search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge remote-tracking branch 'origin/master'
[unleashed/lotheac.git] / usr / src / lib / nsswitch / ldap / common / getgrent.c
blob598214af4b480717229b35d8c62ae7a37751296f
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
26 */
27
28 #include <sys/param.h>
29 #include <grp.h>
30 #include "ldap_common.h"
31 #include <string.h>
32
33 /* String which may need to be removed from beginning of group password */
34 #define _CRYPT "{CRYPT}"
35 #define _NO_PASSWD_VAL ""
36
37 /* Group attributes filters */
38 #define _G_NAME "cn"
39 #define _G_GID "gidnumber"
40 #define _G_PASSWD "userpassword"
41 #define _G_MEM "memberuid"
42
43 #define _F_GETGRNAM "(&(objectClass=posixGroup)(cn=%s))"
44 #define _F_GETGRNAM_SSD "(&(%%s)(cn=%s))"
45 #define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))"
46 #define _F_GETGRGID_SSD "(&(%%s)(gidNumber=%u))"
47 /*
48 * Group membership can be defined by either username or DN, so when searching
49 * for groups by member we need to consider both. The first parameter in the
50 * filter is replaced by username, the second by DN.
51 */
52 #define _F_GETGRMEM \
53 "(&(objectClass=posixGroup)(|(memberUid=%s)(memberUid=%s)))"
54 #define _F_GETGRMEM_SSD "(&(%%s)(|(memberUid=%s)(memberUid=%s)))"
55
56 /*
57 * Copied from getpwnam.c, needed to look up user DN.
58 * Would it be better to move to ldap_common.h rather than duplicate?
59 */
60 #define _F_GETPWNAM "(&(objectClass=posixAccount)(uid=%s))"
61 #define _F_GETPWNAM_SSD "(&(%%s)(uid=%s))"
62
63 static const char *gr_attrs[] = {
64 _G_NAME,
65 _G_GID,
66 _G_PASSWD,
67 _G_MEM,
68 NULL
69 };
70
71
72 /*
73 * _nss_ldap_group2str is the data marshaling method for the group getXbyY
74 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
75 * is called after a successful ldap search has been performed. This method
76 * will parse the ldap search values into the file format.
77 * e.g.
78 *
79 * adm::4:root,adm,daemon
80 *
81 */
82
83 static int
84 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
85 {
86 int i;
87 int nss_result;
88 int buflen = 0, len;
89 int firstime = 1;
90 char *buffer = NULL;
91 ns_ldap_result_t *result = be->result;
92 char **gname, **passwd, **gid, *password, *end;
93 char gid_nobody[NOBODY_STR_LEN];
94 char *gid_nobody_v[1];
95 char *member_str, *strtok_state;
96 ns_ldap_attr_t *members;
97
98 (void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY);
99 gid_nobody_v[0] = gid_nobody;
100
101 if (result == NULL)
102 return (NSS_STR_PARSE_PARSE);
103 buflen = argp->buf.buflen;
104
105 if (argp->buf.result != NULL) {
106 if ((be->buffer = calloc(1, buflen)) == NULL) {
107 nss_result = NSS_STR_PARSE_PARSE;
108 goto result_grp2str;
109 }
110 buffer = be->buffer;
111 } else
112 buffer = argp->buf.buffer;
113
114 nss_result = NSS_STR_PARSE_SUCCESS;
115 (void) memset(buffer, 0, buflen);
116
117 gname = __ns_ldap_getAttr(result->entry, _G_NAME);
118 if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
119 nss_result = NSS_STR_PARSE_PARSE;
120 goto result_grp2str;
121 }
122 passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
123 if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
124 /* group password could be NULL, replace it with "" */
125 password = _NO_PASSWD_VAL;
126 } else {
127 /*
128 * Preen "{crypt}" if necessary.
129 * If the password does not include the {crypt} prefix
130 * then the password may be plain text. And thus
131 * perhaps crypt(3c) should be used to encrypt it.
132 * Currently the password is copied verbatim.
133 */
134 if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
135 password = passwd[0] + strlen(_CRYPT);
136 else
137 password = passwd[0];
138 }
139 gid = __ns_ldap_getAttr(result->entry, _G_GID);
140 if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
141 nss_result = NSS_STR_PARSE_PARSE;
142 goto result_grp2str;
143 }
144 /* Validate GID */
145 if (strtoul(gid[0], &end, 10) > MAXUID)
146 gid = gid_nobody_v;
147 len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]);
148 TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
149
150 members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
151 if (members == NULL || members->attrvalue == NULL) {
152 /* no member is fine, skip processing the member list */
153 goto nomember;
154 }
155
156 for (i = 0; i < members->value_count; i++) {
157 if (members->attrvalue[i] == NULL) {
158 nss_result = NSS_STR_PARSE_PARSE;
159 goto result_grp2str;
160 }
161 /*
162 * If we find an '=' in the member attribute value, treat it as
163 * a DN, otherwise as a username.
164 */
165 if (member_str = strchr(members->attrvalue[i], '=')) {
166 member_str++; /* skip over the '=' */
167 /* Fail if we can't pull a username out of the RDN */
168 if (! (member_str = strtok_r(member_str,
169 ",", &strtok_state))) {
170 nss_result = NSS_STR_PARSE_PARSE;
171 goto result_grp2str;
172 }
173 } else {
174 member_str = members->attrvalue[i];
175 }
176 if (*member_str != '\0') {
177 if (firstime) {
178 len = snprintf(buffer, buflen, "%s",
179 member_str);
180 TEST_AND_ADJUST(len, buffer, buflen,
181 result_grp2str);
182 firstime = 0;
183 } else {
184 len = snprintf(buffer, buflen, ",%s",
185 member_str);
186 TEST_AND_ADJUST(len, buffer, buflen,
187 result_grp2str);
188 }
189 }
190 }
191 nomember:
192 /* The front end marshaller doesn't need the trailing nulls */
193 if (argp->buf.result != NULL)
194 be->buflen = strlen(be->buffer);
195 result_grp2str:
196 (void) __ns_ldap_freeResult(&be->result);
197 return (nss_result);
198 }
199
200 /*
201 * getbynam gets a group entry by name. This function constructs an ldap
202 * search filter using the name invocation parameter and the getgrnam search
203 * filter defined. Once the filter is constructed, we searche for a matching
204 * entry and marshal the data results into struct group for the frontend
205 * process. The function _nss_ldap_group2ent performs the data marshaling.
206 */
207
208 static nss_status_t
209 getbynam(ldap_backend_ptr be, void *a)
210 {
211 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
212 char searchfilter[SEARCHFILTERLEN];
213 char userdata[SEARCHFILTERLEN];
214 char groupname[SEARCHFILTERLEN];
215 int ret;
216
217 if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname)) !=
218 0)
219 return ((nss_status_t)NSS_NOTFOUND);
220
221 ret = snprintf(searchfilter, sizeof (searchfilter),
222 _F_GETGRNAM, groupname);
223 if (ret >= sizeof (searchfilter) || ret < 0)
224 return ((nss_status_t)NSS_NOTFOUND);
225
226 ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname);
227 if (ret >= sizeof (userdata) || ret < 0)
228 return ((nss_status_t)NSS_NOTFOUND);
229
230 return ((nss_status_t)_nss_ldap_lookup(be, argp,
231 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
232 }
233
234
235 /*
236 * getbygid gets a group entry by number. This function constructs an ldap
237 * search filter using the name invocation parameter and the getgrgid search
238 * filter defined. Once the filter is constructed, we searche for a matching
239 * entry and marshal the data results into struct group for the frontend
240 * process. The function _nss_ldap_group2ent performs the data marshaling.
241 */
242
243 static nss_status_t
244 getbygid(ldap_backend_ptr be, void *a)
245 {
246 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
247 char searchfilter[SEARCHFILTERLEN];
248 char userdata[SEARCHFILTERLEN];
249 int ret;
250
251 if (argp->key.uid > MAXUID)
252 return ((nss_status_t)NSS_NOTFOUND);
253
254 ret = snprintf(searchfilter, sizeof (searchfilter),
255 _F_GETGRGID, argp->key.uid);
256 if (ret >= sizeof (searchfilter) || ret < 0)
257 return ((nss_status_t)NSS_NOTFOUND);
258
259 ret = snprintf(userdata, sizeof (userdata),
260 _F_GETGRGID_SSD, argp->key.uid);
261 if (ret >= sizeof (userdata) || ret < 0)
262 return ((nss_status_t)NSS_NOTFOUND);
263
264 return ((nss_status_t)_nss_ldap_lookup(be, argp,
265 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
266
267 }
268
269
270 /*
271 * getbymember returns all groups a user is defined in. This function
272 * uses different architectural procedures than the other group backend
273 * system calls because it's a private interface. This function constructs
274 * an ldap search filter using the name invocation parameter. Once the
275 * filter is constructed, we search for all matching groups counting
276 * and storing each group name, gid, etc. Data marshaling is used for
277 * group processing. The function _nss_ldap_group2ent() performs the
278 * data marshaling.
279 *
280 * (const char *)argp->username; (size_t)strlen(argp->username);
281 * (gid_t)argp->gid_array; (int)argp->maxgids;
282 * (int)argp->numgids;
283 */
284
285 static nss_status_t
286 getbymember(ldap_backend_ptr be, void *a)
287 {
288 int i, j, k;
289 int gcnt = (int)0;
290 char **groupvalue, **membervalue, *member_str;
291 char *strtok_state;
292 nss_status_t lstat;
293 struct nss_groupsbymem *argp = (struct nss_groupsbymem *)a;
294 char searchfilter[SEARCHFILTERLEN];
295 char userdata[SEARCHFILTERLEN];
296 char name[SEARCHFILTERLEN];
297 ns_ldap_result_t *result;
298 ns_ldap_entry_t *curEntry;
299 char *username, **dn_attr, *dn;
300 gid_t gid;
301 int ret;
302
303 if (strcmp(argp->username, "") == 0 ||
304 strcmp(argp->username, "root") == 0)
305 return ((nss_status_t)NSS_NOTFOUND);
306
307 if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
308 return ((nss_status_t)NSS_NOTFOUND);
309
310 ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETPWNAM, name);
311 if (ret >= sizeof (searchfilter) || ret < 0)
312 return ((nss_status_t)NSS_NOTFOUND);
313
314 ret = snprintf(userdata, sizeof (userdata), _F_GETPWNAM_SSD, name);
315 if (ret >= sizeof (userdata) || ret < 0)
316 return ((nss_status_t)NSS_NOTFOUND);
317
318 /*
319 * Look up the user DN in ldap. If it's not found, search solely by
320 * username.
321 */
322 lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
323 _PASSWD, searchfilter, NULL, _merge_SSD_filter, userdata);
324 if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
325 return ((nss_status_t)lstat);
326
327 if (be->result == NULL ||
328 !(dn_attr = __ns_ldap_getAttr(be->result->entry, "dn")))
329 dn = name;
330 else
331 dn = dn_attr[0];
332
333 ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name,
334 dn);
335 if (ret >= sizeof (searchfilter) || ret < 0)
336 return ((nss_status_t)NSS_NOTFOUND);
337
338 ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name,
339 dn);
340 if (ret >= sizeof (userdata) || ret < 0)
341 return ((nss_status_t)NSS_NOTFOUND);
342
343 /*
344 * Free up resources from user DN search before performing group
345 * search.
346 */
347 (void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
348
349 gcnt = (int)argp->numgids;
350 lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
351 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata);
352 if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
353 return ((nss_status_t)lstat);
354 if (be->result == NULL)
355 return (NSS_NOTFOUND);
356 username = (char *)argp->username;
357 result = (ns_ldap_result_t *)be->result;
358 curEntry = (ns_ldap_entry_t *)result->entry;
359 for (i = 0; i < result->entries_count && curEntry != NULL; i++) {
360 membervalue = __ns_ldap_getAttr(curEntry, "memberUid");
361 if (membervalue == NULL) {
362 curEntry = curEntry->next;
363 continue;
364 }
365 for (j = 0; membervalue[j]; j++) {
366 /*
367 * If we find an '=' in the member attribute
368 * value, treat it as a DN, otherwise as a
369 * username.
370 */
371 if (member_str = strchr(membervalue[j], '=')) {
372 member_str++; /* skip over the '=' */
373 member_str = strtok_r(member_str, ",",
374 &strtok_state);
375 } else {
376 member_str = membervalue[j];
377 }
378 if (member_str != NULL &&
379 strcmp(member_str, username) == 0) {
380 groupvalue = __ns_ldap_getAttr(curEntry,
381 "gidnumber");
382 if (groupvalue == NULL ||
383 groupvalue[0] == NULL) {
384 /* Drop this group from the list */
385 break;
386 }
387 errno = 0;
388 gid = (gid_t)strtol(groupvalue[0],
389 (char **)NULL, 10);
390
391 if (errno == 0 &&
392 argp->numgids < argp->maxgids) {
393 for (k = 0; k < argp->numgids; k++) {
394 if (argp->gid_array[k] == gid)
395 /* already exists */
396 break;
397 }
398 if (k == argp->numgids)
399 argp->gid_array[argp->numgids++]
400 = gid;
401 }
402 break;
403 }
404 }
405 curEntry = curEntry->next;
406 }
407
408 (void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
409 if (gcnt == argp->numgids)
410 return ((nss_status_t)NSS_NOTFOUND);
411
412 /*
413 * Return NSS_SUCCESS only if array is full.
414 * Explained in <nss_dbdefs.h>.
415 */
416 return ((nss_status_t)((argp->numgids == argp->maxgids)
417 ? NSS_SUCCESS
418 : NSS_NOTFOUND));
419 }
420
421 static ldap_backend_op_t gr_ops[] = {
422 _nss_ldap_destr,
423 _nss_ldap_endent,
424 _nss_ldap_setent,
425 _nss_ldap_getent,
426 getbynam,
427 getbygid,
428 getbymember
429 };
430
431
432 /*ARGSUSED0*/
433 nss_backend_t *
434 _nss_ldap_group_constr(const char *dummy1, const char *dummy2,
435 const char *dummy3)
436 {
437
438 return ((nss_backend_t *)_nss_ldap_constr(gr_ops,
439 sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs,
440 _nss_ldap_group2str));
441 }