4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /*
27 * Processes name2sid & sid2name batched lookups for a given user or
28 * computer from an AD Directory server using GSSAPI authentication
29 */
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <alloca.h>
34 #include <string.h>
35 #include <strings.h>
36 #include <lber.h>
37 #include <ldap.h>
38 #include <sasl/sasl.h>
39 #include <string.h>
40 #include <ctype.h>
41 #include <pthread.h>
42 #include <synch.h>
43 #include <atomic.h>
44 #include <errno.h>
45 #include <assert.h>
46 #include <limits.h>
47 #include <time.h>
48 #include <sys/u8_textprep.h>
49 #include "libadutils.h"
50 #include "nldaputils.h"
51 #include "idmapd.h"
52
53 /* Attribute names and filter format strings */
54 #define SAN "sAMAccountName"
55 #define OBJSID "objectSid"
56 #define OBJCLASS "objectClass"
57 #define UIDNUMBER "uidNumber"
58 #define GIDNUMBER "gidNumber"
59 #define UIDNUMBERFILTER "(&(objectclass=user)(uidNumber=%u))"
60 #define GIDNUMBERFILTER "(&(objectclass=group)(gidNumber=%u))"
61 #define SANFILTER "(sAMAccountName=%s)"
62 #define OBJSIDFILTER "(objectSid=%s)"
63
64 void idmap_ldap_res_search_cb(LDAP *ld, LDAPMessage **res, int rc,
65 int qid, void *argp);
66
67 /*
68 * A place to put the results of a batched (async) query
69 *
70 * There is one of these for every query added to a batch object
71 * (idmap_query_state, see below).
72 */
73 typedef struct idmap_q {
74 /*
75 * data used for validating search result entries for name->SID
76 * lookups
77 */
78 char *ecanonname; /* expected canon name */
79 char *edomain; /* expected domain name */
80 idmap_id_type esidtype; /* expected SID type */
81 /* results */
82 char **canonname; /* actual canon name */
775 int ret;
776 char *filter;
777 char cbinsid[ADUTILS_MAXHEXBINSID + 1];
778
779 /*
780 * Strategy: search [the global catalog] for user/group by
781 * objectSid = SID with empty base DN. The DN, sAMAccountName
782 * and objectClass of the result are all we need to figure out
783 * the name of the SID and whether it is a user, a group or a
784 * computer.
785 */
786
787 if (!adutils_lookup_check_sid_prefix(state->qs, sid))
788 return (IDMAP_ERR_DOMAIN_NOTFOUND);
789
790 ret = adutils_txtsid2hexbinsid(sid, rid, &cbinsid[0], sizeof (cbinsid));
791 if (ret != 0)
792 return (IDMAP_ERR_SID);
793
794 /* Assemble filter */
795 (void) asprintf(&filter, OBJSIDFILTER, cbinsid);
796 if (filter == NULL)
797 return (IDMAP_ERR_MEMORY);
798
799 retcode = idmap_batch_add1(state, filter, NULL, NULL, esidtype,
800 dn, attr, value, name, dname, NULL, NULL, sid_type, unixname,
801 pid, rc);
802
803 free(filter);
804
805 return (retcode);
806 }
807
808 idmap_retcode
809 idmap_unixname2sid_batch_add1(idmap_query_state_t *state,
810 const char *unixname, int is_user, int is_wuser,
811 char **dn, char **attr, char **value,
812 char **sid, rid_t *rid, char **name,
813 char **dname, idmap_id_type *sid_type, idmap_retcode *rc)
814 {
815 idmap_retcode retcode;
|
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 *
25 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
26 */
27
28 /*
29 * Processes name2sid & sid2name batched lookups for a given user or
30 * computer from an AD Directory server using GSSAPI authentication
31 */
32
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <alloca.h>
36 #include <string.h>
37 #include <strings.h>
38 #include <lber.h>
39 #include <ldap.h>
40 #include <sasl/sasl.h>
41 #include <string.h>
42 #include <ctype.h>
43 #include <pthread.h>
44 #include <synch.h>
45 #include <atomic.h>
46 #include <errno.h>
47 #include <assert.h>
48 #include <limits.h>
49 #include <time.h>
50 #include <sys/u8_textprep.h>
51 #include "libadutils.h"
52 #include "nldaputils.h"
53 #include "idmapd.h"
54
55 /* Attribute names and filter format strings */
56 #define SAN "sAMAccountName"
57 #define OBJSID "objectSid"
58 #define OBJCLASS "objectClass"
59 #define UIDNUMBER "uidNumber"
60 #define GIDNUMBER "gidNumber"
61 #define UIDNUMBERFILTER "(&(objectclass=user)(uidNumber=%u))"
62 #define GIDNUMBERFILTER "(&(objectclass=group)(gidNumber=%u))"
63 #define SANFILTER "(sAMAccountName=%s)"
64 #define OBJSIDFILTER "(|(objectSid=%s)(sIDHistory=%s))"
65
66 void idmap_ldap_res_search_cb(LDAP *ld, LDAPMessage **res, int rc,
67 int qid, void *argp);
68
69 /*
70 * A place to put the results of a batched (async) query
71 *
72 * There is one of these for every query added to a batch object
73 * (idmap_query_state, see below).
74 */
75 typedef struct idmap_q {
76 /*
77 * data used for validating search result entries for name->SID
78 * lookups
79 */
80 char *ecanonname; /* expected canon name */
81 char *edomain; /* expected domain name */
82 idmap_id_type esidtype; /* expected SID type */
83 /* results */
84 char **canonname; /* actual canon name */
777 int ret;
778 char *filter;
779 char cbinsid[ADUTILS_MAXHEXBINSID + 1];
780
781 /*
782 * Strategy: search [the global catalog] for user/group by
783 * objectSid = SID with empty base DN. The DN, sAMAccountName
784 * and objectClass of the result are all we need to figure out
785 * the name of the SID and whether it is a user, a group or a
786 * computer.
787 */
788
789 if (!adutils_lookup_check_sid_prefix(state->qs, sid))
790 return (IDMAP_ERR_DOMAIN_NOTFOUND);
791
792 ret = adutils_txtsid2hexbinsid(sid, rid, &cbinsid[0], sizeof (cbinsid));
793 if (ret != 0)
794 return (IDMAP_ERR_SID);
795
796 /* Assemble filter */
797 (void) asprintf(&filter, OBJSIDFILTER, cbinsid, cbinsid);
798 if (filter == NULL)
799 return (IDMAP_ERR_MEMORY);
800
801 retcode = idmap_batch_add1(state, filter, NULL, NULL, esidtype,
802 dn, attr, value, name, dname, NULL, NULL, sid_type, unixname,
803 pid, rc);
804
805 free(filter);
806
807 return (retcode);
808 }
809
810 idmap_retcode
811 idmap_unixname2sid_batch_add1(idmap_query_state_t *state,
812 const char *unixname, int is_user, int is_wuser,
813 char **dn, char **attr, char **value,
814 char **sid, rid_t *rid, char **name,
815 char **dname, idmap_id_type *sid_type, idmap_retcode *rc)
816 {
817 idmap_retcode retcode;
|