2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
30 #define DBGC_CLASS DBGC_IDMAP
37 static char *idmap_fetch_secret(const char *backend, bool alloc,
38 const char *domain, const char *identity)
44 r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend);
46 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
52 strupper_m(tmp); /* make sure the key is case insensitive */
53 ret = secrets_fetch_generic(tmp, identity);
60 struct idmap_ldap_context {
61 struct smbldap_state *smbldap_state;
68 struct idmap_ldap_alloc_context {
69 struct smbldap_state *smbldap_state;
73 uid_t low_uid, high_uid; /* Range of uids */
74 gid_t low_gid, high_gid; /* Range of gids */
78 #define CHECK_ALLOC_DONE(mem) do { \
80 DEBUG(0, ("Out of memory!\n")); \
81 ret = NT_STATUS_NO_MEMORY; \
85 /**********************************************************************
86 IDMAP ALLOC TDB BACKEND
87 **********************************************************************/
89 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
91 /*********************************************************************
92 ********************************************************************/
94 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
95 struct smbldap_state *ldap_state,
96 const char *config_option,
97 struct idmap_domain *dom,
100 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
102 const char *tmp = NULL;
103 char *user_dn = NULL;
106 /* assume anonymous if we don't have a specified user */
108 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
112 /* only the alloc backend can pass in a NULL dom */
113 secret = idmap_fetch_secret("ldap", True,
116 secret = idmap_fetch_secret("ldap", False,
121 DEBUG(0, ("get_credentials: Unable to fetch "
122 "auth credentials for %s in %s\n",
123 tmp, (dom==NULL)?"ALLOC":dom->name));
124 ret = NT_STATUS_ACCESS_DENIED;
127 *dn = talloc_strdup(mem_ctx, tmp);
128 CHECK_ALLOC_DONE(*dn);
130 if (!fetch_ldap_pw(&user_dn, &secret)) {
131 DEBUG(2, ("get_credentials: Failed to lookup ldap "
132 "bind creds. Using anonymous connection.\n"));
136 *dn = talloc_strdup(mem_ctx, user_dn);
137 SAFE_FREE( user_dn );
138 CHECK_ALLOC_DONE(*dn);
142 smbldap_set_creds(ldap_state, anon, *dn, secret);
152 /**********************************************************************
153 Verify the sambaUnixIdPool entry in the directory.
154 **********************************************************************/
156 static NTSTATUS verify_idpool(void)
160 LDAPMessage *result = NULL;
161 LDAPMod **mods = NULL;
162 const char **attr_list;
167 if ( ! idmap_alloc_ldap) {
168 return NT_STATUS_UNSUCCESSFUL;
171 ctx = talloc_new(idmap_alloc_ldap);
173 DEBUG(0, ("Out of memory!\n"));
174 return NT_STATUS_NO_MEMORY;
177 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
178 CHECK_ALLOC_DONE(filter);
180 attr_list = get_attr_list(ctx, idpool_attr_list);
181 CHECK_ALLOC_DONE(attr_list);
183 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
184 idmap_alloc_ldap->suffix,
191 if (rc != LDAP_SUCCESS) {
192 DEBUG(1, ("Unable to verify the idpool, "
193 "cannot continue initialization!\n"));
194 return NT_STATUS_UNSUCCESSFUL;
197 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
200 ldap_msgfree(result);
203 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
204 filter, idmap_alloc_ldap->suffix));
205 ret = NT_STATUS_UNSUCCESSFUL;
208 else if (count == 0) {
209 char *uid_str, *gid_str;
211 uid_str = talloc_asprintf(ctx, "%lu",
212 (unsigned long)idmap_alloc_ldap->low_uid);
213 gid_str = talloc_asprintf(ctx, "%lu",
214 (unsigned long)idmap_alloc_ldap->low_gid);
216 smbldap_set_mod(&mods, LDAP_MOD_ADD,
217 "objectClass", LDAP_OBJ_IDPOOL);
218 smbldap_set_mod(&mods, LDAP_MOD_ADD,
219 get_attr_key2string(idpool_attr_list,
220 LDAP_ATTR_UIDNUMBER),
222 smbldap_set_mod(&mods, LDAP_MOD_ADD,
223 get_attr_key2string(idpool_attr_list,
224 LDAP_ATTR_GIDNUMBER),
227 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
228 idmap_alloc_ldap->suffix,
230 ldap_mods_free(mods, True);
232 ret = NT_STATUS_UNSUCCESSFUL;
237 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
243 /*****************************************************************************
244 Initialise idmap database.
245 *****************************************************************************/
247 static NTSTATUS idmap_ldap_alloc_init(const char *params)
249 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
256 /* Only do init if we are online */
257 if (idmap_is_offline()) {
258 return NT_STATUS_FILE_IS_OFFLINE;
261 idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
262 CHECK_ALLOC_DONE( idmap_alloc_ldap );
266 if (!lp_idmap_uid(&low_uid, &high_uid)
267 || !lp_idmap_gid(&low_gid, &high_gid)) {
268 DEBUG(1, ("idmap uid or idmap gid missing\n"));
269 ret = NT_STATUS_UNSUCCESSFUL;
273 idmap_alloc_ldap->low_uid = low_uid;
274 idmap_alloc_ldap->high_uid = high_uid;
275 idmap_alloc_ldap->low_gid = low_gid;
276 idmap_alloc_ldap->high_gid= high_gid;
278 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
279 DEBUG(1, ("idmap uid range invalid\n"));
280 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
281 ret = NT_STATUS_UNSUCCESSFUL;
285 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
286 DEBUG(1, ("idmap gid range invalid\n"));
287 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
288 ret = NT_STATUS_UNSUCCESSFUL;
292 if (params && *params) {
293 /* assume location is the only parameter */
294 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
296 tmp = lp_parm_const_string(-1, "idmap alloc config",
300 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
301 ret = NT_STATUS_UNSUCCESSFUL;
305 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
307 CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
309 trim_char(idmap_alloc_ldap->url, '\"', '\"');
311 tmp = lp_parm_const_string(-1, "idmap alloc config",
312 "ldap_base_dn", NULL);
313 if ( ! tmp || ! *tmp) {
314 tmp = lp_ldap_idmap_suffix();
316 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
317 ret = NT_STATUS_UNSUCCESSFUL;
322 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
323 CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
325 ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
326 idmap_alloc_ldap->url,
327 &idmap_alloc_ldap->smbldap_state);
328 if (!NT_STATUS_IS_OK(ret)) {
329 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
330 idmap_alloc_ldap->url));
334 ret = get_credentials( idmap_alloc_ldap,
335 idmap_alloc_ldap->smbldap_state,
336 "idmap alloc config", NULL,
337 &idmap_alloc_ldap->user_dn );
338 if ( !NT_STATUS_IS_OK(ret) ) {
339 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
340 "credentials (%s)\n", nt_errstr(ret)));
344 /* see if the idmap suffix and sub entries exists */
346 ret = verify_idpool();
349 if ( !NT_STATUS_IS_OK( ret ) )
350 TALLOC_FREE( idmap_alloc_ldap );
355 /********************************
356 Allocate a new uid or gid
357 ********************************/
359 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
362 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
363 int rc = LDAP_SERVER_DOWN;
365 LDAPMessage *result = NULL;
366 LDAPMessage *entry = NULL;
367 LDAPMod **mods = NULL;
371 const char *dn = NULL;
372 const char **attr_list;
375 /* Only do query if we are online */
376 if (idmap_is_offline()) {
377 return NT_STATUS_FILE_IS_OFFLINE;
380 if ( ! idmap_alloc_ldap) {
381 return NT_STATUS_UNSUCCESSFUL;
384 ctx = talloc_new(idmap_alloc_ldap);
386 DEBUG(0, ("Out of memory!\n"));
387 return NT_STATUS_NO_MEMORY;
394 type = get_attr_key2string(idpool_attr_list,
395 LDAP_ATTR_UIDNUMBER);
399 type = get_attr_key2string(idpool_attr_list,
400 LDAP_ATTR_GIDNUMBER);
404 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
405 return NT_STATUS_INVALID_PARAMETER;
408 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
409 CHECK_ALLOC_DONE(filter);
411 attr_list = get_attr_list(ctx, idpool_attr_list);
412 CHECK_ALLOC_DONE(attr_list);
414 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
416 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
417 idmap_alloc_ldap->suffix,
418 LDAP_SCOPE_SUBTREE, filter,
419 attr_list, 0, &result);
421 if (rc != LDAP_SUCCESS) {
422 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
426 talloc_autofree_ldapmsg(ctx, result);
428 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
431 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
435 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
438 dn = smbldap_talloc_dn(ctx,
439 idmap_alloc_ldap->smbldap_state->ldap_struct,
445 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
446 entry, type, ctx))) {
447 DEBUG(0,("%s attribute not found\n", type));
448 ret = NT_STATUS_UNSUCCESSFUL;
452 xid->id = strtoul(id_str, NULL, 10);
454 /* make sure we still have room to grow */
458 if (xid->id > idmap_alloc_ldap->high_uid) {
459 DEBUG(0,("Cannot allocate uid above %lu!\n",
460 (unsigned long)idmap_alloc_ldap->high_uid));
466 if (xid->id > idmap_alloc_ldap->high_gid) {
467 DEBUG(0,("Cannot allocate gid above %lu!\n",
468 (unsigned long)idmap_alloc_ldap->high_uid));
478 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
480 DEBUG(0,("Out of memory\n"));
481 ret = NT_STATUS_NO_MEMORY;
485 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
486 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
489 DEBUG(0,("smbldap_set_mod() failed.\n"));
493 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
494 id_str, new_id_str));
496 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
498 ldap_mods_free(mods, True);
500 if (rc != LDAP_SUCCESS) {
501 DEBUG(1,("Failed to allocate new %s. "
502 "smbldap_modify() failed.\n", type));
513 /**********************************
514 Close idmap ldap alloc
515 **********************************/
517 static NTSTATUS idmap_ldap_alloc_close(void)
519 if (idmap_alloc_ldap) {
520 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
521 DEBUG(5,("The connection to the LDAP server was closed\n"));
522 /* maybe free the results here --metze */
523 TALLOC_FREE(idmap_alloc_ldap);
529 /**********************************************************************
530 IDMAP MAPPING LDAP BACKEND
531 **********************************************************************/
533 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
535 smbldap_free_struct(&ctx->smbldap_state);
536 DEBUG(5,("The connection to the LDAP server was closed\n"));
537 /* maybe free the results here --metze */
542 /********************************
543 Initialise idmap database.
544 ********************************/
546 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
550 struct idmap_ldap_context *ctx = NULL;
551 char *config_option = NULL;
552 const char *tmp = NULL;
554 /* Only do init if we are online */
555 if (idmap_is_offline()) {
556 return NT_STATUS_FILE_IS_OFFLINE;
559 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
561 DEBUG(0, ("Out of memory!\n"));
562 return NT_STATUS_NO_MEMORY;
565 if (strequal(dom->name, "*")) {
566 /* more specific configuration can go here */
568 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
569 if ( ! config_option) {
570 DEBUG(0, ("Out of memory!\n"));
571 ret = NT_STATUS_NO_MEMORY;
576 if (params != NULL) {
577 /* assume location is the only parameter */
578 ctx->url = talloc_strdup(ctx, params);
580 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
583 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
584 ret = NT_STATUS_UNSUCCESSFUL;
588 ctx->url = talloc_strdup(ctx, tmp);
590 CHECK_ALLOC_DONE(ctx->url);
592 trim_char(ctx->url, '\"', '\"');
594 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
595 if ( ! tmp || ! *tmp) {
596 tmp = lp_ldap_idmap_suffix();
598 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
599 ret = NT_STATUS_UNSUCCESSFUL;
604 ctx->suffix = talloc_strdup(ctx, tmp);
605 CHECK_ALLOC_DONE(ctx->suffix);
607 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
608 &ctx->smbldap_state);
609 if (!NT_STATUS_IS_OK(ret)) {
610 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
614 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
615 dom, &ctx->user_dn );
616 if ( !NT_STATUS_IS_OK(ret) ) {
617 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
618 "credentials (%s)\n", nt_errstr(ret)));
622 /* set the destructor on the context, so that resource are properly
623 freed if the contexts is released */
625 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
627 dom->private_data = ctx;
629 talloc_free(config_option);
638 /* max number of ids requested per batch query */
639 #define IDMAP_LDAP_MAX_IDS 30
641 /**********************************
642 lookup a set of unix ids.
643 **********************************/
645 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
646 * in maps for a match */
647 static struct id_map *find_map_by_id(struct id_map **maps,
653 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
654 if (maps[i] == NULL) { /* end of the run */
657 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
665 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
670 struct idmap_ldap_context *ctx;
671 LDAPMessage *result = NULL;
672 LDAPMessage *entry = NULL;
673 const char *uidNumber;
674 const char *gidNumber;
675 const char **attr_list;
684 /* Only do query if we are online */
685 if (idmap_is_offline()) {
686 return NT_STATUS_FILE_IS_OFFLINE;
689 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
691 memctx = talloc_new(ctx);
693 DEBUG(0, ("Out of memory!\n"));
694 return NT_STATUS_NO_MEMORY;
697 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
698 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
700 attr_list = get_attr_list(memctx, sidmap_attr_list);
703 /* if we are requested just one mapping use the simple filter */
705 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
706 LDAP_OBJ_IDMAP_ENTRY,
707 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
708 (unsigned long)ids[0]->xid.id);
709 CHECK_ALLOC_DONE(filter);
710 DEBUG(10, ("Filter: [%s]\n", filter));
712 /* multiple mappings */
716 for (i = 0; ids[i]; i++) {
717 ids[i]->status = ID_UNKNOWN;
724 filter = talloc_asprintf(memctx,
725 "(&(objectClass=%s)(|",
726 LDAP_OBJ_IDMAP_ENTRY);
727 CHECK_ALLOC_DONE(filter);
730 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
731 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
732 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
733 (unsigned long)ids[idx]->xid.id);
734 CHECK_ALLOC_DONE(filter);
736 filter = talloc_asprintf_append_buffer(filter, "))");
737 CHECK_ALLOC_DONE(filter);
738 DEBUG(10, ("Filter: [%s]\n", filter));
744 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
745 filter, attr_list, 0, &result);
747 if (rc != LDAP_SUCCESS) {
748 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
749 ret = NT_STATUS_UNSUCCESSFUL;
753 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
756 DEBUG(10, ("NO SIDs found\n"));
759 for (i = 0; i < count; i++) {
766 if (i == 0) { /* first entry */
767 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
769 } else { /* following ones */
770 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
774 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
779 /* first check if the SID is present */
780 sidstr = smbldap_talloc_single_attribute(
781 ctx->smbldap_state->ldap_struct,
782 entry, LDAP_ATTRIBUTE_SID, memctx);
783 if ( ! sidstr) { /* no sid, skip entry */
784 DEBUG(2, ("WARNING SID not found on entry\n"));
788 /* now try to see if it is a uid, if not try with a gid
789 * (gid is more common, but in case both uidNumber and
790 * gidNumber are returned the SID is mapped to the uid
793 tmp = smbldap_talloc_single_attribute(
794 ctx->smbldap_state->ldap_struct,
795 entry, uidNumber, memctx);
798 tmp = smbldap_talloc_single_attribute(
799 ctx->smbldap_state->ldap_struct,
800 entry, gidNumber, memctx);
802 if ( ! tmp) { /* wow very strange entry, how did it match ? */
803 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
804 "nor gidNumber returned\n", sidstr));
809 id = strtoul(tmp, NULL, 10);
810 if (!idmap_unix_id_is_in_range(id, dom)) {
811 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
813 dom->low_id, dom->high_id));
820 map = find_map_by_id(&ids[bidx], type, id);
822 DEBUG(2, ("WARNING: couldn't match sid (%s) "
823 "with requested ids\n", sidstr));
828 if ( ! string_to_sid(map->sid, sidstr)) {
829 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
834 if (map->status == ID_MAPPED) {
835 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
836 "overwriting mapping %u -> %s with %u -> %s\n",
837 (type == ID_TYPE_UID) ? "UID" : "GID",
838 id, sid_string_dbg(map->sid), id, sidstr));
844 map->status = ID_MAPPED;
846 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
847 (unsigned long)map->xid.id, map->xid.type));
850 /* free the ldap results */
852 ldap_msgfree(result);
856 if (multi && ids[idx]) { /* still some values to map */
862 /* mark all unknwon/expired ones as unmapped */
863 for (i = 0; ids[i]; i++) {
864 if (ids[i]->status != ID_MAPPED)
865 ids[i]->status = ID_UNMAPPED;
873 /**********************************
874 lookup a set of sids.
875 **********************************/
877 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
878 * in maps for a match */
879 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
883 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
884 if (maps[i] == NULL) { /* end of the run */
887 if (sid_equal(maps[i]->sid, sid)) {
895 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
898 LDAPMessage *entry = NULL;
901 struct idmap_ldap_context *ctx;
902 LDAPMessage *result = NULL;
903 const char *uidNumber;
904 const char *gidNumber;
905 const char **attr_list;
914 /* Only do query if we are online */
915 if (idmap_is_offline()) {
916 return NT_STATUS_FILE_IS_OFFLINE;
919 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
921 memctx = talloc_new(ctx);
923 DEBUG(0, ("Out of memory!\n"));
924 return NT_STATUS_NO_MEMORY;
927 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
928 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
930 attr_list = get_attr_list(memctx, sidmap_attr_list);
933 /* if we are requested just one mapping use the simple filter */
935 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
936 LDAP_OBJ_IDMAP_ENTRY,
938 sid_string_talloc(memctx, ids[0]->sid));
939 CHECK_ALLOC_DONE(filter);
940 DEBUG(10, ("Filter: [%s]\n", filter));
942 /* multiple mappings */
946 for (i = 0; ids[i]; i++) {
947 ids[i]->status = ID_UNKNOWN;
954 filter = talloc_asprintf(memctx,
955 "(&(objectClass=%s)(|",
956 LDAP_OBJ_IDMAP_ENTRY);
957 CHECK_ALLOC_DONE(filter);
960 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
961 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
963 sid_string_talloc(memctx,
965 CHECK_ALLOC_DONE(filter);
967 filter = talloc_asprintf_append_buffer(filter, "))");
968 CHECK_ALLOC_DONE(filter);
969 DEBUG(10, ("Filter: [%s]", filter));
975 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
976 filter, attr_list, 0, &result);
978 if (rc != LDAP_SUCCESS) {
979 DEBUG(3,("Failure looking up sids (%s)\n",
980 ldap_err2string(rc)));
981 ret = NT_STATUS_UNSUCCESSFUL;
985 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
988 DEBUG(10, ("NO SIDs found\n"));
991 for (i = 0; i < count; i++) {
999 if (i == 0) { /* first entry */
1000 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1002 } else { /* following ones */
1003 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1007 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1012 /* first check if the SID is present */
1013 sidstr = smbldap_talloc_single_attribute(
1014 ctx->smbldap_state->ldap_struct,
1015 entry, LDAP_ATTRIBUTE_SID, memctx);
1016 if ( ! sidstr) { /* no sid ??, skip entry */
1017 DEBUG(2, ("WARNING SID not found on entry\n"));
1021 if ( ! string_to_sid(&sid, sidstr)) {
1022 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1023 TALLOC_FREE(sidstr);
1027 map = find_map_by_sid(&ids[bidx], &sid);
1029 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1031 TALLOC_FREE(sidstr);
1035 /* now try to see if it is a uid, if not try with a gid
1036 * (gid is more common, but in case both uidNumber and
1037 * gidNumber are returned the SID is mapped to the uid
1040 tmp = smbldap_talloc_single_attribute(
1041 ctx->smbldap_state->ldap_struct,
1042 entry, uidNumber, memctx);
1045 tmp = smbldap_talloc_single_attribute(
1046 ctx->smbldap_state->ldap_struct,
1047 entry, gidNumber, memctx);
1049 if ( ! tmp) { /* no ids ?? */
1050 DEBUG(5, ("no uidNumber, "
1051 "nor gidNumber attributes found\n"));
1052 TALLOC_FREE(sidstr);
1056 id = strtoul(tmp, NULL, 10);
1057 if (!idmap_unix_id_is_in_range(id, dom)) {
1058 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1060 dom->low_id, dom->high_id));
1061 TALLOC_FREE(sidstr);
1067 if (map->status == ID_MAPPED) {
1068 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1069 "overwriting mapping %s -> %u with %s -> %u\n",
1070 (type == ID_TYPE_UID) ? "UID" : "GID",
1071 sidstr, map->xid.id, sidstr, id));
1074 TALLOC_FREE(sidstr);
1077 map->xid.type = type;
1079 map->status = ID_MAPPED;
1081 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1082 (unsigned long)map->xid.id, map->xid.type));
1085 /* free the ldap results */
1087 ldap_msgfree(result);
1091 if (multi && ids[idx]) { /* still some values to map */
1097 /* mark all unknwon/expired ones as unmapped */
1098 for (i = 0; ids[i]; i++) {
1099 if (ids[i]->status != ID_MAPPED)
1100 ids[i]->status = ID_UNMAPPED;
1104 talloc_free(memctx);
1108 /**********************************
1110 **********************************/
1112 /* TODO: change this: This function cannot be called to modify a mapping,
1113 * only set a new one */
1115 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
1116 const struct id_map *map)
1120 struct idmap_ldap_context *ctx;
1121 LDAPMessage *entry = NULL;
1122 LDAPMod **mods = NULL;
1129 /* Only do query if we are online */
1130 if (idmap_is_offline()) {
1131 return NT_STATUS_FILE_IS_OFFLINE;
1134 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1136 switch(map->xid.type) {
1138 type = get_attr_key2string(sidmap_attr_list,
1139 LDAP_ATTR_UIDNUMBER);
1143 type = get_attr_key2string(sidmap_attr_list,
1144 LDAP_ATTR_GIDNUMBER);
1148 return NT_STATUS_INVALID_PARAMETER;
1151 memctx = talloc_new(ctx);
1153 DEBUG(0, ("Out of memory!\n"));
1154 return NT_STATUS_NO_MEMORY;
1157 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1158 CHECK_ALLOC_DONE(id_str);
1160 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
1161 CHECK_ALLOC_DONE(sid);
1163 dn = talloc_asprintf(memctx, "%s=%s,%s",
1164 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1167 CHECK_ALLOC_DONE(dn);
1169 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1170 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1172 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
1173 entry, &mods, type, id_str);
1175 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1176 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1180 DEBUG(2, ("ERROR: No mods?\n"));
1181 ret = NT_STATUS_UNSUCCESSFUL;
1185 /* TODO: remove conflicting mappings! */
1187 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1189 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1191 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1192 ldap_mods_free(mods, True);
1194 if (rc != LDAP_SUCCESS) {
1195 char *ld_error = NULL;
1196 ldap_get_option(ctx->smbldap_state->ldap_struct,
1197 LDAP_OPT_ERROR_STRING, &ld_error);
1198 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
1199 "mapping [%s]\n", sid,
1200 (unsigned long)map->xid.id, type));
1201 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1202 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1204 ldap_memfree(ld_error);
1206 ret = NT_STATUS_UNSUCCESSFUL;
1210 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
1211 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
1216 talloc_free(memctx);
1220 /**********************************
1221 Close the idmap ldap instance
1222 **********************************/
1224 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1226 struct idmap_ldap_context *ctx;
1228 if (dom->private_data) {
1229 ctx = talloc_get_type(dom->private_data,
1230 struct idmap_ldap_context);
1233 dom->private_data = NULL;
1236 return NT_STATUS_OK;
1239 static struct idmap_methods idmap_ldap_methods = {
1241 .init = idmap_ldap_db_init,
1242 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1243 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1244 .allocate_id = idmap_ldap_get_new_id,
1245 .close_fn = idmap_ldap_close
1248 NTSTATUS idmap_ldap_init(void);
1249 NTSTATUS idmap_ldap_init(void)
1251 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1252 &idmap_ldap_methods);