1#!/usr/bin/perl -w 2# 3# adssearch.pl - query an Active Directory server and 4# display objects in a human readable format 5# 6# Copyright (C) Guenther Deschner <gd@samba.org> 2003-2008 7# 8# TODO: add range retrieval 9# write sddl-converter, decode userParameters 10# apparently only win2k3 allows simple-binds with machine-accounts. 11# make sasl support independent from Authen::SASL::Cyrus v >0.11 12use strict; 13 14use Net::LDAP; 15use Net::LDAP::Control; 16use Net::LDAP::Constant qw(LDAP_REFERRAL); 17use Convert::ASN1; 18use Time::Local; 19use POSIX qw(strftime); 20use Getopt::Long; 21 22my $have_sasl; 23my $works_sasl; 24my $pref_version; 25BEGIN { 26 my $class = 'Authen::SASL'; 27 $pref_version = "0.32"; 28 if ( eval "require $class;" ) { 29 $have_sasl = 1; 30 } 31 if ( eval "Net::LDAP->VERSION($pref_version);" ) { 32 $works_sasl = 1; 33 } 34} 35 36# users may set defaults here 37my $base = ""; 38my $binddn = ""; 39my $password = ""; 40my $server = ""; 41my $rebind_url; 42 43 44my $tdbdump = "/usr/bin/tdbdump"; 45my $testparm = "/usr/bin/testparm"; 46my $net = "/usr/bin/net"; 47my $dig = "/usr/bin/dig"; 48my $nmblookup = "/usr/bin/nmblookup"; 49my $secrets_tdb = "/etc/samba/secrets.tdb"; 50my $klist = "/usr/bin/klist"; 51my $kinit = "/usr/bin/kinit"; 52my $workgroup = ""; 53my $machine = ""; 54my $realm = ""; 55 56# parse input 57my ( 58 $opt_asq, 59 $opt_base, 60 $opt_binddn, 61 $opt_debug, 62 $opt_display_extendeddn, 63 $opt_display_metadata, 64 $opt_display_raw, 65 $opt_domain_scope, 66 $opt_dump_rootdse, 67 $opt_dump_schema, 68 $opt_dump_wknguid, 69 $opt_fastbind, 70 $opt_help, 71 $opt_host, 72 $opt_machine, 73 $opt_notify, 74 $opt_notify_nodiffs, 75 $opt_paging, 76 $opt_password, 77 $opt_port, 78 $opt_realm, 79 $opt_saslmech, 80 $opt_search_opt, 81 $opt_scope, 82 $opt_simpleauth, 83 $opt_starttls, 84 $opt_user, 85 $opt_verbose, 86 $opt_workgroup, 87); 88 89GetOptions( 90 'asq=s' => \$opt_asq, 91 'base|b=s' => \$opt_base, 92 'D|DN=s' => \$opt_binddn, 93 'debug=i' => \$opt_debug, 94 'domain_scope' => \$opt_domain_scope, 95 'extendeddn|e:i' => \$opt_display_extendeddn, 96 'fastbind' => \$opt_fastbind, 97 'help' => \$opt_help, 98 'host|h=s' => \$opt_host, 99 'machine|P' => \$opt_machine, 100 'metadata|m' => \$opt_display_metadata, 101 'nodiffs' => \$opt_notify_nodiffs, 102 'notify|n' => \$opt_notify, 103 'paging:i' => \$opt_paging, 104 'password|w=s' => \$opt_password, 105 'port=i' => \$opt_port, 106 'rawdisplay' => \$opt_display_raw, 107 'realm|R=s' => \$opt_realm, 108 'rootDSE' => \$opt_dump_rootdse, 109 'saslmech|Y=s' => \$opt_saslmech, 110 'schema|c' => \$opt_dump_schema, 111 'scope|s=s' => \$opt_scope, 112 'searchopt:i' => \$opt_search_opt, 113 'simpleauth|x' => \$opt_simpleauth, 114 'tls|Z' => \$opt_starttls, 115 'user|U=s' => \$opt_user, 116 'verbose|v' => \$opt_verbose, 117 'wknguid' => \$opt_dump_wknguid, 118 'workgroup|k=s' => \$opt_workgroup, 119 ); 120 121 122if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) { 123 usage(); 124 exit 1; 125} 126 127if ($opt_fastbind && !$opt_simpleauth) { 128 printf("LDAP fast bind can only be performed with simple binds\n"); 129 exit 1; 130} 131 132if ($opt_notify) { 133 $opt_paging = undef; 134} 135 136# get the query 137my $query = shift; 138my @attrs = @ARGV; 139 140# some global vars 141my $filter = ""; 142my ($dse, $uri); 143my ($attr, $value); 144my (@ctrls, @ctrls_s); 145my ($ctl_paged, $cookie); 146my ($page_count, $total_entry_count); 147my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd); 148my ($mesg, $usn); 149my (%entry_store); 150my $async_search; 151 152# fixed values and vars 153my $set = "X"; 154my $unset = "-"; 155my $tabsize = "\t\t\t"; 156 157# get defaults 158my $scope = $opt_scope || "sub"; 159my $port = $opt_port; 160 161my %ads_controls = ( 162"LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528", 163"LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529", 164"LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319", 165"LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801", 166"LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473", 167"LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474", 168"LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9", 169"LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10", 170"LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure 171"LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417", 172"LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521", 173"LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619", 174"LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805", 175"LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841", 176"LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338", 177"LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339", 178"LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340", 179"LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413", 180"LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504", 181"NONE (Get stats control)" => "1.2.840.113556.1.4.970", 182"LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852", 183"LDAP_SERVER_SHUTDOWN_NOTIFY_OID" => "1.2.840.113556.1.4.1907", 184); 185 186my %ads_capabilities = ( 187"LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800", 188"LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670", 189"LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791", 190); 191 192my %ads_extensions = ( 193"LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037", 194"LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1", 195"LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781", 196"NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1", 197); 198 199my %ads_matching_rules = ( 200"LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803", 201"LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804", 202); 203 204my %wknguids = ( 205"WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD", 206"WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A", 207"WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD", 208"WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD", 209); 210 211my %ads_systemflags = ( 212"FLAG_DONT_REPLICATE" => 0x00000001, # 1 213"FLAG_REPLICATE_TO_GC" => 0x00000002, # 2 214"FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4 215"FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16 216"FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432 217"FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864 218"FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728 219#"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation 220#"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation 221#"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation 222"FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648 223); 224 225my %ads_mixed_domain = ( 226"NATIVE_LEVEL_DOMAIN" => 0, 227"MIXED_LEVEL_DOMAIN" => 1, 228); 229 230my %ads_ds_func = ( 231"DS_BEHAVIOR_WIN2000" => 0, # untested 232"DS_BEHAVIOR_WIN2003" => 2, 233"DS_BEHAVIOR_WIN2008" => 3, 234); 235 236my %ads_instance_type = ( 237"DS_INSTANCETYPE_IS_NC_HEAD" => 0x1, 238"IT_WRITE" => 0x4, 239"IT_NC_ABOVE" => 0x8, 240); 241 242my %ads_uacc = ( 243 "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0 244 "ACCOUNT_OK" => 0x800000, # 8388608 245 "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624 246); 247 248my %ads_enctypes = ( 249 "DES-CBC-CRC" => 0x01, 250 "DES-CBC-MD5" => 0x02, 251 "RC4_HMAC_MD5" => 0x04, 252 "AES128_CTS_HMAC_SHA1_96" => 0x08, 253 "AES128_CTS_HMAC_SHA1_128" => 0x10, 254); 255 256my %ads_gpoptions = ( 257 "GPOPTIONS_INHERIT" => 0, 258 "GPOPTIONS_BLOCK_INHERITANCE" => 1, 259); 260 261my %ads_gplink_opts = ( 262 "GPLINK_OPT_NONE" => 0, 263 "GPLINK_OPT_DISABLED" => 1, 264 "GPLINK_OPT_ENFORCED" => 2, 265); 266 267my %ads_gpflags = ( 268 "GPFLAGS_ALL_ENABLED" => 0, 269 "GPFLAGS_USER_SETTINGS_DISABLED" => 1, 270 "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2, 271 "GPFLAGS_ALL_DISABLED" => 3, 272); 273 274my %ads_serverstate = ( 275 "SERVER_ENABLED" => 1, 276 "SERVER_DISABLED" => 2, 277); 278 279my %ads_sdeffective = ( 280 "OWNER_SECURITY_INFORMATION" => 0x01, 281 "DACL_SECURITY_INFORMATION" => 0x04, 282 "SACL_SECURITY_INFORMATION" => 0x10, 283); 284 285my %ads_trustattrs = ( 286 "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 1, 287 "TRUST_ATTRIBUTE_TREE_PARENT" => 2, 288 "TRUST_ATTRIBUTE_TREE_ROOT" => 3, 289 "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 4, 290); 291 292my %ads_trustdirection = ( 293 "TRUST_DIRECTION_INBOUND" => 1, 294 "TRUST_DIRECTION_OUTBOUND" => 2, 295 "TRUST_DIRECTION_BIDIRECTIONAL" => 3, 296); 297 298my %ads_trusttype = ( 299 "TRUST_TYPE_DOWNLEVEL" => 1, 300 "TRUST_TYPE_UPLEVEL" => 2, 301 "TRUST_TYPE_KERBEROS" => 3, 302 "TRUST_TYPE_DCE" => 4, 303); 304 305my %ads_pwdproperties = ( 306 "DOMAIN_PASSWORD_COMPLEX" => 1, 307 "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2, 308 "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4, 309 "DOMAIN_LOCKOUT_ADMINS" => 8, 310 "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16, 311 "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32, 312); 313 314my %ads_uascompat = ( 315 "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0, 316 "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1, 317); 318 319my %ads_frstypes = ( 320 "REPLICA_SET_SYSVOL" => 2, # unsure 321 "REPLICA_SET_DFS" => 1, # unsure 322 "REPLICA_SET_OTHER" => 0, # unsure 323); 324 325my %ads_gp_cse_extensions = ( 326"Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2", 327"Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66", 328"EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", 329"Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861", 330"IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27", 331"Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B", 332"QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39", 333"Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3", 334"Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A", 335"Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7", 336); 337 338# guess work 339my %ads_gpcextensions = ( 340"Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3", 341"Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17", 342"EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", 343"Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861", 344"Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", 345"Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2", 346"Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4", 347"Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", 348"Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A", 349"unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4", 350"unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17", 351); 352 353my %ads_gpo_default_guids = ( 354"Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9", 355"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9", 356"mist" => "61718096-3D3F-4398-8318-203A48976F9E", 357); 358 359my %ads_uf = ( 360 "UF_SCRIPT" => 0x00000001, 361 "UF_ACCOUNTDISABLE" => 0x00000002, 362# "UF_UNUSED_1" => 0x00000004, 363 "UF_HOMEDIR_REQUIRED" => 0x00000008, 364 "UF_LOCKOUT" => 0x00000010, 365 "UF_PASSWD_NOTREQD" => 0x00000020, 366 "UF_PASSWD_CANT_CHANGE" => 0x00000040, 367 "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" => 0x00000080, 368 "UF_TEMP_DUPLICATE_ACCOUNT" => 0x00000100, 369 "UF_NORMAL_ACCOUNT" => 0x00000200, 370# "UF_UNUSED_2" => 0x00000400, 371 "UF_INTERDOMAIN_TRUST_ACCOUNT" => 0x00000800, 372 "UF_WORKSTATION_TRUST_ACCOUNT" => 0x00001000, 373 "UF_SERVER_TRUST_ACCOUNT" => 0x00002000, 374# "UF_UNUSED_3" => 0x00004000, 375# "UF_UNUSED_4" => 0x00008000, 376 "UF_DONT_EXPIRE_PASSWD" => 0x00010000, 377 "UF_MNS_LOGON_ACCOUNT" => 0x00020000, 378 "UF_SMARTCARD_REQUIRED" => 0x00040000, 379 "UF_TRUSTED_FOR_DELEGATION" => 0x00080000, 380 "UF_NOT_DELEGATED" => 0x00100000, 381 "UF_USE_DES_KEY_ONLY" => 0x00200000, 382 "UF_DONT_REQUIRE_PREAUTH" => 0x00400000, 383 "UF_PASSWORD_EXPIRED" => 0x00800000, 384 "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" => 0x01000000, 385 "UF_NO_AUTH_DATA_REQUIRED" => 0x02000000, 386# "UF_UNUSED_8" => 0x04000000, 387# "UF_UNUSED_9" => 0x08000000, 388# "UF_UNUSED_10" => 0x10000000, 389# "UF_UNUSED_11" => 0x20000000, 390# "UF_UNUSED_12" => 0x40000000, 391# "UF_UNUSED_13" => 0x80000000, 392); 393 394my %ads_grouptype = ( 395 "GROUP_TYPE_BUILTIN_LOCAL_GROUP" => 0x00000001, 396 "GROUP_TYPE_ACCOUNT_GROUP" => 0x00000002, 397 "GROUP_TYPE_RESOURCE_GROUP" => 0x00000004, 398 "GROUP_TYPE_UNIVERSAL_GROUP" => 0x00000008, 399 "GROUP_TYPE_APP_BASIC_GROUP" => 0x00000010, 400 "GROUP_TYPE_APP_QUERY_GROUP" => 0x00000020, 401 "GROUP_TYPE_SECURITY_ENABLED" => 0x80000000, 402); 403 404my %ads_atype = ( 405 "ATYPE_NORMAL_ACCOUNT" => 0x30000000, 406 "ATYPE_WORKSTATION_TRUST" => 0x30000001, 407 "ATYPE_INTERDOMAIN_TRUST" => 0x30000002, 408 "ATYPE_SECURITY_GLOBAL_GROUP" => 0x10000000, 409 "ATYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x10000001, 410 "ATYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x10000001, # ATYPE_DISTRIBUTION_GLOBAL_GROUP 411 "ATYPE_SECURITY_LOCAL_GROUP" => 0x20000000, 412 "ATYPE_DISTRIBUTION_LOCAL_GROUP" => 0x20000001, 413 "ATYPE_ACCOUNT" => 0x30000000, # ATYPE_NORMAL_ACCOUNT 414 "ATYPE_GLOBAL_GROUP" => 0x10000000, # ATYPE_SECURITY_GLOBAL_GROUP 415 "ATYPE_LOCAL_GROUP" => 0x20000000, # ATYPE_SECURITY_LOCAL_GROUP 416); 417 418my %ads_gtype = ( 419 "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP" => 0x80000005, 420 "GTYPE_SECURITY_DOMAIN_LOCAL_GROUP" => 0x80000004, 421 "GTYPE_SECURITY_GLOBAL_GROUP" => 0x80000002, 422 "GTYPE_SECURITY_UNIVERSAL_GROUP" => 0x80000008, 423 "GTYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x00000002, 424 "GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP" => 0x00000004, 425 "GTYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x00000008, 426); 427 428my %munged_dial = ( 429 "CtxCfgPresent" => \&dump_int, 430 "CtxCfgFlags1" => \&dump_int, 431 "CtxCallback" => \&dump_string, 432 "CtxShadow" => \&dump_string, 433 "CtxMaxConnectionTime" => \&dump_int, 434 "CtxMaxDisconnectionTime"=> \&dump_int, 435 "CtxMaxIdleTime" => \&dump_int, 436 "CtxKeyboardLayout" => \&dump_int, 437 "CtxMinEncryptionLevel" => \&dump_int, 438 "CtxWorkDirectory" => \&dump_string, 439 "CtxNWLogonServer" => \&dump_string, 440 "CtxWFHomeDir" => \&dump_string, 441 "CtxWFHomeDirDrive" => \&dump_string, 442 "CtxWFProfilePath" => \&dump_string, 443 "CtxInitialProgram" => \&dump_string, 444 "CtxCallbackNumber" => \&dump_string, 445); 446 447$SIG{__WARN__} = sub { 448 use Carp; 449 Carp::cluck (shift); 450}; 451 452# if there is data missing, we try to autodetect with samba-tools (if installed) 453# this might fill up workgroup, machine, realm 454get_samba_info(); 455 456# get a workgroup 457$workgroup = $workgroup || $opt_workgroup || ""; 458 459# get the server 460$server = process_servername($opt_host) || 461 detect_server($workgroup,$opt_realm) || 462 die "please define server to query with -h host\n"; 463 464 465# get the base 466$base = defined($opt_base)? $opt_base : "" || 467 get_base_from_rootdse($server,$dse); 468 469# get the realm 470$realm = $opt_realm || 471 get_realm_from_rootdse($server,$dse); 472 473# get sasl mechs 474my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse); 475my $sasl_mech = "GSSAPI"; 476if ($opt_saslmech) { 477 $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):""); 478} 479 480# set bind type 481my $sasl_bind = 1 if (!$opt_simpleauth); 482 483# get username 484my $user = check_user($opt_user) || $ENV{'USER'} || ""; 485 486# gen upn 487my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm)); 488 489# get binddn 490$binddn = $opt_binddn || $upn; 491 492# get the password 493$password = $password || $opt_password; 494if (!$password) { 495 $password = $opt_machine ? get_machine_password($workgroup) : get_password(); 496} 497 498my %attr_handler = ( 499 "Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name 500 "accountExpires" => \&dump_nttime, 501 "attributeSecurityGUID" => \&dump_guid, 502 "badPasswordTime" => \&dump_nttime, 503 "creationTime" => \&dump_nttime, 504 "currentTime" => \&dump_timestr, 505 "domainControllerFunctionality" => \&dump_ds_func, 506 "domainFunctionality" => \&dump_ds_func, 507 "fRSReplicaSetGUID" => \&dump_guid, 508 "fRSReplicaSetType" => \&dump_frstype, 509 "fRSVersionGUID" => \&dump_guid, 510 "flags" => \&dump_gpflags, # fixme: possibly only on gpos! 511 "forceLogoff" => \&dump_nttime_abs, 512 "forestFunctionality" => \&dump_ds_func, 513# "gPCMachineExtensionNames" => \&dump_gpcextensions, 514# "gPCUserExtensionNames" => \&dump_gpcextensions, 515 "gPLink" => \&dump_gplink, 516 "gPOptions" => \&dump_gpoptions, 517 "groupType" => \&dump_gtype, 518 "instanceType" => \&dump_instance_type, 519 "lastLogon" => \&dump_nttime, 520 "lastLogonTimestamp" => \&dump_nttime, 521 "lastSetTime" => \&dump_nttime, 522 "lockOutObservationWindow" => \&dump_nttime_abs, 523 "lockoutDuration" => \&dump_nttime_abs, 524 "lockoutTime" => \&dump_nttime, 525# "logonHours" => \&dump_logonhours, 526 "maxPwdAge" => \&dump_nttime_abs, 527 "minPwdAge" => \&dump_nttime_abs, 528 "modifyTimeStamp" => \&dump_timestr, 529 "msDS-Behavior-Version" => \&dump_ds_func, #unsure 530 "msDS-User-Account-Control-Computed" => \&dump_uacc, 531 "msDS-SupportedEncryptionTypes" => \&dump_enctypes, 532 "mS-DS-CreatorSID" => \&dump_sid, 533# "msRADIUSFramedIPAddress" => \&dump_ipaddr, 534# "msRASSavedFramedIPAddress" => \&dump_ipaddr, 535 "netbootGUID" => \&dump_guid, 536 "nTMixedDomain" => \&dump_mixed_domain, 537 "nTSecurityDescriptor" => \&dump_secdesc, 538 "objectGUID" => \&dump_guid, 539 "objectSid" => \&dump_sid, 540 "pKT" => \&dump_pkt, 541 "pKTGuid" => \&dump_guid, 542 "priorSetTime" => \&dump_nttime, 543 "pwdLastSet" => \&dump_nttime, 544 "pwdProperties" => \&dump_pwdproperties, 545 "sAMAccountType" => \&dump_atype, 546 "schemaIDGUID" => \&dump_guid, 547 "sDRightsEffective" => \&dump_sdeffective, 548 "securityIdentifier" => \&dump_sid, 549 "serverState" => \&dump_serverstate, 550 "supportedCapabilities", => \&dump_capabilities, 551 "supportedControl", => \&dump_controls, 552 "supportedExtension", => \&dump_extension, 553 "systemFlags" => \&dump_systemflags, 554 "tokenGroups", => \&dump_sid, 555 "tokenGroupsGlobalAndUniversal" => \&dump_sid, 556 "tokenGroupsNoGCAcceptable" => \&dump_sid, 557 "trustAttributes" => \&dump_trustattr, 558 "trustDirection" => \&dump_trustdirection, 559 "trustType" => \&dump_trusttype, 560 "uASCompat" => \&dump_uascompat, 561 "userAccountControl" => \&dump_uac, 562 "userCertificate" => \&dump_cert, 563 "userFlags" => \&dump_uf, 564 "userParameters" => \&dump_munged_dial, 565 "whenChanged" => \&dump_timestr, 566 "whenCreated" => \&dump_timestr, 567# "dSCorePropagationData" => \&dump_timestr, 568); 569 570 571 572################ 573# subfunctions # 574################ 575 576sub usage { 577 print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n"; 578 print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n"; 579 print "\t--base|-b [base]\n\t\tUse base [base]\n"; 580 print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n"; 581 print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n"; 582 print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n"; 583 print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n"; 584 print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n"; 585 print "\t--help\n\t\tDisplay help page\n"; 586 print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n"; 587 print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n"; 588 print "\t--metdata|-m\n\t\tDisplay replication metadata\n"; 589 print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n"; 590 print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n"; 591 print "\t--paging [pagesize]\n\t\tUse paged results when searching\n"; 592 print "\t--password|-w [password]\n\t\tUse [password] for binddn\n"; 593 print "\t--port [port]\n\t\tUse [port] when connecting ADS\n"; 594 print "\t--rawdisplay\n\t\tDo not interpret values\n"; 595 print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n"; 596 print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n"; 597 print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n"; 598 print "\t--schema|-c\n\t\tDisplay DSE-Schema\n"; 599 print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n"; 600 print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n"; 601 print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n"; 602 print "\t--user|-U [user]\n\t\tUse [user]\n"; 603 print "\t--wknguid\n\t\tDisplay well known guids\n"; 604 print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n"; 605} 606 607sub write_ads_list { 608 my ($mod,$attr,$value) = @_; 609 my $ofh = select(STDOUT); 610 $~ = "ADS_LIST"; 611 select($ofh); 612 write(); 613 614format ADS_LIST = 615@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @* 616$mod, $attr, $value 617. 618} 619 620sub write_ads { 621 my ($mod,$attr,$value) = @_; 622 my $ofh = select(STDOUT); 623 $~ = "ADS"; 624 select($ofh); 625 write(); 626 627format ADS = 628@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 629$mod, $attr, $value 630~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< 631 $value 632. 633} 634 635sub detect_server { 636 637 my $workgroup = shift; 638 my $realm = shift; 639 my $result; 640 my $found; 641 642 # try net cache (nbt records) 643 if ( -x $net && $workgroup ) { 644 my $key = sprintf("NBT/%s#1C", uc($workgroup)); 645 chomp($result = `$net cache search $key 2>&1 /dev/null`); 646 $result =~ s/^.*Value: //; 647 $result =~ s/:.*//; 648 return $result if $result; 649 printf("%10s query failed for [%s]\n", "net cache", $key); 650 } 651 652 # try dns SRV entries 653 if ( -x $dig && $realm ) { 654 my $key = sprintf("_ldap._tcp.%s", lc($realm)); 655 chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`); 656 $result =~ s/.* //g; 657 $result =~ s/.$//g; 658 return $result if $result; 659 printf("%10s query failed for [%s]\n", "dns", $key); 660 } 661 662 # try netbios broadcast query 663 if ( -x $nmblookup && $workgroup ) { 664 my $key = sprintf("%s#1C", uc($workgroup)); 665 my $pattern = sprintf("%s<1c>", uc($workgroup)); 666 chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`); 667 $result =~ s/\s.*//; 668 return $result if $result; 669 printf("%10s query failed for [%s]\n", "nmblookup", $key); 670 } 671 672 return ""; 673} 674 675sub get_samba_info { 676 677 if (! -x $testparm) { return -1; } 678 679 my $tmp; 680 open(TESTPARM, "$testparm -s -v 2> /dev/null |"); 681 while (my $line = <TESTPARM>) { 682 chomp($line); 683 if ($line =~ /netbios name/) { 684 ($tmp, $machine) = split(/=/, $line); 685 $machine =~ s/\s+|\t+//g; 686 } 687 if ($line =~ /realm/) { 688 ($tmp, $realm) = split(/=/, $line); 689 $realm =~ s/\s+|\t+//g; 690 } 691 if ($line =~ /workgroup/) { 692 ($tmp, $workgroup) = split(/=/, $line); 693 $workgroup =~ s/\s+|\t+//g; 694 } 695 } 696 close(TESTPARM); 697 return 0; 698} 699 700sub gen_upn { 701 my $machine = shift; 702 my $realm = shift; 703 if ($machine && $realm) { 704 return sprintf("%s\@%s", lc($machine), uc($realm)); 705 }; 706 return undef; 707} 708 709sub get_password { 710 if (!$password && $opt_simpleauth && check_ticket($user)) { 711 return prompt_password($user); 712 } 713 return ""; 714} 715 716sub get_user { 717 my $user = shift || prompt_user(); 718 return $user; 719} 720 721sub get_machine_password { 722 723 my $workgroup = shift || ""; 724 $workgroup = uc($workgroup); 725 726 my ($found, $tmp); 727 -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n"; 728 -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n"; 729 730 # get machine-password 731 my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup); 732 open(SECRETS,"$tdbdump $secrets_tdb |"); 733 while(my $line = <SECRETS>) { 734 chomp($line); 735 if ($found) { 736 $line =~ s/\\00//; 737 ($line,$password) = split(/"/, $line); 738 last; 739 } 740 if ($line =~ /\"$key\"/) { 741 $found = 1; 742 } 743 } 744 close(SECRETS); 745 746 if ($found) { 747 print "Successfully autodetected machine password for workgroup: $workgroup\n"; 748 return $password; 749 } else { 750 warn "No machine password available for $workgroup\n"; 751 } 752 return ""; 753} 754 755sub prompt_password { 756 757 my $acct = shift || ""; 758 if ($acct =~ /\%/) { 759 ($acct, $password) = split(/\%/, $acct); 760 return $password; 761 } 762 system "stty -echo"; 763 print "Enter password for $acct:"; 764 my $password = <STDIN>; 765 chomp($password); 766 print "\n"; 767 system "stty echo"; 768 return $password; 769} 770 771sub prompt_user { 772 773 print "Enter Username:"; 774 my $user = <STDIN>; 775 chomp($user); 776 print "\n"; 777 return $user; 778} 779 780sub check_ticket { 781 return 0; 782 # works only for heimdal 783 return system("$klist -t"); 784} 785 786sub get_ticket { 787 788 my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<"; 789 790 open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG"; 791 printf KRB5CONF "# autogenerated by $0\n"; 792 printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60; 793 printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server; 794 close(KRB5CONF); 795 796 if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) { 797 return -1; 798 } 799 800 return 0; 801} 802 803sub check_user { 804 my $acct = shift || ""; 805 if ($acct =~ /\%/) { 806 ($acct, $password) = split(/\%/, $acct); 807 } 808 return $acct; 809} 810 811sub check_root_dse($$$@) { 812 813 # bogus function?? 814 my $server = shift || ""; 815 $dse = shift || get_dse($server) || return -1; 816 my $attr = shift || die "unknown query"; 817 my @array = @_; 818 819 my $dse_list = $dse->get_value($attr, asref => '1'); 820 my @dse_array = @$dse_list; 821 822 foreach my $i (@array) { 823 # we could use -> supported_control but this 824 # is only available in newer versions of perl-ldap 825# if ( ! $dse->supported_control( $i ) ) { 826 if ( grep(/$i->type()/, @dse_array) ) { 827 printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type()); 828 return -1; 829 } 830 } 831 return 0; 832} 833 834sub check_ctrls ($$@) { 835 my $server = shift; 836 my $dse = shift; 837 my @array = @_; 838 return check_root_dse($server, $dse, "supportedControl", @array); 839} 840 841sub check_exts ($$@) { 842 my $server = shift; 843 my $dse = shift; 844 my @array = @_; 845 return check_root_dse($server, $dse, "supportedExtension", @array); 846} 847 848sub get_base_from_rootdse { 849 850 my $server = shift || ""; 851 $dse = shift || get_dse($server,$async_ldap_hd) || return -1; 852 return $dse->get_value($opt_dump_schema ? 'schemaNamingContext': 853 'defaultNamingContext'); 854} 855 856sub get_realm_from_rootdse { 857 858 my $server = shift || ""; 859 $dse = shift || get_dse($server,$async_ldap_hd) || return -1; 860 my $service = $dse->get_value('ldapServiceName') || ""; 861 if ($service) { 862 my ($t,$realm) = split(/\@/, $service); 863 return $realm; 864 } else { 865 die "very odd: could not get realm"; 866 } 867} 868 869sub get_sasl_mechs_from_rootdse { 870 871 my $server = shift || ""; 872 $dse = shift || get_dse($server,$async_ldap_hd) || return -1; 873 my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1); 874 return @$mechs; 875} 876 877sub get_dse { 878 879 my $server = shift || return undef; 880 $async_ldap_hd = shift || get_ldap_hd($server,1); 881 if (!$async_ldap_hd) { 882 print "oh, no connection\n"; 883 return undef; 884 } 885 my $mesg = $async_ldap_hd->bind() || die "cannot bind\n"; 886 if ($mesg->code) { die "failed to bind\n"; }; 887 my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] ); 888 889 return $dse; 890} 891 892sub process_servername { 893 894 my $name = shift || return ""; 895 if ($name =~ /^ldaps:\/\//i ) { 896 $name =~ s#^ldaps://##i; 897 $uri = sprintf("%s://%s", "ldaps", $name); 898 } else { 899 $name =~ s#^ldap://##i; 900 $uri = sprintf("%s://%s", "ldap", $name); 901 } 902 return $name; 903} 904 905sub get_ldap_hd { 906 907 my $server = shift || return undef; 908 my $async = shift || "0"; 909 my $hd; 910 die "uri unavailable" if (!$uri); 911 if ($uri =~ /^ldaps:\/\//i ) { 912 $port = $port || 636; 913 use Net::LDAPS; 914 $hd = Net::LDAPS->new( $server, async => $async, port => $port ) || 915 die "host $server not available: $!"; 916 } else { 917 $port = $port || 389; 918 $hd = Net::LDAP->new( $server, async => $async, port => $port ) || 919 die "host $server not available: $!"; 920 } 921 $hd->debug($opt_debug); 922 if ($opt_starttls) { 923 $hd->start_tls( verify => 'none' ); 924 } 925 926 return $hd; 927} 928 929sub get_sasl_hd { 930 931 if (!$have_sasl) { 932 print "no sasl support\n"; 933 return undef; 934 } 935 936 my $hd; 937 if ($sasl_mech && $sasl_mech eq "GSSAPI") { 938 my $user = sprintf("%s\@%s", $user, uc($realm)); 939 if (check_ticket($user) != 0 && get_ticket($user) != 0) { 940 print "Could not get Kerberos ticket for user [$user]\n"; 941 return undef; 942 } 943 944 $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope"; 945 my $conn = $hd->client_new("ldap", $server); 946 947 if ($conn->code == -1) { 948 printf "%s\n", $conn->error(); 949 return undef; 950 }; 951 952 } elsif ($sasl_mech) { 953 954 # here comes generic sasl code 955 $hd = Authen::SASL->new( mechanism => $sasl_mech, 956 callback => { 957 user => \&get_user, 958 pass => \&get_password 959 } 960 ) || die "nope"; 961 } else { 962 $sasl_bind = 0; 963 print "no supported SASL mechanism found (@sasl_mechs).\n"; 964 print "falling back to simple bind.\n"; 965 return undef; 966 } 967 968 return $hd; 969} 970 971sub check_sasl_mech { 972 my $mech_check = shift; 973 my $have_mech = 0; 974 foreach my $mech (@sasl_mechs) { 975 $have_mech = 1 if ($mech eq uc($mech_check)); 976 } 977 if (!$have_mech) { 978 return -1; 979 } 980 return 0; 981} 982 983sub store_result ($) { 984 985 my $entry = shift; 986 return if (!$entry); 987 $entry_store{$entry->dn} = $entry; 988} 989 990sub display_result_diff ($) { 991 992 my $entry_new = shift; 993 return if ( !$entry_new); 994 995 if ( !exists $entry_store{$entry_new->dn}) { 996 print "can't display any differences yet. full dump...\n"; 997 display_entry_generic($entry_new); 998 return; 999 } 1000 1001 my $entry_old = $entry_store{$entry_new->dn}; 1002 1003 foreach my $attr (sort $entry_new->attributes) { 1004 if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) { 1005 display_attr_generic("add:\t", $entry_new, $attr); 1006 next; 1007 } 1008 } 1009 1010 foreach my $attr (sort $entry_old->attributes) { 1011 if (! $entry_new->exists($attr) && $entry_old->exists($attr)) { 1012 display_attr_generic("del:\t", $entry_old, $attr); 1013 next; 1014 } 1015 1016 # now check for all values if they have changed, display changes 1017 my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new); 1018 1019 $old_vals = $entry_old->get_value($attr, asref => 1); 1020 @old_vals = @$old_vals; 1021 $new_vals = $entry_new->get_value($attr, asref => 1); 1022 @new_vals = @$new_vals; 1023 1024 if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) { 1025 if ($old_vals[0] ne $new_vals[0]) { 1026 display_attr_generic("old:\t", $entry_old, $attr); 1027 display_attr_generic("new:\t", $entry_new, $attr); 1028 } 1029 next; 1030 } 1031 1032 # handle multivalued diffs 1033 foreach my $val (@old_vals) { $old{$val} = "dummy"; }; 1034 foreach my $val (@new_vals) { $new{$val} = "dummy"; }; 1035 foreach my $val (sort keys %new) { 1036 if (!exists $old{$val}) { 1037 display_value_generic("add:\t", $attr, $val); 1038 } 1039 } 1040 foreach my $val (sort keys %old) { 1041 if (!exists $new{$val}) { 1042 display_value_generic("del:\t", $attr, $val); 1043 } 1044 } 1045 } 1046 print "\n"; 1047 1048} 1049 1050sub sid2string ($) { 1051 1052 # Fix from Michael James <michael@james.st> 1053 my $binary_sid = shift; 1054 my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid); 1055 my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids); 1056 return $sid_string; 1057 1058} 1059 1060sub string_to_guid { 1061 my $string = shift; 1062 return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i; 1063 1064 return pack("I", hex $1) . 1065 pack("S", hex $2) . 1066 pack("S", hex $3) . 1067 pack("C", hex $4) . 1068 pack("C", hex $5) . 1069 pack("C", hex $6) . 1070 pack("C", hex $7) . 1071 pack("C", hex $8) . 1072 pack("C", hex $9) . 1073 pack("C", hex $10) . 1074 pack("C", hex $11); 1075 1076# print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n"; 1077} 1078 1079sub bindstring_to_guid { 1080 my $str = shift; 1081 return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2", 1082 substr($str,0,2), 1083 substr($str,2,2), 1084 substr($str,4,2), 1085 substr($str,6,2), 1086 substr($str,8,2), 1087 substr($str,10,2), 1088 substr($str,12,2), 1089 substr($str,14,2), 1090 substr($str,16,2), 1091 substr($str,18,2), 1092 substr($str,20,2), 1093 substr($str,22,2), 1094 substr($str,24,2), 1095 substr($str,26,2), 1096 substr($str,28,2), 1097 substr($str,30,2)); 1098} 1099 1100sub guid_to_string { 1101 my $guid = shift; 1102 my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", 1103 unpack("I", $guid), 1104 unpack("S", substr($guid, 4, 2)), 1105 unpack("S", substr($guid, 6, 2)), 1106 unpack("C", substr($guid, 8, 1)), 1107 unpack("C", substr($guid, 9, 1)), 1108 unpack("C", substr($guid, 10, 1)), 1109 unpack("C", substr($guid, 11, 1)), 1110 unpack("C", substr($guid, 12, 1)), 1111 unpack("C", substr($guid, 13, 1)), 1112 unpack("C", substr($guid, 14, 1)), 1113 unpack("C", substr($guid, 15, 1)); 1114 return lc($string); 1115} 1116 1117sub guid_to_bindstring { 1118 my $guid = shift; 1119 return unpack("H" . 2 * length($guid), $guid), 1120} 1121 1122sub dump_wknguid { 1123 print "Dumping Well known GUIDs:\n"; 1124 foreach my $wknguid (keys %wknguids) { 1125 1126 my $guid = bindstring_to_guid($wknguids{$wknguid}); 1127 my $str = guid_to_string($guid); 1128 my $back = guid_to_bindstring($guid); 1129 1130 printf "wkguid: %s\n", $wknguid; 1131 printf "bind_string format: %s\n", $wknguids{$wknguid}; 1132 printf "string format: %s\n", guid_to_string($guid); 1133 printf "back to bind_string:%s\n", guid_to_bindstring($guid); 1134 1135 printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base; 1136 } 1137} 1138 1139sub gen_bitmask_string_format($%) { 1140 my $mod = shift; 1141 my (%tmp) = @_; 1142 my @list; 1143 foreach my $key (sort keys %tmp) { 1144 push(@list, sprintf("%s %s", $tmp{$key}, $key)); 1145 } 1146 return join("\n$mod$tabsize",@list); 1147} 1148 1149 1150sub nt_to_unixtime ($) { 1151 # the number of 100 nanosecond intervals since jan. 1. 1601 (utc) 1152 my $t64 = shift; 1153 $t64 =~ s/(.+).{7,7}/$1/; 1154 $t64 -= 11644473600; 1155 return $t64; 1156} 1157 1158sub dump_equal { 1159 my $val = shift; 1160 my $mod = shift || die "no mod"; 1161 my (%header) = @_; 1162 my %tmp; 1163 my $found = 0; 1164 foreach my $key (keys %header) { 1165 if ($header{$key} eq $val) { 1166 $tmp{"($val)"} = $key; 1167 $found = 1; 1168 last; 1169 } 1170 } 1171 if (!$found) { $tmp{$val} = ""; }; 1172 return gen_bitmask_string_format($mod,%tmp); 1173} 1174 1175sub dump_bitmask { 1176 my $op = shift || die "no op"; 1177 my $val = shift; 1178 my $mod = shift || die "no mod"; 1179 my (%header) = @_; 1180 my %tmp; 1181 $tmp{""} = sprintf("%s (0x%08x)", $val, $val); 1182 foreach my $key (sort keys %header) { # sort by val ! 1183 my $val_hex = sprintf("0x%08x", $header{$key}); 1184 if ($op eq "&") { 1185 $tmp{"$key ($val_hex)"} = ( $val & $header{$key} ) ? $set:$unset; 1186 } elsif ($op eq "==") { 1187 $tmp{"$key ($val_hex)"} = ( $val == $header{$key} ) ? $set:$unset; 1188 } else { 1189 print "unknown operator: $op\n"; 1190 return; 1191 } 1192 } 1193 return gen_bitmask_string_format($mod,%tmp); 1194} 1195 1196sub dump_bitmask_and { 1197 return dump_bitmask("&",@_); 1198} 1199 1200sub dump_bitmask_equal { 1201 return dump_bitmask("==",@_); 1202} 1203 1204sub dump_uac { 1205 return dump_bitmask_and(@_,%ads_uf); # ads_uf ? 1206} 1207 1208sub dump_uascompat { 1209 return dump_bitmask_equal(@_,%ads_uascompat); 1210} 1211 1212sub dump_gpoptions { 1213 return dump_bitmask_equal(@_,%ads_gpoptions); 1214} 1215 1216sub dump_gpflags { 1217 return dump_bitmask_equal(@_,%ads_gpflags); 1218} 1219 1220sub dump_uacc { 1221 return dump_bitmask_equal(@_,%ads_uacc); 1222} 1223 1224sub dump_enctypes { 1225 return dump_bitmask_and(@_,%ads_enctypes); 1226} 1227 1228sub dump_uf { 1229 return dump_bitmask_and(@_,%ads_uf); 1230} 1231 1232sub dump_gtype { 1233 my $ret = dump_bitmask_and(@_,%ads_grouptype); 1234 $ret .= "\n$tabsize\t"; 1235 $ret .= dump_bitmask_equal(@_,%ads_gtype); 1236 return $ret; 1237} 1238 1239sub dump_atype { 1240 return dump_bitmask_equal(@_,%ads_atype); 1241} 1242 1243sub dump_controls { 1244 return dump_equal(@_,%ads_controls); 1245} 1246 1247sub dump_capabilities { 1248 return dump_equal(@_,%ads_capabilities); 1249} 1250 1251sub dump_extension { 1252 return dump_equal(@_,%ads_extensions); 1253} 1254 1255sub dump_systemflags { 1256 return dump_bitmask_and(@_,%ads_systemflags); 1257} 1258 1259sub dump_instance_type { 1260 return dump_bitmask_and(@_,%ads_instance_type); 1261} 1262 1263sub dump_ds_func { 1264 return dump_bitmask_equal(@_,%ads_ds_func); 1265} 1266 1267sub dump_serverstate { 1268 return dump_bitmask_equal(@_,%ads_serverstate); 1269} 1270 1271sub dump_sdeffective { 1272 return dump_bitmask_and(@_,%ads_sdeffective); 1273} 1274 1275sub dump_trustattr { 1276 return dump_bitmask_equal(@_,%ads_trustattrs); 1277} 1278 1279sub dump_trusttype { 1280 return dump_bitmask_equal(@_,%ads_trusttype); 1281} 1282 1283sub dump_trustdirection { 1284 return dump_bitmask_equal(@_,%ads_trustdirection); 1285} 1286 1287sub dump_pwdproperties { 1288 return dump_bitmask_and(@_,%ads_pwdproperties); 1289} 1290 1291sub dump_frstype { 1292 return dump_bitmask_equal(@_,%ads_frstypes) 1293} 1294 1295sub dump_mixed_domain { 1296 return dump_bitmask_equal(@_,%ads_mixed_domain); 1297} 1298 1299sub dump_sid { 1300 my $bin_sid = shift; 1301 return sid2string($bin_sid); 1302} 1303 1304sub dump_guid { 1305 my $guid = shift; 1306 return guid_to_string($guid); 1307} 1308 1309sub dump_secdesc { 1310 my $val = shift; 1311 return "FIXME: write sddl-converter!"; 1312} 1313 1314sub dump_nttime { 1315 my $nttime = shift; 1316 if ($nttime == 0) { 1317 return sprintf("%s (%s)", "never", $nttime); 1318 } 1319 my $localtime = localtime(nt_to_unixtime($nttime)); 1320 return sprintf("%s (%s)", $localtime, $nttime); 1321} 1322 1323sub dump_nttime_abs { 1324 if ($_[0] == 9223372036854775807) { 1325 return sprintf("%s (%s)", "now", $_[0]); 1326 } 1327 if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF 1328 return sprintf("%s (%s)", "never", $_[0]); 1329 } 1330 # FIXME: actually *do* abs time ! 1331 return dump_nttime($_[0]); 1332} 1333 1334sub dump_timestr { 1335 my $time = shift; 1336 if ($time eq "16010101000010.0Z") { 1337 return sprintf("%s (%s)", "never", $time); 1338 } 1339 my ($year,$mon,$mday,$hour,$min,$sec,$zone) = 1340 unpack('a4 a2 a2 a2 a2 a2 a4', $time); 1341 $mon -= 1; 1342 my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year)); 1343 return sprintf("%s (%s)", $localtime, $time); 1344} 1345 1346sub dump_string { 1347 return $_[0]; 1348} 1349 1350sub dump_int { 1351 return sprintf("%d", $_[0]); 1352} 1353 1354sub dump_munged_dial { 1355 my $dial = shift; 1356 return "FIXME! decode this"; 1357} 1358 1359sub dump_cert { 1360 1361 my $cert = shift; 1362 open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der"); 1363 print OPENSSL $cert; 1364 close(OPENSSL); 1365 return ""; 1366} 1367 1368sub dump_pkt { 1369 my $pkt = shift; 1370 return "not yet"; 1371 printf("%s: ", $pkt); 1372 printf("%02X", $pkt); 1373 1374} 1375 1376sub dump_gplink { 1377 1378 my $gplink = shift; 1379 my $gplink_mod = $gplink; 1380 my @links = split("\\]\\[", $gplink_mod); 1381 foreach my $link (@links) { 1382 $link =~ s/^\[|\]$//g; 1383 my ($ldap_link, $opt) = split(";", $link); 1384 my @array = ( "$opt", "\t" ); 1385 printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts)); 1386 } 1387 return $gplink; 1388} 1389 1390sub construct_filter { 1391 1392 my $tmp = shift; 1393 1394 if (!$tmp || $opt_notify) { 1395 return "(objectclass=*)"; 1396 } 1397 1398 if ($tmp && $tmp !~ /^.*\=/) { 1399 return "(ANR=$tmp)"; 1400 } 1401 1402 return $tmp; 1403 # (&(objectCategory=person) 1404 # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2)) 1405} 1406 1407sub construct_attrs { 1408 1409 my @attrs = @_; 1410 1411 if (!@attrs) { 1412 push(@attrs,"*"); 1413 } 1414 1415 if ($opt_notify) { 1416 push(@attrs,"uSNChanged"); 1417 } 1418 1419 if ($opt_display_metadata) { 1420 push(@attrs,"msDS-ReplAttributeMetaData"); 1421 push(@attrs,"replPropertyMetaData"); 1422 } 1423 1424 if ($opt_verbose) { 1425 push(@attrs,"nTSecurityDescriptor"); 1426 push(@attrs,"msDS-KeyVersionNumber"); 1427 push(@attrs,"msDS-User-Account-Control-Computed"); 1428 push(@attrs,"modifyTimeStamp"); 1429 } 1430 1431 return sort @attrs; 1432} 1433 1434sub print_header { 1435 1436 print "\n"; 1437 printf "%10s: %s\n", "uri", $uri; 1438 printf "%10s: %s\n", "port", $port; 1439 printf "%10s: %s\n", "base", $base; 1440 printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn; 1441 printf "%10s: %s\n", "password", $password; 1442 printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple"; 1443 printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech); 1444 printf "%10s: %s\n", "filter", $filter; 1445 printf "%10s: %s\n", "scope", $scope; 1446 printf "%10s: %s\n", "attrs", join(", ", @attrs); 1447 printf "%10s: %s\n", "controls", join(", ", @ctrls_s); 1448 printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging); 1449 printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no"; 1450 printf "\n"; 1451} 1452 1453sub gen_controls { 1454 1455 # setup attribute-scoped query control 1456 my $asq_asn = Convert::ASN1->new; 1457 $asq_asn->prepare( 1458 q< asq ::= SEQUENCE { 1459 sourceAttribute OCTET_STRING 1460 } 1461 > 1462 ); 1463 my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq); 1464 my $ctl_asq = Net::LDAP::Control->new( 1465 type => $ads_controls{'LDAP_SERVER_ASQ_OID'}, 1466 critical => 'true', 1467 value => $ctl_asq_val); 1468 1469 1470 # setup extended dn control 1471 my $asn_extended_dn = Convert::ASN1->new; 1472 $asn_extended_dn->prepare( 1473 q< ExtendedDn ::= SEQUENCE { 1474 mode INTEGER 1475 } 1476 > 1477 ); 1478 1479 # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val 1480 my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn); 1481 my $ctl_extended_dn = Net::LDAP::Control->new( 1482 type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'}, 1483 critical => 'true', 1484 value => $opt_display_extendeddn ? $ctl_extended_dn_val : ""); 1485 1486 # setup search options 1487 my $search_opt = Convert::ASN1->new; 1488 $search_opt->prepare( 1489 q< searchopt ::= SEQUENCE { 1490 flags INTEGER 1491 } 1492 > 1493 ); 1494 1495 my $tmp = $search_opt->encode( flags => $opt_search_opt); 1496 my $ctl_search_opt = Net::LDAP::Control->new( 1497 type => $ads_controls{'LDAP_SERVER_SEARCH_OPTIONS_OID'}, 1498 critical => 'true', 1499 value => $tmp); 1500 1501 # setup notify control 1502 my $ctl_notification = Net::LDAP::Control->new( 1503 type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'}, 1504 critical => 'true'); 1505 1506 1507 # setup paging control 1508 $ctl_paged = Net::LDAP::Control->new( 1509 type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'}, 1510 critical => 'true', 1511 size => $opt_paging ? $opt_paging : 1000); 1512 1513 # setup domscope control 1514 my $ctl_domscope = Net::LDAP::Control->new( 1515 type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'}, 1516 critical => 'true', 1517 value => ""); 1518 1519 if (defined($opt_paging) || $opt_dump_schema) { 1520 push(@ctrls, $ctl_paged); 1521 push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" ); 1522 } 1523 1524 if (defined($opt_display_extendeddn)) { 1525 push(@ctrls, $ctl_extended_dn); 1526 push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID"); 1527 } 1528 if ($opt_notify) { 1529 push(@ctrls, $ctl_notification); 1530 push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID"); 1531 } 1532 1533 if ($opt_asq) { 1534 push(@ctrls, $ctl_asq); 1535 push(@ctrls_s, "LDAP_SERVER_ASQ_OID"); 1536 } 1537 1538 if ($opt_domain_scope) { 1539 push(@ctrls, $ctl_domscope); 1540 push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID"); 1541 } 1542 1543 if ($opt_search_opt) { 1544 push(@ctrls, $ctl_search_opt); 1545 push(@ctrls_s, "LDAP_SERVER_SEARCH_OPTIONS_OID"); 1546 } 1547 1548 return @ctrls; 1549} 1550 1551sub display_value_generic ($$$) { 1552 1553 my ($mod,$attr,$value) = @_; 1554 return unless (defined($value) and defined($attr)); 1555 1556 if ( ! $opt_display_raw && exists $attr_handler{$attr} ) { 1557 $value = $attr_handler{$attr}($value,$mod); 1558 write_ads_list($mod,$attr,$value); 1559 return; 1560 } 1561 write_ads($mod,$attr,$value); 1562} 1563 1564sub display_attr_generic ($$$) { 1565 1566 my ($mod,$entry,$attr) = @_; 1567 return if (!$attr || !$entry); 1568 1569 my $ref = $entry->get_value($attr, asref => 1); 1570 my @values = @$ref; 1571 1572 foreach my $value ( sort @values) { 1573 display_value_generic($mod,$attr,$value); 1574 } 1575} 1576 1577sub display_entry_generic ($) { 1578 1579 my $entry = shift; 1580 return if (!$entry); 1581 1582 foreach my $attr ( sort $entry->attributes) { 1583 display_attr_generic("\t",$entry,$attr); 1584 } 1585} 1586 1587sub display_ldap_err ($) { 1588 1589 my $msg = shift; 1590 print_header(); 1591 my ($package, $filename, $line, $subroutine) = caller(0); 1592 1593 print "got error from ADS:\n"; 1594 printf("%s(%d): ERROR (%s): %s\n", 1595 $subroutine, $line, $msg->code, $msg->error); 1596 1597} 1598 1599sub process_result { 1600 1601 my ($msg,$entry) = @_; 1602 1603 if (!defined($msg)) { 1604 return; 1605 } 1606 1607 if ($msg->code) { 1608 display_ldap_err($msg); 1609 exit 1; 1610 } 1611 1612 if (!defined($entry)) { 1613 return; 1614 } 1615 1616 if ($entry->isa('Net::LDAP::Reference')) { 1617 foreach my $ref ($entry->references) { 1618 print "\ngot Reference: [$ref]\n"; 1619 } 1620 return; 1621 } 1622 1623 print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n"; 1624 1625 display_entry_generic($entry); 1626} 1627 1628sub default_callback { 1629 1630 my ($res,$obj) = @_; 1631 1632 if (!$opt_notify && $res->code == LDAP_REFERRAL) { 1633 return; 1634 } 1635 1636 if (!$opt_notify) { 1637 return process_result($res,$obj); 1638 } 1639} 1640 1641sub error_callback { 1642 1643 my ($msg,$entry) = @_; 1644 1645 if (!$msg) { 1646 return; 1647 } 1648 1649 if ($msg->code) { 1650 display_ldap_err($msg); 1651 exit(1); 1652 } 1653 return; 1654} 1655 1656sub notify_callback { 1657 1658 my ($msg, $obj) = @_; 1659 1660 if (! defined($obj)) { 1661 return; 1662 } 1663 1664 if ($obj->isa('Net::LDAP::Reference')) { 1665 foreach my $ref ($obj->references) { 1666 print "\ngot Reference: [$ref]\n"; 1667 } 1668 return; 1669 } 1670 1671 while (1) { 1672 1673 my $async_entry = $async_search->pop_entry; 1674 1675 if (!$async_entry->dn) { 1676 print "very weird. entry has no dn\n"; 1677 next; 1678 } 1679 1680 printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80)); 1681 1682 my $new_usn = $async_entry->get_value('uSNChanged'); 1683 if (!$new_usn) { 1684 die "odd, no usnChanged attribute???"; 1685 } 1686 if (!$usn || $new_usn > $usn) { 1687 $usn = $new_usn; 1688 if ($opt_notify_nodiffs) { 1689 display_entry_generic($async_entry); 1690 } else { 1691 display_result_diff($async_entry); 1692 } 1693 } 1694 store_result($async_entry); 1695 } 1696} 1697 1698sub do_bind($$) { 1699 1700 my $async_ldap_hd = shift || return undef; 1701 my $sasl_bind = shift; 1702 1703 if ($sasl_bind) { 1704 if (!$works_sasl) { 1705 print "this version of Net::LDAP does not have proper SASL support.\n"; 1706 print "Need at least perl-ldap V. $pref_version\n"; 1707 } 1708 $sasl_hd = get_sasl_hd(); 1709 if (!$sasl_hd) { 1710 print "failed to create SASL handle\n"; 1711 return -1; 1712 } 1713 $mesg = $async_ldap_hd->bind( 1714 sasl => $sasl_hd, 1715 callback => \&error_callback 1716 ) || die "doesnt work"; 1717 } else { 1718 $sasl_mech = ""; 1719 $mesg = $async_ldap_hd->bind( 1720 $binddn, 1721 password => $password, 1722 callback => $opt_fastbind ? undef : \&error_callback 1723 ) || die "doesnt work"; 1724 }; 1725 if ($mesg->code) { 1726 display_ldap_err($mesg) if (!$opt_fastbind); 1727 return -1; 1728 } 1729 return 0; 1730} 1731 1732sub do_fast_bind() { 1733 1734 do_unbind(); 1735 1736 my $hd = get_ldap_hd($server,1); 1737 1738 my $mesg = $hd->extension( 1739 name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'}); 1740 1741 if ($mesg->code) { 1742 display_ldap_err($mesg); 1743 return -1; 1744 } 1745 1746 my $ret = do_bind($hd, undef); 1747 $hd->unbind; 1748 1749 printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n", 1750 $ret == 0 ? "succeeded" : "failed"); 1751 1752 return $ret; 1753} 1754 1755sub do_unbind() { 1756 if ($async_ldap_hd) { 1757 $async_ldap_hd->unbind; 1758 } 1759 if ($sync_ldap_hd) { 1760 $sync_ldap_hd->unbind; 1761 } 1762} 1763 1764############################################################################### 1765 1766sub main () { 1767 1768 if ($opt_fastbind) { 1769 1770 if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) { 1771 print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n"; 1772 exit 1; 1773 } 1774 1775 # fast bind can only bind, not search 1776 exit do_fast_bind(); 1777 } 1778 1779 $filter = construct_filter($query); 1780 @attrs = construct_attrs(@attrs); 1781 @ctrls = gen_controls(); 1782 1783 if (check_ctrls($server,$dse,@ctrls) == -1) { 1784 print "not all required LDAP Controls are supported by this server\n"; 1785 exit 1; 1786 } 1787 1788 if ($opt_dump_rootdse) { 1789 print "Dumping Root-DSE:\n"; 1790 display_entry_generic($dse); 1791 exit 0; 1792 } 1793 1794 if ($opt_dump_wknguid) { 1795 dump_wknguid(); 1796 exit 0; 1797 } 1798 1799 if (do_bind($async_ldap_hd, $sasl_bind) == -1) { 1800 exit 1; 1801 } 1802 1803 print_header(); 1804 1805 if ($opt_dump_schema) { 1806 print "Dumping Schema:\n"; 1807# my $ads_schema = $async_ldap_hd->schema; 1808# $ads_schema->dump; 1809# exit 0; 1810 } 1811 1812 while (1) { 1813 1814 $async_search = $async_ldap_hd->search( 1815 base => $base, 1816 filter => $filter, 1817 attrs => [ @attrs ], 1818 control => [ @ctrls ], 1819 callback => \&default_callback, 1820 scope => $scope, 1821 ) || die "cannot search"; 1822 1823 if (!$opt_notify && ($async_search->code == LDAP_REFERRAL)) { 1824 foreach my $ref ($async_search->referrals) { 1825 print "\ngot Referral: [$ref]\n"; 1826 my ($prot, $host, $base) = split(/\/+/, $ref); 1827 $async_ldap_hd->unbind(); 1828 $async_ldap_hd = get_ldap_hd($host, 1); 1829 if (do_bind($async_ldap_hd, $sasl_bind) == -1) { 1830 $async_ldap_hd->unbind(); 1831 next; 1832 } 1833 print "\nsuccessful rebind to: [$ref]\n"; 1834 last; 1835 } 1836 next; # repeat the query 1837 } 1838 1839 if ($opt_notify) { 1840 1841 print "Base [$base] is registered now for change-notify\n"; 1842 print "\nWaiting for change-notify...\n"; 1843 1844 my $sync_ldap_hd = get_ldap_hd($server,0); 1845 if (do_bind($sync_ldap_hd, $sasl_bind) == -1) { 1846 exit 2; 1847 } 1848 1849 my $sync_search = $sync_ldap_hd->search( 1850 base => $base, 1851 filter => $filter, 1852 attrs => [ @attrs ], 1853 callback => \¬ify_callback, 1854 scope => $scope, 1855 ) || die "cannot search"; 1856 1857 } 1858 1859 $total_entry_count += $async_search->count; 1860 ++$page_count; 1861 print "-" x 80 . "\n"; 1862 printf("Got %d Entries in Page %d \n\n", 1863 $async_search->count, $page_count); 1864 my ($resp) = $async_search->control( 1865 $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last; 1866 last unless ref $resp && $ctl_paged->cookie($resp->cookie); 1867 } 1868 1869 if ($async_search->entries == 0) { 1870 print "No entries found with filter $filter\n"; 1871 } else { 1872 print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging); 1873 } 1874 1875 do_unbind() 1876} 1877 1878main(); 1879 1880exit 0; 1881