/*
    SSSD

    Authors:
        Stephen Gallagher <sgallagh@redhat.com>

    Copyright (C) 2012 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

3996e391054a1c02ab62e1541ae21a8204bd5d0aAmitKumar#include "shared/murmurhash3.h"
505e75ba28b42bb3de7a6d55de825091b70cc2b2Stephen Gallagher#include "util/util.h"
505e75ba28b42bb3de7a6d55de825091b70cc2b2Stephen Gallagher#include "util/dlinklist.h"
505e75ba28b42bb3de7a6d55de825091b70cc2b2Stephen Gallagher#include "providers/ldap/sdap_idmap.h"
a473fb88e6015cf0ccbd2e9005c7e6acca18f452Pavel Březina#include "util/util_sss_idmap.h"
505e75ba28b42bb3de7a6d55de825091b70cc2b2Stephen Gallagher
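/*
 * Determine the ID range used for externally managed IDs, i.e. IDs that
 * are read from the ldap_user_uid_number / ldap_group_gid_number
 * attributes rather than computed from a SID.
 *
 * The range is ldap_min_id..ldap_max_id when both options are set. When
 * both are 0 (unset) the domain-wide min_id/max_id are used instead, and a
 * max_id of 0 means "no upper limit" (UINT32_MAX). Setting only one of
 * ldap_min_id/ldap_max_id, a negative value, or a lower bound above the
 * upper bound is rejected so an inverted range never reaches the map.
 *
 * @param[in]  idmap_ctx  ID-mapping context; id_ctx->opts->basic and
 *                        id_ctx->be->domain are consulted.
 * @param[out] range      Receives min/max on success; untouched on error.
 *
 * @return EOK on success, EINVAL if idmap_ctx or range is NULL or the
 *         configured values are inconsistent.
 */
static errno_t
sdap_idmap_get_configured_external_range(struct sdap_idmap_ctx *idmap_ctx,
                                         struct sss_idmap_range *range)
{
    int int_id;
    struct sdap_id_ctx *id_ctx;
    uint32_t min;
    uint32_t max;

    if (idmap_ctx == NULL || range == NULL) {
        return EINVAL;
    }

    id_ctx = idmap_ctx->id_ctx;

    int_id = dp_opt_get_int(id_ctx->opts->basic, SDAP_MIN_ID);
    if (int_id < 0) {
        DEBUG(SSSDBG_CONF_SETTINGS, "ldap_min_id must be greater than 0.\n");
        return EINVAL;
    }
    min = int_id;

    int_id = dp_opt_get_int(id_ctx->opts->basic, SDAP_MAX_ID);
    if (int_id < 0) {
        DEBUG(SSSDBG_CONF_SETTINGS, "ldap_max_id must be greater than 0.\n");
        return EINVAL;
    }
    max = int_id;

    /* 0 means "not set"; either both or neither must be given */
    if ((min == 0 && max != 0) || (min != 0 && max == 0)) {
        DEBUG(SSSDBG_CONF_SETTINGS, "Both ldap_min_id and ldap_max_id " \
                                    "either must be 0 (not set) " \
                                    "or positive integers.\n");
        return EINVAL;
    }

    if (min == 0 && max == 0) {
        /* ldap_min_id and ldap_max_id not set, using min_id and max_id */
        min = id_ctx->be->domain->id_min;
        max = id_ctx->be->domain->id_max;
        if (max == 0) {
            /* an unset domain max_id means "no upper limit" */
            max = UINT32_MAX;
        }
    }

    /* An inverted range is never valid, whichever source it came from;
     * reject it here instead of handing it to the map. */
    if (min > max) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Lower bound [%u] of the external ID range is greater than "
              "the upper bound [%u].\n", (unsigned) min, (unsigned) max);
        return EINVAL;
    }

    range->min = min;
    range->max = max;

    return EOK;
}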
3d9bafcbb5c0fbf23351004ded4dea6aa13127fcSumit Bose
/*
 * Register the SSSD domain itself in the ID map with the externally
 * configured ID range (see sdap_idmap_get_configured_external_range).
 * The domain is added with external mapping enabled, i.e. its IDs are
 * taken from LDAP attributes rather than computed from SIDs.
 *
 * @param[in] idmap_ctx  ID-mapping context owning the map and id_ctx.
 *
 * @return EOK on success, the error from the range lookup, or EIO when the
 *         map rejects the domain.
 */
static errno_t
sdap_idmap_add_configured_external_range(struct sdap_idmap_ctx *idmap_ctx)
{
    errno_t ret;
    struct sss_idmap_range ext_range;
    struct sss_domain_info *dom;
    enum idmap_error_code idmap_err;

    ret = sdap_idmap_get_configured_external_range(idmap_ctx, &ext_range);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "sdap_idmap_get_configured_external_range failed.\n");
        return ret;
    }

    dom = idmap_ctx->id_ctx->be->domain;

    /* 'true' selects external mapping for this domain */
    idmap_err = sss_idmap_add_auto_domain_ex(idmap_ctx->map,
                                             dom->name,
                                             dom->domain_id, &ext_range,
                                             NULL, 0, true, NULL, NULL);
    if (idmap_err == IDMAP_SUCCESS) {
        return EOK;
    }

    DEBUG(SSSDBG_CRIT_FAILURE,
          "Could not add domain [%s] to the map: [%d]\n",
          dom->name, idmap_err);
    return EIO;
}
949fbc93defad394648b2651b43a7bbfa5bff42bSumit Bose
/*
 * Add a domain that was not known to the map so far, letting the slice be
 * chosen automatically. Installed as idmap_ctx->find_new_domain by
 * sdap_idmap_init.
 *
 * @param[in] idmap_ctx    ID-mapping context.
 * @param[in] dom_name     Name of the new domain.
 * @param[in] dom_sid_str  SID of the new domain as a string.
 *
 * @return EOK on success, otherwise the error from sdap_idmap_add_domain.
 */
errno_t sdap_idmap_find_new_domain(struct sdap_idmap_ctx *idmap_ctx,
                                   const char *dom_name,
                                   const char *dom_sid_str)
{
    errno_t ret;

    /* slice -1 is handed to sdap_idmap_add_domain, which passes it on to
     * the range calculation; presumably that picks the slice — see there */
    ret = sdap_idmap_add_domain(idmap_ctx, dom_name, dom_sid_str, -1);
    if (ret == EOK) {
        return EOK;
    }

    DEBUG(SSSDBG_MINOR_FAILURE,
          "Could not add new domain [%s]\n", dom_name);
    return ret;
}
bfb40893be20b45279a40188cf16ef0eec1f9423Sumit Bose
/*
 * Create and populate the ID-mapping context for an LDAP provider.
 *
 * Reads the ldap_idmap_* options, validates the global range layout,
 * creates the libsss_idmap map and configures it, registers the external
 * (attribute-based) range when ID mapping is disabled, and then either
 * replays the SID/slice mappings stored in the sysdb cache or, on a first
 * run, registers the configured default domain as slice 0.
 *
 * @param[in]  mem_ctx     talloc parent of the returned context.
 * @param[in]  id_ctx      LDAP provider context; its opts->basic and
 *                         be->domain are used throughout.
 * @param[out] _idmap_ctx  Receives the new context on success (stolen onto
 *                         mem_ctx); left untouched on failure.
 *
 * @return EOK on success; ENOMEM; EINVAL for inconsistent range settings,
 *         a map that fails to initialize, or incomplete cache entries; EIO
 *         if the map rejects its own settings; otherwise the error of the
 *         failing helper.
 */
errno_t
sdap_idmap_init(TALLOC_CTX *mem_ctx,
                struct sdap_id_ctx *id_ctx,
                struct sdap_idmap_ctx **_idmap_ctx)
{
    errno_t ret;
    TALLOC_CTX *tmp_ctx;
    enum idmap_error_code err;
    size_t i;
    struct ldb_result *res;
    const char *dom_name;
    const char *sid_str;
    id_t slice_num;
    id_t idmap_lower;
    id_t idmap_upper;
    id_t rangesize;
    bool autorid_mode;
    int extra_slice_init;
    struct sdap_idmap_ctx *idmap_ctx = NULL;

    /* Everything is allocated under tmp_ctx so that any failure path frees
     * the half-built context with the single talloc_free() at 'done'. */
    tmp_ctx = talloc_new(NULL);
    if (!tmp_ctx) return ENOMEM;

    idmap_ctx = talloc_zero(tmp_ctx, struct sdap_idmap_ctx);
    if (!idmap_ctx) {
        ret = ENOMEM;
        goto done;
    }
    idmap_ctx->id_ctx = id_ctx;
    idmap_ctx->find_new_domain = sdap_idmap_find_new_domain;

    /* The options are read as int and stored in id_t. */
    idmap_lower = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic,
                                 SDAP_IDMAP_LOWER);
    idmap_upper = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic,
                                 SDAP_IDMAP_UPPER);
    rangesize = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic,
                               SDAP_IDMAP_RANGESIZE);
    autorid_mode = dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic,
                                   SDAP_IDMAP_AUTORID_COMPAT);
    extra_slice_init = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic,
                                      SDAP_IDMAP_EXTRA_SLICE_INIT);

    /* Validate that the values make sense */
    /* NOTE(review): if id_t is unsigned on this platform, a negative
     * setting wraps before the "<= 0" test below and is not caught here —
     * confirm against the option definitions. */
    if (rangesize <= 0
        || idmap_upper <= idmap_lower
        || (idmap_upper-idmap_lower) < rangesize)
    {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Invalid settings for range selection: "
              "[%"SPRIid"][%"SPRIid"][%"SPRIid"]\n",
              idmap_lower, idmap_upper, rangesize);
        ret = EINVAL;
        goto done;
    }

    /* Not an error: a partial uppermost slice is simply never used. */
    if (((idmap_upper - idmap_lower) % rangesize) != 0) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Range size does not divide evenly. Uppermost range will "
              "not be used\n");
    }

    /* Initialize the map */
    /* The map's allocations are parented on idmap_ctx, so they follow it
     * when it is stolen onto mem_ctx below and are freed with it. */
    err = sss_idmap_init(sss_idmap_talloc, idmap_ctx,
                         sss_idmap_talloc_free,
                         &idmap_ctx->map);
    if (err != IDMAP_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not initialize the ID map: [%s]\n",
              idmap_error_string(err));
        if (err == IDMAP_OUT_OF_MEMORY) {
            ret = ENOMEM;
        } else {
            ret = EINVAL;
        }
        goto done;
    }

    /* The setter results are OR-ed together and checked once; this only
     * detects failure correctly if IDMAP_SUCCESS is 0 (assumed here). */
    err = sss_idmap_ctx_set_autorid(idmap_ctx->map, autorid_mode);
    err |= sss_idmap_ctx_set_lower(idmap_ctx->map, idmap_lower);
    err |= sss_idmap_ctx_set_upper(idmap_ctx->map, idmap_upper);
    err |= sss_idmap_ctx_set_rangesize(idmap_ctx->map, rangesize);
    err |= sss_idmap_ctx_set_extra_slice_init(idmap_ctx->map, extra_slice_init);
    if (err != IDMAP_SUCCESS) {
        /* This should never happen */
        DEBUG(SSSDBG_CRIT_FAILURE, "sss_idmap_ctx corrupted\n");
        ret = EIO;
        goto done;
    }


    /* Setup range for externally managed IDs, i.e. IDs are read from the
     * ldap_user_uid_number and ldap_group_gid_number attributes. */
    if (!dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_ID_MAPPING)) {
        ret = sdap_idmap_add_configured_external_range(idmap_ctx);
        if (ret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE,
                  "sdap_idmap_add_configured_external_range failed.\n");
            goto done;
        }
    }

    /* Read in any existing mappings from the cache */
    /* ENOENT is not an error: it means no mapping has been stored yet and
     * selects the first-run branch below. */
    ret = sysdb_idmap_get_mappings(tmp_ctx, id_ctx->be->domain, &res);
    if (ret != EOK && ret != ENOENT) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Could not read ID mappings from the cache: [%s]\n",
              strerror(ret));
        goto done;
    }

    if (ret == EOK) {
        DEBUG(SSSDBG_CONF_SETTINGS,
              "Initializing [%d] domains for ID-mapping\n", res->count);

        /* Replay every cached (name, SID, slice) triple into the map. A
         * cache entry missing any of the three is treated as corruption
         * and aborts initialization. */
        for (i = 0; i < res->count; i++) {
            dom_name = ldb_msg_find_attr_as_string(res->msgs[i],
                                                   SYSDB_NAME,
                                                   NULL);
            if (!dom_name) {
                /* This should never happen */
                ret = EINVAL;
                goto done;
            }

            sid_str = ldb_msg_find_attr_as_string(res->msgs[i],
                                                  SYSDB_IDMAP_SID_ATTR,
                                                  NULL);
            if (!sid_str) {
                /* This should never happen */
                ret = EINVAL;
                goto done;
            }

            /* -1 doubles as the "attribute missing" default; a stored
             * slice therefore can never legitimately be -1. */
            slice_num = ldb_msg_find_attr_as_int(res->msgs[i],
                                                 SYSDB_IDMAP_SLICE_ATTR,
                                                 -1);
            if (slice_num == -1) {
                /* This should never happen */
                ret = EINVAL;
                goto done;
            }

            ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
                                        sid_str, slice_num);
            if (ret != EOK) {
                DEBUG(SSSDBG_CRIT_FAILURE,
                      "Could not add domain [%s][%s][%"SPRIid"] "
                      "to ID map: [%s]\n",
                      dom_name, sid_str, slice_num, strerror(ret));
                goto done;
            }
        }
    } else {
        /* This is the first time we're setting up id-mapping
         * Store the default domain as slice 0
         */
        dom_name = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN);
        if (!dom_name) {
            /* If it's not explicitly specified, use the SSSD domain name */
            /* The derived name is written back into the option so later
             * readers of SDAP_IDMAP_DEFAULT_DOMAIN see the same value. */
            dom_name = idmap_ctx->id_ctx->be->domain->name;
            ret = dp_opt_set_string(idmap_ctx->id_ctx->opts->basic,
                                    SDAP_IDMAP_DEFAULT_DOMAIN,
                                    dom_name);
            if (ret != EOK) goto done;
        }

        sid_str = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN_SID);
        if (sid_str) {
            /* The configured SID becomes the domain's domain_id; any
             * previous domain_id string is left allocated on 'domain'. */
            struct sss_domain_info *domain = idmap_ctx->id_ctx->be->domain;
            domain->domain_id = talloc_strdup(domain, sid_str);
            if (domain->domain_id == NULL) {
                ret = ENOMEM;
                goto done;
            }

            /* Set the default domain as slice 0 */
            ret = sdap_idmap_add_domain(idmap_ctx, dom_name,
                                        sid_str, 0);
            if (ret != EOK) {
                DEBUG(SSSDBG_CRIT_FAILURE,
                      "Could not add domain [%s][%s][%u] to ID map: [%s]\n",
                      dom_name, sid_str, 0, strerror(ret));
                goto done;
            }
        } else {
            if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_AUTORID_COMPAT)) {
                /* In autorid compatibility mode, we MUST have a slice 0 */
                /* Only logged, not fatal: without a fixed slice 0 the IDs
                 * this client computes may not match other clients. */
                DEBUG(SSSDBG_CRIT_FAILURE,
                      "WARNING: Autorid compatibility mode selected, "
                      "but %s is not set. UID/GID values may differ "
                      "between clients.\n",
                      idmap_ctx->id_ctx->opts->basic[SDAP_IDMAP_DEFAULT_DOMAIN_SID].opt_name);
            }
            /* Otherwise, we'll just fall back to hash values as they are seen */
        }
    }

    /* Hand ownership to the caller; tmp_ctx no longer holds idmap_ctx. */
    *_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx);
    ret = EOK;

done:
    talloc_free(tmp_ctx);
    return ret;
}
505e75ba28b42bb3de7a6d55de825091b70cc2b2Stephen Gallagher
/*
 * Add one domain to the ID map.
 *
 * With ldap_id_mapping enabled the domain's range is computed from its
 * SID (and the requested slice) and the resulting mapping is persisted in
 * the sysdb cache so it survives a restart. With ID mapping disabled the
 * externally configured range is used and nothing is cached.
 *
 * @param[in] idmap_ctx  ID-mapping context.
 * @param[in] dom_name   Domain name.
 * @param[in] dom_sid    Domain SID as a string.
 * @param[in] slice      Requested slice; passed by address to the range
 *                       calculation, which may update it.
 *
 * @return EOK on success; EIO if the map cannot report its upper bound,
 *         cannot compute the range or rejects the domain; EINVAL if the
 *         computed range exceeds the global upper bound; otherwise the
 *         error from the range lookup or the sysdb store.
 */
errno_t
sdap_idmap_add_domain(struct sdap_idmap_ctx *idmap_ctx,
                      const char *dom_name,
                      const char *dom_sid,
                      id_t slice)
{
    errno_t ret;
    enum idmap_error_code err;
    struct sss_idmap_range range;
    id_t idmap_upper;
    bool algorithmic;

    err = sss_idmap_ctx_get_upper(idmap_ctx->map, &idmap_upper);
    if (err != IDMAP_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Failed to get upper bound of available ID range.\n");
        return EIO;
    }

    algorithmic = dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic,
                                  SDAP_ID_MAPPING);

    if (!algorithmic) {
        /* IDs come from LDAP attributes; use the configured range */
        ret = sdap_idmap_get_configured_external_range(idmap_ctx, &range);
        if (ret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE,
                  "sdap_idmap_get_configured_external_range failed.\n");
            return ret;
        }
    } else {
        err = sss_idmap_calculate_range(idmap_ctx->map, dom_sid, &slice,
                                        &range);
        if (err != IDMAP_SUCCESS) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Failed to calculate range for domain [%s]: [%d]\n", dom_name,
                  err);
            return EIO;
        }
        DEBUG(SSSDBG_TRACE_LIBS,
              "Adding domain [%s] as slice [%"SPRIid"]\n", dom_sid, slice);

        /* Sanity check against the global bound the map reported above */
        if (range.max > idmap_upper) {
            /* This should never happen */
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "BUG: Range maximum exceeds the global maximum: "
                  "%u > %"SPRIid"\n", range.max, idmap_upper);
            return EINVAL;
        }
    }

    /* Add this domain to the map; the external flag is the inverse of
     * algorithmic mapping */
    err = sss_idmap_add_auto_domain_ex(idmap_ctx->map, dom_name, dom_sid,
                                       &range, NULL, 0, !algorithmic,
                                       NULL, NULL);
    if (err != IDMAP_SUCCESS) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Could not add domain [%s] to the map: [%d]\n",
              dom_name, err);
        return EIO;
    }

    /* Only algorithmically mapped domains are persisted in the sysdb
     * cache so they survive a reboot */
    if (!algorithmic) {
        return EOK;
    }

    ret = sysdb_idmap_store_mapping(idmap_ctx->id_ctx->be->domain,
                                    dom_name, dom_sid,
                                    slice);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "sysdb_idmap_store_mapping failed.\n");
        return ret;
    }

    return EOK;
}
45f75fc8e98092fa48faa3d180fd42f7efd51486Stephen Gallagher
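/*
 * Extract the domain SID from an object SID.
 *
 * object_sid must start with DOM_SID_PREFIX, followed by three
 * '-'-separated sub-authorities and a further '-' (the one that separates
 * the RID).  Everything up to, but not including, that final hyphen is the
 * domain SID.  Every sub-authority has to be a plain decimal number that
 * fits into 32 bits; leading whitespace, a sign or an empty field are
 * rejected because strtoull() would otherwise accept them silently.
 *
 * On success *dom_sid_str receives a talloc'ed copy hanging off mem_ctx and
 * EOK is returned.  EINVAL is returned for a malformed object_sid, ENOMEM
 * when the copy cannot be allocated.
 */
errno_t
sdap_idmap_get_dom_sid_from_object(TALLOC_CTX *mem_ctx,
                                   const char *object_sid,
                                   char **dom_sid_str)
{
    const char *p;
    /* unsigned on purpose: strtoull() returns unsigned long long, and a
     * value above LLONG_MAX stored in a signed variable would turn
     * negative and slip past the UINT32_MAX check below. */
    unsigned long long a;
    size_t c;
    char *endptr;

    if (object_sid == NULL
            || strncmp(object_sid, DOM_SID_PREFIX, DOM_SID_PREFIX_LEN) != 0) {
        return EINVAL;
    }

    p = object_sid + DOM_SID_PREFIX_LEN;

    for (c = 0; c < 3; c++) {
        /* Require a digit first: strtoull() skips whitespace, accepts a
         * sign and returns 0 without error for an empty field. */
        if (*p < '0' || *p > '9') {
            return EINVAL;
        }

        errno = 0;
        a = strtoull(p, &endptr, 10);
        if (errno != 0 || a > UINT32_MAX) {
            return EINVAL;
        }

        /* Each sub-authority, including the third one, must be followed
         * by a hyphen; the third hyphen marks the end of the domain SID. */
        if (*endptr != '-') {
            return EINVAL;
        }
        p = endptr + 1;
    }

    /* endptr now points at the hyphen right after the third sub-authority,
     * so the domain SID is the prefix of object_sid up to that hyphen. */
    *dom_sid_str = talloc_strndup(mem_ctx, object_sid,
                                  (endptr - object_sid));
    if (!*dom_sid_str) return ENOMEM;

    return EOK;
}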
8be5e4497e5008f7807178acdfcbf97365ec4e73Stephen Gallagher
/*
 * Convert a SID string into a POSIX ID using the idmap context.
 *
 * When the SID belongs to a domain the idmap library has not seen yet, the
 * domain SID is derived from sid_str, the domain is registered through
 * idmap_ctx->find_new_domain() (the domain SID doubles as the domain name,
 * since the real name is not known here) and the conversion is retried.
 *
 * Returns EOK with *id filled in on success, ENOTSUP for a built-in SID,
 * EIO when the library cannot map the SID, or the error reported while
 * parsing the domain SID or registering the new domain.
 */
errno_t
sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
                       const char *sid_str,
                       id_t *id)
{
    errno_t ret = EOK;
    enum idmap_error_code err;
    char *dom_sid_str = NULL;

    err = sss_idmap_sid_to_unix(idmap_ctx->map, sid_str, (uint32_t *)id);

    if (err == IDMAP_NO_DOMAIN) {
        /* Unknown domain: register it first, then convert once more. */
        ret = sdap_idmap_get_dom_sid_from_object(NULL, sid_str,
                                                 &dom_sid_str);
        if (ret != EOK) {
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "Could not parse domain SID from [%s]\n", sid_str);
            goto done;
        }

        ret = idmap_ctx->find_new_domain(idmap_ctx, dom_sid_str, dom_sid_str);
        if (ret != EOK) {
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "Could not add new domain for sid [%s]\n", sid_str);
            goto done;
        }

        err = sss_idmap_sid_to_unix(idmap_ctx->map, sid_str, (uint32_t *)id);
        if (err != IDMAP_SUCCESS) {
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "Could not convert objectSID [%s] to a UNIX ID\n",
                  sid_str);
            ret = EIO;
            goto done;
        }
    } else if (err == IDMAP_BUILTIN_SID) {
        DEBUG(SSSDBG_TRACE_FUNC,
              "Object SID [%s] is a built-in one.\n", sid_str);
        /* ENOTSUP tells the caller that this is a built-in SID */
        ret = ENOTSUP;
        goto done;
    } else if (err != IDMAP_SUCCESS) {
        if (err == IDMAP_NO_RANGE) {
            /* Extra hint for the admin before the generic failure below */
            DEBUG(SSSDBG_IMPORTANT_INFO,
                  "Object SID [%s] has a RID that is larger than the "
                  "ldap_idmap_range_size. See the \"ID MAPPING\" section of "
                  "sssd-ad(5) for an explanation of how to resolve this issue.\n",
                  sid_str);
        }
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Could not convert objectSID [%s] to a UNIX ID\n",
              sid_str);
        ret = EIO;
        goto done;
    }

    ret = EOK;

done:
    /* dom_sid_str is only allocated on the IDMAP_NO_DOMAIN path */
    talloc_free(dom_sid_str);
    return ret;
}
b2c7b6fe7a6b9ef3af8d4d3037fe83d6e9bfd6a5Sumit Bose
/*
 * Report whether the domain given by dom_name / dom_sid uses algorithmic
 * (SID-derived) ID mapping.
 *
 * If ID mapping is switched on for the ldap id provider the answer is
 * always true.  Otherwise the idmap library is consulted by SID and then by
 * name; when the domain is still unknown it is registered through
 * ctx->find_new_domain() and the SID lookup is repeated.  dom_sid may also
 * be an object SID, in which case the domain SID is extracted from it
 * before the domain is registered.
 *
 * Any library error other than "unknown domain/SID/name", a missing
 * dom_sid, or an allocation failure yields false.
 */
bool sdap_idmap_domain_has_algorithmic_mapping(struct sdap_idmap_ctx *ctx,
                                               const char *dom_name,
                                               const char *dom_sid)
{
    enum idmap_error_code err;
    bool algorithmic;
    char *lookup_sid;
    int ret;
    TALLOC_CTX *tmp_ctx = NULL;

    /* Explicit ID mapping configuration on the ldap id provider wins. */
    if (dp_opt_get_bool(ctx->id_ctx->opts->basic, SDAP_ID_MAPPING)
            && dp_target_enabled(ctx->id_ctx->be->provider, "ldap", DPT_ID)) {
        return true;
    }

    err = sss_idmap_domain_has_algorithmic_mapping(ctx->map, dom_sid,
                                                   &algorithmic);
    if (err == IDMAP_SUCCESS) {
        return algorithmic;
    }
    if (err != IDMAP_SID_INVALID
            && err != IDMAP_SID_UNKNOWN
            && err != IDMAP_NO_DOMAIN) {
        return false;
    }

    /* The SID did not resolve; try the domain name instead. */
    err = sss_idmap_domain_by_name_has_algorithmic_mapping(ctx->map,
                                                           dom_name,
                                                           &algorithmic);
    if (err == IDMAP_SUCCESS) {
        return algorithmic;
    }
    if (err != IDMAP_NAME_UNKNOWN && err != IDMAP_NO_DOMAIN) {
        return false;
    }

    /* Without a SID (e.g. IPA without trust support) nothing can be
     * mapped algorithmically. */
    if (dom_sid == NULL) {
        return false;
    }

    /* The domain is not registered yet.  Work out its domain SID: dom_sid
     * is either already one, or an object SID we have to trim. */
    if (is_domain_sid(dom_sid)) {
        lookup_sid = discard_const(dom_sid);
    } else {
        tmp_ctx = talloc_new(NULL);
        if (tmp_ctx == NULL) {
            DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
            return false;
        }

        ret = sdap_idmap_get_dom_sid_from_object(tmp_ctx, dom_sid,
                                                 &lookup_sid);
        if (ret != EOK) {
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "Could not parse domain SID from [%s]\n", dom_sid);
            talloc_free(tmp_ctx);
            return false;
        }
    }

    ret = ctx->find_new_domain(ctx, dom_name, lookup_sid);
    /* lookup_sid is not needed any more; tmp_ctx may be NULL here */
    talloc_free(tmp_ctx);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE,
              "Could not add new domain for sid [%s]\n", dom_sid);
        return false;
    }

    /* Now that the domain is known, ask the library again. */
    err = sss_idmap_domain_has_algorithmic_mapping(ctx->map, dom_sid,
                                                   &algorithmic);
    if (err != IDMAP_SUCCESS) {
        return false;
    }

    return algorithmic;
}