2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #define DBGC_CLASS DBGC_IDMAP
36 struct idmap_ldap_context {
37 struct smbldap_state *smbldap_state;
41 uint32_t filter_low_id, filter_high_id; /* Filter range */
45 struct idmap_ldap_alloc_context {
46 struct smbldap_state *smbldap_state;
50 uid_t low_uid, high_uid; /* Range of uids */
51 gid_t low_gid, high_gid; /* Range of gids */
55 #define CHECK_ALLOC_DONE(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while (0)
57 /**********************************************************************
58 IDMAP ALLOC TDB BACKEND
59 **********************************************************************/
61 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
63 /*********************************************************************
64 ********************************************************************/
66 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
67 struct smbldap_state *ldap_state,
68 const char *config_option,
69 struct idmap_domain *dom,
72 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
75 const char *tmp = NULL;
77 /* assume anonymous if we don't have a specified user */
79 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
83 /* only the alloc backend is allowed to pass in a NULL dom */
84 secret = idmap_fetch_secret("ldap", true, NULL, tmp);
86 secret = idmap_fetch_secret("ldap", false, dom->name, tmp);
90 DEBUG(0, ("get_credentials: Unable to fetch "
91 "auth credentials for %s in %s\n",
92 tmp, (dom==NULL)?"ALLOC":dom->name));
93 ret = NT_STATUS_ACCESS_DENIED;
96 *dn = talloc_strdup(mem_ctx, tmp);
97 CHECK_ALLOC_DONE(*dn);
99 if ( !fetch_ldap_pw( &user_dn, &secret ) ) {
100 DEBUG(2, ("get_credentials: Failed to lookup ldap "
101 "bind creds. Using anonymous connection.\n"));
102 *dn = talloc_strdup( mem_ctx, "" );
104 *dn = talloc_strdup(mem_ctx, user_dn);
105 SAFE_FREE( user_dn );
106 CHECK_ALLOC_DONE(*dn);
110 smbldap_set_creds(ldap_state, false, *dn, secret);
120 /**********************************************************************
121 Verify the sambaUnixIdPool entry in the directory.
122 **********************************************************************/
124 static NTSTATUS verify_idpool(void)
128 LDAPMessage *result = NULL;
129 LDAPMod **mods = NULL;
130 const char **attr_list;
135 if ( ! idmap_alloc_ldap) {
136 return NT_STATUS_UNSUCCESSFUL;
139 ctx = talloc_new(idmap_alloc_ldap);
141 DEBUG(0, ("Out of memory!\n"));
142 return NT_STATUS_NO_MEMORY;
145 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
146 CHECK_ALLOC_DONE(filter);
148 attr_list = get_attr_list(ctx, idpool_attr_list);
149 CHECK_ALLOC_DONE(attr_list);
151 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
152 idmap_alloc_ldap->suffix,
159 if (rc != LDAP_SUCCESS) {
160 DEBUG(1, ("Unable to verify the idpool, cannot continue initialization!\n"));
161 return NT_STATUS_UNSUCCESSFUL;
164 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
166 ldap_msgfree(result);
169 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
170 filter, idmap_alloc_ldap->suffix));
171 ret = NT_STATUS_UNSUCCESSFUL;
174 else if (count == 0) {
175 char *uid_str, *gid_str;
177 uid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_uid);
178 gid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_gid);
180 smbldap_set_mod(&mods, LDAP_MOD_ADD,
181 "objectClass", LDAP_OBJ_IDPOOL);
182 smbldap_set_mod(&mods, LDAP_MOD_ADD,
183 get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER),
185 smbldap_set_mod(&mods, LDAP_MOD_ADD,
186 get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER),
189 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
190 idmap_alloc_ldap->suffix,
192 ldap_mods_free(mods, True);
194 ret = NT_STATUS_UNSUCCESSFUL;
199 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
205 /*****************************************************************************
206 Initialise idmap database.
207 *****************************************************************************/
209 static NTSTATUS idmap_ldap_alloc_init(const char *params)
211 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
219 /* Only do init if we are online */
220 if (idmap_is_offline()) {
221 return NT_STATUS_FILE_IS_OFFLINE;
224 idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
225 CHECK_ALLOC_DONE( idmap_alloc_ldap );
229 idmap_alloc_ldap->low_uid = 0;
230 idmap_alloc_ldap->high_uid = 0;
231 idmap_alloc_ldap->low_gid = 0;
232 idmap_alloc_ldap->high_gid = 0;
234 range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
235 if (range && range[0]) {
236 unsigned low_id, high_id;
238 if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
239 if (low_id < high_id) {
240 idmap_alloc_ldap->low_gid = idmap_alloc_ldap->low_uid = low_id;
241 idmap_alloc_ldap->high_gid = idmap_alloc_ldap->high_uid = high_id;
243 DEBUG(1, ("ERROR: invalid idmap alloc range [%s]", range));
246 DEBUG(1, ("ERROR: invalid syntax for idmap alloc config:range [%s]", range));
250 if (lp_idmap_uid(&low_uid, &high_uid)) {
251 idmap_alloc_ldap->low_uid = low_uid;
252 idmap_alloc_ldap->high_uid = high_uid;
255 if (lp_idmap_gid(&low_gid, &high_gid)) {
256 idmap_alloc_ldap->low_gid = low_gid;
257 idmap_alloc_ldap->high_gid= high_gid;
260 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
261 DEBUG(1, ("idmap uid range missing or invalid\n"));
262 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
263 ret = NT_STATUS_UNSUCCESSFUL;
267 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
268 DEBUG(1, ("idmap gid range missing or invalid\n"));
269 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
270 ret = NT_STATUS_UNSUCCESSFUL;
274 if (params && *params) {
275 /* assume location is the only parameter */
276 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
278 tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_url", NULL);
281 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
282 ret = NT_STATUS_UNSUCCESSFUL;
286 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
288 CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
290 tmp = lp_ldap_idmap_suffix();
291 if ( ! tmp || ! *tmp) {
292 tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_base_dn", NULL);
295 tmp = lp_ldap_suffix();
297 DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
298 DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
301 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
302 ret = NT_STATUS_UNSUCCESSFUL;
307 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
308 CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
310 ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
311 idmap_alloc_ldap->url,
312 &idmap_alloc_ldap->smbldap_state);
313 if (!NT_STATUS_IS_OK(ret)) {
314 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
315 idmap_alloc_ldap->url));
319 ret = get_credentials( idmap_alloc_ldap,
320 idmap_alloc_ldap->smbldap_state,
321 "idmap alloc config", NULL,
322 &idmap_alloc_ldap->user_dn );
323 if ( !NT_STATUS_IS_OK(ret) ) {
324 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
325 "credentials (%s)\n", nt_errstr(ret)));
329 /* see if the idmap suffix and sub entries exists */
331 ret = verify_idpool();
334 if ( !NT_STATUS_IS_OK( ret ) )
335 TALLOC_FREE( idmap_alloc_ldap );
340 /********************************
341 Allocate a new uid or gid
342 ********************************/
344 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
347 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
348 int rc = LDAP_SERVER_DOWN;
350 LDAPMessage *result = NULL;
351 LDAPMessage *entry = NULL;
352 LDAPMod **mods = NULL;
356 const char *dn = NULL;
357 const char **attr_list;
360 /* Only do query if we are online */
361 if (idmap_is_offline()) {
362 return NT_STATUS_FILE_IS_OFFLINE;
365 if ( ! idmap_alloc_ldap) {
366 return NT_STATUS_UNSUCCESSFUL;
369 ctx = talloc_new(idmap_alloc_ldap);
371 DEBUG(0, ("Out of memory!\n"));
372 return NT_STATUS_NO_MEMORY;
379 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
383 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
387 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
388 return NT_STATUS_INVALID_PARAMETER;
391 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
392 CHECK_ALLOC_DONE(filter);
394 attr_list = get_attr_list(ctx, idpool_attr_list);
395 CHECK_ALLOC_DONE(attr_list);
397 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
399 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
400 idmap_alloc_ldap->suffix,
401 LDAP_SCOPE_SUBTREE, filter,
402 attr_list, 0, &result);
404 if (rc != LDAP_SUCCESS) {
405 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
409 talloc_autofree_ldapmsg(ctx, result);
411 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
413 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
417 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
419 dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
424 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
425 entry, type, ctx))) {
426 DEBUG(0,("%s attribute not found\n", type));
430 DEBUG(0,("Out of memory\n"));
431 ret = NT_STATUS_NO_MEMORY;
435 xid->id = strtoul(id_str, NULL, 10);
437 /* make sure we still have room to grow */
441 if (xid->id > idmap_alloc_ldap->high_uid) {
442 DEBUG(0,("Cannot allocate uid above %lu!\n",
443 (unsigned long)idmap_alloc_ldap->high_uid));
449 if (xid->id > idmap_alloc_ldap->high_gid) {
450 DEBUG(0,("Cannot allocate gid above %lu!\n",
451 (unsigned long)idmap_alloc_ldap->high_uid));
461 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
463 DEBUG(0,("Out of memory\n"));
464 ret = NT_STATUS_NO_MEMORY;
468 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
469 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
472 DEBUG(0,("smbldap_set_mod() failed.\n"));
476 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n", id_str, new_id_str));
478 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
480 ldap_mods_free(mods, True);
482 if (rc != LDAP_SUCCESS) {
483 DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
494 /**********************************
495 Get current highest id.
496 **********************************/
498 static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
501 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
502 int rc = LDAP_SERVER_DOWN;
504 LDAPMessage *result = NULL;
505 LDAPMessage *entry = NULL;
508 const char **attr_list;
511 /* Only do query if we are online */
512 if (idmap_is_offline()) {
513 return NT_STATUS_FILE_IS_OFFLINE;
516 if ( ! idmap_alloc_ldap) {
517 return NT_STATUS_UNSUCCESSFUL;
520 memctx = talloc_new(idmap_alloc_ldap);
522 DEBUG(0, ("Out of memory!\n"));
523 return NT_STATUS_NO_MEMORY;
530 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
534 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
538 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
539 return NT_STATUS_INVALID_PARAMETER;
542 filter = talloc_asprintf(memctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
543 CHECK_ALLOC_DONE(filter);
545 attr_list = get_attr_list(memctx, idpool_attr_list);
546 CHECK_ALLOC_DONE(attr_list);
548 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
549 idmap_alloc_ldap->suffix,
550 LDAP_SCOPE_SUBTREE, filter,
551 attr_list, 0, &result);
553 if (rc != LDAP_SUCCESS) {
554 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
558 talloc_autofree_ldapmsg(memctx, result);
560 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
562 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
566 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
568 id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
569 entry, type, memctx);
571 DEBUG(0,("%s attribute not found\n", type));
575 DEBUG(0,("Out of memory\n"));
576 ret = NT_STATUS_NO_MEMORY;
580 xid->id = strtoul(id_str, NULL, 10);
587 /**********************************
589 **********************************/
591 static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
594 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
595 int rc = LDAP_SERVER_DOWN;
597 LDAPMessage *result = NULL;
598 LDAPMessage *entry = NULL;
599 LDAPMod **mods = NULL;
602 const char *dn = NULL;
603 const char **attr_list;
606 /* Only do query if we are online */
607 if (idmap_is_offline()) {
608 return NT_STATUS_FILE_IS_OFFLINE;
611 if ( ! idmap_alloc_ldap) {
612 return NT_STATUS_UNSUCCESSFUL;
615 ctx = talloc_new(idmap_alloc_ldap);
617 DEBUG(0, ("Out of memory!\n"));
618 return NT_STATUS_NO_MEMORY;
625 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
629 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
633 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
634 return NT_STATUS_INVALID_PARAMETER;
637 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
638 CHECK_ALLOC_DONE(filter);
640 attr_list = get_attr_list(ctx, idpool_attr_list);
641 CHECK_ALLOC_DONE(attr_list);
643 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
644 idmap_alloc_ldap->suffix,
645 LDAP_SCOPE_SUBTREE, filter,
646 attr_list, 0, &result);
648 if (rc != LDAP_SUCCESS) {
649 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
653 talloc_autofree_ldapmsg(ctx, result);
655 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
657 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
661 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
663 dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
668 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id);
670 DEBUG(0,("Out of memory\n"));
671 ret = NT_STATUS_NO_MEMORY;
675 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str);
678 DEBUG(0,("smbldap_set_mod() failed.\n"));
682 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
684 ldap_mods_free(mods, True);
686 if (rc != LDAP_SUCCESS) {
687 DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
698 /**********************************
699 Close idmap ldap alloc
700 **********************************/
702 static NTSTATUS idmap_ldap_alloc_close(void)
704 if (idmap_alloc_ldap) {
705 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
706 DEBUG(5,("The connection to the LDAP server was closed\n"));
707 /* maybe free the results here --metze */
708 TALLOC_FREE(idmap_alloc_ldap);
714 /**********************************************************************
715 IDMAP MAPPING LDAP BACKEND
716 **********************************************************************/
718 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
720 smbldap_free_struct(&ctx->smbldap_state);
721 DEBUG(5,("The connection to the LDAP server was closed\n"));
722 /* maybe free the results here --metze */
727 /********************************
728 Initialise idmap database.
729 ********************************/
731 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
734 struct idmap_ldap_context *ctx = NULL;
735 char *config_option = NULL;
736 const char *range = NULL;
737 const char *tmp = NULL;
739 /* Only do init if we are online */
740 if (idmap_is_offline()) {
741 return NT_STATUS_FILE_IS_OFFLINE;
744 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
746 DEBUG(0, ("Out of memory!\n"));
747 return NT_STATUS_NO_MEMORY;
750 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
751 if ( ! config_option) {
752 DEBUG(0, ("Out of memory!\n"));
753 ret = NT_STATUS_NO_MEMORY;
758 range = lp_parm_const_string(-1, config_option, "range", NULL);
759 if (range && range[0]) {
760 if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
761 (ctx->filter_low_id > ctx->filter_high_id)) {
762 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
763 ctx->filter_low_id = 0;
764 ctx->filter_high_id = 0;
768 if (dom->params && *(dom->params)) {
769 /* assume location is the only parameter */
770 ctx->url = talloc_strdup(ctx, dom->params);
772 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
775 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
776 ret = NT_STATUS_UNSUCCESSFUL;
780 ctx->url = talloc_strdup(ctx, tmp);
782 CHECK_ALLOC_DONE(ctx->url);
784 tmp = lp_ldap_idmap_suffix();
785 if ( ! tmp || ! *tmp) {
786 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
789 tmp = lp_ldap_suffix();
791 DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
792 DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
794 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
795 ret = NT_STATUS_UNSUCCESSFUL;
799 ctx->suffix = talloc_strdup(ctx, tmp);
800 CHECK_ALLOC_DONE(ctx->suffix);
802 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
803 &ctx->smbldap_state);
804 if (!NT_STATUS_IS_OK(ret)) {
805 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
809 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
810 dom, &ctx->user_dn );
811 if ( !NT_STATUS_IS_OK(ret) ) {
812 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
813 "credentials (%s)\n", nt_errstr(ret)));
817 /* set the destructor on the context, so that resource are properly
818 freed if the contexts is released */
820 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
822 dom->private_data = ctx;
823 dom->initialized = True;
825 talloc_free(config_option);
834 /* max number of ids requested per batch query */
835 #define IDMAP_LDAP_MAX_IDS 30
837 /**********************************
838 lookup a set of unix ids.
839 **********************************/
841 /* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
842 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
846 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
847 if (maps[i] == NULL) { /* end of the run */
850 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
858 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
862 struct idmap_ldap_context *ctx;
863 LDAPMessage *result = NULL;
864 const char *uidNumber;
865 const char *gidNumber;
866 const char **attr_list;
875 /* Only do query if we are online */
876 if (idmap_is_offline()) {
877 return NT_STATUS_FILE_IS_OFFLINE;
880 /* Initilization my have been deferred because we were offline */
881 if ( ! dom->initialized) {
882 ret = idmap_ldap_db_init(dom);
883 if ( ! NT_STATUS_IS_OK(ret)) {
888 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
890 memctx = talloc_new(ctx);
892 DEBUG(0, ("Out of memory!\n"));
893 return NT_STATUS_NO_MEMORY;
896 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
897 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
899 attr_list = get_attr_list(ctx, sidmap_attr_list);
902 /* if we are requested just one mapping use the simple filter */
904 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
905 LDAP_OBJ_IDMAP_ENTRY,
906 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
907 (unsigned long)ids[0]->xid.id);
908 CHECK_ALLOC_DONE(filter);
909 DEBUG(10, ("Filter: [%s]\n", filter));
911 /* multiple mappings */
919 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
920 CHECK_ALLOC_DONE(filter);
923 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
924 filter = talloc_asprintf_append(filter, "(%s=%lu)",
925 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
926 (unsigned long)ids[idx]->xid.id);
927 CHECK_ALLOC_DONE(filter);
929 filter = talloc_asprintf_append(filter, "))");
930 CHECK_ALLOC_DONE(filter);
931 DEBUG(10, ("Filter: [%s]\n", filter));
937 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
938 filter, attr_list, 0, &result);
940 if (rc != LDAP_SUCCESS) {
941 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
942 ret = NT_STATUS_UNSUCCESSFUL;
946 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
949 DEBUG(10, ("NO SIDs found\n"));
952 for (i = 0; i < count; i++) {
953 LDAPMessage *entry = NULL;
960 if (i == 0) { /* first entry */
961 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
962 } else { /* following ones */
963 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
966 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
970 /* first check if the SID is present */
971 sidstr = smbldap_talloc_single_attribute(
972 ctx->smbldap_state->ldap_struct,
973 entry, LDAP_ATTRIBUTE_SID, memctx);
974 if ( ! sidstr) { /* no sid, skip entry */
975 DEBUG(2, ("WARNING SID not found on entry\n"));
979 /* now try to see if it is a uid, if not try with a gid
980 * (gid is more common, but in case both uidNumber and
981 * gidNumber are returned the SID is mapped to the uid not the gid) */
983 tmp = smbldap_talloc_single_attribute(
984 ctx->smbldap_state->ldap_struct,
985 entry, uidNumber, memctx);
988 tmp = smbldap_talloc_single_attribute(
989 ctx->smbldap_state->ldap_struct,
990 entry, gidNumber, memctx);
992 if ( ! tmp) { /* wow very strange entry, how did it match ? */
993 DEBUG(5, ("Unprobable match on (%s), no uidNumber, nor gidNumber returned\n", sidstr));
998 id = strtoul(tmp, NULL, 10);
1000 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1001 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1002 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
1003 id, ctx->filter_low_id, ctx->filter_high_id));
1004 TALLOC_FREE(sidstr);
1010 map = find_map_by_id(&ids[bidx], type, id);
1012 DEBUG(2, ("WARNING: couldn't match sid (%s) with requested ids\n", sidstr));
1013 TALLOC_FREE(sidstr);
1017 if ( ! string_to_sid(map->sid, sidstr)) {
1018 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1019 TALLOC_FREE(sidstr);
1022 TALLOC_FREE(sidstr);
1025 map->status = ID_MAPPED;
1027 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
1030 /* free the ldap results */
1032 ldap_msgfree(result);
1036 if (multi && ids[idx]) { /* still some values to map */
1042 /* mark all unknwon/expired ones as unmapped */
1043 for (i = 0; ids[i]; i++) {
1044 if (ids[i]->status != ID_MAPPED)
1045 ids[i]->status = ID_UNMAPPED;
1049 talloc_free(memctx);
1053 /**********************************
1054 lookup a set of sids.
1055 **********************************/
1057 /* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
1058 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
1062 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1063 if (maps[i] == NULL) { /* end of the run */
1066 if (sid_equal(maps[i]->sid, sid)) {
1074 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
1076 LDAPMessage *entry = NULL;
1079 struct idmap_ldap_context *ctx;
1080 LDAPMessage *result = NULL;
1081 const char *uidNumber;
1082 const char *gidNumber;
1083 const char **attr_list;
1084 char *filter = NULL;
1092 /* Only do query if we are online */
1093 if (idmap_is_offline()) {
1094 return NT_STATUS_FILE_IS_OFFLINE;
1097 /* Initilization my have been deferred because we were offline */
1098 if ( ! dom->initialized) {
1099 ret = idmap_ldap_db_init(dom);
1100 if ( ! NT_STATUS_IS_OK(ret)) {
1105 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1107 memctx = talloc_new(ctx);
1109 DEBUG(0, ("Out of memory!\n"));
1110 return NT_STATUS_NO_MEMORY;
1113 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1114 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1116 attr_list = get_attr_list(ctx, sidmap_attr_list);
1119 /* if we are requested just one mapping use the simple filter */
1121 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1122 LDAP_OBJ_IDMAP_ENTRY,
1124 sid_string_static(ids[0]->sid));
1125 CHECK_ALLOC_DONE(filter);
1126 DEBUG(10, ("Filter: [%s]\n", filter));
1128 /* multiple mappings */
1135 TALLOC_FREE(filter);
1136 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
1137 CHECK_ALLOC_DONE(filter);
1140 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1141 filter = talloc_asprintf_append(filter, "(%s=%s)",
1143 sid_string_static(ids[idx]->sid));
1144 CHECK_ALLOC_DONE(filter);
1146 filter = talloc_asprintf_append(filter, "))");
1147 CHECK_ALLOC_DONE(filter);
1148 DEBUG(10, ("Filter: [%s]", filter));
1154 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1155 filter, attr_list, 0, &result);
1157 if (rc != LDAP_SUCCESS) {
1158 DEBUG(3,("Failure looking up sids (%s)\n", ldap_err2string(rc)));
1159 ret = NT_STATUS_UNSUCCESSFUL;
1163 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1166 DEBUG(10, ("NO SIDs found\n"));
1169 for (i = 0; i < count; i++) {
1170 char *sidstr = NULL;
1177 if (i == 0) { /* first entry */
1178 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
1179 } else { /* following ones */
1180 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
1183 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
1187 /* first check if the SID is present */
1188 sidstr = smbldap_talloc_single_attribute(
1189 ctx->smbldap_state->ldap_struct,
1190 entry, LDAP_ATTRIBUTE_SID, memctx);
1191 if ( ! sidstr) { /* no sid ??, skip entry */
1192 DEBUG(2, ("WARNING SID not found on entry\n"));
1196 if ( ! string_to_sid(&sid, sidstr)) {
1197 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1198 TALLOC_FREE(sidstr);
1202 map = find_map_by_sid(&ids[bidx], &sid);
1204 DEBUG(2, ("WARNING: couldn't find entry sid (%s) in ids", sidstr));
1205 TALLOC_FREE(sidstr);
1209 TALLOC_FREE(sidstr);
1211 /* now try to see if it is a uid, if not try with a gid
1212 * (gid is more common, but in case both uidNumber and
1213 * gidNumber are returned the SID is mapped to the uid not the gid) */
1215 tmp = smbldap_talloc_single_attribute(
1216 ctx->smbldap_state->ldap_struct,
1217 entry, uidNumber, memctx);
1220 tmp = smbldap_talloc_single_attribute(
1221 ctx->smbldap_state->ldap_struct,
1222 entry, gidNumber, memctx);
1224 if ( ! tmp) { /* no ids ?? */
1225 DEBUG(5, ("no uidNumber, nor gidNumber attributes found\n"));
1229 id = strtoul(tmp, NULL, 10);
1231 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1232 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1233 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
1234 id, ctx->filter_low_id, ctx->filter_high_id));
1241 map->xid.type = type;
1243 map->status = ID_MAPPED;
1245 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
1248 /* free the ldap results */
1250 ldap_msgfree(result);
1254 if (multi && ids[idx]) { /* still some values to map */
1260 /* mark all unknwon/expired ones as unmapped */
1261 for (i = 0; ids[i]; i++) {
1262 if (ids[i]->status != ID_MAPPED)
1263 ids[i]->status = ID_UNMAPPED;
1267 talloc_free(memctx);
1271 /**********************************
1273 **********************************/
1275 /* TODO: change this: This function cannot be called to modify a mapping, only set a new one */
1277 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id_map *map)
1281 struct idmap_ldap_context *ctx;
1282 LDAPMessage *entry = NULL;
1283 LDAPMod **mods = NULL;
1290 /* Only do query if we are online */
1291 if (idmap_is_offline()) {
1292 return NT_STATUS_FILE_IS_OFFLINE;
1295 /* Initilization my have been deferred because we were offline */
1296 if ( ! dom->initialized) {
1297 ret = idmap_ldap_db_init(dom);
1298 if ( ! NT_STATUS_IS_OK(ret)) {
1303 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1305 switch(map->xid.type) {
1307 type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_UIDNUMBER);
1311 type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_GIDNUMBER);
1315 return NT_STATUS_INVALID_PARAMETER;
1318 memctx = talloc_new(ctx);
1320 DEBUG(0, ("Out of memory!\n"));
1321 return NT_STATUS_NO_MEMORY;
1324 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1325 CHECK_ALLOC_DONE(id_str);
1327 sid = talloc_strdup(memctx, sid_string_static(map->sid));
1328 CHECK_ALLOC_DONE(sid);
1330 dn = talloc_asprintf(memctx, "%s=%s,%s",
1331 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1334 CHECK_ALLOC_DONE(dn);
1336 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1338 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods, type, id_str);
1340 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1341 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), sid);
1344 DEBUG(2, ("ERROR: No mods?\n"));
1345 ret = NT_STATUS_UNSUCCESSFUL;
1349 /* TODO: remove conflicting mappings! */
1351 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1353 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1355 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1356 ldap_mods_free(mods, True);
1358 if (rc != LDAP_SUCCESS) {
1359 char *ld_error = NULL;
1360 ldap_get_option(ctx->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1361 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu mapping [%s]\n",
1362 sid, (unsigned long)map->xid.id, type));
1363 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1364 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1366 ldap_memfree(ld_error);
1368 ret = NT_STATUS_UNSUCCESSFUL;
1372 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
1373 sid, (unsigned long)map->xid.id, type));
1378 talloc_free(memctx);
1382 /**********************************
1383 Close the idmap ldap instance
1384 **********************************/
1386 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1388 struct idmap_ldap_context *ctx;
1390 if (dom->private_data) {
1391 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1394 dom->private_data = NULL;
1397 return NT_STATUS_OK;
1400 static struct idmap_methods idmap_ldap_methods = {
1402 .init = idmap_ldap_db_init,
1403 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1404 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1405 .set_mapping = idmap_ldap_set_mapping,
1406 .close_fn = idmap_ldap_close
1409 static struct idmap_alloc_methods idmap_ldap_alloc_methods = {
1411 .init = idmap_ldap_alloc_init,
1412 .allocate_id = idmap_ldap_allocate_id,
1413 .get_id_hwm = idmap_ldap_get_hwm,
1414 .set_id_hwm = idmap_ldap_set_hwm,
1415 .close_fn = idmap_ldap_alloc_close,
1416 /* .dump_data = TODO */
1419 NTSTATUS idmap_alloc_ldap_init(void)
1421 return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_alloc_methods);
1424 NTSTATUS idmap_ldap_init(void)
1428 /* FIXME: bad hack to actually register also the alloc_ldap module without changining configure.in */
1429 ret = idmap_alloc_ldap_init();
1430 if (! NT_STATUS_IS_OK(ret)) {
1433 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_methods);