/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#ifndef _ADUTILS_H
#define _ADUTILS_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Processes name2sid & sid2name lookups for a given user or computer
 * from an AD Directory server using GSSAPI authentication.
 *
 * This header only declares the batch-lookup interface; the batch state
 * (struct idmap_query_state) is opaque here and defined by the
 * implementation.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <lber.h>
#include <ldap.h>
#include <sasl/sasl.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <time.h>
#include <thread.h>
#include <synch.h>
#include <rpcsvc/idmap_prot.h>
#include "libadutils.h"
#include <sys/idmap.h>

/*
 * idmapd interfaces stolen? from other idmapd code?
 */

/* Windows relative identifier (the last sub-authority of a SID). */
typedef uint32_t rid_t;

/*
 * POSIX identifier (uid or gid). The is_user flags on the lookup
 * functions below presumably decide which of the two is meant — confirm
 * against the implementation.
 */
typedef uid_t posix_id_t;

/* Opaque per-batch state; only ever handled through a pointer here. */
typedef struct idmap_query_state idmap_query_state_t;

/*
 * Register a directory server (host/port) with 'ad'.
 * Return-value convention is not documented in this header; presumably
 * 0 on success, non-zero on failure — confirm in the implementation.
 */
int idmap_add_ds(adutils_ad_t *ad, const char *host, int port);


/*
 * Batch lookups
 *
 * Start a batch, add queries to the batch one by one (the output
 * pointers should all differ, so that a query's results don't clobber
 * any other's), end the batch to wait for replies for all outstanding
 * queries. The output parameters of each query are initialized to NULL
 * or -1 as appropriate.
 *
 * LDAP searches are sent one by one without waiting (i.e., blocking)
 * for replies. Replies are handled as soon as they are available.
 * Missing replies are waited for only when idmap_lookup_batch_end() is
 * called.
 *
 * If an add1 function returns != 0 then abort the batch by calling
 * idmap_lookup_batch_end(), but note that some queries may have been
 * answered, so check the result code of each query.
 *
 * Because the batch can be partially answered, the per-query '*rc'
 * output is the authoritative result for that query; the batch-level
 * return code alone is not enough to decide whether an output is valid.
 *
 * NOTE(review): the string outputs (dn, attr, value, canonname, name,
 * dname, unixname, sid) are filled from directory-server replies and
 * should be treated as untrusted input by callers (length, charset,
 * domain qualifier) — confirm what sanitization the implementation does.
 */

/*
 * Start a batch of lookups.
 *
 * 'nqueries' presumably bounds how many add1 calls the batch accepts;
 * 'directory_based_mapping' presumably enables the unixname/pid outputs
 * resolved from directory attributes (see
 * idmap_lookup_batch_set_unixattr()); 'default_domain' is presumably
 * used to qualify unqualified names. On success *state receives the new
 * batch object. All three assumptions: confirm in the implementation.
 */
idmap_retcode idmap_lookup_batch_start(adutils_ad_t *ad, int nqueries,
    int directory_based_mapping, const char *default_domain,
    idmap_query_state_t **state);

/*
 * End a batch (waiting for outstanding replies) and release its
 * idmap_query_state_t object. *state is presumably set to NULL on
 * return — confirm.
 */
idmap_retcode idmap_lookup_batch_end(idmap_query_state_t **state);

/*
 * Abandon a batch without waiting for replies and release its
 * idmap_query_state_t object.
 */
void idmap_lookup_release_batch(idmap_query_state_t **state);

/*
 * Add a name->SID lookup
 *
 * - 'dname' is optional; if NULL or empty string then 'name' has to be
 *   a user/group name qualified with a domainname (e.g., foo@domain),
 *   else the 'name' must not be qualified and the domainname must be
 *   passed in 'dname'.
 *
 * - if 'rid' is NULL then the output SID string will include the last
 *   RID, else it won't and the last RID value will be stored in *rid.
 *
 * - 'esidtype' is the expected SID type; the type actually found is
 *   stored in *sid_type.
 *
 * - 'dn', 'attr', 'value', 'canonname', 'unixname' and 'pid' are further
 *   outputs; which of them are filled, and whether they may be NULL to
 *   opt out, is not documented here — confirm in the implementation.
 *
 * - '*rc' receives this query's own result code.
 *
 * The caller must free() *sid.
 */
idmap_retcode idmap_name2sid_batch_add1(idmap_query_state_t *state,
    const char *name, const char *dname, idmap_id_type esidtype,
    char **dn, char **attr, char **value, char **canonname,
    char **sid, rid_t *rid, idmap_id_type *sid_type,
    char **unixname,
    posix_id_t *pid, idmap_retcode *rc);

/*
 * Add a SID->name lookup
 *
 * - 'rid' is optional; if NULL then 'sid' is expected to have the
 *   user/group RID present, else 'sid' is expected not to have it, and
 *   *rid will be used to qualify the given 'sid'
 *
 * - 'dname' is optional; if NULL then the fully qualified user/group
 *   name will be stored in *name, else the domain name will be stored in
 *   *dname and the user/group name will be stored in *name without a
 *   domain qualifier.
 *
 * - 'esidtype' is the expected SID type; the type actually found is
 *   stored in *sid_type. '*rc' receives this query's own result code.
 *
 * The caller must free() *name and *dname (if present).
 */
idmap_retcode idmap_sid2name_batch_add1(idmap_query_state_t *state,
    const char *sid, const rid_t *rid, idmap_id_type esidtype,
    char **dn, char **attr, char **value, char **name,
    char **dname, idmap_id_type *sid_type, char **unixname,
    posix_id_t *pid, idmap_retcode *rc);

/*
 * Add a unixname->SID lookup
 *
 * 'is_user' presumably selects user vs. group for the unixname, and
 * 'is_wuser' user vs. group for the Windows identity being looked up —
 * confirm. Ownership of the string outputs is not documented here;
 * presumably the caller free()s them as for the lookups above — confirm.
 * '*rc' receives this query's own result code.
 */
idmap_retcode idmap_unixname2sid_batch_add1(idmap_query_state_t *state,
    const char *unixname, int is_user, int is_wuser,
    char **dn, char **attr, char **value, char **sid, rid_t *rid,
    char **name, char **dname, idmap_id_type *sid_type,
    idmap_retcode *rc);

/*
 * Add a PID->SID lookup
 *
 * 'pid' here is a posix_id_t (uid or gid, per 'is_user'), not a process
 * id. Ownership of the string outputs is not documented here; presumably
 * the caller free()s them as for the lookups above — confirm.
 * '*rc' receives this query's own result code.
 */
idmap_retcode idmap_pid2sid_batch_add1(idmap_query_state_t *state,
    posix_id_t pid, int is_user,
    char **dn, char **attr, char **value, char **sid, rid_t *rid,
    char **name, char **dname, idmap_id_type *sid_type,
    idmap_retcode *rc);

/*
 * Set unixname attribute names for the batch for AD-based name mapping.
 *
 * 'unixuser_attr' / 'unixgroup_attr' name the directory attributes to
 * read the unixname from for users and groups respectively. Whether the
 * batch copies the strings or keeps the caller's pointers is not
 * documented here — confirm before passing short-lived buffers.
 */
void idmap_lookup_batch_set_unixattr(idmap_query_state_t *state,
    const char *unixuser_attr, const char *unixgroup_attr);

#ifdef __cplusplus
}
#endif

#endif /* _ADUTILS_H */