1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * Processes name2sid & sid2name batched lookups for a given user or 31 * computer from an AD Directory server using GSSAPI authentication 32 */ 33 34 #include <stdio.h> 35 #include <stdlib.h> 36 #include <alloca.h> 37 #include <string.h> 38 #include <strings.h> 39 #include <lber.h> 40 #include <ldap.h> 41 #include <sasl/sasl.h> 42 #include <string.h> 43 #include <ctype.h> 44 #include <pthread.h> 45 #include <synch.h> 46 #include <atomic.h> 47 #include <errno.h> 48 #include <assert.h> 49 #include <limits.h> 50 #include "idmapd.h" 51 52 /* 53 * Internal data structures for this code 54 */ 55 56 /* Attribute names and filter format strings */ 57 #define OBJECTSID "objectSid" 58 #define OBJECTSIDFILTER "(objectSid=%s)" 59 #define SAMACCOUNTNAME "sAMAccountName" 60 #define SANFILTER "(sAMAccountName=%.*s)" 61 #define OBJECTCLASS "objectClass" 62 63 /* 64 * This should really be in some <sys/sid.h> file or so; we have a 65 * private version of sid_t, and so must other components of ON until we 66 * rationalize this. 67 */ 68 typedef struct sid { 69 uchar_t version; 70 uchar_t sub_authority_count; 71 uint64_t authority; /* really, 48-bits */ 72 rid_t sub_authorities[SID_MAX_SUB_AUTHORITIES]; 73 } sid_t; 74 75 /* A single DS */ 76 typedef struct ad_host { 77 struct ad_host *next; 78 ad_t *owner; /* ad_t to which this belongs */ 79 pthread_mutex_t lock; 80 LDAP *ld; /* LDAP connection */ 81 uint32_t ref; /* ref count */ 82 time_t idletime; /* time since last activity */ 83 int dead; /* error on LDAP connection */ 84 /* 85 * Used to distinguish between different instances of LDAP 86 * connections to this same DS. We need this so we never mix up 87 * results for a given msgID from one connection with those of 88 * another earlier connection where two batch state structures 89 * share this ad_host object but used different LDAP connections 90 * to send their LDAP searches. 91 */ 92 uint64_t generation; 93 94 /* LDAP DS info */ 95 char *host; 96 int port; 97 98 /* hardwired to SASL GSSAPI only for now */ 99 char *saslmech; 100 unsigned saslflags; 101 } ad_host_t; 102 103 /* A set of DSs for a given AD partition; ad_t typedef comes from adutil.h */ 104 struct ad { 105 char *dflt_w2k_dom; /* used to qualify bare names */ 106 char *basedn; /* derived from dflt domain */ 107 pthread_mutex_t lock; 108 uint32_t ref; 109 idmap_ad_partition_t partition; /* Data or global catalog? */ 110 }; 111 112 /* 113 * A place to put the results of a batched (async) query 114 * 115 * There is one of these for every query added to a batch object 116 * (idmap_query_state, see below). 117 */ 118 typedef struct idmap_q { 119 char **result; /* name or stringified SID */ 120 char **domain; /* name of domain of object */ 121 rid_t *rid; /* for n2s, if not NULL */ 122 int *sid_type; /* if not NULL */ 123 idmap_retcode *rc; 124 int msgid; /* LDAP message ID */ 125 /* 126 * Bitfield containing state needed to know when we're done 127 * processing search results related to this query's LDAP 128 * searches. Mostly self-explanatory. 129 */ 130 uint16_t n2s : 1; /* name->SID or SID->name? */ 131 uint16_t got_reply : 1; 132 uint16_t got_results : 1; 133 uint16_t got_objectSid : 1; 134 uint16_t got_objectClass : 1; 135 uint16_t got_samAcctName : 1; 136 } idmap_q_t; 137 138 /* Batch context structure; typedef is in header file */ 139 struct idmap_query_state { 140 idmap_query_state_t *next; 141 int qcount; /* how many queries */ 142 uint32_t qlastsent; 143 uint32_t qinflight; /* how many queries in flight */ 144 uint16_t qdead; /* oops, lost LDAP connection */ 145 ad_host_t *qadh; /* LDAP connection */ 146 uint64_t qadh_gen; /* same as qadh->generation */ 147 idmap_q_t queries[1]; /* array of query results */ 148 }; 149 150 /* 151 * List of query state structs -- needed so we can "route" LDAP results 152 * to the right context if multiple threads should be using the same 153 * connection concurrently 154 */ 155 static idmap_query_state_t *qstatehead = NULL; 156 static pthread_mutex_t qstatelock = PTHREAD_MUTEX_INITIALIZER; 157 158 /* 159 * List of DSs, needed by the idle connection reaper thread 160 */ 161 static ad_host_t *host_head = NULL; 162 static pthread_t reaperid = (pthread_t)-1; 163 static pthread_mutex_t adhostlock = PTHREAD_MUTEX_INITIALIZER; 164 165 /*ARGSUSED*/ 166 static int 167 idmap_saslcallback(LDAP *ld, unsigned flags, void *defaults, void *prompts) { 168 sasl_interact_t *interact; 169 170 if (prompts == NULL || flags != LDAP_SASL_INTERACTIVE) 171 return (LDAP_PARAM_ERROR); 172 173 /* There should be no extra arguemnts for SASL/GSSAPI authentication */ 174 for (interact = prompts; interact->id != SASL_CB_LIST_END; 175 interact++) { 176 interact->result = NULL; 177 interact->len = 0; 178 } 179 return (LDAP_SUCCESS); 180 } 181 182 /* Turn "foo.bar.com" into "dc=foo,dc=bar,dc=com" */ 183 static 184 char * 185 dns2dn(const char *dns) 186 { 187 int nameparts; 188 189 /* Sigh, ldap_dns_to_dn()'s first arg should be a const char * */ 190 return (ldap_dns_to_dn((char *)dns, &nameparts)); 191 } 192 193 /* 194 * Turn "dc=foo,dc=bar,dc=com" into "foo.bar.com"; ignores any other 195 * attributes (CN, etc...) 196 */ 197 static 198 char * 199 dn2dns(const char *dn) 200 { 201 char **rdns = NULL; 202 char **attrs = NULL; 203 char **labels = NULL; 204 char *dns = NULL; 205 char **rdn, **attr, **label; 206 int maxlabels = 5; 207 int nlabels = 0; 208 int dnslen; 209 210 /* 211 * There is no reverse of ldap_dns_to_dn() in our libldap, so we 212 * have to do the hard work here for now. 213 */ 214 215 /* 216 * This code is much too liberal: it looks for "dc" attributes 217 * in all RDNs of the DN. In theory this could cause problems 218 * if people were to use "dc" in nodes other than the root of 219 * the tree, but in practice noone, least of all Active 220 * Directory, does that. 221 * 222 * On the other hand, this code is much too conservative: it 223 * does not make assumptions about ldap_explode_dn(), and _that_ 224 * is the true for looking at every attr of every RDN. 225 * 226 * Since we only ever look at dc and those must be DNS labels, 227 * at least until we get around to supporting IDN here we 228 * shouldn't see escaped labels from AD nor from libldap, though 229 * the spec (RFC2253) does allow libldap to escape things that 230 * don't need escaping -- if that should ever happen then 231 * libldap will need a spanking, and we can take care of that. 232 */ 233 234 /* Explode a DN into RDNs */ 235 if ((rdns = ldap_explode_dn(dn, 0)) == NULL) 236 return (NULL); 237 238 labels = calloc(maxlabels + 1, sizeof (char *)); 239 label = labels; 240 241 for (rdn = rdns; *rdn != NULL; rdn++) { 242 if (attrs != NULL) 243 ldap_value_free(attrs); 244 245 /* Explode each RDN, look for DC attr, save val as DNS label */ 246 if ((attrs = ldap_explode_rdn(rdn[0], 0)) == NULL) 247 goto done; 248 249 for (attr = attrs; *attr != NULL; attr++) { 250 if (strncasecmp(*attr, "dc=", 3) != 0) 251 continue; 252 253 /* Found a DNS label */ 254 labels[nlabels++] = strdup((*attr) + 3); 255 256 if (nlabels == maxlabels) { 257 char **tmp; 258 tmp = realloc(labels, 259 sizeof (char *) * (maxlabels + 1)); 260 261 if (tmp == NULL) 262 goto done; 263 264 labels = tmp; 265 labels[nlabels] = NULL; 266 } 267 268 /* There should be just one DC= attr per-RDN */ 269 break; 270 } 271 } 272 273 /* 274 * Got all the labels, now join with '.' 275 * 276 * We need room for nlabels - 1 periods ('.'), one nul 277 * terminator, and the strlen() of each label. 278 */ 279 dnslen = nlabels; 280 for (label = labels; *label != NULL; label++) 281 dnslen += strlen(*label); 282 283 if ((dns = malloc(dnslen)) == NULL) 284 goto done; 285 286 *dns = '\0'; 287 288 for (label = labels; *label != NULL; label++) { 289 (void) strlcat(dns, *label, dnslen); 290 /* 291 * NOTE: the last '.' won't be appended -- there's no room 292 * for it! 293 */ 294 (void) strlcat(dns, ".", dnslen); 295 } 296 297 done: 298 if (labels != NULL) { 299 for (label = labels; *label != NULL; label++) 300 free(*label); 301 free(labels); 302 } 303 if (attrs != NULL) 304 ldap_value_free(attrs); 305 if (rdns != NULL) 306 ldap_value_free(rdns); 307 308 return (dns); 309 } 310 311 /* 312 * Keep connection management simple for now, extend or replace later 313 * with updated libsldap code. 314 */ 315 #define ADREAPERSLEEP 60 316 #define ADCONN_TIME 300 317 318 /* 319 * Idle connection reaping side of connection management 320 * 321 * Every minute wake up and look for connections that have been idle for 322 * five minutes or more and close them. 323 */ 324 /*ARGSUSED*/ 325 static 326 void 327 adreaper(void *arg) 328 { 329 ad_host_t *adh; 330 time_t now; 331 timespec_t ts; 332 333 ts.tv_sec = ADREAPERSLEEP; 334 ts.tv_nsec = 0; 335 336 for (;;) { 337 /* 338 * nanosleep(3RT) is thead-safe (no SIGALRM) and more 339 * portable than usleep(3C) 340 */ 341 (void) nanosleep(&ts, NULL); 342 (void) pthread_mutex_lock(&adhostlock); 343 now = time(NULL); 344 for (adh = host_head; adh != NULL; adh = adh->next) { 345 (void) pthread_mutex_lock(&adh->lock); 346 if (adh->ref == 0 && adh->idletime != 0 && 347 adh->idletime + ADCONN_TIME < now) { 348 if (adh->ld) { 349 (void) ldap_unbind(adh->ld); 350 adh->ld = NULL; 351 adh->idletime = 0; 352 adh->ref = 0; 353 } 354 } 355 (void) pthread_mutex_unlock(&adh->lock); 356 } 357 (void) pthread_mutex_unlock(&adhostlock); 358 } 359 } 360 361 int 362 idmap_ad_alloc(ad_t **new_ad, const char *default_domain, 363 idmap_ad_partition_t part) 364 { 365 ad_t *ad; 366 367 *new_ad = NULL; 368 369 if ((default_domain == NULL || *default_domain == '\0') && 370 part != IDMAP_AD_GLOBAL_CATALOG) 371 return (-1); 372 373 if ((ad = calloc(1, sizeof (ad_t))) == NULL) 374 return (-1); 375 376 ad->ref = 1; 377 ad->partition = part; 378 379 /* 380 * If default_domain is NULL, deal, deferring errors until 381 * idmap_lookup_batch_start() -- this makes it easier on the 382 * caller, who can simply observe lookups failing as opposed to 383 * having to conditionalize calls to lookups according to 384 * whether it has a non-NULL ad_t *. 385 */ 386 if (default_domain == NULL) 387 default_domain = ""; 388 389 if ((ad->dflt_w2k_dom = strdup(default_domain)) == NULL) 390 goto err; 391 392 /* If default_domain is empty, deal; see above */ 393 if (*default_domain == '\0') { 394 if ((ad->basedn = strdup("")) == NULL) 395 goto err; 396 } else if ((ad->basedn = dns2dn(default_domain)) == NULL) { 397 goto err; 398 } 399 400 if (pthread_mutex_init(&ad->lock, NULL) != 0) 401 goto err; 402 403 *new_ad = ad; 404 405 return (0); 406 err: 407 if (ad->dflt_w2k_dom != NULL) 408 free(ad->dflt_w2k_dom); 409 if (ad->basedn != NULL) 410 free(ad->basedn); 411 free(ad); 412 return (-1); 413 } 414 415 416 void 417 idmap_ad_free(ad_t **ad) 418 { 419 ad_host_t *p; 420 421 if (ad == NULL || *ad == NULL) 422 return; 423 424 (void) pthread_mutex_lock(&(*ad)->lock); 425 426 if (atomic_dec_32_nv(&(*ad)->ref) > 0) { 427 (void) pthread_mutex_unlock(&(*ad)->lock); 428 *ad = NULL; 429 return; 430 } 431 432 for (p = host_head; p != NULL; p = p->next) { 433 if (p->owner != (*ad)) 434 continue; 435 idmap_delete_ds((*ad), p->host, p->port); 436 } 437 438 free((*ad)->basedn); 439 440 (void) pthread_mutex_unlock(&(*ad)->lock); 441 (void) pthread_mutex_destroy(&(*ad)->lock); 442 443 free(*ad); 444 445 *ad = NULL; 446 } 447 448 static 449 int 450 idmap_open_conn(ad_host_t *adh) 451 { 452 int rc, ldversion; 453 454 if (adh->dead && adh->ld != NULL) { 455 (void) ldap_unbind(adh->ld); 456 adh->ld = NULL; 457 adh->dead = 0; 458 } 459 460 if (adh->ld == NULL) { 461 int zero = 0; 462 int timeoutms = 30 * 1000; 463 464 atomic_inc_64(&adh->generation); 465 adh->ld = ldap_init(adh->host, adh->port); 466 if (adh->ld == NULL) 467 return (-1); 468 469 ldversion = LDAP_VERSION3; 470 (void) ldap_set_option(adh->ld, LDAP_OPT_PROTOCOL_VERSION, 471 &ldversion); 472 473 (void) ldap_set_option(adh->ld, LDAP_OPT_REFERRALS, 474 LDAP_OPT_OFF); 475 (void) ldap_set_option(adh->ld, LDAP_OPT_TIMELIMIT, &zero); 476 (void) ldap_set_option(adh->ld, LDAP_OPT_SIZELIMIT, &zero); 477 /* setup TCP/IP connect timeout */ 478 (void) ldap_set_option(adh->ld, LDAP_X_OPT_CONNECT_TIMEOUT, 479 &timeoutms); 480 (void) ldap_set_option(adh->ld, LDAP_OPT_RESTART, LDAP_OPT_ON); 481 rc = ldap_sasl_interactive_bind_s(adh->ld, 482 "" /* binddn */, adh->saslmech, NULL, NULL, adh->saslflags, 483 &idmap_saslcallback, NULL /* defaults */); 484 485 if (rc != LDAP_SUCCESS) { 486 idmapdlog(LOG_ERR, "Could not authenticate to the " 487 "LDAP server. (Check that the host keys are " 488 "correct?)"); 489 return (rc); 490 } 491 } 492 493 adh->idletime = time(NULL); 494 495 return (LDAP_SUCCESS); 496 } 497 498 499 /* 500 * Connection management: find an open connection or open one 501 */ 502 static 503 ad_host_t * 504 idmap_get_conn(const ad_t *ad) 505 { 506 ad_host_t *adh = NULL; 507 int rc; 508 509 (void) pthread_mutex_lock(&adhostlock); 510 511 /* 512 * Search for any ad_host_t, preferably one with an open 513 * connection 514 */ 515 for (adh = host_head; adh != NULL; adh = adh->next) { 516 if (adh->owner == ad) { 517 break; 518 } 519 } 520 521 if (adh != NULL) 522 atomic_inc_32(&adh->ref); 523 524 (void) pthread_mutex_unlock(&adhostlock); 525 526 if (adh == NULL) 527 return (NULL); 528 529 /* found connection, open it if not opened */ 530 (void) pthread_mutex_lock(&adh->lock); 531 rc = idmap_open_conn(adh); 532 (void) pthread_mutex_unlock(&adh->lock); 533 if (rc != LDAP_SUCCESS) 534 return (NULL); 535 536 return (adh); 537 } 538 539 static 540 void 541 idmap_release_conn(ad_host_t *adh) 542 { 543 (void) pthread_mutex_lock(&adh->lock); 544 if (atomic_dec_32_nv(&adh->ref) == 0) 545 adh->idletime = time(NULL); 546 (void) pthread_mutex_unlock(&adh->lock); 547 } 548 549 /* 550 * Take ad_host_config_t information, create a ad_host_t, 551 * populate it and add it to the list of hosts. 552 */ 553 554 int 555 idmap_add_ds(ad_t *ad, const char *host, int port) 556 { 557 ad_host_t *p; 558 ad_host_t *new = NULL; 559 int ret = -1; 560 561 if (port == 0) 562 port = (int)ad->partition; 563 564 (void) pthread_mutex_lock(&adhostlock); 565 for (p = host_head; p != NULL; p = p->next) { 566 if (p->owner != ad) 567 continue; 568 569 if (strcmp(host, p->host) == 0 && p->port == port) { 570 /* already added */ 571 ret = -2; 572 goto err; 573 } 574 } 575 576 /* add new entry */ 577 new = (ad_host_t *)calloc(1, sizeof (ad_host_t)); 578 if (new == NULL) 579 goto err; 580 new->owner = ad; 581 new->port = port; 582 new->dead = 0; 583 if ((new->host = strdup(host)) == NULL) 584 goto err; 585 586 /* default to SASL GSSAPI only for now */ 587 new->saslflags = LDAP_SASL_INTERACTIVE; 588 new->saslmech = "GSSAPI"; 589 590 if ((ret = pthread_mutex_init(&new->lock, NULL)) != 0) { 591 free(new->host); 592 new->host = NULL; 593 errno = ret; 594 ret = -1; 595 goto err; 596 } 597 598 /* link in */ 599 new->next = host_head; 600 host_head = new; 601 602 /* Start reaper if it doesn't exist */ 603 if (reaperid == 0) 604 (void) pthread_create(&reaperid, NULL, 605 (void *(*)(void *))adreaper, (void *)NULL); 606 607 err: 608 (void) pthread_mutex_unlock(&adhostlock); 609 610 if (ret != 0 && new != NULL) { 611 if (new->host != NULL) { 612 (void) pthread_mutex_destroy(&new->lock); 613 free(new->host); 614 } 615 free(new); 616 } 617 618 return (ret); 619 } 620 621 /* 622 * free a DS configuration 623 */ 624 void 625 idmap_delete_ds(ad_t *ad, const char *host, int port) 626 { 627 ad_host_t **p, *q; 628 629 (void) pthread_mutex_lock(&adhostlock); 630 for (p = &host_head; *p != NULL; p = &((*p)->next)) { 631 if ((*p)->owner != ad || strcmp(host, (*p)->host) != 0 || 632 (*p)->port != port) 633 continue; 634 /* found */ 635 if (atomic_dec_32_nv(&((*p)->ref)) > 0) 636 break; /* still in use */ 637 638 q = *p; 639 *p = (*p)->next; 640 641 (void) pthread_mutex_destroy(&q->lock); 642 643 if (q->ld) 644 (void) ldap_unbind(q->ld); 645 if (q->host) 646 free(q->host); 647 free(q); 648 break; 649 } 650 (void) pthread_mutex_unlock(&adhostlock); 651 } 652 653 /* 654 * Convert a binary SID in a BerValue to a sid_t 655 */ 656 static 657 int 658 idmap_getsid(BerValue *bval, sid_t *sidp) 659 { 660 int i, j; 661 uchar_t *v; 662 uint32_t a; 663 664 /* 665 * The binary format of a SID is as follows: 666 * 667 * byte #0: version, always 0x01 668 * byte #1: RID count, always <= 0x0f 669 * bytes #2-#7: SID authority, big-endian 48-bit unsigned int 670 * 671 * followed by RID count RIDs, each a little-endian, unsigned 672 * 32-bit int. 673 */ 674 /* 675 * Sanity checks: must have at least one RID, version must be 676 * 0x01, and the length must be 8 + rid count * 4 677 */ 678 if (bval->bv_len > 8 && bval->bv_val[0] == 0x01 && 679 bval->bv_len == 1 + 1 + 6 + bval->bv_val[1] * 4) { 680 v = (uchar_t *)bval->bv_val; 681 sidp->version = v[0]; 682 sidp->sub_authority_count = v[1]; 683 sidp->authority = 684 /* big endian -- so start from the left */ 685 ((u_longlong_t)v[2] << 40) | 686 ((u_longlong_t)v[3] << 32) | 687 ((u_longlong_t)v[4] << 24) | 688 ((u_longlong_t)v[5] << 16) | 689 ((u_longlong_t)v[6] << 8) | 690 (u_longlong_t)v[7]; 691 for (i = 0; i < sidp->sub_authority_count; i++) { 692 j = 8 + (i * 4); 693 /* little endian -- so start from the right */ 694 a = (v[j + 3] << 24) | (v[j + 2] << 16) | 695 (v[j + 1] << 8) | (v[j]); 696 sidp->sub_authorities[i] = a; 697 } 698 return (0); 699 } 700 return (-1); 701 } 702 703 /* 704 * Convert a sid_t to S-1-... 705 */ 706 static 707 char * 708 idmap_sid2txt(sid_t *sidp) 709 { 710 int rlen, i, len; 711 char *str, *cp; 712 713 if (sidp->version != 1) 714 return (NULL); 715 716 len = sizeof ("S-1-") - 1; 717 718 /* 719 * We could optimize like so, but, why? 720 * if (sidp->authority < 10) 721 * len += 2; 722 * else if (sidp->authority < 100) 723 * len += 3; 724 * else 725 * len += snprintf(NULL, 0"%llu", sidp->authority); 726 */ 727 len += snprintf(NULL, 0, "%llu", sidp->authority); 728 729 /* Max length of a uint32_t printed out in ASCII is 10 bytes */ 730 len += 1 + (sidp->sub_authority_count + 1) * 10; 731 732 if ((cp = str = malloc(len)) == NULL) 733 return (NULL); 734 735 rlen = snprintf(str, len, "S-1-%llu", sidp->authority); 736 737 cp += rlen; 738 len -= rlen; 739 740 for (i = 0; i < sidp->sub_authority_count; i++) { 741 assert(len > 0); 742 rlen = snprintf(cp, len, "-%u", sidp->sub_authorities[i]); 743 cp += rlen; 744 len -= rlen; 745 assert(len >= 0); 746 } 747 748 return (str); 749 } 750 751 /* 752 * Convert a sid_t to on-the-wire encoding 753 */ 754 static 755 int 756 idmap_sid2binsid(sid_t *sid, uchar_t *binsid, int binsidlen) 757 { 758 uchar_t *p; 759 int i; 760 uint64_t a; 761 uint32_t r; 762 763 if (sid->version != 1 || 764 binsidlen != (1 + 1 + 6 + sid->sub_authority_count * 4)) 765 return (-1); 766 767 p = binsid; 768 *p++ = 0x01; /* version */ 769 /* sub authority count */ 770 *p++ = sid->sub_authority_count; 771 /* Authority */ 772 a = sid->authority; 773 /* big-endian -- start from left */ 774 *p++ = (a >> 40) & 0xFF; 775 *p++ = (a >> 32) & 0xFF; 776 *p++ = (a >> 24) & 0xFF; 777 *p++ = (a >> 16) & 0xFF; 778 *p++ = (a >> 8) & 0xFF; 779 *p++ = a & 0xFF; 780 781 /* sub-authorities */ 782 for (i = 0; i < sid->sub_authority_count; i++) { 783 r = sid->sub_authorities[i]; 784 /* little-endian -- start from right */ 785 *p++ = (r & 0x000000FF); 786 *p++ = (r & 0x0000FF00) >> 8; 787 *p++ = (r & 0x00FF0000) >> 16; 788 *p++ = (r & 0xFF000000) >> 24; 789 } 790 791 return (0); 792 } 793 794 /* 795 * Convert a stringified SID (S-1-...) into a hex-encoded version of the 796 * on-the-wire encoding, but with each pair of hex digits pre-pended 797 * with a '\', so we can pass this to libldap. 798 */ 799 static 800 int 801 idmap_txtsid2hexbinsid(const char *txt, const rid_t *rid, 802 char *hexbinsid, int hexbinsidlen) 803 { 804 sid_t sid = { 0 }; 805 int i, j; 806 const char *cp; 807 char *ecp; 808 u_longlong_t a; 809 unsigned long r; 810 uchar_t *binsid, b, hb; 811 812 /* Only version 1 SIDs please */ 813 if (strncmp(txt, "S-1-", strlen("S-1-")) != 0) 814 return (-1); 815 816 if (strlen(txt) < (strlen("S-1-") + 1)) 817 return (-1); 818 819 /* count '-'s */ 820 for (j = 0, cp = strchr(txt, '-'); 821 cp != NULL && *cp != '\0'; 822 j++, cp = strchr(cp + 1, '-')) { 823 /* can't end on a '-' */ 824 if (*(cp + 1) == '\0') 825 return (-1); 826 } 827 828 /* must have at least one RID, but not too many */ 829 if (j < 3 || (j - 1) > SID_MAX_SUB_AUTHORITIES || 830 (rid != NULL && j > SID_MAX_SUB_AUTHORITIES)) 831 return (-1); 832 833 /* check that we only have digits and '-' */ 834 if (strspn(txt + 1, "0123456789-") < (strlen(txt) - 1)) 835 return (-1); 836 837 /* we know the version number and RID count */ 838 sid.version = 1; 839 sid.sub_authority_count = j - 2; 840 841 cp = txt + strlen("S-1-"); 842 843 /* 64-bit safe parsing of unsigned 48-bit authority value */ 844 errno = 0; 845 a = strtoull(cp, &ecp, 10); 846 847 /* errors parsing the authority or too many bits */ 848 if (cp == ecp || (a == 0 && errno == EINVAL) || 849 (a == ULLONG_MAX && errno == ERANGE) || 850 (a & 0x0000ffffffffffffULL) != a) 851 return (-1); 852 853 cp = ecp; 854 855 sid.authority = (uint64_t)a; 856 857 for (i = 0; i < sid.sub_authority_count; i++) { 858 if (*cp++ != '-') 859 return (-1); 860 /* 64-bit safe parsing of unsigned 32-bit RID */ 861 errno = 0; 862 r = strtoul(cp, &ecp, 10); 863 /* errors parsing the RID or too many bits */ 864 if (cp == ecp || (r == 0 && errno == EINVAL) || 865 (r == ULONG_MAX && errno == ERANGE) || 866 (r & 0xffffffffUL) != r) 867 return (-1); 868 sid.sub_authorities[i] = (uint32_t)r; 869 cp = ecp; 870 } 871 872 /* check that all of the string SID has been consumed */ 873 if (*cp != '\0') 874 return (-1); 875 876 if (rid != NULL) { 877 sid.sub_authorities[sid.sub_authority_count++] = *rid; 878 } 879 880 j = 1 + 1 + 6 + sid.sub_authority_count * 4; 881 882 if (hexbinsidlen < (j * 3)) 883 return (-2); 884 885 /* binary encode the SID */ 886 binsid = (uchar_t *)alloca(j); 887 (void) idmap_sid2binsid(&sid, binsid, j); 888 889 /* hex encode, with a backslash before each byte */ 890 for (ecp = hexbinsid, i = 0; i < j; i++) { 891 b = binsid[i]; 892 *ecp++ = '\\'; 893 hb = (b >> 4) & 0xF; 894 *ecp++ = (hb <= 0x9 ? hb + '0' : hb - 10 + 'A'); 895 hb = b & 0xF; 896 *ecp++ = (hb <= 0x9 ? hb + '0' : hb - 10 + 'A'); 897 } 898 *ecp = '\0'; 899 900 return (0); 901 } 902 903 static 904 char * 905 convert_bval2sid(BerValue *bval, rid_t *rid) 906 { 907 sid_t sid; 908 909 if (idmap_getsid(bval, &sid) < 0) 910 return (NULL); 911 912 /* 913 * If desired and if the SID is what should be a domain/computer 914 * user or group SID (i.e., S-1-5-w-x-y-z-<user/group RID>) then 915 * save the last RID and truncate the SID 916 */ 917 if (rid != NULL && sid.authority == 5 && sid.sub_authority_count == 5) 918 *rid = sid.sub_authorities[--sid.sub_authority_count]; 919 return (idmap_sid2txt(&sid)); 920 } 921 922 923 idmap_retcode 924 idmap_lookup_batch_start(ad_t *ad, int nqueries, idmap_query_state_t **state) 925 { 926 idmap_query_state_t *new_state; 927 ad_host_t *adh = NULL; 928 929 *state = NULL; 930 931 if (*ad->dflt_w2k_dom == '\0') 932 return (-1); 933 934 adh = idmap_get_conn(ad); 935 if (adh == NULL) 936 return (IDMAP_ERR_OTHER); 937 938 new_state = calloc(1, sizeof (idmap_query_state_t) + 939 (nqueries - 1) * sizeof (idmap_q_t)); 940 941 if (new_state == NULL) 942 return (IDMAP_ERR_MEMORY); 943 944 new_state->qadh = adh; 945 new_state->qcount = nqueries; 946 new_state->qadh_gen = adh->generation; 947 /* should be -1, but the atomic routines want unsigned */ 948 new_state->qlastsent = 0; 949 950 (void) pthread_mutex_lock(&qstatelock); 951 new_state->next = qstatehead; 952 qstatehead = new_state; 953 (void) pthread_mutex_unlock(&qstatelock); 954 955 *state = new_state; 956 957 return (IDMAP_SUCCESS); 958 } 959 960 /* 961 * Find the idmap_query_state_t to which a given LDAP result msgid on a 962 * given connection belongs 963 */ 964 static 965 int 966 idmap_msgid2query(ad_host_t *adh, int msgid, 967 idmap_query_state_t **state, int *qid) 968 { 969 idmap_query_state_t *p; 970 int i; 971 972 (void) pthread_mutex_lock(&qstatelock); 973 for (p = qstatehead; p != NULL; p = p->next) { 974 if (p->qadh != adh || adh->generation != p->qadh_gen) 975 continue; 976 for (i = 0; i < p->qcount; i++) { 977 if ((p->queries[i]).msgid == msgid) { 978 *state = p; 979 *qid = i; 980 (void) pthread_mutex_unlock(&qstatelock); 981 return (1); 982 } 983 } 984 } 985 (void) pthread_mutex_unlock(&qstatelock); 986 return (0); 987 } 988 989 /* 990 * Handle an objectSid attr from a result 991 */ 992 static 993 void 994 idmap_bv_objsid2sidstr(BerValue **bvalues, idmap_q_t *q) 995 { 996 if (bvalues == NULL) 997 return; 998 /* objectSid is single valued */ 999 *(q->result) = convert_bval2sid(bvalues[0], q->rid); 1000 q->got_objectSid = 1; 1001 } 1002 1003 /* 1004 * Handle a sAMAccountName attr from a result 1005 */ 1006 static 1007 void 1008 idmap_bv_samaccountname2name(BerValue **bvalues, idmap_q_t *q, const char *dn) 1009 { 1010 char *result, *domain; 1011 int len; 1012 1013 if (bvalues == NULL) 1014 return; 1015 1016 if ((domain = dn2dns(dn)) == NULL) 1017 return; 1018 1019 if (bvalues == NULL || bvalues[0] == NULL || 1020 bvalues[0]->bv_val == NULL) 1021 return; 1022 1023 len = bvalues[0]->bv_len + 1; 1024 1025 if (q->domain != NULL) 1026 *(q->domain) = domain; 1027 else 1028 len += strlen(domain) + 1; 1029 1030 if ((result = malloc(len)) == NULL) { 1031 if (q->domain != NULL) 1032 *(q->domain) = NULL; 1033 free(domain); 1034 return; 1035 } 1036 1037 (void) memcpy(result, bvalues[0]->bv_val, (size_t)bvalues[0]->bv_len); 1038 result[bvalues[0]->bv_len] = '\0'; 1039 1040 if (q->domain == NULL) { 1041 (void) strlcat(result, "@", len); 1042 (void) strlcat(result, domain, len); 1043 free(domain); 1044 } 1045 1046 *(q->result) = result; 1047 q->got_samAcctName = 1; 1048 } 1049 1050 1051 #define BVAL_CASEEQ(bv, str) \ 1052 (((*(bv))->bv_len == (sizeof (str) - 1)) && \ 1053 strncasecmp((*(bv))->bv_val, str, (*(bv))->bv_len) == 0) 1054 1055 /* 1056 * Handle an objectClass attr from a result 1057 */ 1058 static 1059 void 1060 idmap_bv_objclass2sidtype(BerValue **bvalues, idmap_q_t *q) 1061 { 1062 BerValue **cbval; 1063 1064 if (bvalues == NULL) 1065 return; 1066 1067 for (cbval = bvalues; *cbval != NULL; cbval++) { 1068 /* don't clobber sid_type */ 1069 if (*(q->sid_type) == _IDMAP_T_COMPUTER || 1070 *(q->sid_type) == _IDMAP_T_GROUP || 1071 *(q->sid_type) == _IDMAP_T_USER) 1072 continue; 1073 1074 if (BVAL_CASEEQ(cbval, "Computer")) { 1075 *(q->sid_type) = _IDMAP_T_COMPUTER; 1076 return; 1077 } else if (BVAL_CASEEQ(cbval, "Group")) { 1078 *(q->sid_type) = _IDMAP_T_GROUP; 1079 } else if (BVAL_CASEEQ(cbval, "USER")) { 1080 *(q->sid_type) = _IDMAP_T_USER; 1081 } else 1082 *(q->sid_type) = _IDMAP_T_OTHER; 1083 q->got_objectClass = 1; 1084 } 1085 } 1086 1087 /* 1088 * Handle a given search result entry 1089 */ 1090 static 1091 void 1092 idmap_extract_object(idmap_query_state_t *state, int qid, LDAPMessage *res) 1093 { 1094 char *dn, *attr; 1095 BerElement *ber = NULL; 1096 BerValue **bvalues; 1097 ad_host_t *adh; 1098 idmap_q_t *q; 1099 idmap_retcode orc; 1100 1101 adh = state->qadh; 1102 1103 (void) pthread_mutex_lock(&adh->lock); 1104 1105 if (adh->dead || (dn = ldap_get_dn(adh->ld, res)) == NULL) { 1106 (void) pthread_mutex_unlock(&adh->lock); 1107 return; 1108 } 1109 1110 q = &(state->queries[qid]); 1111 1112 for (attr = ldap_first_attribute(adh->ld, res, &ber); attr != NULL; 1113 attr = ldap_next_attribute(adh->ld, res, ber)) { 1114 orc = *q->rc; 1115 bvalues = NULL; /* for memory management below */ 1116 1117 /* 1118 * If this is an attribute we are looking for and 1119 * haven't seen it yet, parse it 1120 */ 1121 if (orc != IDMAP_SUCCESS && q->n2s && !q->got_objectSid && 1122 strcasecmp(attr, OBJECTSID) == 0) { 1123 bvalues = ldap_get_values_len(adh->ld, res, attr); 1124 idmap_bv_objsid2sidstr(bvalues, q); 1125 } else if (orc != IDMAP_SUCCESS && !q->n2s && 1126 !q->got_samAcctName && 1127 strcasecmp(attr, SAMACCOUNTNAME) == 0) { 1128 bvalues = ldap_get_values_len(adh->ld, res, attr); 1129 idmap_bv_samaccountname2name(bvalues, q, dn); 1130 } else if (orc != IDMAP_SUCCESS && !q->got_objectClass && 1131 strcasecmp(attr, OBJECTCLASS) == 0) { 1132 bvalues = ldap_get_values_len(adh->ld, res, attr); 1133 idmap_bv_objclass2sidtype(bvalues, q); 1134 } 1135 1136 if (bvalues != NULL) 1137 ldap_value_free_len(bvalues); 1138 ldap_memfree(attr); 1139 1140 if (q->n2s) 1141 *q->rc = (q->got_objectSid && 1142 q->got_objectClass) ? 1143 IDMAP_SUCCESS : IDMAP_ERR_NORESULT; 1144 else 1145 *q->rc = (q->got_samAcctName && 1146 q->got_objectClass) ? 1147 IDMAP_SUCCESS : IDMAP_ERR_NORESULT; 1148 1149 if (*q->rc == IDMAP_SUCCESS && *q->result == NULL) 1150 *q->rc = IDMAP_ERR_NORESULT; 1151 } 1152 (void) pthread_mutex_unlock(&adh->lock); 1153 1154 /* 1155 * If there should be multiple partial results for different 1156 * entities (there should not be, but, if it should happen) then 1157 * it's possible that they could get mixed up here and we could 1158 * get bogus results. We just mark the query's results as 1159 * toxic (IDMAP_ERR_INTERNAL). 1160 * 1161 * Between this and ignoring results when we've already filled 1162 * out a query's results we should be OK. The first full reply 1163 * wins. In practice we should never get multiple results. 1164 */ 1165 if (orc == IDMAP_ERR_INTERNAL) 1166 *q->rc = IDMAP_ERR_INTERNAL; 1167 else if (*q->rc != IDMAP_SUCCESS) 1168 *q->rc = IDMAP_ERR_INTERNAL; 1169 1170 if (ber != NULL) 1171 ber_free(ber, 0); 1172 1173 ldap_memfree(dn); 1174 } 1175 1176 /* 1177 * Try to get a result; if there is one, find the corresponding 1178 * idmap_q_t and process the result. 1179 */ 1180 static 1181 int 1182 idmap_get_adobject_batch(ad_host_t *adh, struct timeval *timeout) 1183 { 1184 idmap_query_state_t *query_state; 1185 LDAPMessage *res = NULL; 1186 int rc, ret, msgid, qid; 1187 1188 (void) pthread_mutex_lock(&adh->lock); 1189 if (adh->dead) { 1190 (void) pthread_mutex_unlock(&adh->lock); 1191 return (-1); 1192 } 1193 1194 /* Get one result */ 1195 rc = ldap_result(adh->ld, LDAP_RES_ANY, 0, 1196 timeout, &res); 1197 if (rc == LDAP_UNAVAILABLE || rc == LDAP_UNWILLING_TO_PERFORM || 1198 rc == LDAP_CONNECT_ERROR || rc == LDAP_SERVER_DOWN || 1199 rc == LDAP_BUSY) 1200 adh->dead = 1; 1201 (void) pthread_mutex_unlock(&adh->lock); 1202 1203 if (adh->dead) 1204 return (-1); 1205 1206 switch (rc) { 1207 case LDAP_RES_SEARCH_RESULT: 1208 /* We have all the LDAP replies for some search... */ 1209 msgid = ldap_msgid(res); 1210 if (idmap_msgid2query(adh, msgid, 1211 &query_state, &qid)) { 1212 /* ...so we can decrement qinflight */ 1213 atomic_dec_32(&query_state->qinflight); 1214 /* we saw at least one reply */ 1215 query_state->queries[qid].got_reply = 1; 1216 } 1217 (void) ldap_msgfree(res); 1218 ret = 0; 1219 break; 1220 case LDAP_RES_SEARCH_REFERENCE: 1221 /* 1222 * We have no need for these at the moment. Eventually, 1223 * when we query things that we can't expect to find in 1224 * the Global Catalog then we'll need to learn to follow 1225 * references. 1226 */ 1227 (void) ldap_msgfree(res); 1228 ret = 0; 1229 break; 1230 case LDAP_RES_SEARCH_ENTRY: 1231 /* Got a result */ 1232 msgid = ldap_msgid(res); 1233 if (idmap_msgid2query(adh, msgid, 1234 &query_state, &qid)) { 1235 idmap_extract_object(query_state, qid, res); 1236 /* we saw at least one result */ 1237 query_state->queries[qid].got_reply = 1; 1238 query_state->queries[qid].got_results = 1; 1239 } 1240 (void) ldap_msgfree(res); 1241 ret = 0; 1242 break; 1243 default: 1244 /* timeout or error; treat the same */ 1245 ret = -1; 1246 break; 1247 } 1248 1249 return (ret); 1250 } 1251 1252 void 1253 idmap_lookup_free_batch(idmap_query_state_t **state) 1254 { 1255 idmap_query_state_t **p; 1256 1257 idmap_release_conn((*state)->qadh); 1258 1259 /* Remove this state struct from the list of state structs */ 1260 (void) pthread_mutex_lock(&qstatelock); 1261 for (p = &qstatehead; *p != NULL; p = &(*p)->next) { 1262 if (*p == (*state)) { 1263 *p = (*state)->next; 1264 break; 1265 } 1266 } 1267 (void) pthread_mutex_unlock(&qstatelock); 1268 1269 free(*state); 1270 *state = NULL; 1271 } 1272 1273 idmap_retcode 1274 idmap_lookup_batch_end(idmap_query_state_t **state, 1275 struct timeval *timeout) 1276 { 1277 idmap_q_t *q; 1278 int i; 1279 int rc = LDAP_SUCCESS; 1280 idmap_retcode retcode = IDMAP_SUCCESS; 1281 1282 (*state)->qdead = 1; 1283 1284 /* Process results until done or until timeout, if given */ 1285 while ((*state)->qinflight > 0) { 1286 if ((rc = idmap_get_adobject_batch((*state)->qadh, 1287 timeout)) != 0) 1288 break; 1289 } 1290 1291 if (rc == LDAP_UNAVAILABLE || rc == LDAP_UNWILLING_TO_PERFORM || 1292 rc == LDAP_CONNECT_ERROR || rc == LDAP_SERVER_DOWN || 1293 rc == LDAP_BUSY) { 1294 retcode = IDMAP_ERR_RETRIABLE_NET_ERR; 1295 (*state)->qadh->dead = 1; 1296 } 1297 1298 for (i = 0; i < (*state)->qcount; i++) { 1299 q = &((*state)->queries[i]); 1300 if (q->got_reply && !q->got_results) { 1301 if (retcode == IDMAP_ERR_RETRIABLE_NET_ERR) 1302 *q->rc = IDMAP_ERR_RETRIABLE_NET_ERR; 1303 else 1304 *q->rc = IDMAP_ERR_NOTFOUND; 1305 } 1306 } 1307 1308 idmap_lookup_free_batch(state); 1309 1310 return (retcode); 1311 } 1312 1313 /* 1314 * Send one prepared search, queue up msgid, process what results are 1315 * available 1316 */ 1317 static 1318 idmap_retcode 1319 idmap_batch_add1(idmap_query_state_t *state, int n2s, 1320 const char *filter, const char *basedn, 1321 char **result, char **dname, rid_t *rid, int *sid_type, 1322 idmap_retcode *rc) 1323 { 1324 idmap_retcode retcode = IDMAP_SUCCESS; 1325 int lrc, qid; 1326 struct timeval tv; 1327 idmap_q_t *q; 1328 1329 if (state->qdead) { 1330 *rc = IDMAP_ERR_NORESULT; 1331 return (IDMAP_ERR_RETRIABLE_NET_ERR); 1332 } 1333 1334 qid = atomic_inc_32_nv(&state->qlastsent) - 1; 1335 1336 q = &(state->queries[qid]); 1337 1338 /* Remember where to put the results */ 1339 q->result = result; 1340 q->domain = dname; 1341 q->rid = rid; 1342 q->sid_type = sid_type; 1343 q->rc = rc; 1344 q->n2s = n2s ? 1 : 0; 1345 q->got_objectSid = 0; 1346 q->got_objectClass = 0; 1347 q->got_samAcctName = 0; 1348 1349 /* 1350 * Provide sane defaults for the results in case we never hear 1351 * back from the DS before closing the connection. 1352 */ 1353 *rc = IDMAP_ERR_RETRIABLE_NET_ERR; 1354 *sid_type = _IDMAP_T_OTHER; 1355 *result = NULL; 1356 if (dname != NULL) 1357 *dname = NULL; 1358 if (rid != NULL) 1359 *rid = 0; 1360 1361 /* Send this lookup, don't wait for a result here */ 1362 (void) pthread_mutex_lock(&state->qadh->lock); 1363 1364 if (!state->qadh->dead) { 1365 state->qadh->idletime = time(NULL); 1366 lrc = ldap_search_ext(state->qadh->ld, basedn, 1367 LDAP_SCOPE_SUBTREE, filter, NULL, 0, NULL, NULL, 1368 NULL, -1, &q->msgid); 1369 if (lrc == LDAP_BUSY || lrc == LDAP_UNAVAILABLE || 1370 lrc == LDAP_CONNECT_ERROR || lrc == LDAP_SERVER_DOWN || 1371 lrc == LDAP_UNWILLING_TO_PERFORM) { 1372 retcode = IDMAP_ERR_RETRIABLE_NET_ERR; 1373 state->qadh->dead = 1; 1374 } else if (lrc != LDAP_SUCCESS) { 1375 retcode = IDMAP_ERR_OTHER; 1376 state->qadh->dead = 1; 1377 } 1378 } 1379 (void) pthread_mutex_unlock(&state->qadh->lock); 1380 1381 if (state->qadh->dead) 1382 return (retcode); 1383 1384 atomic_inc_32(&state->qinflight); 1385 1386 /* 1387 * Reap as many requests as we can _without_ waiting 1388 * 1389 * We do this to prevent any possible TCP socket buffer 1390 * starvation deadlocks. 1391 */ 1392 (void) memset(&tv, 0, sizeof (tv)); 1393 while (idmap_get_adobject_batch(state->qadh, &tv) == 0) 1394 ; 1395 1396 return (IDMAP_SUCCESS); 1397 } 1398 1399 idmap_retcode 1400 idmap_name2sid_batch_add1(idmap_query_state_t *state, 1401 const char *name, const char *dname, 1402 char **sid, rid_t *rid, int *sid_type, idmap_retcode *rc) 1403 { 1404 idmap_retcode retcode; 1405 int flen, samAcctNameLen; 1406 char *filter = NULL; 1407 char *basedn = NULL; 1408 char *cp; 1409 1410 /* 1411 * Strategy: search [the global catalog] for user/group by 1412 * sAMAccountName = user/groupname with base DN derived from the 1413 * domain name. The objectSid and objectClass of the result are 1414 * all we need to figure out the SID of the user/group and 1415 * whether it is a user or a group. 1416 */ 1417 1418 /* 1419 * Handle optional domain parameter and default domain 1420 * semantics. The get a basedn from the domainname. 1421 */ 1422 if (dname == NULL || *dname != '\0') { 1423 /* domain name not given separately */ 1424 if ((cp = strchr(name, '@')) == NULL) { 1425 /* nor is the name qualified */ 1426 dname = state->qadh->owner->dflt_w2k_dom; 1427 basedn = state->qadh->owner->basedn; 1428 samAcctNameLen = strlen(name); 1429 } else { 1430 /* the name is qualified */ 1431 /* LINTED */ 1432 samAcctNameLen = cp - name; 1433 dname = cp + 1; 1434 } 1435 } 1436 1437 if (basedn == NULL) 1438 basedn = dns2dn(dname); 1439 1440 /* Assemble filter */ 1441 flen = snprintf(NULL, 0, SANFILTER, samAcctNameLen, name) + 1; 1442 if ((filter = (char *)malloc(flen)) == NULL) { 1443 if (basedn != state->qadh->owner->basedn) 1444 free(basedn); 1445 return (IDMAP_ERR_MEMORY); 1446 } 1447 (void) snprintf(filter, flen, SANFILTER, samAcctNameLen, name); 1448 1449 retcode = idmap_batch_add1(state, 1, filter, basedn, 1450 sid, NULL, rid, sid_type, rc); 1451 1452 if (basedn != state->qadh->owner->basedn) 1453 free(basedn); 1454 free(filter); 1455 1456 return (retcode); 1457 } 1458 1459 idmap_retcode 1460 idmap_sid2name_batch_add1(idmap_query_state_t *state, 1461 const char *sid, const rid_t *rid, 1462 char **name, char **dname, int *sid_type, idmap_retcode *rc) 1463 { 1464 idmap_retcode retcode; 1465 int flen, ret; 1466 char *filter = NULL; 1467 char cbinsid[MAXHEXBINSID + 1]; 1468 1469 /* 1470 * Strategy: search [the global catalog] for user/group by 1471 * objectSid = SID with empty base DN. The DN, sAMAccountName 1472 * and objectClass of the result are all we need to figure out 1473 * the name of the SID and whether it is a user, a group or a 1474 * computer. 1475 */ 1476 1477 ret = idmap_txtsid2hexbinsid(sid, rid, &cbinsid[0], sizeof (cbinsid)); 1478 if (ret != 0) 1479 return (IDMAP_ERR_SID); 1480 1481 /* Assemble filter */ 1482 flen = snprintf(NULL, 0, OBJECTSIDFILTER, cbinsid) + 1; 1483 if ((filter = (char *)malloc(flen)) == NULL) 1484 return (IDMAP_ERR_MEMORY); 1485 (void) snprintf(filter, flen, OBJECTSIDFILTER, cbinsid); 1486 1487 retcode = idmap_batch_add1(state, 0, filter, NULL, name, dname, 1488 NULL, sid_type, rc); 1489 1490 free(filter); 1491 1492 return (retcode); 1493 } 1494