Diffstat (limited to 'source/passdb/pdb_ldap.c')
-rw-r--r-- | source/passdb/pdb_ldap.c | 289 |
1 files changed, 38 insertions, 251 deletions
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index 3899949058a..3dab919cb46 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
@@ -462,7 +462,7 @@ static BOOL init_sam_from_ldap(struct ldapsam_privates *ldap_state,
 uint8 hours[MAX_HOURS_LEN];
 pstring temp;
 LOGIN_CACHE *cache_entry = NULL;
- uint32 pwHistLen;
+ int pwHistLen;
 pstring tmpstring;
 /*
@@ -694,8 +694,8 @@ static BOOL init_sam_from_ldap(struct ldapsam_privates *ldap_state,
 if (ldap_state->is_nds_ldap) {
 char *user_dn;
- int pwd_len;
- char clear_text_pw[512];
+ size_t pwd_len;
+ uchar clear_text_pw[512];
 /* Make call to Novell eDirectory ldap extension to get clear text password. NOTE: This will only work if we have an SSL connection to eDirectory. */
@@ -1086,15 +1086,14 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
 }
 if (need_update(sampass, PDB_PWHISTORY)) {
- uint32 pwHistLen = 0;
+ int pwHistLen = 0;
 account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
 if (pwHistLen == 0) {
 /* Remove any password history from the LDAP store. */
 memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
 temp[64] = '\0';
 } else {
- int i;
- uint32 currHistLen = 0;
+ int i, currHistLen = 0;
 const uint8 *pwhist = pdb_get_pw_history(sampass, &currHistLen);
 if (pwhist != NULL) {
 /* We can only store (sizeof(pstring)-1)/64 password history entries. */
@@ -1123,7 +1122,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
 }
 if (need_update(sampass, PDB_HOURS)) {
- const uint8 *hours = pdb_get_hours(sampass);
+ const char *hours = pdb_get_hours(sampass);
 if (hours) {
 pdb_sethexhours(temp, hours);
 smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, 
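Review bot: The `pwHistLen` variables in the @@ -462 and @@ -1086 hunks become signed `int`, yet `&pwHistLen` is still handed to `account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen)`, whose prototype is outside this hunk; if it still takes a `uint32 *` this is an incompatible-pointer-type pass, and if it genuinely writes a signed value then `if (pwHistLen == 0)` no longer covers a negative result, so `if (pwHistLen <= 0)` would be the safer guard. The same question applies to `currHistLen` passed to `pdb_get_pw_history()`. In the @@ -694 hunk `uchar clear_text_pw[512]` is a stack buffer that receives a clear-text password; the code that fills and consumes it is outside the hunk, so confirm it is wiped once it has been used, e.g. `memset(clear_text_pw, 0, sizeof(clear_text_pw));` or the project's zeroing helper. init_sam_from_ldap and init_ldap_from_sam both start and end outside these hunks.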
@@ -2208,39 +2207,6 @@ static void add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
 *num += 1;
 }
-static BOOL ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
- LDAPMessage *entry,
- const DOM_SID *domain_sid,
- uint32 *rid)
-{
- fstring str;
- DOM_SID sid;
-
- if (!smbldap_get_single_attribute(ldap_struct, entry, "sambaSID",
- str, sizeof(str)-1)) {
- DEBUG(10, ("Could not find sambaSID attribute\n"));
- return False;
- }
-
- if (!string_to_sid(&sid, str)) {
- DEBUG(10, ("Could not convert string %s to sid\n", str));
- return False;
- }
-
- if (sid_compare_domain(&sid, domain_sid) != 0) {
- DEBUG(10, ("SID %s is not in expected domain %s\n",
- str, sid_string_static(domain_sid)));
- return False;
- }
-
- if (!sid_peek_rid(&sid, rid)) {
- DEBUG(10, ("Could not peek into RID\n"));
- return False;
- }
-
- return True;
-}
-
 static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
 TALLOC_CTX *mem_ctx, const DOM_SID *group,
@@ -2287,16 +2253,26 @@ static NTSTATUS ldapsam_enum_group_members(struct pdb_methods *methods,
 entry != NULL;
 entry = ldap_next_entry(conn->ldap_struct, entry)) {
+ fstring str;
+ DOM_SID sid;
 uint32 rid;
- if (!ldapsam_extract_rid_from_entry(conn->ldap_struct,
- entry,
- get_global_sam_sid(),
- &rid)) {
- DEBUG(2, ("Could not find sid from ldap entry\n"));
+ if (!smbldap_get_single_attribute(conn->ldap_struct,
+ entry, "sambaSID",
+ str, sizeof(str)-1))
+ continue;
+
+ if (!string_to_sid(&sid, str))
+ goto done;
+
+ if (!sid_check_is_in_our_domain(&sid)) {
+ DEBUG(1, ("Inconsistent SAM -- group member uid not "
+ "in our domain\n"));
 continue;
 }
+
+ sid_peek_rid(&sid, &rid);
+
 add_rid_to_array_unique(mem_ctx, rid, member_rids, num_members);
 } 
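Review bot: In the new loop body of ldapsam_enum_group_members (@@ -2287) the return value of `sid_peek_rid(&sid, &rid)` is discarded, whereas the deleted helper in @@ -2208 checked it and skipped the entry on failure; `uint32 rid;` is declared without an initializer, so a failing call would feed an indeterminate value to `add_rid_to_array_unique()`. The two error paths are also inconsistent: a missing `sambaSID` silently `continue`s, while an unparsable one does `goto done`, abandoning the whole enumeration with whatever `result` holds at that point (set outside the hunk) and without a diagnostic. I would keep the old per-entry skip, `if (!string_to_sid(&sid, str) || !sid_peek_rid(&sid, &rid)) { DEBUG(2, ("Could not find sid from ldap entry\n")); continue; }`, with the domain check kept in between if the ordering matters. The function's signature and its `done:` label are outside the hunk.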
@@ -2436,6 +2412,7 @@ static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
 LDAPMessage *entry;
 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 int num_sids, num_gids;
+ extern DOM_SID global_sid_NULL;
 if (!lp_parm_bool(-1, "ldapsam", "trusted", False)) return pdb_default_enum_group_memberships(methods, username,
@@ -2468,11 +2445,11 @@ static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
 /* We need to add the primary group as the first gid/sid */
- add_gid_to_array_unique(NULL, primary_gid, gids, &num_gids);
+ add_gid_to_array_unique(primary_gid, gids, &num_gids);
 /* This sid will be replaced later */
- add_sid_to_array_unique(NULL, &global_sid_NULL, sids, &num_sids);
+ add_sid_to_array_unique(&global_sid_NULL, sids, &num_sids);
 for (entry = ldap_first_entry(conn->ldap_struct, msg);
 entry != NULL;
@@ -2504,8 +2481,8 @@ static NTSTATUS ldapsam_enum_group_memberships(struct pdb_methods *methods,
 if (gid == primary_gid) {
 sid_copy(&(*sids)[0], &sid);
 } else {
- add_gid_to_array_unique(NULL, gid, gids, &num_gids);
- add_sid_to_array_unique(NULL, &sid, sids, &num_sids);
+ add_gid_to_array_unique(gid, gids, &num_gids);
+ add_sid_to_array_unique(&sid, sids, &num_sids);
 }
 }
@@ -3051,7 +3028,7 @@ static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
 if (!string_to_sid(&member, values[i])) continue;
- add_sid_to_array(NULL, &member, members, num_members);
+ add_sid_to_array(&member, members, num_members);
 }
 ldap_value_free(values);
@@ -3061,12 +3038,9 @@ static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
 }
 static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
- TALLOC_CTX *mem_ctx,
- const DOM_SID *domain_sid,
 const DOM_SID *members, int num_members,
- uint32 **alias_rids,
- int *num_alias_rids)
+ DOM_SID **aliases, int *num_aliases)
 {
 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data; 
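Review bot: `extern DOM_SID global_sid_NULL;` in @@ -2436 is a block-scope extern inside ldapsam_enum_group_memberships; a local redeclaration is not checked against the real definition and silently diverges if its type changes, so the declaration belongs in the shared header next to the other global SIDs and the line should be dropped from the function body. Separately, the `add_gid_to_array_unique`/`add_sid_to_array_unique`/`add_sid_to_array` calls in @@ -2468, @@ -2504 and @@ -3051 lose their TALLOC_CTX argument, which changes who owns the `gids`, `sids` and `members` arrays returned through the out-parameters; the callers that release those arrays are outside this diff, so each one should be confirmed to free with the allocator these helpers now use. The enclosing functions start and end outside the hunks.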
@@ -3079,6 +3053,12 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
 int i;
 int rc;
 char *filter;
+ TALLOC_CTX *mem_ctx;
+
+ mem_ctx = talloc_init("ldapsam_alias_memberships");
+
+ if (mem_ctx == NULL)
+ return NT_STATUS_NO_MEMORY;
 /* This query could be further optimized by adding a (&(sambaSID=<domain-sid>*)) so that only those aliases that are
@@ -3103,6 +3083,9 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
 if (rc != LDAP_SUCCESS) return NT_STATUS_UNSUCCESSFUL;
+ *aliases = NULL;
+ *num_aliases = 0;
+
 ldap_struct = ldap_state->smbldap_state->ldap_struct;
 for (entry = ldap_first_entry(ldap_struct, result);
@@ -3111,7 +3094,6 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
 {
 fstring sid_str;
 DOM_SID sid;
- uint32 rid;
 if (!smbldap_get_single_attribute(ldap_struct, entry, LDAP_ATTRIBUTE_SID, 
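Review bot: `mem_ctx = talloc_init("ldapsam_alias_memberships")` in @@ -3079 is never released on any path visible in this diff: the early `return NT_STATUS_UNSUCCESSFUL` in @@ -3103 and the final `return NT_STATUS_OK` in the @@ -3122 hunk both leave it allocated, and nothing in the new code uses it now that `add_rid_to_array_unique(mem_ctx, ...)` is gone, so every call leaks a talloc context. Unless the lines between the hunks allocate from it, drop the `TALLOC_CTX *mem_ctx` declaration together with the talloc_init/NULL-check block; otherwise add `talloc_destroy(mem_ctx);` before each return. Also `*aliases = NULL; *num_aliases = 0;` is assigned only after the search succeeds, so moving those two lines above the `rc != LDAP_SUCCESS` check keeps the out-parameters defined for a caller that inspects them on failure. The function starts before @@ -3079 and ends inside @@ -3122.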
@@ -3122,207 +3104,13 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods, if (!string_to_sid(&sid, sid_str)) continue; - if (!sid_peek_check_rid(domain_sid, &sid, &rid)) - continue; - - add_rid_to_array_unique(mem_ctx, rid, alias_rids, - num_alias_rids); + add_sid_to_array_unique(&sid, aliases, num_aliases); } ldap_msgfree(result); return NT_STATUS_OK; } -static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - TALLOC_CTX *mem_ctx, - const DOM_SID *domain_sid, - int num_rids, - uint32 *rids, - const char ***names, - uint32 **attrs) -{ - struct ldapsam_privates *ldap_state = - (struct ldapsam_privates *)methods->private_data; - LDAP *ldap_struct = ldap_state->smbldap_state->ldap_struct; - LDAPMessage *msg = NULL; - LDAPMessage *entry; - char *allsids = NULL; - char *tmp; - int i, rc, num_mapped; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - if (!lp_parm_bool(-1, "ldapsam", "trusted", False)) - return pdb_default_lookup_rids(methods, mem_ctx, domain_sid, - num_rids, rids, names, attrs); - - if (!sid_equal(domain_sid, get_global_sam_sid())) { - /* TODO: Sooner or later we need to look up BUILTIN rids as - * well. 
-- vl */ - goto done; - } - - (*names) = TALLOC_ZERO_ARRAY(mem_ctx, const char *, num_rids); - (*attrs) = TALLOC_ARRAY(mem_ctx, uint32, num_rids); - - if ((num_rids != 0) && (((*names) == NULL) || ((*attrs) == NULL))) - return NT_STATUS_NO_MEMORY; - - for (i=0; i<num_rids; i++) - (*attrs)[i] = SID_NAME_UNKNOWN; - - allsids = strdup(""); - if (allsids == NULL) return NT_STATUS_NO_MEMORY; - - for (i=0; i<num_rids; i++) { - DOM_SID sid; - sid_copy(&sid, domain_sid); - sid_append_rid(&sid, rids[i]); - tmp = allsids; - asprintf(&allsids, "%s(sambaSid=%s)", allsids, - sid_string_static(&sid)); - if (allsids == NULL) return NT_STATUS_NO_MEMORY; - free(tmp); - } - - /* First look for users */ - - { - char *filter; - const char *ldap_attrs[] = { "uid", "sambaSid", NULL }; - - asprintf(&filter, ("(&(objectClass=sambaSamAccount)(|%s))"), - allsids); - if (filter == NULL) return NT_STATUS_NO_MEMORY; - - rc = smbldap_search(ldap_state->smbldap_state, - lp_ldap_user_suffix(), - LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0, - &msg); - - SAFE_FREE(filter); - } - - if (rc != LDAP_SUCCESS) - goto done; - - num_mapped = 0; - - for (entry = ldap_first_entry(ldap_struct, msg); - entry != NULL; - entry = ldap_next_entry(ldap_struct, entry)) - { - uint32 rid; - int rid_index; - fstring str; - - if (!ldapsam_extract_rid_from_entry(ldap_struct, entry, - get_global_sam_sid(), - &rid)) { - DEBUG(2, ("Could not find sid from ldap entry\n")); - continue; - } - - if (!smbldap_get_single_attribute(ldap_struct, entry, - "uid", str, sizeof(str)-1)) { - DEBUG(2, ("Could not retrieve uid attribute\n")); - continue; - } - - for (rid_index = 0; rid_index < num_rids; rid_index++) { - if (rid == rids[rid_index]) - break; - } - - if (rid_index == num_rids) { - DEBUG(2, ("Got a RID not asked for: %d\n", rid)); - continue; - } - - (*attrs)[rid_index] = SID_NAME_USER; - (*names)[rid_index] = talloc_strdup(mem_ctx, str); - if ((*names)[rid_index] == NULL) return NT_STATUS_NO_MEMORY; - - num_mapped += 1; - } - - 
if (num_mapped == num_rids) { - /* No need to look for groups anymore -- we're done */ - result = NT_STATUS_OK; - goto done; - } - - /* Same game for groups */ - - { - char *filter; - const char *ldap_attrs[] = { "cn", "sambaSid", NULL }; - - asprintf(&filter, ("(&(objectClass=sambaGroupMapping)(|%s))"), - allsids); - if (filter == NULL) return NT_STATUS_NO_MEMORY; - - rc = smbldap_search(ldap_state->smbldap_state, - lp_ldap_group_suffix(), - LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0, - &msg); - - SAFE_FREE(filter); - } - - if (rc != LDAP_SUCCESS) - goto done; - - for (entry = ldap_first_entry(ldap_struct, msg); - entry != NULL; - entry = ldap_next_entry(ldap_struct, entry)) - { - uint32 rid; - int rid_index; - fstring str; - - if (!ldapsam_extract_rid_from_entry(ldap_struct, entry, - get_global_sam_sid(), - &rid)) { - DEBUG(2, ("Could not find sid from ldap entry\n")); - continue; - } - - if (!smbldap_get_single_attribute(ldap_struct, entry, - "cn", str, sizeof(str)-1)) { - DEBUG(2, ("Could not retrieve cn attribute\n")); - continue; - } - - for (rid_index = 0; rid_index < num_rids; rid_index++) { - if (rid == rids[rid_index]) - break; - } - - if (rid_index == num_rids) { - DEBUG(2, ("Got a RID not asked for: %d\n", rid)); - continue; - } - - (*attrs)[rid_index] = SID_NAME_DOM_GRP; - (*names)[rid_index] = talloc_strdup(mem_ctx, str); - if ((*names)[rid_index] == NULL) return NT_STATUS_NO_MEMORY; - num_mapped += 1; - } - - result = NT_STATUS_NONE_MAPPED; - - if (num_mapped > 0) - result = (num_mapped == num_rids) ? - NT_STATUS_OK : STATUS_SOME_UNMAPPED; - done: - SAFE_FREE(allsids); - - if (msg != NULL) - ldap_msgfree(msg); - - return result; -} - /********************************************************************** Housekeeping *********************************************************************/ 
@@ -3380,7 +3168,6 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **
 (*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
 (*pdb_method)->enum_group_members = ldapsam_enum_group_members;
 (*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships;
- (*pdb_method)->lookup_rids = ldapsam_lookup_rids;
 /* TODO: Setup private data and free */ |