1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * 25 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 26 * Copyright 2020 Joyent, Inc. 27 */ 28 29 #include <grp.h> 30 #include "ldap_common.h" 31 #include <string.h> 32 33 /* String which may need to be removed from beginning of group password */ 34 #define _CRYPT "{CRYPT}" 35 #define _NO_PASSWD_VAL "" 36 37 /* Group attributes filters */ 38 #define _G_NAME "cn" 39 #define _G_GID "gidnumber" 40 #define _G_PASSWD "userpassword" 41 #define _G_MEMUID "memberuid" 42 #define _G_MEM_DN "member" /* DN */ 43 44 #define _F_GETGRNAM "(&(objectClass=posixGroup)(cn=%s))" 45 #define _F_GETGRNAM_SSD "(&(%%s)(cn=%s))" 46 #define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))" 47 #define _F_GETGRGID_SSD "(&(%%s)(gidNumber=%u))" 48 49 /* 50 * When searching for groups in which a specified user is a member, 51 * there are a few different membership schema that might be in use. 52 * We'll use a filter that should work with an of the common ones: 53 * "memberUid=NAME", or "member=DN" (try uniquemember too?) 54 * The first parameter in the filter string is replaced by username, 55 * and the remaining ones by the full DN. 56 */ 57 #define _F_GETGRMEM "(&(objectClass=posixGroup)" \ 58 "(|(memberUid=%s)(member=%s)))" 59 #define _F_GETGRMEM_SSD "(&(%%s)" \ 60 "(|(memberUid=%s)(member=%s)))" 61 62 static const char *gr_attrs[] = { 63 _G_NAME, 64 _G_GID, 65 _G_PASSWD, 66 _G_MEMUID, 67 _G_MEM_DN, 68 (char *)NULL 69 }; 70 71 static int 72 getmembers_UID(char **bufpp, int *lenp, ns_ldap_attr_t *members); 73 static int 74 getmembers_DN(char **bufpp, int *lenp, ns_ldap_attr_t *members); 75 76 77 /* 78 * _nss_ldap_group2str is the data marshaling method for the group getXbyY 79 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method 80 * is called after a successful ldap search has been performed. This method 81 * will parse the ldap search values into the file format. 82 * e.g. 83 * 84 * adm::4:root,adm,daemon 85 * 86 */ 87 88 static int 89 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp) 90 { 91 int i; 92 int nss_result; 93 int buflen = 0, len; 94 char *buffer = NULL; 95 ns_ldap_result_t *result = be->result; 96 char **gname, **passwd, **gid, *password, *end; 97 char gid_nobody[NOBODY_STR_LEN]; 98 char *gid_nobody_v[1]; 99 ns_ldap_attr_t *members; 100 101 (void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY); 102 gid_nobody_v[0] = gid_nobody; 103 104 if (result == NULL) 105 return (NSS_STR_PARSE_PARSE); 106 buflen = argp->buf.buflen; 107 108 if (argp->buf.result != NULL) { 109 if ((be->buffer = calloc(1, buflen)) == NULL) { 110 nss_result = NSS_STR_PARSE_PARSE; 111 goto result_grp2str; 112 } 113 buffer = be->buffer; 114 } else 115 buffer = argp->buf.buffer; 116 117 nss_result = NSS_STR_PARSE_SUCCESS; 118 (void) memset(buffer, 0, buflen); 119 120 gname = __ns_ldap_getAttr(result->entry, _G_NAME); 121 if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) { 122 nss_result = NSS_STR_PARSE_PARSE; 123 goto result_grp2str; 124 } 125 passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD); 126 if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) { 127 /* group password could be NULL, replace it with "" */ 128 password = _NO_PASSWD_VAL; 129 } else { 130 /* 131 * Preen "{crypt}" if necessary. 132 * If the password does not include the {crypt} prefix 133 * then the password may be plain text. And thus 134 * perhaps crypt(3c) should be used to encrypt it. 135 * Currently the password is copied verbatim. 136 */ 137 if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0) 138 password = passwd[0] + strlen(_CRYPT); 139 else 140 password = passwd[0]; 141 } 142 gid = __ns_ldap_getAttr(result->entry, _G_GID); 143 if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) { 144 nss_result = NSS_STR_PARSE_PARSE; 145 goto result_grp2str; 146 } 147 /* Validate GID */ 148 if (strtoul(gid[0], &end, 10) > MAXUID) 149 gid = gid_nobody_v; 150 len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]); 151 TEST_AND_ADJUST(len, buffer, buflen, result_grp2str); 152 153 members = __ns_ldap_getAttrStruct(result->entry, _G_MEMUID); 154 if (members != NULL && members->attrvalue != NULL) { 155 nss_result = getmembers_UID(&buffer, &buflen, members); 156 if (nss_result != 0) 157 goto result_grp2str; 158 } 159 160 members = __ns_ldap_getAttrStruct(result->entry, _G_MEM_DN); 161 if (members != NULL && members->attrvalue != NULL) { 162 nss_result = getmembers_DN(&buffer, &buflen, members); 163 if (nss_result != 0) 164 goto result_grp2str; 165 } 166 167 /* The front end marshaller doesn't need the trailing nulls */ 168 if (argp->buf.result != NULL) 169 be->buflen = strlen(be->buffer); 170 result_grp2str: 171 (void) __ns_ldap_freeResult(&be->result); 172 return (nss_result); 173 } 174 175 /* 176 * Process the list values from the "memberUid" attribute of the 177 * current group. Note that this list is often empty, and we 178 * get the real list of members via getmember_DN (see below). 179 */ 180 static int 181 getmembers_UID(char **bufpp, int *lenp, ns_ldap_attr_t *members) 182 { 183 char *member_str, *strtok_state; 184 char *buffer; 185 int buflen; 186 int i, len; 187 int nss_result = 0; 188 int firsttime; 189 190 buffer = *bufpp; 191 buflen = *lenp; 192 firsttime = (buffer[-1] == ':'); 193 194 for (i = 0; i < members->value_count; i++) { 195 member_str = members->attrvalue[i]; 196 if (member_str == NULL) 197 goto out; 198 199 #ifdef DEBUG 200 (void) fprintf(stdout, "getmembers_UID: uid=<%s>\n", 201 member_str); 202 #endif 203 /* 204 * If not a valid Unix user name, or 205 * not valid in ldap, just skip. 206 */ 207 if (member_str[0] == '\0' || 208 strpbrk(member_str, " ,:=") != NULL) 209 continue; 210 211 if (firsttime) { 212 len = snprintf(buffer, buflen, "%s", member_str); 213 firsttime = 0; 214 } else { 215 len = snprintf(buffer, buflen, ",%s", member_str); 216 } 217 TEST_AND_ADJUST(len, buffer, buflen, out); 218 } 219 220 out: 221 *bufpp = buffer; 222 *lenp = buflen; 223 return (nss_result); 224 } 225 226 /* 227 * Process the list values from the "member" attribute of the 228 * current group. Note that this list is ONLY one that can be 229 * assumed to be non-empty. The problem here is that this list 230 * contains the list of members as "distinguished names" (DN), 231 * and we want the Unix names (known here as "uid"). We must 232 * lookup the "uid" for each DN in the member list. Example: 233 * CN=Doe\, John,OU=Users,DC=contoso,DC=com => john.doe 234 */ 235 static int 236 getmembers_DN(char **bufpp, int *lenp, ns_ldap_attr_t *members) 237 { 238 ns_ldap_error_t *error = NULL; 239 char *member_dn, *member_uid; 240 char *buffer; 241 int buflen; 242 int i, len; 243 int nss_result = 0; /* used by TEST_AND_ADJUST macro */ 244 int firsttime; 245 246 buffer = *bufpp; 247 buflen = *lenp; 248 firsttime = (buffer[-1] == ':'); 249 250 for (i = 0; i < members->value_count; i++) { 251 member_dn = members->attrvalue[i]; 252 if (member_dn == NULL) 253 goto out; 254 255 /* 256 * The attribute name was "member", so these should be 257 * full distinguished names (DNs). We need to loookup 258 * the Unix UID (name) for each. 259 */ 260 #ifdef DEBUG 261 (void) fprintf(stdout, "getmembers_DN: dn=%s\n", 262 member_dn); 263 #endif 264 if (member_dn[0] == '\0') 265 continue; 266 267 if (__ns_ldap_dn2uid(member_dn, 268 &member_uid, NULL, &error) != NS_LDAP_SUCCESS) { 269 (void) __ns_ldap_freeError(&error); 270 error = NULL; 271 continue; 272 } 273 #ifdef DEBUG 274 (void) fprintf(stdout, "getmembers_DN: uid=<%s>\n", 275 member_uid); 276 #endif 277 /* Skip invalid names. */ 278 if (member_uid[0] == '\0' || 279 strpbrk(member_uid, " ,:=") != NULL) { 280 free(member_uid); 281 continue; 282 } 283 284 if (firsttime) { 285 len = snprintf(buffer, buflen, "%s", member_uid); 286 firsttime = 0; 287 } else { 288 len = snprintf(buffer, buflen, ",%s", member_uid); 289 } 290 free(member_uid); 291 TEST_AND_ADJUST(len, buffer, buflen, out); 292 } 293 294 out: 295 *bufpp = buffer; 296 *lenp = buflen; 297 return (nss_result); 298 } 299 300 /* 301 * getbynam gets a group entry by name. This function constructs an ldap 302 * search filter using the name invocation parameter and the getgrnam search 303 * filter defined. Once the filter is constructed, we searche for a matching 304 * entry and marshal the data results into struct group for the frontend 305 * process. The function _nss_ldap_group2ent performs the data marshaling. 306 */ 307 308 static nss_status_t 309 getbynam(ldap_backend_ptr be, void *a) 310 { 311 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a; 312 char searchfilter[SEARCHFILTERLEN]; 313 char userdata[SEARCHFILTERLEN]; 314 char groupname[SEARCHFILTERLEN]; 315 int ret; 316 317 if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname)) != 318 0) 319 return ((nss_status_t)NSS_NOTFOUND); 320 321 ret = snprintf(searchfilter, sizeof (searchfilter), 322 _F_GETGRNAM, groupname); 323 if (ret >= sizeof (searchfilter) || ret < 0) 324 return ((nss_status_t)NSS_NOTFOUND); 325 326 ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname); 327 if (ret >= sizeof (userdata) || ret < 0) 328 return ((nss_status_t)NSS_NOTFOUND); 329 330 return ((nss_status_t)_nss_ldap_lookup(be, argp, 331 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata)); 332 } 333 334 335 /* 336 * getbygid gets a group entry by number. This function constructs an ldap 337 * search filter using the name invocation parameter and the getgrgid search 338 * filter defined. Once the filter is constructed, we searche for a matching 339 * entry and marshal the data results into struct group for the frontend 340 * process. The function _nss_ldap_group2ent performs the data marshaling. 341 */ 342 343 static nss_status_t 344 getbygid(ldap_backend_ptr be, void *a) 345 { 346 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a; 347 char searchfilter[SEARCHFILTERLEN]; 348 char userdata[SEARCHFILTERLEN]; 349 int ret; 350 351 if (argp->key.uid > MAXUID) 352 return ((nss_status_t)NSS_NOTFOUND); 353 354 ret = snprintf(searchfilter, sizeof (searchfilter), 355 _F_GETGRGID, argp->key.uid); 356 if (ret >= sizeof (searchfilter) || ret < 0) 357 return ((nss_status_t)NSS_NOTFOUND); 358 359 ret = snprintf(userdata, sizeof (userdata), 360 _F_GETGRGID_SSD, argp->key.uid); 361 if (ret >= sizeof (userdata) || ret < 0) 362 return ((nss_status_t)NSS_NOTFOUND); 363 364 return ((nss_status_t)_nss_ldap_lookup(be, argp, 365 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata)); 366 367 } 368 369 370 /* 371 * Use a custom attributes list for getbymember, because the LDAP 372 * query for this requests a list of groups, and the result can be 373 * very large if it includes the list of members with each group. 374 * We don't need or want the list of members in this case. 375 */ 376 static const char *grbymem_attrs[] = { 377 _G_NAME, /* cn */ 378 _G_GID, /* gidnumber */ 379 (char *)NULL 380 }; 381 382 /* 383 * getbymember returns all groups a user is defined in. This function 384 * uses different architectural procedures than the other group backend 385 * system calls because it's a private interface. This function constructs 386 * an ldap search filter using the name invocation parameter. Once the 387 * filter is constructed, we search for all matching groups counting 388 * and storing each group name, gid, etc. Data marshaling is used for 389 * group processing. The function _nss_ldap_group2ent() performs the 390 * data marshaling. 391 * 392 * (const char *)argp->username; (size_t)strlen(argp->username); 393 * (gid_t)argp->gid_array; (int)argp->maxgids; 394 * (int)argp->numgids; 395 */ 396 397 static nss_status_t 398 getbymember(ldap_backend_ptr be, void *a) 399 { 400 ns_ldap_error_t *error = NULL; 401 int i, j, k; 402 int gcnt = (int)0; 403 char **groupvalue; 404 nss_status_t lstat; 405 struct nss_groupsbymem *argp = (struct nss_groupsbymem *)a; 406 char searchfilter[SEARCHFILTERLEN]; 407 char userdata[SEARCHFILTERLEN]; 408 char name[SEARCHFILTERLEN]; 409 char escdn[SEARCHFILTERLEN]; 410 ns_ldap_result_t *result; 411 ns_ldap_entry_t *curEntry; 412 char *dn; 413 gid_t gid; 414 int ret1, ret2; 415 416 if (strcmp(argp->username, "") == 0 || 417 strcmp(argp->username, "root") == 0) 418 return ((nss_status_t)NSS_NOTFOUND); 419 420 if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0) 421 return ((nss_status_t)NSS_NOTFOUND); 422 423 /* 424 * Look up the user DN in ldap. If it's not found, search solely by 425 * username. 426 */ 427 lstat = __ns_ldap_uid2dn(name, &dn, NULL, &error); 428 if (lstat != (nss_status_t)NS_LDAP_SUCCESS) { 429 /* Can't get DN. Use bare name */ 430 (void) __ns_ldap_freeError(&error); 431 dn = name; 432 } 433 /* Note: must free dn if != name */ 434 435 /* 436 * Compose filter patterns 437 */ 438 ret1 = snprintf(searchfilter, sizeof (searchfilter), 439 _F_GETGRMEM, name, dn); 440 ret2 = snprintf(userdata, sizeof (userdata), 441 _F_GETGRMEM_SSD, name, dn); 442 if (dn != name) 443 free(dn); 444 if (ret1 >= sizeof (searchfilter) || ret1 < 0) 445 return ((nss_status_t)NSS_NOTFOUND); 446 if (ret2 >= sizeof (userdata) || ret2 < 0) 447 return ((nss_status_t)NSS_NOTFOUND); 448 449 /* 450 * Query for groups matching the filter. 451 */ 452 lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL, 453 _GROUP, searchfilter, grbymem_attrs, 454 _merge_SSD_filter, userdata); 455 if (lstat != (nss_status_t)NS_LDAP_SUCCESS) 456 return ((nss_status_t)lstat); 457 if (be->result == NULL) 458 return (NSS_NOTFOUND); 459 460 /* 461 * Walk the query result, collecting GIDs. 462 */ 463 result = (ns_ldap_result_t *)be->result; 464 curEntry = (ns_ldap_entry_t *)result->entry; 465 gcnt = (int)argp->numgids; 466 for (i = 0; i < result->entries_count; i++) { 467 468 /* 469 * Does this group have a gidNumber attr? 470 */ 471 groupvalue = __ns_ldap_getAttr(curEntry, _G_GID); 472 if (groupvalue == NULL || groupvalue[0] == NULL) { 473 /* Drop this group from the list */ 474 goto next_group; 475 } 476 477 /* 478 * Convert it to a numeric GID 479 */ 480 errno = 0; 481 gid = (gid_t)strtol(groupvalue[0], (char **)NULL, 10); 482 if (errno != 0) 483 goto next_group; 484 485 /* 486 * If we don't already have this GID, add it. 487 */ 488 if (argp->numgids < argp->maxgids) { 489 for (k = 0; k < argp->numgids; k++) { 490 if (argp->gid_array[k] == gid) { 491 /* already have it */ 492 goto next_group; 493 } 494 } 495 argp->gid_array[argp->numgids++] = gid; 496 } 497 498 next_group: 499 curEntry = curEntry->next; 500 } 501 502 (void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result); 503 if (gcnt == argp->numgids) 504 return ((nss_status_t)NSS_NOTFOUND); 505 506 /* 507 * Return NSS_SUCCESS only if array is full. 508 * Explained in <nss_dbdefs.h>. 509 */ 510 return ((nss_status_t)((argp->numgids == argp->maxgids) 511 ? NSS_SUCCESS 512 : NSS_NOTFOUND)); 513 } 514 515 static ldap_backend_op_t gr_ops[] = { 516 _nss_ldap_destr, 517 _nss_ldap_endent, 518 _nss_ldap_setent, 519 _nss_ldap_getent, 520 getbynam, 521 getbygid, 522 getbymember 523 }; 524 525 526 /*ARGSUSED0*/ 527 nss_backend_t * 528 _nss_ldap_group_constr(const char *dummy1, const char *dummy2, 529 const char *dummy3) 530 { 531 532 return ((nss_backend_t *)_nss_ldap_constr(gr_ops, 533 sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs, 534 _nss_ldap_group2str)); 535 } 536