2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
10 Copyright (C) Michael Adam 2010
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
33 #define DBGC_CLASS DBGC_IDMAP
40 static char *idmap_fetch_secret(const char *backend, bool alloc,
41 const char *domain, const char *identity)
47 r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend);
49 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
55 strupper_m(tmp); /* make sure the key is case insensitive */
56 ret = secrets_fetch_generic(tmp, identity);
63 struct idmap_ldap_alloc_context {
64 struct smbldap_state *smbldap_state;
70 struct idmap_ldap_context {
71 struct smbldap_state *smbldap_state;
76 struct idmap_ldap_alloc_context *alloc;
77 struct idmap_rw_ops *rw_ops;
80 #define CHECK_ALLOC_DONE(mem) do { \
82 DEBUG(0, ("Out of memory!\n")); \
83 ret = NT_STATUS_NO_MEMORY; \
87 /**********************************************************************
88 IDMAP ALLOC TDB BACKEND
89 **********************************************************************/
91 /*********************************************************************
92 ********************************************************************/
94 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
95 struct smbldap_state *ldap_state,
96 const char *config_option,
97 struct idmap_domain *dom,
100 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
102 const char *tmp = NULL;
103 char *user_dn = NULL;
106 /* assume anonymous if we don't have a specified user */
108 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
112 /* only the alloc backend can pass in a NULL dom */
113 secret = idmap_fetch_secret("ldap", True,
116 secret = idmap_fetch_secret("ldap", False,
121 DEBUG(0, ("get_credentials: Unable to fetch "
122 "auth credentials for %s in %s\n",
123 tmp, (dom==NULL)?"ALLOC":dom->name));
124 ret = NT_STATUS_ACCESS_DENIED;
127 *dn = talloc_strdup(mem_ctx, tmp);
128 CHECK_ALLOC_DONE(*dn);
130 if (!fetch_ldap_pw(&user_dn, &secret)) {
131 DEBUG(2, ("get_credentials: Failed to lookup ldap "
132 "bind creds. Using anonymous connection.\n"));
136 *dn = talloc_strdup(mem_ctx, user_dn);
137 SAFE_FREE( user_dn );
138 CHECK_ALLOC_DONE(*dn);
142 smbldap_set_creds(ldap_state, anon, *dn, secret);
152 /**********************************************************************
153 Verify the sambaUnixIdPool entry in the directory.
154 **********************************************************************/
156 static NTSTATUS verify_idpool(struct idmap_domain *dom)
160 LDAPMessage *result = NULL;
161 LDAPMod **mods = NULL;
162 const char **attr_list;
166 struct idmap_ldap_context *ctx;
168 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
171 return NT_STATUS_UNSUCCESSFUL;
174 mem_ctx = talloc_new(ctx->alloc);
175 if (mem_ctx == NULL) {
176 DEBUG(0, ("Out of memory!\n"));
177 return NT_STATUS_NO_MEMORY;
180 filter = talloc_asprintf(mem_ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
181 CHECK_ALLOC_DONE(filter);
183 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
184 CHECK_ALLOC_DONE(attr_list);
186 rc = smbldap_search(ctx->alloc->smbldap_state,
194 if (rc != LDAP_SUCCESS) {
195 DEBUG(1, ("Unable to verify the idpool, "
196 "cannot continue initialization!\n"));
197 return NT_STATUS_UNSUCCESSFUL;
200 count = ldap_count_entries(ctx->alloc->smbldap_state->ldap_struct,
203 ldap_msgfree(result);
206 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
207 filter, ctx->alloc->suffix));
208 ret = NT_STATUS_UNSUCCESSFUL;
211 else if (count == 0) {
212 char *uid_str, *gid_str;
214 uid_str = talloc_asprintf(mem_ctx, "%lu",
215 (unsigned long)dom->low_id);
216 gid_str = talloc_asprintf(mem_ctx, "%lu",
217 (unsigned long)dom->low_id);
219 smbldap_set_mod(&mods, LDAP_MOD_ADD,
220 "objectClass", LDAP_OBJ_IDPOOL);
221 smbldap_set_mod(&mods, LDAP_MOD_ADD,
222 get_attr_key2string(idpool_attr_list,
223 LDAP_ATTR_UIDNUMBER),
225 smbldap_set_mod(&mods, LDAP_MOD_ADD,
226 get_attr_key2string(idpool_attr_list,
227 LDAP_ATTR_GIDNUMBER),
230 rc = smbldap_modify(ctx->alloc->smbldap_state,
233 ldap_mods_free(mods, True);
235 ret = NT_STATUS_UNSUCCESSFUL;
240 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
242 talloc_free(mem_ctx);
246 /*****************************************************************************
247 Initialise idmap database.
248 *****************************************************************************/
250 static int idmap_ldap_alloc_close_destructor(struct idmap_ldap_alloc_context *ctx)
252 smbldap_free_struct(&ctx->smbldap_state);
253 DEBUG(5,("The connection to the LDAP server was closed\n"));
254 /* maybe free the results here --metze */
258 static NTSTATUS idmap_ldap_alloc_init(struct idmap_domain *dom,
261 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
263 struct idmap_ldap_context *ctx;
265 /* Only do init if we are online */
266 if (idmap_is_offline()) {
267 return NT_STATUS_FILE_IS_OFFLINE;
270 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
272 ctx->alloc = talloc_zero(ctx, struct idmap_ldap_alloc_context);
273 CHECK_ALLOC_DONE(ctx->alloc);
275 if (params && *params) {
276 /* assume location is the only parameter */
277 ctx->alloc->url = talloc_strdup(ctx->alloc, params);
279 tmp = lp_parm_const_string(-1, "idmap alloc config",
283 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
284 ret = NT_STATUS_UNSUCCESSFUL;
288 ctx->alloc->url = talloc_strdup(ctx->alloc, tmp);
290 CHECK_ALLOC_DONE(ctx->alloc->url);
292 trim_char(ctx->alloc->url, '\"', '\"');
294 tmp = lp_parm_const_string(-1, "idmap alloc config",
295 "ldap_base_dn", NULL);
296 if ( ! tmp || ! *tmp) {
297 tmp = lp_ldap_idmap_suffix();
299 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
300 ret = NT_STATUS_UNSUCCESSFUL;
305 ctx->alloc->suffix = talloc_strdup(ctx->alloc, tmp);
306 CHECK_ALLOC_DONE(ctx->alloc->suffix);
308 ret = smbldap_init(ctx->alloc, winbind_event_context(),
310 &ctx->alloc->smbldap_state);
311 if (!NT_STATUS_IS_OK(ret)) {
312 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
317 talloc_set_destructor(ctx->alloc, idmap_ldap_alloc_close_destructor);
319 ret = get_credentials(ctx->alloc,
320 ctx->alloc->smbldap_state,
321 "idmap alloc config", NULL,
322 &ctx->alloc->user_dn);
323 if ( !NT_STATUS_IS_OK(ret) ) {
324 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
325 "credentials (%s)\n", nt_errstr(ret)));
329 /* see if the idmap suffix and sub entries exists */
331 ret = verify_idpool(dom);
334 if ( !NT_STATUS_IS_OK( ret ) )
335 TALLOC_FREE(ctx->alloc);
340 /********************************
341 Allocate a new uid or gid
342 ********************************/
344 static NTSTATUS idmap_ldap_allocate_id(struct idmap_domain *dom,
348 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
349 int rc = LDAP_SERVER_DOWN;
351 LDAPMessage *result = NULL;
352 LDAPMessage *entry = NULL;
353 LDAPMod **mods = NULL;
357 const char *dn = NULL;
358 const char **attr_list;
360 struct idmap_ldap_context *ctx;
362 /* Only do query if we are online */
363 if (idmap_is_offline()) {
364 return NT_STATUS_FILE_IS_OFFLINE;
367 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
370 return NT_STATUS_UNSUCCESSFUL;
373 mem_ctx = talloc_new(ctx->alloc);
375 DEBUG(0, ("Out of memory!\n"));
376 return NT_STATUS_NO_MEMORY;
383 type = get_attr_key2string(idpool_attr_list,
384 LDAP_ATTR_UIDNUMBER);
388 type = get_attr_key2string(idpool_attr_list,
389 LDAP_ATTR_GIDNUMBER);
393 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
394 return NT_STATUS_INVALID_PARAMETER;
397 filter = talloc_asprintf(mem_ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
398 CHECK_ALLOC_DONE(filter);
400 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
401 CHECK_ALLOC_DONE(attr_list);
403 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
405 rc = smbldap_search(ctx->alloc->smbldap_state,
407 LDAP_SCOPE_SUBTREE, filter,
408 attr_list, 0, &result);
410 if (rc != LDAP_SUCCESS) {
411 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
415 talloc_autofree_ldapmsg(mem_ctx, result);
417 count = ldap_count_entries(ctx->alloc->smbldap_state->ldap_struct,
420 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
424 entry = ldap_first_entry(ctx->alloc->smbldap_state->ldap_struct,
427 dn = smbldap_talloc_dn(mem_ctx,
428 ctx->alloc->smbldap_state->ldap_struct,
434 id_str = smbldap_talloc_single_attribute(
435 ctx->alloc->smbldap_state->ldap_struct,
436 entry, type, mem_ctx);
437 if (id_str == NULL) {
438 DEBUG(0,("%s attribute not found\n", type));
439 ret = NT_STATUS_UNSUCCESSFUL;
443 xid->id = strtoul(id_str, NULL, 10);
445 /* make sure we still have room to grow */
449 if (xid->id > dom->high_id) {
450 DEBUG(0,("Cannot allocate uid above %lu!\n",
451 (unsigned long)dom->high_id));
457 if (xid->id > dom->high_id) {
458 DEBUG(0,("Cannot allocate gid above %lu!\n",
459 (unsigned long)dom->high_id));
469 new_id_str = talloc_asprintf(mem_ctx, "%lu", (unsigned long)xid->id + 1);
471 DEBUG(0,("Out of memory\n"));
472 ret = NT_STATUS_NO_MEMORY;
476 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
477 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
480 DEBUG(0,("smbldap_set_mod() failed.\n"));
484 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
485 id_str, new_id_str));
487 rc = smbldap_modify(ctx->alloc->smbldap_state, dn, mods);
489 ldap_mods_free(mods, True);
491 if (rc != LDAP_SUCCESS) {
492 DEBUG(1,("Failed to allocate new %s. "
493 "smbldap_modify() failed.\n", type));
500 talloc_free(mem_ctx);
505 * Allocate a new unix-ID.
506 * For now this is for the default idmap domain only.
507 * Should be extended later on.
509 static NTSTATUS idmap_ldap_get_new_id(struct idmap_domain *dom,
514 if (!strequal(dom->name, "*")) {
515 DEBUG(3, ("idmap_ldap_get_new_id: "
516 "Refusing allocation of a new unixid for domain'%s'. "
517 "Currently only supported for the default "
520 return NT_STATUS_NOT_IMPLEMENTED;
523 ret = idmap_ldap_allocate_id(dom, id);
529 /**********************************************************************
530 IDMAP MAPPING LDAP BACKEND
531 **********************************************************************/
533 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
535 smbldap_free_struct(&ctx->smbldap_state);
536 DEBUG(5,("The connection to the LDAP server was closed\n"));
537 /* maybe free the results here --metze */
542 /********************************
543 Initialise idmap database.
544 ********************************/
546 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
547 const struct id_map *map);
549 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
553 struct idmap_ldap_context *ctx = NULL;
554 char *config_option = NULL;
555 const char *tmp = NULL;
557 /* Only do init if we are online */
558 if (idmap_is_offline()) {
559 return NT_STATUS_FILE_IS_OFFLINE;
562 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
564 DEBUG(0, ("Out of memory!\n"));
565 return NT_STATUS_NO_MEMORY;
568 if (strequal(dom->name, "*")) {
569 /* more specific configuration can go here */
571 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
572 if ( ! config_option) {
573 DEBUG(0, ("Out of memory!\n"));
574 ret = NT_STATUS_NO_MEMORY;
579 if (params != NULL) {
580 /* assume location is the only parameter */
581 ctx->url = talloc_strdup(ctx, params);
583 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
586 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
587 ret = NT_STATUS_UNSUCCESSFUL;
591 ctx->url = talloc_strdup(ctx, tmp);
593 CHECK_ALLOC_DONE(ctx->url);
595 trim_char(ctx->url, '\"', '\"');
597 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
598 if ( ! tmp || ! *tmp) {
599 tmp = lp_ldap_idmap_suffix();
601 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
602 ret = NT_STATUS_UNSUCCESSFUL;
607 ctx->suffix = talloc_strdup(ctx, tmp);
608 CHECK_ALLOC_DONE(ctx->suffix);
610 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
611 CHECK_ALLOC_DONE(ctx->rw_ops);
613 ctx->rw_ops->get_new_id = idmap_ldap_get_new_id;
614 ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;
616 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
617 &ctx->smbldap_state);
618 if (!NT_STATUS_IS_OK(ret)) {
619 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
623 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
624 dom, &ctx->user_dn );
625 if ( !NT_STATUS_IS_OK(ret) ) {
626 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
627 "credentials (%s)\n", nt_errstr(ret)));
631 /* set the destructor on the context, so that resource are properly
632 freed if the contexts is released */
634 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
636 dom->private_data = ctx;
638 ret = idmap_ldap_alloc_init(dom, params);
639 if (!NT_STATUS_IS_OK(ret)) {
640 DEBUG(1, ("idmap_ldap_db_init: Failed to initialize alloc "
641 "subsystem: %s\n", nt_errstr(ret)));
645 talloc_free(config_option);
658 /* TODO: change this: This function cannot be called to modify a mapping,
659 * only set a new one */
661 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
662 const struct id_map *map)
666 struct idmap_ldap_context *ctx;
667 LDAPMessage *entry = NULL;
668 LDAPMod **mods = NULL;
675 /* Only do query if we are online */
676 if (idmap_is_offline()) {
677 return NT_STATUS_FILE_IS_OFFLINE;
680 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
682 switch(map->xid.type) {
684 type = get_attr_key2string(sidmap_attr_list,
685 LDAP_ATTR_UIDNUMBER);
689 type = get_attr_key2string(sidmap_attr_list,
690 LDAP_ATTR_GIDNUMBER);
694 return NT_STATUS_INVALID_PARAMETER;
697 memctx = talloc_new(ctx);
699 DEBUG(0, ("Out of memory!\n"));
700 return NT_STATUS_NO_MEMORY;
703 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
704 CHECK_ALLOC_DONE(id_str);
706 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
707 CHECK_ALLOC_DONE(sid);
709 dn = talloc_asprintf(memctx, "%s=%s,%s",
710 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
713 CHECK_ALLOC_DONE(dn);
715 smbldap_set_mod(&mods, LDAP_MOD_ADD,
716 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
718 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
719 entry, &mods, type, id_str);
721 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
722 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
726 DEBUG(2, ("ERROR: No mods?\n"));
727 ret = NT_STATUS_UNSUCCESSFUL;
731 /* TODO: remove conflicting mappings! */
733 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
735 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
737 rc = smbldap_add(ctx->smbldap_state, dn, mods);
738 ldap_mods_free(mods, True);
740 if (rc != LDAP_SUCCESS) {
741 char *ld_error = NULL;
742 ldap_get_option(ctx->smbldap_state->ldap_struct,
743 LDAP_OPT_ERROR_STRING, &ld_error);
744 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
745 "mapping [%s]\n", sid,
746 (unsigned long)map->xid.id, type));
747 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
748 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
750 ldap_memfree(ld_error);
752 ret = NT_STATUS_UNSUCCESSFUL;
756 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
757 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
767 * Create a new mapping for an unmapped SID, also allocating a new ID.
768 * If possible, this should be run inside a transaction to make the
771 static NTSTATUS idmap_ldap_new_mapping(struct idmap_domain *dom, struct id_map *map)
774 struct idmap_ldap_context *ctx;
776 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
778 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
784 /* max number of ids requested per batch query */
785 #define IDMAP_LDAP_MAX_IDS 30
787 /**********************************
788 lookup a set of unix ids.
789 **********************************/
791 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
792 * in maps for a match */
793 static struct id_map *find_map_by_id(struct id_map **maps,
799 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
800 if (maps[i] == NULL) { /* end of the run */
803 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
811 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
816 struct idmap_ldap_context *ctx;
817 LDAPMessage *result = NULL;
818 LDAPMessage *entry = NULL;
819 const char *uidNumber;
820 const char *gidNumber;
821 const char **attr_list;
830 /* Only do query if we are online */
831 if (idmap_is_offline()) {
832 return NT_STATUS_FILE_IS_OFFLINE;
835 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
837 memctx = talloc_new(ctx);
839 DEBUG(0, ("Out of memory!\n"));
840 return NT_STATUS_NO_MEMORY;
843 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
844 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
846 attr_list = get_attr_list(memctx, sidmap_attr_list);
849 /* if we are requested just one mapping use the simple filter */
851 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
852 LDAP_OBJ_IDMAP_ENTRY,
853 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
854 (unsigned long)ids[0]->xid.id);
855 CHECK_ALLOC_DONE(filter);
856 DEBUG(10, ("Filter: [%s]\n", filter));
858 /* multiple mappings */
862 for (i = 0; ids[i]; i++) {
863 ids[i]->status = ID_UNKNOWN;
870 filter = talloc_asprintf(memctx,
871 "(&(objectClass=%s)(|",
872 LDAP_OBJ_IDMAP_ENTRY);
873 CHECK_ALLOC_DONE(filter);
876 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
877 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
878 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
879 (unsigned long)ids[idx]->xid.id);
880 CHECK_ALLOC_DONE(filter);
882 filter = talloc_asprintf_append_buffer(filter, "))");
883 CHECK_ALLOC_DONE(filter);
884 DEBUG(10, ("Filter: [%s]\n", filter));
890 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
891 filter, attr_list, 0, &result);
893 if (rc != LDAP_SUCCESS) {
894 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
895 ret = NT_STATUS_UNSUCCESSFUL;
899 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
902 DEBUG(10, ("NO SIDs found\n"));
905 for (i = 0; i < count; i++) {
912 if (i == 0) { /* first entry */
913 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
915 } else { /* following ones */
916 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
920 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
925 /* first check if the SID is present */
926 sidstr = smbldap_talloc_single_attribute(
927 ctx->smbldap_state->ldap_struct,
928 entry, LDAP_ATTRIBUTE_SID, memctx);
929 if ( ! sidstr) { /* no sid, skip entry */
930 DEBUG(2, ("WARNING SID not found on entry\n"));
934 /* now try to see if it is a uid, if not try with a gid
935 * (gid is more common, but in case both uidNumber and
936 * gidNumber are returned the SID is mapped to the uid
939 tmp = smbldap_talloc_single_attribute(
940 ctx->smbldap_state->ldap_struct,
941 entry, uidNumber, memctx);
944 tmp = smbldap_talloc_single_attribute(
945 ctx->smbldap_state->ldap_struct,
946 entry, gidNumber, memctx);
948 if ( ! tmp) { /* wow very strange entry, how did it match ? */
949 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
950 "nor gidNumber returned\n", sidstr));
955 id = strtoul(tmp, NULL, 10);
956 if (!idmap_unix_id_is_in_range(id, dom)) {
957 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
959 dom->low_id, dom->high_id));
966 map = find_map_by_id(&ids[bidx], type, id);
968 DEBUG(2, ("WARNING: couldn't match sid (%s) "
969 "with requested ids\n", sidstr));
974 if ( ! string_to_sid(map->sid, sidstr)) {
975 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
980 if (map->status == ID_MAPPED) {
981 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
982 "overwriting mapping %u -> %s with %u -> %s\n",
983 (type == ID_TYPE_UID) ? "UID" : "GID",
984 id, sid_string_dbg(map->sid), id, sidstr));
990 map->status = ID_MAPPED;
992 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
993 (unsigned long)map->xid.id, map->xid.type));
996 /* free the ldap results */
998 ldap_msgfree(result);
1002 if (multi && ids[idx]) { /* still some values to map */
1008 /* mark all unknwon/expired ones as unmapped */
1009 for (i = 0; ids[i]; i++) {
1010 if (ids[i]->status != ID_MAPPED)
1011 ids[i]->status = ID_UNMAPPED;
1015 talloc_free(memctx);
1019 /**********************************
1020 lookup a set of sids.
1021 **********************************/
1023 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
1024 * in maps for a match */
1025 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
1029 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1030 if (maps[i] == NULL) { /* end of the run */
1033 if (sid_equal(maps[i]->sid, sid)) {
1041 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
1042 struct id_map **ids)
1044 LDAPMessage *entry = NULL;
1047 struct idmap_ldap_context *ctx;
1048 LDAPMessage *result = NULL;
1049 const char *uidNumber;
1050 const char *gidNumber;
1051 const char **attr_list;
1052 char *filter = NULL;
1060 /* Only do query if we are online */
1061 if (idmap_is_offline()) {
1062 return NT_STATUS_FILE_IS_OFFLINE;
1065 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1067 memctx = talloc_new(ctx);
1069 DEBUG(0, ("Out of memory!\n"));
1070 return NT_STATUS_NO_MEMORY;
1073 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1074 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1076 attr_list = get_attr_list(memctx, sidmap_attr_list);
1079 /* if we are requested just one mapping use the simple filter */
1081 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1082 LDAP_OBJ_IDMAP_ENTRY,
1084 sid_string_talloc(memctx, ids[0]->sid));
1085 CHECK_ALLOC_DONE(filter);
1086 DEBUG(10, ("Filter: [%s]\n", filter));
1088 /* multiple mappings */
1092 for (i = 0; ids[i]; i++) {
1093 ids[i]->status = ID_UNKNOWN;
1099 TALLOC_FREE(filter);
1100 filter = talloc_asprintf(memctx,
1101 "(&(objectClass=%s)(|",
1102 LDAP_OBJ_IDMAP_ENTRY);
1103 CHECK_ALLOC_DONE(filter);
1106 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1107 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
1109 sid_string_talloc(memctx,
1111 CHECK_ALLOC_DONE(filter);
1113 filter = talloc_asprintf_append_buffer(filter, "))");
1114 CHECK_ALLOC_DONE(filter);
1115 DEBUG(10, ("Filter: [%s]", filter));
1121 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1122 filter, attr_list, 0, &result);
1124 if (rc != LDAP_SUCCESS) {
1125 DEBUG(3,("Failure looking up sids (%s)\n",
1126 ldap_err2string(rc)));
1127 ret = NT_STATUS_UNSUCCESSFUL;
1131 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1134 DEBUG(10, ("NO SIDs found\n"));
1137 for (i = 0; i < count; i++) {
1138 char *sidstr = NULL;
1145 if (i == 0) { /* first entry */
1146 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1148 } else { /* following ones */
1149 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1153 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1158 /* first check if the SID is present */
1159 sidstr = smbldap_talloc_single_attribute(
1160 ctx->smbldap_state->ldap_struct,
1161 entry, LDAP_ATTRIBUTE_SID, memctx);
1162 if ( ! sidstr) { /* no sid ??, skip entry */
1163 DEBUG(2, ("WARNING SID not found on entry\n"));
1167 if ( ! string_to_sid(&sid, sidstr)) {
1168 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1169 TALLOC_FREE(sidstr);
1173 map = find_map_by_sid(&ids[bidx], &sid);
1175 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1177 TALLOC_FREE(sidstr);
1181 /* now try to see if it is a uid, if not try with a gid
1182 * (gid is more common, but in case both uidNumber and
1183 * gidNumber are returned the SID is mapped to the uid
1186 tmp = smbldap_talloc_single_attribute(
1187 ctx->smbldap_state->ldap_struct,
1188 entry, uidNumber, memctx);
1191 tmp = smbldap_talloc_single_attribute(
1192 ctx->smbldap_state->ldap_struct,
1193 entry, gidNumber, memctx);
1195 if ( ! tmp) { /* no ids ?? */
1196 DEBUG(5, ("no uidNumber, "
1197 "nor gidNumber attributes found\n"));
1198 TALLOC_FREE(sidstr);
1202 id = strtoul(tmp, NULL, 10);
1203 if (!idmap_unix_id_is_in_range(id, dom)) {
1204 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1206 dom->low_id, dom->high_id));
1207 TALLOC_FREE(sidstr);
1213 if (map->status == ID_MAPPED) {
1214 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1215 "overwriting mapping %s -> %u with %s -> %u\n",
1216 (type == ID_TYPE_UID) ? "UID" : "GID",
1217 sidstr, map->xid.id, sidstr, id));
1220 TALLOC_FREE(sidstr);
1223 map->xid.type = type;
1225 map->status = ID_MAPPED;
1227 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1228 (unsigned long)map->xid.id, map->xid.type));
1231 /* free the ldap results */
1233 ldap_msgfree(result);
1237 if (multi && ids[idx]) { /* still some values to map */
1242 * try to create new mappings for unmapped sids
1244 for (i = 0; ids[i]; i++) {
1245 if (ids[i]->status != ID_MAPPED) {
1246 ids[i]->status = ID_UNMAPPED;
1247 if (ids[i]->sid != NULL) {
1248 ret = idmap_ldap_new_mapping(dom, ids[i]);
1249 if (!NT_STATUS_IS_OK(ret)) {
1259 talloc_free(memctx);
1263 /**********************************
1264 Close the idmap ldap instance
1265 **********************************/
1267 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1269 struct idmap_ldap_context *ctx;
1271 if (dom->private_data) {
1272 ctx = talloc_get_type(dom->private_data,
1273 struct idmap_ldap_context);
1276 dom->private_data = NULL;
1279 return NT_STATUS_OK;
1282 static struct idmap_methods idmap_ldap_methods = {
1284 .init = idmap_ldap_db_init,
1285 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1286 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1287 .allocate_id = idmap_ldap_get_new_id,
1288 .close_fn = idmap_ldap_close
1291 NTSTATUS idmap_ldap_init(void);
1292 NTSTATUS idmap_ldap_init(void)
1294 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1295 &idmap_ldap_methods);