search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
VERSION: Raise version number up to 3.0.36.
[Samba.git] / source / nsswitch / idmap_ldap.c
blobd1639c07721b684f0ad2d3842dc2e71b57f40293
1 /*
2 Unix SMB/CIFS implementation.
3
4 idmap LDAP backend
5
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Gerald Carter 2003
9 Copyright (C) Simo Sorce 2003-2007
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "includes.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_IDMAP
30
31 #include <lber.h>
32 #include <ldap.h>
33
34 #include "smbldap.h"
35
36 struct idmap_ldap_context {
37 struct smbldap_state *smbldap_state;
38 char *url;
39 char *suffix;
40 char *user_dn;
41 uint32_t filter_low_id, filter_high_id; /* Filter range */
42 BOOL anon;
43 };
44
45 struct idmap_ldap_alloc_context {
46 struct smbldap_state *smbldap_state;
47 char *url;
48 char *suffix;
49 char *user_dn;
50 uid_t low_uid, high_uid; /* Range of uids */
51 gid_t low_gid, high_gid; /* Range of gids */
52
53 };
54
55 #define CHECK_ALLOC_DONE(mem) do { \
56 if (!mem) { \
57 DEBUG(0, ("Out of memory!\n")); \
58 ret = NT_STATUS_NO_MEMORY; \
59 goto done; \
60 } } while (0)
61
62 /**********************************************************************
63 IDMAP ALLOC TDB BACKEND
64 **********************************************************************/
65
66 static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
67
68 /*********************************************************************
69 ********************************************************************/
70
71 static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
72 struct smbldap_state *ldap_state,
73 const char *config_option,
74 struct idmap_domain *dom,
75 char **dn )
76 {
77 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
78 char *secret = NULL;
79 const char *tmp = NULL;
80 char *user_dn = NULL;
81 BOOL anon = False;
82
83 /* assume anonymous if we don't have a specified user */
84
85 tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
86
87 if ( tmp ) {
88 if (!dom) {
89 /* only the alloc backend can pass in a NULL dom */
90 secret = idmap_fetch_secret("ldap", True,
91 NULL, tmp);
92 } else {
93 secret = idmap_fetch_secret("ldap", False,
94 dom->name, tmp);
95 }
96
97 if (!secret) {
98 DEBUG(0, ("get_credentials: Unable to fetch "
99 "auth credentials for %s in %s\n",
100 tmp, (dom==NULL)?"ALLOC":dom->name));
101 ret = NT_STATUS_ACCESS_DENIED;
102 goto done;
103 }
104 *dn = talloc_strdup(mem_ctx, tmp);
105 CHECK_ALLOC_DONE(*dn);
106 } else {
107 if (!fetch_ldap_pw(&user_dn, &secret)) {
108 DEBUG(2, ("get_credentials: Failed to lookup ldap "
109 "bind creds. Using anonymous connection.\n"));
110 anon = True;
111 } else {
112 *dn = talloc_strdup(mem_ctx, user_dn);
113 SAFE_FREE( user_dn );
114 CHECK_ALLOC_DONE(*dn);
115 }
116 }
117
118 smbldap_set_creds(ldap_state, anon, *dn, secret);
119 ret = NT_STATUS_OK;
120
121 done:
122 SAFE_FREE(secret);
123
124 return ret;
125 }
126
127
128 /**********************************************************************
129 Verify the sambaUnixIdPool entry in the directory.
130 **********************************************************************/
131
132 static NTSTATUS verify_idpool(void)
133 {
134 NTSTATUS ret;
135 TALLOC_CTX *ctx;
136 LDAPMessage *result = NULL;
137 LDAPMod **mods = NULL;
138 const char **attr_list;
139 char *filter;
140 int count;
141 int rc;
142
143 if ( ! idmap_alloc_ldap) {
144 return NT_STATUS_UNSUCCESSFUL;
145 }
146
147 ctx = talloc_new(idmap_alloc_ldap);
148 if ( ! ctx) {
149 DEBUG(0, ("Out of memory!\n"));
150 return NT_STATUS_NO_MEMORY;
151 }
152
153 filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
154 CHECK_ALLOC_DONE(filter);
155
156 attr_list = get_attr_list(ctx, idpool_attr_list);
157 CHECK_ALLOC_DONE(attr_list);
158
159 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
160 idmap_alloc_ldap->suffix,
161 LDAP_SCOPE_SUBTREE,
162 filter,
163 attr_list,
164 0,
165 &result);
166
167 if (rc != LDAP_SUCCESS) {
168 DEBUG(1, ("Unable to verify the idpool, "
169 "cannot continue initialization!\n"));
170 return NT_STATUS_UNSUCCESSFUL;
171 }
172
173 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
174 result);
175
176 ldap_msgfree(result);
177
178 if ( count > 1 ) {
179 DEBUG(0,("Multiple entries returned from %s (base == %s)\n",
180 filter, idmap_alloc_ldap->suffix));
181 ret = NT_STATUS_UNSUCCESSFUL;
182 goto done;
183 }
184 else if (count == 0) {
185 char *uid_str, *gid_str;
186
187 uid_str = talloc_asprintf(ctx, "%lu",
188 (unsigned long)idmap_alloc_ldap->low_uid);
189 gid_str = talloc_asprintf(ctx, "%lu",
190 (unsigned long)idmap_alloc_ldap->low_gid);
191
192 smbldap_set_mod(&mods, LDAP_MOD_ADD,
193 "objectClass", LDAP_OBJ_IDPOOL);
194 smbldap_set_mod(&mods, LDAP_MOD_ADD,
195 get_attr_key2string(idpool_attr_list,
196 LDAP_ATTR_UIDNUMBER),
197 uid_str);
198 smbldap_set_mod(&mods, LDAP_MOD_ADD,
199 get_attr_key2string(idpool_attr_list,
200 LDAP_ATTR_GIDNUMBER),
201 gid_str);
202 if (mods) {
203 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
204 idmap_alloc_ldap->suffix,
205 mods);
206 ldap_mods_free(mods, True);
207 } else {
208 ret = NT_STATUS_UNSUCCESSFUL;
209 goto done;
210 }
211 }
212
213 ret = (rc == LDAP_SUCCESS)?NT_STATUS_OK:NT_STATUS_UNSUCCESSFUL;
214 done:
215 talloc_free(ctx);
216 return ret;
217 }
218
219 /*****************************************************************************
220 Initialise idmap database.
221 *****************************************************************************/
222
223 static NTSTATUS idmap_ldap_alloc_init(const char *params)
224 {
225 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
226 const char *range;
227 const char *tmp;
228 uid_t low_uid = 0;
229 uid_t high_uid = 0;
230 gid_t low_gid = 0;
231 gid_t high_gid = 0;
232
233 /* Only do init if we are online */
234 if (idmap_is_offline()) {
235 return NT_STATUS_FILE_IS_OFFLINE;
236 }
237
238 idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
239 CHECK_ALLOC_DONE( idmap_alloc_ldap );
240
241 /* load ranges */
242
243 idmap_alloc_ldap->low_uid = 0;
244 idmap_alloc_ldap->high_uid = 0;
245 idmap_alloc_ldap->low_gid = 0;
246 idmap_alloc_ldap->high_gid = 0;
247
248 range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
249 if (range && range[0]) {
250 unsigned low_id, high_id;
251
252 if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
253 if (low_id < high_id) {
254 idmap_alloc_ldap->low_gid = low_id;
255 idmap_alloc_ldap->low_uid = low_id;
256 idmap_alloc_ldap->high_gid = high_id;
257 idmap_alloc_ldap->high_uid = high_id;
258 } else {
259 DEBUG(1, ("ERROR: invalid idmap alloc range "
260 "[%s]", range));
261 }
262 } else {
263 DEBUG(1, ("ERROR: invalid syntax for idmap alloc "
264 "config:range [%s]", range));
265 }
266 }
267
268 if (lp_idmap_uid(&low_uid, &high_uid)) {
269 idmap_alloc_ldap->low_uid = low_uid;
270 idmap_alloc_ldap->high_uid = high_uid;
271 }
272
273 if (lp_idmap_gid(&low_gid, &high_gid)) {
274 idmap_alloc_ldap->low_gid = low_gid;
275 idmap_alloc_ldap->high_gid= high_gid;
276 }
277
278 if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
279 DEBUG(1, ("idmap uid range missing or invalid\n"));
280 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
281 ret = NT_STATUS_UNSUCCESSFUL;
282 goto done;
283 }
284
285 if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
286 DEBUG(1, ("idmap gid range missing or invalid\n"));
287 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
288 ret = NT_STATUS_UNSUCCESSFUL;
289 goto done;
290 }
291
292 if (params && *params) {
293 /* assume location is the only parameter */
294 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
295 } else {
296 tmp = lp_parm_const_string(-1, "idmap alloc config",
297 "ldap_url", NULL);
298
299 if ( ! tmp) {
300 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
301 ret = NT_STATUS_UNSUCCESSFUL;
302 goto done;
303 }
304
305 idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
306 }
307 CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
308
309 tmp = lp_parm_const_string(-1, "idmap alloc config",
310 "ldap_base_dn", NULL);
311 if ( ! tmp || ! *tmp) {
312 tmp = lp_ldap_idmap_suffix();
313 if ( ! tmp) {
314 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
315 ret = NT_STATUS_UNSUCCESSFUL;
316 goto done;
317 }
318 }
319
320 idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
321 CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
322
323 ret = smbldap_init(idmap_alloc_ldap, idmap_alloc_ldap->url,
324 &idmap_alloc_ldap->smbldap_state);
325 if (!NT_STATUS_IS_OK(ret)) {
326 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
327 idmap_alloc_ldap->url));
328 goto done;
329 }
330
331 ret = get_credentials( idmap_alloc_ldap,
332 idmap_alloc_ldap->smbldap_state,
333 "idmap alloc config", NULL,
334 &idmap_alloc_ldap->user_dn );
335 if ( !NT_STATUS_IS_OK(ret) ) {
336 DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
337 "credentials (%s)\n", nt_errstr(ret)));
338 goto done;
339 }
340
341 /* see if the idmap suffix and sub entries exists */
342
343 ret = verify_idpool();
344
345 done:
346 if ( !NT_STATUS_IS_OK( ret ) )
347 TALLOC_FREE( idmap_alloc_ldap );
348
349 return ret;
350 }
351
352 /********************************
353 Allocate a new uid or gid
354 ********************************/
355
356 static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
357 {
358 TALLOC_CTX *ctx;
359 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
360 int rc = LDAP_SERVER_DOWN;
361 int count = 0;
362 LDAPMessage *result = NULL;
363 LDAPMessage *entry = NULL;
364 LDAPMod **mods = NULL;
365 char *id_str;
366 char *new_id_str;
367 char *filter = NULL;
368 const char *dn = NULL;
369 const char **attr_list;
370 const char *type;
371
372 /* Only do query if we are online */
373 if (idmap_is_offline()) {
374 return NT_STATUS_FILE_IS_OFFLINE;
375 }
376
377 if ( ! idmap_alloc_ldap) {
378 return NT_STATUS_UNSUCCESSFUL;
379 }
380
381 ctx = talloc_new(idmap_alloc_ldap);
382 if ( ! ctx) {
383 DEBUG(0, ("Out of memory!\n"));
384 return NT_STATUS_NO_MEMORY;
385 }
386
387 /* get type */
388 switch (xid->type) {
389
390 case ID_TYPE_UID:
391 type = get_attr_key2string(idpool_attr_list,
392 LDAP_ATTR_UIDNUMBER);
393 break;
394
395 case ID_TYPE_GID:
396 type = get_attr_key2string(idpool_attr_list,
397 LDAP_ATTR_GIDNUMBER);
398 break;
399
400 default:
401 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
402 return NT_STATUS_INVALID_PARAMETER;
403 }
404
405 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
406 CHECK_ALLOC_DONE(filter);
407
408 attr_list = get_attr_list(ctx, idpool_attr_list);
409 CHECK_ALLOC_DONE(attr_list);
410
411 DEBUG(10, ("Search of the id pool (filter: %s)\n", filter));
412
413 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
414 idmap_alloc_ldap->suffix,
415 LDAP_SCOPE_SUBTREE, filter,
416 attr_list, 0, &result);
417
418 if (rc != LDAP_SUCCESS) {
419 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
420 goto done;
421 }
422
423 talloc_autofree_ldapmsg(ctx, result);
424
425 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
426 result);
427 if (count != 1) {
428 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
429 goto done;
430 }
431
432 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
433 result);
434
435 dn = smbldap_talloc_dn(ctx,
436 idmap_alloc_ldap->smbldap_state->ldap_struct,
437 entry);
438 if ( ! dn) {
439 goto done;
440 }
441
442 if ( ! (id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
443 entry, type, ctx))) {
444 DEBUG(0,("%s attribute not found\n", type));
445 goto done;
446 }
447 if ( ! id_str) {
448 DEBUG(0,("Out of memory\n"));
449 ret = NT_STATUS_NO_MEMORY;
450 goto done;
451 }
452
453 xid->id = strtoul(id_str, NULL, 10);
454
455 /* make sure we still have room to grow */
456
457 switch (xid->type) {
458 case ID_TYPE_UID:
459 if (xid->id > idmap_alloc_ldap->high_uid) {
460 DEBUG(0,("Cannot allocate uid above %lu!\n",
461 (unsigned long)idmap_alloc_ldap->high_uid));
462 goto done;
463 }
464 break;
465
466 case ID_TYPE_GID:
467 if (xid->id > idmap_alloc_ldap->high_gid) {
468 DEBUG(0,("Cannot allocate gid above %lu!\n",
469 (unsigned long)idmap_alloc_ldap->high_uid));
470 goto done;
471 }
472 break;
473
474 default:
475 /* impossible */
476 goto done;
477 }
478
479 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
480 if ( ! new_id_str) {
481 DEBUG(0,("Out of memory\n"));
482 ret = NT_STATUS_NO_MEMORY;
483 goto done;
484 }
485
486 smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
487 smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
488
489 if (mods == NULL) {
490 DEBUG(0,("smbldap_set_mod() failed.\n"));
491 goto done;
492 }
493
494 DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
495 id_str, new_id_str));
496
497 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
498
499 ldap_mods_free(mods, True);
500
501 if (rc != LDAP_SUCCESS) {
502 DEBUG(1,("Failed to allocate new %s. "
503 "smbldap_modify() failed.\n", type));
504 goto done;
505 }
506
507 ret = NT_STATUS_OK;
508
509 done:
510 talloc_free(ctx);
511 return ret;
512 }
513
514 /**********************************
515 Get current highest id.
516 **********************************/
517
518 static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
519 {
520 TALLOC_CTX *memctx;
521 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
522 int rc = LDAP_SERVER_DOWN;
523 int count = 0;
524 LDAPMessage *result = NULL;
525 LDAPMessage *entry = NULL;
526 char *id_str;
527 char *filter = NULL;
528 const char **attr_list;
529 const char *type;
530
531 /* Only do query if we are online */
532 if (idmap_is_offline()) {
533 return NT_STATUS_FILE_IS_OFFLINE;
534 }
535
536 if ( ! idmap_alloc_ldap) {
537 return NT_STATUS_UNSUCCESSFUL;
538 }
539
540 memctx = talloc_new(idmap_alloc_ldap);
541 if ( ! memctx) {
542 DEBUG(0, ("Out of memory!\n"));
543 return NT_STATUS_NO_MEMORY;
544 }
545
546 /* get type */
547 switch (xid->type) {
548
549 case ID_TYPE_UID:
550 type = get_attr_key2string(idpool_attr_list,
551 LDAP_ATTR_UIDNUMBER);
552 break;
553
554 case ID_TYPE_GID:
555 type = get_attr_key2string(idpool_attr_list,
556 LDAP_ATTR_GIDNUMBER);
557 break;
558
559 default:
560 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
561 return NT_STATUS_INVALID_PARAMETER;
562 }
563
564 filter = talloc_asprintf(memctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
565 CHECK_ALLOC_DONE(filter);
566
567 attr_list = get_attr_list(memctx, idpool_attr_list);
568 CHECK_ALLOC_DONE(attr_list);
569
570 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
571 idmap_alloc_ldap->suffix,
572 LDAP_SCOPE_SUBTREE, filter,
573 attr_list, 0, &result);
574
575 if (rc != LDAP_SUCCESS) {
576 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
577 goto done;
578 }
579
580 talloc_autofree_ldapmsg(memctx, result);
581
582 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
583 result);
584 if (count != 1) {
585 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
586 goto done;
587 }
588
589 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
590 result);
591
592 id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
593 entry, type, memctx);
594 if ( ! id_str) {
595 DEBUG(0,("%s attribute not found\n", type));
596 goto done;
597 }
598 if ( ! id_str) {
599 DEBUG(0,("Out of memory\n"));
600 ret = NT_STATUS_NO_MEMORY;
601 goto done;
602 }
603
604 xid->id = strtoul(id_str, NULL, 10);
605
606 ret = NT_STATUS_OK;
607 done:
608 talloc_free(memctx);
609 return ret;
610 }
611 /**********************************
612 Set highest id.
613 **********************************/
614
615 static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
616 {
617 TALLOC_CTX *ctx;
618 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
619 int rc = LDAP_SERVER_DOWN;
620 int count = 0;
621 LDAPMessage *result = NULL;
622 LDAPMessage *entry = NULL;
623 LDAPMod **mods = NULL;
624 char *new_id_str;
625 char *filter = NULL;
626 const char *dn = NULL;
627 const char **attr_list;
628 const char *type;
629
630 /* Only do query if we are online */
631 if (idmap_is_offline()) {
632 return NT_STATUS_FILE_IS_OFFLINE;
633 }
634
635 if ( ! idmap_alloc_ldap) {
636 return NT_STATUS_UNSUCCESSFUL;
637 }
638
639 ctx = talloc_new(idmap_alloc_ldap);
640 if ( ! ctx) {
641 DEBUG(0, ("Out of memory!\n"));
642 return NT_STATUS_NO_MEMORY;
643 }
644
645 /* get type */
646 switch (xid->type) {
647
648 case ID_TYPE_UID:
649 type = get_attr_key2string(idpool_attr_list,
650 LDAP_ATTR_UIDNUMBER);
651 break;
652
653 case ID_TYPE_GID:
654 type = get_attr_key2string(idpool_attr_list,
655 LDAP_ATTR_GIDNUMBER);
656 break;
657
658 default:
659 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
660 return NT_STATUS_INVALID_PARAMETER;
661 }
662
663 filter = talloc_asprintf(ctx, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
664 CHECK_ALLOC_DONE(filter);
665
666 attr_list = get_attr_list(ctx, idpool_attr_list);
667 CHECK_ALLOC_DONE(attr_list);
668
669 rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
670 idmap_alloc_ldap->suffix,
671 LDAP_SCOPE_SUBTREE, filter,
672 attr_list, 0, &result);
673
674 if (rc != LDAP_SUCCESS) {
675 DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
676 goto done;
677 }
678
679 talloc_autofree_ldapmsg(ctx, result);
680
681 count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
682 result);
683 if (count != 1) {
684 DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
685 goto done;
686 }
687
688 entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
689 result);
690
691 dn = smbldap_talloc_dn(ctx,
692 idmap_alloc_ldap->smbldap_state->ldap_struct,
693 entry);
694 if ( ! dn) {
695 goto done;
696 }
697
698 new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id);
699 if ( ! new_id_str) {
700 DEBUG(0,("Out of memory\n"));
701 ret = NT_STATUS_NO_MEMORY;
702 goto done;
703 }
704
705 smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str);
706
707 if (mods == NULL) {
708 DEBUG(0,("smbldap_set_mod() failed.\n"));
709 goto done;
710 }
711
712 rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
713
714 ldap_mods_free(mods, True);
715
716 if (rc != LDAP_SUCCESS) {
717 DEBUG(1,("Failed to allocate new %s. "
718 "smbldap_modify() failed.\n", type));
719 goto done;
720 }
721
722 ret = NT_STATUS_OK;
723
724 done:
725 talloc_free(ctx);
726 return ret;
727 }
728
729 /**********************************
730 Close idmap ldap alloc
731 **********************************/
732
733 static NTSTATUS idmap_ldap_alloc_close(void)
734 {
735 if (idmap_alloc_ldap) {
736 smbldap_free_struct(&idmap_alloc_ldap->smbldap_state);
737 DEBUG(5,("The connection to the LDAP server was closed\n"));
738 /* maybe free the results here --metze */
739 TALLOC_FREE(idmap_alloc_ldap);
740 }
741 return NT_STATUS_OK;
742 }
743
744
745 /**********************************************************************
746 IDMAP MAPPING LDAP BACKEND
747 **********************************************************************/
748
749 static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
750 {
751 smbldap_free_struct(&ctx->smbldap_state);
752 DEBUG(5,("The connection to the LDAP server was closed\n"));
753 /* maybe free the results here --metze */
754
755 return 0;
756 }
757
758 /********************************
759 Initialise idmap database.
760 ********************************/
761
762 static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
763 {
764 NTSTATUS ret;
765 struct idmap_ldap_context *ctx = NULL;
766 char *config_option = NULL;
767 const char *range = NULL;
768 const char *tmp = NULL;
769
770 /* Only do init if we are online */
771 if (idmap_is_offline()) {
772 return NT_STATUS_FILE_IS_OFFLINE;
773 }
774
775 ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
776 if ( ! ctx) {
777 DEBUG(0, ("Out of memory!\n"));
778 return NT_STATUS_NO_MEMORY;
779 }
780
781 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
782 if ( ! config_option) {
783 DEBUG(0, ("Out of memory!\n"));
784 ret = NT_STATUS_NO_MEMORY;
785 goto done;
786 }
787
788 /* load ranges */
789 range = lp_parm_const_string(-1, config_option, "range", NULL);
790 if (range && range[0]) {
791 if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
792 &ctx->filter_high_id) != 2) ||
793 (ctx->filter_low_id > ctx->filter_high_id)) {
794 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
795 ctx->filter_low_id = 0;
796 ctx->filter_high_id = 0;
797 }
798 }
799
800 if (dom->params && *(dom->params)) {
801 /* assume location is the only parameter */
802 ctx->url = talloc_strdup(ctx, dom->params);
803 } else {
804 tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
805
806 if ( ! tmp) {
807 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
808 ret = NT_STATUS_UNSUCCESSFUL;
809 goto done;
810 }
811
812 ctx->url = talloc_strdup(ctx, tmp);
813 }
814 CHECK_ALLOC_DONE(ctx->url);
815
816 tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
817 if ( ! tmp || ! *tmp) {
818 tmp = lp_ldap_idmap_suffix();
819 if ( ! tmp) {
820 DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
821 ret = NT_STATUS_UNSUCCESSFUL;
822 goto done;
823 }
824 }
825
826 ctx->suffix = talloc_strdup(ctx, tmp);
827 CHECK_ALLOC_DONE(ctx->suffix);
828
829 ret = smbldap_init(ctx, ctx->url, &ctx->smbldap_state);
830 if (!NT_STATUS_IS_OK(ret)) {
831 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
832 goto done;
833 }
834
835 ret = get_credentials( ctx, ctx->smbldap_state, config_option,
836 dom, &ctx->user_dn );
837 if ( !NT_STATUS_IS_OK(ret) ) {
838 DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
839 "credentials (%s)\n", nt_errstr(ret)));
840 goto done;
841 }
842
843 /* set the destructor on the context, so that resource are properly
844 freed if the contexts is released */
845
846 talloc_set_destructor(ctx, idmap_ldap_close_destructor);
847
848 dom->private_data = ctx;
849 dom->initialized = True;
850
851 talloc_free(config_option);
852 return NT_STATUS_OK;
853
854 /*failed */
855 done:
856 talloc_free(ctx);
857 return ret;
858 }
859
860 /* max number of ids requested per batch query */
861 #define IDMAP_LDAP_MAX_IDS 30
862
863 /**********************************
864 lookup a set of unix ids.
865 **********************************/
866
867 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
868 * in maps for a match */
869 static struct id_map *find_map_by_id(struct id_map **maps,
870 enum id_type type,
871 uint32_t id)
872 {
873 int i;
874
875 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
876 if (maps[i] == NULL) { /* end of the run */
877 return NULL;
878 }
879 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
880 return maps[i];
881 }
882 }
883
884 return NULL;
885 }
886
887 static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
888 struct id_map **ids)
889 {
890 NTSTATUS ret;
891 TALLOC_CTX *memctx;
892 struct idmap_ldap_context *ctx;
893 LDAPMessage *result = NULL;
894 const char *uidNumber;
895 const char *gidNumber;
896 const char **attr_list;
897 char *filter = NULL;
898 BOOL multi = False;
899 int idx = 0;
900 int bidx = 0;
901 int count;
902 int rc;
903 int i;
904
905 /* Only do query if we are online */
906 if (idmap_is_offline()) {
907 return NT_STATUS_FILE_IS_OFFLINE;
908 }
909
910 /* Initilization my have been deferred because we were offline */
911 if ( ! dom->initialized) {
912 ret = idmap_ldap_db_init(dom);
913 if ( ! NT_STATUS_IS_OK(ret)) {
914 return ret;
915 }
916 }
917
918 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
919
920 memctx = talloc_new(ctx);
921 if ( ! memctx) {
922 DEBUG(0, ("Out of memory!\n"));
923 return NT_STATUS_NO_MEMORY;
924 }
925
926 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
927 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
928
929 attr_list = get_attr_list(memctx, sidmap_attr_list);
930
931 if ( ! ids[1]) {
932 /* if we are requested just one mapping use the simple filter */
933
934 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%lu))",
935 LDAP_OBJ_IDMAP_ENTRY,
936 (ids[0]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
937 (unsigned long)ids[0]->xid.id);
938 CHECK_ALLOC_DONE(filter);
939 DEBUG(10, ("Filter: [%s]\n", filter));
940 } else {
941 /* multiple mappings */
942 multi = True;
943 }
944
945 again:
946 if (multi) {
947
948 talloc_free(filter);
949 filter = talloc_asprintf(memctx,
950 "(&(objectClass=%s)(|",
951 LDAP_OBJ_IDMAP_ENTRY);
952 CHECK_ALLOC_DONE(filter);
953
954 bidx = idx;
955 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
956 filter = talloc_asprintf_append(filter, "(%s=%lu)",
957 (ids[idx]->xid.type==ID_TYPE_UID)?uidNumber:gidNumber,
958 (unsigned long)ids[idx]->xid.id);
959 CHECK_ALLOC_DONE(filter);
960 }
961 filter = talloc_asprintf_append(filter, "))");
962 CHECK_ALLOC_DONE(filter);
963 DEBUG(10, ("Filter: [%s]\n", filter));
964 } else {
965 bidx = 0;
966 idx = 1;
967 }
968
969 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
970 filter, attr_list, 0, &result);
971
972 if (rc != LDAP_SUCCESS) {
973 DEBUG(3,("Failure looking up ids (%s)\n", ldap_err2string(rc)));
974 ret = NT_STATUS_UNSUCCESSFUL;
975 goto done;
976 }
977
978 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
979
980 if (count == 0) {
981 DEBUG(10, ("NO SIDs found\n"));
982 }
983
984 for (i = 0; i < count; i++) {
985 LDAPMessage *entry = NULL;
986 char *sidstr = NULL;
987 char *tmp = NULL;
988 enum id_type type;
989 struct id_map *map;
990 uint32_t id;
991
992 if (i == 0) { /* first entry */
993 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
994 result);
995 } else { /* following ones */
996 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
997 entry);
998 }
999 if ( ! entry) {
1000 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1001 "from results\n"));
1002 break;
1003 }
1004
1005 /* first check if the SID is present */
1006 sidstr = smbldap_talloc_single_attribute(
1007 ctx->smbldap_state->ldap_struct,
1008 entry, LDAP_ATTRIBUTE_SID, memctx);
1009 if ( ! sidstr) { /* no sid, skip entry */
1010 DEBUG(2, ("WARNING SID not found on entry\n"));
1011 continue;
1012 }
1013
1014 /* now try to see if it is a uid, if not try with a gid
1015 * (gid is more common, but in case both uidNumber and
1016 * gidNumber are returned the SID is mapped to the uid
1017 *not the gid) */
1018 type = ID_TYPE_UID;
1019 tmp = smbldap_talloc_single_attribute(
1020 ctx->smbldap_state->ldap_struct,
1021 entry, uidNumber, memctx);
1022 if ( ! tmp) {
1023 type = ID_TYPE_GID;
1024 tmp = smbldap_talloc_single_attribute(
1025 ctx->smbldap_state->ldap_struct,
1026 entry, gidNumber, memctx);
1027 }
1028 if ( ! tmp) { /* wow very strange entry, how did it match ? */
1029 DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
1030 "nor gidNumber returned\n", sidstr));
1031 TALLOC_FREE(sidstr);
1032 continue;
1033 }
1034
1035 id = strtoul(tmp, NULL, 10);
1036 if ((id == 0) ||
1037 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1038 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1039 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1040 "Filtered!\n", id,
1041 ctx->filter_low_id, ctx->filter_high_id));
1042 TALLOC_FREE(sidstr);
1043 TALLOC_FREE(tmp);
1044 continue;
1045 }
1046 TALLOC_FREE(tmp);
1047
1048 map = find_map_by_id(&ids[bidx], type, id);
1049 if (!map) {
1050 DEBUG(2, ("WARNING: couldn't match sid (%s) "
1051 "with requested ids\n", sidstr));
1052 TALLOC_FREE(sidstr);
1053 continue;
1054 }
1055
1056 if ( ! string_to_sid(map->sid, sidstr)) {
1057 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1058 TALLOC_FREE(sidstr);
1059 continue;
1060 }
1061 TALLOC_FREE(sidstr);
1062
1063 /* mapped */
1064 map->status = ID_MAPPED;
1065
1066 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
1067 sid_string_static(map->sid),
1068 (unsigned long)map->xid.id, map->xid.type));
1069 }
1070
1071 /* free the ldap results */
1072 if (result) {
1073 ldap_msgfree(result);
1074 result = NULL;
1075 }
1076
1077 if (multi && ids[idx]) { /* still some values to map */
1078 goto again;
1079 }
1080
1081 ret = NT_STATUS_OK;
1082
1083 /* mark all unknwon/expired ones as unmapped */
1084 for (i = 0; ids[i]; i++) {
1085 if (ids[i]->status != ID_MAPPED)
1086 ids[i]->status = ID_UNMAPPED;
1087 }
1088
1089 done:
1090 talloc_free(memctx);
1091 return ret;
1092 }
1093
1094 /**********************************
1095 lookup a set of sids.
1096 **********************************/
1097
1098 /* this function searches up to IDMAP_LDAP_MAX_IDS entries
1099 * in maps for a match */
1100 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
1101 {
1102 int i;
1103
1104 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
1105 if (maps[i] == NULL) { /* end of the run */
1106 return NULL;
1107 }
1108 if (sid_equal(maps[i]->sid, sid)) {
1109 return maps[i];
1110 }
1111 }
1112
1113 return NULL;
1114 }
1115
1116 static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
1117 struct id_map **ids)
1118 {
1119 LDAPMessage *entry = NULL;
1120 NTSTATUS ret;
1121 TALLOC_CTX *memctx;
1122 struct idmap_ldap_context *ctx;
1123 LDAPMessage *result = NULL;
1124 const char *uidNumber;
1125 const char *gidNumber;
1126 const char **attr_list;
1127 char *filter = NULL;
1128 BOOL multi = False;
1129 int idx = 0;
1130 int bidx = 0;
1131 int count;
1132 int rc;
1133 int i;
1134
1135 /* Only do query if we are online */
1136 if (idmap_is_offline()) {
1137 return NT_STATUS_FILE_IS_OFFLINE;
1138 }
1139
1140 /* Initilization my have been deferred because we were offline */
1141 if ( ! dom->initialized) {
1142 ret = idmap_ldap_db_init(dom);
1143 if ( ! NT_STATUS_IS_OK(ret)) {
1144 return ret;
1145 }
1146 }
1147
1148 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1149
1150 memctx = talloc_new(ctx);
1151 if ( ! memctx) {
1152 DEBUG(0, ("Out of memory!\n"));
1153 return NT_STATUS_NO_MEMORY;
1154 }
1155
1156 uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
1157 gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
1158
1159 attr_list = get_attr_list(memctx, sidmap_attr_list);
1160
1161 if ( ! ids[1]) {
1162 /* if we are requested just one mapping use the simple filter */
1163
1164 filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
1165 LDAP_OBJ_IDMAP_ENTRY,
1166 LDAP_ATTRIBUTE_SID,
1167 sid_string_static(ids[0]->sid));
1168 CHECK_ALLOC_DONE(filter);
1169 DEBUG(10, ("Filter: [%s]\n", filter));
1170 } else {
1171 /* multiple mappings */
1172 multi = True;
1173 }
1174
1175 again:
1176 if (multi) {
1177
1178 TALLOC_FREE(filter);
1179 filter = talloc_asprintf(memctx,
1180 "(&(objectClass=%s)(|",
1181 LDAP_OBJ_IDMAP_ENTRY);
1182 CHECK_ALLOC_DONE(filter);
1183
1184 bidx = idx;
1185 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
1186 filter = talloc_asprintf_append(filter, "(%s=%s)",
1187 LDAP_ATTRIBUTE_SID,
1188 sid_string_static(ids[idx]->sid));
1189 CHECK_ALLOC_DONE(filter);
1190 }
1191 filter = talloc_asprintf_append(filter, "))");
1192 CHECK_ALLOC_DONE(filter);
1193 DEBUG(10, ("Filter: [%s]", filter));
1194 } else {
1195 bidx = 0;
1196 idx = 1;
1197 }
1198
1199 rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
1200 filter, attr_list, 0, &result);
1201
1202 if (rc != LDAP_SUCCESS) {
1203 DEBUG(3,("Failure looking up sids (%s)\n",
1204 ldap_err2string(rc)));
1205 ret = NT_STATUS_UNSUCCESSFUL;
1206 goto done;
1207 }
1208
1209 count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
1210
1211 if (count == 0) {
1212 DEBUG(10, ("NO SIDs found\n"));
1213 }
1214
1215 for (i = 0; i < count; i++) {
1216 char *sidstr = NULL;
1217 char *tmp = NULL;
1218 enum id_type type;
1219 struct id_map *map;
1220 DOM_SID sid;
1221 uint32_t id;
1222
1223 if (i == 0) { /* first entry */
1224 entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
1225 result);
1226 } else { /* following ones */
1227 entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
1228 entry);
1229 }
1230 if ( ! entry) {
1231 DEBUG(2, ("ERROR: Unable to fetch ldap entries "
1232 "from results\n"));
1233 break;
1234 }
1235
1236 /* first check if the SID is present */
1237 sidstr = smbldap_talloc_single_attribute(
1238 ctx->smbldap_state->ldap_struct,
1239 entry, LDAP_ATTRIBUTE_SID, memctx);
1240 if ( ! sidstr) { /* no sid ??, skip entry */
1241 DEBUG(2, ("WARNING SID not found on entry\n"));
1242 continue;
1243 }
1244
1245 if ( ! string_to_sid(&sid, sidstr)) {
1246 DEBUG(2, ("ERROR: Invalid SID on entry\n"));
1247 TALLOC_FREE(sidstr);
1248 continue;
1249 }
1250
1251 map = find_map_by_sid(&ids[bidx], &sid);
1252 if (!map) {
1253 DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
1254 "in ids", sidstr));
1255 TALLOC_FREE(sidstr);
1256 continue;
1257 }
1258
1259 TALLOC_FREE(sidstr);
1260
1261 /* now try to see if it is a uid, if not try with a gid
1262 * (gid is more common, but in case both uidNumber and
1263 * gidNumber are returned the SID is mapped to the uid
1264 * not the gid) */
1265 type = ID_TYPE_UID;
1266 tmp = smbldap_talloc_single_attribute(
1267 ctx->smbldap_state->ldap_struct,
1268 entry, uidNumber, memctx);
1269 if ( ! tmp) {
1270 type = ID_TYPE_GID;
1271 tmp = smbldap_talloc_single_attribute(
1272 ctx->smbldap_state->ldap_struct,
1273 entry, gidNumber, memctx);
1274 }
1275 if ( ! tmp) { /* no ids ?? */
1276 DEBUG(5, ("no uidNumber, "
1277 "nor gidNumber attributes found\n"));
1278 continue;
1279 }
1280
1281 id = strtoul(tmp, NULL, 10);
1282 if ((id == 0) ||
1283 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
1284 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
1285 DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
1286 "Filtered!\n", id,
1287 ctx->filter_low_id, ctx->filter_high_id));
1288 TALLOC_FREE(tmp);
1289 continue;
1290 }
1291 TALLOC_FREE(tmp);
1292
1293 /* mapped */
1294 map->xid.type = type;
1295 map->xid.id = id;
1296 map->status = ID_MAPPED;
1297
1298 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
1299 sid_string_static(map->sid),
1300 (unsigned long)map->xid.id, map->xid.type));
1301 }
1302
1303 /* free the ldap results */
1304 if (result) {
1305 ldap_msgfree(result);
1306 result = NULL;
1307 }
1308
1309 if (multi && ids[idx]) { /* still some values to map */
1310 goto again;
1311 }
1312
1313 ret = NT_STATUS_OK;
1314
1315 /* mark all unknwon/expired ones as unmapped */
1316 for (i = 0; ids[i]; i++) {
1317 if (ids[i]->status != ID_MAPPED)
1318 ids[i]->status = ID_UNMAPPED;
1319 }
1320
1321 done:
1322 talloc_free(memctx);
1323 return ret;
1324 }
1325
1326 /**********************************
1327 set a mapping.
1328 **********************************/
1329
1330 /* TODO: change this: This function cannot be called to modify a mapping,
1331 * only set a new one */
1332
1333 static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
1334 const struct id_map *map)
1335 {
1336 NTSTATUS ret;
1337 TALLOC_CTX *memctx;
1338 struct idmap_ldap_context *ctx;
1339 LDAPMessage *entry = NULL;
1340 LDAPMod **mods = NULL;
1341 const char *type;
1342 char *id_str;
1343 char *sid;
1344 char *dn;
1345 int rc = -1;
1346
1347 /* Only do query if we are online */
1348 if (idmap_is_offline()) {
1349 return NT_STATUS_FILE_IS_OFFLINE;
1350 }
1351
1352 /* Initilization my have been deferred because we were offline */
1353 if ( ! dom->initialized) {
1354 ret = idmap_ldap_db_init(dom);
1355 if ( ! NT_STATUS_IS_OK(ret)) {
1356 return ret;
1357 }
1358 }
1359
1360 ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
1361
1362 switch(map->xid.type) {
1363 case ID_TYPE_UID:
1364 type = get_attr_key2string(sidmap_attr_list,
1365 LDAP_ATTR_UIDNUMBER);
1366 break;
1367
1368 case ID_TYPE_GID:
1369 type = get_attr_key2string(sidmap_attr_list,
1370 LDAP_ATTR_GIDNUMBER);
1371 break;
1372
1373 default:
1374 return NT_STATUS_INVALID_PARAMETER;
1375 }
1376
1377 memctx = talloc_new(ctx);
1378 if ( ! memctx) {
1379 DEBUG(0, ("Out of memory!\n"));
1380 return NT_STATUS_NO_MEMORY;
1381 }
1382
1383 id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
1384 CHECK_ALLOC_DONE(id_str);
1385
1386 sid = talloc_strdup(memctx, sid_string_static(map->sid));
1387 CHECK_ALLOC_DONE(sid);
1388
1389 dn = talloc_asprintf(memctx, "%s=%s,%s",
1390 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1391 sid,
1392 ctx->suffix);
1393 CHECK_ALLOC_DONE(dn);
1394
1395 smbldap_set_mod(&mods, LDAP_MOD_ADD,
1396 "objectClass", LDAP_OBJ_IDMAP_ENTRY);
1397
1398 smbldap_make_mod(ctx->smbldap_state->ldap_struct,
1399 entry, &mods, type, id_str);
1400
1401 smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
1402 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
1403 sid);
1404
1405 if ( ! mods) {
1406 DEBUG(2, ("ERROR: No mods?\n"));
1407 ret = NT_STATUS_UNSUCCESSFUL;
1408 goto done;
1409 }
1410
1411 /* TODO: remove conflicting mappings! */
1412
1413 smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
1414
1415 DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
1416
1417 rc = smbldap_add(ctx->smbldap_state, dn, mods);
1418 ldap_mods_free(mods, True);
1419
1420 if (rc != LDAP_SUCCESS) {
1421 char *ld_error = NULL;
1422 ldap_get_option(ctx->smbldap_state->ldap_struct,
1423 LDAP_OPT_ERROR_STRING, &ld_error);
1424 DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
1425 "mapping [%s]\n", sid,
1426 (unsigned long)map->xid.id, type));
1427 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
1428 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
1429 if (ld_error) {
1430 ldap_memfree(ld_error);
1431 }
1432 ret = NT_STATUS_UNSUCCESSFUL;
1433 goto done;
1434 }
1435
1436 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
1437 "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
1438
1439 ret = NT_STATUS_OK;
1440
1441 done:
1442 talloc_free(memctx);
1443 return ret;
1444 }
1445
1446 /**********************************
1447 Close the idmap ldap instance
1448 **********************************/
1449
1450 static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
1451 {
1452 struct idmap_ldap_context *ctx;
1453
1454 if (dom->private_data) {
1455 ctx = talloc_get_type(dom->private_data,
1456 struct idmap_ldap_context);
1457
1458 talloc_free(ctx);
1459 dom->private_data = NULL;
1460 }
1461
1462 return NT_STATUS_OK;
1463 }
1464
1465 static struct idmap_methods idmap_ldap_methods = {
1466
1467 .init = idmap_ldap_db_init,
1468 .unixids_to_sids = idmap_ldap_unixids_to_sids,
1469 .sids_to_unixids = idmap_ldap_sids_to_unixids,
1470 .set_mapping = idmap_ldap_set_mapping,
1471 .close_fn = idmap_ldap_close
1472 };
1473
1474 static struct idmap_alloc_methods idmap_ldap_alloc_methods = {
1475
1476 .init = idmap_ldap_alloc_init,
1477 .allocate_id = idmap_ldap_allocate_id,
1478 .get_id_hwm = idmap_ldap_get_hwm,
1479 .set_id_hwm = idmap_ldap_set_hwm,
1480 .close_fn = idmap_ldap_alloc_close,
1481 /* .dump_data = TODO */
1482 };
1483
1484 NTSTATUS idmap_alloc_ldap_init(void)
1485 {
1486 return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1487 &idmap_ldap_alloc_methods);
1488 }
1489
1490 NTSTATUS idmap_ldap_init(void)
1491 {
1492 NTSTATUS ret;
1493
1494 /* FIXME: bad hack to actually register also the alloc_ldap module
1495 * without changining configure.in */
1496 ret = idmap_alloc_ldap_init();
1497 if (! NT_STATUS_IS_OK(ret)) {
1498 return ret;
1499 }
1500 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
1501 &idmap_ldap_methods);
1502 }
1503
Samba GIT mirror