summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/docbook/manpages/smb.conf.5.sgml46
-rw-r--r--source3/param/loadparm.c3
-rw-r--r--source3/passdb/pdb_ldap.c125
3 files changed, 134 insertions, 40 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
index e4c4587c1f..5cb8f088a6 100644
--- a/docs/docbook/manpages/smb.conf.5.sgml
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -663,6 +663,7 @@
<listitem><para><link linkend="LDAPUSERSUFFIX"><parameter>ldap user suffix</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPMACHINESUFFIX"><parameter>ldap machine suffix</parameter></link></para></listitem>
<listitem><para><link linkend="LDAPPASSWDSYNC"><parameter>ldap passwd sync</parameter></link></para></listitem>
+ <listitem><para><link linkend="LDAPTRUSTIDS"><parameter>ldap trust ids</parameter></link></para></listitem>
<listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem>
<listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem>
@@ -3464,16 +3465,20 @@
The <parameter>ldap ssl</parameter> can be set to one of three values:
</para>
<itemizedlist>
- <listitem><para><parameter>On</parameter> = Always use SSL when contacting the
- <parameter>ldap server</parameter>.</para></listitem>
-
<listitem><para><parameter>Off</parameter> = Never use SSL when querying the directory.</para></listitem>
<listitem><para><parameter>Start_tls</parameter> = Use the LDAPv3 StartTLS extended operation
(RFC2830) for communicating with the directory server.</para></listitem>
+
+ <listitem><para><parameter>On</parameter> =
+ Use SSL on the ldaps port when contacting the
+ <parameter>ldap server</parameter>. Only
+ available when the backwards-compatiblity <command>
+ --with-ldapsam</command> option is specified
+ to configure. See <link linkend="PASSDBBACKEND"><paramater>passdb backend</parameter></link></para></listitem>
</itemizedlist>
- <para>Default : <command>ldap ssl = on</command></para>
+ <para>Default : <command>ldap ssl = start_tls</command></para>
</listitem>
</varlistentry>
@@ -3540,9 +3545,24 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><anchor id="LDAPTRUSTUIDS">ldap trust uids (G)</term>
+ <listitem><para>Normally, Samba validates each entry
+ in the LDAP server against getpwnam(). This allows
+ LDAP to be used for Samba with the unix system using
+ NIS (for example) and also ensures that Samba does not
+ present accounts that do not otherwise exist. </para>
+ <para>This option is used to disable this functionality, and
+ instead to rely on the presence of the appropriate
+ attributes in LDAP directly, which can result in a
+ significant performance boost in some situations.
+ Setting this option to yes effectivly assumes
+ that the local machine is running <command>nss_ldap</command> against the
+ same LDAP server.</para>
-
-
+ <para>Default: <command>ldap trust ids = No</command></para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term>
@@ -5357,8 +5377,20 @@
<listitem><para><command>ldapsam_nua</command> - The LDAP based passdb
backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
<command>ldap://localhost</command>)</para>
+ <para>Note: In this module, any account
+ without a matching POSIX account is regarded
+ as 'non unix'.
<para>See also <link linkend="NONUNIXACCOUNTRANGE">
- <parameter>non unix account range</parameter></link></para></listitem>
+ <parameter>non unix account
+ range</parameter></link></para>
+
+ <para>LDAP connections should be secured where
+ possible. This may be done using either
+ Start-TLS (see <link linkend="LDAPSSL">
+ <parameter>ldap ssl</parameter>) or by
+ specifying <paramater>ldaps://</paramater> in
+ the URL argument.
+ </para></listitem>
<listitem><para><command>nisplussam</command> - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </para></listitem>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7c87a51684..883d271980 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -216,6 +216,7 @@ typedef struct
char *szLdapSuffix;
char *szLdapFilter;
char *szLdapAdminDn;
+ BOOL ldap_trust_ids;
char *szAclCompat;
int ldap_passwd_sync;
BOOL bMsAddPrinterWizard;
@@ -1008,6 +1009,7 @@ static struct parm_struct parm_table[] = {
{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap passwd sync", P_ENUM, P_GLOBAL, &Globals.ldap_passwd_sync, NULL, enum_ldap_passwd_sync, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap trust ids", P_BOOL, P_GLOBAL, &Globals.ldap_trust_ids, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"Miscellaneous Options", P_SEP, P_SEPARATOR},
{"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1602,6 +1604,7 @@ FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
+FN_GLOBAL_BOOL(lp_ldap_trust_ids, &Globals.ldap_trust_ids)
FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 9ab10b8c08..866c4f6b76 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -146,15 +146,17 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
}
static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
- "logoffTime", "kickoffTime", "cn",
- "pwdCanChange", "pwdMustChange",
- "displayName", "homeDrive",
- "smbHome", "scriptPath",
- "profilePath", "description",
- "userWorkstations", "rid",
- "primaryGroupID", "lmPassword",
- "ntPassword", "acctFlags",
- "domain", NULL };
+ "logoffTime", "kickoffTime", "cn",
+ "pwdCanChange", "pwdMustChange",
+ "displayName", "homeDrive",
+ "smbHome", "scriptPath",
+ "profilePath", "description",
+ "userWorkstations", "rid",
+ "primaryGroupID", "lmPassword",
+ "ntPassword", "acctFlags",
+ "domain", "objectClass",
+ "uidNumber", "gidNumber",
+ "homeDirectory", NULL };
/*******************************************************************
open a connection to the ldap server.
@@ -818,6 +820,60 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
/* New Interface is being implemented here */
/**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
+*********************************************************************/
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
+ SAM_ACCOUNT * sampass,
+ LDAPMessage * entry)
+{
+ pstring homedir;
+ pstring temp;
+ uid_t uid;
+ gid_t gid;
+ char **ldap_values;
+ char **values;
+
+ if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+ DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
+ return False;
+ }
+
+ for (values=ldap_values;*values;values++) {
+ if (strcasecmp(*values, "posixAccount") == 0) {
+ break;
+ }
+ }
+
+ if (!*values) { /*end of array, no posixAccount */
+ DEBUG(10, ("user does not have posixAcccount attributes\n"));
+ ldap_value_free(ldap_values);
+ return False;
+ }
+ ldap_value_free(ldap_values);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
+ return False;
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+ return False;
+
+ uid = (uid_t)atol(temp);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+ return False;
+
+ gid = (gid_t)atol(temp);
+
+ pdb_set_unix_homedir(sampass, homedir, PDB_SET);
+ pdb_set_uid(sampass, uid, PDB_SET);
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ DEBUG(10, ("user has posixAcccount attributes\n"));
+ return True;
+}
+
+
+/**********************************************************************
Initialize SAM_ACCOUNT from an LDAP query
(Based on init_sam_from_buffer in pdb_tdb.c)
*********************************************************************/
@@ -906,40 +962,43 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
}
- if ((ldap_state->permit_non_unix_accounts)
- && (user_rid >= ldap_state->low_nua_rid)
- && (user_rid <= ldap_state->high_nua_rid)) {
+
+
+ if (lp_ldap_trust_ids() && (get_unix_attributes(ldap_state,sampass, entry))) {
} else {
-
+
/* These values MAY be in LDAP, but they can also be retrieved through
* sys_getpw*() which is how we're doing it
*/
pw = getpwnam_alloc(username);
if (pw == NULL) {
- DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
- return False;
- }
- uid = pw->pw_uid;
- gid = pw->pw_gid;
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
+ if (! ldap_state->permit_non_unix_accounts) {
+ DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
+ return False;
+ }
+ } else {
+ uid = pw->pw_uid;
+ pdb_set_uid(sampass, uid, PDB_SET);
+ gid = pw->pw_gid;
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
+ passwd_free(&pw);
+ }
+ }
- if (group_rid == 0) {
- GROUP_MAP map;
- /* call the mapping code here */
- if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
- pdb_set_group_sid(sampass, &map.sid, PDB_SET);
- }
- else {
- pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
- }
+ if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+ GROUP_MAP map;
+ gid = pdb_get_gid(sampass);
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+ }
+ else {
+ pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
}
}