1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 24 * Copyright 2020 Joyent, Inc. 25 */ 26 27 #include <stdio.h> 28 #include <sys/types.h> 29 #include <stdlib.h> 30 #include <libintl.h> 31 #include <ctype.h> 32 #include <syslog.h> 33 #include <sys/stat.h> 34 #include <fcntl.h> 35 #include <unistd.h> 36 #include <string.h> 37 #include <strings.h> 38 #include <priv.h> 39 40 #include "ns_sldap.h" 41 #include "ns_internal.h" 42 #include "ns_cache_door.h" 43 #include "ns_connmgmt.h" 44 45 #define _NIS_FILTER "nisdomain=*" 46 #define _NIS_DOMAIN "nisdomain" 47 static const char *nis_domain_attrs[] = { 48 _NIS_DOMAIN, 49 (char *)NULL 50 }; 51 52 static int validate_filter(ns_ldap_cookie_t *cookie); 53 54 void 55 __ns_ldap_freeEntry(ns_ldap_entry_t *ep) 56 { 57 int j, k = 0; 58 59 if (ep == NULL) 60 return; 61 62 if (ep->attr_pair == NULL) { 63 free(ep); 64 return; 65 } 66 for (j = 0; j < ep->attr_count; j++) { 67 if (ep->attr_pair[j] == NULL) 68 continue; 69 if (ep->attr_pair[j]->attrname) 70 free(ep->attr_pair[j]->attrname); 71 if (ep->attr_pair[j]->attrvalue) { 72 for (k = 0; (k < ep->attr_pair[j]->value_count) && 73 (ep->attr_pair[j]->attrvalue[k]); k++) { 74 free(ep->attr_pair[j]->attrvalue[k]); 75 } 76 free(ep->attr_pair[j]->attrvalue); 77 } 78 free(ep->attr_pair[j]); 79 } 80 free(ep->attr_pair); 81 free(ep); 82 } 83 84 static void 85 _freeControlList(LDAPControl ***ctrls) 86 { 87 LDAPControl **ctrl; 88 89 if (ctrls == NULL || *ctrls == NULL) 90 return; 91 92 for (ctrl = *ctrls; *ctrl != NULL; ctrl++) 93 ldap_control_free(*ctrl); 94 free(*ctrls); 95 *ctrls = NULL; 96 } 97 /* 98 * Convert attribute type in a RDN that has an attribute mapping to the 99 * original mappped type. 100 * e.g. 101 * cn<->cn-st and iphostnumber<->iphostnumber-st 102 * cn-st=aaa+iphostnumber-st=10.10.01.01 103 * is mapped to 104 * cn=aaa+iphostnumber=10.10.01.01 105 * 106 * Input - service: e.g. hosts, passwd etc. 107 * rdn: RDN 108 * Return: NULL - No attribute mapping in the RDN 109 * Non-NULL - The attribute type(s) in the RDN are mapped and 110 * the memory is allocated for the new rdn. 111 * 112 */ 113 static char * 114 _cvtRDN(const char *service, const char *rdn) 115 { 116 char **attrs, **mapped_attrs, **mapp, *type, *value, *attr; 117 char *new_rdn = NULL; 118 int nAttr = 0, i, attr_mapped, len = 0; 119 120 /* Break down "type=value\0" pairs. Assume RDN is normalized */ 121 if ((attrs = ldap_explode_rdn(rdn, 0)) == NULL) 122 return (NULL); 123 124 for (nAttr = 0; attrs[nAttr] != NULL; nAttr++) 125 ; 126 127 if ((mapped_attrs = (char **)calloc(nAttr, sizeof (char *))) == NULL) { 128 ldap_value_free(attrs); 129 return (NULL); 130 } 131 132 attr_mapped = 0; 133 for (i = 0; i < nAttr; i++) { 134 /* Parse type=value pair */ 135 if ((type = strtok_r(attrs[i], "=", &value)) == NULL || 136 value == NULL) 137 goto cleanup; 138 /* Reverse map: e.g. cn-sm -> cn */ 139 mapp = __ns_ldap_getOrigAttribute(service, type); 140 if (mapp != NULL && mapp[0] != NULL) { 141 /* The attribute mapping is found */ 142 type = mapp[0]; 143 attr_mapped = 1; 144 145 /* "type=value\0" */ 146 len = strlen(type) + strlen(value) + 2; 147 148 /* Reconstruct type=value pair. A string is allocated */ 149 if ((attr = (char *)calloc(1, len)) == NULL) { 150 __s_api_free2dArray(mapp); 151 goto cleanup; 152 } 153 (void) snprintf(attr, len, "%s=%s", type, value); 154 mapped_attrs[i] = attr; 155 } else { 156 /* 157 * No attribute mapping. attrs[i] is going to be copied 158 * later. Restore "type\0value\0" back to 159 * "type=value\0". 160 */ 161 type[strlen(type)] = '='; 162 } 163 __s_api_free2dArray(mapp); 164 } 165 if (attr_mapped == 0) 166 /* No attribute mapping. Don't bother to reconstruct RDN */ 167 goto cleanup; 168 169 len = 0; 170 /* Reconstruct RDN from type=value pairs */ 171 for (i = 0; i < nAttr; i++) { 172 if (mapped_attrs[i]) 173 len += strlen(mapped_attrs[i]); 174 else 175 len += strlen(attrs[i]); 176 /* Add 1 for "+" */ 177 len++; 178 } 179 if ((new_rdn = (char *)calloc(1, ++len)) == NULL) 180 goto cleanup; 181 for (i = 0; i < nAttr; i++) { 182 if (i > 0) 183 /* Add seperator */ 184 (void) strlcat(new_rdn, "+", len); 185 186 if (mapped_attrs[i]) 187 (void) strlcat(new_rdn, mapped_attrs[i], len); 188 else 189 (void) strlcat(new_rdn, attrs[i], len); 190 191 } 192 cleanup: 193 ldap_value_free(attrs); 194 if (mapped_attrs) { 195 if (attr_mapped) { 196 for (i = 0; i < nAttr; i++) { 197 if (mapped_attrs[i]) 198 free(mapped_attrs[i]); 199 } 200 } 201 free(mapped_attrs); 202 } 203 204 return (new_rdn); 205 } 206 /* 207 * Convert attribute type in a DN that has an attribute mapping to the 208 * original mappped type. 209 * e.g 210 * The mappings are cn<->cn-sm, iphostnumber<->iphostnumber-sm 211 * 212 * dn: cn-sm=aaa+iphostnumber-sm=9.9.9.9,dc=central,dc=sun,dc=com 213 * is converted to 214 * dn: cn=aaa+iphostnumber=9.9.9.9,dc=central,dc=sun,dc=com 215 * 216 * Input - service: e.g. hosts, passwd etc. 217 * dn: the value of a distinguished name 218 * Return - NULL: error 219 * non-NULL: A converted DN and the memory is allocated 220 */ 221 static char * 222 _cvtDN(const char *service, const char *dn) 223 { 224 char **mapped_rdns; 225 char **rdns, *new_rdn, *new_dn = NULL; 226 int nRdn = 0, i, len = 0, rdn_mapped; 227 228 if (service == NULL || dn == NULL) 229 return (NULL); 230 231 if ((rdns = ldap_explode_dn(dn, 0)) == NULL) 232 return (NULL); 233 234 for (nRdn = 0; rdns[nRdn] != NULL; nRdn++) 235 ; 236 237 if ((mapped_rdns = (char **)calloc(nRdn, sizeof (char *))) == NULL) { 238 ldap_value_free(rdns); 239 return (NULL); 240 } 241 242 rdn_mapped = 0; 243 /* Break down RDNs in a DN */ 244 for (i = 0; i < nRdn; i++) { 245 if ((new_rdn = _cvtRDN(service, rdns[i])) != NULL) { 246 mapped_rdns[i] = new_rdn; 247 rdn_mapped = 1; 248 } 249 } 250 if (rdn_mapped == 0) { 251 /* 252 * No RDN contains any attribute mapping. 253 * Don't bother to reconstruct DN from RDN. Copy DN directly. 254 */ 255 new_dn = strdup(dn); 256 goto cleanup; 257 } 258 /* 259 * Reconstruct dn from RDNs. 260 * Calculate the length first. 261 */ 262 for (i = 0; i < nRdn; i++) { 263 if (mapped_rdns[i]) 264 len += strlen(mapped_rdns[i]); 265 else 266 len += strlen(rdns[i]); 267 268 /* add 1 for ',' */ 269 len ++; 270 } 271 if ((new_dn = (char *)calloc(1, ++len)) == NULL) 272 goto cleanup; 273 for (i = 0; i < nRdn; i++) { 274 if (i > 0) 275 /* Add seperator */ 276 (void) strlcat(new_dn, ",", len); 277 278 if (mapped_rdns[i]) 279 (void) strlcat(new_dn, mapped_rdns[i], len); 280 else 281 (void) strlcat(new_dn, rdns[i], len); 282 283 } 284 285 cleanup: 286 ldap_value_free(rdns); 287 if (mapped_rdns) { 288 if (rdn_mapped) { 289 for (i = 0; i < nRdn; i++) { 290 if (mapped_rdns[i]) 291 free(mapped_rdns[i]); 292 } 293 } 294 free(mapped_rdns); 295 } 296 297 return (new_dn); 298 } 299 /* 300 * Convert a single ldap entry from a LDAPMessage 301 * into an ns_ldap_entry structure. 302 * Schema map the entry if specified in flags 303 */ 304 305 static int 306 __s_api_cvtEntry(LDAP *ld, const char *service, LDAPMessage *e, int flags, 307 ns_ldap_entry_t **ret, ns_ldap_error_t **error) 308 { 309 310 ns_ldap_entry_t *ep = NULL; 311 ns_ldap_attr_t **ap = NULL; 312 BerElement *ber; 313 char *attr = NULL; 314 char **vals = NULL; 315 char **mapping; 316 char *dn; 317 int nAttrs = 0; 318 int i, j, k = 0; 319 char **gecos_mapping = NULL; 320 int gecos_val_index[3] = { -1, -1, -1}; 321 char errstr[MAXERROR]; 322 int schema_mapping_existed = FALSE; 323 int gecos_mapping_existed = FALSE; 324 int gecos_attr_matched; 325 int auto_service = FALSE; 326 int rc = NS_LDAP_SUCCESS; 327 328 if (e == NULL || ret == NULL || error == NULL) 329 return (NS_LDAP_INVALID_PARAM); 330 331 *error = NULL; 332 333 ep = (ns_ldap_entry_t *)calloc(1, sizeof (ns_ldap_entry_t)); 334 if (ep == NULL) 335 return (NS_LDAP_MEMORY); 336 337 if (service != NULL && 338 (strncasecmp(service, "auto_", 5) == 0 || 339 strcasecmp(service, "automount") == 0)) 340 auto_service = TRUE; 341 /* 342 * see if schema mapping existed for the given service 343 */ 344 mapping = __ns_ldap_getOrigAttribute(service, 345 NS_HASH_SCHEMA_MAPPING_EXISTED); 346 if (mapping) { 347 schema_mapping_existed = TRUE; 348 __s_api_free2dArray(mapping); 349 mapping = NULL; 350 } else if (auto_service) { 351 /* 352 * If service == auto_* and no 353 * schema mapping found 354 * then try automount 355 * There is certain case that schema mapping exist 356 * but __ns_ldap_getOrigAttribute(service, 357 * NS_HASH_SCHEMA_MAPPING_EXISTED); 358 * returns NULL. 359 * e.g. 360 * NS_LDAP_ATTRIBUTEMAP = automount:automountMapName=AAA 361 * NS_LDAP_OBJECTCLASSMAP = automount:automountMap=MynisMap 362 * NS_LDAP_OBJECTCLASSMAP = automount:automount=MynisObject 363 * 364 * Make a check for schema_mapping_existed here 365 * so later on __s_api_convert_automountmapname won't be called 366 * unnecessarily. It is also used for attribute mapping 367 * and objectclass mapping. 368 */ 369 mapping = __ns_ldap_getOrigAttribute("automount", 370 NS_HASH_SCHEMA_MAPPING_EXISTED); 371 if (mapping) { 372 schema_mapping_existed = TRUE; 373 __s_api_free2dArray(mapping); 374 mapping = NULL; 375 } 376 } 377 378 nAttrs = 1; /* start with 1 for the DN attr */ 379 for (attr = ldap_first_attribute(ld, e, &ber); attr != NULL; 380 attr = ldap_next_attribute(ld, e, ber)) { 381 nAttrs++; 382 ldap_memfree(attr); 383 attr = NULL; 384 } 385 ber_free(ber, 0); 386 ber = NULL; 387 388 ep->attr_count = nAttrs; 389 390 /* 391 * add 1 for "gecos" 1 to N attribute mapping, 392 * just in case it is needed. 393 * ep->attr_count will be updated later if that is true. 394 */ 395 ap = (ns_ldap_attr_t **)calloc(ep->attr_count + 1, 396 sizeof (ns_ldap_attr_t *)); 397 if (ap == NULL) { 398 __ns_ldap_freeEntry(ep); 399 ep = NULL; 400 return (NS_LDAP_MEMORY); 401 } 402 ep->attr_pair = ap; 403 404 /* DN attribute */ 405 dn = ldap_get_dn(ld, e); 406 ap[0] = (ns_ldap_attr_t *)calloc(1, sizeof (ns_ldap_attr_t)); 407 if (ap[0] == NULL) { 408 ldap_memfree(dn); 409 dn = NULL; 410 __ns_ldap_freeEntry(ep); 411 ep = NULL; 412 return (NS_LDAP_MEMORY); 413 } 414 415 if ((ap[0]->attrname = strdup("dn")) == NULL) { 416 ldap_memfree(dn); 417 dn = NULL; 418 __ns_ldap_freeEntry(ep); 419 ep = NULL; 420 return (NS_LDAP_INVALID_PARAM); 421 } 422 ap[0]->value_count = 1; 423 if ((ap[0]->attrvalue = (char **) 424 calloc(2, sizeof (char *))) == NULL) { 425 ldap_memfree(dn); 426 dn = NULL; 427 __ns_ldap_freeEntry(ep); 428 ep = NULL; 429 return (NS_LDAP_MEMORY); 430 } 431 432 if (schema_mapping_existed && ((flags & NS_LDAP_NOT_CVT_DN) == 0)) 433 ap[0]->attrvalue[0] = _cvtDN(service, dn); 434 else 435 ap[0]->attrvalue[0] = strdup(dn); 436 437 if (ap[0]->attrvalue[0] == NULL) { 438 ldap_memfree(dn); 439 dn = NULL; 440 __ns_ldap_freeEntry(ep); 441 ep = NULL; 442 return (NS_LDAP_MEMORY); 443 } 444 ldap_memfree(dn); 445 dn = NULL; 446 447 if ((flags & NS_LDAP_NOMAP) == 0 && auto_service && 448 schema_mapping_existed) { 449 rc = __s_api_convert_automountmapname(service, 450 &ap[0]->attrvalue[0], 451 error); 452 if (rc != NS_LDAP_SUCCESS) { 453 __ns_ldap_freeEntry(ep); 454 ep = NULL; 455 return (rc); 456 } 457 } 458 459 /* other attributes */ 460 for (attr = ldap_first_attribute(ld, e, &ber), j = 1; 461 attr != NULL && j != nAttrs; 462 attr = ldap_next_attribute(ld, e, ber), j++) { 463 /* allocate new attr name */ 464 465 if ((ap[j] = (ns_ldap_attr_t *) 466 calloc(1, sizeof (ns_ldap_attr_t))) == NULL) { 467 ber_free(ber, 0); 468 ber = NULL; 469 __ns_ldap_freeEntry(ep); 470 ep = NULL; 471 if (gecos_mapping) 472 __s_api_free2dArray(gecos_mapping); 473 gecos_mapping = NULL; 474 return (NS_LDAP_MEMORY); 475 } 476 477 if ((flags & NS_LDAP_NOMAP) || schema_mapping_existed == FALSE) 478 mapping = NULL; 479 else 480 mapping = __ns_ldap_getOrigAttribute(service, attr); 481 482 if (mapping == NULL && auto_service && 483 schema_mapping_existed && (flags & NS_LDAP_NOMAP) == 0) 484 /* 485 * if service == auto_* and no schema mapping found 486 * and schema_mapping_existed is TRUE and NS_LDAP_NOMAP 487 * is not set then try automount e.g. 488 * NS_LDAP_ATTRIBUTEMAP = automount:automountMapName=AAA 489 */ 490 mapping = __ns_ldap_getOrigAttribute("automount", 491 attr); 492 493 if (mapping == NULL) { 494 if ((ap[j]->attrname = strdup(attr)) == NULL) { 495 ber_free(ber, 0); 496 ber = NULL; 497 __ns_ldap_freeEntry(ep); 498 ep = NULL; 499 if (gecos_mapping) 500 __s_api_free2dArray(gecos_mapping); 501 gecos_mapping = NULL; 502 return (NS_LDAP_MEMORY); 503 } 504 } else { 505 /* 506 * for "gecos" 1 to N mapping, 507 * do not remove the mapped attribute, 508 * just create a new gecos attribute 509 * and append it to the end of the attribute list 510 */ 511 if (strcasecmp(mapping[0], "gecos") == 0) { 512 ap[j]->attrname = strdup(attr); 513 gecos_mapping_existed = TRUE; 514 } else { 515 ap[j]->attrname = strdup(mapping[0]); 516 } 517 518 if (ap[j]->attrname == NULL) { 519 ber_free(ber, 0); 520 ber = NULL; 521 __ns_ldap_freeEntry(ep); 522 ep = NULL; 523 if (gecos_mapping) 524 __s_api_free2dArray(gecos_mapping); 525 gecos_mapping = NULL; 526 return (NS_LDAP_MEMORY); 527 } 528 /* 529 * 1 to N attribute mapping processing 530 * is only done for "gecos" 531 */ 532 533 if (strcasecmp(mapping[0], "gecos") == 0) { 534 /* 535 * get attribute mapping for "gecos", 536 * need to know the number and order of the 537 * mapped attributes 538 */ 539 if (gecos_mapping == NULL) { 540 gecos_mapping = 541 __ns_ldap_getMappedAttributes( 542 service, mapping[0]); 543 if (gecos_mapping == NULL || 544 gecos_mapping[0] == NULL) { 545 /* 546 * this should never happens, 547 * syslog the error 548 */ 549 (void) sprintf(errstr, 550 gettext( 551 "Attribute mapping " 552 "inconsistency " 553 "found for attributes " 554 "'%s' and '%s'."), 555 mapping[0], attr); 556 syslog(LOG_ERR, "libsldap: %s", 557 errstr); 558 559 ber_free(ber, 0); 560 ber = NULL; 561 __ns_ldap_freeEntry(ep); 562 ep = NULL; 563 __s_api_free2dArray(mapping); 564 mapping = NULL; 565 if (gecos_mapping) 566 __s_api_free2dArray( 567 gecos_mapping); 568 gecos_mapping = NULL; 569 return (NS_LDAP_INTERNAL); 570 } 571 } 572 573 /* 574 * is this attribute the 1st, 2nd, or 575 * 3rd attr in the mapping list? 576 */ 577 gecos_attr_matched = FALSE; 578 for (i = 0; i < 3 && gecos_mapping[i]; i++) { 579 if (gecos_mapping[i] && 580 strcasecmp(gecos_mapping[i], 581 attr) == 0) { 582 gecos_val_index[i] = j; 583 gecos_attr_matched = TRUE; 584 break; 585 } 586 } 587 if (gecos_attr_matched == FALSE) { 588 /* 589 * Not match found. 590 * This should never happens, 591 * syslog the error 592 */ 593 (void) sprintf(errstr, 594 gettext( 595 "Attribute mapping " 596 "inconsistency " 597 "found for attributes " 598 "'%s' and '%s'."), 599 mapping[0], attr); 600 syslog(LOG_ERR, "libsldap: %s", errstr); 601 602 ber_free(ber, 0); 603 ber = NULL; 604 __ns_ldap_freeEntry(ep); 605 ep = NULL; 606 __s_api_free2dArray(mapping); 607 mapping = NULL; 608 __s_api_free2dArray(gecos_mapping); 609 gecos_mapping = NULL; 610 return (NS_LDAP_INTERNAL); 611 } 612 } 613 __s_api_free2dArray(mapping); 614 mapping = NULL; 615 } 616 617 if ((vals = ldap_get_values(ld, e, attr)) != NULL) { 618 619 if ((ap[j]->value_count = 620 ldap_count_values(vals)) == 0) { 621 ldap_value_free(vals); 622 vals = NULL; 623 continue; 624 } else { 625 ap[j]->attrvalue = (char **) 626 calloc(ap[j]->value_count+1, 627 sizeof (char *)); 628 if (ap[j]->attrvalue == NULL) { 629 ber_free(ber, 0); 630 ber = NULL; 631 __ns_ldap_freeEntry(ep); 632 ep = NULL; 633 if (gecos_mapping) 634 __s_api_free2dArray( 635 gecos_mapping); 636 gecos_mapping = NULL; 637 return (NS_LDAP_MEMORY); 638 } 639 } 640 641 /* map object classes if necessary */ 642 if ((flags & NS_LDAP_NOMAP) == 0 && 643 schema_mapping_existed && ap[j]->attrname && 644 strcasecmp(ap[j]->attrname, "objectclass") == 0) { 645 for (k = 0; k < ap[j]->value_count; k++) { 646 mapping = 647 __ns_ldap_getOrigObjectClass( 648 service, vals[k]); 649 650 if (mapping == NULL && auto_service) 651 /* 652 * if service == auto_* and no 653 * schema mapping found 654 * then try automount 655 */ 656 mapping = 657 __ns_ldap_getOrigObjectClass( 658 "automount", vals[k]); 659 660 if (mapping == NULL) { 661 ap[j]->attrvalue[k] = 662 strdup(vals[k]); 663 } else { 664 ap[j]->attrvalue[k] = 665 strdup(mapping[0]); 666 __s_api_free2dArray(mapping); 667 mapping = NULL; 668 } 669 if (ap[j]->attrvalue[k] == NULL) { 670 ber_free(ber, 0); 671 ber = NULL; 672 __ns_ldap_freeEntry(ep); 673 ep = NULL; 674 if (gecos_mapping) 675 __s_api_free2dArray( 676 gecos_mapping); 677 gecos_mapping = NULL; 678 return (NS_LDAP_MEMORY); 679 } 680 } 681 } else { 682 for (k = 0; k < ap[j]->value_count; k++) { 683 if ((ap[j]->attrvalue[k] = 684 strdup(vals[k])) == NULL) { 685 ber_free(ber, 0); 686 ber = NULL; 687 __ns_ldap_freeEntry(ep); 688 ep = NULL; 689 if (gecos_mapping) 690 __s_api_free2dArray( 691 gecos_mapping); 692 gecos_mapping = NULL; 693 return (NS_LDAP_MEMORY); 694 } 695 } 696 } 697 698 ap[j]->attrvalue[k] = NULL; 699 ldap_value_free(vals); 700 vals = NULL; 701 } 702 703 ldap_memfree(attr); 704 attr = NULL; 705 } 706 707 ber_free(ber, 0); 708 ber = NULL; 709 710 if (gecos_mapping) { 711 __s_api_free2dArray(gecos_mapping); 712 gecos_mapping = NULL; 713 } 714 715 /* special processing for gecos 1 to up to 3 attribute mapping */ 716 if (schema_mapping_existed && gecos_mapping_existed) { 717 718 int f = -1; 719 720 for (i = 0; i < 3; i++) { 721 k = gecos_val_index[i]; 722 723 /* 724 * f is the index of the first returned 725 * attribute which "gecos" attribute mapped to 726 */ 727 if (k != -1 && f == -1) 728 f = k; 729 730 if (k != -1 && ap[k]->value_count > 0 && 731 ap[k]->attrvalue[0] && 732 strlen(ap[k]->attrvalue[0]) > 0) { 733 734 if (k == f) { 735 /* 736 * Create and fill in the last reserved 737 * ap with the data from the "gecos" 738 * mapping attributes 739 */ 740 ap[nAttrs] = (ns_ldap_attr_t *) 741 calloc(1, 742 sizeof (ns_ldap_attr_t)); 743 if (ap[nAttrs] == NULL) { 744 __ns_ldap_freeEntry(ep); 745 ep = NULL; 746 return (NS_LDAP_MEMORY); 747 } 748 ap[nAttrs]->attrvalue = (char **)calloc( 749 2, sizeof (char *)); 750 if (ap[nAttrs]->attrvalue == NULL) { 751 __ns_ldap_freeEntry(ep); 752 ep = NULL; 753 return (NS_LDAP_MEMORY); 754 } 755 /* add 1 more for a possible "," */ 756 ap[nAttrs]->attrvalue[0] = 757 (char *)calloc( 758 strlen(ap[f]->attrvalue[0]) + 759 2, 1); 760 if (ap[nAttrs]->attrvalue[0] == NULL) { 761 __ns_ldap_freeEntry(ep); 762 ep = NULL; 763 return (NS_LDAP_MEMORY); 764 } 765 (void) strcpy(ap[nAttrs]->attrvalue[0], 766 ap[f]->attrvalue[0]); 767 768 ap[nAttrs]->attrname = strdup("gecos"); 769 if (ap[nAttrs]->attrname == NULL) { 770 __ns_ldap_freeEntry(ep); 771 ep = NULL; 772 return (NS_LDAP_MEMORY); 773 } 774 775 ap[nAttrs]->value_count = 1; 776 ep->attr_count = nAttrs + 1; 777 778 } else { 779 char *tmp = NULL; 780 781 /* 782 * realloc to add "," and 783 * ap[k]->attrvalue[0] 784 */ 785 tmp = (char *)realloc( 786 ap[nAttrs]->attrvalue[0], 787 strlen(ap[nAttrs]-> 788 attrvalue[0]) + 789 strlen(ap[k]-> 790 attrvalue[0]) + 2); 791 if (tmp == NULL) { 792 __ns_ldap_freeEntry(ep); 793 ep = NULL; 794 return (NS_LDAP_MEMORY); 795 } 796 ap[nAttrs]->attrvalue[0] = tmp; 797 (void) strcat(ap[nAttrs]->attrvalue[0], 798 ","); 799 (void) strcat(ap[nAttrs]->attrvalue[0], 800 ap[k]->attrvalue[0]); 801 } 802 } 803 } 804 } 805 806 *ret = ep; 807 return (NS_LDAP_SUCCESS); 808 } 809 810 static int 811 __s_api_getEntry(ns_ldap_cookie_t *cookie) 812 { 813 ns_ldap_entry_t *curEntry = NULL; 814 int ret; 815 816 #ifdef DEBUG 817 (void) fprintf(stderr, "__s_api_getEntry START\n"); 818 #endif 819 820 if (cookie->resultMsg == NULL) { 821 return (NS_LDAP_INVALID_PARAM); 822 } 823 ret = __s_api_cvtEntry(cookie->conn->ld, cookie->service, 824 cookie->resultMsg, cookie->i_flags, 825 &curEntry, &cookie->errorp); 826 if (ret != NS_LDAP_SUCCESS) { 827 return (ret); 828 } 829 830 if (cookie->result == NULL) { 831 cookie->result = (ns_ldap_result_t *) 832 calloc(1, sizeof (ns_ldap_result_t)); 833 if (cookie->result == NULL) { 834 __ns_ldap_freeEntry(curEntry); 835 curEntry = NULL; 836 return (NS_LDAP_MEMORY); 837 } 838 cookie->result->entry = curEntry; 839 cookie->nextEntry = curEntry; 840 } else { 841 cookie->nextEntry->next = curEntry; 842 cookie->nextEntry = curEntry; 843 } 844 cookie->result->entries_count++; 845 846 return (NS_LDAP_SUCCESS); 847 } 848 849 static int 850 __s_api_get_cachemgr_data(const char *type, const char *from, char **to) 851 { 852 union { 853 ldap_data_t s_d; 854 char s_b[DOORBUFFERSIZE]; 855 } space; 856 ldap_data_t *sptr; 857 int ndata; 858 int adata; 859 int rc; 860 861 #ifdef DEBUG 862 (void) fprintf(stderr, "__s_api_get_cachemgr_data START\n"); 863 #endif 864 /* 865 * We are not going to perform DN to domain mapping 866 * in the Standalone mode 867 */ 868 if (__s_api_isStandalone()) { 869 return (-1); 870 } 871 872 if (from == NULL || from[0] == '\0' || to == NULL) 873 return (-1); 874 875 *to = NULL; 876 (void) memset(space.s_b, 0, DOORBUFFERSIZE); 877 878 space.s_d.ldap_call.ldap_callnumber = GETCACHE; 879 (void) snprintf(space.s_d.ldap_call.ldap_u.domainname, 880 DOORBUFFERSIZE - sizeof (space.s_d.ldap_call.ldap_callnumber), 881 "%s%s%s", 882 type, 883 DOORLINESEP, 884 from); 885 ndata = sizeof (space); 886 adata = sizeof (ldap_call_t) + 887 strlen(space.s_d.ldap_call.ldap_u.domainname) + 1; 888 sptr = &space.s_d; 889 890 rc = __ns_ldap_trydoorcall(&sptr, &ndata, &adata); 891 if (rc != NS_CACHE_SUCCESS) 892 return (-1); 893 else 894 *to = strdup(sptr->ldap_ret.ldap_u.buff); 895 return (NS_LDAP_SUCCESS); 896 } 897 898 static int 899 __s_api_set_cachemgr_data(const char *type, const char *from, const char *to) 900 { 901 union { 902 ldap_data_t s_d; 903 char s_b[DOORBUFFERSIZE]; 904 } space; 905 ldap_data_t *sptr; 906 int ndata; 907 int adata; 908 int rc; 909 910 #ifdef DEBUG 911 (void) fprintf(stderr, "__s_api_set_cachemgr_data START\n"); 912 #endif 913 /* 914 * We are not going to perform DN to domain mapping 915 * in the Standalone mode 916 */ 917 if (__s_api_isStandalone()) { 918 return (-1); 919 } 920 921 if ((from == NULL) || (from[0] == '\0') || 922 (to == NULL) || (to[0] == '\0')) 923 return (-1); 924 925 (void) memset(space.s_b, 0, DOORBUFFERSIZE); 926 927 space.s_d.ldap_call.ldap_callnumber = SETCACHE; 928 (void) snprintf(space.s_d.ldap_call.ldap_u.domainname, 929 DOORBUFFERSIZE - sizeof (space.s_d.ldap_call.ldap_callnumber), 930 "%s%s%s%s%s", 931 type, 932 DOORLINESEP, 933 from, 934 DOORLINESEP, 935 to); 936 937 ndata = sizeof (space); 938 adata = sizeof (ldap_call_t) + 939 strlen(space.s_d.ldap_call.ldap_u.domainname) + 1; 940 sptr = &space.s_d; 941 942 rc = __ns_ldap_trydoorcall(&sptr, &ndata, &adata); 943 if (rc != NS_CACHE_SUCCESS) 944 return (-1); 945 946 return (NS_LDAP_SUCCESS); 947 } 948 949 950 static char * 951 __s_api_remove_rdn_space(char *rdn) 952 { 953 char *tf, *tl, *vf, *vl, *eqsign; 954 955 /* if no space(s) to remove, return */ 956 if (strchr(rdn, SPACETOK) == NULL) 957 return (rdn); 958 959 /* if no '=' separator, return */ 960 eqsign = strchr(rdn, '='); 961 if (eqsign == NULL) 962 return (rdn); 963 964 tf = rdn; 965 tl = eqsign - 1; 966 vf = eqsign + 1; 967 vl = rdn + strlen(rdn) - 1; 968 969 /* now two strings, type and value */ 970 *eqsign = '\0'; 971 972 /* remove type's leading spaces */ 973 while (tf < tl && *tf == SPACETOK) 974 tf++; 975 /* remove type's trailing spaces */ 976 while (tf < tl && *tl == SPACETOK) 977 tl--; 978 /* add '=' separator back */ 979 *(++tl) = '='; 980 /* remove value's leading spaces */ 981 while (vf < vl && *vf == SPACETOK) 982 vf++; 983 /* remove value's trailing spaces */ 984 while (vf < vl && *vl == SPACETOK) 985 *vl-- = '\0'; 986 987 /* move value up if necessary */ 988 if (vf != tl + 1) 989 (void) strcpy(tl + 1, vf); 990 991 return (tf); 992 } 993 994 static 995 ns_ldap_cookie_t * 996 init_search_state_machine() 997 { 998 ns_ldap_cookie_t *cookie; 999 ns_config_t *cfg; 1000 1001 cookie = (ns_ldap_cookie_t *)calloc(1, sizeof (ns_ldap_cookie_t)); 1002 if (cookie == NULL) 1003 return (NULL); 1004 cookie->state = INIT; 1005 /* assign other state variables */ 1006 cfg = __s_api_loadrefresh_config(); 1007 cookie->connectionId = -1; 1008 if (cfg == NULL || 1009 cfg->paramList[NS_LDAP_SEARCH_TIME_P].ns_ptype == NS_UNKNOWN) { 1010 cookie->search_timeout.tv_sec = NS_DEFAULT_SEARCH_TIMEOUT; 1011 } else { 1012 cookie->search_timeout.tv_sec = 1013 cfg->paramList[NS_LDAP_SEARCH_TIME_P].ns_i; 1014 } 1015 if (cfg != NULL) 1016 __s_api_release_config(cfg); 1017 cookie->search_timeout.tv_usec = 0; 1018 1019 return (cookie); 1020 } 1021 1022 static void 1023 delete_search_cookie(ns_ldap_cookie_t *cookie) 1024 { 1025 if (cookie == NULL) 1026 return; 1027 if (cookie->connectionId > -1) 1028 DropConnection(cookie->connectionId, cookie->i_flags); 1029 if (cookie->filter) 1030 free(cookie->filter); 1031 if (cookie->i_filter) 1032 free(cookie->i_filter); 1033 if (cookie->service) 1034 free(cookie->service); 1035 if (cookie->sdlist) 1036 (void) __ns_ldap_freeSearchDescriptors(&(cookie->sdlist)); 1037 if (cookie->result) 1038 (void) __ns_ldap_freeResult(&cookie->result); 1039 if (cookie->attribute) 1040 __s_api_free2dArray(cookie->attribute); 1041 if (cookie->errorp) 1042 (void) __ns_ldap_freeError(&cookie->errorp); 1043 if (cookie->reflist) 1044 __s_api_deleteRefInfo(cookie->reflist); 1045 if (cookie->basedn) 1046 free(cookie->basedn); 1047 if (cookie->ctrlCookie) 1048 ber_bvfree(cookie->ctrlCookie); 1049 _freeControlList(&cookie->p_serverctrls); 1050 if (cookie->resultctrl) 1051 ldap_controls_free(cookie->resultctrl); 1052 free(cookie); 1053 } 1054 1055 static int 1056 get_mapped_filter(ns_ldap_cookie_t *cookie, char **new_filter) 1057 { 1058 1059 typedef struct filter_mapping_info { 1060 char oc_or_attr; 1061 char *name_start; 1062 char *name_end; 1063 char *veq_pos; 1064 char *from_name; 1065 char *to_name; 1066 char **mapping; 1067 } filter_mapping_info_t; 1068 1069 char *c, *last_copied; 1070 char *filter_c, *filter_c_next; 1071 char *key, *tail, *head; 1072 char errstr[MAXERROR]; 1073 int num_eq = 0, num_veq = 0; 1074 boolean_t in_quote = B_FALSE; 1075 boolean_t is_value = B_FALSE; 1076 int i, j, oc_len, len; 1077 boolean_t at_least_one = B_FALSE; 1078 filter_mapping_info_t **info, *info1; 1079 char **mapping; 1080 char *service, *filter, *err; 1081 boolean_t auto_service = B_FALSE; 1082 1083 if (cookie == NULL || new_filter == NULL) 1084 return (NS_LDAP_INVALID_PARAM); 1085 1086 *new_filter = NULL; 1087 service = cookie->service; 1088 filter = cookie->filter; 1089 1090 /* 1091 * count the number of '=' char 1092 */ 1093 for (c = filter; *c; c++) { 1094 if (*c == TOKENSEPARATOR) 1095 num_eq++; 1096 } 1097 1098 if (service != NULL && strncasecmp(service, "auto_", 5) == 0) 1099 auto_service = TRUE; 1100 1101 /* 1102 * See if schema mapping existed for the given service. 1103 * If not, just return success. 1104 */ 1105 mapping = __ns_ldap_getOrigAttribute(service, 1106 NS_HASH_SCHEMA_MAPPING_EXISTED); 1107 1108 if (mapping == NULL && auto_service) 1109 /* 1110 * if service == auto_* and no 1111 * schema mapping found 1112 * then try automount 1113 */ 1114 mapping = __ns_ldap_getOrigAttribute( 1115 "automount", NS_HASH_SCHEMA_MAPPING_EXISTED); 1116 1117 if (mapping) 1118 __s_api_free2dArray(mapping); 1119 else 1120 return (NS_LDAP_SUCCESS); 1121 1122 /* 1123 * no '=' sign, just say OK and return nothing 1124 */ 1125 if (num_eq == 0) 1126 return (NS_LDAP_SUCCESS); 1127 1128 /* 1129 * Make a copy of the filter string 1130 * for saving the name of the objectclasses or 1131 * attributes that need to be passed to the 1132 * objectclass or attribute mapping functions. 1133 * pointer "info->from_name" points to the locations 1134 * within this string. 1135 * 1136 * The input filter string, filter, will be used 1137 * to indicate where these names start and end. 1138 * pointers "info->name_start" and "info->name_end" 1139 * point to locations within the input filter string, 1140 * and are used at the end of this function to 1141 * merge the original filter data with the 1142 * mapped objectclass or attribute names. 1143 */ 1144 filter_c = strdup(filter); 1145 if (filter_c == NULL) 1146 return (NS_LDAP_MEMORY); 1147 filter_c_next = filter_c; 1148 1149 /* 1150 * get memory for info arrays 1151 */ 1152 info = (filter_mapping_info_t **)calloc(num_eq + 1, 1153 sizeof (filter_mapping_info_t *)); 1154 1155 if (info == NULL) { 1156 free(filter_c); 1157 return (NS_LDAP_MEMORY); 1158 } 1159 1160 /* 1161 * find valid '=' for further processing, 1162 * ignore the "escaped =" (.i.e. "\="), or 1163 * "=" in quoted string 1164 */ 1165 for (c = filter_c; *c; c++) { 1166 1167 switch (*c) { 1168 case TOKENSEPARATOR: 1169 if (!in_quote && !is_value) { 1170 info1 = (filter_mapping_info_t *)calloc(1, 1171 sizeof (filter_mapping_info_t)); 1172 if (info1 == NULL) { 1173 free(filter_c); 1174 for (i = 0; i < num_veq; i++) 1175 free(info[i]); 1176 free(info); 1177 return (NS_LDAP_MEMORY); 1178 } 1179 info[num_veq] = info1; 1180 1181 /* 1182 * remember the location of this "=" 1183 */ 1184 info[num_veq++]->veq_pos = c; 1185 1186 /* 1187 * skip until the end of the attribute value 1188 */ 1189 is_value = B_TRUE; 1190 } 1191 break; 1192 case CPARATOK: 1193 /* 1194 * mark the end of the attribute value 1195 */ 1196 if (!in_quote) 1197 is_value = B_FALSE; 1198 break; 1199 case QUOTETOK: 1200 /* 1201 * switch on/off the in_quote mode 1202 */ 1203 in_quote = (in_quote == B_FALSE); 1204 break; 1205 case '\\': 1206 /* 1207 * ignore escape characters 1208 * don't skip if next char is '\0' 1209 */ 1210 if (!in_quote) 1211 if (*(++c) == '\0') 1212 c--; 1213 break; 1214 } 1215 1216 } 1217 1218 /* 1219 * for each valid "=" found, get the name to 1220 * be mapped 1221 */ 1222 oc_len = strlen("objectclass"); 1223 for (i = 0; i < num_veq; i++) { 1224 1225 /* 1226 * look at the left side of "=" to see 1227 * if assertion is "objectclass=<ocname>" 1228 * or "<attribute name>=<attribute value>" 1229 * 1230 * first skip spaces before "=". 1231 * Note that filter_c_next may not point to the 1232 * start of the filter string. For i > 0, 1233 * it points to the end of the last name processed + 2 1234 */ 1235 for (tail = info[i]->veq_pos; (tail > filter_c_next) && 1236 (*(tail - 1) == SPACETOK); tail--) 1237 ; 1238 1239 /* 1240 * mark the end of the left side string (the key) 1241 */ 1242 *tail = '\0'; 1243 info[i]->name_end = tail - filter_c - 1 + filter; 1244 1245 /* 1246 * find the start of the key 1247 */ 1248 key = filter_c_next; 1249 for (c = tail; filter_c_next <= c; c--) { 1250 /* OPARATOK is '(' */ 1251 if (*c == OPARATOK || 1252 *c == SPACETOK) { 1253 key = c + 1; 1254 break; 1255 } 1256 } 1257 info[i]->name_start = key - filter_c + filter; 1258 1259 if ((key + oc_len) <= tail) { 1260 if (strncasecmp(key, "objectclass", 1261 oc_len) == 0) { 1262 /* 1263 * assertion is "objectclass=ocname", 1264 * ocname is the one needs to be mapped 1265 * 1266 * skip spaces after "=" to find start 1267 * of the ocname 1268 */ 1269 head = info[i]->veq_pos; 1270 for (head = info[i]->veq_pos + 1; 1271 *head && *head == SPACETOK; head++) 1272 ; 1273 1274 /* ignore empty ocname */ 1275 if (!(*head)) 1276 continue; 1277 1278 info[i]->name_start = head - filter_c + 1279 filter; 1280 1281 /* 1282 * now find the end of the ocname 1283 */ 1284 for (c = head; ; c++) { 1285 /* CPARATOK is ')' */ 1286 if (*c == CPARATOK || 1287 *c == '\0' || 1288 *c == SPACETOK) { 1289 *c = '\0'; 1290 info[i]->name_end = 1291 c - filter_c - 1 + 1292 filter; 1293 filter_c_next = c + 1; 1294 info[i]->oc_or_attr = 'o'; 1295 info[i]->from_name = head; 1296 break; 1297 } 1298 } 1299 } 1300 } 1301 1302 /* 1303 * assertion is not "objectclass=ocname", 1304 * assume assertion is "<key> = <value>", 1305 * <key> is the one needs to be mapped 1306 */ 1307 if (info[i]->from_name == NULL && strlen(key) > 0) { 1308 info[i]->oc_or_attr = 'a'; 1309 info[i]->from_name = key; 1310 } 1311 } 1312 1313 /* perform schema mapping */ 1314 for (i = 0; i < num_veq; i++) { 1315 if (info[i]->from_name == NULL) 1316 continue; 1317 1318 if (info[i]->oc_or_attr == 'a') 1319 info[i]->mapping = 1320 __ns_ldap_getMappedAttributes(service, 1321 info[i]->from_name); 1322 else 1323 info[i]->mapping = 1324 __ns_ldap_getMappedObjectClass(service, 1325 info[i]->from_name); 1326 1327 if (info[i]->mapping == NULL && auto_service) { 1328 /* 1329 * If no mapped attribute/objectclass is found 1330 * and service == auto* 1331 * try to find automount's 1332 * mapped attribute/objectclass 1333 */ 1334 if (info[i]->oc_or_attr == 'a') 1335 info[i]->mapping = 1336 __ns_ldap_getMappedAttributes("automount", 1337 info[i]->from_name); 1338 else 1339 info[i]->mapping = 1340 __ns_ldap_getMappedObjectClass("automount", 1341 info[i]->from_name); 1342 } 1343 1344 if (info[i]->mapping == NULL || 1345 info[i]->mapping[0] == NULL) { 1346 info[i]->to_name = NULL; 1347 } else if (info[i]->mapping[1] == NULL) { 1348 info[i]->to_name = info[i]->mapping[0]; 1349 at_least_one = TRUE; 1350 } else { 1351 __s_api_free2dArray(info[i]->mapping); 1352 /* 1353 * multiple mapping 1354 * not allowed 1355 */ 1356 (void) sprintf(errstr, 1357 gettext( 1358 "Multiple attribute or objectclass " 1359 "mapping for '%s' in filter " 1360 "'%s' not allowed."), 1361 info[i]->from_name, filter); 1362 err = strdup(errstr); 1363 if (err) { 1364 MKERROR(LOG_WARNING, cookie->errorp, 1365 NS_CONFIG_SYNTAX, 1366 err, NS_LDAP_MEMORY); 1367 } 1368 1369 free(filter_c); 1370 for (j = 0; j < num_veq; j++) { 1371 if (info[j]->mapping) 1372 __s_api_free2dArray( 1373 info[j]->mapping); 1374 free(info[j]); 1375 } 1376 free(info); 1377 return (NS_LDAP_CONFIG); 1378 } 1379 } 1380 1381 1382 if (at_least_one) { 1383 1384 len = strlen(filter); 1385 last_copied = filter - 1; 1386 1387 for (i = 0; i < num_veq; i++) { 1388 if (info[i]->to_name) 1389 len += strlen(info[i]->to_name); 1390 } 1391 1392 *new_filter = (char *)calloc(1, len); 1393 if (*new_filter == NULL) { 1394 free(filter_c); 1395 for (j = 0; j < num_veq; j++) { 1396 if (info[j]->mapping) 1397 __s_api_free2dArray( 1398 info[j]->mapping); 1399 free(info[j]); 1400 } 1401 free(info); 1402 return (NS_LDAP_MEMORY); 1403 } 1404 1405 for (i = 0; i < num_veq; i++) { 1406 if (info[i]->to_name != NULL && 1407 info[i]->to_name != NULL) { 1408 1409 /* 1410 * copy the original filter data 1411 * between the last name and current 1412 * name 1413 */ 1414 if ((last_copied + 1) != info[i]->name_start) 1415 (void) strncat(*new_filter, 1416 last_copied + 1, 1417 info[i]->name_start - 1418 last_copied - 1); 1419 1420 /* the data is copied */ 1421 last_copied = info[i]->name_end; 1422 1423 /* 1424 * replace the name with 1425 * the mapped name 1426 */ 1427 (void) strcat(*new_filter, info[i]->to_name); 1428 } 1429 1430 /* copy the filter data after the last name */ 1431 if (i == (num_veq -1) && 1432 info[i]->name_end < 1433 (filter + strlen(filter))) 1434 (void) strncat(*new_filter, last_copied + 1, 1435 filter + strlen(filter) - 1436 last_copied - 1); 1437 } 1438 1439 } 1440 1441 /* free memory */ 1442 free(filter_c); 1443 for (j = 0; j < num_veq; j++) { 1444 if (info[j]->mapping) 1445 __s_api_free2dArray(info[j]->mapping); 1446 free(info[j]); 1447 } 1448 free(info); 1449 1450 return (NS_LDAP_SUCCESS); 1451 } 1452 1453 static int 1454 setup_next_search(ns_ldap_cookie_t *cookie) 1455 { 1456 ns_ldap_search_desc_t *dptr; 1457 int scope; 1458 char *filter, *str; 1459 int baselen; 1460 int rc; 1461 void **param; 1462 1463 dptr = *cookie->sdpos; 1464 scope = cookie->i_flags & (NS_LDAP_SCOPE_BASE | 1465 NS_LDAP_SCOPE_ONELEVEL | 1466 NS_LDAP_SCOPE_SUBTREE); 1467 if (scope) 1468 cookie->scope = scope; 1469 else 1470 cookie->scope = dptr->scope; 1471 switch (cookie->scope) { 1472 case NS_LDAP_SCOPE_BASE: 1473 cookie->scope = LDAP_SCOPE_BASE; 1474 break; 1475 case NS_LDAP_SCOPE_ONELEVEL: 1476 cookie->scope = LDAP_SCOPE_ONELEVEL; 1477 break; 1478 case NS_LDAP_SCOPE_SUBTREE: 1479 cookie->scope = LDAP_SCOPE_SUBTREE; 1480 break; 1481 } 1482 1483 filter = NULL; 1484 if (cookie->use_filtercb && cookie->init_filter_cb && 1485 dptr->filter && strlen(dptr->filter) > 0) { 1486 (*cookie->init_filter_cb)(dptr, &filter, 1487 cookie->userdata); 1488 } 1489 if (filter == NULL) { 1490 if (cookie->i_filter == NULL) { 1491 cookie->err_rc = NS_LDAP_INVALID_PARAM; 1492 return (-1); 1493 } else { 1494 if (cookie->filter) 1495 free(cookie->filter); 1496 cookie->filter = strdup(cookie->i_filter); 1497 if (cookie->filter == NULL) { 1498 cookie->err_rc = NS_LDAP_MEMORY; 1499 return (-1); 1500 } 1501 } 1502 } else { 1503 if (cookie->filter) 1504 free(cookie->filter); 1505 cookie->filter = strdup(filter); 1506 free(filter); 1507 if (cookie->filter == NULL) { 1508 cookie->err_rc = NS_LDAP_MEMORY; 1509 return (-1); 1510 } 1511 } 1512 1513 /* 1514 * perform attribute/objectclass mapping on filter 1515 */ 1516 filter = NULL; 1517 1518 if (cookie->service) { 1519 rc = get_mapped_filter(cookie, &filter); 1520 if (rc != NS_LDAP_SUCCESS) { 1521 cookie->err_rc = rc; 1522 return (-1); 1523 } else { 1524 /* 1525 * get_mapped_filter returns 1526 * NULL filter pointer, if 1527 * no mapping was done 1528 */ 1529 if (filter) { 1530 free(cookie->filter); 1531 cookie->filter = filter; 1532 } 1533 } 1534 } 1535 1536 /* 1537 * validate filter to make sure it's legal 1538 * [remove redundant ()'s] 1539 */ 1540 rc = validate_filter(cookie); 1541 if (rc != NS_LDAP_SUCCESS) { 1542 cookie->err_rc = rc; 1543 return (-1); 1544 } 1545 1546 baselen = strlen(dptr->basedn); 1547 if (baselen > 0 && dptr->basedn[baselen-1] == COMMATOK) { 1548 rc = __ns_ldap_getParam(NS_LDAP_SEARCH_BASEDN_P, 1549 (void ***)¶m, &cookie->errorp); 1550 if (rc != NS_LDAP_SUCCESS) { 1551 cookie->err_rc = rc; 1552 return (-1); 1553 } 1554 str = ((char **)param)[0]; 1555 baselen += strlen(str)+1; 1556 if (cookie->basedn) 1557 free(cookie->basedn); 1558 cookie->basedn = (char *)malloc(baselen); 1559 if (cookie->basedn == NULL) { 1560 cookie->err_rc = NS_LDAP_MEMORY; 1561 return (-1); 1562 } 1563 (void) strcpy(cookie->basedn, dptr->basedn); 1564 (void) strcat(cookie->basedn, str); 1565 (void) __ns_ldap_freeParam(¶m); 1566 } else { 1567 if (cookie->basedn) 1568 free(cookie->basedn); 1569 cookie->basedn = strdup(dptr->basedn); 1570 } 1571 return (0); 1572 } 1573 1574 static int 1575 setup_referral_search(ns_ldap_cookie_t *cookie) 1576 { 1577 ns_referral_info_t *ref; 1578 1579 ref = cookie->refpos; 1580 cookie->scope = ref->refScope; 1581 if (cookie->filter) { 1582 free(cookie->filter); 1583 } 1584 cookie->filter = strdup(ref->refFilter); 1585 if (cookie->basedn) { 1586 free(cookie->basedn); 1587 } 1588 cookie->basedn = strdup(ref->refDN); 1589 if (cookie->filter == NULL || cookie->basedn == NULL) { 1590 cookie->err_rc = NS_LDAP_MEMORY; 1591 return (-1); 1592 } 1593 return (0); 1594 } 1595 1596 static int 1597 get_current_session(ns_ldap_cookie_t *cookie) 1598 { 1599 ConnectionID connectionId = -1; 1600 Connection *conp = NULL; 1601 int rc; 1602 int fail_if_new_pwd_reqd = 1; 1603 1604 rc = __s_api_getConnection(NULL, cookie->i_flags, 1605 cookie->i_auth, &connectionId, &conp, 1606 &cookie->errorp, fail_if_new_pwd_reqd, 1607 cookie->nopasswd_acct_mgmt, cookie->conn_user); 1608 1609 /* 1610 * If password control attached in *cookie->errorp, 1611 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO, 1612 * free the error structure (we do not need 1613 * the sec_to_expired info). 1614 * Reset rc to NS_LDAP_SUCCESS. 1615 */ 1616 if (rc == NS_LDAP_SUCCESS_WITH_INFO) { 1617 (void) __ns_ldap_freeError( 1618 &cookie->errorp); 1619 cookie->errorp = NULL; 1620 rc = NS_LDAP_SUCCESS; 1621 } 1622 1623 if (rc != NS_LDAP_SUCCESS) { 1624 cookie->err_rc = rc; 1625 return (-1); 1626 } 1627 cookie->conn = conp; 1628 cookie->connectionId = connectionId; 1629 1630 return (0); 1631 } 1632 1633 static int 1634 get_next_session(ns_ldap_cookie_t *cookie) 1635 { 1636 ConnectionID connectionId = -1; 1637 Connection *conp = NULL; 1638 int rc; 1639 int fail_if_new_pwd_reqd = 1; 1640 1641 if (cookie->connectionId > -1) { 1642 DropConnection(cookie->connectionId, cookie->i_flags); 1643 cookie->connectionId = -1; 1644 } 1645 1646 /* If using a MT connection, return it. */ 1647 if (cookie->conn_user != NULL && 1648 cookie->conn_user->conn_mt != NULL) 1649 __s_api_conn_mt_return(cookie->conn_user); 1650 1651 rc = __s_api_getConnection(NULL, cookie->i_flags, 1652 cookie->i_auth, &connectionId, &conp, 1653 &cookie->errorp, fail_if_new_pwd_reqd, 1654 cookie->nopasswd_acct_mgmt, cookie->conn_user); 1655 1656 /* 1657 * If password control attached in *cookie->errorp, 1658 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO, 1659 * free the error structure (we do not need 1660 * the sec_to_expired info). 1661 * Reset rc to NS_LDAP_SUCCESS. 1662 */ 1663 if (rc == NS_LDAP_SUCCESS_WITH_INFO) { 1664 (void) __ns_ldap_freeError( 1665 &cookie->errorp); 1666 cookie->errorp = NULL; 1667 rc = NS_LDAP_SUCCESS; 1668 } 1669 1670 if (rc != NS_LDAP_SUCCESS) { 1671 cookie->err_rc = rc; 1672 return (-1); 1673 } 1674 cookie->conn = conp; 1675 cookie->connectionId = connectionId; 1676 return (0); 1677 } 1678 1679 static int 1680 get_referral_session(ns_ldap_cookie_t *cookie) 1681 { 1682 ConnectionID connectionId = -1; 1683 Connection *conp = NULL; 1684 int rc; 1685 int fail_if_new_pwd_reqd = 1; 1686 1687 if (cookie->connectionId > -1) { 1688 DropConnection(cookie->connectionId, cookie->i_flags); 1689 cookie->connectionId = -1; 1690 } 1691 1692 /* set it up to use a connection opened for referral */ 1693 if (cookie->conn_user != NULL) { 1694 /* If using a MT connection, return it. */ 1695 if (cookie->conn_user->conn_mt != NULL) 1696 __s_api_conn_mt_return(cookie->conn_user); 1697 cookie->conn_user->referral = B_TRUE; 1698 } 1699 1700 rc = __s_api_getConnection(cookie->refpos->refHost, 0, 1701 cookie->i_auth, &connectionId, &conp, 1702 &cookie->errorp, fail_if_new_pwd_reqd, 1703 cookie->nopasswd_acct_mgmt, cookie->conn_user); 1704 1705 /* 1706 * If password control attached in *cookie->errorp, 1707 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO, 1708 * free the error structure (we do not need 1709 * the sec_to_expired info). 1710 * Reset rc to NS_LDAP_SUCCESS. 1711 */ 1712 if (rc == NS_LDAP_SUCCESS_WITH_INFO) { 1713 (void) __ns_ldap_freeError( 1714 &cookie->errorp); 1715 cookie->errorp = NULL; 1716 rc = NS_LDAP_SUCCESS; 1717 } 1718 1719 if (rc != NS_LDAP_SUCCESS) { 1720 cookie->err_rc = rc; 1721 return (-1); 1722 } 1723 cookie->conn = conp; 1724 cookie->connectionId = connectionId; 1725 return (0); 1726 } 1727 1728 static int 1729 paging_supported(ns_ldap_cookie_t *cookie) 1730 { 1731 int rc; 1732 1733 cookie->listType = 0; 1734 rc = __s_api_isCtrlSupported(cookie->conn, 1735 LDAP_CONTROL_VLVREQUEST); 1736 if (rc == NS_LDAP_SUCCESS) { 1737 cookie->listType = VLVCTRLFLAG; 1738 return (1); 1739 } 1740 rc = __s_api_isCtrlSupported(cookie->conn, 1741 LDAP_CONTROL_SIMPLE_PAGE); 1742 if (rc == NS_LDAP_SUCCESS) { 1743 cookie->listType = SIMPLEPAGECTRLFLAG; 1744 return (1); 1745 } 1746 return (0); 1747 } 1748 1749 typedef struct servicesorttype { 1750 char *service; 1751 ns_srvsidesort_t type; 1752 } servicesorttype_t; 1753 1754 static servicesorttype_t *sort_type = NULL; 1755 static int sort_type_size = 0; 1756 static int sort_type_hwm = 0; 1757 static mutex_t sort_type_mutex = DEFAULTMUTEX; 1758 1759 1760 static ns_srvsidesort_t 1761 get_srvsidesort_type(char *service) 1762 { 1763 int i; 1764 ns_srvsidesort_t type = SSS_UNKNOWN; 1765 1766 if (service == NULL) 1767 return (type); 1768 1769 (void) mutex_lock(&sort_type_mutex); 1770 if (sort_type != NULL) { 1771 for (i = 0; i < sort_type_hwm; i++) { 1772 if (strcmp(sort_type[i].service, service) == 0) { 1773 type = sort_type[i].type; 1774 break; 1775 } 1776 } 1777 } 1778 (void) mutex_unlock(&sort_type_mutex); 1779 return (type); 1780 } 1781 1782 static void 1783 update_srvsidesort_type(char *service, ns_srvsidesort_t type) 1784 { 1785 int i, size; 1786 servicesorttype_t *tmp; 1787 1788 if (service == NULL) 1789 return; 1790 1791 (void) mutex_lock(&sort_type_mutex); 1792 1793 for (i = 0; i < sort_type_hwm; i++) { 1794 if (strcmp(sort_type[i].service, service) == 0) { 1795 sort_type[i].type = type; 1796 (void) mutex_unlock(&sort_type_mutex); 1797 return; 1798 } 1799 } 1800 if (sort_type == NULL) { 1801 size = 10; 1802 tmp = malloc(size * sizeof (servicesorttype_t)); 1803 if (tmp == NULL) { 1804 (void) mutex_unlock(&sort_type_mutex); 1805 return; 1806 } 1807 sort_type = tmp; 1808 sort_type_size = size; 1809 } else if (sort_type_hwm >= sort_type_size) { 1810 size = sort_type_size + 10; 1811 tmp = realloc(sort_type, size * sizeof (servicesorttype_t)); 1812 if (tmp == NULL) { 1813 (void) mutex_unlock(&sort_type_mutex); 1814 return; 1815 } 1816 sort_type = tmp; 1817 sort_type_size = size; 1818 } 1819 sort_type[sort_type_hwm].service = strdup(service); 1820 if (sort_type[sort_type_hwm].service == NULL) { 1821 (void) mutex_unlock(&sort_type_mutex); 1822 return; 1823 } 1824 sort_type[sort_type_hwm].type = type; 1825 sort_type_hwm++; 1826 1827 (void) mutex_unlock(&sort_type_mutex); 1828 } 1829 1830 static int 1831 setup_vlv_params(ns_ldap_cookie_t *cookie) 1832 { 1833 LDAPControl **ctrls; 1834 LDAPsortkey **sortkeylist; 1835 LDAPControl *sortctrl = NULL; 1836 LDAPControl *vlvctrl = NULL; 1837 LDAPVirtualList vlist; 1838 char *sortattr; 1839 int rc; 1840 int free_sort = FALSE; 1841 1842 _freeControlList(&cookie->p_serverctrls); 1843 1844 if (cookie->sortTypeTry == SSS_UNKNOWN) 1845 cookie->sortTypeTry = get_srvsidesort_type(cookie->service); 1846 if (cookie->sortTypeTry == SSS_UNKNOWN) 1847 cookie->sortTypeTry = SSS_SINGLE_ATTR; 1848 1849 if (cookie->sortTypeTry == SSS_SINGLE_ATTR) { 1850 if ((cookie->i_flags & NS_LDAP_NOMAP) == 0 && 1851 cookie->i_sortattr) { 1852 sortattr = __ns_ldap_mapAttribute(cookie->service, 1853 cookie->i_sortattr); 1854 free_sort = TRUE; 1855 } else if (cookie->i_sortattr) { 1856 sortattr = (char *)cookie->i_sortattr; 1857 } else { 1858 sortattr = "cn"; 1859 } 1860 } else { 1861 sortattr = "cn uid"; 1862 } 1863 1864 rc = ldap_create_sort_keylist(&sortkeylist, sortattr); 1865 if (free_sort) 1866 free(sortattr); 1867 if (rc != LDAP_SUCCESS) { 1868 (void) ldap_get_option(cookie->conn->ld, 1869 LDAP_OPT_ERROR_NUMBER, &rc); 1870 return (rc); 1871 } 1872 rc = ldap_create_sort_control(cookie->conn->ld, 1873 sortkeylist, 1, &sortctrl); 1874 ldap_free_sort_keylist(sortkeylist); 1875 if (rc != LDAP_SUCCESS) { 1876 (void) ldap_get_option(cookie->conn->ld, 1877 LDAP_OPT_ERROR_NUMBER, &rc); 1878 return (rc); 1879 } 1880 1881 vlist.ldvlist_index = cookie->index; 1882 vlist.ldvlist_size = 0; 1883 1884 vlist.ldvlist_before_count = 0; 1885 vlist.ldvlist_after_count = LISTPAGESIZE-1; 1886 vlist.ldvlist_attrvalue = NULL; 1887 vlist.ldvlist_extradata = NULL; 1888 1889 rc = ldap_create_virtuallist_control(cookie->conn->ld, 1890 &vlist, &vlvctrl); 1891 if (rc != LDAP_SUCCESS) { 1892 ldap_control_free(sortctrl); 1893 (void) ldap_get_option(cookie->conn->ld, LDAP_OPT_ERROR_NUMBER, 1894 &rc); 1895 return (rc); 1896 } 1897 1898 ctrls = (LDAPControl **)calloc(3, sizeof (LDAPControl *)); 1899 if (ctrls == NULL) { 1900 ldap_control_free(sortctrl); 1901 ldap_control_free(vlvctrl); 1902 return (LDAP_NO_MEMORY); 1903 } 1904 1905 ctrls[0] = sortctrl; 1906 ctrls[1] = vlvctrl; 1907 1908 cookie->p_serverctrls = ctrls; 1909 return (LDAP_SUCCESS); 1910 } 1911 1912 static int 1913 setup_simplepg_params(ns_ldap_cookie_t *cookie) 1914 { 1915 LDAPControl **ctrls; 1916 LDAPControl *pgctrl = NULL; 1917 int rc; 1918 1919 _freeControlList(&cookie->p_serverctrls); 1920 1921 rc = ldap_create_page_control(cookie->conn->ld, LISTPAGESIZE, 1922 cookie->ctrlCookie, (char)0, &pgctrl); 1923 if (rc != LDAP_SUCCESS) { 1924 (void) ldap_get_option(cookie->conn->ld, LDAP_OPT_ERROR_NUMBER, 1925 &rc); 1926 return (rc); 1927 } 1928 1929 ctrls = (LDAPControl **)calloc(2, sizeof (LDAPControl *)); 1930 if (ctrls == NULL) { 1931 ldap_control_free(pgctrl); 1932 return (LDAP_NO_MEMORY); 1933 } 1934 ctrls[0] = pgctrl; 1935 cookie->p_serverctrls = ctrls; 1936 return (LDAP_SUCCESS); 1937 } 1938 1939 static void 1940 proc_result_referrals(ns_ldap_cookie_t *cookie) 1941 { 1942 int errCode, i, rc; 1943 char **referrals = NULL; 1944 1945 /* 1946 * Only follow one level of referrals, i.e. 1947 * if already in referral mode, do nothing 1948 */ 1949 if (cookie->refpos == NULL) { 1950 cookie->new_state = END_RESULT; 1951 rc = ldap_parse_result(cookie->conn->ld, 1952 cookie->resultMsg, 1953 &errCode, NULL, 1954 NULL, &referrals, 1955 NULL, 0); 1956 if (rc != NS_LDAP_SUCCESS) { 1957 (void) ldap_get_option(cookie->conn->ld, 1958 LDAP_OPT_ERROR_NUMBER, 1959 &cookie->err_rc); 1960 cookie->new_state = LDAP_ERROR; 1961 return; 1962 } 1963 if (errCode == LDAP_REFERRAL) { 1964 for (i = 0; referrals[i] != NULL; 1965 i++) { 1966 /* add to referral list */ 1967 rc = __s_api_addRefInfo( 1968 &cookie->reflist, 1969 referrals[i], 1970 cookie->basedn, 1971 &cookie->scope, 1972 cookie->filter, 1973 cookie->conn->ld); 1974 if (rc != NS_LDAP_SUCCESS) { 1975 cookie->new_state = 1976 ERROR; 1977 break; 1978 } 1979 } 1980 ldap_value_free(referrals); 1981 } 1982 } 1983 } 1984 1985 static void 1986 proc_search_references(ns_ldap_cookie_t *cookie) 1987 { 1988 char **refurls = NULL; 1989 int i, rc; 1990 1991 /* 1992 * Only follow one level of referrals, i.e. 1993 * if already in referral mode, do nothing 1994 */ 1995 if (cookie->refpos == NULL) { 1996 refurls = ldap_get_reference_urls( 1997 cookie->conn->ld, 1998 cookie->resultMsg); 1999 if (refurls == NULL) { 2000 (void) ldap_get_option(cookie->conn->ld, 2001 LDAP_OPT_ERROR_NUMBER, 2002 &cookie->err_rc); 2003 cookie->new_state = LDAP_ERROR; 2004 return; 2005 } 2006 for (i = 0; refurls[i] != NULL; i++) { 2007 /* add to referral list */ 2008 rc = __s_api_addRefInfo( 2009 &cookie->reflist, 2010 refurls[i], 2011 cookie->basedn, 2012 &cookie->scope, 2013 cookie->filter, 2014 cookie->conn->ld); 2015 if (rc != NS_LDAP_SUCCESS) { 2016 cookie->new_state = 2017 ERROR; 2018 break; 2019 } 2020 } 2021 /* free allocated storage */ 2022 for (i = 0; refurls[i] != NULL; i++) 2023 free(refurls[i]); 2024 } 2025 } 2026 2027 static ns_state_t 2028 multi_result(ns_ldap_cookie_t *cookie) 2029 { 2030 char errstr[MAXERROR]; 2031 char *err; 2032 ns_ldap_error_t **errorp = NULL; 2033 LDAPControl **retCtrls = NULL; 2034 int i, rc; 2035 int errCode; 2036 boolean_t finished = B_FALSE; 2037 unsigned long target_posp = 0; 2038 unsigned long list_size = 0; 2039 unsigned int count = 0; 2040 char **referrals = NULL; 2041 2042 if (cookie->listType == VLVCTRLFLAG) { 2043 rc = ldap_parse_result(cookie->conn->ld, cookie->resultMsg, 2044 &errCode, NULL, NULL, &referrals, &retCtrls, 0); 2045 if (rc != LDAP_SUCCESS) { 2046 (void) ldap_get_option(cookie->conn->ld, 2047 LDAP_OPT_ERROR_NUMBER, 2048 &cookie->err_rc); 2049 (void) sprintf(errstr, 2050 gettext("LDAP ERROR (%d): %s.\n"), 2051 cookie->err_rc, 2052 gettext(ldap_err2string(cookie->err_rc))); 2053 err = strdup(errstr); 2054 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err, 2055 NS_LDAP_MEMORY); 2056 cookie->err_rc = NS_LDAP_INTERNAL; 2057 cookie->errorp = *errorp; 2058 return (LDAP_ERROR); 2059 } 2060 if (errCode == LDAP_REFERRAL) { 2061 for (i = 0; referrals[i] != NULL; 2062 i++) { 2063 /* add to referral list */ 2064 rc = __s_api_addRefInfo( 2065 &cookie->reflist, 2066 referrals[i], 2067 cookie->basedn, 2068 &cookie->scope, 2069 cookie->filter, 2070 cookie->conn->ld); 2071 if (rc != NS_LDAP_SUCCESS) { 2072 ldap_value_free( 2073 referrals); 2074 if (retCtrls) 2075 ldap_controls_free( 2076 retCtrls); 2077 return (ERROR); 2078 } 2079 } 2080 ldap_value_free(referrals); 2081 if (retCtrls) 2082 ldap_controls_free(retCtrls); 2083 return (END_RESULT); 2084 } 2085 if (retCtrls) { 2086 rc = ldap_parse_virtuallist_control( 2087 cookie->conn->ld, retCtrls, 2088 &target_posp, &list_size, &errCode); 2089 if (rc == LDAP_SUCCESS) { 2090 /* 2091 * AD does not return valid target_posp 2092 * and list_size 2093 */ 2094 if (target_posp != 0 && list_size != 0) { 2095 cookie->index = 2096 target_posp + LISTPAGESIZE; 2097 if (cookie->index > list_size) 2098 finished = B_TRUE; 2099 } else { 2100 if (cookie->entryCount < LISTPAGESIZE) 2101 finished = B_TRUE; 2102 else 2103 cookie->index += 2104 cookie->entryCount; 2105 } 2106 } 2107 ldap_controls_free(retCtrls); 2108 retCtrls = NULL; 2109 } else { 2110 finished = B_TRUE; 2111 } 2112 } else if (cookie->listType == SIMPLEPAGECTRLFLAG) { 2113 rc = ldap_parse_result(cookie->conn->ld, cookie->resultMsg, 2114 &errCode, NULL, NULL, &referrals, &retCtrls, 0); 2115 if (rc != LDAP_SUCCESS) { 2116 (void) ldap_get_option(cookie->conn->ld, 2117 LDAP_OPT_ERROR_NUMBER, 2118 &cookie->err_rc); 2119 (void) sprintf(errstr, 2120 gettext("LDAP ERROR (%d): %s.\n"), 2121 cookie->err_rc, 2122 gettext(ldap_err2string(cookie->err_rc))); 2123 err = strdup(errstr); 2124 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err, 2125 NS_LDAP_MEMORY); 2126 cookie->err_rc = NS_LDAP_INTERNAL; 2127 cookie->errorp = *errorp; 2128 return (LDAP_ERROR); 2129 } 2130 if (errCode == LDAP_REFERRAL) { 2131 for (i = 0; referrals[i] != NULL; 2132 i++) { 2133 /* add to referral list */ 2134 rc = __s_api_addRefInfo( 2135 &cookie->reflist, 2136 referrals[i], 2137 cookie->basedn, 2138 &cookie->scope, 2139 cookie->filter, 2140 cookie->conn->ld); 2141 if (rc != NS_LDAP_SUCCESS) { 2142 ldap_value_free( 2143 referrals); 2144 if (retCtrls) 2145 ldap_controls_free( 2146 retCtrls); 2147 return (ERROR); 2148 } 2149 } 2150 ldap_value_free(referrals); 2151 if (retCtrls) 2152 ldap_controls_free(retCtrls); 2153 return (END_RESULT); 2154 } 2155 if (retCtrls) { 2156 if (cookie->ctrlCookie) 2157 ber_bvfree(cookie->ctrlCookie); 2158 cookie->ctrlCookie = NULL; 2159 rc = ldap_parse_page_control( 2160 cookie->conn->ld, retCtrls, 2161 &count, &cookie->ctrlCookie); 2162 if (rc == LDAP_SUCCESS) { 2163 if ((cookie->ctrlCookie == NULL) || 2164 (cookie->ctrlCookie->bv_val == NULL) || 2165 (cookie->ctrlCookie->bv_len == 0)) 2166 finished = B_TRUE; 2167 } 2168 ldap_controls_free(retCtrls); 2169 retCtrls = NULL; 2170 } else { 2171 finished = B_TRUE; 2172 } 2173 } 2174 if (!finished && cookie->listType == VLVCTRLFLAG) 2175 return (NEXT_VLV); 2176 if (!finished && cookie->listType == SIMPLEPAGECTRLFLAG) 2177 return (NEXT_PAGE); 2178 if (finished) 2179 return (END_RESULT); 2180 return (ERROR); 2181 } 2182 2183 /* 2184 * clear_results(ns_ldap_cookie_t): 2185 * 2186 * Attempt to obtain remnants of ldap responses and free them. If remnants are 2187 * not obtained within a certain time period tell the server we wish to abandon 2188 * the request. 2189 * 2190 * Note that we do not initially tell the server to abandon the request as that 2191 * can be an expensive operation for the server, while it is cheap for us to 2192 * just flush the input. 2193 * 2194 * If something was to remain in libldap queue as a result of some error then 2195 * it would be freed later during drop connection call or when no other 2196 * requests share the connection. 2197 */ 2198 static void 2199 clear_results(ns_ldap_cookie_t *cookie) 2200 { 2201 int rc; 2202 if (cookie->conn != NULL && cookie->conn->ld != NULL && 2203 (cookie->connectionId != -1 || 2204 (cookie->conn_user != NULL && 2205 cookie->conn_user->conn_mt != NULL)) && 2206 cookie->msgId != 0) { 2207 /* 2208 * We need to cleanup the rest of response (if there is such) 2209 * and LDAP abandon is too heavy for LDAP servers, so we will 2210 * wait for the rest of response till timeout and "process" it. 2211 */ 2212 rc = ldap_result(cookie->conn->ld, cookie->msgId, LDAP_MSG_ALL, 2213 (struct timeval *)&cookie->search_timeout, 2214 &cookie->resultMsg); 2215 if (rc != -1 && rc != 0 && cookie->resultMsg != NULL) { 2216 (void) ldap_msgfree(cookie->resultMsg); 2217 cookie->resultMsg = NULL; 2218 } 2219 2220 /* 2221 * If there was timeout then we will send ABANDON request to 2222 * LDAP server to decrease load. 2223 */ 2224 if (rc == 0) 2225 (void) ldap_abandon_ext(cookie->conn->ld, cookie->msgId, 2226 NULL, NULL); 2227 /* Disassociate cookie with msgId */ 2228 cookie->msgId = 0; 2229 } 2230 } 2231 2232 /* 2233 * This state machine performs one or more LDAP searches to a given 2234 * directory server using service search descriptors and schema 2235 * mapping as appropriate. The approximate pseudocode for 2236 * this routine is the following: 2237 * Given the current configuration [set/reset connection etc.] 2238 * and the current service search descriptor list 2239 * or default search filter parameters 2240 * foreach (service search filter) { 2241 * initialize the filter [via filter_init if appropriate] 2242 * get a valid session/connection (preferably the current one) 2243 * Recover if the connection is lost 2244 * perform the search 2245 * foreach (result entry) { 2246 * process result [via callback if appropriate] 2247 * save result for caller if accepted. 2248 * exit and return all collected if allResults found; 2249 * } 2250 * } 2251 * return collected results and exit 2252 */ 2253 2254 static 2255 ns_state_t 2256 search_state_machine(ns_ldap_cookie_t *cookie, ns_state_t state, int cycle) 2257 { 2258 char errstr[MAXERROR]; 2259 char *err; 2260 int rc, ret; 2261 int rc_save; 2262 ns_ldap_entry_t *nextEntry; 2263 ns_ldap_error_t *error = NULL; 2264 ns_ldap_error_t **errorp; 2265 struct timeval tv; 2266 2267 errorp = &error; 2268 cookie->state = state; 2269 errstr[0] = '\0'; 2270 2271 for (;;) { 2272 switch (cookie->state) { 2273 case CLEAR_RESULTS: 2274 clear_results(cookie); 2275 cookie->new_state = EXIT; 2276 break; 2277 case GET_ACCT_MGMT_INFO: 2278 /* 2279 * Set the flag to get ldap account management controls. 2280 */ 2281 cookie->nopasswd_acct_mgmt = 1; 2282 cookie->new_state = INIT; 2283 break; 2284 case EXIT: 2285 /* state engine/connection cleaned up in delete */ 2286 if (cookie->attribute) { 2287 __s_api_free2dArray(cookie->attribute); 2288 cookie->attribute = NULL; 2289 } 2290 if (cookie->reflist) { 2291 __s_api_deleteRefInfo(cookie->reflist); 2292 cookie->reflist = NULL; 2293 } 2294 return (EXIT); 2295 case INIT: 2296 cookie->sdpos = NULL; 2297 cookie->new_state = NEXT_SEARCH_DESCRIPTOR; 2298 if (cookie->attribute) { 2299 __s_api_free2dArray(cookie->attribute); 2300 cookie->attribute = NULL; 2301 } 2302 if ((cookie->i_flags & NS_LDAP_NOMAP) == 0 && 2303 cookie->i_attr) { 2304 cookie->attribute = 2305 __ns_ldap_mapAttributeList( 2306 cookie->service, 2307 cookie->i_attr); 2308 } 2309 break; 2310 case REINIT: 2311 /* Check if we've reached MAX retries. */ 2312 cookie->retries++; 2313 if (cookie->retries > NS_LIST_TRY_MAX - 1) { 2314 cookie->new_state = LDAP_ERROR; 2315 break; 2316 } 2317 2318 /* 2319 * Even if we still have retries left, check 2320 * if retry is possible. 2321 */ 2322 if (cookie->conn_user != NULL) { 2323 int retry; 2324 ns_conn_mgmt_t *cmg; 2325 cmg = cookie->conn_user->conn_mgmt; 2326 retry = cookie->conn_user->retry; 2327 if (cmg != NULL && cmg->cfg_reloaded == 1) 2328 retry = 1; 2329 if (retry == 0) { 2330 cookie->new_state = LDAP_ERROR; 2331 break; 2332 } 2333 } 2334 /* 2335 * Free results if any, reset to the first 2336 * search descriptor and start a new session. 2337 */ 2338 if (cookie->resultMsg != NULL) { 2339 (void) ldap_msgfree(cookie->resultMsg); 2340 cookie->resultMsg = NULL; 2341 } 2342 (void) __ns_ldap_freeError(&cookie->errorp); 2343 (void) __ns_ldap_freeResult(&cookie->result); 2344 cookie->sdpos = cookie->sdlist; 2345 cookie->err_from_result = 0; 2346 cookie->err_rc = 0; 2347 cookie->new_state = NEXT_SESSION; 2348 break; 2349 case NEXT_SEARCH_DESCRIPTOR: 2350 /* get next search descriptor */ 2351 if (cookie->sdpos == NULL) { 2352 cookie->sdpos = cookie->sdlist; 2353 cookie->new_state = GET_SESSION; 2354 } else { 2355 cookie->sdpos++; 2356 cookie->new_state = NEXT_SEARCH; 2357 } 2358 if (*cookie->sdpos == NULL) 2359 cookie->new_state = EXIT; 2360 break; 2361 case GET_SESSION: 2362 if (get_current_session(cookie) < 0) 2363 cookie->new_state = NEXT_SESSION; 2364 else 2365 cookie->new_state = NEXT_SEARCH; 2366 break; 2367 case NEXT_SESSION: 2368 if (get_next_session(cookie) < 0) 2369 cookie->new_state = RESTART_SESSION; 2370 else 2371 cookie->new_state = NEXT_SEARCH; 2372 break; 2373 case RESTART_SESSION: 2374 if (cookie->i_flags & NS_LDAP_HARD) { 2375 cookie->new_state = NEXT_SESSION; 2376 break; 2377 } 2378 (void) sprintf(errstr, 2379 gettext("Session error no available conn.\n"), 2380 state); 2381 err = strdup(errstr); 2382 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err, 2383 NS_LDAP_MEMORY); 2384 cookie->err_rc = NS_LDAP_INTERNAL; 2385 cookie->errorp = *errorp; 2386 cookie->new_state = EXIT; 2387 break; 2388 case NEXT_SEARCH: 2389 /* setup referrals search if necessary */ 2390 if (cookie->refpos) { 2391 if (setup_referral_search(cookie) < 0) { 2392 cookie->new_state = EXIT; 2393 break; 2394 } 2395 } else if (setup_next_search(cookie) < 0) { 2396 cookie->new_state = EXIT; 2397 break; 2398 } 2399 /* only do VLV/PAGE on scopes onelevel/subtree */ 2400 if (paging_supported(cookie)) { 2401 if (cookie->use_paging && 2402 (cookie->scope != LDAP_SCOPE_BASE)) { 2403 cookie->index = 1; 2404 if (cookie->listType == VLVCTRLFLAG) 2405 cookie->new_state = NEXT_VLV; 2406 else 2407 cookie->new_state = NEXT_PAGE; 2408 break; 2409 } 2410 } 2411 cookie->new_state = ONE_SEARCH; 2412 break; 2413 case NEXT_VLV: 2414 rc = setup_vlv_params(cookie); 2415 if (rc != LDAP_SUCCESS) { 2416 cookie->err_rc = rc; 2417 cookie->new_state = LDAP_ERROR; 2418 break; 2419 } 2420 cookie->next_state = MULTI_RESULT; 2421 cookie->new_state = DO_SEARCH; 2422 break; 2423 case NEXT_PAGE: 2424 rc = setup_simplepg_params(cookie); 2425 if (rc != LDAP_SUCCESS) { 2426 cookie->err_rc = rc; 2427 cookie->new_state = LDAP_ERROR; 2428 break; 2429 } 2430 cookie->next_state = MULTI_RESULT; 2431 cookie->new_state = DO_SEARCH; 2432 break; 2433 case ONE_SEARCH: 2434 cookie->next_state = NEXT_RESULT; 2435 cookie->new_state = DO_SEARCH; 2436 break; 2437 case DO_SEARCH: 2438 cookie->entryCount = 0; 2439 rc = ldap_search_ext(cookie->conn->ld, 2440 cookie->basedn, 2441 cookie->scope, 2442 cookie->filter, 2443 cookie->attribute, 2444 0, 2445 cookie->p_serverctrls, 2446 NULL, 2447 &cookie->search_timeout, 0, 2448 &cookie->msgId); 2449 if (rc != LDAP_SUCCESS) { 2450 if (rc == LDAP_BUSY || 2451 rc == LDAP_UNAVAILABLE || 2452 rc == LDAP_UNWILLING_TO_PERFORM || 2453 rc == LDAP_CONNECT_ERROR || 2454 rc == LDAP_SERVER_DOWN) { 2455 2456 if (cookie->reinit_on_retriable_err) { 2457 cookie->err_rc = rc; 2458 cookie->new_state = REINIT; 2459 } else { 2460 cookie->new_state = 2461 NEXT_SESSION; 2462 } 2463 2464 /* 2465 * If not able to reach the 2466 * server, inform the ldap 2467 * cache manager that the 2468 * server should be removed 2469 * from it's server list. 2470 * Thus, the manager will not 2471 * return this server on the next 2472 * get-server request and will 2473 * also reduce the server list 2474 * refresh TTL, so that it will 2475 * find out sooner when the server 2476 * is up again. 2477 */ 2478 if ((rc == LDAP_CONNECT_ERROR || 2479 rc == LDAP_SERVER_DOWN) && 2480 (cookie->conn_user == NULL || 2481 cookie->conn_user->conn_mt == 2482 NULL)) { 2483 ret = __s_api_removeServer( 2484 cookie->conn->serverAddr); 2485 if (ret == NS_CACHE_NOSERVER && 2486 cookie->conn_auth_type 2487 == NS_LDAP_AUTH_NONE) { 2488 /* 2489 * Couldn't remove 2490 * server from server 2491 * list. 2492 * Exit to avoid 2493 * potential infinite 2494 * loop. 2495 */ 2496 cookie->err_rc = rc; 2497 cookie->new_state = 2498 LDAP_ERROR; 2499 } 2500 if (cookie->connectionId > -1) { 2501 /* 2502 * NS_LDAP_NEW_CONN 2503 * indicates that the 2504 * connection should 2505 * be deleted, not 2506 * kept alive 2507 */ 2508 DropConnection( 2509 cookie-> 2510 connectionId, 2511 NS_LDAP_NEW_CONN); 2512 cookie->connectionId = 2513 -1; 2514 } 2515 } else if ((rc == LDAP_CONNECT_ERROR || 2516 rc == LDAP_SERVER_DOWN) && 2517 cookie->conn_user != NULL) { 2518 if (cookie-> 2519 reinit_on_retriable_err) { 2520 /* 2521 * MT connection not 2522 * usable, close it 2523 * before REINIT. 2524 * rc has already 2525 * been saved in 2526 * cookie->err_rc above. 2527 */ 2528 __s_api_conn_mt_close( 2529 cookie->conn_user, 2530 rc, 2531 &cookie->errorp); 2532 } else { 2533 /* 2534 * MT connection not 2535 * usable, close it in 2536 * the LDAP_ERROR state. 2537 * A retry will be done 2538 * next if allowed. 2539 */ 2540 cookie->err_rc = rc; 2541 cookie->new_state = 2542 LDAP_ERROR; 2543 } 2544 } 2545 break; 2546 } 2547 cookie->err_rc = rc; 2548 cookie->new_state = LDAP_ERROR; 2549 break; 2550 } 2551 cookie->new_state = cookie->next_state; 2552 break; 2553 case NEXT_RESULT: 2554 /* 2555 * Caller (e.g. __ns_ldap_list_batch_add) 2556 * does not want to block on ldap_result(). 2557 * Therefore we execute ldap_result() with 2558 * a zeroed timeval. 2559 */ 2560 if (cookie->no_wait == B_TRUE) 2561 (void) memset(&tv, 0, sizeof (tv)); 2562 else 2563 tv = cookie->search_timeout; 2564 rc = ldap_result(cookie->conn->ld, cookie->msgId, 2565 LDAP_MSG_ONE, 2566 &tv, 2567 &cookie->resultMsg); 2568 if (rc == LDAP_RES_SEARCH_RESULT) { 2569 cookie->new_state = END_RESULT; 2570 /* check and process referrals info */ 2571 if (cookie->followRef) 2572 proc_result_referrals( 2573 cookie); 2574 (void) ldap_msgfree(cookie->resultMsg); 2575 cookie->resultMsg = NULL; 2576 break; 2577 } 2578 /* handle referrals if necessary */ 2579 if (rc == LDAP_RES_SEARCH_REFERENCE) { 2580 if (cookie->followRef) 2581 proc_search_references(cookie); 2582 (void) ldap_msgfree(cookie->resultMsg); 2583 cookie->resultMsg = NULL; 2584 break; 2585 } 2586 if (rc != LDAP_RES_SEARCH_ENTRY) { 2587 switch (rc) { 2588 case 0: 2589 if (cookie->no_wait == B_TRUE) { 2590 (void) ldap_msgfree( 2591 cookie->resultMsg); 2592 cookie->resultMsg = NULL; 2593 return (cookie->new_state); 2594 } 2595 rc = LDAP_TIMEOUT; 2596 break; 2597 case -1: 2598 rc = ldap_get_lderrno(cookie->conn->ld, 2599 NULL, NULL); 2600 break; 2601 default: 2602 rc = ldap_result2error(cookie->conn->ld, 2603 cookie->resultMsg, 1); 2604 break; 2605 } 2606 if ((rc == LDAP_TIMEOUT || 2607 rc == LDAP_SERVER_DOWN) && 2608 (cookie->conn_user == NULL || 2609 cookie->conn_user->conn_mt == NULL)) { 2610 if (rc == LDAP_TIMEOUT) 2611 (void) __s_api_removeServer( 2612 cookie->conn->serverAddr); 2613 if (cookie->connectionId > -1) { 2614 DropConnection( 2615 cookie->connectionId, 2616 NS_LDAP_NEW_CONN); 2617 cookie->connectionId = -1; 2618 } 2619 cookie->err_from_result = 1; 2620 } 2621 (void) ldap_msgfree(cookie->resultMsg); 2622 cookie->resultMsg = NULL; 2623 if (rc == LDAP_BUSY || 2624 rc == LDAP_UNAVAILABLE || 2625 rc == LDAP_UNWILLING_TO_PERFORM) { 2626 if (cookie->reinit_on_retriable_err) { 2627 cookie->err_rc = rc; 2628 cookie->err_from_result = 1; 2629 cookie->new_state = REINIT; 2630 } else { 2631 cookie->new_state = 2632 NEXT_SESSION; 2633 } 2634 break; 2635 } 2636 if ((rc == LDAP_CONNECT_ERROR || 2637 rc == LDAP_SERVER_DOWN) && 2638 cookie->reinit_on_retriable_err) { 2639 ns_ldap_error_t *errorp = NULL; 2640 cookie->err_rc = rc; 2641 cookie->err_from_result = 1; 2642 cookie->new_state = REINIT; 2643 if (cookie->conn_user != NULL) 2644 __s_api_conn_mt_close( 2645 cookie->conn_user, 2646 rc, &errorp); 2647 if (errorp != NULL) { 2648 (void) __ns_ldap_freeError( 2649 &cookie->errorp); 2650 cookie->errorp = errorp; 2651 } 2652 break; 2653 } 2654 cookie->err_rc = rc; 2655 cookie->new_state = LDAP_ERROR; 2656 break; 2657 } 2658 /* else LDAP_RES_SEARCH_ENTRY */ 2659 /* get account management response control */ 2660 if (cookie->nopasswd_acct_mgmt == 1) { 2661 rc = ldap_get_entry_controls(cookie->conn->ld, 2662 cookie->resultMsg, 2663 &(cookie->resultctrl)); 2664 if (rc != LDAP_SUCCESS) { 2665 cookie->new_state = LDAP_ERROR; 2666 cookie->err_rc = rc; 2667 break; 2668 } 2669 } 2670 rc = __s_api_getEntry(cookie); 2671 (void) ldap_msgfree(cookie->resultMsg); 2672 cookie->resultMsg = NULL; 2673 if (rc != NS_LDAP_SUCCESS) { 2674 cookie->new_state = LDAP_ERROR; 2675 break; 2676 } 2677 cookie->new_state = PROCESS_RESULT; 2678 cookie->next_state = NEXT_RESULT; 2679 break; 2680 case MULTI_RESULT: 2681 if (cookie->no_wait == B_TRUE) 2682 (void) memset(&tv, 0, sizeof (tv)); 2683 else 2684 tv = cookie->search_timeout; 2685 rc = ldap_result(cookie->conn->ld, cookie->msgId, 2686 LDAP_MSG_ONE, 2687 &tv, 2688 &cookie->resultMsg); 2689 if (rc == LDAP_RES_SEARCH_RESULT) { 2690 rc = ldap_result2error(cookie->conn->ld, 2691 cookie->resultMsg, 0); 2692 if (rc == LDAP_ADMINLIMIT_EXCEEDED && 2693 cookie->listType == VLVCTRLFLAG && 2694 cookie->sortTypeTry == SSS_SINGLE_ATTR) { 2695 /* Try old "cn uid" server side sort */ 2696 cookie->sortTypeTry = SSS_CN_UID_ATTRS; 2697 cookie->new_state = NEXT_VLV; 2698 (void) ldap_msgfree(cookie->resultMsg); 2699 cookie->resultMsg = NULL; 2700 break; 2701 } 2702 if (rc != LDAP_SUCCESS) { 2703 cookie->err_rc = rc; 2704 cookie->new_state = LDAP_ERROR; 2705 (void) ldap_msgfree(cookie->resultMsg); 2706 cookie->resultMsg = NULL; 2707 break; 2708 } 2709 cookie->new_state = multi_result(cookie); 2710 (void) ldap_msgfree(cookie->resultMsg); 2711 cookie->resultMsg = NULL; 2712 break; 2713 } 2714 /* handle referrals if necessary */ 2715 if (rc == LDAP_RES_SEARCH_REFERENCE && 2716 cookie->followRef) { 2717 proc_search_references(cookie); 2718 (void) ldap_msgfree(cookie->resultMsg); 2719 cookie->resultMsg = NULL; 2720 break; 2721 } 2722 if (rc != LDAP_RES_SEARCH_ENTRY) { 2723 switch (rc) { 2724 case 0: 2725 if (cookie->no_wait == B_TRUE) { 2726 (void) ldap_msgfree( 2727 cookie->resultMsg); 2728 cookie->resultMsg = NULL; 2729 return (cookie->new_state); 2730 } 2731 rc = LDAP_TIMEOUT; 2732 break; 2733 case -1: 2734 rc = ldap_get_lderrno(cookie->conn->ld, 2735 NULL, NULL); 2736 break; 2737 default: 2738 rc = ldap_result2error(cookie->conn->ld, 2739 cookie->resultMsg, 1); 2740 break; 2741 } 2742 if ((rc == LDAP_TIMEOUT || 2743 rc == LDAP_SERVER_DOWN) && 2744 (cookie->conn_user == NULL || 2745 cookie->conn_user->conn_mt == NULL)) { 2746 if (rc == LDAP_TIMEOUT) 2747 (void) __s_api_removeServer( 2748 cookie->conn->serverAddr); 2749 if (cookie->connectionId > -1) { 2750 DropConnection( 2751 cookie->connectionId, 2752 NS_LDAP_NEW_CONN); 2753 cookie->connectionId = -1; 2754 } 2755 cookie->err_from_result = 1; 2756 } 2757 (void) ldap_msgfree(cookie->resultMsg); 2758 cookie->resultMsg = NULL; 2759 if (rc == LDAP_BUSY || 2760 rc == LDAP_UNAVAILABLE || 2761 rc == LDAP_UNWILLING_TO_PERFORM) { 2762 if (cookie->reinit_on_retriable_err) { 2763 cookie->err_rc = rc; 2764 cookie->err_from_result = 1; 2765 cookie->new_state = REINIT; 2766 } else { 2767 cookie->new_state = 2768 NEXT_SESSION; 2769 } 2770 break; 2771 } 2772 2773 if ((rc == LDAP_CONNECT_ERROR || 2774 rc == LDAP_SERVER_DOWN) && 2775 cookie->reinit_on_retriable_err) { 2776 ns_ldap_error_t *errorp = NULL; 2777 cookie->err_rc = rc; 2778 cookie->err_from_result = 1; 2779 cookie->new_state = REINIT; 2780 if (cookie->conn_user != NULL) 2781 __s_api_conn_mt_close( 2782 cookie->conn_user, 2783 rc, &errorp); 2784 if (errorp != NULL) { 2785 (void) __ns_ldap_freeError( 2786 &cookie->errorp); 2787 cookie->errorp = errorp; 2788 } 2789 break; 2790 } 2791 cookie->err_rc = rc; 2792 cookie->new_state = LDAP_ERROR; 2793 break; 2794 } 2795 /* else LDAP_RES_SEARCH_ENTRY */ 2796 cookie->entryCount++; 2797 rc = __s_api_getEntry(cookie); 2798 (void) ldap_msgfree(cookie->resultMsg); 2799 cookie->resultMsg = NULL; 2800 if (rc != NS_LDAP_SUCCESS) { 2801 cookie->new_state = LDAP_ERROR; 2802 break; 2803 } 2804 /* 2805 * If VLV search was successfull save the server 2806 * side sort type tried. 2807 */ 2808 if (cookie->listType == VLVCTRLFLAG) 2809 update_srvsidesort_type(cookie->service, 2810 cookie->sortTypeTry); 2811 2812 cookie->new_state = PROCESS_RESULT; 2813 cookie->next_state = MULTI_RESULT; 2814 break; 2815 case PROCESS_RESULT: 2816 /* NOTE THIS STATE MAY BE PROCESSED BY CALLER */ 2817 if (cookie->use_usercb && cookie->callback) { 2818 rc = 0; 2819 for (nextEntry = cookie->result->entry; 2820 nextEntry != NULL; 2821 nextEntry = nextEntry->next) { 2822 rc = (*cookie->callback)(nextEntry, 2823 cookie->userdata); 2824 2825 if (rc == NS_LDAP_CB_DONE) { 2826 /* cb doesn't want any more data */ 2827 rc = NS_LDAP_PARTIAL; 2828 cookie->err_rc = rc; 2829 break; 2830 } else if (rc != NS_LDAP_CB_NEXT) { 2831 /* invalid return code */ 2832 rc = NS_LDAP_OP_FAILED; 2833 cookie->err_rc = rc; 2834 break; 2835 } 2836 } 2837 (void) __ns_ldap_freeResult(&cookie->result); 2838 cookie->result = NULL; 2839 } 2840 if (rc != 0) { 2841 cookie->new_state = EXIT; 2842 break; 2843 } 2844 /* NOTE PREVIOUS STATE SPECIFIES NEXT STATE */ 2845 cookie->new_state = cookie->next_state; 2846 break; 2847 case END_PROCESS_RESULT: 2848 cookie->new_state = cookie->next_state; 2849 break; 2850 case END_RESULT: 2851 /* 2852 * XXX DO WE NEED THIS CASE? 2853 * if (search is complete) { 2854 * cookie->new_state = EXIT; 2855 * } else 2856 */ 2857 /* 2858 * entering referral mode if necessary 2859 */ 2860 if (cookie->followRef && cookie->reflist) 2861 cookie->new_state = 2862 NEXT_REFERRAL; 2863 else 2864 cookie->new_state = 2865 NEXT_SEARCH_DESCRIPTOR; 2866 break; 2867 case NEXT_REFERRAL: 2868 /* get next referral info */ 2869 if (cookie->refpos == NULL) 2870 cookie->refpos = 2871 cookie->reflist; 2872 else 2873 cookie->refpos = 2874 cookie->refpos->next; 2875 /* check see if done with all referrals */ 2876 if (cookie->refpos != NULL) { 2877 cookie->new_state = 2878 GET_REFERRAL_SESSION; 2879 } else { 2880 __s_api_deleteRefInfo(cookie->reflist); 2881 cookie->reflist = NULL; 2882 cookie->new_state = 2883 NEXT_SEARCH_DESCRIPTOR; 2884 if (cookie->conn_user != NULL) 2885 cookie->conn_user->referral = B_FALSE; 2886 } 2887 break; 2888 case GET_REFERRAL_SESSION: 2889 if (get_referral_session(cookie) < 0) { 2890 cookie->new_state = EXIT; 2891 } else { 2892 cookie->new_state = NEXT_SEARCH; 2893 } 2894 break; 2895 case LDAP_ERROR: 2896 rc_save = cookie->err_rc; 2897 if (cookie->err_from_result) { 2898 if (cookie->err_rc == LDAP_SERVER_DOWN) { 2899 (void) sprintf(errstr, 2900 gettext("LDAP ERROR (%d): " 2901 "Error occurred during" 2902 " receiving results. " 2903 "Connection to server lost."), 2904 cookie->err_rc); 2905 } else if (cookie->err_rc == LDAP_TIMEOUT) { 2906 (void) sprintf(errstr, 2907 gettext("LDAP ERROR (%d): " 2908 "Error occurred during" 2909 " receiving results. %s" 2910 "."), cookie->err_rc, 2911 ldap_err2string( 2912 cookie->err_rc)); 2913 } 2914 } else { 2915 (void) sprintf(errstr, 2916 gettext("LDAP ERROR (%d): %s."), 2917 cookie->err_rc, 2918 ldap_err2string(cookie->err_rc)); 2919 } 2920 err = strdup(errstr); 2921 if (cookie->err_from_result) { 2922 if (cookie->err_rc == LDAP_SERVER_DOWN) { 2923 MKERROR(LOG_INFO, *errorp, 2924 cookie->err_rc, err, 2925 NS_LDAP_MEMORY); 2926 } else { 2927 MKERROR(LOG_WARNING, *errorp, 2928 cookie->err_rc, err, 2929 NS_LDAP_MEMORY); 2930 } 2931 } else { 2932 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, 2933 err, NS_LDAP_MEMORY); 2934 } 2935 cookie->err_rc = NS_LDAP_INTERNAL; 2936 cookie->errorp = *errorp; 2937 if (cookie->conn_user != NULL) { 2938 if (rc_save == LDAP_SERVER_DOWN || 2939 rc_save == LDAP_CONNECT_ERROR) { 2940 /* 2941 * MT connection is not usable, 2942 * close it. 2943 */ 2944 __s_api_conn_mt_close(cookie->conn_user, 2945 rc_save, &cookie->errorp); 2946 return (ERROR); 2947 } 2948 } 2949 return (ERROR); 2950 default: 2951 case ERROR: 2952 (void) sprintf(errstr, 2953 gettext("Internal State machine exit (%d).\n"), 2954 cookie->state); 2955 err = strdup(errstr); 2956 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err, 2957 NS_LDAP_MEMORY); 2958 cookie->err_rc = NS_LDAP_INTERNAL; 2959 cookie->errorp = *errorp; 2960 return (ERROR); 2961 } 2962 2963 if (cookie->conn_user != NULL && 2964 cookie->conn_user->bad_mt_conn == B_TRUE) { 2965 __s_api_conn_mt_close(cookie->conn_user, 0, NULL); 2966 cookie->err_rc = cookie->conn_user->ns_rc; 2967 cookie->errorp = cookie->conn_user->ns_error; 2968 cookie->conn_user->ns_error = NULL; 2969 return (ERROR); 2970 } 2971 2972 if (cycle == ONE_STEP) { 2973 return (cookie->new_state); 2974 } 2975 cookie->state = cookie->new_state; 2976 } 2977 /*NOTREACHED*/ 2978 #if 0 2979 (void) sprintf(errstr, 2980 gettext("Unexpected State machine error.\n")); 2981 err = strdup(errstr); 2982 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, err, NS_LDAP_MEMORY); 2983 cookie->err_rc = NS_LDAP_INTERNAL; 2984 cookie->errorp = *errorp; 2985 return (ERROR); 2986 #endif 2987 } 2988 2989 /* 2990 * For a lookup of shadow data, if shadow update is enabled, 2991 * check the calling process' privilege to ensure it's 2992 * allowed to perform such operation. 2993 */ 2994 static int 2995 check_shadow(ns_ldap_cookie_t *cookie, const char *service) 2996 { 2997 char errstr[MAXERROR]; 2998 char *err; 2999 boolean_t priv; 3000 /* caller */ 3001 priv_set_t *ps; 3002 /* zone */ 3003 priv_set_t *zs; 3004 3005 /* 3006 * If service is "shadow", we may need 3007 * to use privilege credentials. 3008 */ 3009 if ((strcmp(service, "shadow") == 0) && 3010 __ns_ldap_is_shadow_update_enabled()) { 3011 /* 3012 * Since we release admin credentials after 3013 * connection is closed and we do not cache 3014 * them, we allow any root or all zone 3015 * privilege process to read shadow data. 3016 */ 3017 priv = (geteuid() == 0); 3018 if (!priv) { 3019 /* caller */ 3020 ps = priv_allocset(); 3021 3022 (void) getppriv(PRIV_EFFECTIVE, ps); 3023 zs = priv_str_to_set("zone", ",", NULL); 3024 priv = priv_isequalset(ps, zs); 3025 priv_freeset(ps); 3026 priv_freeset(zs); 3027 } 3028 if (!priv) { 3029 (void) sprintf(errstr, 3030 gettext("Permission denied")); 3031 err = strdup(errstr); 3032 if (err == NULL) 3033 return (NS_LDAP_MEMORY); 3034 MKERROR(LOG_INFO, cookie->errorp, NS_LDAP_INTERNAL, err, 3035 NS_LDAP_MEMORY); 3036 return (NS_LDAP_INTERNAL); 3037 } 3038 cookie->i_flags |= NS_LDAP_READ_SHADOW; 3039 /* 3040 * We do not want to reuse connection (hence 3041 * keep it open) with admin credentials. 3042 * If NS_LDAP_KEEP_CONN is set, reject the 3043 * request. 3044 */ 3045 if (cookie->i_flags & NS_LDAP_KEEP_CONN) 3046 return (NS_LDAP_INVALID_PARAM); 3047 cookie->i_flags |= NS_LDAP_NEW_CONN; 3048 } 3049 3050 return (NS_LDAP_SUCCESS); 3051 } 3052 3053 /* 3054 * internal function for __ns_ldap_list 3055 */ 3056 static int 3057 ldap_list( 3058 ns_ldap_list_batch_t *batch, 3059 const char *service, 3060 const char *filter, 3061 const char *sortattr, 3062 int (*init_filter_cb)(const ns_ldap_search_desc_t *desc, 3063 char **realfilter, const void *userdata), 3064 const char * const *attribute, 3065 const ns_cred_t *auth, 3066 const int flags, 3067 ns_ldap_result_t **rResult, /* return result entries */ 3068 ns_ldap_error_t **errorp, 3069 int *rcp, 3070 int (*callback)(const ns_ldap_entry_t *entry, const void *userdata), 3071 const void *userdata, ns_conn_user_t *conn_user) 3072 { 3073 ns_ldap_cookie_t *cookie; 3074 ns_ldap_search_desc_t **sdlist = NULL; 3075 ns_ldap_search_desc_t *dptr; 3076 ns_ldap_error_t *error = NULL; 3077 char **dns = NULL; 3078 int scope; 3079 int rc; 3080 int from_result; 3081 3082 *errorp = NULL; 3083 *rResult = NULL; 3084 *rcp = NS_LDAP_SUCCESS; 3085 3086 /* 3087 * Sanity check - NS_LDAP_READ_SHADOW is for our 3088 * own internal use. 3089 */ 3090 if (flags & NS_LDAP_READ_SHADOW) 3091 return (NS_LDAP_INVALID_PARAM); 3092 3093 /* Initialize State machine cookie */ 3094 cookie = init_search_state_machine(); 3095 if (cookie == NULL) { 3096 *rcp = NS_LDAP_MEMORY; 3097 return (NS_LDAP_MEMORY); 3098 } 3099 cookie->conn_user = conn_user; 3100 3101 /* see if need to follow referrals */ 3102 rc = __s_api_toFollowReferrals(flags, 3103 &cookie->followRef, errorp); 3104 if (rc != NS_LDAP_SUCCESS) { 3105 delete_search_cookie(cookie); 3106 *rcp = rc; 3107 return (rc); 3108 } 3109 3110 /* get the service descriptor - or create a default one */ 3111 rc = __s_api_get_SSD_from_SSDtoUse_service(service, 3112 &sdlist, &error); 3113 if (rc != NS_LDAP_SUCCESS) { 3114 delete_search_cookie(cookie); 3115 *errorp = error; 3116 *rcp = rc; 3117 return (rc); 3118 } 3119 3120 if (sdlist == NULL) { 3121 /* Create default service Desc */ 3122 sdlist = (ns_ldap_search_desc_t **)calloc(2, 3123 sizeof (ns_ldap_search_desc_t *)); 3124 if (sdlist == NULL) { 3125 delete_search_cookie(cookie); 3126 cookie = NULL; 3127 *rcp = NS_LDAP_MEMORY; 3128 return (NS_LDAP_MEMORY); 3129 } 3130 dptr = (ns_ldap_search_desc_t *) 3131 calloc(1, sizeof (ns_ldap_search_desc_t)); 3132 if (dptr == NULL) { 3133 free(sdlist); 3134 delete_search_cookie(cookie); 3135 cookie = NULL; 3136 *rcp = NS_LDAP_MEMORY; 3137 return (NS_LDAP_MEMORY); 3138 } 3139 sdlist[0] = dptr; 3140 3141 /* default base */ 3142 rc = __s_api_getDNs(&dns, service, &cookie->errorp); 3143 if (rc != NS_LDAP_SUCCESS) { 3144 if (dns) { 3145 __s_api_free2dArray(dns); 3146 dns = NULL; 3147 } 3148 *errorp = cookie->errorp; 3149 cookie->errorp = NULL; 3150 delete_search_cookie(cookie); 3151 cookie = NULL; 3152 *rcp = rc; 3153 return (rc); 3154 } 3155 dptr->basedn = strdup(dns[0]); 3156 __s_api_free2dArray(dns); 3157 dns = NULL; 3158 3159 /* default scope */ 3160 scope = 0; 3161 rc = __s_api_getSearchScope(&scope, &cookie->errorp); 3162 dptr->scope = scope; 3163 } 3164 3165 cookie->sdlist = sdlist; 3166 3167 /* 3168 * use VLV/PAGE control only if NS_LDAP_PAGE_CTRL is set 3169 */ 3170 if (flags & NS_LDAP_PAGE_CTRL) 3171 cookie->use_paging = TRUE; 3172 else 3173 cookie->use_paging = FALSE; 3174 3175 /* Set up other arguments */ 3176 cookie->userdata = userdata; 3177 if (init_filter_cb != NULL) { 3178 cookie->init_filter_cb = init_filter_cb; 3179 cookie->use_filtercb = 1; 3180 } 3181 if (callback != NULL) { 3182 cookie->callback = callback; 3183 cookie->use_usercb = 1; 3184 } 3185 3186 /* check_shadow() may add extra value to cookie->i_flags */ 3187 cookie->i_flags = flags; 3188 if (service) { 3189 cookie->service = strdup(service); 3190 if (cookie->service == NULL) { 3191 delete_search_cookie(cookie); 3192 cookie = NULL; 3193 *rcp = NS_LDAP_MEMORY; 3194 return (NS_LDAP_MEMORY); 3195 } 3196 3197 /* 3198 * If given, use the credential given by the caller, and 3199 * skip the credential check required for shadow update. 3200 */ 3201 if (auth == NULL) { 3202 rc = check_shadow(cookie, service); 3203 if (rc != NS_LDAP_SUCCESS) { 3204 *errorp = cookie->errorp; 3205 cookie->errorp = NULL; 3206 delete_search_cookie(cookie); 3207 cookie = NULL; 3208 *rcp = rc; 3209 return (rc); 3210 } 3211 } 3212 } 3213 3214 cookie->i_filter = strdup(filter); 3215 cookie->i_attr = attribute; 3216 cookie->i_auth = auth; 3217 cookie->i_sortattr = sortattr; 3218 3219 if (batch != NULL) { 3220 cookie->batch = batch; 3221 cookie->reinit_on_retriable_err = B_TRUE; 3222 cookie->no_wait = B_TRUE; 3223 (void) search_state_machine(cookie, INIT, 0); 3224 cookie->no_wait = B_FALSE; 3225 rc = cookie->err_rc; 3226 3227 if (rc == NS_LDAP_SUCCESS) { 3228 /* 3229 * Here rc == NS_LDAP_SUCCESS means that the state 3230 * machine init'ed successfully. The actual status 3231 * of the search will be determined by 3232 * __ns_ldap_list_batch_end(). Add the cookie to our 3233 * batch. 3234 */ 3235 cookie->caller_result = rResult; 3236 cookie->caller_errorp = errorp; 3237 cookie->caller_rc = rcp; 3238 cookie->next_cookie_in_batch = batch->cookie_list; 3239 batch->cookie_list = cookie; 3240 batch->nactive++; 3241 return (rc); 3242 } 3243 /* 3244 * If state machine init failed then copy error to the caller 3245 * and delete the cookie. 3246 */ 3247 } else { 3248 (void) search_state_machine(cookie, INIT, 0); 3249 } 3250 3251 /* Copy results back to user */ 3252 rc = cookie->err_rc; 3253 if (rc != NS_LDAP_SUCCESS) { 3254 if (conn_user != NULL && conn_user->ns_error != NULL) { 3255 *errorp = conn_user->ns_error; 3256 conn_user->ns_error = NULL; 3257 } else { 3258 *errorp = cookie->errorp; 3259 } 3260 } 3261 *rResult = cookie->result; 3262 from_result = cookie->err_from_result; 3263 3264 cookie->errorp = NULL; 3265 cookie->result = NULL; 3266 delete_search_cookie(cookie); 3267 cookie = NULL; 3268 3269 if (from_result == 0 && *rResult == NULL) 3270 rc = NS_LDAP_NOTFOUND; 3271 *rcp = rc; 3272 return (rc); 3273 } 3274 3275 3276 /* 3277 * __ns_ldap_list performs one or more LDAP searches to a given 3278 * directory server using service search descriptors and schema 3279 * mapping as appropriate. The operation may be retried a 3280 * couple of times in error situations. 3281 */ 3282 int 3283 __ns_ldap_list( 3284 const char *service, 3285 const char *filter, 3286 int (*init_filter_cb)(const ns_ldap_search_desc_t *desc, 3287 char **realfilter, const void *userdata), 3288 const char * const *attribute, 3289 const ns_cred_t *auth, 3290 const int flags, 3291 ns_ldap_result_t **rResult, /* return result entries */ 3292 ns_ldap_error_t **errorp, 3293 int (*callback)(const ns_ldap_entry_t *entry, const void *userdata), 3294 const void *userdata) 3295 { 3296 int mod_flags; 3297 /* 3298 * Strip the NS_LDAP_PAGE_CTRL option as this interface does not 3299 * support this. If you want to use this option call the API 3300 * __ns_ldap_list_sort() with has the sort attribute. 3301 */ 3302 mod_flags = flags & (~NS_LDAP_PAGE_CTRL); 3303 3304 return (__ns_ldap_list_sort(service, filter, NULL, init_filter_cb, 3305 attribute, auth, mod_flags, rResult, errorp, 3306 callback, userdata)); 3307 } 3308 3309 /* 3310 * __ns_ldap_list_sort performs one or more LDAP searches to a given 3311 * directory server using service search descriptors and schema 3312 * mapping as appropriate. The operation may be retried a 3313 * couple of times in error situations. 3314 */ 3315 int 3316 __ns_ldap_list_sort( 3317 const char *service, 3318 const char *filter, 3319 const char *sortattr, 3320 int (*init_filter_cb)(const ns_ldap_search_desc_t *desc, 3321 char **realfilter, const void *userdata), 3322 const char * const *attribute, 3323 const ns_cred_t *auth, 3324 const int flags, 3325 ns_ldap_result_t **rResult, /* return result entries */ 3326 ns_ldap_error_t **errorp, 3327 int (*callback)(const ns_ldap_entry_t *entry, const void *userdata), 3328 const void *userdata) 3329 { 3330 ns_conn_user_t *cu = NULL; 3331 int try_cnt = 0; 3332 int rc = NS_LDAP_SUCCESS, trc; 3333 3334 for (;;) { 3335 if (__s_api_setup_retry_search(&cu, NS_CONN_USER_SEARCH, 3336 &try_cnt, &rc, errorp) == 0) 3337 break; 3338 rc = ldap_list(NULL, service, filter, sortattr, init_filter_cb, 3339 attribute, auth, flags, rResult, errorp, &trc, callback, 3340 userdata, cu); 3341 } 3342 3343 return (rc); 3344 } 3345 3346 /* 3347 * Create and initialize batch for native LDAP lookups 3348 */ 3349 int 3350 __ns_ldap_list_batch_start(ns_ldap_list_batch_t **batch) 3351 { 3352 *batch = calloc(1, sizeof (ns_ldap_list_batch_t)); 3353 if (*batch == NULL) 3354 return (NS_LDAP_MEMORY); 3355 return (NS_LDAP_SUCCESS); 3356 } 3357 3358 3359 /* 3360 * Add a LDAP search request to the batch. 3361 */ 3362 int 3363 __ns_ldap_list_batch_add( 3364 ns_ldap_list_batch_t *batch, 3365 const char *service, 3366 const char *filter, 3367 int (*init_filter_cb)(const ns_ldap_search_desc_t *desc, 3368 char **realfilter, const void *userdata), 3369 const char * const *attribute, 3370 const ns_cred_t *auth, 3371 const int flags, 3372 ns_ldap_result_t **rResult, /* return result entries */ 3373 ns_ldap_error_t **errorp, 3374 int *rcp, 3375 int (*callback)(const ns_ldap_entry_t *entry, const void *userdata), 3376 const void *userdata) 3377 { 3378 ns_conn_user_t *cu; 3379 int rc; 3380 int mod_flags; 3381 3382 cu = __s_api_conn_user_init(NS_CONN_USER_SEARCH, NULL, 0); 3383 if (cu == NULL) { 3384 if (rcp != NULL) 3385 *rcp = NS_LDAP_MEMORY; 3386 return (NS_LDAP_MEMORY); 3387 } 3388 3389 /* 3390 * Strip the NS_LDAP_PAGE_CTRL option as the batch interface does not 3391 * support this. 3392 */ 3393 mod_flags = flags & (~NS_LDAP_PAGE_CTRL); 3394 3395 rc = ldap_list(batch, service, filter, NULL, init_filter_cb, attribute, 3396 auth, mod_flags, rResult, errorp, rcp, callback, userdata, cu); 3397 3398 /* 3399 * Free the conn_user if the cookie was not batched. If the cookie 3400 * was batched then __ns_ldap_list_batch_end or release will free the 3401 * conn_user. The batch API instructs the search_state_machine 3402 * to reinit and retry (max 3 times) on retriable LDAP errors. 3403 */ 3404 if (rc != NS_LDAP_SUCCESS && cu != NULL) { 3405 if (cu->conn_mt != NULL) 3406 __s_api_conn_mt_return(cu); 3407 __s_api_conn_user_free(cu); 3408 } 3409 return (rc); 3410 } 3411 3412 3413 /* 3414 * Free batch. 3415 */ 3416 void 3417 __ns_ldap_list_batch_release(ns_ldap_list_batch_t *batch) 3418 { 3419 ns_ldap_cookie_t *c, *next; 3420 3421 for (c = batch->cookie_list; c != NULL; c = next) { 3422 next = c->next_cookie_in_batch; 3423 if (c->conn_user != NULL) { 3424 if (c->conn_user->conn_mt != NULL) 3425 __s_api_conn_mt_return(c->conn_user); 3426 __s_api_conn_user_free(c->conn_user); 3427 c->conn_user = NULL; 3428 } 3429 delete_search_cookie(c); 3430 } 3431 free(batch); 3432 } 3433 3434 #define LD_USING_STATE(st) \ 3435 ((st == DO_SEARCH) || (st == MULTI_RESULT) || (st == NEXT_RESULT)) 3436 3437 /* 3438 * Process batch. Everytime this function is called it selects an 3439 * active cookie from the batch and single steps through the 3440 * search_state_machine for the selected cookie. If lookup associated 3441 * with the cookie is complete (success or error) then the cookie is 3442 * removed from the batch and its memory freed. 3443 * 3444 * Returns 1 (if batch still has active cookies) 3445 * 0 (if batch has no more active cookies) 3446 * -1 (on errors, *rcp will contain the error code) 3447 * 3448 * The caller should call this function in a loop as long as it returns 1 3449 * to process all the requests added to the batch. The results (and errors) 3450 * will be available in the locations provided by the caller at the time of 3451 * __ns_ldap_list_batch_add(). 3452 */ 3453 static 3454 int 3455 __ns_ldap_list_batch_process(ns_ldap_list_batch_t *batch, int *rcp) 3456 { 3457 ns_ldap_cookie_t *c, *ptr, **prev; 3458 ns_state_t state; 3459 ns_ldap_error_t *errorp = NULL; 3460 int rc; 3461 3462 /* Check if are already done */ 3463 if (batch->nactive == 0) 3464 return (0); 3465 3466 /* Get the next cookie from the batch */ 3467 c = (batch->next_cookie == NULL) ? 3468 batch->cookie_list : batch->next_cookie; 3469 3470 batch->next_cookie = c->next_cookie_in_batch; 3471 3472 /* 3473 * Checks the status of the cookie's connection if it needs 3474 * to use that connection for ldap_search_ext or ldap_result. 3475 * If the connection is no longer good but worth retrying 3476 * then reinit the search_state_machine for this cookie 3477 * starting from the first search descriptor. REINIT will 3478 * clear any leftover results if max retries have not been 3479 * reached and redo the search (which may also involve 3480 * following referrals again). 3481 * 3482 * Note that each cookie in the batch will make this 3483 * determination when it reaches one of the LD_USING_STATES. 3484 */ 3485 if (LD_USING_STATE(c->new_state) && c->conn_user != NULL) { 3486 rc = __s_api_setup_getnext(c->conn_user, &c->err_rc, &errorp); 3487 if (rc == LDAP_BUSY || rc == LDAP_UNAVAILABLE || 3488 rc == LDAP_UNWILLING_TO_PERFORM) { 3489 if (errorp != NULL) { 3490 (void) __ns_ldap_freeError(&c->errorp); 3491 c->errorp = errorp; 3492 } 3493 c->new_state = REINIT; 3494 } else if (rc == LDAP_CONNECT_ERROR || 3495 rc == LDAP_SERVER_DOWN) { 3496 if (errorp != NULL) { 3497 (void) __ns_ldap_freeError(&c->errorp); 3498 c->errorp = errorp; 3499 } 3500 c->new_state = REINIT; 3501 /* 3502 * MT connection is not usable, 3503 * close it before REINIT. 3504 */ 3505 __s_api_conn_mt_close( 3506 c->conn_user, rc, NULL); 3507 } else if (rc != NS_LDAP_SUCCESS) { 3508 if (rcp != NULL) 3509 *rcp = rc; 3510 *c->caller_result = NULL; 3511 *c->caller_errorp = errorp; 3512 *c->caller_rc = rc; 3513 return (-1); 3514 } 3515 } 3516 3517 for (;;) { 3518 /* Single step through the search_state_machine */ 3519 state = search_state_machine(c, c->new_state, ONE_STEP); 3520 switch (state) { 3521 case LDAP_ERROR: 3522 (void) search_state_machine(c, state, ONE_STEP); 3523 (void) search_state_machine(c, CLEAR_RESULTS, ONE_STEP); 3524 /* FALLTHROUGH */ 3525 case ERROR: 3526 case EXIT: 3527 *c->caller_result = c->result; 3528 *c->caller_errorp = c->errorp; 3529 *c->caller_rc = 3530 (c->result == NULL && c->err_from_result == 0) 3531 ? NS_LDAP_NOTFOUND : c->err_rc; 3532 c->result = NULL; 3533 c->errorp = NULL; 3534 /* Remove the cookie from the batch */ 3535 ptr = batch->cookie_list; 3536 prev = &batch->cookie_list; 3537 while (ptr != NULL) { 3538 if (ptr == c) { 3539 *prev = ptr->next_cookie_in_batch; 3540 break; 3541 } 3542 prev = &ptr->next_cookie_in_batch; 3543 ptr = ptr->next_cookie_in_batch; 3544 } 3545 /* Delete cookie and decrement active cookie count */ 3546 if (c->conn_user != NULL) { 3547 if (c->conn_user->conn_mt != NULL) 3548 __s_api_conn_mt_return(c->conn_user); 3549 __s_api_conn_user_free(c->conn_user); 3550 c->conn_user = NULL; 3551 } 3552 delete_search_cookie(c); 3553 batch->nactive--; 3554 break; 3555 case NEXT_RESULT: 3556 case MULTI_RESULT: 3557 /* 3558 * This means that search_state_machine needs to do 3559 * another ldap_result() for the cookie in question. 3560 * We only do at most one ldap_result() per call in 3561 * this function and therefore we return. This allows 3562 * the caller to process results from other cookies 3563 * in the batch without getting tied up on just one 3564 * cookie. 3565 */ 3566 break; 3567 default: 3568 /* 3569 * This includes states that follow NEXT_RESULT or 3570 * MULTI_RESULT such as PROCESS_RESULT and 3571 * END_PROCESS_RESULT. We continue processing 3572 * this cookie till we reach either the error, exit 3573 * or the result states. 3574 */ 3575 continue; 3576 } 3577 break; 3578 } 3579 3580 /* Return 0 if no more cookies left otherwise 1 */ 3581 return ((batch->nactive > 0) ? 1 : 0); 3582 } 3583 3584 3585 /* 3586 * Process all the active cookies in the batch and when none 3587 * remains finalize the batch. 3588 */ 3589 int 3590 __ns_ldap_list_batch_end(ns_ldap_list_batch_t *batch) 3591 { 3592 int rc = NS_LDAP_SUCCESS; 3593 while (__ns_ldap_list_batch_process(batch, &rc) > 0) 3594 ; 3595 __ns_ldap_list_batch_release(batch); 3596 return (rc); 3597 } 3598 3599 typedef struct lookup_data { 3600 const char *lkd_dn; 3601 const char *lkd_service; 3602 const char *lkd_filter; 3603 const ns_cred_t *lkd_cred; 3604 ns_conn_user_t *lkd_user; 3605 } lookup_data_t; 3606 3607 /* 3608 * This creates a service search descriptor that can be used to 3609 * retrieve a specific DN by using the DN as the basedn with a search 3610 * scope of 'base'. We don't use any service SSDs in this instance since 3611 * they are intended to search specific locations/subtrees and filter the 3612 * results, while here we are wanting to retrieve a specific entry. 3613 */ 3614 static int 3615 lookup_create_ssd(lookup_data_t *dn_data, ns_ldap_search_desc_t **descpp) 3616 { 3617 ns_ldap_search_desc_t *dptr; 3618 3619 *descpp = NULL; 3620 3621 dptr = calloc(1, sizeof (ns_ldap_search_desc_t)); 3622 if (dptr == NULL) 3623 return (NS_LDAP_MEMORY); 3624 3625 dptr->basedn = strdup(dn_data->lkd_dn); 3626 dptr->scope = NS_LDAP_SCOPE_BASE; 3627 dptr->filter = strdup(dn_data->lkd_filter); 3628 3629 if (dptr->basedn == NULL || dptr->filter == NULL) { 3630 __ns_ldap_freeASearchDesc(dptr); 3631 return (NS_LDAP_MEMORY); 3632 } 3633 3634 *descpp = dptr; 3635 return (NS_LDAP_SUCCESS); 3636 } 3637 3638 static int 3639 lookup_dn(lookup_data_t *dn_data, const char **attrs, 3640 ns_ldap_result_t **resultp, ns_ldap_error_t **errorp) 3641 { 3642 ns_ldap_cookie_t *cookie; 3643 int rc = 0; 3644 int flags = 0; 3645 3646 *errorp = NULL; 3647 *resultp = NULL; 3648 3649 if (dn_data == NULL || dn_data->lkd_dn == NULL || 3650 dn_data->lkd_dn[0] == '\0' || dn_data->lkd_filter == NULL) 3651 return (NS_LDAP_INVALID_PARAM); 3652 3653 cookie = init_search_state_machine(); 3654 if (cookie == NULL) 3655 return (NS_LDAP_MEMORY); 3656 3657 rc = __s_api_toFollowReferrals(flags, &cookie->followRef, errorp); 3658 if (rc != NS_LDAP_SUCCESS) 3659 goto out; 3660 3661 /* 1 for SSD, 1 for terminating NULL */ 3662 cookie->sdlist = calloc(2, sizeof (ns_ldap_search_desc_t *)); 3663 if (cookie->sdlist == NULL) { 3664 rc = NS_LDAP_MEMORY; 3665 goto out; 3666 } 3667 3668 rc = lookup_create_ssd(dn_data, &cookie->sdlist[0]); 3669 if (rc != NS_LDAP_SUCCESS) 3670 goto out; 3671 3672 if (dn_data->lkd_service != NULL) { 3673 /* 3674 * If a service was specified, set that on the cookie so 3675 * that search_state_machine() will properly map 3676 * attributes and objectclasses. 3677 */ 3678 cookie->service = strdup(dn_data->lkd_service); 3679 if (cookie->service == NULL) { 3680 rc = NS_LDAP_MEMORY; 3681 goto out; 3682 } 3683 } 3684 3685 cookie->i_attr = attrs; 3686 cookie->i_auth = dn_data->lkd_cred; 3687 cookie->i_flags = 0; 3688 cookie->i_filter = strdup(dn_data->lkd_filter); 3689 if (cookie->i_filter == NULL) { 3690 rc = NS_LDAP_MEMORY; 3691 goto out; 3692 } 3693 3694 /* 3695 * Actually perform the search. The return value is only used when 3696 * iterating through multiple results. Since we are searching with 3697 * a scope of base, we will always get at most one result entry, 3698 * we ignore the return value and look at err_rc to determine if 3699 * there were any errors. 3700 */ 3701 (void) search_state_machine(cookie, INIT, 0); 3702 rc = cookie->err_rc; 3703 3704 if (rc != NS_LDAP_SUCCESS) { 3705 ns_conn_user_t *user = dn_data->lkd_user; 3706 3707 if (user != NULL && user->ns_error != NULL) { 3708 *errorp = user->ns_error; 3709 user->ns_error = NULL; 3710 } else { 3711 *errorp = cookie->errorp; 3712 cookie->errorp = NULL; 3713 } 3714 } else if (cookie->result != NULL) { 3715 *resultp = cookie->result; 3716 cookie->result = NULL; 3717 } else { 3718 rc = NS_LDAP_NOTFOUND; 3719 } 3720 3721 out: 3722 delete_search_cookie(cookie); 3723 return (rc); 3724 } 3725 3726 /* 3727 * find_domainname performs one or more LDAP searches to 3728 * find the value of the nisdomain attribute associated with 3729 * the input DN (with no retry). 3730 */ 3731 3732 static int 3733 find_domainname(const char *dn, char **domainname, const ns_cred_t *cred, 3734 ns_ldap_error_t **errorp, ns_conn_user_t *conn_user) 3735 { 3736 lookup_data_t ldata; 3737 ns_ldap_result_t *result; 3738 char **value; 3739 int rc; 3740 3741 *domainname = NULL; 3742 *errorp = NULL; 3743 3744 ldata.lkd_dn = dn; 3745 ldata.lkd_service = NULL; 3746 ldata.lkd_filter = _NIS_FILTER; 3747 ldata.lkd_cred = cred; 3748 ldata.lkd_user = conn_user; 3749 3750 rc = lookup_dn(&ldata, nis_domain_attrs, &result, errorp); 3751 if (rc != NS_LDAP_SUCCESS) 3752 return (rc); 3753 3754 value = __ns_ldap_getAttr(result->entry, _NIS_DOMAIN); 3755 3756 if (value != NULL && value[0] != NULL) { 3757 *domainname = strdup(value[0]); 3758 if (*domainname == NULL) 3759 rc = NS_LDAP_MEMORY; 3760 } else { 3761 rc = NS_LDAP_NOTFOUND; 3762 } 3763 3764 (void) __ns_ldap_freeResult(&result); 3765 return (rc); 3766 } 3767 3768 /* 3769 * __s_api_find_domainname performs one or more LDAP searches to 3770 * find the value of the nisdomain attribute associated with 3771 * the input DN (with retry). 3772 */ 3773 3774 static int 3775 __s_api_find_domainname(const char *dn, char **domainname, 3776 const ns_cred_t *cred, ns_ldap_error_t **errorp) 3777 { 3778 ns_conn_user_t *cu = NULL; 3779 int try_cnt = 0; 3780 int rc = NS_LDAP_SUCCESS; 3781 3782 for (;;) { 3783 if (__s_api_setup_retry_search(&cu, NS_CONN_USER_SEARCH, 3784 &try_cnt, &rc, errorp) == 0) 3785 break; 3786 rc = find_domainname(dn, domainname, cred, errorp, cu); 3787 } 3788 3789 return (rc); 3790 } 3791 3792 static int 3793 firstEntry( 3794 const char *service, 3795 const char *filter, 3796 const char *sortattr, 3797 int (*init_filter_cb)(const ns_ldap_search_desc_t *desc, 3798 char **realfilter, const void *userdata), 3799 const char * const *attribute, 3800 const ns_cred_t *auth, 3801 const int flags, 3802 void **vcookie, 3803 ns_ldap_result_t **result, 3804 ns_ldap_error_t ** errorp, 3805 const void *userdata, 3806 ns_conn_user_t *conn_user) 3807 { 3808 ns_ldap_cookie_t *cookie = NULL; 3809 ns_ldap_error_t *error = NULL; 3810 ns_state_t state; 3811 ns_ldap_search_desc_t **sdlist; 3812 ns_ldap_search_desc_t *dptr; 3813 char **dns = NULL; 3814 int scope; 3815 int rc; 3816 3817 *errorp = NULL; 3818 *result = NULL; 3819 3820 /* 3821 * Sanity check - NS_LDAP_READ_SHADOW is for our 3822 * own internal use. 3823 */ 3824 if (flags & NS_LDAP_READ_SHADOW) 3825 return (NS_LDAP_INVALID_PARAM); 3826 3827 /* get the service descriptor - or create a default one */ 3828 rc = __s_api_get_SSD_from_SSDtoUse_service(service, 3829 &sdlist, &error); 3830 if (rc != NS_LDAP_SUCCESS) { 3831 *errorp = error; 3832 return (rc); 3833 } 3834 if (sdlist == NULL) { 3835 /* Create default service Desc */ 3836 sdlist = (ns_ldap_search_desc_t **)calloc(2, 3837 sizeof (ns_ldap_search_desc_t *)); 3838 if (sdlist == NULL) { 3839 return (NS_LDAP_MEMORY); 3840 } 3841 dptr = (ns_ldap_search_desc_t *) 3842 calloc(1, sizeof (ns_ldap_search_desc_t)); 3843 if (dptr == NULL) { 3844 free(sdlist); 3845 return (NS_LDAP_MEMORY); 3846 } 3847 sdlist[0] = dptr; 3848 3849 /* default base */ 3850 rc = __s_api_getDNs(&dns, service, &error); 3851 if (rc != NS_LDAP_SUCCESS) { 3852 if (dns) { 3853 __s_api_free2dArray(dns); 3854 dns = NULL; 3855 } 3856 if (sdlist) { 3857 (void) __ns_ldap_freeSearchDescriptors( 3858 &sdlist); 3859 3860 sdlist = NULL; 3861 } 3862 *errorp = error; 3863 return (rc); 3864 } 3865 dptr->basedn = strdup(dns[0]); 3866 __s_api_free2dArray(dns); 3867 dns = NULL; 3868 3869 /* default scope */ 3870 scope = 0; 3871 cookie = init_search_state_machine(); 3872 if (cookie == NULL) { 3873 if (sdlist) { 3874 (void) __ns_ldap_freeSearchDescriptors(&sdlist); 3875 sdlist = NULL; 3876 } 3877 return (NS_LDAP_MEMORY); 3878 } 3879 rc = __s_api_getSearchScope(&scope, &cookie->errorp); 3880 dptr->scope = scope; 3881 } 3882 3883 /* Initialize State machine cookie */ 3884 if (cookie == NULL) 3885 cookie = init_search_state_machine(); 3886 if (cookie == NULL) { 3887 if (sdlist) { 3888 (void) __ns_ldap_freeSearchDescriptors(&sdlist); 3889 sdlist = NULL; 3890 } 3891 return (NS_LDAP_MEMORY); 3892 } 3893 3894 /* identify self as a getent user */ 3895 cookie->conn_user = conn_user; 3896 3897 cookie->sdlist = sdlist; 3898 3899 /* see if need to follow referrals */ 3900 rc = __s_api_toFollowReferrals(flags, 3901 &cookie->followRef, errorp); 3902 if (rc != NS_LDAP_SUCCESS) { 3903 delete_search_cookie(cookie); 3904 return (rc); 3905 } 3906 3907 /* 3908 * use VLV/PAGE control only if NS_LDAP_NO_PAGE_CTRL is not set 3909 */ 3910 if (flags & NS_LDAP_NO_PAGE_CTRL) 3911 cookie->use_paging = FALSE; 3912 else 3913 cookie->use_paging = TRUE; 3914 3915 /* Set up other arguments */ 3916 cookie->userdata = userdata; 3917 if (init_filter_cb != NULL) { 3918 cookie->init_filter_cb = init_filter_cb; 3919 cookie->use_filtercb = 1; 3920 } 3921 cookie->use_usercb = 0; 3922 /* check_shadow() may add extra value to cookie->i_flags */ 3923 cookie->i_flags = flags; 3924 if (service) { 3925 cookie->service = strdup(service); 3926 if (cookie->service == NULL) { 3927 delete_search_cookie(cookie); 3928 return (NS_LDAP_MEMORY); 3929 } 3930 3931 /* 3932 * If given, use the credential given by the caller, and 3933 * skip the credential check required for shadow update. 3934 */ 3935 if (auth == NULL) { 3936 rc = check_shadow(cookie, service); 3937 if (rc != NS_LDAP_SUCCESS) { 3938 *errorp = cookie->errorp; 3939 cookie->errorp = NULL; 3940 delete_search_cookie(cookie); 3941 cookie = NULL; 3942 return (rc); 3943 } 3944 } 3945 } 3946 3947 cookie->i_filter = strdup(filter); 3948 cookie->i_attr = attribute; 3949 cookie->i_sortattr = sortattr; 3950 cookie->i_auth = auth; 3951 3952 state = INIT; 3953 for (;;) { 3954 state = search_state_machine(cookie, state, ONE_STEP); 3955 switch (state) { 3956 case PROCESS_RESULT: 3957 *result = cookie->result; 3958 cookie->result = NULL; 3959 *vcookie = (void *)cookie; 3960 return (NS_LDAP_SUCCESS); 3961 case LDAP_ERROR: 3962 state = search_state_machine(cookie, state, ONE_STEP); 3963 state = search_state_machine(cookie, CLEAR_RESULTS, 3964 ONE_STEP); 3965 /* FALLTHROUGH */ 3966 case ERROR: 3967 rc = cookie->err_rc; 3968 if (conn_user != NULL && conn_user->ns_error != NULL) { 3969 *errorp = conn_user->ns_error; 3970 conn_user->ns_error = NULL; 3971 } else { 3972 *errorp = cookie->errorp; 3973 cookie->errorp = NULL; 3974 } 3975 delete_search_cookie(cookie); 3976 return (rc); 3977 case EXIT: 3978 rc = cookie->err_rc; 3979 if (rc != NS_LDAP_SUCCESS) { 3980 *errorp = cookie->errorp; 3981 cookie->errorp = NULL; 3982 } else { 3983 rc = NS_LDAP_NOTFOUND; 3984 } 3985 3986 delete_search_cookie(cookie); 3987 return (rc); 3988 3989 default: 3990 break; 3991 } 3992 } 3993 } 3994 3995 int 3996 __ns_ldap_firstEntry( 3997 const char *service, 3998 const char *filter, 3999 const char *vlv_sort, 4000 int (*init_filter_cb)(const ns_ldap_search_desc_t *desc, 4001 char **realfilter, const void *userdata), 4002 const char * const *attribute, 4003 const ns_cred_t *auth, 4004 const int flags, 4005 void **vcookie, 4006 ns_ldap_result_t **result, 4007 ns_ldap_error_t ** errorp, 4008 const void *userdata) 4009 { 4010 ns_conn_user_t *cu = NULL; 4011 int try_cnt = 0; 4012 int rc = NS_LDAP_SUCCESS; 4013 4014 for (;;) { 4015 if (__s_api_setup_retry_search(&cu, NS_CONN_USER_GETENT, 4016 &try_cnt, &rc, errorp) == 0) 4017 break; 4018 rc = firstEntry(service, filter, vlv_sort, init_filter_cb, 4019 attribute, auth, flags, vcookie, result, errorp, userdata, 4020 cu); 4021 } 4022 return (rc); 4023 } 4024 4025 /*ARGSUSED2*/ 4026 int 4027 __ns_ldap_nextEntry(void *vcookie, ns_ldap_result_t **result, 4028 ns_ldap_error_t ** errorp) 4029 { 4030 ns_ldap_cookie_t *cookie; 4031 ns_state_t state; 4032 int rc; 4033 4034 cookie = (ns_ldap_cookie_t *)vcookie; 4035 cookie->result = NULL; 4036 *result = NULL; 4037 4038 if (cookie->conn_user != NULL) { 4039 rc = __s_api_setup_getnext(cookie->conn_user, 4040 &cookie->err_rc, errorp); 4041 if (rc != NS_LDAP_SUCCESS) 4042 return (rc); 4043 } 4044 4045 state = END_PROCESS_RESULT; 4046 for (;;) { 4047 state = search_state_machine(cookie, state, ONE_STEP); 4048 switch (state) { 4049 case PROCESS_RESULT: 4050 *result = cookie->result; 4051 cookie->result = NULL; 4052 return (NS_LDAP_SUCCESS); 4053 case LDAP_ERROR: 4054 state = search_state_machine(cookie, state, ONE_STEP); 4055 state = search_state_machine(cookie, CLEAR_RESULTS, 4056 ONE_STEP); 4057 /* FALLTHROUGH */ 4058 case ERROR: 4059 rc = cookie->err_rc; 4060 *errorp = cookie->errorp; 4061 cookie->errorp = NULL; 4062 return (rc); 4063 case EXIT: 4064 return (NS_LDAP_SUCCESS); 4065 } 4066 } 4067 } 4068 4069 int 4070 __ns_ldap_endEntry( 4071 void **vcookie, 4072 ns_ldap_error_t ** errorp) 4073 { 4074 ns_ldap_cookie_t *cookie; 4075 int rc; 4076 4077 if (*vcookie == NULL) 4078 return (NS_LDAP_INVALID_PARAM); 4079 4080 cookie = (ns_ldap_cookie_t *)(*vcookie); 4081 cookie->result = NULL; 4082 4083 /* Complete search */ 4084 rc = search_state_machine(cookie, CLEAR_RESULTS, 0); 4085 4086 /* Copy results back to user */ 4087 rc = cookie->err_rc; 4088 if (rc != NS_LDAP_SUCCESS) 4089 *errorp = cookie->errorp; 4090 4091 cookie->errorp = NULL; 4092 if (cookie->conn_user != NULL) { 4093 if (cookie->conn_user->conn_mt != NULL) 4094 __s_api_conn_mt_return(cookie->conn_user); 4095 __s_api_conn_user_free(cookie->conn_user); 4096 } 4097 delete_search_cookie(cookie); 4098 cookie = NULL; 4099 *vcookie = NULL; 4100 4101 return (rc); 4102 } 4103 4104 4105 int 4106 __ns_ldap_freeResult(ns_ldap_result_t **result) 4107 { 4108 4109 ns_ldap_entry_t *curEntry = NULL; 4110 ns_ldap_entry_t *delEntry = NULL; 4111 int i; 4112 ns_ldap_result_t *res = *result; 4113 4114 #ifdef DEBUG 4115 (void) fprintf(stderr, "__ns_ldap_freeResult START\n"); 4116 #endif 4117 if (res == NULL) 4118 return (NS_LDAP_INVALID_PARAM); 4119 4120 if (res->entry != NULL) 4121 curEntry = res->entry; 4122 4123 for (i = 0; i < res->entries_count; i++) { 4124 if (curEntry != NULL) { 4125 delEntry = curEntry; 4126 curEntry = curEntry->next; 4127 __ns_ldap_freeEntry(delEntry); 4128 } 4129 } 4130 4131 free(res); 4132 *result = NULL; 4133 return (NS_LDAP_SUCCESS); 4134 } 4135 4136 int 4137 __ns_ldap_auth(const ns_cred_t *auth, const int flags, ns_ldap_error_t **errorp, 4138 LDAPControl **serverctrls __unused, LDAPControl **clientctrls __unused) 4139 { 4140 4141 ConnectionID connectionId = -1; 4142 Connection *conp; 4143 int rc = 0; 4144 int do_not_fail_if_new_pwd_reqd = 0; 4145 int nopasswd_acct_mgmt = 0; 4146 ns_conn_user_t *conn_user; 4147 4148 4149 #ifdef DEBUG 4150 (void) fprintf(stderr, "__ns_ldap_auth START\n"); 4151 #endif 4152 4153 *errorp = NULL; 4154 if (auth == NULL) 4155 return (NS_LDAP_INVALID_PARAM); 4156 4157 conn_user = __s_api_conn_user_init(NS_CONN_USER_AUTH, 4158 NULL, B_FALSE); 4159 4160 rc = __s_api_getConnection(NULL, flags | NS_LDAP_NEW_CONN, 4161 auth, &connectionId, &conp, errorp, 4162 do_not_fail_if_new_pwd_reqd, nopasswd_acct_mgmt, 4163 conn_user); 4164 4165 if (conn_user != NULL) 4166 __s_api_conn_user_free(conn_user); 4167 4168 if (rc == NS_LDAP_OP_FAILED && *errorp) 4169 (void) __ns_ldap_freeError(errorp); 4170 4171 if (connectionId > -1) 4172 DropConnection(connectionId, flags); 4173 return (rc); 4174 } 4175 4176 char ** 4177 __ns_ldap_getAttr(const ns_ldap_entry_t *entry, const char *attrname) 4178 { 4179 int i; 4180 4181 if (entry == NULL) 4182 return (NULL); 4183 for (i = 0; i < entry->attr_count; i++) { 4184 if (strcasecmp(entry->attr_pair[i]->attrname, attrname) == 0) 4185 return (entry->attr_pair[i]->attrvalue); 4186 } 4187 return (NULL); 4188 } 4189 4190 ns_ldap_attr_t * 4191 __ns_ldap_getAttrStruct(const ns_ldap_entry_t *entry, const char *attrname) 4192 { 4193 int i; 4194 4195 if (entry == NULL) 4196 return (NULL); 4197 for (i = 0; i < entry->attr_count; i++) { 4198 if (strcasecmp(entry->attr_pair[i]->attrname, attrname) == 0) 4199 return (entry->attr_pair[i]); 4200 } 4201 return (NULL); 4202 } 4203 4204 4205 int 4206 __ns_ldap_uid2dn(const char *uid, char **userDN, const ns_cred_t *cred, 4207 ns_ldap_error_t **errorp) 4208 { 4209 ns_ldap_result_t *result = NULL; 4210 char *filter, *userdata; 4211 char errstr[MAXERROR]; 4212 char **value; 4213 int rc = 0; 4214 int i; 4215 size_t len; 4216 4217 *errorp = NULL; 4218 *userDN = NULL; 4219 if ((uid == NULL) || (uid[0] == '\0')) 4220 return (NS_LDAP_INVALID_PARAM); 4221 4222 for (i = 0; uid[i] != '\0'; i++) { 4223 if (uid[i] == '=') { 4224 *userDN = strdup(uid); 4225 return (NS_LDAP_SUCCESS); 4226 } 4227 } 4228 for (i = 0; (uid[i] != '\0') && isdigit(uid[i]); i++) 4229 ; 4230 if (uid[i] == '\0') { 4231 len = strlen(UIDNUMFILTER) + strlen(uid) + 1; 4232 filter = malloc(len); 4233 if (filter == NULL) { 4234 *userDN = NULL; 4235 return (NS_LDAP_MEMORY); 4236 } 4237 (void) snprintf(filter, len, UIDNUMFILTER, uid); 4238 4239 len = strlen(UIDNUMFILTER_SSD) + strlen(uid) + 1; 4240 userdata = malloc(len); 4241 if (userdata == NULL) { 4242 *userDN = NULL; 4243 free(filter); 4244 return (NS_LDAP_MEMORY); 4245 } 4246 (void) snprintf(userdata, len, UIDNUMFILTER_SSD, uid); 4247 } else { 4248 len = strlen(UIDFILTER) + strlen(uid) + 1; 4249 filter = malloc(len); 4250 if (filter == NULL) { 4251 *userDN = NULL; 4252 return (NS_LDAP_MEMORY); 4253 } 4254 (void) snprintf(filter, len, UIDFILTER, uid); 4255 4256 len = strlen(UIDFILTER_SSD) + strlen(uid) + 1; 4257 userdata = malloc(len); 4258 if (userdata == NULL) { 4259 *userDN = NULL; 4260 free(filter); 4261 return (NS_LDAP_MEMORY); 4262 } 4263 (void) snprintf(userdata, len, UIDFILTER_SSD, uid); 4264 } 4265 4266 /* 4267 * we want to retrieve the DN as it appears in LDAP 4268 * hence the use of NS_LDAP_NOT_CVT_DN in flags 4269 */ 4270 rc = __ns_ldap_list("passwd", filter, 4271 __s_api_merge_SSD_filter, 4272 NULL, cred, NS_LDAP_NOT_CVT_DN, 4273 &result, errorp, NULL, 4274 userdata); 4275 free(filter); 4276 filter = NULL; 4277 free(userdata); 4278 userdata = NULL; 4279 if (rc != NS_LDAP_SUCCESS) { 4280 if (result) { 4281 (void) __ns_ldap_freeResult(&result); 4282 result = NULL; 4283 } 4284 return (rc); 4285 } 4286 if (result->entries_count > 1) { 4287 (void) __ns_ldap_freeResult(&result); 4288 result = NULL; 4289 *userDN = NULL; 4290 (void) sprintf(errstr, 4291 gettext("Too many entries are returned for %s"), uid); 4292 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, strdup(errstr), 4293 NS_LDAP_MEMORY); 4294 return (NS_LDAP_INTERNAL); 4295 } 4296 4297 value = __ns_ldap_getAttr(result->entry, "dn"); 4298 *userDN = strdup(value[0]); 4299 (void) __ns_ldap_freeResult(&result); 4300 result = NULL; 4301 return (NS_LDAP_SUCCESS); 4302 } 4303 4304 #define _P_UID "uid" 4305 static const char *dn2uid_attrs[] = { 4306 _P_CN, 4307 _P_UID, 4308 (char *)NULL 4309 }; 4310 4311 int 4312 __ns_ldap_dn2uid(const char *dn, char **userIDp, const ns_cred_t *cred, 4313 ns_ldap_error_t **errorp) 4314 { 4315 lookup_data_t ldata; 4316 ns_ldap_result_t *result; 4317 char **value; 4318 int rc; 4319 4320 *errorp = NULL; 4321 *userIDp = NULL; 4322 if ((dn == NULL) || (dn[0] == '\0')) 4323 return (NS_LDAP_INVALID_PARAM); 4324 4325 /* 4326 * Many LDAP servers do not support using the dn in a search 4327 * filter. As a result, we unfortunately cannot use __ns_ldap_list() 4328 * to lookup the DN. Instead we perform a search with the baseDN 4329 * being the DN we are looking for with a scope of 'base' to 4330 * return the entry, as this should be supported by all LDAP servers. 4331 */ 4332 ldata.lkd_dn = dn; 4333 4334 /* 4335 * Since we are looking up a user account by its DN, use the attribute 4336 * and objectclass mappings (if present) for the passwd service. 4337 */ 4338 ldata.lkd_service = "passwd"; 4339 ldata.lkd_filter = UIDDNFILTER; 4340 ldata.lkd_cred = cred; 4341 ldata.lkd_user = NULL; 4342 4343 rc = lookup_dn(&ldata, dn2uid_attrs, &result, errorp); 4344 if (rc != NS_LDAP_SUCCESS) 4345 return (rc); 4346 4347 value = __ns_ldap_getAttr(result->entry, _P_UID); 4348 if (value != NULL && value[0] != NULL) { 4349 *userIDp = strdup(value[0]); 4350 if (*userIDp == NULL) 4351 rc = NS_LDAP_MEMORY; 4352 } else { 4353 rc = NS_LDAP_NOTFOUND; 4354 } 4355 4356 (void) __ns_ldap_freeResult(&result); 4357 return (rc); 4358 } 4359 4360 int 4361 __ns_ldap_host2dn(const char *host, const char *domain, char **hostDN, 4362 const ns_cred_t *cred, ns_ldap_error_t **errorp) 4363 { 4364 ns_ldap_result_t *result = NULL; 4365 char *filter, *userdata; 4366 char errstr[MAXERROR]; 4367 char **value; 4368 int rc; 4369 size_t len; 4370 4371 /* 4372 * XXX 4373 * the domain parameter needs to be used in case domain is not local, 4374 * if this routine is to support multi domain setups, it needs lots 4375 * of work... 4376 */ 4377 *errorp = NULL; 4378 *hostDN = NULL; 4379 if ((host == NULL) || (host[0] == '\0')) 4380 return (NS_LDAP_INVALID_PARAM); 4381 4382 len = strlen(HOSTFILTER) + strlen(host) + 1; 4383 filter = malloc(len); 4384 if (filter == NULL) { 4385 return (NS_LDAP_MEMORY); 4386 } 4387 (void) snprintf(filter, len, HOSTFILTER, host); 4388 4389 len = strlen(HOSTFILTER_SSD) + strlen(host) + 1; 4390 userdata = malloc(len); 4391 if (userdata == NULL) { 4392 free(filter); 4393 return (NS_LDAP_MEMORY); 4394 } 4395 (void) snprintf(userdata, len, HOSTFILTER_SSD, host); 4396 4397 /* 4398 * we want to retrieve the DN as it appears in LDAP 4399 * hence the use of NS_LDAP_NOT_CVT_DN in flags 4400 */ 4401 rc = __ns_ldap_list("hosts", filter, 4402 __s_api_merge_SSD_filter, 4403 NULL, cred, NS_LDAP_NOT_CVT_DN, &result, 4404 errorp, NULL, 4405 userdata); 4406 free(filter); 4407 filter = NULL; 4408 free(userdata); 4409 userdata = NULL; 4410 if (rc != NS_LDAP_SUCCESS) { 4411 if (result) { 4412 (void) __ns_ldap_freeResult(&result); 4413 result = NULL; 4414 } 4415 return (rc); 4416 } 4417 4418 if (result->entries_count > 1) { 4419 (void) __ns_ldap_freeResult(&result); 4420 result = NULL; 4421 *hostDN = NULL; 4422 (void) sprintf(errstr, 4423 gettext("Too many entries are returned for %s"), host); 4424 MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL, strdup(errstr), 4425 NS_LDAP_MEMORY); 4426 return (NS_LDAP_INTERNAL); 4427 } 4428 4429 value = __ns_ldap_getAttr(result->entry, "dn"); 4430 *hostDN = strdup(value[0]); 4431 (void) __ns_ldap_freeResult(&result); 4432 result = NULL; 4433 return (NS_LDAP_SUCCESS); 4434 } 4435 4436 int 4437 __ns_ldap_dn2domain(const char *dn, char **domain, const ns_cred_t *cred, 4438 ns_ldap_error_t **errorp) 4439 { 4440 int rc, pnum, i, j, len = 0; 4441 char *newdn, **rdns = NULL; 4442 char **dns, *dn1; 4443 4444 *errorp = NULL; 4445 4446 if (domain == NULL) 4447 return (NS_LDAP_INVALID_PARAM); 4448 else 4449 *domain = NULL; 4450 4451 if ((dn == NULL) || (dn[0] == '\0')) 4452 return (NS_LDAP_INVALID_PARAM); 4453 4454 /* 4455 * break dn into rdns 4456 */ 4457 dn1 = strdup(dn); 4458 if (dn1 == NULL) 4459 return (NS_LDAP_MEMORY); 4460 rdns = ldap_explode_dn(dn1, 0); 4461 free(dn1); 4462 if (rdns == NULL || *rdns == NULL) 4463 return (NS_LDAP_INVALID_PARAM); 4464 4465 for (i = 0; rdns[i]; i++) 4466 len += strlen(rdns[i]) + 1; 4467 pnum = i; 4468 4469 newdn = (char *)malloc(len + 1); 4470 dns = (char **)calloc(pnum, sizeof (char *)); 4471 if (newdn == NULL || dns == NULL) { 4472 if (newdn) 4473 free(newdn); 4474 ldap_value_free(rdns); 4475 return (NS_LDAP_MEMORY); 4476 } 4477 4478 /* construct a semi-normalized dn, newdn */ 4479 *newdn = '\0'; 4480 for (i = 0; rdns[i]; i++) { 4481 dns[i] = newdn + strlen(newdn); 4482 (void) strcat(newdn, 4483 __s_api_remove_rdn_space(rdns[i])); 4484 (void) strcat(newdn, ","); 4485 } 4486 /* remove the last ',' */ 4487 newdn[strlen(newdn) - 1] = '\0'; 4488 ldap_value_free(rdns); 4489 4490 /* 4491 * loop and find the domain name associated with newdn, 4492 * removing rdn one by one from left to right 4493 */ 4494 for (i = 0; i < pnum; i++) { 4495 4496 if (*errorp) 4497 (void) __ns_ldap_freeError(errorp); 4498 4499 /* 4500 * try cache manager first 4501 */ 4502 rc = __s_api_get_cachemgr_data(NS_CACHE_DN2DOMAIN, 4503 dns[i], domain); 4504 if (rc != NS_LDAP_SUCCESS) { 4505 /* 4506 * try ldap server second 4507 */ 4508 rc = __s_api_find_domainname(dns[i], domain, 4509 cred, errorp); 4510 } else { 4511 /* 4512 * skip the last one, 4513 * since it is already cached by ldap_cachemgr 4514 */ 4515 i--; 4516 } 4517 if (rc == NS_LDAP_SUCCESS) { 4518 if (__s_api_nscd_proc()) { 4519 /* 4520 * If it's nscd, ask cache manager to save the 4521 * dn to domain mapping(s) 4522 */ 4523 for (j = 0; j <= i; j++) { 4524 (void) __s_api_set_cachemgr_data( 4525 NS_CACHE_DN2DOMAIN, 4526 dns[j], 4527 *domain); 4528 } 4529 } 4530 break; 4531 } 4532 } 4533 4534 free(dns); 4535 free(newdn); 4536 if (rc != NS_LDAP_SUCCESS) 4537 rc = NS_LDAP_NOTFOUND; 4538 return (rc); 4539 } 4540 4541 int 4542 __ns_ldap_getServiceAuthMethods(const char *service, ns_auth_t ***auth, 4543 ns_ldap_error_t **errorp) 4544 { 4545 char errstr[MAXERROR]; 4546 int rc, i; 4547 boolean_t done = B_FALSE; 4548 int slen; 4549 void **param; 4550 char **sam, *srv, *send; 4551 ns_auth_t **authpp = NULL, *ap; 4552 int cnt, max; 4553 ns_config_t *cfg; 4554 ns_ldap_error_t *error = NULL; 4555 4556 if (errorp == NULL) 4557 return (NS_LDAP_INVALID_PARAM); 4558 *errorp = NULL; 4559 4560 if ((service == NULL) || (service[0] == '\0') || 4561 (auth == NULL)) 4562 return (NS_LDAP_INVALID_PARAM); 4563 4564 *auth = NULL; 4565 rc = __ns_ldap_getParam(NS_LDAP_SERVICE_AUTH_METHOD_P, ¶m, &error); 4566 if (rc != NS_LDAP_SUCCESS || param == NULL) { 4567 *errorp = error; 4568 return (rc); 4569 } 4570 sam = (char **)param; 4571 4572 cfg = __s_api_get_default_config(); 4573 cnt = 0; 4574 4575 slen = strlen(service); 4576 4577 for (; *sam; sam++) { 4578 srv = *sam; 4579 if (strncasecmp(service, srv, slen) != 0) 4580 continue; 4581 srv += slen; 4582 if (*srv != COLONTOK) 4583 continue; 4584 send = srv; 4585 srv++; 4586 for (max = 1; (send = strchr(++send, SEMITOK)) != NULL; max++) 4587 ; 4588 authpp = (ns_auth_t **)calloc(++max, sizeof (ns_auth_t *)); 4589 if (authpp == NULL) { 4590 (void) __ns_ldap_freeParam(¶m); 4591 __s_api_release_config(cfg); 4592 return (NS_LDAP_MEMORY); 4593 } 4594 while (!done) { 4595 send = strchr(srv, SEMITOK); 4596 if (send != NULL) { 4597 *send = '\0'; 4598 send++; 4599 } 4600 i = __s_get_enum_value(cfg, srv, NS_LDAP_AUTH_P); 4601 if (i == -1) { 4602 (void) __ns_ldap_freeParam(¶m); 4603 (void) sprintf(errstr, 4604 gettext("Unsupported " 4605 "serviceAuthenticationMethod: %s.\n"), srv); 4606 MKERROR(LOG_WARNING, *errorp, NS_CONFIG_SYNTAX, 4607 strdup(errstr), NS_LDAP_MEMORY); 4608 __s_api_release_config(cfg); 4609 return (NS_LDAP_CONFIG); 4610 } 4611 ap = __s_api_AuthEnumtoStruct((EnumAuthType_t)i); 4612 if (ap == NULL) { 4613 (void) __ns_ldap_freeParam(¶m); 4614 __s_api_release_config(cfg); 4615 return (NS_LDAP_MEMORY); 4616 } 4617 authpp[cnt++] = ap; 4618 if (send == NULL) 4619 done = B_TRUE; 4620 else 4621 srv = send; 4622 } 4623 } 4624 4625 *auth = authpp; 4626 (void) __ns_ldap_freeParam(¶m); 4627 __s_api_release_config(cfg); 4628 return (NS_LDAP_SUCCESS); 4629 } 4630 4631 /* 4632 * This routine is called when certain scenario occurs 4633 * e.g. 4634 * service == auto_home 4635 * SSD = automount: ou = mytest, 4636 * NS_LDAP_MAPATTRIBUTE= auto_home: automountMapName=AAA 4637 * NS_LDAP_OBJECTCLASSMAP= auto_home:automountMap=MynisMap 4638 * NS_LDAP_OBJECTCLASSMAP= auto_home:automount=MynisObject 4639 * 4640 * The automountMapName is prepended implicitely but is mapped 4641 * to AAA. So dn could appers as 4642 * dn: AAA=auto_home,ou=bar,dc=foo,dc=com 4643 * dn: automountKey=user_01,AAA=auto_home,ou=bar,dc=foo,dc=com 4644 * dn: automountKey=user_02,AAA=auto_home,ou=bar,dc=foo,dc=com 4645 * in the directory. 4646 * This function is called to covert the mapped attr back to 4647 * orig attr when the entries are searched and returned 4648 */ 4649 4650 int 4651 __s_api_convert_automountmapname(const char *service, char **dn, 4652 ns_ldap_error_t **errp) 4653 { 4654 4655 char **mapping = NULL; 4656 char *mapped_attr = NULL; 4657 char *automountmapname = "automountMapName"; 4658 char *buffer = NULL; 4659 int rc = NS_LDAP_SUCCESS; 4660 char errstr[MAXERROR]; 4661 4662 /* 4663 * dn is an input/out parameter, check it first 4664 */ 4665 4666 if (service == NULL || dn == NULL || *dn == NULL) 4667 return (NS_LDAP_INVALID_PARAM); 4668 4669 /* 4670 * Check to see if there is a mapped attribute for auto_xxx 4671 */ 4672 4673 mapping = __ns_ldap_getMappedAttributes(service, automountmapname); 4674 4675 /* 4676 * if no mapped attribute for auto_xxx, try automount 4677 */ 4678 4679 if (mapping == NULL) { 4680 mapping = __ns_ldap_getMappedAttributes( 4681 "automount", automountmapname); 4682 } 4683 4684 /* 4685 * if no mapped attribute is found, return SUCCESS (no op) 4686 */ 4687 4688 if (mapping == NULL) 4689 return (NS_LDAP_SUCCESS); 4690 4691 /* 4692 * if the mapped attribute is found and attr is not empty, 4693 * copy it 4694 */ 4695 4696 if (mapping[0] != NULL) { 4697 mapped_attr = strdup(mapping[0]); 4698 __s_api_free2dArray(mapping); 4699 if (mapped_attr == NULL) { 4700 return (NS_LDAP_MEMORY); 4701 } 4702 } else { 4703 __s_api_free2dArray(mapping); 4704 4705 (void) snprintf(errstr, (2 * MAXERROR), 4706 gettext("Attribute nisMapName is mapped to an " 4707 "empty string.\n")); 4708 4709 MKERROR(LOG_ERR, *errp, NS_CONFIG_SYNTAX, 4710 strdup(errstr), NS_LDAP_MEMORY); 4711 4712 return (NS_LDAP_CONFIG); 4713 } 4714 4715 /* 4716 * Locate the mapped attribute in the dn 4717 * and replace it if it exists 4718 */ 4719 4720 rc = __s_api_replace_mapped_attr_in_dn( 4721 (const char *) automountmapname, (const char *) mapped_attr, 4722 (const char *) *dn, &buffer); 4723 4724 /* clean up */ 4725 4726 free(mapped_attr); 4727 4728 /* 4729 * If mapped attr is found(buffer != NULL) 4730 * a new dn is returned 4731 * If no mapped attribute is in dn, 4732 * return NS_LDAP_SUCCESS (no op) 4733 * If no memory, 4734 * return NS_LDAP_MEMORY (no op) 4735 */ 4736 4737 if (buffer != NULL) { 4738 free(*dn); 4739 *dn = buffer; 4740 } 4741 4742 return (rc); 4743 } 4744 4745 /* 4746 * If the mapped attr is found in the dn, 4747 * return NS_LDAP_SUCCESS and a new_dn. 4748 * If no mapped attr is found, 4749 * return NS_LDAP_SUCCESS and *new_dn == NULL 4750 * If there is not enough memory, 4751 * return NS_LDAP_MEMORY and *new_dn == NULL 4752 */ 4753 4754 int 4755 __s_api_replace_mapped_attr_in_dn(const char *orig_attr, 4756 const char *mapped_attr, const char *dn, char **new_dn) 4757 { 4758 4759 char **dnArray = NULL; 4760 char *cur = NULL, *start = NULL; 4761 int i = 0; 4762 boolean_t found = B_FALSE; 4763 int len = 0, orig_len = 0, mapped_len = 0; 4764 int dn_len = 0, tmp_len = 0; 4765 4766 *new_dn = NULL; 4767 4768 /* 4769 * seperate dn into individual componets 4770 * e.g. 4771 * "automountKey=user_01" , "automountMapName_test=auto_home", ... 4772 */ 4773 dnArray = ldap_explode_dn(dn, 0); 4774 4775 /* 4776 * This will find "mapped attr=value" in dn. 4777 * It won't find match if mapped attr appears 4778 * in the value. 4779 */ 4780 for (i = 0; dnArray[i] != NULL; i++) { 4781 /* 4782 * This function is called when reading from 4783 * the directory so assume each component has "=". 4784 * Any ill formatted dn should be rejected 4785 * before adding to the directory 4786 */ 4787 cur = strchr(dnArray[i], '='); 4788 *cur = '\0'; 4789 if (strcasecmp(mapped_attr, dnArray[i]) == 0) 4790 found = B_TRUE; 4791 *cur = '='; 4792 if (found) 4793 break; 4794 } 4795 4796 if (!found) { 4797 __s_api_free2dArray(dnArray); 4798 *new_dn = NULL; 4799 return (NS_LDAP_SUCCESS); 4800 } 4801 /* 4802 * The new length is *dn length + (difference between 4803 * orig attr and mapped attr) + 1 ; 4804 * e.g. 4805 * automountKey=aa,automountMapName_test=auto_home,dc=foo,dc=com 4806 * ==> 4807 * automountKey=aa,automountMapName=auto_home,dc=foo,dc=com 4808 */ 4809 mapped_len = strlen(mapped_attr); 4810 orig_len = strlen(orig_attr); 4811 dn_len = strlen(dn); 4812 len = dn_len + orig_len - mapped_len + 1; 4813 *new_dn = (char *)calloc(1, len); 4814 if (*new_dn == NULL) { 4815 __s_api_free2dArray(dnArray); 4816 return (NS_LDAP_MEMORY); 4817 } 4818 4819 /* 4820 * Locate the mapped attr in the dn. 4821 * Use dnArray[i] instead of mapped_attr 4822 * because mapped_attr could appear in 4823 * the value 4824 */ 4825 4826 cur = strstr(dn, dnArray[i]); 4827 __s_api_free2dArray(dnArray); 4828 /* copy the portion before mapped attr in dn */ 4829 start = *new_dn; 4830 tmp_len = cur - dn; 4831 (void) memcpy(start, dn, tmp_len); 4832 4833 /* 4834 * Copy the orig_attr. e.g. automountMapName 4835 * This replaces mapped attr with orig attr 4836 */ 4837 start = start + (cur - dn); /* move cursor in buffer */ 4838 (void) memcpy(start, orig_attr, orig_len); 4839 4840 /* 4841 * Copy the portion after mapped attr in dn 4842 */ 4843 cur = cur + mapped_len; /* move cursor in dn */ 4844 start = start + orig_len; /* move cursor in buffer */ 4845 (void) strcpy(start, cur); 4846 4847 return (NS_LDAP_SUCCESS); 4848 } 4849 4850 /* 4851 * Validate Filter functions 4852 */ 4853 4854 /* ***** Start of modified libldap.so.5 filter parser ***** */ 4855 4856 /* filter parsing routine forward references */ 4857 static int adj_filter_list(char *str); 4858 static int adj_simple_filter(char *str); 4859 static int unescape_filterval(char *val); 4860 static int hexchar2int(char c); 4861 static int adj_substring_filter(char *val); 4862 4863 4864 /* 4865 * assumes string manipulation is in-line 4866 * and all strings are sufficient in size 4867 * return value is the position after 'c' 4868 */ 4869 4870 static char * 4871 resync_str(char *str, char *next, char c) 4872 { 4873 char *ret; 4874 4875 ret = str + strlen(str); 4876 *next = c; 4877 if (ret == next) 4878 return (ret); 4879 (void) strcat(str, next); 4880 return (ret); 4881 } 4882 4883 static char * 4884 find_right_paren(char *s) 4885 { 4886 int balance; 4887 boolean_t escape; 4888 4889 balance = 1; 4890 escape = B_FALSE; 4891 while (*s && balance) { 4892 if (escape == B_FALSE) { 4893 if (*s == '(') 4894 balance++; 4895 else if (*s == ')') 4896 balance--; 4897 } 4898 if (*s == '\\' && !escape) 4899 escape = B_TRUE; 4900 else 4901 escape = B_FALSE; 4902 if (balance) 4903 s++; 4904 } 4905 4906 return (*s ? s : NULL); 4907 } 4908 4909 static char * 4910 adj_complex_filter(char *str) 4911 { 4912 char *next; 4913 4914 /* 4915 * We have (x(filter)...) with str sitting on 4916 * the x. We have to find the paren matching 4917 * the one before the x and put the intervening 4918 * filters by calling adj_filter_list(). 4919 */ 4920 4921 str++; 4922 if ((next = find_right_paren(str)) == NULL) 4923 return (NULL); 4924 4925 *next = '\0'; 4926 if (adj_filter_list(str) == -1) 4927 return (NULL); 4928 next = resync_str(str, next, ')'); 4929 next++; 4930 4931 return (next); 4932 } 4933 4934 static int 4935 adj_filter(char *str) 4936 { 4937 char *next; 4938 int parens, balance; 4939 boolean_t escape; 4940 char *np, *cp, *dp; 4941 4942 parens = 0; 4943 while (*str) { 4944 switch (*str) { 4945 case '(': 4946 str++; 4947 parens++; 4948 switch (*str) { 4949 case '&': 4950 if ((str = adj_complex_filter(str)) == NULL) 4951 return (-1); 4952 4953 parens--; 4954 break; 4955 4956 case '|': 4957 if ((str = adj_complex_filter(str)) == NULL) 4958 return (-1); 4959 4960 parens--; 4961 break; 4962 4963 case '!': 4964 if ((str = adj_complex_filter(str)) == NULL) 4965 return (-1); 4966 4967 parens--; 4968 break; 4969 4970 case '(': 4971 /* illegal ((case - generated by conversion */ 4972 4973 /* find missing close) */ 4974 np = find_right_paren(str+1); 4975 4976 /* error if not found */ 4977 if (np == NULL) 4978 return (-1); 4979 4980 /* remove redundant (and) */ 4981 for (dp = str, cp = str+1; cp < np; ) { 4982 *dp++ = *cp++; 4983 } 4984 cp++; 4985 while (*cp) 4986 *dp++ = *cp++; 4987 *dp = '\0'; 4988 4989 /* re-start test at original ( */ 4990 parens--; 4991 str--; 4992 break; 4993 4994 default: 4995 balance = 1; 4996 escape = B_FALSE; 4997 next = str; 4998 while (*next && balance) { 4999 if (escape == B_FALSE) { 5000 if (*next == '(') 5001 balance++; 5002 else if (*next == ')') 5003 balance--; 5004 } 5005 if (*next == '\\' && !escape) 5006 escape = B_TRUE; 5007 else 5008 escape = B_FALSE; 5009 if (balance) 5010 next++; 5011 } 5012 if (balance != 0) 5013 return (-1); 5014 5015 *next = '\0'; 5016 if (adj_simple_filter(str) == -1) { 5017 return (-1); 5018 } 5019 next = resync_str(str, next, ')'); 5020 next++; 5021 str = next; 5022 parens--; 5023 break; 5024 } 5025 break; 5026 5027 case ')': 5028 str++; 5029 parens--; 5030 break; 5031 5032 case ' ': 5033 str++; 5034 break; 5035 5036 default: /* assume it's a simple type=value filter */ 5037 next = strchr(str, '\0'); 5038 if (adj_simple_filter(str) == -1) { 5039 return (-1); 5040 } 5041 str = next; 5042 break; 5043 } 5044 } 5045 5046 return (parens ? -1 : 0); 5047 } 5048 5049 5050 /* 5051 * Put a list of filters like this "(filter1)(filter2)..." 5052 */ 5053 5054 static int 5055 adj_filter_list(char *str) 5056 { 5057 char *next; 5058 char save; 5059 5060 while (*str) { 5061 while (*str && isspace(*str)) 5062 str++; 5063 if (*str == '\0') 5064 break; 5065 5066 if ((next = find_right_paren(str + 1)) == NULL) 5067 return (-1); 5068 save = *++next; 5069 5070 /* now we have "(filter)" with str pointing to it */ 5071 *next = '\0'; 5072 if (adj_filter(str) == -1) 5073 return (-1); 5074 next = resync_str(str, next, save); 5075 5076 str = next; 5077 } 5078 5079 return (0); 5080 } 5081 5082 5083 /* 5084 * is_valid_attr - returns 1 if a is a syntactically valid left-hand side 5085 * of a filter expression, 0 otherwise. A valid string may contain only 5086 * letters, numbers, hyphens, semi-colons, colons and periods. examples: 5087 * cn 5088 * cn;lang-fr 5089 * 1.2.3.4;binary;dynamic 5090 * mail;dynamic 5091 * cn:dn:1.2.3.4 5092 * 5093 * For compatibility with older servers, we also allow underscores in 5094 * attribute types, even through they are not allowed by the LDAPv3 RFCs. 5095 */ 5096 static int 5097 is_valid_attr(char *a) 5098 { 5099 for (; *a; a++) { 5100 if (!isascii(*a)) { 5101 return (0); 5102 } else if (!isalnum(*a)) { 5103 switch (*a) { 5104 case '-': 5105 case '.': 5106 case ';': 5107 case ':': 5108 case '_': 5109 break; /* valid */ 5110 default: 5111 return (0); 5112 } 5113 } 5114 } 5115 return (1); 5116 } 5117 5118 static char * 5119 find_star(char *s) 5120 { 5121 for (; *s; ++s) { 5122 switch (*s) { 5123 case '*': 5124 return (s); 5125 case '\\': 5126 ++s; 5127 if (hexchar2int(s[0]) >= 0 && hexchar2int(s[1]) >= 0) 5128 ++s; 5129 default: 5130 break; 5131 } 5132 } 5133 return (NULL); 5134 } 5135 5136 static int 5137 adj_simple_filter(char *str) 5138 { 5139 char *s, *s2, *s3, filterop; 5140 char *value; 5141 int ftype = 0; 5142 int rc; 5143 5144 rc = -1; /* pessimistic */ 5145 5146 if ((str = strdup(str)) == NULL) { 5147 return (rc); 5148 } 5149 5150 if ((s = strchr(str, '=')) == NULL) { 5151 goto free_and_return; 5152 } 5153 value = s + 1; 5154 *s-- = '\0'; 5155 filterop = *s; 5156 if (filterop == '<' || filterop == '>' || filterop == '~' || 5157 filterop == ':') { 5158 *s = '\0'; 5159 } 5160 5161 if (!is_valid_attr(str)) { 5162 goto free_and_return; 5163 } 5164 5165 switch (filterop) { 5166 case '<': /* LDAP_FILTER_LE */ 5167 case '>': /* LDAP_FILTER_GE */ 5168 case '~': /* LDAP_FILTER_APPROX */ 5169 break; 5170 case ':': /* extended filter - v3 only */ 5171 /* 5172 * extended filter looks like this: 5173 * 5174 * [type][':dn'][':'oid]':='value 5175 * 5176 * where one of type or :oid is required. 5177 * 5178 */ 5179 s2 = s3 = NULL; 5180 if ((s2 = strrchr(str, ':')) == NULL) { 5181 goto free_and_return; 5182 } 5183 if (strcasecmp(s2, ":dn") == 0) { 5184 *s2 = '\0'; 5185 } else { 5186 *s2 = '\0'; 5187 if ((s3 = strrchr(str, ':')) != NULL) { 5188 if (strcasecmp(s3, ":dn") != 0) { 5189 goto free_and_return; 5190 } 5191 *s3 = '\0'; 5192 } 5193 } 5194 if (unescape_filterval(value) < 0) { 5195 goto free_and_return; 5196 } 5197 rc = 0; 5198 goto free_and_return; 5199 /* break; */ 5200 default: 5201 if (find_star(value) == NULL) { 5202 ftype = 0; /* LDAP_FILTER_EQUALITY */ 5203 } else if (strcmp(value, "*") == 0) { 5204 ftype = 1; /* LDAP_FILTER_PRESENT */ 5205 } else { 5206 rc = adj_substring_filter(value); 5207 goto free_and_return; 5208 } 5209 break; 5210 } 5211 5212 if (ftype != 0) { /* == LDAP_FILTER_PRESENT */ 5213 rc = 0; 5214 } else if (unescape_filterval(value) >= 0) { 5215 rc = 0; 5216 } 5217 if (rc != -1) { 5218 rc = 0; 5219 } 5220 5221 free_and_return: 5222 free(str); 5223 return (rc); 5224 } 5225 5226 5227 /* 5228 * Check in place both LDAPv2 (RFC-1960) and LDAPv3 (hexadecimal) escape 5229 * sequences within the null-terminated string 'val'. 5230 * 5231 * If 'val' contains invalid escape sequences we return -1. 5232 * Otherwise return 1 5233 */ 5234 static int 5235 unescape_filterval(char *val) 5236 { 5237 boolean_t escape, firstdigit; 5238 char *s; 5239 5240 firstdigit = B_FALSE; 5241 escape = B_FALSE; 5242 for (s = val; *s; s++) { 5243 if (escape) { 5244 /* 5245 * first try LDAPv3 escape (hexadecimal) sequence 5246 */ 5247 if (hexchar2int(*s) < 0) { 5248 if (firstdigit) { 5249 /* 5250 * LDAPv2 (RFC1960) escape sequence 5251 */ 5252 escape = B_FALSE; 5253 } else { 5254 return (-1); 5255 } 5256 } 5257 if (firstdigit) { 5258 firstdigit = B_FALSE; 5259 } else { 5260 escape = B_FALSE; 5261 } 5262 5263 } else if (*s != '\\') { 5264 escape = B_FALSE; 5265 5266 } else { 5267 escape = B_TRUE; 5268 firstdigit = B_TRUE; 5269 } 5270 } 5271 5272 return (1); 5273 } 5274 5275 5276 /* 5277 * convert character 'c' that represents a hexadecimal digit to an integer. 5278 * if 'c' is not a hexidecimal digit [0-9A-Fa-f], -1 is returned. 5279 * otherwise the converted value is returned. 5280 */ 5281 static int 5282 hexchar2int(char c) 5283 { 5284 if (c >= '0' && c <= '9') { 5285 return (c - '0'); 5286 } 5287 if (c >= 'A' && c <= 'F') { 5288 return (c - 'A' + 10); 5289 } 5290 if (c >= 'a' && c <= 'f') { 5291 return (c - 'a' + 10); 5292 } 5293 return (-1); 5294 } 5295 5296 static int 5297 adj_substring_filter(char *val) 5298 { 5299 char *nextstar; 5300 5301 for (; val != NULL; val = nextstar) { 5302 if ((nextstar = find_star(val)) != NULL) { 5303 *nextstar++ = '\0'; 5304 } 5305 5306 if (*val != '\0') { 5307 if (unescape_filterval(val) < 0) { 5308 return (-1); 5309 } 5310 } 5311 } 5312 5313 return (0); 5314 } 5315 5316 /* ***** End of modified libldap.so.5 filter parser ***** */ 5317 5318 5319 /* 5320 * Walk filter, remove redundant parentheses in-line 5321 * verify that the filter is reasonable 5322 */ 5323 static int 5324 validate_filter(ns_ldap_cookie_t *cookie) 5325 { 5326 char *filter = cookie->filter; 5327 int rc; 5328 5329 /* Parse filter looking for illegal values */ 5330 5331 rc = adj_filter(filter); 5332 if (rc != 0) { 5333 return (NS_LDAP_OP_FAILED); 5334 } 5335 5336 /* end of filter checking */ 5337 5338 return (NS_LDAP_SUCCESS); 5339 } 5340 5341 /* 5342 * Set the account management request control that needs to be sent to server. 5343 * This control is required to get the account management information of 5344 * a user to do local account checking. 5345 */ 5346 static int 5347 setup_acctmgmt_params(ns_ldap_cookie_t *cookie) 5348 { 5349 LDAPControl *req, **requestctrls; 5350 5351 req = calloc(1, sizeof (LDAPControl)); 5352 5353 if (req == NULL) 5354 return (NS_LDAP_MEMORY); 5355 5356 /* fill in the fields of this new control */ 5357 req->ldctl_iscritical = 1; 5358 req->ldctl_oid = strdup(NS_LDAP_ACCOUNT_USABLE_CONTROL); 5359 if (req->ldctl_oid == NULL) { 5360 free(req); 5361 return (NS_LDAP_MEMORY); 5362 } 5363 5364 requestctrls = (LDAPControl **)calloc(2, sizeof (LDAPControl *)); 5365 if (requestctrls == NULL) { 5366 ldap_control_free(req); 5367 return (NS_LDAP_MEMORY); 5368 } 5369 5370 requestctrls[0] = req; 5371 5372 cookie->p_serverctrls = requestctrls; 5373 5374 return (NS_LDAP_SUCCESS); 5375 } 5376 5377 /* 5378 * int get_new_acct_more_info(BerElement *ber, 5379 * AcctUsableResponse_t *acctResp) 5380 * 5381 * Decode the more_info data from an Account Management control response, 5382 * when the account is not usable and when code style is from recent LDAP 5383 * servers (see below comments for parse_acct_cont_resp_msg() to get more 5384 * details on coding styles and ASN1 description). 5385 * 5386 * Expected BER encoding: {tbtbtbtiti} 5387 * +t: tag is 0 5388 * +b: TRUE if inactive due to account inactivation 5389 * +t: tag is 1 5390 * +b: TRUE if password has been reset 5391 * +t: tag is 2 5392 * +b: TRUE if password is expired 5393 * +t: tag is 3 5394 * +i: contains num of remaining grace, 0 means no grace 5395 * +t: tag is 4 5396 * +i: contains num of seconds before auto-unlock. -1 means acct is locked 5397 * forever (i.e. until reset) 5398 * 5399 * Asumptions: 5400 * - ber is not null 5401 * - acctResp is not null and is initialized with default values for the 5402 * fields in its AcctUsableResp.more_info structure 5403 * - the ber stream is received in the correct order, per the ASN1 description. 5404 * We do not check this order and make the asumption that it is correct. 5405 * Note that the ber stream may not (and will not in most cases) contain 5406 * all fields. 5407 */ 5408 static int 5409 get_new_acct_more_info(BerElement *ber, AcctUsableResponse_t *acctResp) 5410 { 5411 int rc = NS_LDAP_SUCCESS; 5412 char errstr[MAXERROR]; 5413 ber_tag_t rTag = LBER_DEFAULT; 5414 ber_len_t rLen = 0; 5415 ber_int_t rValue; 5416 char *last; 5417 int berRC = 0; 5418 5419 /* 5420 * Look at what more_info BER element is/are left to be decoded. 5421 * look at each of them 1 by 1, without checking on their order 5422 * and possible multi values. 5423 */ 5424 for (rTag = ber_first_element(ber, &rLen, &last); 5425 rTag != LBER_END_OF_SEQORSET; 5426 rTag = ber_next_element(ber, &rLen, last)) { 5427 5428 berRC = 0; 5429 switch (rTag) { 5430 case 0 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE: 5431 /* inactive */ 5432 berRC = ber_scanf(ber, "b", &rValue); 5433 if (berRC != LBER_ERROR) { 5434 (acctResp->AcctUsableResp).more_info. 5435 inactive = (rValue != 0) ? 1 : 0; 5436 } 5437 break; 5438 5439 case 1 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE: 5440 /* reset */ 5441 berRC = ber_scanf(ber, "b", &rValue); 5442 if (berRC != LBER_ERROR) { 5443 (acctResp->AcctUsableResp).more_info.reset 5444 = (rValue != 0) ? 1 : 0; 5445 } 5446 break; 5447 5448 case 2 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE: 5449 /* expired */ 5450 berRC = ber_scanf(ber, "b", &rValue); 5451 if (berRC != LBER_ERROR) { 5452 (acctResp->AcctUsableResp).more_info.expired 5453 = (rValue != 0) ? 1 : 0; 5454 } 5455 break; 5456 5457 case 3 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE: 5458 /* remaining grace */ 5459 berRC = ber_scanf(ber, "i", &rValue); 5460 if (berRC != LBER_ERROR) { 5461 (acctResp->AcctUsableResp).more_info.rem_grace 5462 = rValue; 5463 } 5464 break; 5465 5466 case 4 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE: 5467 /* seconds before unlock */ 5468 berRC = ber_scanf(ber, "i", &rValue); 5469 if (berRC != LBER_ERROR) { 5470 (acctResp->AcctUsableResp).more_info. 5471 sec_b4_unlock = rValue; 5472 } 5473 break; 5474 5475 default : 5476 (void) sprintf(errstr, 5477 gettext("invalid reason tag 0x%x"), rTag); 5478 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5479 rc = NS_LDAP_INTERNAL; 5480 break; 5481 } 5482 if (berRC == LBER_ERROR) { 5483 (void) sprintf(errstr, 5484 gettext("error 0x%x decoding value for " 5485 "tag 0x%x"), berRC, rTag); 5486 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5487 rc = NS_LDAP_INTERNAL; 5488 } 5489 if (rc != NS_LDAP_SUCCESS) { 5490 /* exit the for loop */ 5491 break; 5492 } 5493 } 5494 5495 return (rc); 5496 } 5497 5498 /* 5499 * int get_old_acct_opt_more_info(BerElement *ber, 5500 * AcctUsableResponse_t *acctResp) 5501 * 5502 * Decode the optional more_info data from an Account Management control 5503 * response, when the account is not usable and when code style is from LDAP 5504 * server 5.2p4 (see below comments for parse_acct_cont_resp_msg() to get more 5505 * details on coding styles and ASN1 description). 5506 * 5507 * Expected BER encoding: titi} 5508 * +t: tag is 2 5509 * +i: contains num of remaining grace, 0 means no grace 5510 * +t: tag is 3 5511 * +i: contains num of seconds before auto-unlock. -1 means acct is locked 5512 * forever (i.e. until reset) 5513 * 5514 * Asumptions: 5515 * - ber is a valid BER element 5516 * - acctResp is initialized for the fields in its AcctUsableResp.more_info 5517 * structure 5518 */ 5519 static int 5520 get_old_acct_opt_more_info(ber_tag_t tag, BerElement *ber, 5521 AcctUsableResponse_t *acctResp) 5522 { 5523 int rc = NS_LDAP_SUCCESS; 5524 char errstr[MAXERROR]; 5525 ber_len_t len; 5526 int rem_grace, sec_b4_unlock; 5527 5528 switch (tag) { 5529 case 2: 5530 /* decode and maybe 3 is following */ 5531 if ((tag = ber_scanf(ber, "i", &rem_grace)) == LBER_ERROR) { 5532 (void) sprintf(errstr, gettext("Can not get " 5533 "rem_grace")); 5534 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5535 rc = NS_LDAP_INTERNAL; 5536 break; 5537 } 5538 (acctResp->AcctUsableResp).more_info.rem_grace = rem_grace; 5539 5540 if ((tag = ber_peek_tag(ber, &len)) == LBER_ERROR) { 5541 /* this is a success case, break to exit */ 5542 (void) sprintf(errstr, gettext("No more " 5543 "optional data")); 5544 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5545 break; 5546 } 5547 5548 if (tag == 3) { 5549 if (ber_scanf(ber, "i", &sec_b4_unlock) == LBER_ERROR) { 5550 (void) sprintf(errstr, 5551 gettext("Can not get sec_b4_unlock " 5552 "- 1st case")); 5553 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5554 rc = NS_LDAP_INTERNAL; 5555 break; 5556 } 5557 (acctResp->AcctUsableResp).more_info.sec_b4_unlock = 5558 sec_b4_unlock; 5559 } else { /* unknown tag */ 5560 (void) sprintf(errstr, gettext("Unknown tag " 5561 "- 1st case")); 5562 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5563 rc = NS_LDAP_INTERNAL; 5564 break; 5565 } 5566 break; 5567 5568 case 3: 5569 if (ber_scanf(ber, "i", &sec_b4_unlock) == LBER_ERROR) { 5570 (void) sprintf(errstr, gettext("Can not get " 5571 "sec_b4_unlock - 2nd case")); 5572 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5573 rc = NS_LDAP_INTERNAL; 5574 break; 5575 } 5576 (acctResp->AcctUsableResp).more_info.sec_b4_unlock = 5577 sec_b4_unlock; 5578 break; 5579 5580 default: /* unknown tag */ 5581 (void) sprintf(errstr, gettext("Unknown tag - 2nd case")); 5582 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5583 rc = NS_LDAP_INTERNAL; 5584 break; 5585 } 5586 5587 return (rc); 5588 } 5589 5590 /* 5591 * **** This function needs to be moved to libldap library **** 5592 * parse_acct_cont_resp_msg() parses the message received by server according to 5593 * following format (ASN1 notation): 5594 * 5595 * ACCOUNT_USABLE_RESPONSE::= CHOICE { 5596 * is_available [0] INTEGER, 5597 * ** seconds before expiration ** 5598 * is_not_available [1] more_info 5599 * } 5600 * more_info::= SEQUENCE { 5601 * inactive [0] BOOLEAN DEFAULT FALSE, 5602 * reset [1] BOOLEAN DEFAULT FALSE, 5603 * expired [2] BOOLEAN DEFAULT FALSE, 5604 * remaining_grace [3] INTEGER OPTIONAL, 5605 * seconds_before_unlock [4] INTEGER OPTIONAL 5606 * } 5607 */ 5608 /* 5609 * #define used to make the difference between coding style as done 5610 * by LDAP server 5.2p4 and newer LDAP servers. There are 4 values: 5611 * - DS52p4_USABLE: 5.2p4 coding style, account is usable 5612 * - DS52p4_NOT_USABLE: 5.2p4 coding style, account is not usable 5613 * - NEW_USABLE: newer LDAP servers coding style, account is usable 5614 * - NEW_NOT_USABLE: newer LDAP servers coding style, account is not usable 5615 * 5616 * An account would be considered not usable if for instance: 5617 * - it's been made inactive in the LDAP server 5618 * - or its password was reset in the LDAP server database 5619 * - or its password expired 5620 * - or the account has been locked, possibly forever 5621 */ 5622 #define DS52p4_USABLE 0x00 5623 #define DS52p4_NOT_USABLE 0x01 5624 #define NEW_USABLE 0x00 | LBER_CLASS_CONTEXT | LBER_PRIMITIVE 5625 #define NEW_NOT_USABLE 0x01 | LBER_CLASS_CONTEXT | LBER_CONSTRUCTED 5626 static int 5627 parse_acct_cont_resp_msg(LDAPControl **ectrls, AcctUsableResponse_t *acctResp) 5628 { 5629 int rc = NS_LDAP_SUCCESS; 5630 BerElement *ber; 5631 ber_tag_t tag; 5632 ber_len_t len; 5633 int i; 5634 char errstr[MAXERROR]; 5635 /* used for any coding style when account is usable */ 5636 int seconds_before_expiry; 5637 /* used for 5.2p4 coding style when account is not usable */ 5638 int inactive, reset, expired; 5639 5640 if (ectrls == NULL) { 5641 (void) sprintf(errstr, gettext("Invalid ectrls parameter")); 5642 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5643 return (NS_LDAP_INVALID_PARAM); 5644 } 5645 5646 for (i = 0; ectrls[i] != NULL; i++) { 5647 if (strcmp(ectrls[i]->ldctl_oid, NS_LDAP_ACCOUNT_USABLE_CONTROL) 5648 == 0) { 5649 break; 5650 } 5651 } 5652 5653 if (ectrls[i] == NULL) { 5654 /* Ldap control is not found */ 5655 (void) sprintf(errstr, gettext("Account Usable Control " 5656 "not found")); 5657 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5658 return (NS_LDAP_NOTFOUND); 5659 } 5660 5661 /* Allocate a BER element from the control value and parse it. */ 5662 if ((ber = ber_init(&ectrls[i]->ldctl_value)) == NULL) 5663 return (NS_LDAP_MEMORY); 5664 5665 if ((tag = ber_peek_tag(ber, &len)) == LBER_ERROR) { 5666 /* Ldap decoding error */ 5667 (void) sprintf(errstr, gettext("Error decoding 1st tag")); 5668 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5669 ber_free(ber, 1); 5670 return (NS_LDAP_INTERNAL); 5671 } 5672 5673 switch (tag) { 5674 case DS52p4_USABLE: 5675 case NEW_USABLE: 5676 acctResp->choice = 0; 5677 if (ber_scanf(ber, "i", &seconds_before_expiry) 5678 == LBER_ERROR) { 5679 /* Ldap decoding error */ 5680 (void) sprintf(errstr, gettext("Can not get " 5681 "seconds_before_expiry")); 5682 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5683 rc = NS_LDAP_INTERNAL; 5684 break; 5685 } 5686 /* ber_scanf() succeeded */ 5687 (acctResp->AcctUsableResp).seconds_before_expiry = 5688 seconds_before_expiry; 5689 break; 5690 5691 case DS52p4_NOT_USABLE: 5692 acctResp->choice = 1; 5693 if (ber_scanf(ber, "{bbb", &inactive, &reset, &expired) 5694 == LBER_ERROR) { 5695 /* Ldap decoding error */ 5696 (void) sprintf(errstr, gettext("Can not get " 5697 "inactive/reset/expired")); 5698 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5699 rc = NS_LDAP_INTERNAL; 5700 break; 5701 } 5702 /* ber_scanf() succeeded */ 5703 (acctResp->AcctUsableResp).more_info.inactive = 5704 ((inactive == 0) ? 0 : 1); 5705 (acctResp->AcctUsableResp).more_info.reset = 5706 ((reset == 0) ? 0 : 1); 5707 (acctResp->AcctUsableResp).more_info.expired = 5708 ((expired == 0) ? 0 : 1); 5709 (acctResp->AcctUsableResp).more_info.rem_grace = 0; 5710 (acctResp->AcctUsableResp).more_info.sec_b4_unlock = 0; 5711 5712 if ((tag = ber_peek_tag(ber, &len)) == LBER_ERROR) { 5713 /* this is a success case, break to exit */ 5714 (void) sprintf(errstr, gettext("No optional data")); 5715 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5716 break; 5717 } 5718 5719 /* 5720 * Look at what optional more_info BER element is/are 5721 * left to be decoded. 5722 */ 5723 rc = get_old_acct_opt_more_info(tag, ber, acctResp); 5724 break; 5725 5726 case NEW_NOT_USABLE: 5727 acctResp->choice = 1; 5728 /* 5729 * Recent LDAP servers won't code more_info data for default 5730 * values (see above comments on ASN1 description for what 5731 * fields have default values & what fields are optional). 5732 */ 5733 (acctResp->AcctUsableResp).more_info.inactive = 0; 5734 (acctResp->AcctUsableResp).more_info.reset = 0; 5735 (acctResp->AcctUsableResp).more_info.expired = 0; 5736 (acctResp->AcctUsableResp).more_info.rem_grace = 0; 5737 (acctResp->AcctUsableResp).more_info.sec_b4_unlock = 0; 5738 5739 if (len == 0) { 5740 /* 5741 * Nothing else to decode; this is valid and we 5742 * use default values set above. 5743 */ 5744 (void) sprintf(errstr, gettext("more_info is " 5745 "empty, using default values")); 5746 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5747 break; 5748 } 5749 5750 /* 5751 * Look at what more_info BER element is/are left to 5752 * be decoded. 5753 */ 5754 rc = get_new_acct_more_info(ber, acctResp); 5755 break; 5756 5757 default: 5758 (void) sprintf(errstr, gettext("unknwon coding style " 5759 "(tag: 0x%x)"), tag); 5760 syslog(LOG_DEBUG, "libsldap: %s", errstr); 5761 rc = NS_LDAP_INTERNAL; 5762 break; 5763 } 5764 5765 ber_free(ber, 1); 5766 return (rc); 5767 } 5768 5769 /* 5770 * internal function for __ns_ldap_getAcctMgmt() 5771 */ 5772 static int 5773 getAcctMgmt(const char *user, AcctUsableResponse_t *acctResp, 5774 ns_conn_user_t *conn_user) 5775 { 5776 int scope, rc; 5777 ns_ldap_cookie_t *cookie; 5778 ns_ldap_search_desc_t **sdlist = NULL; 5779 ns_ldap_search_desc_t *dptr; 5780 ns_ldap_error_t *error = NULL; 5781 char **dns = NULL; 5782 char service[] = "shadow"; 5783 5784 if (user == NULL || acctResp == NULL) 5785 return (NS_LDAP_INVALID_PARAM); 5786 5787 /* Initialize State machine cookie */ 5788 cookie = init_search_state_machine(); 5789 if (cookie == NULL) 5790 return (NS_LDAP_MEMORY); 5791 cookie->conn_user = conn_user; 5792 5793 /* see if need to follow referrals */ 5794 rc = __s_api_toFollowReferrals(0, 5795 &cookie->followRef, &error); 5796 if (rc != NS_LDAP_SUCCESS) { 5797 (void) __ns_ldap_freeError(&error); 5798 goto out; 5799 } 5800 5801 /* get the service descriptor - or create a default one */ 5802 rc = __s_api_get_SSD_from_SSDtoUse_service(service, 5803 &sdlist, &error); 5804 if (rc != NS_LDAP_SUCCESS) { 5805 (void) __ns_ldap_freeError(&error); 5806 goto out; 5807 } 5808 5809 if (sdlist == NULL) { 5810 /* Create default service Desc */ 5811 sdlist = (ns_ldap_search_desc_t **)calloc(2, 5812 sizeof (ns_ldap_search_desc_t *)); 5813 if (sdlist == NULL) { 5814 rc = NS_LDAP_MEMORY; 5815 goto out; 5816 } 5817 dptr = (ns_ldap_search_desc_t *) 5818 calloc(1, sizeof (ns_ldap_search_desc_t)); 5819 if (dptr == NULL) { 5820 free(sdlist); 5821 rc = NS_LDAP_MEMORY; 5822 goto out; 5823 } 5824 sdlist[0] = dptr; 5825 5826 /* default base */ 5827 rc = __s_api_getDNs(&dns, service, &cookie->errorp); 5828 if (rc != NS_LDAP_SUCCESS) { 5829 if (dns) { 5830 __s_api_free2dArray(dns); 5831 dns = NULL; 5832 } 5833 (void) __ns_ldap_freeError(&(cookie->errorp)); 5834 cookie->errorp = NULL; 5835 goto out; 5836 } 5837 dptr->basedn = strdup(dns[0]); 5838 if (dptr->basedn == NULL) { 5839 free(sdlist); 5840 free(dptr); 5841 if (dns) { 5842 __s_api_free2dArray(dns); 5843 dns = NULL; 5844 } 5845 rc = NS_LDAP_MEMORY; 5846 goto out; 5847 } 5848 __s_api_free2dArray(dns); 5849 dns = NULL; 5850 5851 /* default scope */ 5852 scope = 0; 5853 rc = __s_api_getSearchScope(&scope, &cookie->errorp); 5854 dptr->scope = scope; 5855 } 5856 5857 cookie->sdlist = sdlist; 5858 5859 cookie->service = strdup(service); 5860 if (cookie->service == NULL) { 5861 rc = NS_LDAP_MEMORY; 5862 goto out; 5863 } 5864 5865 /* search for entries for this particular uid */ 5866 (void) asprintf(&cookie->i_filter, "(uid=%s)", user); 5867 if (cookie->i_filter == NULL) { 5868 rc = NS_LDAP_MEMORY; 5869 goto out; 5870 } 5871 5872 /* create the control request */ 5873 if ((rc = setup_acctmgmt_params(cookie)) != NS_LDAP_SUCCESS) 5874 goto out; 5875 5876 /* Process search */ 5877 rc = search_state_machine(cookie, GET_ACCT_MGMT_INFO, 0); 5878 5879 /* Copy results back to user */ 5880 rc = cookie->err_rc; 5881 if (rc != NS_LDAP_SUCCESS) 5882 (void) __ns_ldap_freeError(&(cookie->errorp)); 5883 5884 if (cookie->result == NULL) 5885 goto out; 5886 5887 if ((rc = parse_acct_cont_resp_msg(cookie->resultctrl, acctResp)) 5888 != NS_LDAP_SUCCESS) 5889 goto out; 5890 5891 rc = NS_LDAP_SUCCESS; 5892 5893 out: 5894 delete_search_cookie(cookie); 5895 5896 return (rc); 5897 } 5898 5899 /* 5900 * __ns_ldap_getAcctMgmt() is called from pam account management stack 5901 * for retrieving accounting information of users with no user password - 5902 * eg. rlogin, rsh, etc. This function uses the account management control 5903 * request to do a search on the server for the user in question. The 5904 * response control returned from the server is got from the cookie. 5905 * Input params: username of whose account mgmt information is to be got 5906 * pointer to hold the parsed account management information 5907 * Return values: NS_LDAP_SUCCESS on success or appropriate error 5908 * code on failure 5909 */ 5910 int 5911 __ns_ldap_getAcctMgmt(const char *user, AcctUsableResponse_t *acctResp) 5912 { 5913 ns_conn_user_t *cu = NULL; 5914 int try_cnt = 0; 5915 int rc = NS_LDAP_SUCCESS; 5916 ns_ldap_error_t *error = NULL; 5917 5918 for (;;) { 5919 if (__s_api_setup_retry_search(&cu, NS_CONN_USER_SEARCH, 5920 &try_cnt, &rc, &error) == 0) 5921 break; 5922 rc = getAcctMgmt(user, acctResp, cu); 5923 } 5924 return (rc); 5925 } 5926