libtdeldap/src/libtdeldap.cpp

/***************************************************************************
 *   Copyright (C) 2012 by Timothy Pearson                                 *
 *   kb9vqf@pearsoncomputing.net                                           *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 *   You should have received a copy of the GNU General Public License     *
 *   along with this program; if not, write to the                         *
 *   Free Software Foundation, Inc.,                                       *
 *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
 ***************************************************************************/

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netdb.h>
#include <pwd.h>

#include <tqfile.h>
#include <tqcheckbox.h>

#include <klocale.h>
#include <kmessagebox.h>
#include <klineedit.h>
#include <kpassdlg.h>
#include <ksimpleconfig.h>

#include <ldap.h>
#include <stdlib.h>
#include <sys/time.h>

#include "libtdeldap.h"
#include "ldaplogindlg.h"
#include "ldappasswddlg.h"

#define LDAP_INSECURE_PORT 389
#define LDAP_SECURE_PORT 636

// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"
#define LDAP_FILE "/etc/ldap/ldap.conf"

int requested_ldap_version = LDAP_VERSION3;
int requested_ldap_auth_method = LDAP_AUTH_SIMPLE;	// Is this safe and secure over an untrusted connection?
char* ldap_user_and_operational_attributes[2] = {"*", "+"};

enum ErrorCauseLocation {
	ERRORCAUSE_LOCATION_BIND = 0
};

LDAPManager::LDAPManager(TQString realm, TQString host, TQObject *parent, const char *name) : TQObject(parent, name), m_realm(realm), m_host(host), m_port(0), m_creds(0), m_ldap(0)
{
	TQStringList domainChunks = TQStringList::split(".", realm.lower());
	m_basedc = "dc=" + domainChunks.join(",dc=");
}

LDAPManager::LDAPManager(TQString realm, TQString host, LDAPCredentials* creds, TQObject *parent, const char *name) : TQObject(parent, name), m_realm(realm), m_host(host), m_port(0), m_creds(creds), m_ldap(0)
{
	TQStringList domainChunks = TQStringList::split(".", realm.lower());
	m_basedc = "dc=" + domainChunks.join(",dc=");
}

LDAPManager::~LDAPManager() {
	unbind(true);
}

TQString LDAPManager::basedn() {
	return m_basedc;
}

TQString LDAPManager::realm() {
	return m_realm;
}

LDAPCredentials LDAPManager::currentLDAPCredentials() {
	if (m_creds) {
		return *m_creds;
	}
	else {
		return LDAPCredentials();
	}
}

TQString ldapLikelyErrorCause(int errcode, int location) {
	TQString ret;

	if (location == ERRORCAUSE_LOCATION_BIND) {
		if (errcode == LDAP_SERVER_DOWN) {
			ret = " * LDAP server down<br> * Invalid LDAP Certificate Authority file on client";
		}
		if (LDAP_NAME_ERROR(errcode)) {
			ret = "Unknown user name or incorrect user name format";
		}
	}

	if (ret != "") {
		if (ret.contains("<br>")) {
			ret.prepend("<p>" + i18n("Potential causes") + ":<br>");
		}
		else {
			ret.prepend("<p>" + i18n("Potential cause") + ":<br>");
		}
	}

	return ret;
}

int LDAPManager::bind(TQString* errstr) {
printf("[RAJA DEBUG 600.0] In LDAPManager::bind(%p)\n\r", errstr); fflush(stdout);
	if (m_ldap) {
		return 0;
	}

	bool using_ldapi = false;
	if (m_host.startsWith("ldapi://")) {
		using_ldapi = true;
	}
	bool havepass = false;
	if (m_creds || using_ldapi) {
		havepass = true;
	}
	else {
printf("[RAJA DEBUG 660.1] using_ldapi: %d\n\r", using_ldapi); fflush(stdout);
		LDAPPasswordDialog passdlg(0);
		passdlg.m_base->ldapAdminRealm->setEnabled(false);
		passdlg.m_base->ldapAdminRealm->insertItem(m_realm);
		passdlg.m_base->ldapUseTLS->setChecked(true);
		if (passdlg.exec() == TQDialog::Accepted) {
			havepass = true;
			if (!m_creds) {
				m_creds = new LDAPCredentials();
				m_creds->username = passdlg.m_base->ldapAdminUsername->text();
				m_creds->password = passdlg.m_base->ldapAdminPassword->password();
				m_creds->realm = passdlg.m_base->ldapAdminRealm->currentText();
				m_creds->use_tls = passdlg.m_base->ldapUseTLS->isOn();
			}
		}
	}

	TQString uri;
	if (m_host.contains("://")) {
		uri = m_host;
		if (!m_creds) {
			m_creds = new LDAPCredentials();
			m_creds->username = "";
			m_creds->password = "";
			m_creds->realm = m_realm;
		}
	}
	else {
		if (m_creds->use_tls) {
			m_port = LDAP_SECURE_PORT;
			uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
		}
		else {
			m_port = LDAP_INSECURE_PORT;
			uri = TQString("ldap://%1:%2").arg(m_host).arg(m_port);
		}
	}
printf("[RAJA DEBUG 600.1] URI: %s\n\r", uri.ascii()); fflush(stdout);

	int retcode = ldap_initialize(&m_ldap, uri.ascii());
	if (retcode < 0) {
		if (errstr) *errstr = i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND));
		else KMessageBox::error(0, i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)), i18n("Unable to connect to server!"));
		return -1;
	}
	retcode = ldap_set_option(m_ldap, LDAP_OPT_PROTOCOL_VERSION, &requested_ldap_version);
	if (retcode != LDAP_OPT_SUCCESS) {
		if (errstr) *errstr = i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND));
		else KMessageBox::error(0, i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)), i18n("Unable to connect to server!"));
		return -1;
	}
printf("[RAJA DEBUG 660.0]\n\r"); fflush(stdout);

	TQString errorString;
	if (havepass == true) {
		char* mechanism = NULL;
		struct berval cred;
		TQString ldap_dn = m_creds->username;
		TQCString pass = m_creds->password;
		cred.bv_val = pass.data();
		cred.bv_len = pass.length();
printf("[RAJA DEBUG 660.2]\n\r"); fflush(stdout);
		if (!using_ldapi) {
			if (!ldap_dn.contains(",")) {
				// Look for a POSIX account with anonymous bind and the specified account name
				TQString uri;
				LDAP* ldapconn;
				if (m_host.contains("://")) {
					uri = m_host;
				}
				else {
					if (m_creds->use_tls) {
						m_port = LDAP_SECURE_PORT;
						uri = TQString("ldaps://%1:%2").arg(m_host).arg(m_port);
					}
					else {
						m_port = LDAP_INSECURE_PORT;
						uri = TQString("ldap://%1:%2").arg(m_host).arg(m_port);
					}
				}
				int retcode = ldap_initialize(&ldapconn, uri.ascii());
				if (retcode < 0) {
					if (errstr) *errstr = i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode));
					else KMessageBox::error(0, i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)), i18n("Unable to connect to server!"));
					return -1;
				}
				retcode = ldap_set_option(ldapconn, LDAP_OPT_PROTOCOL_VERSION, &requested_ldap_version);
				if (retcode != LDAP_OPT_SUCCESS) {
					if (errstr) *errstr = i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode));
					else KMessageBox::error(0, i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)), i18n("Unable to connect to server!"));
					return -1;
				}
				struct berval anoncred;
				anoncred.bv_val = "";
				anoncred.bv_len = strlen("");
				retcode = ldap_sasl_bind_s(ldapconn, "", mechanism, &anoncred, NULL, NULL, NULL);
				if (retcode == LDAP_SUCCESS ) {
					// Look for the DN for the specified user
					LDAPMessage* msg;
					TQString ldap_base_dn = m_basedc;
					TQString ldap_filter = TQString("(&(objectclass=posixAccount)(uid=%1))").arg(m_creds->username);
					retcode = ldap_search_ext_s(ldapconn, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), NULL, 0, NULL, NULL, NULL, 0, &msg);
					if (retcode != LDAP_SUCCESS) {
						if (errstr) *errstr = i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode));
						else KMessageBox::error(0, i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
					}
					else {
						// Iterate through the returned entries
						char* dn = NULL;
						LDAPMessage* entry;
						for(entry = ldap_first_entry(ldapconn, msg); entry != NULL; entry = ldap_next_entry(ldapconn, entry)) {
							if((dn = ldap_get_dn(ldapconn, entry)) != NULL) {
								ldap_dn = dn;
								ldap_memfree(dn);
							}
						}
					}
					// clean up
					ldap_msgfree(msg);
	
					// All done!
					ldap_unbind_ext_s(ldapconn, NULL, NULL);
				}
			}
		}

		retcode = ldap_sasl_bind_s(m_ldap, ldap_dn.ascii(), mechanism, &cred, NULL, NULL, NULL);
printf("[RAJA DEBUG 600.2] ldap_dn: %s\n\r", ldap_dn.ascii()); fflush(stdout);

		if (retcode != LDAP_SUCCESS ) {
			if (errstr) *errstr = i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND));
			else KMessageBox::error(0, i18n("<qt>Unable to connect to LDAP server %1 on port %2<p>Reason: [%3] %4%5</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)).arg(ldapLikelyErrorCause(retcode, ERRORCAUSE_LOCATION_BIND)), i18n("Unable to connect to server!"));
			return -1;
		}

		return 0;
	}
	else {
		return -2;
	}

	return -3;
}

int LDAPManager::unbind(bool force, TQString* errstr) {
printf("[RAJA DEBUG 601.0] In LDAPManager::unbind()\n\r"); fflush(stdout);
	if (!m_ldap) {
		return 0;
	}

	int retcode = ldap_unbind_ext_s(m_ldap, NULL, NULL);
	if ((retcode < 0) && (force == false)) {
		if (errstr) *errstr = i18n("<qt>Unable to disconnect from LDAP server %1 on port %2<p>Reason: [%3] %4</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode));
		else KMessageBox::error(0, i18n("<qt>Unable to disconnect from LDAP server %1 on port %2<p>Reason: [%3] %4</qt>").arg(m_host).arg(m_port).arg(retcode).arg(ldap_err2string(retcode)), i18n("Unable to disconnect from server!"));
		return retcode;
	}
	else {
		m_ldap = 0;
	}
	return retcode;
}

LDAPUserInfo LDAPManager::parseLDAPUserRecord(LDAPMessage* entry) {
	int i;
	char* dn = NULL;
	char* attr;
	struct berval **vals;
	BerElement* ber;

	LDAPUserInfo userinfo;

	if((dn = ldap_get_dn(m_ldap, entry)) != NULL) {
		printf("Returned dn: %s\n", dn);
		userinfo.distinguishedName = dn;
		TQStringList dnParts = TQStringList::split(",", dn);
		TQString id = dnParts[0];
		if (id.startsWith("uid=")) {
			id = id.remove(0, 4);
			userinfo.name = id;
		}
		ldap_memfree(dn);
	}

	for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) {
		if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL)  {
printf("[RAJA DEBUG 100.3] %s: %s\n\r", attr, vals[i]->bv_val);
			userinfo.informationValid = true;
			TQString ldap_field = attr;
			i=0;
			if (ldap_field == "creatorsName") {
				userinfo.creatorsName = vals[i]->bv_val;
			}
			else if (ldap_field == "uidNumber") {
				userinfo.uid = atoi(vals[i]->bv_val);
			}
			else if (ldap_field == "loginShell") {
				userinfo.shell = vals[i]->bv_val;
			}
			else if (ldap_field == "homeDirectory") {
				userinfo.homedir = vals[i]->bv_val;
			}
			else if (ldap_field == "gidNumber") {
				userinfo.primary_gid = atoi(vals[i]->bv_val);
			}
			else if (ldap_field == "tdeBuiltinAccount") {
				userinfo.tde_builtin_account = (TQString(vals[i]->bv_val).upper() == "TRUE")?true:false;
			}
			else if (ldap_field == "krb5KDCFlags") {
				userinfo.status = (LDAPKRB5Flags)(atoi(vals[i]->bv_val));
			}
			else if (ldap_field == "createTimestamp") {		// YYYYMMDD000000Z
				TQString formattedDate = vals[i]->bv_val;
				formattedDate.insert(4,"-");
				formattedDate.insert(7,"-");
				formattedDate.insert(10,"T");
				formattedDate.insert(13,":");
				formattedDate.insert(16,":");
				formattedDate.remove(19, 1);
				userinfo.account_created = TQDateTime::fromString(formattedDate, TQt::ISODate);
			}
			else if (ldap_field == "modifyTimestamp") {		// YYYYMMDD000000Z
				TQString formattedDate = vals[i]->bv_val;
				formattedDate.insert(4,"-");
				formattedDate.insert(7,"-");
				formattedDate.insert(10,"T");
				formattedDate.insert(13,":");
				formattedDate.insert(16,":");
				formattedDate.remove(19, 1);
				userinfo.account_modified = TQDateTime::fromString(formattedDate, TQt::ISODate);
			}
				// FIXME
				// These two attributes do not seem to be available with a Heimdal KDC
				// userinfo.password_last_changed = vals[i]->bv_val;
				// userinfo.password_expires = vals[i]->bv_val;
			else if (ldap_field == "krb5PasswordEnd") {		// YYYYMMDD000000Z
				TQString formattedDate = vals[i]->bv_val;
				formattedDate.insert(4,"-");
				formattedDate.insert(7,"-");
				formattedDate.insert(10,"T");
				formattedDate.insert(13,":");
				formattedDate.insert(16,":");
				formattedDate.remove(19, 1);
				userinfo.password_expiration = TQDateTime::fromString(formattedDate, TQt::ISODate);
			}
				// FIXME
				// These six(!) attributes do not seem to be available with a Heimdal KDC
				// userinfo.password_ages = vals[i]->bv_val;
				// userinfo.new_password_interval = vals[i]->bv_val;
				// userinfo.new_password_warn_interval = vals[i]->bv_val;
				// userinfo.new_password_lockout_delay = vals[i]->bv_val;
				// userinfo.password_has_minimum_age = vals[i]->bv_val;
				// userinfo.password_minimum_age = vals[i]->bv_val;
			else if (ldap_field == "krb5MaxLife") {			// units: hours
				userinfo.maximum_ticket_lifetime = atoi(vals[i]->bv_val);
			}
			else if (ldap_field == "cn") {
				userinfo.commonName = vals[i]->bv_val;
			}
			else if (ldap_field == "givenName") {
				userinfo.givenName = vals[i]->bv_val;
			}
			else if (ldap_field == "sn") {
				userinfo.surName = vals[i]->bv_val;
			}
			else if (ldap_field == "initials") {
				userinfo.initials = vals[i]->bv_val;
			}
			else if (ldap_field == "title") {
				userinfo.title = vals[i]->bv_val;
			}
			else if (ldap_field == "mail") {
				userinfo.email = vals[i]->bv_val;
			}
			else if (ldap_field == "description") {
				userinfo.description = vals[i]->bv_val;
			}
			else if (ldap_field == "l") {
				userinfo.locality = vals[i]->bv_val;
			}
			else if (ldap_field == "telephoneNumber") {
				userinfo.telephoneNumber = vals[i]->bv_val;
			}
			else if (ldap_field == "facsimileTelephoneNumber") {
				userinfo.faxNumber = vals[i]->bv_val;
			}
			else if (ldap_field == "homePhone") {
				userinfo.homePhone = vals[i]->bv_val;
			}
			else if (ldap_field == "mobile") {
				userinfo.mobilePhone = vals[i]->bv_val;
			}
			else if (ldap_field == "pager") {
				userinfo.pagerNumber = vals[i]->bv_val;
			}
			else if (ldap_field == "websiteURL") {
				userinfo.website = vals[i]->bv_val;
			}
			else if (ldap_field == "postOfficeBox") {
				userinfo.poBox = vals[i]->bv_val;
			}
			else if (ldap_field == "street") {
				userinfo.street = vals[i]->bv_val;
			}
			else if (ldap_field == "postalAddress") {
				userinfo.address = vals[i]->bv_val;
			}
			else if (ldap_field == "st") {
				userinfo.state = vals[i]->bv_val;
			}
			else if (ldap_field == "postalCode") {
				userinfo.postcode = vals[i]->bv_val;
			}
			else if (ldap_field == "registeredAddress") {
				userinfo.registeredAddress = vals[i]->bv_val;
			}
			else if (ldap_field == "homePostalAddress") {
				userinfo.homeAddress = vals[i]->bv_val;
			}
			else if (ldap_field == "seeAlso") {
				userinfo.seeAlso = vals[i]->bv_val;
			}
			else if (ldap_field == "physicalDeliveryOfficeName") {
				userinfo.deliveryOffice = vals[i]->bv_val;
			}
			else if (ldap_field == "departmentNumber") {
				userinfo.department = vals[i]->bv_val;
			}
			else if (ldap_field == "roomNumber") {
				userinfo.roomNumber = vals[i]->bv_val;
			}
			else if (ldap_field == "employeeType") {
				userinfo.employeeType = vals[i]->bv_val;
			}
			else if (ldap_field == "employeeNumber") {
				userinfo.employeeNumber = vals[i]->bv_val;
			}
			else if (ldap_field == "managerName") {
				userinfo.manager = vals[i]->bv_val;
			}
			else if (ldap_field == "secretaryName") {
				userinfo.secretary = vals[i]->bv_val;
			}
			else if (ldap_field == "internationaliSDNNumber") {
				userinfo.isdnNumber = vals[i]->bv_val;
			}
			else if (ldap_field == "teletexId") {
				userinfo.teletexID = vals[i]->bv_val;
			}
			else if (ldap_field == "telexNumber") {
				userinfo.telexNumber = vals[i]->bv_val;
			}
			else if (ldap_field == "preferredDelivery") {
				userinfo.preferredDelivery = vals[i]->bv_val;
			}
			else if (ldap_field == "destinationIndicator") {
				userinfo.destinationIndicator = vals[i]->bv_val;
			}
			else if (ldap_field == "x121Address") {
				userinfo.x121Address = vals[i]->bv_val;
			}
			else if (ldap_field == "displayName") {
				userinfo.displayName = vals[i]->bv_val;
			}
			else if (ldap_field == "preferredLanguage") {
				userinfo.preferredLanguage = vals[i]->bv_val;
			}
			else if (ldap_field == "locallyUniqueID") {
				userinfo.uniqueIdentifier = vals[i]->bv_val;
			}
			else if (ldap_field == "businessCategory") {
				userinfo.businessCategory = vals[i]->bv_val;
			}
			else if (ldap_field == "carLicense") {
				userinfo.carLicense = vals[i]->bv_val;
			}
			else if (ldap_field == "notes") {
				userinfo.notes = vals[i]->bv_val;
			}
			ldap_value_free_len(vals);
		}
		ldap_memfree(attr);
	}

	if (ber != NULL) {
		ber_free(ber, 0);
	}

	printf("\n\r");

	return userinfo;
}

LDAPUserInfoList LDAPManager::users(int* mretcode) {
	int retcode;
	LDAPUserInfoList users;
printf("[RAJA DEBUG 100.0] In LDAPManager::users()\n\r"); fflush(stdout);

	if (bind() < 0) {
		if (mretcode) *mretcode = -1;
		return LDAPUserInfoList();
	}
	else {
printf("[RAJA DEBUG 100.1] In LDAPManager::users() bind was OK\n\r"); fflush(stdout);
		LDAPMessage* msg;
		TQString ldap_base_dn = m_basedc;
		TQString ldap_filter = "(objectClass=posixAccount)";
		retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			if (mretcode) *mretcode = -1;
			return LDAPUserInfoList();
		}
		
printf("[RAJA DEBUG 100.2] The number of entries returned was %d\n\n", ldap_count_entries(m_ldap, msg));

		// Iterate through the returned entries
		LDAPMessage* entry;
		for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) {
			users.append(parseLDAPUserRecord(entry));
		}
		
		// clean up
		ldap_msgfree(msg);

		if (mretcode) *mretcode = 0;
		return users;
	}

	return LDAPUserInfoList();
}

LDAPUserInfo LDAPManager::getUserByDistinguishedName(TQString dn) {
	int retcode;
	LDAPUserInfo userinfo;

	if (bind() < 0) {
		return LDAPUserInfo();
	}
	else {
		LDAPMessage* msg;
		struct timeval timeout;
		timeout.tv_sec = 10;	// 10 second timeout
		retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, &timeout, 0, &msg);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return LDAPUserInfo();
		}

		// Iterate through the returned entries
		LDAPMessage* entry;
		for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) {
			userinfo = parseLDAPUserRecord(entry);
		}
		
		// clean up
		ldap_msgfree(msg);

		return userinfo;
	}

	return LDAPUserInfo();
}

LDAPGroupInfo LDAPManager::getGroupByDistinguishedName(TQString dn, TQString *errstr) {
	int retcode;
	LDAPGroupInfo groupinfo;

	if (bind(errstr) < 0) {
		return LDAPGroupInfo();
	}
	else {
		LDAPMessage* msg;
		struct timeval timeout;
		timeout.tv_sec = 10;	// 10 second timeout
		retcode = ldap_search_ext_s(m_ldap, dn.ascii(), LDAP_SCOPE_SUBTREE, NULL, ldap_user_and_operational_attributes, 0, NULL, NULL, &timeout, 0, &msg);
		if (retcode != LDAP_SUCCESS) {
			if (errstr) *errstr = i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode));
			else KMessageBox::error(0, i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return LDAPGroupInfo();
		}

		// Iterate through the returned entries
		LDAPMessage* entry;
		for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) {
			groupinfo = parseLDAPGroupRecord(entry);
		}
		
		// clean up
		ldap_msgfree(msg);

		return groupinfo;
	}

	return LDAPGroupInfo();
}

void create_single_attribute_operation(LDAPMod **mods, int *i, TQString attr, TQString value) {
	if (value != "") {
		char **values = (char**)malloc(2*sizeof(char*));
		values[0] = strdup(value.ascii());
		values[1] = NULL;
		mods[*i]->mod_op = LDAP_MOD_ADD;
		mods[*i]->mod_type = strdup(attr.ascii());
		mods[*i]->mod_values = values;
		(*i)++;
	}
}

void create_multiple_attributes_operation(LDAPMod **mods, int *i, TQString attr, TQStringList strings) {
	int j=0;
	char **values = (char**)malloc((strings.count()+1)*sizeof(char*));
	for ( TQStringList::Iterator it = strings.begin(); it != strings.end(); ++it ) {
		if ((*it) != "") {
			values[j] = strdup((*it).ascii());
			j++;
		}
	}
	values[j] = NULL;
	mods[*i]->mod_op = LDAP_MOD_ADD;
	mods[*i]->mod_type = strdup(attr.ascii());
	mods[*i]->mod_values = values;
	(*i)++;
}

void add_single_attribute_operation(LDAPMod **mods, int *i, TQString attr, TQString value) {
	if (value != "") {
		char **values = (char**)malloc(2*sizeof(char*));
		values[0] = strdup(value.ascii());
		values[1] = NULL;
		mods[*i]->mod_op = LDAP_MOD_REPLACE;
		mods[*i]->mod_type = strdup(attr.ascii());
		mods[*i]->mod_values = values;
		(*i)++;
	}
}

void add_single_binary_attribute_operation(LDAPMod **mods, int *i, TQString attr, TQByteArray &ba) {
	if (ba.size() > 0) {
		struct berval **values = (berval**)malloc(2*sizeof(berval*));
		values[0] = new berval;
		values[0]->bv_len = ba.size();
		values[0]->bv_val = ba.data();
		values[1] = NULL;
		mods[*i]->mod_op = LDAP_MOD_REPLACE|LDAP_MOD_BVALUES;
		mods[*i]->mod_type = strdup(attr.ascii());
		mods[*i]->mod_bvalues = values;
		(*i)++;
	}
}

void add_multiple_attributes_operation(LDAPMod **mods, int *i, TQString attr, TQStringList strings) {
	int j=0;
	char **values = (char**)malloc((strings.count()+1)*sizeof(char*));
	for ( TQStringList::Iterator it = strings.begin(); it != strings.end(); ++it ) {
		if ((*it) != "") {
			values[j] = strdup((*it).ascii());
			j++;
		}
	}
	values[j] = NULL;
	mods[*i]->mod_op = LDAP_MOD_REPLACE;
	mods[*i]->mod_type = strdup(attr.ascii());
	mods[*i]->mod_values = values;
	(*i)++;
}

int LDAPManager::updateUserInfo(LDAPUserInfo user) {
	int retcode;
	int i;
	LDAPUserInfo userinfo;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Assemble the LDAPMod structure
		// We will replace any existing attributes with the new values
		int number_of_parameters = 40;				// 40 primary attributes
		LDAPMod *mods[number_of_parameters+1];
		for (i=0;i<number_of_parameters;i++) {
			mods[i] = new LDAPMod;
			mods[i]->mod_type = NULL;
			mods[i]->mod_values = NULL;
		}
		mods[number_of_parameters] = NULL;

		// Load LDAP modification requests from provided data structure
		i=0;
		add_single_attribute_operation(mods, &i, "uidNumber", TQString("%1").arg(user.uid));
		add_single_attribute_operation(mods, &i, "loginShell", user.shell);
		add_single_attribute_operation(mods, &i, "homeDirectory", user.homedir);
		add_single_attribute_operation(mods, &i, "userPassword", "{SASL}" + user.name + "@" + m_realm.upper());
		add_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(user.primary_gid));
		add_single_attribute_operation(mods, &i, "krb5KDCFlags", TQString("%1").arg(user.status));			// Default active user is 586 [KRB5_ACTIVE_DEFAULT] and locked out user is 7586 [KRB5_DISABLED_ACCOUNT]
// 		add_single_attribute_operation(mods, &i, "", user.password_expires);
// 		add_single_attribute_operation(mods, &i, "", user.password_expiration);
// 		add_single_attribute_operation(mods, &i, "", user.password_ages);
// 		add_single_attribute_operation(mods, &i, "", user.new_password_interval);
// 		add_single_attribute_operation(mods, &i, "", user.new_password_warn_interval);
// 		add_single_attribute_operation(mods, &i, "", user.new_password_lockout_delay);
// 		add_single_attribute_operation(mods, &i, "", user.password_has_minimum_age);
// 		add_single_attribute_operation(mods, &i, "", user.password_minimum_age);
		add_single_attribute_operation(mods, &i, "krb5MaxLife", TQString("%1").arg(user.maximum_ticket_lifetime));
		add_single_attribute_operation(mods, &i, "cn", user.commonName);
		add_single_attribute_operation(mods, &i, "givenName", user.givenName);
		add_single_attribute_operation(mods, &i, "sn", user.surName);
		add_single_attribute_operation(mods, &i, "initials", user.initials);
		add_single_attribute_operation(mods, &i, "title", user.title);
		add_single_attribute_operation(mods, &i, "mail", user.email);
		add_single_attribute_operation(mods, &i, "description", user.description);
		add_single_attribute_operation(mods, &i, "l", user.locality);
		add_single_attribute_operation(mods, &i, "telephoneNumber", user.telephoneNumber);
		add_single_attribute_operation(mods, &i, "facsimileTelephoneNumber", user.faxNumber);
		add_single_attribute_operation(mods, &i, "homePhone", user.homePhone);
		add_single_attribute_operation(mods, &i, "mobile", user.mobilePhone);
		add_single_attribute_operation(mods, &i, "pager", user.pagerNumber);
		add_single_attribute_operation(mods, &i, "websiteURL", user.website);
		add_single_attribute_operation(mods, &i, "postOfficeBox", user.poBox);
		add_single_attribute_operation(mods, &i, "street", user.street);
		add_single_attribute_operation(mods, &i, "postalAddress", user.address);
		add_single_attribute_operation(mods, &i, "st", user.state);
		add_single_attribute_operation(mods, &i, "postalCode", user.postcode);
		add_single_attribute_operation(mods, &i, "registeredAddress", user.registeredAddress);
		add_single_attribute_operation(mods, &i, "homePostalAddress", user.homeAddress);
		add_single_attribute_operation(mods, &i, "seeAlso", user.seeAlso);
		add_single_attribute_operation(mods, &i, "physicalDeliveryOfficeName", user.deliveryOffice);
		add_single_attribute_operation(mods, &i, "departmentNumber", user.department);
		add_single_attribute_operation(mods, &i, "roomNumber", user.roomNumber);
		add_single_attribute_operation(mods, &i, "employeeType", user.employeeType);
		add_single_attribute_operation(mods, &i, "employeeNumber", user.employeeNumber);
		add_single_attribute_operation(mods, &i, "managerName", user.manager);
		add_single_attribute_operation(mods, &i, "secretaryName", user.secretary);
		add_single_attribute_operation(mods, &i, "internationaliSDNNumber", user.isdnNumber);
		add_single_attribute_operation(mods, &i, "teletexId", user.teletexID);
		add_single_attribute_operation(mods, &i, "telexNumber", user.telexNumber);
		add_single_attribute_operation(mods, &i, "preferredDelivery", user.preferredDelivery);
		add_single_attribute_operation(mods, &i, "destinationIndicator", user.destinationIndicator);
		add_single_attribute_operation(mods, &i, "x121Address", user.x121Address);
		add_single_attribute_operation(mods, &i, "displayName", user.displayName);
		add_single_attribute_operation(mods, &i, "preferredLanguage", user.preferredLanguage);
		add_single_attribute_operation(mods, &i, "locallyUniqueID", user.uniqueIdentifier);
		add_single_attribute_operation(mods, &i, "businessCategory", user.businessCategory);
		add_single_attribute_operation(mods, &i, "carLicense", user.carLicense);
		add_single_attribute_operation(mods, &i, "notes", user.notes);
		LDAPMod *prevterm = mods[i];
		mods[i] = NULL;

		// Perform LDAP update
		retcode = ldap_modify_ext_s(m_ldap, user.distinguishedName.ascii(), mods, NULL, NULL);

		// Clean up
		mods[i] = prevterm;
		for (i=0;i<number_of_parameters;i++) {
			if (mods[i]->mod_type != NULL) {
				free(mods[i]->mod_type);
			}
			if (mods[i]->mod_values != NULL) {
				int j = 0;
				while (mods[i]->mod_values[j] != NULL) {
					free(mods[i]->mod_values[j]);
					j++;
				}
				free(mods[i]->mod_values);
			}
			delete mods[i];
		}

		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP modification failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return 0;
		}
	}
}

int LDAPManager::updateGroupInfo(LDAPGroupInfo group) {
	int retcode;
	int i;
	LDAPGroupInfo groupinfo;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Assemble the LDAPMod structure
		// We will replace any existing attributes with the new values
		int number_of_parameters = 3;				// 3 primary attributes
		LDAPMod *mods[number_of_parameters+1];
		for (i=0;i<number_of_parameters;i++) {
			mods[i] = new LDAPMod;
			mods[i]->mod_type = NULL;
			mods[i]->mod_values = NULL;
		}
		mods[number_of_parameters] = NULL;

		// Load LDAP modification requests from provided data structure
		i=0;
		add_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(group.gid));
		TQStringList completeGroupList = group.userlist;
		TQString placeholderGroup = "cn=placeholder," + m_basedc;
		if (!completeGroupList.contains(placeholderGroup)) {
			completeGroupList.prepend(placeholderGroup);
		}
		add_multiple_attributes_operation(mods, &i, "member", completeGroupList);
		// Also populate memberUid attribute from the above list (minus the cn=,dc=... stuff, i.e. just the username)
		TQStringList posixGroupList;
		for ( TQStringList::Iterator it = group.userlist.begin(); it != group.userlist.end(); ++it ) {
			TQString plainUserName = *it;
			int eqpos = plainUserName.find("=")+1;
			int cmpos = plainUserName.find(",", eqpos);
			plainUserName.truncate(cmpos);
			plainUserName.remove(0, eqpos);
			posixGroupList.append(plainUserName);
		}
		add_multiple_attributes_operation(mods, &i, "memberUid", posixGroupList);

		LDAPMod *prevterm = mods[i];
		mods[i] = NULL;

		// Perform LDAP update
		retcode = ldap_modify_ext_s(m_ldap, group.distinguishedName.ascii(), mods, NULL, NULL);

		// Clean up
		mods[i] = prevterm;
		for (i=0;i<number_of_parameters;i++) {
			if (mods[i]->mod_type != NULL) {
				free(mods[i]->mod_type);
			}
			if (mods[i]->mod_values != NULL) {
				int j = 0;
				while (mods[i]->mod_values[j] != NULL) {
					free(mods[i]->mod_values[j]);
					j++;
				}
				free(mods[i]->mod_values);
			}
			delete mods[i];
		}

		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP modification failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return 0;
		}
	}
}

int LDAPManager::addUserInfo(LDAPUserInfo user) {
	int retcode;
	int i;
	LDAPUserInfo userinfo;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Create the base DN entry
		int number_of_parameters = 13;				// 13 primary attributes
		LDAPMod *mods[number_of_parameters+1];
		for (i=0;i<number_of_parameters;i++) {
			mods[i] = new LDAPMod;
			mods[i]->mod_type = NULL;
			mods[i]->mod_values = NULL;
		}
		mods[number_of_parameters] = NULL;

		// Load initial required LDAP object attributes
		i=0;
		create_single_attribute_operation(mods, &i, "uidNumber", TQString("%1").arg(user.uid));
		create_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(user.primary_gid));
		create_multiple_attributes_operation(mods, &i, "objectClass", TQStringList::split(" ", "inetOrgPerson krb5Realm krb5Principal krb5KDCEntry emsUser posixAccount"));
		create_single_attribute_operation(mods, &i, "uid", user.name);
		create_single_attribute_operation(mods, &i, "cn", user.commonName);
		create_single_attribute_operation(mods, &i, "sn", user.surName);
		create_single_attribute_operation(mods, &i, "homeDirectory", user.homedir);
		create_single_attribute_operation(mods, &i, "userPassword", "{SASL}" + user.name + "@" + m_realm.upper());
		// Kerberos
		create_single_attribute_operation(mods, &i, "krb5KeyVersionNumber", "1");
		create_single_attribute_operation(mods, &i, "krb5PrincipalName", TQString(user.name.lower()) + "@" + m_realm.upper());
		create_single_attribute_operation(mods, &i, "krb5RealmName", m_realm.upper());
		// Zivios specific
		create_single_attribute_operation(mods, &i, "emsdescription", "None");
		create_single_attribute_operation(mods, &i, "emsprimarygroupdn", "None");
		create_single_attribute_operation(mods, &i, "emstype", "UserEntry");
		LDAPMod *prevterm = mods[i];
		mods[i] = NULL;

		// Add new object
		retcode = ldap_add_ext_s(m_ldap, user.distinguishedName.ascii(), mods, NULL, NULL);

		// Clean up
		mods[i] = prevterm;
		for (i=0;i<number_of_parameters;i++) {
			if (mods[i]->mod_type != NULL) {
				free(mods[i]->mod_type);
			}
			if (mods[i]->mod_values != NULL) {
				int j = 0;
				while (mods[i]->mod_values[j] != NULL) {
					free(mods[i]->mod_values[j]);
					j++;
				}
				free(mods[i]->mod_values);
			}
			delete mods[i];
		}

		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP addition failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return updateUserInfo(user);
		}
	}
}

int LDAPManager::addGroupInfo(LDAPGroupInfo group) {
	int retcode;
	int i;
	LDAPGroupInfo groupinfo;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Create the base DN entry
		int number_of_parameters = 6;				// 6 primary attributes
		LDAPMod *mods[number_of_parameters+1];
		for (i=0;i<number_of_parameters;i++) {
			mods[i] = new LDAPMod;
			mods[i]->mod_type = NULL;
			mods[i]->mod_values = NULL;
		}
		mods[number_of_parameters] = NULL;

		TQString placeholderGroup = "cn=placeholder," + m_basedc;

		// Load initial required LDAP object attributes
		i=0;
		create_single_attribute_operation(mods, &i, "gidNumber", TQString("%1").arg(group.gid));
		create_multiple_attributes_operation(mods, &i, "objectClass", TQStringList::split(" ", "emsGroup groupOfNames posixGroup"));
		create_single_attribute_operation(mods, &i, "cn", group.name);
		create_multiple_attributes_operation(mods, &i, "member", TQStringList(placeholderGroup));
		// Zivios specific
		create_single_attribute_operation(mods, &i, "emsdescription", "None");
		create_single_attribute_operation(mods, &i, "emstype", "GroupEntry");
		LDAPMod *prevterm = mods[i];
		mods[i] = NULL;

		// Add new object
		retcode = ldap_add_ext_s(m_ldap, group.distinguishedName.ascii(), mods, NULL, NULL);

		// Clean up
		mods[i] = prevterm;
		for (i=0;i<number_of_parameters;i++) {
			if (mods[i]->mod_type != NULL) {
				free(mods[i]->mod_type);
			}
			if (mods[i]->mod_values != NULL) {
				int j = 0;
				while (mods[i]->mod_values[j] != NULL) {
					free(mods[i]->mod_values[j]);
					j++;
				}
				free(mods[i]->mod_values);
			}
			delete mods[i];
		}

		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP addition failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return updateGroupInfo(group);
		}
	}
}

int LDAPManager::deleteUserInfo(LDAPUserInfo user) {
	int retcode;
	LDAPUserInfo userinfo;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Delete the base DN entry
		retcode = ldap_delete_ext_s(m_ldap, user.distinguishedName.ascii(), NULL, NULL);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP deletion failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return 0;
		}
	}
}

int LDAPManager::deleteGroupInfo(LDAPGroupInfo group) {
	int retcode;
	LDAPGroupInfo groupinfo;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Delete the base DN entry
		retcode = ldap_delete_ext_s(m_ldap, group.distinguishedName.ascii(), NULL, NULL);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP deletion failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return 0;
		}
	}
}

int LDAPManager::deleteMachineInfo(LDAPMachineInfo machine) {
	int retcode;
	LDAPMachineInfo machineinfo;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Delete the base DN entry
		retcode = ldap_delete_ext_s(m_ldap, machine.distinguishedName.ascii(), NULL, NULL);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP deletion failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return 0;
		}
	}
}

LDAPGroupInfo LDAPManager::parseLDAPGroupRecord(LDAPMessage* entry) {
	char* dn = NULL;
	char* attr;
	struct berval **vals;
	BerElement* ber;
	int i;

	LDAPGroupInfo groupinfo;

	if((dn = ldap_get_dn(m_ldap, entry)) != NULL) {
		printf("Returned dn: %s\n", dn);
		groupinfo.distinguishedName = dn;
		TQStringList dnParts = TQStringList::split(",", dn);
		TQString id = dnParts[0];
		if (id.startsWith("cn=")) {
			id = id.remove(0, 3);
			groupinfo.name = id;
		}
		ldap_memfree(dn);
	}

	for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) {
		if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL)  {
for(i = 0; vals[i] != NULL; i++) {
	printf("[RAJA DEBUG 110.3] %s: %s\n\r", attr, vals[i]->bv_val);
}
			groupinfo.informationValid = true;
			TQString ldap_field = attr;
			i=0;
			if (ldap_field == "creatorsName") {
				groupinfo.creatorsName = vals[i]->bv_val;
			}
			else if (ldap_field == "member") {
				TQStringList members;
				for(i = 0; vals[i] != NULL; i++) {
					TQString userdn = vals[i]->bv_val;
					if (userdn.startsWith("cn=placeholder,dc=")) {
						continue;
					}
					members.append(userdn);
				}
				groupinfo.userlist = members;
			}
			else if (ldap_field == "gidNumber") {
				groupinfo.gid = atoi(vals[i]->bv_val);
			}
			else if (ldap_field == "tdeBuiltinAccount") {
				groupinfo.tde_builtin_account = (TQString(vals[i]->bv_val).upper() == "TRUE")?true:false;
			}
			ldap_value_free_len(vals);
		}
		ldap_memfree(attr);
	}

	if (ber != NULL) {
		ber_free(ber, 0);
	}

	printf("\n\r");

	return groupinfo;
}

LDAPMachineInfo LDAPManager::parseLDAPMachineRecord(LDAPMessage* entry) {
	char* dn = NULL;
	char* attr;
	struct berval **vals;
	BerElement* ber;
	int i;

	LDAPMachineInfo machineinfo;

	if((dn = ldap_get_dn(m_ldap, entry)) != NULL) {
		printf("Returned dn: %s\n", dn);
		machineinfo.distinguishedName = dn;
		TQStringList dnParts = TQStringList::split(",", dn);
		TQString id = dnParts[0];
		if (id.startsWith("krb5PrincipalName=host/")) {
			id = id.remove(0, 23);
			id.replace("@"+m_realm, "");
			machineinfo.name = id;
		}
		ldap_memfree(dn);
	}

	for( attr = ldap_first_attribute(m_ldap, entry, &ber); attr != NULL; attr = ldap_next_attribute(m_ldap, entry, ber)) {
		if ((vals = ldap_get_values_len(m_ldap, entry, attr)) != NULL)  {
for(i = 0; vals[i] != NULL; i++) {
	printf("[RAJA DEBUG 120.3] %s: %s\n\r", attr, vals[i]->bv_val);
}
			machineinfo.informationValid = true;
			TQString ldap_field = attr;
			i=0;
			if (ldap_field == "creatorsName") {
				machineinfo.creatorsName = vals[i]->bv_val;
			}
			else if (ldap_field == "tdeBuiltinAccount") {
				machineinfo.tde_builtin_account = (TQString(vals[i]->bv_val).upper() == "TRUE")?true:false;
			}
			else if (ldap_field == "krb5KDCFlags") {
				machineinfo.status = (LDAPKRB5Flags)(atoi(vals[i]->bv_val));
			}
			ldap_value_free_len(vals);
		}
		ldap_memfree(attr);
	}

	if (ber != NULL) {
		ber_free(ber, 0);
	}

	printf("\n\r");

	return machineinfo;
}

LDAPGroupInfoList LDAPManager::groups(int* mretcode) {
	int retcode;
	LDAPGroupInfoList groups;
printf("[RAJA DEBUG 110.0] In LDAPManager::groups()\n\r"); fflush(stdout);

	if (bind() < 0) {
		if (mretcode) *mretcode = -1;
		return LDAPGroupInfoList();
	}
	else {
printf("[RAJA DEBUG 110.1] In LDAPManager::groups() bind was OK\n\r"); fflush(stdout);
		LDAPMessage* msg;
		TQString ldap_base_dn = m_basedc;
		TQString ldap_filter = "(objectClass=posixGroup)";
		retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			if (mretcode) *mretcode = -1;
			return LDAPGroupInfoList();
		}
		
printf("[RAJA DEBUG 110.2] The number of entries returned was %d\n\n", ldap_count_entries(m_ldap, msg));

		// Iterate through the returned entries
		LDAPMessage* entry;
		for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) {
			// RAJA
			groups.append(parseLDAPGroupRecord(entry));
		}
		
		// clean up
		ldap_msgfree(msg);

		if (mretcode) *mretcode = 0;
		return groups;
	}

	return LDAPGroupInfoList();
}

LDAPMachineInfoList LDAPManager::machines(int* mretcode) {
	int retcode;
	LDAPMachineInfoList machines;
printf("[RAJA DEBUG 120.0] In LDAPManager::machines()\n\r"); fflush(stdout);

	if (bind() < 0) {
		if (mretcode) *mretcode = -1;
		return LDAPMachineInfoList();
	}
	else {
printf("[RAJA DEBUG 120.1] In LDAPManager::machines() bind was OK\n\r"); fflush(stdout);
		LDAPMessage* msg;
		TQString ldap_base_dn = m_basedc;
		TQString ldap_filter = "(&(objectClass=krb5Principal)(uid=host/*))";
		retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			if (mretcode) *mretcode = -1;
			return LDAPMachineInfoList();
		}
		
printf("[RAJA DEBUG 120.2] The number of entries returned was %d\n\n", ldap_count_entries(m_ldap, msg));

		// Iterate through the returned entries
		LDAPMessage* entry;
		for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) {
			machines.append(parseLDAPMachineRecord(entry));
		}

		// clean up
		ldap_msgfree(msg);

		if (mretcode) *mretcode = 0;
		return machines;
	}

	return LDAPMachineInfoList();
}

int LDAPManager::writeCertificateFileIntoDirectory(TQByteArray cert, TQString attr, TQString* errstr) {
	int retcode;
	int i;

	if (bind() < 0) {
		return -1;
	}
	else {
		// Assemble the LDAPMod structure
		// We will replace any existing attributes with the new values
		int number_of_parameters = 1;				// 1 primary attribute
		LDAPMod *mods[number_of_parameters+1];
		for (i=0;i<number_of_parameters;i++) {
			mods[i] = new LDAPMod;
			mods[i]->mod_type = NULL;
			mods[i]->mod_values = NULL;
		}
		mods[number_of_parameters] = NULL;

		// Load LDAP modification requests from provided data structure
		i=0;
		add_single_binary_attribute_operation(mods, &i, attr, cert);
		LDAPMod *prevterm = mods[i];
		mods[i] = NULL;

		// Perform LDAP update
		retcode = ldap_modify_ext_s(m_ldap, TQString("cn=certificate store,o=tde,cn=tde realm data,ou=master services,ou=core,ou=realm,%1").arg(m_basedc).ascii(), mods, NULL, NULL);	// RAJA FIXME

		// Clean up
		mods[i] = prevterm;
		for (i=0;i<number_of_parameters;i++) {
			if (mods[i]->mod_type != NULL) {
				free(mods[i]->mod_type);
			}
			if (mods[i]->mod_values != NULL) {
				int j = 0;
				while (mods[i]->mod_values[j] != NULL) {
					delete mods[i]->mod_values[j];
					j++;
				}
				free(mods[i]->mod_values);
			}
			delete mods[i];
		}

		if (retcode != LDAP_SUCCESS) {
			if (errstr) *errstr = i18n("<qt>LDAP certificate upload failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode));
			else KMessageBox::error(0, i18n("<qt>LDAP certificate upload failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -2;
		}
		else {
			return 0;
		}
	}
}

// Special method, used when creating a new Kerberos realm
int LDAPManager::moveKerberosEntries(TQString newSuffix, TQString* errstr) {
	int retcode;
printf("[RAJA DEBUG 140.0] In LDAPManager::moveKerberosEntries()\n\r"); fflush(stdout);

	if (bind(errstr) < 0) {
		return -1;
	}
	else {
printf("[RAJA DEBUG 140.1] In LDAPManager::moveKerberosEntries() bind was OK\n\r"); fflush(stdout);
		LDAPMessage* msg;
		TQString ldap_base_dn = m_basedc;
		TQString ldap_filter = "(&(objectClass=krb5Principal)(!(objectClass=posixAccount)))";
		retcode = ldap_search_ext_s(m_ldap, ldap_base_dn.ascii(), LDAP_SCOPE_SUBTREE, ldap_filter.ascii(), ldap_user_and_operational_attributes, 0, NULL, NULL, NULL, 0, &msg);
		if (retcode != LDAP_SUCCESS) {
			KMessageBox::error(0, i18n("<qt>LDAP search failure<p>Reason: [%3] %4</qt>").arg(retcode).arg(ldap_err2string(retcode)), i18n("LDAP Error"));
			return -1;
		}
		
printf("[RAJA DEBUG 140.2] The number of entries returned was %d\n\n", ldap_count_entries(m_ldap, msg));

		// Iterate through the returned entries
		LDAPMessage* entry;
		for(entry = ldap_first_entry(m_ldap, msg); entry != NULL; entry = ldap_next_entry(m_ldap, entry)) {
			char* dn = NULL;
		
			LDAPMachineInfo machineinfo;
		
			if((dn = ldap_get_dn(m_ldap, entry)) != NULL) {
				TQStringList dnParts = TQStringList::split(",", dn);
				TQString id = dnParts[0];
printf("[RAJA DEBUG 140.3] Moving %s to relative DN %s and parent %s", dn, id.ascii(), newSuffix.ascii()); fflush(stdout);
				retcode = ldap_rename_s(m_ldap, dn, id, newSuffix, 0, NULL, NULL);
				if (retcode != LDAP_SUCCESS) {
					if (errstr) *errstr = i18n("LDAP rename failure<p>Reason: [%3] %4").arg(retcode).arg(ldap_err2string(retcode));
					return -1;
				}
			}
		}

		// clean up
		ldap_msgfree(msg);

		return 0;
	}

	return -1;
}

void LDAPManager::writeLDAPConfFile(LDAPRealmConfig realmcfg) {
	KSimpleConfig* systemconfig;
	TQString m_defaultRealm;
	int m_ticketLifetime;
	int m_ldapVersion;
	int m_ldapTimeout;
	TQString m_bindPolicy;
	int m_ldapBindTimeout;
	TQString m_passwordHash;
	TQString m_ignoredUsers;

	systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
	systemconfig->setGroup(NULL);
	m_defaultRealm = systemconfig->readEntry("DefaultRealm", TQString::null);
	m_ticketLifetime = systemconfig->readNumEntry("TicketLifetime", 86400);

	m_ldapVersion = systemconfig->readNumEntry("ConnectionLDAPVersion", 3);
	m_ldapTimeout = systemconfig->readNumEntry("ConnectionLDAPTimeout", 2);
	m_bindPolicy = systemconfig->readEntry("ConnectionBindPolicy", "soft");
	m_ldapBindTimeout = systemconfig->readNumEntry("ConnectionBindTimeout", 2);
	m_passwordHash = systemconfig->readEntry("ConnectionPasswordHash", "exop");
	m_ignoredUsers = systemconfig->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);

	TQFile file(LDAP_FILE);
	if (file.open(IO_WriteOnly)) {
		TQTextStream stream( &file );

		stream << "# This file was automatically generated by TDE\n";
		stream << "# All changes will be lost!\n";
		stream << "\n";

		if (realmcfg.bonded) {
			stream << "host " << realmcfg.admin_server << "\n";
			TQStringList domainChunks = TQStringList::split(".", realmcfg.name.lower());
			stream << "base dc=" << domainChunks.join(",dc=") << "\n";
			stream << "ldap_version " << m_ldapVersion << "\n";
			stream << "timelimit " << m_ldapTimeout << "\n";
			stream << "bind_timelimit " << m_ldapBindTimeout << "\n";
			stream << "bind_policy " << m_bindPolicy.lower() << "\n";
			stream << "pam_password " << m_passwordHash.lower() << "\n";
			stream << "nss_initgroups_ignoreusers " << m_ignoredUsers << "\n";
			stream << "tls_cacert /etc/trinity/ldap/tde-ca/public/argus5.starlink.edu.ldap.crt" << "\n";
		}

		file.close();
	}

	chmod(LDAP_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);

	delete systemconfig;
}

void LDAPManager::writeTDERealmList(LDAPRealmConfigList realms, KSimpleConfig* config) {
	LDAPRealmConfigList::Iterator it;
	for (it = realms.begin(); it != realms.end(); ++it) {
		LDAPRealmConfig realmcfg = it.data();
		TQString configRealmName = realmcfg.name;
		configRealmName.prepend("LDAPRealm-");
		config->setGroup(configRealmName);
		// Save realm settings
		config->writeEntry("bonded", realmcfg.bonded);
		config->writeEntry("uid_offset", realmcfg.uid_offset);
		config->writeEntry("gid_offset", realmcfg.gid_offset);
		config->writeEntry("domain_mappings", realmcfg.domain_mappings);
		config->writeEntry("kdc", realmcfg.kdc);
		config->writeEntry("kdc_port", realmcfg.kdc_port);
		config->writeEntry("admin_server", realmcfg.admin_server);
		config->writeEntry("admin_server_port", realmcfg.admin_server_port);
		config->writeEntry("pkinit_require_eku", realmcfg.pkinit_require_eku);
		config->writeEntry("pkinit_require_krbtgt_otherName", realmcfg.pkinit_require_krbtgt_otherName);
		config->writeEntry("win2k_pkinit", realmcfg.win2k_pkinit);
		config->writeEntry("win2k_pkinit_require_binding", realmcfg.win2k_pkinit_require_binding);
	}

	// Delete any realms that do not exist in the realms database
	TQStringList cfgRealms = config->groupList();
	for (TQStringList::Iterator it(cfgRealms.begin()); it != cfgRealms.end(); ++it) {
		if ((*it).startsWith("LDAPRealm-")) {
			config->setGroup(*it);
			TQString realmName=*it;
			realmName.remove(0,strlen("LDAPRealm-"));
			if (!realms.contains(realmName)) {
				config->deleteGroup(*it);
			}
		}
	}
}

TQString LDAPManager::getMachineFQDN() {
	struct addrinfo hints, *info, *p;
	int gai_result;
	
	char hostname[1024];
	hostname[1023] = '\0';
	gethostname(hostname, 1023);
	
	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_UNSPEC; // IPV4 or IPV6
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_CANONNAME;
	
	if ((gai_result = getaddrinfo(hostname, NULL, &hints, &info)) != 0) {
		return TQString(hostname);
	}
	TQString fqdn = TQString(hostname);
	for (p=info; p!=NULL; p=p->ai_next) {
		fqdn = TQString(p->ai_canonname);
	}
	freeaddrinfo(info);

	return fqdn;
}

// ===============================================================================================================
//
// DATA CLASS CONSTRUCTORS AND DESTRUCTORS
//
// ===============================================================================================================

LDAPCredentials::LDAPCredentials() {
	// TQStrings are always initialized to TQString::null, so they don't need initialization here...
	use_tls = true;
}

LDAPCredentials::~LDAPCredentials() {
	//
}

LDAPUserInfo::LDAPUserInfo() {
	// TQStrings are always initialized to TQString::null, so they don't need initialization here...
	informationValid = false;

	uid = -1;
	primary_gid = -1;
	tde_builtin_account = false;
	status = (LDAPKRB5Flags)0;
	account_created = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate);
	account_modified = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate);
	password_last_changed = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate);
	password_expires = false;
	password_expiration = TQDateTime::fromString("1970-01-01T00:00:00", TQt::ISODate);
	password_ages = false;
	new_password_interval = -1;
	new_password_warn_interval = -1;
	new_password_lockout_delay = -1;
	password_has_minimum_age = false;
	password_minimum_age = -1;
	maximum_ticket_lifetime = -1;
}

LDAPUserInfo::~LDAPUserInfo() {
	//
}

LDAPGroupInfo::LDAPGroupInfo() {
	// TQStrings are always initialized to TQString::null, so they don't need initialization here...
	informationValid = false;

	gid = -1;
	tde_builtin_account = false;
}

LDAPGroupInfo::~LDAPGroupInfo() {
	//
}

LDAPMachineInfo::LDAPMachineInfo() {
	// TQStrings are always initialized to TQString::null, so they don't need initialization here...
	informationValid = false;

	tde_builtin_account = false;
	status = (LDAPKRB5Flags)0;
}

LDAPMachineInfo::~LDAPMachineInfo() {
	//
}

#include "libtdeldap.moc"