diff options
| -rw-r--r-- | source3/Makefile.in | 22 | ||||
| -rw-r--r-- | source3/configure.in | 21 | ||||
| -rw-r--r-- | source3/include/idmap.h | 2 | ||||
| -rw-r--r-- | source3/include/smbldap.h | 2 | ||||
| -rw-r--r-- | source3/lib/smbldap.c | 99 | ||||
| -rw-r--r-- | source3/param/loadparm.c | 126 | ||||
| -rw-r--r-- | source3/passdb/pdb_ldap.c | 164 | ||||
| -rw-r--r-- | source3/sam/idmap.c | 15 | ||||
| -rw-r--r-- | source3/sam/idmap_ldap.c | 253 | ||||
| -rw-r--r-- | source3/sam/idmap_tdb.c | 2 | ||||
| -rw-r--r-- | source3/sam/idmap_winbind.c | 2 |
11 files changed, 382 insertions, 326 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index df66f6a724..1ebaa37d0b 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -279,13 +279,13 @@ PASSDB_GET_SET_OBJ = passdb/pdb_get_set.o PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \ passdb/machine_sid.o passdb/util_sam_sid.o passdb/pdb_compat.o \ - passdb/privileges.o @PDB_STATIC@ $(SMBLDAP__OBJ) + passdb/privileges.o @PDB_STATIC@ XML_OBJ = passdb/pdb_xml.o MYSQL_OBJ = passdb/pdb_mysql.o DEVEL_HELP_OBJ = modules/weird.o -IDMAP_OBJ = sam/idmap.o sam/idmap_util.o @IDMAP_STATIC@ $(SMBLDAP_OBJ) +IDMAP_OBJ = sam/idmap.o sam/idmap_util.o @IDMAP_STATIC@ GROUPDB_OBJ = groupdb/mapping.o @@ -349,7 +349,7 @@ SMBD_OBJ_BASE = $(PARAM_OBJ) $(SMBD_OBJ_SRV) $(MSDFS_OBJ) $(LIBSMB_OBJ) \ $(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \ $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(LIBADS_SERVER_OBJ) \ $(LIB_SMBD_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) $(IDMAP_OBJ) \ - $(UBIQX_OBJ) $(BUILDOPT_OBJ) + $(UBIQX_OBJ) $(BUILDOPT_OBJ) $(SMBLDAP_OBJ) PRINTING_OBJ = printing/pcap.o printing/print_svid.o \ printing/print_cups.o printing/print_generic.o \ @@ -389,7 +389,7 @@ SWAT_OBJ1 = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(LIBSMB_OBJ) \ $(LOCKING_OBJ) $(PASSDB_OBJ) $(SECRETS_OBJ) $(KRBCLIENT_OBJ) \ $(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(PLAINTEXT_AUTH_OBJ) \ - $(POPT_LIB_OBJ) $(IDMAP_OBJ) + $(POPT_LIB_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ) SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \ $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) @@ -414,11 +414,11 @@ TESTPRNS_OBJ = utils/testprns.o $(PARAM_OBJ) $(PRINTING_OBJ) $(UBIQX_OBJ) \ SMBPASSWD_OBJ = utils/smbpasswd.o $(PARAM_OBJ) $(SECRETS_OBJ) \ $(LIBSMB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)\ $(UBIQX_OBJ) $(LIB_OBJ) $(KRBCLIENT_OBJ) \ - $(IDMAP_OBJ) + $(IDMAP_OBJ) $(SMBLDAP_OBJ) PDBEDIT_OBJ = utils/pdbedit.o $(PARAM_OBJ) $(PASSDB_OBJ) $(LIBSAMBA_OBJ) \ $(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(SECRETS_OBJ) \ - $(POPT_LIB_OBJ) $(IDMAP_OBJ) + $(POPT_LIB_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ) RPCCLIENT_OBJ1 = rpcclient/rpcclient.o rpcclient/cmd_lsarpc.o \ rpcclient/cmd_samr.o rpcclient/cmd_spoolss.o \ @@ -432,7 +432,7 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \ $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(LIBMSRPC_OBJ) \ $(READLINE_OBJ) $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) \ $(LIBADS_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \ - $(IDMAP_OBJ) + $(IDMAP_OBJ) $(SMBLDAP_OBJ) PAM_WINBIND_OBJ = nsswitch/pam_winbind.po nsswitch/wb_common.po lib/snprintf.po @@ -460,7 +460,7 @@ LIBBIGBALLOFMUD_MAJOR = 0 LIBBIGBALLOFMUD_OBJ = $(PARAM_OBJ) $(LIB_OBJ) $(UBIQX_OBJ) $(SECRETS_OBJ) \ $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_OBJ) \ - $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) + $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) $(SMBLDAP_OBJ) LIBBIGBALLOFMUD_PICOBJS = $(LIBBIGBALLOFMUD_OBJ:.o=.po) @@ -480,7 +480,7 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ $(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \ $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \ - $(IDMAP_OBJ) + $(IDMAP_OBJ) $(SMBLDAP_OBJ) CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \ $(LIB_OBJ) $(KRBCLIENT_OBJ) @@ -559,7 +559,7 @@ PROTO_OBJ = $(SMBD_OBJ_MAIN) \ $(LIB_SMBD_OBJ) $(SAM_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) \ $(RPC_LSA_OBJ) $(RPC_NETLOG_OBJ) $(RPC_SAMR_OBJ) $(RPC_REG_OBJ) \ $(RPC_SVC_OBJ) $(RPC_WKS_OBJ) $(RPC_DFS_OBJ) $(RPC_SPOOLSS_OBJ) \ - $(IDMAP_OBJ) $(RPC_ECHO_OBJ) + $(IDMAP_OBJ) $(RPC_ECHO_OBJ) $(SMBLDAP_OBJ) NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) \ $(LIB_OBJ) $(NSSWINS_OBJ) @@ -598,7 +598,7 @@ WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \ - $(PROFILE_OBJ) $(UNIGRP_OBJ) $(IDMAP_OBJ) \ + $(PROFILE_OBJ) $(UNIGRP_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ) \ $(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \ diff --git a/source3/configure.in b/source3/configure.in index b9315ba244..6405138185 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -2537,27 +2537,6 @@ AC_ARG_WITH(ldapsam, AC_MSG_RESULT(no) ) -################################################# -# check for IDMAP - -AC_DEFINE(WITH_IDMAP,1, [Include IDMAP support]) - -AC_MSG_CHECKING(whether to use IDMAP only for [ug]id mapping) -AC_ARG_WITH(idmap, -[ --with-idmap Include experimental IDMAP support (default=yes)], -[ case "$withval" in - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(WITH_IDMAP,1,[Whether to include experimental IDMAP support]) - ;; - no) - AC_MSG_RESULT(no) - AC_DEFINE(WITH_IDMAP,0,[Whether to include experimental IDMAP support]) - ;; - esac ], - AC_MSG_RESULT(yes) -) - ######################################################################################## ## ## END OF TESTS FOR SAM BACKENDS. diff --git a/source3/include/idmap.h b/source3/include/idmap.h index 1267ac27bc..4b38128c2f 100644 --- a/source3/include/idmap.h +++ b/source3/include/idmap.h @@ -39,7 +39,7 @@ struct idmap_methods { /* Called when backend is first loaded */ - NTSTATUS (*init)(void); + NTSTATUS (*init)( char *params ); NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type); NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid); diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h index 13451fa24f..c669f77425 100644 --- a/source3/include/smbldap.h +++ b/source3/include/smbldap.h @@ -39,6 +39,7 @@ #define LDAP_OBJ_ACCOUNT "account" #define LDAP_OBJ_POSIXACCOUNT "posixAccount" #define LDAP_OBJ_POSIXGROUP "posixGroup" +#define LDAP_OBJ_OU "organizationalUnit" /* some generic attributes that get reused a lot */ @@ -81,6 +82,7 @@ #define LDAP_ATTR_HOME_DRIVE 29 #define LDAP_ATTR_GROUP_SID 30 #define LDAP_ATTR_GROUP_TYPE 31 +#define LDAP_ATTR_SID 32 typedef struct _attrib_map_entry { diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 5dbea0669f..bb37222d5a 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -74,7 +74,7 @@ ATTRIB_MAP_ENTRY attrib_map_v30[] = { { LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" }, { LDAP_ATTR_DESC, "description" }, { LDAP_ATTR_USER_WKS, "sambaUserWorkstations" }, - { LDAP_ATTR_USER_SID, "sambaSID" }, + { LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID }, { LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" }, { LDAP_ATTR_LMPW, "sambaLMPassword" }, { LDAP_ATTR_NTPW, "sambaNTPassword" }, @@ -90,7 +90,7 @@ ATTRIB_MAP_ENTRY dominfo_attr_list[] = { { LDAP_ATTR_DOMAIN, "sambaDomainName" }, { LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" }, { LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" }, - { LDAP_ATTR_DOM_SID, "sambaSID" }, + { LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID }, { LDAP_ATTR_LIST_END, NULL }, }; @@ -98,7 +98,7 @@ ATTRIB_MAP_ENTRY dominfo_attr_list[] = { ATTRIB_MAP_ENTRY groupmap_attr_list[] = { { LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER}, - { LDAP_ATTR_GROUP_SID, "sambaSID" }, + { LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID }, { LDAP_ATTR_GROUP_TYPE, "sambaGroupType" }, { LDAP_ATTR_DESC, "description" }, { LDAP_ATTR_DISPLAY_NAME, "displayName" }, @@ -107,14 +107,14 @@ ATTRIB_MAP_ENTRY groupmap_attr_list[] = { }; ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = { - { LDAP_ATTR_GROUP_SID, "sambaSID" }, + { LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID }, { LDAP_ATTR_GROUP_TYPE, "sambaGroupType" }, { LDAP_ATTR_DESC, "description" }, { LDAP_ATTR_DISPLAY_NAME, "displayName" }, { LDAP_ATTR_LIST_END, NULL } }; -/* idmap_ldap samba[U|G]idPool */ +/* idmap_ldap sambaUnixIdPool */ ATTRIB_MAP_ENTRY idpool_attr_list[] = { { LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER}, @@ -123,7 +123,7 @@ ATTRIB_MAP_ENTRY idpool_attr_list[] = { }; ATTRIB_MAP_ENTRY sidmap_attr_list[] = { - { LDAP_ATTR_GROUP_SID, "sambaSID" }, + { LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID }, { LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER}, { LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER}, { LDAP_ATTR_LIST_END, NULL } @@ -257,3 +257,90 @@ BOOL fetch_ldap_pw(char **dn, char** pw) return True; } +/************************************************************************ + Routine to manage the LDAPMod structure array + manage memory used by the array, by each struct, and values + ***********************************************************************/ + +void ldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value) +{ + LDAPMod **mods; + int i; + int j; + + mods = *modlist; + + /* sanity checks on the mod values */ + + if (attribute == NULL || *attribute == '\0') + return; +#if 0 /* commented out after discussion with abartlet. Do not reenable. + left here so other so re-add similar code --jerry */ + if (value == NULL || *value == '\0') + return; +#endif + + if (mods == NULL) + { + mods = (LDAPMod **) malloc(sizeof(LDAPMod *)); + if (mods == NULL) + { + DEBUG(0, ("make_a_mod: out of memory!\n")); + return; + } + mods[0] = NULL; + } + + for (i = 0; mods[i] != NULL; ++i) { + if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute)) + break; + } + + if (mods[i] == NULL) + { + mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *)); + if (mods == NULL) + { + DEBUG(0, ("make_a_mod: out of memory!\n")); + return; + } + mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod)); + if (mods[i] == NULL) + { + DEBUG(0, ("make_a_mod: out of memory!\n")); + return; + } + mods[i]->mod_op = modop; + mods[i]->mod_values = NULL; + mods[i]->mod_type = strdup(attribute); + mods[i + 1] = NULL; + } + + if (value != NULL) + { + char *utf8_value = NULL; + + j = 0; + if (mods[i]->mod_values != NULL) { + for (; mods[i]->mod_values[j] != NULL; j++); + } + mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values, + (j + 2) * sizeof (char *)); + + if (mods[i]->mod_values == NULL) { + DEBUG (0, ("make_a_mod: Memory allocation failure!\n")); + return; + } + + if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) { + DEBUG (0, ("make_a_mod: String conversion failure!\n")); + return; + } + + mods[i]->mod_values[j] = utf8_value; + + mods[i]->mod_values[j + 1] = NULL; + } + *modlist = mods; +} + diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 1673567321..a5e9b1467f 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -223,6 +223,8 @@ typedef struct int iLockSpinTime; char *szLdapMachineSuffix; char *szLdapUserSuffix; + char *szLdapIdmapSuffix; + char *szLdapGroupSuffix; #ifdef WITH_LDAP_SAMCONFIG int ldap_port; char *szLdapServer; @@ -560,9 +562,8 @@ static BOOL handle_workgroup( const char *pszParmValue, char **ptr ); static BOOL handle_netbios_aliases( const char *pszParmValue, char **ptr ); static BOOL handle_netbios_scope( const char *pszParmValue, char **ptr ); -static BOOL handle_ldap_machine_suffix ( const char *pszParmValue, char **ptr ); -static BOOL handle_ldap_user_suffix ( const char *pszParmValue, char **ptr ); static BOOL handle_ldap_suffix ( const char *pszParmValue, char **ptr ); +static BOOL handle_ldap_sub_suffix ( const char *pszParmValue, char **ptr ); static BOOL handle_acl_compatibility(const char *pszParmValue, char **ptr); @@ -1035,8 +1036,10 @@ static struct parm_struct parm_table[] = { {"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0}, #endif {"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, handle_ldap_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, - {"ldap machine suffix", P_STRING, P_GLOBAL, &Globals.szLdapMachineSuffix, handle_ldap_machine_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, - {"ldap user suffix", P_STRING, P_GLOBAL, &Globals.szLdapUserSuffix, handle_ldap_user_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"ldap machine suffix", P_STRING, P_GLOBAL, &Globals.szLdapMachineSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"ldap user suffix", P_STRING, P_GLOBAL, &Globals.szLdapUserSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"ldap group suffix", P_STRING, P_GLOBAL, &Globals.szLdapGroupSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"ldap idmap suffix", P_STRING, P_GLOBAL, &Globals.szLdapIdmapSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER}, @@ -1119,9 +1122,7 @@ static struct parm_struct parm_table[] = { {"idmap only", P_BOOL, P_GLOBAL, &Globals.bIdmapOnly, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"idmap uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, - {"winbind uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE}, {"idmap gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, - {"winbind gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE}, {"template homedir", P_STRING, P_GLOBAL, &Globals.szTemplateHomedir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, @@ -1419,6 +1420,8 @@ static void init_globals(void) string_set(&Globals.szLdapFilter, "(uid=%u)"); string_set(&Globals.szLdapMachineSuffix, ""); string_set(&Globals.szLdapUserSuffix, ""); + string_set(&Globals.szLdapGroupSuffix, ""); + string_set(&Globals.szLdapIdmapSuffix, ""); string_set(&Globals.szLdapAdminDn, ""); Globals.ldap_ssl = LDAP_SSL_ON; @@ -1643,6 +1646,8 @@ FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port) FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix) FN_GLOBAL_STRING(lp_ldap_machine_suffix, &Globals.szLdapMachineSuffix) FN_GLOBAL_STRING(lp_ldap_user_suffix, &Globals.szLdapUserSuffix) +FN_GLOBAL_STRING(lp_ldap_idmap_suffix, &Globals.szLdapIdmapSuffix) +FN_GLOBAL_STRING(lp_ldap_group_suffix, &Globals.szLdapGroupSuffix) FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter) FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn) FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl) @@ -2933,91 +2938,61 @@ static BOOL handle_debug_list( const char *pszParmValueIn, char **ptr ) } /*************************************************************************** - Handle the ldap machine suffix option. + Handle setting ldap suffix and determines whether ldap machine suffix needs + to be set as well. + + Set all of the sub suffix strings to be the 'ldap suffix' by default ***************************************************************************/ -static BOOL handle_ldap_machine_suffix( const char *pszParmValue, char **ptr) +static BOOL handle_ldap_suffix( const char *pszParmValue, char **ptr ) { - pstring suffix; - - pstrcpy(suffix, pszParmValue); - - if (! *Globals.szLdapSuffix ) { - string_set( ptr, suffix ); - return True; - } - - if (! strstr(suffix, Globals.szLdapSuffix) ) { - if ( *pszParmValue ) - pstrcat(suffix, ","); - pstrcat(suffix, Globals.szLdapSuffix); - } - string_set( ptr, suffix ); - return True; + pstring suffix; + + pstrcpy(suffix, pszParmValue); + + /* set defaults for the the sub-suffixes */ + + if (! *Globals.szLdapMachineSuffix ) + string_set(&Globals.szLdapMachineSuffix, suffix); + if (! *Globals.szLdapUserSuffix ) + string_set(&Globals.szLdapUserSuffix, suffix); + if (! *Globals.szLdapGroupSuffix ) + string_set(&Globals.szLdapGroupSuffix, suffix); + if (! *Globals.szLdapIdmapSuffix ) + string_set(&Globals.szLdapIdmapSuffix, suffix); + + string_set(ptr, suffix); + return True; } /*************************************************************************** - Handle the ldap user suffix option. + Handle the ldap sub suffix option. + Always append the 'ldap suffix' if it is set ***************************************************************************/ -static BOOL handle_ldap_user_suffix( const char *pszParmValue, char **ptr) +static BOOL handle_ldap_sub_suffix( const char *pszParmValue, char **ptr) { - pstring suffix; + pstring suffix; - pstrcpy(suffix, pszParmValue); + pstrcpy(suffix, pszParmValue); - if (! *Globals.szLdapSuffix ) { - string_set( ptr, suffix ); - return True; - } - - if (! strstr(suffix, Globals.szLdapSuffix) ) { - if ( *pszParmValue ) - pstrcat(suffix, ","); - pstrcat(suffix, Globals.szLdapSuffix); - } - string_set( ptr, suffix ); - return True; + if (! *Globals.szLdapSuffix ) { + string_set( ptr, suffix ); + return True; + } + else { + if ( *pszParmValue ) + pstrcat(suffix, ","); + pstrcat(suffix, Globals.szLdapSuffix); + } + + string_set( ptr, suffix ); + return True; } /*************************************************************************** - Handle setting ldap suffix and determines whether ldap machine suffix needs - to be set as well. ***************************************************************************/ -static BOOL handle_ldap_suffix( const char *pszParmValue, char **ptr) -{ - pstring suffix; - pstring user_suffix; - pstring machine_suffix; - - pstrcpy(suffix, pszParmValue); - - if (! *Globals.szLdapMachineSuffix ) - string_set(&Globals.szLdapMachineSuffix, suffix); - if (! *Globals.szLdapUserSuffix ) - string_set(&Globals.szLdapUserSuffix, suffix); - - if (! strstr(Globals.szLdapMachineSuffix, suffix)) { - pstrcpy(machine_suffix, Globals.szLdapMachineSuffix); - if ( *Globals.szLdapMachineSuffix ) - pstrcat(machine_suffix, ","); - pstrcat(machine_suffix, suffix); - string_set(&Globals.szLdapMachineSuffix, machine_suffix); - } - - if (! strstr(Globals.szLdapUserSuffix, suffix)) { - pstrcpy(user_suffix, Globals.szLdapUserSuffix); - if ( *Globals.szLdapUserSuffix ) - pstrcat(user_suffix, ","); - pstrcat(user_suffix, suffix); - string_set(&Globals.szLdapUserSuffix, user_suffix); - } - - string_set(ptr, suffix); - return True; -} - static BOOL handle_acl_compatibility(const char *pszParmValue, char **ptr) { if (strequal(pszParmValue, "auto")) @@ -3031,6 +3006,7 @@ static BOOL handle_acl_compatibility(const char *pszParmValue, char **ptr) return True; } + /*************************************************************************** Initialise a copymap. ***************************************************************************/ diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index e6fd12fd0e..3ddbd99ca3 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -818,93 +818,6 @@ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry, return True; } -/************************************************************************ -Routine to manage the LDAPMod structure array -manage memory used by the array, by each struct, and values - -************************************************************************/ -static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value) -{ - LDAPMod **mods; - int i; - int j; - - mods = *modlist; - - /* sanity checks on the mod values */ - - if (attribute == NULL || *attribute == '\0') - return; -#if 0 /* commented out after discussion with abartlet. Do not reenable. - left here so other so re-add similar code --jerry */ - if (value == NULL || *value == '\0') - return; -#endif - - if (mods == NULL) - { - mods = (LDAPMod **) malloc(sizeof(LDAPMod *)); - if (mods == NULL) - { - DEBUG(0, ("make_a_mod: out of memory!\n")); - return; - } - mods[0] = NULL; - } - - for (i = 0; mods[i] != NULL; ++i) { - if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute)) - break; - } - - if (mods[i] == NULL) - { - mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *)); - if (mods == NULL) - { - DEBUG(0, ("make_a_mod: out of memory!\n")); - return; - } - mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod)); - if (mods[i] == NULL) - { - DEBUG(0, ("make_a_mod: out of memory!\n")); - return; - } - mods[i]->mod_op = modop; - mods[i]->mod_values = NULL; - mods[i]->mod_type = strdup(attribute); - mods[i + 1] = NULL; - } - - if (value != NULL) - { - char *utf8_value = NULL; - - j = 0; - if (mods[i]->mod_values != NULL) { - for (; mods[i]->mod_values[j] != NULL; j++); - } - mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values, - (j + 2) * sizeof (char *)); - - if (mods[i]->mod_values == NULL) { - DEBUG (0, ("make_a_mod: Memory allocation failure!\n")); - return; - } - - if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) { - DEBUG (0, ("make_a_mod: String conversion failure!\n")); - return; - } - - mods[i]->mod_values[j] = utf8_value; - - mods[i]->mod_values[j + 1] = NULL; - } - *modlist = mods; -} - /********************************************************************** Set attribute to newval in LDAP, regardless of what value the attribute had in LDAP before. @@ -938,7 +851,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing, the old value, should it exist. */ if ((newval != NULL) && (strlen(newval) > 0)) { - make_a_mod(mods, LDAP_MOD_ADD, attribute, newval); + ldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval); } if (values == NULL) { @@ -953,7 +866,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing, deny the complete operation if somebody changed the attribute behind our back. */ - make_a_mod(mods, LDAP_MOD_DELETE, attribute, values[0]); + ldap_set_mod(mods, LDAP_MOD_DELETE, attribute, values[0]); ldap_value_free(values); } @@ -1009,7 +922,7 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state, { if (StrCaseCmp(*attrib, name) == 0) { DEBUG(10, ("deleting attribute %s\n", name)); - make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL); + ldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL); } } @@ -1020,10 +933,10 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state, ber_free(ptr, 0); } - make_a_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass); + ldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass); rc = ldapsam_modify(ldap_state, dn, mods); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); if (rc != LDAP_SUCCESS) { char *ld_error = NULL; @@ -1209,12 +1122,11 @@ static uint32 search_next_allocated_rid(struct ldapsam_privates *ldap_state, int static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state) { pstring tmp; - pstring filter; + pstring filter, dn; LDAPMod **mods = NULL; int rc; int ldap_op; LDAPMessage *result = NULL; - char *dn = NULL; int num_result; char **attr_list; @@ -1254,29 +1166,26 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state) /* Check if we need to add an entry */ DEBUG(3,("Adding new domain\n")); ldap_op = LDAP_MOD_ADD; - asprintf (&dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), + snprintf(dn, sizeof(dn), "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), ldap_state->domain_name, lp_ldap_suffix()); /* Free original search */ ldap_msgfree(result); - if (!dn) - return NT_STATUS_NO_MEMORY; - /* make the changes - the entry *must* not already have samba attributes */ - make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), + ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), ldap_state->domain_name); sid_to_string(tmp, &ldap_state->domain_sid); - make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), tmp); + ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), tmp); snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_user_rid); - make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), tmp); + ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), tmp); snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_group_rid); - make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), tmp); + ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), tmp); - make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO); + ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO); switch(ldap_op) { @@ -1302,12 +1211,12 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state) ld_error?ld_error:"unknown")); SAFE_FREE(ld_error); - ldap_mods_free(mods,1); + ldap_mods_free(mods, True); return NT_STATUS_UNSUCCESSFUL; } DEBUG(2,("added: domain = %s in the LDAP database\n", ldap_state->domain_name)); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); return NT_STATUS_OK; } @@ -1487,20 +1396,20 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), domain_sid_string)) { - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); ldap_memfree(dn); ldap_msgfree(result); return ret; } if (!string_to_sid(&dom_sid, domain_sid_string)) { - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); ldap_memfree(dn); ldap_msgfree(result); return ret; } - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); mods = NULL; ldap_memfree(dn); ldap_msgfree(result); @@ -1523,7 +1432,7 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri DEBUG(2, ("Failed to modify rid: %s\n", ld_error)); SAFE_FREE(ld_error); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); mods = NULL; ldap_memfree(dn); @@ -1989,13 +1898,13 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, "finding next available NUA RID failed, " "cannot store!\n", pdb_get_username(sampass))); - ldap_mods_free(*mods, 1); + ldap_mods_free(*mods, True); return False; } } else { DEBUG(0, ("NO user RID specified on account %s, " "cannot store!\n", pdb_get_username(sampass))); - ldap_mods_free(*mods, 1); + ldap_mods_free(*mods, True); return False; } @@ -2005,7 +1914,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) { DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n", pdb_get_username(sampass))); - ldap_mods_free(*mods, 1); + ldap_mods_free(*mods, True); return False; } } @@ -2414,7 +2323,7 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, switch(ldap_op) { case LDAP_MOD_ADD: - make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT); + ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT); rc = ldapsam_add(ldap_state, dn, mods); break; case LDAP_MOD_REPLACE: @@ -2605,12 +2514,12 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A if (mods == NULL) { DEBUG(4,("mods is empty: nothing to update for user: %s\n", pdb_get_username(newpwd))); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); return NT_STATUS_OK; } ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed); - ldap_mods_free(mods,1); + ldap_mods_free(mods,True); if (!NT_STATUS_IS_OK(ret)) { char *ld_error = NULL; @@ -2741,10 +2650,10 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBAACCOUNT: - make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT); + ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT); break; case SCHEMAVER_SAMBASAMACCOUNT: - make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT); + ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT); break; default: DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n")); @@ -2755,12 +2664,12 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO if (NT_STATUS_IS_ERR(ret)) { DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n", pdb_get_username(newpwd),dn)); - ldap_mods_free(mods,1); + ldap_mods_free(mods, True); return ret; } DEBUG(2,("added: uid == %s in the LDAP database\n", pdb_get_username(newpwd))); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); return NT_STATUS_OK; } @@ -2804,7 +2713,7 @@ static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state, attr_list = get_attr_list(groupmap_attr_list); - rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, + rc = ldapsam_search(ldap_state, lp_ldap_group_suffix (), scope, filter, attr_list, 0, result); free_attr_list( attr_list ); @@ -2816,7 +2725,7 @@ static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state, "Problem during the LDAP search: LDAP error: %s (%s)", ld_error?ld_error:"(unknown)", ldap_err2string(rc))); DEBUG(3, ("ldapsam_search_one_group: Query was: %s, %s\n", - lp_ldap_suffix(), filter)); + lp_ldap_group_suffix(), filter)); SAFE_FREE(ld_error); } @@ -3093,7 +3002,7 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, if (!init_ldap_from_group(ldap_state->ldap_struct, result, &mods, map)) { DEBUG(0, ("init_ldap_from_group failed!\n")); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); ldap_msgfree(result); return NT_STATUS_UNSUCCESSFUL; } @@ -3105,11 +3014,10 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, return NT_STATUS_UNSUCCESSFUL; } - make_a_mod(&mods, LDAP_MOD_ADD, "objectClass", - "sambaGroupMapping"); + ldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP ); rc = ldapsam_modify(ldap_state, dn, mods); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); if (rc != LDAP_SUCCESS) { char *ld_error = NULL; @@ -3170,7 +3078,7 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods, rc = ldapsam_modify(ldap_state, dn, mods); - ldap_mods_free(mods, 1); + ldap_mods_free(mods, True); if (rc != LDAP_SUCCESS) { char *ld_error = NULL; @@ -3230,14 +3138,14 @@ static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update) snprintf( filter, sizeof(filter)-1, "(objectclass=%s)", LDAP_OBJ_GROUPMAP); attr_list = get_attr_list( groupmap_attr_list ); - rc = ldapsam_search(ldap_state, lp_ldap_suffix(), + rc = ldapsam_search(ldap_state, lp_ldap_group_suffix(), LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &ldap_state->result); free_attr_list( attr_list ); if (rc != LDAP_SUCCESS) { DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc))); - DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter)); + DEBUG(3, ("Query was: %s, %s\n", lp_ldap_group_suffix(), filter)); ldap_msgfree(ldap_state->result); ldap_state->result = NULL; return NT_STATUS_UNSUCCESSFUL; diff --git a/source3/sam/idmap.c b/source3/sam/idmap.c index 62377a9228..d031c49e25 100644 --- a/source3/sam/idmap.c +++ b/source3/sam/idmap.c @@ -105,19 +105,30 @@ BOOL idmap_init(void) return False; } - if (NT_STATUS_IS_ERR(local_map->init())) { + if (NT_STATUS_IS_ERR(local_map->init( NULL ))) { DEBUG(0, ("idmap_init: could not load or create local backend!\n")); return False; } } if (!remote_map && remote_backend && *remote_backend != 0) { + fstring params = ""; + char *pparams; + + /* get any mode parameters passed in */ + + if ( (pparams = strchr( remote_backend, ':' )) != NULL ) { + pparams = '\0'; + pparams++; + fstrcpy( params, pparams ); + } + DEBUG(3, ("idmap_init: using '%s' as remote backend\n", remote_backend)); if((remote_map = get_methods(remote_backend)) || (NT_STATUS_IS_OK(smb_probe_module("idmap", remote_backend)) && (remote_map = get_methods(remote_backend)))) { - remote_map->init(); + remote_map->init(params); } else { DEBUG(0, ("idmap_init: could not load remote backend '%s'\n", remote_backend)); return False; diff --git a/source3/sam/idmap_ldap.c b/source3/sam/idmap_ldap.c index 352b998cef..379f7729ab 100644 --- a/source3/sam/idmap_ldap.c +++ b/source3/sam/idmap_ldap.c @@ -34,11 +34,14 @@ #include "smbldap.h" +#define IDMAP_GROUP_SUFFIX "ou=idmap group" +#define IDMAP_USER_SUFFIX "ou=idmap people" + struct ldap_idmap_state { LDAP *ldap_struct; time_t last_ping; - const char *uri; + char *uri; char *bind_dn; char *bind_secret; unsigned int num_failures; @@ -505,13 +508,13 @@ static NTSTATUS ldap_allocate_id(unid_t *id, int id_type) LDAPMessage *result = 0; LDAPMessage *entry = 0; pstring id_str, new_id_str; - LDAPMod mod[2]; - LDAPMod *mods[3]; + LDAPMod **mods = NULL; const char *type; - char *val[4]; char *dn; char **attr_list; pstring filter; + uid_t luid, huid; + gid_t lgid, hgid; type = (id_type & ID_USERID) ? @@ -522,7 +525,7 @@ static NTSTATUS ldap_allocate_id(unid_t *id, int id_type) attr_list = get_attr_list( idpool_attr_list ); - rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), + rc = ldap_idmap_search(&ldap_state, lp_ldap_idmap_suffix(), LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result); free_attr_list( attr_list ); @@ -546,38 +549,40 @@ static NTSTATUS ldap_allocate_id(unid_t *id, int id_type) type)); goto out; } + + /* this must succeed or else we wouldn't have initialized */ + + lp_idmap_uid( &luid, &huid); + lp_idmap_gid( &lgid, &hgid); - if (id_type & ID_USERID) + /* make sure we still have room to grow */ + + if (id_type & ID_USERID) { id->uid = strtoul(id_str, NULL, 10); - else + if (id->uid > huid ) { + DEBUG(0,("ldap_allocate_id: Cannot allocate uid above %d!\n", huid)); + goto out; + } + } + else { id->gid = strtoul(id_str, NULL, 10); + if (id->gid > hgid ) { + DEBUG(0,("ldap_allocate_id: Cannot allocate gid above %d!\n", hgid)); + goto out; + } + } - - mod[0].mod_op = LDAP_MOD_DELETE; - mod[0].mod_type = strdup(type); - val[0] = id_str; - val[1] = NULL; - mod[0].mod_values = val; - snprintf(new_id_str, sizeof(new_id_str), "%u", ((id_type & ID_USERID) ? id->uid : id->gid) + 1); - mod[1].mod_op = LDAP_MOD_ADD; - mod[1].mod_type = strdup(type); - val[2] = new_id_str; - val[3] = NULL; - mod[1].mod_values = val + 2; - - mods[0] = mod; \ - mods[1] = mod + 1; - mods[2] = NULL; + + ldap_set_mod( &mods, LDAP_MOD_DELETE, type, id_str ); + ldap_set_mod( &mods, LDAP_MOD_ADD, type, new_id_str ); rc = ldap_modify_s(ldap_state.ldap_struct, dn, mods); ldap_memfree(dn); + ldap_mods_free( mods, True ); - SAFE_FREE( mod[0].mod_type ); - SAFE_FREE( mod[1].mod_type ); - if (rc != LDAP_SUCCESS) { DEBUG(0,("ldap_allocate_id: Failed to allocate new %s. ldap_modify() failed.\n", type)); @@ -599,29 +604,30 @@ static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type) LDAPMessage *entry = 0; pstring sid_str; pstring filter; + pstring suffix; const char *type; int rc; int count; NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; char **attr_list; - type = (id_type & ID_USERID) ? - get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER ) : - get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER ); - /* first we try for a samba user or group mapping */ if ( id_type & ID_USERID ) { + type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER ); snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%u))", LDAP_OBJ_SAMBASAMACCOUNT, type, id.uid ); + pstrcpy( suffix, lp_ldap_suffix()); } else { + type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER ); snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%u))", LDAP_OBJ_GROUPMAP, type, id.gid ); + pstrcpy( suffix, lp_ldap_group_suffix() ); } attr_list = get_attr_list( sidmap_attr_list ); - rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE, + rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result); if (rc != LDAP_SUCCESS) @@ -635,9 +641,19 @@ static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type) if (count == 0) { snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%u))", LDAP_OBJ_IDMAP_ENTRY, type, ((id_type & ID_USERID) ? id.uid : id.gid)); - - rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), - LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result); + +#if 0 /* commented out for now -- jerry */ + if ( id_type & ID_USERID ) + snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_USER_SUFFIX, lp_ldap_idmap_suffix() ); + else + snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_GROUP_SUFFIX, lp_ldap_idmap_suffix() ); +#else + pstrcpy( suffix, lp_ldap_idmap_suffix() ); +#endif + + rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE, + filter, attr_list, 0, &result); + if (rc != LDAP_SUCCESS) goto out; @@ -676,6 +692,7 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si pstring sid_str; pstring filter; pstring id_str; + pstring suffix; const char *type; const char *obj_class; int rc; @@ -688,10 +705,12 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si if ( *id_type & ID_USERID ) { type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER ); obj_class = LDAP_OBJ_SAMBASAMACCOUNT; + pstrcpy( suffix, lp_ldap_suffix() ); } else { type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER ); obj_class = LDAP_OBJ_GROUPMAP; + pstrcpy( suffix, lp_ldap_group_suffix() ); } sid_to_string(sid_str, sid); @@ -699,7 +718,7 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si LDAP_ATTRIBUTE_SID, sid_str); attr_list = get_attr_list( sidmap_attr_list ); - rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE, + rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result); if (rc != LDAP_SUCCESS) @@ -714,8 +733,17 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%s))", LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_SID, sid_str); - rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), - LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result); +#if 0 /* commented out for now -- jerry */ + if ( *id_type & ID_USERID ) + snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_USER_SUFFIX, lp_ldap_idmap_suffix() ); + else + snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_GROUP_SUFFIX, lp_ldap_idmap_suffix() ); +#else + pstrcpy( suffix, lp_ldap_idmap_suffix() ); +#endif + + rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE, + filter, attr_list, 0, &result); if (rc != LDAP_SUCCESS) goto out; @@ -777,10 +805,8 @@ out: static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) { pstring dn, sid_str, id_str; - fstring type, obj_str, obj_str_val, attr_sid; - LDAPMod *mods[4]; - LDAPMod mod[3]; - char *val[6]; + fstring type; + LDAPMod **mods = NULL; int rc; int attempts = 0; @@ -789,43 +815,24 @@ static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) else fstrcpy( type, get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER ) ); - snprintf(dn, sizeof(dn), "%s=%u,%s", type, ((id_type & ID_USERID) ? id.uid : id.gid), - lp_ldap_suffix()); - - fstrcpy( obj_str, "objectClass" ); - fstrcpy( obj_str_val, LDAP_OBJ_IDMAP_ENTRY ); - fstrcpy( attr_sid, LDAP_ATTRIBUTE_SID ); - - /* objectClass */ - - mod[0].mod_op = LDAP_MOD_ADD; - mod[0].mod_type = obj_str; - val[0] = obj_str_val; - val[1] = NULL; - mod[0].mod_values = val; +#if 0 + snprintf(dn, sizeof(dn), "%s=%u,%s,%s", type, + ((id_type & ID_USERID) ? id.uid : id.gid), + ((id_type & ID_USERID) ? IDMAP_USER_SUFFIX : IDMAP_GROUP_SUFFIX ), + lp_ldap_idmap_suffix()); +#else + snprintf(dn, sizeof(dn), "%s=%u,%s", type, + ((id_type & ID_USERID) ? id.uid : id.gid), + lp_ldap_idmap_suffix()); +#endif - /* uid or gid */ - snprintf(id_str, sizeof(id_str), "%u", ((id_type & ID_USERID) ? id.uid : id.gid)); - mod[1].mod_op = LDAP_MOD_ADD; - mod[1].mod_type = type; - val[2] = id_str; - val[3] = NULL; - mod[1].mod_values = val+2; - - /* SID */ + sid_to_string( sid_str, sid ); - sid_to_string(sid_str, sid); - mod[2].mod_op = LDAP_MOD_ADD; - mod[2].mod_type = attr_sid; - val[4] = sid_str; - val[5] = NULL; - mod[2].mod_values = val+4; - - mods[0] = mod; - mods[1] = mod + 1; - mods[2] = mod + 2; - mods[3] = NULL; + ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY ); + ldap_set_mod( &mods, LDAP_MOD_ADD, type, id_str ); + ldap_set_mod( &mods, LDAP_MOD_ADD, + get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), sid_str ); do { if ((rc = ldap_idmap_retry_open(&ldap_state, &attempts)) != LDAP_SUCCESS) @@ -833,7 +840,8 @@ static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) rc = ldap_add_s(ldap_state.ldap_struct, dn, mods); } while ((rc == LDAP_SERVER_DOWN) && (attempts <= 8)); - + + ldap_mods_free( mods, True ); if (rc != LDAP_SUCCESS) { DEBUG(0,("ldap_set_mapping: Failed to create mapping from %s to %d [%s]\n", @@ -850,11 +858,92 @@ static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) /***************************************************************************** Initialise idmap database. *****************************************************************************/ -static NTSTATUS ldap_idmap_init(void) +static NTSTATUS ldap_idmap_init( char *params ) { - /* We wait for the first search request before we try to connect to - the LDAP server. We may want to connect upon initialization though - -- aliguori */ + fstring filter; +#if 0 + pstring dn; +#endif + int rc; + char **attr_list; + LDAPMessage *result = NULL; + LDAPMod **mods = NULL; + int count; + + /* parse out the server (assuming only parameter is a URI) */ + + if ( params ) + ldap_state.uri = smb_xstrdup( params ); + else + ldap_state.uri = smb_xstrdup( "ldap://localhost/" ); + + /* see if the idmap suffix and sub entries exists */ + + snprintf( filter, sizeof(filter), "(objectclass=%s)", LDAP_OBJ_IDPOOL ); + + attr_list = get_attr_list( idpool_attr_list ); + rc = ldap_idmap_search(&ldap_state, lp_ldap_idmap_suffix(), + LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result); + free_attr_list ( attr_list ); + + if (rc != LDAP_SUCCESS) + return NT_STATUS_UNSUCCESSFUL; + + count = ldap_count_entries(ldap_state.ldap_struct, result); + + if ( count > 1 ) { + DEBUG(0,("ldap_idmap_init: multiple entries returned from %s (base == %s)\n", + filter, lp_ldap_idmap_suffix() )); + return NT_STATUS_UNSUCCESSFUL; + } + else if (count == 0) { + uid_t luid, huid; + gid_t lgid, hgid; + fstring uid_str, gid_str; + int attempts = 0; + + if ( !lp_idmap_uid(&luid, &huid) || !lp_idmap_gid( &lgid, &hgid ) ) { + DEBUG(0,("ldap_idmap_init: idmap uid/gid parameters not specified\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + snprintf( uid_str, sizeof(uid_str), "%d", luid ); + snprintf( gid_str, sizeof(gid_str), "%d", lgid ); + + ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDPOOL ); + ldap_set_mod( &mods, LDAP_MOD_ADD, + get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER), uid_str ); + ldap_set_mod( &mods, LDAP_MOD_ADD, + get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER), gid_str ); + + do { + if ((rc = ldap_idmap_retry_open(&ldap_state, &attempts)) != LDAP_SUCCESS) + continue; + + rc = ldap_modify_s(ldap_state.ldap_struct, lp_ldap_idmap_suffix(), mods); + } while ((rc == LDAP_SERVER_DOWN) && (attempts <= 8)); + } + + /* we have the initial entry now; let's create the sub entries */ + /* if they already exist then this will fail, but we don't care */ + +#if 0 /* commenting out for now, but I will come back to this --jerry */ + + mods = NULL; + snprintf( dn, sizeof(dn), "%s,%s", IDMAP_USER_SUFFIX, lp_ldap_idmap_suffix() ); + ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_OU ); + ldap_set_mod( &mods, LDAP_MOD_ADD, "ou", "idmap people" ); + ldap_add_s(ldap_state.ldap_struct, dn, mods); + ldap_mods_free( mods, True ); + + mods = NULL; + snprintf( dn, sizeof(dn), "%s,%s", IDMAP_GROUP_SUFFIX, lp_ldap_idmap_suffix() ); + ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_OU ); + ldap_set_mod( &mods, LDAP_MOD_ADD, "ou", "idmap group" ); + ldap_add_s(ldap_state.ldap_struct, dn, mods); + ldap_mods_free( mods, True ); +#endif + return NT_STATUS_OK; } @@ -868,6 +957,10 @@ static NTSTATUS ldap_idmap_close(void) ldap_unbind_ext(ldap_state.ldap_struct, NULL, NULL); ldap_state.ldap_struct = NULL; } + + SAFE_FREE( ldap_state.uri ); + SAFE_FREE( ldap_state.bind_dn ); + SAFE_FREE( ldap_state.bind_secret ); DEBUG(5,("The connection to the LDAP server was closed\n")); /* maybe free the results here --metze */ diff --git a/source3/sam/idmap_tdb.c b/source3/sam/idmap_tdb.c index 3098184c82..278269e819 100644 --- a/source3/sam/idmap_tdb.c +++ b/source3/sam/idmap_tdb.c @@ -263,7 +263,7 @@ static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, int id_type) /***************************************************************************** Initialise idmap database. *****************************************************************************/ -static NTSTATUS db_idmap_init(void) +static NTSTATUS db_idmap_init( char *params ) { SMB_STRUCT_STAT stbuf; char *tdbfile = NULL; diff --git a/source3/sam/idmap_winbind.c b/source3/sam/idmap_winbind.c index bff870b8fc..d15d8f20a1 100644 --- a/source3/sam/idmap_winbind.c +++ b/source3/sam/idmap_winbind.c @@ -122,7 +122,7 @@ static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, int id_type) { /***************************************************************************** Initialise idmap database. *****************************************************************************/ -static NTSTATUS db_init(void) { +static NTSTATUS db_init( char *params ) { return NT_STATUS_OK; } |