Merge of my 'ldap trust ids' patch from HEAD.

This hopefully provides a peformance boost by not hitting getpwnam() for every
entry in an enumeration, instead reteriving entries directly (if available).

idra has reviewed this patch.

Andrew Bartlett
(This used to be commit 8abe71c4d7a796001c5765f4dd88c2e6f5637802)

3 files changed, 138 insertions, 43 deletions

diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
index e4c4587c1f..621b764a11 100644
--- a/docs/docbook/manpages/smb.conf.5.sgml
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -663,6 +663,7 @@
 		<listitem><para><link linkend="LDAPUSERSUFFIX"><parameter>ldap user suffix</parameter></link></para></listitem>
 		<listitem><para><link linkend="LDAPMACHINESUFFIX"><parameter>ldap machine suffix</parameter></link></para></listitem>
 		<listitem><para><link linkend="LDAPPASSWDSYNC"><parameter>ldap passwd sync</parameter></link></para></listitem>
+		<listitem><para><link linkend="LDAPTRUSTIDS"><parameter>ldap trust ids</parameter></link></para></listitem>
 
 		<listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem>
 		<listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem>
@@ -3464,16 +3465,20 @@
 		The <parameter>ldap ssl</parameter> can be set to one of three values:
 		</para>	
 		<itemizedlist>
-			<listitem><para><parameter>On</parameter>  =  Always use SSL when contacting the 
-			<parameter>ldap	server</parameter>.</para></listitem>
-			
 			<listitem><para><parameter>Off</parameter> = Never use SSL when querying the directory.</para></listitem>
 
 			<listitem><para><parameter>Start_tls</parameter> = Use the LDAPv3 StartTLS extended operation 
 			(RFC2830) for communicating with the directory server.</para></listitem>
+	    
+			<listitem><para><parameter>On</parameter>  =
+			Use SSL on the ldaps port when contacting the 
+			<parameter>ldap	server</parameter>.  Only
+			available when the backwards-compatiblity <command>
+			--with-ldapsam</command> option is specified
+			to configure.  See <link linkend="PASSDBBACKEND"><paramater>passdb backend</parameter></link></para></listitem>
 		</itemizedlist>		
 		
-		<para>Default : <command>ldap ssl = on</command></para>
+		<para>Default : <command>ldap ssl = start_tls</command></para>
 		</listitem>
 		</varlistentry>
 
@@ -3540,9 +3545,24 @@
 		</listitem>
 		</varlistentry>
 
+		<varlistentry>
+		<term><anchor id="LDAPTRUSTIDS">ldap trust ids (G)</term>
+		<listitem><para>Normally, Samba validates each entry
+		in the LDAP server against getpwnam().  This allows
+		LDAP to be used for Samba with the unix system using
+		NIS (for example) and also ensures that Samba does not
+		present accounts that do not otherwise exist.  </para>
+	        <para>This option is used to disable this functionality, and
+		instead to rely on the presence of the appropriate
+		attributes in LDAP directly, which can result in a
+		significant performance boost in some situations.  
+                Setting this option to yes effectivly assumes
+		that the local machine is running <command>nss_ldap</command> against the
+		same LDAP server.</para>
 
-
-
+		<para>Default: <command>ldap trust ids = No</command></para>
+		</listitem>
+		</varlistentry>
 
 		<varlistentry>
 		<term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term>
@@ -5357,8 +5377,20 @@
 			<listitem><para><command>ldapsam_nua</command> - The LDAP based passdb 
                         backend, with non unix account support.  Takes an LDAP URL as an optional argument (defaults to 
                         <command>ldap://localhost</command>)</para>
+		        <para>Note:  In this module, any account
+                        without a matching POSIX account is regarded
+                        as 'non unix'.
                         <para>See also <link linkend="NONUNIXACCOUNTRANGE">
-                        <parameter>non unix account range</parameter></link></para></listitem>
+                        <parameter>non unix account
+                        range</parameter></link></para>
+	                
+		        <para>LDAP connections should be secured where
+                        possible.  This may be done using either
+                        Start-TLS (see <link linkend="LDAPSSL">
+                        <parameter>ldap ssl</parameter>) or by
+                        specifying <paramater>ldaps://</paramater> in
+                        the URL argument.  
+                        </para></listitem>
 			
 			<listitem><para><command>nisplussam</command> - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </para></listitem>
 			
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7c87a51684..883d271980 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -216,6 +216,7 @@ typedef struct
 	char *szLdapSuffix;
 	char *szLdapFilter;
 	char *szLdapAdminDn;
+	BOOL ldap_trust_ids;
 	char *szAclCompat;
 	int ldap_passwd_sync; 
 	BOOL bMsAddPrinterWizard;
@@ -1008,6 +1009,7 @@ static struct parm_struct parm_table[] = {
 	{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"ldap passwd sync", P_ENUM, P_GLOBAL, &Globals.ldap_passwd_sync, NULL, enum_ldap_passwd_sync, FLAG_ADVANCED | FLAG_DEVELOPER},
+	{"ldap trust ids", P_BOOL, P_GLOBAL, &Globals.ldap_trust_ids, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 
 	{"Miscellaneous Options", P_SEP, P_SEPARATOR},
 	{"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1602,6 +1604,7 @@ FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
 FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
+FN_GLOBAL_BOOL(lp_ldap_trust_ids, &Globals.ldap_trust_ids)
 FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
 FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 9ab10b8c08..22358cb47d 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -146,15 +146,17 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
 }
 
 static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
-		"logoffTime", "kickoffTime", "cn",
-		"pwdCanChange", "pwdMustChange",
-		"displayName", "homeDrive",
-		"smbHome", "scriptPath",
-		"profilePath", "description",
-		"userWorkstations", "rid",
-		"primaryGroupID", "lmPassword",
-		"ntPassword", "acctFlags",
-		"domain", NULL };
+			     "logoffTime", "kickoffTime", "cn",
+			     "pwdCanChange", "pwdMustChange",
+			     "displayName", "homeDrive",
+			     "smbHome", "scriptPath",
+			     "profilePath", "description",
+			     "userWorkstations", "rid",
+			     "primaryGroupID", "lmPassword",
+			     "ntPassword", "acctFlags",
+			     "domain", "objectClass", 
+			     "uidNumber", "gidNumber", 
+			     "homeDirectory", NULL };
 
 /*******************************************************************
  open a connection to the ldap server.
@@ -818,6 +820,60 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
 /* New Interface is being implemented here */
 
 /**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
+*********************************************************************/
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, 
+				SAM_ACCOUNT * sampass,
+				LDAPMessage * entry)
+{
+	pstring  homedir;
+	pstring  temp;
+	uid_t uid;
+	gid_t gid;
+	char **ldap_values;
+	char **values;
+
+	if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+		DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
+		return False;
+	}
+
+	for (values=ldap_values;*values;values++) {
+		if (strcasecmp(*values, "posixAccount") == 0) {
+			break;
+		}
+	}
+	
+	if (!*values) { /*end of array, no posixAccount */
+		DEBUG(10, ("user does not have posixAcccount attributes\n"));
+		ldap_value_free(ldap_values);
+		return False;
+	}
+	ldap_value_free(ldap_values);
+
+	if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir)) 
+		return False;
+	
+	if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+		return False;
+	
+	uid = (uid_t)atol(temp);
+	
+	if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+		return False;
+	
+	gid = (gid_t)atol(temp);
+
+	pdb_set_unix_homedir(sampass, homedir, PDB_SET);
+	pdb_set_uid(sampass, uid, PDB_SET);
+	pdb_set_gid(sampass, gid, PDB_SET);
+	
+	DEBUG(10, ("user has posixAcccount attributes\n"));
+	return True;
+}
+
+
+/**********************************************************************
 Initialize SAM_ACCOUNT from an LDAP query
 (Based on init_sam_from_buffer in pdb_tdb.c)
 *********************************************************************/
@@ -906,40 +962,44 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
 		pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
 	}
 
-	if ((ldap_state->permit_non_unix_accounts) 
-	    && (user_rid >= ldap_state->low_nua_rid)
-	    && (user_rid <= ldap_state->high_nua_rid)) {
-		
-	} else {
+
+	/* 
+	 * If so configured, try and get the values from LDAP 
+	 */
+
+	if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) {
 		
-		/* These values MAY be in LDAP, but they can also be retrieved through 
-		 *  sys_getpw*() which is how we're doing it 
+		/* 
+		 * Otherwise just ask the system getpw() calls.
 		 */
 	
 		pw = getpwnam_alloc(username);
 		if (pw == NULL) {
-			DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
-			return False;
-		}
-		uid = pw->pw_uid;
-		gid = pw->pw_gid;
-
-		pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
-		passwd_free(&pw);
+			if (! ldap_state->permit_non_unix_accounts) {
+				DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
+				return False;
+			}
+		} else {
+			uid = pw->pw_uid;
+			pdb_set_uid(sampass, uid, PDB_SET);
+			gid = pw->pw_gid;
+			pdb_set_gid(sampass, gid, PDB_SET);
+			
+			pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
 
-		pdb_set_uid(sampass, uid, PDB_SET);
-		pdb_set_gid(sampass, gid, PDB_SET);
+			passwd_free(&pw);
+		}
+	}
 
-		if (group_rid == 0) {
-			GROUP_MAP map;
-			/* call the mapping code here */
-			if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
-				pdb_set_group_sid(sampass, &map.sid, PDB_SET);
-			} 
-			else {
-				pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
-			}
+	if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+		GROUP_MAP map;
+		gid = pdb_get_gid(sampass);
+		/* call the mapping code here */
+		if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+			pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+		} 
+		else {
+			pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
 		}
 	}