2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
10 Copyright (C) Michael Adam 2010
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
31 #include "../libcli/security/security.h"
34 #define DBGC_CLASS DBGC_IDMAP
40 #include "passdb/pdb_ldap_schema.h"
42 struct idmap_ldap_context {
43 struct smbldap_state *smbldap_state;
48 struct idmap_rw_ops *rw_ops;
51 #define CHECK_ALLOC_DONE(mem) do { \
53 DEBUG(0, ("Out of memory!\n")); \
54 ret = NT_STATUS_NO_MEMORY; \
58 /**********************************************************************
59 IDMAP ALLOC TDB BACKEND
60 **********************************************************************/
62 /*********************************************************************
63 ********************************************************************/
65 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
66 struct smbldap_state *ldap_state,
67 struct idmap_domain *dom,
70 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
72 const char *tmp = NULL;
76 /* assume anonymous if we don't have a specified user */
78 tmp = idmap_config_const_string(dom->name, "ldap_user_dn", NULL);
81 secret = idmap_fetch_secret("ldap", dom->name, tmp);
83 DEBUG(0, ("get_credentials: Unable to fetch "
84 "auth credentials for %s in %s\n",
85 tmp, (dom==NULL)?"ALLOC":dom->name));
86 ret = NT_STATUS_ACCESS_DENIED;
89 *dn = talloc_strdup(mem_ctx, tmp);
90 CHECK_ALLOC_DONE(*dn);
92 if (!fetch_ldap_pw(&user_dn, &secret)) {
93 DEBUG(2, ("get_credentials: Failed to lookup ldap "
94 "bind creds. Using anonymous connection.\n"));
98 *dn = talloc_strdup(mem_ctx, user_dn);
100 CHECK_ALLOC_DONE(*dn);
104 smbldap_set_creds(ldap_state, anon, *dn, secret);
114 /**********************************************************************
115 Verify the sambaUnixIdPool entry in the directory.
116 **********************************************************************/
118 static NTSTATUS verify_idpool(struct idmap_domain *dom)
122 LDAPMessage *result = NULL;
123 LDAPMod **mods = NULL;
124 const char **attr_list;
128 struct idmap_ldap_context *ctx;
130 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
132 mem_ctx = talloc_new(ctx);
133 if (mem_ctx == NULL) {
134 DEBUG(0, ("Out of memory!\n"));
135 return NT_STATUS_NO_MEMORY;
138 filter = talloc_asprintf(mem_ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
139 CHECK_ALLOC_DONE(filter);
141 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
142 CHECK_ALLOC_DONE(attr_list);
144 rc = smbldap_search(ctx->smbldap_state,
152 if (rc != LDAP_SUCCESS) {
153 DEBUG(1, ("Unable to verify the idpool, "
154 "cannot continue initialization!\n"));
155 return NT_STATUS_UNSUCCESSFUL;
158 count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
161 ldap_msgfree(result);
164 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
165 filter, ctx->suffix));
166 ret = NT_STATUS_UNSUCCESSFUL;
169 else if (count == 0) {
170 char *uid_str, *gid_str;
172 uid_str = talloc_asprintf(mem_ctx, "%lu",
173 (unsigned long)dom->low_id);
174 gid_str = talloc_asprintf(mem_ctx, "%lu",
175 (unsigned long)dom->low_id);
177 smbldap_set_mod(&mods, LDAP_MOD_ADD,
178 "objectClass", LDAP_OBJ_IDPOOL);
179 smbldap_set_mod(&mods, LDAP_MOD_ADD,
180 get_attr_key2string(idpool_attr_list,
181 LDAP_ATTR_UIDNUMBER),
183 smbldap_set_mod(&mods, LDAP_MOD_ADD,
184 get_attr_key2string(idpool_attr_list,
185 LDAP_ATTR_GIDNUMBER),
188 rc = smbldap_modify(ctx->smbldap_state,
191 ldap_mods_free(mods, True);
193 ret = NT_STATUS_UNSUCCESSFUL;
198 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
200 talloc_free(mem_ctx);
204 /********************************
205 Allocate a new uid or gid
206 ********************************/
208 static NTSTATUS idmap_ldap_allocate_id_internal(struct idmap_domain *dom,
212 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
213 int rc = LDAP_SERVER_DOWN;
215 LDAPMessage *result = NULL;
216 LDAPMessage *entry = NULL;
217 LDAPMod **mods = NULL;
221 const char *dn = NULL;
222 const char **attr_list;
224 struct idmap_ldap_context *ctx;
227 /* Only do query if we are online */
228 if (idmap_is_offline()) {
229 return NT_STATUS_FILE_IS_OFFLINE;
232 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
234 mem_ctx = talloc_new(ctx);
236 DEBUG(0, ("Out of memory!\n"));
237 return NT_STATUS_NO_MEMORY;
244 type = get_attr_key2string(idpool_attr_list,
245 LDAP_ATTR_UIDNUMBER);
249 type = get_attr_key2string(idpool_attr_list,
250 LDAP_ATTR_GIDNUMBER);
254 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
255 return NT_STATUS_INVALID_PARAMETER;
258 filter = talloc_asprintf(mem_ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
259 CHECK_ALLOC_DONE(filter);
261 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
262 CHECK_ALLOC_DONE(attr_list);
264 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
266 rc = smbldap_search(ctx->smbldap_state,
268 LDAP_SCOPE_SUBTREE, filter,
269 attr_list, 0, &result);
271 if (rc != LDAP_SUCCESS) {
272 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
276 smbldap_talloc_autofree_ldapmsg(mem_ctx, result);
278 count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
281 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
285 entry = ldap_first_entry(smbldap_get_ldap(ctx->smbldap_state), result);
287 dn = smbldap_talloc_dn(mem_ctx,
288 smbldap_get_ldap(ctx->smbldap_state),
294 id_str = smbldap_talloc_single_attribute(
295 smbldap_get_ldap(ctx->smbldap_state),
296 entry, type, mem_ctx);
297 if (id_str == NULL) {
298 DEBUG(0,("%s attribute not found\n", type));
299 ret = NT_STATUS_UNSUCCESSFUL;
303 xid->id = smb_strtoul(id_str, NULL, 10, &error, SMB_STR_STANDARD);
305 ret = NT_STATUS_UNSUCCESSFUL;
309 /* make sure we still have room to grow */
313 if (xid->id > dom->high_id) {
314 DEBUG(0,("Cannot allocate uid above %lu!\n",
315 (unsigned long)dom->high_id));
321 if (xid->id > dom->high_id) {
322 DEBUG(0,("Cannot allocate gid above %lu!\n",
323 (unsigned long)dom->high_id));
333 new_id_str = talloc_asprintf(mem_ctx, "%lu", (unsigned long)xid->id + 1);
335 DEBUG(0,("Out of memory\n"));
336 ret = NT_STATUS_NO_MEMORY;
340 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
341 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
344 DEBUG(0,("smbldap_set_mod() failed.\n"));
348 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
349 id_str, new_id_str));
351 rc = smbldap_modify(ctx->smbldap_state, dn, mods);
353 ldap_mods_free(mods, True);
355 if (rc != LDAP_SUCCESS) {
356 DEBUG(1,("Failed to allocate new %s. "
357 "smbldap_modify() failed.\n", type));
364 talloc_free(mem_ctx);
369 * Allocate a new unix-ID.
370 * For now this is for the default idmap domain only.
371 * Should be extended later on.
373 static NTSTATUS idmap_ldap_allocate_id(struct idmap_domain *dom,
378 if (!strequal(dom->name, "*")) {
379 DEBUG(3, ("idmap_ldap_allocate_id: "
380 "Refusing allocation of a new unixid for domain'%s'. "
381 "This is only supported for the default "
384 return NT_STATUS_NOT_IMPLEMENTED;
387 ret = idmap_ldap_allocate_id_internal(dom, id);
393 /**********************************************************************
394 IDMAP MAPPING LDAP BACKEND
395 **********************************************************************/
397 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
399 smbldap_free_struct(&ctx->smbldap_state);
400 DEBUG(5,("The connection to the LDAP server was closed\n"));
401 /* maybe free the results here --metze */
406 /********************************
407 Initialise idmap database.
408 ********************************/
410 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
411 const struct id_map *map);
413 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
416 struct idmap_ldap_context *ctx = NULL;
417 const char *tmp = NULL;
419 /* Only do init if we are online */
420 if (idmap_is_offline()) {
421 return NT_STATUS_FILE_IS_OFFLINE;
424 ctx = talloc_zero(dom, struct idmap_ldap_context);
426 DEBUG(0, ("Out of memory!\n"));
427 return NT_STATUS_NO_MEMORY;
430 tmp = idmap_config_const_string(dom->name, "ldap_url", NULL);
433 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
434 ret = NT_STATUS_UNSUCCESSFUL;
438 ctx->url = talloc_strdup(ctx, tmp);
440 trim_char(ctx->url, '\"', '\"');
442 tmp = idmap_config_const_string(dom->name, "ldap_base_dn", NULL);
443 if ( ! tmp || ! *tmp) {
444 tmp = lp_ldap_idmap_suffix(talloc_tos());
446 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
447 ret = NT_STATUS_UNSUCCESSFUL;
452 ctx->suffix = talloc_strdup(ctx, tmp);
453 CHECK_ALLOC_DONE(ctx->suffix);
455 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
456 CHECK_ALLOC_DONE(ctx->rw_ops);
458 ctx->rw_ops->get_new_id = idmap_ldap_allocate_id_internal;
459 ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;
461 /* get_credentials deals with setting up creds */
463 ret = smbldap_init(ctx, global_event_context(), ctx->url,
464 false, NULL, NULL, &ctx->smbldap_state);
465 if (!NT_STATUS_IS_OK(ret)) {
466 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
470 ret = get_credentials( ctx, ctx->smbldap_state,
471 dom, &ctx->user_dn );
472 if ( !NT_STATUS_IS_OK(ret) ) {
473 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
474 "credentials (%s)\n", nt_errstr(ret)));
479 * Set the destructor on the context, so that resources are
480 * properly freed when the context is released.
482 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
484 dom->private_data = ctx;
486 ret = verify_idpool(dom);
487 if (!NT_STATUS_IS_OK(ret)) {
488 DEBUG(1, ("idmap_ldap_db_init: failed to verify ID pool (%s)\n",
505 /* TODO: change this: This function cannot be called to modify a mapping,
506 * only set a new one */
508 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
509 const struct id_map *map)
513 struct idmap_ldap_context *ctx;
514 LDAPMessage *entry = NULL;
515 LDAPMod **mods = NULL;
518 struct dom_sid_buf sid;
522 /* Only do query if we are online */
523 if (idmap_is_offline()) {
524 return NT_STATUS_FILE_IS_OFFLINE;
527 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
529 switch(map->xid.type) {
531 type = get_attr_key2string(sidmap_attr_list,
532 LDAP_ATTR_UIDNUMBER);
536 type = get_attr_key2string(sidmap_attr_list,
537 LDAP_ATTR_GIDNUMBER);
541 return NT_STATUS_INVALID_PARAMETER;
544 memctx = talloc_new(ctx);
546 DEBUG(0, ("Out of memory!\n"));
547 return NT_STATUS_NO_MEMORY;
550 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
551 CHECK_ALLOC_DONE(id_str);
553 dn = talloc_asprintf(memctx, "%s=%s,%s",
554 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
555 dom_sid_str_buf(map->sid, &sid),
557 CHECK_ALLOC_DONE(dn);
559 smbldap_set_mod(&mods, LDAP_MOD_ADD,
560 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
562 smbldap_make_mod(smbldap_get_ldap(ctx->smbldap_state),
563 entry, &mods, type, id_str);
565 smbldap_make_mod(smbldap_get_ldap(ctx->smbldap_state), entry, &mods,
566 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
570 DEBUG(2, ("ERROR: No mods?\n"));
571 ret = NT_STATUS_UNSUCCESSFUL;
575 /* TODO: remove conflicting mappings! */
577 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
579 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid.buf, id_str));
581 rc = smbldap_add(ctx->smbldap_state, dn, mods);
582 ldap_mods_free(mods, True);
584 if (rc != LDAP_SUCCESS) {
585 char *ld_error = NULL;
586 ldap_get_option(smbldap_get_ldap(ctx->smbldap_state),
587 LDAP_OPT_ERROR_STRING, &ld_error);
588 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
589 "mapping [%s]\n", sid.buf,
590 (unsigned long)map->xid.id, type));
591 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
592 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
594 ldap_memfree(ld_error);
596 ret = NT_STATUS_UNSUCCESSFUL;
600 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
601 "%lu [%s]\n", sid.buf, (unsigned long)map->xid.id, type));
611 * Create a new mapping for an unmapped SID, also allocating a new ID.
612 * If possible, this should be run inside a transaction to make the
615 static NTSTATUS idmap_ldap_new_mapping(struct idmap_domain *dom, struct id_map *map)
618 struct idmap_ldap_context *ctx;
620 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
622 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
627 /**********************************
628 lookup a set of unix ids.
629 **********************************/
631 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
636 struct idmap_ldap_context *ctx;
637 LDAPMessage *result = NULL;
638 LDAPMessage *entry = NULL;
639 const char *uidNumber;
640 const char *gidNumber;
641 const char **attr_list;
651 /* Only do query if we are online */
652 if (idmap_is_offline()) {
653 return NT_STATUS_FILE_IS_OFFLINE;
656 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
658 memctx = talloc_new(ctx);
660 DEBUG(0, ("Out of memory!\n"));
661 return NT_STATUS_NO_MEMORY;
664 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
665 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
667 attr_list = get_attr_list(memctx, sidmap_attr_list);
670 /* if we are requested just one mapping use the simple filter */
672 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
673 LDAP_OBJ_IDMAP_ENTRY,
674 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
675 (unsigned long)ids[0]->xid.id);
676 CHECK_ALLOC_DONE(filter);
677 DEBUG(10, ("Filter: [%s]\n", filter));
679 /* multiple mappings */
683 for (i = 0; ids[i]; i++) {
684 ids[i]->status = ID_UNKNOWN;
691 filter = talloc_asprintf(memctx,
692 "(&(objectClass=%s)(|",
693 LDAP_OBJ_IDMAP_ENTRY);
694 CHECK_ALLOC_DONE(filter);
697 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
698 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
699 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
700 (unsigned long)ids[idx]->xid.id);
701 CHECK_ALLOC_DONE(filter);
703 filter = talloc_asprintf_append_buffer(filter, "))");
704 CHECK_ALLOC_DONE(filter);
705 DEBUG(10, ("Filter: [%s]\n", filter));
711 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
712 filter, attr_list, 0, &result);
714 if (rc != LDAP_SUCCESS) {
715 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
716 ret = NT_STATUS_UNSUCCESSFUL;
720 count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
724 DEBUG(10, ("NO SIDs found\n"));
727 for (i = 0; i < count; i++) {
733 struct dom_sid_buf buf;
735 if (i == 0) { /* first entry */
736 entry = ldap_first_entry(
737 smbldap_get_ldap(ctx->smbldap_state), result);
738 } else { /* following ones */
739 entry = ldap_next_entry(
740 smbldap_get_ldap(ctx->smbldap_state), entry);
743 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
748 /* first check if the SID is present */
749 sidstr = smbldap_talloc_single_attribute(
750 smbldap_get_ldap(ctx->smbldap_state),
751 entry, LDAP_ATTRIBUTE_SID, memctx);
752 if ( ! sidstr) { /* no sid, skip entry */
753 DEBUG(2, ("WARNING SID not found on entry\n"));
757 /* now try to see if it is a uid, if not try with a gid
758 * (gid is more common, but in case both uidNumber and
759 * gidNumber are returned the SID is mapped to the uid
762 tmp = smbldap_talloc_single_attribute(
763 smbldap_get_ldap(ctx->smbldap_state),
764 entry, uidNumber, memctx);
767 tmp = smbldap_talloc_single_attribute(
768 smbldap_get_ldap(ctx->smbldap_state),
769 entry, gidNumber, memctx);
771 if ( ! tmp) { /* wow very strange entry, how did it match ? */
772 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
773 "nor gidNumber returned\n", sidstr));
778 id = smb_strtoul(tmp, NULL, 10, &error, SMB_STR_STANDARD);
781 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
783 dom->low_id, dom->high_id));
788 if (!idmap_unix_id_is_in_range(id, dom)) {
789 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
791 dom->low_id, dom->high_id));
796 map = idmap_find_map_by_id(&ids[bidx], type, id);
798 DEBUG(2, ("WARNING: couldn't match sid (%s) "
799 "with requested ids\n", sidstr));
804 if ( ! string_to_sid(map->sid, sidstr)) {
805 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
810 if (map->status == ID_MAPPED) {
811 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
812 "overwriting mapping %u -> %s with %u -> %s\n",
813 (type == ID_TYPE_UID) ? "UID" : "GID",
815 dom_sid_str_buf(map->sid, &buf),
823 map->status = ID_MAPPED;
825 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
826 dom_sid_str_buf(map->sid, &buf),
827 (unsigned long)map->xid.id, map->xid.type));
830 /* free the ldap results */
832 ldap_msgfree(result);
836 if (multi && ids[idx]) { /* still some values to map */
842 /* mark all unknwon/expired ones as unmapped */
843 for (i = 0; ids[i]; i++) {
844 if (ids[i]->status != ID_MAPPED)
845 ids[i]->status = ID_UNMAPPED;
853 /**********************************
854 lookup a set of sids.
855 **********************************/
857 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
860 LDAPMessage *entry = NULL;
863 struct idmap_ldap_context *ctx;
864 LDAPMessage *result = NULL;
865 const char *uidNumber;
866 const char *gidNumber;
867 const char **attr_list;
876 /* Only do query if we are online */
877 if (idmap_is_offline()) {
878 return NT_STATUS_FILE_IS_OFFLINE;
881 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
883 memctx = talloc_new(ctx);
885 DEBUG(0, ("Out of memory!\n"));
886 return NT_STATUS_NO_MEMORY;
889 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
890 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
892 attr_list = get_attr_list(memctx, sidmap_attr_list);
895 struct dom_sid_buf buf;
896 /* if we are requested just one mapping use the simple filter */
898 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
899 LDAP_OBJ_IDMAP_ENTRY,
901 dom_sid_str_buf(ids[0]->sid, &buf));
902 CHECK_ALLOC_DONE(filter);
903 DEBUG(10, ("Filter: [%s]\n", filter));
905 /* multiple mappings */
909 for (i = 0; ids[i]; i++) {
910 ids[i]->status = ID_UNKNOWN;
917 filter = talloc_asprintf(memctx,
918 "(&(objectClass=%s)(|",
919 LDAP_OBJ_IDMAP_ENTRY);
920 CHECK_ALLOC_DONE(filter);
923 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
924 struct dom_sid_buf buf;
925 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
927 dom_sid_str_buf(ids[idx]->sid, &buf));
928 CHECK_ALLOC_DONE(filter);
930 filter = talloc_asprintf_append_buffer(filter, "))");
931 CHECK_ALLOC_DONE(filter);
932 DEBUG(10, ("Filter: [%s]", filter));
938 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
939 filter, attr_list, 0, &result);
941 if (rc != LDAP_SUCCESS) {
942 DEBUG(3,("Failure looking up sids (%s)\n",
943 ldap_err2string(rc)));
944 ret = NT_STATUS_UNSUCCESSFUL;
948 count = ldap_count_entries(smbldap_get_ldap(ctx->smbldap_state),
952 DEBUG(10, ("NO SIDs found\n"));
955 for (i = 0; i < count; i++) {
961 struct dom_sid_buf buf;
965 if (i == 0) { /* first entry */
966 entry = ldap_first_entry(
967 smbldap_get_ldap(ctx->smbldap_state), result);
968 } else { /* following ones */
969 entry = ldap_next_entry(
970 smbldap_get_ldap(ctx->smbldap_state), entry);
973 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
978 /* first check if the SID is present */
979 sidstr = smbldap_talloc_single_attribute(
980 smbldap_get_ldap(ctx->smbldap_state),
981 entry, LDAP_ATTRIBUTE_SID, memctx);
982 if ( ! sidstr) { /* no sid ??, skip entry */
983 DEBUG(2, ("WARNING SID not found on entry\n"));
987 if ( ! string_to_sid(&sid, sidstr)) {
988 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
993 map = idmap_find_map_by_sid(&ids[bidx], &sid);
995 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1001 /* now try to see if it is a uid, if not try with a gid
1002 * (gid is more common, but in case both uidNumber and
1003 * gidNumber are returned the SID is mapped to the uid
1006 tmp = smbldap_talloc_single_attribute(
1007 smbldap_get_ldap(ctx->smbldap_state),
1008 entry, uidNumber, memctx);
1011 tmp = smbldap_talloc_single_attribute(
1012 smbldap_get_ldap(ctx->smbldap_state),
1013 entry, gidNumber, memctx);
1015 if ( ! tmp) { /* no ids ?? */
1016 DEBUG(5, ("no uidNumber, "
1017 "nor gidNumber attributes found\n"));
1018 TALLOC_FREE(sidstr);
1022 id = smb_strtoul(tmp, NULL, 10, &error, SMB_STR_STANDARD);
1025 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1027 dom->low_id, dom->high_id));
1028 TALLOC_FREE(sidstr);
1032 if (error != 0 || !idmap_unix_id_is_in_range(id, dom)) {
1033 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1035 dom->low_id, dom->high_id));
1036 TALLOC_FREE(sidstr);
1040 if (map->status == ID_MAPPED) {
1041 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1042 "overwriting mapping %s -> %u with %s -> %u\n",
1043 (type == ID_TYPE_UID) ? "UID" : "GID",
1044 sidstr, map->xid.id, sidstr, id));
1047 TALLOC_FREE(sidstr);
1050 map->xid.type = type;
1052 map->status = ID_MAPPED;
1054 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
1055 dom_sid_str_buf(map->sid, &buf),
1056 (unsigned long)map->xid.id,
1060 /* free the ldap results */
1062 ldap_msgfree(result);
1066 if (multi && ids[idx]) { /* still some values to map */
1071 * try to create new mappings for unmapped sids
1073 for (i = 0; ids[i]; i++) {
1074 if (ids[i]->status != ID_MAPPED) {
1075 ids[i]->status = ID_UNMAPPED;
1076 if (ids[i]->sid != NULL) {
1077 ret = idmap_ldap_new_mapping(dom, ids[i]);
1078 if (!NT_STATUS_IS_OK(ret)) {
1088 talloc_free(memctx);
1092 /**********************************
1093 Close the idmap ldap instance
1094 **********************************/
1096 static struct idmap_methods idmap_ldap_methods = {
1098 .init = idmap_ldap_db_init,
1099 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1100 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1101 .allocate_id = idmap_ldap_allocate_id,
1104 NTSTATUS idmap_ldap_init(TALLOC_CTX *);
1105 NTSTATUS idmap_ldap_init(TALLOC_CTX *ctx)
1107 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1108 &idmap_ldap_methods);