summaryrefslogtreecommitdiffstats
path: root/examples/misc/adssearch.pl
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
commit8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch)
tree4099e8021376c7d8c05bdf8503093d80e9c7bad0 /examples/misc/adssearch.pl
parentInitial commit. (diff)
downloadsamba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz
samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'examples/misc/adssearch.pl')
-rwxr-xr-xexamples/misc/adssearch.pl1897
1 files changed, 1897 insertions, 0 deletions
diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl
new file mode 100755
index 0000000..fc24811
--- /dev/null
+++ b/examples/misc/adssearch.pl
@@ -0,0 +1,1897 @@
+#!/usr/bin/perl -w
+#
+# adssearch.pl - query an Active Directory server and
+# display objects in a human readable format
+#
+# Copyright (C) Guenther Deschner <gd@samba.org> 2003-2008
+#
+# TODO: add range retrieval
+# write sddl-converter, decode userParameters
+# apparently only win2k3 allows simple-binds with machine-accounts.
+# make sasl support independent from Authen::SASL::Cyrus v >0.11
+use strict;
+
+use Net::LDAP;
+use Net::LDAP::Control;
+use Net::LDAP::Constant qw(LDAP_REFERRAL);
+use Convert::ASN1;
+use Time::Local;
+use POSIX qw(strftime);
+use Getopt::Long;
+
+my $have_sasl;
+my $works_sasl;
+my $pref_version;
+BEGIN {
+ my $class = 'Authen::SASL';
+ $pref_version = "0.32";
+ if ( eval "require $class;" ) {
+ $have_sasl = 1;
+ }
+ if ( eval "Net::LDAP->VERSION($pref_version);" ) {
+ $works_sasl = 1;
+ }
+}
+
+# users may set defaults here
+my $base = "";
+my $binddn = "";
+my $password = "";
+my $server = "";
+my $rebind_url;
+
+
+my $tdbdump = "/usr/bin/tdbdump";
+my $ntdbdump = "/usr/bin/ntdbdump";
+my $testparm = "/usr/bin/testparm";
+my $net = "/usr/bin/net";
+my $dig = "/usr/bin/dig";
+my $nmblookup = "/usr/bin/nmblookup";
+my $secrets_tdb = "/etc/samba/secrets.tdb";
+my $secrets_ntdb = "/etc/samba/secrets.ntdb";
+my $klist = "/usr/bin/klist";
+my $kinit = "/usr/bin/kinit";
+my $workgroup = "";
+my $machine = "";
+my $realm = "";
+
+# parse input
+my (
+ $opt_asq,
+ $opt_base,
+ $opt_binddn,
+ $opt_debug,
+ $opt_display_extendeddn,
+ $opt_display_metadata,
+ $opt_display_raw,
+ $opt_domain_scope,
+ $opt_dump_rootdse,
+ $opt_dump_schema,
+ $opt_dump_wknguid,
+ $opt_fastbind,
+ $opt_help,
+ $opt_host,
+ $opt_machine,
+ $opt_notify,
+ $opt_notify_nodiffs,
+ $opt_paging,
+ $opt_password,
+ $opt_port,
+ $opt_realm,
+ $opt_saslmech,
+ $opt_search_opt,
+ $opt_scope,
+ $opt_simpleauth,
+ $opt_starttls,
+ $opt_user,
+ $opt_verbose,
+ $opt_workgroup,
+);
+
+GetOptions(
+ 'asq=s' => \$opt_asq,
+ 'base|b=s' => \$opt_base,
+ 'D|DN=s' => \$opt_binddn,
+ 'debug=i' => \$opt_debug,
+ 'domain_scope' => \$opt_domain_scope,
+ 'extendeddn|e:i' => \$opt_display_extendeddn,
+ 'fastbind' => \$opt_fastbind,
+ 'help' => \$opt_help,
+ 'host|h=s' => \$opt_host,
+ 'machine|P' => \$opt_machine,
+ 'metadata|m' => \$opt_display_metadata,
+ 'nodiffs' => \$opt_notify_nodiffs,
+ 'notify|n' => \$opt_notify,
+ 'paging:i' => \$opt_paging,
+ 'password|w=s' => \$opt_password,
+ 'port=i' => \$opt_port,
+ 'rawdisplay' => \$opt_display_raw,
+ 'realm|R=s' => \$opt_realm,
+ 'rootDSE' => \$opt_dump_rootdse,
+ 'saslmech|Y=s' => \$opt_saslmech,
+ 'schema|c' => \$opt_dump_schema,
+ 'scope|s=s' => \$opt_scope,
+ 'searchopt:i' => \$opt_search_opt,
+ 'simpleauth|x' => \$opt_simpleauth,
+ 'tls|Z' => \$opt_starttls,
+ 'user|U=s' => \$opt_user,
+ 'verbose|v' => \$opt_verbose,
+ 'wknguid' => \$opt_dump_wknguid,
+ 'workgroup|k=s' => \$opt_workgroup,
+ );
+
+
+if (!@ARGV && !$opt_dump_schema && !$opt_dump_rootdse && !$opt_notify || $opt_help) {
+ usage();
+ exit 1;
+}
+
+if ($opt_fastbind && !$opt_simpleauth) {
+ printf("LDAP fast bind can only be performed with simple binds\n");
+ exit 1;
+}
+
+if ($opt_notify) {
+ $opt_paging = undef;
+}
+
+# get the query
+my $query = shift;
+my @attrs = @ARGV;
+
+# some global vars
+my $filter = "";
+my ($dse, $uri);
+my ($attr, $value);
+my (@ctrls, @ctrls_s);
+my ($ctl_paged, $cookie);
+my ($page_count, $total_entry_count);
+my ($sasl_hd, $async_ldap_hd, $sync_ldap_hd);
+my ($mesg, $usn);
+my (%entry_store);
+my $async_search;
+
+# fixed values and vars
+my $set = "X";
+my $unset = "-";
+my $tabsize = "\t\t\t";
+
+# get defaults
+my $scope = $opt_scope || "sub";
+my $port = $opt_port;
+
+my %ads_controls = (
+"LDAP_SERVER_NOTIFICATION_OID" => "1.2.840.113556.1.4.528",
+"LDAP_SERVER_EXTENDED_DN_OID" => "1.2.840.113556.1.4.529",
+"LDAP_PAGED_RESULT_OID_STRING" => "1.2.840.113556.1.4.319",
+"LDAP_SERVER_SD_FLAGS_OID" => "1.2.840.113556.1.4.801",
+"LDAP_SERVER_SORT_OID" => "1.2.840.113556.1.4.473",
+"LDAP_SERVER_RESP_SORT_OID" => "1.2.840.113556.1.4.474",
+"LDAP_CONTROL_VLVREQUEST" => "2.16.840.1.113730.3.4.9",
+"LDAP_CONTROL_VLVRESPONSE" => "2.16.840.1.113730.3.4.10",
+"LDAP_SERVER_RANGE_RETRIEVAL" => "1.2.840.113556.1.4.802", #unsure
+"LDAP_SERVER_SHOW_DELETED_OID" => "1.2.840.113556.1.4.417",
+"LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID" => "1.2.840.113556.1.4.521",
+"LDAP_SERVER_LAZY_COMMIT_OID" => "1.2.840.113556.1.4.619",
+"LDAP_SERVER_TREE_DELETE_OID" => "1.2.840.113556.1.4.805",
+"LDAP_SERVER_DIRSYNC_OID" => "1.2.840.113556.1.4.841",
+"LDAP_SERVER_VERIFY_NAME_OID" => "1.2.840.113556.1.4.1338",
+"LDAP_SERVER_DOMAIN_SCOPE_OID" => "1.2.840.113556.1.4.1339",
+"LDAP_SERVER_SEARCH_OPTIONS_OID" => "1.2.840.113556.1.4.1340",
+"LDAP_SERVER_PERMISSIVE_MODIFY_OID" => "1.2.840.113556.1.4.1413",
+"LDAP_SERVER_ASQ_OID" => "1.2.840.113556.1.4.1504",
+"NONE (Get stats control)" => "1.2.840.113556.1.4.970",
+"LDAP_SERVER_QUOTA_CONTROL_OID" => "1.2.840.113556.1.4.1852",
+"LDAP_SERVER_SHUTDOWN_NOTIFY_OID" => "1.2.840.113556.1.4.1907",
+);
+
+my %ads_capabilities = (
+"LDAP_CAP_ACTIVE_DIRECTORY_OID" => "1.2.840.113556.1.4.800",
+"LDAP_CAP_ACTIVE_DIRECTORY_V51_OID" => "1.2.840.113556.1.4.1670",
+"LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID" => "1.2.840.113556.1.4.1791",
+);
+
+my %ads_extensions = (
+"LDAP_START_TLS_OID" => "1.3.6.1.4.1.1466.20037",
+"LDAP_TTL_EXTENDED_OP_OID" => "1.3.6.1.4.1.1466.101.119.1",
+"LDAP_SERVER_FAST_BIND_OID" => "1.2.840.113556.1.4.1781",
+"NONE (TTL refresh extended op)" => "1.3.6.1.4.1.1466.101.119.1",
+);
+
+my %ads_matching_rules = (
+"LDAP_MATCHING_RULE_BIT_AND" => "1.2.840.113556.1.4.803",
+"LDAP_MATCHING_RULE_BIT_OR" => "1.2.840.113556.1.4.804",
+);
+
+my %wknguids = (
+"WELL_KNOWN_GUID_COMPUTERS" => "AA312825768811D1ADED00C04FD8D5CD",
+"WELL_KNOWN_GUID_DOMAIN_CONTROLLERS" => "A361B2FFFFD211D1AA4B00C04FD7D83A",
+"WELL_KNOWN_GUID_SYSTEM" => "AB1D30F3768811D1ADED00C04FD8D5CD",
+"WELL_KNOWN_GUID_USERS" => "A9D1CA15768811D1ADED00C04FD8D5CD",
+);
+
+my %ads_systemflags = (
+"FLAG_DONT_REPLICATE" => 0x00000001, # 1
+"FLAG_REPLICATE_TO_GC" => 0x00000002, # 2
+"FLAG_ATTRIBUTE_CONSTRUCT" => 0x00000004, # 4
+"FLAG_CATEGORY_1_OBJECT" => 0x00000010, # 16
+"FLAG_DELETE_WITHOUT_TOMBSTONE" => 0x02000000, # 33554432
+"FLAG_DOMAIN_DISALLOW_MOVE" => 0x04000000, # 67108864
+"FLAG_DOMAIN_DISALLOW_RENAME" => 0x08000000, # 134217728
+#"FLAG_CONFIG_CAN_MOVE_RESTRICTED" => 0x10000000, # 268435456 # only setable on creation
+#"FLAG_CONFIG_CAN_MOVE" => 0x20000000, # 536870912 # only setable on creation
+#"FLAG_CONFIG_CAN_RENAME" => 0x40000000, # 1073741824 # only setable on creation
+"FLAG_DISALLOW_DELETE" => 0x80000000, # 2147483648
+);
+
+my %ads_mixed_domain = (
+"NATIVE_LEVEL_DOMAIN" => 0,
+"MIXED_LEVEL_DOMAIN" => 1,
+);
+
+my %ads_ds_func = (
+"DS_BEHAVIOR_WIN2000" => 0, # untested
+"DS_BEHAVIOR_WIN2003" => 2,
+"DS_BEHAVIOR_WIN2008" => 3,
+);
+
+my %ads_instance_type = (
+"DS_INSTANCETYPE_IS_NC_HEAD" => 0x1,
+"IT_WRITE" => 0x4,
+"IT_NC_ABOVE" => 0x8,
+);
+
+my %ads_uacc = (
+ "ACCOUNT_NEVER_EXPIRES" => 0x000000, # 0
+ "ACCOUNT_OK" => 0x800000, # 8388608
+ "ACCOUNT_LOCKED_OUT" => 0x800010, # 8388624
+);
+
+my %ads_enctypes = (
+ "DES-CBC-CRC" => 0x01,
+ "DES-CBC-MD5" => 0x02,
+ "RC4_HMAC_MD5" => 0x04,
+ "AES128_CTS_HMAC_SHA1_96" => 0x08,
+ "AES128_CTS_HMAC_SHA1_128" => 0x10,
+);
+
+my %ads_gpoptions = (
+ "GPOPTIONS_INHERIT" => 0,
+ "GPOPTIONS_BLOCK_INHERITANCE" => 1,
+);
+
+my %ads_gplink_opts = (
+ "GPLINK_OPT_NONE" => 0,
+ "GPLINK_OPT_DISABLED" => 1,
+ "GPLINK_OPT_ENFORCED" => 2,
+);
+
+my %ads_gpflags = (
+ "GPFLAGS_ALL_ENABLED" => 0,
+ "GPFLAGS_USER_SETTINGS_DISABLED" => 1,
+ "GPFLAGS_MACHINE_SETTINGS_DISABLED" => 2,
+ "GPFLAGS_ALL_DISABLED" => 3,
+);
+
+my %ads_serverstate = (
+ "SERVER_ENABLED" => 1,
+ "SERVER_DISABLED" => 2,
+);
+
+my %ads_sdeffective = (
+ "OWNER_SECURITY_INFORMATION" => 0x01,
+ "DACL_SECURITY_INFORMATION" => 0x04,
+ "SACL_SECURITY_INFORMATION" => 0x10,
+);
+
+my %ads_trustattrs = (
+ "TRUST_ATTRIBUTE_NON_TRANSITIVE" => 0x00000001,
+ "TRUST_ATTRIBUTE_UPLEVEL_ONLY" => 0x00000002,
+ "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" => 0x00000004,
+ "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" => 0x00000008,
+ "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" => 0x00000010,
+ "TRUST_ATTRIBUTE_WITHIN_FOREST" => 0x00000020,
+ "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" => 0x00000040,
+ "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" => 0x00000080,
+ "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" => 0x00000200,
+ "TRUST_ATTRIBUTE_PIM_TRUST" => 0x00000400,
+ "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" => 0x00000800,
+);
+
+my %ads_trustdirection = (
+ "TRUST_DIRECTION_INBOUND" => 1,
+ "TRUST_DIRECTION_OUTBOUND" => 2,
+ "TRUST_DIRECTION_BIDIRECTIONAL" => 3,
+);
+
+my %ads_trusttype = (
+ "TRUST_TYPE_DOWNLEVEL" => 1,
+ "TRUST_TYPE_UPLEVEL" => 2,
+ "TRUST_TYPE_KERBEROS" => 3,
+ "TRUST_TYPE_DCE" => 4,
+);
+
+my %ads_pwdproperties = (
+ "DOMAIN_PASSWORD_COMPLEX" => 1,
+ "DOMAIN_PASSWORD_NO_ANON_CHANGE" => 2,
+ "DOMAIN_PASSWORD_NO_CLEAR_CHANGE" => 4,
+ "DOMAIN_LOCKOUT_ADMINS" => 8,
+ "DOMAIN_PASSWORD_STORE_CLEARTEXT" => 16,
+ "DOMAIN_REFUSE_PASSWORD_CHANGE" => 32,
+);
+
+my %ads_uascompat = (
+ "LANMAN_USER_ACCOUNT_SYSTEM_NOLIMITS" => 0,
+ "LANMAN_USER_ACCOUNT_SYSTEM_COMPAT" => 1,
+);
+
+my %ads_frstypes = (
+ "REPLICA_SET_SYSVOL" => 2, # unsure
+ "REPLICA_SET_DFS" => 1, # unsure
+ "REPLICA_SET_OTHER" => 0, # unsure
+);
+
+my %ads_gp_cse_extensions = (
+"Administrative Templates Extension" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
+"Disk Quotas" => "3610EDA5-77EF-11D2-8DC5-00C04FA31A66",
+"EFS Recovery" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
+"Folder Redirection" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
+"IP Security" => "E437BC1C-AA7D-11D2-A382-00C04F991E27",
+"Internet Explorer Maintenance" => "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B",
+"QoS Packet Scheduler" => "426031c0-0b47-4852-b0ca-ac3d37bfcb39",
+"Scripts" => "42B5FAAE-6536-11D2-AE5A-0000F87571E3",
+"Security" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
+"Software Installation" => "C6DC5466-785A-11D2-84D0-00C04FB169F7",
+);
+
+# guess work
+my %ads_gpcextensions = (
+"Administrative Templates" => "0F6B957D-509E-11D1-A7CC-0000F87571E3",
+"Certificates" => "53D6AB1D-2488-11D1-A28C-00C04FB94F17",
+"EFS recovery policy processing" => "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A",
+"Folder Redirection policy processing" => "25537BA6-77A8-11D2-9B6C-0000F8080861",
+"Folder Redirection" => "88E729D6-BDC1-11D1-BD2A-00C04FB9603F",
+"Registry policy processing" => "35378EAC-683F-11D2-A89A-00C04FBBCFA2",
+"Remote Installation Services" => "3060E8CE-7020-11D2-842D-00C04FA372D4",
+"Security Settings" => "803E14A0-B4FB-11D0-A0D0-00A0C90F574B",
+"Security policy processing" => "827D319E-6EAC-11D2-A4EA-00C04F79F83A",
+"unknown" => "3060E8D0-7020-11D2-842D-00C04FA372D4",
+"unknown2" => "53D6AB1B-2488-11D1-A28C-00C04FB94F17",
+);
+
+my %ads_gpo_default_guids = (
+"Default Domain Policy" => "31B2F340-016D-11D2-945F-00C04FB984F9",
+"Default Domain Controllers Policy" => "6AC1786C-016F-11D2-945F-00C04fB984F9",
+"mist" => "61718096-3D3F-4398-8318-203A48976F9E",
+);
+
+my %ads_uf = (
+ "UF_SCRIPT" => 0x00000001,
+ "UF_ACCOUNTDISABLE" => 0x00000002,
+# "UF_UNUSED_1" => 0x00000004,
+ "UF_HOMEDIR_REQUIRED" => 0x00000008,
+ "UF_LOCKOUT" => 0x00000010,
+ "UF_PASSWD_NOTREQD" => 0x00000020,
+ "UF_PASSWD_CANT_CHANGE" => 0x00000040,
+ "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" => 0x00000080,
+ "UF_TEMP_DUPLICATE_ACCOUNT" => 0x00000100,
+ "UF_NORMAL_ACCOUNT" => 0x00000200,
+# "UF_UNUSED_2" => 0x00000400,
+ "UF_INTERDOMAIN_TRUST_ACCOUNT" => 0x00000800,
+ "UF_WORKSTATION_TRUST_ACCOUNT" => 0x00001000,
+ "UF_SERVER_TRUST_ACCOUNT" => 0x00002000,
+# "UF_UNUSED_3" => 0x00004000,
+# "UF_UNUSED_4" => 0x00008000,
+ "UF_DONT_EXPIRE_PASSWD" => 0x00010000,
+ "UF_MNS_LOGON_ACCOUNT" => 0x00020000,
+ "UF_SMARTCARD_REQUIRED" => 0x00040000,
+ "UF_TRUSTED_FOR_DELEGATION" => 0x00080000,
+ "UF_NOT_DELEGATED" => 0x00100000,
+ "UF_USE_DES_KEY_ONLY" => 0x00200000,
+ "UF_DONT_REQUIRE_PREAUTH" => 0x00400000,
+ "UF_PASSWORD_EXPIRED" => 0x00800000,
+ "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" => 0x01000000,
+ "UF_NO_AUTH_DATA_REQUIRED" => 0x02000000,
+# "UF_UNUSED_8" => 0x04000000,
+# "UF_UNUSED_9" => 0x08000000,
+# "UF_UNUSED_10" => 0x10000000,
+# "UF_UNUSED_11" => 0x20000000,
+# "UF_UNUSED_12" => 0x40000000,
+# "UF_UNUSED_13" => 0x80000000,
+);
+
+my %ads_grouptype = (
+ "GROUP_TYPE_BUILTIN_LOCAL_GROUP" => 0x00000001,
+ "GROUP_TYPE_ACCOUNT_GROUP" => 0x00000002,
+ "GROUP_TYPE_RESOURCE_GROUP" => 0x00000004,
+ "GROUP_TYPE_UNIVERSAL_GROUP" => 0x00000008,
+ "GROUP_TYPE_APP_BASIC_GROUP" => 0x00000010,
+ "GROUP_TYPE_APP_QUERY_GROUP" => 0x00000020,
+ "GROUP_TYPE_SECURITY_ENABLED" => 0x80000000,
+);
+
+my %ads_atype = (
+ "ATYPE_NORMAL_ACCOUNT" => 0x30000000,
+ "ATYPE_WORKSTATION_TRUST" => 0x30000001,
+ "ATYPE_INTERDOMAIN_TRUST" => 0x30000002,
+ "ATYPE_SECURITY_GLOBAL_GROUP" => 0x10000000,
+ "ATYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x10000001,
+ "ATYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x10000001, # ATYPE_DISTRIBUTION_GLOBAL_GROUP
+ "ATYPE_SECURITY_LOCAL_GROUP" => 0x20000000,
+ "ATYPE_DISTRIBUTION_LOCAL_GROUP" => 0x20000001,
+ "ATYPE_ACCOUNT" => 0x30000000, # ATYPE_NORMAL_ACCOUNT
+ "ATYPE_GLOBAL_GROUP" => 0x10000000, # ATYPE_SECURITY_GLOBAL_GROUP
+ "ATYPE_LOCAL_GROUP" => 0x20000000, # ATYPE_SECURITY_LOCAL_GROUP
+);
+
+my %ads_gtype = (
+ "GTYPE_SECURITY_BUILTIN_LOCAL_GROUP" => 0x80000005,
+ "GTYPE_SECURITY_DOMAIN_LOCAL_GROUP" => 0x80000004,
+ "GTYPE_SECURITY_GLOBAL_GROUP" => 0x80000002,
+ "GTYPE_SECURITY_UNIVERSAL_GROUP" => 0x80000008,
+ "GTYPE_DISTRIBUTION_GLOBAL_GROUP" => 0x00000002,
+ "GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP" => 0x00000004,
+ "GTYPE_DISTRIBUTION_UNIVERSAL_GROUP" => 0x00000008,
+);
+
+my %munged_dial = (
+ "CtxCfgPresent" => \&dump_int,
+ "CtxCfgFlags1" => \&dump_int,
+ "CtxCallback" => \&dump_string,
+ "CtxShadow" => \&dump_string,
+ "CtxMaxConnectionTime" => \&dump_int,
+ "CtxMaxDisconnectionTime"=> \&dump_int,
+ "CtxMaxIdleTime" => \&dump_int,
+ "CtxKeyboardLayout" => \&dump_int,
+ "CtxMinEncryptionLevel" => \&dump_int,
+ "CtxWorkDirectory" => \&dump_string,
+ "CtxNWLogonServer" => \&dump_string,
+ "CtxWFHomeDir" => \&dump_string,
+ "CtxWFHomeDirDrive" => \&dump_string,
+ "CtxWFProfilePath" => \&dump_string,
+ "CtxInitialProgram" => \&dump_string,
+ "CtxCallbackNumber" => \&dump_string,
+);
+
+$SIG{__WARN__} = sub {
+ use Carp;
+ Carp::cluck (shift);
+};
+
+# if there is data missing, we try to autodetect with samba-tools (if installed)
+# this might fill up workgroup, machine, realm
+get_samba_info();
+
+# get a workgroup
+$workgroup = $workgroup || $opt_workgroup || "";
+
+# get the server
+$server = process_servername($opt_host) ||
+ detect_server($workgroup,$opt_realm) ||
+ die "please define server to query with -h host\n";
+
+
+# get the base
+$base = defined($opt_base)? $opt_base : "" ||
+ get_base_from_rootdse($server,$dse);
+
+# get the realm
+$realm = $opt_realm ||
+ get_realm_from_rootdse($server,$dse);
+
+# get sasl mechs
+my @sasl_mechs = get_sasl_mechs_from_rootdse($server,$dse);
+my $sasl_mech = "GSSAPI";
+if ($opt_saslmech) {
+ $sasl_mech = sprintf("%s", (check_sasl_mech($opt_saslmech) == 0)?uc($opt_saslmech):"");
+}
+
+# set bind type
+my $sasl_bind = 1 if (!$opt_simpleauth);
+
+# get username
+my $user = check_user($opt_user) || $ENV{'USER'} || "";
+
+# gen upn
+my $upn = sprintf("%s", gen_upn($opt_machine ? "$machine\$" : $user, $realm));
+
+# get binddn
+$binddn = $opt_binddn || $upn;
+
+# get the password
+$password = $password || $opt_password;
+if (!$password) {
+ $password = $opt_machine ? get_machine_password($workgroup) : get_password();
+}
+
+my %attr_handler = (
+ "Token-Groups-No-GC-Acceptable" => \&dump_sid, #wrong name
+ "accountExpires" => \&dump_nttime,
+ "attributeSecurityGUID" => \&dump_guid,
+ "badPasswordTime" => \&dump_nttime,
+ "creationTime" => \&dump_nttime,
+ "currentTime" => \&dump_timestr,
+ "domainControllerFunctionality" => \&dump_ds_func,
+ "domainFunctionality" => \&dump_ds_func,
+ "fRSReplicaSetGUID" => \&dump_guid,
+ "fRSReplicaSetType" => \&dump_frstype,
+ "fRSVersionGUID" => \&dump_guid,
+ "flags" => \&dump_gpflags, # fixme: possibly only on gpos!
+ "forceLogoff" => \&dump_nttime_abs,
+ "forestFunctionality" => \&dump_ds_func,
+# "gPCMachineExtensionNames" => \&dump_gpcextensions,
+# "gPCUserExtensionNames" => \&dump_gpcextensions,
+ "gPLink" => \&dump_gplink,
+ "gPOptions" => \&dump_gpoptions,
+ "groupType" => \&dump_gtype,
+ "instanceType" => \&dump_instance_type,
+ "lastLogon" => \&dump_nttime,
+ "lastLogonTimestamp" => \&dump_nttime,
+ "lastSetTime" => \&dump_nttime,
+ "lockOutObservationWindow" => \&dump_nttime_abs,
+ "lockoutDuration" => \&dump_nttime_abs,
+ "lockoutTime" => \&dump_nttime,
+# "logonHours" => \&dump_logonhours,
+ "maxPwdAge" => \&dump_nttime_abs,
+ "minPwdAge" => \&dump_nttime_abs,
+ "modifyTimeStamp" => \&dump_timestr,
+ "msDS-Behavior-Version" => \&dump_ds_func, #unsure
+ "msDS-User-Account-Control-Computed" => \&dump_uacc,
+ "msDS-SupportedEncryptionTypes" => \&dump_enctypes,
+ "mS-DS-CreatorSID" => \&dump_sid,
+# "msRADIUSFramedIPAddress" => \&dump_ipaddr,
+# "msRASSavedFramedIPAddress" => \&dump_ipaddr,
+ "netbootGUID" => \&dump_guid,
+ "nTMixedDomain" => \&dump_mixed_domain,
+ "nTSecurityDescriptor" => \&dump_secdesc,
+ "objectGUID" => \&dump_guid,
+ "objectSid" => \&dump_sid,
+ "pKT" => \&dump_pkt,
+ "pKTGuid" => \&dump_guid,
+ "priorSetTime" => \&dump_nttime,
+ "pwdLastSet" => \&dump_nttime,
+ "pwdProperties" => \&dump_pwdproperties,
+ "sAMAccountType" => \&dump_atype,
+ "schemaIDGUID" => \&dump_guid,
+ "sDRightsEffective" => \&dump_sdeffective,
+ "securityIdentifier" => \&dump_sid,
+ "serverState" => \&dump_serverstate,
+ "supportedCapabilities", => \&dump_capabilities,
+ "supportedControl", => \&dump_controls,
+ "supportedExtension", => \&dump_extension,
+ "systemFlags" => \&dump_systemflags,
+ "tokenGroups", => \&dump_sid,
+ "tokenGroupsGlobalAndUniversal" => \&dump_sid,
+ "tokenGroupsNoGCAcceptable" => \&dump_sid,
+ "trustAttributes" => \&dump_trustattr,
+ "trustDirection" => \&dump_trustdirection,
+ "trustType" => \&dump_trusttype,
+ "uASCompat" => \&dump_uascompat,
+ "userAccountControl" => \&dump_uac,
+ "userCertificate" => \&dump_cert,
+ "userFlags" => \&dump_uf,
+ "userParameters" => \&dump_munged_dial,
+ "whenChanged" => \&dump_timestr,
+ "whenCreated" => \&dump_timestr,
+# "dSCorePropagationData" => \&dump_timestr,
+);
+
+
+
+################
+# subfunctions #
+################
+
+sub usage {
+ print "usage: $0 [--asq] [--base|-b base] [--debug level] [--debug level] [--DN|-D binddn] [--extendeddn|-e] [--help] [--host|-h host] [--machine|-P] [--metadata|-m] [--nodiffs] [--notify|-n] [--password|-w password] [--port port] [--rawdisplay] [--realm|-R realm] [--rootdse] [--saslmech|-Y saslmech] [--schema|-c] [--scope|-s scope] [--simpleauth|-x] [--starttls|-Z] [--user|-U user] [--wknguid] [--workgroup|-k workgroup] filter [attrs]\n";
+ print "\t--asq [attribute]\n\t\tAttribute to use for a attribute scoped query (LDAP_SERVER_ASQ_OID)\n";
+ print "\t--base|-b [base]\n\t\tUse base [base]\n";
+ print "\t--debug [level]\n\t\tUse debuglevel (for Net::LDAP)\n";
+ print "\t--domain_scope\n\t\tLimit LDAP search to local domain (LDAP_SERVER_DOMAIN_SCOPE_OID)\n";
+ print "\t--DN|-D [binddn]\n\t\tUse binddn or principal\n";
+ print "\t--extendeddn|-e [value]\n\t\tDisplay extended dn (LDAP_SERVER_EXTENDED_DN_OID)\n";
+ print "\t--fastbind\n\t\tDo LDAP fast bind using LDAP_SERVER_FAST_BIND_OID extension\n";
+ print "\t--help\n\t\tDisplay help page\n";
+ print "\t--host|-h [host]\n\t\tQuery Host [host] (either a hostname or an LDAP uri)\n";
+ print "\t--machine|-P\n\t\tUse samba3 machine account stored in $secrets_tdb (needs root access)\n";
+ print "\t--metdata|-m\n\t\tDisplay replication metadata\n";
+ print "\t--nodiffs\n\t\tDisplay no diffs but full entry dump when running in notify mode\n";
+ print "\t--notify|-n\n\t\tActivate asynchronous change notification (LDAP_SERVER_NOTIFICATION_OID)\n";
+ print "\t--paging [pagesize]\n\t\tUse paged results when searching\n";
+ print "\t--password|-w [password]\n\t\tUse [password] for binddn\n";
+ print "\t--port [port]\n\t\tUse [port] when connecting ADS\n";
+ print "\t--rawdisplay\n\t\tDo not interpret values\n";
+ print "\t--realm|-R [realm]\n\t\tUse [realm] when trying to construct bind-principal\n";
+ print "\t--rootdse\n\t\tDisplay RootDSE (anonymously)\n";
+ print "\t--saslmech|-Y [saslmech]\n\t\tUse SASL Mechanism [saslmech] when binding\n";
+ print "\t--schema|-c\n\t\tDisplay DSE-Schema\n";
+ print "\t--scope|-s [scope]\n\t\tUse scope [scope] (sub, base, one)\n";
+ print "\t--simpleauth|-x\n\t\tUse simple bind (otherwise SASL binds are performed)\n";
+ print "\t--starttls|-Z\n\t\tUse Start TLS extended operation to secure LDAP traffic\n";
+ print "\t--user|-U [user]\n\t\tUse [user]\n";
+ print "\t--wknguid\n\t\tDisplay well known guids\n";
+ print "\t--workgroup|-k [workgroup]\n\t\tWhen LDAP-Server is not known try to find a Domain-Controller for [workgroup]\n";
+}
+
+sub write_ads_list {
+ my ($mod,$attr,$value) = @_;
+ my $ofh = select(STDOUT);
+ $~ = "ADS_LIST";
+ select($ofh);
+ write();
+
+format ADS_LIST =
+@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: @*
+$mod, $attr, $value
+.
+}
+
+sub write_ads {
+ my ($mod,$attr,$value) = @_;
+ my $ofh = select(STDOUT);
+ $~ = "ADS";
+ select($ofh);
+ write();
+
+format ADS =
+@<<<< @>>>>>>>>>>>>>>>>>>>>>>>: ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+$mod, $attr, $value
+~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+ $value
+.
+}
+
+sub detect_server {
+
+ my $workgroup = shift;
+ my $realm = shift;
+ my $result;
+ my $found;
+
+ # try net cache (nbt records)
+ if ( -x $net && $workgroup ) {
+ my $key = sprintf("NBT/%s#1C", uc($workgroup));
+ chomp($result = `$net cache search $key 2>&1 /dev/null`);
+ $result =~ s/^.*Value: //;
+ $result =~ s/:.*//;
+ return $result if $result;
+ printf("%10s query failed for [%s]\n", "net cache", $key);
+ }
+
+ # try dns SRV entries
+ if ( -x $dig && $realm ) {
+ my $key = sprintf("_ldap._tcp.%s", lc($realm));
+ chomp($result = `$dig $key SRV +short +search | egrep "^[0-9]" | head -1`);
+ $result =~ s/.* //g;
+ $result =~ s/.$//g;
+ return $result if $result;
+ printf("%10s query failed for [%s]\n", "dns", $key);
+ }
+
+ # try netbios broadcast query
+ if ( -x $nmblookup && $workgroup ) {
+ my $key = sprintf("%s#1C", uc($workgroup));
+ my $pattern = sprintf("%s<1c>", uc($workgroup));
+ chomp($result = `$nmblookup $key -d 0 | grep '$pattern'`);
+ $result =~ s/\s.*//;
+ return $result if $result;
+ printf("%10s query failed for [%s]\n", "nmblookup", $key);
+ }
+
+ return "";
+}
+
+sub get_samba_info {
+
+ if (! -x $testparm) { return -1; }
+
+ my $tmp;
+ open(TESTPARM, "$testparm -s -v 2> /dev/null |");
+ while (my $line = <TESTPARM>) {
+ chomp($line);
+ if ($line =~ /netbios name/) {
+ ($tmp, $machine) = split(/=/, $line);
+ $machine =~ s/\s+|\t+//g;
+ }
+ if ($line =~ /realm/) {
+ ($tmp, $realm) = split(/=/, $line);
+ $realm =~ s/\s+|\t+//g;
+ }
+ if ($line =~ /workgroup/) {
+ ($tmp, $workgroup) = split(/=/, $line);
+ $workgroup =~ s/\s+|\t+//g;
+ }
+ }
+ close(TESTPARM);
+ return 0;
+}
+
+sub gen_upn {
+ my $machine = shift;
+ my $realm = shift;
+ if ($machine && $realm) {
+ return sprintf("%s\@%s", lc($machine), uc($realm));
+ };
+ return undef;
+}
+
+sub get_password {
+ if (!$password && $opt_simpleauth && check_ticket($user)) {
+ return prompt_password($user);
+ }
+ return "";
+}
+
+sub get_user {
+ my $user = shift || prompt_user();
+ return $user;
+}
+
+sub get_machine_password {
+
+ my $workgroup = shift || "";
+ $workgroup = uc($workgroup);
+
+ my ($found, $tmp, $dbdump, $db);
+ if (-r $secrets_ntdb) {
+ -x $ntdbdump || die "ntdbdump is not installed. cannot proceed autodetection\n";
+ $dbdump = $ntdbdump;
+ $db = $secrets_ntdb;
+ } else {
+ -x $tdbdump || die "tdbdump is not installed. cannot proceed autodetection\n";
+ -r $secrets_tdb || die "cannot read $secrets_tdb. cannot proceed autodetection\n";
+ $dbdump = $tdbdump;
+ $db = $secrets_tdb;
+ }
+
+ # get machine-password
+ my $key = sprintf("SECRETS/MACHINE_PASSWORD/%s", $workgroup);
+ open(SECRETS,"$dbdump $db |");
+ while(my $line = <SECRETS>) {
+ chomp($line);
+ if ($found) {
+ $line =~ s/\\00//;
+ ($line,$password) = split(/"/, $line);
+ last;
+ }
+ if ($line =~ /\"$key\"/) {
+ $found = 1;
+ }
+ }
+ close(SECRETS);
+
+ if ($found) {
+ print "Successfully autodetected machine password for workgroup: $workgroup\n";
+ return $password;
+ } else {
+ warn "No machine password available for $workgroup\n";
+ }
+ return "";
+}
+
+sub prompt_password {
+
+ my $acct = shift || "";
+ if ($acct =~ /\%/) {
+ ($acct, $password) = split(/\%/, $acct);
+ return $password;
+ }
+ system "stty -echo";
+ print "Enter password for $acct:";
+ my $password = <STDIN>;
+ chomp($password);
+ print "\n";
+ system "stty echo";
+ return $password;
+}
+
+sub prompt_user {
+
+ print "Enter Username:";
+ my $user = <STDIN>;
+ chomp($user);
+ print "\n";
+ return $user;
+}
+
+sub check_ticket {
+ return 0;
+ # works only for heimdal
+ return system("$klist -t");
+}
+
+sub get_ticket {
+
+ my $KRB5_CONFIG = "/tmp/.krb5.conf.telads-$<";
+
+ open(KRB5CONF, "> $KRB5_CONFIG") || die "cannot write $KRB5_CONFIG";
+ printf KRB5CONF "# autogenerated by $0\n";
+ printf KRB5CONF "[libdefaults]\n\tdefault_realm = %s\n\tclockskew = %d\n", uc($realm), 60*60;
+ printf KRB5CONF "[realms]\n\t%s = {\n\t\tkdc = %s\n\t}\n", uc($realm), $server;
+ close(KRB5CONF);
+
+ if ( system("KRB5_CONFIG=$KRB5_CONFIG $kinit $user") != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+sub check_user {
+ my $acct = shift || "";
+ if ($acct =~ /\%/) {
+ ($acct, $password) = split(/\%/, $acct);
+ }
+ return $acct;
+}
+
+sub check_root_dse($$$@) {
+
+ # bogus function??
+ my $server = shift || "";
+ $dse = shift || get_dse($server) || return -1;
+ my $attr = shift || die "unknown query";
+ my @array = @_;
+
+ my $dse_list = $dse->get_value($attr, asref => '1');
+ my @dse_array = @$dse_list;
+
+ foreach my $i (@array) {
+ # we could use -> supported_control but this
+ # is only available in newer versions of perl-ldap
+# if ( ! $dse->supported_control( $i ) ) {
+ if ( grep(/$i->type()/, @dse_array) ) {
+ printf("required \"$attr\": %s is not supported by ADS-server.\n", $i->type());
+ return -1;
+ }
+ }
+ return 0;
+}
+
+sub check_ctrls ($$@) {
+ my $server = shift;
+ my $dse = shift;
+ my @array = @_;
+ return check_root_dse($server, $dse, "supportedControl", @array);
+}
+
+sub check_exts ($$@) {
+ my $server = shift;
+ my $dse = shift;
+ my @array = @_;
+ return check_root_dse($server, $dse, "supportedExtension", @array);
+}
+
+sub get_base_from_rootdse {
+
+ my $server = shift || "";
+ $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
+ return $dse->get_value($opt_dump_schema ? 'schemaNamingContext':
+ 'defaultNamingContext');
+}
+
+sub get_realm_from_rootdse {
+
+ my $server = shift || "";
+ $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
+ my $service = $dse->get_value('ldapServiceName') || "";
+ if ($service) {
+ my ($t,$realm) = split(/\@/, $service);
+ return $realm;
+ } else {
+ die "very odd: could not get realm";
+ }
+}
+
+sub get_sasl_mechs_from_rootdse {
+
+ my $server = shift || "";
+ $dse = shift || get_dse($server,$async_ldap_hd) || return -1;
+ my $mechs = $dse->get_value('supportedSASLMechanisms', asref => 1);
+ return @$mechs;
+}
+
+sub get_dse {
+
+ my $server = shift || return undef;
+ $async_ldap_hd = shift || get_ldap_hd($server,1);
+ if (!$async_ldap_hd) {
+ print "oh, no connection\n";
+ return undef;
+ }
+ my $mesg = $async_ldap_hd->bind() || die "cannot bind\n";
+ if ($mesg->code) { die "failed to bind\n"; };
+ my $dse = $async_ldap_hd->root_dse( attrs => ['*', "supportedExtension", "supportedFeatures" ] );
+
+ return $dse;
+}
+
+sub process_servername {
+
+ my $name = shift || return "";
+ if ($name =~ /^ldaps:\/\//i ) {
+ $name =~ s#^ldaps://##i;
+ $uri = sprintf("%s://%s", "ldaps", $name);
+ } else {
+ $name =~ s#^ldap://##i;
+ $uri = sprintf("%s://%s", "ldap", $name);
+ }
+ return $name;
+}
+
+sub get_ldap_hd {
+
+ my $server = shift || return undef;
+ my $async = shift || "0";
+ my $hd;
+ die "uri unavailable" if (!$uri);
+ if ($uri =~ /^ldaps:\/\//i ) {
+ $port = $port || 636;
+ use Net::LDAPS;
+ $hd = Net::LDAPS->new( $server, async => $async, port => $port ) ||
+ die "host $server not available: $!";
+ } else {
+ $port = $port || 389;
+ $hd = Net::LDAP->new( $server, async => $async, port => $port ) ||
+ die "host $server not available: $!";
+ }
+ $hd->debug($opt_debug);
+ if ($opt_starttls) {
+ $hd->start_tls( verify => 'none' );
+ }
+
+ return $hd;
+}
+
+sub get_sasl_hd {
+
+ if (!$have_sasl) {
+ print "no sasl support\n";
+ return undef;
+ }
+
+ my $hd;
+ if ($sasl_mech && $sasl_mech eq "GSSAPI") {
+ my $user = sprintf("%s\@%s", $user, uc($realm));
+ if (check_ticket($user) != 0 && get_ticket($user) != 0) {
+ print "Could not get Kerberos ticket for user [$user]\n";
+ return undef;
+ }
+
+ $hd = Authen::SASL->new( mechanism => 'GSSAPI' ) || die "nope";
+ my $conn = $hd->client_new("ldap", $server);
+
+ if ($conn->code == -1) {
+ printf "%s\n", $conn->error();
+ return undef;
+ };
+
+ } elsif ($sasl_mech) {
+
+ # here comes generic sasl code
+ $hd = Authen::SASL->new( mechanism => $sasl_mech,
+ callback => {
+ user => \&get_user,
+ pass => \&get_password
+ }
+ ) || die "nope";
+ } else {
+ $sasl_bind = 0;
+ print "no supported SASL mechanism found (@sasl_mechs).\n";
+ print "falling back to simple bind.\n";
+ return undef;
+ }
+
+ return $hd;
+}
+
+sub check_sasl_mech {
+ my $mech_check = shift;
+ my $have_mech = 0;
+ foreach my $mech (@sasl_mechs) {
+ $have_mech = 1 if ($mech eq uc($mech_check));
+ }
+ if (!$have_mech) {
+ return -1;
+ }
+ return 0;
+}
+
+sub store_result ($) {
+
+ my $entry = shift;
+ return if (!$entry);
+ $entry_store{$entry->dn} = $entry;
+}
+
+sub display_result_diff ($) {
+
+ my $entry_new = shift;
+ return if ( !$entry_new);
+
+ if ( !exists $entry_store{$entry_new->dn}) {
+ print "can't display any differences yet. full dump...\n";
+ display_entry_generic($entry_new);
+ return;
+ }
+
+ my $entry_old = $entry_store{$entry_new->dn};
+
+ foreach my $attr (sort $entry_new->attributes) {
+ if ( $entry_new->exists($attr) && ! $entry_old->exists($attr)) {
+ display_attr_generic("add:\t", $entry_new, $attr);
+ next;
+ }
+ }
+
+ foreach my $attr (sort $entry_old->attributes) {
+ if (! $entry_new->exists($attr) && $entry_old->exists($attr)) {
+ display_attr_generic("del:\t", $entry_old, $attr);
+ next;
+ }
+
+ # now check for all values if they have changed, display changes
+ my ($old_vals, $new_vals, @old_vals, @new_vals, %old, %new);
+
+ $old_vals = $entry_old->get_value($attr, asref => 1);
+ @old_vals = @$old_vals;
+ $new_vals = $entry_new->get_value($attr, asref => 1);
+ @new_vals = @$new_vals;
+
+ if (scalar(@old_vals) == 1 && scalar(@new_vals) == 1) {
+ if ($old_vals[0] ne $new_vals[0]) {
+ display_attr_generic("old:\t", $entry_old, $attr);
+ display_attr_generic("new:\t", $entry_new, $attr);
+ }
+ next;
+ }
+
+ # handle multivalued diffs
+ foreach my $val (@old_vals) { $old{$val} = "dummy"; };
+ foreach my $val (@new_vals) { $new{$val} = "dummy"; };
+ foreach my $val (sort keys %new) {
+ if (!exists $old{$val}) {
+ display_value_generic("add:\t", $attr, $val);
+ }
+ }
+ foreach my $val (sort keys %old) {
+ if (!exists $new{$val}) {
+ display_value_generic("del:\t", $attr, $val);
+ }
+ }
+ }
+ print "\n";
+
+}
+
+sub sid2string ($) {
+
+ # Fix from Michael James <michael@james.st>
+ my $binary_sid = shift;
+ my($sid_rev, $num_auths, $id1, $id2, @ids) = unpack("H2 H2 n N V*", $binary_sid);
+ my $sid_string = join("-", "S", hex($sid_rev), ($id1<<32)+$id2, @ids);
+ return $sid_string;
+
+}
+
+sub string_to_guid {
+ my $string = shift;
+ return undef unless $string =~ /([0-9,a-z]{8})-([0-9,a-z]{4})-([0-9,a-z]{4})-([0-9,a-z]{2})([0-9,a-z]{2})-([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})([0-9,a-z]{2})/i;
+
+ return pack("I", hex $1) .
+ pack("S", hex $2) .
+ pack("S", hex $3) .
+ pack("C", hex $4) .
+ pack("C", hex $5) .
+ pack("C", hex $6) .
+ pack("C", hex $7) .
+ pack("C", hex $8) .
+ pack("C", hex $9) .
+ pack("C", hex $10) .
+ pack("C", hex $11);
+
+# print "$1\n$2\n$3\n$4\n$5\n$6\n$7\n$8\n$9\n$10\n$11\n";
+}
+
+sub bindstring_to_guid {
+ my $str = shift;
+ return pack("H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2 H2",
+ substr($str,0,2),
+ substr($str,2,2),
+ substr($str,4,2),
+ substr($str,6,2),
+ substr($str,8,2),
+ substr($str,10,2),
+ substr($str,12,2),
+ substr($str,14,2),
+ substr($str,16,2),
+ substr($str,18,2),
+ substr($str,20,2),
+ substr($str,22,2),
+ substr($str,24,2),
+ substr($str,26,2),
+ substr($str,28,2),
+ substr($str,30,2));
+}
+
+sub guid_to_string {
+ my $guid = shift;
+ my $string = sprintf "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
+ unpack("I", $guid),
+ unpack("S", substr($guid, 4, 2)),
+ unpack("S", substr($guid, 6, 2)),
+ unpack("C", substr($guid, 8, 1)),
+ unpack("C", substr($guid, 9, 1)),
+ unpack("C", substr($guid, 10, 1)),
+ unpack("C", substr($guid, 11, 1)),
+ unpack("C", substr($guid, 12, 1)),
+ unpack("C", substr($guid, 13, 1)),
+ unpack("C", substr($guid, 14, 1)),
+ unpack("C", substr($guid, 15, 1));
+ return lc($string);
+}
+
+sub guid_to_bindstring {
+ my $guid = shift;
+ return unpack("H" . 2 * length($guid), $guid),
+}
+
+sub dump_wknguid {
+ print "Dumping Well known GUIDs:\n";
+ foreach my $wknguid (keys %wknguids) {
+
+ my $guid = bindstring_to_guid($wknguids{$wknguid});
+ my $str = guid_to_string($guid);
+ my $back = guid_to_bindstring($guid);
+
+ printf "wkguid: %s\n", $wknguid;
+ printf "bind_string format: %s\n", $wknguids{$wknguid};
+ printf "string format: %s\n", guid_to_string($guid);
+ printf "back to bind_string:%s\n", guid_to_bindstring($guid);
+
+ printf "use base: \"<WKGUID=%s,%s>\"\n", guid_to_bindstring($guid), $base;
+ }
+}
+
+sub gen_bitmask_string_format($%) {
+ my $mod = shift;
+ my (%tmp) = @_;
+ my @list;
+ foreach my $key (sort keys %tmp) {
+ push(@list, sprintf("%s %s", $tmp{$key}, $key));
+ }
+ return join("\n$mod$tabsize",@list);
+}
+
+
+sub nt_to_unixtime ($) {
+ # the number of 100 nanosecond intervals since jan. 1. 1601 (utc)
+ my $t64 = shift;
+ $t64 =~ s/(.+).{7,7}/$1/;
+ $t64 -= 11644473600;
+ return $t64;
+}
+
+sub dump_equal {
+ my $val = shift;
+ my $mod = shift || die "no mod";
+ my (%header) = @_;
+ my %tmp;
+ my $found = 0;
+ foreach my $key (keys %header) {
+ if ($header{$key} eq $val) {
+ $tmp{"($val)"} = $key;
+ $found = 1;
+ last;
+ }
+ }
+ if (!$found) { $tmp{$val} = ""; };
+ return gen_bitmask_string_format($mod,%tmp);
+}
+
+sub dump_bitmask {
+ my $op = shift || die "no op";
+ my $val = shift;
+ my $mod = shift || die "no mod";
+ my (%header) = @_;
+ my %tmp;
+ $tmp{""} = sprintf("%s (0x%08x)", $val, $val);
+ foreach my $key (sort keys %header) { # sort by val !
+ my $val_hex = sprintf("0x%08x", $header{$key});
+ if ($op eq "&") {
+ $tmp{"$key ($val_hex)"} = ( $val & $header{$key} ) ? $set:$unset;
+ } elsif ($op eq "==") {
+ $tmp{"$key ($val_hex)"} = ( $val == $header{$key} ) ? $set:$unset;
+ } else {
+ print "unknown operator: $op\n";
+ return;
+ }
+ }
+ return gen_bitmask_string_format($mod,%tmp);
+}
+
+sub dump_bitmask_and {
+ return dump_bitmask("&",@_);
+}
+
+sub dump_bitmask_equal {
+ return dump_bitmask("==",@_);
+}
+
+sub dump_uac {
+ return dump_bitmask_and(@_,%ads_uf); # ads_uf ?
+}
+
+sub dump_uascompat {
+ return dump_bitmask_equal(@_,%ads_uascompat);
+}
+
+sub dump_gpoptions {
+ return dump_bitmask_equal(@_,%ads_gpoptions);
+}
+
+sub dump_gpflags {
+ return dump_bitmask_equal(@_,%ads_gpflags);
+}
+
+sub dump_uacc {
+ return dump_bitmask_equal(@_,%ads_uacc);
+}
+
+sub dump_enctypes {
+ return dump_bitmask_and(@_,%ads_enctypes);
+}
+
+sub dump_uf {
+ return dump_bitmask_and(@_,%ads_uf);
+}
+
+sub dump_gtype {
+ my $ret = dump_bitmask_and(@_,%ads_grouptype);
+ $ret .= "\n$tabsize\t";
+ $ret .= dump_bitmask_equal(@_,%ads_gtype);
+ return $ret;
+}
+
+sub dump_atype {
+ return dump_bitmask_equal(@_,%ads_atype);
+}
+
+sub dump_controls {
+ return dump_equal(@_,%ads_controls);
+}
+
+sub dump_capabilities {
+ return dump_equal(@_,%ads_capabilities);
+}
+
+sub dump_extension {
+ return dump_equal(@_,%ads_extensions);
+}
+
+sub dump_systemflags {
+ return dump_bitmask_and(@_,%ads_systemflags);
+}
+
+sub dump_instance_type {
+ return dump_bitmask_and(@_,%ads_instance_type);
+}
+
+sub dump_ds_func {
+ return dump_bitmask_equal(@_,%ads_ds_func);
+}
+
+sub dump_serverstate {
+ return dump_bitmask_equal(@_,%ads_serverstate);
+}
+
+sub dump_sdeffective {
+ return dump_bitmask_and(@_,%ads_sdeffective);
+}
+
+sub dump_trustattr {
+ return dump_bitmask_and(@_,%ads_trustattrs);
+}
+
+sub dump_trusttype {
+ return dump_bitmask_equal(@_,%ads_trusttype);
+}
+
+sub dump_trustdirection {
+ return dump_bitmask_equal(@_,%ads_trustdirection);
+}
+
+sub dump_pwdproperties {
+ return dump_bitmask_and(@_,%ads_pwdproperties);
+}
+
+sub dump_frstype {
+ return dump_bitmask_equal(@_,%ads_frstypes)
+}
+
+sub dump_mixed_domain {
+ return dump_bitmask_equal(@_,%ads_mixed_domain);
+}
+
+sub dump_sid {
+ my $bin_sid = shift;
+ return sid2string($bin_sid);
+}
+
+sub dump_guid {
+ my $guid = shift;
+ return guid_to_string($guid);
+}
+
+sub dump_secdesc {
+ my $val = shift;
+ return "FIXME: write sddl-converter!";
+}
+
+sub dump_nttime {
+ my $nttime = shift;
+ if ($nttime == 0) {
+ return sprintf("%s (%s)", "never", $nttime);
+ }
+ my $localtime = localtime(nt_to_unixtime($nttime));
+ return sprintf("%s (%s)", $localtime, $nttime);
+}
+
+sub dump_nttime_abs {
+ if ($_[0] == 9223372036854775807) {
+ return sprintf("%s (%s)", "now", $_[0]);
+ }
+ if ($_[0] == -9223372036854775808 || $_[0] == 0) { # 0x7FFFFFFFFFFFFFFF
+ return sprintf("%s (%s)", "never", $_[0]);
+ }
+ # FIXME: actually *do* abs time !
+ return dump_nttime($_[0]);
+}
+
+sub dump_timestr {
+ my $time = shift;
+ if ($time eq "16010101000010.0Z") {
+ return sprintf("%s (%s)", "never", $time);
+ }
+ my ($year,$mon,$mday,$hour,$min,$sec,$zone) =
+ unpack('a4 a2 a2 a2 a2 a2 a4', $time);
+ $mon -= 1;
+ my $localtime = localtime(timegm($sec,$min,$hour,$mday,$mon,$year));
+ return sprintf("%s (%s)", $localtime, $time);
+}
+
+sub dump_string {
+ return $_[0];
+}
+
+sub dump_int {
+ return sprintf("%d", $_[0]);
+}
+
+sub dump_munged_dial {
+ my $dial = shift;
+ return "FIXME! decode this";
+}
+
+sub dump_cert {
+
+ my $cert = shift;
+ open(OPENSSL, "| /usr/bin/openssl x509 -text -inform der");
+ print OPENSSL $cert;
+ close(OPENSSL);
+ return "";
+}
+
+sub dump_pkt {
+ my $pkt = shift;
+ return "not yet";
+ printf("%s: ", $pkt);
+ printf("%02X", $pkt);
+
+}
+
+sub dump_gplink {
+
+ my $gplink = shift;
+ my $gplink_mod = $gplink;
+ my @links = split("\\]\\[", $gplink_mod);
+ foreach my $link (@links) {
+ $link =~ s/^\[|\]$//g;
+ my ($ldap_link, $opt) = split(";", $link);
+ my @array = ( "$opt", "\t" );
+ printf("%slink: %s, opt: %s\n", $tabsize, $ldap_link, dump_bitmask_and(@array, %ads_gplink_opts));
+ }
+ return $gplink;
+}
+
+sub construct_filter {
+
+ my $tmp = shift;
+
+ if (!$tmp || $opt_notify) {
+ return "(objectclass=*)";
+ }
+
+ if ($tmp && $tmp !~ /^.*\=/) {
+ return "(ANR=$tmp)";
+ }
+
+ return $tmp;
+ # (&(objectCategory=person)
+ # (userAccountControl:$ads_matching_rules{LDAP_MATCHING_RULE_BIT_AND}:=2))
+}
+
+sub construct_attrs {
+
+ my @attrs = @_;
+
+ if (!@attrs) {
+ push(@attrs,"*");
+ }
+
+ if ($opt_notify) {
+ push(@attrs,"uSNChanged");
+ }
+
+ if ($opt_display_metadata) {
+ push(@attrs,"msDS-ReplAttributeMetaData");
+ push(@attrs,"replPropertyMetaData");
+ }
+
+ if ($opt_verbose) {
+ push(@attrs,"nTSecurityDescriptor");
+ push(@attrs,"msDS-KeyVersionNumber");
+ push(@attrs,"msDS-User-Account-Control-Computed");
+ push(@attrs,"modifyTimeStamp");
+ }
+
+ return sort @attrs;
+}
+
+sub print_header {
+
+ print "\n";
+ printf "%10s: %s\n", "uri", $uri;
+ printf "%10s: %s\n", "port", $port;
+ printf "%10s: %s\n", "base", $base;
+ printf "%10s: %s\n", $sasl_bind ? "principal" : "binddn", $sasl_bind ? $upn : $binddn;
+ printf "%10s: %s\n", "password", $password;
+ printf "%10s: %s\n", "bind-type", $sasl_bind ? "SASL" : "simple";
+ printf "%10s: %s\n", "sasl-mech", $sasl_mech if ($sasl_mech);
+ printf "%10s: %s\n", "filter", $filter;
+ printf "%10s: %s\n", "scope", $scope;
+ printf "%10s: %s\n", "attrs", join(", ", @attrs);
+ printf "%10s: %s\n", "controls", join(", ", @ctrls_s);
+ printf "%10s: %s\n", "page_size", $opt_paging if ($opt_paging);
+ printf "%10s: %s\n", "start_tls", $opt_starttls ? "yes" : "no";
+ printf "\n";
+}
+
+sub gen_controls {
+
+ # setup attribute-scoped query control
+ my $asq_asn = Convert::ASN1->new;
+ $asq_asn->prepare(
+ q< asq ::= SEQUENCE {
+ sourceAttribute OCTET_STRING
+ }
+ >
+ );
+ my $ctl_asq_val = $asq_asn->encode( sourceAttribute => $opt_asq);
+ my $ctl_asq = Net::LDAP::Control->new(
+ type => $ads_controls{'LDAP_SERVER_ASQ_OID'},
+ critical => 'true',
+ value => $ctl_asq_val);
+
+
+ # setup extended dn control
+ my $asn_extended_dn = Convert::ASN1->new;
+ $asn_extended_dn->prepare(
+ q< ExtendedDn ::= SEQUENCE {
+ mode INTEGER
+ }
+ >
+ );
+
+ # only w2k3 accepts '1' and needs the ctl_val, w2k does not accept a ctl_val
+ my $ctl_extended_dn_val = $asn_extended_dn->encode( mode => $opt_display_extendeddn);
+ my $ctl_extended_dn = Net::LDAP::Control->new(
+ type => $ads_controls{'LDAP_SERVER_EXTENDED_DN_OID'},
+ critical => 'true',
+ value => $opt_display_extendeddn ? $ctl_extended_dn_val : "");
+
+ # setup search options
+ my $search_opt = Convert::ASN1->new;
+ $search_opt->prepare(
+ q< searchopt ::= SEQUENCE {
+ flags INTEGER
+ }
+ >
+ );
+
+ my $tmp = $search_opt->encode( flags => $opt_search_opt);
+ my $ctl_search_opt = Net::LDAP::Control->new(
+ type => $ads_controls{'LDAP_SERVER_SEARCH_OPTIONS_OID'},
+ critical => 'true',
+ value => $tmp);
+
+ # setup notify control
+ my $ctl_notification = Net::LDAP::Control->new(
+ type => $ads_controls{'LDAP_SERVER_NOTIFICATION_OID'},
+ critical => 'true');
+
+
+ # setup paging control
+ $ctl_paged = Net::LDAP::Control->new(
+ type => $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'},
+ critical => 'true',
+ size => $opt_paging ? $opt_paging : 1000);
+
+ # setup domscope control
+ my $ctl_domscope = Net::LDAP::Control->new(
+ type => $ads_controls{'LDAP_SERVER_DOMAIN_SCOPE_OID'},
+ critical => 'true',
+ value => "");
+
+ if (defined($opt_paging) || $opt_dump_schema) {
+ push(@ctrls, $ctl_paged);
+ push(@ctrls_s, "LDAP_PAGED_RESULT_OID_STRING" );
+ }
+
+ if (defined($opt_display_extendeddn)) {
+ push(@ctrls, $ctl_extended_dn);
+ push(@ctrls_s, "LDAP_SERVER_EXTENDED_DN_OID");
+ }
+ if ($opt_notify) {
+ push(@ctrls, $ctl_notification);
+ push(@ctrls_s, "LDAP_SERVER_NOTIFICATION_OID");
+ }
+
+ if ($opt_asq) {
+ push(@ctrls, $ctl_asq);
+ push(@ctrls_s, "LDAP_SERVER_ASQ_OID");
+ }
+
+ if ($opt_domain_scope) {
+ push(@ctrls, $ctl_domscope);
+ push(@ctrls_s, "LDAP_SERVER_DOMAIN_SCOPE_OID");
+ }
+
+ if ($opt_search_opt) {
+ push(@ctrls, $ctl_search_opt);
+ push(@ctrls_s, "LDAP_SERVER_SEARCH_OPTIONS_OID");
+ }
+
+ return @ctrls;
+}
+
+sub display_value_generic ($$$) {
+
+ my ($mod,$attr,$value) = @_;
+ return unless (defined($value) and defined($attr));
+
+ if ( ! $opt_display_raw && exists $attr_handler{$attr} ) {
+ $value = $attr_handler{$attr}($value,$mod);
+ write_ads_list($mod,$attr,$value);
+ return;
+ }
+ write_ads($mod,$attr,$value);
+}
+
+sub display_attr_generic ($$$) {
+
+ my ($mod,$entry,$attr) = @_;
+ return if (!$attr || !$entry);
+
+ my $ref = $entry->get_value($attr, asref => 1);
+ my @values = @$ref;
+
+ foreach my $value ( sort @values) {
+ display_value_generic($mod,$attr,$value);
+ }
+}
+
+sub display_entry_generic ($) {
+
+ my $entry = shift;
+ return if (!$entry);
+
+ foreach my $attr ( sort $entry->attributes) {
+ display_attr_generic("\t",$entry,$attr);
+ }
+}
+
+sub display_ldap_err ($) {
+
+ my $msg = shift;
+ print_header();
+ my ($package, $filename, $line, $subroutine) = caller(0);
+
+ print "got error from ADS:\n";
+ printf("%s(%d): ERROR (%s): %s\n",
+ $subroutine, $line, $msg->code, $msg->error);
+
+}
+
+sub process_result {
+
+ my ($msg,$entry) = @_;
+
+ if (!defined($msg)) {
+ return;
+ }
+
+ if ($msg->code) {
+ display_ldap_err($msg);
+ exit 1;
+ }
+
+ if (!defined($entry)) {
+ return;
+ }
+
+ if ($entry->isa('Net::LDAP::Reference')) {
+ foreach my $ref ($entry->references) {
+ print "\ngot Reference: [$ref]\n";
+ }
+ return;
+ }
+
+ print "\nfound entry: ".$entry->dn."\n".("-" x 80)."\n";
+
+ display_entry_generic($entry);
+}
+
+sub default_callback {
+
+ my ($res,$obj) = @_;
+
+ if (!$opt_notify && $res->code == LDAP_REFERRAL) {
+ return;
+ }
+
+ if (!$opt_notify) {
+ return process_result($res,$obj);
+ }
+}
+
+sub error_callback {
+
+ my ($msg,$entry) = @_;
+
+ if (!$msg) {
+ return;
+ }
+
+ if ($msg->code) {
+ display_ldap_err($msg);
+ exit(1);
+ }
+ return;
+}
+
+sub notify_callback {
+
+ my ($msg, $obj) = @_;
+
+ if (! defined($obj)) {
+ return;
+ }
+
+ if ($obj->isa('Net::LDAP::Reference')) {
+ foreach my $ref ($obj->references) {
+ print "\ngot Reference: [$ref]\n";
+ }
+ return;
+ }
+
+ while (1) {
+
+ my $async_entry = $async_search->pop_entry;
+
+ if (!$async_entry->dn) {
+ print "very weird. entry has no dn\n";
+ next;
+ }
+
+ printf("\ngot changenotify for dn: [%s]\n%s\n", $async_entry->dn, ("-" x 80));
+
+ my $new_usn = $async_entry->get_value('uSNChanged');
+ if (!$new_usn) {
+ die "odd, no usnChanged attribute???";
+ }
+ if (!$usn || $new_usn > $usn) {
+ $usn = $new_usn;
+ if ($opt_notify_nodiffs) {
+ display_entry_generic($async_entry);
+ } else {
+ display_result_diff($async_entry);
+ }
+ }
+ store_result($async_entry);
+ }
+}
+
+sub do_bind($$) {
+
+ my $async_ldap_hd = shift || return undef;
+ my $sasl_bind = shift;
+
+ if ($sasl_bind) {
+ if (!$works_sasl) {
+ print "this version of Net::LDAP does not have proper SASL support.\n";
+ print "Need at least perl-ldap V. $pref_version\n";
+ }
+ $sasl_hd = get_sasl_hd();
+ if (!$sasl_hd) {
+ print "failed to create SASL handle\n";
+ return -1;
+ }
+ $mesg = $async_ldap_hd->bind(
+ sasl => $sasl_hd,
+ callback => \&error_callback
+ ) || die "doesn't work";
+ } else {
+ $sasl_mech = "";
+ $mesg = $async_ldap_hd->bind(
+ $binddn,
+ password => $password,
+ callback => $opt_fastbind ? undef : \&error_callback
+ ) || die "doesn't work";
+ };
+ if ($mesg->code) {
+ display_ldap_err($mesg) if (!$opt_fastbind);
+ return -1;
+ }
+ return 0;
+}
+
+sub do_fast_bind() {
+
+ do_unbind();
+
+ my $hd = get_ldap_hd($server,1);
+
+ my $mesg = $hd->extension(
+ name => $ads_extensions{'LDAP_SERVER_FAST_BIND_OID'});
+
+ if ($mesg->code) {
+ display_ldap_err($mesg);
+ return -1;
+ }
+
+ my $ret = do_bind($hd, undef);
+ $hd->unbind;
+
+ printf("bind using 'LDAP_SERVER_FAST_BIND_OID' %s\n",
+ $ret == 0 ? "succeeded" : "failed");
+
+ return $ret;
+}
+
+sub do_unbind() {
+ if ($async_ldap_hd) {
+ $async_ldap_hd->unbind;
+ }
+ if ($sync_ldap_hd) {
+ $sync_ldap_hd->unbind;
+ }
+}
+
+###############################################################################
+
+sub main () {
+
+ if ($opt_fastbind) {
+
+ if (check_exts($server,$dse,"LDAP_SERVER_FAST_BIND_OID") == -1) {
+ print "LDAP_SERVER_FAST_BIND_OID not supported by this server\n";
+ exit 1;
+ }
+
+ # fast bind can only bind, not search
+ exit do_fast_bind();
+ }
+
+ $filter = construct_filter($query);
+ @attrs = construct_attrs(@attrs);
+ @ctrls = gen_controls();
+
+ if (check_ctrls($server,$dse,@ctrls) == -1) {
+ print "not all required LDAP Controls are supported by this server\n";
+ exit 1;
+ }
+
+ if ($opt_dump_rootdse) {
+ print "Dumping Root-DSE:\n";
+ display_entry_generic($dse);
+ exit 0;
+ }
+
+ if ($opt_dump_wknguid) {
+ dump_wknguid();
+ exit 0;
+ }
+
+ if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
+ exit 1;
+ }
+
+ print_header();
+
+ if ($opt_dump_schema) {
+ print "Dumping Schema:\n";
+# my $ads_schema = $async_ldap_hd->schema;
+# $ads_schema->dump;
+# exit 0;
+ }
+
+ while (1) {
+
+ $async_search = $async_ldap_hd->search(
+ base => $base,
+ filter => $filter,
+ attrs => [ @attrs ],
+ control => [ @ctrls ],
+ callback => \&default_callback,
+ scope => $scope,
+ ) || die "cannot search";
+
+ if (!$opt_notify && ($async_search->code == LDAP_REFERRAL)) {
+ foreach my $ref ($async_search->referrals) {
+ print "\ngot Referral: [$ref]\n";
+ my ($prot, $host, $base) = split(/\/+/, $ref);
+ $async_ldap_hd->unbind();
+ $async_ldap_hd = get_ldap_hd($host, 1);
+ if (do_bind($async_ldap_hd, $sasl_bind) == -1) {
+ $async_ldap_hd->unbind();
+ next;
+ }
+ print "\nsuccessful rebind to: [$ref]\n";
+ last;
+ }
+ next; # repeat the query
+ }
+
+ if ($opt_notify) {
+
+ print "Base [$base] is registered now for change-notify\n";
+ print "\nWaiting for change-notify...\n";
+
+ my $sync_ldap_hd = get_ldap_hd($server,0);
+ if (do_bind($sync_ldap_hd, $sasl_bind) == -1) {
+ exit 2;
+ }
+
+ my $sync_search = $sync_ldap_hd->search(
+ base => $base,
+ filter => $filter,
+ attrs => [ @attrs ],
+ callback => \&notify_callback,
+ scope => $scope,
+ ) || die "cannot search";
+
+ }
+
+ $total_entry_count += $async_search->count;
+ ++$page_count;
+ print "-" x 80 . "\n";
+ printf("Got %d Entries in Page %d \n\n",
+ $async_search->count, $page_count);
+ my ($resp) = $async_search->control(
+ $ads_controls{'LDAP_PAGED_RESULT_OID_STRING'} ) or last;
+ last unless ref $resp && $ctl_paged->cookie($resp->cookie);
+ }
+
+ if ($async_search->entries == 0) {
+ print "No entries found with filter $filter\n";
+ } else {
+ print "Got $total_entry_count Entries in $page_count Pages\n" if ($opt_paging);
+ }
+
+ do_unbind()
+}
+
+main();
+
+exit 0;