diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
commit | 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch) | |
tree | 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /examples/misc/adssearch.pl | |
parent | Initial commit. (diff) | |
download | samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip |
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'examples/misc/adssearch.pl')
-rwxr-xr-x | examples/misc/adssearch.pl | 1897 |
1 files changed, 1897 insertions, 0 deletions
diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl new file mode 100755 index 0000000..fc24811 --- /dev/null +++ b/examples/misc/adssearch.pl @@ -0,0 +1,1897 @@ +#!/usr/bin/perl -w +# +# adssearch.pl - query an Active Directory server and +# display objects in a human readable format +# +# Copyright (C) Guenther Deschner <gd@samba.org> 2003-2008 +# +# TODO: add range retrieval +# write sddl-converter, decode userParameters +# apparently only win2k3 allows simple-binds with machine-accounts. +# make sasl support independent from Authen::SASL::Cyrus v >0.11 +use strict; + +use Net::LDAP; +use Net::LDAP::Control; +use Net::LDAP::Constant qw(LDAP_REFERRAL); +use Convert::ASN1; +use Time::Local; +use POSIX qw(strftime); +use Getopt::Long; + +my $have_sasl; +my $works_sasl; +my $pref_version; +BEGIN { + my $class = 'Authen::SASL'; + $pref_version = "0.32"; + if ( eval "require $class;" ) { + $have_sasl = 1; + } + if ( eval "Net::LDAP->VERSION($pref_version);" ) { + $works_sasl = 1; + } +} + +# users may set defaults here +my $base = ""; +my $binddn = ""; +my $password = ""; +my $server = ""; +my $rebind_url; + + +my $tdbdump = "/usr/bin/tdbdump"; +my $ntdbdump = "/usr/bin/ntdbdump"; +my $testparm = "/usr/bin/testparm"; +my $net = "/usr/bin/net"; +my $dig = "/usr/bin/dig"; +my $nmblookup = "/usr/bin/nmblookup"; +my $secrets_tdb = "/etc/samba/secrets.tdb"; +my $secrets_ntdb = "/etc/samba/secrets.ntdb"; +my $klist = "/usr/bin/klist"; +my $kinit = "/usr/bin/kinit"; +my $workgroup = ""; +my $machine = ""; +my $realm = ""; + +# parse input +my ( + $opt_asq, + $opt_base, + $opt_binddn, + $opt_debug, + $opt_display_extendeddn, + $opt_display_metadata, + $opt_display_raw, + $opt_domain_scope, + $opt_dump_rootdse, + $opt_dump_schema, + $opt_dump_wknguid, + $opt_fastbind, + $opt_help, + $opt_host, + $opt_machine, + $opt_notify, + $opt_notify_nodiffs, + $opt_paging, + $opt_password, + $opt_port, + $opt_realm, + $opt_saslmech, + $opt_search_opt, + $opt_scope, + $opt_simpleauth, + $opt_starttls, + $opt_user, + $opt_verbose, + $opt_workgroup, +); + +GetOptions( + 'asq=s' => \$opt_asq, + 'base|b=s' => \$opt_base, + 'D|DN=s' => \$opt_binddn, + 'debug=i' => \$opt_debug, + 'domain_scope' => \$opt_domain_scope, + 'extendeddn|e:i' => \$opt_display_extendeddn, + 'fastbind' => \$opt_fastbind, + 'help' => \$opt_help, + 'host|h=s' => \$opt_host, + 'machine|P' => \$opt_machine, + 'metadata|m' => \$opt_display_metadata, + 'nodiffs' => \$opt_notify_nodiffs, + 'notify|n' => \$opt_notify, + 'paging:i' => \$opt_paging, + 'password|w=s' => \$opt_password, + 'port=i' => \$opt_port, + 'rawdisplay' => \$opt_display_raw, + 'realm|R=s' => \$opt_realm, + 'rootDSE' => \$opt_dump_rootdse, + 'saslmech|Y=s' => \$opt_saslmech, + 'schema|c' => \$opt_dump_schema, + 'scope|s=s' => \$opt_scope, + 'searchopt:i' => \$opt_search_opt, + 'simpleauth|x' => \$opt_simpleauth, + 'tls|Z' => \$opt_starttls, + 'user|U=s' => \$opt_user, + 'verbose|v' => \$opt_verbose, + 'wknguid' => \$opt_dump_wknguid, + 'workgroup|k=s' => \$opt_workgroup, + ); + + +if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) { + usage(); + exit 1; +} + +if ($opt_fastbind && !$opt_simpleauth) { + printf("LDAP fast bind can only be performed with simple binds\n"); + exit 1; +} + +if ($opt_notify) { + $opt_paging = undef; +} + +# get the query +my $query = shift; +my @attrs = @ARGV; + +# some global vars +my $filter = ""; +my ($dse, $uri); +my ($attr, $value); +my (@ctrls, @ctrls_s); +my ($ctl_paged, $cookie); +my ($page_count, $total_entry_count); +my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd); +my ($mesg, $usn); +my (%entry_store); +my $async_search; + +# fixed values and vars +my $set = "X"; +my $unset = "-"; +my $tabsize = "\t\t\t"; + +# get defaults +my $scope = $opt_scope || "sub"; +my $port = $opt_port; + +my %ads_controls = ( +"LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528", +"LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529", +"LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319", +"LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801", +"LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473", +"LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474", +"LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9", +"LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10", +"LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure +"LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417", +"LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521", +"LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619", +"LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805", +"LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841", +"LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338", +"LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339", +"LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340", +"LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413", +"LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504", +"NONE (Get stats control)" => "1.2.840.113556.1.4.970", +"LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852", +"LDAP_SERVER_SHUTDOWN_NOTIFY_OID" => "1.2.840.113556.1.4.1907", +); + +my %ads_capabilities = ( +"LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800", +"LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670", +"LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791", +); + +my %ads_extensions = ( +"LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037", +"LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1", +"LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781", +"NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1", +); + +my %ads_matching_rules = ( +"LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803", +"LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804", +); + +my %wknguids = ( +"WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD", +"WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A", +"WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD", +"WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD", +); + +my %ads_systemflags = ( +"FLAG_DONT_REPLICATE" => 0x00000001, # 1 +"FLAG_REPLICATE_TO_GC" => 0x00000002, # 2 +"FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4 +"FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16 +"FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432 +"FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864 +"FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728 +#"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation +#"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation +#"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation +"FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648 +); + +my %ads_mixed_domain = ( +"NATIVE_LEVEL_DOMAIN" => 0, +"MIXED_LEVEL_DOMAIN" => 1, +); + +my %ads_ds_func = ( +"DS_BEHAVIOR_WIN2000" => 0, # untested +"DS_BEHAVIOR_WIN2003" => 2, +"DS_BEHAVIOR_WIN2008" => 3, +); + +my %ads_instance_type = ( +"DS_INSTANCETYPE_IS_NC_HEAD" => 0x1, +"IT_WRITE" => 0x4, +"IT_NC_ABOVE" => 0x8, +); + +my %ads_uacc = ( + "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0 + "ACCOUNT_OK" => 0x800000, # 8388608 + "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624 +); + +my %ads_enctypes = ( + "DES-CBC-CRC" => 0x01, + "DES-CBC-MD5" => 0x02, + "RC4_HMAC_MD5" => 0x04, + "AES128_CTS_HMAC_SHA1_96" => 0x08, + "AES128_CTS_HMAC_SHA1_128" => 0x10, +); + +my %ads_gpoptions = ( + "GPOPTIONS_INHERIT" => 0, + "GPOPTIONS_BLOCK_INHERITANCE" => 1, +); + +my %ads_gplink_opts = ( + "GPLINK_OPT_NONE" => 0, + "GPLINK_OPT_DISABLED" => 1, + "GPLINK_OPT_ENFORCED" => 2, +); + +my %ads_gpflags = ( + "GPFLAGS_ALL_ENABLED" => 0, + "GPFLAGS_USER_SETTINGS_DISABLED" => 1, + "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2, + "GPFLAGS_ALL_DISABLED" => 3, +); + +my %ads_serverstate = ( + "SERVER_ENABLED" => 1, + "SERVER_DISABLED" => 2, +); + +my %ads_sdeffective = ( + "OWNER_SECURITY_INFORMATION" => 0x01, + "DACL_SECURITY_INFORMATION" => 0x04, + "SACL_SECURITY_INFORMATION" => 0x10, +); + +my %ads_trustattrs = ( + "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 0x00000001, + "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 0x00000002, + "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" => 0x00000004, + "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" => 0x00000008, + "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" => 0x00000010, + "TRUST_ATTRIBUTE_WITHIN_FOREST" => 0x00000020, + "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" => 0x00000040, + "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" => 0x00000080, + "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" => 0x00000200, + "TRUST_ATTRIBUTE_PIM_TRUST" => 0x00000400, + "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" => 0x00000800, +); + +my %ads_trustdirection = ( + "TRUST_DIRECTION_INBOUND" => 1, + "TRUST_DIRECTION_OUTBOUND" => 2, + "TRUST_DIRECTION_BIDIRECTIONAL" => 3, +); + +my %ads_trusttype = ( + "TRUST_TYPE_DOWNLEVEL" => 1, + "TRUST_TYPE_UPLEVEL" => 2, + "TRUST_TYPE_KERBEROS" => 3, + "TRUST_TYPE_DCE" => 4, +); + +my %ads_pwdproperties = ( + "DOMAIN_PASSWORD_COMPLEX" => 1, + "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2, + "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4, + "DOMAIN_LOCKOUT_ADMINS" => 8, + "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16, + "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32, +); + +my %ads_uascompat = ( + "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0, + "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1, +); + +my %ads_frstypes = ( + "REPLICA_SET_SYSVOL" => 2, # unsure + "REPLICA_SET_DFS" => 1, # unsure + "REPLICA_SET_OTHER" => 0, # unsure +); + +my %ads_gp_cse_extensions = ( +"Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2", +"Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66", +"EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", +"Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861", +"IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27", +"Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B", +"QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39", +"Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3", +"Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A", +"Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7", +); + +# guess work +my %ads_gpcextensions = ( +"Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3", +"Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17", +"EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", +"Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861", +"Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", +"Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2", +"Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4", +"Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", +"Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A", +"unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4", +"unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17", +); + +my %ads_gpo_default_guids = ( +"Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9", +"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9", +"mist" => "61718096-3D3F-4398-8318-203A48976F9E", +); + +my %ads_uf = ( + "UF_SCRIPT" => 0x00000001, + "UF_ACCOUNTDISABLE" => 0x00000002, +# "UF_UNUSED_1" => 0x00000004, + "UF_HOMEDIR_REQUIRED" => 0x00000008, + "UF_LOCKOUT" => 0x00000010, + "UF_PASSWD_NOTREQD" => 0x00000020, + "UF_PASSWD_CANT_CHANGE" => 0x00000040, + "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" => 0x00000080, + "UF_TEMP_DUPLICATE_ACCOUNT" => 0x00000100, + "UF_NORMAL_ACCOUNT" => 0x00000200, +# "UF_UNUSED_2" => 0x00000400, + "UF_INTERDOMAIN_TRUST_ACCOUNT" => 0x00000800, + "UF_WORKSTATION_TRUST_ACCOUNT" => 0x00001000, + "UF_SERVER_TRUST_ACCOUNT" => 0x00002000, +# "UF_UNUSED_3" => 0x00004000, +# "UF_UNUSED_4" => 0x00008000, + "UF_DONT_EXPIRE_PASSWD" => 0x00010000, + "UF_MNS_LOGON_ACCOUNT" => 0x00020000, + "UF_SMARTCARD_REQUIRED" => 0x00040000, + "UF_TRUSTED_FOR_DELEGATION" => 0x00080000, + "UF_NOT_DELEGATED" => 0x00100000, + "UF_USE_DES_KEY_ONLY" => 0x00200000, + "UF_DONT_REQUIRE_PREAUTH" => 0x00400000, + "UF_PASSWORD_EXPIRED" => 0x00800000, + "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" => 0x01000000, + "UF_NO_AUTH_DATA_REQUIRED" => 0x02000000, +# "UF_UNUSED_8" => 0x04000000, +# "UF_UNUSED_9" => 0x08000000, +# "UF_UNUSED_10" => 0x10000000, +# "UF_UNUSED_11" => 0x20000000, +# "UF_UNUSED_12" => 0x40000000, +# "UF_UNUSED_13" => 0x80000000, +); + +my %ads_grouptype = ( + "GROUP_TYPE_BUILTIN_LOCAL_GROUP" => 0x00000001, + "GROUP_TYPE_ACCOUNT_GROUP" => 0x00000002, + "GROUP_TYPE_RESOURCE_GROUP" => 0x00000004, + "GROUP_TYPE_UNIVERSAL_GROUP" => 0x00000008, + "GROUP_TYPE_APP_BASIC_GROUP" => 0x00000010, + "GROUP_TYPE_APP_QUERY_GROUP" => 0x00000020, + "GROUP_TYPE_SECURITY_ENABLED" => 0x80000000, +); + +my %ads_atype = ( + "ATYPE_NORMAL_ACCOUNT" => 0x30000000, + "ATYPE_WORKSTATION_TRUST" => 0x30000001, + "ATYPE_INTERDOMAIN_TRUST" => 0x30000002, + "ATYPE_SECURITY_GLOBAL_GROUP" => 0x10000000, + "ATYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x10000001, + "ATYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x10000001, # ATYPE_DISTRIBUTION_GLOBAL_GROUP + "ATYPE_SECURITY_LOCAL_GROUP" => 0x20000000, + "ATYPE_DISTRIBUTION_LOCAL_GROUP" => 0x20000001, + "ATYPE_ACCOUNT" => 0x30000000, # ATYPE_NORMAL_ACCOUNT + "ATYPE_GLOBAL_GROUP" => 0x10000000, # ATYPE_SECURITY_GLOBAL_GROUP + "ATYPE_LOCAL_GROUP" => 0x20000000, # ATYPE_SECURITY_LOCAL_GROUP +); + +my %ads_gtype = ( + "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP" => 0x80000005, + "GTYPE_SECURITY_DOMAIN_LOCAL_GROUP" => 0x80000004, + "GTYPE_SECURITY_GLOBAL_GROUP" => 0x80000002, + "GTYPE_SECURITY_UNIVERSAL_GROUP" => 0x80000008, + "GTYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x00000002, + "GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP" => 0x00000004, + "GTYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x00000008, +); + +my %munged_dial = ( + "CtxCfgPresent" => \&dump_int, + "CtxCfgFlags1" => \&dump_int, + "CtxCallback" => \&dump_string, + "CtxShadow" => \&dump_string, + "CtxMaxConnectionTime" => \&dump_int, + "CtxMaxDisconnectionTime"=> \&dump_int, + "CtxMaxIdleTime" => \&dump_int, + "CtxKeyboardLayout" => \&dump_int, + "CtxMinEncryptionLevel" => \&dump_int, + "CtxWorkDirectory" => \&dump_string, + "CtxNWLogonServer" => \&dump_string, + "CtxWFHomeDir" => \&dump_string, + "CtxWFHomeDirDrive" => \&dump_string, + "CtxWFProfilePath" => \&dump_string, + "CtxInitialProgram" => \&dump_string, + "CtxCallbackNumber" => \&dump_string, +); + +$SIG{__WARN__} = sub { + use Carp; + Carp::cluck (shift); +}; + +# if there is data missing, we try to autodetect with samba-tools (if installed) +# this might fill up workgroup, machine, realm +get_samba_info(); + +# get a workgroup +$workgroup = $workgroup || $opt_workgroup || ""; + +# get the server +$server = process_servername($opt_host) || + detect_server($workgroup,$opt_realm) || + die "please define server to query with -h host\n"; + + +# get the base +$base = defined($opt_base)? $opt_base : "" || + get_base_from_rootdse($server,$dse); + +# get the realm +$realm = $opt_realm || + get_realm_from_rootdse($server,$dse); + +# get sasl mechs +my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse); +my $sasl_mech = "GSSAPI"; +if ($opt_saslmech) { + $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):""); +} + +# set bind type +my $sasl_bind = 1 if (!$opt_simpleauth); + +# get username +my $user = check_user($opt_user) || $ENV{'USER'} || ""; + +# gen upn +my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm)); + +# get binddn +$binddn = $opt_binddn || $upn; + +# get the password +$password = $password || $opt_password; +if (!$password) { + $password = $opt_machine ? get_machine_password($workgroup) : get_password(); +} + +my %attr_handler = ( + "Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name + "accountExpires" => \&dump_nttime, + "attributeSecurityGUID" => \&dump_guid, + "badPasswordTime" => \&dump_nttime, + "creationTime" => \&dump_nttime, + "currentTime" => \&dump_timestr, + "domainControllerFunctionality" => \&dump_ds_func, + "domainFunctionality" => \&dump_ds_func, + "fRSReplicaSetGUID" => \&dump_guid, + "fRSReplicaSetType" => \&dump_frstype, + "fRSVersionGUID" => \&dump_guid, + "flags" => \&dump_gpflags, # fixme: possibly only on gpos! + "forceLogoff" => \&dump_nttime_abs, + "forestFunctionality" => \&dump_ds_func, +# "gPCMachineExtensionNames" => \&dump_gpcextensions, +# "gPCUserExtensionNames" => \&dump_gpcextensions, + "gPLink" => \&dump_gplink, + "gPOptions" => \&dump_gpoptions, + "groupType" => \&dump_gtype, + "instanceType" => \&dump_instance_type, + "lastLogon" => \&dump_nttime, + "lastLogonTimestamp" => \&dump_nttime, + "lastSetTime" => \&dump_nttime, + "lockOutObservationWindow" => \&dump_nttime_abs, + "lockoutDuration" => \&dump_nttime_abs, + "lockoutTime" => \&dump_nttime, +# "logonHours" => \&dump_logonhours, + "maxPwdAge" => \&dump_nttime_abs, + "minPwdAge" => \&dump_nttime_abs, + "modifyTimeStamp" => \&dump_timestr, + "msDS-Behavior-Version" => \&dump_ds_func, #unsure + "msDS-User-Account-Control-Computed" => \&dump_uacc, + "msDS-SupportedEncryptionTypes" => \&dump_enctypes, + "mS-DS-CreatorSID" => \&dump_sid, +# "msRADIUSFramedIPAddress" => \&dump_ipaddr, +# "msRASSavedFramedIPAddress" => \&dump_ipaddr, + "netbootGUID" => \&dump_guid, + "nTMixedDomain" => \&dump_mixed_domain, + "nTSecurityDescriptor" => \&dump_secdesc, + "objectGUID" => \&dump_guid, + "objectSid" => \&dump_sid, + "pKT" => \&dump_pkt, + "pKTGuid" => \&dump_guid, + "priorSetTime" => \&dump_nttime, + "pwdLastSet" => \&dump_nttime, + "pwdProperties" => \&dump_pwdproperties, + "sAMAccountType" => \&dump_atype, + "schemaIDGUID" => \&dump_guid, + "sDRightsEffective" => \&dump_sdeffective, + "securityIdentifier" => \&dump_sid, + "serverState" => \&dump_serverstate, + "supportedCapabilities", => \&dump_capabilities, + "supportedControl", => \&dump_controls, + "supportedExtension", => \&dump_extension, + "systemFlags" => \&dump_systemflags, + "tokenGroups", => \&dump_sid, + "tokenGroupsGlobalAndUniversal" => \&dump_sid, + "tokenGroupsNoGCAcceptable" => \&dump_sid, + "trustAttributes" => \&dump_trustattr, + "trustDirection" => \&dump_trustdirection, + "trustType" => \&dump_trusttype, + "uASCompat" => \&dump_uascompat, + "userAccountControl" => \&dump_uac, + "userCertificate" => \&dump_cert, + "userFlags" => \&dump_uf, + "userParameters" => \&dump_munged_dial, + "whenChanged" => \&dump_timestr, + "whenCreated" => \&dump_timestr, +# "dSCorePropagationData" => \&dump_timestr, +); + + + +################ +# subfunctions # +################ + +sub usage { + print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n"; + print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n"; + print "\t--base|-b [base]\n\t\tUse base [base]\n"; + print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n"; + print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n"; + print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n"; + print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n"; + print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n"; + print "\t--help\n\t\tDisplay help page\n"; + print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n"; + print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n"; + print "\t--metdata|-m\n\t\tDisplay replication metadata\n"; + print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n"; + print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n"; + print "\t--paging [pagesize]\n\t\tUse paged results when searching\n"; + print "\t--password|-w [password]\n\t\tUse [password] for binddn\n"; + print "\t--port [port]\n\t\tUse [port] when connecting ADS\n"; + print "\t--rawdisplay\n\t\tDo not interpret values\n"; + print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n"; + print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n"; + print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n"; + print "\t--schema|-c\n\t\tDisplay DSE-Schema\n"; + print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n"; + print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n"; + print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n"; + print "\t--user|-U [user]\n\t\tUse [user]\n"; + print "\t--wknguid\n\t\tDisplay well known guids\n"; + print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n"; +} + +sub write_ads_list { + my ($mod,$attr,$value) = @_; + my $ofh = select(STDOUT); + $~ = "ADS_LIST"; + select($ofh); + write(); + +format ADS_LIST = +@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @* +$mod, $attr, $value +. +} + +sub write_ads { + my ($mod,$attr,$value) = @_; + my $ofh = select(STDOUT); + $~ = "ADS"; + select($ofh); + write(); + +format ADS = +@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< +$mod, $attr, $value +~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< + $value +. +} + +sub detect_server { + + my $workgroup = shift; + my $realm = shift; + my $result; + my $found; + + # try net cache (nbt records) + if ( -x $net && $workgroup ) { + my $key = sprintf("NBT/%s#1C", uc($workgroup)); + chomp($result = `$net cache search $key 2>&1 /dev/null`); + $result =~ s/^.*Value: //; + $result =~ s/:.*//; + return $result if $result; + printf("%10s query failed for [%s]\n", "net cache", $key); + } + + # try dns SRV entries + if ( -x $dig && $realm ) { + my $key = sprintf("_ldap._tcp.%s", lc($realm)); + chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`); + $result =~ s/.* //g; + $result =~ s/.$//g; + return $result if $result; + printf("%10s query failed for [%s]\n", "dns", $key); + } + + # try netbios broadcast query + if ( -x $nmblookup && $workgroup ) { + my $key = sprintf("%s#1C", uc($workgroup)); + my $pattern = sprintf("%s<1c>", uc($workgroup)); + chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`); + $result =~ s/\s.*//; + return $result if $result; + printf("%10s query failed for [%s]\n", "nmblookup", $key); + } + + return ""; +} + +sub get_samba_info { + + if (! -x $testparm) { return -1; } + + my $tmp; + open(TESTPARM, "$testparm -s -v 2> /dev/null |"); + while (my $line = <TESTPARM>) { + chomp($line); + if ($line =~ /netbios name/) { + ($tmp, $machine) = split(/=/, $line); + $machine =~ s/\s+|\t+//g; + } + if ($line =~ /realm/) { + ($tmp, $realm) = split(/=/, $line); + $realm =~ s/\s+|\t+//g; + } + if ($line =~ /workgroup/) { + ($tmp, $workgroup) = split(/=/, $line); + $workgroup =~ s/\s+|\t+//g; + } + } + close(TESTPARM); + return 0; +} + +sub gen_upn { + my $machine = shift; + my $realm = shift; + if ($machine && $realm) { + return sprintf("%s\@%s", lc($machine), uc($realm)); + }; + return undef; +} + +sub get_password { + if (!$password && $opt_simpleauth && check_ticket($user)) { + return prompt_password($user); + } + return ""; +} + +sub get_user { + my $user = shift || prompt_user(); + return $user; +} + +sub get_machine_password { + + my $workgroup = shift || ""; + $workgroup = uc($workgroup); + + my ($found, $tmp, $dbdump, $db); + if (-r $secrets_ntdb) { + -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n"; + $dbdump = $ntdbdump; + $db = $secrets_ntdb; + } else { + -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n"; + -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n"; + $dbdump = $tdbdump; + $db = $secrets_tdb; + } + + # get machine-password + my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup); + open(SECRETS,"$dbdump $db |"); + while(my $line = <SECRETS>) { + chomp($line); + if ($found) { + $line =~ s/\\00//; + ($line,$password) = split(/"/, $line); + last; + } + if ($line =~ /\"$key\"/) { + $found = 1; + } + } + close(SECRETS); + + if ($found) { + print "Successfully autodetected machine password for workgroup: $workgroup\n"; + return $password; + } else { + warn "No machine password available for $workgroup\n"; + } + return ""; +} + +sub prompt_password { + + my $acct = shift || ""; + if ($acct =~ /\%/) { + ($acct, $password) = split(/\%/, $acct); + return $password; + } + system "stty -echo"; + print "Enter password for $acct:"; + my $password = <STDIN>; + chomp($password); + print "\n"; + system "stty echo"; + return $password; +} + +sub prompt_user { + + print "Enter Username:"; + my $user = <STDIN>; + chomp($user); + print "\n"; + return $user; +} + +sub check_ticket { + return 0; + # works only for heimdal + return system("$klist -t"); +} + +sub get_ticket { + + my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<"; + + open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG"; + printf KRB5CONF "# autogenerated by $0\n"; + printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60; + printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server; + close(KRB5CONF); + + if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) { + return -1; + } + + return 0; +} + +sub check_user { + my $acct = shift || ""; + if ($acct =~ /\%/) { + ($acct, $password) = split(/\%/, $acct); + } + return $acct; +} + +sub check_root_dse($$$@) { + + # bogus function?? + my $server = shift || ""; + $dse = shift || get_dse($server) || return -1; + my $attr = shift || die "unknown query"; + my @array = @_; + + my $dse_list = $dse->get_value($attr, asref => '1'); + my @dse_array = @$dse_list; + + foreach my $i (@array) { + # we could use -> supported_control but this + # is only available in newer versions of perl-ldap +# if ( ! $dse->supported_control( $i ) ) { + if ( grep(/$i->type()/, @dse_array) ) { + printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type()); + return -1; + } + } + return 0; +} + +sub check_ctrls ($$@) { + my $server = shift; + my $dse = shift; + my @array = @_; + return check_root_dse($server, $dse, "supportedControl", @array); +} + +sub check_exts ($$@) { + my $server = shift; + my $dse = shift; + my @array = @_; + return check_root_dse($server, $dse, "supportedExtension", @array); +} + +sub get_base_from_rootdse { + + my $server = shift || ""; + $dse = shift || get_dse($server,$async_ldap_hd) || return -1; + return $dse->get_value($opt_dump_schema ? 'schemaNamingContext': + 'defaultNamingContext'); +} + +sub get_realm_from_rootdse { + + my $server = shift || ""; + $dse = shift || get_dse($server,$async_ldap_hd) || return -1; + my $service = $dse->get_value('ldapServiceName') || ""; + if ($service) { + my ($t,$realm) = split(/\@/, $service); + return $realm; + } else { + die "very odd: could not get realm"; + } +} + +sub get_sasl_mechs_from_rootdse { + + my $server = shift || ""; + $dse = shift || get_dse($server,$async_ldap_hd) || return -1; + my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1); + return @$mechs; +} + +sub get_dse { + + my $server = shift || return undef; + $async_ldap_hd = shift || get_ldap_hd($server,1); + if (!$async_ldap_hd) { + print "oh, no connection\n"; + return undef; + } + my $mesg = $async_ldap_hd->bind() || die "cannot bind\n"; + if ($mesg->code) { die "failed to bind\n"; }; + my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] ); + + return $dse; +} + +sub process_servername { + + my $name = shift || return ""; + if ($name =~ /^ldaps:\/\//i ) { + $name =~ s#^ldaps://##i; + $uri = sprintf("%s://%s", "ldaps", $name); + } else { + $name =~ s#^ldap://##i; + $uri = sprintf("%s://%s", "ldap", $name); + } + return $name; +} + +sub get_ldap_hd { + + my $server = shift || return undef; + my $async = shift || "0"; + my $hd; + die "uri unavailable" if (!$uri); + if ($uri =~ /^ldaps:\/\//i ) { + $port = $port || 636; + use Net::LDAPS; + $hd = Net::LDAPS->new( $server, async => $async, port => $port ) || + die "host $server not available: $!"; + } else { + $port = $port || 389; + $hd = Net::LDAP->new( $server, async => $async, port => $port ) || + die "host $server not available: $!"; + } + $hd->debug($opt_debug); + if ($opt_starttls) { + $hd->start_tls( verify => 'none' ); + } + + return $hd; +} + +sub get_sasl_hd { + + if (!$have_sasl) { + print "no sasl support\n"; + return undef; + } + + my $hd; + if ($sasl_mech && $sasl_mech eq "GSSAPI") { + my $user = sprintf("%s\@%s", $user, uc($realm)); + if (check_ticket($user) != 0 && get_ticket($user) != 0) { + print "Could not get Kerberos ticket for user [$user]\n"; + return undef; + } + + $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope"; + my $conn = $hd->client_new("ldap", $server); + + if ($conn->code == -1) { + printf "%s\n", $conn->error(); + return undef; + }; + + } elsif ($sasl_mech) { + + # here comes generic sasl code + $hd = Authen::SASL->new( mechanism => $sasl_mech, + callback => { + user => \&get_user, + pass => \&get_password + } + ) || die "nope"; + } else { + $sasl_bind = 0; + print "no supported SASL mechanism found (@sasl_mechs).\n"; + print "falling back to simple bind.\n"; + return undef; + } + + return $hd; +} + +sub check_sasl_mech { + my $mech_check = shift; + my $have_mech = 0; + foreach my $mech (@sasl_mechs) { + $have_mech = 1 if ($mech eq uc($mech_check)); + } + if (!$have_mech) { + return -1; + } + return 0; +} + +sub store_result ($) { + + my $entry = shift; + return if (!$entry); + $entry_store{$entry->dn} = $entry; +} + +sub display_result_diff ($) { + + my $entry_new = shift; + return if ( !$entry_new); + + if ( !exists $entry_store{$entry_new->dn}) { + print "can't display any differences yet. full dump...\n"; + display_entry_generic($entry_new); + return; + } + + my $entry_old = $entry_store{$entry_new->dn}; + + foreach my $attr (sort $entry_new->attributes) { + if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) { + display_attr_generic("add:\t", $entry_new, $attr); + next; + } + } + + foreach my $attr (sort $entry_old->attributes) { + if (! $entry_new->exists($attr) && $entry_old->exists($attr)) { + display_attr_generic("del:\t", $entry_old, $attr); + next; + } + + # now check for all values if they have changed, display changes + my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new); + + $old_vals = $entry_old->get_value($attr, asref => 1); + @old_vals = @$old_vals; + $new_vals = $entry_new->get_value($attr, asref => 1); + @new_vals = @$new_vals; + + if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) { + if ($old_vals[0] ne $new_vals[0]) { + display_attr_generic("old:\t", $entry_old, $attr); + display_attr_generic("new:\t", $entry_new, $attr); + } + next; + } + + # handle multivalued diffs + foreach my $val (@old_vals) { $old{$val} = "dummy"; }; + foreach my $val (@new_vals) { $new{$val} = "dummy"; }; + foreach my $val (sort keys %new) { + if (!exists $old{$val}) { + display_value_generic("add:\t", $attr, $val); + } + } + foreach my $val (sort keys %old) { + if (!exists $new{$val}) { + display_value_generic("del:\t", $attr, $val); + } + } + } + print "\n"; + +} + +sub sid2string ($) { + + # Fix from Michael James <michael@james.st> + my $binary_sid = shift; + my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid); + my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids); + return $sid_string; + +} + +sub string_to_guid { + my $string = shift; + return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i; + + return pack("I", hex $1) . + pack("S", hex $2) . + pack("S", hex $3) . + pack("C", hex $4) . + pack("C", hex $5) . + pack("C", hex $6) . + pack("C", hex $7) . + pack("C", hex $8) . + pack("C", hex $9) . + pack("C", hex $10) . + pack("C", hex $11); + +# print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n"; +} + +sub bindstring_to_guid { + my $str = shift; + return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2", + substr($str,0,2), + substr($str,2,2), + substr($str,4,2), + substr($str,6,2), + substr($str,8,2), + substr($str,10,2), + substr($str,12,2), + substr($str,14,2), + substr($str,16,2), + substr($str,18,2), + substr($str,20,2), + substr($str,22,2), + substr($str,24,2), + substr($str,26,2), + substr($str,28,2), + substr($str,30,2)); +} + +sub guid_to_string { + my $guid = shift; + my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", + unpack("I", $guid), + unpack("S", substr($guid, 4, 2)), + unpack("S", substr($guid, 6, 2)), + unpack("C", substr($guid, 8, 1)), + unpack("C", substr($guid, 9, 1)), + unpack("C", substr($guid, 10, 1)), + unpack("C", substr($guid, 11, 1)), + unpack("C", substr($guid, 12, 1)), + unpack("C", substr($guid, 13, 1)), + unpack("C", substr($guid, 14, 1)), + unpack("C", substr($guid, 15, 1)); + return lc($string); +} + +sub guid_to_bindstring { + my $guid = shift; + return unpack("H" . 2 * length($guid), $guid), +} + +sub dump_wknguid { + print "Dumping Well known GUIDs:\n"; + foreach my $wknguid (keys %wknguids) { + + my $guid = bindstring_to_guid($wknguids{$wknguid}); + my $str = guid_to_string($guid); + my $back = guid_to_bindstring($guid); + + printf "wkguid: %s\n", $wknguid; + printf "bind_string format: %s\n", $wknguids{$wknguid}; + printf "string format: %s\n", guid_to_string($guid); + printf "back to bind_string:%s\n", guid_to_bindstring($guid); + + printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base; + } +} + +sub gen_bitmask_string_format($%) { + my $mod = shift; + my (%tmp) = @_; + my @list; + foreach my $key (sort keys %tmp) { + push(@list, sprintf("%s %s", $tmp{$key}, $key)); + } + return join("\n$mod$tabsize",@list); +} + + +sub nt_to_unixtime ($) { + # the number of 100 nanosecond intervals since jan. 1. 1601 (utc) + my $t64 = shift; + $t64 =~ s/(.+).{7,7}/$1/; + $t64 -= 11644473600; + return $t64; +} + +sub dump_equal { + my $val = shift; + my $mod = shift || die "no mod"; + my (%header) = @_; + my %tmp; + my $found = 0; + foreach my $key (keys %header) { + if ($header{$key} eq $val) { + $tmp{"($val)"} = $key; + $found = 1; + last; + } + } + if (!$found) { $tmp{$val} = ""; }; + return gen_bitmask_string_format($mod,%tmp); +} + +sub dump_bitmask { + my $op = shift || die "no op"; + my $val = shift; + my $mod = shift || die "no mod"; + my (%header) = @_; + my %tmp; + $tmp{""} = sprintf("%s (0x%08x)", $val, $val); + foreach my $key (sort keys %header) { # sort by val ! + my $val_hex = sprintf("0x%08x", $header{$key}); + if ($op eq "&") { + $tmp{"$key ($val_hex)"} = ( $val & $header{$key} ) ? $set:$unset; + } elsif ($op eq "==") { + $tmp{"$key ($val_hex)"} = ( $val == $header{$key} ) ? $set:$unset; + } else { + print "unknown operator: $op\n"; + return; + } + } + return gen_bitmask_string_format($mod,%tmp); +} + +sub dump_bitmask_and { + return dump_bitmask("&",@_); +} + +sub dump_bitmask_equal { + return dump_bitmask("==",@_); +} + +sub dump_uac { + return dump_bitmask_and(@_,%ads_uf); # ads_uf ? +} + +sub dump_uascompat { + return dump_bitmask_equal(@_,%ads_uascompat); +} + +sub dump_gpoptions { + return dump_bitmask_equal(@_,%ads_gpoptions); +} + +sub dump_gpflags { + return dump_bitmask_equal(@_,%ads_gpflags); +} + +sub dump_uacc { + return dump_bitmask_equal(@_,%ads_uacc); +} + +sub dump_enctypes { + return dump_bitmask_and(@_,%ads_enctypes); +} + +sub dump_uf { + return dump_bitmask_and(@_,%ads_uf); +} + +sub dump_gtype { + my $ret = dump_bitmask_and(@_,%ads_grouptype); + $ret .= "\n$tabsize\t"; + $ret .= dump_bitmask_equal(@_,%ads_gtype); + return $ret; +} + +sub dump_atype { + return dump_bitmask_equal(@_,%ads_atype); +} + +sub dump_controls { + return dump_equal(@_,%ads_controls); +} + +sub dump_capabilities { + return dump_equal(@_,%ads_capabilities); +} + +sub dump_extension { + return dump_equal(@_,%ads_extensions); +} + +sub dump_systemflags { + return dump_bitmask_and(@_,%ads_systemflags); +} + +sub dump_instance_type { + return dump_bitmask_and(@_,%ads_instance_type); +} + +sub dump_ds_func { + return dump_bitmask_equal(@_,%ads_ds_func); +} + +sub dump_serverstate { + return dump_bitmask_equal(@_,%ads_serverstate); +} + +sub dump_sdeffective { + return dump_bitmask_and(@_,%ads_sdeffective); +} + +sub dump_trustattr { + return dump_bitmask_and(@_,%ads_trustattrs); +} + +sub dump_trusttype { + return dump_bitmask_equal(@_,%ads_trusttype); +} + +sub dump_trustdirection { + return dump_bitmask_equal(@_,%ads_trustdirection); +} + +sub dump_pwdproperties { + return dump_bitmask_and(@_,%ads_pwdproperties); +} + +sub dump_frstype { + return dump_bitmask_equal(@_,%ads_frstypes) +} + +sub dump_mixed_domain { + return dump_bitmask_equal(@_,%ads_mixed_domain); +} + +sub dump_sid { + my $bin_sid = shift; + return sid2string($bin_sid); +} + +sub dump_guid { + my $guid = shift; + return guid_to_string($guid); +} + +sub dump_secdesc { + my $val = shift; + return "FIXME: write sddl-converter!"; +} + +sub dump_nttime { + my $nttime = shift; + if ($nttime == 0) { + return sprintf("%s (%s)", "never", $nttime); + } + my $localtime = localtime(nt_to_unixtime($nttime)); + return sprintf("%s (%s)", $localtime, $nttime); +} + +sub dump_nttime_abs { + if ($_[0] == 9223372036854775807) { + return sprintf("%s (%s)", "now", $_[0]); + } + if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF + return sprintf("%s (%s)", "never", $_[0]); + } + # FIXME: actually *do* abs time ! + return dump_nttime($_[0]); +} + +sub dump_timestr { + my $time = shift; + if ($time eq "16010101000010.0Z") { + return sprintf("%s (%s)", "never", $time); + } + my ($year,$mon,$mday,$hour,$min,$sec,$zone) = + unpack('a4 a2 a2 a2 a2 a2 a4', $time); + $mon -= 1; + my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year)); + return sprintf("%s (%s)", $localtime, $time); +} + +sub dump_string { + return $_[0]; +} + +sub dump_int { + return sprintf("%d", $_[0]); +} + +sub dump_munged_dial { + my $dial = shift; + return "FIXME! decode this"; +} + +sub dump_cert { + + my $cert = shift; + open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der"); + print OPENSSL $cert; + close(OPENSSL); + return ""; +} + +sub dump_pkt { + my $pkt = shift; + return "not yet"; + printf("%s: ", $pkt); + printf("%02X", $pkt); + +} + +sub dump_gplink { + + my $gplink = shift; + my $gplink_mod = $gplink; + my @links = split("\\]\\[", $gplink_mod); + foreach my $link (@links) { + $link =~ s/^\[|\]$//g; + my ($ldap_link, $opt) = split(";", $link); + my @array = ( "$opt", "\t" ); + printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts)); + } + return $gplink; +} + +sub construct_filter { + + my $tmp = shift; + + if (!$tmp || $opt_notify) { + return "(objectclass=*)"; + } + + if ($tmp && $tmp !~ /^.*\=/) { + return "(ANR=$tmp)"; + } + + return $tmp; + # (&(objectCategory=person) + # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2)) +} + +sub construct_attrs { + + my @attrs = @_; + + if (!@attrs) { + push(@attrs,"*"); + } + + if ($opt_notify) { + push(@attrs,"uSNChanged"); + } + + if ($opt_display_metadata) { + push(@attrs,"msDS-ReplAttributeMetaData"); + push(@attrs,"replPropertyMetaData"); + } + + if ($opt_verbose) { + push(@attrs,"nTSecurityDescriptor"); + push(@attrs,"msDS-KeyVersionNumber"); + push(@attrs,"msDS-User-Account-Control-Computed"); + push(@attrs,"modifyTimeStamp"); + } + + return sort @attrs; +} + +sub print_header { + + print "\n"; + printf "%10s: %s\n", "uri", $uri; + printf "%10s: %s\n", "port", $port; + printf "%10s: %s\n", "base", $base; + printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn; + printf "%10s: %s\n", "password", $password; + printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple"; + printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech); + printf "%10s: %s\n", "filter", $filter; + printf "%10s: %s\n", "scope", $scope; + printf "%10s: %s\n", "attrs", join(", ", @attrs); + printf "%10s: %s\n", "controls", join(", ", @ctrls_s); + printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging); + printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no"; + printf "\n"; +} + +sub gen_controls { + + # setup attribute-scoped query control + my $asq_asn = Convert::ASN1->new; + $asq_asn->prepare( + q< asq ::= SEQUENCE { + sourceAttribute OCTET_STRING + } + > + ); + my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq); + my $ctl_asq = Net::LDAP::Control->new( + type => $ads_controls{'LDAP_SERVER_ASQ_OID'}, + critical => 'true', + value => $ctl_asq_val); + + + # setup extended dn control + my $asn_extended_dn = Convert::ASN1->new; + $asn_extended_dn->prepare( + q< ExtendedDn ::= SEQUENCE { + mode INTEGER + } + > + ); + + # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val + my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn); + my $ctl_extended_dn = Net::LDAP::Control->new( + type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'}, + critical => 'true', + value => $opt_display_extendeddn ? $ctl_extended_dn_val : ""); + + # setup search options + my $search_opt = Convert::ASN1->new; + $search_opt->prepare( + q< searchopt ::= SEQUENCE { + flags INTEGER + } + > + ); + + my $tmp = $search_opt->encode( flags => $opt_search_opt); + my $ctl_search_opt = Net::LDAP::Control->new( + type => $ads_controls{'LDAP_SERVER_SEARCH_OPTIONS_OID'}, + critical => 'true', + value => $tmp); + + # setup notify control + my $ctl_notification = Net::LDAP::Control->new( + type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'}, + critical => 'true'); + + + # setup paging control + $ctl_paged = Net::LDAP::Control->new( + type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'}, + critical => 'true', + size => $opt_paging ? $opt_paging : 1000); + + # setup domscope control + my $ctl_domscope = Net::LDAP::Control->new( + type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'}, + critical => 'true', + value => ""); + + if (defined($opt_paging) || $opt_dump_schema) { + push(@ctrls, $ctl_paged); + push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" ); + } + + if (defined($opt_display_extendeddn)) { + push(@ctrls, $ctl_extended_dn); + push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID"); + } + if ($opt_notify) { + push(@ctrls, $ctl_notification); + push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID"); + } + + if ($opt_asq) { + push(@ctrls, $ctl_asq); + push(@ctrls_s, "LDAP_SERVER_ASQ_OID"); + } + + if ($opt_domain_scope) { + push(@ctrls, $ctl_domscope); + push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID"); + } + + if ($opt_search_opt) { + push(@ctrls, $ctl_search_opt); + push(@ctrls_s, "LDAP_SERVER_SEARCH_OPTIONS_OID"); + } + + return @ctrls; +} + +sub display_value_generic ($$$) { + + my ($mod,$attr,$value) = @_; + return unless (defined($value) and defined($attr)); + + if ( ! $opt_display_raw && exists $attr_handler{$attr} ) { + $value = $attr_handler{$attr}($value,$mod); + write_ads_list($mod,$attr,$value); + return; + } + write_ads($mod,$attr,$value); +} + +sub display_attr_generic ($$$) { + + my ($mod,$entry,$attr) = @_; + return if (!$attr || !$entry); + + my $ref = $entry->get_value($attr, asref => 1); + my @values = @$ref; + + foreach my $value ( sort @values) { + display_value_generic($mod,$attr,$value); + } +} + +sub display_entry_generic ($) { + + my $entry = shift; + return if (!$entry); + + foreach my $attr ( sort $entry->attributes) { + display_attr_generic("\t",$entry,$attr); + } +} + +sub display_ldap_err ($) { + + my $msg = shift; + print_header(); + my ($package, $filename, $line, $subroutine) = caller(0); + + print "got error from ADS:\n"; + printf("%s(%d): ERROR (%s): %s\n", + $subroutine, $line, $msg->code, $msg->error); + +} + +sub process_result { + + my ($msg,$entry) = @_; + + if (!defined($msg)) { + return; + } + + if ($msg->code) { + display_ldap_err($msg); + exit 1; + } + + if (!defined($entry)) { + return; + } + + if ($entry->isa('Net::LDAP::Reference')) { + foreach my $ref ($entry->references) { + print "\ngot Reference: [$ref]\n"; + } + return; + } + + print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n"; + + display_entry_generic($entry); +} + +sub default_callback { + + my ($res,$obj) = @_; + + if (!$opt_notify && $res->code == LDAP_REFERRAL) { + return; + } + + if (!$opt_notify) { + return process_result($res,$obj); + } +} + +sub error_callback { + + my ($msg,$entry) = @_; + + if (!$msg) { + return; + } + + if ($msg->code) { + display_ldap_err($msg); + exit(1); + } + return; +} + +sub notify_callback { + + my ($msg, $obj) = @_; + + if (! defined($obj)) { + return; + } + + if ($obj->isa('Net::LDAP::Reference')) { + foreach my $ref ($obj->references) { + print "\ngot Reference: [$ref]\n"; + } + return; + } + + while (1) { + + my $async_entry = $async_search->pop_entry; + + if (!$async_entry->dn) { + print "very weird. entry has no dn\n"; + next; + } + + printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80)); + + my $new_usn = $async_entry->get_value('uSNChanged'); + if (!$new_usn) { + die "odd, no usnChanged attribute???"; + } + if (!$usn || $new_usn > $usn) { + $usn = $new_usn; + if ($opt_notify_nodiffs) { + display_entry_generic($async_entry); + } else { + display_result_diff($async_entry); + } + } + store_result($async_entry); + } +} + +sub do_bind($$) { + + my $async_ldap_hd = shift || return undef; + my $sasl_bind = shift; + + if ($sasl_bind) { + if (!$works_sasl) { + print "this version of Net::LDAP does not have proper SASL support.\n"; + print "Need at least perl-ldap V. $pref_version\n"; + } + $sasl_hd = get_sasl_hd(); + if (!$sasl_hd) { + print "failed to create SASL handle\n"; + return -1; + } + $mesg = $async_ldap_hd->bind( + sasl => $sasl_hd, + callback => \&error_callback + ) || die "doesn't work"; + } else { + $sasl_mech = ""; + $mesg = $async_ldap_hd->bind( + $binddn, + password => $password, + callback => $opt_fastbind ? undef : \&error_callback + ) || die "doesn't work"; + }; + if ($mesg->code) { + display_ldap_err($mesg) if (!$opt_fastbind); + return -1; + } + return 0; +} + +sub do_fast_bind() { + + do_unbind(); + + my $hd = get_ldap_hd($server,1); + + my $mesg = $hd->extension( + name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'}); + + if ($mesg->code) { + display_ldap_err($mesg); + return -1; + } + + my $ret = do_bind($hd, undef); + $hd->unbind; + + printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n", + $ret == 0 ? "succeeded" : "failed"); + + return $ret; +} + +sub do_unbind() { + if ($async_ldap_hd) { + $async_ldap_hd->unbind; + } + if ($sync_ldap_hd) { + $sync_ldap_hd->unbind; + } +} + +############################################################################### + +sub main () { + + if ($opt_fastbind) { + + if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) { + print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n"; + exit 1; + } + + # fast bind can only bind, not search + exit do_fast_bind(); + } + + $filter = construct_filter($query); + @attrs = construct_attrs(@attrs); + @ctrls = gen_controls(); + + if (check_ctrls($server,$dse,@ctrls) == -1) { + print "not all required LDAP Controls are supported by this server\n"; + exit 1; + } + + if ($opt_dump_rootdse) { + print "Dumping Root-DSE:\n"; + display_entry_generic($dse); + exit 0; + } + + if ($opt_dump_wknguid) { + dump_wknguid(); + exit 0; + } + + if (do_bind($async_ldap_hd, $sasl_bind) == -1) { + exit 1; + } + + print_header(); + + if ($opt_dump_schema) { + print "Dumping Schema:\n"; +# my $ads_schema = $async_ldap_hd->schema; +# $ads_schema->dump; +# exit 0; + } + + while (1) { + + $async_search = $async_ldap_hd->search( + base => $base, + filter => $filter, + attrs => [ @attrs ], + control => [ @ctrls ], + callback => \&default_callback, + scope => $scope, + ) || die "cannot search"; + + if (!$opt_notify && ($async_search->code == LDAP_REFERRAL)) { + foreach my $ref ($async_search->referrals) { + print "\ngot Referral: [$ref]\n"; + my ($prot, $host, $base) = split(/\/+/, $ref); + $async_ldap_hd->unbind(); + $async_ldap_hd = get_ldap_hd($host, 1); + if (do_bind($async_ldap_hd, $sasl_bind) == -1) { + $async_ldap_hd->unbind(); + next; + } + print "\nsuccessful rebind to: [$ref]\n"; + last; + } + next; # repeat the query + } + + if ($opt_notify) { + + print "Base [$base] is registered now for change-notify\n"; + print "\nWaiting for change-notify...\n"; + + my $sync_ldap_hd = get_ldap_hd($server,0); + if (do_bind($sync_ldap_hd, $sasl_bind) == -1) { + exit 2; + } + + my $sync_search = $sync_ldap_hd->search( + base => $base, + filter => $filter, + attrs => [ @attrs ], + callback => \¬ify_callback, + scope => $scope, + ) || die "cannot search"; + + } + + $total_entry_count += $async_search->count; + ++$page_count; + print "-" x 80 . "\n"; + printf("Got %d Entries in Page %d \n\n", + $async_search->count, $page_count); + my ($resp) = $async_search->control( + $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last; + last unless ref $resp && $ctl_paged->cookie($resp->cookie); + } + + if ($async_search->entries == 0) { + print "No entries found with filter $filter\n"; + } else { + print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging); + } + + do_unbind() +} + +main(); + +exit 0; |