2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #define DBGC_CLASS DBGC_IDMAP
36 static char *idmap_fetch_secret(const char *backend, bool alloc,
37 const char *domain, const char *identity)
43 r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend);
45 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
51 strupper_m(tmp); /* make sure the key is case insensitive */
52 ret = secrets_fetch_generic(tmp, identity);
59 struct idmap_ldap_context {
60 struct smbldap_state *smbldap_state;
64 uint32_t filter_low_id, filter_high_id; /* Filter range */
68 struct idmap_ldap_alloc_context {
69 struct smbldap_state *smbldap_state;
73 uid_t low_uid, high_uid; /* Range of uids */
74 gid_t low_gid, high_gid; /* Range of gids */
78 #define CHECK_ALLOC_DONE(mem) do { \
80 DEBUG(0, ("Out of memory!\n")); \
81 ret = NT_STATUS_NO_MEMORY; \
85 /**********************************************************************
86 IDMAP ALLOC TDB BACKEND
87 **********************************************************************/
89 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
91 /*********************************************************************
92 ********************************************************************/
94 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
95 struct smbldap_state *ldap_state,
96 const char *config_option,
97 struct idmap_domain *dom,
100 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
102 const char *tmp = NULL;
103 char *user_dn = NULL;
106 /* assume anonymous if we don't have a specified user */
108 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
112 /* only the alloc backend can pass in a NULL dom */
113 secret = idmap_fetch_secret("ldap", True,
116 secret = idmap_fetch_secret("ldap", False,
121 DEBUG(0, ("get_credentials: Unable to fetch "
122 "auth credentials for %s in %s\n",
123 tmp, (dom==NULL)?"ALLOC":dom->name));
124 ret = NT_STATUS_ACCESS_DENIED;
127 *dn = talloc_strdup(mem_ctx, tmp);
128 CHECK_ALLOC_DONE(*dn);
130 if (!fetch_ldap_pw(&user_dn, &secret)) {
131 DEBUG(2, ("get_credentials: Failed to lookup ldap "
132 "bind creds. Using anonymous connection.\n"));
135 *dn = talloc_strdup(mem_ctx, user_dn);
136 SAFE_FREE( user_dn );
137 CHECK_ALLOC_DONE(*dn);
141 smbldap_set_creds(ldap_state, anon, *dn, secret);
151 /**********************************************************************
152 Verify the sambaUnixIdPool entry in the directory.
153 **********************************************************************/
155 static NTSTATUS verify_idpool(void)
159 LDAPMessage *result = NULL;
160 LDAPMod **mods = NULL;
161 const char **attr_list;
166 if ( ! idmap_alloc_ldap) {
167 return NT_STATUS_UNSUCCESSFUL;
170 ctx = talloc_new(idmap_alloc_ldap);
172 DEBUG(0, ("Out of memory!\n"));
173 return NT_STATUS_NO_MEMORY;
176 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
177 CHECK_ALLOC_DONE(filter);
179 attr_list = get_attr_list(ctx, idpool_attr_list);
180 CHECK_ALLOC_DONE(attr_list);
182 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
183 idmap_alloc_ldap->suffix,
190 if (rc != LDAP_SUCCESS) {
191 DEBUG(1, ("Unable to verify the idpool, "
192 "cannot continue initialization!\n"));
193 return NT_STATUS_UNSUCCESSFUL;
196 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
199 ldap_msgfree(result);
202 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
203 filter, idmap_alloc_ldap->suffix));
204 ret = NT_STATUS_UNSUCCESSFUL;
207 else if (count == 0) {
208 char *uid_str, *gid_str;
210 uid_str = talloc_asprintf(ctx, "%lu",
211 (unsigned long)idmap_alloc_ldap->low_uid);
212 gid_str = talloc_asprintf(ctx, "%lu",
213 (unsigned long)idmap_alloc_ldap->low_gid);
215 smbldap_set_mod(&mods, LDAP_MOD_ADD,
216 "objectClass", LDAP_OBJ_IDPOOL);
217 smbldap_set_mod(&mods, LDAP_MOD_ADD,
218 get_attr_key2string(idpool_attr_list,
219 LDAP_ATTR_UIDNUMBER),
221 smbldap_set_mod(&mods, LDAP_MOD_ADD,
222 get_attr_key2string(idpool_attr_list,
223 LDAP_ATTR_GIDNUMBER),
226 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
227 idmap_alloc_ldap->suffix,
229 ldap_mods_free(mods, True);
231 ret = NT_STATUS_UNSUCCESSFUL;
236 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
242 /*****************************************************************************
243 Initialise idmap database.
244 *****************************************************************************/
246 static NTSTATUS idmap_ldap_alloc_init(const char *params)
248 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
255 /* Only do init if we are online */
256 if (idmap_is_offline()) {
257 return NT_STATUS_FILE_IS_OFFLINE;
260 idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
261 CHECK_ALLOC_DONE( idmap_alloc_ldap );
265 if (!lp_idmap_uid(&low_uid, &high_uid)
266 || !lp_idmap_gid(&low_gid, &high_gid)) {
267 DEBUG(1, ("idmap uid or idmap gid missing\n"));
268 ret = NT_STATUS_UNSUCCESSFUL;
272 idmap_alloc_ldap->low_uid = low_uid;
273 idmap_alloc_ldap->high_uid = high_uid;
274 idmap_alloc_ldap->low_gid = low_gid;
275 idmap_alloc_ldap->high_gid= high_gid;
277 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
278 DEBUG(1, ("idmap uid range invalid\n"));
279 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
280 ret = NT_STATUS_UNSUCCESSFUL;
284 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
285 DEBUG(1, ("idmap gid range invalid\n"));
286 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
287 ret = NT_STATUS_UNSUCCESSFUL;
291 if (params && *params) {
292 /* assume location is the only parameter */
293 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
295 tmp = lp_parm_const_string(-1, "idmap alloc config",
299 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
300 ret = NT_STATUS_UNSUCCESSFUL;
304 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
306 CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
308 tmp = lp_parm_const_string(-1, "idmap alloc config",
309 "ldap_base_dn", NULL);
310 if ( ! tmp || ! *tmp) {
311 tmp = lp_ldap_idmap_suffix();
313 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
314 ret = NT_STATUS_UNSUCCESSFUL;
319 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
320 CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
322 ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
323 idmap_alloc_ldap->url,
324 &idmap_alloc_ldap->smbldap_state);
325 if (!NT_STATUS_IS_OK(ret)) {
326 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
327 idmap_alloc_ldap->url));
331 ret = get_credentials( idmap_alloc_ldap,
332 idmap_alloc_ldap->smbldap_state,
333 "idmap alloc config", NULL,
334 &idmap_alloc_ldap->user_dn );
335 if ( !NT_STATUS_IS_OK(ret) ) {
336 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
337 "credentials (%s)\n", nt_errstr(ret)));
341 /* see if the idmap suffix and sub entries exists */
343 ret = verify_idpool();
346 if ( !NT_STATUS_IS_OK( ret ) )
347 TALLOC_FREE( idmap_alloc_ldap );
352 /********************************
353 Allocate a new uid or gid
354 ********************************/
356 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
359 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
360 int rc = LDAP_SERVER_DOWN;
362 LDAPMessage *result = NULL;
363 LDAPMessage *entry = NULL;
364 LDAPMod **mods = NULL;
368 const char *dn = NULL;
369 const char **attr_list;
372 /* Only do query if we are online */
373 if (idmap_is_offline()) {
374 return NT_STATUS_FILE_IS_OFFLINE;
377 if ( ! idmap_alloc_ldap) {
378 return NT_STATUS_UNSUCCESSFUL;
381 ctx = talloc_new(idmap_alloc_ldap);
383 DEBUG(0, ("Out of memory!\n"));
384 return NT_STATUS_NO_MEMORY;
391 type = get_attr_key2string(idpool_attr_list,
392 LDAP_ATTR_UIDNUMBER);
396 type = get_attr_key2string(idpool_attr_list,
397 LDAP_ATTR_GIDNUMBER);
401 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
402 return NT_STATUS_INVALID_PARAMETER;
405 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
406 CHECK_ALLOC_DONE(filter);
408 attr_list = get_attr_list(ctx, idpool_attr_list);
409 CHECK_ALLOC_DONE(attr_list);
411 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
413 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
414 idmap_alloc_ldap->suffix,
415 LDAP_SCOPE_SUBTREE, filter,
416 attr_list, 0, &result);
418 if (rc != LDAP_SUCCESS) {
419 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
423 talloc_autofree_ldapmsg(ctx, result);
425 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
428 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
432 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
435 dn = smbldap_talloc_dn(ctx,
436 idmap_alloc_ldap->smbldap_state->ldap_struct,
442 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
443 entry, type, ctx))) {
444 DEBUG(0,("%s attribute not found\n", type));
448 DEBUG(0,("Out of memory\n"));
449 ret = NT_STATUS_NO_MEMORY;
453 xid->id = strtoul(id_str, NULL, 10);
455 /* make sure we still have room to grow */
459 if (xid->id > idmap_alloc_ldap->high_uid) {
460 DEBUG(0,("Cannot allocate uid above %lu!\n",
461 (unsigned long)idmap_alloc_ldap->high_uid));
467 if (xid->id > idmap_alloc_ldap->high_gid) {
468 DEBUG(0,("Cannot allocate gid above %lu!\n",
469 (unsigned long)idmap_alloc_ldap->high_uid));
479 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
481 DEBUG(0,("Out of memory\n"));
482 ret = NT_STATUS_NO_MEMORY;
486 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
487 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
490 DEBUG(0,("smbldap_set_mod() failed.\n"));
494 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
495 id_str, new_id_str));
497 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
499 ldap_mods_free(mods, True);
501 if (rc != LDAP_SUCCESS) {
502 DEBUG(1,("Failed to allocate new %s. "
503 "smbldap_modify() failed.\n", type));
514 /**********************************
515 Get current highest id.
516 **********************************/
518 static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
521 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
522 int rc = LDAP_SERVER_DOWN;
524 LDAPMessage *result = NULL;
525 LDAPMessage *entry = NULL;
528 const char **attr_list;
531 /* Only do query if we are online */
532 if (idmap_is_offline()) {
533 return NT_STATUS_FILE_IS_OFFLINE;
536 if ( ! idmap_alloc_ldap) {
537 return NT_STATUS_UNSUCCESSFUL;
540 memctx = talloc_new(idmap_alloc_ldap);
542 DEBUG(0, ("Out of memory!\n"));
543 return NT_STATUS_NO_MEMORY;
550 type = get_attr_key2string(idpool_attr_list,
551 LDAP_ATTR_UIDNUMBER);
555 type = get_attr_key2string(idpool_attr_list,
556 LDAP_ATTR_GIDNUMBER);
560 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
561 return NT_STATUS_INVALID_PARAMETER;
564 filter = talloc_asprintf(memctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
565 CHECK_ALLOC_DONE(filter);
567 attr_list = get_attr_list(memctx, idpool_attr_list);
568 CHECK_ALLOC_DONE(attr_list);
570 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
571 idmap_alloc_ldap->suffix,
572 LDAP_SCOPE_SUBTREE, filter,
573 attr_list, 0, &result);
575 if (rc != LDAP_SUCCESS) {
576 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
580 talloc_autofree_ldapmsg(memctx, result);
582 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
585 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
589 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
592 id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
593 entry, type, memctx);
595 DEBUG(0,("%s attribute not found\n", type));
599 DEBUG(0,("Out of memory\n"));
600 ret = NT_STATUS_NO_MEMORY;
604 xid->id = strtoul(id_str, NULL, 10);
611 /**********************************
613 **********************************/
615 static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
618 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
619 int rc = LDAP_SERVER_DOWN;
621 LDAPMessage *result = NULL;
622 LDAPMessage *entry = NULL;
623 LDAPMod **mods = NULL;
626 const char *dn = NULL;
627 const char **attr_list;
630 /* Only do query if we are online */
631 if (idmap_is_offline()) {
632 return NT_STATUS_FILE_IS_OFFLINE;
635 if ( ! idmap_alloc_ldap) {
636 return NT_STATUS_UNSUCCESSFUL;
639 ctx = talloc_new(idmap_alloc_ldap);
641 DEBUG(0, ("Out of memory!\n"));
642 return NT_STATUS_NO_MEMORY;
649 type = get_attr_key2string(idpool_attr_list,
650 LDAP_ATTR_UIDNUMBER);
654 type = get_attr_key2string(idpool_attr_list,
655 LDAP_ATTR_GIDNUMBER);
659 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
660 return NT_STATUS_INVALID_PARAMETER;
663 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
664 CHECK_ALLOC_DONE(filter);
666 attr_list = get_attr_list(ctx, idpool_attr_list);
667 CHECK_ALLOC_DONE(attr_list);
669 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
670 idmap_alloc_ldap->suffix,
671 LDAP_SCOPE_SUBTREE, filter,
672 attr_list, 0, &result);
674 if (rc != LDAP_SUCCESS) {
675 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
679 talloc_autofree_ldapmsg(ctx, result);
681 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
684 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
688 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
691 dn = smbldap_talloc_dn(ctx,
692 idmap_alloc_ldap->smbldap_state->ldap_struct,
698 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id);
700 DEBUG(0,("Out of memory\n"));
701 ret = NT_STATUS_NO_MEMORY;
705 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str);
708 DEBUG(0,("smbldap_set_mod() failed.\n"));
712 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
714 ldap_mods_free(mods, True);
716 if (rc != LDAP_SUCCESS) {
717 DEBUG(1,("Failed to allocate new %s. "
718 "smbldap_modify() failed.\n", type));
729 /**********************************
730 Close idmap ldap alloc
731 **********************************/
733 static NTSTATUS idmap_ldap_alloc_close(void)
735 if (idmap_alloc_ldap) {
736 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
737 DEBUG(5,("The connection to the LDAP server was closed\n"));
738 /* maybe free the results here --metze */
739 TALLOC_FREE(idmap_alloc_ldap);
745 /**********************************************************************
746 IDMAP MAPPING LDAP BACKEND
747 **********************************************************************/
749 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
751 smbldap_free_struct(&ctx->smbldap_state);
752 DEBUG(5,("The connection to the LDAP server was closed\n"));
753 /* maybe free the results here --metze */
758 /********************************
759 Initialise idmap database.
760 ********************************/
762 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
766 struct idmap_ldap_context *ctx = NULL;
767 char *config_option = NULL;
768 const char *tmp = NULL;
770 /* Only do init if we are online */
771 if (idmap_is_offline()) {
772 return NT_STATUS_FILE_IS_OFFLINE;
775 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
777 DEBUG(0, ("Out of memory!\n"));
778 return NT_STATUS_NO_MEMORY;
781 if (strequal(dom->name, "*")) {
787 ctx->filter_low_id = 0;
788 ctx->filter_high_id = 0;
790 if (lp_idmap_uid(&low_uid, &high_uid)) {
791 ctx->filter_low_id = low_uid;
792 ctx->filter_high_id = high_uid;
794 DEBUG(3, ("Warning: 'idmap uid' not set!\n"));
797 if (lp_idmap_gid(&low_gid, &high_gid)) {
798 if ((low_gid != low_uid) || (high_gid != high_uid)) {
799 DEBUG(1, ("Warning: 'idmap uid' and 'idmap gid'"
800 " ranges do not agree -- building "
802 ctx->filter_low_id = MAX(ctx->filter_low_id,
804 ctx->filter_high_id = MIN(ctx->filter_high_id,
808 DEBUG(3, ("Warning: 'idmap gid' not set!\n"));
811 const char *range = NULL;
813 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
814 if ( ! config_option) {
815 DEBUG(0, ("Out of memory!\n"));
816 ret = NT_STATUS_NO_MEMORY;
821 range = lp_parm_const_string(-1, config_option, "range", NULL);
822 if (range && range[0]) {
823 if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
824 &ctx->filter_high_id) != 2))
826 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
827 ctx->filter_low_id = 0;
828 ctx->filter_high_id = 0;
833 if (ctx->filter_low_id > ctx->filter_high_id) {
834 DEBUG(1, ("ERROR: invalid filter range [%u-%u]",
835 ctx->filter_low_id, ctx->filter_high_id));
836 ctx->filter_low_id = 0;
837 ctx->filter_high_id = 0;
840 if (params != NULL) {
841 /* assume location is the only parameter */
842 ctx->url = talloc_strdup(ctx, params);
844 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
847 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
848 ret = NT_STATUS_UNSUCCESSFUL;
852 ctx->url = talloc_strdup(ctx, tmp);
854 CHECK_ALLOC_DONE(ctx->url);
856 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
857 if ( ! tmp || ! *tmp) {
858 tmp = lp_ldap_idmap_suffix();
860 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
861 ret = NT_STATUS_UNSUCCESSFUL;
866 ctx->suffix = talloc_strdup(ctx, tmp);
867 CHECK_ALLOC_DONE(ctx->suffix);
869 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
870 &ctx->smbldap_state);
871 if (!NT_STATUS_IS_OK(ret)) {
872 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
876 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
877 dom, &ctx->user_dn );
878 if ( !NT_STATUS_IS_OK(ret) ) {
879 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
880 "credentials (%s)\n", nt_errstr(ret)));
884 /* set the destructor on the context, so that resource are properly
885 freed if the contexts is released */
887 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
889 dom->private_data = ctx;
891 talloc_free(config_option);
900 /* max number of ids requested per batch query */
901 #define IDMAP_LDAP_MAX_IDS 30
903 /**********************************
904 lookup a set of unix ids.
905 **********************************/
907 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
908 * in maps for a match */
909 static struct id_map *find_map_by_id(struct id_map **maps,
915 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
916 if (maps[i] == NULL) { /* end of the run */
919 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
927 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
932 struct idmap_ldap_context *ctx;
933 LDAPMessage *result = NULL;
934 LDAPMessage *entry = NULL;
935 const char *uidNumber;
936 const char *gidNumber;
937 const char **attr_list;
946 /* Only do query if we are online */
947 if (idmap_is_offline()) {
948 return NT_STATUS_FILE_IS_OFFLINE;
951 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
953 memctx = talloc_new(ctx);
955 DEBUG(0, ("Out of memory!\n"));
956 return NT_STATUS_NO_MEMORY;
959 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
960 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
962 attr_list = get_attr_list(memctx, sidmap_attr_list);
965 /* if we are requested just one mapping use the simple filter */
967 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
968 LDAP_OBJ_IDMAP_ENTRY,
969 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
970 (unsigned long)ids[0]->xid.id);
971 CHECK_ALLOC_DONE(filter);
972 DEBUG(10, ("Filter: [%s]\n", filter));
974 /* multiple mappings */
978 for (i = 0; ids[i]; i++) {
979 ids[i]->status = ID_UNKNOWN;
986 filter = talloc_asprintf(memctx,
987 "(&(objectClass=%s)(|",
988 LDAP_OBJ_IDMAP_ENTRY);
989 CHECK_ALLOC_DONE(filter);
992 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
993 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
994 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
995 (unsigned long)ids[idx]->xid.id);
996 CHECK_ALLOC_DONE(filter);
998 filter = talloc_asprintf_append_buffer(filter, "))");
999 CHECK_ALLOC_DONE(filter);
1000 DEBUG(10, ("Filter: [%s]\n", filter));
1006 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1007 filter, attr_list, 0, &result);
1009 if (rc != LDAP_SUCCESS) {
1010 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
1011 ret = NT_STATUS_UNSUCCESSFUL;
1015 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1018 DEBUG(10, ("NO SIDs found\n"));
1021 for (i = 0; i < count; i++) {
1022 char *sidstr = NULL;
1028 if (i == 0) { /* first entry */
1029 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1031 } else { /* following ones */
1032 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1036 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1041 /* first check if the SID is present */
1042 sidstr = smbldap_talloc_single_attribute(
1043 ctx->smbldap_state->ldap_struct,
1044 entry, LDAP_ATTRIBUTE_SID, memctx);
1045 if ( ! sidstr) { /* no sid, skip entry */
1046 DEBUG(2, ("WARNING SID not found on entry\n"));
1050 /* now try to see if it is a uid, if not try with a gid
1051 * (gid is more common, but in case both uidNumber and
1052 * gidNumber are returned the SID is mapped to the uid
1055 tmp = smbldap_talloc_single_attribute(
1056 ctx->smbldap_state->ldap_struct,
1057 entry, uidNumber, memctx);
1060 tmp = smbldap_talloc_single_attribute(
1061 ctx->smbldap_state->ldap_struct,
1062 entry, gidNumber, memctx);
1064 if ( ! tmp) { /* wow very strange entry, how did it match ? */
1065 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
1066 "nor gidNumber returned\n", sidstr));
1067 TALLOC_FREE(sidstr);
1071 id = strtoul(tmp, NULL, 10);
1073 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1074 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1075 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1077 ctx->filter_low_id, ctx->filter_high_id));
1078 TALLOC_FREE(sidstr);
1084 map = find_map_by_id(&ids[bidx], type, id);
1086 DEBUG(2, ("WARNING: couldn't match sid (%s) "
1087 "with requested ids\n", sidstr));
1088 TALLOC_FREE(sidstr);
1092 if ( ! string_to_sid(map->sid, sidstr)) {
1093 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1094 TALLOC_FREE(sidstr);
1098 if (map->status == ID_MAPPED) {
1099 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1100 "overwriting mapping %u -> %s with %u -> %s\n",
1101 (type == ID_TYPE_UID) ? "UID" : "GID",
1102 id, sid_string_dbg(map->sid), id, sidstr));
1105 TALLOC_FREE(sidstr);
1108 map->status = ID_MAPPED;
1110 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1111 (unsigned long)map->xid.id, map->xid.type));
1114 /* free the ldap results */
1116 ldap_msgfree(result);
1120 if (multi && ids[idx]) { /* still some values to map */
1126 /* mark all unknwon/expired ones as unmapped */
1127 for (i = 0; ids[i]; i++) {
1128 if (ids[i]->status != ID_MAPPED)
1129 ids[i]->status = ID_UNMAPPED;
1133 talloc_free(memctx);
1137 /**********************************
1138 lookup a set of sids.
1139 **********************************/
1141 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
1142 * in maps for a match */
1143 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
1147 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1148 if (maps[i] == NULL) { /* end of the run */
1151 if (sid_equal(maps[i]->sid, sid)) {
1159 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
1160 struct id_map **ids)
1162 LDAPMessage *entry = NULL;
1165 struct idmap_ldap_context *ctx;
1166 LDAPMessage *result = NULL;
1167 const char *uidNumber;
1168 const char *gidNumber;
1169 const char **attr_list;
1170 char *filter = NULL;
1178 /* Only do query if we are online */
1179 if (idmap_is_offline()) {
1180 return NT_STATUS_FILE_IS_OFFLINE;
1183 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1185 memctx = talloc_new(ctx);
1187 DEBUG(0, ("Out of memory!\n"));
1188 return NT_STATUS_NO_MEMORY;
1191 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1192 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1194 attr_list = get_attr_list(memctx, sidmap_attr_list);
1197 /* if we are requested just one mapping use the simple filter */
1199 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1200 LDAP_OBJ_IDMAP_ENTRY,
1202 sid_string_talloc(memctx, ids[0]->sid));
1203 CHECK_ALLOC_DONE(filter);
1204 DEBUG(10, ("Filter: [%s]\n", filter));
1206 /* multiple mappings */
1210 for (i = 0; ids[i]; i++) {
1211 ids[i]->status = ID_UNKNOWN;
1217 TALLOC_FREE(filter);
1218 filter = talloc_asprintf(memctx,
1219 "(&(objectClass=%s)(|",
1220 LDAP_OBJ_IDMAP_ENTRY);
1221 CHECK_ALLOC_DONE(filter);
1224 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1225 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
1227 sid_string_talloc(memctx,
1229 CHECK_ALLOC_DONE(filter);
1231 filter = talloc_asprintf_append_buffer(filter, "))");
1232 CHECK_ALLOC_DONE(filter);
1233 DEBUG(10, ("Filter: [%s]", filter));
1239 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1240 filter, attr_list, 0, &result);
1242 if (rc != LDAP_SUCCESS) {
1243 DEBUG(3,("Failure looking up sids (%s)\n",
1244 ldap_err2string(rc)));
1245 ret = NT_STATUS_UNSUCCESSFUL;
1249 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1252 DEBUG(10, ("NO SIDs found\n"));
1255 for (i = 0; i < count; i++) {
1256 char *sidstr = NULL;
1263 if (i == 0) { /* first entry */
1264 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1266 } else { /* following ones */
1267 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1271 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1276 /* first check if the SID is present */
1277 sidstr = smbldap_talloc_single_attribute(
1278 ctx->smbldap_state->ldap_struct,
1279 entry, LDAP_ATTRIBUTE_SID, memctx);
1280 if ( ! sidstr) { /* no sid ??, skip entry */
1281 DEBUG(2, ("WARNING SID not found on entry\n"));
1285 if ( ! string_to_sid(&sid, sidstr)) {
1286 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1287 TALLOC_FREE(sidstr);
1291 map = find_map_by_sid(&ids[bidx], &sid);
1293 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1295 TALLOC_FREE(sidstr);
1299 /* now try to see if it is a uid, if not try with a gid
1300 * (gid is more common, but in case both uidNumber and
1301 * gidNumber are returned the SID is mapped to the uid
1304 tmp = smbldap_talloc_single_attribute(
1305 ctx->smbldap_state->ldap_struct,
1306 entry, uidNumber, memctx);
1309 tmp = smbldap_talloc_single_attribute(
1310 ctx->smbldap_state->ldap_struct,
1311 entry, gidNumber, memctx);
1313 if ( ! tmp) { /* no ids ?? */
1314 DEBUG(5, ("no uidNumber, "
1315 "nor gidNumber attributes found\n"));
1316 TALLOC_FREE(sidstr);
1320 id = strtoul(tmp, NULL, 10);
1322 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1323 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1324 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1326 ctx->filter_low_id, ctx->filter_high_id));
1327 TALLOC_FREE(sidstr);
1333 if (map->status == ID_MAPPED) {
1334 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1335 "overwriting mapping %s -> %u with %s -> %u\n",
1336 (type == ID_TYPE_UID) ? "UID" : "GID",
1337 sidstr, map->xid.id, sidstr, id));
1340 TALLOC_FREE(sidstr);
1343 map->xid.type = type;
1345 map->status = ID_MAPPED;
1347 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1348 (unsigned long)map->xid.id, map->xid.type));
1351 /* free the ldap results */
1353 ldap_msgfree(result);
1357 if (multi && ids[idx]) { /* still some values to map */
1363 /* mark all unknwon/expired ones as unmapped */
1364 for (i = 0; ids[i]; i++) {
1365 if (ids[i]->status != ID_MAPPED)
1366 ids[i]->status = ID_UNMAPPED;
1370 talloc_free(memctx);
1374 /**********************************
1376 **********************************/
1378 /* TODO: change this: This function cannot be called to modify a mapping,
1379 * only set a new one */
1381 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
1382 const struct id_map *map)
1386 struct idmap_ldap_context *ctx;
1387 LDAPMessage *entry = NULL;
1388 LDAPMod **mods = NULL;
1395 /* Only do query if we are online */
1396 if (idmap_is_offline()) {
1397 return NT_STATUS_FILE_IS_OFFLINE;
1400 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1402 switch(map->xid.type) {
1404 type = get_attr_key2string(sidmap_attr_list,
1405 LDAP_ATTR_UIDNUMBER);
1409 type = get_attr_key2string(sidmap_attr_list,
1410 LDAP_ATTR_GIDNUMBER);
1414 return NT_STATUS_INVALID_PARAMETER;
1417 memctx = talloc_new(ctx);
1419 DEBUG(0, ("Out of memory!\n"));
1420 return NT_STATUS_NO_MEMORY;
1423 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1424 CHECK_ALLOC_DONE(id_str);
1426 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
1427 CHECK_ALLOC_DONE(sid);
1429 dn = talloc_asprintf(memctx, "%s=%s,%s",
1430 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1433 CHECK_ALLOC_DONE(dn);
1435 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1436 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1438 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
1439 entry, &mods, type, id_str);
1441 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1442 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1446 DEBUG(2, ("ERROR: No mods?\n"));
1447 ret = NT_STATUS_UNSUCCESSFUL;
1451 /* TODO: remove conflicting mappings! */
1453 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1455 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1457 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1458 ldap_mods_free(mods, True);
1460 if (rc != LDAP_SUCCESS) {
1461 char *ld_error = NULL;
1462 ldap_get_option(ctx->smbldap_state->ldap_struct,
1463 LDAP_OPT_ERROR_STRING, &ld_error);
1464 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
1465 "mapping [%s]\n", sid,
1466 (unsigned long)map->xid.id, type));
1467 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1468 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1470 ldap_memfree(ld_error);
1472 ret = NT_STATUS_UNSUCCESSFUL;
1476 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
1477 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
1482 talloc_free(memctx);
1486 /**********************************
1487 Close the idmap ldap instance
1488 **********************************/
1490 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1492 struct idmap_ldap_context *ctx;
1494 if (dom->private_data) {
1495 ctx = talloc_get_type(dom->private_data,
1496 struct idmap_ldap_context);
1499 dom->private_data = NULL;
1502 return NT_STATUS_OK;
1505 static struct idmap_methods idmap_ldap_methods = {
1507 .init = idmap_ldap_db_init,
1508 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1509 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1510 .set_mapping = idmap_ldap_set_mapping,
1511 .close_fn = idmap_ldap_close
1514 static struct idmap_alloc_methods idmap_ldap_alloc_methods = {
1516 .init = idmap_ldap_alloc_init,
1517 .allocate_id = idmap_ldap_allocate_id,
1518 .get_id_hwm = idmap_ldap_get_hwm,
1519 .set_id_hwm = idmap_ldap_set_hwm,
1520 .close_fn = idmap_ldap_alloc_close,
1521 /* .dump_data = TODO */
1524 static NTSTATUS idmap_alloc_ldap_init(void)
1526 return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1527 &idmap_ldap_alloc_methods);
1530 NTSTATUS idmap_ldap_init(void);
1531 NTSTATUS idmap_ldap_init(void)
1535 /* FIXME: bad hack to actually register also the alloc_ldap module
1536 * without changining configure.in */
1537 ret = idmap_alloc_ldap_init();
1538 if (! NT_STATUS_IS_OK(ret)) {
1541 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1542 &idmap_ldap_methods);
git.samba.org / ira / wip.git / blob