-rw-r--r-- | src/providers/ldap/ldap_id.c | 49 |
1 files changed, 43 insertions, 6 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index a433a8d5..a210a472 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -31,6 +31,7 @@
 #include "db/sysdb.h"
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_idmap.h"
 /* =Users-Related-Functions-(by-name,by-uid)============================== */
@@ -65,7 +66,11 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
 struct users_get_state *state;
 const char *attr_name;
 char *clean_name;
+ char *endptr;
 int ret;
+ uid_t uid;
+ enum idmap_error_code err;
+ char *sid;
 req = tevent_req_create(memctx, &state, struct users_get_state);
 if (!req) return NULL;
@@ -89,20 +94,52 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
 switch (filter_type) {
 case BE_FILTER_NAME:
 attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+ ret = sss_filter_sanitize(state, name, &clean_name);
+ if (ret != EOK) {
+ goto fail;
+ }
 break;
 case BE_FILTER_IDNUM:
- attr_name = ctx->opts->user_map[SDAP_AT_USER_UID].name;
+ if (dp_opt_get_bool(ctx->opts->basic, SDAP_ID_MAPPING)) {
+ /* If we're ID-mapping, we need to use the objectSID
+ * in the search filter.
+ */
+ uid = strtouint32(name, &endptr, 10);
+ if (errno != EOK) {
+ ret = EINVAL;
+ goto fail;
+ }
+
+ /* Convert the UID to its objectSID */
+ err = sss_idmap_unix_to_sid(ctx->opts->idmap_ctx->map,
+ uid, &sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Mapping ID [%s] to SID failed: [%s]\n",
+ name, idmap_error_string(err)));
+ ret = EIO;
+ goto fail;
+ }
+
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+ ret = sss_filter_sanitize(state, sid, &clean_name);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ } else {
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_UID].name;
+ ret = sss_filter_sanitize(state, name, &clean_name);
+ if (ret != EOK) {
+ goto fail;
+ }
+ }
 break;
 default:
 ret = EINVAL;
 goto fail;
 }
- ret = sss_filter_sanitize(state, name, &clean_name);
- if (ret != EOK) {
- goto fail;
- }
-
 state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", attr_name, clean_name, ctx->opts->user_map[SDAP_OC_USER].name); |
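Review bot: In the new BE_FILTER_IDNUM branch `endptr` is handed to strtouint32 but never examined, so a request value with trailing characters or an empty string still produces a uid and the lookup proceeds on it; the guard should be `if (errno != EOK || endptr == name || *endptr != '\0') {`, because the errno test alone only catches whatever range or parse errors the helper chooses to report. Whether strtouint32 clears errno before converting is not visible in this hunk; if it does not, a stale errno from an earlier call would make the check misfire, so `errno = 0;` belongs immediately before the conversion. The `sid` buffer returned by sss_idmap_unix_to_sid is copied into `clean_name` by sss_filter_sanitize and then never released here; unless the idmap context's allocator ties it to a short-lived talloc parent, every ID-mapped lookup leaks it, so it should be freed through the idmap library's matching release routine (or talloc_free if the allocator is talloc-backed) right after the sanitize call. users_get_send continues past this hunk, including the `fail` label the new branches jump to.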