2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
10 Copyright (C) Michael Adam 2010
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
31 #include "../libcli/security/security.h"
34 #define DBGC_CLASS DBGC_IDMAP
40 #include "passdb/pdb_ldap_schema.h"
42 static char *idmap_fetch_secret(const char *backend,
43 const char *domain, const char *identity)
48 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
53 strupper_m(tmp); /* make sure the key is case insensitive */
54 ret = secrets_fetch_generic(tmp, identity);
61 struct idmap_ldap_context {
62 struct smbldap_state *smbldap_state;
67 struct idmap_rw_ops *rw_ops;
70 #define CHECK_ALLOC_DONE(mem) do { \
72 DEBUG(0, ("Out of memory!\n")); \
73 ret = NT_STATUS_NO_MEMORY; \
77 /**********************************************************************
78 IDMAP ALLOC TDB BACKEND
79 **********************************************************************/
81 /*********************************************************************
82 ********************************************************************/
84 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
85 struct smbldap_state *ldap_state,
86 const char *config_option,
87 struct idmap_domain *dom,
90 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
92 const char *tmp = NULL;
96 /* assume anonymous if we don't have a specified user */
98 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
102 DEBUG(0, ("get_credentials: Invalid domain 'NULL' "
103 "encountered for user DN %s\n",
105 ret = NT_STATUS_UNSUCCESSFUL;
108 secret = idmap_fetch_secret("ldap", dom->name, tmp);
112 DEBUG(0, ("get_credentials: Unable to fetch "
113 "auth credentials for %s in %s\n",
114 tmp, (dom==NULL)?"ALLOC":dom->name));
115 ret = NT_STATUS_ACCESS_DENIED;
118 *dn = talloc_strdup(mem_ctx, tmp);
119 CHECK_ALLOC_DONE(*dn);
121 if (!fetch_ldap_pw(&user_dn, &secret)) {
122 DEBUG(2, ("get_credentials: Failed to lookup ldap "
123 "bind creds. Using anonymous connection.\n"));
127 *dn = talloc_strdup(mem_ctx, user_dn);
128 SAFE_FREE( user_dn );
129 CHECK_ALLOC_DONE(*dn);
133 smbldap_set_creds(ldap_state, anon, *dn, secret);
143 /**********************************************************************
144 Verify the sambaUnixIdPool entry in the directory.
145 **********************************************************************/
147 static NTSTATUS verify_idpool(struct idmap_domain *dom)
151 LDAPMessage *result = NULL;
152 LDAPMod **mods = NULL;
153 const char **attr_list;
157 struct idmap_ldap_context *ctx;
159 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
161 mem_ctx = talloc_new(ctx);
162 if (mem_ctx == NULL) {
163 DEBUG(0, ("Out of memory!\n"));
164 return NT_STATUS_NO_MEMORY;
167 filter = talloc_asprintf(mem_ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
168 CHECK_ALLOC_DONE(filter);
170 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
171 CHECK_ALLOC_DONE(attr_list);
173 rc = smbldap_search(ctx->smbldap_state,
181 if (rc != LDAP_SUCCESS) {
182 DEBUG(1, ("Unable to verify the idpool, "
183 "cannot continue initialization!\n"));
184 return NT_STATUS_UNSUCCESSFUL;
187 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
189 ldap_msgfree(result);
192 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
193 filter, ctx->suffix));
194 ret = NT_STATUS_UNSUCCESSFUL;
197 else if (count == 0) {
198 char *uid_str, *gid_str;
200 uid_str = talloc_asprintf(mem_ctx, "%lu",
201 (unsigned long)dom->low_id);
202 gid_str = talloc_asprintf(mem_ctx, "%lu",
203 (unsigned long)dom->low_id);
205 smbldap_set_mod(&mods, LDAP_MOD_ADD,
206 "objectClass", LDAP_OBJ_IDPOOL);
207 smbldap_set_mod(&mods, LDAP_MOD_ADD,
208 get_attr_key2string(idpool_attr_list,
209 LDAP_ATTR_UIDNUMBER),
211 smbldap_set_mod(&mods, LDAP_MOD_ADD,
212 get_attr_key2string(idpool_attr_list,
213 LDAP_ATTR_GIDNUMBER),
216 rc = smbldap_modify(ctx->smbldap_state,
219 ldap_mods_free(mods, True);
221 ret = NT_STATUS_UNSUCCESSFUL;
226 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
228 talloc_free(mem_ctx);
232 /********************************
233 Allocate a new uid or gid
234 ********************************/
236 static NTSTATUS idmap_ldap_allocate_id_internal(struct idmap_domain *dom,
240 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
241 int rc = LDAP_SERVER_DOWN;
243 LDAPMessage *result = NULL;
244 LDAPMessage *entry = NULL;
245 LDAPMod **mods = NULL;
249 const char *dn = NULL;
250 const char **attr_list;
252 struct idmap_ldap_context *ctx;
254 /* Only do query if we are online */
255 if (idmap_is_offline()) {
256 return NT_STATUS_FILE_IS_OFFLINE;
259 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
261 mem_ctx = talloc_new(ctx);
263 DEBUG(0, ("Out of memory!\n"));
264 return NT_STATUS_NO_MEMORY;
271 type = get_attr_key2string(idpool_attr_list,
272 LDAP_ATTR_UIDNUMBER);
276 type = get_attr_key2string(idpool_attr_list,
277 LDAP_ATTR_GIDNUMBER);
281 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
282 return NT_STATUS_INVALID_PARAMETER;
285 filter = talloc_asprintf(mem_ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
286 CHECK_ALLOC_DONE(filter);
288 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
289 CHECK_ALLOC_DONE(attr_list);
291 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
293 rc = smbldap_search(ctx->smbldap_state,
295 LDAP_SCOPE_SUBTREE, filter,
296 attr_list, 0, &result);
298 if (rc != LDAP_SUCCESS) {
299 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
303 talloc_autofree_ldapmsg(mem_ctx, result);
305 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
307 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
311 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
313 dn = smbldap_talloc_dn(mem_ctx,
314 ctx->smbldap_state->ldap_struct,
320 id_str = smbldap_talloc_single_attribute(
321 ctx->smbldap_state->ldap_struct,
322 entry, type, mem_ctx);
323 if (id_str == NULL) {
324 DEBUG(0,("%s attribute not found\n", type));
325 ret = NT_STATUS_UNSUCCESSFUL;
329 xid->id = strtoul(id_str, NULL, 10);
331 /* make sure we still have room to grow */
335 if (xid->id > dom->high_id) {
336 DEBUG(0,("Cannot allocate uid above %lu!\n",
337 (unsigned long)dom->high_id));
343 if (xid->id > dom->high_id) {
344 DEBUG(0,("Cannot allocate gid above %lu!\n",
345 (unsigned long)dom->high_id));
355 new_id_str = talloc_asprintf(mem_ctx, "%lu", (unsigned long)xid->id + 1);
357 DEBUG(0,("Out of memory\n"));
358 ret = NT_STATUS_NO_MEMORY;
362 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
363 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
366 DEBUG(0,("smbldap_set_mod() failed.\n"));
370 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
371 id_str, new_id_str));
373 rc = smbldap_modify(ctx->smbldap_state, dn, mods);
375 ldap_mods_free(mods, True);
377 if (rc != LDAP_SUCCESS) {
378 DEBUG(1,("Failed to allocate new %s. "
379 "smbldap_modify() failed.\n", type));
386 talloc_free(mem_ctx);
391 * Allocate a new unix-ID.
392 * For now this is for the default idmap domain only.
393 * Should be extended later on.
395 static NTSTATUS idmap_ldap_allocate_id(struct idmap_domain *dom,
400 if (!strequal(dom->name, "*")) {
401 DEBUG(3, ("idmap_ldap_allocate_id: "
402 "Refusing allocation of a new unixid for domain'%s'. "
403 "This is only supported for the default "
406 return NT_STATUS_NOT_IMPLEMENTED;
409 ret = idmap_ldap_allocate_id_internal(dom, id);
415 /**********************************************************************
416 IDMAP MAPPING LDAP BACKEND
417 **********************************************************************/
419 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
421 smbldap_free_struct(&ctx->smbldap_state);
422 DEBUG(5,("The connection to the LDAP server was closed\n"));
423 /* maybe free the results here --metze */
428 /********************************
429 Initialise idmap database.
430 ********************************/
432 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
433 const struct id_map *map);
435 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
438 struct idmap_ldap_context *ctx = NULL;
439 char *config_option = NULL;
440 const char *tmp = NULL;
442 /* Only do init if we are online */
443 if (idmap_is_offline()) {
444 return NT_STATUS_FILE_IS_OFFLINE;
447 ctx = talloc_zero(dom, struct idmap_ldap_context);
449 DEBUG(0, ("Out of memory!\n"));
450 return NT_STATUS_NO_MEMORY;
453 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
454 if (!config_option) {
455 DEBUG(0, ("Out of memory!\n"));
456 ret = NT_STATUS_NO_MEMORY;
460 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
463 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
464 ret = NT_STATUS_UNSUCCESSFUL;
468 ctx->url = talloc_strdup(ctx, tmp);
470 trim_char(ctx->url, '\"', '\"');
472 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
473 if ( ! tmp || ! *tmp) {
474 tmp = lp_ldap_idmap_suffix();
476 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
477 ret = NT_STATUS_UNSUCCESSFUL;
482 ctx->suffix = talloc_strdup(ctx, tmp);
483 CHECK_ALLOC_DONE(ctx->suffix);
485 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
486 CHECK_ALLOC_DONE(ctx->rw_ops);
488 ctx->rw_ops->get_new_id = idmap_ldap_allocate_id_internal;
489 ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;
491 /* get_credentials deals with setting up creds */
493 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
494 false, NULL, NULL, &ctx->smbldap_state);
495 if (!NT_STATUS_IS_OK(ret)) {
496 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
500 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
501 dom, &ctx->user_dn );
502 if ( !NT_STATUS_IS_OK(ret) ) {
503 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
504 "credentials (%s)\n", nt_errstr(ret)));
509 * Set the destructor on the context, so that resources are
510 * properly freed when the context is released.
512 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
514 dom->private_data = ctx;
516 ret = verify_idpool(dom);
517 if (!NT_STATUS_IS_OK(ret)) {
518 DEBUG(1, ("idmap_ldap_db_init: failed to verify ID pool (%s)\n",
523 talloc_free(config_option);
536 /* TODO: change this: This function cannot be called to modify a mapping,
537 * only set a new one */
539 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
540 const struct id_map *map)
544 struct idmap_ldap_context *ctx;
545 LDAPMessage *entry = NULL;
546 LDAPMod **mods = NULL;
553 /* Only do query if we are online */
554 if (idmap_is_offline()) {
555 return NT_STATUS_FILE_IS_OFFLINE;
558 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
560 switch(map->xid.type) {
562 type = get_attr_key2string(sidmap_attr_list,
563 LDAP_ATTR_UIDNUMBER);
567 type = get_attr_key2string(sidmap_attr_list,
568 LDAP_ATTR_GIDNUMBER);
572 return NT_STATUS_INVALID_PARAMETER;
575 memctx = talloc_new(ctx);
577 DEBUG(0, ("Out of memory!\n"));
578 return NT_STATUS_NO_MEMORY;
581 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
582 CHECK_ALLOC_DONE(id_str);
584 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
585 CHECK_ALLOC_DONE(sid);
587 dn = talloc_asprintf(memctx, "%s=%s,%s",
588 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
591 CHECK_ALLOC_DONE(dn);
593 smbldap_set_mod(&mods, LDAP_MOD_ADD,
594 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
596 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
597 entry, &mods, type, id_str);
599 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
600 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
604 DEBUG(2, ("ERROR: No mods?\n"));
605 ret = NT_STATUS_UNSUCCESSFUL;
609 /* TODO: remove conflicting mappings! */
611 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
613 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
615 rc = smbldap_add(ctx->smbldap_state, dn, mods);
616 ldap_mods_free(mods, True);
618 if (rc != LDAP_SUCCESS) {
619 char *ld_error = NULL;
620 ldap_get_option(ctx->smbldap_state->ldap_struct,
621 LDAP_OPT_ERROR_STRING, &ld_error);
622 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
623 "mapping [%s]\n", sid,
624 (unsigned long)map->xid.id, type));
625 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
626 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
628 ldap_memfree(ld_error);
630 ret = NT_STATUS_UNSUCCESSFUL;
634 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
635 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
645 * Create a new mapping for an unmapped SID, also allocating a new ID.
646 * If possible, this should be run inside a transaction to make the
649 static NTSTATUS idmap_ldap_new_mapping(struct idmap_domain *dom, struct id_map *map)
652 struct idmap_ldap_context *ctx;
654 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
656 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
662 /* max number of ids requested per batch query */
663 #define IDMAP_LDAP_MAX_IDS 30
665 /**********************************
666 lookup a set of unix ids.
667 **********************************/
669 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
670 * in maps for a match */
671 static struct id_map *find_map_by_id(struct id_map **maps,
677 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
678 if (maps[i] == NULL) { /* end of the run */
681 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
689 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
694 struct idmap_ldap_context *ctx;
695 LDAPMessage *result = NULL;
696 LDAPMessage *entry = NULL;
697 const char *uidNumber;
698 const char *gidNumber;
699 const char **attr_list;
708 /* Only do query if we are online */
709 if (idmap_is_offline()) {
710 return NT_STATUS_FILE_IS_OFFLINE;
713 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
715 memctx = talloc_new(ctx);
717 DEBUG(0, ("Out of memory!\n"));
718 return NT_STATUS_NO_MEMORY;
721 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
722 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
724 attr_list = get_attr_list(memctx, sidmap_attr_list);
727 /* if we are requested just one mapping use the simple filter */
729 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
730 LDAP_OBJ_IDMAP_ENTRY,
731 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
732 (unsigned long)ids[0]->xid.id);
733 CHECK_ALLOC_DONE(filter);
734 DEBUG(10, ("Filter: [%s]\n", filter));
736 /* multiple mappings */
740 for (i = 0; ids[i]; i++) {
741 ids[i]->status = ID_UNKNOWN;
748 filter = talloc_asprintf(memctx,
749 "(&(objectClass=%s)(|",
750 LDAP_OBJ_IDMAP_ENTRY);
751 CHECK_ALLOC_DONE(filter);
754 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
755 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
756 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
757 (unsigned long)ids[idx]->xid.id);
758 CHECK_ALLOC_DONE(filter);
760 filter = talloc_asprintf_append_buffer(filter, "))");
761 CHECK_ALLOC_DONE(filter);
762 DEBUG(10, ("Filter: [%s]\n", filter));
768 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
769 filter, attr_list, 0, &result);
771 if (rc != LDAP_SUCCESS) {
772 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
773 ret = NT_STATUS_UNSUCCESSFUL;
777 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
780 DEBUG(10, ("NO SIDs found\n"));
783 for (i = 0; i < count; i++) {
790 if (i == 0) { /* first entry */
791 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
793 } else { /* following ones */
794 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
798 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
803 /* first check if the SID is present */
804 sidstr = smbldap_talloc_single_attribute(
805 ctx->smbldap_state->ldap_struct,
806 entry, LDAP_ATTRIBUTE_SID, memctx);
807 if ( ! sidstr) { /* no sid, skip entry */
808 DEBUG(2, ("WARNING SID not found on entry\n"));
812 /* now try to see if it is a uid, if not try with a gid
813 * (gid is more common, but in case both uidNumber and
814 * gidNumber are returned the SID is mapped to the uid
817 tmp = smbldap_talloc_single_attribute(
818 ctx->smbldap_state->ldap_struct,
819 entry, uidNumber, memctx);
822 tmp = smbldap_talloc_single_attribute(
823 ctx->smbldap_state->ldap_struct,
824 entry, gidNumber, memctx);
826 if ( ! tmp) { /* wow very strange entry, how did it match ? */
827 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
828 "nor gidNumber returned\n", sidstr));
833 id = strtoul(tmp, NULL, 10);
834 if (!idmap_unix_id_is_in_range(id, dom)) {
835 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
837 dom->low_id, dom->high_id));
844 map = find_map_by_id(&ids[bidx], type, id);
846 DEBUG(2, ("WARNING: couldn't match sid (%s) "
847 "with requested ids\n", sidstr));
852 if ( ! string_to_sid(map->sid, sidstr)) {
853 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
858 if (map->status == ID_MAPPED) {
859 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
860 "overwriting mapping %u -> %s with %u -> %s\n",
861 (type == ID_TYPE_UID) ? "UID" : "GID",
862 id, sid_string_dbg(map->sid), id, sidstr));
868 map->status = ID_MAPPED;
870 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
871 (unsigned long)map->xid.id, map->xid.type));
874 /* free the ldap results */
876 ldap_msgfree(result);
880 if (multi && ids[idx]) { /* still some values to map */
886 /* mark all unknwon/expired ones as unmapped */
887 for (i = 0; ids[i]; i++) {
888 if (ids[i]->status != ID_MAPPED)
889 ids[i]->status = ID_UNMAPPED;
897 /**********************************
898 lookup a set of sids.
899 **********************************/
901 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
902 * in maps for a match */
903 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
907 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
908 if (maps[i] == NULL) { /* end of the run */
911 if (dom_sid_equal(maps[i]->sid, sid)) {
919 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
922 LDAPMessage *entry = NULL;
925 struct idmap_ldap_context *ctx;
926 LDAPMessage *result = NULL;
927 const char *uidNumber;
928 const char *gidNumber;
929 const char **attr_list;
938 /* Only do query if we are online */
939 if (idmap_is_offline()) {
940 return NT_STATUS_FILE_IS_OFFLINE;
943 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
945 memctx = talloc_new(ctx);
947 DEBUG(0, ("Out of memory!\n"));
948 return NT_STATUS_NO_MEMORY;
951 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
952 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
954 attr_list = get_attr_list(memctx, sidmap_attr_list);
957 /* if we are requested just one mapping use the simple filter */
959 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
960 LDAP_OBJ_IDMAP_ENTRY,
962 sid_string_talloc(memctx, ids[0]->sid));
963 CHECK_ALLOC_DONE(filter);
964 DEBUG(10, ("Filter: [%s]\n", filter));
966 /* multiple mappings */
970 for (i = 0; ids[i]; i++) {
971 ids[i]->status = ID_UNKNOWN;
978 filter = talloc_asprintf(memctx,
979 "(&(objectClass=%s)(|",
980 LDAP_OBJ_IDMAP_ENTRY);
981 CHECK_ALLOC_DONE(filter);
984 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
985 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
987 sid_string_talloc(memctx,
989 CHECK_ALLOC_DONE(filter);
991 filter = talloc_asprintf_append_buffer(filter, "))");
992 CHECK_ALLOC_DONE(filter);
993 DEBUG(10, ("Filter: [%s]", filter));
999 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1000 filter, attr_list, 0, &result);
1002 if (rc != LDAP_SUCCESS) {
1003 DEBUG(3,("Failure looking up sids (%s)\n",
1004 ldap_err2string(rc)));
1005 ret = NT_STATUS_UNSUCCESSFUL;
1009 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1012 DEBUG(10, ("NO SIDs found\n"));
1015 for (i = 0; i < count; i++) {
1016 char *sidstr = NULL;
1023 if (i == 0) { /* first entry */
1024 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1026 } else { /* following ones */
1027 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1031 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1036 /* first check if the SID is present */
1037 sidstr = smbldap_talloc_single_attribute(
1038 ctx->smbldap_state->ldap_struct,
1039 entry, LDAP_ATTRIBUTE_SID, memctx);
1040 if ( ! sidstr) { /* no sid ??, skip entry */
1041 DEBUG(2, ("WARNING SID not found on entry\n"));
1045 if ( ! string_to_sid(&sid, sidstr)) {
1046 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1047 TALLOC_FREE(sidstr);
1051 map = find_map_by_sid(&ids[bidx], &sid);
1053 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1055 TALLOC_FREE(sidstr);
1059 /* now try to see if it is a uid, if not try with a gid
1060 * (gid is more common, but in case both uidNumber and
1061 * gidNumber are returned the SID is mapped to the uid
1064 tmp = smbldap_talloc_single_attribute(
1065 ctx->smbldap_state->ldap_struct,
1066 entry, uidNumber, memctx);
1069 tmp = smbldap_talloc_single_attribute(
1070 ctx->smbldap_state->ldap_struct,
1071 entry, gidNumber, memctx);
1073 if ( ! tmp) { /* no ids ?? */
1074 DEBUG(5, ("no uidNumber, "
1075 "nor gidNumber attributes found\n"));
1076 TALLOC_FREE(sidstr);
1080 id = strtoul(tmp, NULL, 10);
1081 if (!idmap_unix_id_is_in_range(id, dom)) {
1082 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1084 dom->low_id, dom->high_id));
1085 TALLOC_FREE(sidstr);
1091 if (map->status == ID_MAPPED) {
1092 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1093 "overwriting mapping %s -> %u with %s -> %u\n",
1094 (type == ID_TYPE_UID) ? "UID" : "GID",
1095 sidstr, map->xid.id, sidstr, id));
1098 TALLOC_FREE(sidstr);
1101 map->xid.type = type;
1103 map->status = ID_MAPPED;
1105 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1106 (unsigned long)map->xid.id, map->xid.type));
1109 /* free the ldap results */
1111 ldap_msgfree(result);
1115 if (multi && ids[idx]) { /* still some values to map */
1120 * try to create new mappings for unmapped sids
1122 for (i = 0; ids[i]; i++) {
1123 if (ids[i]->status != ID_MAPPED) {
1124 ids[i]->status = ID_UNMAPPED;
1125 if (ids[i]->sid != NULL) {
1126 ret = idmap_ldap_new_mapping(dom, ids[i]);
1127 if (!NT_STATUS_IS_OK(ret)) {
1137 talloc_free(memctx);
1141 /**********************************
1142 Close the idmap ldap instance
1143 **********************************/
1145 static struct idmap_methods idmap_ldap_methods = {
1147 .init = idmap_ldap_db_init,
1148 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1149 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1150 .allocate_id = idmap_ldap_allocate_id,
1153 NTSTATUS idmap_ldap_init(void);
1154 NTSTATUS idmap_ldap_init(void)
1156 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1157 &idmap_ldap_methods);
git.samba.org / kai / samba.git / blob