2003-11-07 17:39:47 +03:00
/*
2003-06-03 22:19:59 +04:00
Unix SMB / CIFS implementation .
idmap LDAP backend
2003-06-05 06:34:30 +04:00
Copyright ( C ) Tim Potter 2000
2003-08-01 19:30:44 +04:00
Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2003
2003-06-05 06:34:30 +04:00
Copyright ( C ) Simo Sorce 2003
Copyright ( C ) Gerald Carter 2003
2003-11-07 17:39:47 +03:00
2003-06-03 22:19:59 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
2003-11-07 17:39:47 +03:00
2003-06-03 22:19:59 +04:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2003-11-07 17:39:47 +03:00
2003-06-03 22:19:59 +04:00
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_IDMAP
# include <lber.h>
# include <ldap.h>
2003-06-05 06:34:30 +04:00
# include "smbldap.h"
2003-06-03 22:19:59 +04:00
struct ldap_idmap_state {
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
struct smbldap_state * smbldap_state ;
TALLOC_CTX * mem_ctx ;
2003-06-03 22:19:59 +04:00
} ;
static struct ldap_idmap_state ldap_state ;
2003-11-07 17:39:47 +03:00
/* number tries while allocating new id */
# define LDAP_MAX_ALLOC_ID 128
/***********************************************************************
This function cannot be called to modify a mapping , only set a new one
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-06-03 22:19:59 +04:00
2006-07-11 22:01:26 +04:00
static NTSTATUS ldap_set_mapping ( const DOM_SID * sid , unid_t id , enum idmap_type id_type )
2003-11-07 17:39:47 +03:00
{
pstring dn ;
pstring id_str ;
fstring type ;
LDAPMod * * mods = NULL ;
int rc = - 1 ;
int ldap_op ;
fstring sid_string ;
LDAPMessage * entry = NULL ;
sid_to_string ( sid_string , sid ) ;
ldap_op = LDAP_MOD_ADD ;
pstr_sprintf ( dn , " %s=%s,%s " , get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_SID ) ,
sid_string , lp_ldap_idmap_suffix ( ) ) ;
2006-07-11 22:01:26 +04:00
if ( id_type = = ID_USERID ) {
2003-11-07 17:39:47 +03:00
fstrcpy ( type , get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_UIDNUMBER ) ) ;
2006-07-11 22:01:26 +04:00
} else {
2003-11-07 17:39:47 +03:00
fstrcpy ( type , get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_GIDNUMBER ) ) ;
2006-07-11 22:01:26 +04:00
}
2003-11-07 17:39:47 +03:00
2006-07-11 22:01:26 +04:00
pstr_sprintf ( id_str , " %lu " , ( ( id_type = = ID_USERID ) ? ( unsigned long ) id . uid :
2005-06-09 02:10:34 +04:00
( unsigned long ) id . gid ) ) ;
2003-11-07 17:39:47 +03:00
smbldap_set_mod ( & mods , LDAP_MOD_ADD , " objectClass " , LDAP_OBJ_IDMAP_ENTRY ) ;
smbldap_make_mod ( ldap_state . smbldap_state - > ldap_struct ,
entry , & mods , type , id_str ) ;
smbldap_make_mod ( ldap_state . smbldap_state - > ldap_struct ,
entry , & mods ,
get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_SID ) ,
sid_string ) ;
/* There may well be nothing at all to do */
if ( mods ) {
smbldap_set_mod ( & mods , LDAP_MOD_ADD , " objectClass " , LDAP_OBJ_SID_ENTRY ) ;
rc = smbldap_add ( ldap_state . smbldap_state , dn , mods ) ;
ldap_mods_free ( mods , True ) ;
} else {
rc = LDAP_SUCCESS ;
}
if ( rc ! = LDAP_SUCCESS ) {
char * ld_error = NULL ;
ldap_get_option ( ldap_state . smbldap_state - > ldap_struct , LDAP_OPT_ERROR_STRING ,
& ld_error ) ;
DEBUG ( 0 , ( " ldap_set_mapping_internals: Failed to %s mapping from %s to %lu [%s] \n " ,
( ldap_op = = LDAP_MOD_ADD ) ? " add " : " replace " ,
sid_string , ( unsigned long ) ( ( id_type & ID_USERID ) ? id . uid : id . gid ) , type ) ) ;
DEBUG ( 0 , ( " ldap_set_mapping_internals: Error was: %s (%s) \n " ,
ld_error ? ld_error : " (NULL) " , ldap_err2string ( rc ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
DEBUG ( 10 , ( " ldap_set_mapping: Successfully created mapping from %s to %lu [%s] \n " ,
sid_string , ( ( id_type & ID_USERID ) ? ( unsigned long ) id . uid :
( unsigned long ) id . gid ) , type ) ) ;
return NT_STATUS_OK ;
}
2003-06-03 22:19:59 +04:00
2003-06-05 06:34:30 +04:00
/*****************************************************************************
Allocate a new uid or gid
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-06-03 22:19:59 +04:00
2006-07-11 22:01:26 +04:00
static NTSTATUS ldap_allocate_id ( unid_t * id , enum idmap_type id_type )
2003-06-03 22:19:59 +04:00
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
int rc = LDAP_SERVER_DOWN ;
int count = 0 ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
LDAPMessage * result = NULL ;
LDAPMessage * entry = NULL ;
2003-06-03 22:19:59 +04:00
pstring id_str , new_id_str ;
2003-06-06 17:48:39 +04:00
LDAPMod * * mods = NULL ;
2003-06-05 06:34:30 +04:00
const char * type ;
2003-11-14 06:28:03 +03:00
char * dn = NULL ;
2005-02-17 17:27:34 +03:00
const char * * attr_list ;
2003-06-05 06:34:30 +04:00
pstring filter ;
2003-06-06 17:48:39 +04:00
uid_t luid , huid ;
gid_t lgid , hgid ;
2003-06-05 06:34:30 +04:00
2006-07-11 22:01:26 +04:00
if ( id_type ! = ID_USERID & & id_type ! = ID_GROUPID ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2003-06-03 22:19:59 +04:00
2006-07-11 22:01:26 +04:00
type = ( id_type = = ID_USERID ) ?
2003-06-05 06:34:30 +04:00
get_attr_key2string ( idpool_attr_list , LDAP_ATTR_UIDNUMBER ) :
get_attr_key2string ( idpool_attr_list , LDAP_ATTR_GIDNUMBER ) ;
2003-07-23 16:33:59 +04:00
pstr_sprintf ( filter , " (objectClass=%s) " , LDAP_OBJ_IDPOOL ) ;
2003-06-05 06:34:30 +04:00
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list ( NULL , idpool_attr_list ) ;
2003-11-07 17:39:47 +03:00
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = smbldap_search ( ldap_state . smbldap_state , lp_ldap_idmap_suffix ( ) ,
2003-06-05 06:34:30 +04:00
LDAP_SCOPE_SUBTREE , filter ,
attr_list , 0 , & result ) ;
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( attr_list ) ;
2003-06-05 06:34:30 +04:00
2003-06-03 22:19:59 +04:00
if ( rc ! = LDAP_SUCCESS ) {
2003-06-05 06:34:30 +04:00
DEBUG ( 0 , ( " ldap_allocate_id: %s object not found \n " , LDAP_OBJ_IDPOOL ) ) ;
2003-06-03 22:19:59 +04:00
goto out ;
}
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
count = ldap_count_entries ( ldap_state . smbldap_state - > ldap_struct , result ) ;
2003-06-03 22:19:59 +04:00
if ( count ! = 1 ) {
2003-06-05 06:34:30 +04:00
DEBUG ( 0 , ( " ldap_allocate_id: single %s object not found \n " , LDAP_OBJ_IDPOOL ) ) ;
2003-06-03 22:19:59 +04:00
goto out ;
}
2003-09-11 03:49:23 +04:00
dn = smbldap_get_dn ( ldap_state . smbldap_state - > ldap_struct , result ) ;
if ( ! dn ) {
goto out ;
}
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
entry = ldap_first_entry ( ldap_state . smbldap_state - > ldap_struct , result ) ;
2003-06-03 22:19:59 +04:00
2004-03-11 19:32:19 +03:00
if ( ! smbldap_get_single_pstring ( ldap_state . smbldap_state - > ldap_struct , entry , type , id_str ) ) {
2003-06-03 22:19:59 +04:00
DEBUG ( 0 , ( " ldap_allocate_id: %s attribute not found \n " ,
type ) ) ;
goto out ;
}
2003-06-06 17:48:39 +04:00
/* this must succeed or else we wouldn't have initialized */
lp_idmap_uid ( & luid , & huid ) ;
lp_idmap_gid ( & lgid , & hgid ) ;
2003-06-05 06:34:30 +04:00
2003-06-06 17:48:39 +04:00
/* make sure we still have room to grow */
2006-07-11 22:01:26 +04:00
if ( id_type = = ID_USERID ) {
2003-06-03 22:19:59 +04:00
id - > uid = strtoul ( id_str , NULL , 10 ) ;
2003-06-06 17:48:39 +04:00
if ( id - > uid > huid ) {
2003-07-22 08:31:20 +04:00
DEBUG ( 0 , ( " ldap_allocate_id: Cannot allocate uid above %lu! \n " ,
( unsigned long ) huid ) ) ;
2003-06-06 17:48:39 +04:00
goto out ;
}
2006-07-11 22:01:26 +04:00
} else {
2003-06-03 22:19:59 +04:00
id - > gid = strtoul ( id_str , NULL , 10 ) ;
2003-06-06 17:48:39 +04:00
if ( id - > gid > hgid ) {
2003-07-22 08:31:20 +04:00
DEBUG ( 0 , ( " ldap_allocate_id: Cannot allocate gid above %lu! \n " ,
( unsigned long ) hgid ) ) ;
2003-06-06 17:48:39 +04:00
goto out ;
}
}
2003-06-05 06:34:30 +04:00
2003-07-23 16:33:59 +04:00
pstr_sprintf ( new_id_str , " %lu " ,
2006-07-11 22:01:26 +04:00
( ( id_type = = ID_USERID ) ? ( unsigned long ) id - > uid :
2003-07-22 08:31:20 +04:00
( unsigned long ) id - > gid ) + 1 ) ;
2003-06-06 17:48:39 +04:00
2003-06-21 04:45:03 +04:00
smbldap_set_mod ( & mods , LDAP_MOD_DELETE , type , id_str ) ;
smbldap_set_mod ( & mods , LDAP_MOD_ADD , type , new_id_str ) ;
2003-11-14 06:28:03 +03:00
if ( mods = = NULL ) {
DEBUG ( 0 , ( " ldap_allocate_id: smbldap_set_mod() failed. \n " ) ) ;
goto out ;
}
2003-09-11 03:49:23 +04:00
rc = smbldap_modify ( ldap_state . smbldap_state , dn , mods ) ;
2003-06-05 06:34:30 +04:00
2003-06-06 17:48:39 +04:00
ldap_mods_free ( mods , True ) ;
2003-06-05 06:34:30 +04:00
if ( rc ! = LDAP_SUCCESS ) {
2004-11-15 16:18:12 +03:00
DEBUG ( 1 , ( " ldap_allocate_id: Failed to allocate new %s. ldap_modify() failed. \n " ,
2003-06-05 06:34:30 +04:00
type ) ) ;
goto out ;
}
ret = NT_STATUS_OK ;
2003-06-03 22:19:59 +04:00
out :
2003-11-14 06:28:03 +03:00
SAFE_FREE ( dn ) ;
if ( result ! = NULL )
ldap_msgfree ( result ) ;
2003-06-03 22:19:59 +04:00
return ret ;
}
2003-06-05 06:34:30 +04:00
/*****************************************************************************
get a sid from an id
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-07-11 22:01:26 +04:00
static NTSTATUS ldap_get_sid_from_id ( DOM_SID * sid , unid_t id , enum idmap_type id_type , int flags )
2003-06-03 22:19:59 +04:00
{
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
LDAPMessage * result = NULL ;
LDAPMessage * entry = NULL ;
2003-06-03 22:19:59 +04:00
pstring sid_str ;
pstring filter ;
2003-06-06 17:48:39 +04:00
pstring suffix ;
2003-06-05 06:34:30 +04:00
const char * type ;
2003-06-03 22:19:59 +04:00
int rc ;
int count ;
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
2005-02-17 17:27:34 +03:00
const char * * attr_list ;
2003-06-05 06:34:30 +04:00
2006-07-11 22:01:26 +04:00
if ( id_type = = ID_USERID )
2003-06-06 17:48:39 +04:00
type = get_attr_key2string ( idpool_attr_list , LDAP_ATTR_UIDNUMBER ) ;
2003-11-07 17:39:47 +03:00
else
2003-06-06 17:48:39 +04:00
type = get_attr_key2string ( idpool_attr_list , LDAP_ATTR_GIDNUMBER ) ;
2003-11-07 17:39:47 +03:00
pstrcpy ( suffix , lp_ldap_idmap_suffix ( ) ) ;
2005-06-09 02:10:34 +04:00
pstr_sprintf ( filter , " (&(objectClass=%s)(%s=%lu)) " ,
2003-11-07 17:39:47 +03:00
LDAP_OBJ_IDMAP_ENTRY , type ,
2005-06-09 02:10:34 +04:00
( ( id_type & ID_USERID ) ? ( unsigned long ) id . uid : ( unsigned long ) id . gid ) ) ;
2003-11-07 17:39:47 +03:00
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list ( NULL , sidmap_attr_list ) ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = smbldap_search ( ldap_state . smbldap_state , suffix , LDAP_SCOPE_SUBTREE ,
2003-11-07 17:39:47 +03:00
filter , attr_list , 0 , & result ) ;
2003-08-13 04:08:28 +04:00
if ( rc ! = LDAP_SUCCESS ) {
DEBUG ( 3 , ( " ldap_get_isd_from_id: Failure looking up entry (%s) \n " ,
ldap_err2string ( rc ) ) ) ;
2003-06-05 06:34:30 +04:00
goto out ;
2003-08-13 04:08:28 +04:00
}
2003-06-05 06:34:30 +04:00
2003-11-07 17:39:47 +03:00
count = ldap_count_entries ( ldap_state . smbldap_state - > ldap_struct , result ) ;
2003-08-13 04:08:28 +04:00
2003-11-07 17:39:47 +03:00
if ( count ! = 1 ) {
DEBUG ( 0 , ( " ldap_get_sid_from_id: mapping not found for %s: %lu \n " ,
type , ( ( id_type & ID_USERID ) ? ( unsigned long ) id . uid :
( unsigned long ) id . gid ) ) ) ;
goto out ;
2003-06-03 22:19:59 +04:00
}
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
entry = ldap_first_entry ( ldap_state . smbldap_state - > ldap_struct , result ) ;
2003-06-03 22:19:59 +04:00
2004-03-11 19:32:19 +03:00
if ( ! smbldap_get_single_pstring ( ldap_state . smbldap_state - > ldap_struct , entry , LDAP_ATTRIBUTE_SID , sid_str ) )
2003-06-03 22:19:59 +04:00
goto out ;
2003-11-07 17:39:47 +03:00
if ( ! string_to_sid ( sid , sid_str ) )
2003-06-03 22:19:59 +04:00
goto out ;
ret = NT_STATUS_OK ;
out :
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( attr_list ) ;
2003-06-05 06:34:30 +04:00
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if ( result )
ldap_msgfree ( result ) ;
2003-06-03 22:19:59 +04:00
return ret ;
}
2003-06-05 06:34:30 +04:00
/***********************************************************************
2006-07-11 22:01:26 +04:00
Get an id from a sid - urg . This is assuming the * output * parameter id_type
has been initialized with the correct needed type - ID_USERID or ID_GROUPID .
This * sucks * and is bad design and needs fixing . JRA .
2003-06-05 06:34:30 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-07-11 22:01:26 +04:00
static NTSTATUS ldap_get_id_from_sid ( unid_t * id , enum idmap_type * id_type , const DOM_SID * sid , int flags )
2003-06-03 22:19:59 +04:00
{
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
LDAPMessage * result = NULL ;
LDAPMessage * entry = NULL ;
2003-06-03 22:19:59 +04:00
pstring sid_str ;
pstring filter ;
pstring id_str ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
const char * suffix ;
2003-06-05 06:34:30 +04:00
const char * type ;
2003-06-03 22:19:59 +04:00
int rc ;
int count ;
2005-02-17 17:27:34 +03:00
const char * * attr_list ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
char * dn = NULL ;
2003-06-03 22:19:59 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
2003-06-05 06:34:30 +04:00
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
sid_to_string ( sid_str , sid ) ;
2003-08-13 04:08:28 +04:00
DEBUG ( 8 , ( " ldap_get_id_from_sid: %s (%s) \n " , sid_str ,
( * id_type & ID_GROUPID ? " group " : " user " ) ) ) ;
2003-11-07 17:39:47 +03:00
suffix = lp_ldap_idmap_suffix ( ) ;
pstr_sprintf ( filter , " (&(objectClass=%s)(%s=%s)) " ,
LDAP_OBJ_IDMAP_ENTRY , LDAP_ATTRIBUTE_SID , sid_str ) ;
2006-07-11 22:01:26 +04:00
if ( * id_type = = ID_GROUPID )
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
type = get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_GIDNUMBER ) ;
2003-11-07 17:39:47 +03:00
else
2003-08-13 04:08:28 +04:00
type = get_attr_key2string ( sidmap_attr_list , LDAP_ATTR_UIDNUMBER ) ;
/* do the search and check for errors */
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list ( NULL , sidmap_attr_list ) ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = smbldap_search ( ldap_state . smbldap_state , suffix , LDAP_SCOPE_SUBTREE ,
2003-11-07 17:39:47 +03:00
filter , attr_list , 0 , & result ) ;
if ( rc ! = LDAP_SUCCESS ) {
DEBUG ( 3 , ( " ldap_get_id_from_sid: Failure looking up idmap entry (%s) \n " ,
2003-08-13 04:08:28 +04:00
ldap_err2string ( rc ) ) ) ;
2003-06-03 22:19:59 +04:00
goto out ;
2003-08-13 04:08:28 +04:00
}
2003-11-07 17:39:47 +03:00
/* check for the number of entries returned */
2003-06-05 06:34:30 +04:00
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
count = ldap_count_entries ( ldap_state . smbldap_state - > ldap_struct , result ) ;
2003-11-07 17:39:47 +03:00
2003-08-13 04:08:28 +04:00
if ( count > 1 ) {
2003-11-07 17:39:47 +03:00
DEBUG ( 0 , ( " ldap_get_id_from_sid: (2nd) search %s returned [%d] entries! \n " ,
2003-08-13 04:08:28 +04:00
filter , count ) ) ;
goto out ;
}
2003-11-07 17:39:47 +03:00
/* try to allocate a new id if we still haven't found one */
2003-08-13 04:08:28 +04:00
2003-11-07 17:39:47 +03:00
if ( ! count ) {
int i ;
2003-06-06 17:48:39 +04:00
2006-07-11 22:01:26 +04:00
if ( flags & IDMAP_FLAG_QUERY_ONLY ) {
2003-11-07 17:39:47 +03:00
DEBUG ( 5 , ( " ldap_get_id_from_sid: No matching entry found and QUERY_ONLY flag set \n " ) ) ;
2003-06-05 06:34:30 +04:00
goto out ;
2003-08-13 04:08:28 +04:00
}
2003-11-07 17:39:47 +03:00
DEBUG ( 8 , ( " ldap_get_id_from_sid: Allocating new id \n " ) ) ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
2003-11-07 17:39:47 +03:00
for ( i = 0 ; i < LDAP_MAX_ALLOC_ID ; i + + ) {
ret = ldap_allocate_id ( id , * id_type ) ;
if ( NT_STATUS_IS_OK ( ret ) )
break ;
}
2003-06-05 06:34:30 +04:00
2003-11-07 17:39:47 +03:00
if ( ! NT_STATUS_IS_OK ( ret ) ) {
DEBUG ( 0 , ( " ldap_allocate_id: cannot acquire id lock! \n " ) ) ;
goto out ;
}
2003-08-13 04:08:28 +04:00
2003-11-07 17:39:47 +03:00
DEBUG ( 10 , ( " ldap_get_id_from_sid: Allocated new %cid [%ul] \n " ,
( * id_type & ID_GROUPID ? ' g ' : ' u ' ) , ( uint32 ) id - > uid ) ) ;
2003-08-13 04:08:28 +04:00
2003-11-07 17:39:47 +03:00
ret = ldap_set_mapping ( sid , * id , * id_type ) ;
2003-08-13 04:08:28 +04:00
2003-11-07 17:39:47 +03:00
/* all done */
2003-08-13 04:08:28 +04:00
2003-11-07 17:39:47 +03:00
goto out ;
2003-06-03 22:19:59 +04:00
}
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
2003-08-13 04:08:28 +04:00
DEBUG ( 10 , ( " ldap_get_id_from_sid: success \n " ) ) ;
entry = ldap_first_entry ( ldap_state . smbldap_state - > ldap_struct , result ) ;
2003-09-11 03:49:23 +04:00
dn = smbldap_get_dn ( ldap_state . smbldap_state - > ldap_struct , result ) ;
if ( ! dn )
goto out ;
2003-08-13 04:08:28 +04:00
DEBUG ( 10 , ( " Found mapping entry at dn=%s, looking for %s \n " , dn , type ) ) ;
2004-03-11 19:32:19 +03:00
if ( smbldap_get_single_pstring ( ldap_state . smbldap_state - > ldap_struct , entry , type , id_str ) ) {
2006-07-11 22:01:26 +04:00
if ( ( * id_type = = ID_USERID ) )
2003-08-13 04:08:28 +04:00
id - > uid = strtoul ( id_str , NULL , 10 ) ;
else
id - > gid = strtoul ( id_str , NULL , 10 ) ;
ret = NT_STATUS_OK ;
goto out ;
}
2003-06-03 22:19:59 +04:00
out :
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( attr_list ) ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
if ( result )
ldap_msgfree ( result ) ;
2003-09-11 03:49:23 +04:00
SAFE_FREE ( dn ) ;
2003-06-05 06:34:30 +04:00
2003-06-03 22:19:59 +04:00
return ret ;
}
2003-08-13 04:08:28 +04:00
/**********************************************************************
Verify the sambaUnixIdPool entry in the directiry .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS verify_idpool ( void )
2003-06-03 22:19:59 +04:00
{
2003-06-06 17:48:39 +04:00
fstring filter ;
int rc ;
2005-02-17 17:27:34 +03:00
const char * * attr_list ;
2003-06-06 17:48:39 +04:00
LDAPMessage * result = NULL ;
LDAPMod * * mods = NULL ;
int count ;
2003-07-23 16:33:59 +04:00
fstr_sprintf ( filter , " (objectclass=%s) " , LDAP_OBJ_IDPOOL ) ;
2003-06-06 17:48:39 +04:00
2006-02-04 01:19:41 +03:00
attr_list = get_attr_list ( NULL , idpool_attr_list ) ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
rc = smbldap_search ( ldap_state . smbldap_state , lp_ldap_idmap_suffix ( ) ,
2003-06-06 17:48:39 +04:00
LDAP_SCOPE_SUBTREE , filter , attr_list , 0 , & result ) ;
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( attr_list ) ;
2003-06-06 17:48:39 +04:00
if ( rc ! = LDAP_SUCCESS )
return NT_STATUS_UNSUCCESSFUL ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
count = ldap_count_entries ( ldap_state . smbldap_state - > ldap_struct , result ) ;
2003-06-06 17:48:39 +04:00
2003-11-14 06:28:03 +03:00
ldap_msgfree ( result ) ;
2003-06-06 17:48:39 +04:00
if ( count > 1 ) {
DEBUG ( 0 , ( " ldap_idmap_init: multiple entries returned from %s (base == %s) \n " ,
filter , lp_ldap_idmap_suffix ( ) ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
else if ( count = = 0 ) {
uid_t luid , huid ;
gid_t lgid , hgid ;
fstring uid_str , gid_str ;
if ( ! lp_idmap_uid ( & luid , & huid ) | | ! lp_idmap_gid ( & lgid , & hgid ) ) {
DEBUG ( 0 , ( " ldap_idmap_init: idmap uid/gid parameters not specified \n " ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2005-06-09 02:10:34 +04:00
fstr_sprintf ( uid_str , " %lu " , ( unsigned long ) luid ) ;
fstr_sprintf ( gid_str , " %lu " , ( unsigned long ) lgid ) ;
2003-06-06 17:48:39 +04:00
2003-06-21 04:45:03 +04:00
smbldap_set_mod ( & mods , LDAP_MOD_ADD , " objectClass " , LDAP_OBJ_IDPOOL ) ;
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
2003-06-06 17:48:39 +04:00
get_attr_key2string ( idpool_attr_list , LDAP_ATTR_UIDNUMBER ) , uid_str ) ;
2003-06-21 04:45:03 +04:00
smbldap_set_mod ( & mods , LDAP_MOD_ADD ,
2003-06-06 17:48:39 +04:00
get_attr_key2string ( idpool_attr_list , LDAP_ATTR_GIDNUMBER ) , gid_str ) ;
2004-05-27 04:04:43 +04:00
if ( mods ) {
rc = smbldap_modify ( ldap_state . smbldap_state , lp_ldap_idmap_suffix ( ) , mods ) ;
ldap_mods_free ( mods , True ) ;
} else {
return NT_STATUS_UNSUCCESSFUL ;
}
2003-06-06 17:48:39 +04:00
}
2003-08-13 04:08:28 +04:00
return ( rc = = LDAP_SUCCESS ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL ) ;
}
/*****************************************************************************
Initialise idmap database .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-09-11 03:49:23 +04:00
2006-07-11 22:01:26 +04:00
static NTSTATUS ldap_idmap_init ( const char * params )
2003-08-13 04:08:28 +04:00
{
NTSTATUS nt_status ;
ldap_state . mem_ctx = talloc_init ( " idmap_ldap " ) ;
if ( ! ldap_state . mem_ctx ) {
return NT_STATUS_NO_MEMORY ;
}
/* assume location is the only parameter */
if ( ! NT_STATUS_IS_OK ( nt_status =
smbldap_init ( ldap_state . mem_ctx , params ,
& ldap_state . smbldap_state ) ) ) {
talloc_destroy ( ldap_state . mem_ctx ) ;
return nt_status ;
}
/* see if the idmap suffix and sub entries exists */
2003-06-06 17:48:39 +04:00
2003-08-13 04:08:28 +04:00
nt_status = verify_idpool ( ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) )
return nt_status ;
2003-06-03 22:19:59 +04:00
return NT_STATUS_OK ;
}
2003-06-05 06:34:30 +04:00
/*****************************************************************************
End the LDAP session
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-06-03 22:19:59 +04:00
static NTSTATUS ldap_idmap_close ( void )
{
2003-06-06 17:48:39 +04:00
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
smbldap_free_struct ( & ( ldap_state ) . smbldap_state ) ;
talloc_destroy ( ldap_state . mem_ctx ) ;
2003-06-03 22:19:59 +04:00
DEBUG ( 5 , ( " The connection to the LDAP server was closed \n " ) ) ;
/* maybe free the results here --metze */
return NT_STATUS_OK ;
}
/* This function doesn't make as much sense in an LDAP world since the calling
node doesn ' t really control the ID ranges */
static void ldap_idmap_status ( void )
{
DEBUG ( 0 , ( " LDAP IDMAP Status not available \n " ) ) ;
}
static struct idmap_methods ldap_methods = {
ldap_idmap_init ,
2003-07-09 20:44:47 +04:00
ldap_allocate_id ,
2003-06-03 22:19:59 +04:00
ldap_get_sid_from_id ,
ldap_get_id_from_sid ,
ldap_set_mapping ,
ldap_idmap_close ,
ldap_idmap_status
} ;
NTSTATUS idmap_ldap_init ( void )
{
return smb_register_idmap ( SMB_IDMAP_INTERFACE_VERSION , " ldap " , & ldap_methods ) ;
}
