2 * Unix SMB/CIFS implementation.
4 * Id mapping using LDAP records as defined in RFC 2307
6 * The SID<->uid/gid mapping is performed in two steps: 1) Query the
7 * AD server for the name<->sid mapping. 2) Query an LDAP server
8 * according to RFC 2307 for the name<->uid/gid mapping.
10 * Copyright (C) Christof Schmitt 2012,2013
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 3 of the License, or
15 * (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <http://www.gnu.org/licenses/>.
31 #include "nsswitch/winbind_client.h"
32 #include "lib/winbind_util.h"
35 * Config and connection info per domain.
37 struct idmap_rfc2307_context
{
38 const char *bind_path_user
;
39 const char *bind_path_group
;
40 const char *ldap_domain
;
45 * Pointer to ldap struct in ads or smbldap_state, has to be
46 * updated after connecting to server
50 /* Optional function to check connection to server */
51 NTSTATUS (*check_connection
)(struct idmap_domain
*dom
);
53 /* Issue ldap query */
54 NTSTATUS (*search
)(struct idmap_rfc2307_context
*ctx
,
55 const char *bind_path
, const char *expr
,
56 const char **attrs
, LDAPMessage
**res
);
58 /* Access to LDAP in AD server */
61 /* Access to stand-alone LDAP server */
62 struct smbldap_state
*smbldap_state
;
66 * backend functions for LDAP queries through ADS
69 static NTSTATUS
idmap_rfc2307_ads_check_connection(struct idmap_domain
*dom
)
71 struct idmap_rfc2307_context
*ctx
;
72 const char *dom_name
= dom
->name
;
75 DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
78 ctx
= talloc_get_type(dom
->private_data
, struct idmap_rfc2307_context
);
79 dom_name
= ctx
->ldap_domain
? ctx
->ldap_domain
: dom
->name
;
81 status
= ads_idmap_cached_connection(&ctx
->ads
, dom_name
);
82 if (ADS_ERR_OK(status
)) {
83 ctx
->ldap
= ctx
->ads
->ldap
.ld
;
85 DEBUG(1, ("Could not connect to domain %s: %s\n", dom
->name
,
89 return ads_ntstatus(status
);
92 static NTSTATUS
idmap_rfc2307_ads_search(struct idmap_rfc2307_context
*ctx
,
93 const char *bind_path
,
100 status
= ads_do_search_retry(ctx
->ads
, bind_path
,
101 LDAP_SCOPE_SUBTREE
, expr
, attrs
, result
);
103 if (!ADS_ERR_OK(status
)) {
104 return ads_ntstatus(status
);
107 ctx
->ldap
= ctx
->ads
->ldap
.ld
;
108 return ads_ntstatus(status
);
111 static NTSTATUS
idmap_rfc2307_init_ads(struct idmap_rfc2307_context
*ctx
,
114 const char *ldap_domain
;
116 ctx
->search
= idmap_rfc2307_ads_search
;
117 ctx
->check_connection
= idmap_rfc2307_ads_check_connection
;
119 ldap_domain
= lp_parm_const_string(-1, cfg_opt
, "ldap_domain",
122 ctx
->ldap_domain
= talloc_strdup(ctx
, ldap_domain
);
123 if (ctx
->ldap_domain
== NULL
) {
124 return NT_STATUS_NO_MEMORY
;
132 * backend function for LDAP queries through stand-alone LDAP server
135 static NTSTATUS
idmap_rfc2307_ldap_search(struct idmap_rfc2307_context
*ctx
,
136 const char *bind_path
,
139 LDAPMessage
**result
)
143 ret
= smbldap_search(ctx
->smbldap_state
, bind_path
, LDAP_SCOPE_SUBTREE
,
144 expr
, attrs
, 0, result
);
145 ctx
->ldap
= ctx
->smbldap_state
->ldap_struct
;
147 if (ret
== LDAP_SUCCESS
) {
151 return NT_STATUS_LDAP(ret
);
154 static bool idmap_rfc2307_get_uint32(LDAP
*ldap
, LDAPMessage
*entry
,
155 const char *field
, uint32_t *value
)
160 b
= smbldap_get_single_attribute(ldap
, entry
, field
, str
, sizeof(str
));
169 static NTSTATUS
idmap_rfc2307_init_ldap(struct idmap_rfc2307_context
*ctx
,
170 struct idmap_domain
*dom
,
171 const char *config_option
)
176 const char *ldap_url
, *user_dn
;
177 TALLOC_CTX
*mem_ctx
= ctx
;
179 ldap_url
= lp_parm_const_string(-1, config_option
, "ldap_url", NULL
);
181 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
182 return NT_STATUS_UNSUCCESSFUL
;
185 url
= talloc_strdup(talloc_tos(), ldap_url
);
187 user_dn
= lp_parm_const_string(-1, config_option
, "ldap_user_dn", NULL
);
189 secret
= idmap_fetch_secret("ldap", dom
->name
, user_dn
);
191 ret
= NT_STATUS_ACCESS_DENIED
;
196 /* assume anonymous if we don't have a specified user */
197 ret
= smbldap_init(mem_ctx
, winbind_event_context(), url
,
198 (user_dn
== NULL
), user_dn
, secret
,
199 &ctx
->smbldap_state
);
201 if (!NT_STATUS_IS_OK(ret
)) {
202 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", url
));
206 ctx
->search
= idmap_rfc2307_ldap_search
;
214 * common code for stand-alone LDAP and ADS
217 static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context
*ctx
,
221 const char *dom_name
,
222 const char **attrs
, int type
)
227 count
= ldap_count_entries(ctx
->ldap
, result
);
229 for (i
= 0; i
< count
; i
++) {
231 enum lsa_SidType lsa_type
;
237 entry
= ldap_first_entry(ctx
->ldap
, result
);
239 entry
= ldap_next_entry(ctx
->ldap
, result
);
242 DEBUG(2, ("Unable to fetch entry.\n"));
246 name
= smbldap_talloc_single_attribute(ctx
->ldap
, entry
,
249 DEBUG(1, ("Could not get user name\n"));
253 b
= idmap_rfc2307_get_uint32(ctx
->ldap
, entry
, attrs
[1], &id
);
255 DEBUG(1, ("Could not pull id for record %s\n", name
));
259 map
= idmap_find_map_by_id(ids
, type
, id
);
261 DEBUG(1, ("Could not find id %d, name %s\n", id
, name
));
265 if (ctx
->realm
!= NULL
) {
266 /* Strip @realm from user or group name */
269 delim
= strchr(name
, '@');
275 /* by default calls to winbindd are disabled
276 the following call will not recurse so this is safe */
278 /* Lookup name from PDC using lsa_lookup_names() */
279 b
= winbind_lookup_name(dom_name
, name
, map
->sid
, &lsa_type
);
283 DEBUG(1, ("SID lookup failed for id %d, %s\n",
288 if (type
== ID_TYPE_UID
&& lsa_type
!= SID_NAME_USER
) {
289 DEBUG(1, ("Wrong type %d for user name %s\n",
294 if (type
== ID_TYPE_GID
&& lsa_type
!= SID_NAME_DOM_GRP
&&
295 lsa_type
!= SID_NAME_ALIAS
&&
296 lsa_type
!= SID_NAME_WKN_GRP
) {
297 DEBUG(1, ("Wrong type %d for group name %s\n",
302 map
->status
= ID_MAPPED
;
307 * Map unixids to names and then to sids.
309 static NTSTATUS
idmap_rfc2307_unixids_to_sids(struct idmap_domain
*dom
,
312 struct idmap_rfc2307_context
*ctx
;
313 char *fltr_usr
= NULL
, *fltr_grp
= NULL
;
315 int cnt_usr
= 0, cnt_grp
= 0, idx
= 0, bidx
= 0;
316 LDAPMessage
*result
= NULL
;
319 ctx
= talloc_get_type(dom
->private_data
, struct idmap_rfc2307_context
);
320 mem_ctx
= talloc_new(ctx
);
322 return NT_STATUS_NO_MEMORY
;
325 if (ctx
->check_connection
) {
326 ret
= ctx
->check_connection(dom
);
327 if (!NT_STATUS_IS_OK(ret
)) {
336 /* prepare new user query, see getpwuid() in RFC2307 */
337 fltr_usr
= talloc_asprintf(mem_ctx
,
338 "(&(objectClass=posixAccount)(|");
342 /* prepare new group query, see getgrgid() in RFC2307 */
343 fltr_grp
= talloc_asprintf(mem_ctx
,
344 "(&(objectClass=posixGroup)(|");
347 if (!fltr_usr
|| !fltr_grp
) {
348 ret
= NT_STATUS_NO_MEMORY
;
352 while (cnt_usr
< IDMAP_LDAP_MAX_IDS
&&
353 cnt_grp
< IDMAP_LDAP_MAX_IDS
&& ids
[idx
]) {
355 switch (ids
[idx
]->xid
.type
) {
357 fltr_usr
= talloc_asprintf_append_buffer(fltr_usr
,
358 "(uidNumber=%d)", ids
[idx
]->xid
.id
);
362 fltr_grp
= talloc_asprintf_append_buffer(fltr_grp
,
363 "(gidNumber=%d)", ids
[idx
]->xid
.id
);
367 DEBUG(3, ("Error: unknown ID type %d\n",
368 ids
[idx
]->xid
.type
));
369 ret
= NT_STATUS_UNSUCCESSFUL
;
373 if (!fltr_usr
|| !fltr_grp
) {
374 ret
= NT_STATUS_NO_MEMORY
;
381 if (cnt_usr
== IDMAP_LDAP_MAX_IDS
|| (cnt_usr
!= 0 && !ids
[idx
])) {
382 const char *attrs
[] = { NULL
, /* uid or cn */
386 fltr_usr
= talloc_strdup_append(fltr_usr
, "))");
388 ret
= NT_STATUS_NO_MEMORY
;
392 attrs
[0] = ctx
->user_cn
? "cn" : "uid";
393 ret
= ctx
->search(ctx
, ctx
->bind_path_user
, fltr_usr
, attrs
,
395 if (!NT_STATUS_IS_OK(ret
)) {
399 idmap_rfc2307_map_sid_results(ctx
, mem_ctx
, &ids
[bidx
], result
,
400 dom
->name
, attrs
, ID_TYPE_UID
);
402 TALLOC_FREE(fltr_usr
);
405 if (cnt_grp
== IDMAP_LDAP_MAX_IDS
|| (cnt_grp
!= 0 && !ids
[idx
])) {
406 const char *attrs
[] = { "cn", "gidNumber", NULL
};
408 fltr_grp
= talloc_strdup_append(fltr_grp
, "))");
410 ret
= NT_STATUS_NO_MEMORY
;
413 ret
= ctx
->search(ctx
, ctx
->bind_path_group
, fltr_grp
, attrs
,
415 if (!NT_STATUS_IS_OK(ret
)) {
419 idmap_rfc2307_map_sid_results(ctx
, mem_ctx
, &ids
[bidx
], result
,
420 dom
->name
, attrs
, ID_TYPE_GID
);
422 TALLOC_FREE(fltr_grp
);
432 talloc_free(mem_ctx
);
436 struct idmap_rfc2307_map
{
443 * Lookup names for SIDS and store the data in the local mapping
446 static NTSTATUS
idmap_rfc_2307_sids_to_names(TALLOC_CTX
*mem_ctx
,
448 struct idmap_rfc2307_map
*maps
,
449 struct idmap_rfc2307_context
*ctx
)
453 for (i
= 0; ids
[i
]; i
++) {
454 const char *domain
, *name
;
455 enum lsa_SidType lsa_type
;
456 struct id_map
*id
= ids
[i
];
457 struct idmap_rfc2307_map
*map
= &maps
[i
];
460 /* by default calls to winbindd are disabled
461 the following call will not recurse so this is safe */
463 b
= winbind_lookup_sid(mem_ctx
, ids
[i
]->sid
, &domain
, &name
,
468 DEBUG(1, ("Lookup sid %s failed.\n",
469 sid_string_dbg(ids
[i
]->sid
)));
475 id
->xid
.type
= map
->type
= ID_TYPE_UID
;
476 if (ctx
->user_cn
&& ctx
->realm
!= NULL
) {
477 name
= talloc_asprintf(mem_ctx
, "%s@%s",
480 id
->xid
.type
= map
->type
= ID_TYPE_UID
;
483 case SID_NAME_DOM_GRP
:
485 case SID_NAME_WKN_GRP
:
486 if (ctx
->realm
!= NULL
) {
487 name
= talloc_asprintf(mem_ctx
, "%s@%s",
490 id
->xid
.type
= map
->type
= ID_TYPE_GID
;
494 DEBUG(1, ("Unknown lsa type %d for sid %s\n",
495 lsa_type
, sid_string_dbg(id
->sid
)));
496 id
->status
= ID_UNMAPPED
;
501 id
->status
= ID_UNKNOWN
;
502 map
->name
= strupper_talloc(mem_ctx
, name
);
505 return NT_STATUS_NO_MEMORY
;
513 * Find id_map entry by looking up the name in the internal
516 static struct id_map
* idmap_rfc2307_find_map(struct idmap_rfc2307_map
*maps
,
522 DEBUG(10, ("Looking for name %s, type %d\n", name
, type
));
524 for (i
= 0; i
< IDMAP_LDAP_MAX_IDS
; i
++) {
525 if (maps
[i
].map
== NULL
) { /* end of the run */
528 DEBUG(10, ("Entry %d: name %s, type %d\n",
529 i
, maps
[i
].name
, maps
[i
].type
));
530 if (type
== maps
[i
].type
&& strcmp(name
, maps
[i
].name
) == 0) {
538 static void idmap_rfc2307_map_xid_results(struct idmap_rfc2307_context
*ctx
,
540 struct idmap_rfc2307_map
*maps
,
542 struct idmap_domain
*dom
,
543 const char **attrs
, enum id_type type
)
548 count
= ldap_count_entries(ctx
->ldap
, result
);
550 for (i
= 0; i
< count
; i
++) {
554 struct id_map
*id_map
;
557 entry
= ldap_first_entry(ctx
->ldap
, result
);
559 entry
= ldap_next_entry(ctx
->ldap
, result
);
562 DEBUG(2, ("Unable to fetch entry.\n"));
566 name
= smbldap_talloc_single_attribute(ctx
->ldap
, entry
,
569 DEBUG(1, ("Could not get user name\n"));
573 b
= idmap_rfc2307_get_uint32(ctx
->ldap
, entry
, attrs
[1], &id
);
575 DEBUG(5, ("Could not pull id for record %s\n", name
));
579 if (!idmap_unix_id_is_in_range(id
, dom
)) {
580 DEBUG(5, ("Requested id (%u) out of range (%u - %u).\n",
581 id
, dom
->low_id
, dom
->high_id
));
585 if (!strupper_m(name
)) {
586 DEBUG(5, ("Could not convert %s to uppercase\n", name
));
589 id_map
= idmap_rfc2307_find_map(maps
, type
, name
);
591 DEBUG(0, ("Could not find mapping entry for name %s\n",
597 id_map
->status
= ID_MAPPED
;
602 * Map sids to names and then to unixids.
604 static NTSTATUS
idmap_rfc2307_sids_to_unixids(struct idmap_domain
*dom
,
607 struct idmap_rfc2307_context
*ctx
;
609 struct idmap_rfc2307_map
*int_maps
;
610 int cnt_usr
= 0, cnt_grp
= 0, idx
= 0;
611 char *fltr_usr
= NULL
, *fltr_grp
= NULL
;
615 ctx
= talloc_get_type(dom
->private_data
, struct idmap_rfc2307_context
);
616 mem_ctx
= talloc_new(talloc_tos());
618 return NT_STATUS_NO_MEMORY
;
621 if (ctx
->check_connection
) {
622 ret
= ctx
->check_connection(dom
);
623 if (!NT_STATUS_IS_OK(ret
)) {
628 for (i
= 0; ids
[i
]; i
++);
629 int_maps
= talloc_zero_array(mem_ctx
, struct idmap_rfc2307_map
, i
);
631 ret
= NT_STATUS_NO_MEMORY
;
635 ret
= idmap_rfc_2307_sids_to_names(mem_ctx
, ids
, int_maps
, ctx
);
636 if (!NT_STATUS_IS_OK(ret
)) {
642 /* prepare new user query, see getpwuid() in RFC2307 */
643 fltr_usr
= talloc_asprintf(mem_ctx
,
644 "(&(objectClass=posixAccount)(|");
648 /* prepare new group query, see getgrgid() in RFC2307 */
649 fltr_grp
= talloc_asprintf(mem_ctx
,
650 "(&(objectClass=posixGroup)(|");
653 if (!fltr_usr
|| !fltr_grp
) {
654 ret
= NT_STATUS_NO_MEMORY
;
658 while (cnt_usr
< IDMAP_LDAP_MAX_IDS
&&
659 cnt_grp
< IDMAP_LDAP_MAX_IDS
&& ids
[idx
]) {
660 struct id_map
*id
= ids
[idx
];
661 struct idmap_rfc2307_map
*map
= &int_maps
[idx
];
663 switch(id
->xid
.type
) {
665 fltr_usr
= talloc_asprintf_append_buffer(fltr_usr
,
666 "(%s=%s)", (ctx
->user_cn
? "cn" : "uid"),
672 fltr_grp
= talloc_asprintf_append_buffer(fltr_grp
,
673 "(cn=%s)", map
->name
);
681 if (!fltr_usr
|| !fltr_grp
) {
682 ret
= NT_STATUS_NO_MEMORY
;
689 if (cnt_usr
== IDMAP_LDAP_MAX_IDS
|| (cnt_usr
!= 0 && !ids
[idx
])) {
690 const char *attrs
[] = { NULL
, /* uid or cn */
695 fltr_usr
= talloc_strdup_append(fltr_usr
, "))");
697 ret
= NT_STATUS_NO_MEMORY
;
701 attrs
[0] = ctx
->user_cn
? "cn" : "uid";
702 ret
= ctx
->search(ctx
, ctx
->bind_path_user
, fltr_usr
, attrs
,
704 if (!NT_STATUS_IS_OK(ret
)) {
708 idmap_rfc2307_map_xid_results(ctx
, mem_ctx
, int_maps
,
709 result
, dom
, attrs
, ID_TYPE_UID
);
712 TALLOC_FREE(fltr_usr
);
715 if (cnt_grp
== IDMAP_LDAP_MAX_IDS
|| (cnt_grp
!= 0 && !ids
[idx
])) {
716 const char *attrs
[] = {"cn", "gidNumber", NULL
};
719 fltr_grp
= talloc_strdup_append(fltr_grp
, "))");
721 ret
= NT_STATUS_NO_MEMORY
;
725 ret
= ctx
->search(ctx
, ctx
->bind_path_group
, fltr_grp
, attrs
,
727 if (!NT_STATUS_IS_OK(ret
)) {
731 idmap_rfc2307_map_xid_results(ctx
, mem_ctx
, int_maps
, result
,
732 dom
, attrs
, ID_TYPE_GID
);
734 TALLOC_FREE(fltr_grp
);
744 talloc_free(mem_ctx
);
748 static int idmap_rfc2307_context_destructor(struct idmap_rfc2307_context
*ctx
)
750 if (ctx
->ads
!= NULL
) {
751 /* we own this ADS_STRUCT so make sure it goes away */
752 ctx
->ads
->is_mine
= True
;
753 ads_destroy( &ctx
->ads
);
757 if (ctx
->smbldap_state
!= NULL
) {
758 smbldap_free_struct(&ctx
->smbldap_state
);
764 static NTSTATUS
idmap_rfc2307_initialize(struct idmap_domain
*domain
)
766 struct idmap_rfc2307_context
*ctx
;
768 const char *bind_path_user
, *bind_path_group
, *ldap_server
, *realm
;
771 ctx
= talloc_zero(domain
, struct idmap_rfc2307_context
);
773 return NT_STATUS_NO_MEMORY
;
775 talloc_set_destructor(ctx
, idmap_rfc2307_context_destructor
);
777 cfg_opt
= talloc_asprintf(ctx
, "idmap config %s", domain
->name
);
778 if (cfg_opt
== NULL
) {
779 status
= NT_STATUS_NO_MEMORY
;
783 bind_path_user
= lp_parm_const_string(-1, cfg_opt
, "bind_path_user",
785 if (bind_path_user
) {
786 ctx
->bind_path_user
= talloc_strdup(ctx
, bind_path_user
);
787 if (ctx
->bind_path_user
== NULL
) {
788 status
= NT_STATUS_NO_MEMORY
;
792 status
= NT_STATUS_INVALID_PARAMETER
;
796 bind_path_group
= lp_parm_const_string(-1, cfg_opt
, "bind_path_group",
798 if (bind_path_group
) {
799 ctx
->bind_path_group
= talloc_strdup(ctx
, bind_path_group
);
800 if (ctx
->bind_path_group
== NULL
) {
801 status
= NT_STATUS_NO_MEMORY
;
805 status
= NT_STATUS_INVALID_PARAMETER
;
809 ldap_server
= lp_parm_const_string(-1, cfg_opt
, "ldap_server", NULL
);
811 status
= NT_STATUS_INVALID_PARAMETER
;
815 if (strcmp(ldap_server
, "stand-alone") == 0) {
816 status
= idmap_rfc2307_init_ldap(ctx
, domain
, cfg_opt
);
818 } else if (strcmp(ldap_server
, "ad") == 0) {
819 status
= idmap_rfc2307_init_ads(ctx
, cfg_opt
);
822 status
= NT_STATUS_INVALID_PARAMETER
;
825 if (!NT_STATUS_IS_OK(status
)) {
829 realm
= lp_parm_const_string(-1, cfg_opt
, "realm", NULL
);
831 ctx
->realm
= talloc_strdup(ctx
, realm
);
832 if (ctx
->realm
== NULL
) {
833 status
= NT_STATUS_NO_MEMORY
;
838 ctx
->user_cn
= lp_parm_bool(-1, cfg_opt
, "user_cn", false);
840 domain
->private_data
= ctx
;
841 talloc_free(cfg_opt
);
845 talloc_free(cfg_opt
);
850 static struct idmap_methods rfc2307_methods
= {
851 .init
= idmap_rfc2307_initialize
,
852 .unixids_to_sids
= idmap_rfc2307_unixids_to_sids
,
853 .sids_to_unixids
= idmap_rfc2307_sids_to_unixids
,
857 NTSTATUS
idmap_rfc2307_init(void)
859 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION
, "rfc2307",