sysdb_ops.c revision 95d3cb8d4ff2e3e8fdc186f2ebf617fd29ddfdec
/*
SSSD
System Database
Copyright (C) Simo Sorce <ssorce@redhat.com> 2008
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "db/sysdb_private.h"
#include "util/crypto/sss_crypto.h"
#include <time.h>
{
int ret;
if (ret == LDB_SUCCESS) {
}
return ENOMEM;
}
{
int ret;
if (ret == LDB_SUCCESS) {
}
return ENOMEM;
}
{
long long int l;
if (!v || !v->data) {
return 0;
}
errno = 0;
if (errno) {
return (uint32_t)-1;
}
if (l < 0 || l > ((uint32_t)(-1))) {
return (uint32_t)-1;
}
return l;
}
#define ERROR_OUT(v, r, l) do { v = r; goto l; } while(0)
/* =Remove-Entry-From-Sysdb=============================================== */
bool ignore_not_found)
{
int ret;
switch (ret) {
case LDB_SUCCESS:
return EOK;
case LDB_ERR_NO_SUCH_OBJECT:
if (ignore_not_found) {
return EOK;
}
/* fall through */
default:
return sysdb_error_to_errno(ret);
}
}
/* =Remove-Subentries-From-Sysdb=========================================== */
bool ignore_not_found)
{
struct ldb_message **msgs;
int ret;
int i;
if (!tmp_ctx) {
return ENOMEM;
}
if (ret) {
goto done;
}
LDB_SCOPE_SUBTREE, "(distinguishedName=*)",
if (ret) {
}
if (ret) {
}
goto done;
}
sizeof(struct ldb_message *), compare_ldb_dn_comp_num);
for (i = 0; i < msgs_count; i++) {
if (ret) {
goto done;
}
}
done:
} else {
}
return ret;
}
/* =Search-Entry========================================================== */
int scope,
const char *filter,
const char **attrs,
struct ldb_message ***msgs)
{
struct ldb_result *res;
int ret;
if (ret) {
return sysdb_error_to_errno(ret);
}
return ENOENT;
}
return EOK;
}
const char *name,
const char **attrs,
struct ldb_message **msg)
{
size_t msgs_count = 0;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto done;
}
if (ret) {
goto done;
}
done:
if (ret) {
}
return ret;
}
const char **attrs,
struct ldb_message **msg)
{
size_t msgs_count = 0;
char *filter;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto done;
}
if (!filter) {
goto done;
}
/* Use SUBTREE scope here, not ONELEVEL
* There is a bug in LDB that makes ONELEVEL searches extremely
* slow (it ignores indexing)
*/
if (ret) {
goto done;
}
done:
if (ret) {
}
return ret;
}
const char *name,
const char **attrs,
struct ldb_message **msg)
{
size_t msgs_count = 0;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto done;
}
if (ret) {
goto done;
}
done:
if (ret) {
}
return ret;
}
const char **attrs,
struct ldb_message **msg)
{
size_t msgs_count = 0;
char *filter;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto done;
}
if (!filter) {
goto done;
}
/* Use SUBTREE scope here, not ONELEVEL
* There is a bug in LDB that makes ONELEVEL searches extremely
* slow (it ignores indexing)
*/
if (ret) {
goto done;
}
done:
if (ret) {
}
return ret;
}
/* =Search-Group-by-Name============================================ */
const char *name,
const char **attrs,
struct ldb_message **msg)
{
size_t msgs_count = 0;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto done;
}
if (ret) {
goto done;
}
done:
if (ret) {
}
return ret;
}
/* =Replace-Attributes-On-Entry=========================================== */
struct sysdb_attrs *attrs,
int mod_op)
{
struct ldb_message *msg;
int i, ret;
if (!tmp_ctx) {
return ENOMEM;
}
return EINVAL;
}
if (!msg) {
return ENOMEM;
}
goto fail;
}
}
fail:
if (ret) {
}
return ret;
}
/* =Replace-Attributes-On-User============================================ */
const char *name,
struct sysdb_attrs *attrs,
int mod_op)
{
if (!tmp_ctx) {
return ENOMEM;
}
if (!dn) {
return ENOMEM;
}
}
/* =Replace-Attributes-On-Group=========================================== */
const char *name,
struct sysdb_attrs *attrs,
int mod_op)
{
if (!tmp_ctx) {
return ENOMEM;
}
if (!dn) {
return ENOMEM;
}
}
/* =Replace-Attributes-On-Netgroup=========================================== */
const char *name,
struct sysdb_attrs *attrs,
int mod_op)
{
if (!tmp_ctx) {
return ENOMEM;
}
if (!dn) {
goto done;
}
done:
return ret;
}
/* =Get-New-ID============================================================ */
{
char *filter;
struct ldb_message **msgs;
struct ldb_message *msg;
int ret;
int i;
if (!tmp_ctx) {
return ENOMEM;
}
if (!base_dn) {
return ENOMEM;
}
if (ret) {
return ret;
}
switch (ret) {
case EOK:
goto done;
}
}
DEBUG(0, ("Failed to allocate new id, out of range (%u/%u)\n",
goto done;
}
break;
case ENOENT:
/* looks like the domain is not initialized yet, use min_id */
break;
default:
goto done;
}
count = 0;
/* verify the id is actually really free.
* search all entries with id >= new_id and < max_id */
"(|(&(%s>=%u)(%s<=%u))(&(%s>=%u)(%s<=%u)))",
}
else {
"(|(%s>=%u)(%s>=%u))",
}
if (!filter) {
goto done;
}
switch (ret) {
/* if anything was found, find the maximum and increment past it */
case EOK:
for (i = 0; i < count; i++) {
}
}
}
new_id++;
/* check again we are not falling out of range */
DEBUG(0, ("Failed to allocate new id, out of range (%u/%u)\n",
goto done;
}
break;
case ENOENT:
break;
default:
goto done;
}
count = 0;
/* finally store the new next id */
if (!msg) {
goto done;
}
if (ret) {
goto done;
}
done:
} else {
}
if (ret) {
}
return ret;
}
/* =Add-Basic-User-NO-CHECKS============================================== */
const char *name,
const char *gecos,
const char *homedir,
const char *shell)
{
struct ldb_message *msg;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!msg) {
return ENOMEM;
}
/* user dn */
}
/* We set gecos to be the same as fullname on user creation,
* But we will not enforce coherency after that, it's up to
* admins to decide if they want to keep it in sync if they change
* one of the 2 */
}
}
}
/* creation time */
done:
if (ret) {
}
return ret;
}
/* =Add-User-Function===================================================== */
const char *name,
const char *gecos,
const char *homedir,
const char *shell,
struct sysdb_attrs *attrs,
int cache_timeout)
{
struct ldb_message *msg;
struct sysdb_attrs *id_attrs;
int ret;
if (gid != 0) {
DEBUG(0, ("Cannot add user with arbitrary GID in MPG domain!\n"));
return EINVAL;
}
}
return ERANGE;
}
return ERANGE;
}
if (!tmp_ctx) {
return ENOMEM;
}
if (ret) {
return ret;
}
/* In MPG domains you can't have groups with the same name as users,
* search if a group with the same name exists.
* Don't worry about users, if we try to add a user with the same
* name the operation will fail */
goto done;
}
}
/* check no other user with the same uid exist */
if (uid != 0) {
goto done;
}
}
/* try to add the user */
if (uid == 0) {
if (!id_attrs) {
goto done;
}
}
goto done;
}
if (!attrs) {
if (!attrs) {
goto done;
}
}
((cache_timeout) ?
(now + cache_timeout) : 0));
done:
} else {
}
return ret;
}
const char *name,
const char *original_dn)
{
struct ldb_message *msg;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!msg) {
}
/* user dn */
}
(unsigned long) now);
/* set last login so that the fake entry does not get cleaned up
* immediately */
(unsigned long) now);
(unsigned long) now);
(unsigned long) now-1);
if (original_dn) {
}
done:
}
return ret;
}
/* =Add-Basic-Group-NO-CHECKS============================================= */
{
struct ldb_message *msg;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!msg) {
return ENOMEM;
}
/* group dn */
}
/* creation time */
done:
if (ret) {
}
return ret;
}
/* =Add-Group-Function==================================================== */
struct sysdb_attrs *attrs,
int cache_timeout)
{
struct ldb_message *msg;
int ret;
bool posix;
return ERANGE;
}
if (!tmp_ctx) {
return ENOMEM;
}
if (ret) {
return ret;
}
/* In MPG domains you can't have groups with the same name as users,
* search if a group with the same name exists.
* Don't worry about users, if we try to add a user with the same
* name the operation will fail */
goto done;
}
}
/* check no other groups with the same gid exist */
if (gid != 0) {
goto done;
}
}
/* try to add the group */
if (!attrs) {
if (!attrs) {
goto done;
}
}
posix = true;
goto done;
}
}
((cache_timeout) ?
(now + cache_timeout) : 0));
done:
} else {
}
return ret;
}
const char *name,
const char *original_dn,
bool posix)
{
int ret;
struct sysdb_attrs *attrs;
if (!tmp_ctx) {
return ENOMEM;
}
/* try to add the group */
if (!attrs) {
goto done;
}
now-1);
if (original_dn) {
}
done:
}
return ret;
}
/* =Add-Or-Remove-Group-Memeber=========================================== */
/* mod_op must be either SYSDB_MOD_ADD or SYSDB_MOD_DEL */
int mod_op)
{
struct ldb_message *msg;
const char *dn;
int ret;
if (!msg) {
}
if (ret != LDB_SUCCESS) {
}
if (!dn) {
}
if (ret != LDB_SUCCESS) {
}
fail:
if (ret) {
}
return ret;
}
/* =Add-Basic-Netgroup-NO-CHECKS============================================= */
const char *name, const char *description)
{
struct ldb_message *msg;
int ret;
if (!msg) {
return ENOMEM;
}
/* netgroup dn */
}
if (description && *description) {
}
/* creation time */
done:
if (ret) {
}
return ret;
}
/* =Add-Netgroup-Function==================================================== */
const char *name,
const char *description,
struct sysdb_attrs *attrs,
int cache_timeout)
{
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (ret) {
return ret;
}
/* try to add the netgroup */
if (!attrs) {
if (!attrs) {
goto done;
}
}
((cache_timeout) ?
(now + cache_timeout) : 0));
done:
}
}
return ret;
}
/* if one of the basic attributes is empty ("") as opposed to NULL,
* this will just remove it */
const char *name,
const char *pwd,
const char *gecos,
const char *homedir,
const char *shell,
struct sysdb_attrs *attrs,
char **remove_attrs,
{
struct ldb_message *msg;
int ret;
bool in_transaction = false;
if (!tmp_ctx) {
return ENOMEM;
}
if (!attrs) {
if (!attrs) {
goto done;
}
}
}
in_transaction = true;
goto done;
}
/* users doesn't exist, turn into adding a user */
goto done;
}
/* the user exists, let's just replace attributes when set */
if (uid) {
}
if (gid) {
}
}
if (gecos) {
}
if (homedir) {
}
if (shell) {
}
((cache_timeout) ?
(now + cache_timeout) : 0));
if (remove_attrs) {
}
}
done:
if (in_transaction) {
}
}
}
}
}
if (ret) {
}
return ret;
}
/* this function does not check that all user members are actually present */
const char *name,
struct sysdb_attrs *attrs,
{
struct ldb_message *msg;
bool new_group = false;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
goto done;
}
new_group = true;
}
if (!attrs) {
if (!attrs) {
goto done;
}
}
/* FIXME: use the remote modification timestamp to know if the
* group needs any update */
if (new_group) {
/* group doesn't exist, turn into adding a group */
goto done;
}
/* the group exists, let's just replace attributes when set */
if (gid) {
}
((cache_timeout) ?
(now + cache_timeout) : 0));
done:
if (ret) {
}
return ret;
}
const char *group,
const char *member,
enum sysdb_member_type type)
{
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!group_dn) {
goto done;
}
if (type == SYSDB_MEMBER_USER) {
if (!member_dn) {
goto done;
}
} else if (type == SYSDB_MEMBER_GROUP) {
if (!member_dn) {
goto done;
}
} else {
goto done;
}
done:
return ret;
}
const char *group,
const char *member,
enum sysdb_member_type type)
{
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!group_dn) {
goto done;
}
if (type == SYSDB_MEMBER_USER) {
if (!member_dn) {
goto done;
}
} else if (type == SYSDB_MEMBER_GROUP) {
if (!member_dn) {
goto done;
}
} else {
goto done;
}
done:
return ret;
}
/* =Password-Caching====================================================== */
const char *username,
const char *password)
{
struct sysdb_attrs *attrs;
char *salt;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (ret) {
goto fail;
}
if (ret) {
goto fail;
}
if (!attrs) {
}
/* FIXME: should we use a different attribute for chache passwords ?? */
if (ret) {
goto fail;
}
return EOK;
fail:
if (ret) {
}
return ret;
}
/* =Custom Search================== */
const char *filter,
const char *subtree_name,
const char **attrs,
struct ldb_message ***msgs)
{
int ret;
return EINVAL;
}
return ENOMEM;
}
if (!ldb_dn_validate(basedn)) {
return EINVAL;
}
msgs_count, msgs);
return ret;
}
const char *object_name,
const char *subtree_name,
const char **attrs,
struct ldb_message ***_msgs)
{
struct ldb_message **msgs;
int ret;
return EINVAL;
}
if (!tmp_ctx) {
return ENOMEM;
}
goto done;
}
if (!ldb_dn_validate(basedn)) {
goto done;
}
if (ret) {
goto done;
}
if (count > 1) {
goto done;
}
done:
return ret;
}
/* =Custom Store (replaces-existing-data)================== */
const char *object_name,
const char *subtree_name,
struct sysdb_attrs *attrs)
{
size_t resp_count = 0;
struct ldb_message **resp;
struct ldb_message *msg;
struct ldb_message_element *el;
bool add_object = false;
int ret;
int i;
return EINVAL;
}
if (ret) {
return sysdb_error_to_errno(ret);
}
if (!tmp_ctx) {
goto done;
}
goto done;
}
add_object = true;
}
goto done;
}
goto done;
}
goto done;
}
if (add_object) {
} else {
} else {
}
}
}
if (add_object) {
} else {
}
if (ret != LDB_SUCCESS) {
}
done:
if (ret) {
} else {
}
return ret;
}
/* = Custom Delete======================================= */
const char *object_name,
const char *subtree_name)
{
int ret;
return EINVAL;
}
if (!tmp_ctx) {
return ENOMEM;
}
goto done;
}
switch (ret) {
case LDB_SUCCESS:
case LDB_ERR_NO_SUCH_OBJECT:
break;
default:
break;
}
done:
return ret;
}
/* = ASQ search request ======================================== */
const char *expression,
const char *asq_attribute,
const char **attrs,
struct ldb_message ***msgs)
{
struct ldb_request *ldb_req;
struct ldb_control **ctrl;
struct ldb_asq_control *asq_control;
struct ldb_result *res;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
goto fail;
}
goto fail;
}
if (asq_control == NULL) {
goto fail;
}
goto fail;
}
if (!res) {
return ENOMEM;
}
if (ret != LDB_SUCCESS) {
goto fail;
}
if (ret == LDB_SUCCESS) {
}
if (ret) {
goto fail;
}
return EOK;
fail:
return ret;
}
/* =Search-Users-with-Custom-Filter====================================== */
const char *sub_filter,
const char **attrs,
struct ldb_message ***msgs)
{
char *filter;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto fail;
}
if (!filter) {
goto fail;
}
msgs_count, msgs);
if (ret) {
goto fail;
}
return EOK;
fail:
return ret;
}
/* =Delete-User-by-Name-OR-uid============================================ */
{
struct ldb_message *msg;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (name) {
} else {
}
if (ret) {
goto fail;
}
const char *c_name;
goto fail;
}
/* this is not the entry we are looking for */
goto fail;
}
}
if (ret) {
goto fail;
}
return EOK;
fail:
return ret;
}
/* =Search-Groups-with-Custom-Filter===================================== */
const char *sub_filter,
const char **attrs,
struct ldb_message ***msgs)
{
char *filter;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto fail;
}
if (!filter) {
goto fail;
}
msgs_count, msgs);
if (ret) {
goto fail;
}
return EOK;
fail:
return ret;
}
/* =Delete-Group-by-Name-OR-gid=========================================== */
{
struct ldb_message *msg;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (name) {
} else {
}
if (ret) {
goto fail;
}
const char *c_name;
goto fail;
}
/* this is not the entry we are looking for */
goto fail;
}
}
if (ret) {
goto fail;
}
return EOK;
fail:
return ret;
}
/* =Search-Netgroups-with-Custom-Filter===================================== */
const char *sub_filter,
const char **attrs,
struct ldb_message ***msgs)
{
char *filter;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
if (!basedn) {
goto fail;
}
if (!filter) {
goto fail;
}
msgs_count, msgs);
if (ret) {
goto fail;
}
return EOK;
fail:
return ret;
}
/* =Delete-Netgroup-by-Name============================================== */
const char *name)
{
struct ldb_message *msg;
int ret;
if (!tmp_ctx) {
return ENOMEM;
}
goto done;
goto done;
}
goto done;
}
done:
}
return ret;
}
/* ========= Authentication against cached password ============ */
struct ldb_message *ldb_msg,
{
int ret;
int failed_login_delay;
if (!tmp_ctx) {
return ENOMEM;
}
*delayed_until = -1;
"attempts.\n"));
return EIO;
}
return EIO;
}
"failed login delay [%d].\n", *failed_login_attempts,
if (failed_login_delay) {
"resetting failed_login_attempts.\n"));
*failed_login_attempts = 0;
} else {
*delayed_until = end;
return EACCES;
}
} else {
return EACCES;
}
}
}
return EOK;
}
const char *name,
struct confdb_ctx *cdb,
bool just_check,
{
"lastCachedPasswordChange",
"accountExpires", SYSDB_FAILED_LOGIN_ATTEMPTS,
struct ldb_message *ldb_msg;
const char *userhash;
char *comphash;
int cred_expiration;
struct sysdb_attrs *update_attrs;
bool authentication_successful = false;
int ret;
int i;
return EINVAL;
}
return EINVAL;
}
return EINVAL;
}
return EINVAL;
}
if (!tmp_ctx) {
return ENOMEM;
}
if (ret) {
return ret;
}
goto done;
}
/* Check offline_auth_cache_timeout */
0);
goto done;
}
if (cred_expiration) {
expire_date = 0;
goto done;
}
} else {
expire_date = 0;
}
goto done;
}
/* TODO: verify user account (disabled, expired ...) */
goto done;
}
goto done;
}
if (ret) {
goto done;
}
if (update_attrs == NULL) {
goto done;
}
/* TODO: probable good point for audit logging */
authentication_successful = true;
if (just_check) {
goto done;
}
"but authentication is successful.\n"));
goto done;
}
"but authentication is successful.\n"));
goto done;
}
} else {
authentication_successful = false;
goto done;
}
goto done;
}
}
if (ret) {
}
done:
if (_expire_date != NULL) {
}
if (_delayed_until != NULL) {
}
if (ret) {
} else {
if (ret) {
}
}
if (authentication_successful) {
} else {
}
}
return ret;
}
const char *member,
enum sysdb_member_type type,
const char *const *add_groups,
const char *const *del_groups)
{
int i;
if(!tmp_ctx) {
return ENOMEM;
}
DEBUG(0, ("Failed to start update transaction\n"));
goto done;
}
if (add_groups) {
/* Add the user to all add_groups */
for (i = 0; add_groups[i]; i++) {
type);
/* Continue on, we should try to finish the rest */
}
}
}
if (del_groups) {
/* Remove the user from all del_groups */
for (i = 0; del_groups[i]; i++) {
type);
/* Continue on, we should try to finish the rest */
}
}
}
done:
}
return ret;
}
const char *netgroup,
const char *hostname,
const char *username,
const char *domainname)
{
}
const char *netgroup,
const char *hostname,
const char *username,
const char *domainname)
{
}
const char *netgroup,
const char *hostname,
const char *username,
const char *domainname,
int mod_op)
{
int lret;
struct ldb_message *msg;
char *triple;
if (!msg) {
}
}
if (!triple) {
}
goto done;
}
done:
if (ret) {
}
return ret;
}
const char *netgroup,
const char *member_netgroup)
{
}
const char *netgroup,
const char *member_netgroup)
{
}
const char *netgroup,
const char *member_netgroup,
int mod_op)
{
int lret;
struct ldb_message *msg;
char *member;
if (!msg) {
}
}
if (!member) {
goto done;
}
goto done;
}
done:
if (ret) {
}
return ret;
}
const char *name,
enum sysdb_member_type type,
char **remove_attrs)
{
bool in_transaction = false;
struct ldb_message *msg;
int lret;
size_t i;
if (type == SYSDB_MEMBER_USER) {
goto done;
}
} else if (type == SYSDB_MEMBER_GROUP) {
goto done;
}
} else {
goto done;
}
in_transaction = true;
for (i = 0; remove_attrs[i]; i++) {
/* SYSDB_MEMBEROF is exclusively handled by the memberof plugin */
continue;
}
remove_attrs[i], name));
if (lret != LDB_SUCCESS) {
goto done;
}
/* We need to do individual modifies so that we can
* skip unknown attributes. Otherwise, any nonexistent
* attribute in the sysdb will cause other removals to
* fail.
*/
goto done;
}
/* Remove this attribute and move on to the next one */
}
done:
if (in_transaction) {
}
}
}
}
}
return ret;
}