summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/providers/ldap/ldap_id.c49
1 files changed, 43 insertions, 6 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index a433a8d5..a210a472 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -31,6 +31,7 @@
#include "db/sysdb.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_idmap.h"
/* =Users-Related-Functions-(by-name,by-uid)============================== */
@@ -65,7 +66,11 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
struct users_get_state *state;
const char *attr_name;
char *clean_name;
+ char *endptr;
int ret;
+ uid_t uid;
+ enum idmap_error_code err;
+ char *sid;
req = tevent_req_create(memctx, &state, struct users_get_state);
if (!req) return NULL;
@@ -89,20 +94,52 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
switch (filter_type) {
case BE_FILTER_NAME:
attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+ ret = sss_filter_sanitize(state, name, &clean_name);
+ if (ret != EOK) {
+ goto fail;
+ }
break;
case BE_FILTER_IDNUM:
- attr_name = ctx->opts->user_map[SDAP_AT_USER_UID].name;
+ if (dp_opt_get_bool(ctx->opts->basic, SDAP_ID_MAPPING)) {
+ /* If we're ID-mapping, we need to use the objectSID
+ * in the search filter.
+ */
+ uid = strtouint32(name, &endptr, 10);
+ if (errno != EOK) {
+ ret = EINVAL;
+ goto fail;
+ }
+
+ /* Convert the UID to its objectSID */
+ err = sss_idmap_unix_to_sid(ctx->opts->idmap_ctx->map,
+ uid, &sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Mapping ID [%s] to SID failed: [%s]\n",
+ name, idmap_error_string(err)));
+ ret = EIO;
+ goto fail;
+ }
+
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+ ret = sss_filter_sanitize(state, sid, &clean_name);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ } else {
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_UID].name;
+ ret = sss_filter_sanitize(state, name, &clean_name);
+ if (ret != EOK) {
+ goto fail;
+ }
+ }
break;
default:
ret = EINVAL;
goto fail;
}
- ret = sss_filter_sanitize(state, name, &clean_name);
- if (ret != EOK) {
- goto fail;
- }
-
state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
attr_name, clean_name,
ctx->opts->user_map[SDAP_OC_USER].name);