|
|
//---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1995
//
// File: cuar.cxx
//
// Contents: Account Restrictions Propset for the User object
//
// History: 11-1-95 krishnag Created.
//
// PROPERTY_RW(AccountDisabled, boolean, 1) I
// PROPERTY_RW(AccountExpirationDate, DATE, 2) I
// PROPERTY_RO(AccountCanExpire, boolean, 3) I
// PROPERTY_RO(PasswordCanExpire, boolean, 4) I
// PROPERTY_RW(GraceLoginsAllowed, long, 5) NI
// PROPERTY_RW(GraceLoginsRemaining, long, 6) NI
// PROPERTY_RW(IsAccountLocked, boolean, 7) I
// PROPERTY_RW(IsAdmin, boolean, 8) I
// PROPERTY_RW(LoginHours, VARIANT, 9) I
// PROPERTY_RW(LoginWorkstations, VARIANT, 10) I
// PROPERTY_RW(MaxLogins, long, 11) I
// PROPERTY_RW(MaxStorage, long, 12) I
// PROPERTY_RW(PasswordExpirationDate, DATE, 13) I
// PROPERTY_RW(PasswordRequired, boolean, 14) I
// PROPERTY_RW(RequireUniquePassword,boolean, 15) I
//
//
//----------------------------------------------------------------------------
#include "ldap.hxx"
#pragma hdrstop
#include <lm.h>
#include <winldap.h>
#include "..\ldapc\ldpcache.hxx"
#include "..\ldapc\ldaputil.hxx"
#include "..\ldapc\parse.hxx"
#include <dsgetdc.h>
#include <sspi.h>
HRESULTBuildLDAPPathFromADsPath2( LPWSTR szADsPathName, LPWSTR *pszLDAPServer, LPWSTR *pszLDAPDn, DWORD * pdwPort);
DWORDGetDefaultServer( DWORD dwPort, BOOL fVerify, LPWSTR szDomainDnsName, LPWSTR szServerName, BOOL fWriteable );
HRESULTGetDomainDNSNameFromHost( LPWSTR szHostName, SEC_WINNT_AUTH_IDENTITY& AuthI, CCredentials &Credentials, DWORD dwPort, LPWSTR * ppszHostName );
//
// The list of server entries - detailing SSL support
//
PSERVSSLENTRY gpServerSSLList = NULL;
//
// Critical Section and support routines to protect list
//
CRITICAL_SECTION g_ServerListCritSect;
//
// Flag that indicates if kerberos is being used.
//
const unsigned long KERB_SUPPORT_FLAGS = ISC_RET_MUTUAL_AUTH ;//
// Routines that support cacheing server SSL info for perf
//
#define STRING_LENGTH(p) ( p ? wcslen(p) : 0)
//
// Get the status of SSL support on the server pszServerName
// 0 indicates that the server was not in our list.
//
DWORD ReadServerSupportsSSL( LPWSTR pszServerName){ ENTER_SERVERLIST_CRITICAL_SECTION(); PSERVSSLENTRY pServerList = gpServerSSLList; DWORD dwRetVal = 0;
//
// Keep going through the list until we hit the end or
// we find an entry that matches.
//
while ((pServerList != NULL) && (dwRetVal == 0)) {
#ifdef WIN95
if (!(_wcsicmp(pszServerName, pServerList->pszServerName))) {#else
if (CompareStringW( LOCALE_SYSTEM_DEFAULT, NORM_IGNORECASE, pszServerName, -1, pServerList->pszServerName, -1 ) == CSTR_EQUAL ) {#endif
dwRetVal = pServerList->dwFlags; }
pServerList = pServerList->pNext; }
LEAVE_SERVERLIST_CRITICAL_SECTION();
return dwRetVal;}
HRESULT UpdateServerSSLSupportStatus( PWSTR pszServerName, DWORD dwFlags ){ HRESULT hr = S_OK; PSERVSSLENTRY pServEntry = NULL; ENTER_SERVERLIST_CRITICAL_SECTION() PSERVSSLENTRY pServerList = gpServerSSLList; DWORD dwRetVal = 0;
ADsAssert(pszServerName && *pszServerName);
//
// Keep going through the list until we hit the end or
// we find an entry that matches.
//
while ((pServerList != NULL) && (dwRetVal == 0)) {
#ifdef WIN95
if (!(_wcsicmp(pszServerName, pServerList->pszServerName))) {#else
if (CompareStringW( LOCALE_SYSTEM_DEFAULT, NORM_IGNORECASE, pszServerName, -1, pServerList->pszServerName, -1 ) == CSTR_EQUAL ) {#endif
pServerList->dwFlags = dwFlags; LEAVE_SERVERLIST_CRITICAL_SECTION() RRETURN(S_OK); }
pServerList = pServerList->pNext; }
pServEntry = (PSERVSSLENTRY) AllocADsMem(sizeof(SERVSSLENTRY));
if (!pServEntry) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
pServEntry->pszServerName = AllocADsStr(pszServerName); if (!pServEntry->pszServerName) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
pServEntry->dwFlags = dwFlags;
pServEntry->pNext = gpServerSSLList; gpServerSSLList = pServEntry;
error: if (FAILED(hr) && pServEntry) { //
// Free only pServEntry as the string cannot have
// a value in the error case
//
FreeADsMem(pServEntry); }
LEAVE_SERVERLIST_CRITICAL_SECTION();
RRETURN(hr);}
void FreeServerSSLSupportList(){ PSERVSSLENTRY pList = gpServerSSLList; PSERVSSLENTRY pPrevEntry = NULL;
while (pList) { pPrevEntry = pList;
FreeADsStr(pList->pszServerName); pList = pList->pNext;
FreeADsMem(pPrevEntry); }}
#if (!defined(WIN95))
//
// Take a AuthI struct and return a cred handle.
//
HRESULTConvertAuthIdentityToCredHandle( SEC_WINNT_AUTH_IDENTITY& AuthI, OUT PCredHandle CredentialsHandle ){ SECURITY_STATUS secStatus = SEC_E_OK; TimeStamp Lifetime;
secStatus = AcquireCredentialsHandleWrapper( NULL, // New principal
MICROSOFT_KERBEROS_NAME_W, SECPKG_CRED_OUTBOUND, NULL, &AuthI, NULL, NULL, CredentialsHandle, &Lifetime );
if (secStatus != SEC_E_OK) {
RRETURN(E_FAIL); } else { RRETURN(S_OK); }
}
//
// ***** Caller must free the strings put in the ****
// ***** AuthIdentity struct later. ****
//
HRESULTGetAuthIdentityForCaller( CCredentials& Credentials, IADs * pIADs, OUT SEC_WINNT_AUTH_IDENTITY *pAuthI, BOOL fEnforceMutualAuth ){ HRESULT hr = S_OK; LPWSTR pszNTLMUser = NULL; LPWSTR pszNTLMDomain = NULL; LPWSTR pszDefaultServer = NULL; LPWSTR dn = NULL; LPWSTR passwd = NULL; IADsObjOptPrivate * pADsPrivObjectOptions = NULL; ULONG ulFlags = 0;
if (fEnforceMutualAuth) {
hr = pIADs->QueryInterface( IID_IADsObjOptPrivate, (void **)&pADsPrivObjectOptions ); BAIL_ON_FAILURE(hr);
hr = pADsPrivObjectOptions->GetOption ( LDAP_MUTUAL_AUTH_STATUS, (void *) &ulFlags );
BAIL_ON_FAILURE(hr);
if (!(ulFlags & KERB_SUPPORT_FLAGS)) { BAIL_ON_FAILURE(hr = E_FAIL); } }
hr = Credentials.GetUserName(&dn); BAIL_ON_FAILURE(hr);
hr = Credentials.GetPassword(&passwd); BAIL_ON_FAILURE(hr);
//
// Get the userName and password into the auth struct.
//
hr = LdapCrackUserDNtoNTLMUser2( dn, &pszNTLMUser, &pszNTLMDomain );
if (FAILED(hr)) { hr = LdapCrackUserDNtoNTLMUser( dn, &pszNTLMUser, &pszNTLMDomain ); BAIL_ON_FAILURE(hr); }
//
// If the domain name is NULL and enforceMutualAuth is false,
// then we need to throw in the defaultDomainName. This will
// be needed subsequently for the LogonUser call.
//
if (!fEnforceMutualAuth && !pszNTLMDomain) { //
// Call GetDefaultServer.
//
pszDefaultServer = (LPWSTR) AllocADsMem(sizeof(WCHAR) * MAX_PATH); if (!pszDefaultServer) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
pszNTLMDomain = (LPWSTR) AllocADsMem(sizeof(WCHAR) * MAX_PATH); if (!pszNTLMDomain) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
hr = GetDefaultServer( -1, // this will use the default ldap port
FALSE, pszNTLMDomain, pszDefaultServer, TRUE ); BAIL_ON_FAILURE(hr); }
pAuthI->User = (PWCHAR)pszNTLMUser; pAuthI->UserLength = (pszNTLMUser == NULL)? 0: wcslen(pszNTLMUser); pAuthI->Domain = (PWCHAR)pszNTLMDomain; pAuthI->DomainLength = (pszNTLMDomain == NULL)? 0: wcslen(pszNTLMDomain); pAuthI->Password = (PWCHAR)passwd; pAuthI->PasswordLength = (passwd == NULL)? 0: wcslen(passwd); pAuthI->Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
error:
if (FAILED(hr)) {
//
// Free the strings
//
if (pszNTLMUser) { FreeADsStr(pszNTLMUser); }
if (pszNTLMDomain) { FreeADsStr(pszNTLMDomain); }
if (passwd) { FreeADsStr(passwd); } }
if (pADsPrivObjectOptions) { pADsPrivObjectOptions->Release(); }
//
// Always free the dn
//
if (dn) { FreeADsStr(dn); }
if (pszDefaultServer) { FreeADsMem(pszDefaultServer); }
RRETURN(hr);}#endif
// Class CLDAPUser
STDMETHODIMPCLDAPUser::get_AccountDisabled(THIS_ VARIANT_BOOL FAR* retval){ if ( retval == NULL ) RRETURN( E_ADS_BAD_PARAMETER );
LONG lUserAcctControl; HRESULT hr = get_LONG_Property( (IADsUser *)this, TEXT("userAccountControl"), &lUserAcctControl );
if ( SUCCEEDED(hr)) *retval = lUserAcctControl & UF_ACCOUNTDISABLE ? VARIANT_TRUE : VARIANT_FALSE;
RRETURN(hr);}
STDMETHODIMPCLDAPUser::put_AccountDisabled(THIS_ VARIANT_BOOL fAccountDisabled){ LONG lUserAcctControl; HRESULT hr = get_LONG_Property( (IADsUser *)this, TEXT("userAccountControl"), &lUserAcctControl ); if ( SUCCEEDED(hr)) { if ( fAccountDisabled ) lUserAcctControl |= UF_ACCOUNTDISABLE; else lUserAcctControl &= ~UF_ACCOUNTDISABLE;
hr = put_LONG_Property( (IADsUser *)this, TEXT("userAccountControl"), lUserAcctControl ); }
RRETURN(hr);}
STDMETHODIMPCLDAPUser::get_AccountExpirationDate(THIS_ DATE FAR* retval){ GET_PROPERTY_FILETIME((IADsUser *)this, AccountExpirationDate);}
STDMETHODIMPCLDAPUser::put_AccountExpirationDate(THIS_ DATE daAccountExpirationDate){ PUT_PROPERTY_FILETIME((IADsUser *)this, AccountExpirationDate);}
STDMETHODIMPCLDAPUser::get_GraceLoginsAllowed(THIS_ long FAR* retval){ RRETURN(E_ADS_PROPERTY_NOT_SUPPORTED);}
STDMETHODIMPCLDAPUser::put_GraceLoginsAllowed(THIS_ long lGraceLoginsAllowed){ RRETURN(E_ADS_PROPERTY_NOT_SUPPORTED);}
STDMETHODIMPCLDAPUser::get_GraceLoginsRemaining(THIS_ long FAR* retval){ RRETURN(E_ADS_PROPERTY_NOT_SUPPORTED);}
STDMETHODIMPCLDAPUser::put_GraceLoginsRemaining(THIS_ long lGraceLoginsRemaining){ RRETURN(E_ADS_PROPERTY_NOT_SUPPORTED);}
STDMETHODIMPCLDAPUser::get_IsAccountLocked(THIS_ VARIANT_BOOL FAR* retval){ HRESULT hr = S_OK;
VARIANT var; IADsLargeInteger *pLargeInt = NULL;
LONG LowPart, HighPart;
if ( retval == NULL ) RRETURN( E_ADS_BAD_PARAMETER );
VariantInit(&var);
hr = _pADs->Get(TEXT("lockoutTime"), &var);
if (SUCCEEDED(hr)) { //
// There's a lockoutTime, we need to determine
// if it equals 0 (== not locked-out).
//
ADsAssert(V_VT(&var) == VT_DISPATCH);
if (V_VT(&var) != VT_DISPATCH) { BAIL_ON_FAILURE(hr = E_FAIL); }
hr = V_DISPATCH(&var)->QueryInterface(IID_IADsLargeInteger, reinterpret_cast<void**>(&pLargeInt) ); BAIL_ON_FAILURE(hr);
hr = pLargeInt->get_LowPart(&LowPart); BAIL_ON_FAILURE(hr); hr = pLargeInt->get_HighPart(&HighPart); BAIL_ON_FAILURE(hr);
if ( (LowPart != 0) || (HighPart != 0) ) { *retval = VARIANT_TRUE; } else { *retval = VARIANT_FALSE; }
} else if (hr == E_ADS_PROPERTY_NOT_FOUND) { //
// If there's no lockoutTime, the account is not
// locked-out.
//
*retval = VARIANT_FALSE; hr = S_OK; } else { BAIL_ON_FAILURE(hr); }
error:
if (pLargeInt) { pLargeInt->Release(); }
VariantClear(&var); RRETURN(hr);}
STDMETHODIMPCLDAPUser::put_IsAccountLocked(THIS_ VARIANT_BOOL fIsAccountLocked){ HRESULT hr = S_OK;
if (fIsAccountLocked) { //
// You cannot set an account to a locked state.
//
RRETURN(E_ADS_BAD_PARAMETER); }
hr = put_LONG_Property( (IADsUser *)this, TEXT("lockoutTime"), 0 );
RRETURN(hr);}
STDMETHODIMPCLDAPUser::get_LoginHours(THIS_ VARIANT FAR* retval){ GET_PROPERTY_VARIANT((IADsUser *)this, LoginHours);}
STDMETHODIMPCLDAPUser::put_LoginHours(THIS_ VARIANT vLoginHours){ PUT_PROPERTY_VARIANT((IADsUser *)this, LoginHours);}
STDMETHODIMPCLDAPUser::get_LoginWorkstations(THIS_ VARIANT FAR* retval){ GET_PROPERTY_BSTRARRAY((IADsUser *)this,LoginWorkstations);}
STDMETHODIMPCLDAPUser::put_LoginWorkstations(THIS_ VARIANT vLoginWorkstations){ PUT_PROPERTY_BSTRARRAY((IADsUser *)this,LoginWorkstations);}
STDMETHODIMPCLDAPUser::get_MaxLogins(THIS_ long FAR* retval){ RRETURN(E_ADS_PROPERTY_NOT_SUPPORTED);}
STDMETHODIMPCLDAPUser::put_MaxLogins(THIS_ long lMaxLogins){ RRETURN(E_ADS_PROPERTY_NOT_SUPPORTED);}
STDMETHODIMPCLDAPUser::get_MaxStorage(THIS_ long FAR* retval){ GET_PROPERTY_LONG((IADsUser *)this, MaxStorage);}
STDMETHODIMPCLDAPUser::put_MaxStorage(THIS_ long lMaxStorage){ PUT_PROPERTY_LONG((IADsUser *)this, MaxStorage);}
STDMETHODIMPCLDAPUser::get_PasswordExpirationDate(THIS_ DATE FAR* retval){ GET_PROPERTY_DATE((IADsUser *)this, PasswordExpirationDate);}
STDMETHODIMPCLDAPUser::put_PasswordExpirationDate(THIS_ DATE daPasswordExpirationDate){ PUT_PROPERTY_DATE((IADsUser *)this, PasswordExpirationDate);}
STDMETHODIMPCLDAPUser::get_PasswordRequired(THIS_ VARIANT_BOOL FAR* retval){ if ( retval == NULL ) RRETURN( E_ADS_BAD_PARAMETER );
LONG lUserAcctControl; HRESULT hr = get_LONG_Property( (IADsUser *)this, TEXT("userAccountControl"), &lUserAcctControl );
if ( SUCCEEDED(hr)) *retval = lUserAcctControl & UF_PASSWD_NOTREQD ? VARIANT_FALSE: VARIANT_TRUE;
RRETURN(hr);}
STDMETHODIMPCLDAPUser::put_PasswordRequired(THIS_ VARIANT_BOOL fPasswordRequired){ LONG lUserAcctControl; HRESULT hr = get_LONG_Property( (IADsUser *)this, TEXT("userAccountControl"), &lUserAcctControl ); if ( SUCCEEDED(hr)) { if ( fPasswordRequired ) lUserAcctControl &= ~UF_PASSWD_NOTREQD; else lUserAcctControl |= UF_PASSWD_NOTREQD;
hr = put_LONG_Property( (IADsUser *)this, TEXT("userAccountControl"), lUserAcctControl ); }
RRETURN(hr);}
STDMETHODIMPCLDAPUser::get_PasswordMinimumLength(THIS_ LONG FAR* retval){ GET_PROPERTY_LONG((IADsUser *)this, PasswordMinimumLength);}
STDMETHODIMPCLDAPUser::put_PasswordMinimumLength(THIS_ LONG lPasswordMinimumLength){ PUT_PROPERTY_LONG((IADsUser *)this, PasswordMinimumLength);}
STDMETHODIMPCLDAPUser::get_RequireUniquePassword(THIS_ VARIANT_BOOL FAR* retval){ GET_PROPERTY_VARIANT_BOOL((IADsUser *)this, RequireUniquePassword);}
STDMETHODIMPCLDAPUser::put_RequireUniquePassword(THIS_ VARIANT_BOOL fRequireUniquePassword){ PUT_PROPERTY_VARIANT_BOOL((IADsUser *)this, RequireUniquePassword);}
BOOLEAN_cdecl ServerCertCallback( PLDAP Connection, PCCERT_CONTEXT pServerCert ){ //
// After the secure connection is established, this function is called by
// LDAP. This gives the client an opportunity to verify the server cert.
// If, for some reason, the client doesn't approve it, it should return FALSE
// and the connection will be terminated. Else, return TRUE
//
fprintf( stderr, "Server cert callback has been called...\n" );
//
// Use some way to verify the server certificate.
//
return TRUE;}
STDMETHODIMPCLDAPUser::SetPassword(THIS_ BSTR bstrNewPassword){ HRESULT hr = E_FAIL; BOOLEAN bUseLDAP = FALSE;
LPWSTR pszServer = NULL; LPWSTR pszHostName = NULL; DWORD dwLen = 0; int err = 0;
BSTR bstrADsPath = NULL; LPWSTR szServerSSL = NULL; LPWSTR szDn = NULL; DWORD dwPortSSL = 0; PADSLDP pAdsLdpSSL = NULL;
IADsObjOptPrivate * pADsPrivObjectOptions = NULL; PADSLDP pAdsLdp = NULL; LDAPMessage *pMsgResult = NULL; LDAPMessage *pMsgEntry = NULL; LDAP *pLdapCurrent = NULL; LPWSTR Attributes[] = {L"objectClass", NULL};
VARIANT varSamAccount; DWORD dwServerPwdSupport = SERVER_STATUS_UNKNOWN; LPWSTR pszHostDomainName = NULL; SEC_WINNT_AUTH_IDENTITY AuthI; BOOLEAN fPasswordSet = FALSE; LPWSTR pszTempPwd = NULL; ULONG ulFlags = 0; VARIANT varGetInfoEx; BOOL fCachePrimed = FALSE;
BOOL fImpersonating = FALSE; HANDLE hUserToken = INVALID_HANDLE_VALUE;
//
// Init params we will need to free later.
//
AuthI.User = NULL; AuthI.Domain = NULL; AuthI.Password = NULL; VariantInit(&varSamAccount); VariantInit(&varGetInfoEx);
//
// Get the Ldap path of the user object
//
hr = _pADs->get_ADsPath( &bstrADsPath ); BAIL_ON_FAILURE(hr);
hr = BuildLDAPPathFromADsPath2( bstrADsPath, &szServerSSL, &szDn, &dwPortSSL ); BAIL_ON_FAILURE(hr);
//
// Now do an LDAP Search with Referrals and get the handle to success
// connection. This is where we can find the server the referred object
// resides on
//
hr = _pADs->QueryInterface( IID_IADsObjOptPrivate, (void **)&pADsPrivObjectOptions ); BAIL_ON_FAILURE(hr);
hr = pADsPrivObjectOptions->GetOption ( LDAP_SERVER, (void*)&pszHostName );
BAIL_ON_FAILURE(hr);
//
// additional lengh 3 is for '\0' and "\\\\"
//
dwLen = STRING_LENGTH(pszHostName) + 3; pszServer = (LPWSTR) AllocADsMem( dwLen * sizeof(WCHAR) ); if (!pszServer) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); } wcscpy(pszServer,L"\\\\"); wcscat(pszServer, pszHostName); dwServerPwdSupport = ReadServerSupportsSSL(pszHostName);
if (dwServerPwdSupport == ( SERVER_STATUS_UNKNOWN | SERVER_DOES_NOT_SUPPORT_SSL | SERVER_DOES_NOT_SUPPORT_NETUSER | SERVER_DOES_NOT_SUPPORT_KERBEROS ) ) { //
// All flags are set, we will reset and rebuild cache
//
UpdateServerSSLSupportStatus( pszHostName, SERVER_STATUS_UNKNOWN ); dwServerPwdSupport = SERVER_STATUS_UNKNOWN; }
if (dwServerPwdSupport == SERVER_STATUS_UNKNOWN || !(dwServerPwdSupport & SERVER_DOES_NOT_SUPPORT_SSL)) {
//
// Try to establish SSL connection for this Password Operation
//
hr = LdapOpenObject( pszHostName, szDn, &pAdsLdpSSL, _Credentials, 636 );
if (SUCCEEDED(hr)) { int retval; SecPkgContext_ConnectionInfo sslattr;
retval = ldap_get_option( pAdsLdpSSL->LdapHandle, LDAP_OPT_SSL_INFO, &sslattr ); if (retval == LDAP_SUCCESS) { //
// If Channel is secure enough, enable LDAP Password Change
//
if (sslattr.dwCipherStrength >= 128) { bUseLDAP = TRUE; } } }
//
// Update the SSL support if appropriate
//
if (dwServerPwdSupport == SERVER_STATUS_UNKNOWN || !bUseLDAP) {
//
// Set the server does not support ssl bit if necessary
//
UpdateServerSSLSupportStatus( pszHostName, bUseLDAP ? dwServerPwdSupport : dwServerPwdSupport |= SERVER_DOES_NOT_SUPPORT_SSL ); } }
if (bUseLDAP) { //
// LDAP Password Set
//
PLDAPModW prgMod[2]; LDAPModW ModReplace; struct berval* rgBerVal[2]; struct berval BerVal; int ipwdLen;
prgMod[0] = &ModReplace; prgMod[1] = NULL;
ModReplace.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES; ModReplace.mod_type = L"unicodePwd"; ModReplace.mod_bvalues = rgBerVal; rgBerVal[0] = &BerVal; rgBerVal[1] = NULL;
//
// 2 extra for "" to put the password in.
//
if (bstrNewPassword) { ipwdLen = (wcslen(bstrNewPassword) + 2) * sizeof(WCHAR); } else { ipwdLen = 2 * sizeof(WCHAR); }
//
// Add 1 for the \0.
//
pszTempPwd = (LPWSTR) AllocADsMem(ipwdLen + sizeof(WCHAR)); if (!pszTempPwd) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
wcscpy(pszTempPwd, L"\""); if (bstrNewPassword) { wcscat(pszTempPwd, bstrNewPassword); }
wcscat(pszTempPwd, L"\"");
BerVal.bv_len = ipwdLen; BerVal.bv_val = (char*)pszTempPwd;
hr = LdapModifyS( pAdsLdpSSL, szDn, prgMod ); BAIL_ON_FAILURE(hr);
//
// Set flag so that we do not try any other methods.
//
fPasswordSet = TRUE; }
//
// Try kerberos setpassword if applicable
//
#if (!defined(WIN95))
//
// Only valid on Win2k
//
if (!fPasswordSet) {
//
// If we cached the server as not supporting Kerberos, most likely it
// was because we were not mutually authenticated. Do a quick check to
// see if that has changed, so that we can update our cached information
// if necessary.
//
if (dwServerPwdSupport & SERVER_DOES_NOT_SUPPORT_KERBEROS) {
hr = pADsPrivObjectOptions->GetOption ( LDAP_MUTUAL_AUTH_STATUS, (void *) &ulFlags );
BAIL_ON_FAILURE(hr);
if ((ulFlags & KERB_SUPPORT_FLAGS)) { UpdateServerSSLSupportStatus( pszHostName, dwServerPwdSupport &= (~SERVER_DOES_NOT_SUPPORT_KERBEROS) ); } } if (!(dwServerPwdSupport & SERVER_DOES_NOT_SUPPORT_KERBEROS)) {
//
// Kerberos set password
//
CredHandle secCredHandle = {0}; SECURITY_STATUS SecStatus; DWORD dwStatus = 0; LPWSTR pszSamAccountArr[] = {L"sAMAccountName"};
if (!fCachePrimed) { hr = ADsBuildVarArrayStr( pszSamAccountArr, 1, &varGetInfoEx ); BAIL_ON_FAILURE(hr);
hr = _pADs->GetInfoEx(varGetInfoEx, 0); BAIL_ON_FAILURE(hr);
fCachePrimed = TRUE; } hr = _pADs->Get(L"sAMAccountName", &varSamAccount); BAIL_ON_FAILURE(hr);
//
// The AuthIdentity structure is ueful down the road.
// This routine will fail if we were not bound using
// kerberos to the server.
//
hr = GetAuthIdentityForCaller( _Credentials, _pADs, &AuthI, TRUE // enforce mutual auth.
);
if (FAILED(hr)) { UpdateServerSSLSupportStatus( pszHostName, dwServerPwdSupport |= SERVER_DOES_NOT_SUPPORT_KERBEROS ); } else {
//
// Kerb really needs this handle.
//
hr = ConvertAuthIdentityToCredHandle( AuthI, &secCredHandle );
if (FAILED(hr)) { UpdateServerSSLSupportStatus( pszHostName, dwServerPwdSupport |= SERVER_DOES_NOT_SUPPORT_KERBEROS ); }
if (SUCCEEDED(hr)) {
//
// Get the domain dns name for the user
//
hr = GetDomainDNSNameFromHost( pszHostName, AuthI, _Credentials, dwPortSSL, &pszHostDomainName );
if (SUCCEEDED(hr)) {
dwStatus = KerbSetPasswordUserEx( pszHostDomainName, V_BSTR(&varSamAccount), bstrNewPassword, &secCredHandle, pszHostName );
if (dwStatus) { //
// We should have got this to come in here.
//
hr = HRESULT_FROM_WIN32(ERROR_LOGON_FAILURE); } else { fPasswordSet = TRUE; } } // if domain dns name get succeeded.
FreeCredentialsHandleWrapper(&secCredHandle);
} // if GetCredentialsForCaller succeeded.
} // if we could get authidentity succesfully
} // if server supports kerberos
} // if password not set.
#endif
//
// At this point server status cannot be unknown, it
// will atleast have info about ssl support.
//
if (!fPasswordSet) {
if (!(dwServerPwdSupport & SERVER_DOES_NOT_SUPPORT_NETUSER)) { //
// Password Set using NET APIs
//
NET_API_STATUS nasStatus; DWORD dwParmErr = 0; LPWSTR pszSamAccountArr[] = {L"sAMAccountName"};
//
// Get SamAccountName
//
VariantClear(&varSamAccount); VariantClear(&varGetInfoEx);
if (!fCachePrimed) { hr = ADsBuildVarArrayStr( pszSamAccountArr, 1, &varGetInfoEx ); BAIL_ON_FAILURE(hr);
hr = _pADs->GetInfoEx(varGetInfoEx, 0); BAIL_ON_FAILURE(hr);
fCachePrimed = TRUE; }
hr = _pADs->Get(L"sAMAccountName", &varSamAccount); BAIL_ON_FAILURE(hr);
//
// Set the password
//
USER_INFO_1003 lpUserInfo1003 ;
lpUserInfo1003.usri1003_password = bstrNewPassword;
#ifndef Win95
//
// At this point if the user credentials are non NULL,
// we want to impersonate the user and then make this call.
// This will make sure the NetUserSetInfo call is made in the
// correct context.
//
if (!_Credentials.IsNullCredentials()) { //
// Need to get the userName and password in the format
// usable by the logonUser call.
//
if ((AuthI.User == NULL) && (AuthI.Domain == NULL) && (AuthI.Password == NULL) ) { //
// Get teh Auth identity struct populate if necessary.
//
hr = GetAuthIdentityForCaller( _Credentials, _pADs, &AuthI, FALSE ); }
BAIL_ON_FAILURE(hr);
//
// Note that if this code is backported, then we might
// need to change LOGON32_PROVIDER_WINNT50 to
// LOGON32_PROVIDER_DEFAULT as NT4 and below will support
// only that option. Also note that Win2k and below, do not
// allow all accounts to impersonate.
//
if (LogonUser( AuthI.User, AuthI.Domain, AuthI.Password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &hUserToken ) ) { //
// Call succeeded so we should use this context.
//
if (ImpersonateLoggedOnUser(hUserToken)) { fImpersonating = TRUE; } } if (!fImpersonating) { hr = HRESULT_FROM_WIN32(GetLastError()); } BAIL_ON_FAILURE(hr); } // if credentials are valid.
#endif
nasStatus = NetUserSetInfo( pszServer, V_BSTR(&varSamAccount), 1003, (LPBYTE)&lpUserInfo1003, &dwParmErr );#ifndef Win95
if (fImpersonating) { if (RevertToSelf()) { fImpersonating = FALSE; } else { ADsAssert(!"Revert to self failed."); BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError())); } }#endif
if ( nasStatus == NERR_UserNotFound ) { // User not created yet
hr = E_ADS_OBJECT_UNBOUND; BAIL_ON_FAILURE(hr); }
hr = HRESULT_FROM_WIN32(nasStatus); if (FAILED(hr) && (nasStatus == ERROR_LOGON_FAILURE)) {
//
// Was failure and ERROR_LOGON_FAILURE
//
UpdateServerSSLSupportStatus( pszHostName, dwServerPwdSupport |= SERVER_DOES_NOT_SUPPORT_NETUSER ); //
// Need to free the variant as we will re-read in kerb
//
VariantClear(&varSamAccount); } else { //
// password set succeed
//
fPasswordSet = TRUE; } } } // if Password not set.
error: if (bstrADsPath) { ADsFreeString(bstrADsPath); }
if (szServerSSL) { FreeADsStr(szServerSSL); }
if (szDn) { FreeADsStr(szDn); }
if (pAdsLdpSSL) { LdapCloseObject(pAdsLdpSSL); }
if (pADsPrivObjectOptions) { pADsPrivObjectOptions->Release(); }
if (pMsgResult) { LdapMsgFree(pMsgResult); }
if (pszHostDomainName) { FreeADsStr(pszHostDomainName); }
if (AuthI.User) { FreeADsStr(AuthI.User); }
if (AuthI.Domain) { FreeADsStr(AuthI.Domain); }
if (AuthI.Password) { FreeADsStr(AuthI.Password); }
if (pszTempPwd) { FreeADsMem(pszTempPwd); }
if (pszHostName) { FreeADsStr(pszHostName); }
if (pszServer) { FreeADsMem(pszServer); }
#ifndef Win95
if (fImpersonating) { //
// Try and call revert to self again
//
RevertToSelf(); }#endif
if (hUserToken != INVALID_HANDLE_VALUE ) { CloseHandle(hUserToken); hUserToken = NULL; }
VariantClear(&varSamAccount); VariantClear(&varGetInfoEx);
RRETURN(hr);}
STDMETHODIMPCLDAPUser::ChangePassword(THIS_ BSTR bstrOldPassword, BSTR bstrNewPassword){ HRESULT hr = S_OK; BOOLEAN bUseLDAP = FALSE;
LPWSTR pszServer = NULL; LPWSTR pszHostName = NULL; DWORD dwLen = 0; int err = 0;
BSTR bstrADsPath = NULL; LPWSTR szServerSSL = NULL; LPWSTR szDn = NULL; DWORD dwPortSSL = 0; PADSLDP pAdsLdpSSL = NULL;
IADsObjOptPrivate * pADsPrivObjectOptions = NULL; PADSLDP pAdsLdp = NULL; LDAPMessage *pMsgResult = NULL; LDAPMessage *pMsgEntry = NULL; LDAP *pLdapCurrent = NULL; LPWSTR Attributes[] = {L"objectClass", NULL};
VARIANT varSamAccount; DWORD dwServerSSLSupport = 0; LPWSTR pszNewPassword = NULL; LPWSTR pszOldPassword = NULL; VARIANT varGetInfoEx; SEC_WINNT_AUTH_IDENTITY AuthI; BOOL fImpersonating = FALSE; HANDLE hUserToken = INVALID_HANDLE_VALUE;
VariantInit(&varSamAccount); VariantInit(&varGetInfoEx); memset(&AuthI, 0, sizeof(SEC_WINNT_AUTH_IDENTITY));
//
// Get the Ldap path of the user object
//
hr = _pADs->get_ADsPath( &bstrADsPath ); BAIL_ON_FAILURE(hr);
hr = BuildLDAPPathFromADsPath2( bstrADsPath, &szServerSSL, &szDn, &dwPortSSL ); BAIL_ON_FAILURE(hr);
//
// Now do an LDAP Search with Referrals and get the handle to success
// connection. This is where we can find the server the referred object
// resides on
//
hr = _pADs->QueryInterface( IID_IADsObjOptPrivate, (void **)&pADsPrivObjectOptions ); BAIL_ON_FAILURE(hr);
hr = pADsPrivObjectOptions->GetOption ( LDAP_SERVER, (void *)&pszHostName );
BAIL_ON_FAILURE(hr);
//
// additional length 3 is for '\0' and "\\\\"
//
dwLen = STRING_LENGTH(pszHostName) + 3; pszServer = (LPWSTR) AllocADsMem( dwLen * sizeof(WCHAR) ); if (!pszServer) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); } wcscpy(pszServer,L"\\\\"); wcscat(pszServer, pszHostName); dwServerSSLSupport = ReadServerSupportsSSL(pszHostName);
if (dwServerSSLSupport == SERVER_STATUS_UNKNOWN || !(dwServerSSLSupport & SERVER_DOES_NOT_SUPPORT_SSL)) {
//
// Try to establish SSL connection for this Password Operation
//
hr = LdapOpenObject( pszHostName, szDn, &pAdsLdpSSL, _Credentials, 636 );
if (SUCCEEDED(hr)) { int retval; SecPkgContext_ConnectionInfo sslattr;
retval = ldap_get_option( pAdsLdpSSL->LdapHandle, LDAP_OPT_SSL_INFO, &sslattr ); if (retval == LDAP_SUCCESS) { //
// If Channel is secure enough, enable LDAP Password Change
//
if (sslattr.dwCipherStrength >= 128) { bUseLDAP = TRUE; } } }
//
// Update the SSL support if appropriate
//
if (dwServerSSLSupport == SERVER_STATUS_UNKNOWN || !bUseLDAP) {
UpdateServerSSLSupportStatus( pszHostName, bUseLDAP ? dwServerSSLSupport : dwServerSSLSupport |= SERVER_DOES_NOT_SUPPORT_SSL ); }
}
if (bUseLDAP) { //
// LDAP Password Set
//
PLDAPModW prgMod[3]; LDAPModW ModDelete; LDAPModW ModAdd; int iOldPwdLen, iNewPwdLen; struct berval* rgBerVal[2]; struct berval* rgBerVal2[2]; struct berval BerVal; struct berval BerVal2;
prgMod[0] = &ModDelete; prgMod[1] = &ModAdd; prgMod[2] = NULL;
ModDelete.mod_op = LDAP_MOD_DELETE | LDAP_MOD_BVALUES; ModDelete.mod_type = L"unicodePwd"; ModDelete.mod_bvalues = rgBerVal; rgBerVal[0] = &BerVal; rgBerVal[1] = NULL; //
// Put old pwd in quotes.
//
if (bstrOldPassword) { iOldPwdLen = (wcslen(bstrOldPassword) + 2) * sizeof(WCHAR); } else { iOldPwdLen = 2 * sizeof(WCHAR); }
pszOldPassword = (LPWSTR) AllocADsMem((iOldPwdLen+1) * sizeof(WCHAR));
if (!pszOldPassword) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
wcscpy(pszOldPassword, L"\""); if (bstrOldPassword) { wcscat(pszOldPassword, bstrOldPassword); }
wcscat(pszOldPassword, L"\"");
BerVal.bv_len = iOldPwdLen; BerVal.bv_val = (char*)pszOldPassword;
ModAdd.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES; ModAdd.mod_type = L"unicodePwd"; ModAdd.mod_bvalues = rgBerVal2; rgBerVal2[0] = &BerVal2; rgBerVal2[1] = NULL; //
// Put new password in ""
//
if (bstrNewPassword) { iNewPwdLen = (wcslen(bstrNewPassword) + 2) * sizeof(WCHAR); } else { iNewPwdLen = 2 * sizeof(WCHAR); }
pszNewPassword = (LPWSTR) AllocADsMem(iNewPwdLen + sizeof(WCHAR));
if (!pszNewPassword) { BAIL_ON_FAILURE(hr = E_FAIL); }
wcscpy(pszNewPassword, L"\""); if (bstrNewPassword) { wcscat(pszNewPassword, bstrNewPassword); } wcscat(pszNewPassword, L"\"");
BerVal2.bv_len = iNewPwdLen; BerVal2.bv_val = (char*)pszNewPassword;
hr = LdapModifyS( pAdsLdpSSL, szDn, prgMod ); BAIL_ON_FAILURE(hr); } else { //
// Password Set using NET APIs
//
NET_API_STATUS nasStatus; DWORD dwParmErr = 0; LPWSTR pszSamAccountArr[] = {L"sAMAccountName"};
//
// Get SamAccountName
//
hr = ADsBuildVarArrayStr( pszSamAccountArr, 1, &varGetInfoEx ); BAIL_ON_FAILURE(hr);
hr = _pADs->GetInfoEx(varGetInfoEx, 0); BAIL_ON_FAILURE(hr); hr = _pADs->Get(L"sAMAccountName", &varSamAccount); BAIL_ON_FAILURE(hr);
#ifndef Win95
//
// At this point if the user credentials are non NULL,
// we want to impersonate the user and then make this call.
// This will make sure the NetUserChangePassword call is made in the
// correct context.
//
if (!_Credentials.IsNullCredentials()) { //
// Need to get the userName and password in the format
// usable by the logonUser call.
//
hr = GetAuthIdentityForCaller( _Credentials, _pADs, &AuthI, FALSE );
if SUCCEEDED(hr) { //
// Note that if this code is backported, then we might
// need to change LOGON32_PROVIDER_WINNT50 to
// LOGON32_PROVIDER_DEFAULT as NT4 and below will support
// only that option. Also note that Win2k and below, do not
// allow all accounts to impersonate.
//
if (LogonUser( AuthI.User, AuthI.Domain, AuthI.Password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &hUserToken ) ) { //
// Call succeeded so we should use this context.
//
if (ImpersonateLoggedOnUser(hUserToken)) { fImpersonating = TRUE; } } } // if we could successfully get the auth ident structure.
//
// We will continue to make the ChangePassword call even if
// we could not impersonate successfully.
//
} // if credentials are valid.
#endif
//
// Do the actual change password
//
nasStatus = NetUserChangePassword( pszServer, V_BSTR(&varSamAccount), bstrOldPassword, bstrNewPassword );#ifndef Win95
if (fImpersonating) { if (RevertToSelf()) { fImpersonating = FALSE; } else { ADsAssert(!"Revert to self failed."); BAIL_ON_FAILURE(hr = HRESULT_FROM_WIN32(GetLastError())); } }#endif
if ( nasStatus == NERR_UserNotFound ) // User not created yet
{ hr = E_ADS_OBJECT_UNBOUND; BAIL_ON_FAILURE(hr); }
hr = HRESULT_FROM_WIN32(nasStatus); BAIL_ON_FAILURE(hr); }
error: if (bstrADsPath) { ADsFreeString(bstrADsPath); }
if (szServerSSL) { FreeADsStr(szServerSSL); }
if (szDn) { FreeADsStr(szDn); }
if (pAdsLdpSSL) { LdapCloseObject(pAdsLdpSSL); }
if (pADsPrivObjectOptions) { pADsPrivObjectOptions->Release(); }
if (pMsgResult) { LdapMsgFree(pMsgResult); }
if (pszOldPassword) { FreeADsMem(pszOldPassword); } if (pszNewPassword) { FreeADsMem(pszNewPassword); }
if (AuthI.User) { FreeADsStr(AuthI.User); }
if (AuthI.Domain) { FreeADsStr(AuthI.Domain); }
if (AuthI.Password) { FreeADsStr(AuthI.Password); } if (pszHostName) { FreeADsStr(pszHostName); }
if (pszServer) { FreeADsMem(pszServer); }
#ifndef Win95
if (fImpersonating) { //
// Try and call revert to self again
//
RevertToSelf(); }#endif
if (hUserToken != INVALID_HANDLE_VALUE ) { CloseHandle(hUserToken); hUserToken = NULL; }
VariantClear(&varSamAccount); VariantClear(&varGetInfoEx);
RRETURN(hr);}
//+---------------------------------------------------------------------------
//
// GetDomainDNSNameFromHost
//
// Given the domain dns name for a host, we need to get hold of the
// dns name for the domain.
//
// Arguments:
// [szHostName] - name of server.
// [Credentials] - Credentials to use for bind.
// [dwPort] - Port to connect to server on.
// [ppszHostName] - ptr to string for retval.
//
// Returns:
// S_OK - If operation succeeds.
// E_* - For other cases.
//
//----------------------------------------------------------------------------
HRESULTGetDomainDNSNameFromHost( LPWSTR szHostName, SEC_WINNT_AUTH_IDENTITY& AuthI, CCredentials& Credentials, DWORD dwPort, LPWSTR * ppszHostName ){ HRESULT hr = S_OK; PADSLDP ld = NULL; LPTSTR *aValuesNamingContext = NULL; IADsNameTranslate *pNameTranslate = NULL; BSTR bstrName = NULL; int nCount = 0;
//
// Bind to the ROOTDSE of the server.
//
hr = LdapOpenObject( szHostName, NULL, // the DN.
&ld, Credentials, dwPort );
BAIL_ON_FAILURE(hr);
//
// Now get the defaultNamingContext
//
hr = LdapReadAttributeFast( ld, NULL, // the DN.
LDAP_OPATT_DEFAULT_NAMING_CONTEXT_W, &aValuesNamingContext, &nCount ); //
// Verify we actuall got back at least one value
//
if (SUCCEEDED(hr) && (nCount < 1)) { hr = HRESULT_FROM_WIN32(ERROR_DS_NO_ATTRIBUTE_OR_VALUE); }
BAIL_ON_FAILURE(hr);
//
// Create nametran object
//
hr = CoCreateInstance( CLSID_NameTranslate, NULL, CLSCTX_ALL, IID_IADsNameTranslate, (void **) &pNameTranslate ); BAIL_ON_FAILURE(hr);
//
// Init with defaultNamingContext and get transalte
//
hr = pNameTranslate->InitEx( ADS_NAME_INITTYPE_SERVER, szHostName, AuthI.User, AuthI.Domain, AuthI.Password ); BAIL_ON_FAILURE(hr);
hr = pNameTranslate->Set( ADS_NAME_TYPE_1779, aValuesNamingContext[0] ); BAIL_ON_FAILURE(hr);
hr = pNameTranslate->Get( ADS_NAME_TYPE_CANONICAL, &bstrName ); BAIL_ON_FAILURE(hr);
if (!bstrName) { BAIL_ON_FAILURE(hr = E_FAIL); }
*ppszHostName = AllocADsStr(bstrName);
if (!*ppszHostName) { BAIL_ON_FAILURE(hr = E_OUTOFMEMORY); }
//
// Null terminate one place ahead so we can get rid of /
//
(*ppszHostName)[wcslen(bstrName)-1] = L'\0';
error : if (ld) { LdapCloseObject(ld); }
if (pNameTranslate) { pNameTranslate->Release(); }
if (bstrName) { SysFreeString(bstrName); }
if (aValuesNamingContext) { LdapValueFree(aValuesNamingContext); }
RRETURN(hr);}
|
