#include "includes.h"
#include "winbindd.h"
+#include "secrets.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_IDMAP
DEBUG(2, ("get_credentials: Failed to lookup ldap "
"bind creds. Using anonymous connection.\n"));
anon = True;
+ *dn = NULL;
} else {
*dn = talloc_strdup(mem_ctx, user_dn);
SAFE_FREE( user_dn );
}
CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
+ trim_char(idmap_alloc_ldap->url, '\"', '\"');
+
tmp = lp_parm_const_string(-1, "idmap alloc config",
"ldap_base_dn", NULL);
if ( ! tmp || ! *tmp) {
if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
entry, type, ctx))) {
DEBUG(0,("%s attribute not found\n", type));
- goto done;
- }
- if ( ! id_str) {
- DEBUG(0,("Out of memory\n"));
- ret = NT_STATUS_NO_MEMORY;
+ ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
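Review bot: With the dead `if ( ! id_str)` branch gone, the single NULL return from smbldap_talloc_single_attribute at L20 now covers both a missing attribute and a talloc failure, yet the message at L22 and the NT_STATUS_UNSUCCESSFUL set at L28 describe only the former. If the helper lets callers tell the two apart, keep NT_STATUS_NO_MEMORY for the allocation path; if it does not, a comment such as `/* NULL here means attribute missing or talloc failure */` saves the next reader the same question. The enclosing function and its done: label lie outside the hunk.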
CHECK_ALLOC_DONE(attr_list);
rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
- idmap_alloc_ldap->suffix,
- LDAP_SCOPE_SUBTREE, filter,
- attr_list, 0, &result);
+ idmap_alloc_ldap->suffix,
+ LDAP_SCOPE_SUBTREE, filter,
+ attr_list, 0, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
NTSTATUS ret;
struct idmap_ldap_context *ctx = NULL;
char *config_option = NULL;
- const char *range = NULL;
const char *tmp = NULL;
/* Only do init if we are online */
return NT_STATUS_NO_MEMORY;
}
- config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
- if ( ! config_option) {
- DEBUG(0, ("Out of memory!\n"));
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
+ if (strequal(dom->name, "*")) {
+ uid_t low_uid = 0;
+ uid_t high_uid = 0;
+ gid_t low_gid = 0;
+ gid_t high_gid = 0;
- /* load ranges */
- range = lp_parm_const_string(-1, config_option, "range", NULL);
- if (range && range[0]) {
- if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
- &ctx->filter_high_id) != 2) ||
- (ctx->filter_low_id > ctx->filter_high_id)) {
- DEBUG(1, ("ERROR: invalid filter range [%s]", range));
- ctx->filter_low_id = 0;
- ctx->filter_high_id = 0;
+ ctx->filter_low_id = 0;
+ ctx->filter_high_id = 0;
+
+ if (lp_idmap_uid(&low_uid, &high_uid)) {
+ ctx->filter_low_id = low_uid;
+ ctx->filter_high_id = high_uid;
+ } else {
+ DEBUG(3, ("Warning: 'idmap uid' not set!\n"));
+ }
+
+ if (lp_idmap_gid(&low_gid, &high_gid)) {
+ if ((low_gid != low_uid) || (high_gid != high_uid)) {
+ DEBUG(1, ("Warning: 'idmap uid' and 'idmap gid'"
+ " ranges do not agree -- building "
+ "intersection\n"));
+ ctx->filter_low_id = MAX(ctx->filter_low_id,
+ low_gid);
+ ctx->filter_high_id = MIN(ctx->filter_high_id,
+ high_gid);
+ }
+ } else {
+ DEBUG(3, ("Warning: 'idmap gid' not set!\n"));
+ }
+ } else {
+ const char *range = NULL;
+
+ config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
+ if ( ! config_option) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
}
+
+ /* load ranges */
+ range = lp_parm_const_string(-1, config_option, "range", NULL);
+ if (range && range[0]) {
+ if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
+ &ctx->filter_high_id) != 2))
+ {
+ DEBUG(1, ("ERROR: invalid filter range [%s]", range));
+ ctx->filter_low_id = 0;
+ ctx->filter_high_id = 0;
+ }
+ }
+ }
+
+ if (ctx->filter_low_id > ctx->filter_high_id) {
+ DEBUG(1, ("ERROR: invalid filter range [%u-%u]",
+ ctx->filter_low_id, ctx->filter_high_id));
+ ctx->filter_low_id = 0;
+ ctx->filter_high_id = 0;
}
if (params != NULL) {
}
CHECK_ALLOC_DONE(ctx->url);
- tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
- if ( ! tmp || ! *tmp) {
- tmp = lp_ldap_idmap_suffix();
- if ( ! tmp) {
- DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
- ret = NT_STATUS_UNSUCCESSFUL;
- goto done;
+ trim_char(ctx->url, '\"', '\"');
+
+ tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
+ if ( ! tmp || ! *tmp) {
+ tmp = lp_ldap_idmap_suffix();
+ if ( ! tmp) {
+ DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
}
- }
+ }
ctx->suffix = talloc_strdup(ctx, tmp);
CHECK_ALLOC_DONE(ctx->suffix);
goto done;
}
- ret = get_credentials( ctx, ctx->smbldap_state, config_option,
+ ret = get_credentials( ctx, ctx->smbldap_state, config_option,
dom, &ctx->user_dn );
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
for (i = 0; i < count; i++) {
char *sidstr = NULL;
- char *tmp = NULL;
+ char *tmp = NULL;
enum id_type type;
struct id_map *map;
uint32_t id;
/* this function searches up to IDMAP_LDAP_MAX_IDS entries
* in maps for a match */
-static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
+static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
{
int i;
static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
struct id_map **ids)
{
- LDAPMessage *entry = NULL;
+ LDAPMessage *entry = NULL;
NTSTATUS ret;
TALLOC_CTX *memctx;
struct idmap_ldap_context *ctx;
char *tmp = NULL;
enum id_type type;
struct id_map *map;
- DOM_SID sid;
+ struct dom_sid sid;
uint32_t id;
if (i == 0) { /* first entry */
continue;
}
- TALLOC_FREE(sidstr);
-
/* now try to see if it is a uid, if not try with a gid
* (gid is more common, but in case both uidNumber and
* gidNumber are returned the SID is mapped to the uid
if ( ! tmp) { /* no ids ?? */
DEBUG(5, ("no uidNumber, "
"nor gidNumber attributes found\n"));
+ TALLOC_FREE(sidstr);
continue;
}
DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
"Filtered!\n", id,
ctx->filter_low_id, ctx->filter_high_id));
+ TALLOC_FREE(sidstr);
TALLOC_FREE(tmp);
continue;
}
TALLOC_FREE(tmp);
+ if (map->status == ID_MAPPED) {
+ DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
+ "overwriting mapping %s -> %u with %s -> %u\n",
+ (type == ID_TYPE_UID) ? "UID" : "GID",
+ sidstr, map->xid.id, sidstr, id));
+ }
+
+ TALLOC_FREE(sidstr);
+
/* mapped */
map->xid.type = type;
map->xid.id = id;
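Review bot: The duplicate-mapping case at L201-L206 logs the collision but still lets the later LDAP entry overwrite the earlier one at L211-L212, so which unix id a SID resolves to depends on the order in which the directory happens to return entries. Because these mappings feed authorisation decisions, consider treating an ambiguous entry as an error rather than a warning: skip the overwrite with `TALLOC_FREE(sidstr); continue;` after the DEBUG and log at level 0, or at minimum drop the second `sidstr` from the format since it prints the same SID twice and identifies neither LDAP entry. Also, `TALLOC_FREE(sidstr)` moved from L182 down to L208, so any other `continue` between the first-entry check and L208 that lies outside this hunk must now free sidstr as well; the loop body starts outside the hunk.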
.get_id_hwm = idmap_ldap_get_hwm,
.set_id_hwm = idmap_ldap_set_hwm,
.close_fn = idmap_ldap_alloc_close,
- /* .dump_data = TODO */
};
static NTSTATUS idmap_alloc_ldap_init(void)