summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/nsswitch/winbindd_ads.c174
1 files changed, 75 insertions, 99 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 8391a985fc..f189123d7d 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -609,13 +609,15 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
{
ADS_STATUS rc;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- int count;
LDAPMessage *res = NULL;
ADS_STRUCT *ads;
const char *attrs[] = {"memberOf", NULL};
size_t num_groups = 0;
DOM_SID *group_sids = NULL;
int i;
+ char **strings;
+ size_t num_strings = 0;
+
DEBUG(3,("ads: lookup_usergroups_memberof\n"));
@@ -626,22 +628,16 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
goto done;
}
- rc = ads_search_retry_extended_dn(ads, &res, user_dn, attrs,
- ADS_EXTENDED_DN_HEX_STRING);
-
- if (!ADS_ERR_OK(rc) || !res) {
+ rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
+ ADS_EXTENDED_DN_HEX_STRING,
+ &strings, &num_strings);
+
+ if (!ADS_ERR_OK(rc)) {
DEBUG(1,("lookup_usergroups_memberof ads_search member=%s: %s\n",
user_dn, ads_errstr(rc)));
return ads_ntstatus(rc);
}
- count = ads_count_replies(ads, res);
-
- if (count == 0) {
- status = NT_STATUS_NO_SUCH_USER;
- goto done;
- }
-
*user_sids = NULL;
num_groups = 0;
@@ -651,16 +647,32 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
goto done;
}
- count = ads_pull_sids_from_extendeddn(ads, mem_ctx, res, "memberOf",
- ADS_EXTENDED_DN_HEX_STRING,
- &group_sids);
- if (count == 0) {
+ group_sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, num_strings + 1);
+ if (!group_sids) {
+ TALLOC_FREE(strings);
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ for (i=0; i<num_strings; i++) {
+
+ if (!ads_get_sid_from_extended_dn(mem_ctx, strings[i],
+ ADS_EXTENDED_DN_HEX_STRING,
+ &(group_sids)[i])) {
+ TALLOC_FREE(group_sids);
+ TALLOC_FREE(strings);
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ }
+
+ if (i == 0) {
DEBUG(1,("No memberOf for this user?!?\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
- for (i=0; i<count; i++) {
+ for (i=0; i<num_strings; i++) {
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&group_sids[i])) {
@@ -841,7 +853,6 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
uint32 **name_types)
{
ADS_STATUS rc;
- int count;
LDAPMessage *res=NULL;
ADS_STRUCT *ads = NULL;
char *ldap_exp;
@@ -851,11 +862,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
int i;
size_t num_members;
fstring sid_string;
- BOOL more_values;
- const char **attrs;
- uint32 first_usn;
- uint32 current_usn;
- int num_retries = 0;
+ ads_control args;
DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name,
sid_string_static(group_sid)));
@@ -886,77 +893,19 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
members = NULL;
num_members = 0;
- if ((attrs = TALLOC_ARRAY(mem_ctx, const char *, 3)) == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- attrs[1] = talloc_strdup(mem_ctx, "usnChanged");
- attrs[2] = NULL;
-
- do {
- if (num_members == 0)
- attrs[0] = talloc_strdup(mem_ctx, "member");
-
- DEBUG(10, ("Searching for attrs[0] = %s, attrs[1] = %s\n", attrs[0], attrs[1]));
-
- rc = ads_search_retry(ads, &res, ldap_exp, attrs);
-
- if (!ADS_ERR_OK(rc) || !res) {
- DEBUG(1,("ads: lookup_groupmem ads_search: %s\n",
- ads_errstr(rc)));
- status = ads_ntstatus(rc);
- goto done;
- }
+ args.control = ADS_EXTENDED_DN_OID;
+ args.val = ADS_EXTENDED_DN_HEX_STRING;
+ args.critical = True;
- count = ads_count_replies(ads, res);
- if (count == 0)
- break;
+ rc = ads_ranged_search(ads, mem_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path,
+ ldap_exp, &args, "member", &members, &num_members);
- if (num_members == 0) {
- if (!ads_pull_uint32(ads, res, "usnChanged", &first_usn)) {
- DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
- goto done;
- }
- }
-
- if (!ads_pull_uint32(ads, res, "usnChanged", &current_usn)) {
- DEBUG(1, ("ads: lookup_groupmem could not pull usnChanged!\n"));
- goto done;
- }
-
- if (first_usn != current_usn) {
- DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
- " - restarting search\n"));
- if (num_retries < 5) {
- num_retries++;
- num_members = 0;
- ads_msgfree(ads, res);
- res = NULL;
- continue;
- } else {
- DEBUG(5, ("ads: lookup_groupmem USN on this record changed"
- " - restarted search too many times, aborting!\n"));
- status = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- }
-
- members = ads_pull_strings_range(ads, mem_ctx, res,
- "member",
- members,
- &attrs[0],
- &num_members,
- &more_values);
-
- ads_msgfree(ads, res);
- res = NULL;
-
- if ((members == NULL) || (num_members == 0))
- break;
-
- } while (more_values);
-
+ if (!ADS_ERR_OK(rc)) {
+ DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc)));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
/* now we need to turn a list of members into rids, names and name types
the problem is that the members are in the form of distinguised names
*/
@@ -975,19 +924,46 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
for (i=0;i<num_members;i++) {
uint32 name_type;
- char *name;
+ char *name, *domain_name, *dn;
DOM_SID sid;
- if (dn_lookup(ads, mem_ctx, members[i], &name, &name_type, &sid)) {
- (*names)[*num_names] = name;
- (*name_types)[*num_names] = name_type;
- sid_copy(&(*sid_mem)[*num_names], &sid);
- (*num_names)++;
+ if ((!ads_get_sid_from_extended_dn(mem_ctx, members[i], ADS_EXTENDED_DN_HEX_STRING, &sid)) ||
+ (!ads_get_dn_from_extended_dn(mem_ctx, members[i], &dn)))
+ {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ if (lookup_cached_sid(mem_ctx, &sid, &domain_name, &name, &name_type)) {
+
+ DEBUG(10,("ads: lookup_groupmem: got sid %s from cache\n",
+ sid_string_static(&sid)));
+
+ (*names)[*num_names] = CONST_DISCARD(char *,name);
+ (*name_types)[*num_names] = name_type;
+ sid_copy(&(*sid_mem)[*num_names], &sid);
+
+ (*num_names)++;
+
+ continue;
+ }
+
+ if (dn_lookup(ads, mem_ctx, dn, &name, &name_type, &sid)) {
+
+ DEBUG(10,("ads: lookup_groupmem: got sid %s from dn_lookup\n",
+ sid_string_static(&sid)));
+
+ (*names)[*num_names] = name;
+ (*name_types)[*num_names] = name_type;
+ sid_copy(&(*sid_mem)[*num_names], &sid);
+
+ (*num_names)++;
+
}
}
status = NT_STATUS_OK;
- DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid)));
+ DEBUG(3,("ads lookup_groupmem for sid=%s succeeded\n", sid_to_string(sid_string, group_sid)));
done:
if (res)