search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix for bug 680 (heads up). This gist is to map the
[Samba.git] / source / sam / idmap_ldap.c
blob2a94de755ac1da1f9fb1ad740d290d9c12729a3d
1 /*
2 Unix SMB/CIFS implementation.
3
4 idmap LDAP backend
5
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Simo Sorce 2003
9 Copyright (C) Gerald Carter 2003
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "includes.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_IDMAP
30
31
32 #include <lber.h>
33 #include <ldap.h>
34
35 #include "smbldap.h"
36
37 struct ldap_idmap_state {
38 struct smbldap_state *smbldap_state;
39 TALLOC_CTX *mem_ctx;
40 };
41
42 static struct ldap_idmap_state ldap_state;
43
44 /* number tries while allocating new id */
45 #define LDAP_MAX_ALLOC_ID 128
46
47
48 /***********************************************************************
49 This function cannot be called to modify a mapping, only set a new one
50 ***********************************************************************/
51
52 static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
53 {
54 pstring dn;
55 pstring id_str;
56 fstring type;
57 LDAPMod **mods = NULL;
58 int rc = -1;
59 int ldap_op;
60 fstring sid_string;
61 LDAPMessage *entry = NULL;
62
63 sid_to_string( sid_string, sid );
64
65 ldap_op = LDAP_MOD_ADD;
66 pstr_sprintf(dn, "%s=%s,%s", get_attr_key2string( sidmap_attr_list, LDAP_ATTR_SID),
67 sid_string, lp_ldap_idmap_suffix());
68
69 if ( id_type & ID_USERID )
70 fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_UIDNUMBER ) );
71 else
72 fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_GIDNUMBER ) );
73
74 pstr_sprintf(id_str, "%lu", ((id_type & ID_USERID) ? (unsigned long)id.uid :
75 (unsigned long)id.gid));
76
77 smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY );
78
79 smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
80 entry, &mods, type, id_str );
81
82 smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
83 entry, &mods,
84 get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
85 sid_string );
86
87 /* There may well be nothing at all to do */
88
89 if (mods) {
90 smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY );
91 rc = smbldap_add(ldap_state.smbldap_state, dn, mods);
92 ldap_mods_free( mods, True );
93 } else {
94 rc = LDAP_SUCCESS;
95 }
96
97 if (rc != LDAP_SUCCESS) {
98 char *ld_error = NULL;
99 ldap_get_option(ldap_state.smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
100 &ld_error);
101 DEBUG(0,("ldap_set_mapping_internals: Failed to %s mapping from %s to %lu [%s]\n",
102 (ldap_op == LDAP_MOD_ADD) ? "add" : "replace",
103 sid_string, (unsigned long)((id_type & ID_USERID) ? id.uid : id.gid), type));
104 DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
105 ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
106 return NT_STATUS_UNSUCCESSFUL;
107 }
108
109 DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
110 sid_string, ((id_type & ID_USERID) ? (unsigned long)id.uid :
111 (unsigned long)id.gid), type));
112
113 return NT_STATUS_OK;
114 }
115
116 /**********************************************************************
117 Even if the sambaDomain attribute in LDAP tells us that this RID is
118 safe to use, always check before use.
119 *********************************************************************/
120
121 static BOOL sid_in_use(struct ldap_idmap_state *state,
122 const DOM_SID *sid, int *error)
123 {
124 fstring filter;
125 fstring sid_string;
126 LDAPMessage *result = NULL;
127 int count;
128 int rc;
129 char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL};
130
131 slprintf(filter, sizeof(filter)-1, "(%s=%s)", LDAP_ATTRIBUTE_SID, sid_to_string(sid_string, sid));
132
133 rc = smbldap_search_suffix(state->smbldap_state,
134 filter, sid_attr, &result);
135
136 if (rc != LDAP_SUCCESS) {
137 char *ld_error = NULL;
138 ldap_get_option(state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
139 DEBUG(2, ("Failed to check if sid %s is alredy in use: %s\n",
140 sid_string, ld_error));
141 SAFE_FREE(ld_error);
142
143 *error = rc;
144 return True;
145 }
146
147 if ((count = ldap_count_entries(state->smbldap_state->ldap_struct, result)) > 0) {
148 DEBUG(3, ("Sid %s already in use - trying next RID\n",
149 sid_string));
150 ldap_msgfree(result);
151 return True;
152 }
153
154 ldap_msgfree(result);
155
156 /* good, sid is not in use */
157 return False;
158 }
159
160 /**********************************************************************
161 Set the new nextRid attribute, and return one we can use.
162
163 This also checks that this RID is actually free - in case the admin
164 manually stole it :-).
165 *********************************************************************/
166
167 static NTSTATUS ldap_next_rid(struct ldap_idmap_state *state, uint32 *rid,
168 int rid_type)
169 {
170 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
171 int rc;
172 LDAPMessage *domain_result = NULL;
173 LDAPMessage *entry = NULL;
174 char *dn;
175 LDAPMod **mods = NULL;
176 fstring old_rid_string;
177 fstring next_rid_string;
178 fstring algorithmic_rid_base_string;
179 uint32 next_rid;
180 uint32 alg_rid_base;
181 int attempts = 0;
182 char *ld_error = NULL;
183
184 while (attempts < 10) {
185 if (!NT_STATUS_IS_OK(ret = smbldap_search_domain_info(state->smbldap_state,
186 &domain_result, get_global_sam_name(), True))) {
187 return ret;
188 }
189
190 entry = ldap_first_entry(state->smbldap_state->ldap_struct, domain_result);
191 if (!entry) {
192 DEBUG(0, ("Could not get domain info entry\n"));
193 ldap_msgfree(domain_result);
194 return ret;
195 }
196
197 if ((dn = smbldap_get_dn(state->smbldap_state->ldap_struct, entry)) == NULL) {
198 DEBUG(0, ("Could not get domain info DN\n"));
199 ldap_msgfree(domain_result);
200 return ret;
201 }
202
203 /* yes, we keep 3 seperate counters, one for rids between 1000 (BASE_RID) and
204 algorithmic_rid_base. The other two are to avoid stomping on the
205 different sets of algorithmic RIDs */
206
207 if (smbldap_get_single_attribute(state->smbldap_state->ldap_struct, entry,
208 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE),
209 algorithmic_rid_base_string)) {
210
211 alg_rid_base = (uint32)atol(algorithmic_rid_base_string);
212 } else {
213 alg_rid_base = algorithmic_rid_base();
214 /* Try to make the modification atomically by enforcing the
215 old value in the delete mod. */
216 slprintf(algorithmic_rid_base_string, sizeof(algorithmic_rid_base_string)-1, "%d", alg_rid_base);
217 smbldap_make_mod(state->smbldap_state->ldap_struct, entry, &mods,
218 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_ALGORITHMIC_RID_BASE),
219 algorithmic_rid_base_string);
220 }
221
222 next_rid = 0;
223
224 if (alg_rid_base > BASE_RID) {
225 /* we have a non-default 'algorithmic rid base', so we have 'low' rids that we
226 can allocate to new users */
227 if (smbldap_get_single_attribute(state->smbldap_state->ldap_struct, entry,
228 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_RID),
229 old_rid_string)) {
230 *rid = (uint32)atol(old_rid_string);
231 } else {
232 *rid = BASE_RID;
233 }
234
235 next_rid = *rid+1;
236 if (next_rid >= alg_rid_base) {
237 return NT_STATUS_UNSUCCESSFUL;
238 }
239
240 slprintf(next_rid_string, sizeof(next_rid_string)-1, "%d", next_rid);
241
242 /* Try to make the modification atomically by enforcing the
243 old value in the delete mod. */
244 smbldap_make_mod(state->smbldap_state->ldap_struct, entry, &mods,
245 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_RID),
246 next_rid_string);
247 }
248
249 if (!next_rid) { /* not got one already */
250 switch (rid_type) {
251 case USER_RID_TYPE:
252 if (smbldap_get_single_attribute(state->smbldap_state->ldap_struct, entry,
253 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID),
254 old_rid_string)) {
255 *rid = (uint32)atol(old_rid_string);
256 }
257 break;
258 case GROUP_RID_TYPE:
259 if (smbldap_get_single_attribute(state->smbldap_state->ldap_struct, entry,
260 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
261 old_rid_string)) {
262 *rid = (uint32)atol(old_rid_string);
263 }
264 break;
265 }
266
267 /* This is the core of the whole routine. If we had
268 scheme-style closures, there would be a *lot* less code
269 duplication... */
270
271 next_rid = *rid+RID_MULTIPLIER;
272 slprintf(next_rid_string, sizeof(next_rid_string)-1, "%d", next_rid);
273
274 switch (rid_type) {
275 case USER_RID_TYPE:
276 /* Try to make the modification atomically by enforcing the
277 old value in the delete mod. */
278 smbldap_make_mod(state->smbldap_state->ldap_struct, entry, &mods,
279 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID),
280 next_rid_string);
281 break;
282
283 case GROUP_RID_TYPE:
284 /* Try to make the modification atomically by enforcing the
285 old value in the delete mod. */
286 smbldap_make_mod(state->smbldap_state->ldap_struct, entry, &mods,
287 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID),
288 next_rid_string);
289 break;
290 }
291 }
292
293 if ((rc = smbldap_modify(state->smbldap_state, dn, mods)) == LDAP_SUCCESS) {
294 DOM_SID dom_sid;
295 DOM_SID sid;
296 pstring domain_sid_string;
297 int error = 0;
298
299 if (!smbldap_get_single_attribute(state->smbldap_state->ldap_struct, domain_result,
300 get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID),
301 domain_sid_string)) {
302 ldap_mods_free(mods, True);
303 SAFE_FREE(dn);
304 ldap_msgfree(domain_result);
305 return ret;
306 }
307
308 if (!string_to_sid(&dom_sid, domain_sid_string)) {
309 ldap_mods_free(mods, True);
310 SAFE_FREE(dn);
311 ldap_msgfree(domain_result);
312 return ret;
313 }
314
315 ldap_mods_free(mods, True);
316 mods = NULL;
317 SAFE_FREE(dn);
318 ldap_msgfree(domain_result);
319
320 sid_copy(&sid, &dom_sid);
321 sid_append_rid(&sid, *rid);
322
323 /* check RID is not in use */
324 if (sid_in_use(state, &sid, &error)) {
325 if (error) {
326 return ret;
327 }
328 continue;
329 }
330
331 return NT_STATUS_OK;
332 }
333
334 ld_error = NULL;
335 ldap_get_option(state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
336 DEBUG(2, ("Failed to modify rid: %s\n", ld_error ? ld_error : "(NULL"));
337 SAFE_FREE(ld_error);
338
339 ldap_mods_free(mods, True);
340 mods = NULL;
341
342 SAFE_FREE(dn);
343
344 ldap_msgfree(domain_result);
345 domain_result = NULL;
346
347 {
348 /* Sleep for a random timeout */
349 unsigned sleeptime = (sys_random()*sys_getpid()*attempts);
350 attempts += 1;
351
352 sleeptime %= 100;
353 msleep(sleeptime);
354 }
355 }
356
357 DEBUG(0, ("Failed to set new RID\n"));
358 return ret;
359 }
360
361
362 /*****************************************************************************
363 Allocate a new RID
364 *****************************************************************************/
365
366 static NTSTATUS ldap_allocate_rid(uint32 *rid, int rid_type)
367 {
368 return ldap_next_rid( &ldap_state, rid, rid_type );
369 }
370
371 /*****************************************************************************
372 Allocate a new uid or gid
373 *****************************************************************************/
374
375 static NTSTATUS ldap_allocate_id(unid_t *id, int id_type)
376 {
377 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
378 int rc = LDAP_SERVER_DOWN;
379 int count = 0;
380 LDAPMessage *result = NULL;
381 LDAPMessage *entry = NULL;
382 pstring id_str, new_id_str;
383 LDAPMod **mods = NULL;
384 const char *type;
385 char *dn;
386 char **attr_list;
387 pstring filter;
388 uid_t luid, huid;
389 gid_t lgid, hgid;
390
391
392 type = (id_type & ID_USERID) ?
393 get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER ) :
394 get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
395
396 pstr_sprintf(filter, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
397
398 attr_list = get_attr_list( idpool_attr_list );
399
400 rc = smbldap_search(ldap_state.smbldap_state, lp_ldap_idmap_suffix(),
401 LDAP_SCOPE_SUBTREE, filter,
402 attr_list, 0, &result);
403 free_attr_list( attr_list );
404
405 if (rc != LDAP_SUCCESS) {
406 DEBUG(0,("ldap_allocate_id: %s object not found\n", LDAP_OBJ_IDPOOL));
407 goto out;
408 }
409
410 count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
411 if (count != 1) {
412 DEBUG(0,("ldap_allocate_id: single %s object not found\n", LDAP_OBJ_IDPOOL));
413 goto out;
414 }
415
416 dn = smbldap_get_dn(ldap_state.smbldap_state->ldap_struct, result);
417 if (!dn) {
418 goto out;
419 }
420 entry = ldap_first_entry(ldap_state.smbldap_state->ldap_struct, result);
421
422 if (!smbldap_get_single_attribute(ldap_state.smbldap_state->ldap_struct, entry, type, id_str)) {
423 DEBUG(0,("ldap_allocate_id: %s attribute not found\n",
424 type));
425 goto out;
426 }
427
428 /* this must succeed or else we wouldn't have initialized */
429
430 lp_idmap_uid( &luid, &huid);
431 lp_idmap_gid( &lgid, &hgid);
432
433 /* make sure we still have room to grow */
434
435 if (id_type & ID_USERID) {
436 id->uid = strtoul(id_str, NULL, 10);
437 if (id->uid > huid ) {
438 DEBUG(0,("ldap_allocate_id: Cannot allocate uid above %lu!\n",
439 (unsigned long)huid));
440 goto out;
441 }
442 }
443 else {
444 id->gid = strtoul(id_str, NULL, 10);
445 if (id->gid > hgid ) {
446 DEBUG(0,("ldap_allocate_id: Cannot allocate gid above %lu!\n",
447 (unsigned long)hgid));
448 goto out;
449 }
450 }
451
452 pstr_sprintf(new_id_str, "%lu",
453 ((id_type & ID_USERID) ? (unsigned long)id->uid :
454 (unsigned long)id->gid) + 1);
455
456 smbldap_set_mod( &mods, LDAP_MOD_DELETE, type, id_str );
457 smbldap_set_mod( &mods, LDAP_MOD_ADD, type, new_id_str );
458
459 rc = smbldap_modify(ldap_state.smbldap_state, dn, mods);
460
461 SAFE_FREE(dn);
462 ldap_mods_free( mods, True );
463
464 if (rc != LDAP_SUCCESS) {
465 DEBUG(0,("ldap_allocate_id: Failed to allocate new %s. ldap_modify() failed.\n",
466 type));
467 goto out;
468 }
469
470 ret = NT_STATUS_OK;
471 out:
472 return ret;
473 }
474
475 /*****************************************************************************
476 get a sid from an id
477 *****************************************************************************/
478
479 static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
480 {
481 LDAPMessage *result = NULL;
482 LDAPMessage *entry = NULL;
483 pstring sid_str;
484 pstring filter;
485 pstring suffix;
486 const char *type;
487 int rc;
488 int count;
489 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
490 char **attr_list;
491
492 if ( id_type & ID_USERID )
493 type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER );
494 else
495 type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
496
497 pstrcpy( suffix, lp_ldap_idmap_suffix() );
498 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
499 LDAP_OBJ_IDMAP_ENTRY, type,
500 ((id_type & ID_USERID) ? (unsigned long)id.uid : (unsigned long)id.gid));
501
502
503 DEBUG(5,("ldap_get_sid_from_id: Searching \"%s\"\n", filter ));
504
505 attr_list = get_attr_list( sidmap_attr_list );
506 rc = smbldap_search(ldap_state.smbldap_state, suffix, LDAP_SCOPE_SUBTREE,
507 filter, attr_list, 0, &result);
508
509 if (rc != LDAP_SUCCESS) {
510 DEBUG(3,("ldap_get_isd_from_id: Failure looking up entry (%s)\n",
511 ldap_err2string(rc) ));
512 goto out;
513 }
514
515 count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
516
517 if (count != 1) {
518 DEBUG(0,("ldap_get_sid_from_id: mapping not found for %s: %lu\n",
519 type, ((id_type & ID_USERID) ? (unsigned long)id.uid :
520 (unsigned long)id.gid)));
521 goto out;
522 }
523
524 entry = ldap_first_entry(ldap_state.smbldap_state->ldap_struct, result);
525
526 if ( !smbldap_get_single_attribute(ldap_state.smbldap_state->ldap_struct, entry, LDAP_ATTRIBUTE_SID, sid_str) )
527 goto out;
528
529 if (!string_to_sid(sid, sid_str))
530 goto out;
531
532 ret = NT_STATUS_OK;
533 out:
534 free_attr_list( attr_list );
535
536 if (result)
537 ldap_msgfree(result);
538
539 return ret;
540 }
541
542 /***********************************************************************
543 Get an id from a sid
544 ***********************************************************************/
545
546 static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *sid)
547 {
548 LDAPMessage *result = NULL;
549 LDAPMessage *entry = NULL;
550 pstring sid_str;
551 pstring filter;
552 pstring id_str;
553 const char *suffix;
554 const char *type;
555 int rc;
556 int count;
557 char **attr_list;
558 char *dn = NULL;
559 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
560
561 sid_to_string(sid_str, sid);
562
563 DEBUG(8,("ldap_get_id_from_sid: %s (%s)\n", sid_str,
564 (*id_type & ID_GROUPID ? "group" : "user") ));
565
566 suffix = lp_ldap_idmap_suffix();
567 pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
568 LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_SID, sid_str);
569
570 if ( *id_type & ID_GROUPID )
571 type = get_attr_key2string( sidmap_attr_list, LDAP_ATTR_GIDNUMBER );
572 else
573 type = get_attr_key2string( sidmap_attr_list, LDAP_ATTR_UIDNUMBER );
574
575 DEBUG(10,("ldap_get_id_from_sid: Searching for \"%s\"\n", filter));
576
577 /* do the search and check for errors */
578
579 attr_list = get_attr_list( sidmap_attr_list );
580 rc = smbldap_search(ldap_state.smbldap_state, suffix, LDAP_SCOPE_SUBTREE,
581 filter, attr_list, 0, &result);
582
583 if (rc != LDAP_SUCCESS) {
584 DEBUG(3,("ldap_get_id_from_sid: Failure looking up idmap entry (%s)\n",
585 ldap_err2string(rc) ));
586 goto out;
587 }
588
589 /* check for the number of entries returned */
590
591 count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
592
593 if ( count > 1 ) {
594 DEBUG(0, ("ldap_get_id_from_sid: (2nd) search %s returned [%d] entries!\n",
595 filter, count));
596 goto out;
597 }
598
599 /* try to allocate a new id if we still haven't found one */
600
601 if ( !count ) {
602 int i;
603
604 if (*id_type & ID_QUERY_ONLY) {
605 DEBUG(5,("ldap_get_id_from_sid: No matching entry found and QUERY_ONLY flag set\n"));
606 goto out;
607 }
608
609 DEBUG(8,("ldap_get_id_from_sid: Allocating new id\n"));
610
611 for (i = 0; i < LDAP_MAX_ALLOC_ID; i++) {
612 ret = ldap_allocate_id(id, *id_type);
613 if ( NT_STATUS_IS_OK(ret) )
614 break;
615 }
616
617 if ( !NT_STATUS_IS_OK(ret) ) {
618 DEBUG(0,("ldap_allocate_id: cannot acquire id lock!\n"));
619 goto out;
620 }
621
622 DEBUG(10,("ldap_get_id_from_sid: Allocated new %cid [%ul]\n",
623 (*id_type & ID_GROUPID ? 'g' : 'u'), (uint32)id->uid ));
624
625 ret = ldap_set_mapping(sid, *id, *id_type);
626
627 /* all done */
628
629 goto out;
630 }
631
632 DEBUG(10,("ldap_get_id_from_sid: success\n"));
633
634 entry = ldap_first_entry(ldap_state.smbldap_state->ldap_struct, result);
635
636 dn = smbldap_get_dn(ldap_state.smbldap_state->ldap_struct, result);
637 if (!dn)
638 goto out;
639
640 DEBUG(10, ("Found mapping entry at dn=%s, looking for %s\n", dn, type));
641
642 if ( smbldap_get_single_attribute(ldap_state.smbldap_state->ldap_struct, entry, type, id_str) ) {
643 if ( (*id_type & ID_USERID) )
644 id->uid = strtoul(id_str, NULL, 10);
645 else
646 id->gid = strtoul(id_str, NULL, 10);
647
648 ret = NT_STATUS_OK;
649 goto out;
650 }
651
652 out:
653 free_attr_list( attr_list );
654 if (result)
655 ldap_msgfree(result);
656 SAFE_FREE(dn);
657
658 return ret;
659 }
660
661 /**********************************************************************
662 Verify the sambaUnixIdPool entry in the directiry.
663 **********************************************************************/
664
665 static NTSTATUS verify_idpool( void )
666 {
667 fstring filter;
668 int rc;
669 char **attr_list;
670 LDAPMessage *result = NULL;
671 LDAPMod **mods = NULL;
672 int count;
673
674 fstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_IDPOOL );
675
676 attr_list = get_attr_list( idpool_attr_list );
677 rc = smbldap_search(ldap_state.smbldap_state, lp_ldap_idmap_suffix(),
678 LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result);
679 free_attr_list ( attr_list );
680
681 if (rc != LDAP_SUCCESS)
682 return NT_STATUS_UNSUCCESSFUL;
683
684 count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
685
686 if ( count > 1 ) {
687 DEBUG(0,("ldap_idmap_init: multiple entries returned from %s (base == %s)\n",
688 filter, lp_ldap_idmap_suffix() ));
689 return NT_STATUS_UNSUCCESSFUL;
690 }
691 else if (count == 0) {
692 uid_t luid, huid;
693 gid_t lgid, hgid;
694 fstring uid_str, gid_str;
695
696 if ( !lp_idmap_uid(&luid, &huid) || !lp_idmap_gid( &lgid, &hgid ) ) {
697 DEBUG(0,("ldap_idmap_init: idmap uid/gid parameters not specified\n"));
698 return NT_STATUS_UNSUCCESSFUL;
699 }
700
701 fstr_sprintf( uid_str, "%lu", (unsigned long)luid );
702 fstr_sprintf( gid_str, "%lu", (unsigned long)lgid );
703
704 smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDPOOL );
705 smbldap_set_mod( &mods, LDAP_MOD_ADD,
706 get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER), uid_str );
707 smbldap_set_mod( &mods, LDAP_MOD_ADD,
708 get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER), gid_str );
709
710 rc = smbldap_modify(ldap_state.smbldap_state, lp_ldap_idmap_suffix(), mods);
711 }
712
713 return ( rc==LDAP_SUCCESS ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL );
714 }
715
716 /*****************************************************************************
717 Initialise idmap database.
718 *****************************************************************************/
719
720 static NTSTATUS ldap_idmap_init( char *params )
721 {
722 NTSTATUS nt_status;
723
724 ldap_state.mem_ctx = talloc_init("idmap_ldap");
725 if (!ldap_state.mem_ctx) {
726 return NT_STATUS_NO_MEMORY;
727 }
728
729 /* assume location is the only parameter */
730 if (!NT_STATUS_IS_OK(nt_status =
731 smbldap_init(ldap_state.mem_ctx, params,
732 &ldap_state.smbldap_state))) {
733 talloc_destroy(ldap_state.mem_ctx);
734 return nt_status;
735 }
736
737 /* see if the idmap suffix and sub entries exists */
738
739 nt_status = verify_idpool();
740 if ( !NT_STATUS_IS_OK(nt_status) )
741 return nt_status;
742
743 return NT_STATUS_OK;
744 }
745
746 /*****************************************************************************
747 End the LDAP session
748 *****************************************************************************/
749
750 static NTSTATUS ldap_idmap_close(void)
751 {
752
753 smbldap_free_struct(&(ldap_state).smbldap_state);
754 talloc_destroy(ldap_state.mem_ctx);
755
756 DEBUG(5,("The connection to the LDAP server was closed\n"));
757 /* maybe free the results here --metze */
758
759 return NT_STATUS_OK;
760 }
761
762
763 /* This function doesn't make as much sense in an LDAP world since the calling
764 node doesn't really control the ID ranges */
765 static void ldap_idmap_status(void)
766 {
767 DEBUG(0, ("LDAP IDMAP Status not available\n"));
768 }
769
770 static struct idmap_methods ldap_methods = {
771 ldap_idmap_init,
772 ldap_allocate_rid,
773 ldap_allocate_id,
774 ldap_get_sid_from_id,
775 ldap_get_id_from_sid,
776 ldap_set_mapping,
777 ldap_idmap_close,
778 ldap_idmap_status
779
780 };
781
782 NTSTATUS idmap_ldap_init(void)
783 {
784 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &ldap_methods);
785 }
Samba GIT mirror