summaryrefslogtreecommitdiffstats
path: root/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
diff options
context:
space:
mode:
Diffstat (limited to 'ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c')
-rw-r--r--ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c539
1 files changed, 537 insertions, 2 deletions
diff --git a/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
index c69a68329..f18a939c9 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
@@ -61,6 +61,25 @@
static char *ipa_winsync_plugin_name = IPA_WINSYNC_PLUGIN_NAME;
+static void
+sync_acct_disable(
+ void *cbdata, /* the usual domain config data */
+ const Slapi_Entry *ad_entry, /* the AD entry */
+ Slapi_Entry *ds_entry, /* the DS entry */
+ int direction, /* the direction - TO_AD or TO_DS */
+ Slapi_Entry *update_entry, /* the entry to update for ADDs */
+ Slapi_Mods *smods, /* the mod list for MODIFYs */
+ int *do_modify /* set to true if mods were applied */
+);
+
+static void
+do_force_sync(
+ const Slapi_Entry *ad_entry, /* the AD entry */
+ Slapi_Entry *ds_entry, /* the DS entry */
+ Slapi_Mods *smods, /* the mod list */
+ int *do_modify /* set to true if mods were applied */
+);
+
/* This is called when a new agreement is created or loaded
at startup.
*/
@@ -121,6 +140,11 @@ ipa_winsync_pre_ds_search_entry_cb(void *cbdata, const char *agmt_dn,
"--> ipa_winsync_pre_ds_search_cb -- begin\n");
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "-- ipa_winsync_pre_ds_search_cb - base [%s] "
+ "scope [%d] filter [%s]\n",
+ *base, *scope, *filter);
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"<-- ipa_winsync_pre_ds_search_cb -- end\n");
return;
@@ -157,6 +181,9 @@ ipa_winsync_pre_ad_mod_user_cb(void *cbdata, const Slapi_Entry *rawentry,
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"--> ipa_winsync_pre_ad_mod_user_cb -- begin\n");
+ sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_AD,
+ NULL, smods, do_modify);
+
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"<-- ipa_winsync_pre_ad_mod_user_cb -- end\n");
@@ -185,6 +212,11 @@ ipa_winsync_pre_ds_mod_user_cb(void *cbdata, const Slapi_Entry *rawentry,
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"--> ipa_winsync_pre_ds_mod_user_cb -- begin\n");
+ sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_DS,
+ NULL, smods, do_modify);
+
+ do_force_sync(rawentry, ds_entry, smods, do_modify);
+
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"<-- ipa_winsync_pre_ds_mod_user_cb -- end\n");
@@ -376,6 +408,8 @@ ipa_winsync_pre_ds_add_user_cb(void *cbdata, const Slapi_Entry *rawentry,
}
}
+ sync_acct_disable(cbdata, rawentry, ds_entry, ACCT_DISABLE_TO_DS,
+ ds_entry, NULL, NULL);
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"<-- ipa_winsync_pre_ds_add_user_cb -- end\n");
@@ -449,12 +483,25 @@ ipa_winsync_get_new_ds_group_dn_cb(void *cbdata, const Slapi_Entry *rawentry,
static void
ipa_winsync_pre_ad_mod_user_mods_cb(void *cbdata, const Slapi_Entry *rawentry,
- const Slapi_DN *local_dn, LDAPMod * const *origmods,
+ const Slapi_DN *local_dn,
+ const Slapi_Entry *ds_entry,
+ LDAPMod * const *origmods,
Slapi_DN *remote_dn, LDAPMod ***modstosend)
{
+ Slapi_Mods *smods;
+
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"--> ipa_winsync_pre_ad_mod_user_mods_cb -- begin\n");
+ /* wrap the modstosend in a Slapi_Mods for convenience */
+ smods = slapi_mods_new();
+ slapi_mods_init_byref(smods, *modstosend);
+ sync_acct_disable(cbdata, rawentry, (Slapi_Entry *)ds_entry,
+ ACCT_DISABLE_TO_AD, NULL, smods, NULL);
+
+ /* convert back to LDAPMod ** and clean up */
+ *modstosend = slapi_mods_get_ldapmods_passout(smods);
+ slapi_mods_free(&smods);
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
"<-- ipa_winsync_pre_ad_mod_user_mods_cb -- end\n");
@@ -463,7 +510,9 @@ ipa_winsync_pre_ad_mod_user_mods_cb(void *cbdata, const Slapi_Entry *rawentry,
static void
ipa_winsync_pre_ad_mod_group_mods_cb(void *cbdata, const Slapi_Entry *rawentry,
- const Slapi_DN *local_dn, LDAPMod * const *origmods,
+ const Slapi_DN *local_dn,
+ const Slapi_Entry *ds_entry,
+ LDAPMod * const *origmods,
Slapi_DN *remote_dn, LDAPMod ***modstosend)
{
slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
@@ -663,3 +712,489 @@ int ipa_winsync_plugin_init(Slapi_PBlock *pb)
"<-- ipa_winsync_plugin_init -- end\n");
return 0;
}
+
+/*
+ * Check if the given entry has account lock on (i.e. entry is disabled)
+ * Mostly copied from check_account_lock in the server code.
+ * Returns: 0 - account is disabled (lock == "true")
+ * 1 - account is enabled (lock == "false" or empty)
+ * -1 - some sort of error
+ */
+static int
+ipa_check_account_lock(Slapi_Entry *ds_entry, int *isvirt)
+{
+ int rc = 1;
+ Slapi_ValueSet *values = NULL;
+ int type_name_disposition = 0;
+ char *actual_type_name = NULL;
+ int attr_free_flags = 0;
+ char *strval;
+
+ /* first, see if the attribute is a "real" attribute */
+ strval = slapi_entry_attr_get_charptr(ds_entry, "nsAccountLock");
+ if (strval) { /* value is real */
+ *isvirt = 0; /* value is real */
+ rc = 1; /* default to enabled */
+ if (PL_strncasecmp(strval, "true", 4) == 0) {
+ rc = 0; /* account is disabled */
+ }
+ slapi_ch_free_string(&strval);
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- ipa_check_account_lock - entry [%s] has real "
+ "attribute nsAccountLock and entry %s locked\n",
+ slapi_entry_get_dn_const(ds_entry),
+ rc ? "is not" : "is");
+ return rc;
+ }
+
+ rc = slapi_vattr_values_get(ds_entry, "nsAccountLock",
+ &values,
+ &type_name_disposition, &actual_type_name,
+ SLAPI_VIRTUALATTRS_REQUEST_POINTERS,
+ &attr_free_flags);
+ if (rc == 0) {
+ Slapi_Value *v = NULL;
+ const struct berval *bvp = NULL;
+
+ rc = 1; /* default is enabled */
+ *isvirt = 1; /* value is virtual */
+ if ((slapi_valueset_first_value(values, &v) != -1) &&
+ (bvp = slapi_value_get_berval(v)) != NULL) {
+ if ( (bvp != NULL) && (PL_strncasecmp(bvp->bv_val, "true", 4) == 0) ) {
+ slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
+ rc = 0; /* account is disabled */
+ }
+ }
+
+ if (values != NULL) {
+ slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
+ }
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- ipa_check_account_lock - entry [%s] has virtual "
+ "attribute nsAccountLock and entry %s locked\n",
+ slapi_entry_get_dn_const(ds_entry),
+ rc ? "is not" : "is");
+ } else {
+ rc = 1; /* no attr == entry is enabled */
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- ipa_check_account_lock - entry [%s] does not "
+ "have attribute nsAccountLock - entry %s locked\n",
+ slapi_entry_get_dn_const(ds_entry),
+ rc ? "is not" : "is");
+ }
+
+ return rc;
+}
+
+static int
+do_group_modify(const char *dn, const char *modtype, int modop, const char *modval)
+{
+ int rc = 0;
+ LDAPMod mod;
+ LDAPMod *mods[2];
+ const char *val[2];
+ Slapi_PBlock *mod_pb = NULL;
+
+ mod_pb = slapi_pblock_new();
+
+ mods[0] = &mod;
+ mods[1] = NULL;
+
+ val[0] = modval;
+ val[1] = NULL;
+
+ mod.mod_op = modop;
+ mod.mod_type = (char *)modtype;
+ mod.mod_values = (char **)val;
+
+ slapi_modify_internal_set_pb(
+ mod_pb, dn, mods, 0, 0,
+ ipa_winsync_get_plugin_identity(), 0);
+
+ slapi_modify_internal_pb(mod_pb);
+
+ slapi_pblock_get(mod_pb,
+ SLAPI_PLUGIN_INTOP_RESULT,
+ &rc);
+
+ slapi_pblock_destroy(mod_pb);
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- do_group_modify - %s value [%s] in attribute [%s] "
+ "in entry [%s] - result (%d: %s)\n",
+ (modop & LDAP_MOD_ADD) ? "added" : "deleted",
+ modval, modtype, dn,
+ rc, ldap_err2string(rc));
+
+ return rc;
+}
+
+/*
+ * This can be used either in the to ad direction or the to ds direction, since in both
+ * cases we have to read both entries and compare the values.
+ * ad_entry - entry from AD
+ * ds_entry - entry from DS
+ * direction - either ACCT_DISABLE_TO_AD or ACCT_DISABLE_TO_DS
+ *
+ * If smods is given, this is the list of mods to send in the given direction. The
+ * appropriate modify operation will be added to this list or changed to the correct
+ * value if it already exists.
+ * Otherwise, if a destination entry is given, the value will be written into
+ * that entry.
+ */
+static void
+sync_acct_disable(
+ void *cbdata, /* the usual domain config data */
+ const Slapi_Entry *ad_entry, /* the AD entry */
+ Slapi_Entry *ds_entry, /* the DS entry */
+ int direction, /* the direction - TO_AD or TO_DS */
+ Slapi_Entry *update_entry, /* the entry to update for ADDs */
+ Slapi_Mods *smods, /* the mod list for MODIFYs */
+ int *do_modify /* if not NULL, set this to true if mods were added */
+)
+{
+ IPA_WinSync_Domain_Config *ipaconfig = (IPA_WinSync_Domain_Config *)cbdata;
+ IPA_WinSync_Config *global_ipaconfig = ipa_winsync_get_config();
+ int acct_disable;
+ int ds_is_enabled = 1; /* default to true */
+ int ad_is_enabled = 1; /* default to true */
+ unsigned long adval = 0; /* raw account val from ad entry */
+ int isvirt = 1; /* default to virt */
+
+ slapi_lock_mutex(global_ipaconfig->lock);
+ acct_disable = global_ipaconfig->acct_disable;
+ slapi_unlock_mutex(global_ipaconfig->lock);
+
+ if (acct_disable == ACCT_DISABLE_NONE) {
+ return; /* not supported */
+ }
+
+ /* get the account lock state of the ds entry */
+ if (0 == ipa_check_account_lock(ds_entry, &isvirt)) {
+ ds_is_enabled = 0;
+ }
+
+ /* get the account lock state of the ad entry */
+ adval = slapi_entry_attr_get_ulong(ad_entry, "UserAccountControl");
+ if (adval & 0x2) {
+ /* account is disabled */
+ ad_is_enabled = 0;
+ }
+
+ if (ad_is_enabled == ds_is_enabled) { /* both have same value - nothing to do */
+ return;
+ }
+
+ /* have to enable or disable */
+ if (direction == ACCT_DISABLE_TO_AD) {
+ unsigned long mask;
+ /* set the mod or entry */
+ if (update_entry) {
+ if (ds_is_enabled) {
+ mask = ~0x2;
+ adval &= mask; /* unset the 0x2 disable bit */
+ } else {
+ mask = 0x2;
+ adval |= mask; /* set the 0x2 disable bit */
+ }
+ slapi_entry_attr_set_ulong(update_entry, "userAccountControl", adval);
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- sync_acct_disable - %s AD account [%s] - "
+ "new value is [%ld]\n",
+ (ds_is_enabled) ? "enabled" : "disabled",
+ slapi_entry_get_dn_const(update_entry),
+ adval);
+ } else {
+ /* iterate through the mods - if there is already a mod
+ for userAccountControl, change it - otherwise, add it */
+ char acctvalstr[32];
+ LDAPMod *mod = NULL;
+ struct berval *mod_bval = NULL;
+ for (mod = slapi_mods_get_first_mod(smods); mod;
+ mod = slapi_mods_get_next_mod(smods)) {
+ if (!PL_strcasecmp(mod->mod_type, "userAccountControl") &&
+ mod->mod_bvalues && mod->mod_bvalues[0]) {
+ mod_bval = mod->mod_bvalues[0];
+ /* mod_bval points directly to value inside mod list */
+ break;
+ }
+ }
+ if (!mod_bval) { /* not found - add it */
+ struct berval tmpbval = {0, NULL};
+ Slapi_Mod *smod = slapi_mod_new();
+ slapi_mod_init(smod, 1); /* one element */
+ slapi_mod_set_type(smod, "userAccountControl");
+ slapi_mod_set_operation(smod, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES);
+ slapi_mod_add_value(smod, &tmpbval);
+ /* add_value makes a copy of the bval - so let's get a pointer
+ to that new value - we will change the bval in place */
+ mod_bval = slapi_mod_get_first_value(smod);
+ /* mod_bval points directly to value inside mod list */
+ /* now add the new mod to smods */
+ slapi_mods_add_ldapmod(smods,
+ slapi_mod_get_ldapmod_passout(smod));
+ /* smods now owns the ldapmod */
+ slapi_mod_free(&smod);
+ if (do_modify) {
+ *do_modify = 1; /* added mods */
+ }
+ }
+ if (mod_bval) {
+ /* this is where we set or update the actual value
+ mod_bval points directly into the mod list we are
+ sending */
+ if (mod_bval->bv_val && (mod_bval->bv_len > 0)) {
+ /* get the old val */
+ adval = strtol(mod_bval->bv_val, NULL, 10);
+ }
+ if (ds_is_enabled) {
+ mask = ~0x2;
+ adval &= mask; /* unset the 0x2 disable bit */
+ } else {
+ mask = 0x2;
+ adval |= mask; /* set the 0x2 disable bit */
+ }
+ PR_snprintf(acctvalstr, sizeof(acctvalstr), "%lu", adval);
+ slapi_ch_free_string(&mod_bval->bv_val);
+ mod_bval->bv_val = slapi_ch_strdup(acctvalstr);
+ mod_bval->bv_len = strlen(acctvalstr);
+ }
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- sync_acct_disable - %s AD account [%s] - "
+ "new value is [%ld]\n",
+ (ds_is_enabled) ? "enabled" : "disabled",
+ slapi_entry_get_dn_const(ad_entry),
+ adval);
+ }
+ }
+
+ if (direction == ACCT_DISABLE_TO_DS) {
+ if (!isvirt) {
+ char *attrtype = NULL;
+ char *attrval = NULL;
+ attrtype = "nsAccountLock";
+ if (ad_is_enabled) {
+ attrval = NULL; /* will delete the value */
+ } else {
+ attrval = "true";
+ }
+
+ if (update_entry) {
+ slapi_entry_attr_set_charptr(update_entry, attrtype, attrval);
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- sync_acct_disable - %s DS account [%s]\n",
+ (ad_is_enabled) ? "enabled" : "disabled",
+ slapi_entry_get_dn_const(ds_entry));
+ } else { /* do mod */
+ struct berval tmpbval = {0, NULL};
+ Slapi_Mod *smod = slapi_mod_new();
+ slapi_mod_init(smod, 1); /* one element */
+ slapi_mod_set_type(smod, attrtype);
+ if (attrval == NULL) {
+ slapi_mod_set_operation(smod, LDAP_MOD_DELETE|LDAP_MOD_BVALUES);
+ } else {
+ slapi_mod_set_operation(smod, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES);
+ }
+ slapi_mod_add_value(smod, &tmpbval);
+ slapi_mods_add_ldapmod(smods,
+ slapi_mod_get_ldapmod_passout(smod));
+ slapi_mod_free(&smod);
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- sync_acct_disable - %s DS account [%s]\n",
+ (ad_is_enabled) ? "enabled" : "disabled",
+ slapi_entry_get_dn_const(ds_entry));
+ if (do_modify) {
+ *do_modify = 1; /* added mods */
+ }
+ }
+ } else { /* use the virtual attr scheme */
+ char *adddn, *deldn;
+ const char *dsdn;
+ int rc;
+ if (ad_is_enabled) {
+ /* add user to activated group, delete from inactivated group */
+ adddn = ipaconfig->activated_group_dn;
+ deldn = ipaconfig->inactivated_group_dn;
+ } else {
+ /* add user to inactivated group, delete from activated group */
+ adddn = ipaconfig->inactivated_group_dn;
+ deldn = ipaconfig->activated_group_dn;
+ }
+
+ dsdn = slapi_entry_get_dn_const(ds_entry);
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- sync_acct_disable - %s DS account [%s] - "
+ "deldn [%s] adddn [%s]\n",
+ (ad_is_enabled) ? "enabling" : "disabling",
+ slapi_entry_get_dn_const(ds_entry),
+ deldn, adddn);
+ /* first, delete the user from the deldn group - ignore (but log)
+ value not found errors - means the user wasn't there yet */
+ rc = do_group_modify(deldn, "member", LDAP_MOD_DELETE, dsdn);
+ if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
+ /* either the value of the attribute doesn't exist */
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "Could not delete user [%s] from the [%s] group: "
+ "either the user was not in the group already, "
+ "or the group had no members\n",
+ dsdn, deldn);
+ } else if (rc != LDAP_SUCCESS) {
+ slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name,
+ "Error deleting user [%s] from the [%s] group: "
+ "(%d - %s)\n", dsdn, deldn, rc,
+ ldap_err2string(rc));
+ }
+ /* next, add the user to the adddn group - ignore (but log)
+ if the user is already in that group */
+ rc = do_group_modify(adddn, "member", LDAP_MOD_ADD, dsdn);
+ if (rc == LDAP_TYPE_OR_VALUE_EXISTS) {
+ /* user already in that group */
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "Could not add user [%s] to the [%s] group: "
+ "user is already in that group\n",
+ dsdn, adddn);
+ } else if (rc != LDAP_SUCCESS) {
+ slapi_log_error(SLAPI_LOG_FATAL, ipa_winsync_plugin_name,
+ "Error adding user [%s] to the [%s] group: "
+ "(%d - %s)\n", dsdn, adddn, rc,
+ ldap_err2string(rc));
+ }
+#ifndef MEMBEROF_WORKS_FOR_INTERNAL_OPS
+ /* memberOf doesn't currently listen for internal operations
+ that change group membership - so we manually set the
+ memberOf attribute in the ds entry - this should not
+ conflict with memberOf */
+ {
+ Slapi_Value *sv = slapi_value_new();
+ slapi_value_init_string(sv, deldn);
+ if (slapi_entry_attr_has_syntax_value(ds_entry,
+ "memberOf", sv)) {
+ if (smods) {
+ slapi_mods_add_string(smods, LDAP_MOD_DELETE,
+ "memberOf", deldn);
+ if (do_modify) {
+ *do_modify = 1; /* added mods */
+ }
+ } else if (update_entry) {
+ slapi_entry_delete_string(update_entry,
+ "memberOf", deldn);
+ }
+ }
+ slapi_value_set_string(sv, adddn);
+ if (!slapi_entry_attr_has_syntax_value(ds_entry,
+ "memberOf", sv)) {
+ if (smods) {
+ slapi_mods_add_string(smods, LDAP_MOD_ADD,
+ "memberOf", adddn);
+ if (do_modify) {
+ *do_modify = 1; /* added mods */
+ }
+ } else if (update_entry) {
+ slapi_entry_add_string(update_entry,
+ "memberOf", adddn);
+ }
+ }
+ slapi_value_free(&sv);
+ }
+#endif /* MEMBEROF_WORKS_FOR_INTERNAL_OPS */
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- sync_acct_disable - %s DS account [%s]\n",
+ (ad_is_enabled) ? "enabled" : "disabled",
+ slapi_entry_get_dn_const(ds_entry));
+ }
+ }
+
+ return;
+}
+
+/* if entry does not have attribute type and val, and neither
+ does the smods, add them to the smods */
+static void
+find_and_add_mod(Slapi_Entry *ent, Slapi_Mods *smods, const char *type,
+ const char *val, size_t vallen, int *do_modify)
+{
+ int found = 1;
+ Slapi_Value *sv = slapi_value_new();
+ LDAPMod *mod = NULL;
+
+ slapi_value_init_string(sv, val);
+ if (!slapi_entry_attr_has_syntax_value(ent, type, sv)) {
+ /* entry doesn't have type val - see if there is already
+ a mod in the mods list that adds it replaces it */
+ found = 0; /* not found in entry - see if in mod list */
+ for (mod = slapi_mods_get_first_mod(smods);
+ !found && mod;
+ mod = slapi_mods_get_next_mod(smods)) {
+ int ii;
+ if (PL_strcasecmp(mod->mod_type, type)) {
+ continue; /* skip - not a mod of this type */
+ }
+ if (!(mod->mod_op & (LDAP_MOD_ADD|LDAP_MOD_REPLACE))) {
+ continue; /* skip - not an add or replace op */
+ }
+ /* now see if val is in the list of vals for this mod op */
+ for (ii = 0;
+ !found && mod->mod_bvalues && mod->mod_bvalues[ii];
+ ++ii) {
+ if (mod->mod_bvalues[ii]->bv_val) {
+ found = !PL_strncasecmp(mod->mod_bvalues[ii]->bv_val,
+ val, vallen);
+ }
+ }
+ }
+ }
+ if (!found) {
+ slapi_mods_add_string(smods, LDAP_MOD_ADD, type, val);
+ if (do_modify) {
+ *do_modify = 1; /* added a mod */
+ }
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "<-- find_and_add_mod - added value [%s] "
+ "to attribute [%s] in entry [%s]\n",
+ val, type, slapi_entry_get_dn_const(ent));
+ }
+ slapi_value_free(&sv);
+
+ return;
+}
+
+/*
+ * If force sync is true, any time an entry is being added or modified
+ * in DS, we must ensure the entry has the ntUser objectclass, and that
+ * it has the ntUserDomainID attribute, and the value of that attribute
+ * corresponds to the samAccountName in the AD entry.
+ * ad_entry - entry from AD
+ * ds_entry - entry from DS
+ *
+ * The appropriate modify operation will be added to the given smods
+ * if it doesn't already exist.
+ */
+static void
+do_force_sync(
+ const Slapi_Entry *ad_entry, /* the AD entry */
+ Slapi_Entry *ds_entry, /* the DS entry */
+ Slapi_Mods *smods, /* the mod list for MODIFYs */
+ int *do_modify /* if not NULL, set to true if mods were added */
+)
+{
+ IPA_WinSync_Config *global_ipaconfig = ipa_winsync_get_config();
+ PRBool forceSync;
+
+ slapi_lock_mutex(global_ipaconfig->lock);
+ forceSync = global_ipaconfig->forceSync;
+ slapi_unlock_mutex(global_ipaconfig->lock);
+
+ if (forceSync == PR_FALSE) {
+ return; /* not supported */
+ }
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, ipa_winsync_plugin_name,
+ "do_force_sync - forcing sync of AD entry [%s] "
+ "with DS entry [%s]\n",
+ slapi_entry_get_dn_const(ad_entry),
+ slapi_entry_get_dn_const(ds_entry));
+
+ find_and_add_mod(ds_entry, smods, "objectClass", "ntUser", (size_t)6, do_modify);
+
+ return;
+}
generated by cgit (git 2.34.1) at 2024-04-25 01:12:39 +0000