-rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 46 | ||||
-rw-r--r-- | source3/param/loadparm.c | 3 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 132 |
3 files changed, 138 insertions, 43 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index e4c4587c1f..621b764a11 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -663,6 +663,7 @@ <listitem><para><link linkend="LDAPUSERSUFFIX"><parameter>ldap user suffix</parameter></link></para></listitem> <listitem><para><link linkend="LDAPMACHINESUFFIX"><parameter>ldap machine suffix</parameter></link></para></listitem> <listitem><para><link linkend="LDAPPASSWDSYNC"><parameter>ldap passwd sync</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPTRUSTIDS"><parameter>ldap trust ids</parameter></link></para></listitem> <listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem> <listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem> @@ -3464,16 +3465,20 @@ The <parameter>ldap ssl</parameter> can be set to one of three values: </para> <itemizedlist> - <listitem><para><parameter>On</parameter> = Always use SSL when contacting the - <parameter>ldap server</parameter>.</para></listitem> - <listitem><para><parameter>Off</parameter> = Never use SSL when querying the directory.</para></listitem> <listitem><para><parameter>Start_tls</parameter> = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.</para></listitem> + + <listitem><para><parameter>On</parameter> = + Use SSL on the ldaps port when contacting the + <parameter>ldap server</parameter>. Only + available when the backwards-compatiblity <command> + --with-ldapsam</command> option is specified + to configure. See <link linkend="PASSDBBACKEND"><paramater>passdb backend</parameter></link></para></listitem> </itemizedlist> - <para>Default : <command>ldap ssl = on</command></para> + <para>Default : <command>ldap ssl = start_tls</command></para> </listitem> </varlistentry> 
@@ -3540,9 +3545,24 @@ </listitem> </varlistentry> + <varlistentry> + <term><anchor id="LDAPTRUSTIDS">ldap trust ids (G)</term> + <listitem><para>Normally, Samba validates each entry + in the LDAP server against getpwnam(). This allows + LDAP to be used for Samba with the unix system using + NIS (for example) and also ensures that Samba does not + present accounts that do not otherwise exist. </para> + <para>This option is used to disable this functionality, and + instead to rely on the presence of the appropriate + attributes in LDAP directly, which can result in a + significant performance boost in some situations. + Setting this option to yes effectivly assumes + that the local machine is running <command>nss_ldap</command> against the + same LDAP server.</para> - - + <para>Default: <command>ldap trust ids = No</command></para> + </listitem> + </varlistentry> <varlistentry> <term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term> @@ -5357,8 +5377,20 @@ <listitem><para><command>ldapsam_nua</command> - The LDAP based passdb backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to <command>ldap://localhost</command>)</para> + <para>Note: In this module, any account + without a matching POSIX account is regarded + as 'non unix'. <para>See also <link linkend="NONUNIXACCOUNTRANGE"> - <parameter>non unix account range</parameter></link></para></listitem> + <parameter>non unix account + range</parameter></link></para> + + <para>LDAP connections should be secured where + possible. This may be done using either + Start-TLS (see <link linkend="LDAPSSL"> + <parameter>ldap ssl</parameter>) or by + specifying <paramater>ldaps://</paramater> in + the URL argument. + </para></listitem> <listitem><para><command>nisplussam</command> - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </para></listitem> 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7c87a51684..883d271980 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -216,6 +216,7 @@ typedef struct
 char *szLdapSuffix;
 char *szLdapFilter;
 char *szLdapAdminDn;
+ BOOL ldap_trust_ids;
 char *szAclCompat;
 int ldap_passwd_sync;
 BOOL bMsAddPrinterWizard;
@@ -1008,6 +1009,7 @@ static struct parm_struct parm_table[] = {
 {"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"ldap passwd sync", P_ENUM, P_GLOBAL, &Globals.ldap_passwd_sync, NULL, enum_ldap_passwd_sync, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap trust ids", P_BOOL, P_GLOBAL, &Globals.ldap_trust_ids, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 
 {"Miscellaneous Options", P_SEP, P_SEPARATOR},
 {"add share command", P_STRING, P_GLOBAL, &Globals.szAddShareCommand, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1602,6 +1604,7 @@ FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
 FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
 FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
 FN_GLOBAL_INTEGER(lp_ldap_passwd_sync, &Globals.ldap_passwd_sync)
+FN_GLOBAL_BOOL(lp_ldap_trust_ids, &Globals.ldap_trust_ids)
 FN_GLOBAL_STRING(lp_add_share_cmd, &Globals.szAddShareCommand)
 FN_GLOBAL_STRING(lp_change_share_cmd, &Globals.szChangeShareCommand)
 FN_GLOBAL_STRING(lp_delete_share_cmd, &Globals.szDeleteShareCommand)
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 9ab10b8c08..22358cb47d 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
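Review bot: The new `ldap_trust_ids` global is declared, registered in `parm_table` and exposed through `lp_ldap_trust_ids()`, but none of the three loadparm.c hunks assigns it a default in `init_globals`, so the documented `ldap trust ids = No` rests on the Globals block being zeroed elsewhere, which is not visible here. Because a `yes` value replaces the getpwnam() cross-check with whatever uidNumber/gidNumber the directory returns, an explicit `Globals.ldap_trust_ids = False;` next to the other ldap defaults in `init_globals` would make the safe default visible and survive a later change to how Globals is initialised.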
@@ -146,15 +146,17 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw)
 }
 
 static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
- "logoffTime", "kickoffTime", "cn",
- "pwdCanChange", "pwdMustChange",
- "displayName", "homeDrive",
- "smbHome", "scriptPath",
- "profilePath", "description",
- "userWorkstations", "rid",
- "primaryGroupID", "lmPassword",
- "ntPassword", "acctFlags",
- "domain", NULL };
+ "logoffTime", "kickoffTime", "cn",
+ "pwdCanChange", "pwdMustChange",
+ "displayName", "homeDrive",
+ "smbHome", "scriptPath",
+ "profilePath", "description",
+ "userWorkstations", "rid",
+ "primaryGroupID", "lmPassword",
+ "ntPassword", "acctFlags",
+ "domain", "objectClass",
+ "uidNumber", "gidNumber",
+ "homeDirectory", NULL };
 
 /*******************************************************************
 open a connection to the ldap server.
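Review bot: Nine unchanged entries of `attr[]` are removed and re-added only to change their indentation, which buries the real change — the four new names `objectClass`, `uidNumber`, `gidNumber` and `homeDirectory` — in whitespace churn. Keeping the existing alignment and appending only the new entries would reduce this hunk to a handful of added lines and make the intent reviewable at a glance. Since `attr[]` is presumably the attribute list for every account search, a short comment such as `/* objectClass/uidNumber/gidNumber/homeDirectory are consumed by get_unix_attributes() when "ldap trust ids" is set */` would tell the next reader why POSIX attributes are now requested unconditionally.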
@@ -818,6 +820,60 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c
 /* New Interface is being implemented here */
 
 /**********************************************************************
+Initialize SAM_ACCOUNT from an LDAP query (unix attributes only)
+*********************************************************************/
+static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
+ SAM_ACCOUNT * sampass,
+ LDAPMessage * entry)
+{
+ pstring homedir;
+ pstring temp;
+ uid_t uid;
+ gid_t gid;
+ char **ldap_values;
+ char **values;
+
+ if ((ldap_values = ldap_get_values (ldap_state->ldap_struct, entry, "objectClass")) == NULL) {
+ DEBUG (1, ("get_unix_attributes: no objectClass! \n"));
+ return False;
+ }
+
+ for (values=ldap_values;*values;values++) {
+ if (strcasecmp(*values, "posixAccount") == 0) {
+ break;
+ }
+ }
+
+ if (!*values) { /*end of array, no posixAccount */
+ DEBUG(10, ("user does not have posixAcccount attributes\n"));
+ ldap_value_free(ldap_values);
+ return False;
+ }
+ ldap_value_free(ldap_values);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir))
+ return False;
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
+ return False;
+
+ uid = (uid_t)atol(temp);
+
+ if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
+ return False;
+
+ gid = (gid_t)atol(temp);
+
+ pdb_set_unix_homedir(sampass, homedir, PDB_SET);
+ pdb_set_uid(sampass, uid, PDB_SET);
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ DEBUG(10, ("user has posixAcccount attributes\n"));
+ return True;
+}
+
+
+/**********************************************************************
 Initialize SAM_ACCOUNT from an LDAP query
 (Based on init_sam_from_buffer in pdb_tdb.c)
 *********************************************************************/
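Review bot: `uid = (uid_t)atol(temp);` and `gid = (gid_t)atol(temp);` accept the directory's uidNumber/gidNumber without any validation, and atol() returns 0 when the string has no leading digits, so an empty, malformed or non-numeric value silently maps the account onto uid 0 / gid 0 — exactly the identity this function is now trusted to establish when `ldap trust ids` is set. Parsing with strtoul() and rejecting anything that is not a complete number (end pointer, trailing characters, ERANGE) closes that hole while keeping the function's False-on-failure contract so the caller still falls back to getpwnam(); `errno` needs `<errno.h>` if the file's common includes do not already provide it. Two smaller points on the same hunk: both DEBUG strings misspell `posixAccount` as `posixAcccount`, and whether `get_single_attribute()` bounds its copy into the `pstring` buffers cannot be seen from here and is worth confirming. The rewritten section follows.
```c
static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state,
				SAM_ACCOUNT * sampass,
				LDAPMessage * entry)
{
	/* … unchanged: existing declarations … */
	char *end;

	/* … unchanged: objectClass / posixAccount check, homeDirectory lookup … */

	if (!get_single_attribute(ldap_state->ldap_struct, entry, "uidNumber", temp))
		return False;

	/* atol() yields 0 for a non-numeric value, which would map the
	 * account onto uid 0; parse strictly and reject anything else. */
	errno = 0;
	uid = (uid_t)strtoul(temp, &end, 10);
	if (end == temp || *end != '\0' || errno == ERANGE) {
		DEBUG(1, ("get_unix_attributes: invalid uidNumber [%s]\n", temp));
		return False;
	}

	if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp))
		return False;

	errno = 0;
	gid = (gid_t)strtoul(temp, &end, 10);
	if (end == temp || *end != '\0' || errno == ERANGE) {
		DEBUG(1, ("get_unix_attributes: invalid gidNumber [%s]\n", temp));
		return False;
	}

	/* … unchanged: pdb_set_unix_homedir / pdb_set_uid / pdb_set_gid, return True … */
```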
@@ -906,40 +962,44 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
 pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
 }
 
- if ((ldap_state->permit_non_unix_accounts)
- && (user_rid >= ldap_state->low_nua_rid)
- && (user_rid <= ldap_state->high_nua_rid)) {
-
- } else {
+
+ /*
+ * If so configured, try and get the values from LDAP
+ */
+
+ if (!lp_ldap_trust_ids() || (!get_unix_attributes(ldap_state, sampass, entry))) {
 
- /* These values MAY be in LDAP, but they can also be retrieved through
- * sys_getpw*() which is how we're doing it
+ /*
+ * Otherwise just ask the system getpw() calls.
 */
 pw = getpwnam_alloc(username);
 if (pw == NULL) {
- DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
- return False;
- }
- uid = pw->pw_uid;
- gid = pw->pw_gid;
-
- pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
-
- passwd_free(&pw);
+ if (! ldap_state->permit_non_unix_accounts) {
+ DEBUG (2,("init_sam_from_ldap: User [%s] does not exist via system getpwnam!\n", username));
+ return False;
+ }
+ } else {
+ uid = pw->pw_uid;
+ pdb_set_uid(sampass, uid, PDB_SET);
+ gid = pw->pw_gid;
+ pdb_set_gid(sampass, gid, PDB_SET);
+
+ pdb_set_unix_homedir(sampass, pw->pw_dir, PDB_SET);
 
- pdb_set_uid(sampass, uid, PDB_SET);
- pdb_set_gid(sampass, gid, PDB_SET);
+ passwd_free(&pw);
+ }
+ }
 
- if (group_rid == 0) {
- GROUP_MAP map;
- /* call the mapping code here */
- if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
- pdb_set_group_sid(sampass, &map.sid, PDB_SET);
- }
- else {
- pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
- }
+ if (group_rid == 0 && pdb_get_init_flags(sampass,PDB_GID) != PDB_DEFAULT) {
+ GROUP_MAP map;
+ gid = pdb_get_gid(sampass);
+ /* call the mapping code here */
+ if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ pdb_set_group_sid(sampass, &map.sid, PDB_SET);
+ }
+ else {
+ pdb_set_group_sid_from_rid(sampass, pdb_gid_to_group_rid(gid), PDB_SET);
 }
 }
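Review bot: In the `if (pw == NULL)` branch the account now continues without any uid, gid or home directory whenever `permit_non_unix_accounts` is set, and the removed `low_nua_rid`/`high_nua_rid` range test means the rid no longer gates that path here, so every LDAP entry lacking a POSIX account is accepted as "non unix" regardless of its rid; the manpage hunk documents this, but nothing in the code records it when it happens. A trace line beside the existing failure DEBUG, e.g. `DEBUG(5, ("init_sam_from_ldap: User [%s] has no POSIX account; treating as non unix account\n", username));`, would let an operator see which accounts are being admitted on that basis. Note also that for such an account `pdb_get_init_flags(sampass, PDB_GID)` stays at `PDB_DEFAULT`, so the `group_rid == 0` mapping block is skipped and no group SID is set in this hunk; whether a later step supplies one is outside the hunk, as `init_sam_from_ldap` both starts and ends beyond it.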