2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Gerald Carter 2003
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 #define DBGC_CLASS DBGC_IDMAP
31 struct ldap_connection *ldap_conn = NULL;
33 /* number tries while allocating new id */
34 #define LDAP_MAX_ALLOC_ID 128
37 /***********************************************************************
38 This function cannot be called to modify a mapping, only set a new one
39 ***********************************************************************/
41 static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
43 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
47 struct ldap_message *msg;
48 struct ldap_message *mod_res = NULL;
51 type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber";
53 sid_to_string( sid_string, sid );
55 pstr_sprintf(id_str, "%lu",
56 ((id_type & ID_USERID) ?
57 (unsigned long)id.uid : (unsigned long)id.gid));
60 "dn: sambaSID=%s,%s\n"
62 "objectClass: sambaIdmapEntry\n"
63 "objectClass: sambaSidEntry\n"
66 sid_string, lp_ldap_idmap_suffix(), sid_string, type,
67 ((id_type & ID_USERID) ?
68 (unsigned long)id.uid : (unsigned long)id.gid));
70 msg = ldap_ldif2msg(mod);
75 return NT_STATUS_NO_MEMORY;
77 mod_res = ldap_transaction(ldap_conn, msg);
79 if ((mod_res == NULL) || (mod_res->r.ModifyResponse.resultcode != 0))
84 destroy_ldap_message(msg);
85 destroy_ldap_message(mod_res);
89 /*****************************************************************************
90 Allocate a new uid or gid
91 *****************************************************************************/
93 static NTSTATUS ldap_allocate_id(unid_t *id, enum idmap_type id_type)
95 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
98 const char *attrs[] = { "uidNumber", "gidNumber" };
99 struct ldap_message *idpool_s = NULL;
100 struct ldap_message *idpool = NULL;
101 struct ldap_message *mod_msg = NULL;
102 struct ldap_message *mod_res = NULL;
104 const char *id_attrib;
107 if (id_type != ID_USERID && id_type != ID_GROUPID) {
108 return NT_STATUS_INVALID_PARAMETER;
111 id_attrib = (id_type == ID_USERID) ? "uidNumber" : "gidNumber";
113 idpool_s = new_ldap_search_message(lp_ldap_suffix(),
114 LDAP_SEARCH_SCOPE_SUB,
115 "(objectclass=sambaUnixIdPool)",
118 if (idpool_s == NULL)
119 return NT_STATUS_NO_MEMORY;
121 idpool = ldap_searchone(ldap_conn, idpool_s, NULL);
126 if (!ldap_find_single_int(idpool, id_attrib, &value))
129 /* this must succeed or else we wouldn't have initialized */
131 lp_idmap_uid( &luid, &huid);
132 lp_idmap_gid( &lgid, &hgid);
134 /* make sure we still have room to grow */
136 if (id_type == ID_USERID) {
138 if (id->uid > huid ) {
139 DEBUG(0,("ldap_allocate_id: Cannot allocate uid "
140 "above %lu!\n", (unsigned long)huid));
146 if (id->gid > hgid ) {
147 DEBUG(0,("ldap_allocate_id: Cannot allocate gid "
148 "above %lu!\n", (unsigned long)hgid));
155 "changetype: modify\n"
161 idpool->r.SearchResultEntry.dn, id_attrib, id_attrib, value,
162 id_attrib, id_attrib, value+1);
164 mod_msg = ldap_ldif2msg(mod);
171 mod_res = ldap_transaction(ldap_conn, mod_msg);
173 if ((mod_res == NULL) || (mod_res->r.ModifyResponse.resultcode != 0))
178 destroy_ldap_message(idpool_s);
179 destroy_ldap_message(idpool);
180 destroy_ldap_message(mod_msg);
181 destroy_ldap_message(mod_res);
186 /*****************************************************************************
188 *****************************************************************************/
190 static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
194 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
195 const char *attr_list[] = { "sambaSID" };
196 struct ldap_message *msg;
197 struct ldap_message *entry = NULL;
200 type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber";
202 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))", "sambaIdmapEntry",
204 ((id_type & ID_USERID) ?
205 (unsigned long)id.uid : (unsigned long)id.gid));
207 msg = new_ldap_search_message(lp_ldap_idmap_suffix(),
208 LDAP_SEARCH_SCOPE_SUB,
209 filter, 1, attr_list);
212 return NT_STATUS_NO_MEMORY;
214 entry = ldap_searchone(ldap_conn, msg, NULL);
219 if (!ldap_find_single_string(entry, "sambaSID", entry->mem_ctx,
223 if (!string_to_sid(sid, sid_str))
228 destroy_ldap_message(msg);
229 destroy_ldap_message(entry);
234 /***********************************************************************
236 ***********************************************************************/
238 static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type,
243 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
244 struct ldap_message *msg;
245 struct ldap_message *entry = NULL;
248 DEBUG(8,("ldap_get_id_from_sid: %s (%s)\n", sid_string_static(sid),
249 (*id_type & ID_GROUPID ? "group" : "user") ));
251 type = ((*id_type) & ID_USERID) ? "uidNumber" : "gidNumber";
253 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
254 "sambaIdmapEntry", "sambaSID", sid_string_static(sid));
256 msg = new_ldap_search_message(lp_ldap_idmap_suffix(),
257 LDAP_SEARCH_SCOPE_SUB,
261 return NT_STATUS_NO_MEMORY;
263 entry = ldap_searchone(ldap_conn, msg, NULL);
268 if (!ldap_find_single_int(entry, type, &value))
271 if ((*id_type) & ID_USERID)
280 if ((*id_type) & ID_QUERY_ONLY)
283 /* Allocate a new RID */
285 for (i = 0; i < LDAP_MAX_ALLOC_ID; i++) {
286 ret = ldap_allocate_id(id, *id_type);
287 if ( NT_STATUS_IS_OK(ret) )
291 if ( !NT_STATUS_IS_OK(ret) ) {
292 DEBUG(0,("Could not allocate id\n"));
296 DEBUG(10,("ldap_get_id_from_sid: Allocated new %cid [%ul]\n",
297 (*id_type & ID_GROUPID ? 'g' : 'u'), (uint32)id->uid ));
299 ret = ldap_set_mapping(sid, *id, *id_type);
302 destroy_ldap_message(msg);
303 destroy_ldap_message(entry);
308 /**********************************************************************
309 Verify the sambaUnixIdPool entry in the directory.
310 **********************************************************************/
311 static NTSTATUS verify_idpool(void)
313 const char *attr_list[3] = { "uidnumber", "gidnumber", "objectclass" };
316 struct ldap_message *msg, *entry, *res;
321 msg = new_ldap_search_message(lp_ldap_suffix(),
322 LDAP_SEARCH_SCOPE_SUB,
323 "(objectClass=sambaUnixIdPool)",
327 return NT_STATUS_NO_MEMORY;
329 entry = ldap_searchone(ldap_conn, msg, NULL);
331 result = (entry != NULL);
333 destroy_ldap_message(msg);
334 destroy_ldap_message(entry);
339 if ( !lp_idmap_uid(&luid, &huid) || !lp_idmap_gid( &lgid, &hgid ) ) {
340 DEBUG(3,("ldap_idmap_init: idmap uid/gid parameters not "
342 return NT_STATUS_UNSUCCESSFUL;
347 "changetype: modify\n"
349 "objectClass: sambaUnixIdPool\n"
356 lp_ldap_idmap_suffix(),
357 (unsigned long)luid, (unsigned long)lgid);
359 msg = ldap_ldif2msg(mod);
364 return NT_STATUS_NO_MEMORY;
366 res = ldap_transaction(ldap_conn, msg);
368 if ((res == NULL) || (res->r.ModifyResponse.resultcode != 0)) {
369 destroy_ldap_message(msg);
370 destroy_ldap_message(res);
371 DEBUG(5, ("Could not add sambaUnixIdPool\n"));
372 return NT_STATUS_UNSUCCESSFUL;
375 destroy_ldap_message(msg);
376 destroy_ldap_message(res);
380 /*****************************************************************************
381 Initialise idmap database.
382 *****************************************************************************/
384 static NTSTATUS ldap_idmap_init( char *params )
389 ldap_conn = new_ldap_connection();
391 if (!fetch_ldap_pw(&dn, &pw))
392 return NT_STATUS_UNSUCCESSFUL;
394 ldap_conn->auth_dn = talloc_strdup(ldap_conn->mem_ctx, dn);
395 ldap_conn->simple_pw = talloc_strdup(ldap_conn->mem_ctx, pw);
400 if (!ldap_setup_connection(ldap_conn, params, NULL, NULL))
401 return NT_STATUS_UNSUCCESSFUL;
403 /* see if the idmap suffix and sub entries exists */
405 nt_status = verify_idpool();
406 if ( !NT_STATUS_IS_OK(nt_status) )
412 /*****************************************************************************
414 *****************************************************************************/
416 static NTSTATUS ldap_idmap_close(void)
419 DEBUG(5,("The connection to the LDAP server was closed\n"));
420 /* maybe free the results here --metze */
426 /* This function doesn't make as much sense in an LDAP world since the calling
427 node doesn't really control the ID ranges */
428 static void ldap_idmap_status(void)
430 DEBUG(0, ("LDAP IDMAP Status not available\n"));
433 static struct idmap_methods ldap_methods = {
436 ldap_get_sid_from_id,
437 ldap_get_id_from_sid,
444 NTSTATUS idmap_smbldap_init(void)
446 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "smbldap", &ldap_methods);