c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * CDDL HEADER START
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * The contents of this file are subject to the terms of the
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Common Development and Distribution License (the "License").
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * You may not use this file except in compliance with the License.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * See the License for the specific language governing permissions
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * and limitations under the License.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * When distributing Covered Code, include this CDDL HEADER in each
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * If applicable, add the following below this CDDL HEADER, with the
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * fields enclosed by brackets "[]" replaced with your own identifying
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * information: Portions Copyright [yyyy] [name of copyright owner]
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * CDDL HEADER END
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Processes name2sid & sid2name batched lookups for a given user or
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * computer from an AD Directory server using GSSAPI authentication
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw/* Attribute names and filter format strings */
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai#define UIDNUMBERFILTER "(&(objectclass=user)(uidNumber=%u))"
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai#define GIDNUMBERFILTER "(&(objectclass=group)(gidNumber=%u))"
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkrevoid idmap_ldap_res_search_cb(LDAP *ld, LDAPMessage **res, int rc,
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * A place to put the results of a batched (async) query
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * There is one of these for every query added to a batch object
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * (idmap_query_state, see below).
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * data used for validating search result entries for name->SID
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw /* results */
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright idmap_id_type *sid_type; /* user or group SID? */
bcced03bbdd2d55d8573d1da7b39a496f30d68cbjp * The LDAP search entry result is placed here to be processed
bcced03bbdd2d55d8573d1da7b39a496f30d68cbjp * when the search done result is received.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw/* Batch context structure; typedef is in header file */
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen uint32_t qcount; /* Number of queued requests */
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Keep connection management simple for now, extend or replace later
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * with updated libsldap code.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Idle connection reaping side of connection management
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Every minute wake up and look for connections that have been idle for
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * five minutes or more and close them.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw/*ARGSUSED*/
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw for (;;) {
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * nanosleep(3RT) is thead-safe (no SIGALRM) and more
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * portable than usleep(3C)
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Take ad_host_config_t information, create a ad_host_t,
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * populate it and add it to the list of hosts.
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkreidmap_add_ds(adutils_ad_t *ad, const char *host, int port)
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre if (adutils_add_ds(ad, host, port) == ADUTILS_SUCCESS)
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw /* Start reaper if it doesn't exist */
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre /* NOTREACHED */
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkreidmap_lookup_batch_start(adutils_ad_t *ad, int nqueries,
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai int directory_based_mapping, const char *default_domain,
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre if ((rc = adutils_lookup_batch_start(ad, nqueries,
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre idmap_ldap_res_search_cb, new_state, &new_state->qs))
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai new_state->default_domain = strdup(default_domain);
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai new_state->directory_based_mapping = directory_based_mapping;
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * Set unixuser_attr and unixgroup_attr for AD-based name mapping
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3babanidmap_lookup_batch_set_unixattr(idmap_query_state_t *state,
cd37da7426f0c49c14ad9a8a07638ca971477566nw * Take parsed attribute values from a search result entry and check if
cd37da7426f0c49c14ad9a8a07638ca971477566nw * it is the result that was desired and, if so, set the result fields
cd37da7426f0c49c14ad9a8a07638ca971477566nw * of the given idmap_q_t.
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * Except for dn and attr, all strings are consumed, either by transferring
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * them over into the request results (where the caller will eventually free
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * them) or by freeing them here. Note that this aligns with the "const"
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * declarations below.
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai const char *dn,
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai const char *attr,
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban /* Check that this is the canonname that we were looking for */
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban /* Check that this is the domain that we were looking for */
48258c6b4e17f36ab09fba0bd6307d1fec9dcbcejp /* Copy the DN and attr and value */
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban /* Set results */
479ac37569625bae44ffb80071d4bc865fc710eddm * The caller may be replacing the given winname by its
479ac37569625bae44ffb80071d4bc865fc710eddm * canonical name and therefore free any old name before
479ac37569625bae44ffb80071d4bc865fc710eddm * overwriting the field by the canonical name.
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (q->pid != NULL && pid != IDMAP_SENTINEL_PID) {
cd37da7426f0c49c14ad9a8a07638ca971477566nw /* Free unused attribute values */
cd37da7426f0c49c14ad9a8a07638ca971477566nw * Extract the class of the result entry. Returns 1 on success, 0 on
cd37da7426f0c49c14ad9a8a07638ca971477566nw * failure.
cd37da7426f0c49c14ad9a8a07638ca971477566nwidmap_bv_objclass2sidtype(BerValue **bvalues, int *sid_type)
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw return (0);
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * We consider Computer to be a subclass of User, so we can just
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * ignore Computer entries and pay attention to the accompanying
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * User entries.
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * "else if (*sid_type = IDMAP_USID)" then this is a
cd37da7426f0c49c14ad9a8a07638ca971477566nw * new sub-class of user -- what to do with it??
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw return (1);
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Handle a given search result entry
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkreidmap_extract_object(idmap_query_state_t *state, idmap_q_t *q,
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States posix_id_t pid = IDMAP_SENTINEL_PID;
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai assert(q->domain == NULL || *q->domain == NULL);
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai bvalues = ldap_get_values_len(ld, res, OBJCLASS);
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * Didn't find objectclass. Something's wrong with our
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai idmapdlog(LOG_ERR, "%s has no %s", dn, OBJCLASS);
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai ok = idmap_bv_objclass2sidtype(bvalues, &sid_type);
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * Didn't understand objectclass. Something's wrong with our
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai idmapdlog(LOG_ERR, "%s has unexpected %s", dn, OBJCLASS);
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai if (state->directory_based_mapping == DIRECTORY_MAPPING_IDMU &&
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai "%s has Invalid %s value \"%s\"",
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai if (state->directory_based_mapping == DIRECTORY_MAPPING_NAME &&
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * If the caller has requested unixname then determine the
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * AD attribute name that will have the unixname, and retrieve
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * its value.
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * Determine the target type.
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * If the caller specified one, use that. Otherwise, give the
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai * same type that as we found for the Windows user.
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai sid = adutils_bv_objsid2sidstr(bvalues[0], &rid);
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkreidmap_ldap_res_search_cb(LDAP *ld, LDAPMessage **res, int rc, int qid,
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre idmap_query_state_t *state = (idmap_query_state_t *)argp;
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw switch (rc) {
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre idmap_extract_object(state, q, q->search_res, ld);
84decf41e1c0970e397cc8710dfcf81db5b8c6dajp * This routine frees the idmap_query_state_t structure
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre * Map adutils rc to idmap_retcode in each
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre * query because consumers in dbutils.c
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre * expects idmap_retcode.
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Send one prepared search, queue up msgid, process what results are
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * available
48258c6b4e17f36ab09fba0bd6307d1fec9dcbcejpidmap_batch_add1(idmap_query_state_t *state, const char *filter,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright char *ecanonname, char *edomain, idmap_id_type esidtype,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright char **sid, rid_t *rid, idmap_id_type *sid_type, char **unixname,
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre * Remember the expected canonname, domainname and unix type
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre * so we can check the results * against it
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw /* Remember where to put the results */
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai /* Add attributes that are not always needed */
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai /* Add unixuser/unixgroup attribute names to the attrs list */
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Provide sane defaults for the results in case we never hear
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * back from the DS before closing the connection.
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * In particular we default the result to indicate a retriable
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * error. The first complete matching result entry will cause
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * this to be set to IDMAP_SUCCESS, and the end of the results
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * for this search will cause this to indicate "not found" if no
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * result entries arrived or no complete ones matched the lookup
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * we were doing.
479ac37569625bae44ffb80071d4bc865fc710eddm * Don't set *canonname to NULL because it may be pointing to the
479ac37569625bae44ffb80071d4bc865fc710eddm * given winname. Later on if we get a canonical name from AD the
479ac37569625bae44ffb80071d4bc865fc710eddm * old name if any will be freed before assigning the new name.
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre * Invoke the mother of all APIs i.e. the adutils API
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre ad_rc = adutils_lookup_batch_add(state->qs, filter,
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre (const char **)attrs,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright const char *name, const char *dname, idmap_id_type esidtype,
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * Strategy: search the global catalog for user/group by
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * sAMAccountName = user/groupname with "" as the base DN and by
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * userPrincipalName = user/groupname@domain. The result
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * entries will be checked to conform to the name and domain
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * name given here. The DN, sAMAccountName, userPrincipalName,
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * objectSid and objectClass of the result entries are all we
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * need to figure out which entries match the lookup, the SID of
e3c2d6aa3bc760b22fad3c83f876553f0d2c5b66nw * the user/group and whether it is a user or a group.
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai /* 'name' not qualified and dname not given */
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen if (!adutils_lookup_check_domain(state->qs, dname)) {
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw /* Assemble filter */
cd37da7426f0c49c14ad9a8a07638ca971477566nw retcode = idmap_batch_add1(state, filter, ecanonname, edomain,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright esidtype, dn, attr, value, canonname, NULL, sid, rid, sid_type,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright const char *sid, const rid_t *rid, idmap_id_type esidtype,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright char **name, char **dname, idmap_id_type *sid_type,
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai char **unixname, posix_id_t *pid, idmap_retcode *rc)
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * Strategy: search [the global catalog] for user/group by
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * objectSid = SID with empty base DN. The DN, sAMAccountName
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * and objectClass of the result are all we need to figure out
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * the name of the SID and whether it is a user, a group or a
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw * computer.
4d61c878ad5fbf36c5338bef5994cc5fe88a589aJulian Pullen if (!adutils_lookup_check_sid_prefix(state->qs, sid))
2b4a78020b9c38d1b95e2f3fefa6d6e4be382d1fBaban Kenkre ret = adutils_txtsid2hexbinsid(sid, rid, &cbinsid[0], sizeof (cbinsid));
c5c4113dfcabb1eed3d4bdf7609de5170027a794nw /* Assemble filter */
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai (void) asprintf(&filter, OBJSIDFILTER, cbinsid);
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright retcode = idmap_batch_add1(state, filter, NULL, NULL, esidtype,
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai dn, attr, value, name, dname, NULL, NULL, sid_type, unixname,
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3babanidmap_unixname2sid_batch_add1(idmap_query_state_t *state,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright char **dname, idmap_id_type *sid_type, idmap_retcode *rc)
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban /* Get unixuser or unixgroup AD attribute name */
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban /* Assemble filter */
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai (void) asprintf(&filter, "(&(objectclass=%s)(%s=%s))",
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai is_wuser ? "user" : "group", attrname, s_unixname);
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright IDMAP_POSIXID, dn, NULL, NULL, name, dname, sid, rid, sid_type,
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desaiidmap_pid2sid_batch_add1(idmap_query_state_t *state,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright char **dname, idmap_id_type *sid_type, idmap_retcode *rc)
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai /* Assemble filter */
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai retcode = idmap_batch_add1(state, filter, NULL, NULL,
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright IDMAP_POSIXID, dn, NULL, NULL, name, dname, sid, rid, sid_type,
e3f2c991a8548408db0a2787bd8b43d5124821d3Keyur Desai if (retcode == IDMAP_SUCCESS && value != NULL) {