2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
30 #define DBGC_CLASS DBGC_IDMAP
37 struct idmap_ldap_context {
38 struct smbldap_state *smbldap_state;
42 uint32_t filter_low_id, filter_high_id; /* Filter range */
46 struct idmap_ldap_alloc_context {
47 struct smbldap_state *smbldap_state;
51 uid_t low_uid, high_uid; /* Range of uids */
52 gid_t low_gid, high_gid; /* Range of gids */
56 #define CHECK_ALLOC_DONE(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while (0)
58 /**********************************************************************
59 IDMAP ALLOC TDB BACKEND
60 **********************************************************************/
62 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
64 /*********************************************************************
65 ********************************************************************/
67 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
68 struct smbldap_state *ldap_state,
69 const char *config_option,
70 struct idmap_domain *dom,
73 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
76 const char *tmp = NULL;
78 /* assume anonymous if we don't have a specified user */
80 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
83 secret = idmap_fetch_secret("ldap", false, dom->name, tmp);
85 DEBUG(0, ("get_credentials: Unable to fetch "
86 "auth credentials for %s in %s\n",
88 ret = NT_STATUS_ACCESS_DENIED;
91 *dn = talloc_strdup(mem_ctx, tmp);
92 CHECK_ALLOC_DONE(*dn);
94 if ( !fetch_ldap_pw( &user_dn, &secret ) ) {
95 DEBUG(2, ("get_credentials: Failed to lookup ldap "
96 "bind creds. Using anonymous connection.\n"));
97 *dn = talloc_strdup( mem_ctx, "" );
99 *dn = talloc_strdup(mem_ctx, user_dn);
100 SAFE_FREE( user_dn );
101 CHECK_ALLOC_DONE(*dn);
105 smbldap_set_creds(ldap_state, false, *dn, secret);
115 /**********************************************************************
116 Verify the sambaUnixIdPool entry in the directory.
117 **********************************************************************/
119 static NTSTATUS verify_idpool(void)
123 LDAPMessage *result = NULL;
124 LDAPMod **mods = NULL;
125 const char **attr_list;
130 if ( ! idmap_alloc_ldap) {
131 return NT_STATUS_UNSUCCESSFUL;
134 ctx = talloc_new(idmap_alloc_ldap);
136 DEBUG(0, ("Out of memory!\n"));
137 return NT_STATUS_NO_MEMORY;
140 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
141 CHECK_ALLOC_DONE(filter);
143 attr_list = get_attr_list(ctx, idpool_attr_list);
144 CHECK_ALLOC_DONE(attr_list);
146 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
147 idmap_alloc_ldap->suffix,
154 if (rc != LDAP_SUCCESS) {
155 DEBUG(1, ("Unable to verify the idpool, cannot continue initialization!\n"));
156 return NT_STATUS_UNSUCCESSFUL;
159 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
161 ldap_msgfree(result);
164 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
165 filter, idmap_alloc_ldap->suffix));
166 ret = NT_STATUS_UNSUCCESSFUL;
169 else if (count == 0) {
170 char *uid_str, *gid_str;
172 uid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_uid);
173 gid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_gid);
175 smbldap_set_mod(&mods, LDAP_MOD_ADD,
176 "objectClass", LDAP_OBJ_IDPOOL);
177 smbldap_set_mod(&mods, LDAP_MOD_ADD,
178 get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER),
180 smbldap_set_mod(&mods, LDAP_MOD_ADD,
181 get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER),
184 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
185 idmap_alloc_ldap->suffix,
187 ldap_mods_free(mods, True);
189 ret = NT_STATUS_UNSUCCESSFUL;
194 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
200 /*****************************************************************************
201 Initialise idmap database.
202 *****************************************************************************/
204 static NTSTATUS idmap_ldap_alloc_init(const char *params)
206 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
214 /* Only do init if we are online */
215 if (idmap_is_offline()) {
216 return NT_STATUS_FILE_IS_OFFLINE;
219 idmap_alloc_ldap = talloc_zero(NULL, struct idmap_ldap_alloc_context);
220 CHECK_ALLOC_DONE( idmap_alloc_ldap );
224 idmap_alloc_ldap->low_uid = 0;
225 idmap_alloc_ldap->high_uid = 0;
226 idmap_alloc_ldap->low_gid = 0;
227 idmap_alloc_ldap->high_gid = 0;
229 range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
230 if (range && range[0]) {
231 unsigned low_id, high_id;
233 if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
234 if (low_id < high_id) {
235 idmap_alloc_ldap->low_gid = idmap_alloc_ldap->low_uid = low_id;
236 idmap_alloc_ldap->high_gid = idmap_alloc_ldap->high_uid = high_id;
238 DEBUG(1, ("ERROR: invalid idmap alloc range [%s]", range));
241 DEBUG(1, ("ERROR: invalid syntax for idmap alloc config:range [%s]", range));
245 if (lp_idmap_uid(&low_uid, &high_uid)) {
246 idmap_alloc_ldap->low_uid = low_uid;
247 idmap_alloc_ldap->high_uid = high_uid;
250 if (lp_idmap_gid(&low_gid, &high_gid)) {
251 idmap_alloc_ldap->low_gid = low_gid;
252 idmap_alloc_ldap->high_gid= high_gid;
255 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
256 DEBUG(1, ("idmap uid range missing or invalid\n"));
257 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
258 ret = NT_STATUS_UNSUCCESSFUL;
262 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
263 DEBUG(1, ("idmap gid range missing or invalid\n"));
264 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
265 ret = NT_STATUS_UNSUCCESSFUL;
269 if (params && *params) {
270 /* assume location is the only parameter */
271 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
273 tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_url", NULL);
276 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
277 ret = NT_STATUS_UNSUCCESSFUL;
281 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
283 CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
285 tmp = lp_ldap_idmap_suffix();
286 if ( ! tmp || ! *tmp) {
287 tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_base_dn", NULL);
290 tmp = lp_ldap_suffix();
292 DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
293 DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
296 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
297 ret = NT_STATUS_UNSUCCESSFUL;
302 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
303 CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
305 ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
306 idmap_alloc_ldap->url,
307 &idmap_alloc_ldap->smbldap_state);
308 if (!NT_STATUS_IS_OK(ret)) {
309 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
310 idmap_alloc_ldap->url));
314 ret = get_credentials( idmap_alloc_ldap,
315 idmap_alloc_ldap->smbldap_state,
316 "idmap alloc config", NULL,
317 &idmap_alloc_ldap->user_dn );
318 if ( !NT_STATUS_IS_OK(ret) ) {
319 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
320 "credentials (%s)\n", nt_errstr(ret)));
324 /* see if the idmap suffix and sub entries exists */
326 ret = verify_idpool();
329 if ( !NT_STATUS_IS_OK( ret ) )
330 TALLOC_FREE( idmap_alloc_ldap );
335 /********************************
336 Allocate a new uid or gid
337 ********************************/
339 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
342 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
343 int rc = LDAP_SERVER_DOWN;
345 LDAPMessage *result = NULL;
346 LDAPMessage *entry = NULL;
347 LDAPMod **mods = NULL;
351 const char *dn = NULL;
352 const char **attr_list;
355 /* Only do query if we are online */
356 if (idmap_is_offline()) {
357 return NT_STATUS_FILE_IS_OFFLINE;
360 if ( ! idmap_alloc_ldap) {
361 return NT_STATUS_UNSUCCESSFUL;
364 ctx = talloc_new(idmap_alloc_ldap);
366 DEBUG(0, ("Out of memory!\n"));
367 return NT_STATUS_NO_MEMORY;
374 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
378 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
382 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
383 return NT_STATUS_INVALID_PARAMETER;
386 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
387 CHECK_ALLOC_DONE(filter);
389 attr_list = get_attr_list(ctx, idpool_attr_list);
390 CHECK_ALLOC_DONE(attr_list);
392 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
394 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
395 idmap_alloc_ldap->suffix,
396 LDAP_SCOPE_SUBTREE, filter,
397 attr_list, 0, &result);
399 if (rc != LDAP_SUCCESS) {
400 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
404 talloc_autofree_ldapmsg(ctx, result);
406 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
408 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
412 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
414 dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
419 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
420 entry, type, ctx))) {
421 DEBUG(0,("%s attribute not found\n", type));
425 DEBUG(0,("Out of memory\n"));
426 ret = NT_STATUS_NO_MEMORY;
430 xid->id = strtoul(id_str, NULL, 10);
432 /* make sure we still have room to grow */
436 if (xid->id > idmap_alloc_ldap->high_uid) {
437 DEBUG(0,("Cannot allocate uid above %lu!\n",
438 (unsigned long)idmap_alloc_ldap->high_uid));
444 if (xid->id > idmap_alloc_ldap->high_gid) {
445 DEBUG(0,("Cannot allocate gid above %lu!\n",
446 (unsigned long)idmap_alloc_ldap->high_uid));
456 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
458 DEBUG(0,("Out of memory\n"));
459 ret = NT_STATUS_NO_MEMORY;
463 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
464 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
467 DEBUG(0,("smbldap_set_mod() failed.\n"));
471 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n", id_str, new_id_str));
473 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
475 ldap_mods_free(mods, True);
477 if (rc != LDAP_SUCCESS) {
478 DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
489 /**********************************
490 Get current highest id.
491 **********************************/
493 static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
496 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
497 int rc = LDAP_SERVER_DOWN;
499 LDAPMessage *result = NULL;
500 LDAPMessage *entry = NULL;
503 const char **attr_list;
506 /* Only do query if we are online */
507 if (idmap_is_offline()) {
508 return NT_STATUS_FILE_IS_OFFLINE;
511 if ( ! idmap_alloc_ldap) {
512 return NT_STATUS_UNSUCCESSFUL;
515 memctx = talloc_new(idmap_alloc_ldap);
517 DEBUG(0, ("Out of memory!\n"));
518 return NT_STATUS_NO_MEMORY;
525 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
529 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
533 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
534 return NT_STATUS_INVALID_PARAMETER;
537 filter = talloc_asprintf(memctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
538 CHECK_ALLOC_DONE(filter);
540 attr_list = get_attr_list(memctx, idpool_attr_list);
541 CHECK_ALLOC_DONE(attr_list);
543 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
544 idmap_alloc_ldap->suffix,
545 LDAP_SCOPE_SUBTREE, filter,
546 attr_list, 0, &result);
548 if (rc != LDAP_SUCCESS) {
549 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
553 talloc_autofree_ldapmsg(memctx, result);
555 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
557 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
561 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
563 id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
564 entry, type, memctx);
566 DEBUG(0,("%s attribute not found\n", type));
570 DEBUG(0,("Out of memory\n"));
571 ret = NT_STATUS_NO_MEMORY;
575 xid->id = strtoul(id_str, NULL, 10);
582 /**********************************
584 **********************************/
586 static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
589 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
590 int rc = LDAP_SERVER_DOWN;
592 LDAPMessage *result = NULL;
593 LDAPMessage *entry = NULL;
594 LDAPMod **mods = NULL;
597 const char *dn = NULL;
598 const char **attr_list;
601 /* Only do query if we are online */
602 if (idmap_is_offline()) {
603 return NT_STATUS_FILE_IS_OFFLINE;
606 if ( ! idmap_alloc_ldap) {
607 return NT_STATUS_UNSUCCESSFUL;
610 ctx = talloc_new(idmap_alloc_ldap);
612 DEBUG(0, ("Out of memory!\n"));
613 return NT_STATUS_NO_MEMORY;
620 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
624 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
628 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
629 return NT_STATUS_INVALID_PARAMETER;
632 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
633 CHECK_ALLOC_DONE(filter);
635 attr_list = get_attr_list(ctx, idpool_attr_list);
636 CHECK_ALLOC_DONE(attr_list);
638 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
639 idmap_alloc_ldap->suffix,
640 LDAP_SCOPE_SUBTREE, filter,
641 attr_list, 0, &result);
643 if (rc != LDAP_SUCCESS) {
644 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
648 talloc_autofree_ldapmsg(ctx, result);
650 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
652 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
656 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
658 dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
663 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id);
665 DEBUG(0,("Out of memory\n"));
666 ret = NT_STATUS_NO_MEMORY;
670 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str);
673 DEBUG(0,("smbldap_set_mod() failed.\n"));
677 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
679 ldap_mods_free(mods, True);
681 if (rc != LDAP_SUCCESS) {
682 DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
693 /**********************************
694 Close idmap ldap alloc
695 **********************************/
697 static NTSTATUS idmap_ldap_alloc_close(void)
699 if (idmap_alloc_ldap) {
700 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
701 DEBUG(5,("The connection to the LDAP server was closed\n"));
702 /* maybe free the results here --metze */
703 TALLOC_FREE(idmap_alloc_ldap);
709 /**********************************************************************
710 IDMAP MAPPING LDAP BACKEND
711 **********************************************************************/
713 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
715 smbldap_free_struct(&ctx->smbldap_state);
716 DEBUG(5,("The connection to the LDAP server was closed\n"));
717 /* maybe free the results here --metze */
722 /********************************
723 Initialise idmap database.
724 ********************************/
726 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
729 struct idmap_ldap_context *ctx = NULL;
730 char *config_option = NULL;
731 const char *range = NULL;
732 const char *tmp = NULL;
734 /* Only do init if we are online */
735 if (idmap_is_offline()) {
736 return NT_STATUS_FILE_IS_OFFLINE;
739 ctx = talloc_zero(dom, struct idmap_ldap_context);
741 DEBUG(0, ("Out of memory!\n"));
742 return NT_STATUS_NO_MEMORY;
745 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
746 if ( ! config_option) {
747 DEBUG(0, ("Out of memory!\n"));
748 ret = NT_STATUS_NO_MEMORY;
753 range = lp_parm_const_string(-1, config_option, "range", NULL);
754 if (range && range[0]) {
755 if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
756 (ctx->filter_low_id > ctx->filter_high_id)) {
757 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
758 ctx->filter_low_id = 0;
759 ctx->filter_high_id = 0;
763 if (dom->params && *(dom->params)) {
764 /* assume location is the only parameter */
765 ctx->url = talloc_strdup(ctx, dom->params);
767 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
770 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
771 ret = NT_STATUS_UNSUCCESSFUL;
775 ctx->url = talloc_strdup(ctx, tmp);
777 CHECK_ALLOC_DONE(ctx->url);
779 tmp = lp_ldap_idmap_suffix();
780 if ( ! tmp || ! *tmp) {
781 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
784 tmp = lp_ldap_suffix();
786 DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
787 DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
789 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
790 ret = NT_STATUS_UNSUCCESSFUL;
794 ctx->suffix = talloc_strdup(ctx, tmp);
795 CHECK_ALLOC_DONE(ctx->suffix);
797 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
798 &ctx->smbldap_state);
799 if (!NT_STATUS_IS_OK(ret)) {
800 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
804 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
805 dom, &ctx->user_dn );
806 if ( !NT_STATUS_IS_OK(ret) ) {
807 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
808 "credentials (%s)\n", nt_errstr(ret)));
812 /* set the destructor on the context, so that resource are properly
813 freed if the contexts is released */
815 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
817 dom->private_data = ctx;
819 talloc_free(config_option);
828 /* max number of ids requested per batch query */
829 #define IDMAP_LDAP_MAX_IDS 30
831 /**********************************
832 lookup a set of unix ids.
833 **********************************/
835 /* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
836 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
840 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
841 if (maps[i] == NULL) { /* end of the run */
844 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
852 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
856 struct idmap_ldap_context *ctx;
857 LDAPMessage *result = NULL;
858 const char *uidNumber;
859 const char *gidNumber;
860 const char **attr_list;
869 /* Only do query if we are online */
870 if (idmap_is_offline()) {
871 return NT_STATUS_FILE_IS_OFFLINE;
874 /* Initilization my have been deferred because we were offline */
875 if ( ! dom->initialized) {
876 ret = idmap_ldap_db_init(dom);
877 if ( ! NT_STATUS_IS_OK(ret)) {
882 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
884 memctx = talloc_new(ctx);
886 DEBUG(0, ("Out of memory!\n"));
887 return NT_STATUS_NO_MEMORY;
890 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
891 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
893 attr_list = get_attr_list(ctx, sidmap_attr_list);
896 /* if we are requested just one mapping use the simple filter */
898 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
899 LDAP_OBJ_IDMAP_ENTRY,
900 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
901 (unsigned long)ids[0]->xid.id);
902 CHECK_ALLOC_DONE(filter);
903 DEBUG(10, ("Filter: [%s]\n", filter));
905 /* multiple mappings */
913 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
914 CHECK_ALLOC_DONE(filter);
917 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
918 filter = talloc_asprintf_append(filter, "(%s=%lu)",
919 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
920 (unsigned long)ids[idx]->xid.id);
921 CHECK_ALLOC_DONE(filter);
923 filter = talloc_asprintf_append(filter, "))");
924 CHECK_ALLOC_DONE(filter);
925 DEBUG(10, ("Filter: [%s]\n", filter));
931 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
932 filter, attr_list, 0, &result);
934 if (rc != LDAP_SUCCESS) {
935 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
936 ret = NT_STATUS_UNSUCCESSFUL;
940 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
943 DEBUG(10, ("NO SIDs found\n"));
946 for (i = 0; i < count; i++) {
947 LDAPMessage *entry = NULL;
954 if (i == 0) { /* first entry */
955 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
956 } else { /* following ones */
957 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
960 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
964 /* first check if the SID is present */
965 sidstr = smbldap_talloc_single_attribute(
966 ctx->smbldap_state->ldap_struct,
967 entry, LDAP_ATTRIBUTE_SID, memctx);
968 if ( ! sidstr) { /* no sid, skip entry */
969 DEBUG(2, ("WARNING SID not found on entry\n"));
973 /* now try to see if it is a uid, if not try with a gid
974 * (gid is more common, but in case both uidNumber and
975 * gidNumber are returned the SID is mapped to the uid not the gid) */
977 tmp = smbldap_talloc_single_attribute(
978 ctx->smbldap_state->ldap_struct,
979 entry, uidNumber, memctx);
982 tmp = smbldap_talloc_single_attribute(
983 ctx->smbldap_state->ldap_struct,
984 entry, gidNumber, memctx);
986 if ( ! tmp) { /* wow very strange entry, how did it match ? */
987 DEBUG(5, ("Unprobable match on (%s), no uidNumber, nor gidNumber returned\n", sidstr));
992 id = strtoul(tmp, NULL, 10);
994 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
995 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
996 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
997 id, ctx->filter_low_id, ctx->filter_high_id));
1004 map = find_map_by_id(&ids[bidx], type, id);
1006 DEBUG(2, ("WARNING: couldn't match sid (%s) with requested ids\n", sidstr));
1007 TALLOC_FREE(sidstr);
1011 if ( ! string_to_sid(map->sid, sidstr)) {
1012 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1013 TALLOC_FREE(sidstr);
1016 TALLOC_FREE(sidstr);
1019 map->status = ID_MAPPED;
1021 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
1024 /* free the ldap results */
1026 ldap_msgfree(result);
1030 if (multi && ids[idx]) { /* still some values to map */
1036 /* mark all unknwon/expired ones as unmapped */
1037 for (i = 0; ids[i]; i++) {
1038 if (ids[i]->status != ID_MAPPED)
1039 ids[i]->status = ID_UNMAPPED;
1043 talloc_free(memctx);
1047 /**********************************
1048 lookup a set of sids.
1049 **********************************/
1051 /* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
1052 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
1056 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1057 if (maps[i] == NULL) { /* end of the run */
1060 if (sid_equal(maps[i]->sid, sid)) {
1068 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
1070 LDAPMessage *entry = NULL;
1073 struct idmap_ldap_context *ctx;
1074 LDAPMessage *result = NULL;
1075 const char *uidNumber;
1076 const char *gidNumber;
1077 const char **attr_list;
1078 char *filter = NULL;
1086 /* Only do query if we are online */
1087 if (idmap_is_offline()) {
1088 return NT_STATUS_FILE_IS_OFFLINE;
1091 /* Initilization my have been deferred because we were offline */
1092 if ( ! dom->initialized) {
1093 ret = idmap_ldap_db_init(dom);
1094 if ( ! NT_STATUS_IS_OK(ret)) {
1099 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1101 memctx = talloc_new(ctx);
1103 DEBUG(0, ("Out of memory!\n"));
1104 return NT_STATUS_NO_MEMORY;
1107 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1108 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1110 attr_list = get_attr_list(ctx, sidmap_attr_list);
1113 /* if we are requested just one mapping use the simple filter */
1115 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1116 LDAP_OBJ_IDMAP_ENTRY,
1118 sid_string_static(ids[0]->sid));
1119 CHECK_ALLOC_DONE(filter);
1120 DEBUG(10, ("Filter: [%s]\n", filter));
1122 /* multiple mappings */
1129 TALLOC_FREE(filter);
1130 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
1131 CHECK_ALLOC_DONE(filter);
1134 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1135 filter = talloc_asprintf_append(filter, "(%s=%s)",
1137 sid_string_static(ids[idx]->sid));
1138 CHECK_ALLOC_DONE(filter);
1140 filter = talloc_asprintf_append(filter, "))");
1141 CHECK_ALLOC_DONE(filter);
1142 DEBUG(10, ("Filter: [%s]", filter));
1148 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1149 filter, attr_list, 0, &result);
1151 if (rc != LDAP_SUCCESS) {
1152 DEBUG(3,("Failure looking up sids (%s)\n", ldap_err2string(rc)));
1153 ret = NT_STATUS_UNSUCCESSFUL;
1157 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1160 DEBUG(10, ("NO SIDs found\n"));
1163 for (i = 0; i < count; i++) {
1164 char *sidstr = NULL;
1171 if (i == 0) { /* first entry */
1172 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
1173 } else { /* following ones */
1174 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
1177 /* first check if the SID is present */
1178 sidstr = smbldap_talloc_single_attribute(
1179 ctx->smbldap_state->ldap_struct,
1180 entry, LDAP_ATTRIBUTE_SID, memctx);
1181 if ( ! sidstr) { /* no sid ??, skip entry */
1182 DEBUG(2, ("WARNING SID not found on entry\n"));
1186 if ( ! string_to_sid(&sid, sidstr)) {
1187 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1188 TALLOC_FREE(sidstr);
1192 map = find_map_by_sid(&ids[bidx], &sid);
1194 DEBUG(2, ("WARNING: couldn't find entry sid (%s) in ids", sidstr));
1195 TALLOC_FREE(sidstr);
1199 TALLOC_FREE(sidstr);
1201 /* now try to see if it is a uid, if not try with a gid
1202 * (gid is more common, but in case both uidNumber and
1203 * gidNumber are returned the SID is mapped to the uid not the gid) */
1205 tmp = smbldap_talloc_single_attribute(
1206 ctx->smbldap_state->ldap_struct,
1207 entry, uidNumber, memctx);
1210 tmp = smbldap_talloc_single_attribute(
1211 ctx->smbldap_state->ldap_struct,
1212 entry, gidNumber, memctx);
1214 if ( ! tmp) { /* no ids ?? */
1215 DEBUG(5, ("no uidNumber, nor gidNumber attributes found\n"));
1219 id = strtoul(tmp, NULL, 10);
1221 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1222 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1223 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
1224 id, ctx->filter_low_id, ctx->filter_high_id));
1231 map->xid.type = type;
1233 map->status = ID_MAPPED;
1235 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
1238 /* free the ldap results */
1240 ldap_msgfree(result);
1244 if (multi && ids[idx]) { /* still some values to map */
1250 /* mark all unknwon/expired ones as unmapped */
1251 for (i = 0; ids[i]; i++) {
1252 if (ids[i]->status != ID_MAPPED)
1253 ids[i]->status = ID_UNMAPPED;
1257 talloc_free(memctx);
1261 /**********************************
1263 **********************************/
1265 /* TODO: change this: This function cannot be called to modify a mapping, only set a new one */
1267 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id_map *map)
1271 struct idmap_ldap_context *ctx;
1272 LDAPMessage *entry = NULL;
1273 LDAPMod **mods = NULL;
1280 /* Only do query if we are online */
1281 if (idmap_is_offline()) {
1282 return NT_STATUS_FILE_IS_OFFLINE;
1285 /* Initilization my have been deferred because we were offline */
1286 if ( ! dom->initialized) {
1287 ret = idmap_ldap_db_init(dom);
1288 if ( ! NT_STATUS_IS_OK(ret)) {
1293 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1295 switch(map->xid.type) {
1297 type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_UIDNUMBER);
1301 type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_GIDNUMBER);
1305 return NT_STATUS_INVALID_PARAMETER;
1308 memctx = talloc_new(ctx);
1310 DEBUG(0, ("Out of memory!\n"));
1311 return NT_STATUS_NO_MEMORY;
1314 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1315 CHECK_ALLOC_DONE(id_str);
1317 sid = talloc_strdup(memctx, sid_string_static(map->sid));
1318 CHECK_ALLOC_DONE(sid);
1320 dn = talloc_asprintf(memctx, "%s=%s,%s",
1321 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1324 CHECK_ALLOC_DONE(dn);
1326 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1328 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods, type, id_str);
1330 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1331 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), sid);
1334 DEBUG(2, ("ERROR: No mods?\n"));
1335 ret = NT_STATUS_UNSUCCESSFUL;
1339 /* TODO: remove conflicting mappings! */
1341 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1343 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1345 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1346 ldap_mods_free(mods, True);
1348 if (rc != LDAP_SUCCESS) {
1349 char *ld_error = NULL;
1350 ldap_get_option(ctx->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1351 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu mapping [%s]\n",
1352 sid, (unsigned long)map->xid.id, type));
1353 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1354 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1356 ldap_memfree(ld_error);
1358 ret = NT_STATUS_UNSUCCESSFUL;
1362 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
1363 sid, (unsigned long)map->xid.id, type));
1368 talloc_free(memctx);
1372 /**********************************
1373 Close the idmap ldap instance
1374 **********************************/
1376 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1378 struct idmap_ldap_context *ctx;
1380 if (dom->private_data) {
1381 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1384 dom->private_data = NULL;
1387 return NT_STATUS_OK;
1390 static struct idmap_methods idmap_ldap_methods = {
1392 .init = idmap_ldap_db_init,
1393 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1394 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1395 .set_mapping = idmap_ldap_set_mapping,
1396 .close_fn = idmap_ldap_close
1399 static struct idmap_alloc_methods idmap_ldap_alloc_methods = {
1401 .init = idmap_ldap_alloc_init,
1402 .allocate_id = idmap_ldap_allocate_id,
1403 .get_id_hwm = idmap_ldap_get_hwm,
1404 .set_id_hwm = idmap_ldap_set_hwm,
1405 .close_fn = idmap_ldap_alloc_close,
1406 /* .dump_data = TODO */
1409 NTSTATUS idmap_alloc_ldap_init(void)
1411 return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_alloc_methods);
1414 NTSTATUS idmap_ldap_init(void)
1418 /* FIXME: bad hack to actually register also the alloc_ldap module without changining configure.in */
1419 ret = idmap_alloc_ldap_init();
1420 if (! NT_STATUS_IS_OK(ret)) {
1423 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_methods);