summaryrefslogtreecommitdiff
path: root/source3/sam/idmap_ldap.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/sam/idmap_ldap.c')
-rw-r--r--source3/sam/idmap_ldap.c838
1 files changed, 838 insertions, 0 deletions
diff --git a/source3/sam/idmap_ldap.c b/source3/sam/idmap_ldap.c
new file mode 100644
index 0000000000..33cf5fb030
--- /dev/null
+++ b/source3/sam/idmap_ldap.c
@@ -0,0 +1,838 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap LDAP backend
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Anthony Liguori 2003
+ Copyright (C) Simo Sorce 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+
+#include <lber.h>
+#include <ldap.h>
+
+struct ldap_idmap_state {
+ LDAP *ldap_struct;
+ time_t last_ping;
+ const char *uri;
+ char *bind_dn;
+ char *bind_secret;
+ unsigned int num_failures;
+ struct ldap_idmap_state *prev, *next;
+};
+
+#define LDAP_IDMAP_DONT_PING_TIME 10 /* ping only all 10 seconds */
+#define LDAP_MAX_ALLOC_ID 128 /* number tries while allocating
+ new id */
+
+static struct ldap_idmap_state ldap_state;
+
+static int ldap_idmap_connect_system(struct ldap_idmap_state *state);
+static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type);
+static NTSTATUS ldap_idmap_close(void);
+
+
+/*******************************************************************
+ find the ldap password
+******************************************************************/
+static BOOL fetch_ldapsam_pw(char **dn, char** pw)
+{
+ char *key = NULL;
+ size_t size;
+
+ *dn = smb_xstrdup(lp_ldap_admin_dn());
+
+ if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, *dn) < 0) {
+ SAFE_FREE(*dn);
+ DEBUG(0, ("fetch_ldapsam_pw: asprintf failed!\n"));
+ }
+
+ *pw=secrets_fetch(key, &size);
+ SAFE_FREE(key);
+
+ if (!size) {
+ /* Upgrade 2.2 style entry */
+ char *p;
+ char* old_style_key = strdup(*dn);
+ char *data;
+ fstring old_style_pw;
+
+ if (!old_style_key) {
+ DEBUG(0, ("fetch_ldapsam_pw: strdup failed!\n"));
+ return False;
+ }
+
+ for (p=old_style_key; *p; p++)
+ if (*p == ',') *p = '/';
+
+ data=secrets_fetch(old_style_key, &size);
+ if (!size && size < sizeof(old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+
+ strncpy(old_style_pw, data, size);
+ old_style_pw[size] = 0;
+
+ SAFE_FREE(data);
+
+ if (!secrets_store_ldap_pw(*dn, old_style_pw)) {
+ DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
+ SAFE_FREE(old_style_key);
+ SAFE_FREE(*dn);
+ return False;
+ }
+ if (!secrets_delete(old_style_key)) {
+ DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
+ }
+
+ SAFE_FREE(old_style_key);
+
+ *pw = smb_xstrdup(old_style_pw);
+ }
+
+ return True;
+}
+
+/*******************************************************************
+ open a connection to the ldap server.
+******************************************************************/
+static int ldap_idmap_open_connection(struct ldap_idmap_state *state)
+{
+ int rc = LDAP_SUCCESS;
+ int version;
+ BOOL ldap_v3 = False;
+
+#ifdef HAVE_LDAP_INITIALIZE
+ DEBUG(10, ("ldap_idmap_open_connection: %s\n", state->uri));
+
+ if ((rc = ldap_initialize(&state->ldap_struct, state->uri))
+ != LDAP_SUCCESS) {
+ DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+ return rc;
+ }
+#else
+ /* Parse the string manually */
+ {
+ int port = 0;
+ fstring protocol;
+ fstring host;
+ const char *p = state->uri;
+ SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+
+ /* skip leading "URL:" (if any) */
+ if ( strncasecmp( p, "URL:", 4 ) == 0 ) {
+ p += 4;
+ }
+
+ sscanf(p, "%10[^:]://%254s[^:]:%d", protocol, host, &port);
+
+ if (port == 0) {
+ if (strequal(protocol, "ldap")) {
+ port = LDAP_PORT;
+ } else if (strequal(protocol, "ldaps")) {
+ port = LDAPS_PORT;
+ } else {
+ DEBUG(0, ("unrecognised protocol (%s)!\n",
+ protocol));
+ }
+ }
+
+ if ((state->ldap_struct = ldap_init(host, port)) == NULL) {
+ DEBUG(0, ("ldap_init failed !\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if (strequal(protocol, "ldaps")) {
+#ifdef LDAP_OPT_X_TLS
+ int tls = LDAP_OPT_X_TLS_HARD;
+ if (ldap_set_option (state->ldap_struct,
+ LDAP_OPT_X_TLS, &tls) !=
+ LDAP_SUCCESS)
+ {
+ DEBUG(0, ("Failed to setup a TLS session\n"));
+ }
+
+ DEBUG(3,("LDAPS option set...!\n"));
+#else
+ DEBUG(0,("ldap_idmap_open_connection: Secure "
+ "connection not supported by LDAP client "
+ "libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+ }
+#endif
+
+ if (ldap_get_option(state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION,
+ &version) == LDAP_OPT_SUCCESS) {
+ if (version != LDAP_VERSION3) {
+ version = LDAP_VERSION3;
+ if (ldap_set_option(state->ldap_struct,
+ LDAP_OPT_PROTOCOL_VERSION,
+ &version) == LDAP_OPT_SUCCESS) {
+ ldap_v3 = True;
+ }
+ } else {
+ ldap_v3 = True;
+ }
+ }
+
+ if (lp_ldap_ssl() == LDAP_SSL_START_TLS) {
+#ifdef LDAP_OPT_X_TLS
+ if (ldap_v3) {
+ if ((rc = ldap_start_tls_s(state->ldap_struct, NULL,
+ NULL)) != LDAP_SUCCESS) {
+ DEBUG(0,("Failed to issue the StartTLS "
+ "instruction: %s\n",
+ ldap_err2string(rc)));
+ return rc;
+ }
+ DEBUG (3, ("StartTLS issued: using a TLS "
+ "connection\n"));
+ } else {
+
+ DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+#else
+ DEBUG(0,("ldap_idmap_open_connection: StartTLS not supported by "
+ "LDAP client libraries!\n"));
+ return LDAP_OPERATIONS_ERROR;
+#endif
+ }
+
+ DEBUG(2, ("ldap_idmap_open_connection: connection opened\n"));
+ return rc;
+}
+
+/**********************************************************************
+Connect to LDAP server
+*********************************************************************/
+static int ldap_idmap_open(struct ldap_idmap_state *state)
+{
+ int rc;
+ SMB_ASSERT(state);
+
+#ifndef NO_LDAP_SECURITY
+ if (geteuid() != 0) {
+ DEBUG(0,
+ ("ldap_idmap_open: cannot access LDAP when not root\n"));
+ return LDAP_INSUFFICIENT_ACCESS;
+ }
+#endif
+
+ if ((state->ldap_struct != NULL) &&
+ ((state->last_ping + LDAP_IDMAP_DONT_PING_TIME)<time(NULL))) {
+ struct sockaddr_un addr;
+ socklen_t len = sizeof(addr);
+ int sd;
+
+ if (!ldap_get_option(state->ldap_struct, LDAP_OPT_DESC, &sd)&&
+ getpeername(sd, (struct sockaddr *) &addr, &len) < 0) {
+ /* the other end has died. reopen. */
+ ldap_unbind_ext(state->ldap_struct, NULL, NULL);
+ state->ldap_struct = NULL;
+ state->last_ping = (time_t)0;
+ } else {
+ state->last_ping = time(NULL);
+ }
+ }
+
+ if (state->ldap_struct != NULL) {
+ DEBUG(5,("ldap_idmap_open: already connected to the LDAP "
+ "server\n"));
+ return LDAP_SUCCESS;
+ }
+
+ if ((rc = ldap_idmap_open_connection(state))) {
+ return rc;
+ }
+
+ if ((rc = ldap_idmap_connect_system(state))) {
+ ldap_unbind_ext(state->ldap_struct, NULL, NULL);
+ state->ldap_struct = NULL;
+ return rc;
+ }
+
+
+ state->last_ping = time(NULL);
+ DEBUG(4,("The LDAP server is succesful connected\n"));
+
+ return LDAP_SUCCESS;
+}
+
+static int ldap_idmap_retry_open(struct ldap_idmap_state *state, int *attempts)
+{
+ int rc;
+
+ SMB_ASSERT(state && attempts);
+
+ if (*attempts != 0) {
+ unsigned int sleep_time;
+ uint8 rand_byte = 128; /* a reasonable place to start */
+
+ generate_random_buffer(&rand_byte, 1, False);
+
+ sleep_time = (((*attempts)*(*attempts))/2)*rand_byte*2;
+ /* we retry after (0.5, 1, 2, 3, 4.5, 6) seconds
+ on average.
+ */
+ DEBUG(3, ("Sleeping for %u milliseconds before reconnecting\n",
+ sleep_time));
+ msleep(sleep_time);
+ }
+ (*attempts)++;
+
+ if ((rc = ldap_idmap_open(state))) {
+ DEBUG(1,("Connection to LDAP Server failed for the %d try!\n",
+ *attempts));
+ return rc;
+ }
+
+ return LDAP_SUCCESS;
+}
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+static int rebindproc_with_state (LDAP * ld, char **whop, char **credp,
+ int *methodp, int freeit, void *arg)
+{
+ struct ldap_idmap_state *state = arg;
+
+ /** @TODO Should we be doing something to check what servers we rebind
+ to? Could we get a referral to a machine that we don't want to
+ give our username and password to? */
+
+ if (freeit) {
+ SAFE_FREE(*whop);
+ memset(*credp, '\0', strlen(*credp));
+ SAFE_FREE(*credp);
+ } else {
+ DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n",
+ state->bind_dn));
+
+ *whop = strdup(state->bind_dn);
+ if (!*whop) {
+ return LDAP_NO_MEMORY;
+ }
+ *credp = strdup(state->bind_secret);
+ if (!*credp) {
+ SAFE_FREE(*whop);
+ return LDAP_NO_MEMORY;
+ }
+ *methodp = LDAP_AUTH_SIMPLE;
+ }
+ return 0;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+ and actually does the connection.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int rebindproc_connect_with_state (LDAP *ldap_struct,
+ LDAP_CONST char *url,
+ ber_tag_t request,
+ ber_int_t msgid, void *arg)
+{
+ struct ldap_idmap_state *state = arg;
+ int rc;
+ DEBUG(5,("rebindproc_connect_with_state: Rebinding as \"%s\"\n",
+ state->bind_dn));
+
+ /** @TODO Should we be doing something to check what servers we rebind
+ to? Could we get a referral to a machine that we don't want to
+ give our username and password to? */
+
+ rc = ldap_simple_bind_s(ldap_struct, state->bind_dn,
+ state->bind_secret);
+
+ return rc;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ Add a rebind function for authenticated referrals
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
+ int *method, int freeit )
+{
+ return rebindproc_with_state(ldap_struct, whop, credp,
+ method, freeit, &ldap_state);
+
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ this also does the connection, but no void*.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
+ ber_int_t msgid)
+{
+ return rebindproc_connect_with_state(ld, url, (ber_tag_t)request,
+ msgid, &ldap_state);
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ connect to the ldap server under system privilege.
+******************************************************************/
+static int ldap_idmap_connect_system(struct ldap_idmap_state *state)
+{
+ int rc;
+ char *ldap_dn;
+ char *ldap_secret;
+
+ /* get the password */
+ if (!fetch_ldapsam_pw(&ldap_dn, &ldap_secret))
+ {
+ DEBUG(0, ("ldap_idmap_connect_system: Failed to retrieve "
+ "password from secrets.tdb\n"));
+ return LDAP_INVALID_CREDENTIALS;
+ }
+
+ state->bind_dn = ldap_dn;
+ state->bind_secret = ldap_secret;
+
+ /* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
+ (OpenLDAP) doesnt' seem to support it */
+
+ DEBUG(10,("ldap_idmap_connect_system: Binding to ldap server %s as "
+ "\"%s\"\n", state->uri, ldap_dn));
+
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(state->ldap_struct, &rebindproc_connect);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(state->ldap_struct,
+ &rebindproc_connect_with_state, (void *)state);
+# endif
+#else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+ ldap_set_rebind_proc(state->ldap_struct, &rebindproc);
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3
+ ldap_set_rebind_proc(state->ldap_struct, &rebindproc_with_state,
+ (void *)state);
+# endif
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+ rc = ldap_simple_bind_s(state->ldap_struct, ldap_dn, ldap_secret);
+
+ if (rc != LDAP_SUCCESS) {
+ char *ld_error = NULL;
+ ldap_get_option(state->ldap_struct, LDAP_OPT_ERROR_STRING,
+ &ld_error);
+ DEBUG(state->num_failures ? 2 : 0,
+ ("failed to bind to server with dn= %s Error: "
+ "%s\n\t%s\n",
+ ldap_dn ? ld_error : "(unknown)",
+ ldap_err2string(rc), ld_error));
+ SAFE_FREE(ld_error);
+ state->num_failures++;
+ return rc;
+ }
+
+ state->num_failures = 0;
+
+ DEBUG(3, ("ldap_idmap_connect_system: succesful connection to the "
+ "LDAP server\n"));
+ return rc;
+}
+
+static int ldap_idmap_search(struct ldap_idmap_state *state,
+ const char *base, int scope, const char *filter,
+ const char *attrs[], int attrsonly,
+ LDAPMessage **res)
+{
+ int rc = LDAP_SERVER_DOWN;
+ int attempts = 0;
+ char *utf8_filter;
+
+ SMB_ASSERT(state);
+
+ if (push_utf8_allocate(&utf8_filter, filter) == (size_t)-1) {
+ return LDAP_NO_MEMORY;
+ }
+
+ while ((rc == LDAP_SERVER_DOWN) && (attempts < 8)) {
+ if ((rc = ldap_idmap_retry_open(state, &attempts)) !=
+ LDAP_SUCCESS) continue;
+
+ rc = ldap_search_s(state->ldap_struct, base, scope,
+ utf8_filter, (char**)attrs, attrsonly, res);
+ }
+
+ if (rc == LDAP_SERVER_DOWN) {
+ DEBUG(0,("ldap_idmap_search: LDAP server is down!\n"));
+ ldap_idmap_close();
+ }
+
+ SAFE_FREE(utf8_filter);
+ return rc;
+}
+
+/*******************************************************************
+search an attribute and return the first value found.
+******************************************************************/
+static BOOL ldap_idmap_attribute (struct ldap_idmap_state *state,
+ LDAPMessage * entry,
+ const char *attribute, pstring value)
+{
+ char **values;
+ value[0] = '\0';
+
+ if ((values = ldap_get_values (state->ldap_struct, entry, attribute))
+ == NULL) {
+ DEBUG(10,("get_single_attribute: [%s] = [<does not exist>]\n",
+ attribute));
+ return False;
+ }
+ if (convert_string(CH_UTF8, CH_UNIX,
+ values[0], -1,
+ value, sizeof(pstring)) == (size_t)-1)
+ {
+ DEBUG(1, ("ldap_idmap_attribute: string conversion of [%s] = "
+ "[%s] failed!\n", attribute, values[0]));
+ ldap_value_free(values);
+ return False;
+ }
+ ldap_value_free(values);
+
+ return True;
+}
+
+static const char *attrs[] = {"objectClass", "uidNumber", "gidNumber",
+ "ntSid", NULL};
+static const char *pool_attr[] = {"uidNumber", "gidNumber", NULL};
+
+static NTSTATUS ldap_allocate_id(unid_t *id, int id_type)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ int rc = LDAP_SERVER_DOWN;
+ int count = 0;
+ LDAPMessage *result = 0;
+ LDAPMessage *entry = 0;
+ pstring id_str, new_id_str;
+ LDAPMod mod[2];
+ LDAPMod *mods[3];
+ const char *type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber";
+ char *val[4];
+ char *dn;
+
+ rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, "(objectClass=unixIdPool)",
+ pool_attr, 0, &result);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldap_allocate_id: unixIdPool object not found\n"));
+ goto out;
+ }
+
+ count = ldap_count_entries(ldap_state.ldap_struct, result);
+ if (count != 1) {
+ DEBUG(0,("ldap_allocate_id: single unixIdPool not found\n"));
+ goto out;
+ }
+
+ dn = ldap_get_dn(ldap_state.ldap_struct, result);
+ entry = ldap_first_entry(ldap_state.ldap_struct, result);
+
+ if (!ldap_idmap_attribute(&ldap_state, entry, type, id_str)) {
+ DEBUG(0,("ldap_allocate_id: %s attribute not found\n",
+ type));
+ goto out;
+ }
+ if (id_type & ID_USERID) {
+ id->uid = strtoul(id_str, NULL, 10);
+ } else {
+ id->gid = strtoul(id_str, NULL, 10);
+ }
+
+ mod[0].mod_op = LDAP_MOD_DELETE;
+ mod[0].mod_type = strdup(type);
+ val[0] = id_str; val[1] = NULL;
+ mod[0].mod_values = val;
+
+ pstr_sprintf(new_id_str, "%ud",
+ ((id_type & ID_USERID) ? id->uid : id->gid) + 1);
+ mod[1].mod_op = LDAP_MOD_ADD;
+ mod[1].mod_type = strdup(type);
+ val[3] = new_id_str; val[4] = NULL;
+ mod[1].mod_values = val + 2;
+
+ mods[0] = mod; mods[1] = mod + 1; mods[2] = NULL;
+ rc = ldap_modify_s(ldap_state.ldap_struct, dn, mods);
+ ldap_memfree(dn);
+
+ if (rc == LDAP_SUCCESS) ret = NT_STATUS_OK;
+out:
+ return ret;
+}
+
+/* Get a sid from an id */
+static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
+{
+ LDAPMessage *result = 0;
+ LDAPMessage *entry = 0;
+ pstring sid_str;
+ pstring filter;
+ char type = (id_type & ID_USERID) ? 'u' : 'g';
+ int rc;
+ int count;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ pstr_sprintf(filter, "(&(%cidNumber=%ud)(objectClass=sambaAccount))",
+ type, ((id_type & ID_USERID) ? id.uid : id.gid));
+ rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter, attrs, 0,
+ &result);
+ if (rc != LDAP_SUCCESS) {
+ goto out;
+ }
+
+ count = ldap_count_entries(ldap_state.ldap_struct, result);
+ if (count == 0) {
+ pstr_sprintf(filter,
+ "(&(objectClass=idmapEntry)(%cidNumber=%ud))",
+ type, ((id_type & ID_USERID) ? id.uid : id.gid));
+ rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter,
+ attrs, 0, &result);
+ if (rc != LDAP_SUCCESS) {
+ goto out;
+ }
+ count = ldap_count_entries(ldap_state.ldap_struct, result);
+ }
+
+ if (count != 1) {
+ DEBUG(0,("ldap_get_sid_from_id: mapping not found for "
+ "%cid: %ud\n", (id_type&ID_USERID)?'u':'g',
+ ((id_type & ID_USERID) ? id.uid : id.gid)));
+ goto out;
+ }
+
+ entry = ldap_first_entry(ldap_state.ldap_struct, result);
+
+ if (!ldap_idmap_attribute(&ldap_state, entry, "ntSid", sid_str)) {
+ goto out;
+ }
+
+ if (!string_to_sid(sid, sid_str)) {
+ goto out;
+ }
+
+ ret = NT_STATUS_OK;
+out:
+ return ret;
+}
+
+/* Get an id from a sid */
+static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type,
+ const DOM_SID *sid)
+{
+ LDAPMessage *result = 0;
+ LDAPMessage *entry = 0;
+ pstring sid_str;
+ pstring filter;
+ pstring id_str;
+ const char *type = (*id_type & ID_USERID) ? "uidNumber" : "gidNumber";
+ const char *class =
+ (*id_type & ID_USERID) ? "sambaAccount" : "sambaGroupMapping";
+ int rc;
+ int count;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ sid_to_string(sid_str, sid);
+ pstr_sprintf(filter, "(&(objectClass=%s)(ntSid=%s)", class, sid_str);
+ rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter, attrs, 0, &result);
+ if (rc != LDAP_SUCCESS) {
+ goto out;
+ }
+ count = ldap_count_entries(ldap_state.ldap_struct, result);
+ if (count == 0) {
+ pstr_sprintf(filter,
+ "(&(objectClass=idmapEntry)(ntSid=%s))", sid_str);
+
+ rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter,
+ attrs, 0, &result);
+ if (rc != LDAP_SUCCESS) {
+ goto out;
+ }
+ count = ldap_count_entries(ldap_state.ldap_struct, result);
+ }
+
+ /* our search filters may 2 objects in the case that a user and group
+ rid are the same */
+ if (count != 1 && count != 2) {
+ DEBUG(0,
+ ("ldap_get_id_from_sid: incorrect number of objects\n"));
+ goto out;
+ }
+
+ entry = ldap_first_entry(ldap_state.ldap_struct, result);
+ if (!ldap_idmap_attribute(&ldap_state, entry, type, id_str)) {
+ entry = ldap_next_entry(ldap_state.ldap_struct, entry);
+
+ if (!ldap_idmap_attribute(&ldap_state, entry, type, id_str)) {
+ int i;
+
+ for (i = 0; i < LDAP_MAX_ALLOC_ID; i++) {
+ ret = ldap_allocate_id(id, *id_type);
+ if (NT_STATUS_IS_OK(ret)) {
+ break;
+ }
+ }
+ if (NT_STATUS_IS_OK(ret)) {
+ ret = ldap_set_mapping(sid, *id, *id_type);
+ } else {
+ DEBUG(0,("ldap_allocate_id: cannot acquire id"
+ " lock\n"));
+ }
+ } else {
+ if ((*id_type & ID_USERID)) {
+ id->uid = strtoul(id_str, NULL, 10);
+ } else {
+ id->gid = strtoul(id_str, NULL, 10);
+ }
+ ret = NT_STATUS_OK;
+ }
+ } else {
+ if ((*id_type & ID_USERID)) {
+ id->uid = strtoul(id_str, NULL, 10);
+ } else {
+ id->gid = strtoul(id_str, NULL, 10);
+ }
+ ret = NT_STATUS_OK;
+ }
+out:
+ return ret;
+}
+
+/* This function cannot be called to modify a mapping, only set a new one */
+static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
+{
+ pstring dn, sid_str, id_str;
+ const char *type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber";
+ LDAPMod *mods[3];
+ LDAPMod mod[2];
+ char *val[4];
+ int rc;
+ int attempts = 0;
+
+ pstr_sprintf(id_str, "%ud", ((id_type & ID_USERID) ? id.uid : id.gid));
+ sid_to_string(sid_str, sid);
+ pstr_sprintf(dn, "%s=%ud,%s", type, ((id_type & ID_USERID) ? id.uid : id.gid), lp_ldap_suffix());
+ mod[0].mod_op = LDAP_MOD_REPLACE;
+ mod[0].mod_type = strdup(type);
+ val[0] = id_str; val[1] = NULL;
+ mod[0].mod_values = val;
+
+ mod[1].mod_op = LDAP_MOD_REPLACE;
+ mod[1].mod_type = strdup("ntSid");
+ val[2] = sid_str; val[3] = NULL;
+ mod[1].mod_values = val + 2;
+
+ mods[0] = mod; mods[1] = mod + 1; mods[2] = NULL;
+
+ do {
+ if ((rc = ldap_idmap_retry_open(&ldap_state, &attempts)) !=
+ LDAP_SUCCESS) continue;
+
+ rc = ldap_modify_s(ldap_state.ldap_struct, dn, mods);
+ } while ((rc == LDAP_SERVER_DOWN) && (attempts <= 8));
+
+ if (rc != LDAP_SUCCESS) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*****************************************************************************
+ Initialise idmap database.
+*****************************************************************************/
+static NTSTATUS ldap_idmap_init(void)
+{
+ /* We wait for the first search request before we try to connect to
+ the LDAP server. We may want to connect upon initialization though
+ -- aliguori */
+ return NT_STATUS_OK;
+}
+
+/* End the LDAP session */
+static NTSTATUS ldap_idmap_close(void)
+{
+ if (ldap_state.ldap_struct != NULL) {
+ ldap_unbind_ext(ldap_state.ldap_struct, NULL, NULL);
+ ldap_state.ldap_struct = NULL;
+ }
+
+ DEBUG(5,("The connection to the LDAP server was closed\n"));
+ /* maybe free the results here --metze */
+
+ return NT_STATUS_OK;
+}
+
+
+/* This function doesn't make as much sense in an LDAP world since the calling
+ node doesn't really control the ID ranges */
+static void ldap_idmap_status(void)
+{
+ DEBUG(0, ("LDAP IDMAP Status not available\n"));
+}
+
+static struct idmap_methods ldap_methods = {
+ ldap_idmap_init,
+ ldap_get_sid_from_id,
+ ldap_get_id_from_sid,
+ ldap_set_mapping,
+ ldap_idmap_close,
+ ldap_idmap_status
+
+};
+
+NTSTATUS idmap_ldap_init(void)
+{
+ DEBUG(0,("idmap_reg_ldap: no LDAP support\n"));
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &ldap_methods);
+}