2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
30 #define DBGC_CLASS DBGC_IDMAP
37 static char *idmap_fetch_secret(const char *backend, bool alloc,
38 const char *domain, const char *identity)
44 r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend);
46 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
52 strupper_m(tmp); /* make sure the key is case insensitive */
53 ret = secrets_fetch_generic(tmp, identity);
60 struct idmap_ldap_context {
61 struct smbldap_state *smbldap_state;
65 uint32_t filter_low_id, filter_high_id; /* Filter range */
69 struct idmap_ldap_alloc_context {
70 struct smbldap_state *smbldap_state;
74 uid_t low_uid, high_uid; /* Range of uids */
75 gid_t low_gid, high_gid; /* Range of gids */
79 #define CHECK_ALLOC_DONE(mem) do { \
81 DEBUG(0, ("Out of memory!\n")); \
82 ret = NT_STATUS_NO_MEMORY; \
86 /**********************************************************************
87 IDMAP ALLOC TDB BACKEND
88 **********************************************************************/
90 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
92 /*********************************************************************
93 ********************************************************************/
95 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
96 struct smbldap_state *ldap_state,
97 const char *config_option,
98 struct idmap_domain *dom,
101 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
103 const char *tmp = NULL;
104 char *user_dn = NULL;
107 /* assume anonymous if we don't have a specified user */
109 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
113 /* only the alloc backend can pass in a NULL dom */
114 secret = idmap_fetch_secret("ldap", True,
117 secret = idmap_fetch_secret("ldap", False,
122 DEBUG(0, ("get_credentials: Unable to fetch "
123 "auth credentials for %s in %s\n",
124 tmp, (dom==NULL)?"ALLOC":dom->name));
125 ret = NT_STATUS_ACCESS_DENIED;
128 *dn = talloc_strdup(mem_ctx, tmp);
129 CHECK_ALLOC_DONE(*dn);
131 if (!fetch_ldap_pw(&user_dn, &secret)) {
132 DEBUG(2, ("get_credentials: Failed to lookup ldap "
133 "bind creds. Using anonymous connection.\n"));
137 *dn = talloc_strdup(mem_ctx, user_dn);
138 SAFE_FREE( user_dn );
139 CHECK_ALLOC_DONE(*dn);
143 smbldap_set_creds(ldap_state, anon, *dn, secret);
153 /**********************************************************************
154 Verify the sambaUnixIdPool entry in the directory.
155 **********************************************************************/
157 static NTSTATUS verify_idpool(void)
161 LDAPMessage *result = NULL;
162 LDAPMod **mods = NULL;
163 const char **attr_list;
168 if ( ! idmap_alloc_ldap) {
169 return NT_STATUS_UNSUCCESSFUL;
172 ctx = talloc_new(idmap_alloc_ldap);
174 DEBUG(0, ("Out of memory!\n"));
175 return NT_STATUS_NO_MEMORY;
178 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
179 CHECK_ALLOC_DONE(filter);
181 attr_list = get_attr_list(ctx, idpool_attr_list);
182 CHECK_ALLOC_DONE(attr_list);
184 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
185 idmap_alloc_ldap->suffix,
192 if (rc != LDAP_SUCCESS) {
193 DEBUG(1, ("Unable to verify the idpool, "
194 "cannot continue initialization!\n"));
195 return NT_STATUS_UNSUCCESSFUL;
198 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
201 ldap_msgfree(result);
204 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
205 filter, idmap_alloc_ldap->suffix));
206 ret = NT_STATUS_UNSUCCESSFUL;
209 else if (count == 0) {
210 char *uid_str, *gid_str;
212 uid_str = talloc_asprintf(ctx, "%lu",
213 (unsigned long)idmap_alloc_ldap->low_uid);
214 gid_str = talloc_asprintf(ctx, "%lu",
215 (unsigned long)idmap_alloc_ldap->low_gid);
217 smbldap_set_mod(&mods, LDAP_MOD_ADD,
218 "objectClass", LDAP_OBJ_IDPOOL);
219 smbldap_set_mod(&mods, LDAP_MOD_ADD,
220 get_attr_key2string(idpool_attr_list,
221 LDAP_ATTR_UIDNUMBER),
223 smbldap_set_mod(&mods, LDAP_MOD_ADD,
224 get_attr_key2string(idpool_attr_list,
225 LDAP_ATTR_GIDNUMBER),
228 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
229 idmap_alloc_ldap->suffix,
231 ldap_mods_free(mods, True);
233 ret = NT_STATUS_UNSUCCESSFUL;
238 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
244 /*****************************************************************************
245 Initialise idmap database.
246 *****************************************************************************/
248 static NTSTATUS idmap_ldap_alloc_init(const char *params)
250 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
257 /* Only do init if we are online */
258 if (idmap_is_offline()) {
259 return NT_STATUS_FILE_IS_OFFLINE;
262 idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
263 CHECK_ALLOC_DONE( idmap_alloc_ldap );
267 if (!lp_idmap_uid(&low_uid, &high_uid)
268 || !lp_idmap_gid(&low_gid, &high_gid)) {
269 DEBUG(1, ("idmap uid or idmap gid missing\n"));
270 ret = NT_STATUS_UNSUCCESSFUL;
274 idmap_alloc_ldap->low_uid = low_uid;
275 idmap_alloc_ldap->high_uid = high_uid;
276 idmap_alloc_ldap->low_gid = low_gid;
277 idmap_alloc_ldap->high_gid= high_gid;
279 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
280 DEBUG(1, ("idmap uid range invalid\n"));
281 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
282 ret = NT_STATUS_UNSUCCESSFUL;
286 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
287 DEBUG(1, ("idmap gid range invalid\n"));
288 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
289 ret = NT_STATUS_UNSUCCESSFUL;
293 if (params && *params) {
294 /* assume location is the only parameter */
295 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
297 tmp = lp_parm_const_string(-1, "idmap alloc config",
301 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
302 ret = NT_STATUS_UNSUCCESSFUL;
306 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
308 CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
310 trim_char(idmap_alloc_ldap->url, '\"', '\"');
312 tmp = lp_parm_const_string(-1, "idmap alloc config",
313 "ldap_base_dn", NULL);
314 if ( ! tmp || ! *tmp) {
315 tmp = lp_ldap_idmap_suffix();
317 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
318 ret = NT_STATUS_UNSUCCESSFUL;
323 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
324 CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
326 ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
327 idmap_alloc_ldap->url,
328 &idmap_alloc_ldap->smbldap_state);
329 if (!NT_STATUS_IS_OK(ret)) {
330 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
331 idmap_alloc_ldap->url));
335 ret = get_credentials( idmap_alloc_ldap,
336 idmap_alloc_ldap->smbldap_state,
337 "idmap alloc config", NULL,
338 &idmap_alloc_ldap->user_dn );
339 if ( !NT_STATUS_IS_OK(ret) ) {
340 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
341 "credentials (%s)\n", nt_errstr(ret)));
345 /* see if the idmap suffix and sub entries exists */
347 ret = verify_idpool();
350 if ( !NT_STATUS_IS_OK( ret ) )
351 TALLOC_FREE( idmap_alloc_ldap );
356 /********************************
357 Allocate a new uid or gid
358 ********************************/
360 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
363 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
364 int rc = LDAP_SERVER_DOWN;
366 LDAPMessage *result = NULL;
367 LDAPMessage *entry = NULL;
368 LDAPMod **mods = NULL;
372 const char *dn = NULL;
373 const char **attr_list;
376 /* Only do query if we are online */
377 if (idmap_is_offline()) {
378 return NT_STATUS_FILE_IS_OFFLINE;
381 if ( ! idmap_alloc_ldap) {
382 return NT_STATUS_UNSUCCESSFUL;
385 ctx = talloc_new(idmap_alloc_ldap);
387 DEBUG(0, ("Out of memory!\n"));
388 return NT_STATUS_NO_MEMORY;
395 type = get_attr_key2string(idpool_attr_list,
396 LDAP_ATTR_UIDNUMBER);
400 type = get_attr_key2string(idpool_attr_list,
401 LDAP_ATTR_GIDNUMBER);
405 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
406 return NT_STATUS_INVALID_PARAMETER;
409 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
410 CHECK_ALLOC_DONE(filter);
412 attr_list = get_attr_list(ctx, idpool_attr_list);
413 CHECK_ALLOC_DONE(attr_list);
415 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
417 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
418 idmap_alloc_ldap->suffix,
419 LDAP_SCOPE_SUBTREE, filter,
420 attr_list, 0, &result);
422 if (rc != LDAP_SUCCESS) {
423 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
427 talloc_autofree_ldapmsg(ctx, result);
429 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
432 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
436 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
439 dn = smbldap_talloc_dn(ctx,
440 idmap_alloc_ldap->smbldap_state->ldap_struct,
446 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
447 entry, type, ctx))) {
448 DEBUG(0,("%s attribute not found\n", type));
449 ret = NT_STATUS_UNSUCCESSFUL;
453 xid->id = strtoul(id_str, NULL, 10);
455 /* make sure we still have room to grow */
459 if (xid->id > idmap_alloc_ldap->high_uid) {
460 DEBUG(0,("Cannot allocate uid above %lu!\n",
461 (unsigned long)idmap_alloc_ldap->high_uid));
467 if (xid->id > idmap_alloc_ldap->high_gid) {
468 DEBUG(0,("Cannot allocate gid above %lu!\n",
469 (unsigned long)idmap_alloc_ldap->high_uid));
479 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
481 DEBUG(0,("Out of memory\n"));
482 ret = NT_STATUS_NO_MEMORY;
486 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
487 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
490 DEBUG(0,("smbldap_set_mod() failed.\n"));
494 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
495 id_str, new_id_str));
497 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
499 ldap_mods_free(mods, True);
501 if (rc != LDAP_SUCCESS) {
502 DEBUG(1,("Failed to allocate new %s. "
503 "smbldap_modify() failed.\n", type));
514 /**********************************
515 Close idmap ldap alloc
516 **********************************/
518 static NTSTATUS idmap_ldap_alloc_close(void)
520 if (idmap_alloc_ldap) {
521 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
522 DEBUG(5,("The connection to the LDAP server was closed\n"));
523 /* maybe free the results here --metze */
524 TALLOC_FREE(idmap_alloc_ldap);
530 /**********************************************************************
531 IDMAP MAPPING LDAP BACKEND
532 **********************************************************************/
534 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
536 smbldap_free_struct(&ctx->smbldap_state);
537 DEBUG(5,("The connection to the LDAP server was closed\n"));
538 /* maybe free the results here --metze */
543 /********************************
544 Initialise idmap database.
545 ********************************/
547 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
551 struct idmap_ldap_context *ctx = NULL;
552 char *config_option = NULL;
553 const char *tmp = NULL;
555 /* Only do init if we are online */
556 if (idmap_is_offline()) {
557 return NT_STATUS_FILE_IS_OFFLINE;
560 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
562 DEBUG(0, ("Out of memory!\n"));
563 return NT_STATUS_NO_MEMORY;
566 if (strequal(dom->name, "*")) {
572 ctx->filter_low_id = 0;
573 ctx->filter_high_id = 0;
575 if (lp_idmap_uid(&low_uid, &high_uid)) {
576 ctx->filter_low_id = low_uid;
577 ctx->filter_high_id = high_uid;
579 DEBUG(3, ("Warning: 'idmap uid' not set!\n"));
582 if (lp_idmap_gid(&low_gid, &high_gid)) {
583 if ((low_gid != low_uid) || (high_gid != high_uid)) {
584 DEBUG(1, ("Warning: 'idmap uid' and 'idmap gid'"
585 " ranges do not agree -- building "
587 ctx->filter_low_id = MAX(ctx->filter_low_id,
589 ctx->filter_high_id = MIN(ctx->filter_high_id,
593 DEBUG(3, ("Warning: 'idmap gid' not set!\n"));
596 const char *range = NULL;
598 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
599 if ( ! config_option) {
600 DEBUG(0, ("Out of memory!\n"));
601 ret = NT_STATUS_NO_MEMORY;
606 range = lp_parm_const_string(-1, config_option, "range", NULL);
607 if (range && range[0]) {
608 if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
609 &ctx->filter_high_id) != 2))
611 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
612 ctx->filter_low_id = 0;
613 ctx->filter_high_id = 0;
618 if (ctx->filter_low_id > ctx->filter_high_id) {
619 DEBUG(1, ("ERROR: invalid filter range [%u-%u]",
620 ctx->filter_low_id, ctx->filter_high_id));
621 ctx->filter_low_id = 0;
622 ctx->filter_high_id = 0;
625 if (params != NULL) {
626 /* assume location is the only parameter */
627 ctx->url = talloc_strdup(ctx, params);
629 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
632 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
633 ret = NT_STATUS_UNSUCCESSFUL;
637 ctx->url = talloc_strdup(ctx, tmp);
639 CHECK_ALLOC_DONE(ctx->url);
641 trim_char(ctx->url, '\"', '\"');
643 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
644 if ( ! tmp || ! *tmp) {
645 tmp = lp_ldap_idmap_suffix();
647 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
648 ret = NT_STATUS_UNSUCCESSFUL;
653 ctx->suffix = talloc_strdup(ctx, tmp);
654 CHECK_ALLOC_DONE(ctx->suffix);
656 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
657 &ctx->smbldap_state);
658 if (!NT_STATUS_IS_OK(ret)) {
659 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
663 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
664 dom, &ctx->user_dn );
665 if ( !NT_STATUS_IS_OK(ret) ) {
666 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
667 "credentials (%s)\n", nt_errstr(ret)));
671 /* set the destructor on the context, so that resource are properly
672 freed if the contexts is released */
674 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
676 dom->private_data = ctx;
678 talloc_free(config_option);
687 /* max number of ids requested per batch query */
688 #define IDMAP_LDAP_MAX_IDS 30
690 /**********************************
691 lookup a set of unix ids.
692 **********************************/
694 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
695 * in maps for a match */
696 static struct id_map *find_map_by_id(struct id_map **maps,
702 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
703 if (maps[i] == NULL) { /* end of the run */
706 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
714 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
719 struct idmap_ldap_context *ctx;
720 LDAPMessage *result = NULL;
721 LDAPMessage *entry = NULL;
722 const char *uidNumber;
723 const char *gidNumber;
724 const char **attr_list;
733 /* Only do query if we are online */
734 if (idmap_is_offline()) {
735 return NT_STATUS_FILE_IS_OFFLINE;
738 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
740 memctx = talloc_new(ctx);
742 DEBUG(0, ("Out of memory!\n"));
743 return NT_STATUS_NO_MEMORY;
746 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
747 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
749 attr_list = get_attr_list(memctx, sidmap_attr_list);
752 /* if we are requested just one mapping use the simple filter */
754 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
755 LDAP_OBJ_IDMAP_ENTRY,
756 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
757 (unsigned long)ids[0]->xid.id);
758 CHECK_ALLOC_DONE(filter);
759 DEBUG(10, ("Filter: [%s]\n", filter));
761 /* multiple mappings */
765 for (i = 0; ids[i]; i++) {
766 ids[i]->status = ID_UNKNOWN;
773 filter = talloc_asprintf(memctx,
774 "(&(objectClass=%s)(|",
775 LDAP_OBJ_IDMAP_ENTRY);
776 CHECK_ALLOC_DONE(filter);
779 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
780 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
781 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
782 (unsigned long)ids[idx]->xid.id);
783 CHECK_ALLOC_DONE(filter);
785 filter = talloc_asprintf_append_buffer(filter, "))");
786 CHECK_ALLOC_DONE(filter);
787 DEBUG(10, ("Filter: [%s]\n", filter));
793 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
794 filter, attr_list, 0, &result);
796 if (rc != LDAP_SUCCESS) {
797 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
798 ret = NT_STATUS_UNSUCCESSFUL;
802 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
805 DEBUG(10, ("NO SIDs found\n"));
808 for (i = 0; i < count; i++) {
815 if (i == 0) { /* first entry */
816 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
818 } else { /* following ones */
819 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
823 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
828 /* first check if the SID is present */
829 sidstr = smbldap_talloc_single_attribute(
830 ctx->smbldap_state->ldap_struct,
831 entry, LDAP_ATTRIBUTE_SID, memctx);
832 if ( ! sidstr) { /* no sid, skip entry */
833 DEBUG(2, ("WARNING SID not found on entry\n"));
837 /* now try to see if it is a uid, if not try with a gid
838 * (gid is more common, but in case both uidNumber and
839 * gidNumber are returned the SID is mapped to the uid
842 tmp = smbldap_talloc_single_attribute(
843 ctx->smbldap_state->ldap_struct,
844 entry, uidNumber, memctx);
847 tmp = smbldap_talloc_single_attribute(
848 ctx->smbldap_state->ldap_struct,
849 entry, gidNumber, memctx);
851 if ( ! tmp) { /* wow very strange entry, how did it match ? */
852 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
853 "nor gidNumber returned\n", sidstr));
858 id = strtoul(tmp, NULL, 10);
860 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
861 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
862 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
864 ctx->filter_low_id, ctx->filter_high_id));
871 map = find_map_by_id(&ids[bidx], type, id);
873 DEBUG(2, ("WARNING: couldn't match sid (%s) "
874 "with requested ids\n", sidstr));
879 if ( ! string_to_sid(map->sid, sidstr)) {
880 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
885 if (map->status == ID_MAPPED) {
886 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
887 "overwriting mapping %u -> %s with %u -> %s\n",
888 (type == ID_TYPE_UID) ? "UID" : "GID",
889 id, sid_string_dbg(map->sid), id, sidstr));
895 map->status = ID_MAPPED;
897 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
898 (unsigned long)map->xid.id, map->xid.type));
901 /* free the ldap results */
903 ldap_msgfree(result);
907 if (multi && ids[idx]) { /* still some values to map */
913 /* mark all unknwon/expired ones as unmapped */
914 for (i = 0; ids[i]; i++) {
915 if (ids[i]->status != ID_MAPPED)
916 ids[i]->status = ID_UNMAPPED;
924 /**********************************
925 lookup a set of sids.
926 **********************************/
928 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
929 * in maps for a match */
930 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
934 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
935 if (maps[i] == NULL) { /* end of the run */
938 if (sid_equal(maps[i]->sid, sid)) {
946 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
949 LDAPMessage *entry = NULL;
952 struct idmap_ldap_context *ctx;
953 LDAPMessage *result = NULL;
954 const char *uidNumber;
955 const char *gidNumber;
956 const char **attr_list;
965 /* Only do query if we are online */
966 if (idmap_is_offline()) {
967 return NT_STATUS_FILE_IS_OFFLINE;
970 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
972 memctx = talloc_new(ctx);
974 DEBUG(0, ("Out of memory!\n"));
975 return NT_STATUS_NO_MEMORY;
978 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
979 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
981 attr_list = get_attr_list(memctx, sidmap_attr_list);
984 /* if we are requested just one mapping use the simple filter */
986 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
987 LDAP_OBJ_IDMAP_ENTRY,
989 sid_string_talloc(memctx, ids[0]->sid));
990 CHECK_ALLOC_DONE(filter);
991 DEBUG(10, ("Filter: [%s]\n", filter));
993 /* multiple mappings */
997 for (i = 0; ids[i]; i++) {
998 ids[i]->status = ID_UNKNOWN;
1004 TALLOC_FREE(filter);
1005 filter = talloc_asprintf(memctx,
1006 "(&(objectClass=%s)(|",
1007 LDAP_OBJ_IDMAP_ENTRY);
1008 CHECK_ALLOC_DONE(filter);
1011 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1012 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
1014 sid_string_talloc(memctx,
1016 CHECK_ALLOC_DONE(filter);
1018 filter = talloc_asprintf_append_buffer(filter, "))");
1019 CHECK_ALLOC_DONE(filter);
1020 DEBUG(10, ("Filter: [%s]", filter));
1026 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1027 filter, attr_list, 0, &result);
1029 if (rc != LDAP_SUCCESS) {
1030 DEBUG(3,("Failure looking up sids (%s)\n",
1031 ldap_err2string(rc)));
1032 ret = NT_STATUS_UNSUCCESSFUL;
1036 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1039 DEBUG(10, ("NO SIDs found\n"));
1042 for (i = 0; i < count; i++) {
1043 char *sidstr = NULL;
1050 if (i == 0) { /* first entry */
1051 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1053 } else { /* following ones */
1054 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1058 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1063 /* first check if the SID is present */
1064 sidstr = smbldap_talloc_single_attribute(
1065 ctx->smbldap_state->ldap_struct,
1066 entry, LDAP_ATTRIBUTE_SID, memctx);
1067 if ( ! sidstr) { /* no sid ??, skip entry */
1068 DEBUG(2, ("WARNING SID not found on entry\n"));
1072 if ( ! string_to_sid(&sid, sidstr)) {
1073 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1074 TALLOC_FREE(sidstr);
1078 map = find_map_by_sid(&ids[bidx], &sid);
1080 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1082 TALLOC_FREE(sidstr);
1086 /* now try to see if it is a uid, if not try with a gid
1087 * (gid is more common, but in case both uidNumber and
1088 * gidNumber are returned the SID is mapped to the uid
1091 tmp = smbldap_talloc_single_attribute(
1092 ctx->smbldap_state->ldap_struct,
1093 entry, uidNumber, memctx);
1096 tmp = smbldap_talloc_single_attribute(
1097 ctx->smbldap_state->ldap_struct,
1098 entry, gidNumber, memctx);
1100 if ( ! tmp) { /* no ids ?? */
1101 DEBUG(5, ("no uidNumber, "
1102 "nor gidNumber attributes found\n"));
1103 TALLOC_FREE(sidstr);
1107 id = strtoul(tmp, NULL, 10);
1109 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1110 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1111 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1113 ctx->filter_low_id, ctx->filter_high_id));
1114 TALLOC_FREE(sidstr);
1120 if (map->status == ID_MAPPED) {
1121 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1122 "overwriting mapping %s -> %u with %s -> %u\n",
1123 (type == ID_TYPE_UID) ? "UID" : "GID",
1124 sidstr, map->xid.id, sidstr, id));
1127 TALLOC_FREE(sidstr);
1130 map->xid.type = type;
1132 map->status = ID_MAPPED;
1134 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1135 (unsigned long)map->xid.id, map->xid.type));
1138 /* free the ldap results */
1140 ldap_msgfree(result);
1144 if (multi && ids[idx]) { /* still some values to map */
1150 /* mark all unknwon/expired ones as unmapped */
1151 for (i = 0; ids[i]; i++) {
1152 if (ids[i]->status != ID_MAPPED)
1153 ids[i]->status = ID_UNMAPPED;
1157 talloc_free(memctx);
1161 /**********************************
1163 **********************************/
1165 /* TODO: change this: This function cannot be called to modify a mapping,
1166 * only set a new one */
1168 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
1169 const struct id_map *map)
1173 struct idmap_ldap_context *ctx;
1174 LDAPMessage *entry = NULL;
1175 LDAPMod **mods = NULL;
1182 /* Only do query if we are online */
1183 if (idmap_is_offline()) {
1184 return NT_STATUS_FILE_IS_OFFLINE;
1187 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1189 switch(map->xid.type) {
1191 type = get_attr_key2string(sidmap_attr_list,
1192 LDAP_ATTR_UIDNUMBER);
1196 type = get_attr_key2string(sidmap_attr_list,
1197 LDAP_ATTR_GIDNUMBER);
1201 return NT_STATUS_INVALID_PARAMETER;
1204 memctx = talloc_new(ctx);
1206 DEBUG(0, ("Out of memory!\n"));
1207 return NT_STATUS_NO_MEMORY;
1210 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1211 CHECK_ALLOC_DONE(id_str);
1213 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
1214 CHECK_ALLOC_DONE(sid);
1216 dn = talloc_asprintf(memctx, "%s=%s,%s",
1217 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1220 CHECK_ALLOC_DONE(dn);
1222 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1223 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1225 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
1226 entry, &mods, type, id_str);
1228 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1229 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1233 DEBUG(2, ("ERROR: No mods?\n"));
1234 ret = NT_STATUS_UNSUCCESSFUL;
1238 /* TODO: remove conflicting mappings! */
1240 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1242 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1244 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1245 ldap_mods_free(mods, True);
1247 if (rc != LDAP_SUCCESS) {
1248 char *ld_error = NULL;
1249 ldap_get_option(ctx->smbldap_state->ldap_struct,
1250 LDAP_OPT_ERROR_STRING, &ld_error);
1251 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
1252 "mapping [%s]\n", sid,
1253 (unsigned long)map->xid.id, type));
1254 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1255 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1257 ldap_memfree(ld_error);
1259 ret = NT_STATUS_UNSUCCESSFUL;
1263 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
1264 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
1269 talloc_free(memctx);
1273 /**********************************
1274 Close the idmap ldap instance
1275 **********************************/
1277 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1279 struct idmap_ldap_context *ctx;
1281 if (dom->private_data) {
1282 ctx = talloc_get_type(dom->private_data,
1283 struct idmap_ldap_context);
1286 dom->private_data = NULL;
1289 return NT_STATUS_OK;
1292 static struct idmap_methods idmap_ldap_methods = {
1294 .init = idmap_ldap_db_init,
1295 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1296 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1297 .allocate_id = idmap_ldap_get_new_id,
1298 .close_fn = idmap_ldap_close
1301 NTSTATUS idmap_ldap_init(void);
1302 NTSTATUS idmap_ldap_init(void)
1304 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1305 &idmap_ldap_methods);