2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #define DBGC_CLASS DBGC_IDMAP
36 struct idmap_ldap_context {
37 struct smbldap_state *smbldap_state;
41 uint32_t filter_low_id, filter_high_id; /* Filter range */
45 struct idmap_ldap_alloc_context {
46 struct smbldap_state *smbldap_state;
50 uid_t low_uid, high_uid; /* Range of uids */
51 gid_t low_gid, high_gid; /* Range of gids */
55 #define CHECK_ALLOC_DONE(mem) do { \
57 DEBUG(0, ("Out of memory!\n")); \
58 ret = NT_STATUS_NO_MEMORY; \
62 /**********************************************************************
63 IDMAP ALLOC TDB BACKEND
64 **********************************************************************/
66 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
68 /*********************************************************************
69 ********************************************************************/
71 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
72 struct smbldap_state *ldap_state,
73 const char *config_option,
74 struct idmap_domain *dom,
77 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
79 const char *tmp = NULL;
83 /* assume anonymous if we don't have a specified user */
85 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
89 /* only the alloc backend can pass in a NULL dom */
90 secret = idmap_fetch_secret("ldap", True,
93 secret = idmap_fetch_secret("ldap", False,
98 DEBUG(0, ("get_credentials: Unable to fetch "
99 "auth credentials for %s in %s\n",
100 tmp, (dom==NULL)?"ALLOC":dom->name));
101 ret = NT_STATUS_ACCESS_DENIED;
104 *dn = talloc_strdup(mem_ctx, tmp);
105 CHECK_ALLOC_DONE(*dn);
107 if (!fetch_ldap_pw(&user_dn, &secret)) {
108 DEBUG(2, ("get_credentials: Failed to lookup ldap "
109 "bind creds. Using anonymous connection.\n"));
112 *dn = talloc_strdup(mem_ctx, user_dn);
113 SAFE_FREE( user_dn );
114 CHECK_ALLOC_DONE(*dn);
118 smbldap_set_creds(ldap_state, anon, *dn, secret);
128 /**********************************************************************
129 Verify the sambaUnixIdPool entry in the directory.
130 **********************************************************************/
132 static NTSTATUS verify_idpool(void)
136 LDAPMessage *result = NULL;
137 LDAPMod **mods = NULL;
138 const char **attr_list;
143 if ( ! idmap_alloc_ldap) {
144 return NT_STATUS_UNSUCCESSFUL;
147 ctx = talloc_new(idmap_alloc_ldap);
149 DEBUG(0, ("Out of memory!\n"));
150 return NT_STATUS_NO_MEMORY;
153 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
154 CHECK_ALLOC_DONE(filter);
156 attr_list = get_attr_list(ctx, idpool_attr_list);
157 CHECK_ALLOC_DONE(attr_list);
159 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
160 idmap_alloc_ldap->suffix,
167 if (rc != LDAP_SUCCESS) {
168 DEBUG(1, ("Unable to verify the idpool, "
169 "cannot continue initialization!\n"));
170 return NT_STATUS_UNSUCCESSFUL;
173 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
176 ldap_msgfree(result);
179 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
180 filter, idmap_alloc_ldap->suffix));
181 ret = NT_STATUS_UNSUCCESSFUL;
184 else if (count == 0) {
185 char *uid_str, *gid_str;
187 uid_str = talloc_asprintf(ctx, "%lu",
188 (unsigned long)idmap_alloc_ldap->low_uid);
189 gid_str = talloc_asprintf(ctx, "%lu",
190 (unsigned long)idmap_alloc_ldap->low_gid);
192 smbldap_set_mod(&mods, LDAP_MOD_ADD,
193 "objectClass", LDAP_OBJ_IDPOOL);
194 smbldap_set_mod(&mods, LDAP_MOD_ADD,
195 get_attr_key2string(idpool_attr_list,
196 LDAP_ATTR_UIDNUMBER),
198 smbldap_set_mod(&mods, LDAP_MOD_ADD,
199 get_attr_key2string(idpool_attr_list,
200 LDAP_ATTR_GIDNUMBER),
203 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
204 idmap_alloc_ldap->suffix,
206 ldap_mods_free(mods, True);
208 ret = NT_STATUS_UNSUCCESSFUL;
213 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
219 /*****************************************************************************
220 Initialise idmap database.
221 *****************************************************************************/
223 static NTSTATUS idmap_ldap_alloc_init(const char *params)
225 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
233 /* Only do init if we are online */
234 if (idmap_is_offline()) {
235 return NT_STATUS_FILE_IS_OFFLINE;
238 idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
239 CHECK_ALLOC_DONE( idmap_alloc_ldap );
243 idmap_alloc_ldap->low_uid = 0;
244 idmap_alloc_ldap->high_uid = 0;
245 idmap_alloc_ldap->low_gid = 0;
246 idmap_alloc_ldap->high_gid = 0;
248 range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
249 if (range && range[0]) {
250 unsigned low_id, high_id;
252 if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
253 if (low_id < high_id) {
254 idmap_alloc_ldap->low_gid = low_id;
255 idmap_alloc_ldap->low_uid = low_id;
256 idmap_alloc_ldap->high_gid = high_id;
257 idmap_alloc_ldap->high_uid = high_id;
259 DEBUG(1, ("ERROR: invalid idmap alloc range "
263 DEBUG(1, ("ERROR: invalid syntax for idmap alloc "
264 "config:range [%s]", range));
268 if (lp_idmap_uid(&low_uid, &high_uid)) {
269 idmap_alloc_ldap->low_uid = low_uid;
270 idmap_alloc_ldap->high_uid = high_uid;
273 if (lp_idmap_gid(&low_gid, &high_gid)) {
274 idmap_alloc_ldap->low_gid = low_gid;
275 idmap_alloc_ldap->high_gid= high_gid;
278 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
279 DEBUG(1, ("idmap uid range missing or invalid\n"));
280 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
281 ret = NT_STATUS_UNSUCCESSFUL;
285 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
286 DEBUG(1, ("idmap gid range missing or invalid\n"));
287 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
288 ret = NT_STATUS_UNSUCCESSFUL;
292 if (params && *params) {
293 /* assume location is the only parameter */
294 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
296 tmp = lp_parm_const_string(-1, "idmap alloc config",
300 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
301 ret = NT_STATUS_UNSUCCESSFUL;
305 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
307 CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
309 tmp = lp_parm_const_string(-1, "idmap alloc config",
310 "ldap_base_dn", NULL);
311 if ( ! tmp || ! *tmp) {
312 tmp = lp_ldap_idmap_suffix();
314 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
315 ret = NT_STATUS_UNSUCCESSFUL;
320 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
321 CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
323 ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
324 idmap_alloc_ldap->url,
325 &idmap_alloc_ldap->smbldap_state);
326 if (!NT_STATUS_IS_OK(ret)) {
327 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
328 idmap_alloc_ldap->url));
332 ret = get_credentials( idmap_alloc_ldap,
333 idmap_alloc_ldap->smbldap_state,
334 "idmap alloc config", NULL,
335 &idmap_alloc_ldap->user_dn );
336 if ( !NT_STATUS_IS_OK(ret) ) {
337 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
338 "credentials (%s)\n", nt_errstr(ret)));
342 /* see if the idmap suffix and sub entries exists */
344 ret = verify_idpool();
347 if ( !NT_STATUS_IS_OK( ret ) )
348 TALLOC_FREE( idmap_alloc_ldap );
353 /********************************
354 Allocate a new uid or gid
355 ********************************/
357 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
360 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
361 int rc = LDAP_SERVER_DOWN;
363 LDAPMessage *result = NULL;
364 LDAPMessage *entry = NULL;
365 LDAPMod **mods = NULL;
369 const char *dn = NULL;
370 const char **attr_list;
373 /* Only do query if we are online */
374 if (idmap_is_offline()) {
375 return NT_STATUS_FILE_IS_OFFLINE;
378 if ( ! idmap_alloc_ldap) {
379 return NT_STATUS_UNSUCCESSFUL;
382 ctx = talloc_new(idmap_alloc_ldap);
384 DEBUG(0, ("Out of memory!\n"));
385 return NT_STATUS_NO_MEMORY;
392 type = get_attr_key2string(idpool_attr_list,
393 LDAP_ATTR_UIDNUMBER);
397 type = get_attr_key2string(idpool_attr_list,
398 LDAP_ATTR_GIDNUMBER);
402 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
403 return NT_STATUS_INVALID_PARAMETER;
406 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
407 CHECK_ALLOC_DONE(filter);
409 attr_list = get_attr_list(ctx, idpool_attr_list);
410 CHECK_ALLOC_DONE(attr_list);
412 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
414 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
415 idmap_alloc_ldap->suffix,
416 LDAP_SCOPE_SUBTREE, filter,
417 attr_list, 0, &result);
419 if (rc != LDAP_SUCCESS) {
420 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
424 talloc_autofree_ldapmsg(ctx, result);
426 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
429 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
433 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
436 dn = smbldap_talloc_dn(ctx,
437 idmap_alloc_ldap->smbldap_state->ldap_struct,
443 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
444 entry, type, ctx))) {
445 DEBUG(0,("%s attribute not found\n", type));
449 DEBUG(0,("Out of memory\n"));
450 ret = NT_STATUS_NO_MEMORY;
454 xid->id = strtoul(id_str, NULL, 10);
456 /* make sure we still have room to grow */
460 if (xid->id > idmap_alloc_ldap->high_uid) {
461 DEBUG(0,("Cannot allocate uid above %lu!\n",
462 (unsigned long)idmap_alloc_ldap->high_uid));
468 if (xid->id > idmap_alloc_ldap->high_gid) {
469 DEBUG(0,("Cannot allocate gid above %lu!\n",
470 (unsigned long)idmap_alloc_ldap->high_uid));
480 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
482 DEBUG(0,("Out of memory\n"));
483 ret = NT_STATUS_NO_MEMORY;
487 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
488 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
491 DEBUG(0,("smbldap_set_mod() failed.\n"));
495 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
496 id_str, new_id_str));
498 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
500 ldap_mods_free(mods, True);
502 if (rc != LDAP_SUCCESS) {
503 DEBUG(1,("Failed to allocate new %s. "
504 "smbldap_modify() failed.\n", type));
515 /**********************************
516 Get current highest id.
517 **********************************/
519 static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
522 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
523 int rc = LDAP_SERVER_DOWN;
525 LDAPMessage *result = NULL;
526 LDAPMessage *entry = NULL;
529 const char **attr_list;
532 /* Only do query if we are online */
533 if (idmap_is_offline()) {
534 return NT_STATUS_FILE_IS_OFFLINE;
537 if ( ! idmap_alloc_ldap) {
538 return NT_STATUS_UNSUCCESSFUL;
541 memctx = talloc_new(idmap_alloc_ldap);
543 DEBUG(0, ("Out of memory!\n"));
544 return NT_STATUS_NO_MEMORY;
551 type = get_attr_key2string(idpool_attr_list,
552 LDAP_ATTR_UIDNUMBER);
556 type = get_attr_key2string(idpool_attr_list,
557 LDAP_ATTR_GIDNUMBER);
561 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
562 return NT_STATUS_INVALID_PARAMETER;
565 filter = talloc_asprintf(memctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
566 CHECK_ALLOC_DONE(filter);
568 attr_list = get_attr_list(memctx, idpool_attr_list);
569 CHECK_ALLOC_DONE(attr_list);
571 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
572 idmap_alloc_ldap->suffix,
573 LDAP_SCOPE_SUBTREE, filter,
574 attr_list, 0, &result);
576 if (rc != LDAP_SUCCESS) {
577 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
581 talloc_autofree_ldapmsg(memctx, result);
583 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
586 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
590 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
593 id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
594 entry, type, memctx);
596 DEBUG(0,("%s attribute not found\n", type));
600 DEBUG(0,("Out of memory\n"));
601 ret = NT_STATUS_NO_MEMORY;
605 xid->id = strtoul(id_str, NULL, 10);
612 /**********************************
614 **********************************/
616 static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
619 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
620 int rc = LDAP_SERVER_DOWN;
622 LDAPMessage *result = NULL;
623 LDAPMessage *entry = NULL;
624 LDAPMod **mods = NULL;
627 const char *dn = NULL;
628 const char **attr_list;
631 /* Only do query if we are online */
632 if (idmap_is_offline()) {
633 return NT_STATUS_FILE_IS_OFFLINE;
636 if ( ! idmap_alloc_ldap) {
637 return NT_STATUS_UNSUCCESSFUL;
640 ctx = talloc_new(idmap_alloc_ldap);
642 DEBUG(0, ("Out of memory!\n"));
643 return NT_STATUS_NO_MEMORY;
650 type = get_attr_key2string(idpool_attr_list,
651 LDAP_ATTR_UIDNUMBER);
655 type = get_attr_key2string(idpool_attr_list,
656 LDAP_ATTR_GIDNUMBER);
660 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
661 return NT_STATUS_INVALID_PARAMETER;
664 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
665 CHECK_ALLOC_DONE(filter);
667 attr_list = get_attr_list(ctx, idpool_attr_list);
668 CHECK_ALLOC_DONE(attr_list);
670 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
671 idmap_alloc_ldap->suffix,
672 LDAP_SCOPE_SUBTREE, filter,
673 attr_list, 0, &result);
675 if (rc != LDAP_SUCCESS) {
676 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
680 talloc_autofree_ldapmsg(ctx, result);
682 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
685 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
689 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
692 dn = smbldap_talloc_dn(ctx,
693 idmap_alloc_ldap->smbldap_state->ldap_struct,
699 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id);
701 DEBUG(0,("Out of memory\n"));
702 ret = NT_STATUS_NO_MEMORY;
706 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str);
709 DEBUG(0,("smbldap_set_mod() failed.\n"));
713 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
715 ldap_mods_free(mods, True);
717 if (rc != LDAP_SUCCESS) {
718 DEBUG(1,("Failed to allocate new %s. "
719 "smbldap_modify() failed.\n", type));
730 /**********************************
731 Close idmap ldap alloc
732 **********************************/
734 static NTSTATUS idmap_ldap_alloc_close(void)
736 if (idmap_alloc_ldap) {
737 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
738 DEBUG(5,("The connection to the LDAP server was closed\n"));
739 /* maybe free the results here --metze */
740 TALLOC_FREE(idmap_alloc_ldap);
746 /**********************************************************************
747 IDMAP MAPPING LDAP BACKEND
748 **********************************************************************/
750 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
752 smbldap_free_struct(&ctx->smbldap_state);
753 DEBUG(5,("The connection to the LDAP server was closed\n"));
754 /* maybe free the results here --metze */
759 /********************************
760 Initialise idmap database.
761 ********************************/
763 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
766 struct idmap_ldap_context *ctx = NULL;
767 char *config_option = NULL;
768 const char *range = NULL;
769 const char *tmp = NULL;
771 /* Only do init if we are online */
772 if (idmap_is_offline()) {
773 return NT_STATUS_FILE_IS_OFFLINE;
776 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
778 DEBUG(0, ("Out of memory!\n"));
779 return NT_STATUS_NO_MEMORY;
782 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
783 if ( ! config_option) {
784 DEBUG(0, ("Out of memory!\n"));
785 ret = NT_STATUS_NO_MEMORY;
790 range = lp_parm_const_string(-1, config_option, "range", NULL);
791 if (range && range[0]) {
792 if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
793 &ctx->filter_high_id) != 2) ||
794 (ctx->filter_low_id > ctx->filter_high_id)) {
795 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
796 ctx->filter_low_id = 0;
797 ctx->filter_high_id = 0;
801 if (dom->params && *(dom->params)) {
802 /* assume location is the only parameter */
803 ctx->url = talloc_strdup(ctx, dom->params);
805 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
808 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
809 ret = NT_STATUS_UNSUCCESSFUL;
813 ctx->url = talloc_strdup(ctx, tmp);
815 CHECK_ALLOC_DONE(ctx->url);
817 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
818 if ( ! tmp || ! *tmp) {
819 tmp = lp_ldap_idmap_suffix();
821 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
822 ret = NT_STATUS_UNSUCCESSFUL;
827 ctx->suffix = talloc_strdup(ctx, tmp);
828 CHECK_ALLOC_DONE(ctx->suffix);
830 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
831 &ctx->smbldap_state);
832 if (!NT_STATUS_IS_OK(ret)) {
833 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
837 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
838 dom, &ctx->user_dn );
839 if ( !NT_STATUS_IS_OK(ret) ) {
840 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
841 "credentials (%s)\n", nt_errstr(ret)));
845 /* set the destructor on the context, so that resource are properly
846 freed if the contexts is released */
848 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
850 dom->private_data = ctx;
851 dom->initialized = True;
853 talloc_free(config_option);
862 /* max number of ids requested per batch query */
863 #define IDMAP_LDAP_MAX_IDS 30
865 /**********************************
866 lookup a set of unix ids.
867 **********************************/
869 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
870 * in maps for a match */
871 static struct id_map *find_map_by_id(struct id_map **maps,
877 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
878 if (maps[i] == NULL) { /* end of the run */
881 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
889 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
894 struct idmap_ldap_context *ctx;
895 LDAPMessage *result = NULL;
896 const char *uidNumber;
897 const char *gidNumber;
898 const char **attr_list;
907 /* Only do query if we are online */
908 if (idmap_is_offline()) {
909 return NT_STATUS_FILE_IS_OFFLINE;
912 /* Initilization my have been deferred because we were offline */
913 if ( ! dom->initialized) {
914 ret = idmap_ldap_db_init(dom);
915 if ( ! NT_STATUS_IS_OK(ret)) {
920 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
922 memctx = talloc_new(ctx);
924 DEBUG(0, ("Out of memory!\n"));
925 return NT_STATUS_NO_MEMORY;
928 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
929 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
931 attr_list = get_attr_list(memctx, sidmap_attr_list);
934 /* if we are requested just one mapping use the simple filter */
936 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
937 LDAP_OBJ_IDMAP_ENTRY,
938 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
939 (unsigned long)ids[0]->xid.id);
940 CHECK_ALLOC_DONE(filter);
941 DEBUG(10, ("Filter: [%s]\n", filter));
943 /* multiple mappings */
951 filter = talloc_asprintf(memctx,
952 "(&(objectClass=%s)(|",
953 LDAP_OBJ_IDMAP_ENTRY);
954 CHECK_ALLOC_DONE(filter);
957 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
958 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
959 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
960 (unsigned long)ids[idx]->xid.id);
961 CHECK_ALLOC_DONE(filter);
963 filter = talloc_asprintf_append_buffer(filter, "))");
964 CHECK_ALLOC_DONE(filter);
965 DEBUG(10, ("Filter: [%s]\n", filter));
971 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
972 filter, attr_list, 0, &result);
974 if (rc != LDAP_SUCCESS) {
975 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
976 ret = NT_STATUS_UNSUCCESSFUL;
980 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
983 DEBUG(10, ("NO SIDs found\n"));
986 for (i = 0; i < count; i++) {
987 LDAPMessage *entry = NULL;
994 if (i == 0) { /* first entry */
995 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
997 } else { /* following ones */
998 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1002 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1007 /* first check if the SID is present */
1008 sidstr = smbldap_talloc_single_attribute(
1009 ctx->smbldap_state->ldap_struct,
1010 entry, LDAP_ATTRIBUTE_SID, memctx);
1011 if ( ! sidstr) { /* no sid, skip entry */
1012 DEBUG(2, ("WARNING SID not found on entry\n"));
1016 /* now try to see if it is a uid, if not try with a gid
1017 * (gid is more common, but in case both uidNumber and
1018 * gidNumber are returned the SID is mapped to the uid
1021 tmp = smbldap_talloc_single_attribute(
1022 ctx->smbldap_state->ldap_struct,
1023 entry, uidNumber, memctx);
1026 tmp = smbldap_talloc_single_attribute(
1027 ctx->smbldap_state->ldap_struct,
1028 entry, gidNumber, memctx);
1030 if ( ! tmp) { /* wow very strange entry, how did it match ? */
1031 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
1032 "nor gidNumber returned\n", sidstr));
1033 TALLOC_FREE(sidstr);
1037 id = strtoul(tmp, NULL, 10);
1039 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1040 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1041 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1043 ctx->filter_low_id, ctx->filter_high_id));
1044 TALLOC_FREE(sidstr);
1050 map = find_map_by_id(&ids[bidx], type, id);
1052 DEBUG(2, ("WARNING: couldn't match sid (%s) "
1053 "with requested ids\n", sidstr));
1054 TALLOC_FREE(sidstr);
1058 if ( ! string_to_sid(map->sid, sidstr)) {
1059 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1060 TALLOC_FREE(sidstr);
1063 TALLOC_FREE(sidstr);
1066 map->status = ID_MAPPED;
1068 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
1069 sid_string_static(map->sid),
1070 (unsigned long)map->xid.id, map->xid.type));
1073 /* free the ldap results */
1075 ldap_msgfree(result);
1079 if (multi && ids[idx]) { /* still some values to map */
1085 /* mark all unknwon/expired ones as unmapped */
1086 for (i = 0; ids[i]; i++) {
1087 if (ids[i]->status != ID_MAPPED)
1088 ids[i]->status = ID_UNMAPPED;
1092 talloc_free(memctx);
1096 /**********************************
1097 lookup a set of sids.
1098 **********************************/
1100 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
1101 * in maps for a match */
1102 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
1106 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1107 if (maps[i] == NULL) { /* end of the run */
1110 if (sid_equal(maps[i]->sid, sid)) {
1118 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
1119 struct id_map **ids)
1121 LDAPMessage *entry = NULL;
1124 struct idmap_ldap_context *ctx;
1125 LDAPMessage *result = NULL;
1126 const char *uidNumber;
1127 const char *gidNumber;
1128 const char **attr_list;
1129 char *filter = NULL;
1137 /* Only do query if we are online */
1138 if (idmap_is_offline()) {
1139 return NT_STATUS_FILE_IS_OFFLINE;
1142 /* Initilization my have been deferred because we were offline */
1143 if ( ! dom->initialized) {
1144 ret = idmap_ldap_db_init(dom);
1145 if ( ! NT_STATUS_IS_OK(ret)) {
1150 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1152 memctx = talloc_new(ctx);
1154 DEBUG(0, ("Out of memory!\n"));
1155 return NT_STATUS_NO_MEMORY;
1158 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1159 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1161 attr_list = get_attr_list(memctx, sidmap_attr_list);
1164 /* if we are requested just one mapping use the simple filter */
1166 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1167 LDAP_OBJ_IDMAP_ENTRY,
1169 sid_string_static(ids[0]->sid));
1170 CHECK_ALLOC_DONE(filter);
1171 DEBUG(10, ("Filter: [%s]\n", filter));
1173 /* multiple mappings */
1180 TALLOC_FREE(filter);
1181 filter = talloc_asprintf(memctx,
1182 "(&(objectClass=%s)(|",
1183 LDAP_OBJ_IDMAP_ENTRY);
1184 CHECK_ALLOC_DONE(filter);
1187 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1188 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
1190 sid_string_static(ids[idx]->sid));
1191 CHECK_ALLOC_DONE(filter);
1193 filter = talloc_asprintf_append_buffer(filter, "))");
1194 CHECK_ALLOC_DONE(filter);
1195 DEBUG(10, ("Filter: [%s]", filter));
1201 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1202 filter, attr_list, 0, &result);
1204 if (rc != LDAP_SUCCESS) {
1205 DEBUG(3,("Failure looking up sids (%s)\n",
1206 ldap_err2string(rc)));
1207 ret = NT_STATUS_UNSUCCESSFUL;
1211 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1214 DEBUG(10, ("NO SIDs found\n"));
1217 for (i = 0; i < count; i++) {
1218 char *sidstr = NULL;
1225 if (i == 0) { /* first entry */
1226 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1228 } else { /* following ones */
1229 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1233 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1238 /* first check if the SID is present */
1239 sidstr = smbldap_talloc_single_attribute(
1240 ctx->smbldap_state->ldap_struct,
1241 entry, LDAP_ATTRIBUTE_SID, memctx);
1242 if ( ! sidstr) { /* no sid ??, skip entry */
1243 DEBUG(2, ("WARNING SID not found on entry\n"));
1247 if ( ! string_to_sid(&sid, sidstr)) {
1248 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1249 TALLOC_FREE(sidstr);
1253 map = find_map_by_sid(&ids[bidx], &sid);
1255 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1257 TALLOC_FREE(sidstr);
1261 TALLOC_FREE(sidstr);
1263 /* now try to see if it is a uid, if not try with a gid
1264 * (gid is more common, but in case both uidNumber and
1265 * gidNumber are returned the SID is mapped to the uid
1268 tmp = smbldap_talloc_single_attribute(
1269 ctx->smbldap_state->ldap_struct,
1270 entry, uidNumber, memctx);
1273 tmp = smbldap_talloc_single_attribute(
1274 ctx->smbldap_state->ldap_struct,
1275 entry, gidNumber, memctx);
1277 if ( ! tmp) { /* no ids ?? */
1278 DEBUG(5, ("no uidNumber, "
1279 "nor gidNumber attributes found\n"));
1283 id = strtoul(tmp, NULL, 10);
1285 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1286 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1287 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1289 ctx->filter_low_id, ctx->filter_high_id));
1296 map->xid.type = type;
1298 map->status = ID_MAPPED;
1300 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
1301 sid_string_static(map->sid),
1302 (unsigned long)map->xid.id, map->xid.type));
1305 /* free the ldap results */
1307 ldap_msgfree(result);
1311 if (multi && ids[idx]) { /* still some values to map */
1317 /* mark all unknwon/expired ones as unmapped */
1318 for (i = 0; ids[i]; i++) {
1319 if (ids[i]->status != ID_MAPPED)
1320 ids[i]->status = ID_UNMAPPED;
1324 talloc_free(memctx);
1328 /**********************************
1330 **********************************/
1332 /* TODO: change this: This function cannot be called to modify a mapping,
1333 * only set a new one */
1335 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
1336 const struct id_map *map)
1340 struct idmap_ldap_context *ctx;
1341 LDAPMessage *entry = NULL;
1342 LDAPMod **mods = NULL;
1349 /* Only do query if we are online */
1350 if (idmap_is_offline()) {
1351 return NT_STATUS_FILE_IS_OFFLINE;
1354 /* Initilization my have been deferred because we were offline */
1355 if ( ! dom->initialized) {
1356 ret = idmap_ldap_db_init(dom);
1357 if ( ! NT_STATUS_IS_OK(ret)) {
1362 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1364 switch(map->xid.type) {
1366 type = get_attr_key2string(sidmap_attr_list,
1367 LDAP_ATTR_UIDNUMBER);
1371 type = get_attr_key2string(sidmap_attr_list,
1372 LDAP_ATTR_GIDNUMBER);
1376 return NT_STATUS_INVALID_PARAMETER;
1379 memctx = talloc_new(ctx);
1381 DEBUG(0, ("Out of memory!\n"));
1382 return NT_STATUS_NO_MEMORY;
1385 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1386 CHECK_ALLOC_DONE(id_str);
1388 sid = talloc_strdup(memctx, sid_string_static(map->sid));
1389 CHECK_ALLOC_DONE(sid);
1391 dn = talloc_asprintf(memctx, "%s=%s,%s",
1392 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1395 CHECK_ALLOC_DONE(dn);
1397 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1398 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1400 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
1401 entry, &mods, type, id_str);
1403 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1404 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1408 DEBUG(2, ("ERROR: No mods?\n"));
1409 ret = NT_STATUS_UNSUCCESSFUL;
1413 /* TODO: remove conflicting mappings! */
1415 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1417 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1419 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1420 ldap_mods_free(mods, True);
1422 if (rc != LDAP_SUCCESS) {
1423 char *ld_error = NULL;
1424 ldap_get_option(ctx->smbldap_state->ldap_struct,
1425 LDAP_OPT_ERROR_STRING, &ld_error);
1426 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
1427 "mapping [%s]\n", sid,
1428 (unsigned long)map->xid.id, type));
1429 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1430 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1432 ldap_memfree(ld_error);
1434 ret = NT_STATUS_UNSUCCESSFUL;
1438 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
1439 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
1444 talloc_free(memctx);
1448 /**********************************
1449 Close the idmap ldap instance
1450 **********************************/
1452 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1454 struct idmap_ldap_context *ctx;
1456 if (dom->private_data) {
1457 ctx = talloc_get_type(dom->private_data,
1458 struct idmap_ldap_context);
1461 dom->private_data = NULL;
1464 return NT_STATUS_OK;
1467 static struct idmap_methods idmap_ldap_methods = {
1469 .init = idmap_ldap_db_init,
1470 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1471 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1472 .set_mapping = idmap_ldap_set_mapping,
1473 .close_fn = idmap_ldap_close
1476 static struct idmap_alloc_methods idmap_ldap_alloc_methods = {
1478 .init = idmap_ldap_alloc_init,
1479 .allocate_id = idmap_ldap_allocate_id,
1480 .get_id_hwm = idmap_ldap_get_hwm,
1481 .set_id_hwm = idmap_ldap_set_hwm,
1482 .close_fn = idmap_ldap_alloc_close,
1483 /* .dump_data = TODO */
1486 NTSTATUS idmap_alloc_ldap_init(void)
1488 return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1489 &idmap_ldap_alloc_methods);
1492 NTSTATUS idmap_ldap_init(void)
1496 /* FIXME: bad hack to actually register also the alloc_ldap module
1497 * without changining configure.in */
1498 ret = idmap_alloc_ldap_init();
1499 if (! NT_STATUS_IS_OK(ret)) {
1502 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1503 &idmap_ldap_methods);
git.samba.org / amitay / samba.git / blob