/*
 * Plugin entry point: allocate the cifs idmap context and initialise the
 * sss_idmap library for it.
 *
 * @param handle  receives the new struct sssd_ctx on success; ownership
 *                passes to the caller
 * @param errmsg  receives a pointer to a static error string on failure;
 *                the context keeps this pointer for later error reporting
 *
 * @return 0 on success, EINVAL if either out-parameter is NULL, -1 on
 *         allocation or sss_idmap_init() failure (with *errmsg set)
 */
int cifs_idmap_init_plugin(void **handle, const char **errmsg)
{
    if (!handle || !errmsg) {
        return EINVAL;
    }

    struct sssd_ctx *ctx = malloc(sizeof *ctx);
    if (ctx == NULL) {
        *errmsg = "Failed to allocate context";
        return -1;
    }

    /* Remember where errors are reported, then clear any stale message. */
    ctx->errmsg = errmsg;
    ctx_set_error(ctx, NULL);

    /* NULL allocator callbacks: presumably the library's built-in default. */
    enum idmap_error_code err = sss_idmap_init(NULL, NULL, NULL, &ctx->idmap);
    if (err == IDMAP_SUCCESS) {
        *handle = ctx;
        return 0;
    }

    /* Report before freeing. NOTE(review): this assumes ctx_set_error()
     * stores the message via ctx->errmsg (the caller's variable) rather
     * than inside ctx, otherwise the text is lost with the free — confirm. */
    ctx_set_error(ctx, idmap_error_string(err));
    free(ctx);
    return -1;
}
/*
 * Create the IPA variant of the sdap ID-mapping context: a fresh sss_idmap
 * map owned by the context, populated with the ID ranges already stored in
 * sysdb.
 *
 * @param mem_ctx     talloc parent of the returned context
 * @param id_ctx      the sdap ID context the mapping belongs to
 * @param _idmap_ctx  receives the new context on success
 *
 * @return EOK on success, ENOMEM on allocation failure, EINVAL if the map
 *         cannot be initialised for another reason, or the error from
 *         ipa_idmap_get_ranges_from_sysdb()
 */
errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx,
                       struct sdap_id_ctx *id_ctx,
                       struct sdap_idmap_ctx **_idmap_ctx)
{
    errno_t ret = EOK;

    /* Build under a throw-away parent so a failure frees everything at once. */
    TALLOC_CTX *tmp_ctx = talloc_new(NULL);
    if (tmp_ctx == NULL) {
        return ENOMEM;
    }

    struct sdap_idmap_ctx *ictx = talloc_zero(tmp_ctx, struct sdap_idmap_ctx);
    if (ictx == NULL) {
        ret = ENOMEM;
        goto done;
    }
    ictx->id_ctx = id_ctx;
    ictx->find_new_domain = ipa_idmap_find_new_domain;

    /* The map allocates from the context itself via the talloc wrappers. */
    enum idmap_error_code err = sss_idmap_init(sss_idmap_talloc, ictx,
                                               sss_idmap_talloc_free,
                                               &ictx->map);
    if (err != IDMAP_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not initialize the ID map: [%s]\n",
               idmap_error_string(err));
        ret = (err == IDMAP_OUT_OF_MEMORY) ? ENOMEM : EINVAL;
        goto done;
    }

    ret = ipa_idmap_get_ranges_from_sysdb(ictx, NULL, NULL, false);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "ipa_idmap_get_ranges_from_sysdb failed.\n");
        goto done;
    }

    /* Success: move the context to the caller's parent; ret is already EOK. */
    *_idmap_ctx = talloc_steal(mem_ctx, ictx);

done:
    talloc_free(tmp_ctx);
    return ret;
}
/*
 * cmocka setup: create a leak-checked test context with its own talloc
 * parent for the idmap library and an initialised sss_idmap context.
 *
 * @param state  receives the struct test_ctx for the test body
 *
 * @return 0; any failure aborts the test via the assert_* macros
 */
static int test_sss_idmap_setup(void **state)
{
    assert_true(leak_check_setup());

    struct test_ctx *tctx = talloc_zero(global_talloc_context,
                                        struct test_ctx);
    assert_non_null(tctx);

    /* Allocations from here on are accounted against tctx by the checker. */
    check_leaks_push(tctx);

    tctx->mem_idmap = talloc_new(tctx);
    assert_non_null(tctx->mem_idmap);

    enum idmap_error_code err = sss_idmap_init(idmap_talloc, tctx->mem_idmap,
                                               idmap_free,
                                               &tctx->idmap_ctx);
    assert_int_equal(err, IDMAP_SUCCESS);

    *state = tctx;
    return 0;
}
/*
 * Mock NSS structure for unit tests: a zeroed nss_ctx with a placeholder
 * password field and a working sss_idmap context.
 *
 * @param mem_ctx  talloc parent of the mock
 *
 * @return the mock, or NULL on allocation or sss_idmap_init() failure
 */
static struct nss_ctx *
mock_nctx(TALLOC_CTX *mem_ctx)
{
    struct nss_ctx *nctx = talloc_zero(mem_ctx, struct nss_ctx);
    if (nctx == NULL) {
        return NULL;
    }

    /* Literal is stored through discard_const; it is never written to. */
    nctx->pwfield = discard_const("*");

    enum idmap_error_code err = sss_idmap_init(sss_idmap_talloc, nctx,
                                               sss_idmap_talloc_free,
                                               &nctx->idmap_ctx);
    if (err == IDMAP_SUCCESS) {
        return nctx;
    }

    DEBUG(SSSDBG_FATAL_FAILURE, ("sss_idmap_init failed.\n"));
    talloc_free(nctx);
    return NULL;
}
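/*
 * Replay the ID-mapping slices stored in the sysdb cache into a freshly
 * initialised map, so SIDs keep the slice they were assigned on earlier runs.
 *
 * @param idmap_ctx  the context whose map receives the domains
 * @param res        entries from sysdb_idmap_get_mappings(); each is expected
 *                   to carry SYSDB_NAME, SYSDB_IDMAP_SID_ATTR and
 *                   SYSDB_IDMAP_SLICE_ATTR
 *
 * @return EOK; EINVAL if an entry lacks one of those attributes (a cache
 *         inconsistent with what this module writes — rejected rather than
 *         guessed); otherwise the error from sdap_idmap_add_domain()
 */
static errno_t sdap_idmap_load_cached_domains(struct sdap_idmap_ctx *idmap_ctx,
                                              struct ldb_result *res)
{
    errno_t ret;
    size_t i;
    const char *dom_name;
    const char *sid_str;
    id_t slice_num;

    for (i = 0; i < res->count; i++) {
        dom_name = ldb_msg_find_attr_as_string(res->msgs[i],
                                               SYSDB_NAME,
                                               NULL);
        if (!dom_name) {
            /* This should never happen */
            return EINVAL;
        }

        sid_str = ldb_msg_find_attr_as_string(res->msgs[i],
                                              SYSDB_IDMAP_SID_ATTR,
                                              NULL);
        if (!sid_str) {
            /* This should never happen */
            return EINVAL;
        }

        /* -1 is the "attribute missing" default and is treated as an error. */
        slice_num = ldb_msg_find_attr_as_int(res->msgs[i],
                                             SYSDB_IDMAP_SLICE_ATTR,
                                             -1);
        if (slice_num == -1) {
            /* This should never happen */
            return EINVAL;
        }

        ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
                                    sid_str, slice_num);
        if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Could not add domain [%s][%s][%"SPRIid"] "
                   "to ID map: [%s]\n",
                   dom_name, sid_str, slice_num, strerror(ret));
            return ret;
        }
    }

    return EOK;
}

/*
 * First-time setup (no cached mappings): register the default domain as
 * slice 0 when its SID is configured, so that UID/GID values are stable
 * across clients. Without a SID the map falls back to hashing SIDs as they
 * are seen; in autorid compatibility mode that is logged loudly because
 * clients may then disagree on UID/GID values.
 *
 * @param idmap_ctx  the context whose map receives the default domain
 *
 * @return EOK, or the error from dp_opt_set_string() or
 *         sdap_idmap_add_domain()
 */
static errno_t sdap_idmap_setup_default_domain(struct sdap_idmap_ctx *idmap_ctx)
{
    errno_t ret;
    const char *dom_name;
    const char *sid_str;

    dom_name = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic,
                                 SDAP_IDMAP_DEFAULT_DOMAIN);
    if (!dom_name) {
        /* If it's not explicitly specified, use the SSSD domain name */
        dom_name = idmap_ctx->id_ctx->be->domain->name;
        ret = dp_opt_set_string(idmap_ctx->id_ctx->opts->basic,
                                SDAP_IDMAP_DEFAULT_DOMAIN,
                                dom_name);
        if (ret != EOK) {
            return ret;
        }
    }

    sid_str = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic,
                                SDAP_IDMAP_DEFAULT_DOMAIN_SID);
    if (sid_str) {
        /* Set the default domain as slice 0 */
        ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
                                    sid_str, 0);
        if (ret != EOK) {
            /* Slice printed with SPRIid/id_t like the other add_domain
             * failure, instead of %u with an int literal. */
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Could not add domain [%s][%s][%"SPRIid"] to ID map: [%s]\n",
                   dom_name, sid_str, (id_t)0, strerror(ret));
            return ret;
        }
        return EOK;
    }

    if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic,
                        SDAP_IDMAP_AUTORID_COMPAT)) {
        /* In autorid compatibility mode, we MUST have a slice 0 */
        DEBUG(SSSDBG_CRIT_FAILURE,
              "WARNING: Autorid compatibility mode selected, "
               "but %s is not set. UID/GID values may differ "
               "between clients.\n",
               idmap_ctx->id_ctx->opts->basic[SDAP_IDMAP_DEFAULT_DOMAIN_SID].opt_name);
    }
    /* Otherwise, we'll just fall back to hash values as they are seen */
    return EOK;
}

/*
 * Create the sdap ID-mapping context: read and validate the range settings,
 * initialise the sss_idmap map with them, add the range for externally
 * managed IDs when ID mapping is off, and then either replay the cached
 * SID-to-slice assignments or set up the default domain.
 *
 * The range settings decide which UID/GID values the map produces, so they
 * are rejected up front if they cannot describe at least one slice.
 *
 * @param mem_ctx     talloc parent of the returned context
 * @param id_ctx      the sdap ID context the mapping belongs to
 * @param _idmap_ctx  receives the new context on success
 *
 * @return EOK on success; ENOMEM on allocation failure; EINVAL for invalid
 *         range settings, a map that cannot be initialised, or an
 *         inconsistent cache entry; EIO if the map rejects its own
 *         parameters; otherwise the error from the failing helper
 */
errno_t
sdap_idmap_init(TALLOC_CTX *mem_ctx,
                struct sdap_id_ctx *id_ctx,
                struct sdap_idmap_ctx **_idmap_ctx)
{
    errno_t ret;
    TALLOC_CTX *tmp_ctx;
    enum idmap_error_code err;
    struct ldb_result *res;
    id_t idmap_lower;
    id_t idmap_upper;
    id_t rangesize;
    bool autorid_mode;
    struct sdap_idmap_ctx *idmap_ctx = NULL;

    /* Everything is built under tmp_ctx so one talloc_free() undoes a
     * partial initialisation on any failure path. */
    tmp_ctx = talloc_new(NULL);
    if (!tmp_ctx) return ENOMEM;

    idmap_ctx = talloc_zero(tmp_ctx, struct sdap_idmap_ctx);
    if (!idmap_ctx) {
        ret = ENOMEM;
        goto done;
    }
    idmap_ctx->id_ctx = id_ctx;
    idmap_ctx->find_new_domain = sdap_idmap_find_new_domain;

    idmap_lower = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic,
                                 SDAP_IDMAP_LOWER);
    idmap_upper = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic,
                                 SDAP_IDMAP_UPPER);
    rangesize = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic,
                               SDAP_IDMAP_RANGESIZE);
    autorid_mode = dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic,
                                   SDAP_IDMAP_AUTORID_COMPAT);

    /* Validate that the values make sense: a positive slice size and a
     * range wide enough to hold at least one slice. */
    if (rangesize <= 0
            || idmap_upper <= idmap_lower
            || (idmap_upper-idmap_lower) < rangesize)
    {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Invalid settings for range selection: "
               "[%"SPRIid"][%"SPRIid"][%"SPRIid"]\n",
               idmap_lower, idmap_upper, rangesize);
        ret = EINVAL;
        goto done;
    }

    if (((idmap_upper - idmap_lower) % rangesize) != 0) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Range size does not divide evenly. Uppermost range will "
               "not be used\n");
    }

    /* Initialize the map */
    err = sss_idmap_init(sss_idmap_talloc, idmap_ctx,
                         sss_idmap_talloc_free,
                         &idmap_ctx->map);
    if (err != IDMAP_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not initialize the ID map: [%s]\n",
               idmap_error_string(err));
        if (err == IDMAP_OUT_OF_MEMORY) {
            ret = ENOMEM;
        } else {
            ret = EINVAL;
        }
        goto done;
    }

    /* The codes are OR-ed together; this relies on IDMAP_SUCCESS being 0
     * so that any single failure shows up in the combined value. */
    err = sss_idmap_ctx_set_autorid(idmap_ctx->map, autorid_mode);
    err |= sss_idmap_ctx_set_lower(idmap_ctx->map, idmap_lower);
    err |= sss_idmap_ctx_set_upper(idmap_ctx->map, idmap_upper);
    err |= sss_idmap_ctx_set_rangesize(idmap_ctx->map, rangesize);
    if (err != IDMAP_SUCCESS) {
        /* This should never happen */
        DEBUG(SSSDBG_CRIT_FAILURE, "sss_idmap_ctx corrupted\n");
        /* Go through done: a bare return here leaked tmp_ctx and the
         * half-built idmap_ctx underneath it. */
        ret = EIO;
        goto done;
    }

    /* Setup range for externally managed IDs, i.e. IDs are read from the
     * ldap_user_uid_number and ldap_group_gid_number attributes. */
    if (!dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_ID_MAPPING)) {
        ret = sdap_idmap_add_configured_external_range(idmap_ctx);
        if (ret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE,
                  "sdap_idmap_add_configured_external_range failed.\n");
            goto done;
        }
    }

    /* Read in any existing mappings from the cache; ENOENT just means
     * this is the first run. */
    ret = sysdb_idmap_get_mappings(tmp_ctx, id_ctx->be->domain, &res);
    if (ret != EOK && ret != ENOENT) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Could not read ID mappings from the cache: [%s]\n",
               strerror(ret));
        goto done;
    }

    if (ret == EOK && res->count > 0) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Initializing [%d] domains for ID-mapping\n", res->count);
        ret = sdap_idmap_load_cached_domains(idmap_ctx, res);
    } else {
        /* This is the first time we're setting up id-mapping
         * Store the default domain as slice 0
         */
        ret = sdap_idmap_setup_default_domain(idmap_ctx);
    }
    if (ret != EOK) {
        goto done;
    }

    *_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx);
    ret = EOK;

done:
    talloc_free(tmp_ctx);
    return ret;
}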
/*
 * Initialise the PAC responder: bring up the generic responder context,
 * attach the PAC-specific context, apply the configured access and resource
 * limits, set up reconnection to the Data Provider and the ID-mapping
 * context, and schedule the domain discovery task.
 *
 * @param mem_ctx  talloc parent of the responder context
 * @param ev       tevent loop the responder runs on
 * @param cdb      configuration database to read settings from
 *
 * @return EOK on success; otherwise an errno value, after freeing the
 *         responder context (and everything allocated under it)
 */
int pac_process_init(TALLOC_CTX *mem_ctx,
                     struct tevent_context *ev,
                     struct confdb_ctx *cdb)
{
    struct resp_ctx *rctx;
    struct sss_cmd_table *cmds = get_pac_cmds();

    int ret = sss_process_init(mem_ctx, ev, cdb,
                               cmds,
                               SSS_PAC_SOCKET_NAME, -1, NULL, -1,
                               CONFDB_PAC_CONF_ENTRY,
                               PAC_SBUS_SERVICE_NAME,
                               PAC_SBUS_SERVICE_VERSION,
                               &monitor_pac_methods,
                               "PAC", &pac_dp_methods.vtable,
                               sss_connection_setup,
                               &rctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n");
        return ret;
    }

    /* Everything below is allocated under rctx, so the single
     * talloc_free(rctx) at fail: unwinds all of it. */
    struct pac_ctx *pac_ctx = talloc_zero(rctx, struct pac_ctx);
    if (pac_ctx == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing pac_ctx\n");
        ret = ENOMEM;
        goto fail;
    }
    pac_ctx->rctx = rctx;
    rctx->pvt_ctx = pac_ctx;

    /* Which local UIDs are allowed to use this responder (the list is
     * parsed into rctx->allowed_uids; the temporary string is released
     * right after, whether or not parsing succeeded). */
    char *uid_str = NULL;
    ret = confdb_get_string(rctx->cdb, rctx,
                            CONFDB_PAC_CONF_ENTRY, CONFDB_SERVICE_ALLOWED_UIDS,
                            DEFAULT_ALLOWED_UIDS, &uid_str);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get allowed UIDs.\n");
        goto fail;
    }
    ret = csv_string_to_uid_array(rctx, uid_str, true,
                                  &rctx->allowed_uids_count,
                                  &rctx->allowed_uids);
    talloc_free(uid_str);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
        goto fail;
    }

    /* Enable automatic reconnection to the Data Provider */
    int max_retries = 0;
    ret = confdb_get_int(rctx->cdb,
                         CONFDB_PAC_CONF_ENTRY,
                         CONFDB_SERVICE_RECON_RETRIES,
                         3, &max_retries);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set up automatic reconnection\n");
        goto fail;
    }
    for (struct be_conn *conn = rctx->be_conns; conn != NULL; conn = conn->next) {
        sbus_reconnect_init(conn->conn, max_retries,
                            pac_dp_reconnect_init, conn);
    }

    enum idmap_error_code err = sss_idmap_init(sss_idmap_talloc, pac_ctx,
                                               sss_idmap_talloc_free,
                                               &pac_ctx->idmap_ctx);
    if (err != IDMAP_SUCCESS) {
        DEBUG(SSSDBG_FATAL_FAILURE, "sss_idmap_init failed.\n");
        ret = EFAULT;
        goto fail;
    }

    /* Set up file descriptor limits */
    int fd_limit = 0;
    ret = confdb_get_int(rctx->cdb,
                         CONFDB_PAC_CONF_ENTRY,
                         CONFDB_SERVICE_FD_LIMIT,
                         DEFAULT_PAC_FD_LIMIT,
                         &fd_limit);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to set up file descriptor limit\n");
        goto fail;
    }
    responder_set_fd_limit(fd_limit);

    /* How long a PAC entry is kept; the log message refers to it as the
     * negative cache timeout, as in the original code. */
    ret = confdb_get_int(rctx->cdb, CONFDB_PAC_CONF_ENTRY,
                         CONFDB_PAC_LIFETIME, 300,
                         &pac_ctx->pac_lifetime);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to setup negative cache timeout.\n");
        goto fail;
    }

    ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
        goto fail;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "PAC Initialization complete\n");
    return EOK;

fail:
    talloc_free(rctx);
    return ret;
}