106.         // Go through the search results by checking message types
    3107. 

  3107.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    3108. 

  3108.         {
    3109. 

  3109.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    3110. 

  3110.             for ( attribute = atts.getFirst();
    3111. 

  3111.                   attribute != NULL;
    3112. 

  3112.                   attribute = atts.getNext())
    3113. 

  3113.             {
    3114. 

  3114.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    3115. 

  3115.                 if (!vals.hasValues())
    3116. 

  3116.                     continue;
    3117. 

  3117.                 if(stricmp(attribute, "cn") == 0)
    3118. 

  3118.                 {
    3119. 

  3119.                     groups.append(vals.queryValues()[0]);
    3120. 

  3120.                     managedBy.append("");
    3121. 

  3121.                     descriptions.append("");
    3122. 

  3122.                 }
    3123. 

  3123.                 else if(stricmp(attribute, "managedBy") == 0)
    3124. 

  3124.                     managedBy.replace(vals.queryValues()[0], groups.length() - 1);
    3125. 

  3125.                 else if(stricmp(attribute, "description") == 0)
    3126. 

  3126.                     descriptions.replace(vals.queryValues()[0], groups.length() - 1);
    3127. 

  3127.             }
    3128. 

  3128.         }
    3129. 

  3129.     }
    3130. 

  3130. 

  3131.     virtual bool changePermission(CPermissionAction& action)
    3132. 

  3132.     {
    3133. 

  3133.         StringBuffer basednbuf;
    3134. 

  3134.         LdapUtils::normalizeDn(action.m_basedn.str(), m_ldapconfig->getBasedn(), basednbuf);
    3135. 

  3135.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(action.m_rname.str());
    3136. 

  3136.         IArrayOf<CSecurityDescriptor> sdlist;
    3137. 

  3137.         sdlist.append(*LINK(sd));
    3138. 

  3138.         if(action.m_rtype == RT_FILE_SCOPE || action.m_rtype == RT_WORKUNIT_SCOPE)
    3139. 

  3139.             getSecurityDescriptorsScope(sdlist, basednbuf.str());
    3140. 

  3140.         else
    3141. 

  3141.             getSecurityDescriptors(sdlist, basednbuf.str());
    3142. 

  3142. 

  3143.         if(m_ldapconfig->getServerType() != ACTIVE_DIRECTORY)
    3144. 

  3144.         {
    3145. 

  3145.             StringBuffer act_dn;
    3146. 

  3146.             if(action.m_account_type == GROUP_ACT)
    3147. 

  3147.                 getGroupDN(action.m_account_name.str(), act_dn);
    3148. 

  3148.             else
    3149. 

  3149.                 getUserDN(action.m_account_name.str(), act_dn);
    3150. 

  3150.             
    3151. 

  3151.             action.m_account_name.clear().append(act_dn.str());
    3152. 

  3152.         }
    3153. 

  3153. 

  3154.         Owned<CSecurityDescriptor> newsd = m_pp->changePermission(sd.get(), action);
    3155. 

  3155. 

  3156.         StringBuffer normdnbuf;
    3157. 

  3157.         LdapServerType servertype = m_ldapconfig->getServerType();
    3158. 

  3158.         name2dn(action.m_rtype, action.m_rname.str(), action.m_basedn.str(), normdnbuf);
    3159. 

  3159. 

  3160.         char *empty_values[] = { NULL };
    3161. 

  3161. 

  3162.         int numberOfSegs = m_pp->sdSegments(newsd.get());
    3163. 

  3163. 

  3164.         LDAPMod *attrs[2];
    3165. 

  3165.         LDAPMod sd_attr;
    3166. 

  3166.         if(newsd->getDescriptor().length() > 0)
    3167. 

  3167.         {
    3168. 

  3168.             struct berval** sd_values = (struct berval**)alloca(sizeof(struct berval*)*(numberOfSegs+1));
    3169. 

  3169.             MemoryBuffer& sdbuf = newsd->getDescriptor();
    3170. 

  3170. 

  3171.             // Active Directory acutally has only one segment.
    3172. 

  3172.             if(servertype == ACTIVE_DIRECTORY)
    3173. 

  3173.             {
    3174. 

  3174.                 struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    3175. 

  3175.                 sd_val->bv_len = sdbuf.length();
    3176. 

  3176.                 sd_val->bv_val = (char*)sdbuf.toByteArray();
    3177. 

  3177.                 sd_values[0] = sd_val;
    3178. 

  3178.                 sd_values[1] = NULL;
    3179. 

  3179. 

  3180.                 sd_attr.mod_type = "nTSecurityDescriptor";
    3181. 

  3181.             }
    3182. 

  3182.             else
    3183. 

  3183.             {
    3184. 

  3184.                 const char* bbptr = sdbuf.toByteArray();
    3185. 

  3185.                 const char* bptr = sdbuf.toByteArray();
    3186. 

  3186.                 int sdbuflen = sdbuf.length();
    3187. 

  3187.                 int segind;
    3188. 

  3188.                 for(segind = 0; segind < numberOfSegs; segind++)
    3189. 

  3189.                 {
    3190. 

  3190.                     if(bptr - bbptr >= sdbuflen)
    3191. 

  3191.                         break;
    3192. 

  3192.                     while(*bptr == '\0' && (bptr - bbptr) < sdbuflen)
    3193. 

  3193.                         bptr++;
    3194. 

  3194. 

  3195.                     const char* eptr = bptr;
    3196. 

  3196.                     while(*eptr != '\0' && (eptr - bbptr) < sdbuflen)
    3197. 

  3197.                         eptr++;
    3198. 

  3198. 

  3199.                     struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    3200. 

  3200.                     sd_val->bv_len = eptr - bptr;
    3201. 

  3201.                     sd_val->bv_val = (char*)bptr;
    3202. 

  3202.                     sd_values[segind] = sd_val;
    3203. 

  3203. 

  3204.                     bptr = eptr + 1;
    3205. 

  3205.                 }
    3206. 

  3206.                 sd_values[segind] = NULL;
    3207. 

  3207. 

  3208.                 sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    3209. 

  3209.             }
    3210. 

  3210.             sd_attr.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
    3211. 

  3211.             sd_attr.mod_vals.modv_bvals = sd_values;
    3212. 

  3212. 

  3213.             attrs[0] = &sd_attr;
    3214. 

  3214.         }
    3215. 

  3215.         else
    3216. 

  3216.         {
    3217. 

  3217.             if(m_ldapconfig->getServerType() == OPEN_LDAP)
    3218. 

  3218.                 throw MakeStringException(-1, "removing all permissions for openldap is currently not supported");
    3219. 

  3219. 

  3220.             sd_attr.mod_op = LDAP_MOD_DELETE;
    3221. 

  3221.             sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    3222. 

  3222.             sd_attr.mod_vals.modv_strvals = empty_values;
    3223. 

  3223.             attrs[0] = &sd_attr;
    3224. 

  3224.         }
    3225. 

  3225. 

  3226.         attrs[1] = NULL;
    3227. 

  3227. 

  3228.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3229. 

  3229.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3230. 

  3230.         int rc = ldap_modify_s(ld, (char*)normdnbuf.str(), attrs);
    3231. 

  3231.         if ( rc != LDAP_SUCCESS )
    3232. 

  3232.         {
    3233. 

  3233.             throw MakeStringException(-1, "ldap_modify_s error: %d %s", rc, ldap_err2string( rc ));
    3234. 

  3234.         }
    3235. 

  3235. 

  3236.         return true;
    3237. 

  3237.     }
    3238. 

  3238. 

  3239.     virtual void getGroups(const char *user, StringArray& groups)
    3240. 

  3240.     {
    3241. 

  3241.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3242. 

  3242.         {
    3243. 

  3243.             char        *attribute;
    3244. 

  3244.             LDAPMessage *message;
    3245. 

  3245. 

  3246.             if(user == NULL || strlen(user) == 0)
    3247. 

  3247.                 return;
    3248. 

  3248.             StringBuffer filter("sAMAccountName=");
    3249. 

  3249.             filter.append(user);
    3250. 

  3250. 

  3251.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3252. 

  3252. 

  3253.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    3254. 

  3254.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3255. 

  3255. 

  3256.             char        *attrs[] = {"memberOf", NULL};
    3257. 

  3257.             CLDAPMessage searchResult;
    3258. 

  3258.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    3259. 

  3259. 

  3260.             if ( rc != LDAP_SUCCESS )
    3261. 

  3261.             {
    3262. 

  3262.                 DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    3263. 

  3263.                 return;
    3264. 

  3264.             }
    3265. 

  3265.             
    3266. 

  3266.             unsigned entries = ldap_count_entries(ld, searchResult);
    3267. 

  3267.             if(entries == 0)
    3268. 

  3268.             {
    3269. 

  3269.                 searchResult.ldapMsgFree();
    3270. 

  3270.                 rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    3271. 

  3271. 

  3272.                 if ( rc != LDAP_SUCCESS )
    3273. 

  3273.                 {
    3274. 

  3274.                     DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getSysUserBasedn());
    3275. 

  3275.                     return;
    3276. 

  3276.                 }
    3277. 

  3277.             }
    3278. 

  3278. 

  3279.             // Go through the search results by checking message types
    3280. 

  3280.             for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    3281. 

  3281.             {
    3282. 

  3282.                 CLDAPGetAttributesWrapper   atts(ld, searchResult);
    3283. 

  3283.                 for ( attribute = atts.getFirst();
    3284. 

  3284.                       attribute != NULL;
    3285. 

  3285.                       attribute = atts.getNext())
    3286. 

  3286.                 {
    3287. 

  3287.                     if(0 == stricmp(attribute, "memberOf"))
    3288. 

  3288.                     {
    3289. 

  3289.                         CLDAPGetValuesWrapper vals(ld, message, attribute);
    3290. 

  3290.                         if (vals.hasValues())
    3291. 

  3291.                         {
    3292. 

  3292.                             for (int i = 0; vals.queryValues()[ i ] != NULL; i++ )
    3293. 

  3293.                             {
    3294. 

  3294.                                 char* val = vals.queryValues()[i];
    3295. 

  3295.                                 char* comma = strchr(val, ',');
    3296. 

  3296.                                 StringBuffer groupname;
    3297. 

  3297.                                 groupname.append(comma - val -3, val+3);
    3298. 

  3298.                                 groups.append(groupname.str());
    3299. 

  3299.                             }
    3300. 

  3300.                         }
    3301. 

  3301.                     }
    3302. 

  3302.                 }
    3303. 

  3303.             }
    3304. 

  3304.         }
    3305. 

  3305.         else
    3306. 

  3306.         {
    3307. 

  3307.             StringArray allgroups;
    3308. 

  3308.             StringArray allgroupManagedBy;
    3309. 

  3309.             StringArray allgroupDescription;
    3310. 

  3310.             getAllGroups(allgroups, allgroupManagedBy, allgroupDescription);
    3311. 

  3311.             for(unsigned i = 0; i < allgroups.length(); i++)
    3312. 

  3312.             {
    3313. 

  3313.                 const char* grp = allgroups.item(i);
    3314. 

  3314.                 StringBuffer grpdn, usrdn;
    3315. 

  3315.                 getUserDN(user, usrdn);
    3316. 

  3316.                 getGroupDN(grp, grpdn);
    3317. 

  3317.                 if(userInGroup(usrdn.str(), grpdn.str()))
    3318. 

  3318.                 {
    3319. 

  3319.                     groups.append(grp);
    3320. 

  3320.                 }
    3321. 

  3321.             }
    3322. 

  3322.         }       
    3323. 

  3323.     }
    3324. 

  3324. 

  3325.     virtual void changeUserGroup(const char* action, const char* username, const char* groupname)
    3326. 

  3326.     {
    3327. 

  3327.         StringBuffer userdn, groupdn;
    3328. 

  3328.         getUserDN(username, userdn);
    3329. 

  3329.         getGroupDN(groupname, groupdn);
    3330. 

  3330.         // Not needed for Active Directory
    3331. 

  3331.         // changeUserMemberOf(action, userdn.str(), groupdn.str());
    3332. 

  3332.         changeGroupMember(action, groupdn.str(), userdn.str());
    3333. 

  3333.     }
    3334. 

  3334. 

  3335.     virtual bool deleteUser(ISecUser* user)
    3336. 

  3336.     {
    3337. 

  3337.         if(user == NULL)
    3338. 

  3338.             return false;
    3339. 

  3339.         const char* username = user->getName();
    3340. 

  3340.         if(username == NULL || *username == '\0')
    3341. 

  3341.             return false;
    3342. 

  3342. 

  3343.         StringBuffer userdn;
    3344. 

  3344.         getUserDN(username, userdn);
    3345. 

  3345.         
    3346. 

  3346.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3347. 

  3347.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3348. 

  3348.         
    3349. 

  3349.         int rc = ldap_delete_s(ld, (char*)userdn.str());
    3350. 

  3350. 

  3351.         if ( rc != LDAP_SUCCESS )
    3352. 

  3352.         {
    3353. 

  3353.             throw MakeStringException(-1, "error deleting user %s: %s", username, ldap_err2string(rc));
    3354. 

  3354.         }
    3355. 

  3355. 

  3356.         StringArray grps;
    3357. 

  3357.         getGroups(username, grps);
    3358. 

  3358.         ForEachItemIn(x, grps)
    3359. 

  3359.         {
    3360. 

  3360.             const char* grp = grps.item(x);
    3361. 

  3361.             if(!grp || !*grp)
    3362. 

  3362.                 continue;
    3363. 

  3363.             changeUserGroup("delete", username, grp);
    3364. 

  3364.         }
    3365. 

  3365. 

  3366.         //Remove tempfile scope for this user
    3367. 

  3367.         StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
    3368. 

  3368.         resName.append("::").append(username);
    3369. 

  3369.         deleteResource(RT_FILE_SCOPE, resName.str(), m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
    3370. 

  3370.         
    3371. 

  3371.         return true;
    3372. 

  3372.     }
    3373. 

  3373. 

  3374.     virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc)
    3375. 

  3375.     {
    3376. 

  3376.         if(groupname == NULL || *groupname == '\0')
    3377. 

  3377.             throw MakeStringException(-1, "Can't add group, groupname is empty");
    3378. 

  3378. 

  3379.         addGroup(groupname, groupOwner, groupDesc, m_ldapconfig->getGroupBasedn());
    3380. 

  3380.     }
    3381. 

  3381. 

  3382.     virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc, const char* basedn)
    3383. 

  3383.     {
    3384. 

  3384.         if(groupname == NULL || *groupname == '\0')
    3385. 

  3385.             return;
    3386. 

  3386. 

  3387.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3388. 

  3388.         {
    3389. 

  3389.             if(stricmp(groupname, "Administrators") == 0)
    3390. 

  3390.                 throw MakeStringException(-1, "Can't add group %s, it's reserved by the system.", groupname);
    3391. 

  3391.         }
    3392. 

  3392.         else
    3393. 

  3393.         {
    3394. 

  3394.             if(stricmp(groupname, "Directory Administrators") == 0)
    3395. 

  3395.                 throw MakeStringException(-1, "Can't add group %s, it's reserved by the system.", groupname);
    3396. 

  3396.         }
    3397. 

  3397. 

  3398.         StringBuffer dn;
    3399. 

  3399.         dn.append("cn=").append(groupname).append(",").append(basedn);
    3400. 

  3400. 

  3401.         char* oc_name;
    3402. 

  3402.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3403. 

  3403.         {
    3404. 

  3404.             oc_name = "group";
    3405. 

  3405.         }
    3406. 

  3406.         else
    3407. 

  3407.         {
    3408. 

  3408.             oc_name = "groupofuniquenames";
    3409. 

  3409.         }
    3410. 

  3410. 

  3411.         char *cn_values[] = {(char*)groupname, NULL };
    3412. 

  3412.         LDAPMod cn_attr = 
    3413. 

  3413.         {
    3414. 

  3414.             LDAP_MOD_ADD,
    3415. 

  3415.             "cn",
    3416. 

  3416.             cn_values
    3417. 

  3417.         };
    3418. 

  3418. 

  3419.         char *oc_values[] = {oc_name, NULL };
    3420. 

  3420.         LDAPMod oc_attr =
    3421. 

  3421.         {
    3422. 

  3422.             LDAP_MOD_ADD,
    3423. 

  3423.             "objectClass",
    3424. 

  3424.             oc_values
    3425. 

  3425.         };
    3426. 

  3426. 

  3427.         char *member_values[] = {"", NULL};
    3428. 

  3428.         LDAPMod member_attr = 
    3429. 

  3429.         {
    3430. 

  3430.             LDAP_MOD_ADD,
    3431. 

  3431.             "uniqueMember",
    3432. 

  3432.             member_values
    3433. 

  3433.         };
    3434. 

  3434. 

  3435.         char *owner_values[] = {(char*)groupOwner, NULL};
    3436. 

  3436.         LDAPMod owner_attr =
    3437. 

  3437.         {
    3438. 

  3438.             LDAP_MOD_ADD,
    3439. 

  3439.             "managedBy",
    3440. 

  3440.             owner_values
    3441. 

  3441.         };
    3442. 

  3442.         char *desc_values[] = {(char*)groupDesc, NULL};
    3443. 

  3443.         LDAPMod desc_attr =
    3444. 

  3444.         {
    3445. 

  3445.             LDAP_MOD_ADD,
    3446. 

  3446.             "description",
    3447. 

  3447.             desc_values
    3448. 

  3448.         };
    3449. 

  3449.         LDAPMod *attrs[6];
    3450. 

  3450.         int ind = 0;
    3451. 

  3451.         
    3452. 

  3452.         attrs[ind++] = &cn_attr;
    3453. 

  3453.         attrs[ind++] = &oc_attr;
    3454. 

  3454.         if (groupOwner && *groupOwner)
    3455. 

  3455.             attrs[ind++] = &owner_attr;
    3456. 

  3456.         if (groupDesc && *groupDesc)
    3457. 

  3457.             attrs[ind++] = &desc_attr;
    3458. 

  3458.         attrs[ind] = NULL;
    3459. 

  3459. 

  3460.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3461. 

  3461.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3462. 

  3462.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    3463. 

  3463.         if ( rc == LDAP_INVALID_SYNTAX  && m_ldapconfig->getServerType() == OPEN_LDAP)//Fedora389 does not 'seem' to need this, openLDAP does
    3464. 

  3464.         {
    3465. 

  3465.             attrs[ind++] = &member_attr;
    3466. 

  3466.             attrs[ind] = NULL;
    3467. 

  3467.             rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    3468. 

  3468.         }
    3469. 

  3469.         if ( rc != LDAP_SUCCESS)
    3470. 

  3470.         {
    3471. 

  3471.             if(rc == LDAP_ALREADY_EXISTS)
    3472. 

  3472.             {
    3473. 

  3473.                 throw MakeStringException(-1, "can't add group %s, an LDAP object with this name already exists", groupname);
    3474. 

  3474.             }
    3475. 

  3475.             else
    3476. 

  3476.             {
    3477. 

  3477.                 DBGLOG("error addGroup %s, ldap_add_ext_s error: %s", groupname, ldap_err2string( rc ));
    3478. 

  3478.                 throw MakeStringException(-1, "error addGroup %s, ldap_add_ext_s error: %s", groupname, ldap_err2string( rc ));
    3479. 

  3479.             }
    3480. 

  3480.         }
    3481. 

  3481. 

  3482.     }
    3483. 

  3483. 

  3484.     virtual void deleteGroup(const char* groupname)
    3485. 

  3485.     {
    3486. 

  3486.         if(groupname == NULL || *groupname == '\0')
    3487. 

  3487.             throw MakeStringException(-1, "group name can't be empty");
    3488. 

  3488. 

  3489.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3490. 

  3490.         {
    3491. 

  3491.             if(stricmp(groupname, "Administrators") == 0 || stricmp(groupname, "Authenticated Users") == 0)
    3492. 

  3492.                 throw MakeStringException(-1, "you can't delete Authenticated Users or Administrators group");
    3493. 

  3493.         }
    3494. 

  3494.         else
    3495. 

  3495.         {
    3496. 

  3496.             if(stricmp(groupname, "Directory Administrators") == 0)
    3497. 

  3497.                 throw MakeStringException(-1, "you can't delete Directory Administrators group");
    3498. 

  3498.         }
    3499. 

  3499. 

  3500.         StringBuffer dn;
    3501. 

  3501.         getGroupDN(groupname, dn);
    3502. 

  3502.         
    3503. 

  3503.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3504. 

  3504.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3505. 

  3505.         
    3506. 

  3506.         int rc = ldap_delete_s(ld, (char*)dn.str());
    3507. 

  3507. 

  3508.         if ( rc != LDAP_SUCCESS )
    3509. 

  3509.         {
    3510. 

  3510.             throw MakeStringException(-1, "error deleting group %s: %s", groupname, ldap_err2string(rc));
    3511. 

  3511.         }
    3512. 

  3512.     }
    3513. 

  3513. 

  3514.     virtual void getGroupMembers(const char* groupname, StringArray & users)
    3515. 

  3515.     {
    3516. 

  3516.         char        *attribute;
    3517. 

  3517.         LDAPMessage *message;
    3518. 

  3518. 

  3519.         if(groupname == NULL || strlen(groupname) == 0)
    3520. 

  3520.             throw MakeStringException(-1, "group name can't be empty");
    3521. 

  3521. 

  3522.         StringBuffer grpdn;
    3523. 

  3523.         getGroupDN(groupname, grpdn);
    3524. 

  3524.         StringBuffer filter;
    3525. 

  3525.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3526. 

  3526.         {
    3527. 

  3527.             filter.append("distinguishedName=").append(grpdn.str());
    3528. 

  3528.         }
    3529. 

  3529.         else if(m_ldapconfig->getServerType() == IPLANET)
    3530. 

  3530.         {
    3531. 

  3531.             filter.append("entrydn=").append(grpdn.str());
    3532. 

  3532.         }
    3533. 

  3533.         else if(m_ldapconfig->getServerType() == OPEN_LDAP)
    3534. 

  3534.         {
    3535. 

  3535.             filter.append("cn=").append(groupname);
    3536. 

  3536.         }
    3537. 

  3537. 

  3538.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3539. 

  3539. 

  3540.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3541. 

  3541.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3542. 

  3542. 

  3543.         const char* memfieldname;
    3544. 

  3544. 

  3545.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3546. 

  3546.         {
    3547. 

  3547.             memfieldname = "member";
    3548. 

  3548.         }
    3549. 

  3549.         else
    3550. 

  3550.         {
    3551. 

  3551.             memfieldname = "uniquemember";
    3552. 

  3552.         }
    3553. 

  3553. 

  3554.         char        *attrs[] = {(char*)memfieldname, NULL};
    3555. 

  3555.         StringBuffer groupbasedn;
    3556. 

  3556.         getGroupBaseDN(groupname, groupbasedn);
    3557. 

  3557.         CLDAPMessage searchResult;
    3558. 

  3558.         int rc = ldap_search_ext_s(ld, (char*)groupbasedn.str(),LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    3559. 

  3559. 

  3560.         if ( rc != LDAP_SUCCESS )
    3561. 

  3561.         {
    3562. 

  3562.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getBasedn());
    3563. 

  3563.             return;
    3564. 

  3564.         }
    3565. 

  3565.         
    3566. 

  3566.         unsigned entries = ldap_count_entries(ld, searchResult);
    3567. 

  3567.         if(entries == 0)
    3568. 

  3568.         {
    3569. 

  3569.             throw MakeStringException(-1, "group %s not found", groupname);
    3570. 

  3570.         }
    3571. 

  3571. 

  3572.         // Go through the search results by checking message types
    3573. 

  3573.         for(message = LdapFirstEntry( ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    3574. 

  3574.         {
    3575. 

  3575.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    3576. 

  3576.             for ( attribute = atts.getFirst();
    3577. 

  3577.                   attribute != NULL;
    3578. 

  3578.                   attribute = atts.getNext())
    3579. 

  3579.             {
    3580. 

  3580.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    3581. 

  3581.                 if (vals.hasValues())
    3582. 

  3582.                 {
    3583. 

  3583.                     for (int i = 0; vals.queryValues()[ i ] != NULL; i++ )
    3584. 

  3584.                     {
    3585. 

  3585.                         char* val = vals.queryValues()[i];
    3586. 

  3586.                         StringBuffer uid;
    3587. 

  3587.                         getUidFromDN(val, uid);
    3588. 

  3588.                         if(uid.length() > 0)
    3589. 

  3589.                             users.append(uid.str());
    3590. 

  3590.                     }
    3591. 

  3591.                 }
    3592. 

  3592.             }
    3593. 

  3593.         }
    3594. 

  3594.     }
    3595. 

  3595. 

  3596.     virtual void deleteResource(SecResourceType rtype, const char* name, const char* basedn)
    3597. 

  3597.     {
    3598. 

  3598.         if(basedn == NULL || *basedn == '\0')
    3599. 

  3599.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    3600. 

  3600. 

  3601.         StringBuffer dn;
    3602. 

  3602.         name2dn(rtype, name, basedn, dn);
    3603. 

  3603. 

  3604.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3605. 

  3605.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3606. 

  3606.         
    3607. 

  3607.         int rc = ldap_delete_s(ld, (char*)dn.str());
    3608. 

  3608. 

  3609.         if ( rc != LDAP_SUCCESS )
    3610. 

  3610.         {
    3611. 

  3611.             DBGLOG("error deleting %s: %s", dn.str(), ldap_err2string(rc));
    3612. 

  3612.             //throw MakeStringException(-1, "error deleting %s: %s", dn.str(), ldap_err2string(rc));
    3613. 

  3613.         }
    3614. 

  3614.         
    3615. 

  3615.     }
    3616. 

  3616. 

  3617.     virtual void renameResource(SecResourceType rtype, const char* oldname, const char* newname, const char* basedn)
    3618. 

  3618.     {
    3619. 

  3619.         if(oldname == NULL || *oldname == '\0' || newname == NULL || *newname == '\0')
    3620. 

  3620.             throw MakeStringException(-1, "please specfiy old and new names");
    3621. 

  3621. 

  3622.         if(basedn == NULL || *basedn == '\0')
    3623. 

  3623.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    3624. 

  3624. 

  3625.         StringBuffer olddn, newrdn;
    3626. 

  3626.         name2dn(rtype, oldname, basedn, olddn);
    3627. 

  3627.         name2rdn(rtype, newname, newrdn);
    3628. 

  3628.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3629. 

  3629.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3630. 

  3630. 

  3631.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    3632. 

  3632.         {
    3633. 

  3633.             char* uncname_values[] = {(char*)newname, NULL};
    3634. 

  3634.             LDAPMod uncname_attr =
    3635. 

  3635.             {
    3636. 

  3636.                 LDAP_MOD_REPLACE,
    3637. 

  3637.                 "uNCName",
    3638. 

  3638.                 uncname_values
    3639. 

  3639.             };
    3640. 

  3640. 

  3641.             LDAPMod *attrs[2];
    3642. 

  3642.             attrs[0] = &uncname_attr;
    3643. 

  3643.             attrs[1] = NULL;
    3644. 

  3644. 

  3645.             int rc = ldap_modify_s(ld, (char*)olddn.str(), attrs);
    3646. 

  3646. 

  3647.             if (rc != LDAP_SUCCESS )
    3648. 

  3648.             {
    3649. 

  3649.                 DBGLOG("Error changing unc %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3650. 

  3650.                 //throw MakeStringException(-1, "Error changing unc %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3651. 

  3651.             }
    3652. 

  3652.         }
    3653. 

  3653. 

  3654. #ifdef _WIN32
    3655. 

  3655.         int rc = ldap_rename_ext_s(ld, (char*)olddn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    3656. 

  3656. #else
    3657. 

  3657.         int rc = ldap_rename_s(ld, (char*)olddn.str(), (char*)newrdn.str(), NULL, true, NULL, NULL);
    3658. 

  3658. #endif
    3659. 

  3659.         if (rc != LDAP_SUCCESS )
    3660. 

  3660.         {
    3661. 

  3661.             DBGLOG("Error renaming %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3662. 

  3662.             //throw MakeStringException(-1, "Error renaming %s to %s - %s", oldname, newname, ldap_err2string( rc ));
    3663. 

  3663.         }
    3664. 

  3664.     }
    3665. 

  3665. 

  3666.     virtual void copyResource(SecResourceType rtype, const char* oldname, const char* newname, const char* basedn)
    3667. 

  3667.     {
    3668. 

  3668.         if(oldname == NULL || *oldname == '\0' || newname == NULL || *newname == '\0')
    3669. 

  3669.             throw MakeStringException(-1, "please specfiy old and new names");
    3670. 

  3670. 

  3671.         if(basedn == NULL || *basedn == '\0')
    3672. 

  3672.             basedn = m_ldapconfig->getResourceBasedn(rtype);
    3673. 

  3673. 

  3674.         Owned<CSecurityDescriptor> sd = new CSecurityDescriptor(oldname);
    3675. 

  3675.         IArrayOf<CSecurityDescriptor> sdlist;
    3676. 

  3676.         sdlist.append(*LINK(sd));
    3677. 

  3677.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    3678. 

  3678.             getSecurityDescriptorsScope(sdlist, basedn);
    3679. 

  3679.         else
    3680. 

  3680.             getSecurityDescriptors(sdlist, basedn);
    3681. 

  3681. 

  3682.         if(sd->getDescriptor().length() == 0)
    3683. 

  3683.             throw MakeStringException(-1, "error copying %s to %s, %s doesn't exist", oldname, newname, oldname);
    3684. 

  3684.         
    3685. 

  3685.         ISecUser* user = NULL;
    3686. 

  3686.         CLdapSecResource resource(newname);
    3687. 

  3687.         addResource(rtype, *user, &resource, PT_DEFAULT, basedn, sd.get(), false);
    3688. 

  3688.     }
    3689. 

  3689. 

  3690.     void normalizeDn(const char* dn, StringBuffer& ndn)
    3691. 

  3691.     {
    3692. 

  3692.         LdapUtils::normalizeDn(dn, m_ldapconfig->getBasedn(), ndn);
    3693. 

  3693.     }
    3694. 

  3694. 

  3695.     virtual bool isSuperUser(ISecUser* user)
    3696. 

  3696.     {
    3697. 

  3697.         if(user == NULL || user->getName() == NULL)
    3698. 

  3698.             return false;
    3699. 

  3699.         const char* username = user->getName();
    3700. 

  3700.         const char* sysuser = m_ldapconfig->getSysUser();
    3701. 

  3701.         if(sysuser != NULL && stricmp(sysuser, username) == 0)
    3702. 

  3702.             return true;
    3703. 

  3703.         StringBuffer userdn, admingrpdn;
    3704. 

  3704.         getUserDN(username, userdn);
    3705. 

  3705.         getAdminGroupDN(admingrpdn);
    3706. 

  3706.         return userInGroup(userdn.str(), admingrpdn.str());
    3707. 

  3707.     }
    3708. 

  3708. 

  3709.     virtual ILdapConfig* queryConfig()
    3710. 

  3710.     {
    3711. 

  3711.         return m_ldapconfig.get();
    3712. 

  3712.     }
    3713. 

  3713. 

  3714.     virtual int countUsers(const char* searchstr, int limit)
    3715. 

  3715.     {
    3716. 

  3716.         StringBuffer filter;
    3717. 

  3717.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3718. 

  3718.             filter.append("objectClass=User");
    3719. 

  3719.         else
    3720. 

  3720.             filter.append("objectClass=inetorgperson");
    3721. 

  3721. 

  3722.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    3723. 

  3723.         {
    3724. 

  3724.             filter.insert(0, "(&(");
    3725. 

  3725.             filter.appendf(")(|(%s=*%s*)(%s=*%s*)(%s=*%s*)))", (m_ldapconfig->getServerType()==ACTIVE_DIRECTORY)?"sAMAcccountName":"uid", searchstr, "givenName", searchstr, "sn", searchstr);
    3726. 

  3726.         }
    3727. 

  3727. 

  3728.         return countEntries(m_ldapconfig->getUserBasedn(), filter.str(), limit);
    3729. 

  3729.     }
    3730. 

  3730. 

  3731.     virtual int countResources(const char* basedn, const char* searchstr, int limit)
    3732. 

  3732.     {
    3733. 

  3733.         StringBuffer filter;
    3734. 

  3734.         filter.append("objectClass=*");
    3735. 

  3735. 

  3736.         if(searchstr && *searchstr && strcmp(searchstr, "*") != 0)
    3737. 

  3737.         {
    3738. 

  3738.             filter.insert(0, "(&(");
    3739. 

  3739.             filter.appendf(")(|(%s=*%s*)))", "uNCName", searchstr);
    3740. 

  3740.         }
    3741. 

  3741. 

  3742.         return countEntries(basedn, filter.str(), limit);
    3743. 

  3743.     }
    3744. 

  3744. 

  3745.     virtual int countEntries(const char* basedn, const char* filter, int limit)
    3746. 

  3746.     {
    3747. 

  3747.         TIMEVAL timeOut = {LDAPTIMEOUT,0};
    3748. 

  3748. 

  3749.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3750. 

  3750.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3751. 

  3751. 

  3752.         char *attrs[] = { LDAP_NO_ATTRS, NULL };
    3753. 

  3753.         CLDAPMessage searchResult;
    3754. 

  3754.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter, attrs, 0, NULL, NULL, &timeOut, limit, &searchResult.msg );
    3755. 

  3755. 

  3756.         if ( rc != LDAP_SUCCESS )
    3757. 

  3757.         {
    3758. 

  3758.             if(rc == LDAP_SIZELIMIT_EXCEEDED)
    3759. 

  3759.                 return -1;
    3760. 

  3760.             else
    3761. 

  3761.                 throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter, basedn);
    3762. 

  3762.         }
    3763. 

  3763. 

  3764.         int entries = ldap_count_entries(ld, searchResult);
    3765. 

  3765.         return entries;
    3766. 

  3766.     }
    3767. 

  3767. 

  3768.     virtual const char* getPasswordStorageScheme()
    3769. 

  3769.     {
    3770. 

  3770.         if(m_pwscheme.length() == 0)
    3771. 

  3771.         {
    3772. 

  3772.             if(m_ldapconfig->getServerType() == IPLANET)
    3773. 

  3773.             {
    3774. 

  3774.                 Owned<ILdapConnection> lconn = m_connections->getConnection();
    3775. 

  3775.                 LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3776. 

  3776.                 
    3777. 

  3777.                 char* pw_attrs[] = {"nsslapd-rootpwstoragescheme", NULL};
    3778. 

  3778.                 CLDAPMessage msg;
    3779. 

  3779.                 int err = ldap_search_s(ld, "cn=config", LDAP_SCOPE_BASE, "objectClass=*", pw_attrs, false, &msg.msg);
    3780. 

  3780.                 if(err != LDAP_SUCCESS)
    3781. 

  3781.                 {
    3782. 

  3782.                     DBGLOG("ldap_search_s error: %s", ldap_err2string( err ));
    3783. 

  3783.                     return NULL;
    3784. 

  3784.                 }
    3785. 

  3785.                 LDAPMessage* entry = LdapFirstEntry(ld, msg);
    3786. 

  3786.                 if(entry != NULL)
    3787. 

  3787.                 {
    3788. 

  3788.                     CLDAPGetValuesWrapper vals(ld, entry, "nsslapd-rootpwstoragescheme");
    3789. 

  3789.                     if (vals.hasValues())
    3790. 

  3790.                         m_pwscheme.append(vals.queryValues()[0]);
    3791. 

  3791.                 }
    3792. 

  3792.                 ldap_msgfree(msg);
    3793. 

  3793.             }
    3794. 

  3794.         }
    3795. 

  3795.         
    3796. 

  3796.         if(m_pwscheme.length() == 0)
    3797. 

  3797.             return NULL;
    3798. 

  3798.         else
    3799. 

  3799.             return m_pwscheme.str();
    3800. 

  3800.     }
    3801. 

  3801. 

  3802. private:
    3803. 

  3803. 

  3804.     virtual void addDC(const char* dc)
    3805. 

  3805.     {
    3806. 

  3806.         if(dc == NULL || *dc == '\0')
    3807. 

  3807.             return;
    3808. 

  3808. 

  3809.         StringBuffer dcname;
    3810. 

  3810.         LdapUtils::getName(dc, dcname);
    3811. 

  3811. 

  3812.         char *dc_values[] = {(char*)dcname.str(), NULL };
    3813. 

  3813.         LDAPMod dc_attr = 
    3814. 

  3814.         {
    3815. 

  3815.             LDAP_MOD_ADD,
    3816. 

  3816.             "dc",
    3817. 

  3817.             dc_values
    3818. 

  3818.         };
    3819. 

  3819. 

  3820.         char *o_values[] = {(char*)dcname.str(), NULL };
    3821. 

  3821.         LDAPMod o_attr = 
    3822. 

  3822.         {
    3823. 

  3823.             LDAP_MOD_ADD,
    3824. 

  3824.             "o",
    3825. 

  3825.             o_values
    3826. 

  3826.         };
    3827. 

  3827. 

  3828.         char *oc_values[] = {"organization", "dcObject", NULL };
    3829. 

  3829.         LDAPMod oc_attr =
    3830. 

  3830.         {
    3831. 

  3831.             LDAP_MOD_ADD,
    3832. 

  3832.             "objectClass",
    3833. 

  3833.             oc_values
    3834. 

  3834.         };
    3835. 

  3835.         
    3836. 

  3836.         LDAPMod *attrs[4];
    3837. 

  3837.         attrs[0] = &oc_attr;
    3838. 

  3838.         attrs[1] = &o_attr;
    3839. 

  3839.         attrs[2] = &dc_attr;
    3840. 

  3840.         attrs[3] = NULL;
    3841. 

  3841. 

  3842.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3843. 

  3843.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3844. 

  3844.         int rc = ldap_add_ext_s(ld, (char*)dc, attrs, NULL, NULL);
    3845. 

  3845.         if ( rc != LDAP_SUCCESS )
    3846. 

  3846.         {
    3847. 

  3847.             if(rc == LDAP_ALREADY_EXISTS)
    3848. 

  3848.             {
    3849. 

  3849.                 throw MakeStringException(-1, "can't add dc %s, an LDAP object with this name already exists", dc);
    3850. 

  3850.             }
    3851. 

  3851.             else
    3852. 

  3852.             {
    3853. 

  3853.                 DBGLOG("error addDC %s, ldap_add_ext_s error: 0x%0x %s", dc, rc, ldap_err2string( rc ));
    3854. 

  3854.                 throw MakeStringException(-1, "error addDC %s, ldap_add_ext_s error: %s", dc, ldap_err2string( rc ));
    3855. 

  3855.             }
    3856. 

  3856.         }
    3857. 

  3857.     }
    3858. 

  3858. 

  3859.     virtual void getUserDN(const char* username, StringBuffer& userdn)
    3860. 

  3860.     {
    3861. 

  3861.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    3862. 

  3862.         {
    3863. 

  3863.             StringBuffer filter;
    3864. 

  3864.             filter.append("sAMAccountName=");
    3865. 

  3865.             filter.append(username);
    3866. 

  3866. 

  3867.             char        *attribute;
    3868. 

  3868.             LDAPMessage *message;
    3869. 

  3869. 

  3870.             TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3871. 

  3871. 

  3872.             char *dn_fieldname;
    3873. 

  3873.             dn_fieldname = "distinguishedName";
    3874. 

  3874. 

  3875.             Owned<ILdapConnection> lconn = m_connections->getConnection();
    3876. 

  3876.             LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3877. 

  3877. 

  3878.             char        *attrs[] = {dn_fieldname, NULL};
    3879. 

  3879.             CLDAPMessage searchResult;
    3880. 

  3880.             int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    3881. 

  3881. 

  3882.             if ( rc != LDAP_SUCCESS )
    3883. 

  3883.             {
    3884. 

  3884.                 throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    3885. 

  3885.             }
    3886. 

  3886. 

  3887.             unsigned entries = ldap_count_entries(ld, searchResult);
    3888. 

  3888.             if(entries == 0)
    3889. 

  3889.             {
    3890. 

  3890.                 searchResult.ldapMsgFree();
    3891. 

  3891.                 int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getSysUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );
    3892. 

  3892. 

  3893.                 if ( rc != LDAP_SUCCESS )
    3894. 

  3894.                 {
    3895. 

  3895.                     throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getSysUserBasedn());
    3896. 

  3896.                 }
    3897. 

  3897.             }
    3898. 

  3898. 

  3899.             message = LdapFirstEntry( ld, searchResult);
    3900. 

  3900.             if(message != NULL)
    3901. 

  3901.             {
    3902. 

  3902. 

  3903.                 CLDAPGetAttributesWrapper   atts(ld, searchResult);
    3904. 

  3904.                 attribute = atts.getFirst();
    3905. 

  3905.                 if(attribute != NULL)
    3906. 

  3906.                 {
    3907. 

  3907.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    3908. 

  3908.                     if (vals.hasValues())
    3909. 

  3909.                         userdn.append(vals.queryValues()[0]);
    3910. 

  3910.                 }
    3911. 

  3911.             }
    3912. 

  3912.             if(userdn.length() == 0)
    3913. 

  3913.                 throw MakeStringException(-1, "user %s can't be found", username);
    3914. 

  3914.         }
    3915. 

  3915.         else
    3916. 

  3916.         {
    3917. 

  3917.             if(stricmp(username, "anyone") == 0)
    3918. 

  3918.                 userdn.append(username);
    3919. 

  3919.             else
    3920. 

  3920.                 userdn.append("uid=").append(username).append(",").append(m_ldapconfig->getUserBasedn());
    3921. 

  3921.         }
    3922. 

  3922. 

  3923.     }
    3924. 

  3924.     
    3925. 

  3925.     virtual void getUidFromDN(const char* dn, StringBuffer& uid)
    3926. 

  3926.     {
    3927. 

  3927.         if(dn == NULL || *dn == '\0')
    3928. 

  3928.             return;
    3929. 

  3929. 

  3930.         if(m_ldapconfig->getServerType() != ACTIVE_DIRECTORY)
    3931. 

  3931.         {
    3932. 

  3932.             if (strncmp(dn,"uid=",4))//Fedora389 returns "cn=Directory Administrators"
    3933. 

  3933.                 return;
    3934. 

  3934.             const char* comma = strchr(dn, ',');
    3935. 

  3935.             // DN is in the format of "uid=uuu,ou=ooo,dc=dd"
    3936. 

  3936.             uid.append(comma - dn - 4, dn + 4);
    3937. 

  3937.             return;
    3938. 

  3938.         }
    3939. 

  3939. 

  3940.         StringBuffer filter;
    3941. 

  3941.         filter.append("distinguishedName=").append(dn);
    3942. 

  3942. 

  3943.         char        *attribute;
    3944. 

  3944.         LDAPMessage *message;
    3945. 

  3945. 

  3946.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    3947. 

  3947. 

  3948.         char *uid_fieldname = "sAMAccountName";
    3949. 

  3949. 

  3950.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    3951. 

  3951.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    3952. 

  3952. 

  3953.         char        *attrs[] = {uid_fieldname, NULL};
    3954. 

  3954.         CLDAPMessage searchResult;
    3955. 

  3955.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    3956. 

  3956. 

  3957.         if ( rc != LDAP_SUCCESS )
    3958. 

  3958.         {
    3959. 

  3959.             throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    3960. 

  3960.         }
    3961. 

  3961. 

  3962.         message = LdapFirstEntry( ld, searchResult);
    3963. 

  3963.         if(message != NULL)
    3964. 

  3964.         {
    3965. 

  3965.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    3966. 

  3966.             attribute = atts.getFirst();
    3967. 

  3967.             if(attribute != NULL)
    3968. 

  3968.             {
    3969. 

  3969.                 CLDAPGetValuesWrapper vals(ld, message, attribute);
    3970. 

  3970.                 if (vals.hasValues())
    3971. 

  3971.                     uid.append(vals.queryValues()[0]);
    3972. 

  3972.             }
    3973. 

  3973.         }
    3974. 

  3974.     }
    3975. 

  3975. 

  3976.     virtual void getGroupDN(const char* groupname, StringBuffer& groupdn)
    3977. 

  3977.     {
    3978. 

  3978.         if(groupname == NULL)
    3979. 

  3979.             return;
    3980. 

  3980.         LdapServerType stype = m_ldapconfig->getServerType();
    3981. 

  3981.         groupdn.append("cn=").append(groupname).append(",");
    3982. 

  3982.         if(stype == ACTIVE_DIRECTORY && stricmp(groupname, "Administrators") == 0)
    3983. 

  3983.         {
    3984. 

  3984.             groupdn.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    3985. 

  3985.         }
    3986. 

  3986.         else if((stype == IPLANET || stype == OPEN_LDAP) && stricmp(groupname, "Directory Administrators") == 0)
    3987. 

  3987.         {
    3988. 

  3988.             groupdn.append(m_ldapconfig->getBasedn());
    3989. 

  3989.         }
    3990. 

  3990.         else
    3991. 

  3991.         {
    3992. 

  3992.             groupdn.append(m_ldapconfig->getGroupBasedn());
    3993. 

  3993.         }
    3994. 

  3994.     }
    3995. 

  3995. 

  3996.     virtual void getGroupBaseDN(const char* groupname, StringBuffer& groupbasedn)
    3997. 

  3997.     {
    3998. 

  3998.         if(groupname == NULL)
    3999. 

  3999.             return;
    4000. 

  4000.         LdapServerType stype = m_ldapconfig->getServerType();
    4001. 

  4001.         if(stype == ACTIVE_DIRECTORY && stricmp(groupname, "Administrators") == 0)
    4002. 

  4002.         {
    4003. 

  4003.             groupbasedn.append("cn=Builtin,").append(m_ldapconfig->getBasedn());
    4004. 

  4004.         }
    4005. 

  4005.         else if((stype == IPLANET || stype == OPEN_LDAP) && stricmp(groupname, "Directory Administrators") == 0)
    4006. 

  4006.         {
    4007. 

  4007.             groupbasedn.append(m_ldapconfig->getBasedn());
    4008. 

  4008.         }
    4009. 

  4009.         else
    4010. 

  4010.         {
    4011. 

  4011.             groupbasedn.append(m_ldapconfig->getGroupBasedn());
    4012. 

  4012.         }
    4013. 

  4013.     }
    4014. 

  4014. 

  4015.     virtual void getAdminGroupDN(StringBuffer& groupdn)
    4016. 

  4016.     {
    4017. 

  4017.         LdapServerType stype = m_ldapconfig->getServerType();
    4018. 

  4018.         if(stype == ACTIVE_DIRECTORY)
    4019. 

  4019.         {
    4020. 

  4020.             groupdn.append("cn=Administrators,cn=Builtin,").append(m_ldapconfig->getBasedn());
    4021. 

  4021.         }
    4022. 

  4022.         else if(stype == IPLANET)
    4023. 

  4023.         {
    4024. 

  4024.             groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
    4025. 

  4025.         }
    4026. 

  4026.         else if(stype == OPEN_LDAP)
    4027. 

  4027.         {
    4028. 

  4028.             groupdn.append("cn=Directory Administrators,").append(m_ldapconfig->getBasedn());
    4029. 

  4029.         }
    4030. 

  4030.     }
    4031. 

  4031. 

  4032.     virtual void changeUserMemberOf(const char* action, const char* userdn, const char* groupdn)
    4033. 

  4033.     {
    4034. 

  4034.         char *grp_values[] = {(char*)groupdn, NULL};
    4035. 

  4035.         LDAPMod grp_attr = {
    4036. 

  4036.             (action != NULL && stricmp(action, "delete") == 0)?LDAP_MOD_DELETE:LDAP_MOD_ADD,
    4037. 

  4037.             "memberOf",
    4038. 

  4038.             grp_values
    4039. 

  4039.         };
    4040. 

  4040. 

  4041.         LDAPMod *grp_attrs[2];
    4042. 

  4042.         grp_attrs[0] = &grp_attr;
    4043. 

  4043.         grp_attrs[1] = NULL;
    4044. 

  4044. 

  4045.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4046. 

  4046.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4047. 

  4047. 

  4048.         int rc = ldap_modify_ext_s(ld, (char*)userdn, grp_attrs, NULL, NULL);
    4049. 

  4049.         if ( rc != LDAP_SUCCESS )
    4050. 

  4050.         {
    4051. 

  4051.             throw MakeStringException(-1, "error changing group for user %s, ldap_modify_ext_s error: %s", userdn, ldap_err2string( rc ));
    4052. 

  4052.         }
    4053. 

  4053.     }
    4054. 

  4054. 

  4055.     virtual void changeGroupMember(const char* action, const char* groupdn, const char* userdn)
    4056. 

  4056.     {
    4057. 

  4057.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4058. 

  4058.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4059. 

  4059. 

  4060.         const char* memberfieldname;
    4061. 

  4061.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4062. 

  4062.         {
    4063. 

  4063.             memberfieldname = "member";
    4064. 

  4064.         }
    4065. 

  4065.         else
    4066. 

  4066.         {
    4067. 

  4067.             memberfieldname = "uniquemember";
    4068. 

  4068.         }
    4069. 

  4069. 

  4070.         char *member_values[] = {(char*)userdn, NULL};
    4071. 

  4071.         LDAPMod member_attr = {
    4072. 

  4072.             (action != NULL && stricmp(action, "delete") == 0)?LDAP_MOD_DELETE:LDAP_MOD_ADD,
    4073. 

  4073.             (char*)memberfieldname,
    4074. 

  4074.             member_values
    4075. 

  4075.         };
    4076. 

  4076. 

  4077.         LDAPMod *member_attrs[2];
    4078. 

  4078.         member_attrs[0] = &member_attr;
    4079. 

  4079.         member_attrs[1] = NULL;
    4080. 

  4080. 

  4081.         int rc = ldap_modify_ext_s(ld, (char*)groupdn, member_attrs, NULL, NULL);
    4082. 

  4082.         if ( rc != LDAP_SUCCESS )
    4083. 

  4083.         {
    4084. 

  4084.             if (action != NULL && stricmp(action, "delete") == 0)
    4085. 

  4085.                 throw MakeStringException(-1, "Failed in deleting member from group: ldap_modify_ext_s error: %s; userdn: %s; groupdn: %s", ldap_err2string( rc ), userdn, groupdn);
    4086. 

  4086.             else
    4087. 

  4087.                 throw MakeStringException(-1, "Failed in adding member to group, ldap_modify_ext_s error: %s; userdn: %s; groupdn: %s", ldap_err2string( rc ), userdn, groupdn);
    4088. 

  4088.         }
    4089. 

  4089.     }
    4090. 

  4090. 

  4091.     void ConvertCToW(unsigned short* pszDest, const char * pszSrc)
    4092. 

  4092.     {
    4093. 

  4093.         unsigned i = 0;
    4094. 

  4094.         for(i = 0; i < strlen(pszSrc); i++)
    4095. 

  4095.             pszDest[i] = (unsigned short) pszSrc[i];
    4096. 

  4096.         pszDest[i] = (unsigned short)'\0';
    4097. 

  4097.     }
    4098. 

  4098. 

  4099. 

  4100.     virtual bool authorizeScope(ISecUser& user, IArrayOf<ISecResource>& resources, const char* basedn)
    4101. 

  4101.     {
    4102. 

  4102.         IArrayOf<CSecurityDescriptor> sdlist;
    4103. 

  4103.         std::set<const char*, ltstr> scopeset;
    4104. 

  4104.         ForEachItemIn(x, resources)
    4105. 

  4105.         {
    4106. 

  4106.             ISecResource& res = resources.item(x);
    4107. 

  4107.             const char* resourcename = res.getName();
    4108. 

  4108.             if(resourcename == NULL || *resourcename == '\0')
    4109. 

  4109.                 continue;
    4110. 

  4110. 

  4111.             // Add one extra Volume type SecurityDescriptor for each resource for ActiveDirectory.
    4112. 

  4112.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4113. 

  4113.             {
    4114. 

  4114.                 CSecurityDescriptor* sd = new CSecurityDescriptor(resourcename);
    4115. 

  4115.                 sd->setObjectClass("Volume");
    4116. 

  4116.                 sdlist.append(*sd);
    4117. 

  4117.             }
    4118. 

  4118. 

  4119.             scopeset.insert(resourcename);
    4120. 

  4120.             int len = strlen(resourcename);
    4121. 

  4121.             const char* curptr = resourcename + len - 1;
    4122. 

  4122.             while(curptr > resourcename)
    4123. 

  4123.             {
    4124. 

  4124.                 while(curptr > resourcename && *curptr != ':')
    4125. 

  4125.                     curptr--;
    4126. 

  4126.                 bool foundcolon=false;
    4127. 

  4127.                 while(curptr >resourcename && *curptr == ':')
    4128. 

  4128.                 {
    4129. 

  4129.                     curptr--;
    4130. 

  4130.                     foundcolon = true;
    4131. 

  4131.                 }
    4132. 

  4132.                 if(curptr > resourcename || foundcolon)
    4133. 

  4133.                 {
    4134. 

  4134.                     int curlen = curptr - resourcename + 1;
    4135. 

  4135.                     char* curscope = (char*)alloca(curlen + 1);
    4136. 

  4136.                     strncpy(curscope, resourcename, curlen);
    4137. 

  4137.                     curscope[curlen] = 0;
    4138. 

  4138.                     scopeset.insert(curscope);
    4139. 

  4139.                 }
    4140. 

  4140.             }
    4141. 

  4141.         }
    4142. 

  4142. 

  4143.         if(scopeset.size() == 0)
    4144. 

  4144.             return true;
    4145. 

  4145. 

  4146.         std::set<const char*, ltstr>::iterator iter;
    4147. 

  4147.         for(iter = scopeset.begin(); iter != scopeset.end(); iter++)
    4148. 

  4148.         {
    4149. 

  4149.             const char* curscope = *iter;
    4150. 

  4150.             CSecurityDescriptor* sd = new CSecurityDescriptor(*iter);
    4151. 

  4151.             sd->setObjectClass("organizationalUnit");
    4152. 

  4152.             sdlist.append(*sd);
    4153. 

  4153.         }
    4154. 

  4154. 

  4155.         getSecurityDescriptorsScope(sdlist, basedn);
    4156. 

  4156. 

  4157.         IArrayOf<CSecurityDescriptor> matched_sdlist;
    4158. 

  4158.         ForEachItemIn(y, resources)
    4159. 

  4159.         {
    4160. 

  4160.             ISecResource& res = resources.item(y);
    4161. 

  4161.             const char* rname = res.getName();
    4162. 

  4162.             if(rname == NULL || *rname == '\0')
    4163. 

  4163.                 throw MakeStringException(-1, "resource name can't be empty inside authorizeScope");
    4164. 

  4164. 

  4165.             CSecurityDescriptor* matchedsd = NULL;
    4166. 

  4166.             ForEachItemIn(z, sdlist)
    4167. 

  4167.             {
    4168. 

  4168.                 CSecurityDescriptor& sd = sdlist.item(z);
    4169. 

  4169.                 const char* sdname = sd.getName();
    4170. 

  4170.                 if(sdname ==  NULL || *sdname == '\0')
    4171. 

  4171.                     continue;
    4172. 

  4172.                 if(strncmp(sdname, rname, strlen(sdname)) == 0 
    4173. 

  4173.                     && (matchedsd == NULL 
    4174. 

  4174.                         || ((matchedsd->getDescriptor().length() == 0 && sd.getDescriptor().length() > 0) 
    4175. 

  4175.                         || (sd.getDescriptor().length() > 0 && strlen(sdname) > strlen(matchedsd->getName())))))
    4176. 

  4176.                     matchedsd = &sd;
    4177. 

  4177.             }
    4178. 

  4178.             if(matchedsd != NULL)
    4179. 

  4179.                 matched_sdlist.append(*LINK(matchedsd));
    4180. 

  4180.             else
    4181. 

  4181.                 matched_sdlist.append(*(new CSecurityDescriptor(rname)));
    4182. 

  4182.         }
    4183. 

  4183. 

  4184.         bool ok = false;
    4185. 

  4185.         if(m_pp != NULL)
    4186. 

  4186.             ok = m_pp->getPermissions(user, matched_sdlist, resources);
    4187. 

  4187.         return ok;
    4188. 

  4188.     }
    4189. 

  4189. 

  4190.     virtual void getSecurityDescriptors(SecResourceType rtype, IArrayOf<CSecurityDescriptor>& sdlist)
    4191. 

  4191.     {
    4192. 

  4192.         int len = sdlist.length();
    4193. 

  4193.         if(len == 0)
    4194. 

  4194.             return;
    4195. 

  4195. 

  4196.         const char* rbasedn = m_ldapconfig->getResourceBasedn(rtype);
    4197. 

  4197.         if(rbasedn == NULL || *rbasedn == '\0')
    4198. 

  4198.         {
    4199. 

  4199.             DBGLOG("corresponding resource basedn is not defined");
    4200. 

  4200.             return;
    4201. 

  4201.         }
    4202. 

  4202.             
    4203. 

  4203.         std::map<std::string, IArrayOf<CSecurityDescriptor>*> sdmap;
    4204. 

  4204. 

  4205.         for(int i = 0; i < len; i++)
    4206. 

  4206.         {
    4207. 

  4207.             CSecurityDescriptor& sd = sdlist.item(i);
    4208. 

  4208.             const char* relativeBasedn = sd.getRelativeBasedn();
    4209. 

  4209.             StringBuffer basedn;
    4210. 

  4210.             if(relativeBasedn != NULL)
    4211. 

  4211.                 basedn.append(relativeBasedn).append(",");
    4212. 

  4212.             basedn.append(rbasedn);
    4213. 

  4213. 

  4214.             std::map<std::string, IArrayOf<CSecurityDescriptor>*>::iterator sdit = sdmap.find(basedn.str());
    4215. 

  4215.             if(sdit == sdmap.end())
    4216. 

  4216.             {
    4217. 

  4217.                 IArrayOf<CSecurityDescriptor>* newlist = new IArrayOf<CSecurityDescriptor>;
    4218. 

  4218.                 newlist->append(*LINK(&sd));
    4219. 

  4219.                 sdmap[basedn.str()] = newlist;
    4220. 

  4220.             }
    4221. 

  4221.             else
    4222. 

  4222.             {
    4223. 

  4223.                 (*sdit).second->append(*LINK(&sd));
    4224. 

  4224.             }
    4225. 

  4225.         }
    4226. 

  4226. 

  4227.         for(std::map<std::string, IArrayOf<CSecurityDescriptor>*>::iterator cur = sdmap.begin(); cur != sdmap.end(); cur++)
    4228. 

  4228.         {
    4229. 

  4229.             getSecurityDescriptors(*((*cur).second), (*cur).first.c_str());
    4230. 

  4230.             delete (*cur).second;
    4231. 

  4231.         }
    4232. 

  4232. 

  4233.     }
    4234. 

  4234. 

  4235.     virtual void getSecurityDescriptors(IArrayOf<CSecurityDescriptor>& sdlist, const char* basedn)
    4236. 

  4236.     {
    4237. 

  4237.         char        *attribute;
    4238. 

  4238.         CLDAPGetValuesLenWrapper valsLen;
    4239. 

  4239.         LDAPMessage *message;
    4240. 

  4240.         int i;
    4241. 

  4241.         
    4242. 

  4242.         const char *id_fieldname;
    4243. 

  4243.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4244. 

  4244.         {
    4245. 

  4245.             id_fieldname = "name";
    4246. 

  4246.         }
    4247. 

  4247.         else
    4248. 

  4248.         {
    4249. 

  4249.             id_fieldname = "ou";
    4250. 

  4250.         }
    4251. 

  4251.         const char *des_fieldname = m_ldapconfig->getSdFieldName();
    4252. 

  4252. 

  4253.         int len = sdlist.length();
    4254. 

  4254.         if(len == 0)
    4255. 

  4255.             return;
    4256. 

  4256. 

  4257.         StringBuffer filter;
    4258. 

  4258.         filter.append("(|");
    4259. 

  4259.         for(i = 0; i < len; i++)
    4260. 

  4260.         {
    4261. 

  4261.             CSecurityDescriptor& sd = sdlist.item(i);
    4262. 

  4262.             StringBuffer namebuf;
    4263. 

  4263.             namebuf.append(sd.getName());
    4264. 

  4264.             namebuf.trim();
    4265. 

  4265.             if(namebuf.length() > 0)
    4266. 

  4266.             {
    4267. 

  4267.                 filter.append("(").append(id_fieldname).append("=").append(namebuf.str()).append(")");;
    4268. 

  4268.             }
    4269. 

  4269.         }
    4270. 

  4270.         filter.append(")");
    4271. 

  4271. 

  4272.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    4273. 

  4273.         
    4274. 

  4274.         char* attrs[] = {(char*)id_fieldname, (char*)des_fieldname, NULL};
    4275. 

  4275.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4276. 

  4276.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4277. 

  4277.         CLDAPMessage searchResult;
    4278. 

  4278.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );     /* returned results */
    4279. 

  4279.         
    4280. 

  4280.         if ( rc != LDAP_SUCCESS )
    4281. 

  4281.         {
    4282. 

  4282.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    4283. 

  4283.             return;
    4284. 

  4284.         }
    4285. 

  4285. 

  4286.         // Go through the search results by checking message types
    4287. 

  4287.         for(message = LdapFirstEntry(ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    4288. 

  4288.         {
    4289. 

  4289.             StringBuffer resourcename;
    4290. 

  4290.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    4291. 

  4291.             for ( attribute = atts.getFirst();
    4292. 

  4292.                   attribute != NULL;
    4293. 

  4293.                   attribute = atts.getNext())
    4294. 

  4294.             {
    4295. 

  4295.                 if(stricmp(attribute, id_fieldname) == 0)
    4296. 

  4296.                 {
    4297. 

  4297.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    4298. 

  4298.                     if (vals.hasValues())
    4299. 

  4299.                         resourcename.append(vals.queryValues()[0]);
    4300. 

  4300.                 }
    4301. 

  4301.                 else if(stricmp(attribute, des_fieldname) == 0) 
    4302. 

  4302.                 {
    4303. 

  4303.                     valsLen.getValues(ld, message, attribute);
    4304. 

  4304.                 }
    4305. 

  4305.             }
    4306. 

  4306.             for(i = 0; i < len; i++)
    4307. 

  4307.             {
    4308. 

  4308.                 CSecurityDescriptor& sd = sdlist.item(i);
    4309. 

  4309.                 if(resourcename.length() > 0 && stricmp(resourcename.str(), sd.getName()) == 0)
    4310. 

  4310.                 {
    4311. 

  4311.                     if (valsLen.hasValues())
    4312. 

  4312.                     {
    4313. 

  4313.                         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4314. 

  4314.                         {
    4315. 

  4315.                             struct berval* val = valsLen.queryValues()[0];
    4316. 

  4316.                             if(val != NULL)
    4317. 

  4317.                             {
    4318. 

  4318.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4319. 

  4319.                                 sd.setDescriptor(val->bv_len, val->bv_val);
    4320. 

  4320.                             }
    4321. 

  4321.                         }
    4322. 

  4322.                         else
    4323. 

  4323.                         {
    4324. 

  4324.                             MemoryBuffer allvals;
    4325. 

  4325.                             int valseq = 0;
    4326. 

  4326.                             struct berval* val = valsLen.queryValues()[valseq++];
    4327. 

  4327.                             while(val != NULL)
    4328. 

  4328.                             {
    4329. 

  4329.                                 if(val->bv_len > 0)
    4330. 

  4330.                                 {
    4331. 

  4331.                                     allvals.append(val->bv_len, val->bv_val);
    4332. 

  4332.                                     allvals.append('\0'); // my separator between ACIs
    4333. 

  4333.                                 }
    4334. 

  4334.                                 val = valsLen.queryValues()[valseq++];
    4335. 

  4335.                             }
    4336. 

  4336.                             if(allvals.length() > 0)
    4337. 

  4337.                             {
    4338. 

  4338.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4339. 

  4339.                                 sd.setDescriptor(allvals.length(), (void*)allvals.toByteArray());
    4340. 

  4340.                             }
    4341. 

  4341.                         }
    4342. 

  4342.                     }
    4343. 

  4343.                     break;
    4344. 

  4344.                 }
    4345. 

  4345.             }
    4346. 

  4346.         }
    4347. 

  4347.     }
    4348. 

  4348. 

  4349.     virtual void getSecurityDescriptorsScope(IArrayOf<CSecurityDescriptor>& sdlist, const char* basedn)
    4350. 

  4350.     {
    4351. 

  4351.         char        *attribute;
    4352. 

  4352.         CLDAPGetValuesLenWrapper valsLen;
    4353. 

  4353.         LDAPMessage *message;
    4354. 

  4354.         int i;
    4355. 

  4355. 

  4356.         int len = sdlist.length();
    4357. 

  4357.         if(len == 0)
    4358. 

  4358.             return;
    4359. 

  4359. 

  4360.         LdapServerType servertype = m_ldapconfig->getServerType();
    4361. 

  4361. 

  4362.         char *sd_fieldname = (char*)m_ldapconfig->getSdFieldName();
    4363. 

  4363. 

  4364.         StringBuffer filter;
    4365. 

  4365.         filter.append("(|");
    4366. 

  4366.         for(i = 0; i < len; i++)
    4367. 

  4367.         {
    4368. 

  4368.             CSecurityDescriptor& sd = sdlist.item(i);
    4369. 

  4369.             StringBuffer namebuf;
    4370. 

  4370.             namebuf.append(sd.getName());
    4371. 

  4371.             namebuf.trim();
    4372. 

  4372.             if(namebuf.length() > 0)
    4373. 

  4373.             {
    4374. 

  4374.                 const char* resourcename = namebuf.str();
    4375. 

  4375.                 int len = namebuf.length();
    4376. 

  4376.                 const char* curptr = resourcename + len - 1;
    4377. 

  4377.                 StringBuffer dn, cn;
    4378. 

  4378.                 bool isleaf = true;
    4379. 

  4379.                 while(curptr > resourcename)
    4380. 

  4380.                 {
    4381. 

  4381.                     const char* lastptr = curptr;
    4382. 

  4382.                     while(curptr > resourcename && *curptr != ':')
    4383. 

  4383.                         curptr--;
    4384. 

  4384.                     int curlen;
    4385. 

  4385.                     const char* curscope;
    4386. 

  4386.                     if(*curptr == ':')
    4387. 

  4387.                     {
    4388. 

  4388.                         curlen = lastptr - curptr;
    4389. 

  4389.                         curscope = curptr + 1;
    4390. 

  4390.                     }
    4391. 

  4391.                     else
    4392. 

  4392.                     {
    4393. 

  4393.                         curlen = lastptr - curptr + 1;
    4394. 

  4394.                         curscope = curptr;
    4395. 

  4395.                     }
    4396. 

  4396.                     if(isleaf && (sd.getObjectClass() != NULL) && (stricmp(sd.getObjectClass(), "Volume") == 0))
    4397. 

  4397.                     {
    4398. 

  4398.                         cn.append(curlen, curscope);
    4399. 

  4399.                         dn.append("cn=").append(curlen, curscope).append(",");
    4400. 

  4400.                     }
    4401. 

  4401.                     else
    4402. 

  4402.                     {
    4403. 

  4403.                         cn.append(curlen, curscope);
    4404. 

  4404.                         dn.append("ou=").append(curlen, curscope).append(",");
    4405. 

  4405.                     }
    4406. 

  4406.                     
    4407. 

  4407.                     isleaf = false;
    4408. 

  4408. 

  4409.                     if (curptr == resourcename) //handle a single char as the top scope, such as x::abc
    4410. 

  4410.                         break;
    4411. 

  4411. 

  4412.                     while(curptr >resourcename && *curptr == ':')
    4413. 

  4413.                         curptr--;
    4414. 

  4414. 

  4415.                     if (curptr == resourcename && *curptr != ':') //handle a single char as the top scope, such as x::abc
    4416. 

  4416.                     {
    4417. 

  4417.                         dn.append("ou=").append(1, curptr).append(",");
    4418. 

  4418.                     }
    4419. 

  4419.                 }
    4420. 

  4420.                 dn.append(basedn);
    4421. 

  4421. 

  4422.                 if(servertype == ACTIVE_DIRECTORY)
    4423. 

  4423.                 {
    4424. 

  4424.                     filter.append("(distinguishedName=").append(dn.str()).append(")");
    4425. 

  4425.                 }
    4426. 

  4426.                 else if(servertype == IPLANET)
    4427. 

  4427.                 {
    4428. 

  4428.                     filter.append("(entrydn=").append(dn.str()).append(")");
    4429. 

  4429.                 }
    4430. 

  4430.                 else if(servertype == OPEN_LDAP)
    4431. 

  4431.                 {
    4432. 

  4432.                     filter.append("(ou=").append(cn.str()).append(")");
    4433. 

  4433.                 }
    4434. 

  4434.                 sd.setDn(dn.str());
    4435. 

  4435.             }
    4436. 

  4436.         }
    4437. 

  4437.         filter.append(")");
    4438. 

  4438. 

  4439.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    4440. 

  4440.         
    4441. 

  4441.         char* attrs[] = {sd_fieldname, NULL};
    4442. 

  4442.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4443. 

  4443.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4444. 

  4444.         CLDAPMessage searchResult;
    4445. 

  4445.         int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg );     /* returned results */
    4446. 

  4446.         
    4447. 

  4447.         if ( rc != LDAP_SUCCESS )
    4448. 

  4448.         {
    4449. 

  4449.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
    4450. 

  4450.             return;
    4451. 

  4451.         }
    4452. 

  4452. 

  4453.         // Go through the search results by checking message types
    4454. 

  4454.         for(message = LdapFirstEntry(ld, searchResult); message != NULL; message = ldap_next_entry(ld, message))
    4455. 

  4455.         {
    4456. 

  4456.             StringBuffer dn;
    4457. 

  4457. 

  4458.             char *p = ldap_get_dn(ld, message);
    4459. 

  4459.             dn.append(p);
    4460. 

  4460.             ldap_memfree(p);
    4461. 

  4461. 

  4462.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    4463. 

  4463.             for ( attribute = atts.getFirst();
    4464. 

  4464.                   attribute != NULL;
    4465. 

  4465.                   attribute = atts.getNext())
    4466. 

  4466.             {
    4467. 

  4467.                 if(stricmp(attribute, sd_fieldname) == 0) 
    4468. 

  4468.                 {
    4469. 

  4469.                     valsLen.getValues(ld, message, attribute);
    4470. 

  4470.                 }
    4471. 

  4471.             }
    4472. 

  4472.             for(i = 0; i < len; i++)
    4473. 

  4473.             {
    4474. 

  4474.                 CSecurityDescriptor& sd = sdlist.item(i);
    4475. 

  4475.                 if(dn.length() > 0 && stricmp(dn.str(), sd.getDn()) == 0)
    4476. 

  4476.                 {
    4477. 

  4477.                     if (valsLen.hasValues())
    4478. 

  4478.                     {
    4479. 

  4479.                         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4480. 

  4480.                         {
    4481. 

  4481.                             struct berval* val = valsLen.queryValues()[0];
    4482. 

  4482.                             if(val != NULL)
    4483. 

  4483.                             {
    4484. 

  4484.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4485. 

  4485.                                 sd.setDescriptor(val->bv_len, val->bv_val);
    4486. 

  4486.                             }
    4487. 

  4487.                         }
    4488. 

  4488.                         else
    4489. 

  4489.                         {
    4490. 

  4490.                             MemoryBuffer allvals;
    4491. 

  4491.                             int valseq = 0;
    4492. 

  4492.                             struct berval* val = valsLen.queryValues()[valseq++];
    4493. 

  4493.                             while(val != NULL)
    4494. 

  4494.                             {
    4495. 

  4495.                                 if(val->bv_len > 0)
    4496. 

  4496.                                 {
    4497. 

  4497.                                     allvals.append(val->bv_len, val->bv_val);
    4498. 

  4498.                                     allvals.append('\0'); // my separator between ACIs
    4499. 

  4499.                                 }
    4500. 

  4500.                                 val = valsLen.queryValues()[valseq++];
    4501. 

  4501.                             }
    4502. 

  4502.                             if(allvals.length() > 0)
    4503. 

  4503.                             {
    4504. 

  4504.                                 CSecurityDescriptor& sd = sdlist.item(i);
    4505. 

  4505.                                 sd.setDescriptor(allvals.length(), (void*)allvals.toByteArray());
    4506. 

  4506.                             }
    4507. 

  4507.                         }
    4508. 

  4508. 

  4509.                     }
    4510. 

  4510.                     break;
    4511. 

  4511.                 }
    4512. 

  4512.             }
    4513. 

  4513.         }
    4514. 

  4514.     }
    4515. 

  4515. 

  4516.     virtual void createLdapBasedn(ISecUser* user, const char* basedn, SecPermissionType ptype)
    4517. 

  4517.     {
    4518. 

  4518.         if(basedn == NULL || basedn[0] == '\0')
    4519. 

  4519.             return;
    4520. 

  4520. 

  4521.         const char* ptr = strstr(basedn, "ou=");
    4522. 

  4522.         if(ptr == NULL)
    4523. 

  4523.             return;
    4524. 

  4524.         ptr += 3;
    4525. 

  4525. 

  4526.         StringBuffer oubuf;
    4527. 

  4527.         const char* comma = strchr(ptr, ',');
    4528. 

  4528.         if(comma == NULL)
    4529. 

  4529.         {
    4530. 

  4530.             oubuf.append(ptr);
    4531. 

  4531.             ptr = NULL;
    4532. 

  4532.         }
    4533. 

  4533.         else
    4534. 

  4534.         {
    4535. 

  4535.             oubuf.append(comma - ptr, ptr);
    4536. 

  4536.             ptr = comma + 1;
    4537. 

  4537.         }
    4538. 

  4538. 

  4539.         if(ptr != NULL)
    4540. 

  4540.             createLdapBasedn(user, ptr, ptype);
    4541. 

  4541. 

  4542.         addOrganizationalUnit(user, oubuf.str(), ptr, ptype);
    4543. 

  4543. 

  4544.     }
    4545. 

  4545. 

  4546.     virtual bool addOrganizationalUnit(ISecUser* user, const char* name, const char* basedn, SecPermissionType ptype)
    4547. 

  4547.     {
    4548. 

  4548.         if(name == NULL || basedn == NULL)
    4549. 

  4549.             return false;
    4550. 

  4550. 

  4551.         if(strchr(name, '/') != NULL || strchr(name, '=') != NULL)
    4552. 

  4552.             return false;
    4553. 

  4553. 

  4554.         StringBuffer dn;
    4555. 

  4555.         dn.append("ou=").append(name).append(",").append(basedn);
    4556. 

  4556. 

  4557.         char *ou_values[] = {(char*)name, NULL };
    4558. 

  4558.         LDAPMod ou_attr = 
    4559. 

  4559.         {
    4560. 

  4560.             LDAP_MOD_ADD,
    4561. 

  4561.             "ou",
    4562. 

  4562.             ou_values
    4563. 

  4563.         };
    4564. 

  4564. 

  4565.         char *name_values[] = {(char*)name, NULL };
    4566. 

  4566.         LDAPMod name_attr = 
    4567. 

  4567.         {
    4568. 

  4568.             LDAP_MOD_ADD,
    4569. 

  4569.             "name",
    4570. 

  4570.             name_values
    4571. 

  4571.         };
    4572. 

  4572. 

  4573.         char *oc_values[] = {"OrganizationalUnit", NULL };
    4574. 

  4574.         LDAPMod oc_attr =
    4575. 

  4575.         {
    4576. 

  4576.             LDAP_MOD_ADD,
    4577. 

  4577.             "objectClass",
    4578. 

  4578.             oc_values
    4579. 

  4579.         };
    4580. 

  4580. 

  4581.         MemoryBuffer sdbuf;
    4582. 

  4582.         Owned<CSecurityDescriptor> default_sd = NULL;
    4583. 

  4583.         if(m_pp !=  NULL)
    4584. 

  4584.             default_sd.setown(m_pp->createDefaultSD(user, name, ptype));
    4585. 

  4585.         if(default_sd != NULL)
    4586. 

  4586.             sdbuf.append(default_sd->getDescriptor());
    4587. 

  4587. 

  4588.         LDAPMod *attrs[6];
    4589. 

  4589.         int ind = 0;
    4590. 

  4590.         attrs[ind++] = &ou_attr;
    4591. 

  4591.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    4592. 

  4592.         {       
    4593. 

  4593.             attrs[ind++] = &name_attr;
    4594. 

  4594.         }
    4595. 

  4595.         attrs[ind++] = &oc_attr;
    4596. 

  4596. 

  4597.         LDAPMod sd_attr;
    4598. 

  4598.         struct berval sd_val;
    4599. 

  4599.         sd_val.bv_len = sdbuf.length();
    4600. 

  4600.         sd_val.bv_val = (char*)sdbuf.toByteArray();
    4601. 

  4601.         struct berval* sd_values[] = {&sd_val, NULL};
    4602. 

  4602.         sd_attr.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
    4603. 

  4603.         
    4604. 

  4604.         sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    4605. 

  4605. 

  4606.         sd_attr.mod_vals.modv_bvals = sd_values;
    4607. 

  4607. 

  4608.         if(sdbuf.length() > 0)
    4609. 

  4609.             attrs[ind++] = &sd_attr;
    4610. 

  4610. 

  4611.         attrs[ind] = NULL;
    4612. 

  4612. 

  4613.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4614. 

  4614.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4615. 

  4615.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    4616. 

  4616.         if ( rc != LDAP_SUCCESS )
    4617. 

  4617.         {
    4618. 

  4618.             if(rc == LDAP_ALREADY_EXISTS)
    4619. 

  4619.             {
    4620. 

  4620.                 //WARNLOG("Can't insert ou=%s,%s to Ldap Server, an LDAP object with this name already exists", name, basedn);
    4621. 

  4621.                 return false;
    4622. 

  4622.             }
    4623. 

  4623.             else
    4624. 

  4624.             {
    4625. 

  4625.                 throw MakeStringException(-1, "ldap_add_ext_s error for ou=%s,%s: %d %s", name, basedn, rc, ldap_err2string( rc ));
    4626. 

  4626.             }
    4627. 

  4627.         }
    4628. 

  4628. 

  4629.         return true;
    4630. 

  4630.     }
    4631. 

  4631. 

  4632.     virtual void name2dn(SecResourceType rtype, const char* resourcename, const char* basedn, StringBuffer& ldapname)
    4633. 

  4633.     {
    4634. 

  4634.         StringBuffer namebuf;
    4635. 

  4635. 

  4636.         const char* bptr = resourcename;
    4637. 

  4637.         const char* sep = strstr(resourcename, "::");
    4638. 

  4638.         while(sep != NULL)
    4639. 

  4639.         {
    4640. 

  4640.             if(sep > bptr)
    4641. 

  4641.             {
    4642. 

  4642.                 StringBuffer onebuf;
    4643. 

  4643.                 onebuf.append("ou=").append(sep-bptr, bptr).append(",");
    4644. 

  4644.                 namebuf.insert(0, onebuf.str());
    4645. 

  4645.             }
    4646. 

  4646. 

  4647.             bptr = sep + 2;
    4648. 

  4648.             sep = strstr(bptr, "::");
    4649. 

  4649.         }
    4650. 

  4650.         if(*bptr != '\0')
    4651. 

  4651.         {
    4652. 

  4652.             StringBuffer onebuf;
    4653. 

  4653.             if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    4654. 

  4654.                 onebuf.append("cn");
    4655. 

  4655.             else
    4656. 

  4656.                 onebuf.append("ou");
    4657. 

  4657.             onebuf.append("=").append(bptr).append(",");
    4658. 

  4658.             namebuf.insert(0, onebuf.str());
    4659. 

  4659.         }
    4660. 

  4660. 

  4661.         namebuf.append(basedn);
    4662. 

  4662.         LdapUtils::normalizeDn(namebuf.str(), m_ldapconfig->getBasedn(), ldapname);
    4663. 

  4663.     }
    4664. 

  4664. 

  4665.     virtual void name2rdn(SecResourceType rtype, const char* resourcename, StringBuffer& ldapname)
    4666. 

  4666.     {
    4667. 

  4667.         if(resourcename == NULL || *resourcename == '\0')
    4668. 

  4668.             return;
    4669. 

  4669. 

  4670.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY && (rtype == RT_DEFAULT || rtype == RT_MODULE || rtype == RT_SERVICE))
    4671. 

  4671.             ldapname.append("cn=");
    4672. 

  4672.         else
    4673. 

  4673.             ldapname.append("ou=");
    4674. 

  4674.         
    4675. 

  4675.         const char* prevptr = resourcename;
    4676. 

  4676.         const char* nextptr = strstr(resourcename, "::");
    4677. 

  4677.         while(nextptr != NULL)
    4678. 

  4678.         {
    4679. 

  4679.             prevptr = nextptr + 2;
    4680. 

  4680.             nextptr = strstr(prevptr, "::");
    4681. 

  4681.         }
    4682. 

  4682.         if(prevptr != NULL && *prevptr != '\0')
    4683. 

  4683.             ldapname.append(prevptr);
    4684. 

  4684.     }
    4685. 

  4685. 

  4686.     virtual bool addResource(SecResourceType rtype, ISecUser& user, ISecResource* resource, SecPermissionType ptype, const char* basedn)
    4687. 

  4687.     {
    4688. 

  4688.         Owned<CSecurityDescriptor> template_sd = NULL;
    4689. 

  4689.         const char* templatename = m_ldapconfig->getTemplateName();
    4690. 

  4690.         if(templatename != NULL && *templatename != '\0')
    4691. 

  4691.         {
    4692. 

  4692.             IArrayOf<CSecurityDescriptor> sdlist;
    4693. 

  4693.             template_sd.setown(new CSecurityDescriptor(templatename));
    4694. 

  4694.             sdlist.append(*LINK(template_sd));
    4695. 

  4695.             if(basedn && *basedn)
    4696. 

  4696.                 getSecurityDescriptors(sdlist, basedn);
    4697. 

  4697.             else
    4698. 

  4698.                 getSecurityDescriptors(rtype, sdlist);
    4699. 

  4699.         }
    4700. 

  4700. 

  4701.         Owned<CSecurityDescriptor> default_sd = NULL;
    4702. 

  4702.         if(template_sd != NULL && template_sd->getDescriptor().length() > 0)
    4703. 

  4703.         {
    4704. 

  4704.             MemoryBuffer template_sd_buf;
    4705. 

  4705.             template_sd_buf.append(template_sd->getDescriptor());
    4706. 

  4706.             if(m_pp != NULL)
    4707. 

  4707.                 default_sd.setown(m_pp->createDefaultSD(&user, resource, template_sd_buf));
    4708. 

  4708.         }
    4709. 

  4709.         else
    4710. 

  4710.         {
    4711. 

  4711.             if(m_pp !=  NULL)
    4712. 

  4712.                 default_sd.setown(m_pp->createDefaultSD(&user, resource, ptype));
    4713. 

  4713.         }
    4714. 

  4714. 

  4715.         return addResource(rtype, user, resource, ptype, basedn, default_sd.get());
    4716. 

  4716.     }
    4717. 

  4717. 

  4718.     virtual bool addResource(SecResourceType rtype, ISecUser& user, ISecResource* resource, SecPermissionType ptype, const char* basedn, CSecurityDescriptor* default_sd, bool lessException=true)
    4719. 

  4719.     {
    4720. 

  4720.         if(resource == NULL)
    4721. 

  4721.             return true;
    4722. 

  4722. 

  4723.         char* resourcename = (char*)resource->getName();
    4724. 

  4724.         if(resourcename == NULL)
    4725. 

  4725.         {
    4726. 

  4726.             DBGLOG("can't add resource, empty resource name");
    4727. 

  4727.             return false;
    4728. 

  4728.         }
    4729. 

  4729. 

  4730.         const char* rbasedn;
    4731. 

  4731.         StringBuffer rbasednbuf;
    4732. 

  4732.         if(basedn == NULL)
    4733. 

  4733.             rbasedn = m_ldapconfig->getResourceBasedn(rtype);
    4734. 

  4734.         else
    4735. 

  4735.         {
    4736. 

  4736.             LdapUtils::normalizeDn(basedn, m_ldapconfig->getBasedn(), rbasednbuf);
    4737. 

  4737.             rbasedn = rbasednbuf.str();
    4738. 

  4738.         }
    4739. 

  4739.         if(rbasedn == NULL || *rbasedn == '\0')
    4740. 

  4740.         {
    4741. 

  4741.             DBGLOG("Can't add resource, corresponding resource basedn is not defined");
    4742. 

  4742.             return false;
    4743. 

  4743.         }
    4744. 

  4744. 

  4745.         if(strchr(resourcename, '/') != NULL || strchr(resourcename, '=') != NULL)
    4746. 

  4746.             return false;
    4747. 

  4747. 

  4748.         if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
    4749. 

  4749.         {
    4750. 

  4750.             StringBuffer extbuf;
    4751. 

  4751.             name2dn(rtype, resourcename, rbasedn, extbuf);
    4752. 

  4752.             createLdapBasedn(&user, extbuf.str(), ptype);
    4753. 

  4753.             return true;
    4754. 

  4754.         }
    4755. 

  4755. 

  4756.         LdapServerType servertype = m_ldapconfig->getServerType();
    4757. 

  4757. 

  4758.         char* description = (char*)((CLdapSecResource*)resource)->getDescription();
    4759. 

  4759. 

  4760.         StringBuffer dn;
    4761. 

  4761.         
    4762. 

  4762.         char *fieldname, *oc_name;
    4763. 

  4763.         if(servertype == ACTIVE_DIRECTORY)
    4764. 

  4764.         {
    4765. 

  4765.             fieldname = "cn";
    4766. 

  4766.             oc_name = "Volume";
    4767. 

  4767.         }
    4768. 

  4768.         else
    4769. 

  4769.         {
    4770. 

  4770.             fieldname = "ou";
    4771. 

  4771.             oc_name = "OrganizationalUnit";
    4772. 

  4772.         }
    4773. 

  4773. 

  4774.         dn.append(fieldname).append("=").append(resourcename).append(",");
    4775. 

  4775.         dn.append(rbasedn);
    4776. 

  4776. 

  4777.         char *cn_values[] = {resourcename, NULL };
    4778. 

  4778.         LDAPMod cn_attr = 
    4779. 

  4779.         {
    4780. 

  4780.             LDAP_MOD_ADD,
    4781. 

  4781.             fieldname,
    4782. 

  4782.             cn_values
    4783. 

  4783.         };
    4784. 

  4784.         char *oc_values[] = {oc_name, NULL };
    4785. 

  4785.         LDAPMod oc_attr =
    4786. 

  4786.         {
    4787. 

  4787.             LDAP_MOD_ADD,
    4788. 

  4788.             "objectClass",
    4789. 

  4789.             oc_values
    4790. 

  4790.         };
    4791. 

  4791.         char* uncname_values[] = {resourcename, NULL};
    4792. 

  4792.         LDAPMod uncname_attr =
    4793. 

  4793.         {
    4794. 

  4794.             LDAP_MOD_ADD,
    4795. 

  4795.             "uNCName",
    4796. 

  4796.             uncname_values
    4797. 

  4797.         };
    4798. 

  4798. 

  4799.         StringBuffer descriptionbuf;
    4800. 

  4800.         if(description  && *description)
    4801. 

  4801.             descriptionbuf.append(description);
    4802. 

  4802.         else
    4803. 

  4803.             descriptionbuf.appendf("Access to %s", resourcename);
    4804. 

  4804. 

  4805.         char* description_values[] = {(char*)descriptionbuf.str(), NULL};
    4806. 

  4806.         LDAPMod description_attr =
    4807. 

  4807.         {
    4808. 

  4808.             LDAP_MOD_ADD,
    4809. 

  4809.             "description",
    4810. 

  4810.             description_values
    4811. 

  4811.         };
    4812. 

  4812. 

  4813.         Owned<CSecurityDescriptor> template_sd = NULL;
    4814. 

  4814.         const char* templatename = m_ldapconfig->getTemplateName();
    4815. 

  4815.         if(templatename != NULL && *templatename != '\0')
    4816. 

  4816.         {
    4817. 

  4817.             IArrayOf<CSecurityDescriptor> sdlist;
    4818. 

  4818.             template_sd.setown(new CSecurityDescriptor(templatename));
    4819. 

  4819.             sdlist.append(*LINK(template_sd));
    4820. 

  4820.             getSecurityDescriptors(rtype, sdlist);
    4821. 

  4821.         }
    4822. 

  4822. 

  4823.         int numberOfSegs = 0;
    4824. 

  4824.         if(default_sd != NULL)
    4825. 

  4825.         {
    4826. 

  4826.             numberOfSegs = m_pp->sdSegments(default_sd);
    4827. 

  4827.         }
    4828. 

  4828. 

  4829.         LDAPMod **attrs = (LDAPMod**)(alloca((5+numberOfSegs)*sizeof(LDAPMod*)));
    4830. 

  4830. 

  4831.         int ind = 0;
    4832. 

  4832.         attrs[ind++] = &cn_attr;
    4833. 

  4833.         attrs[ind++] = &oc_attr;
    4834. 

  4834.         attrs[ind++] = &description_attr;
    4835. 

  4835. 

  4836.         if(servertype == ACTIVE_DIRECTORY)
    4837. 

  4837.         {
    4838. 

  4838.             attrs[ind++] = &uncname_attr;
    4839. 

  4839.         }
    4840. 

  4840. 

  4841.         LDAPMod sd_attr;
    4842. 

  4842. 

  4843.         if(default_sd != NULL)
    4844. 

  4844.         {
    4845. 

  4845.             struct berval** sd_values = (struct berval**)alloca(sizeof(struct berval*)*(numberOfSegs+1));
    4846. 

  4846.             MemoryBuffer& sdbuf = default_sd->getDescriptor();
    4847. 

  4847. 

  4848.             // Active Directory acutally has only one segment.
    4849. 

  4849.             if(servertype == ACTIVE_DIRECTORY)
    4850. 

  4850.             {
    4851. 

  4851.                 struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    4852. 

  4852.                 sd_val->bv_len = sdbuf.length();
    4853. 

  4853.                 sd_val->bv_val = (char*)sdbuf.toByteArray();
    4854. 

  4854.                 sd_values[0] = sd_val;
    4855. 

  4855.                 sd_values[1] = NULL;
    4856. 

  4856. 

  4857.                 sd_attr.mod_type = "ntSecurityDescriptor";
    4858. 

  4858.             }
    4859. 

  4859.             else
    4860. 

  4860.             {
    4861. 

  4861.                 const char* bbptr = sdbuf.toByteArray();
    4862. 

  4862.                 const char* bptr = sdbuf.toByteArray();
    4863. 

  4863.                 int sdbuflen = sdbuf.length();
    4864. 

  4864.                 int segind;
    4865. 

  4865.                 for(segind = 0; segind < numberOfSegs; segind++)
    4866. 

  4866.                 {
    4867. 

  4867.                     if(bptr - bbptr >= sdbuflen)
    4868. 

  4868.                         break;
    4869. 

  4869.                     while(*bptr == '\0' && (bptr - bbptr) < sdbuflen)
    4870. 

  4870.                         bptr++;
    4871. 

  4871. 

  4872.                     const char* eptr = bptr;
    4873. 

  4873.                     while(*eptr != '\0' && (eptr - bbptr) < sdbuflen)
    4874. 

  4874.                         eptr++;
    4875. 

  4875. 

  4876.                     struct berval* sd_val = (struct berval*)alloca(sizeof(struct berval));
    4877. 

  4877.                     sd_val->bv_len = eptr - bptr;
    4878. 

  4878.                     sd_val->bv_val = (char*)bptr;
    4879. 

  4879.                     sd_values[segind] = sd_val;
    4880. 

  4880. 

  4881.                     bptr = eptr + 1;
    4882. 

  4882.                 }
    4883. 

  4883.                 sd_values[segind] = NULL;
    4884. 

  4884. 

  4885.                 sd_attr.mod_type = (char*)m_ldapconfig->getSdFieldName();
    4886. 

  4886.             }
    4887. 

  4887.             sd_attr.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
    4888. 

  4888.             sd_attr.mod_vals.modv_bvals = sd_values;
    4889. 

  4889. 

  4890.             attrs[ind++] = &sd_attr;
    4891. 

  4891.         }
    4892. 

  4892.         attrs[ind] = NULL;
    4893. 

  4893. 

  4894.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    4895. 

  4895.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    4896. 

  4896.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    4897. 

  4897.         if ( rc != LDAP_SUCCESS )
    4898. 

  4898.         {
    4899. 

  4899.             if(rc == LDAP_ALREADY_EXISTS)
    4900. 

  4900.             {
    4901. 

  4901.                 //WARNLOG("Can't insert %s to Ldap Server, an LDAP object with this name already exists", resourcename);
    4902. 

  4902.                 if(lessException)
    4903. 

  4903.                     return false;
    4904. 

  4904.                 else
    4905. 

  4905.                     throw MakeStringException(-1, "Can't insert %s, an LDAP object with this name already exists", resourcename);
    4906. 

  4906.             }
    4907. 

  4907.             else
    4908. 

  4908.             {
    4909. 

  4909.                 throw MakeStringException(-1, "ldap_add_ext_s error for %s: %d %s", resourcename, rc, ldap_err2string( rc ));
    4910. 

  4910.             }
    4911. 

  4911.         }
    4912. 

  4912. 

  4913.         return true;
    4914. 

  4914.     }
    4915. 

  4915. 

  4916.     virtual void enableUser(ISecUser* user, const char* dn, LDAP* ld)
    4917. 

  4917.     {
    4918. 

  4918.         const char* username = user->getName();
    4919. 

  4919. 

  4920.         StringBuffer filter;
    4921. 

  4921.         filter.append("sAMAccountName=").append(username);
    4922. 

  4922. 

  4923.         char        *attribute;
    4924. 

  4924.         LDAPMessage *message;
    4925. 

  4925. 

  4926.         TIMEVAL timeOut = {LDAPTIMEOUT,0};   
    4927. 

  4927. 

  4928.         char        *attrs[] = {"userAccountControl", NULL};
    4929. 

  4929.         CLDAPMessage searchResult;
    4930. 

  4930.         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getUserBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,    &searchResult.msg );
    4931. 

  4931. 

  4932.         if ( rc != LDAP_SUCCESS )
    4933. 

  4933.         {
    4934. 

  4934.             DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    4935. 

  4935.             throw MakeStringException(-1, "ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), m_ldapconfig->getUserBasedn());
    4936. 

  4936.         }
    4937. 

  4937. 

  4938.         StringBuffer act_ctrl;
    4939. 

  4939.         message = LdapFirstEntry( ld, searchResult);
    4940. 

  4940.         if(message != NULL)
    4941. 

  4941.         {
    4942. 

  4942.             CLDAPGetAttributesWrapper   atts(ld, searchResult);
    4943. 

  4943.             for ( attribute = atts.getFirst();
    4944. 

  4944.                   attribute != NULL;
    4945. 

  4945.                   attribute = atts.getNext())
    4946. 

  4946.             {
    4947. 

  4947.                 if(0 == stricmp(attribute, "userAccountControl"))
    4948. 

  4948.                 {
    4949. 

  4949.                     CLDAPGetValuesWrapper vals(ld, message, attribute);
    4950. 

  4950.                     if (vals.hasValues())
    4951. 

  4951.                     {
    4952. 

  4952.                         act_ctrl.append(vals.queryValues()[0]);
    4953. 

  4953.                         break;
    4954. 

  4954.                     }
    4955. 

  4955.                 }
    4956. 

  4956.             }
    4957. 

  4957.         }
    4958. 

  4958. 

  4959.         if(act_ctrl.length() == 0)
    4960. 

  4960.         {
    4961. 

  4961.             DBGLOG("enableUser: userAccountControl doesn't exist for user %s",username);
    4962. 

  4962.             throw MakeStringException(-1, "enableUser: userAccountControl doesn't exist for user %s",username);
    4963. 

  4963.         }
    4964. 

  4964. 

  4965.         unsigned act_ctrl_val = atoi(act_ctrl.str());
    4966. 

  4966. 

  4967.         // UF_ACCOUNTDISABLE 0x0002
    4968. 

  4968.         act_ctrl_val &= 0xFFFFFFFD;
    4969. 

  4969. #ifdef _DONT_EXPIRE_PASSWORD
    4970. 

  4970.         // UF_DONT_EXPIRE_PASSWD 0x10000
    4971. 

  4971.         if (m_domainPwdsNeverExpire)
    4972. 

  4972.             act_ctrl_val |= 0x10000;
    4973. 

  4973. #endif
    4974. 

  4974. 

  4975.         StringBuffer new_act_ctrl;
    4976. 

  4976.         new_act_ctrl.append(act_ctrl_val);
    4977. 

  4977. 

  4978.         char *ctrl_values[] = {(char*)new_act_ctrl.str(), NULL};
    4979. 

  4979.         LDAPMod ctrl_attr = {
    4980. 

  4980.             LDAP_MOD_REPLACE,
    4981. 

  4981.             "userAccountControl",
    4982. 

  4982.             ctrl_values
    4983. 

  4983.         };
    4984. 

  4984.         LDAPMod *cattrs[2];
    4985. 

  4985.         cattrs[0] = &ctrl_attr;
    4986. 

  4986.         cattrs[1] = NULL;
    4987. 

  4987. 

  4988.         rc = ldap_modify_ext_s(ld, (char*)dn, cattrs, NULL, NULL);
    4989. 

  4989.         if ( rc != LDAP_SUCCESS )
    4990. 

  4990.         {
    4991. 

  4991.             throw MakeStringException(-1, "error enableUser %s, ldap_modify_ext_s error: %s", username, ldap_err2string( rc ));
    4992. 

  4992.         }
    4993. 

  4993. 

  4994.         // set the password.
    4995. 

  4995.         Owned<ISecUser> tmpuser = new CLdapSecUser(user->getName(), "");
    4996. 

  4996.         const char* passwd = user->credentials().getPassword();
    4997. 

  4997.         if(passwd == NULL || *passwd == '\0')
    4998. 

  4998.             passwd = "password";
    4999. 

  4999. 

  5000.         if (!updateUserPassword(*tmpuser, passwd, NULL))
    5001. 

  5001.         {
    5002. 

  5002.             DBGLOG("Error updating password for %s",username);
    5003. 

  5003.             throw MakeStringException(-1, "Error updating password for %s",username);
    5004. 

  5004.         }
    5005. 

  5005.     }
    5006. 

  5006. 

  5007. 

  5008.     virtual bool addUser(ISecUser& user)
    5009. 

  5009.     {
    5010. 

  5010.         const char* username = user.getName();
    5011. 

  5011.         if(username == NULL || *username == '\0')
    5012. 

  5012.         {
    5013. 

  5013.             DBGLOG("Can't add user, username not set");
    5014. 

  5014.             throw MakeStringException(-1, "Can't add user, username not set");
    5015. 

  5015.         }
    5016. 

  5016. 

  5017.         const char* fname = user.getFirstName();
    5018. 

  5018.         const char* lname = user.getLastName();
    5019. 

  5019.         if((lname == NULL || *lname == '\0') && (fname == NULL || *fname == '\0' || m_ldapconfig->getServerType() == IPLANET))
    5020. 

  5020.             lname = username;
    5021. 

  5021. 

  5022.         const char* fullname = user.getFullName();
    5023. 

  5023.         StringBuffer fullname_buf;
    5024. 

  5024.         if(fullname == NULL || *fullname == '\0')
    5025. 

  5025.         {
    5026. 

  5026.             if(fname != NULL && *fname != '\0')
    5027. 

  5027.             {
    5028. 

  5028.                 fullname_buf.append(fname);
    5029. 

  5029.                 if(lname != NULL && *lname != '\0')
    5030. 

  5030.                     fullname_buf.append(" ");
    5031. 

  5031.             }
    5032. 

  5032.             if(lname != NULL && *lname  != '\0')
    5033. 

  5033.                 fullname_buf.append(lname);
    5034. 

  5034. 

  5035.             if(fullname_buf.length() == 0)
    5036. 

  5036.             {
    5037. 

  5037.                 fullname_buf.append(username);
    5038. 

  5038.             }
    5039. 

  5039.             fullname = fullname_buf.str();
    5040. 

  5040.         }
    5041. 

  5041. 

  5042.         StringBuffer dn;
    5043. 

  5043.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5044. 

  5044.         {
    5045. 

  5045.             dn.append("cn=").append(fullname).append(",");
    5046. 

  5046.         }
    5047. 

  5047.         else
    5048. 

  5048.         {
    5049. 

  5049.             dn.append("uid=").append(user.getName()).append(",");
    5050. 

  5050.         }
    5051. 

  5051.         dn.append(m_ldapconfig->getUserBasedn());
    5052. 

  5052. 

  5053.         char* oc_name;
    5054. 

  5054.         char* act_fieldname;
    5055. 

  5055.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5056. 

  5056.         {
    5057. 

  5057.             oc_name = "User";
    5058. 

  5058.             act_fieldname = "sAMAccountName";
    5059. 

  5059.         }
    5060. 

  5060.         else
    5061. 

  5061.         {
    5062. 

  5062.             oc_name = "inetorgperson";
    5063. 

  5063.             act_fieldname = "uid";
    5064. 

  5064.         }
    5065. 

  5065. 

  5066.         char *cn_values[] = {(char*)fullname, NULL };
    5067. 

  5067.         LDAPMod cn_attr = 
    5068. 

  5068.         {
    5069. 

  5069.             LDAP_MOD_ADD,
    5070. 

  5070.             "cn",
    5071. 

  5071.             cn_values
    5072. 

  5072.         };
    5073. 

  5073. 

  5074.         char *oc_values[] = {oc_name, NULL};
    5075. 

  5075.         LDAPMod oc_attr =
    5076. 

  5076.         {
    5077. 

  5077.             LDAP_MOD_ADD,
    5078. 

  5078.             "objectClass",
    5079. 

  5079.             oc_values
    5080. 

  5080.         };
    5081. 

  5081. 

  5082.         char *gn_values[] = { (char*)fname, NULL };
    5083. 

  5083.         LDAPMod gn_attr = {
    5084. 

  5084.             LDAP_MOD_ADD,
    5085. 

  5085.             "givenName",
    5086. 

  5086.             gn_values
    5087. 

  5087.         };
    5088. 

  5088. 

  5089.         char *sn_values[] = { (char*)lname, NULL };
    5090. 

  5090.         LDAPMod sn_attr = {
    5091. 

  5091.             LDAP_MOD_ADD,
    5092. 

  5092.             "sn",
    5093. 

  5093.             sn_values
    5094. 

  5094.         };
    5095. 

  5095. 

  5096.         char* actname_values[] = {(char*)username, NULL};
    5097. 

  5097.         LDAPMod actname_attr =
    5098. 

  5098.         {
    5099. 

  5099.             LDAP_MOD_ADD,
    5100. 

  5100.             act_fieldname,
    5101. 

  5101.             actname_values
    5102. 

  5102.         };
    5103. 

  5103. 

  5104.         const char* passwd = user.credentials().getPassword();
    5105. 

  5105.         if(passwd == NULL || *passwd == '\0')
    5106. 

  5106.             passwd = "password";
    5107. 

  5107.         char* passwd_values[] = {(char*)passwd, NULL};
    5108. 

  5108.         LDAPMod passwd_attr =
    5109. 

  5109.         {
    5110. 

  5110.             LDAP_MOD_ADD,
    5111. 

  5111.             "userpassword",
    5112. 

  5112.             passwd_values
    5113. 

  5113.         };
    5114. 

  5114. 

  5115.         char *dispname_values[] = {(char*)fullname, NULL };
    5116. 

  5116.         LDAPMod dispname_attr = 
    5117. 

  5117.         {
    5118. 

  5118.             LDAP_MOD_ADD,
    5119. 

  5119.             "displayName",
    5120. 

  5120.             dispname_values
    5121. 

  5121.         };
    5122. 

  5122. 

  5123.         char* username_values[] = {(char*)username, NULL};
    5124. 

  5124.         LDAPMod username_attr =
    5125. 

  5125.         {
    5126. 

  5126.             LDAP_MOD_ADD,
    5127. 

  5127.             "userPrincipalName",
    5128. 

  5128.             username_values
    5129. 

  5129.         };
    5130. 

  5130. 

  5131.         LDAPMod *attrs[8];
    5132. 

  5132.         int ind = 0;
    5133. 

  5133.         
    5134. 

  5134.         attrs[ind++] = &cn_attr;
    5135. 

  5135.         attrs[ind++] = &oc_attr;
    5136. 

  5136.         if(fname != NULL && *fname != '\0')
    5137. 

  5137.             attrs[ind++] = &gn_attr;
    5138. 

  5138.         if(lname != NULL && *lname != '\0')
    5139. 

  5139.             attrs[ind++] = &sn_attr;
    5140. 

  5140.         attrs[ind++] = &actname_attr;
    5141. 

  5141. 

  5142.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5143. 

  5143.         {
    5144. 

  5144.             attrs[ind++] = &username_attr;
    5145. 

  5145.             attrs[ind++] = &dispname_attr;
    5146. 

  5146.         }
    5147. 

  5147.         else
    5148. 

  5148.         {
    5149. 

  5149.             attrs[ind++] = &passwd_attr;
    5150. 

  5150.         }
    5151. 

  5151. 

  5152.         attrs[ind] = NULL;
    5153. 

  5153. 

  5154.         Owned<ILdapConnection> lconn = m_connections->getConnection();
    5155. 

  5155.         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
    5156. 

  5156.         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
    5157. 

  5157.         if ( rc != LDAP_SUCCESS )
    5158. 

  5158.         {
    5159. 

  5159.             if(rc == LDAP_ALREADY_EXISTS)
    5160. 

  5160.             {
    5161. 

  5161.                 DBGLOG("Can't add user %s, an LDAP object with this name already exists", username);
    5162. 

  5162.                 throw MakeStringException(-1, "Can't add user %s, an LDAP object with this name already exists", username);
    5163. 

  5163.             }
    5164. 

  5164.             else
    5165. 

  5165.             {
    5166. 

  5166.                 DBGLOG("Error addUser %s, ldap_add_ext_s error: %s", username, ldap_err2string( rc ));
    5167. 

  5167.                 throw MakeStringException(-1, "Error addUser %s, ldap_add_ext_s error: %s", username, ldap_err2string( rc ));
    5168. 

  5168.             }
    5169. 

  5169.         }
    5170. 

  5170. 

  5171.         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
    5172. 

  5172.         {
    5173. 

  5173.             try
    5174. 

  5174.             {
    5175. 

  5175.                 enableUser(&user, dn.str(), ld);
    5176. 

  5176.             }
    5177. 

  5177.             catch(...)
    5178. 

  5178.             {
    5179. 

  5179.                 deleteUser(&user);
    5180. 

  5180.                 throw;
    5181. 

  5181.             }
    5182. 

  5182.         }
    5183. 

  5183. 

  5184.         //Add tempfile scope for this user (spill, paused and checkpoint
    5185. 

  5185.         //will be created under this user specific scope)
    5186. 

  5186.         StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
    5187. 

  5187.         resName.append("::").append(username);
    5188. 

  5188.         Owned<ISecResource> resource = new CLdapSecResource(resName.str());
    5189. 

  5189.         if (!addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE)))
    5190. 

  5190.         {
    5191. 

  5191.             throw MakeStringException(-1, "Error adding temp file scope %s",resName.str());
    5192. 

  5192.         }
    5193. 

  5193. 

  5194.         return true;
    5195. 

  5195.     }
    5196. 

  5196. 

  5197.     bool createUserScope(ISecUser& user)
    5198. 

  5198.     {
    5199. 

  5199.         //Add tempfile scope for given user (spill, paused and checkpoint
    5200. 

  5200.         //files will be created under this user specific scope)
    5201. 

  5201.         StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
    5202. 

  5202.         resName.append("::").append(user.getName());
    5203. 

  5203.         Owned<ISecResource> resource = new CLdapSecResource(resName.str());
    5204. 

  5204.         return addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
    5205. 

  5205.     }
    5206. 

  5206. 

  5207.     virtual aindex_t getManagedFileScopes(IArrayOf<ISecResource>& scopes)
    5208. 

  5208.     {
    5209. 

  5209.         getResourcesEx(RT_FILE_SCOPE, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), NULL, NULL, scopes);
    5210. 

  5210.         return scopes.length();
    5211. 

  5211.     }
    5212. 

  5212. 

  5213.     virtual int queryDefaultPermission(ISecUser& user)
    5214. 

  5214.     {
    5215. 

  5215.         const char* basedn = m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE);
    5216. 

  5216.         if(basedn == NULL || *basedn == '\0')
    5217. 

  5217.         {
    5218. 

  5218.             DBGLOG("corresponding basedn is not defined");
    5219. 

  5219.             return -2;
    5220. 

  5220.         }
    5221. 

  5221.         const char* basebasedn = strchr(basedn, ',') + 1;
    5222. 

  5222.         StringBuffer baseresource;
    5223. 

  5223.         baseresource.append(basebasedn-basedn-4, basedn+3);
    5224. 

  5224.         IArrayOf<ISecResource> base_resources;
    5225. 

  5225.         base_resources.append(*new CLdapSecResource(baseresource.str()));
    5226. 

  5226.         bool baseok = authorizeScope(user, base_resources, basebasedn);
    5227. 

  5227.         if(baseok)
    5228. 

  5228.             return base_resources.item(0).getAccessFlags();
    5229. 

  5229.         else
    5230. 

  5230.             return -2;
    5231. 

  5231.     }
    5232. 

  5232. };
    5233. 

  5233. 

  5234. int LdapUtils::getServerInfo(const char* ldapserver, int ldapport, StringBuffer& domainDN, LdapServerType& stype, const char* domainname)
    5235. 

  5235. {
    5236. 

  5236.     LdapServerType deducedSType = LDAPSERVER_UNKNOWN;
    5237. 

  5237.     LDAP* ld = LdapInit("ldap", ldapserver, ldapport, 636); 
    5238. 

  5238.     if(ld == NULL)
    5239. 

  5239.     {
    5240. 

  5240.         ERRLOG("ldap init error");
    5241. 

  5241.         return false;
    5242. 

  5242.     }
    5243. 

  5243.     
    5244. 

  5244.     int err = LdapSimpleBind(ld, NULL, NULL);
    5245. 

  5245.     if(err != LDAP_SUCCESS)
    5246. 

  5246.     {
    5247. 

  5247.         DBGLOG("ldap anonymous bind error (%d) - %s", err, ldap_err2string(err));
    5248. 

  5248. 

  5249.         // for new versions of openldap, version 2.2.*
    5250. 

  5250.         if(err == LDAP_PROTOCOL_ERROR)
    5251. 

  5251.             DBGLOG("If you're trying to connect to an OpenLdap server, make sure you have \"allow bind_v2\" enabled in slapd.conf");
    5252. 

  5252. 

  5253.         return err;
    5254. 

  5254.     }
    5255. 

  5255. 

  5256.     LDAPMessage* msg = NULL;
    5257. 

  5257.     char* attrs[] = {"namingContexts", NULL};
    5258. 

  5258.     err = ldap_search_s(ld, NULL, LDAP_SCOPE_BASE, "objectClass=*", attrs, false, &msg);
    5259. 

  5259.     if(err != LDAP_SUCCESS)
    5260. 

  5260.     {
    5261. 

  5261.         DBGLOG("ldap_search_s error: %s", ldap_err2string( err ));
    5262. 

  5262.         if (msg)
    5263. 

  5263.             ldap_msgfree(msg);
    5264. 

  5264.         return err;
    5265. 

  5265.     }
    5266. 

  5266.     LDAPMessage* entry = LdapFirstEntry(ld, msg);
    5267. 

  5267.     if(entry != NULL)
    5268. 

  5268.     {
    5269. 

  5269.         CLDAPGetValuesWrapper vals(ld, entry, "namingContexts");
    5270. 

  5270.         char** domains = vals.queryValues();
    5271. 

  5271.         if(domains != NULL)
    5272. 

  5272.         {
    5273. 

  5273.             int i = 0;
    5274. 

  5274.             char* curdn;
    5275. 

  5275.             StringBuffer onedn;
    5276. 

  5276.             while((curdn = domains[i]) != NULL)
    5277. 

  5277.             {
    5278. 

  5278.                 if(*curdn != '\0' && (strncmp(curdn, "dc=", 3) == 0 || strncmp(curdn, "DC=", 3) == 0) && strstr(curdn,"DC=ForestDnsZones")==0 && strstr(curdn,"DC=DomainDnsZones")==0 )
    5279. 

  5279.                 {
    5280. 

  5280.                     if(domainDN.length() == 0)
    5281. 

  5281.                     {
    5282. 

  5282.                         StringBuffer curdomain;
    5283. 

  5283.                         LdapUtils::getName(curdn, curdomain);
    5284. 

  5284.                         if(onedn.length() == 0)
    5285. 

  5285.                         {
    5286. 

  5286.                             DBGLOG("Queried '%s', selected basedn '%s'",curdn, curdomain.str());
    5287. 

  5287.                             onedn.append(curdomain.str());
    5288. 

  5288.                         }
    5289. 

  5289.                         else
    5290. 

  5290.                             DBGLOG("Ignoring %s", curdn);
    5291. 

  5291.                         if(!domainname || !*domainname || stricmp(curdomain.str(), domainname) == 0)
    5292. 

  5292.                             domainDN.append(curdn);
    5293. 

  5293.                     }
    5294. 

  5294.                 }
    5295. 

  5295.                 else if(*curdn != '\0' && strcmp(curdn, "o=NetscapeRoot") == 0)
    5296. 

  5296.                 {
    5297. 

  5297.                     PROGLOG("Deduced LDAP Server Type 'iPlanet'");
    5298. 

  5298.                     deducedSType = IPLANET;
    5299. 

  5299.                 }
    5300. 

  5300.                 i++;
    5301. 

  5301.             }
    5302. 

  5302.             
    5303. 

  5303.             if(domainDN.length() == 0)
    5304. 

  5304.                 domainDN.append(onedn.str());
    5305. 

  5305. 

  5306.             if (deducedSType == LDAPSERVER_UNKNOWN)
    5307. 

  5307.             {
    5308. 

  5308.                 if(i <= 1)
    5309. 

  5309.                 {
    5310. 

  5310.                     PROGLOG("Deduced LDAP Server Type 'OpenLDAP'");
    5311. 

  5311.                     deducedSType = OPEN_LDAP;
    5312. 

  5312.                 }
    5313. 

  5313.                 else
    5314. 

  5314.                 {
    5315. 

  5315.                     PROGLOG("Deduced LDAP Server Type 'Active Directory'");
    5316. 

  5316.                     deducedSType = ACTIVE_DIRECTORY;
    5317. 

  5317.                 }
    5318. 

  5318.             }
    5319. 

  5319.         }
    5320. 

  5320.     }
    5321. 

  5321.     ldap_msgfree(msg);
    5322. 

  5322.     ldap_unbind(ld);
    5323. 

  5323. 

  5324.     if (stype == LDAPSERVER_UNKNOWN)
    5325. 

  5325.         stype = deducedSType;
    5326. 

  5326.     else if (deducedSType != stype)
    5327. 

  5327.         WARNLOG("Ignoring deduced LDAP Server Type, does not match config LDAPServerType");
    5328. 

  5328. 

  5329.     return err;
    5330. 

  5330. }
    5331. 

  5331. 

  5332. #ifdef _WIN32
    5333. 

  5333. bool verifyServerCert(LDAP* ld, PCCERT_CONTEXT pServerCert)
    5334. 

  5334. {
    5335. 

  5335.     return true;
    5336. 

  5336. }
    5337. 

  5337. #endif
    5338. 

  5338. 

  5339. ILdapClient* createLdapClient(IPropertyTree* cfg)
    5340. 

  5340. {
    5341. 

  5341.     return new CLdapClient(cfg);
    5342. 

  5342. }
    5343. 

  5343. 

  5344.