e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * CDDL HEADER START
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * The contents of this file are subject to the terms of the
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * Common Development and Distribution License (the "License").
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * You may not use this file except in compliance with the License.
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * See the License for the specific language governing permissions
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * and limitations under the License.
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * When distributing Covered Code, include this CDDL HEADER in each
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * If applicable, add the following below this CDDL HEADER, with the
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * fields enclosed by brackets "[]" replaced with your own identifying
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * information: Portions Copyright [yyyy] [name of copyright owner]
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * CDDL HEADER END
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
528b7d8ba791f2da280ff1ddd45c61eb47a2744eRichard Lowe * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban * native LDAP related utility routines
479ac37569625bae44ffb80071d4bc865fc710eddm * The following are format strings used to construct LDAP search filters
479ac37569625bae44ffb80071d4bc865fc710eddm * when looking up Native LDAP directory service. The _F_XXX_SSD format
479ac37569625bae44ffb80071d4bc865fc710eddm * is used by the libsldap API if a corresponding SSD is defined in
479ac37569625bae44ffb80071d4bc865fc710eddm * Native LDAP configuration. The SSD contains a string that replaces
479ac37569625bae44ffb80071d4bc865fc710eddm * the first %s in _F_XXX_SSD. If no SSD is defined then the regular
479ac37569625bae44ffb80071d4bc865fc710eddm * _F_XXX format is used.
479ac37569625bae44ffb80071d4bc865fc710eddm * Note that '\\' needs to be represented as "\\5c" in LDAP filters.
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP lookup using UNIX username */
479ac37569625bae44ffb80071d4bc865fc710eddm#define _F_GETPWNAM "(&(objectClass=posixAccount)(uid=%s))"
479ac37569625bae44ffb80071d4bc865fc710eddm * Native LDAP user lookup using names of well-known SIDs
479ac37569625bae44ffb80071d4bc865fc710eddm * Note the use of 1$, 2$ in the format string which basically
479ac37569625bae44ffb80071d4bc865fc710eddm * allows snprintf to re-use its first two arguments.
479ac37569625bae44ffb80071d4bc865fc710eddm "(&(objectClass=posixAccount)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm#define _F_GETPWWNAMWK_SSD "(&(%%s)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP user lookup using winname@windomain OR windomain\winname */
479ac37569625bae44ffb80071d4bc865fc710eddm "(&(objectClass=posixAccount)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm#define _F_GETPWWNAMDOM_SSD "(&(%%s)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP lookup using UID */
479ac37569625bae44ffb80071d4bc865fc710eddm#define _F_GETPWUID "(&(objectClass=posixAccount)(uidNumber=%u))"
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP lookup using UNIX groupname */
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP group lookup using names of well-known SIDs */
479ac37569625bae44ffb80071d4bc865fc710eddm "(&(objectClass=posixGroup)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm#define _F_GETGRWNAMWK_SSD "(&(%%s)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP group lookup using winname@windomain OR windomain\winname */
479ac37569625bae44ffb80071d4bc865fc710eddm "(&(objectClass=posixGroup)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm#define _F_GETGRWNAMDOM_SSD "(&(%%s)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP lookup using GID */
479ac37569625bae44ffb80071d4bc865fc710eddm#define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))"
479ac37569625bae44ffb80071d4bc865fc710eddm/* Native LDAP attribute names */
479ac37569625bae44ffb80071d4bc865fc710eddm#define IS_NLDAP_RC_FATAL(x) ((x == NS_LDAP_MEMORY) ? 1 : 0)
479ac37569625bae44ffb80071d4bc865fc710eddm * This routine has been copied from lib/nsswitch/ldap/common/ldap_utils.c
479ac37569625bae44ffb80071d4bc865fc710eddm * after removing the debug statements.
479ac37569625bae44ffb80071d4bc865fc710eddm * This is a generic filter callback function for merging the filter
479ac37569625bae44ffb80071d4bc865fc710eddm * from service search descriptor with an existing search filter. This
479ac37569625bae44ffb80071d4bc865fc710eddm * routine expects userdata to contain a format string with a single %s
479ac37569625bae44ffb80071d4bc865fc710eddm * in it, and will use the format string with sprintf() to insert the
479ac37569625bae44ffb80071d4bc865fc710eddm * SSD filter.
479ac37569625bae44ffb80071d4bc865fc710eddm * This routine and userdata are passed to the __ns_ldap_list_batch_add()
479ac37569625bae44ffb80071d4bc865fc710eddm * Consider an example that uses __ns_ldap_list_batch_add() to lookup
479ac37569625bae44ffb80071d4bc865fc710eddm * native LDAP directory using a given userid 'xy12345'. In this
479ac37569625bae44ffb80071d4bc865fc710eddm * example the userdata will contain the filter "(&(%s)(cn=xy1234))".
479ac37569625bae44ffb80071d4bc865fc710eddm * If a SSD is defined to replace the rfc2307bis specified filter
479ac37569625bae44ffb80071d4bc865fc710eddm * i.e. (objectClass=posixAccount) by a site-specific filter
479ac37569625bae44ffb80071d4bc865fc710eddm * say (department=sds) then this routine when called will produce
479ac37569625bae44ffb80071d4bc865fc710eddm * "(&(department=sds)(uid=xy1234))" as the real search filter.
479ac37569625bae44ffb80071d4bc865fc710eddm if (desc == NULL || desc->filter == NULL || userdata == NULL)
528b7d8ba791f2da280ff1ddd45c61eb47a2744eRichard Lowe /* Parameter check. We only want one %s here, otherwise bail. */
528b7d8ba791f2da280ff1ddd45c61eb47a2744eRichard Lowe len = 0; /* Reuse 'len' as "Number of %s hits"... */
479ac37569625bae44ffb80071d4bc865fc710eddm (void) sprintf(*realfilter, (char *)userdata, desc->filter);
479ac37569625bae44ffb80071d4bc865fc710eddm * If the input string contains special characters that needs to be
479ac37569625bae44ffb80071d4bc865fc710eddm * escaped before the string can be used in a LDAP filter then this
479ac37569625bae44ffb80071d4bc865fc710eddm * function will return a new sanitized string. Otherwise this function
479ac37569625bae44ffb80071d4bc865fc710eddm * returns the input string (This saves us un-necessary memory allocations
479ac37569625bae44ffb80071d4bc865fc710eddm * especially when processing a batch of requests). The caller must free
479ac37569625bae44ffb80071d4bc865fc710eddm * the returned string if it isn't the input string.
479ac37569625bae44ffb80071d4bc865fc710eddm * The escape mechanism for LDAP filter is described in RFC2254 basically
479ac37569625bae44ffb80071d4bc865fc710eddm * it's \hh where hh are the two hexadecimal digits representing the ASCII
479ac37569625bae44ffb80071d4bc865fc710eddm * value of the encoded character (case of hh is not significant).
479ac37569625bae44ffb80071d4bc865fc710eddm * Example: * -> \2a, ( -> \28, ) -> \29, \ -> \5c,
479ac37569625bae44ffb80071d4bc865fc710eddm * outstring = sanitize_for_ldap_filter(instring);
479ac37569625bae44ffb80071d4bc865fc710eddm * if (outstring == NULL)
479ac37569625bae44ffb80071d4bc865fc710eddm * Out of memory
479ac37569625bae44ffb80071d4bc865fc710eddm * Use outstring
479ac37569625bae44ffb80071d4bc865fc710eddm * if (outstring != instring)
479ac37569625bae44ffb80071d4bc865fc710eddm * free(outstring);
479ac37569625bae44ffb80071d4bc865fc710eddm const char *p;
479ac37569625bae44ffb80071d4bc865fc710eddm /* Get a count of special characters */
479ac37569625bae44ffb80071d4bc865fc710eddm for (p = str, n = 0; *p; p++)
479ac37569625bae44ffb80071d4bc865fc710eddm /* If count is zero then no need to sanitize */
479ac37569625bae44ffb80071d4bc865fc710eddm if (n == 0)
479ac37569625bae44ffb80071d4bc865fc710eddm return ((char *)str);
479ac37569625bae44ffb80071d4bc865fc710eddm /* Create output buffer that will contain the sanitized value */
479ac37569625bae44ffb80071d4bc865fc710eddm *q++ = '\\';
479ac37569625bae44ffb80071d4bc865fc710eddm *q++ = *p;
479ac37569625bae44ffb80071d4bc865fc710eddm * Map libsldap status to idmap status
479ac37569625bae44ffb80071d4bc865fc710eddm switch (rc) {
479ac37569625bae44ffb80071d4bc865fc710eddm /*NOTREACHED*/
479ac37569625bae44ffb80071d4bc865fc710eddm * Create a batch for native LDAP lookup.
479ac37569625bae44ffb80071d4bc865fc710eddmidmap_nldap_lookup_batch_start(int nqueries, idmap_nldap_query_state_t **qs)
479ac37569625bae44ffb80071d4bc865fc710eddm if (__ns_ldap_list_batch_start(&s->batch) != NS_LDAP_SUCCESS) {
479ac37569625bae44ffb80071d4bc865fc710eddm * Add a lookup by winname request to the batch.
479ac37569625bae44ffb80071d4bc865fc710eddmidmap_nldap_bywinname_batch_add(idmap_nldap_query_state_t *qs,
08f0d8da054d72c87f9a35f2ea891d2c3541ceb5afshin salek ardakani - Sun Microsystems - Irvine United States if (lookup_wksids_name2sid(winname, NULL, NULL, NULL, NULL,
08f0d8da054d72c87f9a35f2ea891d2c3541ceb5afshin salek ardakani - Sun Microsystems - Irvine United States NULL, NULL) == IDMAP_SUCCESS) {
08f0d8da054d72c87f9a35f2ea891d2c3541ceb5afshin salek ardakani - Sun Microsystems - Irvine United States if (lookup_wksids_name2sid(winname, NULL, NULL, NULL, NULL,
08f0d8da054d72c87f9a35f2ea891d2c3541ceb5afshin salek ardakani - Sun Microsystems - Irvine United States NULL, NULL) == IDMAP_SUCCESS) {
479ac37569625bae44ffb80071d4bc865fc710eddm * Sanitize names. No need to sanitize qs->nldap_winname_attr
479ac37569625bae44ffb80071d4bc865fc710eddm * because if it contained any of the special characters then
479ac37569625bae44ffb80071d4bc865fc710eddm * it would have been rejected by the function that reads it
479ac37569625bae44ffb80071d4bc865fc710eddm * from the SMF config. LDAP attribute names can only contain
479ac37569625bae44ffb80071d4bc865fc710eddm * letters, digits or hyphens.
479ac37569625bae44ffb80071d4bc865fc710eddm /* windomain could be NULL for names of well-known SIDs */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Construct the filter and udata using snprintf. */
479ac37569625bae44ffb80071d4bc865fc710eddm q->lrc = __ns_ldap_list_batch_add(qs->batch, db, q->filter,
479ac37569625bae44ffb80071d4bc865fc710eddm /* query q and its content will be freed by batch_release */
479ac37569625bae44ffb80071d4bc865fc710eddm return (*q->rc);
479ac37569625bae44ffb80071d4bc865fc710eddm * Add a lookup by uid/gid request to the batch.
479ac37569625bae44ffb80071d4bc865fc710eddmidmap_nldap_bypid_batch_add(idmap_nldap_query_state_t *qs,
479ac37569625bae44ffb80071d4bc865fc710eddm uid_t pid, int is_user, char **dn, char **attr, char **value,
479ac37569625bae44ffb80071d4bc865fc710eddm q->lrc = __ns_ldap_list_batch_add(qs->batch, db, q->filter,
479ac37569625bae44ffb80071d4bc865fc710eddm * Add a lookup by user/group name request to the batch.
479ac37569625bae44ffb80071d4bc865fc710eddmidmap_nldap_byunixname_batch_add(idmap_nldap_query_state_t *qs,
479ac37569625bae44ffb80071d4bc865fc710eddm char **winname, char **windomain, uid_t *pid, idmap_retcode *rc)
479ac37569625bae44ffb80071d4bc865fc710eddm q->lrc = __ns_ldap_list_batch_add(qs->batch, db, q->filter,
479ac37569625bae44ffb80071d4bc865fc710eddm * Free the batch
479ac37569625bae44ffb80071d4bc865fc710eddmidmap_nldap_lookup_batch_release(idmap_nldap_query_state_t *qs)
479ac37569625bae44ffb80071d4bc865fc710eddm * Process all requests added to the batch and then free the batch.
479ac37569625bae44ffb80071d4bc865fc710eddm * The results for individual requests will be accessible using the
479ac37569625bae44ffb80071d4bc865fc710eddm * pointers passed during idmap_nldap_lookup_batch_end.
479ac37569625bae44ffb80071d4bc865fc710eddmidmap_nldap_lookup_batch_end(idmap_nldap_query_state_t *qs)
479ac37569625bae44ffb80071d4bc865fc710eddm /* Get uid/gid */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Get unixname */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Get DN for how info */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Get nldap name mapping attr name for how info */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Get nldap name mapping attr value for how info */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Get winname and windomain */
479ac37569625bae44ffb80071d4bc865fc710eddm * We need to split the value into winname and
479ac37569625bae44ffb80071d4bc865fc710eddm * windomain. The value could be either in NT4
479ac37569625bae44ffb80071d4bc865fc710eddm * style (i.e. dom\name) or AD-style (i.e. name@dom).
479ac37569625bae44ffb80071d4bc865fc710eddm * We choose the first '\\' if it's in NT4 style and
479ac37569625bae44ffb80071d4bc865fc710eddm * the last '@' if it's in AD-style for the split.
08f0d8da054d72c87f9a35f2ea891d2c3541ceb5afshin salek ardakani - Sun Microsystems - Irvine United States if (lookup_wksids_name2sid(*val, NULL, NULL, NULL, NULL, NULL,
08f0d8da054d72c87f9a35f2ea891d2c3541ceb5afshin salek ardakani - Sun Microsystems - Irvine United States NULL) == IDMAP_SUCCESS) {
479ac37569625bae44ffb80071d4bc865fc710eddm return (rc);
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3baban/* ARGSUSED */
e8c27ec857e6e2db8c4fe56938b70a89b5bed9f3babannldap_lookup_batch(lookup_state_t *state, idmap_mapping_batch *batch,
479ac37569625bae44ffb80071d4bc865fc710eddm /* Create nldap lookup batch */
479ac37569625bae44ffb80071d4bc865fc710eddm retcode = idmap_nldap_lookup_batch_start(state->nldap_nqueries, &qs);
479ac37569625bae44ffb80071d4bc865fc710eddm "Failed to create batch for native LDAP lookup");
479ac37569625bae44ffb80071d4bc865fc710eddm /* Add requests to the batch */
479ac37569625bae44ffb80071d4bc865fc710eddm for (i = 0, add = 0; i < batch->idmap_mapping_batch_len; i++) {
479ac37569625bae44ffb80071d4bc865fc710eddm /* Skip if not marked for nldap lookup */
479ac37569625bae44ffb80071d4bc865fc710eddm /* win2unix request: */
479ac37569625bae44ffb80071d4bc865fc710eddm * When processing a win2unix request, nldap lookup
479ac37569625bae44ffb80071d4bc865fc710eddm * is performed after AD lookup or a successful
479ac37569625bae44ffb80071d4bc865fc710eddm * name-cache lookup. Therefore we should already
479ac37569625bae44ffb80071d4bc865fc710eddm * have sid, winname and sidtype. Note that
479ac37569625bae44ffb80071d4bc865fc710eddm * windomain could be NULL e.g. well-known SIDs.
479ac37569625bae44ffb80071d4bc865fc710eddm /* Skip if we already have pid and unixname */
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States res->id.idmap_id_u.uid != IDMAP_SENTINEL_PID) {
479ac37569625bae44ffb80071d4bc865fc710eddm /* Clear leftover value */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Lookup nldap by winname to get pid and unixname */
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright } else if (IS_ID_UID(req->id1) || IS_ID_GID(req->id1)) {
479ac37569625bae44ffb80071d4bc865fc710eddm /* unix2win request: */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Skip if we already have winname */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Clear old value */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Set how info */
479ac37569625bae44ffb80071d4bc865fc710eddm /* Lookup nldap by pid or unixname to get winname */
9fb67ea305c66b6a297583b9b0db6796b0dfe497afshin salek ardakani - Sun Microsystems - Irvine United States if (req->id1.idmap_id_u.uid != IDMAP_SENTINEL_PID) {
479ac37569625bae44ffb80071d4bc865fc710eddm * nldap_batch_add API returns error only on fatal failures
479ac37569625bae44ffb80071d4bc865fc710eddm * otherwise it returns success and the actual status
479ac37569625bae44ffb80071d4bc865fc710eddm * is stored in the individual request (res->retcode).
479ac37569625bae44ffb80071d4bc865fc710eddm * Stop adding requests to this batch on fatal failures
479ac37569625bae44ffb80071d4bc865fc710eddm * (i.e. if retcode != success)
479ac37569625bae44ffb80071d4bc865fc710eddm /* Reset nldap flag */
479ac37569625bae44ffb80071d4bc865fc710eddm * As noted earlier retcode != success if there were fatal
479ac37569625bae44ffb80071d4bc865fc710eddm * errors during batch_start and batch_adds. If so then set
479ac37569625bae44ffb80071d4bc865fc710eddm * the status of each nldap request to that error.
479ac37569625bae44ffb80071d4bc865fc710eddm * If we successfully retrieved winname from nldap entry
479ac37569625bae44ffb80071d4bc865fc710eddm * then lookup winname2sid locally. If not found locally
479ac37569625bae44ffb80071d4bc865fc710eddm * then mark this request for AD lookup.
08f0d8da054d72c87f9a35f2ea891d2c3541ceb5afshin salek ardakani - Sun Microsystems - Irvine United States NULL, NULL,
479ac37569625bae44ffb80071d4bc865fc710eddm * Unset non-fatal errors in individual request. This allows
479ac37569625bae44ffb80071d4bc865fc710eddm * the next pass to process other mapping mechanisms for
479ac37569625bae44ffb80071d4bc865fc710eddm * this request.