From 8be5e4497e5008f7807178acdfcbf97365ec4e73 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 23 Apr 2012 08:05:07 -0400
Subject: LDAP: Add helper function to map IDs

This function will also auto-create a new ID map if the domain has not been seen previously.
---
 src/providers/ldap/sdap_async_groups.c | 48 +----------------------
 src/providers/ldap/sdap_async_initgroups.c | 21 +++-------
 src/providers/ldap/sdap_async_users.c | 63 +++---------------------------
 src/providers/ldap/sdap_idmap.c | 62 +++++++++++++++++++++++++++++
 src/providers/ldap/sdap_idmap.h | 6 +++
 5 files changed, 81 insertions(+), 119 deletions(-)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index eb3cb9571..54fe5a7ae 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -199,8 +199,6 @@ static int sdap_save_group(TALLOC_CTX *memctx,
 bool posix_group;
 bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
 char *sid_str;
- char *dom_sid_str;
- enum idmap_error_code err;
 
 tmpctx = talloc_new(memctx);
 if (!tmpctx) {
@@ -241,50 +239,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
 if (ret != EOK) goto fail;
 
 /* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- } else if (err == IDMAP_NO_DOMAIN) {
- /* This is the first time we've seen this domain
- * Create a new domain for it. We'll use the dom-sid
- * as the domain name for now, since we don't have
- * any way to get the real name.
- */
- ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str,
- &dom_sid_str);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not parse domain SID from [%s]\n", sid_str));
- goto fail;
- }
-
- ret = sdap_idmap_add_domain(opts->idmap_ctx,
- dom_sid_str, dom_sid_str,
- -1);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not add new domain for sid [%s]\n", sid_str));
- goto fail;
- }
-
- /* Now try converting to a UNIX ID again */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- }
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
+ if (ret != EOK) goto fail;
 
 /* Store the GID in the ldap_attrs so it doesn't get
 * treated as a missing attribute from LDAP and removed.
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index ff9905f31..0a864c7d7 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -46,7 +46,6 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
 bool posix;
 time_t now;
 char *sid_str;
- enum idmap_error_code err;
 bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
 
 /* There are no groups in LDAP but we should add user to groups ?? */
@@ -124,10 +123,9 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
 name, sid_str));
 
 /* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str,
+ &gid);
+ if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE,
 ("Could not convert objectSID [%s] to a UNIX ID\n",
 sid_str));
@@ -2719,7 +2717,6 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
 char *sid_str;
 char *dom_sid_str;
 char *group_sid_str;
- enum idmap_error_code err;
 struct sdap_options *opts = state->opts;
 bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
@@ -2810,16 +2807,8 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
 }
 
 /* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&primary_gid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &primary_gid);
+ if (ret != EOK) goto fail;
 } else {
 ret = sysdb_attrs_get_uint32_t(state->orig_user, SYSDB_GIDNUM,
 &primary_gid);
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 11574f9e6..bc9e5551b 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -59,7 +59,6 @@ int sdap_save_user(TALLOC_CTX *memctx,
 char *sid_str;
 char *dom_sid_str = NULL;
 char *group_sid_str;
- enum idmap_error_code err;
 
 DEBUG(9, ("Save user\n"));
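Review bot: In the sdap_add_incomplete_groups hunk at -124, the caller still emits "Could not convert objectSID [%s] to a UNIX ID" when `sdap_idmap_sid_to_unix()` returns non-EOK, but the helper already logs that exact message (or the more specific domain-parse/domain-add one) before returning, so every failure is now reported twice; the other three call sites in this patch just `goto fail`. Either drop the caller's DEBUG, or keep it only where it adds context the helper does not have, for example `("Could not map group [%s] to a GID\n", name)` since `name` appears to be in scope from the first context line. The remainder of that if-body, including how `ret` is handled afterwards, is outside the hunk.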
@@ -134,50 +133,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
 if (ret != EOK) goto fail;
 
 /* Convert the SID into a UNIX user ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&uid);
- if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- } else if (err == IDMAP_NO_DOMAIN) {
- /* This is the first time we've seen this domain
- * Create a new domain for it. We'll use the dom-sid
- * as the domain name for now, since we don't have
- * any way to get the real name.
- */
- ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str,
- &dom_sid_str);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not parse domain SID from [%s]\n", sid_str));
- goto fail;
- }
-
- ret = sdap_idmap_add_domain(opts->idmap_ctx,
- dom_sid_str, dom_sid_str,
- -1);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not add new domain for sid [%s]\n", sid_str));
- goto fail;
- }
-
- /* Now try converting to a UNIX ID again */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- sid_str,
- (uint32_t *)&uid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto fail;
- }
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
+ if (ret != EOK) goto fail;
 
 /* Store the UID in the ldap_attrs so it doesn't get
 * treated as a missing attribute from LDAP and removed.
@@ -197,7 +154,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
 }
 /* check that the uid is valid for this domain */
 if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
- DEBUG(2, ("User [%s] filtered out! (id out of range)\n",
+ DEBUG(2, ("User [%s] filtered out! (uid out of range)\n",
 name));
 ret = EINVAL;
 goto fail;
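Review bot: The reworded range-check messages, here in the -197 hunk and again in the -272 hunk of the same file, keep the numeric `DEBUG(2, ...)` level while every other DEBUG touched by this patch uses the symbolic SSSDBG_* levels. Since these lines are being rewritten anyway, switching them to the symbolic form keeps the file consistent; if the debug.h mapping is as I recall, level 2 is `SSSDBG_OP_FAILURE`, giving `DEBUG(SSSDBG_OP_FAILURE, ("User [%s] filtered out! (uid out of range)\n",`. Distinguishing "uid" from "primary gid" in the two messages is a good change on its own, as the two checks were previously indistinguishable in logs.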
@@ -242,16 +199,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
 }
 
 /* Convert the SID into a UNIX group ID */
- err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
- group_sid_str,
- (uint32_t *)&gid);
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- group_sid_str));
- ret = EIO;
- goto fail;
- }
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str, &gid);
+ if (ret != EOK) goto fail;
 
 /* Store the GID in the ldap_attrs so it doesn't get
 * treated as a missing attribute from LDAP and removed.
@@ -272,7 +221,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
 
 /* check that the gid is valid for this domain */
 if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
- DEBUG(2, ("User [%s] filtered out! (id out of range)\n",
+ DEBUG(2, ("User [%s] filtered out! (primary gid out of range)\n",
 name));
 ret = EINVAL;
 goto fail;
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 96ad65b19..b41958bbe 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -366,3 +366,65 @@ sdap_idmap_get_dom_sid_from_object(TALLOC_CTX *mem_ctx,
 return EOK;
 }
 
+
+errno_t
+sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
+ const char *sid_str,
+ id_t *id)
+{
+ errno_t ret;
+ enum idmap_error_code err;
+ char *dom_sid_str = NULL;
+
+ /* Convert the SID into a UNIX ID */
+ err = sss_idmap_sid_to_unix(idmap_ctx->map,
+ sid_str,
+ (uint32_t *)id);
+ if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert objectSID [%s] to a UNIX ID\n",
+ sid_str));
+ ret = EIO;
+ goto done;
+ } else if (err == IDMAP_NO_DOMAIN) {
+ /* This is the first time we've seen this domain
+ * Create a new domain for it. We'll use the dom-sid
+ * as the domain name for now, since we don't have
+ * any way to get the real name.
+ */
+ ret = sdap_idmap_get_dom_sid_from_object(NULL, sid_str,
+ &dom_sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not parse domain SID from [%s]\n", sid_str));
+ goto done;
+ }
+
+ ret = sdap_idmap_add_domain(idmap_ctx,
+ dom_sid_str, dom_sid_str,
+ -1);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not add new domain for sid [%s]\n", sid_str));
+ goto done;
+ }
+
+ /* Now try converting to a UNIX ID again */
+ err = sss_idmap_sid_to_unix(idmap_ctx->map,
+ sid_str,
+ (uint32_t *)id);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert objectSID [%s] to a UNIX ID\n",
+ sid_str));
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(dom_sid_str);
+ return ret;
+}
diff --git a/src/providers/ldap/sdap_idmap.h b/src/providers/ldap/sdap_idmap.h
index ee71da285..99f2ad9e1 100644
--- a/src/providers/ldap/sdap_idmap.h
+++ b/src/providers/ldap/sdap_idmap.h
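Review bot: Both `sss_idmap_sid_to_unix` calls in the new `sdap_idmap_sid_to_unix` write through `(uint32_t *)id`, which bakes in the assumption that `id_t` has exactly 32 bits and that the `uid_t *`/`gid_t *` the callers in this patch pass are compatible with `id_t *`; that holds on glibc, but the cast hides it, and on a platform where `id_t` had a different width the library would under- or over-write the caller's variable. The assumption is cheap to remove: map into a local `uint32_t mapped_id;`, pass `&mapped_id` to both calls, and assign `*id = mapped_id;` immediately before `ret = EOK;`, which also guarantees `*id` is only ever written on the success path. The IDMAP_NO_DOMAIN branch allocates `dom_sid_str` on a NULL talloc context and releases it at `done:`, which is correct since talloc_free(NULL) is a no-op, but a short comment on that line such as `/* owned here only; freed at done */` would save the next reader a check.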
@@ -54,4 +54,10 @@ errno_t sdap_idmap_get_dom_sid_from_object(TALLOC_CTX *mem_ctx,
 const char *object_sid,
 char **dom_sid_str);
+
+errno_t
+sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
+ const char *sid_str,
+ id_t *id);
+
 #endif /* SDAP_IDMAP_H_ */
--
cgit
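Review bot: The new `sdap_idmap_sid_to_unix` prototype carries no comment, and its most important property is a side effect that is invisible from the signature: when the SID belongs to a domain the ID map has not seen, the implementation registers a new ID-mapping domain keyed by that domain SID before retrying the lookup, so a plain "map this SID" call can mutate `idmap_ctx`. I would add a short block comment above it stating that behaviour, that `*id` is only valid when EOK is returned, and that EIO is returned when the mapping library cannot convert the SID (with the underlying error already logged). The four callers in this patch rely on exactly those three facts, so documenting them here keeps the contract in one place.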