mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
r21182: * Refactor the code to obtain the LDAP connection credentials
from both idmap_ldap_{alloc,db}_init()
* Fix the backwards compat support in idmap_ldap.c
* Fix a spelling error in the idmap_fetch_secret() function name
(This used to be commit 615a104356
)
This commit is contained in:
parent
6ab97dc69d
commit
e7d2f46229
@ -1283,8 +1283,8 @@ void idmap_dump_maps(char *logfile)
|
||||
fclose(dump);
|
||||
}
|
||||
|
||||
const char *idmap_fecth_secret(const char *backend, bool alloc,
|
||||
const char *domain, const char *identity)
|
||||
char *idmap_fetch_secret(const char *backend, bool alloc,
|
||||
const char *domain, const char *identity)
|
||||
{
|
||||
char *tmp, *ret;
|
||||
int r;
|
||||
@ -1295,11 +1295,13 @@ const char *idmap_fecth_secret(const char *backend, bool alloc,
|
||||
r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
|
||||
}
|
||||
|
||||
if (r < 0) return NULL;
|
||||
if (r < 0)
|
||||
return NULL;
|
||||
|
||||
strupper_m(tmp); /* make sure the key is case insensitive */
|
||||
ret = secrets_fetch_generic(tmp, identity);
|
||||
|
||||
free(tmp);
|
||||
SAFE_FREE( tmp );
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@ -33,6 +33,15 @@
|
||||
|
||||
#include "smbldap.h"
|
||||
|
||||
struct idmap_ldap_context {
|
||||
struct smbldap_state *smbldap_state;
|
||||
char *url;
|
||||
char *suffix;
|
||||
char *user_dn;
|
||||
uint32_t filter_low_id, filter_high_id; /* Filter range */
|
||||
BOOL anon;
|
||||
};
|
||||
|
||||
struct idmap_ldap_alloc_context {
|
||||
struct smbldap_state *smbldap_state;
|
||||
char *url;
|
||||
@ -51,6 +60,57 @@ struct idmap_ldap_alloc_context {
|
||||
|
||||
static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
|
||||
|
||||
/*********************************************************************
|
||||
********************************************************************/
|
||||
|
||||
static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
|
||||
struct smbldap_state *ldap_state,
|
||||
const char *config_option,
|
||||
struct idmap_domain *dom,
|
||||
char **dn )
|
||||
{
|
||||
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
|
||||
char *user_dn = NULL;
|
||||
char *secret = NULL;
|
||||
const char *tmp = NULL;
|
||||
|
||||
/* assume anonymous if we don't have a specified user */
|
||||
|
||||
tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
|
||||
|
||||
if ( tmp ) {
|
||||
secret = idmap_fetch_secret("ldap", false, dom->name, tmp);
|
||||
if (!secret) {
|
||||
DEBUG(0, ("get_credentials: Unable to fetch "
|
||||
"auth credentials for %s in %s\n",
|
||||
tmp, dom->name));
|
||||
ret = NT_STATUS_ACCESS_DENIED;
|
||||
goto done;
|
||||
}
|
||||
*dn = talloc_strdup(mem_ctx, tmp);
|
||||
CHECK_ALLOC_DONE(*dn);
|
||||
} else {
|
||||
if ( !fetch_ldap_pw( &user_dn, &secret ) ) {
|
||||
DEBUG(2, ("get_credentials: Failed to lookup ldap "
|
||||
"bind creds. Using anonymous connection.\n"));
|
||||
*dn = talloc_strdup( mem_ctx, "" );
|
||||
} else {
|
||||
*dn = talloc_strdup(mem_ctx, user_dn);
|
||||
SAFE_FREE( user_dn );
|
||||
CHECK_ALLOC_DONE(*dn);
|
||||
}
|
||||
}
|
||||
|
||||
smbldap_set_creds(ldap_state, false, *dn, secret);
|
||||
ret = NT_STATUS_OK;
|
||||
|
||||
done:
|
||||
SAFE_FREE( secret );
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
/**********************************************************************
|
||||
Verify the sambaUnixIdPool entry in the directory.
|
||||
**********************************************************************/
|
||||
@ -141,8 +201,7 @@ done:
|
||||
|
||||
static NTSTATUS idmap_ldap_alloc_init(const char *params)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
const char *secret;
|
||||
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
|
||||
const char *range;
|
||||
const char *tmp;
|
||||
uid_t low_uid = 0;
|
||||
@ -151,12 +210,10 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
|
||||
gid_t high_gid = 0;
|
||||
|
||||
idmap_alloc_ldap = talloc_zero(NULL, struct idmap_ldap_alloc_context);
|
||||
if (!idmap_alloc_ldap) {
|
||||
DEBUG(0, ("Out of memory!\n"));
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
CHECK_ALLOC_DONE( idmap_alloc_ldap );
|
||||
|
||||
/* load ranges */
|
||||
|
||||
idmap_alloc_ldap->low_uid = 0;
|
||||
idmap_alloc_ldap->high_uid = 0;
|
||||
idmap_alloc_ldap->low_gid = 0;
|
||||
@ -191,15 +248,15 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
|
||||
if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
|
||||
DEBUG(1, ("idmap uid range missing or invalid\n"));
|
||||
DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
ret = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
|
||||
DEBUG(1, ("idmap gid range missing or invalid\n"));
|
||||
DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
ret = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (params && *params) {
|
||||
@ -210,17 +267,13 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
|
||||
|
||||
if ( ! tmp) {
|
||||
DEBUG(1, ("ERROR: missing idmap ldap url\n"));
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
ret = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
|
||||
idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
|
||||
}
|
||||
if ( ! idmap_alloc_ldap->url) {
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
DEBUG(0, ("Out of memory!\n"));
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
|
||||
|
||||
tmp = lp_ldap_idmap_suffix();
|
||||
if ( ! tmp || ! *tmp) {
|
||||
@ -232,64 +285,43 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
|
||||
DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
|
||||
DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
|
||||
}
|
||||
if ( ! tmp) {
|
||||
DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
|
||||
ret = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
if ( ! tmp) {
|
||||
DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
|
||||
if ( ! idmap_alloc_ldap->suffix) {
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
DEBUG(0, ("Out of memory!\n"));
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
|
||||
|
||||
tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_user_dn", NULL);
|
||||
|
||||
if ( ! tmp) {
|
||||
tmp = lp_ldap_admin_dn();
|
||||
}
|
||||
if (! tmp || ! *tmp) {
|
||||
DEBUG(1, ("ERROR: missing idmap ldap user dn\n"));
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
idmap_alloc_ldap->user_dn = talloc_strdup(idmap_alloc_ldap, tmp);
|
||||
if ( ! idmap_alloc_ldap->user_dn) {
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
DEBUG(0, ("Out of memory!\n"));
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status =
|
||||
smbldap_init(idmap_alloc_ldap, idmap_alloc_ldap->url,
|
||||
&idmap_alloc_ldap->smbldap_state))) {
|
||||
ret = smbldap_init(idmap_alloc_ldap, idmap_alloc_ldap->url,
|
||||
&idmap_alloc_ldap->smbldap_state);
|
||||
if (!NT_STATUS_IS_OK(ret)) {
|
||||
DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
|
||||
idmap_alloc_ldap->url));
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return nt_status;
|
||||
idmap_alloc_ldap->url));
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* fetch credentials from secrets.tdb */
|
||||
secret = idmap_fecth_secret("ldap", true, NULL, idmap_alloc_ldap->user_dn);
|
||||
if (!secret) {
|
||||
DEBUG(1, ("ERROR: unable to fetch auth credentials\n"));
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
ret = get_credentials( idmap_alloc_ldap,
|
||||
idmap_alloc_ldap->smbldap_state,
|
||||
"idmap alloc config", NULL,
|
||||
&idmap_alloc_ldap->user_dn );
|
||||
if ( !NT_STATUS_IS_OK(ret) ) {
|
||||
DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
|
||||
"credentials (%s)\n", nt_errstr(ret)));
|
||||
goto done;
|
||||
}
|
||||
/* now set credentials */
|
||||
smbldap_set_creds(idmap_alloc_ldap->smbldap_state, false, idmap_alloc_ldap->user_dn, secret);
|
||||
|
||||
/* see if the idmap suffix and sub entries exists */
|
||||
nt_status = verify_idpool();
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(idmap_alloc_ldap);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
return NT_STATUS_OK;
|
||||
ret = verify_idpool();
|
||||
|
||||
done:
|
||||
if ( !NT_STATUS_IS_OK( ret ) )
|
||||
TALLOC_FREE( idmap_alloc_ldap );
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/********************************
|
||||
@ -655,15 +687,6 @@ static NTSTATUS idmap_ldap_alloc_close(void)
|
||||
IDMAP MAPPING LDAP BACKEND
|
||||
**********************************************************************/
|
||||
|
||||
struct idmap_ldap_context {
|
||||
struct smbldap_state *smbldap_state;
|
||||
char *url;
|
||||
char *suffix;
|
||||
char *user_dn;
|
||||
uint32_t filter_low_id, filter_high_id; /* Filter range */
|
||||
BOOL anon;
|
||||
};
|
||||
|
||||
static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
|
||||
{
|
||||
smbldap_free_struct(&ctx->smbldap_state);
|
||||
@ -680,11 +703,10 @@ static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
|
||||
static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom, const char *params)
|
||||
{
|
||||
NTSTATUS ret;
|
||||
struct idmap_ldap_context *ctx;
|
||||
char *config_option;
|
||||
const char *secret;
|
||||
const char *range;
|
||||
const char *tmp;
|
||||
struct idmap_ldap_context *ctx = NULL;
|
||||
char *config_option = NULL;
|
||||
const char *range = NULL;
|
||||
const char *tmp = NULL;
|
||||
|
||||
ctx = talloc_zero(dom, struct idmap_ldap_context);
|
||||
if ( ! ctx) {
|
||||
@ -735,54 +757,32 @@ static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom, const char *params)
|
||||
if (tmp) {
|
||||
DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
|
||||
DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
|
||||
} else {
|
||||
DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
|
||||
ret = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
if ( ! tmp) {
|
||||
DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
|
||||
ret = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
ctx->suffix = talloc_strdup(ctx, tmp);
|
||||
CHECK_ALLOC_DONE(ctx->suffix);
|
||||
|
||||
ctx->anon = lp_parm_bool(-1, config_option, "ldap_anon", False);
|
||||
|
||||
ret = smbldap_init(ctx, ctx->url, &ctx->smbldap_state);
|
||||
if (!NT_STATUS_IS_OK(ret)) {
|
||||
DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( ! ctx->anon) {
|
||||
tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
|
||||
|
||||
if ( ! tmp) {
|
||||
tmp = lp_ldap_admin_dn();
|
||||
}
|
||||
if (! tmp || ! *tmp) {
|
||||
DEBUG(1, ("ERROR: missing idmap ldap user dn\n"));
|
||||
ret = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
|
||||
ctx->user_dn = talloc_strdup(ctx, tmp);
|
||||
CHECK_ALLOC_DONE(ctx->user_dn);
|
||||
|
||||
/* fetch credentials */
|
||||
secret = idmap_fecth_secret("ldap", false, dom->name, ctx->user_dn);
|
||||
if (!secret) {
|
||||
DEBUG(1, ("ERROR: unable to fetch auth credentials\n"));
|
||||
ret = NT_STATUS_ACCESS_DENIED;
|
||||
goto done;
|
||||
}
|
||||
/* now set credentials */
|
||||
smbldap_set_creds(ctx->smbldap_state, false, ctx->user_dn, secret);
|
||||
} else {
|
||||
smbldap_set_creds(ctx->smbldap_state, true, NULL, NULL);
|
||||
ret = get_credentials( ctx, ctx->smbldap_state, config_option,
|
||||
dom, &ctx->user_dn );
|
||||
if ( !NT_STATUS_IS_OK(ret) ) {
|
||||
DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
|
||||
"credentials (%s)\n", nt_errstr(ret)));
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* set the destructor on the context, so that resource are properly
|
||||
* freed if the contexts is released */
|
||||
freed if the contexts is released */
|
||||
|
||||
talloc_set_destructor(ctx, idmap_ldap_close_destructor);
|
||||
|
||||
dom->private_data = ctx;
|
||||
|
Loading…
Reference in New Issue
Block a user