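}

/* Upper bound on the attribute modifications sent in one ldap_add_s /
   ldap_modify_s call below (posixAccount: 8, shadowAccount: up to 8).
   The mods[] pointer array needs one extra slot for the terminating NULL;
   the previous fixed size of 8 was one short for both.  */
enum { MAX_MODS = 8 };

/* Append a single-valued LDAP_MOD_ADD of TYPE with VALUE as mods[*n].
   VALUE is referenced, not copied: the caller keeps it alive until the
   modification has been sent.  The caller terminates mods[] with NULL.  */
static void
push_add_mod (LDAPMod **mods, LDAPMod *mod, char *strvals[][2], int *n,
              const char *type, char *value)
{
  strvals[*n][0] = value;
  strvals[*n][1] = NULL;
  mod[*n].mod_op = LDAP_MOD_ADD;
  mod[*n].mod_type = (char *) type;
  mod[*n].mod_values = strvals[*n];
  mods[*n] = &mod[*n];
  (*n)++;
}

/* Escape VALUE for use as an attribute value inside a DN (RFC 4514,
   section 2.4): a backslash is put in front of , + " \ < > ; =, in front
   of a leading space or '#', and in front of a trailing space.  Without
   this a name containing ',' or '=' changes the structure of the DN that
   ldap_create_user/ldap_create_group build with asprintf (DN injection).
   Ordinary POSIX user and group names contain none of these characters,
   so the result is normally a plain copy.  Returns a malloc'd string the
   caller frees, or NULL on allocation failure.  */
static char *
escape_dn_value (const char *value)
{
  size_t len = 0, i;
  char *out, *p;

  while (value[len] != '\0')
    len++;

  /* Worst case: every byte gets a backslash in front of it.  */
  out = malloc (2 * len + 1);
  if (out == NULL)
    return NULL;

  p = out;
  for (i = 0; i < len; i++)
    {
      char c = value[i];
      int escape;

      switch (c)
        {
        case ',': case '+': case '"': case '\\':
        case '<': case '>': case ';': case '=':
          escape = 1;
          break;
        case ' ':
          escape = (i == 0 || i == len - 1);
          break;
        case '#':
          escape = (i == 0);
          break;
        default:
          escape = 0;
          break;
        }
      if (escape)
        *p++ = '\\';
      *p++ = c;
    }
  *p = '\0';
  return out;
}

/* Make sure the session is bound with the DN used for modifications.
   When the current binding is not the user's own (bound_as_user false)
   the session is reopened and bound via connect_with_dn().  Both helpers
   are defined elsewhere in this file; the exact meaning of bound_as_user
   is not visible here.  Returns LDAP_SUCCESS or the failing call's code.
   session->bind must be non-NULL.  */
static int
rebind_with_dn_if_needed (ldap_session_t *session)
{
  int rc;

  if (session->bind->bound_as_user)
    return LDAP_SUCCESS;

  rc = reopen_ldap_session (session);
  if (rc != LDAP_SUCCESS)
    return rc;
  return connect_with_dn (session);
}

/* ldap_delete_group: delete a group entry from the LDAP database.
   session:  LDAP session data.
   group:    name of the group to remove.
   binddn:   DN to bind as if no binding exists yet.  The old header
             comment called it optional, but the sanity check below has
             always rejected NULL; that is kept.  NOTE(review): confirm
             which is intended -- ldap_create_user/ldap_create_group do
             not require it.
   password: password for that bind.
   Returns 0 on success, 1 on a bad argument or unresolvable group, else
   the LDAP result code of the failing call.  */
int
ldap_delete_group (ldap_session_t *session, const char *group,
                   const char *binddn, const char *password)
{
  char *groupdn;
  int rc;

  if (session == NULL || group == NULL || binddn == NULL)
    return 1;

  if (session->bind == NULL)
    {
      /* No binding yet: ldap_authentication creates it and checks the
         password.  */
      rc = ldap_authentication (session, NULL, binddn, password);
      if (rc != 0)
        {
          fprintf (stderr, _("Authentication failure.\n"));
          return rc;
        }
    }

  /* NOTE(review): convert_group_to_dn is defined elsewhere; whether its
     result must be freed (and with free() or ldap_memfree()) is not
     visible here, so it is left alone as before.  */
  groupdn = convert_group_to_dn (session, group);
  if (groupdn == NULL)
    return 1;

  rc = rebind_with_dn_if_needed (session);
  if (rc != LDAP_SUCCESS)
    return rc;

  return ldap_delete_s (session->ld, groupdn);
}

/* Return non-zero when ENTRY has an "ou" attribute whose first value
   equals (case-insensitively) one of the names in the NULL-terminated
   PREFER list.  Attribute names, values and the BerElement are released
   before returning.  */
static int
ou_name_preferred (ldap_session_t *session, LDAPMessage *entry, char *prefer[])
{
  BerElement *ber = NULL;
  char *attribute;
  int found = 0;

  attribute = ldap_first_attribute (session->ld, entry, &ber);
  while (attribute != NULL)
    {
      if (strcasecmp (attribute, "ou") == 0)
        {
          char **values = ldap_get_values (session->ld, entry, attribute);

          if (values != NULL)
            {
              if (values[0] != NULL)
                {
                  int i;

                  for (i = 0; prefer[i] != NULL && !found; i++)
                    if (strcasecmp (values[0], prefer[i]) == 0)
                      found = 1;
                }
              ldap_value_free (values);
            }
        }
      ldap_memfree (attribute);
      if (found)
        break;
      attribute = ldap_next_attribute (session->ld, entry, ber);
    }

  if (ber != NULL)
    ber_free (ber, 0);
  return found;
}

/* Try to find the base OU for passwd or group entries under
   session->conf->base.  Every organizationalUnit is searched one level
   deep for FILTER (posixAccount or posixGroup); the last OU that contains
   such objects wins.  If none does, the first OU whose "ou" value is one
   of the PREFER names is used.  The result is always a guess; only an
   explicit option set by the admin can be authoritative.
   Returns a DN allocated by ldap_get_dn (release with ldap_memfree), or
   NULL when nothing matched or a search failed (reported on stderr).  */
static char *
find_baseou (ldap_session_t *session, const char *filter, char *prefer[])
{
  int ldap_errors;
  LDAPMessage *searchresults = NULL;
  LDAPMessage *entry;
  char *dn = NULL;

  ldap_errors = ldap_search_s (session->ld, session->conf->base,
                               LDAP_SCOPE_SUBTREE,
                               "objectclass=organizationalUnit",
                               NULL, 0, &searchresults);
  if (ldap_errors)
    {
      fprintf (stderr, "ldap_search_s: %s.\n", ldap_err2string (ldap_errors));
      return NULL;
    }

  for (entry = ldap_first_entry (session->ld, searchresults);
       entry != NULL;
       entry = ldap_next_entry (session->ld, entry))
    {
      LDAPMessage *search2results = NULL;
      char *entrydn = ldap_get_dn (session->ld, entry);

      if (entrydn == NULL)
        continue;

      ldap_errors = ldap_search_s (session->ld, entrydn, LDAP_SCOPE_ONELEVEL,
                                   filter, NULL, 0, &search2results);
      if (ldap_errors)
        {
          fprintf (stderr, "ldap_search_s: %s.\n",
                   ldap_err2string (ldap_errors));
          ldap_memfree (entrydn);
          if (dn != NULL)
            ldap_memfree (dn);
          ldap_msgfree (searchresults);
          return NULL;
        }

      if (ldap_first_entry (session->ld, search2results) != NULL)
        {
          /* This OU really holds matching objects: it overrides any
             earlier candidate, including a merely preferred name.  */
          if (dn != NULL)
            ldap_memfree (dn);
          dn = entrydn;
          entrydn = NULL;
        }
      else if (dn == NULL && ou_name_preferred (session, entry, prefer))
        {
          dn = entrydn;
          entrydn = NULL;
        }

      if (search2results != NULL)
        ldap_msgfree (search2results);
      if (entrydn != NULL)
        ldap_memfree (entrydn);
    }

  ldap_msgfree (searchresults);
  return dn;
}

/* Guess the OU for new user accounts; see find_baseou for ownership.  */
char *
ldap_find_user_baseou (ldap_session_t *session)
{
  char *prefer[] = { "People", "User", NULL };

  return find_baseou (session, "objectclass=posixAccount", prefer);
}

/* Guess the OU for new groups; see find_baseou for ownership.  */
char *
ldap_find_group_baseou (ldap_session_t *session)
{
  char *prefer[] = { "Group", "Groups", NULL };

  return find_baseou (session, "objectclass=posixGroup", prefer);
}

/* Second step of ldap_create_user: add the posixAccount object class and
   its attributes to the entry at USERDN.  The userPassword value is the
   shadow hash when SP provides one, otherwise pw_passwd, otherwise "x".
   NOTE(review): the hash is stored without a {CRYPT} scheme prefix, as
   before; confirm the server/NSS setup expects raw crypt hashes here,
   since a scheme-less userPassword is otherwise compared as cleartext.
   Returns the ldap_modify_s result, or LDAP_NO_MEMORY.  */
static int
add_posix_account (ldap_session_t *session, const char *userdn,
                   const struct passwd *pw, const struct spwd *sp)
{
  LDAPMod *mods[MAX_MODS + 1], mod[MAX_MODS];
  char *strvals[MAX_MODS][2];
  char *uidstr = NULL, *gidstr = NULL, *pwval;
  int n = 0, rc;

  if (asprintf (&uidstr, "%u", (unsigned int) pw->pw_uid) < 0)
    return LDAP_NO_MEMORY;
  if (asprintf (&gidstr, "%u", (unsigned int) pw->pw_gid) < 0)
    {
      free (uidstr);
      return LDAP_NO_MEMORY;
    }

  if (sp != NULL && sp->sp_pwdp != NULL)
    pwval = sp->sp_pwdp;
  else if (pw->pw_passwd != NULL)
    pwval = pw->pw_passwd;
  else
    pwval = "x";

  push_add_mod (mods, mod, strvals, &n, "objectClass", "posixAccount");
  push_add_mod (mods, mod, strvals, &n, "cn", pw->pw_name);
  push_add_mod (mods, mod, strvals, &n, "userPassword", pwval);
  push_add_mod (mods, mod, strvals, &n, "uidNumber", uidstr);
  push_add_mod (mods, mod, strvals, &n, "gidNumber", gidstr);
  push_add_mod (mods, mod, strvals, &n, "homeDirectory",
                pw->pw_dir != NULL ? pw->pw_dir : "");
  push_add_mod (mods, mod, strvals, &n, "loginShell",
                pw->pw_shell != NULL ? pw->pw_shell : "");
  /* gecos is only sent when there is something to send.  */
  if (pw->pw_gecos != NULL && pw->pw_gecos[0] != '\0')
    push_add_mod (mods, mod, strvals, &n, "gecos", pw->pw_gecos);
  mods[n] = NULL;

  rc = ldap_modify_s (session->ld, userdn, mods);

  free (uidstr);
  free (gidstr);
  return rc;
}

/* Third step of ldap_create_user: add the shadowAccount object class and
   every shadow field of SP that carries a value (the same "present"
   conditions as before: lstchg > 0, min/max/warn/inact/expire >= 0,
   flag != -1).  SP must be non-NULL.  Returns the ldap_modify_s result,
   or LDAP_NO_MEMORY.  */
static int
add_shadow_account (ldap_session_t *session, const char *userdn,
                    const struct spwd *sp)
{
  LDAPMod *mods[MAX_MODS + 1], mod[MAX_MODS];
  char *strvals[MAX_MODS][2];
  const struct
  {
    const char *type;
    int present;
    long value;
  } fields[] = {
    { "shadowLastChange", sp->sp_lstchg > 0,  sp->sp_lstchg },
    { "shadowMin",        sp->sp_min >= 0,    sp->sp_min },
    { "shadowMax",        sp->sp_max >= 0,    sp->sp_max },
    { "shadowWarning",    sp->sp_warn >= 0,   sp->sp_warn },
    { "shadowInactive",   sp->sp_inact >= 0,  sp->sp_inact },
    { "shadowExpire",     sp->sp_expire >= 0, sp->sp_expire },
  };
  size_t f;
  int n = 0, k, rc;

  push_add_mod (mods, mod, strvals, &n, "objectClass", "shadowAccount");

  for (f = 0; f < sizeof fields / sizeof fields[0]; f++)
    {
      char *s;

      if (!fields[f].present)
        continue;
      if (asprintf (&s, "%ld", fields[f].value) < 0)
        {
          rc = LDAP_NO_MEMORY;
          goto out;
        }
      push_add_mod (mods, mod, strvals, &n, fields[f].type, s);
    }

  /* sp_flag is unsigned; -1 marks "unset".  */
  if ((long int) sp->sp_flag != -1)
    {
      char *s;

      if (asprintf (&s, "%lu", sp->sp_flag) < 0)
        {
          rc = LDAP_NO_MEMORY;
          goto out;
        }
      push_add_mod (mods, mod, strvals, &n, "shadowFlag", s);
    }
  mods[n] = NULL;

  rc = ldap_modify_s (session->ld, userdn, mods);

out:
  /* Slot 0 is the objectClass literal; every later value was asprintf'd.  */
  for (k = 1; k < n; k++)
    free (strvals[k][0]);
  return rc;
}

/* ldap_create_user: create a user entry "uid=<pw_name>,<base ou>" in
   three steps -- the bare account object, then the posixAccount class,
   then the shadowAccount class.  A failure after the first step deletes
   the entry this call created.
   session:  LDAP session data.
   pw:       passwd data of the new account (pw_name must be set).
   sp:       shadow data, or NULL when there is none; no shadowAccount
             object is created then.
   binddn, password: bind credentials used when no binding exists yet.
   Returns 0 on success, 1 on a bad argument or when no base OU could be
   guessed, else the LDAP result code of the failing call.  */
int
ldap_create_user (ldap_session_t *session, struct passwd *pw, struct spwd *sp,
                  const char *binddn, const char *password)
{
  LDAPMod *mods[3], mod[2];
  char *strvals[2][2];
  char *userdn = NULL, *baseou = NULL, *escaped = NULL;
  int n = 0, rc;

  if (session == NULL || pw == NULL || pw->pw_name == NULL)
    return 1;

  if (session->bind == NULL)
    {
      /* No binding yet: ldap_authentication creates it and checks the
         password.  */
      rc = ldap_authentication (session, NULL, binddn, password);
      if (rc != 0)
        {
          fprintf (stderr, _("Authentication failure.\n"));
          return rc;
        }
    }

  baseou = ldap_find_user_baseou (session);
  if (baseou == NULL)
    {
      fprintf (stderr, _("Cannot find base ou for new users.\n"));
      return 1;
    }
  printf (_("Base DN for user account `%s' is \"%s\".\n"), pw->pw_name, baseou);

  rc = rebind_with_dn_if_needed (session);
  if (rc != LDAP_SUCCESS)
    goto out;

  /* The RDN value is escaped so that the name cannot alter the DN.  */
  escaped = escape_dn_value (pw->pw_name);
  if (escaped == NULL || asprintf (&userdn, "uid=%s,%s", escaped, baseou) < 0)
    {
      userdn = NULL;
      rc = LDAP_NO_MEMORY;
      goto out;
    }

  /* Step 1: the top-level account object.  */
  push_add_mod (mods, mod, strvals, &n, "objectClass", "account");
  push_add_mod (mods, mod, strvals, &n, "uid", pw->pw_name);
  mods[n] = NULL;
  rc = ldap_add_s (session->ld, userdn, mods);
  if (rc != 0)
    goto out;                   /* nothing of ours exists yet */

  /* Steps 2 and 3; roll back our own entry if either fails.  */
  rc = add_posix_account (session, userdn, pw, sp);
  if (rc == 0 && sp != NULL)
    rc = add_shadow_account (session, userdn, sp);
  if (rc != 0)
    ldap_delete_s (session->ld, userdn);

out:
  free (userdn);
  free (escaped);
  ldap_memfree (baseou);
  return rc;
}

/* ldap_create_group: create a group entry "cn=<gr_name>,<base ou>" as a
   namedObject and then add the posixGroup class with gidNumber.
   session:  LDAP session data.
   gr:       group data of the new group (gr_name must be set).
   binddn, password: bind credentials used when no binding exists yet.
   Returns 0 on success, 1 on a bad argument or when no base OU could be
   guessed, else the LDAP result code of the failing call.
   A failed ldap_add_s no longer triggers ldap_delete_s on the same DN:
   that deleted a pre-existing group whenever the add failed with
   "already exists".  */
int
ldap_create_group (ldap_session_t *session, struct group *gr,
                   const char *binddn, const char *password)
{
  LDAPMod *mods[3], mod[2];
  char *strvals[2][2];
  char *groupdn = NULL, *baseou = NULL, *escaped = NULL, *gidstr = NULL;
  int n, rc;

  if (session == NULL || gr == NULL || gr->gr_name == NULL)
    return 1;

  if (session->bind == NULL)
    {
      /* No binding yet: ldap_authentication creates it and checks the
         password.  */
      rc = ldap_authentication (session, NULL, binddn, password);
      if (rc != 0)
        {
          fprintf (stderr, _("Authentication failure.\n"));
          return rc;
        }
    }

  baseou = ldap_find_group_baseou (session);
  if (baseou == NULL)
    {
      fprintf (stderr, _("Cannot find base ou for new groups.\n"));
      return 1;
    }
  printf (_("Base DN for group `%s' is \"%s\".\n"), gr->gr_name, baseou);

  /* The RDN value is escaped so that the name cannot alter the DN.  */
  escaped = escape_dn_value (gr->gr_name);
  if (escaped == NULL || asprintf (&groupdn, "cn=%s,%s", escaped, baseou) < 0)
    {
      groupdn = NULL;
      rc = LDAP_NO_MEMORY;
      goto out;
    }

  rc = rebind_with_dn_if_needed (session);
  if (rc != LDAP_SUCCESS)
    goto out;

  /* Step 1: the top-level namedObject with its cn.  */
  n = 0;
  push_add_mod (mods, mod, strvals, &n, "objectClass", "namedObject");
  push_add_mod (mods, mod, strvals, &n, "cn", gr->gr_name);
  mods[n] = NULL;
  rc = ldap_add_s (session->ld, groupdn, mods);
  if (rc != 0)
    goto out;                   /* nothing of ours exists yet */

  /* Step 2: posixGroup class and gidNumber; roll back our entry on
     failure.  */
  if (asprintf (&gidstr, "%u", (unsigned int) gr->gr_gid) < 0)
    {
      gidstr = NULL;
      rc = LDAP_NO_MEMORY;
      ldap_delete_s (session->ld, groupdn);
      goto out;
    }
  n = 0;
  push_add_mod (mods, mod, strvals, &n, "objectClass", "posixGroup");
  push_add_mod (mods, mod, strvals, &n, "gidNumber", gidstr);
  mods[n] = NULL;
  rc = ldap_modify_s (session->ld, groupdn, mods);
  if (rc != 0)
    ldap_delete_s (session->ld, groupdn);

out:
  free (gidstr);                /* the old code freed gr_name here */
  free (groupdn);
  free (escaped);
  ldap_memfree (baseou);
  return rc;
}
#endif /* USE_LDAP */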