summaryrefslogtreecommitdiff
path: root/source4/winbind
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-06-20 12:51:43 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-06-20 16:22:41 +1000
commit352dbddb6d3c1324862409dcfa8a8bee5c111b7c (patch)
treedfe9d66462f90688fd96960e3e2c53438d5ec63f /source4/winbind
parent2b50e8c534872117e7687d643dd8a849e8c044d7 (diff)
downloadsamba-352dbddb6d3c1324862409dcfa8a8bee5c111b7c.tar.gz
samba-352dbddb6d3c1324862409dcfa8a8bee5c111b7c.tar.bz2
samba-352dbddb6d3c1324862409dcfa8a8bee5c111b7c.zip
s4-idmap: Add parameter 'idmap_ldb:use rfc2307' and correct implementation errors
Diffstat (limited to 'source4/winbind')
-rw-r--r--source4/winbind/idmap.c65
1 files changed, 45 insertions, 20 deletions
diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c
index af6f66af28..354507ca6f 100644
--- a/source4/winbind/idmap.c
+++ b/source4/winbind/idmap.c
@@ -230,11 +230,20 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
switch (unixid->type) {
case ID_TYPE_UID:
- ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE,
- sam_attrs, 0,
- "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)(uidNumber=%u)(objectSid=*)"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
- ATYPE_ACCOUNT, unixid->id);
+ if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+ ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+ ldb_get_default_basedn(idmap_ctx->samdb),
+ LDB_SCOPE_SUBTREE,
+ sam_attrs, 0,
+ "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
+ "(uidNumber=%u)(objectSid=*)"
+ "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ ATYPE_ACCOUNT, unixid->id);
+ } else {
+ /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+ ret = LDB_ERR_NO_SUCH_OBJECT;
+ }
+
if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
DEBUG(1, ("Search for uidNumber=%lu gave duplicate results, failing to map to a SID!\n",
(unsigned long)unixid->id));
@@ -242,7 +251,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
goto failed;
} else if (ret == LDB_SUCCESS) {
*sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
- if (*sid) {
+ if (*sid == NULL) {
DEBUG(1, ("Search for uidNumber=%lu did not return an objectSid!\n",
(unsigned long)unixid->id));
status = NT_STATUS_NONE_MAPPED;
@@ -260,11 +269,19 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
id_type = "ID_TYPE_UID";
break;
case ID_TYPE_GID:
- ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE,
- sam_attrs, 0,
- "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
- ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, unixid->id);
+ if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+ ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+ ldb_get_default_basedn(idmap_ctx->samdb),
+ LDB_SCOPE_SUBTREE,
+ sam_attrs, 0,
+ "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
+ "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
+ unixid->id);
+ } else {
+ /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+ ret = LDB_ERR_NO_SUCH_OBJECT;
+ }
if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
DEBUG(1, ("Search for gidNumber=%lu gave duplicate results, failing to map to a SID!\n",
(unsigned long)unixid->id));
@@ -272,7 +289,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
goto failed;
} else if (ret == LDB_SUCCESS) {
*sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
- if (*sid) {
+ if (*sid == NULL) {
DEBUG(1, ("Search for gidNumber=%lu did not return an objectSid!\n",
(unsigned long)unixid->id));
status = NT_STATUS_NONE_MAPPED;
@@ -418,14 +435,22 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
* much like a winbindd member server running idmap_ad
*/
- ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg, NULL, LDB_SCOPE_SUBTREE, sam_attrs, 0,
- "(&(objectSid=%s)"
- "(|(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
- "(sAMaccountType=%u)"
- "(sAMaccountType=%u))"
- "(|(uidNumber=*)(gidNumber=*))"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
- dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+ if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+ ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg,
+ ldb_get_default_basedn(idmap_ctx->samdb),
+ LDB_SCOPE_SUBTREE, sam_attrs, 0,
+ "(&(objectSid=%s)"
+ "(|(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
+ "(sAMaccountType=%u)"
+ "(sAMaccountType=%u))"
+ "(|(uidNumber=*)(gidNumber=*))"
+ "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+ } else {
+ /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+ ret = LDB_ERR_NO_SUCH_OBJECT;
+ }
+
if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
DEBUG(1, ("Search for objectSid=%s gave duplicate results, failing to map to a unix ID!\n",
dom_sid_string(tmp_ctx, sid)));