
Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccount

attributes rather than calling getpwnam() on the user.

This should help fix some of metze's performance issues - particularly on
enumerations.

There is a consequential change to the operation of 'non unix accounts' in LDAP:
they are no longer restricted to being 'within' the NUA range, but will
always be added to that range.

Finally, there is the doco for this and the previous LDAP SSL changes.
(This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50)
Andrew Bartlett 2002-11-02 07:09:17 +00:00
parent 949133f5f2
commit b017064cec
3 changed files with 135 additions and 41 deletions


@ -663,6 +663,7 @@
<listitem><para><link linkend="LDAPUSERSUFFIX"><parameter>ldap user suffix</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPMACHINESUFFIX"><parameter>ldap machine suffix</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPPASSWDSYNC"><parameter>ldap passwd sync</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPTRUSTIDS"><parameter>ldap trust ids</parameter></link></para></listitem>
<listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem>
<listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem>
@ -3464,16 +3465,20 @@
The <parameter>ldap ssl</parameter> can be set to one of three values:
</para>
<itemizedlist>
<listitem><para><parameter>On</parameter> = Always use SSL when contacting the
<parameter>ldap server</parameter>.</para></listitem>
<listitem><para><parameter>Off</parameter> = Never use SSL when querying the directory.</para></listitem>
<listitem><para><parameter>Start_tls</parameter> = Use the LDAPv3 StartTLS extended operation
(RFC2830) for communicating with the directory server.</para></listitem>
<listitem><para><parameter>On</parameter> =
Use SSL on the ldaps port when contacting the
<parameter>ldap server</parameter>. Only
available when the backwards-compatiblity <command>
--with-ldapsam</command> option is specified
to configure. See <link linkend="PASSDBBACKEND"><paramater>passdb backend</parameter></link></para></listitem>
</itemizedlist>
<para>Default : <command>ldap ssl = on</command></para>
<para>Default : <command>ldap ssl = start_tls</command></para>
</listitem>
</varlistentry>
@ -3540,9 +3545,24 @@
</listitem>
</varlistentry>
<varlistentry>
<term><anchor id="LDAPTRUSTUIDS">ldap trust uids (G)</term>
<listitem><para>Normally, Samba validates each entry
in the LDAP server against getpwnam(). This allows
LDAP to be used for Samba with the unix system using
NIS (for example) and also ensures that Samba does not
present accounts that do not otherwise exist. </para>
<para>This option is used to disable this functionality, and
instead to rely on the presence of the appropriate
attributes in LDAP directly, which can result in a
significant performance boost in some situations.
Setting this option to yes effectivly assumes
that the local machine is running <command>nss_ldap</command> against the
same LDAP server.</para>
<para>Default: <command>ldap trust ids = No</command></para>
</listitem>
</varlistentry>
<varlistentry>
<term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term>
@ -5357,8 +5377,20 @@
<listitem><para><command>ldapsam_nua</command> - The LDAP based passdb
backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
<command>ldap://localhost</command>)</para>
<para>Note: In this module, any account
without a matching POSIX account is regarded
as 'non unix'.
<para>See also <link linkend="NONUNIXACCOUNTRANGE">
<parameter>non unix account range</parameter></link></para></listitem>
<parameter>non unix account
range</parameter></link></para>
<para>LDAP connections should be secured where
possible. This may be done using either
Start-TLS (see <link linkend="LDAPSSL">
<parameter>ldap ssl</parameter>) or by
specifying <paramater>ldaps://</paramater> in
the URL argument.
</para></listitem>
<listitem><para><command>nisplussam</command> - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </para></listitem>


@ -216,6 +216,7 @@ typedef struct
char *szLdapSuffix;
char *szLdapFilter;
char *szLdapAdminDn;
BOOL ldap_trust_ids;
char *szAclCompat;
int ldap_passwd_sync;
BOOL bMsAddPrinterWizard;
@ -1008,6 +1009,7 @@ static struct parm_struct parm_table[] = {
{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap passwd sync", P_ENUM, P_GLOBAL, &Globals.ldap_passwd_sync, NULL, enum_ldap_passwd_sync, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap trust ids", P_BOOL, P_GLOBAL, &Globals.ldap_trust_ids, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"Miscellaneous Options", P_SEP, P_SEPARATOR},
{"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@ -1602,6 +1604,7 @@ FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
FN_GLOBAL_BOOL(lp_ldap_trust_ids, &Globals.ldap_trust_ids)
FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
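Review bot: The option registered in parm_table as `"ldap trust ids"` does not match the manual page added in the same commit, whose varlistentry is `<anchor id="LDAPTRUSTUIDS">ldap trust uids (G)` while the parameter index links to `linkend="LDAPTRUSTIDS"`; the anchor id and term in the docs section should be `LDAPTRUSTIDS` / `ldap trust ids` so the link resolves and the documented name is the one loadparm accepts. The documented default of `No` presumably relies on Globals being zeroed before the table is applied; if init_globals assigns the other ldap_* fields explicitly, an `Globals.ldap_trust_ids = False;` line there would make the default visible, but that function is outside this hunk. A one-line comment next to the new BOOL in the struct, `/* trust posixAccount attributes in LDAP instead of getpwnam() */`, would also help readers of loadparm.c who never open pdb_ldap.c.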


@ -146,15 +146,17 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
}
static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
"logoffTime", "kickoffTime", "cn",
"pwdCanChange", "pwdMustChange",
"displayName", "homeDrive",
"smbHome", "scriptPath",
"profilePath", "description",
"userWorkstations", "rid",
"primaryGroupID", "lmPassword",
"ntPassword", "acctFlags",
"domain", NULL };
"logoffTime", "kickoffTime", "cn",
"pwdCanChange", "pwdMustChange",
"displayName", "homeDrive",
"smbHome", "scriptPath",
"profilePath", "description",
"userWorkstations", "rid",
"primaryGroupID", "lmPassword",
"ntPassword", "acctFlags",
"domain", "objectClass",
"uidNumber", "gidNumber",
"homeDirectory", NULL };
/*******************************************************************
open a connection to the ldap server.
@ -817,6 +819,60 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
/* New Interface is being implemented here */
/**********************************************************************
Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
*********************************************************************/
static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
SAM_ACCOUNT * sampass,
LDAPMessage * entry)
{
pstring homedir;
pstring temp;
uid_t uid;
gid_t gid;
char **ldap_values;
char **values;
if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
return False;
}
for (values=ldap_values;*values;values++) {
if (strcasecmp(*values, "posixAccount") == 0) {
break;
}
}
if (!*values) { /*end of array, no posixAccount */
DEBUG(10, ("user does not have posixAcccount attributes\n"));
ldap_value_free(ldap_values);
return False;
}
ldap_value_free(ldap_values);
if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
return False;
if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
return False;
uid = (uid_t)atol(temp);
if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
return False;
gid = (gid_t)atol(temp);
pdb_set_unix_homedir(sampass, homedir, PDB_SET);
pdb_set_uid(sampass, uid, PDB_SET);
pdb_set_gid(sampass, gid, PDB_SET);
DEBUG(10, ("user has posixAcccount attributes\n"));
return True;
}
/**********************************************************************
Initialize SAM_ACCOUNT from an LDAP query
(Based on init_sam_from_buffer in pdb_tdb.c)
@ -906,40 +962,43 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
}
if ((ldap_state->permit_non_unix_accounts)
&& (user_rid >= ldap_state->low_nua_rid)
&& (user_rid <= ldap_state->high_nua_rid)) {
if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state,sampass, entry))) {
} else {
/* These values MAY be in LDAP, but they can also be retrieved through
* sys_getpw*() which is how we're doing it
*/
pw = getpwnam_alloc(username);
if (pw == NULL) {
DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
return False;
}
uid = pw->pw_uid;
gid = pw->pw_gid;
pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
passwd_free(&pw);
pdb_set_uid(sampass, uid, PDB_SET);
pdb_set_gid(sampass, gid, PDB_SET);
if (group_rid == 0) {
GROUP_MAP map;
/* call the mapping code here */
if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
pdb_set_group_sid(sampass, &map.sid, PDB_SET);
}
else {
pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
if (! ldap_state->permit_non_unix_accounts) {
DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
return False;
}
} else {
uid = pw->pw_uid;
pdb_set_uid(sampass, uid, PDB_SET);
gid = pw->pw_gid;
pdb_set_gid(sampass, gid, PDB_SET);
pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
passwd_free(&pw);
}
}
if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
GROUP_MAP map;
gid = pdb_get_gid(sampass);
/* call the mapping code here */
if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
pdb_set_group_sid(sampass, &map.sid, PDB_SET);
}
else {
pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
}
}
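Review bot: In get_unix_attributes the `uidNumber` and `gidNumber` values are converted with `atol(temp)` and used unchecked, so an entry whose attribute is present but non-numeric (or negative, or out of uid_t range) is accepted with uid/gid 0 — and with `ldap trust ids = yes` that value is trusted instead of being cross-checked against getpwnam(), so a malformed or mis-typed directory entry becomes a root-equivalent SAM_ACCOUNT. The conversion should use strtoul with an end-pointer and errno check and fail the lookup on anything that is not a complete unsigned decimal, as sketched below (the same helper serves gidNumber; errno use assumes <errno.h> is already pulled in through includes.h, as the rest of pdb_ldap.c appears to expect). Separately, the empty `if (lp_ldap_trust_ids() && (get_unix_attributes(...))) { } else {` body in init_sam_from_ldap reads better inverted, `if (!lp_ldap_trust_ids() || !get_unix_attributes(ldap_state, sampass, entry)) {`, and the debug strings spell "posixAcccount" with three c's. init_sam_from_ldap continues outside the hunk in both directions.
```c
/* Parse an LDAP id attribute as an unsigned decimal number.
 * Rejects empty strings, signed values, trailing junk and
 * values that do not fit in an unsigned long. */
static BOOL parse_id_attribute(const char *text, unsigned long *out)
{
	char *end;

	if (*text == '\0' || *text == '-')
		return False;
	errno = 0;
	*out = strtoul(text, &end, 10);
	if (end == text || *end != '\0' || errno == ERANGE)
		return False;
	return True;
}

/* … unchanged: objectClass / posixAccount check and homeDirectory lookup … */

	if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp)
	    || !parse_id_attribute(temp, &id)) {
		DEBUG(1, ("get_unix_attributes: missing or invalid uidNumber\n"));
		return False;
	}
	uid = (uid_t)id;

	if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp)
	    || !parse_id_attribute(temp, &id)) {
		DEBUG(1, ("get_unix_attributes: missing or invalid gidNumber\n"));
		return False;
	}
	gid = (gid_t)id;

/* … unchanged: pdb_set_unix_homedir / pdb_set_uid / pdb_set_gid … */
```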