/*
SSSD
Authors:
Stephen Gallagher <sgallagh@redhat.com>
Copyright (C) 2012 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "util/strtonum.h"
#include "providers/ad/ad_common.h"
#include "providers/ad/ad_domain_info.h"
#include "providers/ldap/sdap_async_enum.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/ldap/sdap_async.h"
static void
{
return;
}
"but are not present on the server side. Global Catalog "
"lookups will be disabled\n");
AD_ENABLE_GC, false);
"Could not turn off GC support\n");
/* Not fatal */
}
}
struct sss_domain_info *domain,
int filter_type,
const char *filter_value)
{
bool shortcut = false;
goto done;
}
switch (filter_type) {
case BE_FILTER_IDNUM:
/* convert value to ID */
errno = 0;
if (errno != 0) {
goto done;
}
/* convert the ID to its SID equivalent */
if (err != IDMAP_SUCCESS) {
/* assume id is from a different domain */
shortcut = true;
goto done;
}
/* fall through */
case BE_FILTER_SECID:
goto done;
}
goto done;
}
shortcut = true;
}
break;
default:
break;
}
done:
}
return shortcut;
}
/* Per-request state for the account-info lookup that walks a list of
 * connections (the code below falls back from GC to LDAP and tries "the
 * next connection" on ENOENT / ERR_NO_POSIX). The recv function copies
 * dp_error and err out to the caller. */
struct ad_handle_acct_info_state {
/* Whether the PAC path was taken; presumably set where the send
 * function evaluates the PAC - confirm against that code. */
bool using_pac;
/* Data-provider error status of the last lookup attempt; copied out via
 * _dp_error in recv. The done callback expects it to be set whenever
 * GC was not used. */
int dp_error;
/* Human-readable error string for the last failed attempt; copied out
 * via _err in recv. May be NULL on success (presumably - confirm). */
const char *err;
};
struct tevent_req *
struct dp_id_data *ar,
struct sdap_id_ctx *ctx,
struct ad_options *ad_options,
struct sdap_domain *sdom,
struct sdap_id_conn_ctx **conn)
{
bool shortcut;
return NULL;
}
/* Try to shortcut if this is ID or SID search and it belongs to
* other domain range than is in ar->domain. */
ar->filter_value);
if (shortcut) {
goto immediate;
}
goto immediate;
}
goto immediate;
}
/* Lookup in progress */
return req;
} else {
}
return req;
}
static errno_t
{
struct ad_handle_acct_info_state);
bool noexist_delete = false;
int ret;
return EOK;
}
noexist_delete = true;
}
/* evaluate PAC */
msg);
return ENOMEM;
}
}
/* Fall through if there is no PAC or any other error */
}
return ENOMEM;
}
}
return EAGAIN;
}
static void
{
int dp_error;
int sdap_err;
const char *err;
struct tevent_req);
struct ad_handle_acct_info_state);
} else {
}
if (dp_error == DP_ERR_OFFLINE
/* This is a special case: GC does not work.
* We need to Fall back to ldap
*/
}
/* if GC was not used dp error should be set */
goto fail;
}
return;
} else if (sdap_err == ERR_NO_POSIX) {
goto fail;
}
/* Ret is only ENOENT or ERR_NO_POSIX now. Try the next connection */
/* No additional search in progress. Save the last
* error status, we'll be returning it.
*/
/* No more connections */
} else {
goto fail;
}
return;
}
/* Another lookup in progress */
return;
fail:
/* Deactivate subdomain on lookup errors instead of going
* offline completely.
* This is a stopgap, until our failover is per-domain,
* not per-backend. Unfortunately, we can't rewrite the error
* code on some reported codes only, because sdap_id_op code
* encapsulated the failover as well..
*/
}
return;
}
{
struct ad_handle_acct_info_state);
if (_dp_error) {
}
if (_err) {
}
return EOK;
}
struct sdap_id_conn_ctx **
{
case BE_REQ_USER: /* user */
break;
case BE_REQ_BY_SECID: /* by SID */
case BE_REQ_USER_AND_GROUP: /* get SID */
case BE_REQ_GROUP: /* group */
case BE_REQ_INITGROUPS: /* init groups for user */
break;
default:
/* Requests for other object should only contact LDAP by default */
break;
}
return clist;
}
/* Request state for the account-info DP handler.
 * NOTE(review): no members are visible in this excerpt; an empty struct
 * body is a GCC extension rather than ISO C, so confirm whether members
 * were dropped from this listing. */
struct ad_account_info_handler_state {
};
struct tevent_req *
struct dp_id_data *data,
struct dp_req_params *params)
{
struct ad_account_info_handler_state);
return NULL;
}
if (sdap_is_enum_request(data)) {
goto immediately;
}
/* Subdomain request, verify subdomain. */
}
goto immediately;
}
/* Determine whether to connect to GC, LDAP or try both. */
goto immediately;
}
goto immediately;
}
goto immediately;
}
return req;
/* TODO For backward compatibility we always return EOK to DP now. */
return req;
}
{
const char *err_msg;
int dp_error;
/* TODO For backward compatibility we always return EOK to DP now. */
}
struct tevent_req *req,
struct dp_reply_std *data)
{
return EOK;
}
/* State of one enumeration run (the ptask driven by ad_enumeration_*
 * below, which enumerates the main domain and then each subdomain). */
struct ad_enumeration_state {
/* Realm string used during enumeration; presumably the AD domain's
 * Kerberos realm - confirm where it is assigned in the send function. */
const char *realm;
};
struct tevent_req *
struct tevent_context *ev,
void *pvt)
{
goto fail;
}
goto fail;
}
goto fail;
}
goto fail;
}
return req;
fail:
return req;
}
static void
{
struct tevent_req);
struct ad_enumeration_state);
if (dp_error == DP_ERR_OFFLINE) {
"Backend is marked offline, retry later!\n");
} else {
"Domain enumeration failed to connect to " \
}
return;
}
return;
}
}
static void
{
struct tevent_req);
struct ad_enumeration_state);
char *flat_name;
char *master_sid;
char *forest;
return;
}
return;
}
return;
}
/* Execution will resume in ad_enumeration_done */
}
static errno_t
struct sdap_domain *sd,
{
struct ad_enumeration_state);
} else {
}
/* Groups are searched for in LDAP, users in GC. Services (if present,
* which is unlikely in AD) from LDAP as well
*/
sd,
user_conn, /* Users */
/* The ptask API will reschedule the enumeration on its own on
* failure */
"Failed to schedule enumeration, retrying later!\n");
return ENOMEM;
}
return EOK;
}
struct sss_domain_info *dom);
static void
{
struct tevent_req);
struct ad_enumeration_state);
if (ret == ERR_NO_POSIX) {
/* Retry enumerating the same domain again, this time w/o
* connecting to GC
*/
return;
}
/* Execution will resume in ad_enumeration_done */
return;
return;
}
do {
return;
}
/* Execution will resume in ad_enumeration_done */
return;
}
/* No more subdomains to enumerate. Check if we need to fixup
* cross-domain membership
*/
/* We did enumerate at least one subdomain. Walk the subdomains
* and fixup members for each of them
*/
"memberships for %s, group memberships might be "
continue;
}
}
}
}
const struct ldb_message *group,
struct sss_domain_info *dom,
char ***_group_only);
struct sss_domain_info *group_domain,
const char *member);
static errno_t
struct sss_domain_info *dom)
{
char *filter;
const char *attrs[] = {
};
bool in_transaction = false;
char **group_only;
goto done;
}
in_transaction = true;
goto done;
}
goto done;
}
for (i = 0; i < count; i++) {
continue;
} else if (group_only == NULL) {
continue;
}
/* Group has extra members */
continue;
}
}
}
goto done;
}
in_transaction = false;
done:
if (in_transaction) {
}
}
return ret;
}
static errno_t
static errno_t
{
const char *name;
char **sysdb_odn_list;
const char **group_odn_list;
*_group_only = NULL;
goto done;
}
goto done;
}
"Group %s has %d members but %d original members\n",
/* Get the list of originalDN attributes that are already
* linked to the group
*/
"Could not retrieve list of original members for %s\n",
name);
goto done;
}
/* Get the list of original DN attributes the group had in AD */
if (group_odn_list == NULL) {
goto done;
}
/* Compare the two lists */
"Could not compare lists of members for %s\n", name);
goto done;
}
}
done:
return ret;
}
static errno_t
{
const char *attrs[] = {
};
char **odn_list;
const char *odn;
/* Get all entries member element points to */
goto done;
}
goto done;
}
/* Get a list of their original DNs */
oi = 0;
for (i = 0; i < m_count; i++) {
continue;
}
goto done;
}
oi++;
}
done:
return ret;
}
static errno_t
struct sss_domain_info *group_domain,
const char *member)
{
const char *mem_filter;
/* This member would be from a different domain */
return ENOENT;
}
if (mem_filter == NULL) {
goto done;
}
goto done;
}
&msgs_count, &msgs);
goto done;
goto done;
}
if (msgs_count != 1) {
"Search by orig DN returned %zd results!\n", msgs_count);
goto done;
}
goto done;
}
done:
return ret;
}
{
return EOK;
}
/* State for the get-account-domain request, which only works against the
 * Global Catalog and only when ID mapping is disabled (see the checks in
 * the send function). The search iterates over the GC search bases and
 * succeeds only when exactly one entry is found; more than one entry is
 * reported as an error.
 * NOTE(review): the filter-building code below reads state->entry_type
 * and state->filter_type, which are not declared here - confirm whether
 * this excerpt dropped members. */
struct ad_get_account_domain_state {
/* Sanitised copy of the caller's filter value; presumably what is
 * substituted into the LDAP filter below - confirm. */
char *clean_filter;
/* Whether a second pass is needed; presumably tied to the one-time
 * POSIX-attribute check run before the real search - confirm. */
bool twopass;
/* Filter without the per-search-base part, built as
 * "(&(%s=%s)(objectclass=%s))" by the helper below (presumably). */
const char *base_filter;
/* Effective filter for the current search base; search bases may carry
 * their own filter that further restricts the IDs found. */
char *filter;
/* Attribute list requested from the server. */
const char **attrs;
/* Data-provider error status returned to the DP layer. */
int dp_error;
/* Name of the domain matched for the single entry found, set only when
 * the search returns exactly one result (presumably - confirm). */
const char *found_domain_name;
};
struct tevent_req *
struct dp_get_acct_domain_data *data,
struct dp_req_params *params)
{
bool use_id_mapping;
struct ad_get_account_domain_state);
return NULL;
}
goto immediately;
}
}
}
/* The get-account-domain request only works with GC */
"Global catalog support is not enabled, "
"cannot locate the account domain\n");
goto immediately;
}
goto immediately;
}
/* Currently we only support locating the account domain
* if ID mapping is disabled. With ID mapping enabled, we can
* already shortcut the 'real' ID request
*/
if (use_id_mapping == true) {
"No point in locating domain with GC if ID-mapping "
"is enabled\n");
goto immediately;
}
goto immediately;
}
goto immediately;
}
/* FIXME - should gc_ctx always default to ignore_offline on creation
* time rather than setting the flag on first use?
*/
goto immediately;
}
goto immediately;
}
return req;
/* TODO For backward compatibility we always return EOK to DP now. */
return req;
}
{
struct ad_get_account_domain_state);
switch (state->entry_type) {
case BE_REQ_USER:
break;
case BE_REQ_GROUP:
break;
default:
"Unsupported request type %X\n",
return EINVAL;
}
switch (state->filter_type) {
case BE_FILTER_IDNUM:
break;
default:
return EINVAL;
}
"(&(%s=%s)(objectclass=%s))",
return ENOMEM;
}
return EOK;
}
{
struct ad_get_account_domain_state);
return ENOMEM;
}
return ret;
}
{
struct tevent_req);
struct ad_get_account_domain_state);
return;
}
/* If POSIX attributes have been requested with an AD server and we
* have no idea about POSIX attributes support, run a one-time check
*/
return;
}
return;
}
}
{
struct tevent_req);
struct ad_get_account_domain_state);
bool has_posix;
/* We can only finish the id_op on error as the connection
* is re-used by the real search
*/
/* retry */
}
return;
}
return;
}
/*
* If the GC has no POSIX attributes, there is nothing we can do.
* Return an error and let the responders disable the functionality
* from now on.
*/
if (has_posix == false) {
"The Global Catalog has no POSIX attributes\n");
NULL);
return;
}
}
{
struct ad_get_account_domain_state);
return;
}
"",
false);
return;
}
}
{
struct tevent_req);
struct ad_get_account_domain_state);
if (ret) {
return;
}
"Search returned %zu results.\n", count);
if (count > 0) {
struct sysdb_attrs *,
return;
}
NULL,
false);
}
/* Even though we search with an empty search base (=across all domains)
* the reason we iterate over search bases is that the search bases can
* also contain a filter which might restrict the IDs we find
*/
/* There are more search bases to try */
return;
}
/* No more searches, evaluate results */
}
{
struct ad_get_account_domain_state);
return;
}
return;
}
return;
/* FIXME: If more than one entry was found, return error for now
* as the account requsts have no way of returning multiple
* messages back until we switch to the rdp_* requests
* from the responder side
*/
return;
}
/* Exactly one entry was found */
"Could not match entry with domain!\n");
return;
}
}
struct tevent_req *req,
struct dp_reply_std *data)
{
return EOK;
}