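/**
 * Initialise the LDAP idmap backend for one idmap domain.
 *
 * Reads "idmap config <domain>:ldap_url" and "idmap config <domain>:ldap_base_dn"
 * (falling back to the global idmap suffix for the latter), opens the LDAP
 * connection, binds with the configured credentials and verifies the ID pool.
 *
 * @param dom  The idmap domain being initialised. On success dom->private_data
 *             owns the new struct idmap_ldap_context (a talloc child of dom).
 * @return NT_STATUS_OK on success; NT_STATUS_FILE_IS_OFFLINE when winbind is
 *         offline; NT_STATUS_NO_MEMORY on allocation failure;
 *         NT_STATUS_UNSUCCESSFUL when no url or suffix is configured; otherwise
 *         the error from smbldap_init(), get_credentials() or verify_idpool().
 *         On every failure the context is freed and dom->private_data does not
 *         point at it.
 */
static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
{
	NTSTATUS ret;
	struct idmap_ldap_context *ctx = NULL;
	char *config_option = NULL;
	const char *tmp = NULL;

	/* Only do init if we are online */
	if (idmap_is_offline()) {
		return NT_STATUS_FILE_IS_OFFLINE;
	}

	ctx = talloc_zero(dom, struct idmap_ldap_context);
	if (ctx == NULL) {
		DEBUG(0, ("Out of memory!\n"));
		return NT_STATUS_NO_MEMORY;
	}

	/* Allocated under ctx so the failure path below releases it too */
	config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
	CHECK_ALLOC_DONE(config_option);

	tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
	if (tmp == NULL) {
		DEBUG(1, ("ERROR: missing idmap ldap url\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	ctx->url = talloc_strdup(ctx, tmp);
	/* trim_char() below dereferences ctx->url; an OOM here was unchecked */
	CHECK_ALLOC_DONE(ctx->url);

	/* Strip double quotes that may surround the url in smb.conf */
	trim_char(ctx->url, '\"', '\"');

	tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
	if (tmp == NULL || *tmp == '\0') {
		/* No per-domain base DN: fall back to the global idmap suffix */
		tmp = lp_ldap_idmap_suffix(talloc_tos());
		if (tmp == NULL) {
			DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}

	ctx->suffix = talloc_strdup(ctx, tmp);
	CHECK_ALLOC_DONE(ctx->suffix);

	ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
	CHECK_ALLOC_DONE(ctx->rw_ops);

	ctx->rw_ops->get_new_id = idmap_ldap_allocate_id_internal;
	ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;

	/* get_credentials deals with setting up creds */

	ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
			   false, NULL, NULL, &ctx->smbldap_state);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
		goto done;
	}

	ret = get_credentials(ctx, ctx->smbldap_state, config_option,
			      dom, &ctx->user_dn);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("idmap_ldap_db_init: Failed to get connection "
			  "credentials (%s)\n", nt_errstr(ret)));
		goto done;
	}

	/*
	 * Set the destructor on the context, so that resources are
	 * properly freed when the context is released -- including by the
	 * talloc_free(ctx) on the failure path below.
	 */
	talloc_set_destructor(ctx, idmap_ldap_close_destructor);

	/*
	 * verify_idpool() is handed the domain, so presumably it reaches the
	 * context through dom->private_data; it must be set before the call.
	 */
	dom->private_data = ctx;

	ret = verify_idpool(dom);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("idmap_ldap_db_init: failed to verify ID pool (%s)\n",
			  nt_errstr(ret)));
		goto done;
	}

	/* The option prefix is only needed during initialisation */
	talloc_free(config_option);
	return NT_STATUS_OK;

/* failed */
done:
	/* Never leave the domain pointing at a context that is being freed */
	if (dom->private_data == ctx) {
		dom->private_data = NULL;
	}
	talloc_free(ctx);
	return ret;
}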
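/**
 * Initialise the LDAP idmap backend for one idmap domain (older variant).
 *
 * Parses the optional "idmap config <domain>:range" filter ("<low> - <high>"),
 * takes the LDAP url from dom->params when non-empty or else from
 * "idmap config <domain>:ldap_url", and the base DN from
 * "idmap config <domain>:ldap_base_dn" or else the global idmap suffix.
 *
 * @param dom  The idmap domain being initialised. On success dom->private_data
 *             owns the new struct idmap_ldap_context and dom->initialized is set.
 * @return NT_STATUS_OK on success; NT_STATUS_FILE_IS_OFFLINE when winbind is
 *         offline; NT_STATUS_NO_MEMORY on allocation failure;
 *         NT_STATUS_UNSUCCESSFUL when no url or suffix is configured; otherwise
 *         the error from smbldap_init() or get_credentials(). The context is
 *         freed on every failure.
 */
static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
{
	NTSTATUS ret;
	struct idmap_ldap_context *ctx = NULL;
	char *config_option = NULL;
	const char *range = NULL;
	const char *tmp = NULL;

	/* Only do init if we are online */
	if (idmap_is_offline()) {
		return NT_STATUS_FILE_IS_OFFLINE;
	}

	ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
	if (ctx == NULL) {
		DEBUG(0, ("Out of memory!\n"));
		return NT_STATUS_NO_MEMORY;
	}

	/* Allocated under ctx so the failure path below releases it too */
	config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
	CHECK_ALLOC_DONE(config_option);

	/*
	 * Load the filter range. An unparsable or inverted range is logged and
	 * the filter disabled (both bounds 0) rather than failing init.
	 * Note that %u accepts a leading sign, so a negative bound silently
	 * becomes a very large unsigned value.
	 */
	range = lp_parm_const_string(-1, config_option, "range", NULL);
	if (range != NULL && range[0] != '\0') {
		int parsed = sscanf(range, "%u - %u", &ctx->filter_low_id,
				    &ctx->filter_high_id);
		if (parsed != 2 || ctx->filter_low_id > ctx->filter_high_id) {
			/* the original message lacked its line terminator */
			DEBUG(1, ("ERROR: invalid filter range [%s]\n", range));
			ctx->filter_low_id = 0;
			ctx->filter_high_id = 0;
		}
	}

	if (dom->params != NULL && *dom->params != '\0') {
		/* assume location is the only parameter */
		ctx->url = talloc_strdup(ctx, dom->params);
	} else {
		tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
		if (tmp == NULL) {
			DEBUG(1, ("ERROR: missing idmap ldap url\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
		ctx->url = talloc_strdup(ctx, tmp);
	}
	CHECK_ALLOC_DONE(ctx->url);

	tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
	if (tmp == NULL || *tmp == '\0') {
		/* No per-domain base DN: fall back to the global idmap suffix */
		tmp = lp_ldap_idmap_suffix();
		if (tmp == NULL) {
			DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}

	ctx->suffix = talloc_strdup(ctx, tmp);
	CHECK_ALLOC_DONE(ctx->suffix);

	ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
			   &ctx->smbldap_state);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
		goto done;
	}

	ret = get_credentials(ctx, ctx->smbldap_state, config_option,
			      dom, &ctx->user_dn);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("idmap_ldap_db_init: Failed to get connection "
			  "credentials (%s)\n", nt_errstr(ret)));
		goto done;
	}

	/*
	 * Set the destructor on the context, so that resources are properly
	 * freed when the context is released.
	 */
	talloc_set_destructor(ctx, idmap_ldap_close_destructor);

	dom->private_data = ctx;
	dom->initialized = True;

	/* The option prefix is only needed during initialisation */
	talloc_free(config_option);
	return NT_STATUS_OK;

/* failed */
done:
	talloc_free(ctx);
	return ret;
}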
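/*
 * Write one organizationalUnit container entry to the LDIF stream.
 *
 * Returns false when 'ou' is NULL, i.e. when no "attr=value," component could
 * be taken from the container DN. The caller then aborts instead of emitting
 * an entry without its mandatory ou attribute (the original passed the NULL
 * straight to "%s", which is undefined behaviour).
 */
static bool ldif_write_ou(FILE *add_fd, const char *dn, const char *ou)
{
	if (ou == NULL) {
		fprintf(stderr, "Cannot determine the ou attribute of %s\n", dn);
		return false;
	}
	fprintf(add_fd, "# %s\n", dn);
	fprintf(add_fd, "dn: %s\n", dn);
	fprintf(add_fd, "objectClass: organizationalUnit\n");
	fprintf(add_fd, "ou: %s\n", ou);
	fprintf(add_fd, "\n");
	fflush(add_fd);
	return true;
}

/*
 * Write one group entry (posixGroup + group mapping) below
 * "ou=<group_attr>,<suffix>".
 *
 * sid_base is the domain or BUILTIN SID that 'rid' is appended to;
 * member_uid may be NULL. Attribute order inside an LDIF entry is not
 * significant, so one canonical order is used for every group.
 */
static void ldif_write_group(FILE *add_fd, const char *group_attr,
			     const char *suffix, const char *cn,
			     const char *member_uid, const char *description,
			     int gid, const char *sid_base, int rid,
			     int group_type)
{
	fprintf(add_fd, "# %s, %s, %s\n", cn, group_attr, suffix);
	fprintf(add_fd, "dn: cn=%s,ou=%s,%s\n", cn, group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "cn: %s\n", cn);
	if (member_uid != NULL) {
		fprintf(add_fd, "memberUid: %s\n", member_uid);
	}
	fprintf(add_fd, "description: %s\n", description);
	fprintf(add_fd, "gidNumber: %d\n", gid);
	fprintf(add_fd, "sambaSID: %s-%d\n", sid_base, rid);
	fprintf(add_fd, "sambaGroupType: %d\n", group_type);
	fprintf(add_fd, "displayName: %s\n", cn);
	fprintf(add_fd, "\n");
	fflush(add_fd);
}

/**
 * Emit the LDIF skeleton for a new Samba domain: the base entry, the
 * user/group/machine/idmap containers (each only if configured and distinct
 * from the base), the domain entry and the well-known domain and BUILTIN
 * groups.
 *
 * @param sid          Domain SID used for the domain entry and domain groups.
 * @param suffix       LDAP base DN everything is written below.
 * @param builtin_sid  SID prefix used for the BUILTIN groups (type 5).
 * @param add_fd       Open stream the LDIF is written to; not closed here.
 * @return NT_STATUS_OK on success, NT_STATUS_NO_MEMORY when a suffix lookup
 *         or allocation fails, NT_STATUS_INVALID_PARAMETER when the group
 *         container cannot be derived (every group DN depends on it),
 *         NT_STATUS_UNSUCCESSFUL when a container has no ou component or the
 *         stream reports a write error. Increments the file-scope ldif_uid /
 *         ldif_gid counters for the domain entry.
 */
static NTSTATUS populate_ldap_for_ldif(const char *sid,
				       const char *suffix,
				       const char *builtin_sid,
				       FILE *add_fd)
{
	const char *user_suffix, *group_suffix, *machine_suffix, *idmap_suffix;
	char *user_attr = NULL, *group_attr = NULL;
	char *suffix_attr;
	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;

	/*
	 * Get the suffix attribute (presumably the text between the first '='
	 * and the following ','); fall back to the whole suffix when there is
	 * no such component.
	 */
	suffix_attr = sstring_sub(suffix, '=', ',');
	if (suffix_attr == NULL) {
		size_t len = strlen(suffix);
		suffix_attr = SMB_MALLOC(len + 1);
		if (suffix_attr == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
		memcpy(suffix_attr, suffix, len + 1); /* includes the NUL */
	}

	/* Write the base */
	fprintf(add_fd, "# %s\n", suffix);
	fprintf(add_fd, "dn: %s\n", suffix);
	fprintf(add_fd, "objectClass: dcObject\n");
	fprintf(add_fd, "objectClass: organization\n");
	fprintf(add_fd, "o: %s\n", suffix_attr);
	fprintf(add_fd, "dc: %s\n", suffix_attr);
	fprintf(add_fd, "\n");
	fflush(add_fd);

	user_suffix = lp_ldap_user_suffix(talloc_tos());
	if (user_suffix == NULL) {
		ret = NT_STATUS_NO_MEMORY;
		goto done;
	}
	/* Users container: only if set and distinct from the base */
	if (*user_suffix != '\0' && strcmp(user_suffix, suffix) != 0) {
		user_attr = sstring_sub(user_suffix, '=', ',');
		if (!ldif_write_ou(add_fd, user_suffix, user_attr)) {
			goto done;
		}
	}

	group_suffix = lp_ldap_group_suffix(talloc_tos());
	if (group_suffix == NULL) {
		ret = NT_STATUS_NO_MEMORY;
		goto done;
	}
	/* Groups container: only if set and distinct from the base */
	if (*group_suffix != '\0' && strcmp(group_suffix, suffix) != 0) {
		group_attr = sstring_sub(group_suffix, '=', ',');
		if (!ldif_write_ou(add_fd, group_suffix, group_attr)) {
			goto done;
		}
	}

	machine_suffix = lp_ldap_machine_suffix(talloc_tos());
	if (machine_suffix == NULL) {
		ret = NT_STATUS_NO_MEMORY;
		goto done;
	}
	/* Computers container: only if set and distinct from users and base */
	if (*machine_suffix != '\0' &&
	    strcmp(machine_suffix, user_suffix) != 0 &&
	    strcmp(machine_suffix, suffix) != 0) {
		char *machine_ou = sstring_sub(machine_suffix, '=', ',');
		bool ok = ldif_write_ou(add_fd, machine_suffix, machine_ou);
		SAFE_FREE(machine_ou);
		if (!ok) {
			goto done;
		}
	}

	idmap_suffix = lp_ldap_idmap_suffix(talloc_tos());
	if (idmap_suffix == NULL) {
		ret = NT_STATUS_NO_MEMORY;
		goto done;
	}
	/* IdMap container: only if set and distinct from users and base */
	if (*idmap_suffix != '\0' &&
	    strcmp(idmap_suffix, user_suffix) != 0 &&
	    strcmp(idmap_suffix, suffix) != 0) {
		char *idmap_ou = sstring_sub(idmap_suffix, '=', ',');
		bool ok = ldif_write_ou(add_fd, idmap_suffix, idmap_ou);
		SAFE_FREE(idmap_ou);
		if (!ok) {
			goto done;
		}
	}

	/* Write the domain entity */
	fprintf(add_fd, "# %s, %s\n", lp_workgroup(), suffix);
	fprintf(add_fd, "dn: sambaDomainName=%s,%s\n", lp_workgroup(),
		suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_DOMINFO);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_IDPOOL);
	fprintf(add_fd, "sambaDomainName: %s\n", lp_workgroup());
	fprintf(add_fd, "sambaSID: %s\n", sid);
	fprintf(add_fd, "uidNumber: %d\n", ++ldif_uid);
	fprintf(add_fd, "gidNumber: %d\n", ++ldif_gid);
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/*
	 * Every group entry lives under ou=<group_attr>,<suffix>. The original
	 * went on with a NULL group_attr (group suffix unset or equal to the
	 * base), producing "ou=(null)" DNs at best; refuse instead.
	 */
	if (group_attr == NULL) {
		fprintf(stderr, "ldap group suffix must be a container "
			"distinct from %s\n", suffix);
		ret = NT_STATUS_INVALID_PARAMETER;
		goto done;
	}

	/* Domain groups: sambaGroupType 2, SID relative to the domain */
	ldif_write_group(add_fd, group_attr, suffix, "Domain Admins",
			 "Administrator", "Netbios Domain Administrators",
			 512, sid, 512, 2);
	ldif_write_group(add_fd, group_attr, suffix, "Domain Users",
			 NULL, "Netbios Domain Users", 513, sid, 513, 2);
	ldif_write_group(add_fd, group_attr, suffix, "Domain Guests",
			 NULL, "Netbios Domain Guests", 514, sid, 514, 2);
	ldif_write_group(add_fd, group_attr, suffix, "Domain Computers",
			 NULL, "Netbios Domain Computers accounts",
			 515, sid, 515, 2);

	/* BUILTIN groups: sambaGroupType 5, SID relative to builtin_sid */
	ldif_write_group(add_fd, group_attr, suffix, "Administrators", NULL,
			 "Netbios Domain Members can fully administer the computer/sambaDomainName",
			 544, builtin_sid, 544, 5);
	ldif_write_group(add_fd, group_attr, suffix, "Print Operators", NULL,
			 "Netbios Domain Print Operators",
			 550, builtin_sid, 550, 5);
	ldif_write_group(add_fd, group_attr, suffix, "Backup Operators", NULL,
			 "Netbios Domain Members can bypass file security to back up files",
			 551, builtin_sid, 551, 5);
	ldif_write_group(add_fd, group_attr, suffix, "Replicators", NULL,
			 "Netbios Domain Supports file replication in a sambaDomainName",
			 552, builtin_sid, 552, 5);

	/* None of the fprintf() results were checked; report a sticky error */
	ret = ferror(add_fd) ? NT_STATUS_UNSUCCESSFUL : NT_STATUS_OK;

done:
	/* Deallocate memory, and return */
	SAFE_FREE(suffix_attr);
	SAFE_FREE(user_attr);
	SAFE_FREE(group_attr);
	return ret;
}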
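/**
 * Initialise the file-scope LDAP ID-allocation context (idmap_alloc_ldap).
 *
 * The allocation range is read from "idmap alloc config:range"
 * ("<low> - <high>"), but the smb.conf "idmap uid" / "idmap gid" ranges
 * override it when set (those assignments run after the range parse). The
 * LDAP url is 'params' when non-empty, else "idmap alloc config:ldap_url";
 * the base DN is "idmap alloc config:ldap_base_dn", else the global idmap
 * suffix.
 *
 * @param params  Optional backend parameter string; when non-empty it is
 *                used verbatim as the LDAP url.
 * @return NT_STATUS_OK on success; NT_STATUS_FILE_IS_OFFLINE when winbind is
 *         offline; NT_STATUS_NO_MEMORY on allocation failure;
 *         NT_STATUS_UNSUCCESSFUL for a missing/invalid uid or gid range, url
 *         or suffix; otherwise the error from smbldap_init(),
 *         get_credentials() or verify_idpool(). On failure idmap_alloc_ldap is
 *         freed and reset to NULL.
 */
static NTSTATUS idmap_ldap_alloc_init(const char *params)
{
	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
	const char *range = NULL;
	const char *tmp = NULL;
	uid_t low_uid = 0;
	uid_t high_uid = 0;
	gid_t low_gid = 0;
	gid_t high_gid = 0;

	/* Only do init if we are online */
	if (idmap_is_offline()) {
		return NT_STATUS_FILE_IS_OFFLINE;
	}

	/* TALLOC_ZERO_P leaves all four range bounds at 0 */
	idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
	CHECK_ALLOC_DONE(idmap_alloc_ldap);

	/*
	 * Load the range from "idmap alloc config:range". Problems are only
	 * logged here; the bounds stay 0 and the checks further down reject
	 * them unless "idmap uid"/"idmap gid" supply a range. Note that %u
	 * accepts a leading sign, so a negative bound becomes a very large
	 * unsigned value instead of a parse error.
	 */
	range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
	if (range != NULL && range[0] != '\0') {
		unsigned low_id, high_id;

		if (sscanf(range, "%u - %u", &low_id, &high_id) != 2) {
			/* the original messages lacked their line terminators */
			DEBUG(1, ("ERROR: invalid syntax for idmap alloc "
				  "config:range [%s]\n", range));
		} else if (low_id >= high_id) {
			DEBUG(1, ("ERROR: invalid idmap alloc range "
				  "[%s]\n", range));
		} else {
			idmap_alloc_ldap->low_gid = low_id;
			idmap_alloc_ldap->low_uid = low_id;
			idmap_alloc_ldap->high_gid = high_id;
			idmap_alloc_ldap->high_uid = high_id;
		}
	}

	/* Explicit smb.conf uid/gid ranges take precedence over the above */
	if (lp_idmap_uid(&low_uid, &high_uid)) {
		idmap_alloc_ldap->low_uid = low_uid;
		idmap_alloc_ldap->high_uid = high_uid;
	}

	if (lp_idmap_gid(&low_gid, &high_gid)) {
		idmap_alloc_ldap->low_gid = low_gid;
		idmap_alloc_ldap->high_gid = high_gid;
	}

	if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
		DEBUG(1, ("idmap uid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
		DEBUG(1, ("idmap gid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (params != NULL && *params != '\0') {
		/* assume location is the only parameter */
		idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
	} else {
		tmp = lp_parm_const_string(-1, "idmap alloc config",
					   "ldap_url", NULL);
		if (tmp == NULL) {
			DEBUG(1, ("ERROR: missing idmap ldap url\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
		idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
	}
	CHECK_ALLOC_DONE(idmap_alloc_ldap->url);

	tmp = lp_parm_const_string(-1, "idmap alloc config",
				   "ldap_base_dn", NULL);
	if (tmp == NULL || *tmp == '\0') {
		/* No explicit base DN: fall back to the global idmap suffix */
		tmp = lp_ldap_idmap_suffix();
		if (tmp == NULL) {
			DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}

	idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
	CHECK_ALLOC_DONE(idmap_alloc_ldap->suffix);

	ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
			   idmap_alloc_ldap->url,
			   &idmap_alloc_ldap->smbldap_state);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
			  idmap_alloc_ldap->url));
		goto done;
	}

	ret = get_credentials(idmap_alloc_ldap,
			      idmap_alloc_ldap->smbldap_state,
			      "idmap alloc config", NULL,
			      &idmap_alloc_ldap->user_dn);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("idmap_ldap_alloc_init: Failed to get connection "
			  "credentials (%s)\n", nt_errstr(ret)));
		goto done;
	}

	/* see if the idmap suffix and sub entries exist */
	ret = verify_idpool();

done:
	/* TALLOC_FREE also resets the global to NULL */
	if (!NT_STATUS_IS_OK(ret)) {
		TALLOC_FREE(idmap_alloc_ldap);
	}

	return ret;
}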