2006-12-12 14:52:13 +00:00
/*
Unix SMB / CIFS implementation .
idmap LDAP backend
Copyright ( C ) Tim Potter 2000
Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2003
Copyright ( C ) Gerald Carter 2003
2007-09-10 19:04:57 +00:00
Copyright ( C ) Simo Sorce 2003 - 2007
2010-06-23 12:39:59 +02:00
Copyright ( C ) Michael Adam 2010
2006-12-12 14:52:13 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2006-12-12 14:52:13 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2006-12-12 14:52:13 +00:00
*/
# include "includes.h"
2007-03-11 16:49:16 +00:00
# include "winbindd.h"
2010-08-05 02:25:37 +02:00
# include "secrets.h"
2010-08-18 18:13:42 +02:00
# include "idmap.h"
2010-06-23 12:18:35 +02:00
# include "idmap_rw.h"
2010-10-12 15:27:50 +11:00
# include "../libcli/security/security.h"
2020-07-03 08:11:20 +02:00
# include "lib/util/smb_strtox.h"
2021-01-03 21:53:49 +01:00
# include "lib/global_contexts.h"
2006-12-12 14:52:13 +00:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_IDMAP
# include <lber.h>
# include <ldap.h>
# include "smbldap.h"
2011-10-17 18:03:31 +02:00
# include "passdb/pdb_ldap_schema.h"
2006-12-12 14:52:13 +00:00
2010-06-17 19:45:39 +02:00
struct idmap_ldap_context {
2006-12-12 14:52:13 +00:00
struct smbldap_state * smbldap_state ;
char * url ;
char * suffix ;
char * user_dn ;
2010-06-17 19:45:39 +02:00
bool anon ;
2010-06-23 12:18:35 +02:00
struct idmap_rw_ops * rw_ops ;
2006-12-12 14:52:13 +00:00
} ;
2007-09-10 19:04:57 +00:00
# define CHECK_ALLOC_DONE(mem) do { \
if ( ! mem ) { \
DEBUG ( 0 , ( " Out of memory! \n " ) ) ; \
ret = NT_STATUS_NO_MEMORY ; \
goto done ; \
} } while ( 0 )
2006-12-12 14:52:13 +00:00
/**********************************************************************
IDMAP ALLOC TDB BACKEND
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-09-10 19:04:57 +00:00
2007-02-06 17:29:18 +00:00
/*********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-09-10 19:04:57 +00:00
static NTSTATUS get_credentials ( TALLOC_CTX * mem_ctx ,
2007-02-06 17:29:18 +00:00
struct smbldap_state * ldap_state ,
struct idmap_domain * dom ,
char * * dn )
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
char * secret = NULL ;
const char * tmp = NULL ;
2007-09-10 19:04:57 +00:00
char * user_dn = NULL ;
2007-10-18 17:40:25 -07:00
bool anon = False ;
2007-09-10 19:04:57 +00:00
2007-02-06 17:29:18 +00:00
/* assume anonymous if we don't have a specified user */
2017-03-18 18:38:10 +01:00
tmp = idmap_config_const_string ( dom - > name , " ldap_user_dn " , NULL ) ;
2007-02-06 17:29:18 +00:00
if ( tmp ) {
2017-04-06 11:35:23 +02:00
secret = idmap_fetch_secret ( " ldap " , dom - > name , tmp ) ;
2007-02-06 17:29:18 +00:00
if ( ! secret ) {
DEBUG ( 0 , ( " get_credentials: Unable to fetch "
" auth credentials for %s in %s \n " ,
2007-05-03 12:28:25 +00:00
tmp , ( dom = = NULL ) ? " ALLOC " : dom - > name ) ) ;
2007-02-06 17:29:18 +00:00
ret = NT_STATUS_ACCESS_DENIED ;
goto done ;
2007-09-10 19:04:57 +00:00
}
2007-02-06 17:29:18 +00:00
* dn = talloc_strdup ( mem_ctx , tmp ) ;
2007-09-10 19:04:57 +00:00
CHECK_ALLOC_DONE ( * dn ) ;
2007-02-06 17:29:18 +00:00
} else {
2007-09-10 19:04:57 +00:00
if ( ! fetch_ldap_pw ( & user_dn , & secret ) ) {
2007-02-06 17:29:18 +00:00
DEBUG ( 2 , ( " get_credentials: Failed to lookup ldap "
2007-09-10 19:04:57 +00:00
" bind creds. Using anonymous connection. \n " ) ) ;
2007-09-10 19:19:59 +00:00
anon = True ;
2009-10-15 16:55:40 -07:00
* dn = NULL ;
2007-02-06 17:29:18 +00:00
} else {
* dn = talloc_strdup ( mem_ctx , user_dn ) ;
2007-09-10 19:04:57 +00:00
SAFE_FREE ( user_dn ) ;
2007-02-06 17:29:18 +00:00
CHECK_ALLOC_DONE ( * dn ) ;
2007-09-10 19:04:57 +00:00
}
2007-02-06 17:29:18 +00:00
}
2007-09-10 19:14:22 +00:00
smbldap_set_creds ( ldap_state , anon , * dn , secret ) ;
2007-02-06 17:29:18 +00:00
ret = NT_STATUS_OK ;
2007-09-10 19:04:57 +00:00
2007-09-10 19:14:22 +00:00
done :
2007-09-10 19:04:57 +00:00
SAFE_FREE ( secret ) ;
2007-02-06 17:29:18 +00:00
2007-09-10 19:04:57 +00:00
return ret ;
2007-02-06 17:29:18 +00:00
}
2006-12-12 14:52:13 +00:00
/**********************************************************************
2007-09-10 19:04:57 +00:00
Verify the sambaUnixIdPool entry in the directory .
2006-12-12 14:52:13 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-06-17 18:59:28 +02:00
static NTSTATUS verify_idpool ( struct idmap_domain * dom )
2006-12-12 14:52:13 +00:00
{
NTSTATUS ret ;
2010-06-17 19:45:39 +02:00
TALLOC_CTX * mem_ctx ;
2006-12-12 14:52:13 +00:00
LDAPMessage * result = NULL ;
LDAPMod * * mods = NULL ;
const char * * attr_list ;
char * filter ;
int count ;
int rc ;
2010-06-17 19:45:39 +02:00
struct idmap_ldap_context * ctx ;
ctx = talloc_get_type ( dom - > private_data , struct idmap_ldap_context ) ;
2007-09-10 19:04:57 +00:00
2010-12-08 00:19:23 +01:00
mem_ctx = talloc_new ( ctx ) ;
2010-06-17 19:45:39 +02:00
if ( mem_ctx = = NULL ) {
2006-12-12 14:52:13 +00:00
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2010-06-17 19:45:39 +02:00
filter = talloc_asprintf ( mem_ctx , " (objectclass=%s) " , LDAP_OBJ_IDPOOL ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
2007-09-10 19:04:57 +00:00
2010-06-17 19:45:39 +02:00
attr_list = get_attr_list ( mem_ctx , idpool_attr_list ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( attr_list ) ;
2010-12-08 00:19:23 +01:00
rc = smbldap_search ( ctx - > smbldap_state ,
ctx - > suffix ,
2006-12-12 14:52:13 +00:00
LDAP_SCOPE_SUBTREE ,
filter ,
attr_list ,
0 ,
& result ) ;
if ( rc ! = LDAP_SUCCESS ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 1 , ( " Unable to verify the idpool, "
" cannot continue initialization! \n " ) ) ;
2006-12-12 14:52:13 +00:00
return NT_STATUS_UNSUCCESSFUL ;
}
2017-04-19 13:29:31 +02:00
count = ldap_count_entries ( smbldap_get_ldap ( ctx - > smbldap_state ) ,
result ) ;
2006-12-12 14:52:13 +00:00
ldap_msgfree ( result ) ;
if ( count > 1 ) {
DEBUG ( 0 , ( " Multiple entries returned from %s (base == %s) \n " ,
2010-12-08 00:19:23 +01:00
filter , ctx - > suffix ) ) ;
2006-12-12 14:52:13 +00:00
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
else if ( count = = 0 ) {
char * uid_str , * gid_str ;
2007-09-10 19:04:57 +00:00
2010-06-17 19:45:39 +02:00
uid_str = talloc_asprintf ( mem_ctx , " %lu " ,
2010-06-17 18:59:28 +02:00
( unsigned long ) dom - > low_id ) ;
2010-06-17 19:45:39 +02:00
gid_str = talloc_asprintf ( mem_ctx , " %lu " ,
2010-06-17 18:59:28 +02:00
( unsigned long ) dom - > low_id ) ;
2006-12-12 14:52:13 +00:00
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
" objectClass " , LDAP_OBJ_IDPOOL ) ;
2007-09-10 19:04:57 +00:00
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
get_attr_key2string ( idpool_attr_list ,
LDAP_ATTR_UIDNUMBER ) ,
2006-12-12 14:52:13 +00:00
uid_str ) ;
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
2007-09-10 19:04:57 +00:00
get_attr_key2string ( idpool_attr_list ,
LDAP_ATTR_GIDNUMBER ) ,
2006-12-12 14:52:13 +00:00
gid_str ) ;
if ( mods ) {
2010-12-08 00:19:23 +01:00
rc = smbldap_modify ( ctx - > smbldap_state ,
ctx - > suffix ,
2006-12-12 14:52:13 +00:00
mods ) ;
ldap_mods_free ( mods , True ) ;
} else {
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
}
ret = ( rc = = LDAP_SUCCESS ) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL ;
done :
2010-06-17 19:45:39 +02:00
talloc_free ( mem_ctx ) ;
2006-12-12 14:52:13 +00:00
return ret ;
}
/********************************
Allocate a new uid or gid
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2011-06-01 00:25:23 +02:00
static NTSTATUS idmap_ldap_allocate_id_internal ( struct idmap_domain * dom ,
struct unixid * xid )
2006-12-12 14:52:13 +00:00
{
2010-06-17 19:45:39 +02:00
TALLOC_CTX * mem_ctx ;
2006-12-12 14:52:13 +00:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
int rc = LDAP_SERVER_DOWN ;
int count = 0 ;
LDAPMessage * result = NULL ;
LDAPMessage * entry = NULL ;
LDAPMod * * mods = NULL ;
char * id_str ;
char * new_id_str ;
char * filter = NULL ;
const char * dn = NULL ;
const char * * attr_list ;
const char * type ;
2010-06-17 19:45:39 +02:00
struct idmap_ldap_context * ctx ;
2019-01-28 14:07:39 +01:00
int error = 0 ;
2006-12-12 14:52:13 +00:00
2007-04-18 21:10:37 +00:00
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
2010-06-17 19:45:39 +02:00
ctx = talloc_get_type ( dom - > private_data , struct idmap_ldap_context ) ;
2010-12-08 00:24:01 +01:00
mem_ctx = talloc_new ( ctx ) ;
2010-06-17 19:45:39 +02:00
if ( ! mem_ctx ) {
2006-12-12 14:52:13 +00:00
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
/* get type */
switch ( xid - > type ) {
case ID_TYPE_UID :
2007-09-10 19:04:57 +00:00
type = get_attr_key2string ( idpool_attr_list ,
LDAP_ATTR_UIDNUMBER ) ;
2006-12-12 14:52:13 +00:00
break ;
case ID_TYPE_GID :
2007-09-10 19:04:57 +00:00
type = get_attr_key2string ( idpool_attr_list ,
LDAP_ATTR_GIDNUMBER ) ;
2006-12-12 14:52:13 +00:00
break ;
2020-09-15 17:26:11 +02:00
case ID_TYPE_BOTH :
/*
* This is not supported here yet and
* already handled in idmap_rw_new_mapping ( )
*/
FALL_THROUGH ;
case ID_TYPE_NOT_SPECIFIED :
/*
* This is handled in idmap_rw_new_mapping ( )
*/
FALL_THROUGH ;
2006-12-12 14:52:13 +00:00
default :
DEBUG ( 2 , ( " Invalid ID type (0x%x) \n " , xid - > type ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
2010-06-17 19:45:39 +02:00
filter = talloc_asprintf ( mem_ctx , " (objectClass=%s) " , LDAP_OBJ_IDPOOL ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
2010-06-17 19:45:39 +02:00
attr_list = get_attr_list ( mem_ctx , idpool_attr_list ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( attr_list ) ;
DEBUG ( 10 , ( " Search of the id pool (filter: %s) \n " , filter ) ) ;
2010-12-08 00:24:01 +01:00
rc = smbldap_search ( ctx - > smbldap_state ,
ctx - > suffix ,
LDAP_SCOPE_SUBTREE , filter ,
attr_list , 0 , & result ) ;
2007-09-10 19:04:57 +00:00
2006-12-12 14:52:13 +00:00
if ( rc ! = LDAP_SUCCESS ) {
DEBUG ( 0 , ( " %s object not found \n " , LDAP_OBJ_IDPOOL ) ) ;
goto done ;
}
2012-09-06 18:53:00 +03:00
smbldap_talloc_autofree_ldapmsg ( mem_ctx , result ) ;
2007-09-10 19:04:57 +00:00
2017-04-19 13:29:31 +02:00
count = ldap_count_entries ( smbldap_get_ldap ( ctx - > smbldap_state ) ,
result ) ;
2006-12-12 14:52:13 +00:00
if ( count ! = 1 ) {
DEBUG ( 0 , ( " Single %s object not found \n " , LDAP_OBJ_IDPOOL ) ) ;
goto done ;
}
2017-04-19 13:29:31 +02:00
entry = ldap_first_entry ( smbldap_get_ldap ( ctx - > smbldap_state ) , result ) ;
2006-12-12 14:52:13 +00:00
2010-06-17 19:45:39 +02:00
dn = smbldap_talloc_dn ( mem_ctx ,
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2007-09-10 19:04:57 +00:00
entry ) ;
2006-12-12 14:52:13 +00:00
if ( ! dn ) {
goto done ;
}
2010-06-17 19:45:39 +02:00
id_str = smbldap_talloc_single_attribute (
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2010-06-17 19:45:39 +02:00
entry , type , mem_ctx ) ;
if ( id_str = = NULL ) {
2006-12-12 14:52:13 +00:00
DEBUG ( 0 , ( " %s attribute not found \n " , type ) ) ;
2010-06-17 20:50:36 +02:00
ret = NT_STATUS_UNSUCCESSFUL ;
2006-12-12 14:52:13 +00:00
goto done ;
}
2019-06-04 09:04:15 +02:00
xid - > id = smb_strtoul ( id_str , NULL , 10 , & error , SMB_STR_STANDARD ) ;
2019-01-28 14:07:39 +01:00
if ( error ! = 0 ) {
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
2006-12-12 14:52:13 +00:00
/* make sure we still have room to grow */
switch ( xid - > type ) {
case ID_TYPE_UID :
2010-06-17 19:03:12 +02:00
if ( xid - > id > dom - > high_id ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 0 , ( " Cannot allocate uid above %lu! \n " ,
2010-06-17 19:03:12 +02:00
( unsigned long ) dom - > high_id ) ) ;
2006-12-12 14:52:13 +00:00
goto done ;
}
break ;
2007-09-10 19:04:57 +00:00
case ID_TYPE_GID :
2010-06-17 19:03:12 +02:00
if ( xid - > id > dom - > high_id ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 0 , ( " Cannot allocate gid above %lu! \n " ,
2010-06-17 19:03:12 +02:00
( unsigned long ) dom - > high_id ) ) ;
2006-12-12 14:52:13 +00:00
goto done ;
}
break ;
default :
/* impossible */
goto done ;
}
2007-09-10 19:04:57 +00:00
2010-06-17 19:45:39 +02:00
new_id_str = talloc_asprintf ( mem_ctx , " %lu " , ( unsigned long ) xid - > id + 1 ) ;
2006-12-12 14:52:13 +00:00
if ( ! new_id_str ) {
DEBUG ( 0 , ( " Out of memory \n " ) ) ;
ret = NT_STATUS_NO_MEMORY ;
goto done ;
}
2007-09-10 19:04:57 +00:00
2006-12-12 14:52:13 +00:00
smbldap_set_mod ( & mods , LDAP_MOD_DELETE , type , id_str ) ;
smbldap_set_mod ( & mods , LDAP_MOD_ADD , type , new_id_str ) ;
if ( mods = = NULL ) {
DEBUG ( 0 , ( " smbldap_set_mod() failed. \n " ) ) ;
2007-09-10 19:04:57 +00:00
goto done ;
2006-12-12 14:52:13 +00:00
}
2007-09-10 19:04:57 +00:00
DEBUG ( 10 , ( " Try to atomically increment the id (%s -> %s) \n " ,
id_str , new_id_str ) ) ;
2006-12-12 14:52:13 +00:00
2010-12-08 00:24:01 +01:00
rc = smbldap_modify ( ctx - > smbldap_state , dn , mods ) ;
2006-12-12 14:52:13 +00:00
ldap_mods_free ( mods , True ) ;
if ( rc ! = LDAP_SUCCESS ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 1 , ( " Failed to allocate new %s. "
" smbldap_modify() failed. \n " , type ) ) ;
2006-12-12 14:52:13 +00:00
goto done ;
}
2007-09-10 19:04:57 +00:00
2006-12-12 14:52:13 +00:00
ret = NT_STATUS_OK ;
done :
2010-06-17 19:45:39 +02:00
talloc_free ( mem_ctx ) ;
2006-12-12 14:52:13 +00:00
return ret ;
}
2010-06-17 20:18:27 +02:00
/**
* Allocate a new unix - ID .
* For now this is for the default idmap domain only .
* Should be extended later on .
*/
2011-06-01 00:25:23 +02:00
static NTSTATUS idmap_ldap_allocate_id ( struct idmap_domain * dom ,
struct unixid * id )
2010-06-17 20:18:27 +02:00
{
NTSTATUS ret ;
if ( ! strequal ( dom - > name , " * " ) ) {
2011-06-01 00:25:23 +02:00
DEBUG ( 3 , ( " idmap_ldap_allocate_id: "
2010-06-17 20:18:27 +02:00
" Refusing allocation of a new unixid for domain'%s'. "
2011-06-01 00:25:23 +02:00
" This is only supported for the default "
2010-06-17 20:18:27 +02:00
" domain \" * \" . \n " ,
dom - > name ) ) ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
2011-06-01 00:25:23 +02:00
ret = idmap_ldap_allocate_id_internal ( dom , id ) ;
2010-06-17 20:18:27 +02:00
return ret ;
}
2006-12-12 14:52:13 +00:00
/**********************************************************************
IDMAP MAPPING LDAP BACKEND
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-09-10 19:04:57 +00:00
2006-12-12 14:52:13 +00:00
static int idmap_ldap_close_destructor ( struct idmap_ldap_context * ctx )
{
smbldap_free_struct ( & ctx - > smbldap_state ) ;
DEBUG ( 5 , ( " The connection to the LDAP server was closed \n " ) ) ;
/* maybe free the results here --metze */
return 0 ;
}
/********************************
2007-09-10 19:04:57 +00:00
Initialise idmap database .
2006-12-12 14:52:13 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-06-23 12:18:35 +02:00
static NTSTATUS idmap_ldap_set_mapping ( struct idmap_domain * dom ,
const struct id_map * map ) ;
2011-03-02 23:00:58 +01:00
static NTSTATUS idmap_ldap_db_init ( struct idmap_domain * dom )
2006-12-12 14:52:13 +00:00
{
NTSTATUS ret ;
2007-02-06 17:29:18 +00:00
struct idmap_ldap_context * ctx = NULL ;
const char * tmp = NULL ;
2007-04-18 21:10:37 +00:00
/* Only do init if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
2011-06-07 11:44:43 +10:00
ctx = talloc_zero ( dom , struct idmap_ldap_context ) ;
2006-12-12 14:52:13 +00:00
if ( ! ctx ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2017-03-18 18:40:28 +01:00
tmp = idmap_config_const_string ( dom - > name , " ldap_url " , NULL ) ;
2006-12-12 14:52:13 +00:00
2011-03-02 17:04:59 +01:00
if ( ! tmp ) {
DEBUG ( 1 , ( " ERROR: missing idmap ldap url \n " ) ) ;
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2006-12-12 14:52:13 +00:00
}
2011-03-02 17:04:59 +01:00
ctx - > url = talloc_strdup ( ctx , tmp ) ;
2006-12-12 14:52:13 +00:00
2009-11-20 12:44:43 +01:00
trim_char ( ctx - > url , ' \" ' , ' \" ' ) ;
2017-03-18 18:40:28 +01:00
tmp = idmap_config_const_string ( dom - > name , " ldap_base_dn " , NULL ) ;
2009-11-20 15:03:59 +01:00
if ( ! tmp | | ! * tmp ) {
2012-07-18 15:07:23 +09:30
tmp = lp_ldap_idmap_suffix ( talloc_tos ( ) ) ;
2009-11-20 15:03:59 +01:00
if ( ! tmp ) {
DEBUG ( 1 , ( " ERROR: missing idmap ldap suffix \n " ) ) ;
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
2007-09-10 16:21:55 +00:00
}
2009-11-20 15:03:59 +01:00
}
2007-09-10 16:21:55 +00:00
2006-12-12 14:52:13 +00:00
ctx - > suffix = talloc_strdup ( ctx , tmp ) ;
CHECK_ALLOC_DONE ( ctx - > suffix ) ;
2010-06-23 12:18:35 +02:00
ctx - > rw_ops = talloc_zero ( ctx , struct idmap_rw_ops ) ;
CHECK_ALLOC_DONE ( ctx - > rw_ops ) ;
2011-06-01 00:30:11 +02:00
ctx - > rw_ops - > get_new_id = idmap_ldap_allocate_id_internal ;
2010-06-23 12:18:35 +02:00
ctx - > rw_ops - > set_mapping = idmap_ldap_set_mapping ;
2011-11-15 23:56:38 +01:00
/* get_credentials deals with setting up creds */
2018-08-21 11:06:16 -07:00
ret = smbldap_init ( ctx , global_event_context ( ) , ctx - > url ,
2011-11-15 23:56:38 +01:00
false , NULL , NULL , & ctx - > smbldap_state ) ;
2006-12-12 14:52:13 +00:00
if ( ! NT_STATUS_IS_OK ( ret ) ) {
DEBUG ( 1 , ( " ERROR: smbldap_init (%s) failed! \n " , ctx - > url ) ) ;
goto done ;
}
2017-03-18 18:38:10 +01:00
ret = get_credentials ( ctx , ctx - > smbldap_state ,
2007-02-06 17:29:18 +00:00
dom , & ctx - > user_dn ) ;
if ( ! NT_STATUS_IS_OK ( ret ) ) {
DEBUG ( 1 , ( " idmap_ldap_db_init: Failed to get connection "
" credentials (%s) \n " , nt_errstr ( ret ) ) ) ;
goto done ;
2007-09-10 19:04:57 +00:00
}
2011-03-02 17:10:48 +01:00
/*
* Set the destructor on the context , so that resources are
* properly freed when the context is released .
*/
2006-12-12 14:52:13 +00:00
talloc_set_destructor ( ctx , idmap_ldap_close_destructor ) ;
dom - > private_data = ctx ;
2010-12-08 00:04:20 +01:00
ret = verify_idpool ( dom ) ;
2010-06-17 19:17:48 +02:00
if ( ! NT_STATUS_IS_OK ( ret ) ) {
2010-12-08 00:04:20 +01:00
DEBUG ( 1 , ( " idmap_ldap_db_init: failed to verify ID pool (%s) \n " ,
nt_errstr ( ret ) ) ) ;
2010-06-17 19:17:48 +02:00
goto done ;
}
2006-12-12 14:52:13 +00:00
return NT_STATUS_OK ;
/*failed */
done :
talloc_free ( ctx ) ;
return ret ;
}
2010-06-17 20:15:25 +02:00
/**
* set a mapping .
*/
/* TODO: change this: This function cannot be called to modify a mapping,
* only set a new one */
static NTSTATUS idmap_ldap_set_mapping ( struct idmap_domain * dom ,
const struct id_map * map )
{
NTSTATUS ret ;
TALLOC_CTX * memctx ;
struct idmap_ldap_context * ctx ;
LDAPMessage * entry = NULL ;
LDAPMod * * mods = NULL ;
const char * type ;
char * id_str ;
2018-12-10 12:32:12 +01:00
struct dom_sid_buf sid ;
2010-06-17 20:15:25 +02:00
char * dn ;
int rc = - 1 ;
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
ctx = talloc_get_type ( dom - > private_data , struct idmap_ldap_context ) ;
switch ( map - > xid . type ) {
case ID_TYPE_UID :
type = get_attr_key2string ( sidmap_attr_list ,
LDAP_ATTR_UIDNUMBER ) ;
break ;
case ID_TYPE_GID :
type = get_attr_key2string ( sidmap_attr_list ,
LDAP_ATTR_GIDNUMBER ) ;
break ;
default :
return NT_STATUS_INVALID_PARAMETER ;
}
memctx = talloc_new ( ctx ) ;
if ( ! memctx ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
id_str = talloc_asprintf ( memctx , " %lu " , ( unsigned long ) map - > xid . id ) ;
CHECK_ALLOC_DONE ( id_str ) ;
dn = talloc_asprintf ( memctx , " %s=%s,%s " ,
get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_SID ) ,
2018-12-10 12:32:12 +01:00
dom_sid_str_buf ( map - > sid , & sid ) ,
2010-06-17 20:15:25 +02:00
ctx - > suffix ) ;
CHECK_ALLOC_DONE ( dn ) ;
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
" objectClass " , LDAP_OBJ_IDMAP_ENTRY ) ;
2017-04-19 13:29:31 +02:00
smbldap_make_mod ( smbldap_get_ldap ( ctx - > smbldap_state ) ,
2010-06-17 20:15:25 +02:00
entry , & mods , type , id_str ) ;
2017-04-19 13:29:31 +02:00
smbldap_make_mod ( smbldap_get_ldap ( ctx - > smbldap_state ) , entry , & mods ,
2010-06-17 20:15:25 +02:00
get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_SID ) ,
2018-12-10 12:32:12 +01:00
sid . buf ) ;
2010-06-17 20:15:25 +02:00
if ( ! mods ) {
DEBUG ( 2 , ( " ERROR: No mods? \n " ) ) ;
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
/* TODO: remove conflicting mappings! */
smbldap_set_mod ( & mods , LDAP_MOD_ADD , " objectClass " , LDAP_OBJ_SID_ENTRY ) ;
2018-12-10 12:32:12 +01:00
DEBUG ( 10 , ( " Set DN %s (%s -> %s) \n " , dn , sid . buf , id_str ) ) ;
2010-06-17 20:15:25 +02:00
rc = smbldap_add ( ctx - > smbldap_state , dn , mods ) ;
ldap_mods_free ( mods , True ) ;
if ( rc ! = LDAP_SUCCESS ) {
char * ld_error = NULL ;
2017-04-19 13:29:31 +02:00
ldap_get_option ( smbldap_get_ldap ( ctx - > smbldap_state ) ,
2010-06-17 20:15:25 +02:00
LDAP_OPT_ERROR_STRING , & ld_error ) ;
DEBUG ( 0 , ( " ldap_set_mapping_internals: Failed to add %s to %lu "
2018-12-10 12:32:12 +01:00
" mapping [%s] \n " , sid . buf ,
2010-06-17 20:15:25 +02:00
( unsigned long ) map - > xid . id , type ) ) ;
DEBUG ( 0 , ( " ldap_set_mapping_internals: Error was: %s (%s) \n " ,
ld_error ? ld_error : " (NULL) " , ldap_err2string ( rc ) ) ) ;
if ( ld_error ) {
ldap_memfree ( ld_error ) ;
}
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
DEBUG ( 10 , ( " ldap_set_mapping: Successfully created mapping from %s to "
2018-12-10 12:32:12 +01:00
" %lu [%s] \n " , sid . buf , ( unsigned long ) map - > xid . id , type ) ) ;
2010-06-17 20:15:25 +02:00
ret = NT_STATUS_OK ;
done :
talloc_free ( memctx ) ;
return ret ;
}
2010-06-17 20:19:46 +02:00
/**
* Create a new mapping for an unmapped SID , also allocating a new ID .
* If possible , this should be run inside a transaction to make the
* action atomic .
*/
static NTSTATUS idmap_ldap_new_mapping ( struct idmap_domain * dom , struct id_map * map )
{
NTSTATUS ret ;
2010-06-23 12:02:31 +02:00
struct idmap_ldap_context * ctx ;
2010-06-17 20:19:46 +02:00
2010-06-23 12:02:31 +02:00
ctx = talloc_get_type ( dom - > private_data , struct idmap_ldap_context ) ;
2010-06-17 20:19:46 +02:00
2010-06-23 12:02:31 +02:00
ret = idmap_rw_new_mapping ( dom , ctx - > rw_ops , map ) ;
2010-06-17 20:19:46 +02:00
return ret ;
}
2006-12-12 14:52:13 +00:00
/**********************************
2007-09-10 19:04:57 +00:00
lookup a set of unix ids .
2006-12-12 14:52:13 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-09-10 19:04:57 +00:00
static NTSTATUS idmap_ldap_unixids_to_sids ( struct idmap_domain * dom ,
struct id_map * * ids )
2006-12-12 14:52:13 +00:00
{
NTSTATUS ret ;
TALLOC_CTX * memctx ;
struct idmap_ldap_context * ctx ;
LDAPMessage * result = NULL ;
2009-05-22 11:58:00 +02:00
LDAPMessage * entry = NULL ;
2006-12-12 14:52:13 +00:00
const char * uidNumber ;
const char * gidNumber ;
const char * * attr_list ;
char * filter = NULL ;
2007-10-18 17:40:25 -07:00
bool multi = False ;
2006-12-12 14:52:13 +00:00
int idx = 0 ;
int bidx = 0 ;
int count ;
int rc ;
int i ;
2019-01-28 14:07:39 +01:00
int error = 0 ;
2006-12-12 14:52:13 +00:00
2007-04-18 21:10:37 +00:00
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
2007-09-10 19:04:57 +00:00
ctx = talloc_get_type ( dom - > private_data , struct idmap_ldap_context ) ;
2006-12-12 14:52:13 +00:00
memctx = talloc_new ( ctx ) ;
if ( ! memctx ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
uidNumber = get_attr_key2string ( idpool_attr_list , LDAP_ATTR_UIDNUMBER ) ;
gidNumber = get_attr_key2string ( idpool_attr_list , LDAP_ATTR_GIDNUMBER ) ;
2007-08-24 11:25:38 +00:00
attr_list = get_attr_list ( memctx , sidmap_attr_list ) ;
2006-12-12 14:52:13 +00:00
if ( ! ids [ 1 ] ) {
/* if we are requested just one mapping use the simple filter */
filter = talloc_asprintf ( memctx , " (&(objectClass=%s)(%s=%lu)) " ,
LDAP_OBJ_IDMAP_ENTRY ,
( ids [ 0 ] - > xid . type = = ID_TYPE_UID ) ? uidNumber : gidNumber ,
( unsigned long ) ids [ 0 ] - > xid . id ) ;
CHECK_ALLOC_DONE ( filter ) ;
DEBUG ( 10 , ( " Filter: [%s] \n " , filter ) ) ;
} else {
/* multiple mappings */
multi = True ;
}
2009-02-26 17:44:33 +08:00
for ( i = 0 ; ids [ i ] ; i + + ) {
ids [ i ] - > status = ID_UNKNOWN ;
}
2006-12-12 14:52:13 +00:00
again :
if ( multi ) {
talloc_free ( filter ) ;
2007-09-10 19:04:57 +00:00
filter = talloc_asprintf ( memctx ,
" (&(objectClass=%s)(| " ,
LDAP_OBJ_IDMAP_ENTRY ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
bidx = idx ;
for ( i = 0 ; ( i < IDMAP_LDAP_MAX_IDS ) & & ids [ idx ] ; i + + , idx + + ) {
2007-09-14 17:42:10 +00:00
filter = talloc_asprintf_append_buffer ( filter , " (%s=%lu) " ,
2006-12-12 14:52:13 +00:00
( ids [ idx ] - > xid . type = = ID_TYPE_UID ) ? uidNumber : gidNumber ,
( unsigned long ) ids [ idx ] - > xid . id ) ;
CHECK_ALLOC_DONE ( filter ) ;
}
2007-09-14 17:42:10 +00:00
filter = talloc_asprintf_append_buffer ( filter , " )) " ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
DEBUG ( 10 , ( " Filter: [%s] \n " , filter ) ) ;
} else {
bidx = 0 ;
idx = 1 ;
}
2007-09-10 19:04:57 +00:00
rc = smbldap_search ( ctx - > smbldap_state , ctx - > suffix , LDAP_SCOPE_SUBTREE ,
2006-12-12 14:52:13 +00:00
filter , attr_list , 0 , & result ) ;
if ( rc ! = LDAP_SUCCESS ) {
DEBUG ( 3 , ( " Failure looking up ids (%s) \n " , ldap_err2string ( rc ) ) ) ;
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
2017-04-19 13:29:31 +02:00
count = ldap_count_entries ( smbldap_get_ldap ( ctx - > smbldap_state ) ,
result ) ;
2006-12-12 14:52:13 +00:00
if ( count = = 0 ) {
DEBUG ( 10 , ( " NO SIDs found \n " ) ) ;
}
for ( i = 0 ; i < count ; i + + ) {
char * sidstr = NULL ;
2009-11-20 15:03:59 +01:00
char * tmp = NULL ;
2006-12-12 14:52:13 +00:00
enum id_type type ;
struct id_map * map ;
uint32_t id ;
2018-12-14 21:09:51 +01:00
struct dom_sid_buf buf ;
2006-12-12 14:52:13 +00:00
if ( i = = 0 ) { /* first entry */
2017-04-19 13:29:31 +02:00
entry = ldap_first_entry (
smbldap_get_ldap ( ctx - > smbldap_state ) , result ) ;
2006-12-12 14:52:13 +00:00
} else { /* following ones */
2017-04-19 13:29:31 +02:00
entry = ldap_next_entry (
smbldap_get_ldap ( ctx - > smbldap_state ) , entry ) ;
2006-12-12 14:52:13 +00:00
}
if ( ! entry ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 2 , ( " ERROR: Unable to fetch ldap entries "
" from results \n " ) ) ;
2007-06-09 18:18:24 +00:00
break ;
2006-12-12 14:52:13 +00:00
}
/* first check if the SID is present */
sidstr = smbldap_talloc_single_attribute (
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2006-12-12 14:52:13 +00:00
entry , LDAP_ATTRIBUTE_SID , memctx ) ;
if ( ! sidstr ) { /* no sid, skip entry */
DEBUG ( 2 , ( " WARNING SID not found on entry \n " ) ) ;
continue ;
}
/* now try to see if it is a uid, if not try with a gid
* ( gid is more common , but in case both uidNumber and
2007-09-10 19:04:57 +00:00
* gidNumber are returned the SID is mapped to the uid
* not the gid ) */
2006-12-12 14:52:13 +00:00
type = ID_TYPE_UID ;
tmp = smbldap_talloc_single_attribute (
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2006-12-12 14:52:13 +00:00
entry , uidNumber , memctx ) ;
if ( ! tmp ) {
type = ID_TYPE_GID ;
tmp = smbldap_talloc_single_attribute (
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2006-12-12 14:52:13 +00:00
entry , gidNumber , memctx ) ;
}
if ( ! tmp ) { /* wow very strange entry, how did it match ? */
2007-09-10 19:04:57 +00:00
DEBUG ( 5 , ( " Unprobable match on (%s), no uidNumber, "
" nor gidNumber returned \n " , sidstr ) ) ;
2006-12-12 14:52:13 +00:00
TALLOC_FREE ( sidstr ) ;
continue ;
}
2019-06-04 09:04:15 +02:00
id = smb_strtoul ( tmp , NULL , 10 , & error , SMB_STR_STANDARD ) ;
2019-01-28 14:07:39 +01:00
TALLOC_FREE ( tmp ) ;
if ( error ! = 0 ) {
DEBUG ( 5 , ( " Requested id (%u) out of range (%u - %u). "
" Filtered! \n " , id ,
dom - > low_id , dom - > high_id ) ) ;
TALLOC_FREE ( sidstr ) ;
continue ;
}
2010-06-17 10:00:49 +02:00
if ( ! idmap_unix_id_is_in_range ( id , dom ) ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 5 , ( " Requested id (%u) out of range (%u - %u). "
" Filtered! \n " , id ,
2010-06-17 10:00:49 +02:00
dom - > low_id , dom - > high_id ) ) ;
2006-12-12 14:52:13 +00:00
TALLOC_FREE ( sidstr ) ;
continue ;
}
2013-02-21 12:30:48 -07:00
map = idmap_find_map_by_id ( & ids [ bidx ] , type , id ) ;
2006-12-12 14:52:13 +00:00
if ( ! map ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 2 , ( " WARNING: couldn't match sid (%s) "
" with requested ids \n " , sidstr ) ) ;
2006-12-12 14:52:13 +00:00
TALLOC_FREE ( sidstr ) ;
continue ;
}
if ( ! string_to_sid ( map - > sid , sidstr ) ) {
DEBUG ( 2 , ( " ERROR: Invalid SID on entry \n " ) ) ;
TALLOC_FREE ( sidstr ) ;
continue ;
}
2009-05-25 11:29:14 +02:00
if ( map - > status = = ID_MAPPED ) {
DEBUG ( 1 , ( " WARNING: duplicate %s mapping in LDAP. "
" overwriting mapping %u -> %s with %u -> %s \n " ,
( type = = ID_TYPE_UID ) ? " UID " : " GID " ,
2018-12-14 21:09:51 +01:00
id ,
dom_sid_str_buf ( map - > sid , & buf ) ,
id ,
sidstr ) ) ;
2009-05-25 11:29:14 +02:00
}
2006-12-12 14:52:13 +00:00
TALLOC_FREE ( sidstr ) ;
/* mapped */
2007-01-14 17:58:24 +00:00
map - > status = ID_MAPPED ;
2006-12-12 14:52:13 +00:00
2018-12-14 21:09:51 +01:00
DEBUG ( 10 , ( " Mapped %s -> %lu (%d) \n " ,
dom_sid_str_buf ( map - > sid , & buf ) ,
2007-09-10 19:04:57 +00:00
( unsigned long ) map - > xid . id , map - > xid . type ) ) ;
2006-12-12 14:52:13 +00:00
}
/* free the ldap results */
if ( result ) {
ldap_msgfree ( result ) ;
result = NULL ;
}
if ( multi & & ids [ idx ] ) { /* still some values to map */
goto again ;
}
ret = NT_STATUS_OK ;
2007-04-18 21:10:37 +00:00
/* mark all unknwon/expired ones as unmapped */
2007-01-14 17:58:24 +00:00
for ( i = 0 ; ids [ i ] ; i + + ) {
2007-04-18 21:10:37 +00:00
if ( ids [ i ] - > status ! = ID_MAPPED )
ids [ i ] - > status = ID_UNMAPPED ;
2007-01-14 17:58:24 +00:00
}
2006-12-12 14:52:13 +00:00
done :
talloc_free ( memctx ) ;
return ret ;
}
/**********************************
2007-09-10 19:04:57 +00:00
lookup a set of sids .
2006-12-12 14:52:13 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-09-10 19:04:57 +00:00
static NTSTATUS idmap_ldap_sids_to_unixids ( struct idmap_domain * dom ,
struct id_map * * ids )
2006-12-12 14:52:13 +00:00
{
2009-11-20 15:03:59 +01:00
LDAPMessage * entry = NULL ;
2006-12-12 14:52:13 +00:00
NTSTATUS ret ;
TALLOC_CTX * memctx ;
struct idmap_ldap_context * ctx ;
LDAPMessage * result = NULL ;
const char * uidNumber ;
const char * gidNumber ;
const char * * attr_list ;
char * filter = NULL ;
2007-10-18 17:40:25 -07:00
bool multi = False ;
2020-09-15 17:26:11 +02:00
size_t num_required = 0 ;
2006-12-12 14:52:13 +00:00
int idx = 0 ;
int bidx = 0 ;
int count ;
int rc ;
int i ;
2007-04-18 21:10:37 +00:00
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
2007-09-10 19:04:57 +00:00
ctx = talloc_get_type ( dom - > private_data , struct idmap_ldap_context ) ;
2006-12-12 14:52:13 +00:00
memctx = talloc_new ( ctx ) ;
if ( ! memctx ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
uidNumber = get_attr_key2string ( idpool_attr_list , LDAP_ATTR_UIDNUMBER ) ;
gidNumber = get_attr_key2string ( idpool_attr_list , LDAP_ATTR_GIDNUMBER ) ;
2007-08-24 11:25:38 +00:00
attr_list = get_attr_list ( memctx , sidmap_attr_list ) ;
2006-12-12 14:52:13 +00:00
if ( ! ids [ 1 ] ) {
2018-12-10 12:32:12 +01:00
struct dom_sid_buf buf ;
2006-12-12 14:52:13 +00:00
/* if we are requested just one mapping use the simple filter */
filter = talloc_asprintf ( memctx , " (&(objectClass=%s)(%s=%s)) " ,
LDAP_OBJ_IDMAP_ENTRY ,
LDAP_ATTRIBUTE_SID ,
2018-12-10 12:32:12 +01:00
dom_sid_str_buf ( ids [ 0 ] - > sid , & buf ) ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
DEBUG ( 10 , ( " Filter: [%s] \n " , filter ) ) ;
} else {
/* multiple mappings */
multi = True ;
}
2009-02-26 17:44:33 +08:00
for ( i = 0 ; ids [ i ] ; i + + ) {
ids [ i ] - > status = ID_UNKNOWN ;
}
2006-12-12 14:52:13 +00:00
again :
if ( multi ) {
TALLOC_FREE ( filter ) ;
2007-09-10 19:04:57 +00:00
filter = talloc_asprintf ( memctx ,
" (&(objectClass=%s)(| " ,
LDAP_OBJ_IDMAP_ENTRY ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
bidx = idx ;
for ( i = 0 ; ( i < IDMAP_LDAP_MAX_IDS ) & & ids [ idx ] ; i + + , idx + + ) {
2018-12-10 12:32:12 +01:00
struct dom_sid_buf buf ;
2007-09-14 17:42:10 +00:00
filter = talloc_asprintf_append_buffer ( filter , " (%s=%s) " ,
2006-12-12 14:52:13 +00:00
LDAP_ATTRIBUTE_SID ,
2018-12-10 12:32:12 +01:00
dom_sid_str_buf ( ids [ idx ] - > sid , & buf ) ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
}
2007-09-14 17:42:10 +00:00
filter = talloc_asprintf_append_buffer ( filter , " )) " ) ;
2006-12-12 14:52:13 +00:00
CHECK_ALLOC_DONE ( filter ) ;
DEBUG ( 10 , ( " Filter: [%s] " , filter ) ) ;
} else {
bidx = 0 ;
idx = 1 ;
}
2007-09-10 19:04:57 +00:00
rc = smbldap_search ( ctx - > smbldap_state , ctx - > suffix , LDAP_SCOPE_SUBTREE ,
2006-12-12 14:52:13 +00:00
filter , attr_list , 0 , & result ) ;
if ( rc ! = LDAP_SUCCESS ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 3 , ( " Failure looking up sids (%s) \n " ,
ldap_err2string ( rc ) ) ) ;
2006-12-12 14:52:13 +00:00
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
2017-04-19 13:29:31 +02:00
count = ldap_count_entries ( smbldap_get_ldap ( ctx - > smbldap_state ) ,
result ) ;
2006-12-12 14:52:13 +00:00
if ( count = = 0 ) {
DEBUG ( 10 , ( " NO SIDs found \n " ) ) ;
}
for ( i = 0 ; i < count ; i + + ) {
char * sidstr = NULL ;
char * tmp = NULL ;
enum id_type type ;
struct id_map * map ;
2010-05-21 11:25:01 +10:00
struct dom_sid sid ;
2018-12-14 21:09:51 +01:00
struct dom_sid_buf buf ;
2006-12-12 14:52:13 +00:00
uint32_t id ;
2019-01-28 14:07:39 +01:00
int error = 0 ;
2006-12-12 14:52:13 +00:00
if ( i = = 0 ) { /* first entry */
2017-04-19 13:29:31 +02:00
entry = ldap_first_entry (
smbldap_get_ldap ( ctx - > smbldap_state ) , result ) ;
2006-12-12 14:52:13 +00:00
} else { /* following ones */
2017-04-19 13:29:31 +02:00
entry = ldap_next_entry (
smbldap_get_ldap ( ctx - > smbldap_state ) , entry ) ;
2006-12-12 14:52:13 +00:00
}
2007-06-09 18:18:24 +00:00
if ( ! entry ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 2 , ( " ERROR: Unable to fetch ldap entries "
" from results \n " ) ) ;
2007-06-09 18:18:24 +00:00
break ;
}
2006-12-12 14:52:13 +00:00
/* first check if the SID is present */
sidstr = smbldap_talloc_single_attribute (
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2006-12-12 14:52:13 +00:00
entry , LDAP_ATTRIBUTE_SID , memctx ) ;
if ( ! sidstr ) { /* no sid ??, skip entry */
DEBUG ( 2 , ( " WARNING SID not found on entry \n " ) ) ;
continue ;
}
if ( ! string_to_sid ( & sid , sidstr ) ) {
DEBUG ( 2 , ( " ERROR: Invalid SID on entry \n " ) ) ;
TALLOC_FREE ( sidstr ) ;
continue ;
}
2013-02-21 12:30:48 -07:00
map = idmap_find_map_by_sid ( & ids [ bidx ] , & sid ) ;
2006-12-12 14:52:13 +00:00
if ( ! map ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 2 , ( " WARNING: couldn't find entry sid (%s) "
" in ids " , sidstr ) ) ;
2006-12-12 14:52:13 +00:00
TALLOC_FREE ( sidstr ) ;
continue ;
}
/* now try to see if it is a uid, if not try with a gid
* ( gid is more common , but in case both uidNumber and
2007-09-10 19:04:57 +00:00
* gidNumber are returned the SID is mapped to the uid
* not the gid ) */
2006-12-12 14:52:13 +00:00
type = ID_TYPE_UID ;
tmp = smbldap_talloc_single_attribute (
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2006-12-12 14:52:13 +00:00
entry , uidNumber , memctx ) ;
if ( ! tmp ) {
type = ID_TYPE_GID ;
tmp = smbldap_talloc_single_attribute (
2017-04-19 13:29:31 +02:00
smbldap_get_ldap ( ctx - > smbldap_state ) ,
2006-12-12 14:52:13 +00:00
entry , gidNumber , memctx ) ;
}
if ( ! tmp ) { /* no ids ?? */
2007-09-10 19:04:57 +00:00
DEBUG ( 5 , ( " no uidNumber, "
" nor gidNumber attributes found \n " ) ) ;
2009-05-25 11:54:43 +02:00
TALLOC_FREE ( sidstr ) ;
2006-12-12 14:52:13 +00:00
continue ;
}
2019-06-04 09:04:15 +02:00
id = smb_strtoul ( tmp , NULL , 10 , & error , SMB_STR_STANDARD ) ;
2019-01-28 14:07:39 +01:00
TALLOC_FREE ( tmp ) ;
if ( error ! = 0 ) {
DEBUG ( 5 , ( " Requested id (%u) out of range (%u - %u). "
" Filtered! \n " , id ,
dom - > low_id , dom - > high_id ) ) ;
TALLOC_FREE ( sidstr ) ;
continue ;
}
if ( error ! = 0 | | ! idmap_unix_id_is_in_range ( id , dom ) ) {
2007-09-10 19:04:57 +00:00
DEBUG ( 5 , ( " Requested id (%u) out of range (%u - %u). "
" Filtered! \n " , id ,
2010-06-17 10:00:49 +02:00
dom - > low_id , dom - > high_id ) ) ;
2009-05-25 11:54:43 +02:00
TALLOC_FREE ( sidstr ) ;
2006-12-12 14:52:13 +00:00
continue ;
}
2009-05-25 11:54:43 +02:00
if ( map - > status = = ID_MAPPED ) {
DEBUG ( 1 , ( " WARNING: duplicate %s mapping in LDAP. "
" overwriting mapping %s -> %u with %s -> %u \n " ,
( type = = ID_TYPE_UID ) ? " UID " : " GID " ,
sidstr , map - > xid . id , sidstr , id ) ) ;
}
TALLOC_FREE ( sidstr ) ;
2006-12-12 14:52:13 +00:00
/* mapped */
map - > xid . type = type ;
map - > xid . id = id ;
2007-01-14 17:58:24 +00:00
map - > status = ID_MAPPED ;
2007-09-10 19:04:57 +00:00
2018-12-14 21:09:51 +01:00
DEBUG ( 10 , ( " Mapped %s -> %lu (%d) \n " ,
dom_sid_str_buf ( map - > sid , & buf ) ,
( unsigned long ) map - > xid . id ,
map - > xid . type ) ) ;
2006-12-12 14:52:13 +00:00
}
/* free the ldap results */
if ( result ) {
ldap_msgfree ( result ) ;
result = NULL ;
}
if ( multi & & ids [ idx ] ) { /* still some values to map */
goto again ;
}
2010-06-17 21:55:02 +02:00
/*
* try to create new mappings for unmapped sids
*/
2007-01-14 17:58:24 +00:00
for ( i = 0 ; ids [ i ] ; i + + ) {
2010-06-17 21:55:02 +02:00
if ( ids [ i ] - > status ! = ID_MAPPED ) {
2007-04-18 21:10:37 +00:00
ids [ i ] - > status = ID_UNMAPPED ;
2010-06-17 21:55:02 +02:00
if ( ids [ i ] - > sid ! = NULL ) {
ret = idmap_ldap_new_mapping ( dom , ids [ i ] ) ;
2020-09-15 17:26:11 +02:00
DBG_DEBUG ( " idmap_ldap_new_mapping returned %s \n " ,
nt_errstr ( ret ) ) ;
if ( NT_STATUS_EQUAL ( ret , STATUS_SOME_UNMAPPED ) ) {
if ( ids [ i ] - > status = = ID_REQUIRE_TYPE ) {
num_required + = 1 ;
continue ;
}
}
2010-06-17 21:55:02 +02:00
if ( ! NT_STATUS_IS_OK ( ret ) ) {
2020-09-15 17:26:11 +02:00
/*
* If we can ' t create
* a new mapping it ' s unlikely
* that it will work for the
* next entry .
*/
2010-06-17 21:55:02 +02:00
goto done ;
}
}
}
2007-01-14 17:58:24 +00:00
}
2010-06-17 21:55:02 +02:00
ret = NT_STATUS_OK ;
2020-09-15 17:26:11 +02:00
if ( num_required > 0 ) {
ret = STATUS_SOME_UNMAPPED ;
}
2010-06-17 21:55:02 +02:00
2006-12-12 14:52:13 +00:00
done :
talloc_free ( memctx ) ;
return ret ;
}
/**********************************
2007-09-10 19:04:57 +00:00
Close the idmap ldap instance
2006-12-12 14:52:13 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2019-03-21 12:30:37 +01:00
static const struct idmap_methods idmap_ldap_methods = {
2006-12-12 14:52:13 +00:00
. init = idmap_ldap_db_init ,
. unixids_to_sids = idmap_ldap_unixids_to_sids ,
. sids_to_unixids = idmap_ldap_sids_to_unixids ,
2011-06-01 00:25:23 +02:00
. allocate_id = idmap_ldap_allocate_id ,
2006-12-12 14:52:13 +00:00
} ;
2017-04-20 12:24:43 -07:00
NTSTATUS idmap_ldap_init ( TALLOC_CTX * ) ;
NTSTATUS idmap_ldap_init ( TALLOC_CTX * ctx )
2006-12-12 14:52:13 +00:00
{
2007-09-10 19:04:57 +00:00
return smb_register_idmap ( SMB_IDMAP_INTERFACE_VERSION , " ldap " ,
& idmap_ldap_methods ) ;
2006-12-12 14:52:13 +00:00
}