2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
10 Copyright (C) Michael Adam 2010
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
31 #include "../libcli/security/security.h"
34 #define DBGC_CLASS DBGC_IDMAP
41 static char *idmap_fetch_secret(const char *backend, bool alloc,
42 const char *domain, const char *identity)
48 r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend);
50 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
56 strupper_m(tmp); /* make sure the key is case insensitive */
57 ret = secrets_fetch_generic(tmp, identity);
64 struct idmap_ldap_alloc_context {
65 struct smbldap_state *smbldap_state;
71 struct idmap_ldap_context {
72 struct smbldap_state *smbldap_state;
77 struct idmap_rw_ops *rw_ops;
80 #define CHECK_ALLOC_DONE(mem) do { \
82 DEBUG(0, ("Out of memory!\n")); \
83 ret = NT_STATUS_NO_MEMORY; \
87 /**********************************************************************
88 IDMAP ALLOC TDB BACKEND
89 **********************************************************************/
91 /*********************************************************************
92 ********************************************************************/
94 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
95 struct smbldap_state *ldap_state,
96 const char *config_option,
97 struct idmap_domain *dom,
100 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
102 const char *tmp = NULL;
103 char *user_dn = NULL;
106 /* assume anonymous if we don't have a specified user */
108 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
112 /* only the alloc backend can pass in a NULL dom */
113 secret = idmap_fetch_secret("ldap", True,
116 secret = idmap_fetch_secret("ldap", False,
121 DEBUG(0, ("get_credentials: Unable to fetch "
122 "auth credentials for %s in %s\n",
123 tmp, (dom==NULL)?"ALLOC":dom->name));
124 ret = NT_STATUS_ACCESS_DENIED;
127 *dn = talloc_strdup(mem_ctx, tmp);
128 CHECK_ALLOC_DONE(*dn);
130 if (!fetch_ldap_pw(&user_dn, &secret)) {
131 DEBUG(2, ("get_credentials: Failed to lookup ldap "
132 "bind creds. Using anonymous connection.\n"));
136 *dn = talloc_strdup(mem_ctx, user_dn);
137 SAFE_FREE( user_dn );
138 CHECK_ALLOC_DONE(*dn);
142 smbldap_set_creds(ldap_state, anon, *dn, secret);
152 /**********************************************************************
153 Verify the sambaUnixIdPool entry in the directory.
154 **********************************************************************/
156 static NTSTATUS verify_idpool(struct idmap_domain *dom)
160 LDAPMessage *result = NULL;
161 LDAPMod **mods = NULL;
162 const char **attr_list;
166 struct idmap_ldap_context *ctx;
168 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
170 mem_ctx = talloc_new(ctx);
171 if (mem_ctx == NULL) {
172 DEBUG(0, ("Out of memory!\n"));
173 return NT_STATUS_NO_MEMORY;
176 filter = talloc_asprintf(mem_ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
177 CHECK_ALLOC_DONE(filter);
179 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
180 CHECK_ALLOC_DONE(attr_list);
182 rc = smbldap_search(ctx->smbldap_state,
190 if (rc != LDAP_SUCCESS) {
191 DEBUG(1, ("Unable to verify the idpool, "
192 "cannot continue initialization!\n"));
193 return NT_STATUS_UNSUCCESSFUL;
196 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
198 ldap_msgfree(result);
201 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
202 filter, ctx->suffix));
203 ret = NT_STATUS_UNSUCCESSFUL;
206 else if (count == 0) {
207 char *uid_str, *gid_str;
209 uid_str = talloc_asprintf(mem_ctx, "%lu",
210 (unsigned long)dom->low_id);
211 gid_str = talloc_asprintf(mem_ctx, "%lu",
212 (unsigned long)dom->low_id);
214 smbldap_set_mod(&mods, LDAP_MOD_ADD,
215 "objectClass", LDAP_OBJ_IDPOOL);
216 smbldap_set_mod(&mods, LDAP_MOD_ADD,
217 get_attr_key2string(idpool_attr_list,
218 LDAP_ATTR_UIDNUMBER),
220 smbldap_set_mod(&mods, LDAP_MOD_ADD,
221 get_attr_key2string(idpool_attr_list,
222 LDAP_ATTR_GIDNUMBER),
225 rc = smbldap_modify(ctx->smbldap_state,
228 ldap_mods_free(mods, True);
230 ret = NT_STATUS_UNSUCCESSFUL;
235 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
237 talloc_free(mem_ctx);
241 /********************************
242 Allocate a new uid or gid
243 ********************************/
245 static NTSTATUS idmap_ldap_allocate_id(struct idmap_domain *dom,
249 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
250 int rc = LDAP_SERVER_DOWN;
252 LDAPMessage *result = NULL;
253 LDAPMessage *entry = NULL;
254 LDAPMod **mods = NULL;
258 const char *dn = NULL;
259 const char **attr_list;
261 struct idmap_ldap_context *ctx;
263 /* Only do query if we are online */
264 if (idmap_is_offline()) {
265 return NT_STATUS_FILE_IS_OFFLINE;
268 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
270 mem_ctx = talloc_new(ctx);
272 DEBUG(0, ("Out of memory!\n"));
273 return NT_STATUS_NO_MEMORY;
280 type = get_attr_key2string(idpool_attr_list,
281 LDAP_ATTR_UIDNUMBER);
285 type = get_attr_key2string(idpool_attr_list,
286 LDAP_ATTR_GIDNUMBER);
290 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
291 return NT_STATUS_INVALID_PARAMETER;
294 filter = talloc_asprintf(mem_ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
295 CHECK_ALLOC_DONE(filter);
297 attr_list = get_attr_list(mem_ctx, idpool_attr_list);
298 CHECK_ALLOC_DONE(attr_list);
300 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
302 rc = smbldap_search(ctx->smbldap_state,
304 LDAP_SCOPE_SUBTREE, filter,
305 attr_list, 0, &result);
307 if (rc != LDAP_SUCCESS) {
308 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
312 talloc_autofree_ldapmsg(mem_ctx, result);
314 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
316 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
320 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
322 dn = smbldap_talloc_dn(mem_ctx,
323 ctx->smbldap_state->ldap_struct,
329 id_str = smbldap_talloc_single_attribute(
330 ctx->smbldap_state->ldap_struct,
331 entry, type, mem_ctx);
332 if (id_str == NULL) {
333 DEBUG(0,("%s attribute not found\n", type));
334 ret = NT_STATUS_UNSUCCESSFUL;
338 xid->id = strtoul(id_str, NULL, 10);
340 /* make sure we still have room to grow */
344 if (xid->id > dom->high_id) {
345 DEBUG(0,("Cannot allocate uid above %lu!\n",
346 (unsigned long)dom->high_id));
352 if (xid->id > dom->high_id) {
353 DEBUG(0,("Cannot allocate gid above %lu!\n",
354 (unsigned long)dom->high_id));
364 new_id_str = talloc_asprintf(mem_ctx, "%lu", (unsigned long)xid->id + 1);
366 DEBUG(0,("Out of memory\n"));
367 ret = NT_STATUS_NO_MEMORY;
371 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
372 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
375 DEBUG(0,("smbldap_set_mod() failed.\n"));
379 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
380 id_str, new_id_str));
382 rc = smbldap_modify(ctx->smbldap_state, dn, mods);
384 ldap_mods_free(mods, True);
386 if (rc != LDAP_SUCCESS) {
387 DEBUG(1,("Failed to allocate new %s. "
388 "smbldap_modify() failed.\n", type));
395 talloc_free(mem_ctx);
400 * Allocate a new unix-ID.
401 * For now this is for the default idmap domain only.
402 * Should be extended later on.
404 static NTSTATUS idmap_ldap_get_new_id(struct idmap_domain *dom,
409 if (!strequal(dom->name, "*")) {
410 DEBUG(3, ("idmap_ldap_get_new_id: "
411 "Refusing allocation of a new unixid for domain'%s'. "
412 "Currently only supported for the default "
415 return NT_STATUS_NOT_IMPLEMENTED;
418 ret = idmap_ldap_allocate_id(dom, id);
424 /**********************************************************************
425 IDMAP MAPPING LDAP BACKEND
426 **********************************************************************/
428 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
430 smbldap_free_struct(&ctx->smbldap_state);
431 DEBUG(5,("The connection to the LDAP server was closed\n"));
432 /* maybe free the results here --metze */
437 /********************************
438 Initialise idmap database.
439 ********************************/
441 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
442 const struct id_map *map);
444 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
448 struct idmap_ldap_context *ctx = NULL;
449 char *config_option = NULL;
450 const char *tmp = NULL;
452 /* Only do init if we are online */
453 if (idmap_is_offline()) {
454 return NT_STATUS_FILE_IS_OFFLINE;
457 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
459 DEBUG(0, ("Out of memory!\n"));
460 return NT_STATUS_NO_MEMORY;
463 if (strequal(dom->name, "*")) {
464 /* more specific configuration can go here */
466 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
467 if ( ! config_option) {
468 DEBUG(0, ("Out of memory!\n"));
469 ret = NT_STATUS_NO_MEMORY;
474 if (params != NULL) {
475 /* assume location is the only parameter */
476 ctx->url = talloc_strdup(ctx, params);
478 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
481 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
482 ret = NT_STATUS_UNSUCCESSFUL;
486 ctx->url = talloc_strdup(ctx, tmp);
488 CHECK_ALLOC_DONE(ctx->url);
490 trim_char(ctx->url, '\"', '\"');
492 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
493 if ( ! tmp || ! *tmp) {
494 tmp = lp_ldap_idmap_suffix();
496 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
497 ret = NT_STATUS_UNSUCCESSFUL;
502 ctx->suffix = talloc_strdup(ctx, tmp);
503 CHECK_ALLOC_DONE(ctx->suffix);
505 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
506 CHECK_ALLOC_DONE(ctx->rw_ops);
508 ctx->rw_ops->get_new_id = idmap_ldap_get_new_id;
509 ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;
511 ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
512 &ctx->smbldap_state);
513 if (!NT_STATUS_IS_OK(ret)) {
514 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
518 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
519 dom, &ctx->user_dn );
520 if ( !NT_STATUS_IS_OK(ret) ) {
521 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
522 "credentials (%s)\n", nt_errstr(ret)));
526 /* set the destructor on the context, so that resource are properly
527 freed if the contexts is released */
529 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
531 dom->private_data = ctx;
533 ret = verify_idpool(dom);
534 if (!NT_STATUS_IS_OK(ret)) {
535 DEBUG(1, ("idmap_ldap_db_init: failed to verify ID pool (%s)\n",
540 talloc_free(config_option);
553 /* TODO: change this: This function cannot be called to modify a mapping,
554 * only set a new one */
556 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
557 const struct id_map *map)
561 struct idmap_ldap_context *ctx;
562 LDAPMessage *entry = NULL;
563 LDAPMod **mods = NULL;
570 /* Only do query if we are online */
571 if (idmap_is_offline()) {
572 return NT_STATUS_FILE_IS_OFFLINE;
575 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
577 switch(map->xid.type) {
579 type = get_attr_key2string(sidmap_attr_list,
580 LDAP_ATTR_UIDNUMBER);
584 type = get_attr_key2string(sidmap_attr_list,
585 LDAP_ATTR_GIDNUMBER);
589 return NT_STATUS_INVALID_PARAMETER;
592 memctx = talloc_new(ctx);
594 DEBUG(0, ("Out of memory!\n"));
595 return NT_STATUS_NO_MEMORY;
598 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
599 CHECK_ALLOC_DONE(id_str);
601 sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
602 CHECK_ALLOC_DONE(sid);
604 dn = talloc_asprintf(memctx, "%s=%s,%s",
605 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
608 CHECK_ALLOC_DONE(dn);
610 smbldap_set_mod(&mods, LDAP_MOD_ADD,
611 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
613 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
614 entry, &mods, type, id_str);
616 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
617 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
621 DEBUG(2, ("ERROR: No mods?\n"));
622 ret = NT_STATUS_UNSUCCESSFUL;
626 /* TODO: remove conflicting mappings! */
628 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
630 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
632 rc = smbldap_add(ctx->smbldap_state, dn, mods);
633 ldap_mods_free(mods, True);
635 if (rc != LDAP_SUCCESS) {
636 char *ld_error = NULL;
637 ldap_get_option(ctx->smbldap_state->ldap_struct,
638 LDAP_OPT_ERROR_STRING, &ld_error);
639 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
640 "mapping [%s]\n", sid,
641 (unsigned long)map->xid.id, type));
642 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
643 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
645 ldap_memfree(ld_error);
647 ret = NT_STATUS_UNSUCCESSFUL;
651 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
652 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
662 * Create a new mapping for an unmapped SID, also allocating a new ID.
663 * If possible, this should be run inside a transaction to make the
666 static NTSTATUS idmap_ldap_new_mapping(struct idmap_domain *dom, struct id_map *map)
669 struct idmap_ldap_context *ctx;
671 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
673 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
679 /* max number of ids requested per batch query */
680 #define IDMAP_LDAP_MAX_IDS 30
682 /**********************************
683 lookup a set of unix ids.
684 **********************************/
686 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
687 * in maps for a match */
688 static struct id_map *find_map_by_id(struct id_map **maps,
694 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
695 if (maps[i] == NULL) { /* end of the run */
698 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
706 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
711 struct idmap_ldap_context *ctx;
712 LDAPMessage *result = NULL;
713 LDAPMessage *entry = NULL;
714 const char *uidNumber;
715 const char *gidNumber;
716 const char **attr_list;
725 /* Only do query if we are online */
726 if (idmap_is_offline()) {
727 return NT_STATUS_FILE_IS_OFFLINE;
730 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
732 memctx = talloc_new(ctx);
734 DEBUG(0, ("Out of memory!\n"));
735 return NT_STATUS_NO_MEMORY;
738 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
739 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
741 attr_list = get_attr_list(memctx, sidmap_attr_list);
744 /* if we are requested just one mapping use the simple filter */
746 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
747 LDAP_OBJ_IDMAP_ENTRY,
748 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
749 (unsigned long)ids[0]->xid.id);
750 CHECK_ALLOC_DONE(filter);
751 DEBUG(10, ("Filter: [%s]\n", filter));
753 /* multiple mappings */
757 for (i = 0; ids[i]; i++) {
758 ids[i]->status = ID_UNKNOWN;
765 filter = talloc_asprintf(memctx,
766 "(&(objectClass=%s)(|",
767 LDAP_OBJ_IDMAP_ENTRY);
768 CHECK_ALLOC_DONE(filter);
771 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
772 filter = talloc_asprintf_append_buffer(filter, "(%s=%lu)",
773 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
774 (unsigned long)ids[idx]->xid.id);
775 CHECK_ALLOC_DONE(filter);
777 filter = talloc_asprintf_append_buffer(filter, "))");
778 CHECK_ALLOC_DONE(filter);
779 DEBUG(10, ("Filter: [%s]\n", filter));
785 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
786 filter, attr_list, 0, &result);
788 if (rc != LDAP_SUCCESS) {
789 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
790 ret = NT_STATUS_UNSUCCESSFUL;
794 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
797 DEBUG(10, ("NO SIDs found\n"));
800 for (i = 0; i < count; i++) {
807 if (i == 0) { /* first entry */
808 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
810 } else { /* following ones */
811 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
815 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
820 /* first check if the SID is present */
821 sidstr = smbldap_talloc_single_attribute(
822 ctx->smbldap_state->ldap_struct,
823 entry, LDAP_ATTRIBUTE_SID, memctx);
824 if ( ! sidstr) { /* no sid, skip entry */
825 DEBUG(2, ("WARNING SID not found on entry\n"));
829 /* now try to see if it is a uid, if not try with a gid
830 * (gid is more common, but in case both uidNumber and
831 * gidNumber are returned the SID is mapped to the uid
834 tmp = smbldap_talloc_single_attribute(
835 ctx->smbldap_state->ldap_struct,
836 entry, uidNumber, memctx);
839 tmp = smbldap_talloc_single_attribute(
840 ctx->smbldap_state->ldap_struct,
841 entry, gidNumber, memctx);
843 if ( ! tmp) { /* wow very strange entry, how did it match ? */
844 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
845 "nor gidNumber returned\n", sidstr));
850 id = strtoul(tmp, NULL, 10);
851 if (!idmap_unix_id_is_in_range(id, dom)) {
852 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
854 dom->low_id, dom->high_id));
861 map = find_map_by_id(&ids[bidx], type, id);
863 DEBUG(2, ("WARNING: couldn't match sid (%s) "
864 "with requested ids\n", sidstr));
869 if ( ! string_to_sid(map->sid, sidstr)) {
870 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
875 if (map->status == ID_MAPPED) {
876 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
877 "overwriting mapping %u -> %s with %u -> %s\n",
878 (type == ID_TYPE_UID) ? "UID" : "GID",
879 id, sid_string_dbg(map->sid), id, sidstr));
885 map->status = ID_MAPPED;
887 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
888 (unsigned long)map->xid.id, map->xid.type));
891 /* free the ldap results */
893 ldap_msgfree(result);
897 if (multi && ids[idx]) { /* still some values to map */
903 /* mark all unknwon/expired ones as unmapped */
904 for (i = 0; ids[i]; i++) {
905 if (ids[i]->status != ID_MAPPED)
906 ids[i]->status = ID_UNMAPPED;
914 /**********************************
915 lookup a set of sids.
916 **********************************/
918 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
919 * in maps for a match */
920 static struct id_map *find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
924 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
925 if (maps[i] == NULL) { /* end of the run */
928 if (dom_sid_equal(maps[i]->sid, sid)) {
936 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
939 LDAPMessage *entry = NULL;
942 struct idmap_ldap_context *ctx;
943 LDAPMessage *result = NULL;
944 const char *uidNumber;
945 const char *gidNumber;
946 const char **attr_list;
955 /* Only do query if we are online */
956 if (idmap_is_offline()) {
957 return NT_STATUS_FILE_IS_OFFLINE;
960 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
962 memctx = talloc_new(ctx);
964 DEBUG(0, ("Out of memory!\n"));
965 return NT_STATUS_NO_MEMORY;
968 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
969 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
971 attr_list = get_attr_list(memctx, sidmap_attr_list);
974 /* if we are requested just one mapping use the simple filter */
976 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
977 LDAP_OBJ_IDMAP_ENTRY,
979 sid_string_talloc(memctx, ids[0]->sid));
980 CHECK_ALLOC_DONE(filter);
981 DEBUG(10, ("Filter: [%s]\n", filter));
983 /* multiple mappings */
987 for (i = 0; ids[i]; i++) {
988 ids[i]->status = ID_UNKNOWN;
995 filter = talloc_asprintf(memctx,
996 "(&(objectClass=%s)(|",
997 LDAP_OBJ_IDMAP_ENTRY);
998 CHECK_ALLOC_DONE(filter);
1001 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1002 filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
1004 sid_string_talloc(memctx,
1006 CHECK_ALLOC_DONE(filter);
1008 filter = talloc_asprintf_append_buffer(filter, "))");
1009 CHECK_ALLOC_DONE(filter);
1010 DEBUG(10, ("Filter: [%s]", filter));
1016 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1017 filter, attr_list, 0, &result);
1019 if (rc != LDAP_SUCCESS) {
1020 DEBUG(3,("Failure looking up sids (%s)\n",
1021 ldap_err2string(rc)));
1022 ret = NT_STATUS_UNSUCCESSFUL;
1026 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1029 DEBUG(10, ("NO SIDs found\n"));
1032 for (i = 0; i < count; i++) {
1033 char *sidstr = NULL;
1040 if (i == 0) { /* first entry */
1041 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1043 } else { /* following ones */
1044 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1048 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1053 /* first check if the SID is present */
1054 sidstr = smbldap_talloc_single_attribute(
1055 ctx->smbldap_state->ldap_struct,
1056 entry, LDAP_ATTRIBUTE_SID, memctx);
1057 if ( ! sidstr) { /* no sid ??, skip entry */
1058 DEBUG(2, ("WARNING SID not found on entry\n"));
1062 if ( ! string_to_sid(&sid, sidstr)) {
1063 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1064 TALLOC_FREE(sidstr);
1068 map = find_map_by_sid(&ids[bidx], &sid);
1070 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1072 TALLOC_FREE(sidstr);
1076 /* now try to see if it is a uid, if not try with a gid
1077 * (gid is more common, but in case both uidNumber and
1078 * gidNumber are returned the SID is mapped to the uid
1081 tmp = smbldap_talloc_single_attribute(
1082 ctx->smbldap_state->ldap_struct,
1083 entry, uidNumber, memctx);
1086 tmp = smbldap_talloc_single_attribute(
1087 ctx->smbldap_state->ldap_struct,
1088 entry, gidNumber, memctx);
1090 if ( ! tmp) { /* no ids ?? */
1091 DEBUG(5, ("no uidNumber, "
1092 "nor gidNumber attributes found\n"));
1093 TALLOC_FREE(sidstr);
1097 id = strtoul(tmp, NULL, 10);
1098 if (!idmap_unix_id_is_in_range(id, dom)) {
1099 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1101 dom->low_id, dom->high_id));
1102 TALLOC_FREE(sidstr);
1108 if (map->status == ID_MAPPED) {
1109 DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
1110 "overwriting mapping %s -> %u with %s -> %u\n",
1111 (type == ID_TYPE_UID) ? "UID" : "GID",
1112 sidstr, map->xid.id, sidstr, id));
1115 TALLOC_FREE(sidstr);
1118 map->xid.type = type;
1120 map->status = ID_MAPPED;
1122 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
1123 (unsigned long)map->xid.id, map->xid.type));
1126 /* free the ldap results */
1128 ldap_msgfree(result);
1132 if (multi && ids[idx]) { /* still some values to map */
1137 * try to create new mappings for unmapped sids
1139 for (i = 0; ids[i]; i++) {
1140 if (ids[i]->status != ID_MAPPED) {
1141 ids[i]->status = ID_UNMAPPED;
1142 if (ids[i]->sid != NULL) {
1143 ret = idmap_ldap_new_mapping(dom, ids[i]);
1144 if (!NT_STATUS_IS_OK(ret)) {
1154 talloc_free(memctx);
1158 /**********************************
1159 Close the idmap ldap instance
1160 **********************************/
1162 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1164 struct idmap_ldap_context *ctx;
1166 if (dom->private_data) {
1167 ctx = talloc_get_type(dom->private_data,
1168 struct idmap_ldap_context);
1171 dom->private_data = NULL;
1174 return NT_STATUS_OK;
1177 static struct idmap_methods idmap_ldap_methods = {
1179 .init = idmap_ldap_db_init,
1180 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1181 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1182 .allocate_id = idmap_ldap_get_new_id,
1183 .close_fn = idmap_ldap_close
1186 NTSTATUS idmap_ldap_init(void);
1187 NTSTATUS idmap_ldap_init(void)
1189 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1190 &idmap_ldap_methods);