s3:idmap_ldap: filter out of range mappings in default idmap config

[kai/samba.git] / source3 / winbindd / idmap_ldap.c

diff --git a/source3/winbindd/idmap_ldap.c b/source3/winbindd/idmap_ldap.c
index 88ece8c7de4706d0eff30a38da73524a3165fec0..3d1dd488d6bb11b55513659a2e2d0d1bf9454f66 100644 (file)
--- a/source3/winbindd/idmap_ldap.c
+++ b/source3/winbindd/idmap_ldap.c
@@ -765,7 +765,6 @@ static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
        NTSTATUS ret;
        struct idmap_ldap_context *ctx = NULL;
        char *config_option = NULL;
-       const char *range = NULL;
        const char *tmp = NULL;
 
        /* Only do init if we are online */
@@ -779,23 +778,63 @@ static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom,
                return NT_STATUS_NO_MEMORY;
        }
 
-       config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
-       if ( ! config_option) {
-               DEBUG(0, ("Out of memory!\n"));
-               ret = NT_STATUS_NO_MEMORY;
-               goto done;
-       }
+       if (strequal(dom->name, "*")) {
+               uid_t low_uid = 0;
+               uid_t high_uid = 0;
+               gid_t low_gid = 0;
+               gid_t high_gid = 0;
 
-       /* load ranges */
-       range = lp_parm_const_string(-1, config_option, "range", NULL);
-       if (range && range[0]) {
-               if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
-                                               &ctx->filter_high_id) != 2) ||
-                   (ctx->filter_low_id > ctx->filter_high_id)) {
-                       DEBUG(1, ("ERROR: invalid filter range [%s]", range));
-                       ctx->filter_low_id = 0;
-                       ctx->filter_high_id = 0;
+               ctx->filter_low_id = 0;
+               ctx->filter_high_id = 0;
+
+               if (lp_idmap_uid(&low_uid, &high_uid)) {
+                       ctx->filter_low_id = low_uid;
+                       ctx->filter_high_id = high_uid;
+               } else {
+                       DEBUG(3, ("Warning: 'idmap uid' not set!\n"));
+               }
+
+               if (lp_idmap_gid(&low_gid, &high_gid)) {
+                       if ((low_gid != low_uid) || (high_gid != high_uid)) {
+                               DEBUG(1, ("Warning: 'idmap uid' and 'idmap gid'"
+                                     " ranges do not agree -- building "
+                                     "intersection\n"));
+                               ctx->filter_low_id = MAX(ctx->filter_low_id,
+                                                        low_gid);
+                               ctx->filter_high_id = MIN(ctx->filter_high_id,
+                                                         high_gid);
+                       }
+               } else {
+                       DEBUG(3, ("Warning: 'idmap gid' not set!\n"));
+               }
+       } else {
+               const char *range = NULL;
+
+               config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
+               if ( ! config_option) {
+                       DEBUG(0, ("Out of memory!\n"));
+                       ret = NT_STATUS_NO_MEMORY;
+                       goto done;
                }
+
+               /* load ranges */
+               range = lp_parm_const_string(-1, config_option, "range", NULL);
+               if (range && range[0]) {
+                       if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
+                                                       &ctx->filter_high_id) != 2))
+                       {
+                               DEBUG(1, ("ERROR: invalid filter range [%s]", range));
+                               ctx->filter_low_id = 0;
+                               ctx->filter_high_id = 0;
+                       }
+               }
+       }
+
+       if (ctx->filter_low_id > ctx->filter_high_id) {
+               DEBUG(1, ("ERROR: invalid filter range [%u-%u]",
+                     ctx->filter_low_id, ctx->filter_high_id));
+               ctx->filter_low_id = 0;
+               ctx->filter_high_id = 0;
        }
 
        if (params != NULL) {