1c5c4113dSnw141292 /*
2c5c4113dSnw141292  * CDDL HEADER START
3c5c4113dSnw141292  *
4c5c4113dSnw141292  * The contents of this file are subject to the terms of the
5c5c4113dSnw141292  * Common Development and Distribution License (the "License").
6c5c4113dSnw141292  * You may not use this file except in compliance with the License.
7c5c4113dSnw141292  *
8c5c4113dSnw141292  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9c5c4113dSnw141292  * or http://www.opensolaris.org/os/licensing.
10c5c4113dSnw141292  * See the License for the specific language governing permissions
11c5c4113dSnw141292  * and limitations under the License.
12c5c4113dSnw141292  *
13c5c4113dSnw141292  * When distributing Covered Code, include this CDDL HEADER in each
14c5c4113dSnw141292  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15c5c4113dSnw141292  * If applicable, add the following below this CDDL HEADER, with the
16c5c4113dSnw141292  * fields enclosed by brackets "[]" replaced with your own identifying
17c5c4113dSnw141292  * information: Portions Copyright [yyyy] [name of copyright owner]
18c5c4113dSnw141292  *
19c5c4113dSnw141292  * CDDL HEADER END
20c5c4113dSnw141292  */
21c5c4113dSnw141292 
22c5c4113dSnw141292 /*
23c5c4113dSnw141292  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24c5c4113dSnw141292  * Use is subject to license terms.
25c5c4113dSnw141292  */
26c5c4113dSnw141292 
27c5c4113dSnw141292 #ifndef _ADUTILS_H
28c5c4113dSnw141292 #define	_ADUTILS_H
29c5c4113dSnw141292 
30c5c4113dSnw141292 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31c5c4113dSnw141292 
32c5c4113dSnw141292 #ifdef __cplusplus
33c5c4113dSnw141292 extern "C" {
34c5c4113dSnw141292 #endif
35c5c4113dSnw141292 
/*
 * Processes name2sid and sid2name lookups for a given user or computer
 * against an Active Directory server over LDAP, authenticating with
 * GSSAPI.  Lookups are batched; see the interfaces below.
 */
40c5c4113dSnw141292 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <lber.h>
#include <ldap.h>
#include <sasl/sasl.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/time.h>		/* struct timeval, used by idmap_lookup_batch_end() */
#include <time.h>
#include <thread.h>
#include <synch.h>
#include "idmap_prot.h"
#include <sys/idmap.h>
55c5c4113dSnw141292 
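/*
 * Constants shared with the rest of idmapd.  (The original note here
 * only wondered whether they were copied from other idmapd code; their
 * provenance is not recorded.)
 */

/*
 * Object-type codes; presumably the values delivered through the
 * 'sid_type' output parameters of the batch lookup functions below
 * (confirm against the implementation).  These should eventually
 * become an enum, but they share a namespace with other things in
 * idmapd, so for now they remain macros.  The _IDMAP_T_ prefix lies in
 * the identifier space reserved for the C implementation and is kept
 * only for compatibility with existing users.
 *
 * Every expansion is parenthesized so that a negative constant binds as
 * a single operand wherever the macro appears inside a larger
 * expression.
 */
#define	_IDMAP_T_OTHER		(0)
#define	_IDMAP_T_UNDEF		(-1)
#define	_IDMAP_T_USER		(-1004)
#define	_IDMAP_T_GROUP		(-1005)
#define	_IDMAP_T_DOMAIN		(-1006)
#define	_IDMAP_T_COMPUTER	(-1007)

/*
 * Size limits for a binary SID: one revision byte, one sub-authority
 * count byte, a 6-byte identifier authority, then up to
 * SID_MAX_SUB_AUTHORITIES 32-bit sub-authorities (68 bytes in total).
 *
 * MAXHEXBINSID allows three characters per byte, presumably for the
 * "\XX" escaping of binary values in LDAP search filters.  Neither
 * figure includes a terminating NUL: a buffer that must hold a C string
 * of that length needs one extra byte.
 */
#define	SID_MAX_SUB_AUTHORITIES	15
#define	MAXBINSID	(1 + 1 + 6 + (SID_MAX_SUB_AUTHORITIES * 4))
#define	MAXHEXBINSID	(MAXBINSID * 3)

/* Relative identifier: the last sub-authority of a SID. */
typedef uint32_t rid_t;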
76c5c4113dSnw141292 
/*
 * Which AD partition an ad_t talks to.  The enumerators are spelled as
 * the conventional port numbers for plain LDAP (389) and the global
 * catalog (3268) purely as a mnemonic; the values are never used as
 * port numbers (ports are passed explicitly to idmap_add_ds()).
 */
enum idmap_ad_partition {
	IDMAP_AD_DATA		= 389,
	IDMAP_AD_GLOBAL_CATALOG	= 3268
};
typedef enum idmap_ad_partition idmap_ad_partition_t;
87c5c4113dSnw141292 
/*
 * Opaque handles; the struct definitions live in the implementation,
 * not in this header, so callers only ever hold pointers.
 */
typedef struct ad ad_t;					/* one AD partition plus its DS list */
typedef struct idmap_query_state idmap_query_state_t;	/* one batch of lookups */
90c5c4113dSnw141292 
/*
 * Idmap interfaces:
 *
 *  - an ad_t represents an AD partition
 *  - a DS (hostname + port, if port != 0) can be added to / removed
 *  from an ad_t
 *  - because libldap accepts space-separated lists of servers, a
 *  single hostname value can actually name a set of hosts; whoever
 *  supplies that value chooses which directory servers idmapd will
 *  bind to, so it must come from trusted configuration
 *  - an ad_t can be allocated, ref'ed and released; the last release
 *  frees its resources
 *  - lookups are batched; see "Batch lookups" below
 */
105c5c4113dSnw141292 
/*
 * Allocate/release ad_t objects.
 *
 * idmap_ad_alloc() stores the new object in *new_ad; 'part' selects the
 * partition (see idmap_ad_partition_t) and 'default_domain' is
 * presumably the domain assumed for unqualified names.  Returns 0 on
 * success and non-zero on failure, following the convention the batch
 * notes below use for add1 -- confirm the exact codes against the
 * implementation.
 *
 * idmap_ad_free() releases *ad; it takes ad_t ** presumably so that it
 * can reset *ad to NULL.  NOTE(review): whether a NULL *ad is tolerated
 * is not visible from this header -- confirm before relying on it.
 */
int idmap_ad_alloc(ad_t **new_ad, const char *default_domain,
		idmap_ad_partition_t part);
void idmap_ad_free(ad_t **ad);
110c5c4113dSnw141292 
/*
 * Add/remove a DS to/from an ad_t.
 *
 * 'host' may be a space-separated list of hostnames (libldap accepts
 * that form, see the interface notes above).  A 'port' of 0 presumably
 * means "no explicit port"; idmap_add_ds() returns 0 on success and
 * non-zero on failure -- confirm both against the implementation.
 *
 * Security note: this list determines which servers idmapd will
 * authenticate to and trust for name/SID data.  GSSAPI only provides
 * mutual authentication when the implementation requests it, so never
 * derive the host string from untrusted input.
 */
int idmap_add_ds(ad_t *ad, const char *host, int port);
void idmap_delete_ds(ad_t *ad, const char *host, int port);
114c5c4113dSnw141292 
/*
 * Batch lookups
 *
 * Start a batch, add queries to it one at a time, then end the batch to
 * wait for the replies to all outstanding queries.  The output pointers
 * of different queries must not alias each other, or one query's
 * results will clobber (and leak) another's.  The output parameters of
 * each query are initialized to NULL or -1 as appropriate.
 *
 * LDAP searches are sent one by one without waiting (i.e., blocking)
 * for replies.  Replies are handled as soon as they are available.
 * Missing replies are waited for only when idmap_lookup_batch_end() is
 * called.
 *
 * If an add1 function returns != 0, abort the batch by calling
 * idmap_lookup_batch_end().  Some queries may already have been
 * answered by then, so check the result code (*rc) of every query, and
 * free() any output strings that were filled in, regardless of the
 * batch's overall return value.
 */
133c5c4113dSnw141292 
/*
 * Start a batch of lookups against 'ad'.
 *
 * 'nqueries' is the number of queries the caller intends to add with
 * the *_batch_add1() functions; the new batch object is stored in
 * *state.  NOTE(review): whether adding more than 'nqueries' queries is
 * rejected or merely inefficient is not visible here -- confirm.
 * Returns an idmap_retcode.
 */
idmap_retcode idmap_lookup_batch_start(ad_t *ad, int nqueries,
		idmap_query_state_t **state);
137c5c4113dSnw141292 
/*
 * End a batch and release its idmap_query_state_t object.
 *
 * Waits for the replies still outstanding, bounded by 'timeout'
 * (struct timeval, <sys/time.h>); NOTE(review): the meaning of a NULL
 * timeout is not documented here -- confirm before passing one.  Frees
 * *state.  Also the way to abort a batch after a failed add1 call; in
 * that case some queries may already have been answered, so the
 * per-query *rc values and any filled-in output strings must still be
 * examined and freed by the caller.
 */
idmap_retcode idmap_lookup_batch_end(idmap_query_state_t **state,
		struct timeval *timeout);
141c5c4113dSnw141292 
142c5c4113dSnw141292 /* Abandon a batch and release its idmap_query_state_t object */
14384decf41Sjp151216 void idmap_lookup_release_batch(idmap_query_state_t **state);
144c5c4113dSnw141292 
/*
 * Add a name->SID lookup to the batch.
 *
 *  - 'dname' is optional; if NULL or empty string then 'name' has to be
 *  a user/group name qualified with a domainname (e.g., foo@domain),
 *  else the 'name' must not be qualified and the domainname must be
 *  passed in 'dname'.
 *
 *  - 'eunixtype' is the expected Unix identity type used for the
 *  unixname part of the lookup; presumably one of the _IDMAP_T_* codes
 *  above -- confirm against the implementation.
 *
 *  - if 'rid' is NULL then the output SID string will include the last
 *  RID, else it won't and the last RID value will be stored in *rid.
 *
 *  - *canonname, *sid_type and *unixname are additional outputs (the
 *  canonical spelling of the name, the object type, and the mapped Unix
 *  name, as far as their names suggest).  Which of them may be NULL to
 *  opt out is not recorded here.
 *
 *  - *rc receives this query's own result once the batch is processed;
 *  check it even when idmap_lookup_batch_end() fails, since some
 *  queries may already have been answered.
 *
 *  The caller must free() *sid, and presumably *canonname and
 *  *unixname as well -- the original note predates those outputs, so
 *  confirm against the implementation.
 *
 *  NOTE(review): 'name' and 'dname' are untrusted if they arrive from
 *  idmapd's RPC clients, and a lookup is an LDAP search, so the
 *  implementation must escape them for use inside a search filter
 *  (RFC 4515 rules) before sending them.  This header cannot guarantee
 *  that; verify it in the implementation.
 */
idmap_retcode idmap_name2sid_batch_add1(idmap_query_state_t *state,
		const char *name, const char *dname, int eunixtype,
		char **canonname, char **sid, rid_t *rid, int *sid_type,
		char **unixname, idmap_retcode *rc);
/*
 * Add a SID->name lookup to the batch.
 *
 *  - 'rid' is optional; if NULL then 'sid' is expected to have the
 *  user/group RID present, else 'sid' is expected not to have it, and
 *  *rid will be used to qualify the given 'sid'
 *
 *  - 'dname' is optional; if NULL then the fully qualified user/group
 *  name will be stored in *name, else the domain name will be stored in
 *  *dname and the user/group name will be stored in *name without a
 *  domain qualifier.
 *
 *  - 'eunixtype' is the expected Unix identity type for the unixname
 *  part of the lookup; presumably one of the _IDMAP_T_* codes above.
 *  *sid_type receives the object type and *unixname the mapped Unix
 *  name; which outputs may be NULL to opt out is not recorded here.
 *
 *  - *rc receives this query's own result once the batch is processed;
 *  check it even when idmap_lookup_batch_end() fails.
 *
 *  The caller must free() *name and *dname (if present), and presumably
 *  *unixname as well -- the original note predates that output, so
 *  confirm against the implementation.
 *
 *  NOTE(review): 'sid' is a string supplied by the caller.  The
 *  MAXHEXBINSID constant above suggests it is converted to binary and
 *  \XX-escaped for the search filter; confirm that a malformed or
 *  over-long SID string is rejected rather than passed through.
 */
idmap_retcode idmap_sid2name_batch_add1(idmap_query_state_t *state,
		const char *sid, const rid_t *rid, int eunixtype,
		char **name, char **dname, int *sid_type,
		char **unixname, idmap_retcode *rc);
180*e8c27ec8Sbaban 
/*
 * Add a unixname->SID lookup to the batch.
 *
 *  - 'unixname' is the Unix user or group name to look up; 'is_user'
 *  and 'is_wuser' are flags whose exact semantics are not documented
 *  here (presumably: Unix side is a user; Windows side is a user --
 *  confirm against the implementation).
 *
 *  - outputs: *sid (and *rid, with the same NULL convention as the
 *  name2sid lookup, presumably), *name/*dname for the Windows name,
 *  *sid_type for the object type, and *rc for this query's own result.
 *  The string outputs are heap-allocated and must be free()d by the
 *  caller.
 *
 *  NOTE(review): 'unixname' is presumably matched against the attribute
 *  configured with idmap_lookup_batch_set_unixattr() via an LDAP search
 *  filter; the same filter-escaping requirement as for name2sid applies.
 */
idmap_retcode idmap_unixname2sid_batch_add1(idmap_query_state_t *state,
		const char *unixname, int is_user, int is_wuser,
		char **sid, rid_t *rid, char **name, char **dname,
		int *sid_type, idmap_retcode *rc);
188*e8c27ec8Sbaban 
/*
 * Set the AD attribute names that carry the Unix user name and Unix
 * group name for this batch (AD-based name mapping).
 *
 * These names are inserted into LDAP requests, so they must be valid
 * attribute descriptions and must come from trusted configuration, not
 * from client requests.  NOTE(review): whether 'state' copies the
 * strings or keeps the caller's pointers (and therefore what lifetime
 * they need) is not visible here -- confirm before passing temporaries.
 */
void idmap_lookup_batch_set_unixattr(idmap_query_state_t *state,
		const char *unixuser_attr, const char *unixgroup_attr);
194c5c4113dSnw141292 
195c5c4113dSnw141292 #ifdef __cplusplus
196c5c4113dSnw141292 }
197c5c4113dSnw141292 #endif
198c5c4113dSnw141292 
199c5c4113dSnw141292 #endif	/* _ADUTILS_H */
200