Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccount

attributes rather than calling getpwnam() on the user.

This should help fix some of metze's performance issues - particularly on
enumerations.

There is a consequential change to the operation of 'non unix account's in LDAP
- they are no longer restricted to being 'within' the NUA range, but will
always be added to that range.

Finally, there is the doco for this and the previous LDAP SSL changes.
(This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50)

1 files changed, 92 insertions, 33 deletions

diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 9ab10b8c08..866c4f6b76 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -146,15 +146,17 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
 }
 
 static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
-		"logoffTime", "kickoffTime", "cn",
-		"pwdCanChange", "pwdMustChange",
-		"displayName", "homeDrive",
-		"smbHome", "scriptPath",
-		"profilePath", "description",
-		"userWorkstations", "rid",
-		"primaryGroupID", "lmPassword",
-		"ntPassword", "acctFlags",
-		"domain", NULL };
+			     "logoffTime", "kickoffTime", "cn",
+			     "pwdCanChange", "pwdMustChange",
+			     "displayName", "homeDrive",
+			     "smbHome", "scriptPath",
+			     "profilePath", "description",
+			     "userWorkstations", "rid",
+			     "primaryGroupID", "lmPassword",
+			     "ntPassword", "acctFlags",
+			     "domain", "objectClass", 
+			     "uidNumber", "gidNumber", 
+			     "homeDirectory", NULL };
 
 /*******************************************************************
  open a connection to the ldap server.
@@ -818,6 +820,60 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
 /* New Interface is being implemented here */
 
 /**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
+*********************************************************************/
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, 
+				SAM_ACCOUNT * sampass,
+				LDAPMessage * entry)
+{
+	pstring  homedir;
+	pstring  temp;
+	uid_t uid;
+	gid_t gid;
+	char **ldap_values;
+	char **values;
+
+	if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+		DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
+		return False;
+	}
+
+	for (values=ldap_values;*values;values++) {
+		if (strcasecmp(*values, "posixAccount") == 0) {
+			break;
+		}
+	}
+	
+	if (!*values) { /*end of array, no posixAccount */
+		DEBUG(10, ("user does not have posixAcccount attributes\n"));
+		ldap_value_free(ldap_values);
+		return False;
+	}
+	ldap_value_free(ldap_values);
+
+	if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir)) 
+		return False;
+	
+	if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+		return False;
+	
+	uid = (uid_t)atol(temp);
+	
+	if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+		return False;
+	
+	gid = (gid_t)atol(temp);
+
+	pdb_set_unix_homedir(sampass, homedir, PDB_SET);
+	pdb_set_uid(sampass, uid, PDB_SET);
+	pdb_set_gid(sampass, gid, PDB_SET);
+	
+	DEBUG(10, ("user has posixAcccount attributes\n"));
+	return True;
+}
+
+
+/**********************************************************************
 Initialize SAM_ACCOUNT from an LDAP query
 (Based on init_sam_from_buffer in pdb_tdb.c)
 *********************************************************************/
@@ -906,40 +962,43 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
 		pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
 	}
 
-	if ((ldap_state->permit_non_unix_accounts) 
-	    && (user_rid >= ldap_state->low_nua_rid)
-	    && (user_rid <= ldap_state->high_nua_rid)) {
+
+
+	if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state,sampass, entry))) {
 		
 	} else {
-		
+
 		/* These values MAY be in LDAP, but they can also be retrieved through 
 		 *  sys_getpw*() which is how we're doing it 
 		 */
 	
 		pw = getpwnam_alloc(username);
 		if (pw == NULL) {
-			DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
-			return False;
-		}
-		uid = pw->pw_uid;
-		gid = pw->pw_gid;
-
-		pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
-		passwd_free(&pw);
+			if (! ldap_state->permit_non_unix_accounts) {
+				DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
+				return False;
+			}
+		} else {
+			uid = pw->pw_uid;
+			pdb_set_uid(sampass, uid, PDB_SET);
+			gid = pw->pw_gid;
+			pdb_set_gid(sampass, gid, PDB_SET);
+			
+			pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
 
-		pdb_set_uid(sampass, uid, PDB_SET);
-		pdb_set_gid(sampass, gid, PDB_SET);
+			passwd_free(&pw);
+		}
+	}
 
-		if (group_rid == 0) {
-			GROUP_MAP map;
-			/* call the mapping code here */
-			if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
-				pdb_set_group_sid(sampass, &map.sid, PDB_SET);
-			} 
-			else {
-				pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
-			}
+	if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+		GROUP_MAP map;
+		gid = pdb_get_gid(sampass);
+		/* call the mapping code here */
+		if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+			pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+		} 
+		else {
+			pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
 		}
 	}