authorStephen Gallagher <sgallagh@redhat.com>2012-04-23 08:05:07 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-05-03 14:09:14 -0400
commit8be5e4497e5008f7807178acdfcbf97365ec4e73 (patch)
treeafa0e26dab895b020e7fac5e3a4f0e7979d7dcb1
parent3f2fa4c9290afdb393c760419a0ff686045a1ab3 (diff)
LDAP: Add helper function to map IDs
This function will also auto-create a new ID map if the domain has not been seen previously.
-rw-r--r--src/providers/ldap/sdap_async_groups.c48
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c21
-rw-r--r--src/providers/ldap/sdap_async_users.c63
-rw-r--r--src/providers/ldap/sdap_idmap.c62
-rw-r--r--src/providers/ldap/sdap_idmap.h6
5 files changed, 81 insertions, 119 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index eb3cb9571..54fe5a7ae 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -199,8 +199,6 @@ static int sdap_save_group(TALLOC_CTX *memctx,
bool posix_group;
bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
char *sid_str;
- char *dom_sid_str;
- enum idmap_error_code err;
tmpctx = talloc_new(memctx);
if (!tmpctx) {
@@ -241,50 +239,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
if (ret != EOK) goto fail;
/* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- } else if (err == IDMAP_NO_DOMAIN) {
- /* This is the first time we've seen this domain
- * Create a new domain for it. We'll use the dom-sid
- * as the domain name for now, since we don't have
- * any way to get the real name.
- */
- ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str,
- &dom_sid_str);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not parse domain SID from [%s]\n", sid_str));
- goto fail;
- }
-
- ret = sdap_idmap_add_domain(opts->idmap_ctx,
- dom_sid_str, dom_sid_str,
- -1);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not add new domain for sid [%s]\n", sid_str));
- goto fail;
- }
-
- /* Now try converting to a UNIX ID again */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- }
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
+ if (ret != EOK) goto fail;
/* Store the GID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index ff9905f31..0a864c7d7 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -46,7 +46,6 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
bool posix;
time_t now;
char *sid_str;
- enum idmap_error_code err;
bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
/* There are no groups in LDAP but we should add user to groups ?? */
@@ -124,10 +123,9 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
name, sid_str));
/* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str,
+ &gid);
+ if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Could not convert objectSID [%s] to a UNIX ID\n",
sid_str));
@@ -2719,7 +2717,6 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
char *sid_str;
char *dom_sid_str;
char *group_sid_str;
- enum idmap_error_code err;
struct sdap_options *opts = state->opts;
bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
@@ -2810,16 +2807,8 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
}
/* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&primary_gid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &primary_gid);
+ if (ret != EOK) goto fail;
} else {
ret = sysdb_attrs_get_uint32_t(state->orig_user, SYSDB_GIDNUM,
&primary_gid);
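Review bot: The sdap_get_initgr_done hunk changes behaviour for the primary GID: the removed code treated anything other than IDMAP_SUCCESS as a failure, while sdap_idmap_sid_to_unix now creates a new idmap domain on IDMAP_NO_DOMAIN and retries, so a previously unseen domain SID in a user's primaryGroupID path now silently gets a fresh ID range instead of failing. The same widening happens for the group SID hunk in sdap_save_user (sdap_async_users.c, the `group_sid_str` call). This is presumably intended, but it is not mentioned in the commit message, which only describes the helper; a sentence there would help anyone bisecting a later ID-allocation change. Separately, in sdap_add_incomplete_groups the DEBUG after the new call repeats the "Could not convert objectSID" text that the helper already emits on its own EIO paths, so the same failure is logged twice; either drop the call-site message or reword it to what this caller is doing, e.g. `("Skipping group [%s]: could not map its SID\n", name)`. Both enclosing functions start and end outside the hunks.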
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 11574f9e6..bc9e5551b 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -59,7 +59,6 @@ int sdap_save_user(TALLOC_CTX *memctx,
char *sid_str;
char *dom_sid_str = NULL;
char *group_sid_str;
- enum idmap_error_code err;
DEBUG(9, ("Save user\n"));
@@ -134,50 +133,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
if (ret != EOK) goto fail;
/* Convert the SID into a UNIX user ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&uid);
- if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- } else if (err == IDMAP_NO_DOMAIN) {
- /* This is the first time we've seen this domain
- * Create a new domain for it. We'll use the dom-sid
- * as the domain name for now, since we don't have
- * any way to get the real name.
- */
- ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str,
- &dom_sid_str);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not parse domain SID from [%s]\n", sid_str));
- goto fail;
- }
-
- ret = sdap_idmap_add_domain(opts->idmap_ctx,
- dom_sid_str, dom_sid_str,
- -1);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not add new domain for sid [%s]\n", sid_str));
- goto fail;
- }
-
- /* Now try converting to a UNIX ID again */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&uid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- }
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
+ if (ret != EOK) goto fail;
/* Store the UID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
@@ -197,7 +154,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
}
/* check that the uid is valid for this domain */
if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
- DEBUG(2, ("User [%s] filtered out! (id out of range)\n",
+ DEBUG(2, ("User [%s] filtered out! (uid out of range)\n",
name));
ret = EINVAL;
goto fail;
@@ -242,16 +199,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
}
/* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- group_sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- group_sid_str));
- ret = EIO;
- goto fail;
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str, &gid);
+ if (ret != EOK) goto fail;
/* Store the GID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
@@ -272,7 +221,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
/* check that the gid is valid for this domain */
if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
- DEBUG(2, ("User [%s] filtered out! (id out of range)\n",
+ DEBUG(2, ("User [%s] filtered out! (primary gid out of range)\n",
name));
ret = EINVAL;
goto fail;
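Review bot: The `char *dom_sid_str = NULL;` local declared in the first hunk of sdap_save_user loses its only visible use when the inline domain-creation block is removed; if nothing later in the function (outside these hunks) still reads it, it is now an unused variable and should be dropped along with the removed `err`. I cannot see the rest of sdap_save_user from here, so this needs checking against the full function. The two DEBUG wording changes (uid / primary gid) are an improvement, since the two range checks were previously indistinguishable in the log.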
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 96ad65b19..b41958bbe 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -366,3 +366,65 @@ sdap_idmap_get_dom_sid_from_object(TALLOC_CTX *mem_ctx,
return EOK;
}
+
+errno_t
+sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
+ const char *sid_str,
+ id_t *id)
+{
+ errno_t ret;
+ enum idmap_error_code err;
+ char *dom_sid_str = NULL;
+
+ /* Convert the SID into a UNIX ID */
+ err = sss_idmap_sid_to_unix(idmap_ctx->map,
+ sid_str,
+ (uint32_t *)id);
+ if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert objectSID [%s] to a UNIX ID\n",
+ sid_str));
+ ret = EIO;
+ goto done;
+ } else if (err == IDMAP_NO_DOMAIN) {
+ /* This is the first time we've seen this domain
+ * Create a new domain for it. We'll use the dom-sid
+ * as the domain name for now, since we don't have
+ * any way to get the real name.
+ */
+ ret = sdap_idmap_get_dom_sid_from_object(NULL, sid_str,
+ &dom_sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not parse domain SID from [%s]\n", sid_str));
+ goto done;
+ }
+
+ ret = sdap_idmap_add_domain(idmap_ctx,
+ dom_sid_str, dom_sid_str,
+ -1);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not add new domain for sid [%s]\n", sid_str));
+ goto done;
+ }
+
+ /* Now try converting to a UNIX ID again */
+ err = sss_idmap_sid_to_unix(idmap_ctx->map,
+ sid_str,
+ (uint32_t *)id);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert objectSID [%s] to a UNIX ID\n",
+ sid_str));
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(dom_sid_str);
+ return ret;
+}
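Review bot: Both `sss_idmap_sid_to_unix` calls in the new helper write through `(uint32_t *)id` into an object declared `id_t`, which is only well-defined if `id_t` is exactly 32 bits wide with the same representation; that holds on glibc today but the cast hides the assumption and is an aliasing hazard the compiler is free to exploit. Converting into a local `uint32_t` and assigning `*id` once on success removes the cast and also leaves `*id` untouched on every failure path, which callers like sdap_save_group (they `goto fail` straight after) currently get only by accident. Every non-success code other than IDMAP_NO_DOMAIN collapses to EIO here; if libsss_idmap distinguishes a malformed SID from an exhausted range, callers cannot tell the two apart, which is worth a comment at least. A short Doxygen comment above the definition stating that the function creates a new idmap domain, named after the domain SID and with an automatically chosen range, the first time an unknown domain is seen would make that side effect visible to future callers.
```c
errno_t
sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
                       const char *sid_str,
                       id_t *id)
{
    errno_t ret;
    enum idmap_error_code err;
    char *dom_sid_str = NULL;
    uint32_t unix_id = 0;

    /* Convert the SID into a UNIX ID */
    err = sss_idmap_sid_to_unix(idmap_ctx->map, sid_str, &unix_id);
    /* … unchanged: error check, IDMAP_NO_DOMAIN domain creation … */
        /* Now try converting to a UNIX ID again */
        err = sss_idmap_sid_to_unix(idmap_ctx->map, sid_str, &unix_id);
        /* … unchanged: error check … */
    }

    /* Only publish the result once both steps have succeeded */
    *id = unix_id;
    ret = EOK;

done:
    talloc_free(dom_sid_str);
    return ret;
}
```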
diff --git a/src/providers/ldap/sdap_idmap.h b/src/providers/ldap/sdap_idmap.h
index ee71da285..99f2ad9e1 100644
--- a/src/providers/ldap/sdap_idmap.h
+++ b/src/providers/ldap/sdap_idmap.h
@@ -54,4 +54,10 @@ errno_t
sdap_idmap_get_dom_sid_from_object(TALLOC_CTX *mem_ctx,
const char *object_sid,
char **dom_sid_str);
+
+errno_t
+sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
+ const char *sid_str,
+ id_t *id);
+
#endif /* SDAP_IDMAP_H_ */
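Review bot: The new prototype for sdap_idmap_sid_to_unix is added without a documentation comment, and the neighbouring declaration gives no hint that this one has a side effect. A `/** ... */` block above it should state that the function maps an object SID to a UNIX ID via the idmap context, that on the first sight of an unknown domain it registers a new idmap domain named after the domain SID with an automatically assigned range (with the same caveat the implementation carries, that the real domain name is not known at that point), that `*id` is written only on success, and that it returns EOK, EIO when libsss_idmap rejects the SID, or the errno propagated from sdap_idmap_get_dom_sid_from_object / sdap_idmap_add_domain. Naming the domain-creation side effect in the header matters because callers on read-only lookup paths may not expect a lookup to allocate an ID range.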