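/*
 * Initialise the LDAP idmap backend for one domain.
 *
 * The per-domain idmap_ldap_context is allocated as a talloc child of @dom.
 * "ldap_url" is mandatory and "ldap_base_dn" optional in the
 * "idmap config <domain>" section; an empty or missing base DN falls back
 * to the global ldap idmap suffix.  The function then opens the LDAP
 * connection (smbldap_init), obtains the bind credentials
 * (get_credentials), publishes the context in dom->private_data and
 * finally verifies the ID pool.
 *
 * @dom  Domain being initialised; its name selects the smb.conf section.
 *
 * Returns NT_STATUS_OK on success.  NT_STATUS_FILE_IS_OFFLINE if winbind
 * is offline, NT_STATUS_NO_MEMORY on allocation failure,
 * NT_STATUS_UNSUCCESSFUL when the URL or base DN is not configured, or
 * the status of smbldap_init() / get_credentials() / verify_idpool().
 * On failure the context and everything allocated under it is freed, and
 * dom->private_data is cleared again if it had already been set.
 */
static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
{
	NTSTATUS ret;
	struct idmap_ldap_context *ctx = NULL;
	char *config_option = NULL;
	const char *tmp = NULL;

	/* Only do init if we are online */
	if (idmap_is_offline()) {
		return NT_STATUS_FILE_IS_OFFLINE;
	}

	ctx = talloc_zero(dom, struct idmap_ldap_context);
	if ( ! ctx) {
		DEBUG(0, ("Out of memory!\n"));
		return NT_STATUS_NO_MEMORY;
	}

	/* Owned by ctx, so the error path below releases it together with ctx. */
	config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
	if (!config_option) {
		DEBUG(0, ("Out of memory!\n"));
		ret = NT_STATUS_NO_MEMORY;
		goto done;
	}

	tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
	if ( ! tmp) {
		DEBUG(1, ("ERROR: missing idmap ldap url\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	ctx->url = talloc_strdup(ctx, tmp);
	/*
	 * Check the copy before it is used: without this a failed
	 * talloc_strdup() handed a NULL url to smbldap_init() below.
	 */
	CHECK_ALLOC_DONE(ctx->url);

	/* Strip the double quotes an smb.conf value may be wrapped in. */
	trim_char(ctx->url, '\"', '\"');

	tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
	if ( ! tmp || ! *tmp) {
		/* Empty or unset: fall back to the global idmap suffix. */
		tmp = lp_ldap_idmap_suffix(talloc_tos());
		if ( ! tmp) {
			DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}
	ctx->suffix = talloc_strdup(ctx, tmp);
	CHECK_ALLOC_DONE(ctx->suffix);

	ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
	CHECK_ALLOC_DONE(ctx->rw_ops);

	ctx->rw_ops->get_new_id = idmap_ldap_allocate_id_internal;
	ctx->rw_ops->set_mapping = idmap_ldap_set_mapping;

	/*
	 * get_credentials deals with setting up creds; the connection is
	 * created here without a bind identity (false, NULL, NULL).
	 */
	ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
			   false, NULL, NULL, &ctx->smbldap_state);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
		goto done;
	}

	ret = get_credentials( ctx, ctx->smbldap_state, config_option,
			       dom, &ctx->user_dn );
	if ( !NT_STATUS_IS_OK(ret) ) {
		DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
			 "credentials (%s)\n", nt_errstr(ret)));
		goto done;
	}

	/*
	 * Set the destructor on the context, so that resources are
	 * properly freed when the context is released.
	 */
	talloc_set_destructor(ctx, idmap_ldap_close_destructor);

	/* verify_idpool(dom) reads the context through dom->private_data. */
	dom->private_data = ctx;

	ret = verify_idpool(dom);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("idmap_ldap_db_init: failed to verify ID pool (%s)\n",
			  nt_errstr(ret)));
		goto done;
	}

	/* The section name is only needed during init. */
	talloc_free(config_option);
	return NT_STATUS_OK;

/*failed */
done:
	/*
	 * ctx may already be published in dom->private_data (the
	 * verify_idpool() failure path); do not leave the domain pointing
	 * at memory that is freed right below.
	 */
	if (dom->private_data == ctx) {
		dom->private_data = NULL;
	}
	talloc_free(ctx);
	return ret;
}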
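/*
 * Initialise the LDAP idmap backend for one domain (older variant).
 *
 * Allocates the idmap_ldap_context as a talloc child of @dom and fills it
 * from the "idmap config <domain>" section:
 *   - "range"        optional "<low> - <high>" filter; an unparsable or
 *                    inverted range is logged and both bounds reset to 0.
 *   - the LDAP URL   taken from dom->params when that is non-empty,
 *                    otherwise from "ldap_url" (mandatory).
 *   - "ldap_base_dn" optional; empty/unset falls back to
 *                    lp_ldap_idmap_suffix().
 * It then opens the connection (smbldap_init), fetches the bind
 * credentials (get_credentials), installs the destructor and marks the
 * domain initialised.
 *
 * @dom  Domain being initialised; its name selects the smb.conf section.
 *
 * Returns NT_STATUS_OK on success.  NT_STATUS_FILE_IS_OFFLINE if winbind
 * is offline, NT_STATUS_NO_MEMORY on allocation failure,
 * NT_STATUS_UNSUCCESSFUL when the URL or base DN is not configured, or
 * the status of smbldap_init() / get_credentials().  On failure ctx and
 * everything allocated under it is freed; dom->private_data is only set
 * once nothing can fail any more.
 */
static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
{
	NTSTATUS ret;
	struct idmap_ldap_context *ctx = NULL;
	char *config_option = NULL;
	const char *range = NULL;
	const char *tmp = NULL;

	/* Only do init if we are online */
	if (idmap_is_offline()) {
		return NT_STATUS_FILE_IS_OFFLINE;
	}

	ctx = TALLOC_ZERO_P(dom, struct idmap_ldap_context);
	if ( ! ctx) {
		DEBUG(0, ("Out of memory!\n"));
		return NT_STATUS_NO_MEMORY;
	}

	/* Owned by ctx, so the error path below releases it together with ctx. */
	config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
	if ( ! config_option) {
		DEBUG(0, ("Out of memory!\n"));
		ret = NT_STATUS_NO_MEMORY;
		goto done;
	}

	/* load ranges */
	range = lp_parm_const_string(-1, config_option, "range", NULL);
	if (range && range[0]) {
		/*
		 * sscanf() writes straight into the context; a partial parse
		 * or low > high is undone by zeroing both bounds.
		 */
		if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
			    &ctx->filter_high_id) != 2) ||
		    (ctx->filter_low_id > ctx->filter_high_id)) {
			/* Log line was missing its terminating newline. */
			DEBUG(1, ("ERROR: invalid filter range [%s]\n", range));
			ctx->filter_low_id = 0;
			ctx->filter_high_id = 0;
		}
	}

	if (dom->params && *(dom->params)) {
		/* assume location is the only parameter */
		ctx->url = talloc_strdup(ctx, dom->params);
	} else {
		tmp = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
		if ( ! tmp) {
			DEBUG(1, ("ERROR: missing idmap ldap url\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
		ctx->url = talloc_strdup(ctx, tmp);
	}
	CHECK_ALLOC_DONE(ctx->url);

	tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
	if ( ! tmp || ! *tmp) {
		/* Empty or unset: fall back to the global idmap suffix. */
		tmp = lp_ldap_idmap_suffix();
		if ( ! tmp) {
			DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}
	ctx->suffix = talloc_strdup(ctx, tmp);
	CHECK_ALLOC_DONE(ctx->suffix);

	ret = smbldap_init(ctx, winbind_event_context(), ctx->url,
			   &ctx->smbldap_state);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", ctx->url));
		goto done;
	}

	ret = get_credentials( ctx, ctx->smbldap_state, config_option,
			       dom, &ctx->user_dn );
	if ( !NT_STATUS_IS_OK(ret) ) {
		DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
			 "credentials (%s)\n", nt_errstr(ret)));
		goto done;
	}

	/*
	 * Set the destructor on the context, so that resources are
	 * properly freed when the context is released.
	 */
	talloc_set_destructor(ctx, idmap_ldap_close_destructor);

	dom->private_data = ctx;
	dom->initialized = True;

	/* The section name is only needed during init. */
	talloc_free(config_option);
	return NT_STATUS_OK;

/*failed */
done:
	talloc_free(ctx);
	return ret;
}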
/*
 * Emit the LDIF skeleton of a Samba domain into @add_fd: the base entry,
 * the Users / Groups / Computers / IdMap organizational units (each only
 * when its configured suffix is non-empty and differs from the containers
 * already written), the sambaDomainName entry and the well-known domain
 * groups (RIDs 512-515) and BUILTIN groups (RIDs 544-552).
 *
 * @sid          Domain SID prefix; domain groups get "<sid>-<rid>".
 * @suffix       Base DN under which everything is written.
 * @builtin_sid  SID prefix used for the BUILTIN groups.
 * @add_fd       Open stream receiving the "add" LDIF; flushed after most
 *               entries.  fprintf() results are not checked.
 *
 * Also increments the file-scope counters ldif_uid / ldif_gid for the
 * domain entry's uidNumber / gidNumber.
 *
 * Returns NT_STATUS_NO_MEMORY when one of the lp_ldap_*_suffix() lookups
 * or the suffix-attribute allocation fails, NT_STATUS_OK otherwise.
 *
 * NOTE(review): user_attr / group_attr are only assigned inside their
 * respective "distinct container" blocks and are never NULL-checked, yet
 * group_attr is printed with %s in every group DN below.  If the group
 * suffix equals @suffix, or sstring_sub() returns NULL, the emitted LDIF
 * is malformed (and passing NULL to %s is not guaranteed to be safe).
 */
static NTSTATUS populate_ldap_for_ldif(const char *sid, const char *suffix,
				       const char *builtin_sid, FILE *add_fd)
{
	const char *user_suffix, *group_suffix, *machine_suffix, *idmap_suffix;
	char *user_attr=NULL, *group_attr=NULL;
	char *suffix_attr;
	int len;	/* NOTE(review): holds a strlen() result, size_t would be the right type */

	/*
	 * Get the suffix attribute -- presumably the value part of the first
	 * RDN (text between '=' and the following ',').  When there is no
	 * such part the whole suffix is duplicated instead.
	 */
	suffix_attr = sstring_sub(suffix, '=', ',');
	if (suffix_attr == NULL) {
		len = strlen(suffix);
		suffix_attr = (char*)SMB_MALLOC(len+1);
		if (!suffix_attr) {
			return NT_STATUS_NO_MEMORY;
		}
		memcpy(suffix_attr, suffix, len);
		suffix_attr[len] = '\0';
	}

	/* Write the base */
	fprintf(add_fd, "# %s\n", suffix);
	fprintf(add_fd, "dn: %s\n", suffix);
	fprintf(add_fd, "objectClass: dcObject\n");
	fprintf(add_fd, "objectClass: organization\n");
	fprintf(add_fd, "o: %s\n", suffix_attr);
	fprintf(add_fd, "dc: %s\n", suffix_attr);
	fprintf(add_fd, "\n");
	fflush(add_fd);

	user_suffix = lp_ldap_user_suffix(talloc_tos());
	if (user_suffix == NULL) {
		SAFE_FREE(suffix_attr);
		return NT_STATUS_NO_MEMORY;
	}
	/* If it exists and is distinct from other containers,
	   Write the Users entity */
	if (*user_suffix && strcmp(user_suffix, suffix)) {
		/*
		 * NOTE(review): re-queries the suffix instead of reusing
		 * user_suffix, and the result is printed without a NULL check.
		 */
		user_attr = sstring_sub(lp_ldap_user_suffix(talloc_tos()), '=', ',');
		fprintf(add_fd, "# %s\n", user_suffix);
		fprintf(add_fd, "dn: %s\n", user_suffix);
		fprintf(add_fd, "objectClass: organizationalUnit\n");
		fprintf(add_fd, "ou: %s\n", user_attr);
		fprintf(add_fd, "\n");
		fflush(add_fd);
	}

	group_suffix = lp_ldap_group_suffix(talloc_tos());
	if (group_suffix == NULL) {
		SAFE_FREE(suffix_attr);
		SAFE_FREE(user_attr);
		return NT_STATUS_NO_MEMORY;
	}
	/* If it exists and is distinct from other containers,
	   Write the Groups entity */
	if (*group_suffix && strcmp(group_suffix, suffix)) {
		/*
		 * group_attr is reused for every group DN written further
		 * down; see the NOTE(review) in the header about it staying
		 * NULL when this block is skipped.
		 */
		group_attr = sstring_sub(lp_ldap_group_suffix(talloc_tos()), '=', ',');
		fprintf(add_fd, "# %s\n", group_suffix);
		fprintf(add_fd, "dn: %s\n", group_suffix);
		fprintf(add_fd, "objectClass: organizationalUnit\n");
		fprintf(add_fd, "ou: %s\n", group_attr);
		fprintf(add_fd, "\n");
		fflush(add_fd);
	}

	/* If it exists and is distinct from other containers,
	   Write the Computers entity */
	machine_suffix = lp_ldap_machine_suffix(talloc_tos());
	if (machine_suffix == NULL) {
		SAFE_FREE(suffix_attr);
		SAFE_FREE(user_attr);
		SAFE_FREE(group_attr);
		return NT_STATUS_NO_MEMORY;
	}
	/* Skipped when the machines live under the users container or the base. */
	if (*machine_suffix && strcmp(machine_suffix, user_suffix) &&
	    strcmp(machine_suffix, suffix)) {
		char *machine_ou = NULL;
		fprintf(add_fd, "# %s\n", machine_suffix);
		fprintf(add_fd, "dn: %s\n", machine_suffix);
		fprintf(add_fd, "objectClass: organizationalUnit\n");
		/* this isn't totally correct as it assumes that there _must_ be an ou.
		   just fixing memleak now. jmcd */
		machine_ou = sstring_sub(lp_ldap_machine_suffix(talloc_tos()), '=', ',');
		fprintf(add_fd, "ou: %s\n", machine_ou);
		SAFE_FREE(machine_ou);
		fprintf(add_fd, "\n");
		fflush(add_fd);
	}

	/* If it exists and is distinct from other containers,
	   Write the IdMap entity */
	idmap_suffix = lp_ldap_idmap_suffix(talloc_tos());
	if (idmap_suffix == NULL) {
		SAFE_FREE(suffix_attr);
		SAFE_FREE(user_attr);
		SAFE_FREE(group_attr);
		return NT_STATUS_NO_MEMORY;
	}
	if (*idmap_suffix && strcmp(idmap_suffix, user_suffix) &&
	    strcmp(idmap_suffix, suffix)) {
		char *s;
		fprintf(add_fd, "# %s\n", idmap_suffix);
		fprintf(add_fd, "dn: %s\n", idmap_suffix);
		/* Note the capitalised "ObjectClass" here, unlike the other entries. */
		fprintf(add_fd, "ObjectClass: organizationalUnit\n");
		s = sstring_sub(lp_ldap_idmap_suffix(talloc_tos()), '=', ',');
		fprintf(add_fd, "ou: %s\n", s);
		SAFE_FREE(s);
		fprintf(add_fd, "\n");
		fflush(add_fd);
	}

	/* Write the domain entity -- it doubles as the ID pool (LDAP_OBJ_IDPOOL). */
	fprintf(add_fd, "# %s, %s\n", lp_workgroup(), suffix);
	fprintf(add_fd, "dn: sambaDomainName=%s,%s\n", lp_workgroup(), suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_DOMINFO);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_IDPOOL);
	fprintf(add_fd, "sambaDomainName: %s\n", lp_workgroup());
	fprintf(add_fd, "sambaSID: %s\n", sid);
	/* Pre-increment: the pool's next free ids are one past the last used. */
	fprintf(add_fd, "uidNumber: %d\n", ++ldif_uid);
	fprintf(add_fd, "gidNumber: %d\n", ++ldif_gid);
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/* Write the Domain Admins entity (RID 512, sambaGroupType 2 = domain group) */
	fprintf(add_fd, "# Domain Admins, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Domain Admins,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "cn: Domain Admins\n");
	/* The only group that gets a member up front. */
	fprintf(add_fd, "memberUid: Administrator\n");
	fprintf(add_fd, "description: Netbios Domain Administrators\n");
	fprintf(add_fd, "gidNumber: 512\n");
	fprintf(add_fd, "sambaSID: %s-512\n", sid);
	fprintf(add_fd, "sambaGroupType: 2\n");
	fprintf(add_fd, "displayName: Domain Admins\n");
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/* Write the Domain Users entity (RID 513) */
	fprintf(add_fd, "# Domain Users, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Domain Users,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "cn: Domain Users\n");
	fprintf(add_fd, "description: Netbios Domain Users\n");
	fprintf(add_fd, "gidNumber: 513\n");
	fprintf(add_fd, "sambaSID: %s-513\n", sid);
	fprintf(add_fd, "sambaGroupType: 2\n");
	fprintf(add_fd, "displayName: Domain Users\n");
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/* Write the Domain Guests entity (RID 514) */
	fprintf(add_fd, "# Domain Guests, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Domain Guests,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "cn: Domain Guests\n");
	fprintf(add_fd, "description: Netbios Domain Guests\n");
	fprintf(add_fd, "gidNumber: 514\n");
	fprintf(add_fd, "sambaSID: %s-514\n", sid);
	fprintf(add_fd, "sambaGroupType: 2\n");
	fprintf(add_fd, "displayName: Domain Guests\n");
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/* Write the Domain Computers entity (RID 515) */
	fprintf(add_fd, "# Domain Computers, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Domain Computers,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "gidNumber: 515\n");
	fprintf(add_fd, "cn: Domain Computers\n");
	fprintf(add_fd, "description: Netbios Domain Computers accounts\n");
	fprintf(add_fd, "sambaSID: %s-515\n", sid);
	fprintf(add_fd, "sambaGroupType: 2\n");
	fprintf(add_fd, "displayName: Domain Computers\n");
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/*
	 * Write the Admininistrators Groups entity (BUILTIN RID 544,
	 * sambaGroupType 5).  The BUILTIN groups below use @builtin_sid
	 * rather than @sid.  This entry is the only one not followed by
	 * an fflush().
	 */
	fprintf(add_fd, "# Administrators, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Administrators,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "gidNumber: 544\n");
	fprintf(add_fd, "cn: Administrators\n");
	fprintf(add_fd, "description: Netbios Domain Members can fully administer the computer/sambaDomainName\n");
	fprintf(add_fd, "sambaSID: %s-544\n", builtin_sid);
	fprintf(add_fd, "sambaGroupType: 5\n");
	fprintf(add_fd, "displayName: Administrators\n");
	fprintf(add_fd, "\n");

	/* Write the Print Operator entity (BUILTIN RID 550) */
	fprintf(add_fd, "# Print Operators, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Print Operators,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "gidNumber: 550\n");
	fprintf(add_fd, "cn: Print Operators\n");
	fprintf(add_fd, "description: Netbios Domain Print Operators\n");
	fprintf(add_fd, "sambaSID: %s-550\n", builtin_sid);
	fprintf(add_fd, "sambaGroupType: 5\n");
	fprintf(add_fd, "displayName: Print Operators\n");
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/* Write the Backup Operators entity (BUILTIN RID 551) */
	fprintf(add_fd, "# Backup Operators, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Backup Operators,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "gidNumber: 551\n");
	fprintf(add_fd, "cn: Backup Operators\n");
	fprintf(add_fd, "description: Netbios Domain Members can bypass file security to back up files\n");
	fprintf(add_fd, "sambaSID: %s-551\n", builtin_sid);
	fprintf(add_fd, "sambaGroupType: 5\n");
	fprintf(add_fd, "displayName: Backup Operators\n");
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/* Write the Replicators entity (BUILTIN RID 552) */
	fprintf(add_fd, "# Replicators, %s, %s\n", group_attr, suffix);
	fprintf(add_fd, "dn: cn=Replicators,ou=%s,%s\n", group_attr, suffix);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_POSIXGROUP);
	fprintf(add_fd, "objectClass: %s\n", LDAP_OBJ_GROUPMAP);
	fprintf(add_fd, "gidNumber: 552\n");
	fprintf(add_fd, "cn: Replicators\n");
	fprintf(add_fd, "description: Netbios Domain Supports file replication in a sambaDomainName\n");
	fprintf(add_fd, "sambaSID: %s-552\n", builtin_sid);
	fprintf(add_fd, "sambaGroupType: 5\n");
	fprintf(add_fd, "displayName: Replicators\n");
	fprintf(add_fd, "\n");
	fflush(add_fd);

	/* Deallocate memory, and return */
	SAFE_FREE(suffix_attr);
	SAFE_FREE(user_attr);
	SAFE_FREE(group_attr);
	return NT_STATUS_OK;
}
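/*
 * Initialise the global LDAP ID allocator context (idmap_alloc_ldap).
 *
 * Reads the "idmap alloc config" section:
 *   - "range"        optional "<low> - <high>", applied to both the uid
 *                    and the gid range; syntax errors or low >= high are
 *                    logged and the value ignored.
 *   - the LDAP URL   taken from @params when non-empty, otherwise from
 *                    "ldap_url" (mandatory).
 *   - "ldap_base_dn" optional; empty/unset falls back to
 *                    lp_ldap_idmap_suffix().
 * Whatever lp_idmap_uid() / lp_idmap_gid() report afterwards replaces the
 * uid / gid range taken from "range".  Both ranges must end up with
 * high > low.  The function then opens the connection (smbldap_init),
 * fetches the bind credentials (get_credentials) and checks the ID pool
 * (verify_idpool).
 *
 * @params  Optional backend parameter string; when set it is used as the
 *          LDAP URL ("assume location is the only parameter").
 *
 * Returns NT_STATUS_OK on success.  NT_STATUS_FILE_IS_OFFLINE if winbind
 * is offline, NT_STATUS_NO_MEMORY on allocation failure,
 * NT_STATUS_UNSUCCESSFUL for a missing/invalid range, URL or base DN, or
 * the status of smbldap_init() / get_credentials() / verify_idpool().
 * On any failure the global context is released with TALLOC_FREE(), so
 * idmap_alloc_ldap is NULL again.
 */
static NTSTATUS idmap_ldap_alloc_init(const char *params)
{
	/* Pre-set so that an early CHECK_ALLOC_DONE jump still frees at done:. */
	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
	const char *range;
	const char *tmp;
	uid_t low_uid = 0;
	uid_t high_uid = 0;
	gid_t low_gid = 0;
	gid_t high_gid = 0;

	/* Only do init if we are online */
	if (idmap_is_offline()) {
		return NT_STATUS_FILE_IS_OFFLINE;
	}

	/* Top-level talloc context (NULL parent): lives until explicitly freed. */
	idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
	CHECK_ALLOC_DONE( idmap_alloc_ldap );

	/* load ranges */
	idmap_alloc_ldap->low_uid = 0;
	idmap_alloc_ldap->high_uid = 0;
	idmap_alloc_ldap->low_gid = 0;
	idmap_alloc_ldap->high_gid = 0;

	range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
	if (range && range[0]) {
		unsigned low_id, high_id;
		if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
			if (low_id < high_id) {
				/* One "range" feeds both the uid and the gid pool. */
				idmap_alloc_ldap->low_gid = low_id;
				idmap_alloc_ldap->low_uid = low_id;
				idmap_alloc_ldap->high_gid = high_id;
				idmap_alloc_ldap->high_uid = high_id;
			} else {
				/* Log lines were missing their terminating newline. */
				DEBUG(1, ("ERROR: invalid idmap alloc range "
					  "[%s]\n", range));
			}
		} else {
			DEBUG(1, ("ERROR: invalid syntax for idmap alloc "
				  "config:range [%s]\n", range));
		}
	}

	/* The global idmap uid/gid settings take precedence over "range". */
	if (lp_idmap_uid(&low_uid, &high_uid)) {
		idmap_alloc_ldap->low_uid = low_uid;
		idmap_alloc_ldap->high_uid = high_uid;
	}

	if (lp_idmap_gid(&low_gid, &high_gid)) {
		idmap_alloc_ldap->low_gid = low_gid;
		idmap_alloc_ldap->high_gid= high_gid;
	}

	/* An empty or inverted range would make every allocation fail. */
	if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
		DEBUG(1, ("idmap uid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
		DEBUG(1, ("idmap gid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (params && *params) {
		/* assume location is the only parameter */
		idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
	} else {
		tmp = lp_parm_const_string(-1, "idmap alloc config",
					   "ldap_url", NULL);
		if ( ! tmp) {
			DEBUG(1, ("ERROR: missing idmap ldap url\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
		idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
	}
	CHECK_ALLOC_DONE( idmap_alloc_ldap->url );

	tmp = lp_parm_const_string(-1, "idmap alloc config",
				   "ldap_base_dn", NULL);
	if ( ! tmp || ! *tmp) {
		/* Empty or unset: fall back to the global idmap suffix. */
		tmp = lp_ldap_idmap_suffix();
		if ( ! tmp) {
			DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}
	idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
	CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );

	ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
			   idmap_alloc_ldap->url,
			   &idmap_alloc_ldap->smbldap_state);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
			  idmap_alloc_ldap->url));
		goto done;
	}

	/* No domain for the allocator, hence the NULL dom argument. */
	ret = get_credentials( idmap_alloc_ldap,
			       idmap_alloc_ldap->smbldap_state,
			       "idmap alloc config", NULL,
			       &idmap_alloc_ldap->user_dn );
	if ( !NT_STATUS_IS_OK(ret) ) {
		DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
			 "credentials (%s)\n", nt_errstr(ret)));
		goto done;
	}

	/* see if the idmap suffix and sub entries exists */
	ret = verify_idpool();

done:
	/* Single exit: any non-OK status tears the global context down. */
	if ( !NT_STATUS_IS_OK( ret ) ) {
		TALLOC_FREE( idmap_alloc_ldap );
	}
	return ret;
}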