2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 #define DBGC_CLASS DBGC_IDMAP
36 struct idmap_ldap_alloc_context {
37 struct smbldap_state *smbldap_state;
41 uid_t low_uid, high_uid; /* Range of uids */
42 gid_t low_gid, high_gid; /* Range of gids */
46 #define CHECK_ALLOC_DONE(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while (0)
48 /**********************************************************************
49 IDMAP ALLOC TDB BACKEND
50 **********************************************************************/
52 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
54 /**********************************************************************
55 Verify the sambaUnixIdPool entry in the directory.
56 **********************************************************************/
58 static NTSTATUS verify_idpool(void)
62 LDAPMessage *result = NULL;
63 LDAPMod **mods = NULL;
64 const char **attr_list;
69 if ( ! idmap_alloc_ldap) {
70 return NT_STATUS_UNSUCCESSFUL;
73 ctx = talloc_new(idmap_alloc_ldap);
75 DEBUG(0, ("Out of memory!\n"));
76 return NT_STATUS_NO_MEMORY;
79 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
80 CHECK_ALLOC_DONE(filter);
82 attr_list = get_attr_list(ctx, idpool_attr_list);
83 CHECK_ALLOC_DONE(attr_list);
85 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
86 idmap_alloc_ldap->suffix,
93 if (rc != LDAP_SUCCESS) {
94 return NT_STATUS_UNSUCCESSFUL;
97 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
102 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
103 filter, idmap_alloc_ldap->suffix));
104 ret = NT_STATUS_UNSUCCESSFUL;
107 else if (count == 0) {
108 char *uid_str, *gid_str;
110 uid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_uid);
111 gid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_gid);
113 smbldap_set_mod(&mods, LDAP_MOD_ADD,
114 "objectClass", LDAP_OBJ_IDPOOL);
115 smbldap_set_mod(&mods, LDAP_MOD_ADD,
116 get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER),
118 smbldap_set_mod(&mods, LDAP_MOD_ADD,
119 get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER),
122 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
123 idmap_alloc_ldap->suffix,
125 ldap_mods_free(mods, True);
127 ret = NT_STATUS_UNSUCCESSFUL;
132 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
138 /*****************************************************************************
139 Initialise idmap database.
140 *****************************************************************************/
142 static NTSTATUS idmap_ldap_alloc_init(const char *params)
149 uint32_t high_id = 0;
151 idmap_alloc_ldap = talloc_zero(NULL, struct idmap_ldap_alloc_context);
152 if (!idmap_alloc_ldap) {
153 DEBUG(0, ("Out of memory!\n"));
154 return NT_STATUS_NO_MEMORY;
158 idmap_alloc_ldap->low_uid = 0;
159 idmap_alloc_ldap->high_uid = 0;
160 idmap_alloc_ldap->low_gid = 0;
161 idmap_alloc_ldap->high_gid = 0;
163 range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
164 if (range && range[0]) {
165 if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
166 if (low_id < high_id) {
167 idmap_alloc_ldap->low_gid = idmap_alloc_ldap->low_uid = low_id;
168 idmap_alloc_ldap->high_gid = idmap_alloc_ldap->high_uid = high_id;
170 DEBUG(1, ("ERROR: invalid idmap alloc range [%s]", range));
173 DEBUG(1, ("ERROR: invalid syntax for idmap alloc config:range [%s]", range));
177 if (lp_idmap_uid(&low_id, &high_id)) {
178 idmap_alloc_ldap->low_uid = low_id;
179 idmap_alloc_ldap->high_uid = high_id;
182 if (lp_idmap_gid(&low_id, &high_id)) {
183 idmap_alloc_ldap->low_gid = low_id;
184 idmap_alloc_ldap->high_gid= high_id;
187 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
188 DEBUG(1, ("idmap uid range missing or invalid\n"));
189 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
190 talloc_free(idmap_alloc_ldap);
191 return NT_STATUS_UNSUCCESSFUL;
194 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
195 DEBUG(1, ("idmap gid range missing or invalid\n"));
196 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
197 talloc_free(idmap_alloc_ldap);
198 return NT_STATUS_UNSUCCESSFUL;
201 if (params && *params) {
202 /* assume location is the only parameter */
203 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
205 tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_url", NULL);
208 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
209 talloc_free(idmap_alloc_ldap);
210 return NT_STATUS_UNSUCCESSFUL;
213 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
215 if ( ! idmap_alloc_ldap->url) {
216 talloc_free(idmap_alloc_ldap);
217 DEBUG(0, ("Out of memory!\n"));
218 return NT_STATUS_NO_MEMORY;
221 tmp = lp_ldap_idmap_suffix();
222 if ( ! tmp || ! *tmp) {
223 tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_base_dn", NULL);
226 tmp = lp_ldap_suffix();
228 DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
229 DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
233 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
234 talloc_free(idmap_alloc_ldap);
235 return NT_STATUS_UNSUCCESSFUL;
237 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
238 if ( ! idmap_alloc_ldap->suffix) {
239 talloc_free(idmap_alloc_ldap);
240 DEBUG(0, ("Out of memory!\n"));
241 return NT_STATUS_NO_MEMORY;
244 tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_user_dn", NULL);
247 tmp = lp_ldap_admin_dn();
249 if (! tmp || ! *tmp) {
250 DEBUG(1, ("ERROR: missing idmap ldap user dn\n"));
251 talloc_free(idmap_alloc_ldap);
252 return NT_STATUS_UNSUCCESSFUL;
255 idmap_alloc_ldap->user_dn = talloc_strdup(idmap_alloc_ldap, tmp);
256 if ( ! idmap_alloc_ldap->user_dn) {
257 talloc_free(idmap_alloc_ldap);
258 DEBUG(0, ("Out of memory!\n"));
259 return NT_STATUS_NO_MEMORY;
262 if (!NT_STATUS_IS_OK(nt_status =
263 smbldap_init(idmap_alloc_ldap, idmap_alloc_ldap->url,
264 &idmap_alloc_ldap->smbldap_state))) {
265 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
266 idmap_alloc_ldap->url));
267 talloc_free(idmap_alloc_ldap);
271 /* fetch credentials from secrets.tdb */
272 secret = idmap_fecth_secret("ldap", true, NULL, idmap_alloc_ldap->user_dn);
274 DEBUG(1, ("ERROR: unable to fetch auth credentials\n"));
275 talloc_free(idmap_alloc_ldap);
276 return NT_STATUS_ACCESS_DENIED;
278 /* now set credentials */
279 smbldap_set_creds(idmap_alloc_ldap->smbldap_state, false, idmap_alloc_ldap->user_dn, secret);
281 /* see if the idmap suffix and sub entries exists */
282 nt_status = verify_idpool();
283 if (!NT_STATUS_IS_OK(nt_status)) {
284 talloc_free(idmap_alloc_ldap);
291 /********************************
292 Allocate a new uid or gid
293 ********************************/
295 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
298 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
299 int rc = LDAP_SERVER_DOWN;
301 LDAPMessage *result = NULL;
302 LDAPMessage *entry = NULL;
303 LDAPMod **mods = NULL;
307 const char *dn = NULL;
308 const char **attr_list;
311 if ( ! idmap_alloc_ldap) {
312 return NT_STATUS_UNSUCCESSFUL;
315 ctx = talloc_new(idmap_alloc_ldap);
317 DEBUG(0, ("Out of memory!\n"));
318 return NT_STATUS_NO_MEMORY;
325 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
329 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
333 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
334 return NT_STATUS_INVALID_PARAMETER;
337 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
338 CHECK_ALLOC_DONE(filter);
340 attr_list = get_attr_list(ctx, idpool_attr_list);
341 CHECK_ALLOC_DONE(attr_list);
343 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
345 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
346 idmap_alloc_ldap->suffix,
347 LDAP_SCOPE_SUBTREE, filter,
348 attr_list, 0, &result);
350 if (rc != LDAP_SUCCESS) {
351 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
355 talloc_autofree_ldapmsg(ctx, result);
357 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
359 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
363 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
365 dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
370 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
371 entry, type, ctx))) {
372 DEBUG(0,("%s attribute not found\n", type));
376 DEBUG(0,("Out of memory\n"));
377 ret = NT_STATUS_NO_MEMORY;
381 xid->id = strtoul(id_str, NULL, 10);
383 /* make sure we still have room to grow */
387 if (xid->id > idmap_alloc_ldap->high_uid) {
388 DEBUG(0,("Cannot allocate uid above %lu!\n",
389 (unsigned long)idmap_alloc_ldap->high_uid));
395 if (xid->id > idmap_alloc_ldap->high_gid) {
396 DEBUG(0,("Cannot allocate gid above %lu!\n",
397 (unsigned long)idmap_alloc_ldap->high_uid));
407 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
409 DEBUG(0,("Out of memory\n"));
410 ret = NT_STATUS_NO_MEMORY;
414 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
415 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
418 DEBUG(0,("smbldap_set_mod() failed.\n"));
422 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n", id_str, new_id_str));
424 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
426 ldap_mods_free(mods, True);
428 if (rc != LDAP_SUCCESS) {
429 DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
440 /**********************************
441 Get current highest id.
442 **********************************/
444 static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
447 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
448 int rc = LDAP_SERVER_DOWN;
450 LDAPMessage *result = NULL;
451 LDAPMessage *entry = NULL;
454 const char **attr_list;
457 if ( ! idmap_alloc_ldap) {
458 return NT_STATUS_UNSUCCESSFUL;
461 memctx = talloc_new(idmap_alloc_ldap);
463 DEBUG(0, ("Out of memory!\n"));
464 return NT_STATUS_NO_MEMORY;
471 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
475 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
479 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
480 return NT_STATUS_INVALID_PARAMETER;
483 filter = talloc_asprintf(memctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
484 CHECK_ALLOC_DONE(filter);
486 attr_list = get_attr_list(memctx, idpool_attr_list);
487 CHECK_ALLOC_DONE(attr_list);
489 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
490 idmap_alloc_ldap->suffix,
491 LDAP_SCOPE_SUBTREE, filter,
492 attr_list, 0, &result);
494 if (rc != LDAP_SUCCESS) {
495 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
499 talloc_autofree_ldapmsg(memctx, result);
501 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
503 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
507 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
509 id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
510 entry, type, memctx);
512 DEBUG(0,("%s attribute not found\n", type));
516 DEBUG(0,("Out of memory\n"));
517 ret = NT_STATUS_NO_MEMORY;
521 xid->id = strtoul(id_str, NULL, 10);
528 /**********************************
530 **********************************/
532 static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
535 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
536 int rc = LDAP_SERVER_DOWN;
538 LDAPMessage *result = NULL;
539 LDAPMessage *entry = NULL;
540 LDAPMod **mods = NULL;
543 const char *dn = NULL;
544 const char **attr_list;
547 if ( ! idmap_alloc_ldap) {
548 return NT_STATUS_UNSUCCESSFUL;
551 ctx = talloc_new(idmap_alloc_ldap);
553 DEBUG(0, ("Out of memory!\n"));
554 return NT_STATUS_NO_MEMORY;
561 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
565 type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
569 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
570 return NT_STATUS_INVALID_PARAMETER;
573 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
574 CHECK_ALLOC_DONE(filter);
576 attr_list = get_attr_list(ctx, idpool_attr_list);
577 CHECK_ALLOC_DONE(attr_list);
579 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
580 idmap_alloc_ldap->suffix,
581 LDAP_SCOPE_SUBTREE, filter,
582 attr_list, 0, &result);
584 if (rc != LDAP_SUCCESS) {
585 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
589 talloc_autofree_ldapmsg(ctx, result);
591 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
593 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
597 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
599 dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
604 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id);
606 DEBUG(0,("Out of memory\n"));
607 ret = NT_STATUS_NO_MEMORY;
611 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str);
614 DEBUG(0,("smbldap_set_mod() failed.\n"));
618 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
620 ldap_mods_free(mods, True);
622 if (rc != LDAP_SUCCESS) {
623 DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
634 /**********************************
635 Close idmap ldap alloc
636 **********************************/
638 static NTSTATUS idmap_ldap_alloc_close(void)
640 if (idmap_alloc_ldap) {
641 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
642 DEBUG(5,("The connection to the LDAP server was closed\n"));
643 /* maybe free the results here --metze */
644 TALLOC_FREE(idmap_alloc_ldap);
650 /**********************************************************************
651 IDMAP MAPPING LDAP BACKEND
652 **********************************************************************/
654 struct idmap_ldap_context {
655 struct smbldap_state *smbldap_state;
659 uint32_t filter_low_id, filter_high_id; /* Filter range */
663 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
665 smbldap_free_struct(&ctx->smbldap_state);
666 DEBUG(5,("The connection to the LDAP server was closed\n"));
667 /* maybe free the results here --metze */
672 /********************************
673 Initialise idmap database.
674 ********************************/
676 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom, const char *params)
679 struct idmap_ldap_context *ctx;
685 ctx = talloc_zero(dom, struct idmap_ldap_context);
687 DEBUG(0, ("Out of memory!\n"));
688 return NT_STATUS_NO_MEMORY;
691 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
692 if ( ! config_option) {
693 DEBUG(0, ("Out of memory!\n"));
694 ret = NT_STATUS_NO_MEMORY;
699 range = lp_parm_const_string(-1, config_option, "range", NULL);
700 if (range && range[0]) {
701 if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
702 (ctx->filter_low_id > ctx->filter_high_id)) {
703 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
704 ctx->filter_low_id = 0;
705 ctx->filter_high_id = 0;
709 if (params && *params) {
710 /* assume location is the only parameter */
711 ctx->url = talloc_strdup(ctx, params);
713 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
716 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
717 ret = NT_STATUS_UNSUCCESSFUL;
721 ctx->url = talloc_strdup(ctx, tmp);
723 CHECK_ALLOC_DONE(ctx->url);
725 tmp = lp_ldap_idmap_suffix();
726 if ( ! tmp || ! *tmp) {
727 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
730 tmp = lp_ldap_suffix();
732 DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
733 DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
737 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
738 ret = NT_STATUS_UNSUCCESSFUL;
741 ctx->suffix = talloc_strdup(ctx, tmp);
742 CHECK_ALLOC_DONE(ctx->suffix);
744 ctx->anon = lp_parm_bool(-1, config_option, "ldap_anon", False);
746 ret = smbldap_init(ctx, ctx->url, &ctx->smbldap_state);
747 if (!NT_STATUS_IS_OK(ret)) {
748 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
753 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
756 tmp = lp_ldap_admin_dn();
758 if (! tmp || ! *tmp) {
759 DEBUG(1, ("ERROR: missing idmap ldap user dn\n"));
760 ret = NT_STATUS_UNSUCCESSFUL;
764 ctx->user_dn = talloc_strdup(ctx, tmp);
765 CHECK_ALLOC_DONE(ctx->user_dn);
767 /* fetch credentials */
768 secret = idmap_fecth_secret("ldap", false, dom->name, ctx->user_dn);
770 DEBUG(1, ("ERROR: unable to fetch auth credentials\n"));
771 ret = NT_STATUS_ACCESS_DENIED;
774 /* now set credentials */
775 smbldap_set_creds(ctx->smbldap_state, false, ctx->user_dn, secret);
777 smbldap_set_creds(ctx->smbldap_state, true, NULL, NULL);
780 /* set the destructor on the context, so that resource are properly
781 * freed if the contexts is released */
782 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
784 dom->private_data = ctx;
786 talloc_free(config_option);
795 /* max number of ids requested per batch query */
796 #define IDMAP_LDAP_MAX_IDS 30
798 /**********************************
799 lookup a set of unix ids.
800 **********************************/
802 /* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
803 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
807 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
808 if (maps[i] == NULL) { /* end of the run */
811 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
819 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
823 struct idmap_ldap_context *ctx;
824 LDAPMessage *result = NULL;
825 const char *uidNumber;
826 const char *gidNumber;
827 const char **attr_list;
836 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
838 memctx = talloc_new(ctx);
840 DEBUG(0, ("Out of memory!\n"));
841 return NT_STATUS_NO_MEMORY;
844 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
845 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
847 attr_list = get_attr_list(ctx, sidmap_attr_list);
850 /* if we are requested just one mapping use the simple filter */
852 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
853 LDAP_OBJ_IDMAP_ENTRY,
854 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
855 (unsigned long)ids[0]->xid.id);
856 CHECK_ALLOC_DONE(filter);
857 DEBUG(10, ("Filter: [%s]\n", filter));
859 /* multiple mappings */
867 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
868 CHECK_ALLOC_DONE(filter);
871 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
872 filter = talloc_asprintf_append(filter, "(%s=%lu)",
873 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
874 (unsigned long)ids[idx]->xid.id);
875 CHECK_ALLOC_DONE(filter);
877 filter = talloc_asprintf_append(filter, "))");
878 CHECK_ALLOC_DONE(filter);
879 DEBUG(10, ("Filter: [%s]\n", filter));
885 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
886 filter, attr_list, 0, &result);
888 if (rc != LDAP_SUCCESS) {
889 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
890 ret = NT_STATUS_UNSUCCESSFUL;
894 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
897 DEBUG(10, ("NO SIDs found\n"));
900 for (i = 0; i < count; i++) {
901 LDAPMessage *entry = NULL;
908 if (i == 0) { /* first entry */
909 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
910 } else { /* following ones */
911 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
914 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
918 /* first check if the SID is present */
919 sidstr = smbldap_talloc_single_attribute(
920 ctx->smbldap_state->ldap_struct,
921 entry, LDAP_ATTRIBUTE_SID, memctx);
922 if ( ! sidstr) { /* no sid, skip entry */
923 DEBUG(2, ("WARNING SID not found on entry\n"));
927 /* now try to see if it is a uid, if not try with a gid
928 * (gid is more common, but in case both uidNumber and
929 * gidNumber are returned the SID is mapped to the uid not the gid) */
931 tmp = smbldap_talloc_single_attribute(
932 ctx->smbldap_state->ldap_struct,
933 entry, uidNumber, memctx);
936 tmp = smbldap_talloc_single_attribute(
937 ctx->smbldap_state->ldap_struct,
938 entry, gidNumber, memctx);
940 if ( ! tmp) { /* wow very strange entry, how did it match ? */
941 DEBUG(5, ("Unprobable match on (%s), no uidNumber, nor gidNumber returned\n", sidstr));
946 id = strtoul(tmp, NULL, 10);
948 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
949 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
950 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
951 id, ctx->filter_low_id, ctx->filter_high_id));
958 map = find_map_by_id(&ids[bidx], type, id);
960 DEBUG(2, ("WARNING: couldn't match sid (%s) with requested ids\n", sidstr));
965 if ( ! string_to_sid(map->sid, sidstr)) {
966 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
975 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
978 /* free the ldap results */
980 ldap_msgfree(result);
984 if (multi && ids[idx]) { /* still some values to map */
995 /**********************************
996 lookup a set of sids.
997 **********************************/
999 /* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
1000 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
1004 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1005 if (maps[i] == NULL) { /* end of the run */
1008 if (sid_equal(maps[i]->sid, sid)) {
1016 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
1020 struct idmap_ldap_context *ctx;
1021 LDAPMessage *result = NULL;
1022 const char *uidNumber;
1023 const char *gidNumber;
1024 const char **attr_list;
1025 char *filter = NULL;
1033 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1035 memctx = talloc_new(ctx);
1037 DEBUG(0, ("Out of memory!\n"));
1038 return NT_STATUS_NO_MEMORY;
1041 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1042 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1044 attr_list = get_attr_list(ctx, sidmap_attr_list);
1047 /* if we are requested just one mapping use the simple filter */
1049 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1050 LDAP_OBJ_IDMAP_ENTRY,
1052 sid_string_static(ids[0]->sid));
1053 CHECK_ALLOC_DONE(filter);
1054 DEBUG(10, ("Filter: [%s]\n", filter));
1056 /* multiple mappings */
1063 TALLOC_FREE(filter);
1064 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
1065 CHECK_ALLOC_DONE(filter);
1068 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1069 filter = talloc_asprintf_append(filter, "(%s=%s)",
1071 sid_string_static(ids[idx]->sid));
1072 CHECK_ALLOC_DONE(filter);
1074 filter = talloc_asprintf_append(filter, "))");
1075 CHECK_ALLOC_DONE(filter);
1076 DEBUG(10, ("Filter: [%s]", filter));
1082 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1083 filter, attr_list, 0, &result);
1085 if (rc != LDAP_SUCCESS) {
1086 DEBUG(3,("Failure looking up sids (%s)\n", ldap_err2string(rc)));
1087 ret = NT_STATUS_UNSUCCESSFUL;
1091 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1094 DEBUG(10, ("NO SIDs found\n"));
1097 for (i = 0; i < count; i++) {
1098 LDAPMessage *entry = NULL;
1099 char *sidstr = NULL;
1106 if (i == 0) { /* first entry */
1107 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
1108 } else { /* following ones */
1109 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
1112 /* first check if the SID is present */
1113 sidstr = smbldap_talloc_single_attribute(
1114 ctx->smbldap_state->ldap_struct,
1115 entry, LDAP_ATTRIBUTE_SID, memctx);
1116 if ( ! sidstr) { /* no sid ??, skip entry */
1117 DEBUG(2, ("WARNING SID not found on entry\n"));
1121 if ( ! string_to_sid(&sid, sidstr)) {
1122 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1123 TALLOC_FREE(sidstr);
1127 map = find_map_by_sid(&ids[bidx], &sid);
1129 DEBUG(2, ("WARNING: couldn't find entry sid (%s) in ids", sidstr));
1130 TALLOC_FREE(sidstr);
1134 TALLOC_FREE(sidstr);
1136 /* now try to see if it is a uid, if not try with a gid
1137 * (gid is more common, but in case both uidNumber and
1138 * gidNumber are returned the SID is mapped to the uid not the gid) */
1140 tmp = smbldap_talloc_single_attribute(
1141 ctx->smbldap_state->ldap_struct,
1142 entry, uidNumber, memctx);
1145 tmp = smbldap_talloc_single_attribute(
1146 ctx->smbldap_state->ldap_struct,
1147 entry, gidNumber, memctx);
1149 if ( ! tmp) { /* no ids ?? */
1150 DEBUG(5, ("no uidNumber, nor gidNumber attributes found\n"));
1154 id = strtoul(tmp, NULL, 10);
1156 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1157 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1158 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
1159 id, ctx->filter_low_id, ctx->filter_high_id));
1166 map->xid.type = type;
1170 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
1173 /* free the ldap results */
1175 ldap_msgfree(result);
1179 if (multi && ids[idx]) { /* still some values to map */
1186 talloc_free(memctx);
1190 /**********************************
1192 **********************************/
1194 /* TODO: change this: This function cannot be called to modify a mapping, only set a new one */
1196 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id_map *map)
1200 struct idmap_ldap_context *ctx;
1201 LDAPMessage *entry = NULL;
1202 LDAPMod **mods = NULL;
1209 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1211 switch(map->xid.type) {
1213 type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_UIDNUMBER);
1217 type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_GIDNUMBER);
1221 return NT_STATUS_INVALID_PARAMETER;
1224 memctx = talloc_new(ctx);
1226 DEBUG(0, ("Out of memory!\n"));
1227 return NT_STATUS_NO_MEMORY;
1230 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1231 CHECK_ALLOC_DONE(id_str);
1233 sid = talloc_strdup(memctx, sid_string_static(map->sid));
1234 CHECK_ALLOC_DONE(sid);
1236 dn = talloc_asprintf(memctx, "%s=%s,%s",
1237 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1240 CHECK_ALLOC_DONE(dn);
1242 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1244 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods, type, id_str);
1246 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1247 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), sid);
1250 DEBUG(2, ("ERROR: No mods?\n"));
1251 ret = NT_STATUS_UNSUCCESSFUL;
1255 /* TODO: remove conflicting mappings! */
1257 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1259 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1261 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1262 ldap_mods_free(mods, True);
1264 if (rc != LDAP_SUCCESS) {
1265 char *ld_error = NULL;
1266 ldap_get_option(ctx->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
1267 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu mapping [%s]\n",
1268 sid, (unsigned long)map->xid.id, type));
1269 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1270 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1271 ret = NT_STATUS_UNSUCCESSFUL;
1275 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
1276 sid, (unsigned long)map->xid.id, type));
1281 talloc_free(memctx);
1285 /**********************************
1287 **********************************/
1289 static NTSTATUS idmap_ldap_remove_mapping(struct idmap_domain *dom, const struct id_map *map)
1291 return NT_STATUS_UNSUCCESSFUL;
1294 /**********************************
1295 Close the idmap ldap instance
1296 **********************************/
1298 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1300 struct idmap_ldap_context *ctx;
1302 if (dom->private_data) {
1303 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1306 dom->private_data = NULL;
1309 return NT_STATUS_OK;
1312 static struct idmap_methods idmap_ldap_methods = {
1314 .init = idmap_ldap_db_init,
1315 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1316 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1317 .set_mapping = idmap_ldap_set_mapping,
1318 .remove_mapping = idmap_ldap_remove_mapping,
1319 /* .dump_data = TODO */
1320 .close_fn = idmap_ldap_close
1323 static struct idmap_alloc_methods idmap_ldap_alloc_methods = {
1325 .init = idmap_ldap_alloc_init,
1326 .allocate_id = idmap_ldap_allocate_id,
1327 .get_id_hwm = idmap_ldap_get_hwm,
1328 .set_id_hwm = idmap_ldap_set_hwm,
1329 .close_fn = idmap_ldap_alloc_close,
1330 /* .dump_data = TODO */
1333 NTSTATUS idmap_alloc_ldap_init(void)
1335 return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_alloc_methods);
1338 NTSTATUS idmap_ldap_init(void)
1342 /* FIXME: bad hack to actually register also the alloc_ldap module without changining configure.in */
1343 ret = idmap_alloc_ldap_init();
1344 if (! NT_STATUS_IS_OK(ret)) {
1347 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_methods);