From 23042161694c51c48d73ceaa935bceb113ac2f79 Mon Sep 17 00:00:00 2001 From: katagia Date: Sun, 21 Dec 2003 14:52:23 +0000 Subject: [PATCH] improved new modules Added support for hosts. --- lam/lib/account.inc | 47 ++++- lam/lib/modules/account.inc | 166 ++++++++++++++++++ lam/lib/modules/inetOrgPerson.inc | 163 +----------------- lam/lib/modules/posixAccount.inc | 230 ++++++++++++++++++++++--- lam/lib/modules/sambaAccount.inc | 122 +++++++++---- lam/lib/modules/sambaSamAccount.inc | 119 ++++++++++--- lam/lib/modules/shadowAccount.inc | 4 +- lam/templates/account/hostedit.php.new | 73 ++++++++ 8 files changed, 677 insertions(+), 247 deletions(-) create mode 100644 lam/lib/modules/account.inc create mode 100644 lam/templates/account/hostedit.php.new diff --git a/lam/lib/account.inc b/lam/lib/account.inc index ccd0d6af..84cca40f 100644 --- a/lam/lib/account.inc +++ b/lam/lib/account.inc @@ -44,7 +44,6 @@ class cache { * syntax of $attributes is array( scope1 => array ( attributes ), scope2 => array ( attributes ), ...) */ function add_cache($attributes) { - $this->refresh_cache(); // Check input variable $allowed_types = array ( 'user', 'group', 'host', '*' ); if (!is_array($attributes)) trigger_error(_('Argument of add_cache must be : array ( scope => array(attribute1(string), attribute2(string), ..), scope => ... ).'), E_USER_ERROR); @@ -64,6 +63,8 @@ class cache { if (!@in_array($attributes[$scope][$i] ,$this->attributes[$scope])) $this->attributes[$scope][] = $attributes[$scope][$i]; } } + // Rebuild cache + $this->refresh_cache(true); } /* This function returns an array ( dn1 => array(uidnumber1), dn2 => array(uidnumber2), ... ) 
@@ -80,10 +81,39 @@ class cache { } // Return error if objectClass isn't found if ($line==-1) trigger_error (sprintf(_("objectClass %s required but not defined in ldap."), $objectClass), E_USER_WARNING); + + // Create list of all allowed attributes + for ($i=0; $ildap->objectClasses); $i++ ) { + if (strpos($this->ldap->objectClasses[$i], 'MUST (')) { + $string_withtail = substr($this->ldap->objectClasses[$i], strpos($this->ldap->objectClasses[$i], 'MUST (')+6); + // Now we have a string with all must-attributes + $string = substr($string_withtail, 0, strpos($string_withtail, ')')); + $string = trim($string); + $allowed_attributes = array_merge($allowed_attributes, explode(" $ ", $string)); + } + // create array with may-attributes + // Get startposition in string + if (strpos($this->ldap->objectClasses[$i], 'MAY (')) { + $string_withtail = substr($this->ldap->objectClasses[$i], strpos($this->ldap->objectClasses[$i], 'MAY (')+5); + // Now we have a string with all must-attributes + $string = substr($string_withtail, 0, strpos($string_withtail, ')')); + $string = trim($string); + $allowed_attributes = array_merge($allowed_attributes, explode(" $ ", $string)); + } + } + $allowed_attributes = array_unique($allowed_attributes); + if (!in_array($attribute, $allowed_attributes)) trigger_error(_('Attribute not defined in LDAP.'), E_USER_WARNING); + // Everything seems to be OK, start processing data $this->refresh_cache(); if ($singlescope == '*') $scopes = $allowed_types; else $scopes = array ( $singlescope ); + // Add cache entry dynamic + foreach ($scopes as $scope) { + if (!@in_array($attribute ,$this->attributes[$scope])) $add[$scope][] = $attribute; + } + if (count($add)!=0) $this->add_cache($add); + foreach ($scopes as $scope) { if (isset($this->ldapcache[$scope])) { $DNs = array_keys($this->ldapcache[$scope]); 
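Review bot: The schema check added just before `// Everything seems to be OK` only raises `E_USER_WARNING`, so unless a custom error handler aborts, execution continues and the unknown `$attribute` is still collected in `$add` and passed to `add_cache()`, which rebuilds the cache with it. Returning early after the warning would keep names that are not in the schema out of the cached attribute list. `$add` is also never initialised in the visible lines, so `count($add)` runs on an undefined variable when nothing is missing; `$add = array();` before the `foreach` fixes that. The same block is repeated in the `@@ -132,11 +162,17 @@` hunk, and the enclosing function starts outside this hunk.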
@@ -132,11 +162,17 @@ class cache { } $allowed_attributes = array_unique($allowed_attributes); if (!in_array($attribute, $allowed_attributes)) trigger_error(_('Attribute not defined in LDAP.'), E_USER_WARNING); + // Everything seems to be OK, start processing data $this->refresh_cache(); if ($singlescope == '*') $scopes = $allowed_types; else $scopes = array ( $singlescope ); - //print_r($this->ldapcache); + // Add cache entry dynamic + foreach ($scopes as $scope) { + if (!@in_array($attribute ,$this->attributes[$scope])) $add[$scope][] = $attribute; + } + if (count($add)!=0) $this->add_cache($add); + foreach ($scopes as $scope) { if (isset($this->ldapcache[$scope])) { $DNs = array_keys($this->ldapcache[$scope]); @@ -157,8 +193,8 @@ class cache { /* This functions refreshs the cache */ - function refresh_cache() { - if ($time + $this->config->get_cacheTimeoutSec() < time()) { + function refresh_cache($rebuild=false) { + if ($time + $this->config->get_cacheTimeoutSec() < time() || $rebuild) { // unset old cache unset ($this->ldapcache); $scopes = array_keys($this->attributes); @@ -813,7 +849,8 @@ class accountContainer { // Add objects foreach ($attr['objectClass'] as $objectClass) $this->add_objectClass($objectClass); // load attributes - foreach ($attr['objectClass'] as $objectClass) if (isset($this->module[$objectClass])) $this->module[$objectClass]->load_attributes($attr); + foreach ($attr['objectClass'] as $objectClass) + if (isset($this->module[$objectClass])) $this->module[$objectClass]->load_attributes($attr); // sortm modules and make all active because all required attributes should be set $module = array_keys ($this->module); $modulelist = array(); diff --git a/lam/lib/modules/account.inc b/lam/lib/modules/account.inc new file mode 100644 index 00000000..d520fe00 --- /dev/null +++ b/lam/lib/modules/account.inc 
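Review bot: In `refresh_cache()` the condition reads a plain local `$time` that nothing in the visible lines assigns, so the left side of `$time + $this->config->get_cacheTimeoutSec() < time()` would be just the timeout and the test true on every call. If so, the new `$rebuild` flag changes nothing, and each lookup reloads the whole cache from LDAP, now followed by a second reload through `add_cache()`. Keeping the timestamp on the object (the property name here is a suggestion), `if ($this->time + $this->config->get_cacheTimeoutSec() < time() || $rebuild) {` with `$this->time = time();` after the reload, would make the timeout effective. The body of the function continues outside the hunk.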
@@ -0,0 +1,166 @@ +add_objectClass(\'account\');'), E_USER_ERROR); + $this->base = $base; + // account is only a valid objectClass for users + if ($_SESSION[$this->base]->get_type() != 'host') trigger_error(_('account can only be used for hosts.'), E_USER_WARNING); + // Add Array with all attributes and type + $this->attributes = $_SESSION[$this->base]->get_module_attributes('account'); + $_SESSION[$this->base]->add_attributes ('account'); + $this->orig = $this->attributes ; + $this->attributes['objectClass'][0] = 'account'; + // unset userPassword because we handle it separat. + $this->alias = _('account'); + } + + // Variables + // Alias Name. This name is shown in the menu instead of posixAccount + var $alias; + // reference to base-array so we can read other classes in basearray + var $base; + // This variable contains all account attributes + var $attributes; + /* If an account was loaded all attributes are kept in this array + * to compare it with new changed attributes + */ + var $orig; + + /* This function returns a list with all required modules + */ + function dependencies() { + return array('main'); + } + + function module_ready() { + return true; + } + + /* Write variables into object and do some regexp checks + */ + function proccess_attributes($post) { + // Load attributes + $this->attributes['description'][0] = $post['form_account_description']; + + return 0; + } + + /* This function loads all attributes into the object + * $attr is an array as it's retured from ldap_get_attributes + */ + function load_attributes($attr) { + // Load attributes which are displayed + // unset count entries + unset ($attr['count']); + $attributes = array_keys($attr); + foreach ($attributes as $attribute) unset ($attr[$attribute]['count']); + // unset double entries + for ($i=0; $iorig[$attribute])) { + $this->orig[$attribute] = $attr[$attribute]; + // decode as unicode + for ($i=0; $iorig[$attribute]); $i++) $this->orig[$attribute][$i] = utf8_decode 
($this->orig[$attribute][$i]); + } + } + // Values are kept as copy so we can compare old attributes with new attributes + $this->orig['objectClass'][0] = 'account'; + $this->attributes = $this->orig; + return 0; + } + + + + /* This function returns an array with 3 entries: + * array( DN1 ('add' => array($attr), 'remove' => array($attr), 'modify' => array($attr)), DN2 .... ) + * DN is the DN to change. It may be possible to change several DNs, + * e.g. create a new user and add him to some groups via attribute memberUid + * add are attributes which have to be added to ldap entry + * remove are attributes which have to be removed from ldap entry + */ + function save_attributes() { + $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig); + + return $return; + } + + /* This function returns all ldap attributes + * which are part of account and returns + * also their values. + */ + function get_attributes() { + return $this->attributes; + } + + /* This function will create the html-page + * to show a page with all attributes. + * It will output a complete html-table + */ + function display_html_attributes($post) { + echo "\n\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "
" . _('Description') . "attributes['description'][0]."\">" . _('Help') . "
\n"; + return 0; + } + + + } + + + +?> diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc index 43179d4f..a65a25f7 100644 --- a/lam/lib/modules/inetOrgPerson.inc +++ b/lam/lib/modules/inetOrgPerson.inc @@ -60,10 +60,7 @@ class inetOrgPerson { $_SESSION[$this->base]->add_attributes ('inetOrgPerson'); $this->orig = $this->attributes ; $this->attributes['objectClass'][0] = 'inetOrgPerson'; - // unset userPassword because we handle it separat. $this->alias = _('inetOrgPerson'); - // Add attributes which should be cached - $_SESSION[$_SESSION[$this->base]->cache]->add_cache(array ('user' => array('uid'), 'host' => array('uid'))); } // Variables @@ -71,10 +68,6 @@ class inetOrgPerson { var $alias; // reference to base-array so we can read other classes in basearray var $base; - // Use a unix password? - var $userPassword_no; - // Lock account? - var $userPassword_lock; // This variable contains all inetOrgPerson attributes var $attributes; /* If an account was loaded all attributes are kept in this array 
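Review bot: `display_html_attributes()` concatenates `$this->attributes['description'][0]` straight into the echoed markup, apparently inside a `value` attribute (the surrounding HTML is not readable in this view), and `proccess_attributes()` stores `$post['form_account_description']` without any check. A description containing a double quote or markup, whether typed into the form or loaded from the directory by `load_attributes()`, would then be rendered as part of the page. Escape at output: `htmlspecialchars($this->attributes['description'][0], ENT_QUOTES)`. The constructor comment `// account is only a valid objectClass for users` contradicts the `'host'` test below it and should read `// account is only a valid objectClass for hosts`; the `unset userPassword` and `instead of posixAccount` comments look copied from another module.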
@@ -82,33 +75,6 @@ class inetOrgPerson { */ var $orig; - /* $attribute['userPassword'] can't accessed directly because it's enrcypted - * To read / write password function userPassword is needed - * This function will return the unencrypted password when - * called without a variable - * If it's called with a new password, the - * new password will be stored encrypted - */ - function userPassword($newpassword=false) { - if (is_string($newpassword)) { - // Write new password - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv)); - return 0; - } - else { - if ($this->attributes['userPassword'][0]!='') { - // Read existing password if set - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); - return $password; - } - else return ''; - } - } /* This function returns a list with all required modules */ @@ -124,10 +90,6 @@ class inetOrgPerson { */ function proccess_attributes($post) { // Load attributes - if (($this->attributes['uid'][0] != $post['form_inetOrgPerson_uid']) && ereg('[A-Z]$', $post['form_inetOrgPerson_uid'])) - $errors[] = array('WARN', _('Username'), _('You are using a capital letters. This can cause problems because windows isn\'t case-sensitive.')); - $this->attributes['uid'][0] = $post['form_inetOrgPerson_uid']; - $this->attributes['cn'][0] = $this->attributes['uid'][0]; $this->attributes['description'][0] = $post['form_inetOrgPerson_description']; $this->attributes['sn'][0] = $post['form_inetOrgPerson_sn']; $this->attributes['givenName'][0] = $post['form_inetOrgPerson_givenName']; 
@@ -151,67 +113,10 @@ class inetOrgPerson { if ($host!="") $this->attributes['host'][] = $host; } - if ($post['form_inetOrgPerson_userPassword_no']) $this->userPassword_no=true; - else $this->userPassword_no=false; - if ($post['form_inetOrgPerson_userPassword_lock']) $this->userPassword_lock=true; - else $this->userPassword_lock=false; - if (isset($post['form_inetOrgPerson_userPassword'])) { - if ($post['form_inetOrgPerson_userPassword'] != $post['form_inetOrgPerson_userPassword2']) { - $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); - unset ($post['form_inetOrgPerson_userPassword2']); - } - else $this->userPassword($post['form_inetOrgPerson_userPassword']); - } - if ($post['form_inetOrgPerson_genpass']) $this->userPassword(genpasswd()); - // Check if givenname is valid if ( !ereg('^([a-z]|[A-Z]|[-]|[ ]|[ä]|[Ä]|[ö]|[Ö]|[ü]|[Ü]|[ß])+$', $this->attributes['givenName'][0])) $errors[] = array('ERROR', _('Given name'), _('Given name contains invalid characters')); // Check if surname is valid if ( !ereg('^([a-z]|[A-Z]|[-]|[ ]|[ä]|[Ä]|[ö]|[Ö]|[ü]|[Ü]|[ß])+$', $this->attributes['sn'][0])) $errors[] = array('ERROR', _('Surname'), _('Surname contains invalid characters')); - // Check if Username contains only valid characters - if ( !ereg('^([a-z]|[A-Z]|[0-9]|[.]|[-]|[_])+$', $this->attributes['uid'][0])) - $errors[] = array('ERROR', _('Username'), _('Username contains invalid characters. 
Valid characters are: a-z, A-Z, 0-9 and .-_ !')); - // Create automatic useraccount with number if original user already exists - // Reset name to original name if new name is in use - // Set username back to original name if new username is in use - if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($this->attributes['uid'][0],'uid', '*')!=false && ($this->orig['uid'][0]!='')) { - $this->attributes['uid'][0] = $this->orig['uid'][0]; - } - // Change uid to a new uid until a free uid is found - else while ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($this->attributes['uid'][0], 'uid', '*')) { - // get last character of username - $lastchar = substr($this->attributes['uid'][0], strlen($this->attributes['uid'][0])-1, 1); - // Last character is no number - if ( !ereg('^([0-9])+$', $lastchar)) - /* Last character is no number. Therefore we only have to - * add "2" to it. - */ - $this->attributes['uid'][0] = $this->attributes['uid'][0] . '2'; - else { - /* Last character is a number -> we have to increase the number until we've - * found a groupname with trailing number which is not in use. - * - * $i will show us were we have to split groupname so we get a part - * with the groupname and a part with the trailing number - */ - $i=strlen($this->attributes['uid'][0])-1; - $mark = false; - // Set $i to the last character which is a number in $account_new->general_username - while (!$mark) { - if (ereg('^([0-9])+$',substr($this->attributes['uid'][0], $i, strlen($this->attributes['uid'][0])-$i))) $i--; - else $mark=true; - } - // increase last number with one - $firstchars = substr($this->attributes['uid'][0], 0, $i+1); - $lastchars = substr($this->attributes['uid'][0], $i+1, strlen($this->attributes['uid'][0])-$i); - // Put username together - $this->attributes['uid'][0] = $firstchars . 
(intval($lastchars)+1); - } - } - // Show warning if lam has changed username - if ($this->attributes['uid'][0] != $post['form_inetOrgPerson_uid']) $errors[] = array('WARN', _('Username'), _('Username in use. Selected next free username.')); - if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $this->userPassword())) - $errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !')); if ( !ereg('^(\+)*([0-9]|[ ]|[.]|[(]|[)]|[/]|[-])*$', $this->attributes['telephoneNumber'][0])) $errors[] = array('ERROR', _('Telephone number'), _('Please enter a valid telephone number!')); if ( !ereg('^(\+)*([0-9]|[ ]|[.]|[(]|[)]|[/]|[-])*$', $this->attributes['mobileTelephoneNumber'][0])) $errors[] = array('ERROR', _('Mobile number'), _('Please enter a valid mobile number!')); @@ -249,7 +154,6 @@ class inetOrgPerson { // Values are kept as copy so we can compare old attributes with new attributes $this->orig['objectClass'][0] = 'inetOrgPerson'; $this->attributes = $this->orig; - $this->userPassword(''); // Remove old password so it won't displayed as hash return 0; } 
@@ -266,36 +170,6 @@ class inetOrgPerson { $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig); if (isset($return[$_SESSION[$this->base]->dn]['modify']['userPassword'])) unset($return[$_SESSION[$this->base]->dn]['modify']['userPassword']); - // Set unix password - if (count($this->orig['userPassword'])==0) { - // New user or no old password set - if ($this->userPassword_no) { - $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock); - } - else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock)); - } - else { - if ($this->userPassword()!='' || $this->userPassword_no) { - // Write new password - if ($this->userPassword_no) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock); - else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock)); - } - else { // No new password but old password - // (un)lock password - if ($this->userPassword_lock == pwd_is_enabled($this->orig['userPassword'][0])) { - // Split old password hash in {CRYPT} and password-hash - $i = 0; - while ($this->orig['userPassword'][0]{$i} != '}') $i++; - $passwd = substr($this->orig['userPassword'][0], $i+1 ); - $crypt = substr($this->orig['userPassword'][0], 0, $i+1 ); - // remove trailing ! from password hash - if ($passwd{0} == '!') $passwd = substr($passwd, 1); - // Write new password - if ($this->userPassword_lock) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode("$crypt!$passwd"); - else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode("$crypt$passwd"); - } - } - } return $return; } 
@@ -304,9 +178,7 @@ class inetOrgPerson { * also their values. */ function get_attributes() { - $return = $this->attributes; - $return['userPassword'] = $this->userPassword(); - return $return; + return $this->attributes; } /* This function will create the html-page @@ -315,43 +187,12 @@ class inetOrgPerson { */ function display_html_attributes($post) { - echo "\n\n"; - echo '\n"; - echo "\n"; - echo "\n"; - echo "\n"; + echo "
' . _('Username') . "*attributes['uid'][0]."\">" . _('Help') . "
\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; if (isset($this->attributes['host'])) { echo "\n"; echo "\n"; diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc index 74d65449..49138166 100644 --- a/lam/lib/modules/posixAccount.inc +++ b/lam/lib/modules/posixAccount.inc @@ -62,7 +62,7 @@ class posixAccount { if (!is_string($base)) trigger_error(_('Please create a new module object with $accountContainer->add_objectClass(\'posixAccount\');'), E_USER_ERROR); $this->base = $base; // posixAccount is only a valid objectClass for user and host - if (!($_SESSION[$this->base]->get_type() == 'user') && !($_SESSION[$this->base]->get_type() != 'host')) trigger_error(_('posixAccount can only be used for users or hosts.'), E_USER_WARNING); + if (!($_SESSION[$this->base]->get_type() == 'user') && !($_SESSION[$this->base]->get_type() == 'host')) trigger_error(_('posixAccount can only be used for users or hosts.'), E_USER_WARNING); /* Check if ldap conatiner is in array and set type * users are using inetOrgPerson-, hosts account-container */ @@ -73,10 +73,6 @@ class posixAccount { $_SESSION[$this->base]->add_attributes ('posixAccount'); $this->alias = _('posixAccount'); - // Add attributes which should be cached - $_SESSION[$_SESSION[$this->base]->cache]->add_cache(array ('user' => array('cn', 'uid', 'uidNumber'), 'host' => array('cn', 'uid', 'uidNumber'), 'group' => array('cn', 'memberUid'))); - /* Check if at least one group does exist in ldap - */ $groups = findgroups(); // list of all groupnames if (count($groups)==0) trigger_error(_('No groups found in ldap.'), E_USER_WARNING); 
@@ -98,6 +94,10 @@ class posixAccount { var $alias; // name of accountContainer so we can read other classes in accuontArray var $base; + // Use a unix password? + var $userPassword_no; + // Lock account? + var $userPassword_lock; // This variable contains all inetOrgPerson attributes var $attributes; @@ -112,6 +112,37 @@ class posixAccount { var $groups_orig; var $createhomedir; + /* $attribute['userPassword'] can't accessed directly because it's enrcypted + * To read / write password function userPassword is needed + * This function will return the unencrypted password when + * called without a variable + * If it's called with a new password, the + * new password will be stored encrypted + */ + function userPassword($newpassword=false) { + if (is_string($newpassword)) { + // Write new password + if ($newpassword!='') { + $iv = base64_decode($_COOKIE["IV"]); + $key = base64_decode($_COOKIE["Key"]); + $this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv)); + } + else $this->attributes['userPassword'][0] = ''; + return 0; + } + else { + if ($this->attributes['userPassword'][0]!='') { + // Read existing password if set + $iv = base64_decode($_COOKIE["IV"]); + $key = base64_decode($_COOKIE["Key"]); + $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv); + $password = str_replace(chr(00), '', $password); + return $password; + } + else return ''; + } + } + /* This function returns a list with all required modules */ function dependencies() { 
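Review bot: `userPassword()` encrypts with `MCRYPT_MODE_ECB`, which does not use the `$iv` passed to it, so identical passwords yield identical ciphertext in the session and the IV cookie adds nothing. The key and IV come from `$_COOKIE["Key"]` and `$_COOKIE["IV"]` with no check that the cookies exist or that `base64_decode()` returned data of the expected length, so a request without them would not fail cleanly. Guard both branches with `if (!isset($_COOKIE["Key"], $_COOKIE["IV"]))` and stop there, and consider a mode that consumes the IV such as `MCRYPT_MODE_CBC`, provided the IV cookie has the block size that mode needs. In the read branch `str_replace(chr(00), '', $password)` removes NUL bytes anywhere in the value, while `rtrim($password, chr(0))` would strip only the padding. A comment saying that `$this->attributes['userPassword'][0]` holds reversible ciphertext rather than a hash would help the next reader.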
@@ -129,6 +160,8 @@ class posixAccount { */ function proccess_attributes($post) { // Load attributes + $this->attributes['uid'][0] = $post['form_posixAccount_uid']; + $this->attributes['cn'][0] = $this->attributes['uid'][0]; $this->attributes['uidNumber'][0] = $post['form_posixAccount_uidNumber']; $this->attributes['gidNumber'][0] = getgrnam($post['form_posixAccount_gidNumber']); $this->attributes['homeDirectory'][0] = $post['form_posixAccount_homeDirectory']; @@ -136,14 +169,27 @@ class posixAccount { $this->attributes['gecos'][0] = $post['form_posixAccount_gecos']; if ($post['form_posixAccount_createhomedir']) $this->createhomedir = true; else $this->createhomedir = false; + if ($post['form_posixAccount_userPassword_no']) $this->userPassword_no=true; + else $this->userPassword_no=false; + if ($post['form_posixAccount_userPassword_lock']) $this->userPassword_lock=true; + else $this->userPassword_lock=false; + if (isset($post['form_posixAccount_userPassword'])) { + if ($post['form_posixAccount_userPassword'] != $post['form_posixAccount_userPassword2']) { + $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); + unset ($post['form_posixAccount_userPassword2']); + } + else $this->userPassword($post['form_posixAccount_userPassword']); + } + if ($post['form_posixAccount_genpass']) $this->userPassword(genpasswd()); + // Check if UID is valid. If none value was entered, the next useable value will be inserted // load min and may uidNumber - if ($_SESSION[$this->base]['type']=='user') { + if ($_SESSION[$this->base]->type=='user') { $minID = intval($_SESSION[$_SESSION[$this->base]->config]->get_minUID()); $maxID = intval($_SESSION[$_SESSION[$this->base]->config]->get_maxUID()); } - else { + if ($_SESSION[$this->base]->type=='host') { $minID = intval($_SESSION[$_SESSION[$this->base]->config]->get_minMachine()); $maxID = intval($_SESSION[$_SESSION[$this->base]->config]->get_maxMachine()); } 
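Review bot: Replacing the `else` with `if ($_SESSION[$this->base]->type=='host')` leaves `$minID` and `$maxID` unassigned for any other account type, and the constructor only warns about such types instead of stopping. The range checks that follow, outside this hunk, would then compare the uidNumber against undefined values. Either keep the second branch as `else {` or add a final branch that returns an error before the range check. Note also that `$this->attributes['uid'][0]` is assigned from `$post['form_posixAccount_uid']` at the top of the function, before any of the character checks have run.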
@@ -197,13 +243,82 @@ class posixAccount { } } - // Check if Homedir is valid - $this->attributes['homeDirectory'][0] = str_replace('$group', getgrnam($this->attributes['gidNumber'][0]), $this->attributes['homeDirectory'][0]); - if ($this->attributes['uid'][0] != '') - $this->attributes['homeDirectory'][0] = str_replace('$user', $this->attributes['uid'][0], $this->attributes['homeDirectory'][0]); - if ($this->attributes['homeDirectory'][0] != $post['form_posixAccount_homeDirectory']) $errors[] = array('INFO', _('Home directory'), _('Replaced $user or $group in homedir.')); - if ( !ereg('^[/]([a-z]|[A-Z])([a-z]|[A-Z]|[0-9]|[.]|[-]|[_])*([/]([a-z]|[A-Z])([a-z]|[A-Z]|[0-9]|[.]|[-]|[_])*)*$', $this->attributes['homeDirectory'][0] )) - $errors[] = array('ERROR', _('Home directory'), _('Homedirectory contains invalid characters.')); + if ($_SESSION[$this->base]->type=='user') { + if (($this->attributes['uid'][0] != $post['form_posixAccount_uid']) && ereg('[A-Z]$', $post['form_posixAccount_uid'])) + $errors[] = array('WARN', _('Username'), _('You are using a capital letters. 
This can cause problems because windows isn\'t case-sensitive.')); + // Check if Homedir is valid + $this->attributes['homeDirectory'][0] = str_replace('$group', getgrnam($this->attributes['gidNumber'][0]), $this->attributes['homeDirectory'][0]); + if ($this->attributes['uid'][0] != '') + $this->attributes['homeDirectory'][0] = str_replace('$user', $this->attributes['uid'][0], $this->attributes['homeDirectory'][0]); + if ($this->attributes['homeDirectory'][0] != $post['form_posixAccount_homeDirectory']) $errors[] = array('INFO', _('Home directory'), _('Replaced $user or $group in homedir.')); + if ( !ereg('^[/]([a-z]|[A-Z])([a-z]|[A-Z]|[0-9]|[.]|[-]|[_])*([/]([a-z]|[A-Z])([a-z]|[A-Z]|[0-9]|[.]|[-]|[_])*)*$', $this->attributes['homeDirectory'][0] )) + $errors[] = array('ERROR', _('Home directory'), _('Homedirectory contains invalid characters.')); + // Check if Username contains only valid characters + if ( !ereg('^([a-z]|[A-Z]|[0-9]|[.]|[-]|[_])+$', $this->attributes['uid'][0])) + $errors[] = array('ERROR', _('Username'), _('Username contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and .-_ !')); + } + + if ($_SESSION[$this->base]->type=='host') { + if (($this->attributes['uid'][0] != $post['form_account_uid']) && ereg('[A-Z]$', $post['form_account_uid'])) + $errors[] = array('WARN', _('Hostname'), _('You are using a capital letters. This can cause problems because windows isn\'t case-sensitive.')); + // Check if Username contains only valid characters + if ( !ereg('^([a-z]|[A-Z]|[0-9]|[.]|[-]|[_])+[$]$', $this->attributes['uid'][0])) + $errors[] = array('ERROR', _('Hostname'), _('Hostname contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and .-_ ! 
Hostname must end with $ !')); + } + + // Create automatic useraccount with number if original user already exists + // Reset name to original name if new name is in use + // Set username back to original name if new username is in use + if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($this->attributes['uid'][0],'uid', '*')!=false && ($this->orig['uid'][0]!='')) { + $this->attributes['uid'][0] = $this->orig['uid'][0]; + } + // Change uid to a new uid until a free uid is found + else while ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($this->attributes['uid'][0], 'uid', '*')) { + if ($_SESSION[$this->base]->type=='host') $this->attributes['uid'][0] = substr($this->attributes['uid'][0], 0, -1); + // get last character of username + $lastchar = substr($this->attributes['uid'][0], strlen($this->attributes['uid'][0])-1, 1); + // Last character is no number + if ( !ereg('^([0-9])+$', $lastchar)) + /* Last character is no number. Therefore we only have to + * add "2" to it. + */ + if ($_SESSION[$this->base]->type=='host') $this->attributes['uid'][0] = $this->attributes['uid'][0] . '2$'; + else $this->attributes['uid'][0] = $this->attributes['uid'][0] . '2'; + else { + /* Last character is a number -> we have to increase the number until we've + * found a groupname with trailing number which is not in use. 
+ * + * $i will show us were we have to split groupname so we get a part + * with the groupname and a part with the trailing number + */ + $i=strlen($this->attributes['uid'][0])-1; + $mark = false; + // Set $i to the last character which is a number in $account_new->general_username + while (!$mark) { + if (ereg('^([0-9])+$',substr($this->attributes['uid'][0], $i, strlen($this->attributes['uid'][0])-$i))) $i--; + else $mark=true; + } + // increase last number with one + $firstchars = substr($this->attributes['uid'][0], 0, $i+1); + $lastchars = substr($this->attributes['uid'][0], $i+1, strlen($this->attributes['uid'][0])-$i); + // Put username together + if ($_SESSION[$this->base]->type=='host') $this->attributes['uid'][0] = $firstchars . (intval($lastchars)+1)."$"; + else $this->attributes['uid'][0] = $firstchars . (intval($lastchars)+1); + } + } + + // Show warning if lam has changed username + if ($_SESSION[$this->base]->type=='user') + if ($this->attributes['uid'][0] != $post['form_posixAccount_uid']) { + $errors[] = array('WARN', _('Username'), _('Username in use. Selected next free username.')); + } + if ($_SESSION[$this->base]->type=='host') + if ($this->attributes['uid'][0] != $post['form_posixAccount_uid']) { + $errors[] = array('WARN', _('Hostname'), _('Hostname in use. Selected next free hostname.')); + } + + if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $this->userPassword())) + $errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !')); // Return error-messages if (is_array($errors)) return $errors; // Go to additional group page when no error did ocour and button was pressed 
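Review bot: The home-directory pattern test now sits inside `if ($_SESSION[$this->base]->type=='user')`, so for hosts `$post['form_posixAccount_homeDirectory']` ends up in `$this->attributes['homeDirectory'][0]` with no validation, where the removed lines checked it for every type. Move the `ereg('^[/]...` test back out of the user branch or repeat it in the host branch. The host branch also compares against `$post['form_account_uid']` although the value is read from `$post['form_posixAccount_uid']` earlier in the function, so its capital-letter warning may look at a field the form never sends. The password error text lists `$` and `=` as valid characters, but neither appears in the pattern in front of it.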
@@ -259,6 +374,7 @@ class posixAccount { // Values are kept as copy so we can compare old attributes with new attributes $this->attributes['objectClass'][0] = 'posixAccount'; $this->orig = $this->attributes; + // get all additional groupmemberships $dn_groups = $_SESSION[$_SESSION[$this->base]->cache]->get_cache('memberUid', 'posixGroup', 'group'); $DNs = array_keys($dn_groups); 
@@ -283,6 +399,39 @@ class posixAccount { function save_attributes() { $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig); + if (isset($return[$_SESSION[$this->base]->dn]['modify']['userPassword'])) + unset($return[$_SESSION[$this->base]->dn]['modify']['userPassword']); + // Set unix password + if (count($this->orig['userPassword'])==0) { + // New user or no old password set + if ($this->userPassword_no) { + $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock); + } + else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock)); + } + else { + if (($this->attributes['userPassword'][0] != $this->orig['userPassword'][0] && $this->userPassword()!='' ) || $this->userPassword_no) { + // Write new password + if ($this->userPassword_no) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = pwd_hash ('', !$this->userPassword_lock); + else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode(pwd_hash ($this->userPassword(), !$this->userPassword_lock)); + } + else { // No new password but old password + // (un)lock password + if ($this->userPassword_lock == pwd_is_enabled($this->orig['userPassword'][0])) { + // Split old password hash in {CRYPT} and password-hash + $i = 0; + while ($this->orig['userPassword'][0]{$i} != '}') $i++; + $passwd = substr($this->orig['userPassword'][0], $i+1 ); + $crypt = substr($this->orig['userPassword'][0], 0, $i+1 ); + // remove trailing ! 
from password hash + if ($passwd{0} == '!') $passwd = substr($passwd, 1); + // Write new password + if ($this->userPassword_lock) $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode("$crypt!$passwd"); + else $return[$_SESSION[$this->base]->dn]['modify']['userPassword'][0] = utf8_encode("$crypt$passwd"); + } + } + } + // Remove primary group from additional groups for ($i=0; $igroups); $i++) { if ($this->groups[$i]==getgrnam($this->attributes['gidNumber'])) unset($this->groups[$i]); @@ -336,7 +485,9 @@ class posixAccount { * also their values. */ function get_attributes() { - return $this->attributes; + $return = $this->attributes; + $return['userPassword'] = $this->userPassword(); + return $return; } /* This function will create the html-page @@ -346,12 +497,25 @@ class posixAccount { function display_html_attributes($post) { $groups = findgroups(); // list of all groupnames $shelllist = getshells(); // list of all valid shells - echo "
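Review bot: The `while ($this->orig['userPassword'][0]{$i} != '}') $i++;` scan in the lock/unlock branch has no upper bound. A stored userPassword without a `{SCHEME}` prefix (a cleartext or hand-imported value) never satisfies the condition, so the loop runs until the request is killed. Use `$i = strpos($this->orig['userPassword'][0], '}');` and skip the rewrite when the result `=== false`, leaving the stored value untouched. The branch then reads `$passwd{0}`, which is also undefined when nothing follows the prefix, so guard it with `$passwd != ''`. save_attributes continues past the end of this hunk.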
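Review bot: `$return['userPassword'] = $this->userPassword();` in get_attributes() replaces the stored attribute with whatever the accessor returns, which appears to be the cleartext password, since the same accessor feeds `pwd_hash()` in save_attributes. Every caller of get_attributes() now receives that value, and as a bare string where the other entries are `[name][0]` lists. Unless a caller needs it, drop the line and let that caller use `userPassword()` directly. If it has to stay, document it above the assignment: `// 'userPassword' is the cleartext password (string, not a list); never log or echo it`.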
" . _('Description') . "attributes['description'][0]."\">" . _('Help') . "
" . _('Password') . "userPassword()."\">
" . _('Repeat password') . "userPassword(); - echo "\">
" . _('Use no password') . "userPassword_no) echo " checked "; - echo ">" . _('Help') . "
" . _('Lock password') . "userPassword_lock) echo " checked "; - echo ">" . _('Help') . "
" . _('Unix workstations') . "
\n\n"; + if ($this->attributes['userPassword'][0] != $this->orig['userPassword'][0]) $password=$this->userPassword(); + else $password=''; + echo "
\n"; + echo "\n"; + echo '\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; echo "\n"; echo "\n"; echo "\n"; } - } - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - if ($_SESSION[$this->base]->type=='user') { + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; if (count($shelllist)!=0) { echo "\n"; echo "\n"; diff --git a/lam/lib/modules/sambaAccount.inc b/lam/lib/modules/sambaAccount.inc index d99f582d..55c071b7 100644 --- a/lam/lib/modules/sambaAccount.inc +++ b/lam/lib/modules/sambaAccount.inc @@ -133,7 +133,7 @@ class sambaAccount { return 0; } else { - if ($this->useunixpwd) return $_SESSION[$this->base]->module['inetOrgPerson']->userPassword(); + if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword(); if ($this->attributes['lmPassword'][0]!='') { // Read existing password if set $iv = base64_decode($_COOKIE["IV"]); 
@@ -151,7 +151,32 @@ class sambaAccount { /* Write variables into object and do some regexp checks */ function proccess_attributes($post) { - // Load attributes + $this->attributes['domain'][0] = $post['form_sambaAccount_domain']; + // Start character + $flag = "["; + if ($post['form_sambaAccount_acctFlagsD']) $flag .= "D"; + if ($post['form_sambaAccount_acctFlagsX']) $flag .= "X"; + if ($post['form_sambaAccount_acctFlagsN']) $flag .= "N"; + if ($post['form_sambaAccount_acctFlagsS']) $flag .= "S"; + if ($post['form_sambaAccount_acctFlagsH']) $flag .= "H"; + if ($post['form_sambaAccount_acctFlagsW']) $flag .= "W"; + if ($post['form_sambaAccount_acctFlagsU']) $flag .= "U"; + // Expand string to fixed length + $flag = str_pad($flag, 12); + // End character + $flag = $flag. "]"; + $this->attributes['acctFlags'][0] = $flag; + + if ($_SESSION[$this->base]->type=='host') { + $this->attributes['primaryGroupID'][0] = $this->rids[_('Domain Computers')]; + if ($post['form_sambaAccount_ResetSambaPassword']) { + // *** fixme. What is the default password? + $this->lmPassword(''); + $_SESSION[$this->base]->module['posixAccount']->userPassword(''); + } + } + + // Check values if ($_SESSION[$this->base]->type=='user') { $this->attributes['pwdCanChange'][0] = mktime($post['form_sambaAccount_pwdCanChange_h'], $post['form_sambaAccount_pwdCanChange_m'], $post['form_sambaAccount_pwdCanChange_s'], $post['form_sambaAccount_pwdCanChange_mon'], $post['form_sambaAccount_pwdCanChange_day'], $post['form_sambaAccount_pwdCanChange_yea']); 
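Review bot: Ticking the reset box on a host stores the empty string as both the Samba and the Unix password (`$this->lmPassword('')` and `...->module['posixAccount']->userPassword('')`), and the `*** fixme` comment shows the default was never decided. An empty machine-account password is a usable credential, so it should not be the reset value. Until a default is chosen, reject the request instead of storing `''`, for example `$errors[] = array('ERROR', _('Reset password'), _('No default host password is defined yet.'));`. The sambaSamAccount hunk `@@ -175,6 +174,15 @@` adds the same pair of calls. proccess_attributes continues beyond this hunk.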
@@ -180,26 +205,19 @@ class sambaAccount { } if ($post['form_sambaAccount_useunixpwd']) $this->useunixpwd = true; else $this->useunixpwd = false; - } - $this->attributes['domain'][0] = $post['form_sambaAccount_domain']; - // Start character - $flag = "["; - if ($post['form_sambaAccount_acctFlagsD']) $flag .= "D"; - if ($post['form_sambaAccount_acctFlagsX']) $flag .= "X"; - if ($post['form_sambaAccount_acctFlagsN']) $flag .= "N"; - if ($post['form_sambaAccount_acctFlagsS']) $flag .= "S"; - if ($post['form_sambaAccount_acctFlagsH']) $flag .= "H"; - if ($post['form_sambaAccount_acctFlagsW']) $flag .= "W"; - if ($post['form_sambaAccount_acctFlagsU']) $flag .= "U"; - // Expand string to fixed length - $flag = str_pad($flag, 12); - // End character - $flag = $flag. "]"; - $this->attributes['acctFlags'][0] = $flag; - - // Check values - if ($_SESSION[$this->base]->type=='user') { + if ($post['form_sambaAccount_rid']== _('Administrator')) { + $this->attributes['rid'][0] = "500"; + // Do a check if an administrator already exists + if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache("500", 'rid', 'user')) + $errors[] = array('ERROR', _('Special user'), _('There can be only one administrator per domain.')); + } + if ($post['form_sambaAccount_rid']== _('Guest')) { + $this->attributes['rid'][0] = "501"; + // Do a check if an administrator already exists + if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache("501", 'rid', 'user')) + $errors[] = array('ERROR', _('Special user'), _('There can be only one guest per domain.')); + } $this->attributes['smbHome'][0] = str_replace('$user', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['smbHome'][0]); $this->attributes['smbHome'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['smbHome'][0]); if ($this->attributes['smbHome'][0] != stripslashes($post['form_sambaAccount_smbHome'])) $errors[] = array('INFO', _('Home path'), 
_('Inserted user- or groupname in HomePath.')); @@ -312,6 +330,17 @@ class sambaAccount { * modify are attributes which have to been modified in ldap entry */ function save_attributes() { + /* Create sambaSID. Can't create it while loading attributes because + * it's psssible uidNumber has changed + */ + $special = false; + if ($this->attributes['rid'][0] == "500") $special = true; + if ($this->attributes['rid'][0] == "501") $special = true; + if ($this->attributes['rid'][0] == "515") $special = true; + if (!$special) $this->attributes['rid'][0] == $_SESSION[$this->base]->module['posixAccount']->attributes['uidNumber'][0]*2+1000; + + + $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig); // Set password if (isset($return[$_SESSION[$this->base]->dn]['modify']['lmPassword'])) @@ -368,13 +397,15 @@ class sambaAccount { echo "\">\n"; echo "\n"; echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - echo ""; - echo "\n"; + if ($_SESSION[$this->base]->module['posixAccount']->orig['userPassword'][0] != $_SESSION[$this->base]->module['posixAccount']->attributes['userPassword'][0]) { + echo "\n"; + echo "\n"; + echo "\n"; + echo ""; + echo "\n"; + } echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "\n"; echo "
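Review bot: In the special-user branch `$this->attributes['rid'][0] = "500";` is assigned before the uniqueness check, so the object keeps the administrator RID even when the error is raised (likewise `"501"` for guest). Test first and assign only when the RID is free: `if (...->in_cache("500", 'rid', 'user')) $errors[] = ...; else $this->attributes['rid'][0] = "500";`. The comment on the guest check still reads `// Do a check if an administrator already exists` and should name the guest. The sambaSamAccount hunk `@@ -204,11 +212,20 @@` repeats both the ordering and the comment. The enclosing function starts and ends outside this hunk.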
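Review bot: `if (!$special) $this->attributes['rid'][0] == ...['uidNumber'][0]*2+1000;` is a comparison whose result is discarded, so the RID is never derived from uidNumber and the value from the form or LDAP is saved unchanged. It should be an assignment: `if (!$special) $this->attributes['rid'][0] = $_SESSION[$this->base]->module['posixAccount']->attributes['uidNumber'][0]*2+1000;`. The sambaSamAccount save_attributes hunk `@@ -322,6 +335,21 @@` has the same `==` on `sambaSID`. The block comment says "Create sambaSID" although this module writes `rid`. save_attributes continues past the hunk.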
' . _('Username') . "*attributes['uid'][0]."\">" . _('Help') . "
" . _('UID number') ."attributes['uidNumber'][0]."\">" . _('Help') . "
" . _('Gecos') . "attributes['gecos'][0]."\">" . _('Help') . "
" . _('Primary group') . "*
" . _('Gecos') . "attributes['gecos'][0]."\">" . _('Help') . "
" . _('Password') . "
" . _('Repeat password') . "
" . _('Use no password') . "userPassword_no) echo " checked "; + echo ">" . _('Help') . "
" . _('Lock password') . "userPassword_lock) echo " checked "; + echo ">" . _('Help') . "
" . _('Login shell') . "*
" . _('Use unix password') . "useunixpwd) echo " checked "; - echo ">" . _('Help') . "
" . _('Use unix password') . "useunixpwd) echo " checked "; + echo ">" . _('Help') . "
" . _('Use no password') . "" . _('Help') . "
" . _('Special user') . "" . _('Help-XX') . "
" . _('Domain') . "attributes['domain'][0] . "\">" . _('Help') . "
\n"; } - else { - + if ($_SESSION[$this->base]->type=='host') { + echo ''; + echo "\n\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "
" . _('Reset password') . "
" . _('Domain') . "attributes['domain'][0] . "\">" . _('Help') . "
\n"; } return 0; } diff --git a/lam/lib/modules/sambaSamAccount.inc b/lam/lib/modules/sambaSamAccount.inc index 9e347d29..10f2f528 100644 --- a/lam/lib/modules/sambaSamAccount.inc +++ b/lam/lib/modules/sambaSamAccount.inc @@ -133,7 +133,7 @@ class sambaSamAccount { return 0; } else { - if ($this->useunixpwd) return $_SESSION[$this->base]->module['inetOrgPerson']->userPassword(); + if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword(); if ($this->attributes['sambaLMPassword'][0]!='') { // Read existing password if set $iv = base64_decode($_COOKIE["IV"]); @@ -158,7 +158,6 @@ class sambaSamAccount { for ($i=0; $iattributes['sambaDomainName'][0] == $sambaDomains[$i]->name) { $SID = $sambaDomains[$i]->SID; - $RIDbase = $sambaDomain[$i]->RIDbase; } $flag = "["; @@ -175,6 +174,15 @@ class sambaSamAccount { $flag = $flag. "]"; $this->attributes['sambaAcctFlags'][0] = $flag; + if ($_SESSION[$this->base]->type=='host') { + $this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[_('Domain Computers')]; + if ($post['form_sambaSamAccount_ResetSambaPassword']) { + // *** fixme. What is the default password? + $this->sambaLMPassword(''); + $_SESSION[$this->base]->module['posixAccount']->userPassword(''); + } + } + if ($_SESSION[$this->base]->type=='user') { $this->attributes['sambaPwdCanChange'][0] = mktime($post['form_sambaSamAccount_sambaPwdCanChange_h'], $post['form_sambaSamAccount_sambaPwdCanChange_m'], $post['form_sambaSamAccount_sambaPwdCanChange_s'], $post['form_sambaSamAccount_sambaPwdCanChange_mon'], $post['form_sambaSamAccount_sambaPwdCanChange_day'], $post['form_sambaSamAccount_sambaPwdCanChange_yea']); 
@@ -204,11 +212,20 @@ class sambaSamAccount { } if ($post['form_sambaSamAccount_useunixpwd']) $this->useunixpwd = true; else $this->useunixpwd = false; - } - - // Check values - if ($_SESSION[$this->base]->type=='user') { + if ($post['form_sambaSamAccount_sambaSID']== _('Administrator')) { + $this->attributes['sambaSID'][0] = $SID."-500"; + // Do a check if an administrator already exists + if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($SID."-500", 'sambaSID', 'user')) + $errors[] = array('ERROR', _('Special user'), _('There can be only one administrator per domain.')); + } + if ($post['form_sambaSamAccount_sambaSID']== _('Guest')) { + $this->attributes['sambaSID'][0] = $SID."-501"; + // Do a check if an administrator already exists + if ($_SESSION[$_SESSION[$this->base]->cache]->in_cache($SID."-501", 'sambaSID', 'user')) + $errors[] = array('ERROR', _('Special user'), _('There can be only one guest per domain.')); + } + // Check values $this->attributes['sambaHomePath'][0] = str_replace('$user', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['uid'][0], $this->attributes['sambaHomePath'][0]); $this->attributes['sambaHomePath'][0] = str_replace('$group', $_SESSION[$this->base]->module['inetOrgPerson']->attributes['gid'][0], $this->attributes['sambaHomePath'][0]); if ($this->attributes['sambaHomePath'][0] != stripslashes($post['form_sambaSamAccount_sambaHomePath'])) $errors[] = array('INFO', _('Home path'), _('Inserted user- or groupname in HomePath.')); 
@@ -230,10 +247,6 @@ class sambaSamAccount { $errors[] = array('ERROR', _('Profile path'), _('Profile path is invalid!')); } - if ((!$this->attributes['sambaDomainName'][0]=='') && !ereg('^([a-z]|[A-Z]|[0-9]|[-])+$', $this->attributes['sambaDomainName'][0])) - $errors[] = array('ERROR', _('Domain name'), _('Domain name contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and -.')); - - if (is_array($errors)) return $errors; if ($post['form_sambaSamAccount_sambaUserWorkstations']) return 'sambaUserWorkstations'; return 0; @@ -322,6 +335,21 @@ class sambaSamAccount { * modify are attributes which have to been modified in ldap entry */ function save_attributes() { + /* Create sambaSID. Can't create it while loading attributes because + * it's psssible uidNumber has changed + */ + // Get Domain SID from name + $sambaDomains = $_SESSION[$_SESSION[$this->base]->ldap]->search_domains($_SESSION[$_SESSION[$this->base]->config]->get_domainSuffix()); + for ($i=0; $iattributes['sambaDomainName'][0] == $sambaDomains[$i]->name) { + $SID = $sambaDomains[$i]->SID; + $RIDbase = $sambaDomain[$i]->RIDbase; + } + $special = false; + if ($this->attributes['sambaSID'][0] == $SID."-500") $special = true; + if ($this->attributes['sambaSID'][0] == $SID."-501") $special = true; + if (!$special) $this->attributes['sambaSID'][0] == $SID."-".($_SESSION[$this->base]->module['posixAccount']->attributes['uidNumber'][0]*2+$RIDbase); + $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig); // Set password if (isset($return[$_SESSION[$this->base]->dn]['modify']['sambaLMPassword'])) 
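Review bot: `$RIDbase = $sambaDomain[$i]->RIDbase;` in save_attributes reads `$sambaDomain`, while the array returned by search_domains() is `$sambaDomains`. `$RIDbase` therefore ends up empty and the computed SID would use a base of 0. The line should read `$RIDbase = $sambaDomains[$i]->RIDbase;`. `$SID` and `$RIDbase` are also only set inside the name match, so when no domain matches, the comparisons against `$SID."-500"` run on an undefined prefix. Initialise both before the loop and raise an error if they stay unset. The loop header is garbled in this view and the function continues beyond the hunk.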
@@ -355,16 +383,16 @@ class sambaSamAccount { * It will output a complete html-table */ function display_html_attributes($post) { + // Get Domain SID from name + $sambaDomains = $_SESSION[$_SESSION[$this->base]->ldap]->search_domains($_SESSION[$_SESSION[$this->base]->config]->get_domainSuffix()); + for ($i=0; $iname; + if ($this->attributes['sambaDomainName'][0] == $sambaDomains[$i]->name) + $SID = $sambaDomains[$i]->SID; + } if ($_SESSION[$this->base]->type=='user') { $canchangedate = getdate($this->attributes['sambaPwdCanChange'][0]); $mustchangedate = getdate($this->attributes['sambaPwdMustChange'][0]); - // Get Domain SID from name - $sambaDomains = $_SESSION[$_SESSION[$this->base]->ldap]->search_domains($_SESSION[$_SESSION[$this->base]->config]->get_domainSuffix()); - for ($i=0; $iname; - if ($this->attributes['sambaDomainName'][0] == $sambaDomains[$i]->name) - $SID = $sambaDomains[$i]->SID; - } echo ''. ''. ''. @@ -385,13 +413,15 @@ class sambaSamAccount { echo "\">\n"; echo "\n"; echo "\n"; - echo "\n"; - echo "" . _('Use unix password') . "\n"; - echo "useunixpwd) echo " checked "; - echo ">\n"; - echo "" . _('Help') . ""; - echo "\n"; + if ($_SESSION[$this->base]->module['posixAccount']->orig['userPassword'][0] != $_SESSION[$this->base]->module['posixAccount']->attributes['userPassword'][0]) { + echo "\n"; + echo "" . _('Use unix password') . "\n"; + echo "useunixpwd) echo " checked "; + echo ">\n"; + echo "" . _('Help') . ""; + echo "\n"; + } echo "\n"; echo "" . _('Use no password') . "\n"; echo "" . _('Help') . "\n"; echo "\n"; echo "\n"; + echo "" . _('Special user') . "\n"; + echo "\n"; + echo "" . _('Help-XX') . "\n"; + echo "\n"; + echo "\n"; echo "" . _('Domain') . "\n"; echo "'; + echo "\n\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "
" . _('Reset password') . "
" . _('Domain') . "" . _('Help') . "
\n"; } return 0; } @@ -575,4 +641,5 @@ class sambaSamAccount { + ?> diff --git a/lam/lib/modules/shadowAccount.inc b/lam/lib/modules/shadowAccount.inc index 616637ce..c996896e 100644 --- a/lam/lib/modules/shadowAccount.inc +++ b/lam/lib/modules/shadowAccount.inc @@ -95,7 +95,7 @@ class shadowAccount { /* This function returns a list with all required modules */ function dependencies() { - return array('inetOrgPerson'); + return array('posixAccount'); } function module_ready() { @@ -162,7 +162,7 @@ class shadowAccount { $return = $_SESSION[$this->base]->save_module_attributes($this->attributes, $this->orig); // Set shadowLastchange manual. - if ($_SESSION[$this->base]->module['inetOrgPerson']->userPassword()!='' || $_SESSION[$this->base]->module['inetOrgPerson']->userPassword_no) + if (($_SESSION[$this->base]->module['posixAccount']->orig['userPassword'][0] != $_SESSION[$this->base]->module['posixAccount']->attributes['userPassword'][0] && $_SESSION[$this->base]->module['posixAccount']->userPassword()!='') || $_SESSION[$this->base]->module['posixAccount']->userPassword_no) $return[$_SESSION[$this->base]->dn]['modify']['shadowLastChange'] = array(intval(time()/3600/24)); return $return; diff --git a/lam/templates/account/hostedit.php.new b/lam/templates/account/hostedit.php.new new file mode 100644 index 00000000..87328663 --- /dev/null +++ b/lam/templates/account/hostedit.php.new @@ -0,0 +1,73 @@ +load_account($DN); + } +else if (count($_POST)==0) { + $_SESSION['account'] = new accountContainer('host', 'account'); + $_SESSION['account']->new_account(); + } +$_SESSION['account']->continue_main($_POST); + +?>