1 /*
2 * CDDL HEADER START
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
19 * CDDL HEADER END
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
26 #include <sys/param.h>
27 #include <grp.h>
28 #include "ldap_common.h"
29 #include <string.h>
31 /* String which may need to be removed from beginning of group password */
32 #define _CRYPT "{CRYPT}"
33 #define _NO_PASSWD_VAL ""
35 /* Group attributes filters */
36 #define _G_NAME "cn"
37 #define _G_GID "gidnumber"
38 #define _G_PASSWD "userpassword"
39 #define _G_MEM "memberuid"
41 #define _F_GETGRNAM "(&(objectClass=posixGroup)(cn=%s))"
42 #define _F_GETGRNAM_SSD "(&(%%s)(cn=%s))"
43 #define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))"
44 #define _F_GETGRGID_SSD "(&(%%s)(gidNumber=%u))"
46 * Group membership can be defined by either username or DN, so when searching
47 * for groups by member we need to consider both. The first parameter in the
48 * filter is replaced by username, the second by DN.
50 #define _F_GETGRMEM \
51 "(&(objectClass=posixGroup)(|(memberUid=%s)(memberUid=%s)))"
52 #define _F_GETGRMEM_SSD "(&(%%s)(|(memberUid=%s)(memberUid=%s)))"
55 * Copied from getpwnam.c, needed to look up user DN.
56 * Would it be better to move to ldap_common.h rather than duplicate?
58 #define _F_GETPWNAM "(&(objectClass=posixAccount)(uid=%s))"
59 #define _F_GETPWNAM_SSD "(&(%%s)(uid=%s))"
/*
 * Attributes requested for every group search.  _nss_ldap_group2str()
 * reads each of them back from the returned entry, so the list must stay
 * in step with the _G_* macros above.  NULL-terminated.
 */
static const char *gr_attrs[] = {
	_G_NAME,	/* cn */
	_G_GID,		/* gidnumber */
	_G_PASSWD,	/* userpassword */
	_G_MEM,		/* memberuid */
	NULL
};
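/*
 * _nss_ldap_group2str is the data marshaling method for the group getXbyY
 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
 * is called after a successful ldap search has been performed. This method
 * will parse the ldap search values into the file format.
 * e.g.
 *
 * adm::4:root,adm,daemon
 *
 * be->result holds the entry to marshal and is always released before
 * returning.  The line is written to argp->buf.buffer, or to a freshly
 * calloc()ed be->buffer when argp->buf.result is set (be->buflen is then
 * set to the line length; the caller owns be->buffer).
 *
 * Returns NSS_STR_PARSE_SUCCESS; NSS_STR_PARSE_PARSE when there is no
 * result, no usable cn or gidNumber, or a member value that cannot be
 * reduced to a name.  TEST_AND_ADJUST() sets nss_result itself (presumably
 * NSS_STR_PARSE_ERANGE) and jumps to result_grp2str when the line does not
 * fit in the buffer.
 */
static int
_nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
{
	int i;
	int nss_result;
	int buflen = 0, len;
	int firstime = 1;
	char *buffer = NULL;
	ns_ldap_result_t *result = be->result;
	char **gname, **passwd, **gid, *password, *end;
	unsigned long gidval;
	char gid_nobody[NOBODY_STR_LEN];
	char *gid_nobody_v[1];
	char *member_str, *comma;
	ns_ldap_attr_t *members;

	(void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY);
	gid_nobody_v[0] = gid_nobody;

	if (result == NULL)
		return (NSS_STR_PARSE_PARSE);
	buflen = argp->buf.buflen;

	if (argp->buf.result != NULL) {
		if ((be->buffer = calloc(1, buflen)) == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		buffer = be->buffer;
	} else {
		buffer = argp->buf.buffer;
	}

	nss_result = NSS_STR_PARSE_SUCCESS;
	(void) memset(buffer, 0, buflen);

	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
	if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}

	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
	if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
		/* group password could be NULL, replace it with "" */
		password = _NO_PASSWD_VAL;
	} else {
		/*
		 * Preen "{crypt}" if necessary.
		 * If the password does not include the {crypt} prefix
		 * then the password may be plain text, or may carry some
		 * other scheme tag (e.g. "{SSHA}...").  Either way it is
		 * copied verbatim into the gr_passwd field of a line any
		 * local process can read through getgrnam(3C); a value
		 * that is not a crypt(3c) hash is therefore both exposed
		 * as-is and unusable by consumers that expect crypt output.
		 * Perhaps crypt(3c) should be used to encrypt plain text;
		 * currently nothing is done about it here.
		 */
		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
			password = passwd[0] + strlen(_CRYPT);
		else
			password = passwd[0];
	}

	gid = __ns_ldap_getAttr(result->entry, _G_GID);
	if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	/*
	 * Validate GID.  The value must be entirely numeric -- strtoul()
	 * has to consume the whole string -- since the string itself is what
	 * gets emitted and the front end could not parse "12abc" either.
	 * Anything above MAXUID, including values that overflow strtoul()
	 * (which returns ULONG_MAX), is replaced by GID_NOBODY rather than
	 * being truncated into some other gid.
	 */
	gidval = strtoul(gid[0], &end, 10);
	if (end == gid[0] || *end != '\0') {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	if (gidval > MAXUID)
		gid = gid_nobody_v;

	len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]);
	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);

	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
	if (members == NULL || members->attrvalue == NULL) {
		/* no member is fine, skip processing the member list */
		goto nomember;
	}

	for (i = 0; i < members->value_count; i++) {
		if (members->attrvalue[i] == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		/*
		 * If we find an '=' in the member attribute value, treat it as
		 * a DN ("uid=name,ou=...") and use the value of its first RDN,
		 * otherwise the whole value is the username.  A plain username
		 * that itself contains '=' is consequently misread; that is a
		 * limitation of the memberUid convention used here.
		 */
		if ((member_str = strchr(members->attrvalue[i], '=')) != NULL) {
			member_str++; /* skip over the '=' */
			/*
			 * Cut the RDN value at its first ',' in place (the
			 * value belongs to be->result, freed below).  Fail if
			 * that leaves nothing: "uid=" or "uid=,ou=..." carry no
			 * username.  A strtok_r() here would instead skip the
			 * leading ',' and hand back the next RDN ("ou=...") as
			 * the member name.
			 */
			if ((comma = strchr(member_str, ',')) != NULL)
				*comma = '\0';
			if (*member_str == '\0') {
				nss_result = NSS_STR_PARSE_PARSE;
				goto result_grp2str;
			}
		} else {
			member_str = members->attrvalue[i];
		}
		if (*member_str != '\0') {
			/* members are comma separated; no comma before the first */
			len = snprintf(buffer, buflen, "%s%s",
			    firstime ? "" : ",", member_str);
			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
			firstime = 0;
		}
	}

nomember:
	/* The front end marshaller doesn't need the trailing nulls */
	if (argp->buf.result != NULL)
		be->buflen = strlen(be->buffer);
result_grp2str:
	(void) __ns_ldap_freeResult(&be->result);
	return (nss_result);
}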
/*
 * getbynam gets a group entry by name.  The caller-supplied name is first
 * run through _ldap_filter_name() (ldap_common.c), which is expected to
 * reject or escape LDAP filter metacharacters so the name cannot change
 * the shape of the filter; on failure the lookup is answered NSS_NOTFOUND.
 * The filtered name is then substituted into _F_GETGRNAM and into the SSD
 * variant _F_GETGRNAM_SSD, and the search is handed to _nss_ldap_lookup(),
 * which marshals the matching entry through the backend's marshaller
 * (_nss_ldap_group2str, registered in _nss_ldap_group_constr).
 * Either filter not fitting in SEARCHFILTERLEN also yields NSS_NOTFOUND.
 */
static nss_status_t
getbynam(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
	char filter[SEARCHFILTERLEN];
	char ssd_filter[SEARCHFILTERLEN];
	char escaped[SEARCHFILTERLEN];
	int n;

	if (_ldap_filter_name(escaped, argp->key.name, sizeof (escaped)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(filter, sizeof (filter), _F_GETGRNAM, escaped);
	if (n < 0 || (size_t)n >= sizeof (filter))
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(ssd_filter, sizeof (ssd_filter), _F_GETGRNAM_SSD, escaped);
	if (n < 0 || (size_t)n >= sizeof (ssd_filter))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP, filter, NULL,
	    _merge_SSD_filter, ssd_filter));
}
/*
 * getbygid gets a group entry by number.  argp->key.uid carries the gid;
 * anything above MAXUID is refused up front with NSS_NOTFOUND so an
 * out-of-range id never reaches the directory.  Being numeric, the key
 * needs no filter escaping; it is substituted into _F_GETGRGID and the SSD
 * variant _F_GETGRGID_SSD, and the search is handed to _nss_ldap_lookup(),
 * which marshals the matching entry through the backend's marshaller
 * (_nss_ldap_group2str, registered in _nss_ldap_group_constr).
 * Either filter not fitting in SEARCHFILTERLEN also yields NSS_NOTFOUND.
 */
static nss_status_t
getbygid(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
	char filter[SEARCHFILTERLEN];
	char ssd_filter[SEARCHFILTERLEN];
	int n;

	if (argp->key.uid > MAXUID)
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(filter, sizeof (filter), _F_GETGRGID, argp->key.uid);
	if (n < 0 || (size_t)n >= sizeof (filter))
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(ssd_filter, sizeof (ssd_filter), _F_GETGRGID_SSD,
	    argp->key.uid);
	if (n < 0 || (size_t)n >= sizeof (ssd_filter))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP, filter, NULL,
	    _merge_SSD_filter, ssd_filter));
}
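/*
 * getbymember returns all groups a user is defined in.  Unlike the other
 * group operations it is a private interface and does not go through the
 * _nss_ldap_group2str() marshaller: it runs two searches itself with
 * _nss_ldap_nocb_lookup() -- first for the user's DN, then for every
 * posixGroup whose memberUid is either the username or that DN -- and walks
 * the raw result entries, appending each matching group's gid to
 * argp->gid_array.
 *
 * Arguments (struct nss_groupsbymem):
 *	(const char *)argp->username; (size_t)strlen(argp->username);
 *	(gid_t)argp->gid_array; (int)argp->maxgids;
 *	(int)argp->numgids;
 *
 * A gid is appended only when it is not already present and there is room.
 * An entry whose gidNumber attribute is missing, not entirely numeric, or
 * above MAXUID is ignored rather than contributing a bogus gid.  Returns
 * NSS_SUCCESS only when gid_array is full (see <nss_dbdefs.h>), NSS_NOTFOUND
 * when nothing was added or the array still has room, and the lookup status
 * when a search fails.
 */
static nss_status_t
getbymember(ldap_backend_ptr be, void *a)
{
	int i, j, k;
	int gcnt = (int)0;
	char **groupvalue, **membervalue, *member_str, *comma, *end;
	unsigned long gidval;
	nss_status_t lstat;
	struct nss_groupsbymem *argp = (struct nss_groupsbymem *)a;
	char searchfilter[SEARCHFILTERLEN];
	char userdata[SEARCHFILTERLEN];
	char name[SEARCHFILTERLEN];
	ns_ldap_result_t *result;
	ns_ldap_entry_t *curEntry;
	char *username, **dn_attr, *dn;
	gid_t gid;
	int ret;

	/*
	 * An empty name cannot match anything, and root's group list is
	 * deliberately never taken from the directory.
	 */
	if (strcmp(argp->username, "") == 0 ||
	    strcmp(argp->username, "root") == 0)
		return ((nss_status_t)NSS_NOTFOUND);

	/* filter-escape the caller-supplied name before it enters a filter */
	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETPWNAM, name);
	if (ret < 0 || (size_t)ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata), _F_GETPWNAM_SSD, name);
	if (ret < 0 || (size_t)ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	/*
	 * Look up the user DN in ldap. If it's not found, search solely by
	 * username.
	 */
	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
	    _PASSWD, searchfilter, NULL, _merge_SSD_filter, userdata);
	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
		return ((nss_status_t)lstat);

	/*
	 * A "dn" attribute with no value would otherwise be passed to
	 * snprintf() as a NULL string; fall back to the name in that case
	 * too.
	 *
	 * NOTE(review): the DN comes back from the directory and is not run
	 * through _ldap_filter_name(); filter metacharacters in it would
	 * change the meaning of the memberUid filter built below.  It is
	 * server-supplied rather than caller-supplied, so it is used as-is
	 * here.
	 */
	if (be->result == NULL ||
	    (dn_attr = __ns_ldap_getAttr(be->result->entry, "dn")) == NULL ||
	    dn_attr[0] == NULL)
		dn = name;
	else
		dn = dn_attr[0];

	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name,
	    dn);
	if (ret < 0 || (size_t)ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name,
	    dn);
	if (ret < 0 || (size_t)ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	/*
	 * Free up resources from user DN search before performing group
	 * search.  (dn is not used past this point.)
	 */
	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);

	gcnt = (int)argp->numgids;
	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata);
	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
		return ((nss_status_t)lstat);
	if (be->result == NULL)
		return (NSS_NOTFOUND);

	username = (char *)argp->username;
	result = (ns_ldap_result_t *)be->result;
	curEntry = (ns_ldap_entry_t *)result->entry;
	for (i = 0; i < result->entries_count; i++) {
		membervalue = __ns_ldap_getAttr(curEntry, "memberUid");
		for (j = 0; membervalue != NULL && membervalue[j] != NULL;
		    j++) {
			/*
			 * If we find an '=' in the member attribute value,
			 * treat it as a DN and compare the value of its first
			 * RDN; otherwise compare the whole value.  The cut at
			 * the first ',' is made in place -- the value belongs
			 * to be->result, which is freed below.  An empty RDN
			 * value ("uid=,ou=...") simply never matches, whereas
			 * strtok_r() would skip the ',' and compare the next
			 * RDN instead.
			 */
			if ((member_str = strchr(membervalue[j], '=')) != NULL) {
				member_str++; /* skip over the '=' */
				if ((comma = strchr(member_str, ',')) != NULL)
					*comma = '\0';
			} else {
				member_str = membervalue[j];
			}
			if (strcmp(member_str, username) != 0)
				continue;

			/*
			 * This entry lists the user.  At most one gid is
			 * recorded per entry, so its remaining members are
			 * not examined whichever way the checks below go.
			 */
			groupvalue = __ns_ldap_getAttr(curEntry, "gidnumber");
			if (groupvalue == NULL || groupvalue[0] == NULL)
				break;	/* no gidNumber: unusable entry */
			gidval = strtoul(groupvalue[0], &end, 10);
			if (end == groupvalue[0] || *end != '\0' ||
			    gidval > MAXUID)
				break;	/* malformed or out-of-range gid */
			gid = (gid_t)gidval;
			if (argp->numgids < argp->maxgids) {
				for (k = 0; k < argp->numgids; k++) {
					if (argp->gid_array[k] == gid)
						break;	/* already exists */
				}
				if (k == argp->numgids)
					argp->gid_array[argp->numgids++] = gid;
			}
			break;
		}
		curEntry = curEntry->next;
	}

	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
	if (gcnt == argp->numgids)
		return ((nss_status_t)NSS_NOTFOUND);

	/*
	 * Return NSS_SUCCESS only if array is full.
	 * Explained in <nss_dbdefs.h>.
	 */
	return ((nss_status_t)((argp->numgids == argp->maxgids)
	    ? NSS_SUCCESS
	    : NSS_NOTFOUND));
}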
/*
 * Backend operation table.  The position of each entry is the operation
 * number the NSS front end dispatches through, so the order is the
 * interface and must not change: the four generic ldap operations first,
 * then the group-specific byname / bygid / bymember lookups.
 */
static ldap_backend_op_t gr_ops[] = {
	_nss_ldap_destr,	/* destructor */
	_nss_ldap_endent,	/* endgrent */
	_nss_ldap_setent,	/* setgrent */
	_nss_ldap_getent,	/* getgrent */
	getbynam,		/* getgrnam */
	getbygid,		/* getgrgid */
	getbymember		/* groups-by-member (private interface) */
};
/*
 * Constructor entry point for the "group" database of the ldap backend.
 * The three string arguments are part of the nsswitch constructor
 * signature and are not used here.  Hands the operation table, its size,
 * the attribute list and the _nss_ldap_group2str marshaller to the common
 * _nss_ldap_constr().
 */
/*ARGSUSED0*/
nss_backend_t *
_nss_ldap_group_constr(const char *dummy1, const char *dummy2,
    const char *dummy3)
{
	size_t nops = sizeof (gr_ops) / sizeof (gr_ops[0]);

	return ((nss_backend_t *)_nss_ldap_constr(gr_ops, nops, _GROUP,
	    gr_attrs, _nss_ldap_group2str));
}