summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-06-06 13:48:39 +0000
committerGerald Carter <jerry@samba.org>2003-06-06 13:48:39 +0000
commit1665926281ed2be3c5affca551c9d458d013fc7f (patch)
tree83c4c765fe424dca70d030c0df9c6380a8da1f1d
parent999cde3227210c90132ade3812e964087f04e541 (diff)
downloadsamba-1665926281ed2be3c5affca551c9d458d013fc7f.tar.gz
* break out more common code used between pdb_ldap and idmap_ldap
* remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function
-rw-r--r--source/Makefile.in22
-rw-r--r--source/configure.in21
-rw-r--r--source/include/idmap.h2
-rw-r--r--source/include/smbldap.h2
-rw-r--r--source/lib/smbldap.c99
-rw-r--r--source/param/loadparm.c126
-rw-r--r--source/passdb/pdb_ldap.c164
-rw-r--r--source/sam/idmap.c15
-rw-r--r--source/sam/idmap_ldap.c253
-rw-r--r--source/sam/idmap_tdb.c2
-rw-r--r--source/sam/idmap_winbind.c2
11 files changed, 382 insertions, 326 deletions
diff --git a/source/Makefile.in b/source/Makefile.in
index df66f6a7243..1ebaa37d0b1 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -279,13 +279,13 @@ PASSDB_GET_SET_OBJ = passdb/pdb_get_set.o
PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \
passdb/machine_sid.o passdb/util_sam_sid.o passdb/pdb_compat.o \
- passdb/privileges.o @PDB_STATIC@ $(SMBLDAP__OBJ)
+ passdb/privileges.o @PDB_STATIC@
XML_OBJ = passdb/pdb_xml.o
MYSQL_OBJ = passdb/pdb_mysql.o
DEVEL_HELP_OBJ = modules/weird.o
-IDMAP_OBJ = sam/idmap.o sam/idmap_util.o @IDMAP_STATIC@ $(SMBLDAP_OBJ)
+IDMAP_OBJ = sam/idmap.o sam/idmap_util.o @IDMAP_STATIC@
GROUPDB_OBJ = groupdb/mapping.o
@@ -349,7 +349,7 @@ SMBD_OBJ_BASE = $(PARAM_OBJ) $(SMBD_OBJ_SRV) $(MSDFS_OBJ) $(LIBSMB_OBJ) \
$(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \
$(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(LIBADS_SERVER_OBJ) \
$(LIB_SMBD_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) $(IDMAP_OBJ) \
- $(UBIQX_OBJ) $(BUILDOPT_OBJ)
+ $(UBIQX_OBJ) $(BUILDOPT_OBJ) $(SMBLDAP_OBJ)
PRINTING_OBJ = printing/pcap.o printing/print_svid.o \
printing/print_cups.o printing/print_generic.o \
@@ -389,7 +389,7 @@ SWAT_OBJ1 = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \
SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(LIBSMB_OBJ) \
$(LOCKING_OBJ) $(PASSDB_OBJ) $(SECRETS_OBJ) $(KRBCLIENT_OBJ) \
$(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(PLAINTEXT_AUTH_OBJ) \
- $(POPT_LIB_OBJ) $(IDMAP_OBJ)
+ $(POPT_LIB_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ)
SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \
$(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
@@ -414,11 +414,11 @@ TESTPRNS_OBJ = utils/testprns.o $(PARAM_OBJ) $(PRINTING_OBJ) $(UBIQX_OBJ) \
SMBPASSWD_OBJ = utils/smbpasswd.o $(PARAM_OBJ) $(SECRETS_OBJ) \
$(LIBSMB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)\
$(UBIQX_OBJ) $(LIB_OBJ) $(KRBCLIENT_OBJ) \
- $(IDMAP_OBJ)
+ $(IDMAP_OBJ) $(SMBLDAP_OBJ)
PDBEDIT_OBJ = utils/pdbedit.o $(PARAM_OBJ) $(PASSDB_OBJ) $(LIBSAMBA_OBJ) \
$(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ) $(SECRETS_OBJ) \
- $(POPT_LIB_OBJ) $(IDMAP_OBJ)
+ $(POPT_LIB_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ)
RPCCLIENT_OBJ1 = rpcclient/rpcclient.o rpcclient/cmd_lsarpc.o \
rpcclient/cmd_samr.o rpcclient/cmd_spoolss.o \
@@ -432,7 +432,7 @@ RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(LIBMSRPC_OBJ) \
$(READLINE_OBJ) $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) \
$(LIBADS_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \
- $(IDMAP_OBJ)
+ $(IDMAP_OBJ) $(SMBLDAP_OBJ)
PAM_WINBIND_OBJ = nsswitch/pam_winbind.po nsswitch/wb_common.po lib/snprintf.po
@@ -460,7 +460,7 @@ LIBBIGBALLOFMUD_MAJOR = 0
LIBBIGBALLOFMUD_OBJ = $(PARAM_OBJ) $(LIB_OBJ) $(UBIQX_OBJ) $(SECRETS_OBJ) \
$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_OBJ) \
- $(GROUPDB_OBJ) $(KRBCLIENT_OBJ)
+ $(GROUPDB_OBJ) $(KRBCLIENT_OBJ) $(SMBLDAP_OBJ)
LIBBIGBALLOFMUD_PICOBJS = $(LIBBIGBALLOFMUD_OBJ:.o=.po)
@@ -480,7 +480,7 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
$(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
$(LIBMSRPC_OBJ) $(LIBMSRPC_SERVER_OBJ) \
$(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \
- $(IDMAP_OBJ)
+ $(IDMAP_OBJ) $(SMBLDAP_OBJ)
CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \
$(LIB_OBJ) $(KRBCLIENT_OBJ)
@@ -559,7 +559,7 @@ PROTO_OBJ = $(SMBD_OBJ_MAIN) \
$(LIB_SMBD_OBJ) $(SAM_OBJ) $(REGISTRY_OBJ) $(POPT_LIB_OBJ) \
$(RPC_LSA_OBJ) $(RPC_NETLOG_OBJ) $(RPC_SAMR_OBJ) $(RPC_REG_OBJ) \
$(RPC_SVC_OBJ) $(RPC_WKS_OBJ) $(RPC_DFS_OBJ) $(RPC_SPOOLSS_OBJ) \
- $(IDMAP_OBJ) $(RPC_ECHO_OBJ)
+ $(IDMAP_OBJ) $(RPC_ECHO_OBJ) $(SMBLDAP_OBJ)
NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) \
$(LIB_OBJ) $(NSSWINS_OBJ)
@@ -598,7 +598,7 @@ WINBINDD_OBJ = \
$(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
$(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
- $(PROFILE_OBJ) $(UNIGRP_OBJ) $(IDMAP_OBJ) \
+ $(PROFILE_OBJ) $(UNIGRP_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ) \
$(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ)
WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
diff --git a/source/configure.in b/source/configure.in
index b9315ba2446..64051381856 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -2537,27 +2537,6 @@ AC_ARG_WITH(ldapsam,
AC_MSG_RESULT(no)
)
-#################################################
-# check for IDMAP
-
-AC_DEFINE(WITH_IDMAP,1, [Include IDMAP support])
-
-AC_MSG_CHECKING(whether to use IDMAP only for [ug]id mapping)
-AC_ARG_WITH(idmap,
-[ --with-idmap Include experimental IDMAP support (default=yes)],
-[ case "$withval" in
- yes)
- AC_MSG_RESULT(yes)
- AC_DEFINE(WITH_IDMAP,1,[Whether to include experimental IDMAP support])
- ;;
- no)
- AC_MSG_RESULT(no)
- AC_DEFINE(WITH_IDMAP,0,[Whether to include experimental IDMAP support])
- ;;
- esac ],
- AC_MSG_RESULT(yes)
-)
-
########################################################################################
##
## END OF TESTS FOR SAM BACKENDS.
diff --git a/source/include/idmap.h b/source/include/idmap.h
index 1267ac27bc1..4b38128c2f2 100644
--- a/source/include/idmap.h
+++ b/source/include/idmap.h
@@ -39,7 +39,7 @@
struct idmap_methods {
/* Called when backend is first loaded */
- NTSTATUS (*init)(void);
+ NTSTATUS (*init)( char *params );
NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type);
NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid);
diff --git a/source/include/smbldap.h b/source/include/smbldap.h
index 13451fa24f1..c669f77425f 100644
--- a/source/include/smbldap.h
+++ b/source/include/smbldap.h
@@ -39,6 +39,7 @@
#define LDAP_OBJ_ACCOUNT "account"
#define LDAP_OBJ_POSIXACCOUNT "posixAccount"
#define LDAP_OBJ_POSIXGROUP "posixGroup"
+#define LDAP_OBJ_OU "organizationalUnit"
/* some generic attributes that get reused a lot */
@@ -81,6 +82,7 @@
#define LDAP_ATTR_HOME_DRIVE 29
#define LDAP_ATTR_GROUP_SID 30
#define LDAP_ATTR_GROUP_TYPE 31
+#define LDAP_ATTR_SID 32
typedef struct _attrib_map_entry {
diff --git a/source/lib/smbldap.c b/source/lib/smbldap.c
index 5dbea0669ff..bb37222d5af 100644
--- a/source/lib/smbldap.c
+++ b/source/lib/smbldap.c
@@ -74,7 +74,7 @@ ATTRIB_MAP_ENTRY attrib_map_v30[] = {
{ LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" },
{ LDAP_ATTR_DESC, "description" },
{ LDAP_ATTR_USER_WKS, "sambaUserWorkstations" },
- { LDAP_ATTR_USER_SID, "sambaSID" },
+ { LDAP_ATTR_USER_SID, LDAP_ATTRIBUTE_SID },
{ LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" },
{ LDAP_ATTR_LMPW, "sambaLMPassword" },
{ LDAP_ATTR_NTPW, "sambaNTPassword" },
@@ -90,7 +90,7 @@ ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
{ LDAP_ATTR_DOMAIN, "sambaDomainName" },
{ LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" },
{ LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" },
- { LDAP_ATTR_DOM_SID, "sambaSID" },
+ { LDAP_ATTR_DOM_SID, LDAP_ATTRIBUTE_SID },
{ LDAP_ATTR_LIST_END, NULL },
};
@@ -98,7 +98,7 @@ ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
- { LDAP_ATTR_GROUP_SID, "sambaSID" },
+ { LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
{ LDAP_ATTR_DESC, "description" },
{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
@@ -107,14 +107,14 @@ ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
};
ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
- { LDAP_ATTR_GROUP_SID, "sambaSID" },
+ { LDAP_ATTR_GROUP_SID, LDAP_ATTRIBUTE_SID },
{ LDAP_ATTR_GROUP_TYPE, "sambaGroupType" },
{ LDAP_ATTR_DESC, "description" },
{ LDAP_ATTR_DISPLAY_NAME, "displayName" },
{ LDAP_ATTR_LIST_END, NULL }
};
-/* idmap_ldap samba[U|G]idPool */
+/* idmap_ldap sambaUnixIdPool */
ATTRIB_MAP_ENTRY idpool_attr_list[] = {
{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
@@ -123,7 +123,7 @@ ATTRIB_MAP_ENTRY idpool_attr_list[] = {
};
ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
- { LDAP_ATTR_GROUP_SID, "sambaSID" },
+ { LDAP_ATTR_SID, LDAP_ATTRIBUTE_SID },
{ LDAP_ATTR_UIDNUMBER, LDAP_ATTRIBUTE_UIDNUMBER},
{ LDAP_ATTR_GIDNUMBER, LDAP_ATTRIBUTE_GIDNUMBER},
{ LDAP_ATTR_LIST_END, NULL }
@@ -257,3 +257,90 @@ BOOL fetch_ldap_pw(char **dn, char** pw)
return True;
}
+/************************************************************************
+ Routine to manage the LDAPMod structure array
+ manage memory used by the array, by each struct, and values
+ ***********************************************************************/
+
+void ldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
+{
+ LDAPMod **mods;
+ int i;
+ int j;
+
+ mods = *modlist;
+
+ /* sanity checks on the mod values */
+
+ if (attribute == NULL || *attribute == '\0')
+ return;
+#if 0 /* commented out after discussion with abartlet. Do not reenable.
+ left here so other so re-add similar code --jerry */
+ if (value == NULL || *value == '\0')
+ return;
+#endif
+
+ if (mods == NULL)
+ {
+ mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[0] = NULL;
+ }
+
+ for (i = 0; mods[i] != NULL; ++i) {
+ if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
+ break;
+ }
+
+ if (mods[i] == NULL)
+ {
+ mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
+ if (mods == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
+ if (mods[i] == NULL)
+ {
+ DEBUG(0, ("make_a_mod: out of memory!\n"));
+ return;
+ }
+ mods[i]->mod_op = modop;
+ mods[i]->mod_values = NULL;
+ mods[i]->mod_type = strdup(attribute);
+ mods[i + 1] = NULL;
+ }
+
+ if (value != NULL)
+ {
+ char *utf8_value = NULL;
+
+ j = 0;
+ if (mods[i]->mod_values != NULL) {
+ for (; mods[i]->mod_values[j] != NULL; j++);
+ }
+ mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
+ (j + 2) * sizeof (char *));
+
+ if (mods[i]->mod_values == NULL) {
+ DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
+ return;
+ }
+
+ if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) {
+ DEBUG (0, ("make_a_mod: String conversion failure!\n"));
+ return;
+ }
+
+ mods[i]->mod_values[j] = utf8_value;
+
+ mods[i]->mod_values[j + 1] = NULL;
+ }
+ *modlist = mods;
+}
+
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 16735673217..a5e9b1467f2 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -223,6 +223,8 @@ typedef struct
int iLockSpinTime;
char *szLdapMachineSuffix;
char *szLdapUserSuffix;
+ char *szLdapIdmapSuffix;
+ char *szLdapGroupSuffix;
#ifdef WITH_LDAP_SAMCONFIG
int ldap_port;
char *szLdapServer;
@@ -560,9 +562,8 @@ static BOOL handle_workgroup( const char *pszParmValue, char **ptr );
static BOOL handle_netbios_aliases( const char *pszParmValue, char **ptr );
static BOOL handle_netbios_scope( const char *pszParmValue, char **ptr );
-static BOOL handle_ldap_machine_suffix ( const char *pszParmValue, char **ptr );
-static BOOL handle_ldap_user_suffix ( const char *pszParmValue, char **ptr );
static BOOL handle_ldap_suffix ( const char *pszParmValue, char **ptr );
+static BOOL handle_ldap_sub_suffix ( const char *pszParmValue, char **ptr );
static BOOL handle_acl_compatibility(const char *pszParmValue, char **ptr);
@@ -1035,8 +1036,10 @@ static struct parm_struct parm_table[] = {
{"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0},
#endif
{"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, handle_ldap_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"ldap machine suffix", P_STRING, P_GLOBAL, &Globals.szLdapMachineSuffix, handle_ldap_machine_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"ldap user suffix", P_STRING, P_GLOBAL, &Globals.szLdapUserSuffix, handle_ldap_user_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap machine suffix", P_STRING, P_GLOBAL, &Globals.szLdapMachineSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap user suffix", P_STRING, P_GLOBAL, &Globals.szLdapUserSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap group suffix", P_STRING, P_GLOBAL, &Globals.szLdapGroupSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"ldap idmap suffix", P_STRING, P_GLOBAL, &Globals.szLdapIdmapSuffix, handle_ldap_sub_suffix, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap filter", P_STRING, P_GLOBAL, &Globals.szLdapFilter, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap admin dn", P_STRING, P_GLOBAL, &Globals.szLdapAdminDn, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"ldap ssl", P_ENUM, P_GLOBAL, &Globals.ldap_ssl, NULL, enum_ldap_ssl, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1119,9 +1122,7 @@ static struct parm_struct parm_table[] = {
{"idmap only", P_BOOL, P_GLOBAL, &Globals.bIdmapOnly, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"idmap uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"winbind uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE},
{"idmap gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"winbind gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE},
{"template homedir", P_STRING, P_GLOBAL, &Globals.szTemplateHomedir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1419,6 +1420,8 @@ static void init_globals(void)
string_set(&Globals.szLdapFilter, "(uid=%u)");
string_set(&Globals.szLdapMachineSuffix, "");
string_set(&Globals.szLdapUserSuffix, "");
+ string_set(&Globals.szLdapGroupSuffix, "");
+ string_set(&Globals.szLdapIdmapSuffix, "");
string_set(&Globals.szLdapAdminDn, "");
Globals.ldap_ssl = LDAP_SSL_ON;
@@ -1643,6 +1646,8 @@ FN_GLOBAL_INTEGER(lp_ldap_port, &Globals.ldap_port)
FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)
FN_GLOBAL_STRING(lp_ldap_machine_suffix, &Globals.szLdapMachineSuffix)
FN_GLOBAL_STRING(lp_ldap_user_suffix, &Globals.szLdapUserSuffix)
+FN_GLOBAL_STRING(lp_ldap_idmap_suffix, &Globals.szLdapIdmapSuffix)
+FN_GLOBAL_STRING(lp_ldap_group_suffix, &Globals.szLdapGroupSuffix)
FN_GLOBAL_STRING(lp_ldap_filter, &Globals.szLdapFilter)
FN_GLOBAL_STRING(lp_ldap_admin_dn, &Globals.szLdapAdminDn)
FN_GLOBAL_INTEGER(lp_ldap_ssl, &Globals.ldap_ssl)
@@ -2933,91 +2938,61 @@ static BOOL handle_debug_list( const char *pszParmValueIn, char **ptr )
}
/***************************************************************************
- Handle the ldap machine suffix option.
+ Handle setting ldap suffix and determines whether ldap machine suffix needs
+ to be set as well.
+
+ Set all of the sub suffix strings to be the 'ldap suffix' by default
***************************************************************************/
-static BOOL handle_ldap_machine_suffix( const char *pszParmValue, char **ptr)
+static BOOL handle_ldap_suffix( const char *pszParmValue, char **ptr )
{
- pstring suffix;
-
- pstrcpy(suffix, pszParmValue);
-
- if (! *Globals.szLdapSuffix ) {
- string_set( ptr, suffix );
- return True;
- }
-
- if (! strstr(suffix, Globals.szLdapSuffix) ) {
- if ( *pszParmValue )
- pstrcat(suffix, ",");
- pstrcat(suffix, Globals.szLdapSuffix);
- }
- string_set( ptr, suffix );
- return True;
+ pstring suffix;
+
+ pstrcpy(suffix, pszParmValue);
+
+ /* set defaults for the the sub-suffixes */
+
+ if (! *Globals.szLdapMachineSuffix )
+ string_set(&Globals.szLdapMachineSuffix, suffix);
+ if (! *Globals.szLdapUserSuffix )
+ string_set(&Globals.szLdapUserSuffix, suffix);
+ if (! *Globals.szLdapGroupSuffix )
+ string_set(&Globals.szLdapGroupSuffix, suffix);
+ if (! *Globals.szLdapIdmapSuffix )
+ string_set(&Globals.szLdapIdmapSuffix, suffix);
+
+ string_set(ptr, suffix);
+ return True;
}
/***************************************************************************
- Handle the ldap user suffix option.
+ Handle the ldap sub suffix option.
+ Always append the 'ldap suffix' if it is set
***************************************************************************/
-static BOOL handle_ldap_user_suffix( const char *pszParmValue, char **ptr)
+static BOOL handle_ldap_sub_suffix( const char *pszParmValue, char **ptr)
{
- pstring suffix;
+ pstring suffix;
- pstrcpy(suffix, pszParmValue);
+ pstrcpy(suffix, pszParmValue);
- if (! *Globals.szLdapSuffix ) {
- string_set( ptr, suffix );
- return True;
- }
-
- if (! strstr(suffix, Globals.szLdapSuffix) ) {
- if ( *pszParmValue )
- pstrcat(suffix, ",");
- pstrcat(suffix, Globals.szLdapSuffix);
- }
- string_set( ptr, suffix );
- return True;
+ if (! *Globals.szLdapSuffix ) {
+ string_set( ptr, suffix );
+ return True;
+ }
+ else {
+ if ( *pszParmValue )
+ pstrcat(suffix, ",");
+ pstrcat(suffix, Globals.szLdapSuffix);
+ }
+
+ string_set( ptr, suffix );
+ return True;
}
/***************************************************************************
- Handle setting ldap suffix and determines whether ldap machine suffix needs
- to be set as well.
***************************************************************************/
-static BOOL handle_ldap_suffix( const char *pszParmValue, char **ptr)
-{
- pstring suffix;
- pstring user_suffix;
- pstring machine_suffix;
-
- pstrcpy(suffix, pszParmValue);
-
- if (! *Globals.szLdapMachineSuffix )
- string_set(&Globals.szLdapMachineSuffix, suffix);
- if (! *Globals.szLdapUserSuffix )
- string_set(&Globals.szLdapUserSuffix, suffix);
-
- if (! strstr(Globals.szLdapMachineSuffix, suffix)) {
- pstrcpy(machine_suffix, Globals.szLdapMachineSuffix);
- if ( *Globals.szLdapMachineSuffix )
- pstrcat(machine_suffix, ",");
- pstrcat(machine_suffix, suffix);
- string_set(&Globals.szLdapMachineSuffix, machine_suffix);
- }
-
- if (! strstr(Globals.szLdapUserSuffix, suffix)) {
- pstrcpy(user_suffix, Globals.szLdapUserSuffix);
- if ( *Globals.szLdapUserSuffix )
- pstrcat(user_suffix, ",");
- pstrcat(user_suffix, suffix);
- string_set(&Globals.szLdapUserSuffix, user_suffix);
- }
-
- string_set(ptr, suffix);
- return True;
-}
-
static BOOL handle_acl_compatibility(const char *pszParmValue, char **ptr)
{
if (strequal(pszParmValue, "auto"))
@@ -3031,6 +3006,7 @@ static BOOL handle_acl_compatibility(const char *pszParmValue, char **ptr)
return True;
}
+
/***************************************************************************
Initialise a copymap.
***************************************************************************/
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index e6fd12fd0e3..3ddbd99ca3b 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
@@ -818,93 +818,6 @@ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
return True;
}
-/************************************************************************
-Routine to manage the LDAPMod structure array
-manage memory used by the array, by each struct, and values
-
-************************************************************************/
-static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
-{
- LDAPMod **mods;
- int i;
- int j;
-
- mods = *modlist;
-
- /* sanity checks on the mod values */
-
- if (attribute == NULL || *attribute == '\0')
- return;
-#if 0 /* commented out after discussion with abartlet. Do not reenable.
- left here so other so re-add similar code --jerry */
- if (value == NULL || *value == '\0')
- return;
-#endif
-
- if (mods == NULL)
- {
- mods = (LDAPMod **) malloc(sizeof(LDAPMod *));
- if (mods == NULL)
- {
- DEBUG(0, ("make_a_mod: out of memory!\n"));
- return;
- }
- mods[0] = NULL;
- }
-
- for (i = 0; mods[i] != NULL; ++i) {
- if (mods[i]->mod_op == modop && !strcasecmp(mods[i]->mod_type, attribute))
- break;
- }
-
- if (mods[i] == NULL)
- {
- mods = (LDAPMod **) Realloc (mods, (i + 2) * sizeof (LDAPMod *));
- if (mods == NULL)
- {
- DEBUG(0, ("make_a_mod: out of memory!\n"));
- return;
- }
- mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod));
- if (mods[i] == NULL)
- {
- DEBUG(0, ("make_a_mod: out of memory!\n"));
- return;
- }
- mods[i]->mod_op = modop;
- mods[i]->mod_values = NULL;
- mods[i]->mod_type = strdup(attribute);
- mods[i + 1] = NULL;
- }
-
- if (value != NULL)
- {
- char *utf8_value = NULL;
-
- j = 0;
- if (mods[i]->mod_values != NULL) {
- for (; mods[i]->mod_values[j] != NULL; j++);
- }
- mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
- (j + 2) * sizeof (char *));
-
- if (mods[i]->mod_values == NULL) {
- DEBUG (0, ("make_a_mod: Memory allocation failure!\n"));
- return;
- }
-
- if (push_utf8_allocate(&utf8_value, value) == (size_t)-1) {
- DEBUG (0, ("make_a_mod: String conversion failure!\n"));
- return;
- }
-
- mods[i]->mod_values[j] = utf8_value;
-
- mods[i]->mod_values[j + 1] = NULL;
- }
- *modlist = mods;
-}
-
/**********************************************************************
Set attribute to newval in LDAP, regardless of what value the
attribute had in LDAP before.
@@ -938,7 +851,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
the old value, should it exist. */
if ((newval != NULL) && (strlen(newval) > 0)) {
- make_a_mod(mods, LDAP_MOD_ADD, attribute, newval);
+ ldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
}
if (values == NULL) {
@@ -953,7 +866,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing,
deny the complete operation if somebody changed the
attribute behind our back. */
- make_a_mod(mods, LDAP_MOD_DELETE, attribute, values[0]);
+ ldap_set_mod(mods, LDAP_MOD_DELETE, attribute, values[0]);
ldap_value_free(values);
}
@@ -1009,7 +922,7 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
{
if (StrCaseCmp(*attrib, name) == 0) {
DEBUG(10, ("deleting attribute %s\n", name));
- make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL);
+ ldap_set_mod(&mods, LDAP_MOD_DELETE, name, NULL);
}
}
@@ -1020,10 +933,10 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state,
ber_free(ptr, 0);
}
- make_a_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
+ ldap_set_mod(&mods, LDAP_MOD_DELETE, "objectClass", objectclass);
rc = ldapsam_modify(ldap_state, dn, mods);
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
@@ -1209,12 +1122,11 @@ static uint32 search_next_allocated_rid(struct ldapsam_privates *ldap_state, int
static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
{
pstring tmp;
- pstring filter;
+ pstring filter, dn;
LDAPMod **mods = NULL;
int rc;
int ldap_op;
LDAPMessage *result = NULL;
- char *dn = NULL;
int num_result;
char **attr_list;
@@ -1254,29 +1166,26 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
/* Check if we need to add an entry */
DEBUG(3,("Adding new domain\n"));
ldap_op = LDAP_MOD_ADD;
- asprintf (&dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ snprintf(dn, sizeof(dn), "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
ldap_state->domain_name, lp_ldap_suffix());
/* Free original search */
ldap_msgfree(result);
- if (!dn)
- return NT_STATUS_NO_MEMORY;
-
/* make the changes - the entry *must* not already have samba attributes */
- make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+ ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
ldap_state->domain_name);
sid_to_string(tmp, &ldap_state->domain_sid);
- make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), tmp);
+ ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), tmp);
snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_user_rid);
- make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), tmp);
+ ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), tmp);
snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_group_rid);
- make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), tmp);
+ ldap_set_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), tmp);
- make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
+ ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
switch(ldap_op)
{
@@ -1302,12 +1211,12 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state)
ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
- ldap_mods_free(mods,1);
+ ldap_mods_free(mods, True);
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2,("added: domain = %s in the LDAP database\n", ldap_state->domain_name));
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
return NT_STATUS_OK;
}
@@ -1487,20 +1396,20 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri
get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID),
domain_sid_string))
{
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
ldap_memfree(dn);
ldap_msgfree(result);
return ret;
}
if (!string_to_sid(&dom_sid, domain_sid_string)) {
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
ldap_memfree(dn);
ldap_msgfree(result);
return ret;
}
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
mods = NULL;
ldap_memfree(dn);
ldap_msgfree(result);
@@ -1523,7 +1432,7 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri
DEBUG(2, ("Failed to modify rid: %s\n", ld_error));
SAFE_FREE(ld_error);
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
mods = NULL;
ldap_memfree(dn);
@@ -1989,13 +1898,13 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
"finding next available NUA RID failed, "
"cannot store!\n",
pdb_get_username(sampass)));
- ldap_mods_free(*mods, 1);
+ ldap_mods_free(*mods, True);
return False;
}
} else {
DEBUG(0, ("NO user RID specified on account %s, "
"cannot store!\n", pdb_get_username(sampass)));
- ldap_mods_free(*mods, 1);
+ ldap_mods_free(*mods, True);
return False;
}
@@ -2005,7 +1914,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) {
DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n",
pdb_get_username(sampass)));
- ldap_mods_free(*mods, 1);
+ ldap_mods_free(*mods, True);
return False;
}
}
@@ -2414,7 +2323,7 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
switch(ldap_op)
{
case LDAP_MOD_ADD:
- make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT);
+ ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT);
rc = ldapsam_add(ldap_state, dn, mods);
break;
case LDAP_MOD_REPLACE:
@@ -2605,12 +2514,12 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A
if (mods == NULL) {
DEBUG(4,("mods is empty: nothing to update for user: %s\n",
pdb_get_username(newpwd)));
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
return NT_STATUS_OK;
}
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
- ldap_mods_free(mods,1);
+ ldap_mods_free(mods,True);
if (!NT_STATUS_IS_OK(ret)) {
char *ld_error = NULL;
@@ -2741,10 +2650,10 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
switch ( ldap_state->schema_ver )
{
case SCHEMAVER_SAMBAACCOUNT:
- make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
+ ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT);
break;
case SCHEMAVER_SAMBASAMACCOUNT:
- make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
+ ldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
break;
default:
DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n"));
@@ -2755,12 +2664,12 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
if (NT_STATUS_IS_ERR(ret)) {
DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
pdb_get_username(newpwd),dn));
- ldap_mods_free(mods,1);
+ ldap_mods_free(mods, True);
return ret;
}
DEBUG(2,("added: uid == %s in the LDAP database\n", pdb_get_username(newpwd)));
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
return NT_STATUS_OK;
}
@@ -2804,7 +2713,7 @@ static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
attr_list = get_attr_list(groupmap_attr_list);
- rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope,
+ rc = ldapsam_search(ldap_state, lp_ldap_group_suffix (), scope,
filter, attr_list, 0, result);
free_attr_list( attr_list );
@@ -2816,7 +2725,7 @@ static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state,
"Problem during the LDAP search: LDAP error: %s (%s)",
ld_error?ld_error:"(unknown)", ldap_err2string(rc)));
DEBUG(3, ("ldapsam_search_one_group: Query was: %s, %s\n",
- lp_ldap_suffix(), filter));
+ lp_ldap_group_suffix(), filter));
SAFE_FREE(ld_error);
}
@@ -3093,7 +3002,7 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
if (!init_ldap_from_group(ldap_state->ldap_struct,
result, &mods, map)) {
DEBUG(0, ("init_ldap_from_group failed!\n"));
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
@@ -3105,11 +3014,10 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
return NT_STATUS_UNSUCCESSFUL;
}
- make_a_mod(&mods, LDAP_MOD_ADD, "objectClass",
- "sambaGroupMapping");
+ ldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP );
rc = ldapsam_modify(ldap_state, dn, mods);
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
@@ -3170,7 +3078,7 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods,
rc = ldapsam_modify(ldap_state, dn, mods);
- ldap_mods_free(mods, 1);
+ ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
@@ -3230,14 +3138,14 @@ static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update)
snprintf( filter, sizeof(filter)-1, "(objectclass=%s)", LDAP_OBJ_GROUPMAP);
attr_list = get_attr_list( groupmap_attr_list );
- rc = ldapsam_search(ldap_state, lp_ldap_suffix(),
+ rc = ldapsam_search(ldap_state, lp_ldap_group_suffix(),
LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &ldap_state->result);
free_attr_list( attr_list );
if (rc != LDAP_SUCCESS) {
DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc)));
- DEBUG(3, ("Query was: %s, %s\n", lp_ldap_suffix(), filter));
+ DEBUG(3, ("Query was: %s, %s\n", lp_ldap_group_suffix(), filter));
ldap_msgfree(ldap_state->result);
ldap_state->result = NULL;
return NT_STATUS_UNSUCCESSFUL;
diff --git a/source/sam/idmap.c b/source/sam/idmap.c
index 62377a9228e..d031c49e257 100644
--- a/source/sam/idmap.c
+++ b/source/sam/idmap.c
@@ -105,19 +105,30 @@ BOOL idmap_init(void)
return False;
}
- if (NT_STATUS_IS_ERR(local_map->init())) {
+ if (NT_STATUS_IS_ERR(local_map->init( NULL ))) {
DEBUG(0, ("idmap_init: could not load or create local backend!\n"));
return False;
}
}
if (!remote_map && remote_backend && *remote_backend != 0) {
+ fstring params = "";
+ char *pparams;
+
+ /* get any mode parameters passed in */
+
+ if ( (pparams = strchr( remote_backend, ':' )) != NULL ) {
+ pparams = '\0';
+ pparams++;
+ fstrcpy( params, pparams );
+ }
+
DEBUG(3, ("idmap_init: using '%s' as remote backend\n", remote_backend));
if((remote_map = get_methods(remote_backend)) ||
(NT_STATUS_IS_OK(smb_probe_module("idmap", remote_backend)) &&
(remote_map = get_methods(remote_backend)))) {
- remote_map->init();
+ remote_map->init(params);
} else {
DEBUG(0, ("idmap_init: could not load remote backend '%s'\n", remote_backend));
return False;
diff --git a/source/sam/idmap_ldap.c b/source/sam/idmap_ldap.c
index 352b998cef3..379f7729abb 100644
--- a/source/sam/idmap_ldap.c
+++ b/source/sam/idmap_ldap.c
@@ -34,11 +34,14 @@
#include "smbldap.h"
+#define IDMAP_GROUP_SUFFIX "ou=idmap group"
+#define IDMAP_USER_SUFFIX "ou=idmap people"
+
struct ldap_idmap_state {
LDAP *ldap_struct;
time_t last_ping;
- const char *uri;
+ char *uri;
char *bind_dn;
char *bind_secret;
unsigned int num_failures;
@@ -505,13 +508,13 @@ static NTSTATUS ldap_allocate_id(unid_t *id, int id_type)
LDAPMessage *result = 0;
LDAPMessage *entry = 0;
pstring id_str, new_id_str;
- LDAPMod mod[2];
- LDAPMod *mods[3];
+ LDAPMod **mods = NULL;
const char *type;
- char *val[4];
char *dn;
char **attr_list;
pstring filter;
+ uid_t luid, huid;
+ gid_t lgid, hgid;
type = (id_type & ID_USERID) ?
@@ -522,7 +525,7 @@ static NTSTATUS ldap_allocate_id(unid_t *id, int id_type)
attr_list = get_attr_list( idpool_attr_list );
- rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
+ rc = ldap_idmap_search(&ldap_state, lp_ldap_idmap_suffix(),
LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &result);
free_attr_list( attr_list );
@@ -546,38 +549,40 @@ static NTSTATUS ldap_allocate_id(unid_t *id, int id_type)
type));
goto out;
}
+
+ /* this must succeed or else we wouldn't have initialized */
+
+ lp_idmap_uid( &luid, &huid);
+ lp_idmap_gid( &lgid, &hgid);
- if (id_type & ID_USERID)
+ /* make sure we still have room to grow */
+
+ if (id_type & ID_USERID) {
id->uid = strtoul(id_str, NULL, 10);
- else
+ if (id->uid > huid ) {
+ DEBUG(0,("ldap_allocate_id: Cannot allocate uid above %d!\n", huid));
+ goto out;
+ }
+ }
+ else {
id->gid = strtoul(id_str, NULL, 10);
+ if (id->gid > hgid ) {
+ DEBUG(0,("ldap_allocate_id: Cannot allocate gid above %d!\n", hgid));
+ goto out;
+ }
+ }
-
- mod[0].mod_op = LDAP_MOD_DELETE;
- mod[0].mod_type = strdup(type);
- val[0] = id_str;
- val[1] = NULL;
- mod[0].mod_values = val;
-
snprintf(new_id_str, sizeof(new_id_str), "%u",
((id_type & ID_USERID) ? id->uid : id->gid) + 1);
- mod[1].mod_op = LDAP_MOD_ADD;
- mod[1].mod_type = strdup(type);
- val[2] = new_id_str;
- val[3] = NULL;
- mod[1].mod_values = val + 2;
-
- mods[0] = mod; \
- mods[1] = mod + 1;
- mods[2] = NULL;
+
+ ldap_set_mod( &mods, LDAP_MOD_DELETE, type, id_str );
+ ldap_set_mod( &mods, LDAP_MOD_ADD, type, new_id_str );
rc = ldap_modify_s(ldap_state.ldap_struct, dn, mods);
ldap_memfree(dn);
+ ldap_mods_free( mods, True );
- SAFE_FREE( mod[0].mod_type );
- SAFE_FREE( mod[1].mod_type );
-
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldap_allocate_id: Failed to allocate new %s. ldap_modify() failed.\n",
type));
@@ -599,29 +604,30 @@ static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
LDAPMessage *entry = 0;
pstring sid_str;
pstring filter;
+ pstring suffix;
const char *type;
int rc;
int count;
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
char **attr_list;
- type = (id_type & ID_USERID) ?
- get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER ) :
- get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
-
/* first we try for a samba user or group mapping */
if ( id_type & ID_USERID ) {
+ type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER );
snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%u))",
LDAP_OBJ_SAMBASAMACCOUNT, type, id.uid );
+ pstrcpy( suffix, lp_ldap_suffix());
}
else {
+ type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%u))",
LDAP_OBJ_GROUPMAP, type, id.gid );
+ pstrcpy( suffix, lp_ldap_group_suffix() );
}
attr_list = get_attr_list( sidmap_attr_list );
- rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
+ rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE,
filter, attr_list, 0, &result);
if (rc != LDAP_SUCCESS)
@@ -635,9 +641,19 @@ static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
if (count == 0) {
snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%u))",
LDAP_OBJ_IDMAP_ENTRY, type, ((id_type & ID_USERID) ? id.uid : id.gid));
-
- rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
- LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result);
+
+#if 0 /* commented out for now -- jerry */
+ if ( id_type & ID_USERID )
+ snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_USER_SUFFIX, lp_ldap_idmap_suffix() );
+ else
+ snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_GROUP_SUFFIX, lp_ldap_idmap_suffix() );
+#else
+ pstrcpy( suffix, lp_ldap_idmap_suffix() );
+#endif
+
+ rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE,
+ filter, attr_list, 0, &result);
+
if (rc != LDAP_SUCCESS)
goto out;
@@ -676,6 +692,7 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si
pstring sid_str;
pstring filter;
pstring id_str;
+ pstring suffix;
const char *type;
const char *obj_class;
int rc;
@@ -688,10 +705,12 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si
if ( *id_type & ID_USERID ) {
type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER );
obj_class = LDAP_OBJ_SAMBASAMACCOUNT;
+ pstrcpy( suffix, lp_ldap_suffix() );
}
else {
type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
obj_class = LDAP_OBJ_GROUPMAP;
+ pstrcpy( suffix, lp_ldap_group_suffix() );
}
sid_to_string(sid_str, sid);
@@ -699,7 +718,7 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si
LDAP_ATTRIBUTE_SID, sid_str);
attr_list = get_attr_list( sidmap_attr_list );
- rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
+ rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE,
filter, attr_list, 0, &result);
if (rc != LDAP_SUCCESS)
@@ -714,8 +733,17 @@ static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *si
snprintf(filter, sizeof(filter), "(&(objectClass=%s)(%s=%s))",
LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_SID, sid_str);
- rc = ldap_idmap_search(&ldap_state, lp_ldap_suffix(),
- LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result);
+#if 0 /* commented out for now -- jerry */
+ if ( *id_type & ID_USERID )
+ snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_USER_SUFFIX, lp_ldap_idmap_suffix() );
+ else
+ snprintf( suffix, sizeof(suffix), "%s,%s", IDMAP_GROUP_SUFFIX, lp_ldap_idmap_suffix() );
+#else
+ pstrcpy( suffix, lp_ldap_idmap_suffix() );
+#endif
+
+ rc = ldap_idmap_search(&ldap_state, suffix, LDAP_SCOPE_SUBTREE,
+ filter, attr_list, 0, &result);
if (rc != LDAP_SUCCESS)
goto out;
@@ -777,10 +805,8 @@ out:
static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
{
pstring dn, sid_str, id_str;
- fstring type, obj_str, obj_str_val, attr_sid;
- LDAPMod *mods[4];
- LDAPMod mod[3];
- char *val[6];
+ fstring type;
+ LDAPMod **mods = NULL;
int rc;
int attempts = 0;
@@ -789,43 +815,24 @@ static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
else
fstrcpy( type, get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER ) );
- snprintf(dn, sizeof(dn), "%s=%u,%s", type, ((id_type & ID_USERID) ? id.uid : id.gid),
- lp_ldap_suffix());
-
- fstrcpy( obj_str, "objectClass" );
- fstrcpy( obj_str_val, LDAP_OBJ_IDMAP_ENTRY );
- fstrcpy( attr_sid, LDAP_ATTRIBUTE_SID );
-
- /* objectClass */
-
- mod[0].mod_op = LDAP_MOD_ADD;
- mod[0].mod_type = obj_str;
- val[0] = obj_str_val;
- val[1] = NULL;
- mod[0].mod_values = val;
+#if 0
+ snprintf(dn, sizeof(dn), "%s=%u,%s,%s", type,
+ ((id_type & ID_USERID) ? id.uid : id.gid),
+ ((id_type & ID_USERID) ? IDMAP_USER_SUFFIX : IDMAP_GROUP_SUFFIX ),
+ lp_ldap_idmap_suffix());
+#else
+ snprintf(dn, sizeof(dn), "%s=%u,%s", type,
+ ((id_type & ID_USERID) ? id.uid : id.gid),
+ lp_ldap_idmap_suffix());
+#endif
- /* uid or gid */
-
snprintf(id_str, sizeof(id_str), "%u", ((id_type & ID_USERID) ? id.uid : id.gid));
- mod[1].mod_op = LDAP_MOD_ADD;
- mod[1].mod_type = type;
- val[2] = id_str;
- val[3] = NULL;
- mod[1].mod_values = val+2;
-
- /* SID */
+ sid_to_string( sid_str, sid );
- sid_to_string(sid_str, sid);
- mod[2].mod_op = LDAP_MOD_ADD;
- mod[2].mod_type = attr_sid;
- val[4] = sid_str;
- val[5] = NULL;
- mod[2].mod_values = val+4;
-
- mods[0] = mod;
- mods[1] = mod + 1;
- mods[2] = mod + 2;
- mods[3] = NULL;
+ ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY );
+ ldap_set_mod( &mods, LDAP_MOD_ADD, type, id_str );
+ ldap_set_mod( &mods, LDAP_MOD_ADD,
+ get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), sid_str );
do {
if ((rc = ldap_idmap_retry_open(&ldap_state, &attempts)) != LDAP_SUCCESS)
@@ -833,7 +840,8 @@ static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
rc = ldap_add_s(ldap_state.ldap_struct, dn, mods);
} while ((rc == LDAP_SERVER_DOWN) && (attempts <= 8));
-
+
+ ldap_mods_free( mods, True );
if (rc != LDAP_SUCCESS) {
DEBUG(0,("ldap_set_mapping: Failed to create mapping from %s to %d [%s]\n",
@@ -850,11 +858,92 @@ static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
/*****************************************************************************
Initialise idmap database.
*****************************************************************************/
-static NTSTATUS ldap_idmap_init(void)
+static NTSTATUS ldap_idmap_init( char *params )
{
- /* We wait for the first search request before we try to connect to
- the LDAP server. We may want to connect upon initialization though
- -- aliguori */
+ fstring filter;
+#if 0
+ pstring dn;
+#endif
+ int rc;
+ char **attr_list;
+ LDAPMessage *result = NULL;
+ LDAPMod **mods = NULL;
+ int count;
+
+ /* parse out the server (assuming only parameter is a URI) */
+
+ if ( params )
+ ldap_state.uri = smb_xstrdup( params );
+ else
+ ldap_state.uri = smb_xstrdup( "ldap://localhost/" );
+
+ /* see if the idmap suffix and sub entries exists */
+
+ snprintf( filter, sizeof(filter), "(objectclass=%s)", LDAP_OBJ_IDPOOL );
+
+ attr_list = get_attr_list( idpool_attr_list );
+ rc = ldap_idmap_search(&ldap_state, lp_ldap_idmap_suffix(),
+ LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result);
+ free_attr_list ( attr_list );
+
+ if (rc != LDAP_SUCCESS)
+ return NT_STATUS_UNSUCCESSFUL;
+
+ count = ldap_count_entries(ldap_state.ldap_struct, result);
+
+ if ( count > 1 ) {
+ DEBUG(0,("ldap_idmap_init: multiple entries returned from %s (base == %s)\n",
+ filter, lp_ldap_idmap_suffix() ));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ else if (count == 0) {
+ uid_t luid, huid;
+ gid_t lgid, hgid;
+ fstring uid_str, gid_str;
+ int attempts = 0;
+
+ if ( !lp_idmap_uid(&luid, &huid) || !lp_idmap_gid( &lgid, &hgid ) ) {
+ DEBUG(0,("ldap_idmap_init: idmap uid/gid parameters not specified\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ snprintf( uid_str, sizeof(uid_str), "%d", luid );
+ snprintf( gid_str, sizeof(gid_str), "%d", lgid );
+
+ ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDPOOL );
+ ldap_set_mod( &mods, LDAP_MOD_ADD,
+ get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER), uid_str );
+ ldap_set_mod( &mods, LDAP_MOD_ADD,
+ get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER), gid_str );
+
+ do {
+ if ((rc = ldap_idmap_retry_open(&ldap_state, &attempts)) != LDAP_SUCCESS)
+ continue;
+
+ rc = ldap_modify_s(ldap_state.ldap_struct, lp_ldap_idmap_suffix(), mods);
+ } while ((rc == LDAP_SERVER_DOWN) && (attempts <= 8));
+ }
+
+ /* we have the initial entry now; let's create the sub entries */
+ /* if they already exist then this will fail, but we don't care */
+
+#if 0 /* commenting out for now, but I will come back to this --jerry */
+
+ mods = NULL;
+ snprintf( dn, sizeof(dn), "%s,%s", IDMAP_USER_SUFFIX, lp_ldap_idmap_suffix() );
+ ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_OU );
+ ldap_set_mod( &mods, LDAP_MOD_ADD, "ou", "idmap people" );
+ ldap_add_s(ldap_state.ldap_struct, dn, mods);
+ ldap_mods_free( mods, True );
+
+ mods = NULL;
+ snprintf( dn, sizeof(dn), "%s,%s", IDMAP_GROUP_SUFFIX, lp_ldap_idmap_suffix() );
+ ldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_OU );
+ ldap_set_mod( &mods, LDAP_MOD_ADD, "ou", "idmap group" );
+ ldap_add_s(ldap_state.ldap_struct, dn, mods);
+ ldap_mods_free( mods, True );
+#endif
+
return NT_STATUS_OK;
}
@@ -868,6 +957,10 @@ static NTSTATUS ldap_idmap_close(void)
ldap_unbind_ext(ldap_state.ldap_struct, NULL, NULL);
ldap_state.ldap_struct = NULL;
}
+
+ SAFE_FREE( ldap_state.uri );
+ SAFE_FREE( ldap_state.bind_dn );
+ SAFE_FREE( ldap_state.bind_secret );
DEBUG(5,("The connection to the LDAP server was closed\n"));
/* maybe free the results here --metze */
diff --git a/source/sam/idmap_tdb.c b/source/sam/idmap_tdb.c
index 3098184c829..278269e8198 100644
--- a/source/sam/idmap_tdb.c
+++ b/source/sam/idmap_tdb.c
@@ -263,7 +263,7 @@ static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
/*****************************************************************************
Initialise idmap database.
*****************************************************************************/
-static NTSTATUS db_idmap_init(void)
+static NTSTATUS db_idmap_init( char *params )
{
SMB_STRUCT_STAT stbuf;
char *tdbfile = NULL;
diff --git a/source/sam/idmap_winbind.c b/source/sam/idmap_winbind.c
index bff870b8fcf..d15d8f20a15 100644
--- a/source/sam/idmap_winbind.c
+++ b/source/sam/idmap_winbind.c
@@ -122,7 +122,7 @@ static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, int id_type) {
/*****************************************************************************
Initialise idmap database.
*****************************************************************************/
-static NTSTATUS db_init(void) {
+static NTSTATUS db_init( char *params ) {
return NT_STATUS_OK;
}