search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-tests: Update statd-callout tests to handle both modes
[samba4-gss.git] / source3 / winbindd / idmap_rfc2307.c
blob2b3223829e2e36d98283249c7a329ad95c46bffa
1 /*
2 * Unix SMB/CIFS implementation.
3 *
4 * Id mapping using LDAP records as defined in RFC 2307
5 *
6 * The SID<->uid/gid mapping is performed in two steps: 1) Query the
7 * AD server for the name<->sid mapping. 2) Query an LDAP server
8 * according to RFC 2307 for the name<->uid/gid mapping.
9 *
10 * Copyright (C) Christof Schmitt 2012,2013
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 3 of the License, or
15 * (at your option) any later version.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "winbindd.h"
28 #include "winbindd_ads.h"
29 #include "idmap.h"
30 #include "smbldap.h"
31 #include "nsswitch/winbind_client.h"
32 #include "lib/winbind_util.h"
33 #include "libcli/security/dom_sid.h"
34 #include "lib/global_contexts.h"
35
36 /*
37 * Config and connection info per domain.
38 */
39 struct idmap_rfc2307_context {
40 const char *bind_path_user;
41 const char *bind_path_group;
42 const char *ldap_domain;
43 bool user_cn;
44 const char *realm;
45
46 /*
47 * Pointer to ldap struct in ads or smbldap_state, has to be
48 * updated after connecting to server
49 */
50 LDAP *ldap;
51
52 /* Optional function to check connection to server */
53 NTSTATUS (*check_connection)(struct idmap_domain *dom);
54
55 /* Issue ldap query */
56 NTSTATUS (*search)(struct idmap_rfc2307_context *ctx,
57 const char *bind_path, const char *expr,
58 const char **attrs, LDAPMessage **res);
59
60 /* Access to LDAP in AD server */
61 ADS_STRUCT *ads;
62
63 /* Access to stand-alone LDAP server */
64 struct smbldap_state *smbldap_state;
65 };
66
67 /*
68 * backend functions for LDAP queries through ADS
69 */
70
71 static NTSTATUS idmap_rfc2307_ads_check_connection(struct idmap_domain *dom)
72 {
73 struct idmap_rfc2307_context *ctx;
74 const char *dom_name = dom->name;
75 ADS_STATUS status;
76
77 DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
78 dom->name));
79
80 ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
81 dom_name = ctx->ldap_domain ? ctx->ldap_domain : dom->name;
82
83 status = ads_idmap_cached_connection(dom_name, ctx, &ctx->ads);
84 if (ADS_ERR_OK(status)) {
85 ctx->ldap = ctx->ads->ldap.ld;
86 } else {
87 DEBUG(1, ("Could not connect to domain %s: %s\n", dom->name,
88 ads_errstr(status)));
89 }
90
91 return ads_ntstatus(status);
92 }
93
94 static NTSTATUS idmap_rfc2307_ads_search(struct idmap_rfc2307_context *ctx,
95 const char *bind_path,
96 const char *expr,
97 const char **attrs,
98 LDAPMessage **result)
99 {
100 ADS_STATUS status;
101
102 status = ads_do_search_retry(ctx->ads, bind_path,
103 LDAP_SCOPE_SUBTREE, expr, attrs, result);
104
105 if (!ADS_ERR_OK(status)) {
106 return ads_ntstatus(status);
107 }
108
109 ctx->ldap = ctx->ads->ldap.ld;
110 return ads_ntstatus(status);
111 }
112
113 static NTSTATUS idmap_rfc2307_init_ads(struct idmap_rfc2307_context *ctx,
114 const char *domain_name)
115 {
116 const char *ldap_domain;
117
118 ctx->search = idmap_rfc2307_ads_search;
119 ctx->check_connection = idmap_rfc2307_ads_check_connection;
120
121 ldap_domain = idmap_config_const_string(domain_name, "ldap_domain",
122 NULL);
123 if (ldap_domain) {
124 ctx->ldap_domain = talloc_strdup(ctx, ldap_domain);
125 if (ctx->ldap_domain == NULL) {
126 return NT_STATUS_NO_MEMORY;
127 }
128 }
129
130 return NT_STATUS_OK;
131 }
132
133 /*
134 * backend function for LDAP queries through stand-alone LDAP server
135 */
136
137 static NTSTATUS idmap_rfc2307_ldap_search(struct idmap_rfc2307_context *ctx,
138 const char *bind_path,
139 const char *expr,
140 const char **attrs,
141 LDAPMessage **result)
142 {
143 int ret;
144
145 ret = smbldap_search(ctx->smbldap_state, bind_path, LDAP_SCOPE_SUBTREE,
146 expr, attrs, 0, result);
147 ctx->ldap = smbldap_get_ldap(ctx->smbldap_state);
148
149 if (ret == LDAP_SUCCESS) {
150 return NT_STATUS_OK;
151 }
152
153 return NT_STATUS_LDAP(ret);
154 }
155
156 static bool idmap_rfc2307_get_uint32(LDAP *ldap, LDAPMessage *entry,
157 const char *field, uint32_t *value)
158 {
159 bool b;
160 char str[20];
161
162 b = smbldap_get_single_attribute(ldap, entry, field, str, sizeof(str));
163
164 if (b) {
165 *value = atoi(str);
166 }
167
168 return b;
169 }
170
171 static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
172 const char *domain_name)
173 {
174 NTSTATUS ret;
175 char *url;
176 char *secret = NULL;
177 const char *ldap_url, *user_dn;
178 TALLOC_CTX *mem_ctx = ctx;
179
180 ldap_url = idmap_config_const_string(domain_name, "ldap_url", NULL);
181 if (!ldap_url) {
182 DEBUG(1, ("ERROR: missing idmap ldap url\n"));
183 return NT_STATUS_UNSUCCESSFUL;
184 }
185
186 url = talloc_strdup(talloc_tos(), ldap_url);
187
188 user_dn = idmap_config_const_string(domain_name, "ldap_user_dn", NULL);
189 if (user_dn) {
190 secret = idmap_fetch_secret("ldap", domain_name, user_dn);
191 if (!secret) {
192 ret = NT_STATUS_ACCESS_DENIED;
193 goto done;
194 }
195 }
196
197 /* assume anonymous if we don't have a specified user */
198 ret = smbldap_init(mem_ctx, global_event_context(), url,
199 (user_dn == NULL), user_dn, secret,
200 &ctx->smbldap_state);
201 BURN_FREE_STR(secret);
202 if (!NT_STATUS_IS_OK(ret)) {
203 DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", url));
204 goto done;
205 }
206
207 ctx->search = idmap_rfc2307_ldap_search;
208
209 done:
210 talloc_free(url);
211 return ret;
212 }
213
214 /*
215 * common code for stand-alone LDAP and ADS
216 */
217
218 static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
219 TALLOC_CTX *mem_ctx,
220 struct id_map **ids,
221 LDAPMessage *result,
222 const char *dom_name,
223 const char **attrs, int type)
224 {
225 int count, i;
226 LDAPMessage *entry;
227
228 count = ldap_count_entries(ctx->ldap, result);
229
230 for (i = 0; i < count; i++) {
231 char *name;
232 struct dom_sid sid;
233 enum lsa_SidType lsa_type;
234 struct id_map *map;
235 uint32_t id;
236 bool b;
237
238 if (i == 0) {
239 entry = ldap_first_entry(ctx->ldap, result);
240 } else {
241 entry = ldap_next_entry(ctx->ldap, entry);
242 }
243 if (!entry) {
244 DEBUG(2, ("Unable to fetch entry.\n"));
245 break;
246 }
247
248 name = smbldap_talloc_single_attribute(ctx->ldap, entry,
249 attrs[0], mem_ctx);
250 if (!name) {
251 DEBUG(1, ("Could not get user name\n"));
252 continue;
253 }
254
255 b = idmap_rfc2307_get_uint32(ctx->ldap, entry, attrs[1], &id);
256 if (!b) {
257 DEBUG(1, ("Could not pull id for record %s\n", name));
258 continue;
259 }
260
261 map = idmap_find_map_by_id(ids, type, id);
262 if (!map) {
263 DEBUG(1, ("Could not find id %d, name %s\n", id, name));
264 continue;
265 }
266
267 if (ctx->realm != NULL) {
268 /* Strip @realm from user or group name */
269 char *delim;
270
271 delim = strchr(name, '@');
272 if (delim) {
273 *delim = '\0';
274 }
275 }
276
277 /* by default calls to winbindd are disabled
278 the following call will not recurse so this is safe */
279 (void)winbind_on();
280 /* Lookup name from PDC using lsa_lookup_names() */
281 b = winbind_lookup_name(dom_name, name, &sid, &lsa_type);
282 (void)winbind_off();
283
284 if (!b) {
285 DEBUG(1, ("SID lookup failed for id %d, %s\n",
286 id, name));
287 continue;
288 }
289
290 if (type == ID_TYPE_UID && lsa_type != SID_NAME_USER) {
291 DEBUG(1, ("Wrong type %d for user name %s\n",
292 type, name));
293 continue;
294 }
295
296 if (type == ID_TYPE_GID && lsa_type != SID_NAME_DOM_GRP &&
297 lsa_type != SID_NAME_ALIAS &&
298 lsa_type != SID_NAME_WKN_GRP) {
299 DEBUG(1, ("Wrong type %d for group name %s\n",
300 type, name));
301 continue;
302 }
303
304 map->status = ID_MAPPED;
305 sid_copy(map->sid, &sid);
306 }
307 }
308
309 /*
310 * Map unixids to names and then to sids.
311 */
312 static NTSTATUS idmap_rfc2307_unixids_to_sids(struct idmap_domain *dom,
313 struct id_map **ids)
314 {
315 struct idmap_rfc2307_context *ctx;
316 char *fltr_usr = NULL, *fltr_grp = NULL;
317 TALLOC_CTX *mem_ctx;
318 int cnt_usr = 0, cnt_grp = 0, idx = 0, bidx = 0;
319 LDAPMessage *result = NULL;
320 NTSTATUS ret;
321
322 ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
323 mem_ctx = talloc_new(ctx);
324 if (!mem_ctx) {
325 return NT_STATUS_NO_MEMORY;
326 }
327
328 if (ctx->check_connection) {
329 ret = ctx->check_connection(dom);
330 if (!NT_STATUS_IS_OK(ret)) {
331 goto out;
332 }
333 }
334
335 again:
336 bidx = idx;
337
338 if (!fltr_usr) {
339 /* prepare new user query, see getpwuid() in RFC2307 */
340 fltr_usr = talloc_asprintf(mem_ctx,
341 "(&(objectClass=posixAccount)(|");
342 }
343
344 if (!fltr_grp) {
345 /* prepare new group query, see getgrgid() in RFC2307 */
346 fltr_grp = talloc_asprintf(mem_ctx,
347 "(&(objectClass=posixGroup)(|");
348 }
349
350 if (!fltr_usr || !fltr_grp) {
351 ret = NT_STATUS_NO_MEMORY;
352 goto out;
353 }
354
355 while (cnt_usr < IDMAP_LDAP_MAX_IDS &&
356 cnt_grp < IDMAP_LDAP_MAX_IDS && ids[idx]) {
357
358 switch (ids[idx]->xid.type) {
359 case ID_TYPE_UID:
360 fltr_usr = talloc_asprintf_append_buffer(fltr_usr,
361 "(uidNumber=%d)", ids[idx]->xid.id);
362 cnt_usr++;
363 break;
364 case ID_TYPE_GID:
365 fltr_grp = talloc_asprintf_append_buffer(fltr_grp,
366 "(gidNumber=%d)", ids[idx]->xid.id);
367 cnt_grp++;
368 break;
369 default:
370 DEBUG(3, ("Error: unknown ID type %d\n",
371 ids[idx]->xid.type));
372 ret = NT_STATUS_UNSUCCESSFUL;
373 goto out;
374 }
375
376 if (!fltr_usr || !fltr_grp) {
377 ret = NT_STATUS_NO_MEMORY;
378 goto out;
379 }
380
381 idx++;
382 }
383
384 if (cnt_usr == IDMAP_LDAP_MAX_IDS || (cnt_usr != 0 && !ids[idx])) {
385 const char *attrs[] = { NULL, /* uid or cn */
386 "uidNumber",
387 NULL };
388
389 fltr_usr = talloc_strdup_append(fltr_usr, "))");
390 if (!fltr_usr) {
391 ret = NT_STATUS_NO_MEMORY;
392 goto out;
393 }
394
395 attrs[0] = ctx->user_cn ? "cn" : "uid";
396 ret = ctx->search(ctx, ctx->bind_path_user, fltr_usr, attrs,
397 &result);
398 if (!NT_STATUS_IS_OK(ret)) {
399 goto out;
400 }
401
402 idmap_rfc2307_map_sid_results(ctx, mem_ctx, &ids[bidx], result,
403 dom->name, attrs, ID_TYPE_UID);
404 cnt_usr = 0;
405 TALLOC_FREE(fltr_usr);
406 }
407
408 if (cnt_grp == IDMAP_LDAP_MAX_IDS || (cnt_grp != 0 && !ids[idx])) {
409 const char *attrs[] = { "cn", "gidNumber", NULL };
410
411 fltr_grp = talloc_strdup_append(fltr_grp, "))");
412 if (!fltr_grp) {
413 ret = NT_STATUS_NO_MEMORY;
414 goto out;
415 }
416 ret = ctx->search(ctx, ctx->bind_path_group, fltr_grp, attrs,
417 &result);
418 if (!NT_STATUS_IS_OK(ret)) {
419 goto out;
420 }
421
422 idmap_rfc2307_map_sid_results(ctx, mem_ctx, &ids[bidx], result,
423 dom->name, attrs, ID_TYPE_GID);
424 cnt_grp = 0;
425 TALLOC_FREE(fltr_grp);
426 }
427
428 if (ids[idx]) {
429 goto again;
430 }
431
432 ret = NT_STATUS_OK;
433
434 out:
435 talloc_free(mem_ctx);
436 return ret;
437 }
438
439 struct idmap_rfc2307_map {
440 struct id_map *map;
441 const char *name;
442 enum id_type type;
443 };
444
445 /*
446 * Lookup names for SIDS and store the data in the local mapping
447 * array.
448 */
449 static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
450 struct id_map **ids,
451 struct idmap_rfc2307_map *maps,
452 struct idmap_rfc2307_context *ctx)
453 {
454 int i;
455
456 for (i = 0; ids[i]; i++) {
457 const char *domain, *name;
458 enum lsa_SidType lsa_type;
459 struct id_map *id = ids[i];
460 struct idmap_rfc2307_map *map = &maps[i];
461 struct dom_sid_buf buf;
462 bool b;
463
464 /* by default calls to winbindd are disabled
465 the following call will not recurse so this is safe */
466 (void)winbind_on();
467 b = winbind_lookup_sid(mem_ctx, ids[i]->sid, &domain, &name,
468 &lsa_type);
469 (void)winbind_off();
470
471 if (!b) {
472 DEBUG(1, ("Lookup sid %s failed.\n",
473 dom_sid_str_buf(ids[i]->sid, &buf)));
474 continue;
475 }
476
477 switch(lsa_type) {
478 case SID_NAME_USER:
479 id->xid.type = map->type = ID_TYPE_UID;
480 if (ctx->user_cn && ctx->realm != NULL) {
481 name = talloc_asprintf(mem_ctx, "%s@%s",
482 name, ctx->realm);
483 }
484 id->xid.type = map->type = ID_TYPE_UID;
485 break;
486
487 case SID_NAME_DOM_GRP:
488 case SID_NAME_ALIAS:
489 case SID_NAME_WKN_GRP:
490 if (ctx->realm != NULL) {
491 name = talloc_asprintf(mem_ctx, "%s@%s",
492 name, ctx->realm);
493 }
494 id->xid.type = map->type = ID_TYPE_GID;
495 break;
496
497 default:
498 DEBUG(1, ("Unknown lsa type %d for sid %s\n",
499 lsa_type,
500 dom_sid_str_buf(id->sid, &buf)));
501 id->status = ID_UNMAPPED;
502 continue;
503 }
504
505 map->map = id;
506 id->status = ID_UNKNOWN;
507 map->name = strupper_talloc(mem_ctx, name);
508
509 if (!map->name) {
510 return NT_STATUS_NO_MEMORY;
511 }
512 }
513
514 return NT_STATUS_OK;
515 }
516
517 /*
518 * Find id_map entry by looking up the name in the internal
519 * mapping array.
520 */
521 static struct id_map* idmap_rfc2307_find_map(struct idmap_rfc2307_map *maps,
522 enum id_type type,
523 const char *name)
524 {
525 int i;
526
527 DEBUG(10, ("Looking for name %s, type %d\n", name, type));
528
529 for (i = 0; maps[i].map != NULL; i++) {
530 DEBUG(10, ("Entry %d: name %s, type %d\n",
531 i, maps[i].name, maps[i].type));
532 if (type == maps[i].type && strcmp(name, maps[i].name) == 0) {
533 return maps[i].map;
534 }
535 }
536
537 return NULL;
538 }
539
540 static void idmap_rfc2307_map_xid_results(struct idmap_rfc2307_context *ctx,
541 TALLOC_CTX *mem_ctx,
542 struct idmap_rfc2307_map *maps,
543 LDAPMessage *result,
544 struct idmap_domain *dom,
545 const char **attrs, enum id_type type)
546 {
547 int count, i;
548 LDAPMessage *entry;
549
550 count = ldap_count_entries(ctx->ldap, result);
551
552 for (i = 0; i < count; i++) {
553 uint32_t id;
554 char *name;
555 bool b;
556 struct id_map *id_map;
557
558 if (i == 0) {
559 entry = ldap_first_entry(ctx->ldap, result);
560 } else {
561 entry = ldap_next_entry(ctx->ldap, entry);
562 }
563 if (!entry) {
564 DEBUG(2, ("Unable to fetch entry.\n"));
565 break;
566 }
567
568 name = smbldap_talloc_single_attribute(ctx->ldap, entry,
569 attrs[0], mem_ctx);
570 if (!name) {
571 DEBUG(1, ("Could not get user name\n"));
572 continue;
573 }
574
575 b = idmap_rfc2307_get_uint32(ctx->ldap, entry, attrs[1], &id);
576 if (!b) {
577 DEBUG(5, ("Could not pull id for record %s\n", name));
578 continue;
579 }
580
581 if (!idmap_unix_id_is_in_range(id, dom)) {
582 DEBUG(5, ("Requested id (%u) out of range (%u - %u).\n",
583 id, dom->low_id, dom->high_id));
584 continue;
585 }
586
587 if (!strupper_m(name)) {
588 DEBUG(5, ("Could not convert %s to uppercase\n", name));
589 continue;
590 }
591 id_map = idmap_rfc2307_find_map(maps, type, name);
592 if (!id_map) {
593 DEBUG(0, ("Could not find mapping entry for name %s\n",
594 name));
595 continue;
596 }
597
598 id_map->xid.id = id;
599 id_map->status = ID_MAPPED;
600 }
601 }
602
603 /*
604 * Map sids to names and then to unixids.
605 */
606 static NTSTATUS idmap_rfc2307_sids_to_unixids(struct idmap_domain *dom,
607 struct id_map **ids)
608 {
609 struct idmap_rfc2307_context *ctx;
610 TALLOC_CTX *mem_ctx;
611 struct idmap_rfc2307_map *int_maps;
612 int cnt_usr = 0, cnt_grp = 0, idx = 0;
613 char *fltr_usr = NULL, *fltr_grp = NULL;
614 NTSTATUS ret;
615 int i;
616
617 ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
618 mem_ctx = talloc_new(talloc_tos());
619 if (!mem_ctx) {
620 return NT_STATUS_NO_MEMORY;
621 }
622
623 if (ctx->check_connection) {
624 ret = ctx->check_connection(dom);
625 if (!NT_STATUS_IS_OK(ret)) {
626 goto out;
627 }
628 }
629
630 for (i = 0; ids[i]; i++);
631 int_maps = talloc_zero_array(mem_ctx, struct idmap_rfc2307_map, i);
632 if (!int_maps) {
633 ret = NT_STATUS_NO_MEMORY;
634 goto out;
635 }
636
637 ret = idmap_rfc_2307_sids_to_names(mem_ctx, ids, int_maps, ctx);
638 if (!NT_STATUS_IS_OK(ret)) {
639 goto out;
640 }
641
642 again:
643 if (!fltr_usr) {
644 /* prepare new user query, see getpwuid() in RFC2307 */
645 fltr_usr = talloc_asprintf(mem_ctx,
646 "(&(objectClass=posixAccount)(|");
647 }
648
649 if (!fltr_grp) {
650 /* prepare new group query, see getgrgid() in RFC2307 */
651 fltr_grp = talloc_asprintf(mem_ctx,
652 "(&(objectClass=posixGroup)(|");
653 }
654
655 if (!fltr_usr || !fltr_grp) {
656 ret = NT_STATUS_NO_MEMORY;
657 goto out;
658 }
659
660 while (cnt_usr < IDMAP_LDAP_MAX_IDS &&
661 cnt_grp < IDMAP_LDAP_MAX_IDS && ids[idx]) {
662 struct id_map *id = ids[idx];
663 struct idmap_rfc2307_map *map = &int_maps[idx];
664
665 switch(id->xid.type) {
666 case ID_TYPE_UID:
667 fltr_usr = talloc_asprintf_append_buffer(fltr_usr,
668 "(%s=%s)", (ctx->user_cn ? "cn" : "uid"),
669 map->name);
670 cnt_usr++;
671 break;
672
673 case ID_TYPE_GID:
674 fltr_grp = talloc_asprintf_append_buffer(fltr_grp,
675 "(cn=%s)", map->name);
676 cnt_grp++;
677 break;
678
679 default:
680 break;
681 }
682
683 if (!fltr_usr || !fltr_grp) {
684 ret = NT_STATUS_NO_MEMORY;
685 goto out;
686 }
687
688 idx++;
689 }
690
691 if (cnt_usr == IDMAP_LDAP_MAX_IDS || (cnt_usr != 0 && !ids[idx])) {
692 const char *attrs[] = { NULL, /* uid or cn */
693 "uidNumber",
694 NULL };
695 LDAPMessage *result;
696
697 fltr_usr = talloc_strdup_append(fltr_usr, "))");
698 if (!fltr_usr) {
699 ret = NT_STATUS_NO_MEMORY;
700 goto out;
701 }
702
703 attrs[0] = ctx->user_cn ? "cn" : "uid";
704 ret = ctx->search(ctx, ctx->bind_path_user, fltr_usr, attrs,
705 &result);
706 if (!NT_STATUS_IS_OK(ret)) {
707 goto out;
708 }
709
710 idmap_rfc2307_map_xid_results(ctx, mem_ctx, int_maps,
711 result, dom, attrs, ID_TYPE_UID);
712
713 cnt_usr = 0;
714 TALLOC_FREE(fltr_usr);
715 }
716
717 if (cnt_grp == IDMAP_LDAP_MAX_IDS || (cnt_grp != 0 && !ids[idx])) {
718 const char *attrs[] = {"cn", "gidNumber", NULL };
719 LDAPMessage *result;
720
721 fltr_grp = talloc_strdup_append(fltr_grp, "))");
722 if (!fltr_grp) {
723 ret = NT_STATUS_NO_MEMORY;
724 goto out;
725 }
726
727 ret = ctx->search(ctx, ctx->bind_path_group, fltr_grp, attrs,
728 &result);
729 if (!NT_STATUS_IS_OK(ret)) {
730 goto out;
731 }
732
733 idmap_rfc2307_map_xid_results(ctx, mem_ctx, int_maps, result,
734 dom, attrs, ID_TYPE_GID);
735 cnt_grp = 0;
736 TALLOC_FREE(fltr_grp);
737 }
738
739 if (ids[idx]) {
740 goto again;
741 }
742
743 ret = NT_STATUS_OK;
744
745 out:
746 talloc_free(mem_ctx);
747 return ret;
748 }
749
750 static int idmap_rfc2307_context_destructor(struct idmap_rfc2307_context *ctx)
751 {
752 TALLOC_FREE(ctx->ads);
753
754 if (ctx->smbldap_state != NULL) {
755 smbldap_free_struct(&ctx->smbldap_state);
756 }
757
758 return 0;
759 }
760
761 static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
762 {
763 struct idmap_rfc2307_context *ctx;
764 const char *bind_path_user, *bind_path_group, *ldap_server, *realm;
765 NTSTATUS status;
766
767 ctx = talloc_zero(domain, struct idmap_rfc2307_context);
768 if (ctx == NULL) {
769 return NT_STATUS_NO_MEMORY;
770 }
771 talloc_set_destructor(ctx, idmap_rfc2307_context_destructor);
772
773 bind_path_user = idmap_config_const_string(
774 domain->name, "bind_path_user", NULL);
775 if (bind_path_user == NULL) {
776 status = NT_STATUS_INVALID_PARAMETER;
777 goto err;
778 }
779 ctx->bind_path_user = talloc_strdup(ctx, bind_path_user);
780 if (ctx->bind_path_user == NULL) {
781 status = NT_STATUS_NO_MEMORY;
782 goto err;
783 }
784
785 bind_path_group = idmap_config_const_string(
786 domain->name, "bind_path_group", NULL);
787 if (bind_path_group == NULL) {
788 status = NT_STATUS_INVALID_PARAMETER;
789 goto err;
790 }
791 ctx->bind_path_group = talloc_strdup(ctx, bind_path_group);
792 if (ctx->bind_path_group == NULL) {
793 status = NT_STATUS_NO_MEMORY;
794 goto err;
795 }
796
797 ldap_server = idmap_config_const_string(
798 domain->name, "ldap_server", NULL);
799 if (!ldap_server) {
800 status = NT_STATUS_INVALID_PARAMETER;
801 goto err;
802 }
803
804 if (strcmp(ldap_server, "stand-alone") == 0) {
805 status = idmap_rfc2307_init_ldap(ctx, domain->name);
806
807 } else if (strcmp(ldap_server, "ad") == 0) {
808 status = idmap_rfc2307_init_ads(ctx, domain->name);
809
810 } else {
811 status = NT_STATUS_INVALID_PARAMETER;
812 }
813
814 if (!NT_STATUS_IS_OK(status)) {
815 goto err;
816 }
817
818 realm = idmap_config_const_string(domain->name, "realm", NULL);
819 if (realm) {
820 ctx->realm = talloc_strdup(ctx, realm);
821 if (ctx->realm == NULL) {
822 status = NT_STATUS_NO_MEMORY;
823 goto err;
824 }
825 }
826
827 ctx->user_cn = idmap_config_bool(domain->name, "user_cn", false);
828
829 domain->private_data = ctx;
830 return NT_STATUS_OK;
831
832 err:
833 talloc_free(ctx);
834 return status;
835 }
836
837 static const struct idmap_methods rfc2307_methods = {
838 .init = idmap_rfc2307_initialize,
839 .unixids_to_sids = idmap_rfc2307_unixids_to_sids,
840 .sids_to_unixids = idmap_rfc2307_sids_to_unixids,
841 };
842
843 static_decl_idmap;
844 NTSTATUS idmap_rfc2307_init(TALLOC_CTX *ctx)
845 {
846 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "rfc2307",
847 &rfc2307_methods);
848 }
GSS-enabled samba4