summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2002-11-02 07:09:17 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-11-02 07:09:17 +0000
commitb017064cec857b3fd533c5c1b1cd4e6327906b45 (patch)
tree5dcc2ab682fe315f433bc4ec95906177cdd86310 /source3
parent949133f5f232622b5dd8ec6a03b6287a7b59853d (diff)
downloadsamba-b017064cec857b3fd533c5c1b1cd4e6327906b45.tar.gz
samba-b017064cec857b3fd533c5c1b1cd4e6327906b45.tar.bz2
samba-b017064cec857b3fd533c5c1b1cd4e6327906b45.zip
Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccount
attributes rather than calling getpwnam() on the user. This should help fix some of metze's performance issues - particularly on enumerations. There is a consequential change to the operation of 'non unix account's in LDAP - they are no longer restricted to being 'within' the NUA range, but will always be added to that range. Finally, there is the doco for this and the previous LDAP SSL changes. (This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50)
Diffstat (limited to 'source3')
-rw-r--r--source3/param/loadparm.c3
-rw-r--r--source3/passdb/pdb_ldap.c125
2 files changed, 95 insertions, 33 deletions
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7c87a51684..883d271980 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -216,6 +216,7 @@ typedef struct
char *szLdapSuffix;
char *szLdapFilter;
char *szLdapAdminDn;
+ BOOL ldap_trust_ids;
char *szAclCompat;
int ldap_passwd_sync;
BOOL bMsAddPrinterWizard;
@@ -1008,6 +1009,7 @@ static struct parm_struct parm_table[] = {
{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap passwd sync", P_ENUM, P_GLOBAL, &Globals.ldap_passwd_sync, NULL, enum_ldap_passwd_sync, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap trust ids", P_BOOL, P_GLOBAL, &Globals.ldap_trust_ids, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"Miscellaneous Options", P_SEP, P_SEPARATOR},
{"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1602,6 +1604,7 @@ FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
+FN_GLOBAL_BOOL(lp_ldap_trust_ids, &Globals.ldap_trust_ids)
FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 9ab10b8c08..866c4f6b76 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -146,15 +146,17 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
}
static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
- "logoffTime", "kickoffTime", "cn",
- "pwdCanChange", "pwdMustChange",
- "displayName", "homeDrive",
- "smbHome", "scriptPath",
- "profilePath", "description",
- "userWorkstations", "rid",
- "primaryGroupID", "lmPassword",
- "ntPassword", "acctFlags",
- "domain", NULL };
+ "logoffTime", "kickoffTime", "cn",
+ "pwdCanChange", "pwdMustChange",
+ "displayName", "homeDrive",
+ "smbHome", "scriptPath",
+ "profilePath", "description",
+ "userWorkstations", "rid",
+ "primaryGroupID", "lmPassword",
+ "ntPassword", "acctFlags",
+ "domain", "objectClass",
+ "uidNumber", "gidNumber",
+ "homeDirectory", NULL };
/*******************************************************************
open a connection to the ldap server.
@@ -818,6 +820,60 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
/* New Interface is being implemented here */
/**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
+*********************************************************************/
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
+ SAM_ACCOUNT * sampass,
+ LDAPMessage * entry)
+{
+ pstring homedir;
+ pstring temp;
+ uid_t uid;
+ gid_t gid;
+ char **ldap_values;
+ char **values;
+
+ if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+ DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
+ return False;
+ }
+
+ for (values=ldap_values;*values;values++) {
+ if (strcasecmp(*values, "posixAccount") == 0) {
+ break;
+ }
+ }
+
+ if (!*values) { /*end of array, no posixAccount */
+ DEBUG(10, ("user does not have posixAcccount attributes\n"));
+ ldap_value_free(ldap_values);
+ return False;
+ }
+ ldap_value_free(ldap_values);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
+ return False;
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+ return False;
+
+ uid = (uid_t)atol(temp);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+ return False;
+
+ gid = (gid_t)atol(temp);
+
+ pdb_set_unix_homedir(sampass, homedir, PDB_SET);
+ pdb_set_uid(sampass, uid, PDB_SET);
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ DEBUG(10, ("user has posixAcccount attributes\n"));
+ return True;
+}
+
+
+/**********************************************************************
Initialize SAM_ACCOUNT from an LDAP query
(Based on init_sam_from_buffer in pdb_tdb.c)
*********************************************************************/
@@ -906,40 +962,43 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
}
- if ((ldap_state->permit_non_unix_accounts)
- && (user_rid >= ldap_state->low_nua_rid)
- && (user_rid <= ldap_state->high_nua_rid)) {
+
+
+ if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state,sampass, entry))) {
} else {
-
+
/* These values MAY be in LDAP, but they can also be retrieved through
* sys_getpw*() which is how we're doing it
*/
pw = getpwnam_alloc(username);
if (pw == NULL) {
- DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
- return False;
- }
- uid = pw->pw_uid;
- gid = pw->pw_gid;
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
+ if (! ldap_state->permit_non_unix_accounts) {
+ DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
+ return False;
+ }
+ } else {
+ uid = pw->pw_uid;
+ pdb_set_uid(sampass, uid, PDB_SET);
+ gid = pw->pw_gid;
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
+ passwd_free(&pw);
+ }
+ }
- if (group_rid == 0) {
- GROUP_MAP map;
- /* call the mapping code here */
- if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
- pdb_set_group_sid(sampass, &map.sid, PDB_SET);
- }
- else {
- pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
- }
+ if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+ GROUP_MAP map;
+ gid = pdb_get_gid(sampass);
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+ }
+ else {
+ pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
}
}