sdap_async_groups.c revision e2ac9be4f293b96f3c8992f1171e44bc1da5cfca
/*
SSSD
Async LDAP Helper routines - retrieving groups
Copyright (C) Simo Sorce <ssorce@redhat.com> - 2009
Copyright (C) 2010, Ralf Haferkamp <rhafer@suse.de>, Novell Inc.
Copyright (C) Jan Zeleny <jzeleny@redhat.com> - 2011
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "providers/ldap/sdap_async_private.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_idmap.h"
/* ==Group-Parsing Routines=============================================== */
struct sss_domain_info *domain,
const char *orig_dn,
char **localdn)
{
char *filter;
struct ldb_message **msgs;
int ret;
char *sanitized_dn;
if (!tmpctx) {
return ENOMEM;
}
goto done;
}
if (!filter) {
goto done;
}
if (!base_dn) {
goto done;
}
if (ret) {
goto done;
}
if (num_msgs != 1) {
goto done;
}
if (!*localdn) {
goto done;
}
done:
return ret;
}
static errno_t
struct sss_domain_info *domain,
{
char *filter;
struct ldb_message **msgs;
size_t i;
char **localdn;
/* Don't search if the group is non-posix */
(unsigned long long) gid);
if (!filter) {
return ENOMEM;
}
*_ndn = 0;
return EOK;
return ret;
}
if (!localdn) {
return ENOMEM;
}
for (i=0; i < count; i++) {
if (!localdn[i]) {
return ENOMEM;
}
}
return EOK;
}
static errno_t
struct sdap_options *opts,
{
&gid);
/* Non-posix AD group. Skip. */
*_count = 0;
return EOK;
return ret;
}
return EOK;
}
struct sysdb_attrs *group_attrs,
struct sss_domain_info *domain,
int num_values,
char **userdns,
{
struct ldb_message_element *el;
int i, j;
int ret;
struct sdap_domain *sdom;
struct sysdb_ctx *member_sysdb;
struct sss_domain_info *member_dom;
if (ret) {
goto done;
}
/* Just allocate both big enough to contain all members for now */
goto done;
}
j = el->num_values;
for (i = 0; i < num_values; i++) {
} else {
}
if (hret == HASH_ERROR_KEY_NOT_FOUND) {
member_sysdb = ctx;
member_dom = domain;
} else {
}
/* sync search entry with this as origDN */
/* member may be outside of the configured search bases
* or out of scope of nesting limit */
continue;
}
goto done;
}
j++;
} else if (hret != HASH_SUCCESS) {
goto done;
}
/* If the member is in ghost table, it has
* already been processed - just skip it */
}
el->num_values = j;
for (i=0; i < nuserdns; i++) {
}
done:
return ret;
}
/* ==Save-Group-Entry===================================================== */
/* FIXME: support non legacy */
/* FIXME: support storing additional attributes */
static errno_t
struct sss_domain_info *domain,
const char *name,
struct sysdb_attrs *group_attrs,
bool posix_group,
{
/* make sure that non-posix (empty or explicit gid=0) groups have the
* gidNumber set to zero even if updating existing group */
if (!posix_group) {
if (ret) {
return ret;
}
}
cache_timeout, now);
if (ret) {
return ret;
}
return ret;
}
static errno_t
struct sdap_options *opts,
bool populate_members,
bool store_original_member,
struct sysdb_attrs *sysdb_attrs)
{
struct ldb_message_element *gh;
struct ldb_message_element *memberel;
struct ldb_message_element *sysdb_memberel;
struct ldb_message_element *ghostel;
int i;
int hret;
("Error reading ghost attributes: [%s]\n",
return ret;
}
false, &memberel);
/* Create a dummy element with no values in order for the loop to just
* fall through and make sure the attrs array is not reallocated.
*/
return ENOMEM;
}
memberel->num_values = 0;
return ret;
}
if (store_original_member) {
for (i = 0; i < memberel->num_values; i++) {
if (ret) {
return ret;
}
}
}
if (populate_members) {
("Error reading group members from group_attrs: [%s]\n",
return ret;
}
}
return ret;
}
/* Now process RFC2307bis ghost hash table */
return ENOMEM;
}
for (i = 0; i < memberel->num_values; i++) {
if (hret == HASH_ERROR_KEY_NOT_FOUND) {
continue;
} else if (hret != HASH_SUCCESS) {
("Error checking hash table: [%s]\n",
return EFAULT;
}
return ENOMEM;
}
ghostel->num_values++;
}
}
return EOK;
}
struct sdap_options *opts,
struct sss_domain_info *dom,
struct sysdb_attrs *attrs,
bool populate_members,
bool store_original_member,
char **_usn_value,
{
struct ldb_message_element *el;
struct sysdb_attrs *group_attrs;
const char *group_name = NULL;
bool posix_group;
bool use_id_mapping;
char *sid_str;
if (!tmpctx) {
goto done;
}
if (group_attrs == NULL) {
goto done;
}
/* Always store SID string if available */
&sid_str);
goto done;
}
group_name));
} else {
}
/* If this object has a SID available, we will determine the correct
* domain by its SID. */
"domain\n", sid_str));
return ERR_DOMAIN_NOT_FOUND;
}
}
goto done;
}
sid_str);
if (use_id_mapping) {
posix_group = true;
"unix ID to group [%s].\n", group_name));
goto done;
}
("Mapping group [%s] objectSID [%s] to unix ID\n",
group_name, sid_str));
/* Convert the SID into a UNIX group ID */
/* ENOTSUP is returned if built-in SID was provided
* => do not store the group, but return EOK */
goto done;
("Could not convert SID string: [%s]\n",
goto done;
}
/* Store the GID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
*/
if (ret) {
goto done;
}
} else {
posix_group = true;
("Error reading posix attribute: [%s]\n",
goto done;
}
("Error setting posix attribute: [%s]\n",
goto done;
}
&gid);
goto done;
}
}
/* check that the gid is valid for this domain */
if (posix_group) {
("Group [%s] filtered out! (id out of range)\n", group_name));
goto done;
}
/* Group ID OK */
}
("Error setting original DN: [%s]\n",
goto done;
}
"original mod-Timestamp",
("Error setting mod timestamp: [%s]\n",
goto done;
}
if (ret) {
("Error looking up group USN: [%s]\n",
goto done;
}
if (el->num_values == 0) {
("Original USN value is not available for [%s].\n", group_name));
} else {
if (ret) {
("Error setting group USN: [%s]\n",
goto done;
}
if (!usn_value) {
goto done;
}
}
goto done;
}
goto done;
}
posix_group, now);
if (ret) {
("Could not store group with GID: [%s]\n",
goto done;
}
if (_usn_value) {
}
done:
if (ret) {
("Failed to save group [%s]: [%s]\n",
}
return ret;
}
/* ==Save-Group-Memebrs=================================================== */
/* FIXME: support non legacy */
/* FIXME: support storing additional attributes */
struct sdap_options *opts,
struct sss_domain_info *dom,
struct sysdb_attrs *attrs,
{
struct ldb_message_element *el;
const char *group_name;
int ret;
goto fail;
}
/* With AD we also want to merge in parent groups of primary GID as they
* are reported with tokenGroups, too
*/
goto fail;
}
}
goto fail;
}
("No members for group [%s]\n", group_name));
} else {
("Adding member users to group [%s]\n", group_name));
if (!group_attrs) {
goto fail;
}
if (ret) {
goto fail;
}
}
return EOK;
fail:
("Failed to save members of group %s\n", group_name));
return ret;
}
/* ==Generic-Function-to-save-multiple-groups============================= */
struct sss_domain_info *dom,
struct sdap_options *opts,
struct sysdb_attrs **groups,
int num_groups,
bool populate_members,
char **_usn_value)
{
char *higher_usn = NULL;
char *usn_value;
bool twopass;
bool has_nesting = false;
int ret;
int i;
int nsaved_groups = 0;
bool in_transaction = false;
switch (opts->schema_type) {
case SDAP_SCHEMA_RFC2307:
twopass = false;
break;
case SDAP_SCHEMA_RFC2307BIS:
case SDAP_SCHEMA_IPA_V1:
case SDAP_SCHEMA_AD:
twopass = true;
has_nesting = true;
break;
default:
return EINVAL;
}
if (!tmpctx) {
return ENOMEM;
}
if (ret) {
goto done;
}
in_transaction = true;
if (twopass && !populate_members) {
if (!saved_groups) {
goto done;
}
}
for (i = 0; i < num_groups; i++) {
/* if 2 pass savemembers = false */
/* Do not fail completely on errors.
* Just report the failure to save and go on */
if (ret) {
} else {
if (twopass && !populate_members) {
}
}
if (usn_value) {
if (higher_usn) {
} else {
}
} else {
}
}
}
if (twopass && !populate_members) {
for (i = 0; i < nsaved_groups; i++) {
/* Do not fail completely on errors.
* Just report the failure to save and go on */
if (ret) {
} else {
}
}
}
if (ret) {
goto done;
}
in_transaction = false;
if (_usn_value) {
}
done:
if (in_transaction) {
}
}
return ret;
}
/* ==Process-Groups======================================================= */
struct sdap_process_group_state {
struct tevent_context *ev;
struct sdap_options *opts;
struct sdap_handle *sh;
struct sss_domain_info *dom;
struct sysdb_attrs *group;
struct ldb_message_element* sysdb_dns;
struct ldb_message_element* ghost_dns;
char **queued_members;
int queue_len;
const char **attrs;
const char *filter;
bool enumeration;
};
#define GROUPMEMBER_REQ_PARALLEL 50
struct sdap_process_group_state *state,
struct ldb_message_element *memberel);
struct ldb_message_element *memberel,
struct ldb_message_element *ghostel);
struct ldb_message_element **_dns)
{
struct ldb_message_element *dns;
return ENOMEM;
}
dns->num_values = 0;
return ENOMEM;
}
return EOK;
}
struct tevent_context *ev,
struct sss_domain_info *dom,
struct sdap_options *opts,
struct sdap_handle *sh,
struct sysdb_attrs *group,
bool enumeration)
{
struct ldb_message_element *el;
struct ldb_message_element *ghostel;
struct sdap_process_group_state *grp_state;
const char **attrs;
char* filter;
int ret;
struct sdap_process_group_state);
if (ret) {
goto done;
}
/* FIXME: we ignore nested rfc2307bis groups for now */
if (!filter) {
return NULL;
}
grp_state->check_count = 0;
&el);
if (ret) {
goto done;
}
/* Group without members */
if (el->num_values == 0) {
goto done;
}
&ghostel);
if (ret) {
goto done;
}
if (ghostel->num_values == 0) {
/* Element was probably newly created, look for "member" again */
&el);
goto done;
}
}
goto done;
}
goto done;
}
switch (opts->schema_type) {
case SDAP_SCHEMA_RFC2307:
break;
case SDAP_SCHEMA_IPA_V1:
case SDAP_SCHEMA_AD:
case SDAP_SCHEMA_RFC2307BIS:
/* Note that this code branch will be used only if
* ldap_nesting_level = 0 is set in config file
*/
break;
default:
break;
}
done:
/* We managed to process all the entries */
/* EBUSY means we need to wait for entries in LDAP */
}
}
return req;
}
static int
char *user_dn,
unsigned num_users)
{
struct sdap_process_group_state *grp_state =
struct tevent_req *subreq;
/*
* Issue at most GROUPMEMBER_REQ_PARALLEL LDAP searches at once.
* The rest is sent while the results are being processed.
* We limit the number as of request here, as the Server might
* enforce limits on the number of pending operations per
* connection.
*/
if (!grp_state->queued_members) {
("Allocating queue for %zu members\n",
if (!grp_state->queued_members) {
return ENOMEM;
}
}
} else {
false);
if (!subreq) {
return ENOMEM;
}
}
grp_state->check_count++;
return EOK;
}
static int
struct sdap_process_group_state *state,
struct ldb_message_element *memberel)
{
char *member_dn;
char *strdn;
int ret;
int i;
for (i=0; i < memberel->num_values; i++) {
&strdn);
/*
* User already cached in sysdb. Remember the sysdb DN for later
* use by sdap_save_groups()
*/
if (!state->enumeration) {
/* The user is not in sysdb, need to add it
* We don't need to do this if we're in an enumeration,
* because all real members should all be populated
* already by the first pass of the enumeration.
* Also, we don't want to be holding the sysdb
* transaction while we're performing LDAP lookups.
*/
i, member_dn));
return ret;
}
}
} else {
return ret;
}
}
}
if (state->check_count == 0) {
/*
* All group members are already cached in sysdb, we are done
* with this group. To avoid redundant sysdb lookups, populate the
* "member" attribute of the group entry with the sysdb DNs of
* the members.
*/
} else {
}
return ret;
}
static int
struct sss_domain_info *dom,
const char *username)
{
return ENOMEM;
}
sysdb_dns->num_values++;
return EOK;
}
static int
{
int ret;
const char *filter;
const char *username;
const char *user_dn;
/* Check for the alias in the sysdb */
if (!filter) {
goto done;
}
/* Entry exists but the group references it with an alias. */
if (count != 1) {
goto done;
}
/* fill username with primary name */
"without primary name?\n"));
goto done;
}
return ENOMEM;
}
}
/* The entry really does not exist, add a ghost */
}
} else {
}
done:
return ret;
}
static int
struct ldb_message_element *memberel,
struct ldb_message_element *ghostel)
{
struct ldb_message *msg;
char *member_name;
char *userdn;
int ret;
int i;
for (i=0; i < memberel->num_values; i++) {
/* We need to skip over zero-length usernames */
if (member_name[0] == '\0') continue;
/*
* User already cached in sysdb. Remember the sysdb DN for later
* use by sdap_save_groups()
*/
return ENOMEM;
}
goto done;
}
/* The user is not in sysdb, need to add it */
i, member_name));
i, member_name));
goto done;
}
} else {
goto done;
}
}
done:
return ret;
}
{
struct sysdb_attrs **usr_attrs;
int ret;
struct tevent_req *req =
struct sdap_process_group_state *state =
struct ldb_message_element *el;
state->check_count--;
if (ret) {
goto next;
}
if (count != 1) {
("Expected one user entry and got %zu\n", count));
goto next;
}
if (el->num_values == 0) {
}
if (ret) {
goto next;
}
strlen((char *)name_string);
next:
if (ret) {
("Error reading group member[%d]: %s. Skipping\n",
}
/* Are there more searches for uncached users to submit ? */
false);
if (!subreq) {
return;
}
}
if (state->check_count == 0) {
/*
* To avoid redundant sysdb lookups, populate the "member" attribute
* of the group entry with the sysdb DNs of the members.
*/
&el);
("Failed to get the group member attribute [%d]: %s\n",
return;
}
return;
}
}
}
{
return EOK;
}
/* ==Search-Groups-with-filter============================================ */
struct sdap_get_groups_state {
struct tevent_context *ev;
struct sdap_options *opts;
struct sdap_handle *sh;
struct sss_domain_info *dom;
struct sdap_domain *sdom;
const char **attrs;
const char *base_filter;
char *filter;
int timeout;
bool enumeration;
char *higher_usn;
struct sysdb_attrs **groups;
struct sdap_search_base **search_bases;
};
struct tevent_context *ev,
struct sdap_domain *sdom,
struct sdap_options *opts,
struct sdap_handle *sh,
const char **attrs,
const char *filter,
int timeout,
bool enumeration)
{
struct tevent_req *req;
struct sdap_get_groups_state *state;
if (!state->search_bases) {
("Group lookup request without a search base\n"));
goto done;
}
done:
}
return req;
}
{
struct tevent_req *subreq;
struct sdap_get_groups_state *state;
return ENOMEM;
}
("Searching for groups with base [%s]\n",
if (!subreq) {
return ENOMEM;
}
return EOK;
}
{
struct tevent_req *req =
struct sdap_get_groups_state *state =
int ret;
int i;
bool next_base = false;
struct sysdb_attrs **groups;
if (ret) {
return;
}
("Search for groups, returned %zu results.\n", count));
("Individual group search returned multiple results\n"));
return;
}
next_base = true;
}
/* Add this batch of groups to the list */
if (count > 0) {
struct sysdb_attrs *,
return;
}
/* Copy the new groups into the list
*/
for (i = 0; i < count; i++) {
}
}
if (next_base) {
/* There are more search bases to try */
}
return;
}
}
/* No more search bases
* Return ENOENT if no groups were found
*/
return;
}
/* Check whether we need to do nested searches
* for RFC2307bis/FreeIPA/ActiveDirectory
* We don't need to do this for enumeration,
* because all groups will be picked up anyway.
*
* We can also skip this if we're using the
* LDAP_MATCHING_RULE_IN_CHAIN available in
* AD 2008 and later
*/
if (!state->enumeration) {
if (!subreq) {
return;
}
return;
}
}
/* We have all of the groups. Save them to the sysdb */
/* If we're using LDAP_MATCHING_RULE_IN_CHAIN, start a subreq to
* retrieve the members so we can save them in a single step.
*/
if (!state->enumeration
if (!subreq) {
return;
}
req);
return;
}
DEBUG(0, ("Failed to start transaction\n"));
return;
}
if (state->enumeration
"to allow unrolling of nested groups.\n"));
if (ret) {
return;
}
}
state->enumeration);
if (!subreq) {
return;
}
}
}
{
struct tevent_req *req =
struct sdap_get_groups_state *state =
int ret;
if (ret) {
DEBUG(0, ("Could not cancel sysdb transaction\n"));
}
return;
}
state->check_count--;
if (state->check_count == 0) {
/* If ignore_group_members is set for the domain, don't update
* group memberships in the cache.
*/
&state->higher_usn);
if (ret) {
return;
}
DEBUG(0, ("Couldn't commit transaction\n"));
} else {
}
}
}
struct sss_domain_info *domain,
struct sdap_options *opts,
struct sysdb_attrs **users,
int num_users,
hash_table_t **_ghosts);
{
struct tevent_req *req =
struct sdap_get_groups_state);
struct sysdb_attrs **users;
struct ldb_message_element *member_el;
struct ldb_message_element *orig_dn_el;
size_t i;
("Could not retrieve members using AD match rule. [%s]\n",
goto done;
}
/* Save the group and users to the cache */
/* Truncate the member attribute of the group.
* It will be repopulated below, and it may currently
* be incomplete anyway, thanks to the range extension.
*/
goto done;
}
member_el->num_values = 0;
if (!tmp_ctx) {
goto done;
}
/* Figure out which users are already cached in the sysdb and
* which ones need to be added as ghost users.
*/
&ghosts);
("Could not determine which users are ghosts: [%s]\n",
goto done;
}
/* Add any entries that aren't in the ghost hash table to the
* member element of the group. This will get converted to a
* native sysdb representation later in sdap_save_groups().
*/
/* Add all of the users as members
*/
goto done;
}
/* Copy the origDN values of the users into the member element */
for (i = 0; i < count; i++) {
&orig_dn_el);
/* This should never happen. Every entry should have
* an originalDN.
*/
("BUG: Missing originalDN for user?\n"));
goto done;
}
/* These values will have the same lifespan, so instead
* of copying them, just point at the data.
*/
}
/* Now save the group, users and ghosts to the cache */
("Could not save group to the cache: [%s]\n",
goto done;
}
done:
} else {
}
}
{
struct sdap_get_groups_state);
if (usn_value) {
}
return EOK;
}
{
unsigned long user_count;
unsigned long group_count;
bool in_transaction = false;
struct tevent_req);
struct sdap_get_groups_state);
&group_count, &groups);
goto fail;
}
/* Save all of the users first so that they are in
* place for the groups to add them.
*/
goto fail;
}
in_transaction = true;
goto fail;
}
&state->higher_usn);
goto fail;
}
goto fail;
}
in_transaction = false;
/* Processing complete */
return;
fail:
if (in_transaction) {
}
}
}
struct sss_domain_info *domain,
struct sdap_options *opts,
struct sysdb_attrs **users,
int num_users,
{
int i;
struct ldb_message_element *el;
const char *username;
char *clean_orig_dn;
const char *original_dn;
struct sss_domain_info *user_dom;
struct sdap_domain *sdap_dom;
struct ldb_message **msgs;
char *filter;
const char *sysdb_name;
struct sysdb_attrs *attrs;
bool in_transaction = false;
return EINVAL;
}
if (num_users == 0) {
/* Nothing to do if there are no users */
return EOK;
}
if (ret != HASH_SUCCESS) {
goto done;
}
if (ret) {
goto done;
}
in_transaction = true;
for (i = 0; i < num_users; i++) {
if (el->num_values == 0) {
}
("User entry %d has no originalDN attribute\n", i));
goto done;
}
("Cannot sanitize originalDN [%s]\n", original_dn));
goto done;
}
("User entry %d has no name attribute. Skipping\n", i));
continue;
}
/* Check for the specified origDN in the sysdb */
if (!filter) {
goto done;
}
goto done;
/* The entry is cached but expired. Update the username
* if needed. */
if (count != 1) {
continue;
}
/* Username is correct, continue */
continue;
}
if (!attrs) {
goto done;
}
} else {
if (ret != HASH_SUCCESS) {
goto done;
}
}
}
if (ret) {
goto done;
}
in_transaction = false;
done:
if (in_transaction) {
}
}
} else {
}
return ret;
}