diff options
author | Gerald Carter <jerry@samba.org> | 2003-06-03 18:19:59 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-06-03 18:19:59 +0000 |
commit | 9a4b030e2cca0d12281444b284c17cc534357e4b (patch) | |
tree | e33911f4b75e176ba0a6e92a4f5fd716db61343e /source3/sam/idmap_ldap.c | |
parent | e1e363e4e90237c638e5adea3bb3493a35a61268 (diff) | |
download | samba-9a4b030e2cca0d12281444b284c17cc534357e4b.tar.gz samba-9a4b030e2cca0d12281444b284c17cc534357e4b.tar.xz samba-9a4b030e2cca0d12281444b284c17cc534357e4b.zip |
initial version of idmap_ldap.c; lots of updates to come
(This used to be commit 69c84ad06b759da2246b3c00155a43e90f45a7f6)
Diffstat (limited to 'source3/sam/idmap_ldap.c')
-rw-r--r-- | source3/sam/idmap_ldap.c | 838 |
1 files changed, 838 insertions, 0 deletions
diff --git a/source3/sam/idmap_ldap.c b/source3/sam/idmap_ldap.c new file mode 100644 index 0000000000..33cf5fb030 --- /dev/null +++ b/source3/sam/idmap_ldap.c @@ -0,0 +1,838 @@ +/* + Unix SMB/CIFS implementation. + + idmap LDAP backend + + Copyright (C) Tim Potter 2000 + Copyright (C) Anthony Liguori 2003 + Copyright (C) Simo Sorce 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_IDMAP + + +#include <lber.h> +#include <ldap.h> + +struct ldap_idmap_state { + LDAP *ldap_struct; + time_t last_ping; + const char *uri; + char *bind_dn; + char *bind_secret; + unsigned int num_failures; + struct ldap_idmap_state *prev, *next; +}; + +#define LDAP_IDMAP_DONT_PING_TIME 10 /* ping only all 10 seconds */ +#define LDAP_MAX_ALLOC_ID 128 /* number tries while allocating + new id */ + +static struct ldap_idmap_state ldap_state; + +static int ldap_idmap_connect_system(struct ldap_idmap_state *state); +static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type); +static NTSTATUS ldap_idmap_close(void); + + +/******************************************************************* + find the ldap password +******************************************************************/ +static BOOL fetch_ldapsam_pw(char **dn, char** pw) +{ + char *key = NULL; + size_t size; + + *dn = smb_xstrdup(lp_ldap_admin_dn()); + + if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) { + SAFE_FREE(*dn); + DEBUG(0, ("fetch_ldapsam_pw: asprintf failed!\n")); + } + + *pw=secrets_fetch(key, &size); + SAFE_FREE(key); + + if (!size) { + /* Upgrade 2.2 style entry */ + char *p; + char* old_style_key = strdup(*dn); + char *data; + fstring old_style_pw; + + if (!old_style_key) { + DEBUG(0, ("fetch_ldapsam_pw: strdup failed!\n")); + return False; + } + + for (p=old_style_key; *p; p++) + if (*p == ',') *p = '/'; + + data=secrets_fetch(old_style_key, &size); + if (!size && size < sizeof(old_style_pw)) { + DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n")); + SAFE_FREE(old_style_key); + SAFE_FREE(*dn); + return False; + } + + strncpy(old_style_pw, data, size); + old_style_pw[size] = 0; + + SAFE_FREE(data); + + if (!secrets_store_ldap_pw(*dn, old_style_pw)) { + DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n")); + SAFE_FREE(old_style_key); + SAFE_FREE(*dn); + return False; + } + if (!secrets_delete(old_style_key)) { + DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n")); + } + + SAFE_FREE(old_style_key); + + *pw = smb_xstrdup(old_style_pw); + } + + return True; +} + +/******************************************************************* + open a connection to the ldap server. +******************************************************************/ +static int ldap_idmap_open_connection(struct ldap_idmap_state *state) +{ + int rc = LDAP_SUCCESS; + int version; + BOOL ldap_v3 = False; + +#ifdef HAVE_LDAP_INITIALIZE + DEBUG(10, ("ldap_idmap_open_connection: %s\n", state->uri)); + + if ((rc = ldap_initialize(&state->ldap_struct, state->uri)) + != LDAP_SUCCESS) { + DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc))); + return rc; + } +#else + /* Parse the string manually */ + { + int port = 0; + fstring protocol; + fstring host; + const char *p = state->uri; + SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254); + + /* skip leading "URL:" (if any) */ + if ( strncasecmp( p, "URL:", 4 ) == 0 ) { + p += 4; + } + + sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port); + + if (port == 0) { + if (strequal(protocol, "ldap")) { + port = LDAP_PORT; + } else if (strequal(protocol, "ldaps")) { + port = LDAPS_PORT; + } else { + DEBUG(0, ("unrecognised protocol (%s)!\n", + protocol)); + } + } + + if ((state->ldap_struct = ldap_init(host, port)) == NULL) { + DEBUG(0, ("ldap_init failed !\n")); + return LDAP_OPERATIONS_ERROR; + } + + if (strequal(protocol, "ldaps")) { +#ifdef LDAP_OPT_X_TLS + int tls = LDAP_OPT_X_TLS_HARD; + if (ldap_set_option (state->ldap_struct, + LDAP_OPT_X_TLS, &tls) != + LDAP_SUCCESS) + { + DEBUG(0, ("Failed to setup a TLS session\n")); + } + + DEBUG(3,("LDAPS option set...!\n")); +#else + DEBUG(0,("ldap_idmap_open_connection: Secure " + "connection not supported by LDAP client " + "libraries!\n")); + return LDAP_OPERATIONS_ERROR; +#endif + } + } +#endif + + if (ldap_get_option(state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, + &version) == LDAP_OPT_SUCCESS) { + if (version != LDAP_VERSION3) { + version = LDAP_VERSION3; + if (ldap_set_option(state->ldap_struct, + LDAP_OPT_PROTOCOL_VERSION, + &version) == LDAP_OPT_SUCCESS) { + ldap_v3 = True; + } + } else { + ldap_v3 = True; + } + } + + if (lp_ldap_ssl() == LDAP_SSL_START_TLS) { +#ifdef LDAP_OPT_X_TLS + if (ldap_v3) { + if ((rc = ldap_start_tls_s(state->ldap_struct, NULL, + NULL)) != LDAP_SUCCESS) { + DEBUG(0,("Failed to issue the StartTLS " + "instruction: %s\n", + ldap_err2string(rc))); + return rc; + } + DEBUG (3, ("StartTLS issued: using a TLS " + "connection\n")); + } else { + + DEBUG(0, ("Need LDAPv3 for Start TLS\n")); + return LDAP_OPERATIONS_ERROR; + } +#else + DEBUG(0,("ldap_idmap_open_connection: StartTLS not supported by " + "LDAP client libraries!\n")); + return LDAP_OPERATIONS_ERROR; +#endif + } + + DEBUG(2, ("ldap_idmap_open_connection: connection opened\n")); + return rc; +} + +/********************************************************************** +Connect to LDAP server +*********************************************************************/ +static int ldap_idmap_open(struct ldap_idmap_state *state) +{ + int rc; + SMB_ASSERT(state); + +#ifndef NO_LDAP_SECURITY + if (geteuid() != 0) { + DEBUG(0, + ("ldap_idmap_open: cannot access LDAP when not root\n")); + return LDAP_INSUFFICIENT_ACCESS; + } +#endif + + if ((state->ldap_struct != NULL) && + ((state->last_ping + LDAP_IDMAP_DONT_PING_TIME)<time(NULL))) { + struct sockaddr_un addr; + socklen_t len = sizeof(addr); + int sd; + + if (!ldap_get_option(state->ldap_struct, LDAP_OPT_DESC, &sd)&& + getpeername(sd, (struct sockaddr *) &addr, &len) < 0) { + /* the other end has died. reopen. */ + ldap_unbind_ext(state->ldap_struct, NULL, NULL); + state->ldap_struct = NULL; + state->last_ping = (time_t)0; + } else { + state->last_ping = time(NULL); + } + } + + if (state->ldap_struct != NULL) { + DEBUG(5,("ldap_idmap_open: already connected to the LDAP " + "server\n")); + return LDAP_SUCCESS; + } + + if ((rc = ldap_idmap_open_connection(state))) { + return rc; + } + + if ((rc = ldap_idmap_connect_system(state))) { + ldap_unbind_ext(state->ldap_struct, NULL, NULL); + state->ldap_struct = NULL; + return rc; + } + + + state->last_ping = time(NULL); + DEBUG(4,("The LDAP server is succesful connected\n")); + + return LDAP_SUCCESS; +} + +static int ldap_idmap_retry_open(struct ldap_idmap_state *state, int *attempts) +{ + int rc; + + SMB_ASSERT(state && attempts); + + if (*attempts != 0) { + unsigned int sleep_time; + uint8 rand_byte = 128; /* a reasonable place to start */ + + generate_random_buffer(&rand_byte, 1, False); + + sleep_time = (((*attempts)*(*attempts))/2)*rand_byte*2; + /* we retry after (0.5, 1, 2, 3, 4.5, 6) seconds + on average. + */ + DEBUG(3, ("Sleeping for %u milliseconds before reconnecting\n", + sleep_time)); + msleep(sleep_time); + } + (*attempts)++; + + if ((rc = ldap_idmap_open(state))) { + DEBUG(1,("Connection to LDAP Server failed for the %d try!\n", + *attempts)); + return rc; + } + + return LDAP_SUCCESS; +} + +/******************************************************************* + a rebind function for authenticated referrals + This version takes a void* that we can shove useful stuff in :-) +******************************************************************/ +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) +#else +static int rebindproc_with_state (LDAP * ld, char **whop, char **credp, + int *methodp, int freeit, void *arg) +{ + struct ldap_idmap_state *state = arg; + + /** @TODO Should we be doing something to check what servers we rebind + to? Could we get a referral to a machine that we don't want to + give our username and password to? */ + + if (freeit) { + SAFE_FREE(*whop); + memset(*credp, '\0', strlen(*credp)); + SAFE_FREE(*credp); + } else { + DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n", + state->bind_dn)); + + *whop = strdup(state->bind_dn); + if (!*whop) { + return LDAP_NO_MEMORY; + } + *credp = strdup(state->bind_secret); + if (!*credp) { + SAFE_FREE(*whop); + return LDAP_NO_MEMORY; + } + *methodp = LDAP_AUTH_SIMPLE; + } + return 0; +} +#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ + +/******************************************************************* + a rebind function for authenticated referrals + This version takes a void* that we can shove useful stuff in :-) + and actually does the connection. +******************************************************************/ +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) +static int rebindproc_connect_with_state (LDAP *ldap_struct, + LDAP_CONST char *url, + ber_tag_t request, + ber_int_t msgid, void *arg) +{ + struct ldap_idmap_state *state = arg; + int rc; + DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n", + state->bind_dn)); + + /** @TODO Should we be doing something to check what servers we rebind + to? Could we get a referral to a machine that we don't want to + give our username and password to? */ + + rc = ldap_simple_bind_s(ldap_struct, state->bind_dn, + state->bind_secret); + + return rc; +} +#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ + +/******************************************************************* + Add a rebind function for authenticated referrals +******************************************************************/ +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) +#else +# if LDAP_SET_REBIND_PROC_ARGS == 2 +static int rebindproc (LDAP *ldap_struct, char **whop, char **credp, + int *method, int freeit ) +{ + return rebindproc_with_state(ldap_struct, whop, credp, + method, freeit, &ldap_state); + +} +# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/ +#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ + +/******************************************************************* + a rebind function for authenticated referrals + this also does the connection, but no void*. +******************************************************************/ +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) +# if LDAP_SET_REBIND_PROC_ARGS == 2 +static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request, + ber_int_t msgid) +{ + return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, + msgid, &ldap_state); +} +# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/ +#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ + +/******************************************************************* + connect to the ldap server under system privilege. +******************************************************************/ +static int ldap_idmap_connect_system(struct ldap_idmap_state *state) +{ + int rc; + char *ldap_dn; + char *ldap_secret; + + /* get the password */ + if (!fetch_ldapsam_pw(&ldap_dn, &ldap_secret)) + { + DEBUG(0, ("ldap_idmap_connect_system: Failed to retrieve " + "password from secrets.tdb\n")); + return LDAP_INVALID_CREDENTIALS; + } + + state->bind_dn = ldap_dn; + state->bind_secret = ldap_secret; + + /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite + (OpenLDAP) doesnt' seem to support it */ + + DEBUG(10,("ldap_idmap_connect_system: Binding to ldap server %s as " + "\"%s\"\n", state->uri, ldap_dn)); + +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) +# if LDAP_SET_REBIND_PROC_ARGS == 2 + ldap_set_rebind_proc(state->ldap_struct, &rebindproc_connect); +# endif +# if LDAP_SET_REBIND_PROC_ARGS == 3 + ldap_set_rebind_proc(state->ldap_struct, + &rebindproc_connect_with_state, (void *)state); +# endif +#else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ +# if LDAP_SET_REBIND_PROC_ARGS == 2 + ldap_set_rebind_proc(state->ldap_struct, &rebindproc); +# endif +# if LDAP_SET_REBIND_PROC_ARGS == 3 + ldap_set_rebind_proc(state->ldap_struct, &rebindproc_with_state, + (void *)state); +# endif +#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ + + rc = ldap_simple_bind_s(state->ldap_struct, ldap_dn, ldap_secret); + + if (rc != LDAP_SUCCESS) { + char *ld_error = NULL; + ldap_get_option(state->ldap_struct, LDAP_OPT_ERROR_STRING, + &ld_error); + DEBUG(state->num_failures ? 2 : 0, + ("failed to bind to server with dn= %s Error: " + "%s\n\t%s\n", + ldap_dn ? ld_error : "(unknown)", + ldap_err2string(rc), ld_error)); + SAFE_FREE(ld_error); + state->num_failures++; + return rc; + } + + state->num_failures = 0; + + DEBUG(3, ("ldap_idmap_connect_system: succesful connection to the " + "LDAP server\n")); + return rc; +} + +static int ldap_idmap_search(struct ldap_idmap_state *state, + const char *base, int scope, const char *filter, + const char *attrs[], int attrsonly, + LDAPMessage **res) +{ + int rc = LDAP_SERVER_DOWN; + int attempts = 0; + char *utf8_filter; + + SMB_ASSERT(state); + + if (push_utf8_allocate(&utf8_filter, filter) == (size_t)-1) { + return LDAP_NO_MEMORY; + } + + while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) { + if ((rc = ldap_idmap_retry_open(state, &attempts)) != + LDAP_SUCCESS) continue; + + rc = ldap_search_s(state->ldap_struct, base, scope, + utf8_filter, (char**)attrs, attrsonly, res); + } + + if (rc == LDAP_SERVER_DOWN) { + DEBUG(0,("ldap_idmap_search: LDAP server is down!\n")); + ldap_idmap_close(); + } + + SAFE_FREE(utf8_filter); + return rc; +} + +/******************************************************************* +search an attribute and return the first value found. +******************************************************************/ +static BOOL ldap_idmap_attribute (struct ldap_idmap_state *state, + LDAPMessage * entry, + const char *attribute, pstring value) +{ + char **values; + value[0] = '\0'; + + if ((values = ldap_get_values (state->ldap_struct, entry, attribute)) + == NULL) { + DEBUG(10,("get_single_attribute: [%s] = [<does not exist>]\n", + attribute)); + return False; + } + if (convert_string(CH_UTF8, CH_UNIX, + values[0], -1, + value, sizeof(pstring)) == (size_t)-1) + { + DEBUG(1, ("ldap_idmap_attribute: string conversion of [%s] = " + "[%s] failed!\n", attribute, values[0])); + ldap_value_free(values); + return False; + } + ldap_value_free(values); + + return True; +} + +static const char *attrs[] = {"objectClass", "uidNumber", "gidNumber", + "ntSid", NULL}; +static const char *pool_attr[] = {"uidNumber", "gidNumber", NULL}; + +static NTSTATUS ldap_allocate_id(unid_t *id, int id_type) +{ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + int rc = LDAP_SERVER_DOWN; + int count = 0; + LDAPMessage *result = 0; + LDAPMessage *entry = 0; + pstring id_str, new_id_str; + LDAPMod mod[2]; + LDAPMod *mods[3]; + const char *type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber"; + char *val[4]; + char *dn; + + rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), + LDAP_SCOPE_SUBTREE, "(objectClass=unixIdPool)", + pool_attr, 0, &result); + if (rc != LDAP_SUCCESS) { + DEBUG(0,("ldap_allocate_id: unixIdPool object not found\n")); + goto out; + } + + count = ldap_count_entries(ldap_state.ldap_struct, result); + if (count != 1) { + DEBUG(0,("ldap_allocate_id: single unixIdPool not found\n")); + goto out; + } + + dn = ldap_get_dn(ldap_state.ldap_struct, result); + entry = ldap_first_entry(ldap_state.ldap_struct, result); + + if (!ldap_idmap_attribute(&ldap_state, entry, type, id_str)) { + DEBUG(0,("ldap_allocate_id: %s attribute not found\n", + type)); + goto out; + } + if (id_type & ID_USERID) { + id->uid = strtoul(id_str, NULL, 10); + } else { + id->gid = strtoul(id_str, NULL, 10); + } + + mod[0].mod_op = LDAP_MOD_DELETE; + mod[0].mod_type = strdup(type); + val[0] = id_str; val[1] = NULL; + mod[0].mod_values = val; + + pstr_sprintf(new_id_str, "%ud", + ((id_type & ID_USERID) ? id->uid : id->gid) + 1); + mod[1].mod_op = LDAP_MOD_ADD; + mod[1].mod_type = strdup(type); + val[3] = new_id_str; val[4] = NULL; + mod[1].mod_values = val + 2; + + mods[0] = mod; mods[1] = mod + 1; mods[2] = NULL; + rc = ldap_modify_s(ldap_state.ldap_struct, dn, mods); + ldap_memfree(dn); + + if (rc == LDAP_SUCCESS) ret = NT_STATUS_OK; +out: + return ret; +} + +/* Get a sid from an id */ +static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type) +{ + LDAPMessage *result = 0; + LDAPMessage *entry = 0; + pstring sid_str; + pstring filter; + char type = (id_type & ID_USERID) ? 'u' : 'g'; + int rc; + int count; + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + + pstr_sprintf(filter, "(&(%cidNumber=%ud)(objectClass=sambaAccount))", + type, ((id_type & ID_USERID) ? id.uid : id.gid)); + rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), + LDAP_SCOPE_SUBTREE, filter, attrs, 0, + &result); + if (rc != LDAP_SUCCESS) { + goto out; + } + + count = ldap_count_entries(ldap_state.ldap_struct, result); + if (count == 0) { + pstr_sprintf(filter, + "(&(objectClass=idmapEntry)(%cidNumber=%ud))", + type, ((id_type & ID_USERID) ? id.uid : id.gid)); + rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), + LDAP_SCOPE_SUBTREE, filter, + attrs, 0, &result); + if (rc != LDAP_SUCCESS) { + goto out; + } + count = ldap_count_entries(ldap_state.ldap_struct, result); + } + + if (count != 1) { + DEBUG(0,("ldap_get_sid_from_id: mapping not found for " + "%cid: %ud\n", (id_type&ID_USERID)?'u':'g', + ((id_type & ID_USERID) ? id.uid : id.gid))); + goto out; + } + + entry = ldap_first_entry(ldap_state.ldap_struct, result); + + if (!ldap_idmap_attribute(&ldap_state, entry, "ntSid", sid_str)) { + goto out; + } + + if (!string_to_sid(sid, sid_str)) { + goto out; + } + + ret = NT_STATUS_OK; +out: + return ret; +} + +/* Get an id from a sid */ +static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, + const DOM_SID *sid) +{ + LDAPMessage *result = 0; + LDAPMessage *entry = 0; + pstring sid_str; + pstring filter; + pstring id_str; + const char *type = (*id_type & ID_USERID) ? "uidNumber" : "gidNumber"; + const char *class = + (*id_type & ID_USERID) ? "sambaAccount" : "sambaGroupMapping"; + int rc; + int count; + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + + sid_to_string(sid_str, sid); + pstr_sprintf(filter, "(&(objectClass=%s)(ntSid=%s)", class, sid_str); + rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), + LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result); + if (rc != LDAP_SUCCESS) { + goto out; + } + count = ldap_count_entries(ldap_state.ldap_struct, result); + if (count == 0) { + pstr_sprintf(filter, + "(&(objectClass=idmapEntry)(ntSid=%s))", sid_str); + + rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), + LDAP_SCOPE_SUBTREE, filter, + attrs, 0, &result); + if (rc != LDAP_SUCCESS) { + goto out; + } + count = ldap_count_entries(ldap_state.ldap_struct, result); + } + + /* our search filters may 2 objects in the case that a user and group + rid are the same */ + if (count != 1 && count != 2) { + DEBUG(0, + ("ldap_get_id_from_sid: incorrect number of objects\n")); + goto out; + } + + entry = ldap_first_entry(ldap_state.ldap_struct, result); + if (!ldap_idmap_attribute(&ldap_state, entry, type, id_str)) { + entry = ldap_next_entry(ldap_state.ldap_struct, entry); + + if (!ldap_idmap_attribute(&ldap_state, entry, type, id_str)) { + int i; + + for (i = 0; i < LDAP_MAX_ALLOC_ID; i++) { + ret = ldap_allocate_id(id, *id_type); + if (NT_STATUS_IS_OK(ret)) { + break; + } + } + if (NT_STATUS_IS_OK(ret)) { + ret = ldap_set_mapping(sid, *id, *id_type); + } else { + DEBUG(0,("ldap_allocate_id: cannot acquire id" + " lock\n")); + } + } else { + if ((*id_type & ID_USERID)) { + id->uid = strtoul(id_str, NULL, 10); + } else { + id->gid = strtoul(id_str, NULL, 10); + } + ret = NT_STATUS_OK; + } + } else { + if ((*id_type & ID_USERID)) { + id->uid = strtoul(id_str, NULL, 10); + } else { + id->gid = strtoul(id_str, NULL, 10); + } + ret = NT_STATUS_OK; + } +out: + return ret; +} + +/* This function cannot be called to modify a mapping, only set a new one */ +static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) +{ + pstring dn, sid_str, id_str; + const char *type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber"; + LDAPMod *mods[3]; + LDAPMod mod[2]; + char *val[4]; + int rc; + int attempts = 0; + + pstr_sprintf(id_str, "%ud", ((id_type & ID_USERID) ? id.uid : id.gid)); + sid_to_string(sid_str, sid); + pstr_sprintf(dn, "%s=%ud,%s", type, ((id_type & ID_USERID) ? id.uid : id.gid), lp_ldap_suffix()); + mod[0].mod_op = LDAP_MOD_REPLACE; + mod[0].mod_type = strdup(type); + val[0] = id_str; val[1] = NULL; + mod[0].mod_values = val; + + mod[1].mod_op = LDAP_MOD_REPLACE; + mod[1].mod_type = strdup("ntSid"); + val[2] = sid_str; val[3] = NULL; + mod[1].mod_values = val + 2; + + mods[0] = mod; mods[1] = mod + 1; mods[2] = NULL; + + do { + if ((rc = ldap_idmap_retry_open(&ldap_state, &attempts)) != + LDAP_SUCCESS) continue; + + rc = ldap_modify_s(ldap_state.ldap_struct, dn, mods); + } while ((rc == LDAP_SERVER_DOWN) && (attempts <= 8)); + + if (rc != LDAP_SUCCESS) { + return NT_STATUS_UNSUCCESSFUL; + } + + return NT_STATUS_OK; +} + +/***************************************************************************** + Initialise idmap database. +*****************************************************************************/ +static NTSTATUS ldap_idmap_init(void) +{ + /* We wait for the first search request before we try to connect to + the LDAP server. We may want to connect upon initialization though + -- aliguori */ + return NT_STATUS_OK; +} + +/* End the LDAP session */ +static NTSTATUS ldap_idmap_close(void) +{ + if (ldap_state.ldap_struct != NULL) { + ldap_unbind_ext(ldap_state.ldap_struct, NULL, NULL); + ldap_state.ldap_struct = NULL; + } + + DEBUG(5,("The connection to the LDAP server was closed\n")); + /* maybe free the results here --metze */ + + return NT_STATUS_OK; +} + + +/* This function doesn't make as much sense in an LDAP world since the calling + node doesn't really control the ID ranges */ +static void ldap_idmap_status(void) +{ + DEBUG(0, ("LDAP IDMAP Status not available\n")); +} + +static struct idmap_methods ldap_methods = { + ldap_idmap_init, + ldap_get_sid_from_id, + ldap_get_id_from_sid, + ldap_set_mapping, + ldap_idmap_close, + ldap_idmap_status + +}; + +NTSTATUS idmap_ldap_init(void) +{ + DEBUG(0,("idmap_reg_ldap: no LDAP support\n")); + return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &ldap_methods); +} |