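/*
  header for ads (active directory) library routines

  basically this is a wrapper around ldap
*/

/*
 * Per-connection state for the ads library.
 *
 * NOTE(review): field order and types are kept exactly as before;
 * presumably other translation units embed or allocate this struct,
 * so treat the layout as part of the library interface.
 */
typedef struct {
	void *ld;		/* the active ldap structure */
	struct in_addr ldap_ip;	/* the ip of the active connection, if any */
	time_t last_attempt;	/* last attempt to reconnect */
	int ldap_port;

	/* info needed to find the server */
	struct {
		char *realm;
		char *workgroup;
		char *ldap_server;
		char *ldap_uri;
		int foreign;	/* set to 1 if connecting to a foreign realm */
	} server;

	/* info needed to authenticate */
	struct {
		char *realm;
		char *password;		/* NOTE(review): credential held as a
					   plain C string; confirm whoever frees
					   it scrubs the buffer first */
		char *user_name;
		char *kdc_server;
		unsigned flags;		/* ADS_AUTH_* bits, see below */
		int time_offset;
	} auth;

	/* info derived from the servers config */
	struct {
		char *realm;
		char *bind_path;
		char *ldap_server_name;
		time_t current_time;
	} config;
} ADS_STRUCT;

/* there are 5 possible types of errors the ads subsystem can produce */
enum ads_error_type {ENUM_ADS_ERROR_KRB5, ENUM_ADS_ERROR_GSS,
		     ENUM_ADS_ERROR_LDAP, ENUM_ADS_ERROR_SYSTEM, ENUM_ADS_ERROR_NT};

/*
 * Error value returned by the ads routines.  Which member of err is
 * meaningful is selected by error_type: nt_status for
 * ENUM_ADS_ERROR_NT, rc for everything else (see ADS_ERR_OK below).
 */
typedef struct {
	enum ads_error_type error_type;
	union err_state{
		int rc;
		NTSTATUS nt_status;
	} err;
	/* For error_type = ENUM_ADS_ERROR_GSS, minor_status describes the GSS API error */
	/* and rc holds the major_status of the GSS API error */
	int minor_status;
} ADS_STATUS;

#ifdef HAVE_ADS
typedef LDAPMod **ADS_MODLIST;
#else
typedef void **ADS_MODLIST;
#endif

/* macros to simplify error returning */
#define ADS_ERROR(rc) ADS_ERROR_LDAP(rc)
#define ADS_ERROR_LDAP(rc) ads_build_error(ENUM_ADS_ERROR_LDAP, (rc), 0)
/* an rc of 0 is mapped to EINVAL so a "system" error is never reported as
   success; rc is evaluated twice, so do not pass an expression with side
   effects */
#define ADS_ERROR_SYSTEM(rc) ads_build_error(ENUM_ADS_ERROR_SYSTEM, (rc) ? (rc) : EINVAL, 0)
#define ADS_ERROR_KRB5(rc) ads_build_error(ENUM_ADS_ERROR_KRB5, (rc), 0)
#define ADS_ERROR_GSS(rc, minor) ads_build_error(ENUM_ADS_ERROR_GSS, (rc), (minor))
#define ADS_ERROR_NT(rc) ads_build_nt_error(ENUM_ADS_ERROR_NT, (rc))

/* true when an ADS_STATUS carries no error; checks the union member that
   error_type says is in use */
#define ADS_ERR_OK(status) \
	(((status).error_type == ENUM_ADS_ERROR_NT) ? \
	 NT_STATUS_IS_OK((status).err.nt_status) : ((status).err.rc == 0))
#define ADS_SUCCESS ADS_ERROR(0)

/* time between reconnect attempts */
#define ADS_RECONNECT_TIME 5

/* timeout on searches */
#define ADS_SEARCH_TIMEOUT 10

/* ldap control oids */
#define ADS_PAGE_CTL_OID	"1.2.840.113556.1.4.319"
#define ADS_NO_REFERRALS_OID	"1.2.840.113556.1.4.1339"
#define ADS_SERVER_SORT_OID	"1.2.840.113556.1.4.473"
#define ADS_PERMIT_MODIFY_OID	"1.2.840.113556.1.4.1413"

/* UserFlags for userAccountControl */
#define UF_SCRIPT				0x00000001
#define UF_ACCOUNTDISABLE			0x00000002
#define UF_UNUSED_1				0x00000004
#define UF_HOMEDIR_REQUIRED			0x00000008

#define UF_LOCKOUT				0x00000010
#define UF_PASSWD_NOTREQD			0x00000020
#define UF_PASSWD_CANT_CHANGE			0x00000040
#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED	0x00000080

#define UF_TEMP_DUPLICATE_ACCOUNT		0x00000100
#define UF_NORMAL_ACCOUNT			0x00000200
#define UF_UNUSED_2				0x00000400
#define UF_INTERDOMAIN_TRUST_ACCOUNT		0x00000800

#define UF_WORKSTATION_TRUST_ACCOUNT		0x00001000
#define UF_SERVER_TRUST_ACCOUNT			0x00002000
#define UF_UNUSED_3				0x00004000
#define UF_UNUSED_4				0x00008000

#define UF_DONT_EXPIRE_PASSWD			0x00010000
#define UF_MNS_LOGON_ACCOUNT			0x00020000
#define UF_SMARTCARD_REQUIRED			0x00040000
#define UF_TRUSTED_FOR_DELEGATION		0x00080000

#define UF_NOT_DELEGATED			0x00100000
#define UF_USE_DES_KEY_ONLY			0x00200000
#define UF_DONT_REQUIRE_PREAUTH			0x00400000
#define UF_UNUSED_5				0x00800000

#define UF_UNUSED_6				0x01000000
#define UF_UNUSED_7				0x02000000
#define UF_UNUSED_8				0x04000000
#define UF_UNUSED_9				0x08000000

#define UF_UNUSED_10				0x10000000
#define UF_UNUSED_11				0x20000000
#define UF_UNUSED_12				0x40000000
#define UF_UNUSED_13				0x80000000

/* bits that mark an account as a machine/trust account (0x00003800) */
#define UF_MACHINE_ACCOUNT_MASK (\
		UF_INTERDOMAIN_TRUST_ACCOUNT |\
		UF_WORKSTATION_TRUST_ACCOUNT |\
		UF_SERVER_TRUST_ACCOUNT \
		)

/* all account-type bits, machine and user alike (0x00003B00) */
#define UF_ACCOUNT_TYPE_MASK (\
		UF_TEMP_DUPLICATE_ACCOUNT |\
		UF_NORMAL_ACCOUNT |\
		UF_INTERDOMAIN_TRUST_ACCOUNT |\
		UF_WORKSTATION_TRUST_ACCOUNT |\
		UF_SERVER_TRUST_ACCOUNT \
		)

/* bits a caller is allowed to set on userAccountControl; the UF_UNUSED_*
   bits are deliberately excluded */
#define UF_SETTABLE_BITS (\
		UF_SCRIPT |\
		UF_ACCOUNTDISABLE |\
		UF_HOMEDIR_REQUIRED |\
		UF_LOCKOUT |\
		UF_PASSWD_NOTREQD |\
		UF_PASSWD_CANT_CHANGE |\
		UF_ACCOUNT_TYPE_MASK | \
		UF_DONT_EXPIRE_PASSWD | \
		UF_MNS_LOGON_ACCOUNT |\
		UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED |\
		UF_SMARTCARD_REQUIRED |\
		UF_TRUSTED_FOR_DELEGATION |\
		UF_NOT_DELEGATED |\
		UF_USE_DES_KEY_ONLY |\
		UF_DONT_REQUIRE_PREAUTH \
		)

/* sAMAccountType */
#define ATYPE_NORMAL_ACCOUNT			0x30000000 /* 805306368 */
#define ATYPE_WORKSTATION_TRUST			0x30000001 /* 805306369 */
#define ATYPE_INTERDOMAIN_TRUST			0x30000002 /* 805306370 */
#define ATYPE_SECURITY_GLOBAL_GROUP		0x10000000 /* 268435456 */
#define ATYPE_DISTRIBUTION_GLOBAL_GROUP		0x10000001 /* 268435457 */
#define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP	ATYPE_DISTRIBUTION_GLOBAL_GROUP
#define ATYPE_SECURITY_LOCAL_GROUP		0x20000000 /* 536870912 */
#define ATYPE_DISTRIBUTION_LOCAL_GROUP		0x20000001 /* 536870913 */

#define ATYPE_ACCOUNT		ATYPE_NORMAL_ACCOUNT		/* 0x30000000 805306368 */
#define ATYPE_GLOBAL_GROUP	ATYPE_SECURITY_GLOBAL_GROUP	/* 0x10000000 268435456 */
#define ATYPE_LOCAL_GROUP	ATYPE_SECURITY_LOCAL_GROUP	/* 0x20000000 536870912 */

/* groupType (the decimal values are the signed 32-bit reading of each) */
#define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP	0x80000005	/* -2147483643 */
#define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP	0x80000004	/* -2147483644 */
#define GTYPE_SECURITY_GLOBAL_GROUP		0x80000002	/* -2147483646 */
#define GTYPE_DISTRIBUTION_GLOBAL_GROUP		0x00000002	/* 2 */
#define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP	0x00000004	/* 4 */
#define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP	0x00000008	/* 8 */

/* Mailslot or cldap getdcname response flags */
#define ADS_PDC			0x00000001	/* DC is PDC */
#define ADS_GC			0x00000004	/* DC is a GC of forest */
#define ADS_LDAP		0x00000008	/* DC is an LDAP server */
#define ADS_DS			0x00000010	/* DC supports DS */
#define ADS_KDC			0x00000020	/* DC is running KDC */
#define ADS_TIMESERV		0x00000040	/* DC is running time services */
#define ADS_CLOSEST		0x00000080	/* DC is closest to client */
#define ADS_WRITABLE		0x00000100	/* DC has writable DS */
#define ADS_GOOD_TIMESERV	0x00000200	/* DC has hardware clock
						   (and running time) */
#define ADS_NDNC		0x00000400	/* DomainName is non-domain NC serviced
						   by LDAP server */
#define ADS_PINGS		0x0000FFFF	/* Ping response */
#define ADS_DNS_CONTROLLER	0x20000000	/* DomainControllerName is a DNS name*/
#define ADS_DNS_DOMAIN		0x40000000	/* DomainName is a DNS name */
#define ADS_DNS_FOREST		0x80000000	/* DnsForestName is a DNS name */

/* DomainControllerAddressType */
#define ADS_INET_ADDRESS	0x00000001
#define ADS_NETBIOS_ADDRESS	0x00000002


/* ads auth control flags (stored in ADS_STRUCT.auth.flags) */
#define ADS_AUTH_DISABLE_KERBEROS	0x01
#define ADS_AUTH_NO_BIND		0x02
#define ADS_AUTH_ANON_BIND		0x04
#define ADS_AUTH_SIMPLE_BIND		0x08
#define ADS_AUTH_ALLOW_NTLMSSP		0x10

/* Kerberos environment variable names */
#define KRB5_ENV_CCNAME	"KRB5CCNAME"

/* Heimdal uses a slightly different name */
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
#endif

/* The older versions of heimdal that don't have this
   define don't seem to use it anyway. I'm told they
   always use a subkey */
#ifndef HAVE_AP_OPTS_USE_SUBKEY
#define AP_OPTS_USE_SUBKEY 0
#endif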