xref: /illumos-gate/usr/src/lib/nsswitch/ldap/common/getgrent.c (revision 2654012f83cec5dc15b61dfe3e4a4915f186e7a6)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <grp.h>
29 #include "ldap_common.h"
30 
31 /* String which may need to be removed from beginning of group password */
32 #define	_CRYPT		"{CRYPT}"
33 #define	_NO_PASSWD_VAL	""
34 
35 /* Group attributes filters */
36 #define	_G_NAME		"cn"
37 #define	_G_GID		"gidnumber"
38 #define	_G_PASSWD	"userpassword"
39 #define	_G_MEM		"memberuid"
40 
41 #define	_F_GETGRNAM	"(&(objectClass=posixGroup)(cn=%s))"
42 #define	_F_GETGRNAM_SSD	"(&(%%s)(cn=%s))"
43 #define	_F_GETGRGID	"(&(objectClass=posixGroup)(gidNumber=%u))"
44 #define	_F_GETGRGID_SSD	"(&(%%s)(gidNumber=%u))"
45 #define	_F_GETGRMEM	"(&(objectClass=posixGroup)(memberUid=%s))"
46 #define	_F_GETGRMEM_SSD	"(&(%%s)(memberUid=%s))"
47 
48 static const char *gr_attrs[] = {
49 	_G_NAME,
50 	_G_GID,
51 	_G_PASSWD,
52 	_G_MEM,
53 	(char *)NULL
54 };
55 
56 
57 /*
58  * _nss_ldap_group2str is the data marshaling method for the group getXbyY
59  * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
60  * is called after a successful ldap search has been performed. This method
61  * will parse the ldap search values into the file format.
62  * e.g.
63  *
64  * adm::4:root,adm,daemon
65  *
66  */
67 
68 static int
69 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
70 {
71 	int		i;
72 	int		nss_result;
73 	int		buflen = 0, len;
74 	int		firstime = 1;
75 	char		*buffer = NULL;
76 	ns_ldap_result_t	*result = be->result;
77 	char		**gname, **passwd, **gid, *password;
78 	ns_ldap_attr_t	*members;
79 
80 
81 	if (result == NULL)
82 		return (NSS_STR_PARSE_PARSE);
83 	buflen = argp->buf.buflen;
84 
85 	if (argp->buf.result != NULL) {
86 		if ((be->buffer = calloc(1, buflen)) == NULL) {
87 			nss_result = NSS_STR_PARSE_PARSE;
88 			goto result_grp2str;
89 		}
90 		buffer = be->buffer;
91 	} else
92 		buffer = argp->buf.buffer;
93 
94 	nss_result = NSS_STR_PARSE_SUCCESS;
95 	(void) memset(buffer, 0, buflen);
96 
97 	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
98 	if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
99 		nss_result = NSS_STR_PARSE_PARSE;
100 		goto result_grp2str;
101 	}
102 	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
103 	if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
104 		/* group password could be NULL, replace it with "" */
105 		password = _NO_PASSWD_VAL;
106 	} else {
107 		/*
108 		 * Preen "{crypt}" if necessary.
109 		 * If the password does not include the {crypt} prefix
110 		 * then the password may be plain text.  And thus
111 		 * perhaps crypt(3c) should be used to encrypt it.
112 		 * Currently the password is copied verbatim.
113 		 */
114 		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
115 			password = passwd[0] + strlen(_CRYPT);
116 		else
117 			password = passwd[0];
118 	}
119 	gid = __ns_ldap_getAttr(result->entry, _G_GID);
120 	if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
121 		nss_result = NSS_STR_PARSE_PARSE;
122 		goto result_grp2str;
123 	}
124 	len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]);
125 	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
126 
127 	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
128 	if (members == NULL || members->attrvalue == NULL) {
129 		/* no member is fine, skip processing the member list */
130 		goto nomember;
131 	}
132 
133 	for (i = 0; i < members->value_count; i++) {
134 		if (members->attrvalue[i] == NULL) {
135 			nss_result = NSS_STR_PARSE_PARSE;
136 			goto result_grp2str;
137 		}
138 		if (firstime) {
139 			len = snprintf(buffer, buflen, "%s",
140 			    members->attrvalue[i]);
141 			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
142 			firstime = 0;
143 		} else {
144 			len = snprintf(buffer, buflen, ",%s",
145 			    members->attrvalue[i]);
146 			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
147 		}
148 	}
149 nomember:
150 	/* The front end marshaller doesn't need the trailing nulls */
151 	if (argp->buf.result != NULL)
152 		be->buflen = strlen(be->buffer);
153 result_grp2str:
154 	(void) __ns_ldap_freeResult(&be->result);
155 	return (nss_result);
156 }
157 
158 /*
159  * getbynam gets a group entry by name. This function constructs an ldap
160  * search filter using the name invocation parameter and the getgrnam search
161  * filter defined. Once the filter is constructed, we searche for a matching
162  * entry and marshal the data results into struct group for the frontend
163  * process. The function _nss_ldap_group2ent performs the data marshaling.
164  */
165 
166 static nss_status_t
167 getbynam(ldap_backend_ptr be, void *a)
168 {
169 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
170 	char		searchfilter[SEARCHFILTERLEN];
171 	char		userdata[SEARCHFILTERLEN];
172 	char		groupname[SEARCHFILTERLEN];
173 	int		ret;
174 
175 	if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname)) !=
176 	    0)
177 		return ((nss_status_t)NSS_NOTFOUND);
178 
179 	ret = snprintf(searchfilter, sizeof (searchfilter),
180 	    _F_GETGRNAM, groupname);
181 	if (ret >= sizeof (searchfilter) || ret < 0)
182 		return ((nss_status_t)NSS_NOTFOUND);
183 
184 	ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname);
185 	if (ret >= sizeof (userdata) || ret < 0)
186 		return ((nss_status_t)NSS_NOTFOUND);
187 
188 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
189 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
190 }
191 
192 
193 /*
194  * getbygid gets a group entry by number. This function constructs an ldap
195  * search filter using the name invocation parameter and the getgrgid search
196  * filter defined. Once the filter is constructed, we searche for a matching
197  * entry and marshal the data results into struct group for the frontend
198  * process. The function _nss_ldap_group2ent performs the data marshaling.
199  */
200 
201 static nss_status_t
202 getbygid(ldap_backend_ptr be, void *a)
203 {
204 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
205 	char searchfilter[SEARCHFILTERLEN];
206 	char userdata[SEARCHFILTERLEN];
207 	int ret;
208 
209 	ret = snprintf(searchfilter, sizeof (searchfilter),
210 	    _F_GETGRGID, argp->key.uid);
211 	if (ret >= sizeof (searchfilter) || ret < 0)
212 		return ((nss_status_t)NSS_NOTFOUND);
213 
214 	ret = snprintf(userdata, sizeof (userdata),
215 	    _F_GETGRGID_SSD, argp->key.uid);
216 	if (ret >= sizeof (userdata) || ret < 0)
217 		return ((nss_status_t)NSS_NOTFOUND);
218 
219 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
220 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
221 
222 }
223 
224 
225 /*
226  * getbymember returns all groups a user is defined in. This function
227  * uses different architectural procedures than the other group backend
228  * system calls because it's a private interface. This function constructs
229  * an ldap search filter using the name invocation parameter. Once the
230  * filter is constructed, we search for all matching groups counting
231  * and storing each group name, gid, etc. Data marshaling is used for
232  * group processing. The function _nss_ldap_group2ent() performs the
233  * data marshaling.
234  *
235  * (const char *)argp->username;	(size_t)strlen(argp->username);
236  * (gid_t)argp->gid_array;		(int)argp->maxgids;
237  * (int)argp->numgids;
238  */
239 
240 static nss_status_t
241 getbymember(ldap_backend_ptr be, void *a)
242 {
243 	int			i, j, k;
244 	int			gcnt = (int)0;
245 	char			**groupvalue, **membervalue;
246 	nss_status_t		lstat;
247 	struct nss_groupsbymem	*argp = (struct nss_groupsbymem *)a;
248 	char			searchfilter[SEARCHFILTERLEN];
249 	char			userdata[SEARCHFILTERLEN];
250 	char			name[SEARCHFILTERLEN];
251 	ns_ldap_result_t	*result;
252 	ns_ldap_entry_t		*curEntry;
253 	char			*username;
254 	gid_t			gid;
255 	int			ret;
256 
257 	if (strcmp(argp->username, "") == 0 ||
258 	    strcmp(argp->username, "root") == 0)
259 		return ((nss_status_t)NSS_NOTFOUND);
260 
261 	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
262 		return ((nss_status_t)NSS_NOTFOUND);
263 
264 	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name);
265 	if (ret >= sizeof (searchfilter) || ret < 0)
266 		return ((nss_status_t)NSS_NOTFOUND);
267 
268 	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name);
269 	if (ret >= sizeof (userdata) || ret < 0)
270 		return ((nss_status_t)NSS_NOTFOUND);
271 
272 	gcnt = (int)argp->numgids;
273 	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
274 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata);
275 	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
276 		return ((nss_status_t)lstat);
277 	if (be->result == NULL)
278 		return (NSS_NOTFOUND);
279 	username = (char *)argp->username;
280 	result = (ns_ldap_result_t *)be->result;
281 	curEntry = (ns_ldap_entry_t *)result->entry;
282 	for (i = 0; i < result->entries_count; i++) {
283 		membervalue = __ns_ldap_getAttr(curEntry, "memberUid");
284 		if (membervalue) {
285 			for (j = 0; membervalue[j]; j++) {
286 				if (strcmp(membervalue[j], username) == NULL) {
287 					groupvalue = __ns_ldap_getAttr(curEntry,
288 					    "gidnumber");
289 					gid = (gid_t)strtol(groupvalue[0],
290 					    (char **)NULL, 10);
291 					if (argp->numgids < argp->maxgids) {
292 						for (k = 0; k < argp->numgids;
293 						    k++) {
294 							if (argp->gid_array[k]
295 							    == gid)
296 						    /* already exists */
297 						break;
298 					}
299 					if (k == argp->numgids)
300 						argp->gid_array[argp->numgids++]
301 						    = gid;
302 					}
303 					break;
304 				}
305 			}
306 		}
307 		curEntry = curEntry->next;
308 	}
309 
310 	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
311 	if (gcnt == argp->numgids)
312 		return ((nss_status_t)NSS_NOTFOUND);
313 
314 	/*
315 	 * Return NSS_SUCCESS only if array is full.
316 	 * Explained in <nss_dbdefs.h>.
317 	 */
318 	return ((nss_status_t)((argp->numgids == argp->maxgids)
319 	    ? NSS_SUCCESS
320 	    : NSS_NOTFOUND));
321 }
322 
323 static ldap_backend_op_t gr_ops[] = {
324 	_nss_ldap_destr,
325 	_nss_ldap_endent,
326 	_nss_ldap_setent,
327 	_nss_ldap_getent,
328 	getbynam,
329 	getbygid,
330 	getbymember
331 };
332 
333 
334 /*ARGSUSED0*/
335 nss_backend_t *
336 _nss_ldap_group_constr(const char *dummy1, const char *dummy2,
337 			const char *dummy3)
338 {
339 
340 	return ((nss_backend_t *)_nss_ldap_constr(gr_ops,
341 	    sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs,
342 	    _nss_ldap_group2str));
343 }
344