2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
10 Copyright (C) Michael Adam 2010
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
31 #include "../libcli/security/security.h"
34 #define DBGC_CLASS DBGC_IDMAP
41 static char *idmap_fetch_secret(const char *backend,
42 const char *domain, const char *identity)
47 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
52 strupper_m(tmp); /* make sure the key is case insensitive */
53 ret = secrets_fetch_generic(tmp, identity);
60 struct idmap_ldap_context {
61 struct smbldap_state *smbldap_state;
66 struct idmap_rw_ops *rw_ops;
69 #define CHECK_ALLOC_DONE(mem) do { \
71 DEBUG(0, ("Out of memory!\n")); \
72 ret = NT_STATUS_NO_MEMORY; \
76 /**********************************************************************
77 IDMAP ALLOC TDB BACKEND
78 **********************************************************************/
80 /*********************************************************************
81 ********************************************************************/
83 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
84 struct smbldap_state *ldap_state,
85 const char *config_option,
86 struct idmap_domain *dom,
89 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
91 const char *tmp = NULL;
95 /* assume anonymous if we don't have a specified user */
97 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
101 DEBUG(0, ("get_credentials: Invalid domain 'NULL' "
102 "encountered for user DN %s\n",
104 ret = NT_STATUS_UNSUCCESSFUL;
107 secret = idmap_fetch_secret("ldap", dom->name, tmp);
111 DEBUG(0, ("get_credentials: Unable to fetch "
112 "auth credentials for %s in %s\n",
113 tmp, (dom==NULL)?"ALLOC":dom->name));
114 ret = NT_STATUS_ACCESS_DENIED;
117 *dn = talloc_strdup(mem_ctx, tmp);
118 CHECK_ALLOC_DONE(*dn);
120 if (!fetch_ldap_pw(&user_dn, &secret)) {
121 DEBUG(2, ("get_credentials: Failed to lookup ldap "
122 "bind creds. Using anonymous connection.\n"));
126 *dn = talloc_strdup(mem_ctx, user_dn);
127 SAFE_FREE( user_dn );
128 CHECK_ALLOC_DONE(*dn);
132 smbldap_set_creds(ldap_state, anon, *dn, secret);
142 /**********************************************************************
143 Verify the sambaUnixIdPool entry in the directory.
144 **********************************************************************/
146 static NTSTATUS verify_idpool(struct idmap_domain *dom)
150 LDAPMessage *result = NULL;
151 LDAPMod **mods = NULL;
152 const char **attr_list;
156 struct idmap_ldap_context *ctx;
158 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
160 mem_ctx = talloc_new(ctx);
161 if (mem_ctx == NULL) {
162 DEBUG(0, ("Out of memory!\n"));
163 return NT_STATUS_NO_MEMORY;
166 filter = talloc_asprintf(mem_ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
167 CHECK_ALLOC_DONE(filter);
169 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
170 CHECK_ALLOC_DONE(attr_list);
172 rc = smbldap_search(ctx->smbldap_state,
180 if (rc != LDAP_SUCCESS) {
181 DEBUG(1, ("Unable to verify the idpool, "
182 "cannot continue initialization!\n"));
183 return NT_STATUS_UNSUCCESSFUL;
186 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
188 ldap_msgfree(result);
191 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
192 filter, ctx->suffix));
193 ret = NT_STATUS_UNSUCCESSFUL;
196 else if (count == 0) {
197 char *uid_str, *gid_str;
199 uid_str = talloc_asprintf(mem_ctx, "%lu",
200 (unsigned long)dom->low_id);
201 gid_str = talloc_asprintf(mem_ctx, "%lu",
202 (unsigned long)dom->low_id);
204 smbldap_set_mod(&mods, LDAP_MOD_ADD,
205 "objectClass", LDAP_OBJ_IDPOOL);
206 smbldap_set_mod(&mods, LDAP_MOD_ADD,
207 get_attr_key2string(idpool_attr_list,
208 LDAP_ATTR_UIDNUMBER),
210 smbldap_set_mod(&mods, LDAP_MOD_ADD,
211 get_attr_key2string(idpool_attr_list,
212 LDAP_ATTR_GIDNUMBER),
215 rc = smbldap_modify(ctx->smbldap_state,
218 ldap_mods_free(mods, True);
220 ret = NT_STATUS_UNSUCCESSFUL;
225 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
227 talloc_free(mem_ctx);
231 /********************************
232 Allocate a new uid or gid
233 ********************************/
235 static NTSTATUS idmap_ldap_allocate_id(struct idmap_domain *dom,
239 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
240 int rc = LDAP_SERVER_DOWN;
242 LDAPMessage *result = NULL;
243 LDAPMessage *entry = NULL;
244 LDAPMod **mods = NULL;
248 const char *dn = NULL;
249 const char **attr_list;
251 struct idmap_ldap_context *ctx;
253 /* Only do query if we are online */
254 if (idmap_is_offline()) {
255 return NT_STATUS_FILE_IS_OFFLINE;
258 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
260 mem_ctx = talloc_new(ctx);
262 DEBUG(0, ("Out of memory!\n"));
263 return NT_STATUS_NO_MEMORY;
270 type = get_attr_key2string(idpool_attr_list,
271 LDAP_ATTR_UIDNUMBER);
275 type = get_attr_key2string(idpool_attr_list,
276 LDAP_ATTR_GIDNUMBER);
280 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
281 return NT_STATUS_INVALID_PARAMETER;
284 filter = talloc_asprintf(mem_ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
285 CHECK_ALLOC_DONE(filter);
287 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
288 CHECK_ALLOC_DONE(attr_list);
290 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
292 rc = smbldap_search(ctx->smbldap_state,
294 LDAP_SCOPE_SUBTREE, filter,
295 attr_list, 0, &result);
297 if (rc != LDAP_SUCCESS) {
298 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
302 talloc_autofree_ldapmsg(mem_ctx, result);
304 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
306 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
310 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
312 dn = smbldap_talloc_dn(mem_ctx,
313 ctx->smbldap_state->ldap_struct,
319 id_str = smbldap_talloc_single_attribute(
320 ctx->smbldap_state->ldap_struct,
321 entry, type, mem_ctx);
322 if (id_str == NULL) {
323 DEBUG(0,("%s attribute not found\n", type));
324 ret = NT_STATUS_UNSUCCESSFUL;
328 xid->id = strtoul(id_str, NULL, 10);
330 /* make sure we still have room to grow */
334 if (xid->id > dom->high_id) {
335 DEBUG(0,("Cannot allocate uid above %lu!\n",
336 (unsigned long)dom->high_id));
342 if (xid->id > dom->high_id) {
343 DEBUG(0,("Cannot allocate gid above %lu!\n",
344 (unsigned long)dom->high_id));
354 new_id_str = talloc_asprintf(mem_ctx, "%lu", (unsigned long)xid->id + 1);
356 DEBUG(0,("Out of memory\n"));
357 ret = NT_STATUS_NO_MEMORY;
361 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
362 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
365 DEBUG(0,("smbldap_set_mod() failed.\n"));
369 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
370 id_str, new_id_str));
372 rc = smbldap_modify(ctx->smbldap_state, dn, mods);
374 ldap_mods_free(mods, True);
376 if (rc != LDAP_SUCCESS) {
377 DEBUG(1,("Failed to allocate new %s. "
378 "smbldap_modify() failed.\n", type));
385 talloc_free(mem_ctx);
390 * Allocate a new unix-ID.
391 * For now this is for the default idmap domain only.
392 * Should be extended later on.
394 static NTSTATUS idmap_ldap_get_new_id(struct idmap_domain *dom,
399 if (!strequal(dom->name, "*")) {
400 DEBUG(3, ("idmap_ldap_get_new_id: "
401 "Refusing allocation of a new unixid for domain'%s'. "
402 "Currently only supported for the default "
405 return NT_STATUS_NOT_IMPLEMENTED;
408 ret = idmap_ldap_allocate_id(dom, id);
414 /**********************************************************************
415 IDMAP MAPPING LDAP BACKEND
416 **********************************************************************/
418 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
420 smbldap_free_struct(&ctx->smbldap_state);
421 DEBUG(5,("The connection to the LDAP server was closed\n"));
422 /* maybe free the results here --metze */
427 /********************************
428 Initialise idmap database.
429 ********************************/
431 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
432 const struct id_map *map);
434 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
438 struct idmap_ldap_context *ctx = NULL;
439 char *config_option = NULL;
440 const char *tmp = NULL;
442 /* Only do init if we are online */
443 if (idmap_is_offline()) {
444 return NT_STATUS_FILE_IS_OFFLINE;
447 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
449 DEBUG(0, ("Out of memory!\n"));
450 return NT_STATUS_NO_MEMORY;
453 if (strequal(dom->name, "*")) {
454 /* more specific configuration can go here */
456 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
457 if ( ! config_option) {
458 DEBUG(0, ("Out of memory!\n"));
459 ret = NT_STATUS_NO_MEMORY;
464 if (params != NULL) {
465 /* assume location is the only parameter */
466 ctx->url = talloc_strdup(ctx, params);
468 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
471 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
472 ret = NT_STATUS_UNSUCCESSFUL;
476 ctx->url = talloc_strdup(ctx, tmp);
478 CHECK_ALLOC_DONE(ctx->url);
480 trim_char(ctx->url, '\"', '\"');
482 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
483 if ( ! tmp || ! *tmp) {
484 tmp = lp_ldap_idmap_suffix();
486 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
487 ret = NT_STATUS_UNSUCCESSFUL;
492 ctx->suffix = talloc_strdup(ctx, tmp);
493 CHECK_ALLOC_DONE(ctx->suffix);
495 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
496 CHECK_ALLOC_DONE(ctx->rw_ops);
498 ctx->rw_ops->get_new_id = idmap_ldap_get_new_id;
499 ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;
501 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
502 &ctx->smbldap_state);
503 if (!NT_STATUS_IS_OK(ret)) {
504 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
508 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
509 dom, &ctx->user_dn );
510 if ( !NT_STATUS_IS_OK(ret) ) {
511 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
512 "credentials (%s)\n", nt_errstr(ret)));
517 * Set the destructor on the context, so that resources are
518 * properly freed when the context is released.
520 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
522 dom->private_data = ctx;
524 ret = verify_idpool(dom);
525 if (!NT_STATUS_IS_OK(ret)) {
526 DEBUG(1, ("idmap_ldap_db_init: failed to verify ID pool (%s)\n",
531 talloc_free(config_option);
544 /* TODO: change this: This function cannot be called to modify a mapping,
545 * only set a new one */
547 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
548 const struct id_map *map)
552 struct idmap_ldap_context *ctx;
553 LDAPMessage *entry = NULL;
554 LDAPMod **mods = NULL;
561 /* Only do query if we are online */
562 if (idmap_is_offline()) {
563 return NT_STATUS_FILE_IS_OFFLINE;
566 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
568 switch(map->xid.type) {
570 type = get_attr_key2string(sidmap_attr_list,
571 LDAP_ATTR_UIDNUMBER);
575 type = get_attr_key2string(sidmap_attr_list,
576 LDAP_ATTR_GIDNUMBER);
580 return NT_STATUS_INVALID_PARAMETER;
583 memctx = talloc_new(ctx);
585 DEBUG(0, ("Out of memory!\n"));
586 return NT_STATUS_NO_MEMORY;
589 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
590 CHECK_ALLOC_DONE(id_str);
592 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
593 CHECK_ALLOC_DONE(sid);
595 dn = talloc_asprintf(memctx, "%s=%s,%s",
596 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
599 CHECK_ALLOC_DONE(dn);
601 smbldap_set_mod(&mods, LDAP_MOD_ADD,
602 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
604 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
605 entry, &mods, type, id_str);
607 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
608 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
612 DEBUG(2, ("ERROR: No mods?\n"));
613 ret = NT_STATUS_UNSUCCESSFUL;
617 /* TODO: remove conflicting mappings! */
619 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
621 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
623 rc = smbldap_add(ctx->smbldap_state, dn, mods);
624 ldap_mods_free(mods, True);
626 if (rc != LDAP_SUCCESS) {
627 char *ld_error = NULL;
628 ldap_get_option(ctx->smbldap_state->ldap_struct,
629 LDAP_OPT_ERROR_STRING, &ld_error);
630 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
631 "mapping [%s]\n", sid,
632 (unsigned long)map->xid.id, type));
633 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
634 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
636 ldap_memfree(ld_error);
638 ret = NT_STATUS_UNSUCCESSFUL;
642 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
643 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
653 * Create a new mapping for an unmapped SID, also allocating a new ID.
654 * If possible, this should be run inside a transaction to make the
657 static NTSTATUS idmap_ldap_new_mapping(struct idmap_domain *dom, struct id_map *map)
660 struct idmap_ldap_context *ctx;
662 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
664 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
670 /* max number of ids requested per batch query */
671 #define IDMAP_LDAP_MAX_IDS 30
673 /**********************************
674 lookup a set of unix ids.
675 **********************************/
677 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
678 * in maps for a match */
679 static struct id_map *find_map_by_id(struct id_map **maps,
685 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
686 if (maps[i] == NULL) { /* end of the run */
689 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
697 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
702 struct idmap_ldap_context *ctx;
703 LDAPMessage *result = NULL;
704 LDAPMessage *entry = NULL;
705 const char *uidNumber;
706 const char *gidNumber;
707 const char **attr_list;
716 /* Only do query if we are online */
717 if (idmap_is_offline()) {
718 return NT_STATUS_FILE_IS_OFFLINE;
721 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
723 memctx = talloc_new(ctx);
725 DEBUG(0, ("Out of memory!\n"));
726 return NT_STATUS_NO_MEMORY;
729 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
730 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
732 attr_list = get_attr_list(memctx, sidmap_attr_list);
735 /* if we are requested just one mapping use the simple filter */
737 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
738 LDAP_OBJ_IDMAP_ENTRY,
739 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
740 (unsigned long)ids[0]->xid.id);
741 CHECK_ALLOC_DONE(filter);
742 DEBUG(10, ("Filter: [%s]\n", filter));
744 /* multiple mappings */
748 for (i = 0; ids[i]; i++) {
749 ids[i]->status = ID_UNKNOWN;
756 filter = talloc_asprintf(memctx,
757 "(&(objectClass=%s)(|",
758 LDAP_OBJ_IDMAP_ENTRY);
759 CHECK_ALLOC_DONE(filter);
762 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
763 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
764 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
765 (unsigned long)ids[idx]->xid.id);
766 CHECK_ALLOC_DONE(filter);
768 filter = talloc_asprintf_append_buffer(filter, "))");
769 CHECK_ALLOC_DONE(filter);
770 DEBUG(10, ("Filter: [%s]\n", filter));
776 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
777 filter, attr_list, 0, &result);
779 if (rc != LDAP_SUCCESS) {
780 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
781 ret = NT_STATUS_UNSUCCESSFUL;
785 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
788 DEBUG(10, ("NO SIDs found\n"));
791 for (i = 0; i < count; i++) {
798 if (i == 0) { /* first entry */
799 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
801 } else { /* following ones */
802 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
806 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
811 /* first check if the SID is present */
812 sidstr = smbldap_talloc_single_attribute(
813 ctx->smbldap_state->ldap_struct,
814 entry, LDAP_ATTRIBUTE_SID, memctx);
815 if ( ! sidstr) { /* no sid, skip entry */
816 DEBUG(2, ("WARNING SID not found on entry\n"));
820 /* now try to see if it is a uid, if not try with a gid
821 * (gid is more common, but in case both uidNumber and
822 * gidNumber are returned the SID is mapped to the uid
825 tmp = smbldap_talloc_single_attribute(
826 ctx->smbldap_state->ldap_struct,
827 entry, uidNumber, memctx);
830 tmp = smbldap_talloc_single_attribute(
831 ctx->smbldap_state->ldap_struct,
832 entry, gidNumber, memctx);
834 if ( ! tmp) { /* wow very strange entry, how did it match ? */
835 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
836 "nor gidNumber returned\n", sidstr));
841 id = strtoul(tmp, NULL, 10);
842 if (!idmap_unix_id_is_in_range(id, dom)) {
843 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
845 dom->low_id, dom->high_id));
852 map = find_map_by_id(&ids[bidx], type, id);
854 DEBUG(2, ("WARNING: couldn't match sid (%s) "
855 "with requested ids\n", sidstr));
860 if ( ! string_to_sid(map->sid, sidstr)) {
861 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
866 if (map->status == ID_MAPPED) {
867 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
868 "overwriting mapping %u -> %s with %u -> %s\n",
869 (type == ID_TYPE_UID) ? "UID" : "GID",
870 id, sid_string_dbg(map->sid), id, sidstr));
876 map->status = ID_MAPPED;
878 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
879 (unsigned long)map->xid.id, map->xid.type));
882 /* free the ldap results */
884 ldap_msgfree(result);
888 if (multi && ids[idx]) { /* still some values to map */
894 /* mark all unknwon/expired ones as unmapped */
895 for (i = 0; ids[i]; i++) {
896 if (ids[i]->status != ID_MAPPED)
897 ids[i]->status = ID_UNMAPPED;
905 /**********************************
906 lookup a set of sids.
907 **********************************/
909 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
910 * in maps for a match */
911 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
915 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
916 if (maps[i] == NULL) { /* end of the run */
919 if (dom_sid_equal(maps[i]->sid, sid)) {
927 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
930 LDAPMessage *entry = NULL;
933 struct idmap_ldap_context *ctx;
934 LDAPMessage *result = NULL;
935 const char *uidNumber;
936 const char *gidNumber;
937 const char **attr_list;
946 /* Only do query if we are online */
947 if (idmap_is_offline()) {
948 return NT_STATUS_FILE_IS_OFFLINE;
951 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
953 memctx = talloc_new(ctx);
955 DEBUG(0, ("Out of memory!\n"));
956 return NT_STATUS_NO_MEMORY;
959 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
960 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
962 attr_list = get_attr_list(memctx, sidmap_attr_list);
965 /* if we are requested just one mapping use the simple filter */
967 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
968 LDAP_OBJ_IDMAP_ENTRY,
970 sid_string_talloc(memctx, ids[0]->sid));
971 CHECK_ALLOC_DONE(filter);
972 DEBUG(10, ("Filter: [%s]\n", filter));
974 /* multiple mappings */
978 for (i = 0; ids[i]; i++) {
979 ids[i]->status = ID_UNKNOWN;
986 filter = talloc_asprintf(memctx,
987 "(&(objectClass=%s)(|",
988 LDAP_OBJ_IDMAP_ENTRY);
989 CHECK_ALLOC_DONE(filter);
992 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
993 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
995 sid_string_talloc(memctx,
997 CHECK_ALLOC_DONE(filter);
999 filter = talloc_asprintf_append_buffer(filter, "))");
1000 CHECK_ALLOC_DONE(filter);
1001 DEBUG(10, ("Filter: [%s]", filter));
1007 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1008 filter, attr_list, 0, &result);
1010 if (rc != LDAP_SUCCESS) {
1011 DEBUG(3,("Failure looking up sids (%s)\n",
1012 ldap_err2string(rc)));
1013 ret = NT_STATUS_UNSUCCESSFUL;
1017 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1020 DEBUG(10, ("NO SIDs found\n"));
1023 for (i = 0; i < count; i++) {
1024 char *sidstr = NULL;
1031 if (i == 0) { /* first entry */
1032 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1034 } else { /* following ones */
1035 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1039 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1044 /* first check if the SID is present */
1045 sidstr = smbldap_talloc_single_attribute(
1046 ctx->smbldap_state->ldap_struct,
1047 entry, LDAP_ATTRIBUTE_SID, memctx);
1048 if ( ! sidstr) { /* no sid ??, skip entry */
1049 DEBUG(2, ("WARNING SID not found on entry\n"));
1053 if ( ! string_to_sid(&sid, sidstr)) {
1054 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1055 TALLOC_FREE(sidstr);
1059 map = find_map_by_sid(&ids[bidx], &sid);
1061 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1063 TALLOC_FREE(sidstr);
1067 /* now try to see if it is a uid, if not try with a gid
1068 * (gid is more common, but in case both uidNumber and
1069 * gidNumber are returned the SID is mapped to the uid
1072 tmp = smbldap_talloc_single_attribute(
1073 ctx->smbldap_state->ldap_struct,
1074 entry, uidNumber, memctx);
1077 tmp = smbldap_talloc_single_attribute(
1078 ctx->smbldap_state->ldap_struct,
1079 entry, gidNumber, memctx);
1081 if ( ! tmp) { /* no ids ?? */
1082 DEBUG(5, ("no uidNumber, "
1083 "nor gidNumber attributes found\n"));
1084 TALLOC_FREE(sidstr);
1088 id = strtoul(tmp, NULL, 10);
1089 if (!idmap_unix_id_is_in_range(id, dom)) {
1090 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1092 dom->low_id, dom->high_id));
1093 TALLOC_FREE(sidstr);
1099 if (map->status == ID_MAPPED) {
1100 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1101 "overwriting mapping %s -> %u with %s -> %u\n",
1102 (type == ID_TYPE_UID) ? "UID" : "GID",
1103 sidstr, map->xid.id, sidstr, id));
1106 TALLOC_FREE(sidstr);
1109 map->xid.type = type;
1111 map->status = ID_MAPPED;
1113 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1114 (unsigned long)map->xid.id, map->xid.type));
1117 /* free the ldap results */
1119 ldap_msgfree(result);
1123 if (multi && ids[idx]) { /* still some values to map */
1128 * try to create new mappings for unmapped sids
1130 for (i = 0; ids[i]; i++) {
1131 if (ids[i]->status != ID_MAPPED) {
1132 ids[i]->status = ID_UNMAPPED;
1133 if (ids[i]->sid != NULL) {
1134 ret = idmap_ldap_new_mapping(dom, ids[i]);
1135 if (!NT_STATUS_IS_OK(ret)) {
1145 talloc_free(memctx);
1149 /**********************************
1150 Close the idmap ldap instance
1151 **********************************/
1153 static struct idmap_methods idmap_ldap_methods = {
1155 .init = idmap_ldap_db_init,
1156 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1157 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1158 .allocate_id = idmap_ldap_get_new_id,
1161 NTSTATUS idmap_ldap_init(void);
1162 NTSTATUS idmap_ldap_init(void)
1164 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1165 &idmap_ldap_methods);