2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
10 Copyright (C) Michael Adam 2010
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
31 #define DBGC_CLASS DBGC_IDMAP
38 static char *idmap_fetch_secret(const char *backend, bool alloc,
39 const char *domain, const char *identity)
45 r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend);
47 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
53 strupper_m(tmp); /* make sure the key is case insensitive */
54 ret = secrets_fetch_generic(tmp, identity);
61 struct idmap_ldap_alloc_context {
62 struct smbldap_state *smbldap_state;
68 struct idmap_ldap_context {
69 struct smbldap_state *smbldap_state;
74 struct idmap_ldap_alloc_context *alloc;
75 struct idmap_rw_ops *rw_ops;
78 #define CHECK_ALLOC_DONE(mem) do { \
80 DEBUG(0, ("Out of memory!\n")); \
81 ret = NT_STATUS_NO_MEMORY; \
85 /**********************************************************************
86 IDMAP ALLOC TDB BACKEND
87 **********************************************************************/
89 /*********************************************************************
90 ********************************************************************/
92 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
93 struct smbldap_state *ldap_state,
94 const char *config_option,
95 struct idmap_domain *dom,
98 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
100 const char *tmp = NULL;
101 char *user_dn = NULL;
104 /* assume anonymous if we don't have a specified user */
106 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
110 /* only the alloc backend can pass in a NULL dom */
111 secret = idmap_fetch_secret("ldap", True,
114 secret = idmap_fetch_secret("ldap", False,
119 DEBUG(0, ("get_credentials: Unable to fetch "
120 "auth credentials for %s in %s\n",
121 tmp, (dom==NULL)?"ALLOC":dom->name));
122 ret = NT_STATUS_ACCESS_DENIED;
125 *dn = talloc_strdup(mem_ctx, tmp);
126 CHECK_ALLOC_DONE(*dn);
128 if (!fetch_ldap_pw(&user_dn, &secret)) {
129 DEBUG(2, ("get_credentials: Failed to lookup ldap "
130 "bind creds. Using anonymous connection.\n"));
133 *dn = talloc_strdup(mem_ctx, user_dn);
134 SAFE_FREE( user_dn );
135 CHECK_ALLOC_DONE(*dn);
139 smbldap_set_creds(ldap_state, anon, *dn, secret);
149 /**********************************************************************
150 Verify the sambaUnixIdPool entry in the directory.
151 **********************************************************************/
153 static NTSTATUS verify_idpool(struct idmap_domain *dom)
157 LDAPMessage *result = NULL;
158 LDAPMod **mods = NULL;
159 const char **attr_list;
163 struct idmap_ldap_context *ctx;
165 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
168 return NT_STATUS_UNSUCCESSFUL;
171 mem_ctx = talloc_new(ctx->alloc);
172 if (mem_ctx == NULL) {
173 DEBUG(0, ("Out of memory!\n"));
174 return NT_STATUS_NO_MEMORY;
177 filter = talloc_asprintf(mem_ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
178 CHECK_ALLOC_DONE(filter);
180 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
181 CHECK_ALLOC_DONE(attr_list);
183 rc = smbldap_search(ctx->alloc->smbldap_state,
191 if (rc != LDAP_SUCCESS) {
192 DEBUG(1, ("Unable to verify the idpool, "
193 "cannot continue initialization!\n"));
194 return NT_STATUS_UNSUCCESSFUL;
197 count = ldap_count_entries(ctx->alloc->smbldap_state->ldap_struct,
200 ldap_msgfree(result);
203 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
204 filter, ctx->alloc->suffix));
205 ret = NT_STATUS_UNSUCCESSFUL;
208 else if (count == 0) {
209 char *uid_str, *gid_str;
211 uid_str = talloc_asprintf(mem_ctx, "%lu",
212 (unsigned long)dom->low_id);
213 gid_str = talloc_asprintf(mem_ctx, "%lu",
214 (unsigned long)dom->low_id);
216 smbldap_set_mod(&mods, LDAP_MOD_ADD,
217 "objectClass", LDAP_OBJ_IDPOOL);
218 smbldap_set_mod(&mods, LDAP_MOD_ADD,
219 get_attr_key2string(idpool_attr_list,
220 LDAP_ATTR_UIDNUMBER),
222 smbldap_set_mod(&mods, LDAP_MOD_ADD,
223 get_attr_key2string(idpool_attr_list,
224 LDAP_ATTR_GIDNUMBER),
227 rc = smbldap_modify(ctx->alloc->smbldap_state,
230 ldap_mods_free(mods, True);
232 ret = NT_STATUS_UNSUCCESSFUL;
237 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
239 talloc_free(mem_ctx);
243 /*****************************************************************************
244 Initialise idmap database.
245 *****************************************************************************/
247 static int idmap_ldap_alloc_close_destructor(struct idmap_ldap_alloc_context *ctx)
249 smbldap_free_struct(&ctx->smbldap_state);
250 DEBUG(5,("The connection to the LDAP server was closed\n"));
251 /* maybe free the results here --metze */
255 static NTSTATUS idmap_ldap_alloc_init(struct idmap_domain *dom,
258 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
260 struct idmap_ldap_context *ctx;
262 /* Only do init if we are online */
263 if (idmap_is_offline()) {
264 return NT_STATUS_FILE_IS_OFFLINE;
267 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
269 ctx->alloc = talloc_zero(ctx, struct idmap_ldap_alloc_context);
270 CHECK_ALLOC_DONE(ctx->alloc);
272 if (params && *params) {
273 /* assume location is the only parameter */
274 ctx->alloc->url = talloc_strdup(ctx->alloc, params);
276 tmp = lp_parm_const_string(-1, "idmap alloc config",
280 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
281 ret = NT_STATUS_UNSUCCESSFUL;
285 ctx->alloc->url = talloc_strdup(ctx->alloc, tmp);
287 CHECK_ALLOC_DONE(ctx->alloc->url);
289 trim_char(ctx->alloc->url, '\"', '\"');
291 tmp = lp_parm_const_string(-1, "idmap alloc config",
292 "ldap_base_dn", NULL);
293 if ( ! tmp || ! *tmp) {
294 tmp = lp_ldap_idmap_suffix();
296 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
297 ret = NT_STATUS_UNSUCCESSFUL;
302 ctx->alloc->suffix = talloc_strdup(ctx->alloc, tmp);
303 CHECK_ALLOC_DONE(ctx->alloc->suffix);
305 ret = smbldap_init(ctx->alloc, winbind_event_context(),
307 &ctx->alloc->smbldap_state);
308 if (!NT_STATUS_IS_OK(ret)) {
309 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
314 talloc_set_destructor(ctx->alloc, idmap_ldap_alloc_close_destructor);
316 ret = get_credentials(ctx->alloc,
317 ctx->alloc->smbldap_state,
318 "idmap alloc config", NULL,
319 &ctx->alloc->user_dn);
320 if ( !NT_STATUS_IS_OK(ret) ) {
321 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
322 "credentials (%s)\n", nt_errstr(ret)));
326 /* see if the idmap suffix and sub entries exists */
328 ret = verify_idpool(dom);
331 if ( !NT_STATUS_IS_OK( ret ) )
332 TALLOC_FREE(ctx->alloc);
337 /********************************
338 Allocate a new uid or gid
339 ********************************/
341 static NTSTATUS idmap_ldap_allocate_id(struct idmap_domain *dom,
345 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
346 int rc = LDAP_SERVER_DOWN;
348 LDAPMessage *result = NULL;
349 LDAPMessage *entry = NULL;
350 LDAPMod **mods = NULL;
354 const char *dn = NULL;
355 const char **attr_list;
357 struct idmap_ldap_context *ctx;
359 /* Only do query if we are online */
360 if (idmap_is_offline()) {
361 return NT_STATUS_FILE_IS_OFFLINE;
364 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
367 return NT_STATUS_UNSUCCESSFUL;
370 mem_ctx = talloc_new(ctx->alloc);
372 DEBUG(0, ("Out of memory!\n"));
373 return NT_STATUS_NO_MEMORY;
380 type = get_attr_key2string(idpool_attr_list,
381 LDAP_ATTR_UIDNUMBER);
385 type = get_attr_key2string(idpool_attr_list,
386 LDAP_ATTR_GIDNUMBER);
390 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
391 return NT_STATUS_INVALID_PARAMETER;
394 filter = talloc_asprintf(mem_ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
395 CHECK_ALLOC_DONE(filter);
397 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
398 CHECK_ALLOC_DONE(attr_list);
400 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
402 rc = smbldap_search(ctx->alloc->smbldap_state,
404 LDAP_SCOPE_SUBTREE, filter,
405 attr_list, 0, &result);
407 if (rc != LDAP_SUCCESS) {
408 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
412 talloc_autofree_ldapmsg(mem_ctx, result);
414 count = ldap_count_entries(ctx->alloc->smbldap_state->ldap_struct,
417 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
421 entry = ldap_first_entry(ctx->alloc->smbldap_state->ldap_struct,
424 dn = smbldap_talloc_dn(mem_ctx,
425 ctx->alloc->smbldap_state->ldap_struct,
431 id_str = smbldap_talloc_single_attribute(
432 ctx->alloc->smbldap_state->ldap_struct,
433 entry, type, mem_ctx);
434 if (id_str == NULL) {
435 DEBUG(0,("%s attribute not found\n", type));
436 ret = NT_STATUS_UNSUCCESSFUL;
440 xid->id = strtoul(id_str, NULL, 10);
442 /* make sure we still have room to grow */
446 if (xid->id > dom->high_id) {
447 DEBUG(0,("Cannot allocate uid above %lu!\n",
448 (unsigned long)dom->high_id));
454 if (xid->id > dom->high_id) {
455 DEBUG(0,("Cannot allocate gid above %lu!\n",
456 (unsigned long)dom->high_id));
466 new_id_str = talloc_asprintf(mem_ctx, "%lu", (unsigned long)xid->id + 1);
468 DEBUG(0,("Out of memory\n"));
469 ret = NT_STATUS_NO_MEMORY;
473 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
474 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
477 DEBUG(0,("smbldap_set_mod() failed.\n"));
481 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
482 id_str, new_id_str));
484 rc = smbldap_modify(ctx->alloc->smbldap_state, dn, mods);
486 ldap_mods_free(mods, True);
488 if (rc != LDAP_SUCCESS) {
489 DEBUG(1,("Failed to allocate new %s. "
490 "smbldap_modify() failed.\n", type));
497 talloc_free(mem_ctx);
502 * Allocate a new unix-ID.
503 * For now this is for the default idmap domain only.
504 * Should be extended later on.
506 static NTSTATUS idmap_ldap_get_new_id(struct idmap_domain *dom,
511 if (!strequal(dom->name, "*")) {
512 DEBUG(3, ("idmap_ldap_get_new_id: "
513 "Refusing allocation of a new unixid for domain'%s'. "
514 "Currently only supported for the default "
517 return NT_STATUS_NOT_IMPLEMENTED;
520 ret = idmap_ldap_allocate_id(dom, id);
526 /**********************************************************************
527 IDMAP MAPPING LDAP BACKEND
528 **********************************************************************/
530 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
532 smbldap_free_struct(&ctx->smbldap_state);
533 DEBUG(5,("The connection to the LDAP server was closed\n"));
534 /* maybe free the results here --metze */
539 /********************************
540 Initialise idmap database.
541 ********************************/
543 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
544 const struct id_map *map);
546 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
550 struct idmap_ldap_context *ctx = NULL;
551 char *config_option = NULL;
552 const char *tmp = NULL;
554 /* Only do init if we are online */
555 if (idmap_is_offline()) {
556 return NT_STATUS_FILE_IS_OFFLINE;
559 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
561 DEBUG(0, ("Out of memory!\n"));
562 return NT_STATUS_NO_MEMORY;
565 if (strequal(dom->name, "*")) {
566 /* more specific configuration can go here */
568 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
569 if ( ! config_option) {
570 DEBUG(0, ("Out of memory!\n"));
571 ret = NT_STATUS_NO_MEMORY;
576 if (params != NULL) {
577 /* assume location is the only parameter */
578 ctx->url = talloc_strdup(ctx, params);
580 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
583 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
584 ret = NT_STATUS_UNSUCCESSFUL;
588 ctx->url = talloc_strdup(ctx, tmp);
590 CHECK_ALLOC_DONE(ctx->url);
592 trim_char(ctx->url, '\"', '\"');
594 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
595 if ( ! tmp || ! *tmp) {
596 tmp = lp_ldap_idmap_suffix();
598 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
599 ret = NT_STATUS_UNSUCCESSFUL;
604 ctx->suffix = talloc_strdup(ctx, tmp);
605 CHECK_ALLOC_DONE(ctx->suffix);
607 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
608 CHECK_ALLOC_DONE(ctx->rw_ops);
610 ctx->rw_ops->get_new_id = idmap_ldap_get_new_id;
611 ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;
613 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
614 &ctx->smbldap_state);
615 if (!NT_STATUS_IS_OK(ret)) {
616 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
620 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
621 dom, &ctx->user_dn );
622 if ( !NT_STATUS_IS_OK(ret) ) {
623 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
624 "credentials (%s)\n", nt_errstr(ret)));
628 /* set the destructor on the context, so that resource are properly
629 freed if the contexts is released */
631 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
633 dom->private_data = ctx;
635 ret = idmap_ldap_alloc_init(dom, params);
636 if (!NT_STATUS_IS_OK(ret)) {
637 DEBUG(1, ("idmap_ldap_db_init: Failed to initialize alloc "
638 "subsystem: %s\n", nt_errstr(ret)));
642 talloc_free(config_option);
655 /* TODO: change this: This function cannot be called to modify a mapping,
656 * only set a new one */
658 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
659 const struct id_map *map)
663 struct idmap_ldap_context *ctx;
664 LDAPMessage *entry = NULL;
665 LDAPMod **mods = NULL;
672 /* Only do query if we are online */
673 if (idmap_is_offline()) {
674 return NT_STATUS_FILE_IS_OFFLINE;
677 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
679 switch(map->xid.type) {
681 type = get_attr_key2string(sidmap_attr_list,
682 LDAP_ATTR_UIDNUMBER);
686 type = get_attr_key2string(sidmap_attr_list,
687 LDAP_ATTR_GIDNUMBER);
691 return NT_STATUS_INVALID_PARAMETER;
694 memctx = talloc_new(ctx);
696 DEBUG(0, ("Out of memory!\n"));
697 return NT_STATUS_NO_MEMORY;
700 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
701 CHECK_ALLOC_DONE(id_str);
703 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
704 CHECK_ALLOC_DONE(sid);
706 dn = talloc_asprintf(memctx, "%s=%s,%s",
707 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
710 CHECK_ALLOC_DONE(dn);
712 smbldap_set_mod(&mods, LDAP_MOD_ADD,
713 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
715 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
716 entry, &mods, type, id_str);
718 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
719 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
723 DEBUG(2, ("ERROR: No mods?\n"));
724 ret = NT_STATUS_UNSUCCESSFUL;
728 /* TODO: remove conflicting mappings! */
730 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
732 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
734 rc = smbldap_add(ctx->smbldap_state, dn, mods);
735 ldap_mods_free(mods, True);
737 if (rc != LDAP_SUCCESS) {
738 char *ld_error = NULL;
739 ldap_get_option(ctx->smbldap_state->ldap_struct,
740 LDAP_OPT_ERROR_STRING, &ld_error);
741 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
742 "mapping [%s]\n", sid,
743 (unsigned long)map->xid.id, type));
744 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
745 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
747 ldap_memfree(ld_error);
749 ret = NT_STATUS_UNSUCCESSFUL;
753 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
754 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
764 * Create a new mapping for an unmapped SID, also allocating a new ID.
765 * If possible, this should be run inside a transaction to make the
768 static NTSTATUS idmap_ldap_new_mapping(struct idmap_domain *dom, struct id_map *map)
773 ret = NT_STATUS_INVALID_PARAMETER;
777 if ((map->xid.type != ID_TYPE_UID) && (map->xid.type != ID_TYPE_GID)) {
778 ret = NT_STATUS_INVALID_PARAMETER;
782 if (map->sid == NULL) {
783 ret = NT_STATUS_INVALID_PARAMETER;
787 ret = idmap_ldap_get_new_id(dom, &map->xid);
788 if (!NT_STATUS_IS_OK(ret)) {
789 DEBUG(3, ("Could not allocate id: %s\n", nt_errstr(ret)));
793 DEBUG(10, ("Setting mapping: %s <-> %s %lu\n",
794 sid_string_dbg(map->sid),
795 (map->xid.type == ID_TYPE_UID) ? "UID" : "GID",
796 (unsigned long)map->xid.id));
798 map->status = ID_MAPPED;
800 /* store the mapping */
801 ret = idmap_ldap_set_mapping(dom, map);
802 if (!NT_STATUS_IS_OK(ret)) {
803 DEBUG(3, ("Could not store the new mapping: %s\n",
812 /* max number of ids requested per batch query */
813 #define IDMAP_LDAP_MAX_IDS 30
815 /**********************************
816 lookup a set of unix ids.
817 **********************************/
819 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
820 * in maps for a match */
821 static struct id_map *find_map_by_id(struct id_map **maps,
827 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
828 if (maps[i] == NULL) { /* end of the run */
831 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
839 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
844 struct idmap_ldap_context *ctx;
845 LDAPMessage *result = NULL;
846 LDAPMessage *entry = NULL;
847 const char *uidNumber;
848 const char *gidNumber;
849 const char **attr_list;
858 /* Only do query if we are online */
859 if (idmap_is_offline()) {
860 return NT_STATUS_FILE_IS_OFFLINE;
863 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
865 memctx = talloc_new(ctx);
867 DEBUG(0, ("Out of memory!\n"));
868 return NT_STATUS_NO_MEMORY;
871 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
872 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
874 attr_list = get_attr_list(memctx, sidmap_attr_list);
877 /* if we are requested just one mapping use the simple filter */
879 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
880 LDAP_OBJ_IDMAP_ENTRY,
881 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
882 (unsigned long)ids[0]->xid.id);
883 CHECK_ALLOC_DONE(filter);
884 DEBUG(10, ("Filter: [%s]\n", filter));
886 /* multiple mappings */
890 for (i = 0; ids[i]; i++) {
891 ids[i]->status = ID_UNKNOWN;
898 filter = talloc_asprintf(memctx,
899 "(&(objectClass=%s)(|",
900 LDAP_OBJ_IDMAP_ENTRY);
901 CHECK_ALLOC_DONE(filter);
904 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
905 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
906 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
907 (unsigned long)ids[idx]->xid.id);
908 CHECK_ALLOC_DONE(filter);
910 filter = talloc_asprintf_append_buffer(filter, "))");
911 CHECK_ALLOC_DONE(filter);
912 DEBUG(10, ("Filter: [%s]\n", filter));
918 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
919 filter, attr_list, 0, &result);
921 if (rc != LDAP_SUCCESS) {
922 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
923 ret = NT_STATUS_UNSUCCESSFUL;
927 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
930 DEBUG(10, ("NO SIDs found\n"));
933 for (i = 0; i < count; i++) {
940 if (i == 0) { /* first entry */
941 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
943 } else { /* following ones */
944 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
948 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
953 /* first check if the SID is present */
954 sidstr = smbldap_talloc_single_attribute(
955 ctx->smbldap_state->ldap_struct,
956 entry, LDAP_ATTRIBUTE_SID, memctx);
957 if ( ! sidstr) { /* no sid, skip entry */
958 DEBUG(2, ("WARNING SID not found on entry\n"));
962 /* now try to see if it is a uid, if not try with a gid
963 * (gid is more common, but in case both uidNumber and
964 * gidNumber are returned the SID is mapped to the uid
967 tmp = smbldap_talloc_single_attribute(
968 ctx->smbldap_state->ldap_struct,
969 entry, uidNumber, memctx);
972 tmp = smbldap_talloc_single_attribute(
973 ctx->smbldap_state->ldap_struct,
974 entry, gidNumber, memctx);
976 if ( ! tmp) { /* wow very strange entry, how did it match ? */
977 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
978 "nor gidNumber returned\n", sidstr));
983 id = strtoul(tmp, NULL, 10);
984 if (!idmap_unix_id_is_in_range(id, dom)) {
985 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
987 dom->low_id, dom->high_id));
994 map = find_map_by_id(&ids[bidx], type, id);
996 DEBUG(2, ("WARNING: couldn't match sid (%s) "
997 "with requested ids\n", sidstr));
1002 if ( ! string_to_sid(map->sid, sidstr)) {
1003 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1004 TALLOC_FREE(sidstr);
1008 if (map->status == ID_MAPPED) {
1009 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1010 "overwriting mapping %u -> %s with %u -> %s\n",
1011 (type == ID_TYPE_UID) ? "UID" : "GID",
1012 id, sid_string_dbg(map->sid), id, sidstr));
1015 TALLOC_FREE(sidstr);
1018 map->status = ID_MAPPED;
1020 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1021 (unsigned long)map->xid.id, map->xid.type));
1024 /* free the ldap results */
1026 ldap_msgfree(result);
1030 if (multi && ids[idx]) { /* still some values to map */
1036 /* mark all unknwon/expired ones as unmapped */
1037 for (i = 0; ids[i]; i++) {
1038 if (ids[i]->status != ID_MAPPED)
1039 ids[i]->status = ID_UNMAPPED;
1043 talloc_free(memctx);
1047 /**********************************
1048 lookup a set of sids.
1049 **********************************/
1051 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
1052 * in maps for a match */
1053 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
1057 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1058 if (maps[i] == NULL) { /* end of the run */
1061 if (sid_equal(maps[i]->sid, sid)) {
1069 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
1070 struct id_map **ids)
1072 LDAPMessage *entry = NULL;
1075 struct idmap_ldap_context *ctx;
1076 LDAPMessage *result = NULL;
1077 const char *uidNumber;
1078 const char *gidNumber;
1079 const char **attr_list;
1080 char *filter = NULL;
1088 /* Only do query if we are online */
1089 if (idmap_is_offline()) {
1090 return NT_STATUS_FILE_IS_OFFLINE;
1093 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1095 memctx = talloc_new(ctx);
1097 DEBUG(0, ("Out of memory!\n"));
1098 return NT_STATUS_NO_MEMORY;
1101 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1102 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1104 attr_list = get_attr_list(memctx, sidmap_attr_list);
1107 /* if we are requested just one mapping use the simple filter */
1109 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1110 LDAP_OBJ_IDMAP_ENTRY,
1112 sid_string_talloc(memctx, ids[0]->sid));
1113 CHECK_ALLOC_DONE(filter);
1114 DEBUG(10, ("Filter: [%s]\n", filter));
1116 /* multiple mappings */
1120 for (i = 0; ids[i]; i++) {
1121 ids[i]->status = ID_UNKNOWN;
1127 TALLOC_FREE(filter);
1128 filter = talloc_asprintf(memctx,
1129 "(&(objectClass=%s)(|",
1130 LDAP_OBJ_IDMAP_ENTRY);
1131 CHECK_ALLOC_DONE(filter);
1134 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1135 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
1137 sid_string_talloc(memctx,
1139 CHECK_ALLOC_DONE(filter);
1141 filter = talloc_asprintf_append_buffer(filter, "))");
1142 CHECK_ALLOC_DONE(filter);
1143 DEBUG(10, ("Filter: [%s]", filter));
1149 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1150 filter, attr_list, 0, &result);
1152 if (rc != LDAP_SUCCESS) {
1153 DEBUG(3,("Failure looking up sids (%s)\n",
1154 ldap_err2string(rc)));
1155 ret = NT_STATUS_UNSUCCESSFUL;
1159 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1162 DEBUG(10, ("NO SIDs found\n"));
1165 for (i = 0; i < count; i++) {
1166 char *sidstr = NULL;
1173 if (i == 0) { /* first entry */
1174 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1176 } else { /* following ones */
1177 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1181 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1186 /* first check if the SID is present */
1187 sidstr = smbldap_talloc_single_attribute(
1188 ctx->smbldap_state->ldap_struct,
1189 entry, LDAP_ATTRIBUTE_SID, memctx);
1190 if ( ! sidstr) { /* no sid ??, skip entry */
1191 DEBUG(2, ("WARNING SID not found on entry\n"));
1195 if ( ! string_to_sid(&sid, sidstr)) {
1196 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1197 TALLOC_FREE(sidstr);
1201 map = find_map_by_sid(&ids[bidx], &sid);
1203 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1205 TALLOC_FREE(sidstr);
1209 /* now try to see if it is a uid, if not try with a gid
1210 * (gid is more common, but in case both uidNumber and
1211 * gidNumber are returned the SID is mapped to the uid
1214 tmp = smbldap_talloc_single_attribute(
1215 ctx->smbldap_state->ldap_struct,
1216 entry, uidNumber, memctx);
1219 tmp = smbldap_talloc_single_attribute(
1220 ctx->smbldap_state->ldap_struct,
1221 entry, gidNumber, memctx);
1223 if ( ! tmp) { /* no ids ?? */
1224 DEBUG(5, ("no uidNumber, "
1225 "nor gidNumber attributes found\n"));
1226 TALLOC_FREE(sidstr);
1230 id = strtoul(tmp, NULL, 10);
1231 if (!idmap_unix_id_is_in_range(id, dom)) {
1232 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1234 dom->low_id, dom->high_id));
1235 TALLOC_FREE(sidstr);
1241 if (map->status == ID_MAPPED) {
1242 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1243 "overwriting mapping %s -> %u with %s -> %u\n",
1244 (type == ID_TYPE_UID) ? "UID" : "GID",
1245 sidstr, map->xid.id, sidstr, id));
1248 TALLOC_FREE(sidstr);
1251 map->xid.type = type;
1253 map->status = ID_MAPPED;
1255 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1256 (unsigned long)map->xid.id, map->xid.type));
1259 /* free the ldap results */
1261 ldap_msgfree(result);
1265 if (multi && ids[idx]) { /* still some values to map */
1270 * try to create new mappings for unmapped sids
1272 for (i = 0; ids[i]; i++) {
1273 if (ids[i]->status != ID_MAPPED) {
1274 ids[i]->status = ID_UNMAPPED;
1275 if (ids[i]->sid != NULL) {
1276 ret = idmap_ldap_new_mapping(dom, ids[i]);
1277 if (!NT_STATUS_IS_OK(ret)) {
1287 talloc_free(memctx);
1291 /**********************************
1292 Close the idmap ldap instance
1293 **********************************/
1295 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1297 struct idmap_ldap_context *ctx;
1299 if (dom->private_data) {
1300 ctx = talloc_get_type(dom->private_data,
1301 struct idmap_ldap_context);
1304 dom->private_data = NULL;
1307 return NT_STATUS_OK;
1310 static struct idmap_methods idmap_ldap_methods = {
1312 .init = idmap_ldap_db_init,
1313 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1314 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1315 .allocate_id = idmap_ldap_get_new_id,
1316 .close_fn = idmap_ldap_close
1319 NTSTATUS idmap_ldap_init(void);
1320 NTSTATUS idmap_ldap_init(void)
1322 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1323 &idmap_ldap_methods);
git.samba.org / metze / samba / wip.git / blob