xref: /illumos-gate/usr/src/cmd/idmap/idmapd/nldaputils.c (revision b1d7ec75953cd517f5b7c3d9cb427ff8ec5d7d07)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * native LDAP related utility routines
28  */
29 
30 #include "idmapd.h"
31 #include "idmap_priv.h"
32 #include "ns_sldap.h"
33 #include "nldaputils.h"
34 #include <assert.h>
35 
36 /*
37  * The following are format strings used to construct LDAP search filters
38  * when looking up Native LDAP directory service. The _F_XXX_SSD format
39  * is used by the libsldap API if a corresponding SSD is defined in
40  * Native LDAP configuration. The SSD contains a string that replaces
41  * the first %s in _F_XXX_SSD. If no SSD is defined then the regular
42  * _F_XXX format is used.
43  *
44  * Note that '\\' needs to be represented as "\\5c" in LDAP filters.
45  */
46 
47 /* Native LDAP lookup using UNIX username */
48 #define	_F_GETPWNAM		"(&(objectClass=posixAccount)(uid=%s))"
49 #define	_F_GETPWNAM_SSD		"(&(%%s)(uid=%s))"
50 
51 /*
52  * Native LDAP user lookup using names of well-known SIDs
53  * Note the use of 1$, 2$ in the format string which basically
54  * allows snprintf to re-use its first two arguments.
55  */
56 #define	_F_GETPWWNAMWK \
57 		"(&(objectClass=posixAccount)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
58 #define	_F_GETPWWNAMWK_SSD	"(&(%%s)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
59 
60 /* Native LDAP user lookup using winname@windomain OR windomain\winname */
61 #define	_F_GETPWWNAMDOM \
62 	"(&(objectClass=posixAccount)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
63 #define	_F_GETPWWNAMDOM_SSD	"(&(%%s)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
64 
65 /* Native LDAP lookup using UID */
66 #define	_F_GETPWUID		"(&(objectClass=posixAccount)(uidNumber=%u))"
67 #define	_F_GETPWUID_SSD		"(&(%%s)(uidNumber=%u))"
68 
69 /* Native LDAP lookup using UNIX groupname */
70 #define	_F_GETGRNAM		"(&(objectClass=posixGroup)(cn=%s))"
71 #define	_F_GETGRNAM_SSD		"(&(%%s)(cn=%s))"
72 
73 /* Native LDAP group lookup using names of well-known SIDs */
74 #define	_F_GETGRWNAMWK \
75 		"(&(objectClass=posixGroup)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
76 #define	_F_GETGRWNAMWK_SSD	"(&(%%s)(|(%s=%s)(%1$s=BUILTIN\\5c%2$s)))"
77 
78 /* Native LDAP group lookup using winname@windomain OR windomain\winname */
79 #define	_F_GETGRWNAMDOM \
80 		"(&(objectClass=posixGroup)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
81 #define	_F_GETGRWNAMDOM_SSD	"(&(%%s)(|(%s=%s@%s)(%1$s=%3$s\\5c%2$s)))"
82 
83 /* Native LDAP lookup using GID */
84 #define	_F_GETGRGID		"(&(objectClass=posixGroup)(gidNumber=%u))"
85 #define	_F_GETGRGID_SSD		"(&(%%s)(gidNumber=%u))"
86 
87 /* Native LDAP attribute names */
88 #define	UID			"uid"
89 #define	CN			"cn"
90 #define	UIDNUMBER		"uidnumber"
91 #define	GIDNUMBER		"gidnumber"
92 #define	DN			"dn"
93 
94 #define	IS_NLDAP_RC_FATAL(x)	((x == NS_LDAP_MEMORY) ? 1 : 0)
95 
96 typedef struct idmap_nldap_q {
97 	char			**winname;
98 	char			**windomain;
99 	char			**unixname;
100 	uid_t			*pid;
101 	char			**dn;
102 	char			**attr;
103 	char			**value;
104 	int			is_user;
105 	idmap_retcode		*rc;
106 	int			lrc;
107 	ns_ldap_result_t	*result;
108 	ns_ldap_error_t		*errorp;
109 	char			*filter;
110 	char			*udata;
111 } idmap_nldap_q_t;
112 
113 typedef struct idmap_nldap_query_state {
114 	const char		*nldap_winname_attr;
115 	const char		*defdom;
116 	int			nqueries;
117 	int			qid;
118 	int			flag;
119 	ns_ldap_list_batch_t	*batch;
120 	idmap_nldap_q_t		queries[1];
121 } idmap_nldap_query_state_t;
122 
123 /*
124  * This routine has been copied from lib/nsswitch/ldap/common/ldap_utils.c
125  * after removing the debug statements.
126  *
127  * This is a generic filter callback function for merging the filter
128  * from service search descriptor with an existing search filter. This
129  * routine expects userdata to contain a format string with a single %s
130  * in it, and will use the format string with sprintf() to insert the
131  * SSD filter.
132  *
133  * This routine and userdata are passed to the __ns_ldap_list_batch_add()
134  * API.
135  *
136  * Consider an example that uses __ns_ldap_list_batch_add() to lookup
137  * native LDAP directory using a given userid 'xy12345'. In this
138  * example the userdata will contain the filter "(&(%s)(cn=xy1234))".
139  * If a SSD is defined to replace the rfc2307bis specified filter
140  * i.e. (objectClass=posixAccount) by a site-specific filter
141  * say (department=sds) then this routine when called will produce
142  * "(&(department=sds)(uid=xy1234))" as the real search filter.
143  */
144 static
145 int
146 merge_SSD_filter(const ns_ldap_search_desc_t *desc,
147 	char **realfilter, const void *userdata)
148 {
149 	int	len;
150 	if (realfilter == NULL)
151 		return (NS_LDAP_INVALID_PARAM);
152 	*realfilter = NULL;
153 	if (desc == NULL || desc->filter == NULL || userdata == NULL)
154 		return (NS_LDAP_INVALID_PARAM);
155 	len = strlen(userdata) + strlen(desc->filter) + 1;
156 	*realfilter = (char *)malloc(len);
157 	if (*realfilter == NULL)
158 		return (NS_LDAP_MEMORY);
159 	(void) sprintf(*realfilter, (char *)userdata, desc->filter);
160 	return (NS_LDAP_SUCCESS);
161 }
162 
163 static
164 char
165 hex_char(int n)
166 {
167 	return ("0123456789abcdef"[n & 0xf]);
168 }
169 
170 /*
171  * If the input string contains special characters that needs to be
172  * escaped before the string can be used in a LDAP filter then this
173  * function will return a new sanitized string. Otherwise this function
174  * returns the input string (This saves us un-necessary memory allocations
175  * especially when processing a batch of requests). The caller must free
176  * the returned string if it isn't the input string.
177  *
178  * The escape mechanism for LDAP filter is described in RFC2254 basically
179  * it's \hh where hh are the two hexadecimal digits representing the ASCII
180  * value of the encoded character (case of hh is not significant).
181  * Example: * -> \2a, ( -> \28, ) -> \29, \ -> \5c,
182  *
183  * outstring = sanitize_for_ldap_filter(instring);
184  * if (outstring == NULL)
185  *	Out of memory
186  * else
187  *	Use outstring
188  *	if (outstring != instring)
189  *		free(outstring);
190  * done
191  */
192 char *
193 sanitize_for_ldap_filter(const char *str)
194 {
195 	const char	*p;
196 	char		*q, *s_str = NULL;
197 	int		n;
198 
199 	/* Get a count of special characters */
200 	for (p = str, n = 0; *p; p++)
201 		if (*p == '*' || *p == '(' || *p == ')' ||
202 		    *p == '\\' || *p == '%')
203 			n++;
204 	/* If count is zero then no need to sanitize */
205 	if (n == 0)
206 		return ((char *)str);
207 	/* Create output buffer that will contain the sanitized value */
208 	s_str = calloc(1, n * 2 + strlen(str) + 1);
209 	if (s_str == NULL)
210 		return (NULL);
211 	for (p = str, q = s_str; *p; p++) {
212 		if (*p == '*' || *p == '(' || *p == ')' ||
213 		    *p == '\\' || *p == '%') {
214 			*q++ = '\\';
215 			*q++ = hex_char(*p >> 4);
216 			*q++ = hex_char(*p & 0xf);
217 		} else
218 			*q++ = *p;
219 	}
220 	return (s_str);
221 }
222 
223 /*
224  * Map libsldap status to idmap  status
225  */
226 static
227 idmap_retcode
228 nldaprc2retcode(int rc)
229 {
230 	switch (rc) {
231 	case NS_LDAP_SUCCESS:
232 	case NS_LDAP_SUCCESS_WITH_INFO:
233 		return (IDMAP_SUCCESS);
234 	case NS_LDAP_NOTFOUND:
235 		return (IDMAP_ERR_NOTFOUND);
236 	case NS_LDAP_MEMORY:
237 		return (IDMAP_ERR_MEMORY);
238 	case NS_LDAP_CONFIG:
239 		return (IDMAP_ERR_NS_LDAP_CFG);
240 	case NS_LDAP_OP_FAILED:
241 		return (IDMAP_ERR_NS_LDAP_OP_FAILED);
242 	case NS_LDAP_PARTIAL:
243 		return (IDMAP_ERR_NS_LDAP_PARTIAL);
244 	case NS_LDAP_INTERNAL:
245 		return (IDMAP_ERR_INTERNAL);
246 	case NS_LDAP_INVALID_PARAM:
247 		return (IDMAP_ERR_ARG);
248 	default:
249 		return (IDMAP_ERR_OTHER);
250 	}
251 	/*NOTREACHED*/
252 }
253 
254 /*
255  * Create a batch for native LDAP lookup.
256  */
257 static
258 idmap_retcode
259 idmap_nldap_lookup_batch_start(int nqueries, idmap_nldap_query_state_t **qs)
260 {
261 	idmap_nldap_query_state_t	*s;
262 
263 	s = calloc(1, sizeof (*s) +
264 	    (nqueries - 1) * sizeof (idmap_nldap_q_t));
265 	if (s == NULL)
266 		return (IDMAP_ERR_MEMORY);
267 	if (__ns_ldap_list_batch_start(&s->batch) != NS_LDAP_SUCCESS) {
268 		free(s);
269 		return (IDMAP_ERR_MEMORY);
270 	}
271 	s->nqueries = nqueries;
272 	s->flag = NS_LDAP_KEEP_CONN;
273 	*qs = s;
274 	return (IDMAP_SUCCESS);
275 }
276 
277 /*
278  * Add a lookup by winname request to the batch.
279  */
280 static
281 idmap_retcode
282 idmap_nldap_bywinname_batch_add(idmap_nldap_query_state_t *qs,
283 	const char *winname, const char *windomain, int is_user,
284 	char **dn, char **attr, char **value,
285 	char **unixname, uid_t *pid, idmap_retcode *rc)
286 {
287 	idmap_nldap_q_t		*q;
288 	const char		*db, *filter, *udata;
289 	int			flen, ulen, wksid = 0;
290 	char			*s_winname, *s_windomain;
291 	const char		**attrs;
292 	const char		*pwd_attrs[] = {UID, UIDNUMBER, NULL, NULL};
293 	const char		*grp_attrs[] = {CN, GIDNUMBER, NULL, NULL};
294 
295 	s_winname = s_windomain = NULL;
296 	q = &(qs->queries[qs->qid++]);
297 	q->unixname = unixname;
298 	q->pid = pid;
299 	q->rc = rc;
300 	q->is_user = is_user;
301 	q->dn = dn;
302 	q->attr = attr;
303 	q->value = value;
304 
305 	if (is_user) {
306 		db = "passwd";
307 		if (lookup_wksids_name2sid(winname, NULL, NULL, NULL, NULL,
308 		    NULL, NULL) == IDMAP_SUCCESS) {
309 			filter = _F_GETPWWNAMWK;
310 			udata = _F_GETPWWNAMWK_SSD;
311 			wksid = 1;
312 		} else if (windomain != NULL) {
313 			filter = _F_GETPWWNAMDOM;
314 			udata = _F_GETPWWNAMDOM_SSD;
315 		} else {
316 			*q->rc = IDMAP_ERR_DOMAIN_NOTFOUND;
317 			goto errout;
318 		}
319 		pwd_attrs[2] = qs->nldap_winname_attr;
320 		attrs = pwd_attrs;
321 	} else {
322 		db = "group";
323 		if (lookup_wksids_name2sid(winname, NULL, NULL, NULL, NULL,
324 		    NULL, NULL) == IDMAP_SUCCESS) {
325 			filter = _F_GETGRWNAMWK;
326 			udata = _F_GETGRWNAMWK_SSD;
327 			wksid = 1;
328 		} else if (windomain != NULL) {
329 			filter = _F_GETGRWNAMDOM;
330 			udata = _F_GETGRWNAMDOM_SSD;
331 		} else {
332 			*q->rc = IDMAP_ERR_DOMAIN_NOTFOUND;
333 			goto errout;
334 		}
335 		grp_attrs[2] = qs->nldap_winname_attr;
336 		attrs = grp_attrs;
337 	}
338 
339 	/*
340 	 * Sanitize names. No need to sanitize qs->nldap_winname_attr
341 	 * because if it contained any of the special characters then
342 	 * it would have been rejected by the function that reads it
343 	 * from the SMF config. LDAP attribute names can only contain
344 	 * letters, digits or hyphens.
345 	 */
346 	s_winname = sanitize_for_ldap_filter(winname);
347 	if (s_winname == NULL) {
348 		*q->rc = IDMAP_ERR_MEMORY;
349 		goto errout;
350 	}
351 	/* windomain could be NULL for names of well-known SIDs */
352 	if (windomain != NULL) {
353 		s_windomain = sanitize_for_ldap_filter(windomain);
354 		if (s_windomain == NULL) {
355 			*q->rc = IDMAP_ERR_MEMORY;
356 			goto errout;
357 		}
358 	}
359 
360 	/* Construct the filter and udata using snprintf. */
361 	if (wksid) {
362 		flen = snprintf(NULL, 0, filter, qs->nldap_winname_attr,
363 		    s_winname) + 1;
364 		ulen = snprintf(NULL, 0, udata, qs->nldap_winname_attr,
365 		    s_winname) + 1;
366 	} else {
367 		flen = snprintf(NULL, 0, filter, qs->nldap_winname_attr,
368 		    s_winname, s_windomain) + 1;
369 		ulen = snprintf(NULL, 0, udata, qs->nldap_winname_attr,
370 		    s_winname, s_windomain) + 1;
371 	}
372 
373 	q->filter = malloc(flen);
374 	if (q->filter == NULL) {
375 		*q->rc = IDMAP_ERR_MEMORY;
376 		goto errout;
377 	}
378 	q->udata = malloc(ulen);
379 	if (q->udata == NULL) {
380 		*q->rc = IDMAP_ERR_MEMORY;
381 		goto errout;
382 	}
383 
384 	if (wksid) {
385 		(void) snprintf(q->filter, flen, filter,
386 		    qs->nldap_winname_attr, s_winname);
387 		(void) snprintf(q->udata, ulen, udata,
388 		    qs->nldap_winname_attr, s_winname);
389 	} else {
390 		(void) snprintf(q->filter, flen, filter,
391 		    qs->nldap_winname_attr, s_winname, s_windomain);
392 		(void) snprintf(q->udata, ulen, udata,
393 		    qs->nldap_winname_attr, s_winname, s_windomain);
394 	}
395 
396 	if (s_winname != winname)
397 		free(s_winname);
398 	if (s_windomain != windomain)
399 		free(s_windomain);
400 
401 	q->lrc = __ns_ldap_list_batch_add(qs->batch, db, q->filter,
402 	    merge_SSD_filter, attrs, NULL, qs->flag, &q->result,
403 	    &q->errorp, &q->lrc, NULL, q->udata);
404 
405 	if (IS_NLDAP_RC_FATAL(q->lrc))
406 		return (nldaprc2retcode(q->lrc));
407 	return (IDMAP_SUCCESS);
408 
409 errout:
410 	/* query q and its content will be freed by batch_release */
411 	if (s_winname != winname)
412 		free(s_winname);
413 	if (s_windomain != windomain)
414 		free(s_windomain);
415 	return (*q->rc);
416 }
417 
418 /*
419  * Add a lookup by uid/gid request to the batch.
420  */
421 static
422 idmap_retcode
423 idmap_nldap_bypid_batch_add(idmap_nldap_query_state_t *qs,
424 	uid_t pid, int is_user, char **dn, char **attr, char **value,
425 	char **winname, char **windomain,
426 	char **unixname, idmap_retcode *rc)
427 {
428 	idmap_nldap_q_t		*q;
429 	const char		*db, *filter, *udata;
430 	int			len;
431 	const char		**attrs;
432 	const char		*pwd_attrs[] = {UID, NULL, NULL};
433 	const char		*grp_attrs[] = {CN, NULL, NULL};
434 
435 	q = &(qs->queries[qs->qid++]);
436 	q->winname = winname;
437 	q->windomain = windomain;
438 	q->unixname = unixname;
439 	q->rc = rc;
440 	q->is_user = is_user;
441 	q->dn = dn;
442 	q->attr = attr;
443 	q->value = value;
444 
445 	if (is_user) {
446 		db = "passwd";
447 		filter = _F_GETPWUID;
448 		udata = _F_GETPWUID_SSD;
449 		pwd_attrs[1] = qs->nldap_winname_attr;
450 		attrs = pwd_attrs;
451 	} else {
452 		db = "group";
453 		filter = _F_GETGRGID;
454 		udata = _F_GETGRGID_SSD;
455 		grp_attrs[1] = qs->nldap_winname_attr;
456 		attrs = grp_attrs;
457 	}
458 
459 	len = snprintf(NULL, 0, filter, pid) + 1;
460 	q->filter = malloc(len);
461 	if (q->filter == NULL) {
462 		*q->rc = IDMAP_ERR_MEMORY;
463 		return (IDMAP_ERR_MEMORY);
464 	}
465 	(void) snprintf(q->filter, len, filter, pid);
466 
467 	len = snprintf(NULL, 0, udata, pid) + 1;
468 	q->udata = malloc(len);
469 	if (q->udata == NULL) {
470 		*q->rc = IDMAP_ERR_MEMORY;
471 		return (IDMAP_ERR_MEMORY);
472 	}
473 	(void) snprintf(q->udata, len, udata, pid);
474 
475 	q->lrc = __ns_ldap_list_batch_add(qs->batch, db, q->filter,
476 	    merge_SSD_filter, attrs, NULL, qs->flag, &q->result,
477 	    &q->errorp, &q->lrc, NULL, q->udata);
478 
479 	if (IS_NLDAP_RC_FATAL(q->lrc))
480 		return (nldaprc2retcode(q->lrc));
481 	return (IDMAP_SUCCESS);
482 }
483 
484 /*
485  * Add a lookup by user/group name request to the batch.
486  */
487 static
488 idmap_retcode
489 idmap_nldap_byunixname_batch_add(idmap_nldap_query_state_t *qs,
490 	const char *unixname, int is_user,
491 	char **dn, char **attr, char **value,
492 	char **winname, char **windomain, uid_t *pid, idmap_retcode *rc)
493 {
494 	idmap_nldap_q_t		*q;
495 	const char		*db, *filter, *udata;
496 	int			len;
497 	char			*s_unixname = NULL;
498 	const char		**attrs;
499 	const char		*pwd_attrs[] = {UIDNUMBER, NULL, NULL};
500 	const char		*grp_attrs[] = {GIDNUMBER, NULL, NULL};
501 
502 	q = &(qs->queries[qs->qid++]);
503 	q->winname = winname;
504 	q->windomain = windomain;
505 	q->pid = pid;
506 	q->rc = rc;
507 	q->is_user = is_user;
508 	q->dn = dn;
509 	q->attr = attr;
510 	q->value = value;
511 
512 	if (is_user) {
513 		db = "passwd";
514 		filter = _F_GETPWNAM;
515 		udata = _F_GETPWNAM_SSD;
516 		pwd_attrs[1] = qs->nldap_winname_attr;
517 		attrs = pwd_attrs;
518 	} else {
519 		db = "group";
520 		filter = _F_GETGRNAM;
521 		udata = _F_GETGRNAM_SSD;
522 		grp_attrs[1] = qs->nldap_winname_attr;
523 		attrs = grp_attrs;
524 	}
525 
526 	s_unixname = sanitize_for_ldap_filter(unixname);
527 	if (s_unixname == NULL) {
528 		*q->rc = IDMAP_ERR_MEMORY;
529 		return (IDMAP_ERR_MEMORY);
530 	}
531 
532 	len = snprintf(NULL, 0, filter, s_unixname) + 1;
533 	q->filter = malloc(len);
534 	if (q->filter == NULL) {
535 		if (s_unixname != unixname)
536 			free(s_unixname);
537 		*q->rc = IDMAP_ERR_MEMORY;
538 		return (IDMAP_ERR_MEMORY);
539 	}
540 	(void) snprintf(q->filter, len, filter, s_unixname);
541 
542 	len = snprintf(NULL, 0, udata, s_unixname) + 1;
543 	q->udata = malloc(len);
544 	if (q->udata == NULL) {
545 		if (s_unixname != unixname)
546 			free(s_unixname);
547 		*q->rc = IDMAP_ERR_MEMORY;
548 		return (IDMAP_ERR_MEMORY);
549 	}
550 	(void) snprintf(q->udata, len, udata, s_unixname);
551 
552 	if (s_unixname != unixname)
553 		free(s_unixname);
554 
555 	q->lrc = __ns_ldap_list_batch_add(qs->batch, db, q->filter,
556 	    merge_SSD_filter, attrs, NULL, qs->flag, &q->result,
557 	    &q->errorp, &q->lrc, NULL, q->udata);
558 
559 	if (IS_NLDAP_RC_FATAL(q->lrc))
560 		return (nldaprc2retcode(q->lrc));
561 	return (IDMAP_SUCCESS);
562 }
563 
564 /*
565  * Free the batch
566  */
567 static
568 void
569 idmap_nldap_lookup_batch_release(idmap_nldap_query_state_t *qs)
570 {
571 	idmap_nldap_q_t		*q;
572 	int			i;
573 
574 	if (qs->batch != NULL)
575 		(void) __ns_ldap_list_batch_release(qs->batch);
576 	for (i = 0; i < qs->qid; i++) {
577 		q = &(qs->queries[i]);
578 		free(q->filter);
579 		free(q->udata);
580 		if (q->errorp != NULL)
581 			(void) __ns_ldap_freeError(&q->errorp);
582 		if (q->result != NULL)
583 			(void) __ns_ldap_freeResult(&q->result);
584 	}
585 	free(qs);
586 }
587 
588 /*
589  * Process all requests added to the batch and then free the batch.
590  * The results for individual requests will be accessible using the
591  * pointers passed during idmap_nldap_lookup_batch_end.
592  */
593 static
594 idmap_retcode
595 idmap_nldap_lookup_batch_end(idmap_nldap_query_state_t *qs)
596 {
597 	idmap_nldap_q_t		*q;
598 	int			i;
599 	ns_ldap_entry_t		*entry;
600 	char			**val, *end, *str, *name, *dom;
601 	idmap_retcode		rc = IDMAP_SUCCESS;
602 
603 	(void) __ns_ldap_list_batch_end(qs->batch);
604 	qs->batch = NULL;
605 	for (i = 0; i < qs->qid; i++) {
606 		q = &(qs->queries[i]);
607 		*q->rc = nldaprc2retcode(q->lrc);
608 		if (*q->rc != IDMAP_SUCCESS)
609 			continue;
610 		if (q->result == NULL ||
611 		    !q->result->entries_count ||
612 		    (entry = q->result->entry) == NULL ||
613 		    !entry->attr_count) {
614 			*q->rc = IDMAP_ERR_NOTFOUND;
615 			continue;
616 		}
617 		/* Get uid/gid */
618 		if (q->pid != NULL) {
619 			val = __ns_ldap_getAttr(entry,
620 			    (q->is_user) ? UIDNUMBER : GIDNUMBER);
621 			if (val != NULL && *val != NULL)
622 				*q->pid = strtoul(*val, &end, 10);
623 		}
624 		/* Get unixname */
625 		if (q->unixname != NULL) {
626 			val = __ns_ldap_getAttr(entry,
627 			    (q->is_user) ? UID : CN);
628 			if (val != NULL && *val != NULL) {
629 				*q->unixname = strdup(*val);
630 				if (*q->unixname == NULL) {
631 					rc = *q->rc = IDMAP_ERR_MEMORY;
632 					goto out;
633 				}
634 			}
635 		}
636 		/* Get DN for how info */
637 		if (q->dn != NULL) {
638 			val = __ns_ldap_getAttr(entry, DN);
639 			if (val != NULL && *val != NULL) {
640 				*q->dn = strdup(*val);
641 				if (*q->dn == NULL) {
642 					rc = *q->rc = IDMAP_ERR_MEMORY;
643 					goto out;
644 				}
645 			}
646 		}
647 		/* Get nldap name mapping attr name for how info */
648 		if (q->attr != NULL) {
649 			*q->attr = strdup(qs->nldap_winname_attr);
650 			if (*q->attr == NULL) {
651 				rc = *q->rc = IDMAP_ERR_MEMORY;
652 				goto out;
653 			}
654 		}
655 		/* Get nldap name mapping attr value for how info */
656 		val =  __ns_ldap_getAttr(entry, qs->nldap_winname_attr);
657 		if (val == NULL || *val == NULL)
658 			continue;
659 		if (q->value != NULL) {
660 			*q->value = strdup(*val);
661 			if (*q->value == NULL) {
662 				rc = *q->rc = IDMAP_ERR_MEMORY;
663 				goto out;
664 			}
665 		}
666 
667 		/* Get winname and windomain */
668 		if (q->winname == NULL && q->windomain == NULL)
669 			continue;
670 		/*
671 		 * We need to split the value into winname and
672 		 * windomain. The value could be either in NT4
673 		 * style (i.e. dom\name) or AD-style (i.e. name@dom).
674 		 * We choose the first '\\' if it's in NT4 style and
675 		 * the last '@' if it's in AD-style for the split.
676 		 */
677 		name = dom = NULL;
678 		if (lookup_wksids_name2sid(*val, NULL, NULL, NULL, NULL, NULL,
679 		    NULL) == IDMAP_SUCCESS) {
680 			name = *val;
681 			dom = NULL;
682 		} else if ((str = strchr(*val, '\\')) != NULL) {
683 			*str = '\0';
684 			name = str + 1;
685 			dom = *val;
686 		} else if ((str = strrchr(*val, '@')) != NULL) {
687 			*str = '\0';
688 			name = *val;
689 			dom = str + 1;
690 		} else {
691 			idmapdlog(LOG_INFO, "Domain-less "
692 			    "winname (%s) found in Native LDAP", *val);
693 			*q->rc = IDMAP_ERR_NS_LDAP_BAD_WINNAME;
694 			continue;
695 		}
696 		if (q->winname != NULL) {
697 			*q->winname = strdup(name);
698 			if (*q->winname == NULL) {
699 				rc = *q->rc = IDMAP_ERR_MEMORY;
700 				goto out;
701 			}
702 		}
703 		if (q->windomain != NULL && dom != NULL) {
704 			*q->windomain = strdup(dom);
705 			if (*q->windomain == NULL) {
706 				rc = *q->rc = IDMAP_ERR_MEMORY;
707 				goto out;
708 			}
709 		}
710 	}
711 
712 out:
713 	(void) idmap_nldap_lookup_batch_release(qs);
714 	return (rc);
715 }
716 
717 /* ARGSUSED */
718 idmap_retcode
719 nldap_lookup_batch(lookup_state_t *state, idmap_mapping_batch *batch,
720 		idmap_ids_res *result)
721 {
722 	idmap_retcode			retcode, rc1;
723 	int				i, add;
724 	idmap_mapping			*req;
725 	idmap_id_res			*res;
726 	idmap_nldap_query_state_t	*qs = NULL;
727 	idmap_how			*how;
728 
729 	if (state->nldap_nqueries == 0)
730 		return (IDMAP_SUCCESS);
731 
732 	/* Create nldap lookup batch */
733 	retcode = idmap_nldap_lookup_batch_start(state->nldap_nqueries, &qs);
734 	if (retcode != IDMAP_SUCCESS) {
735 		idmapdlog(LOG_ERR,
736 		    "Failed to create batch for native LDAP lookup");
737 		goto out;
738 	}
739 
740 	qs->nldap_winname_attr = state->nldap_winname_attr;
741 	qs->defdom = state->defdom;
742 
743 	/* Add requests to the batch */
744 	for (i = 0, add = 0; i < batch->idmap_mapping_batch_len; i++) {
745 		req = &batch->idmap_mapping_batch_val[i];
746 		res = &result->ids.ids_val[i];
747 		retcode = IDMAP_SUCCESS;
748 
749 		/* Skip if not marked for nldap lookup */
750 		if (!(req->direction & _IDMAP_F_LOOKUP_NLDAP))
751 			continue;
752 
753 		if (IS_ID_SID(req->id1)) {
754 
755 			/* win2unix request: */
756 
757 			/*
758 			 * When processing a win2unix request, nldap lookup
759 			 * is performed after AD lookup or a successful
760 			 * name-cache lookup. Therefore we should already
761 			 * have sid, winname and sidtype. Note that
762 			 * windomain could be NULL e.g. well-known SIDs.
763 			 */
764 			assert(req->id1name != NULL &&
765 			    (res->id.idtype == IDMAP_UID ||
766 			    res->id.idtype == IDMAP_GID));
767 
768 			/* Skip if we already have pid and unixname */
769 			if (req->id2name != NULL &&
770 			    res->id.idmap_id_u.uid != IDMAP_SENTINEL_PID) {
771 				res->retcode = IDMAP_SUCCESS;
772 				continue;
773 			}
774 
775 			/* Clear leftover value */
776 			free(req->id2name);
777 			req->id2name = NULL;
778 
779 			/* Lookup nldap by winname to get pid and unixname */
780 			add = 1;
781 			idmap_how_clear(&res->info.how);
782 			res->info.src = IDMAP_MAP_SRC_NEW;
783 			how = &res->info.how;
784 			how->map_type = IDMAP_MAP_TYPE_DS_NLDAP;
785 			retcode = idmap_nldap_bywinname_batch_add(
786 			    qs, req->id1name, req->id1domain,
787 			    (res->id.idtype == IDMAP_UID) ? 1 : 0,
788 			    &how->idmap_how_u.nldap.dn,
789 			    &how->idmap_how_u.nldap.attr,
790 			    &how->idmap_how_u.nldap.value,
791 			    &req->id2name, &res->id.idmap_id_u.uid,
792 			    &res->retcode);
793 
794 		} else if (IS_ID_UID(req->id1) || IS_ID_GID(req->id1)) {
795 
796 			/* unix2win request: */
797 
798 			/* Skip if we already have winname */
799 			if (req->id2name != NULL) {
800 				res->retcode = IDMAP_SUCCESS;
801 				continue;
802 			}
803 
804 			/* Clear old value */
805 			free(req->id2domain);
806 			req->id2domain = NULL;
807 
808 			/* Set how info */
809 			idmap_how_clear(&res->info.how);
810 			res->info.src = IDMAP_MAP_SRC_NEW;
811 			how = &res->info.how;
812 			how->map_type = IDMAP_MAP_TYPE_DS_NLDAP;
813 
814 			/* Lookup nldap by pid or unixname to get winname */
815 			if (req->id1.idmap_id_u.uid != IDMAP_SENTINEL_PID) {
816 				add = 1;
817 				retcode = idmap_nldap_bypid_batch_add(
818 				    qs, req->id1.idmap_id_u.uid,
819 				    (req->id1.idtype == IDMAP_UID) ? 1 : 0,
820 				    &how->idmap_how_u.nldap.dn,
821 				    &how->idmap_how_u.nldap.attr,
822 				    &how->idmap_how_u.nldap.value,
823 				    &req->id2name, &req->id2domain,
824 				    (req->id1name == NULL) ?
825 				    &req->id1name : NULL,
826 				    &res->retcode);
827 			} else if (req->id1name != NULL) {
828 				add = 1;
829 				retcode = idmap_nldap_byunixname_batch_add(
830 				    qs, req->id1name,
831 				    (req->id1.idtype == IDMAP_UID) ? 1 : 0,
832 				    &how->idmap_how_u.nldap.dn,
833 				    &how->idmap_how_u.nldap.attr,
834 				    &how->idmap_how_u.nldap.value,
835 				    &req->id2name, &req->id2domain,
836 				    &req->id1.idmap_id_u.uid, &res->retcode);
837 			}
838 
839 		}
840 
841 		/*
842 		 * nldap_batch_add API returns error only on fatal failures
843 		 * otherwise it returns success and the actual status
844 		 * is stored in the individual request (res->retcode).
845 		 * Stop adding requests to this batch on fatal failures
846 		 * (i.e. if retcode != success)
847 		 */
848 		if (retcode != IDMAP_SUCCESS)
849 			break;
850 	}
851 
852 	if (!add)
853 		idmap_nldap_lookup_batch_release(qs);
854 	else if (retcode != IDMAP_SUCCESS)
855 		idmap_nldap_lookup_batch_release(qs);
856 	else
857 		retcode = idmap_nldap_lookup_batch_end(qs);
858 
859 out:
860 	for (i = 0; i < batch->idmap_mapping_batch_len; i++) {
861 		req = &batch->idmap_mapping_batch_val[i];
862 		res = &result->ids.ids_val[i];
863 		if (!(req->direction & _IDMAP_F_LOOKUP_NLDAP))
864 			continue;
865 
866 		/* Reset nldap flag */
867 		req->direction &= ~(_IDMAP_F_LOOKUP_NLDAP);
868 
869 		/*
870 		 * As noted earlier retcode != success if there were fatal
871 		 * errors during batch_start and batch_adds. If so then set
872 		 * the status of each nldap request to that error.
873 		 */
874 		if (retcode != IDMAP_SUCCESS) {
875 			res->retcode = retcode;
876 			continue;
877 		}
878 		if (!add)
879 			continue;
880 
881 		/*
882 		 * If we successfully retrieved winname from nldap entry
883 		 * then lookup winname2sid locally. If not found locally
884 		 * then mark this request for AD lookup.
885 		 */
886 		if (res->retcode == IDMAP_SUCCESS &&
887 		    req->id2name != NULL &&
888 		    res->id.idmap_id_u.sid.prefix == NULL &&
889 		    (IS_ID_UID(req->id1) || IS_ID_GID(req->id1))) {
890 
891 			rc1 = lookup_name2sid(state->cache,
892 			    req->id2name, req->id2domain, -1,
893 			    NULL, NULL,
894 			    &res->id.idmap_id_u.sid.prefix,
895 			    &res->id.idmap_id_u.sid.rid,
896 			    &res->id.idtype,
897 			    req, 1);
898 			if (rc1 == IDMAP_ERR_NOTFOUND) {
899 				req->direction |= _IDMAP_F_LOOKUP_AD;
900 				state->ad_nqueries++;
901 			} else
902 				res->retcode = rc1;
903 		}
904 
905 		/*
906 		 * Unset non-fatal errors in individual request. This allows
907 		 * the next pass to process other mapping mechanisms for
908 		 * this request.
909 		 */
910 		if (res->retcode != IDMAP_SUCCESS &&
911 		    res->retcode != IDMAP_ERR_NS_LDAP_BAD_WINNAME &&
912 		    !(IDMAP_FATAL_ERROR(res->retcode))) {
913 			idmap_how_clear(&res->info.how);
914 			res->retcode = IDMAP_SUCCESS;
915 		}
916 	}
917 
918 	state->nldap_nqueries = 0;
919 	return (retcode);
920 }
921