1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include "ldap_common.h"
30 
31 /* String which may need to be removed from beginning of group password */
32 #define	_CRYPT		"{CRYPT}"
33 #define	_NO_PASSWD_VAL	""
34 
35 /* Group attributes filters */
36 #define	_G_NAME		"cn"
37 #define	_G_GID		"gidnumber"
38 #define	_G_PASSWD	"userpassword"
39 #define	_G_MEM		"memberuid"
40 
41 #define	_F_GETGRNAM	"(&(objectClass=posixGroup)(cn=%s))"
42 #define	_F_GETGRNAM_SSD	"(&(%%s)(cn=%s))"
43 #define	_F_GETGRGID	"(&(objectClass=posixGroup)(gidNumber=%ld))"
44 #define	_F_GETGRGID_SSD	"(&(%%s)(gidNumber=%ld))"
45 #define	_F_GETGRMEM	"(&(objectClass=posixGroup)(memberUid=%s))"
46 #define	_F_GETGRMEM_SSD	"(&(%%s)(memberUid=%s))"
47 
/*
 * Attributes requested from the directory for a posixGroup entry.
 * NULL-terminated so the generic backend can walk it.
 */
static const char *gr_attrs[] = {
	_G_NAME,	/* cn */
	_G_GID,		/* gidnumber */
	_G_PASSWD,	/* userpassword */
	_G_MEM,		/* memberuid */
	NULL
};
55 
56 
57 /*
58  * _nss_ldap_group2str is the data marshaling method for the group getXbyY
59  * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
60  * is called after a successful ldap search has been performed. This method
61  * will parse the ldap search values into the file format.
62  * e.g.
63  *
64  * adm::4:root,adm,daemon
65  *
66  */
67 
/*
 * Parameters:
 *   be   - backend handle.  be->result is the search result to marshal;
 *          when the caller asked for a struct result, be->buffer receives
 *          a heap copy of the marshaled line and be->buflen its length.
 *   argp - front-end request.  argp->buf.buflen bounds the output, and
 *          argp->buf.buffer receives it when argp->buf.result is NULL.
 *
 * Returns NSS_STR_PARSE_SUCCESS, or NSS_STR_PARSE_PARSE when there is no
 * result, the cn / gidNumber / memberUid attributes are missing or empty,
 * or the heap buffer cannot be allocated.  Overflow of the output buffer
 * is handled by TEST_AND_ADJUST (defined in ldap_common.h, not visible
 * here), which presumably sets nss_result and jumps to result_grp2str.
 * Only result->entry is consulted: entries after the first are not
 * marshaled by this function.  be->result is released on every path.
 */
static int
_nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
{
	int		i;
	int		nss_result;
	int		buflen = 0, len;
	int		firstime = 1;	/* no member written yet: first gets no ',' */
	char		*buffer = NULL;
	ns_ldap_result_t	*result = be->result;
	char		**gname, **passwd, **gid, *password;
	ns_ldap_attr_t	*members;


	if (result == NULL)
		return (NSS_STR_PARSE_PARSE);
	buflen = argp->buf.buflen;

	/*
	 * With a struct result requested, marshal into a private heap
	 * buffer owned by the backend; otherwise write straight into the
	 * caller's buffer.  Note an allocation failure is reported as a
	 * parse error, not a distinct out-of-memory status.
	 */
	if (argp->buf.result != NULL) {
		if ((be->buffer = calloc(1, buflen)) == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		buffer = be->buffer;
	} else
		buffer = argp->buf.buffer;

	nss_result = NSS_STR_PARSE_SUCCESS;
	/* Redundant for the calloc path; needed for the caller's buffer. */
	(void) memset(buffer, 0, buflen);

	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
	if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
	if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
		/* group password could be NULL, replace it with "" */
		password = _NO_PASSWD_VAL;
	} else {
		/*
		 * Preen "{crypt}" if necessary.
		 * If the password does not include the {crypt} prefix
		 * then the password may be plain text.  And thus
		 * perhaps crypt(3c) should be used to encrypt it.
		 * Currently the password is copied verbatim.
		 */
		/* prefix comparison is case-insensitive */
		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
			password = passwd[0] + strlen(_CRYPT);
		else
			password = passwd[0];
	}
	gid = __ns_ldap_getAttr(result->entry, _G_GID);
	if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	/* "name:password:gid:" -- the member list follows. */
	len = snprintf(buffer, buflen, "%s:%s:%s:",
			gname[0], password, gid[0]);
	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);

	/*
	 * NOTE(review): an entry with no memberUid values is rejected here,
	 * so a group without members is reported as a parse failure rather
	 * than as "name:password:gid:" -- confirm that is intended.
	 */
	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
	if (members == NULL || members->attrvalue == NULL) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}

	/* Members are emitted comma-separated, with no trailing comma. */
	for (i = 0; i < members->value_count; i++) {
		if (members->attrvalue[i] == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		if (firstime) {
			len = snprintf(buffer, buflen, "%s",
					members->attrvalue[i]);
			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
			firstime = 0;
		} else {
			len = snprintf(buffer, buflen, ",%s",
					members->attrvalue[i]);
			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
		}
	}
	/* The front end marshaller doesn't need the trailing nulls */
	if (argp->buf.result != NULL)
		be->buflen = strlen(be->buffer);
result_grp2str:
	(void) __ns_ldap_freeResult(&be->result);
	return (nss_result);
}
157 
158 /*
159  * getbynam gets a group entry by name. This function constructs an ldap
160  * search filter using the name invocation parameter and the getgrnam search
161  * filter defined. Once the filter is constructed, we search for a matching
162  * entry and marshal the data results into struct group for the frontend
163  * process. The function _nss_ldap_group2ent performs the data marshaling.
164  */
165 
/*
 * getbynam: look up one group by name.
 *
 * be: backend handle, passed through to _nss_ldap_lookup().
 * a:  nss_XbyY_args_t *; argp->key.name is the group name to find.
 *
 * The caller-supplied name is escaped by _ldap_filter_name() before it is
 * interpolated into the search filter and the SSD template, so filter
 * metacharacters in the name cannot alter the query.  Any escaping or
 * truncation failure yields NSS_NOTFOUND instead of a malformed search.
 */
static nss_status_t
getbynam(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
	char		groupname[SEARCHFILTERLEN];
	char		searchfilter[SEARCHFILTERLEN];
	char		userdata[SEARCHFILTERLEN];
	int		n;

	/* Escape filter metacharacters; refuse names that do not fit. */
	if (_ldap_filter_name(groupname, argp->key.name,
	    sizeof (groupname)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	/* Default filter: (&(objectClass=posixGroup)(cn=<name>)). */
	n = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRNAM,
	    groupname);
	if (n < 0 || (size_t)n >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	/* Template merged with the service search descriptor's filter. */
	n = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD,
	    groupname);
	if (n < 0 || (size_t)n >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP,
	    searchfilter, NULL, _merge_SSD_filter, userdata));
}
192 
193 
194 /*
195  * getbygid gets a group entry by number. This function constructs an ldap
196  * search filter using the name invocation parameter and the getgrgid search
197  * filter defined. Once the filter is constructed, we search for a matching
198  * entry and marshal the data results into struct group for the frontend
199  * process. The function _nss_ldap_group2ent performs the data marshaling.
200  */
201 
/*
 * getbygid: look up one group by numeric id.
 *
 * be: backend handle, passed through to _nss_ldap_lookup().
 * a:  nss_XbyY_args_t *; the id is read from argp->key.uid (the key
 *     union's integer member) and formatted with %ld.
 *
 * A numeric key is rendered by snprintf() as decimal digits only, so no
 * filter escaping step is required here.  Returns NSS_NOTFOUND if either
 * filter would be truncated, otherwise the _nss_ldap_lookup() status.
 */
static nss_status_t
getbygid(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
	long		gidval = (long)argp->key.uid;
	char		searchfilter[SEARCHFILTERLEN];
	char		userdata[SEARCHFILTERLEN];
	int		n;

	/* Default filter: (&(objectClass=posixGroup)(gidNumber=<id>)). */
	n = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRGID,
	    gidval);
	if (n < 0 || (size_t)n >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	/* Template merged with the service search descriptor's filter. */
	n = snprintf(userdata, sizeof (userdata), _F_GETGRGID_SSD, gidval);
	if (n < 0 || (size_t)n >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP,
	    searchfilter, NULL, _merge_SSD_filter, userdata));
}
225 
226 
227 /*
228  * getbymember returns all groups a user is defined in. This function
229  * uses different architectural procedures than the other group backend
230  * system calls because it's a private interface. This function constructs
231  * an ldap search filter using the name invocation parameter. Once the
232  * filter is constructed, we search for all matching groups counting
233  * and storing each group name, gid, etc. Data marshaling is used for
234  * group processing. The function _nss_ldap_group2ent() performs the
235  * data marshaling.
236  *
237  * (const char *)argp->username;	(size_t)strlen(argp->username);
238  * (gid_t)argp->gid_array;		(int)argp->maxgids;
239  * (int)argp->numgids;
240  */
241 
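/*
 * parse_gid_attr parses one gidNumber attribute value into a gid_t.
 *
 * Only a complete, unsigned decimal integer that round-trips through
 * gid_t is accepted: NULL, "", a leading sign, trailing characters,
 * overflow, or a value that does not fit gid_t all return 0 and leave
 * *gidp untouched.  Returns 1 and stores the value on success.
 *
 * The strictness is deliberate.  Directory contents are not under the
 * client's control, and a lax conversion (strtol() without checking
 * endptr) would silently turn a malformed value into gid 0.
 */
static int
parse_gid_attr(const char *s, gid_t *gidp)
{
	char	*end;
	long	v;

	/* reject NULL, "" and anything not starting with a digit */
	if (s == NULL || *s < '0' || *s > '9')
		return (0);

	errno = 0;
	v = strtol(s, &end, 10);
	if (*end != '\0' || errno == ERANGE || v < 0)
		return (0);
	if ((long)(gid_t)v != v)
		return (0);	/* out of range for gid_t */

	*gidp = (gid_t)v;
	return (1);
}

/*
 * getbymember: collect into argp->gid_array the gids of every group whose
 * memberUid lists argp->username (see the block comment above for the
 * argp fields used).
 *
 * be: backend handle; be->result is filled by _nss_ldap_nocb_lookup()
 *     and released here.
 * a:  struct nss_groupsbymem *.
 *
 * Returns NSS_NOTFOUND when the name is empty or "root", when a filter
 * would be truncated, when the search returns nothing, or when no new gid
 * was added; the lookup's own status when it fails; NSS_SUCCESS otherwise.
 * Entries whose gidNumber is missing or malformed are skipped instead of
 * being dereferenced or mapped to gid 0.
 */
static nss_status_t
getbymember(ldap_backend_ptr be, void *a)
{
	int			i, j, k;
	int			gcnt = (int)0;
	char			**groupvalue, **membervalue;
	nss_status_t		lstat;
	nss_XbyY_args_t		argb;
	static nss_XbyY_buf_t	*gb;
	struct nss_groupsbymem	*argp = (struct nss_groupsbymem *)a;
	char			searchfilter[SEARCHFILTERLEN];
	char			userdata[SEARCHFILTERLEN];
	char			name[SEARCHFILTERLEN];
	ns_ldap_result_t	*result;
	ns_ldap_entry_t		*curEntry;
	char			*username;
	gid_t			gid;
	int			ret;

	/*
	 * NOTE(review): gb is a function-scope static, so all callers share
	 * this scratch buffer, and the early returns below leave it
	 * allocated for the next call.  Whether NSS_XbyY_ALLOC reuses an
	 * existing *gb is defined in the nss headers, not here -- confirm
	 * the front end serializes calls into this backend.
	 */
	/* LINTED E_EXPR_NULL_EFFECT */
	NSS_XbyY_ALLOC(&gb, sizeof (struct group), NSS_BUFLEN_GROUP);
	NSS_XbyY_INIT(&argb, gb->result, gb->buffer, gb->buflen, 0);

	/* The empty name and root are never resolved through the directory. */
	if (strcmp(argp->username, "") == 0 ||
	    strcmp(argp->username, "root") == 0)
		return ((nss_status_t)NSS_NOTFOUND);

	/* Escape LDAP filter metacharacters in the caller-supplied name. */
	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name);
	if (ret < 0 || (size_t)ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name);
	if (ret < 0 || (size_t)ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	/* Remember the caller's starting count to detect "nothing added". */
	gcnt = (int)argp->numgids;
	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, &argb,
	    _GROUP, searchfilter, NULL,
	    _merge_SSD_filter, userdata);
	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
		return ((nss_status_t)lstat);
	if (be->result == NULL)
		return (NSS_NOTFOUND);

	username = (char *)argp->username;
	result = (ns_ldap_result_t *)be->result;
	curEntry = (ns_ldap_entry_t *)result->entry;
	/*
	 * Walk every returned group.  The server already matched memberUid
	 * against the escaped name; the exact strcmp() below re-checks that
	 * client-side, presumably because the server's matching rule may be
	 * looser than a byte comparison.  The curEntry guard protects
	 * against an entry list shorter than entries_count claims.
	 */
	for (i = 0; i < result->entries_count && curEntry != NULL; i++) {
		membervalue = __ns_ldap_getAttr(curEntry, "memberUid");
		if (membervalue != NULL) {
			for (j = 0; membervalue[j]; j++) {
				if (strcmp(membervalue[j], username) != 0)
					continue;
				/*
				 * Entry with no usable gidNumber: skip it
				 * rather than dereference NULL or add gid 0.
				 */
				groupvalue = __ns_ldap_getAttr(curEntry,
				    "gidnumber");
				if (groupvalue == NULL ||
				    !parse_gid_attr(groupvalue[0], &gid))
					break;
				if (argp->numgids < argp->maxgids) {
					/* skip gids already in the array */
					for (k = 0; k < argp->numgids; k++) {
						if (argp->gid_array[k] == gid)
							break;
					}
					if (k == argp->numgids)
						argp->gid_array[argp->numgids++]
						    = gid;
				}
				break;	/* one match per entry is enough */
			}
		}
		curEntry = curEntry->next;
	}

	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
	NSS_XbyY_FREE(&gb);
	if (gcnt == argp->numgids)
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)NSS_SUCCESS);
}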
325 
/*
 * Backend operation table handed to _nss_ldap_constr().  The order is
 * positional (it follows the nss backend op numbering defined in the nss
 * headers, not here) and must not be rearranged: the first four are the
 * generic ldap backend operations, the last three the group-specific
 * lookups defined above.
 */
static ldap_backend_op_t gr_ops[] = {
	_nss_ldap_destr,	/* generic: destructor */
	_nss_ldap_endent,	/* generic: end enumeration */
	_nss_ldap_setent,	/* generic: start enumeration */
	_nss_ldap_getent,	/* generic: next entry */
	getbynam,		/* group by name */
	getbygid,		/* group by gid */
	getbymember		/* all groups containing a member */
};
335 
336 
337 /*ARGSUSED0*/
/*
 * _nss_ldap_group_constr is the entry point the nss front end calls to
 * instantiate the ldap group backend.  The three string arguments are
 * unused (see the ARGSUSED annotation).  Returns the backend built by
 * _nss_ldap_constr() from the group op table, the attribute list and the
 * group marshaling routine.
 */
nss_backend_t *
_nss_ldap_group_constr(const char *dummy1, const char *dummy2,
			const char *dummy3)
{
	size_t	nops = sizeof (gr_ops) / sizeof (gr_ops[0]);

	return ((nss_backend_t *)_nss_ldap_constr(gr_ops, nops, _GROUP,
	    gr_attrs, _nss_ldap_group2str));
}
347