1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * Processes name2sid & sid2name batched lookups for a given user or 31 * computer from an AD Directory server using GSSAPI authentication 32 */ 33 34 #include <stdio.h> 35 #include <stdlib.h> 36 #include <alloca.h> 37 #include <string.h> 38 #include <strings.h> 39 #include <lber.h> 40 #include <ldap.h> 41 #include <sasl/sasl.h> 42 #include <string.h> 43 #include <ctype.h> 44 #include <pthread.h> 45 #include <synch.h> 46 #include <atomic.h> 47 #include <errno.h> 48 #include <assert.h> 49 #include <limits.h> 50 #include <sys/u8_textprep.h> 51 #include "idmapd.h" 52 53 /* 54 * Internal data structures for this code 55 */ 56 57 /* Attribute names and filter format strings */ 58 #define SAN "sAMAccountName" 59 #define OBJSID "objectSid" 60 #define OBJCLASS "objectClass" 61 #define SANFILTER "(sAMAccountName=%.*s)" 62 #define OBJSIDFILTER "(objectSid=%s)" 63 64 /* 65 * This should really be in some <sys/sid.h> file or so; we have a 66 * private version of sid_t, and so must other components of ON until we 67 * rationalize this. 68 */ 69 typedef struct sid { 70 uchar_t version; 71 uchar_t sub_authority_count; 72 uint64_t authority; /* really, 48-bits */ 73 rid_t sub_authorities[SID_MAX_SUB_AUTHORITIES]; 74 } sid_t; 75 76 /* A single DS */ 77 typedef struct ad_host { 78 struct ad_host *next; 79 ad_t *owner; /* ad_t to which this belongs */ 80 pthread_mutex_t lock; 81 LDAP *ld; /* LDAP connection */ 82 uint32_t ref; /* ref count */ 83 time_t idletime; /* time since last activity */ 84 int dead; /* error on LDAP connection */ 85 /* 86 * Used to distinguish between different instances of LDAP 87 * connections to this same DS. We need this so we never mix up 88 * results for a given msgID from one connection with those of 89 * another earlier connection where two batch state structures 90 * share this ad_host object but used different LDAP connections 91 * to send their LDAP searches. 92 */ 93 uint64_t generation; 94 95 /* LDAP DS info */ 96 char *host; 97 int port; 98 99 /* hardwired to SASL GSSAPI only for now */ 100 char *saslmech; 101 unsigned saslflags; 102 } ad_host_t; 103 104 /* A set of DSs for a given AD partition; ad_t typedef comes from adutil.h */ 105 struct ad { 106 char *dflt_w2k_dom; /* used to qualify bare names */ 107 pthread_mutex_t lock; 108 uint32_t ref; 109 ad_host_t *last_adh; 110 idmap_ad_partition_t partition; /* Data or global catalog? */ 111 }; 112 113 /* 114 * A place to put the results of a batched (async) query 115 * 116 * There is one of these for every query added to a batch object 117 * (idmap_query_state, see below). 118 */ 119 typedef struct idmap_q { 120 /* 121 * data used for validating search result entries for name->SID 122 * lookups 123 */ 124 char *ecanonname; /* expected canon name */ 125 char *edomain; /* expected domain name */ 126 int eunixtype; /* expected unix type */ 127 /* results */ 128 char **canonname; /* actual canon name */ 129 char **domain; /* name of domain of object */ 130 char **sid; /* stringified SID */ 131 rid_t *rid; /* RID */ 132 int *sid_type; /* user or group SID? */ 133 char **unixname; /* unixname for name mapping */ 134 idmap_retcode *rc; 135 136 /* lookup state */ 137 int msgid; /* LDAP message ID */ 138 } idmap_q_t; 139 140 /* Batch context structure; typedef is in header file */ 141 struct idmap_query_state { 142 idmap_query_state_t *next; 143 int qcount; /* how many queries */ 144 int ref_cnt; /* reference count */ 145 pthread_cond_t cv; /* Condition wait variable */ 146 uint32_t qlastsent; 147 uint32_t qinflight; /* how many queries in flight */ 148 uint16_t qdead; /* oops, lost LDAP connection */ 149 ad_host_t *qadh; /* LDAP connection */ 150 uint64_t qadh_gen; /* same as qadh->generation */ 151 const char *ad_unixuser_attr; 152 const char *ad_unixgroup_attr; 153 idmap_q_t queries[1]; /* array of query results */ 154 }; 155 156 /* 157 * List of query state structs -- needed so we can "route" LDAP results 158 * to the right context if multiple threads should be using the same 159 * connection concurrently 160 */ 161 static idmap_query_state_t *qstatehead = NULL; 162 static pthread_mutex_t qstatelock = PTHREAD_MUTEX_INITIALIZER; 163 164 /* 165 * List of DSs, needed by the idle connection reaper thread 166 */ 167 static ad_host_t *host_head = NULL; 168 static pthread_t reaperid = 0; 169 static pthread_mutex_t adhostlock = PTHREAD_MUTEX_INITIALIZER; 170 171 172 static void 173 idmap_lookup_unlock_batch(idmap_query_state_t **state); 174 175 static void 176 delete_ds(ad_t *ad, const char *host, int port); 177 178 /*ARGSUSED*/ 179 static int 180 idmap_saslcallback(LDAP *ld, unsigned flags, void *defaults, void *prompts) 181 { 182 sasl_interact_t *interact; 183 184 if (prompts == NULL || flags != LDAP_SASL_INTERACTIVE) 185 return (LDAP_PARAM_ERROR); 186 187 /* There should be no extra arguemnts for SASL/GSSAPI authentication */ 188 for (interact = prompts; interact->id != SASL_CB_LIST_END; 189 interact++) { 190 interact->result = NULL; 191 interact->len = 0; 192 } 193 return (LDAP_SUCCESS); 194 } 195 196 197 /* 198 * Turn "dc=foo,dc=bar,dc=com" into "foo.bar.com"; ignores any other 199 * attributes (CN, etc...). We don't need the reverse, for now. 200 */ 201 static 202 char * 203 dn2dns(const char *dn) 204 { 205 char **rdns = NULL; 206 char **attrs = NULL; 207 char **labels = NULL; 208 char *dns = NULL; 209 char **rdn, **attr, **label; 210 int maxlabels = 5; 211 int nlabels = 0; 212 int dnslen; 213 214 /* 215 * There is no reverse of ldap_dns_to_dn() in our libldap, so we 216 * have to do the hard work here for now. 217 */ 218 219 /* 220 * This code is much too liberal: it looks for "dc" attributes 221 * in all RDNs of the DN. In theory this could cause problems 222 * if people were to use "dc" in nodes other than the root of 223 * the tree, but in practice noone, least of all Active 224 * Directory, does that. 225 * 226 * On the other hand, this code is much too conservative: it 227 * does not make assumptions about ldap_explode_dn(), and _that_ 228 * is the true for looking at every attr of every RDN. 229 * 230 * Since we only ever look at dc and those must be DNS labels, 231 * at least until we get around to supporting IDN here we 232 * shouldn't see escaped labels from AD nor from libldap, though 233 * the spec (RFC2253) does allow libldap to escape things that 234 * don't need escaping -- if that should ever happen then 235 * libldap will need a spanking, and we can take care of that. 236 */ 237 238 /* Explode a DN into RDNs */ 239 if ((rdns = ldap_explode_dn(dn, 0)) == NULL) 240 return (NULL); 241 242 labels = calloc(maxlabels + 1, sizeof (char *)); 243 label = labels; 244 245 for (rdn = rdns; *rdn != NULL; rdn++) { 246 if (attrs != NULL) 247 ldap_value_free(attrs); 248 249 /* Explode each RDN, look for DC attr, save val as DNS label */ 250 if ((attrs = ldap_explode_rdn(rdn[0], 0)) == NULL) 251 goto done; 252 253 for (attr = attrs; *attr != NULL; attr++) { 254 if (strncasecmp(*attr, "dc=", 3) != 0) 255 continue; 256 257 /* Found a DNS label */ 258 labels[nlabels++] = strdup((*attr) + 3); 259 260 if (nlabels == maxlabels) { 261 char **tmp; 262 tmp = realloc(labels, 263 sizeof (char *) * (maxlabels + 1)); 264 265 if (tmp == NULL) 266 goto done; 267 268 labels = tmp; 269 labels[nlabels] = NULL; 270 } 271 272 /* There should be just one DC= attr per-RDN */ 273 break; 274 } 275 } 276 277 /* 278 * Got all the labels, now join with '.' 279 * 280 * We need room for nlabels - 1 periods ('.'), one nul 281 * terminator, and the strlen() of each label. 282 */ 283 dnslen = nlabels; 284 for (label = labels; *label != NULL; label++) 285 dnslen += strlen(*label); 286 287 if ((dns = malloc(dnslen)) == NULL) 288 goto done; 289 290 *dns = '\0'; 291 292 for (label = labels; *label != NULL; label++) { 293 (void) strlcat(dns, *label, dnslen); 294 /* 295 * NOTE: the last '.' won't be appended -- there's no room 296 * for it! 297 */ 298 (void) strlcat(dns, ".", dnslen); 299 } 300 301 done: 302 if (labels != NULL) { 303 for (label = labels; *label != NULL; label++) 304 free(*label); 305 free(labels); 306 } 307 if (attrs != NULL) 308 ldap_value_free(attrs); 309 if (rdns != NULL) 310 ldap_value_free(rdns); 311 312 return (dns); 313 } 314 315 /* 316 * Keep connection management simple for now, extend or replace later 317 * with updated libsldap code. 318 */ 319 #define ADREAPERSLEEP 60 320 #define ADCONN_TIME 300 321 322 /* 323 * Idle connection reaping side of connection management 324 * 325 * Every minute wake up and look for connections that have been idle for 326 * five minutes or more and close them. 327 */ 328 /*ARGSUSED*/ 329 static 330 void 331 adreaper(void *arg) 332 { 333 ad_host_t *adh; 334 time_t now; 335 timespec_t ts; 336 337 ts.tv_sec = ADREAPERSLEEP; 338 ts.tv_nsec = 0; 339 340 for (;;) { 341 /* 342 * nanosleep(3RT) is thead-safe (no SIGALRM) and more 343 * portable than usleep(3C) 344 */ 345 (void) nanosleep(&ts, NULL); 346 (void) pthread_mutex_lock(&adhostlock); 347 now = time(NULL); 348 for (adh = host_head; adh != NULL; adh = adh->next) { 349 (void) pthread_mutex_lock(&adh->lock); 350 if (adh->ref == 0 && adh->idletime != 0 && 351 adh->idletime + ADCONN_TIME < now) { 352 if (adh->ld) { 353 (void) ldap_unbind(adh->ld); 354 adh->ld = NULL; 355 adh->idletime = 0; 356 adh->ref = 0; 357 } 358 } 359 (void) pthread_mutex_unlock(&adh->lock); 360 } 361 (void) pthread_mutex_unlock(&adhostlock); 362 } 363 } 364 365 int 366 idmap_ad_alloc(ad_t **new_ad, const char *default_domain, 367 idmap_ad_partition_t part) 368 { 369 ad_t *ad; 370 371 *new_ad = NULL; 372 373 if ((default_domain == NULL || *default_domain == '\0') && 374 part != IDMAP_AD_GLOBAL_CATALOG) 375 return (-1); 376 377 if ((ad = calloc(1, sizeof (ad_t))) == NULL) 378 return (-1); 379 380 ad->ref = 1; 381 ad->partition = part; 382 383 /* 384 * If default_domain is NULL, deal, deferring errors until 385 * idmap_lookup_batch_start() -- this makes it easier on the 386 * caller, who can simply observe lookups failing as opposed to 387 * having to conditionalize calls to lookups according to 388 * whether it has a non-NULL ad_t *. 389 */ 390 if (default_domain == NULL) 391 default_domain = ""; 392 393 if ((ad->dflt_w2k_dom = strdup(default_domain)) == NULL) 394 goto err; 395 396 if (pthread_mutex_init(&ad->lock, NULL) != 0) 397 goto err; 398 399 *new_ad = ad; 400 401 return (0); 402 err: 403 if (ad->dflt_w2k_dom != NULL) 404 free(ad->dflt_w2k_dom); 405 free(ad); 406 return (-1); 407 } 408 409 410 void 411 idmap_ad_free(ad_t **ad) 412 { 413 ad_host_t *p; 414 ad_host_t *prev; 415 416 if (ad == NULL || *ad == NULL) 417 return; 418 419 (void) pthread_mutex_lock(&(*ad)->lock); 420 421 if (atomic_dec_32_nv(&(*ad)->ref) > 0) { 422 (void) pthread_mutex_unlock(&(*ad)->lock); 423 *ad = NULL; 424 return; 425 } 426 427 (void) pthread_mutex_lock(&adhostlock); 428 prev = NULL; 429 p = host_head; 430 while (p != NULL) { 431 if (p->owner != (*ad)) { 432 prev = p; 433 p = p->next; 434 continue; 435 } else { 436 delete_ds((*ad), p->host, p->port); 437 if (prev == NULL) 438 p = host_head; 439 else 440 p = prev->next; 441 } 442 } 443 (void) pthread_mutex_unlock(&adhostlock); 444 445 (void) pthread_mutex_unlock(&(*ad)->lock); 446 (void) pthread_mutex_destroy(&(*ad)->lock); 447 448 free((*ad)->dflt_w2k_dom); 449 free(*ad); 450 451 *ad = NULL; 452 } 453 454 455 static 456 int 457 idmap_open_conn(ad_host_t *adh, int timeoutsecs) 458 { 459 int zero = 0; 460 int ldversion, rc; 461 int timeoutms = timeoutsecs * 1000; 462 463 if (adh == NULL) 464 return (0); 465 466 (void) pthread_mutex_lock(&adh->lock); 467 468 if (!adh->dead && adh->ld != NULL) 469 /* done! */ 470 goto out; 471 472 if (adh->ld != NULL) { 473 (void) ldap_unbind(adh->ld); 474 adh->ld = NULL; 475 } 476 477 atomic_inc_64(&adh->generation); 478 479 /* Open and bind an LDAP connection */ 480 adh->ld = ldap_init(adh->host, adh->port); 481 if (adh->ld == NULL) { 482 idmapdlog(LOG_INFO, "ldap_init() to server " 483 "%s port %d failed. (%s)", adh->host, 484 adh->port, strerror(errno)); 485 goto out; 486 } 487 ldversion = LDAP_VERSION3; 488 (void) ldap_set_option(adh->ld, LDAP_OPT_PROTOCOL_VERSION, &ldversion); 489 (void) ldap_set_option(adh->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); 490 (void) ldap_set_option(adh->ld, LDAP_OPT_TIMELIMIT, &zero); 491 (void) ldap_set_option(adh->ld, LDAP_OPT_SIZELIMIT, &zero); 492 (void) ldap_set_option(adh->ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeoutms); 493 (void) ldap_set_option(adh->ld, LDAP_OPT_RESTART, LDAP_OPT_ON); 494 rc = ldap_sasl_interactive_bind_s(adh->ld, "" /* binddn */, 495 adh->saslmech, NULL, NULL, adh->saslflags, &idmap_saslcallback, 496 NULL); 497 498 if (rc != LDAP_SUCCESS) { 499 (void) ldap_unbind(adh->ld); 500 adh->ld = NULL; 501 idmapdlog(LOG_INFO, "ldap_sasl_interactive_bind_s() to server " 502 "%s port %d failed. (%s)", adh->host, adh->port, 503 ldap_err2string(rc)); 504 } 505 506 idmapdlog(LOG_DEBUG, "Using global catalog server %s:%d", 507 adh->host, adh->port); 508 509 out: 510 if (adh->ld != NULL) { 511 atomic_inc_32(&adh->ref); 512 adh->idletime = time(NULL); 513 adh->dead = 0; 514 (void) pthread_mutex_unlock(&adh->lock); 515 return (1); 516 } 517 518 (void) pthread_mutex_unlock(&adh->lock); 519 return (0); 520 } 521 522 523 /* 524 * Connection management: find an open connection or open one 525 */ 526 static 527 ad_host_t * 528 idmap_get_conn(ad_t *ad) 529 { 530 ad_host_t *adh = NULL; 531 int tries; 532 int dscount = 0; 533 int timeoutsecs = IDMAPD_LDAP_OPEN_TIMEOUT; 534 535 retry: 536 (void) pthread_mutex_lock(&adhostlock); 537 538 if (host_head == NULL) { 539 (void) pthread_mutex_unlock(&adhostlock); 540 goto out; 541 } 542 543 if (dscount == 0) { 544 /* 545 * First try: count the number of DSes. 546 * 547 * Integer overflow is not an issue -- we can't have so many 548 * DSes because they won't fit even DNS over TCP, and SMF 549 * shouldn't let you set so many. 550 */ 551 for (adh = host_head, tries = 0; adh != NULL; adh = adh->next) { 552 if (adh->owner == ad) 553 dscount++; 554 } 555 556 if (dscount == 0) { 557 (void) pthread_mutex_unlock(&adhostlock); 558 goto out; 559 } 560 561 tries = dscount * 3; /* three tries per-ds */ 562 563 /* 564 * Begin round-robin at the next DS in the list after the last 565 * one that we had a connection to, else start with the first 566 * DS in the list. 567 */ 568 adh = ad->last_adh; 569 } 570 571 /* 572 * Round-robin -- pick the next one on the list; if the list 573 * changes on us, no big deal, we'll just potentially go 574 * around the wrong number of times. 575 */ 576 for (;;) { 577 if (adh == NULL || (adh = adh->next) == NULL) 578 adh = host_head; 579 if (adh->owner == ad) 580 break; 581 } 582 583 ad->last_adh = adh; 584 (void) pthread_mutex_unlock(&adhostlock); 585 586 587 /* Found suitable DS, open it if not already opened */ 588 if (idmap_open_conn(adh, timeoutsecs)) 589 return (adh); 590 591 tries--; 592 593 if ((tries % dscount) == 0) 594 timeoutsecs *= 2; 595 596 if (tries > 0) 597 goto retry; 598 599 out: 600 idmapdlog(LOG_NOTICE, "Couldn't open an LDAP connection to any global " 601 "catalog server!"); 602 603 return (NULL); 604 } 605 606 static 607 void 608 idmap_release_conn(ad_host_t *adh) 609 { 610 (void) pthread_mutex_lock(&adh->lock); 611 if (atomic_dec_32_nv(&adh->ref) == 0) 612 adh->idletime = time(NULL); 613 (void) pthread_mutex_unlock(&adh->lock); 614 } 615 616 /* 617 * Take ad_host_config_t information, create a ad_host_t, 618 * populate it and add it to the list of hosts. 619 */ 620 621 int 622 idmap_add_ds(ad_t *ad, const char *host, int port) 623 { 624 ad_host_t *p; 625 ad_host_t *new = NULL; 626 int ret = -1; 627 628 if (port == 0) 629 port = (int)ad->partition; 630 631 (void) pthread_mutex_lock(&adhostlock); 632 for (p = host_head; p != NULL; p = p->next) { 633 if (p->owner != ad) 634 continue; 635 636 if (strcmp(host, p->host) == 0 && p->port == port) { 637 /* already added */ 638 ret = 0; 639 goto err; 640 } 641 } 642 643 /* add new entry */ 644 new = (ad_host_t *)calloc(1, sizeof (ad_host_t)); 645 if (new == NULL) 646 goto err; 647 new->owner = ad; 648 new->port = port; 649 new->dead = 0; 650 if ((new->host = strdup(host)) == NULL) 651 goto err; 652 653 /* default to SASL GSSAPI only for now */ 654 new->saslflags = LDAP_SASL_INTERACTIVE; 655 new->saslmech = "GSSAPI"; 656 657 if ((ret = pthread_mutex_init(&new->lock, NULL)) != 0) { 658 free(new->host); 659 new->host = NULL; 660 errno = ret; 661 ret = -1; 662 goto err; 663 } 664 665 /* link in */ 666 new->next = host_head; 667 host_head = new; 668 669 /* Start reaper if it doesn't exist */ 670 if (reaperid == 0) 671 (void) pthread_create(&reaperid, NULL, 672 (void *(*)(void *))adreaper, (void *)NULL); 673 674 err: 675 (void) pthread_mutex_unlock(&adhostlock); 676 677 if (ret != 0 && new != NULL) { 678 if (new->host != NULL) { 679 (void) pthread_mutex_destroy(&new->lock); 680 free(new->host); 681 } 682 free(new); 683 } 684 685 return (ret); 686 } 687 688 /* 689 * Free a DS configuration. 690 * Caller must lock the adhostlock mutex 691 */ 692 static void 693 delete_ds(ad_t *ad, const char *host, int port) 694 { 695 ad_host_t **p, *q; 696 697 for (p = &host_head; *p != NULL; p = &((*p)->next)) { 698 if ((*p)->owner != ad || strcmp(host, (*p)->host) != 0 || 699 (*p)->port != port) 700 continue; 701 /* found */ 702 if ((*p)->ref > 0) 703 break; /* still in use */ 704 705 q = *p; 706 *p = (*p)->next; 707 708 (void) pthread_mutex_destroy(&q->lock); 709 710 if (q->ld) 711 (void) ldap_unbind(q->ld); 712 if (q->host) 713 free(q->host); 714 free(q); 715 break; 716 } 717 718 } 719 720 721 /* 722 * Convert a binary SID in a BerValue to a sid_t 723 */ 724 static 725 int 726 idmap_getsid(BerValue *bval, sid_t *sidp) 727 { 728 int i, j; 729 uchar_t *v; 730 uint32_t a; 731 732 /* 733 * The binary format of a SID is as follows: 734 * 735 * byte #0: version, always 0x01 736 * byte #1: RID count, always <= 0x0f 737 * bytes #2-#7: SID authority, big-endian 48-bit unsigned int 738 * 739 * followed by RID count RIDs, each a little-endian, unsigned 740 * 32-bit int. 741 */ 742 /* 743 * Sanity checks: must have at least one RID, version must be 744 * 0x01, and the length must be 8 + rid count * 4 745 */ 746 if (bval->bv_len > 8 && bval->bv_val[0] == 0x01 && 747 bval->bv_len == 1 + 1 + 6 + bval->bv_val[1] * 4) { 748 v = (uchar_t *)bval->bv_val; 749 sidp->version = v[0]; 750 sidp->sub_authority_count = v[1]; 751 sidp->authority = 752 /* big endian -- so start from the left */ 753 ((u_longlong_t)v[2] << 40) | 754 ((u_longlong_t)v[3] << 32) | 755 ((u_longlong_t)v[4] << 24) | 756 ((u_longlong_t)v[5] << 16) | 757 ((u_longlong_t)v[6] << 8) | 758 (u_longlong_t)v[7]; 759 for (i = 0; i < sidp->sub_authority_count; i++) { 760 j = 8 + (i * 4); 761 /* little endian -- so start from the right */ 762 a = (v[j + 3] << 24) | (v[j + 2] << 16) | 763 (v[j + 1] << 8) | (v[j]); 764 sidp->sub_authorities[i] = a; 765 } 766 return (0); 767 } 768 return (-1); 769 } 770 771 /* 772 * Convert a sid_t to S-1-... 773 */ 774 static 775 char * 776 idmap_sid2txt(sid_t *sidp) 777 { 778 int rlen, i, len; 779 char *str, *cp; 780 781 if (sidp->version != 1) 782 return (NULL); 783 784 len = sizeof ("S-1-") - 1; 785 786 /* 787 * We could optimize like so, but, why? 788 * if (sidp->authority < 10) 789 * len += 2; 790 * else if (sidp->authority < 100) 791 * len += 3; 792 * else 793 * len += snprintf(NULL, 0"%llu", sidp->authority); 794 */ 795 len += snprintf(NULL, 0, "%llu", sidp->authority); 796 797 /* Max length of a uint32_t printed out in ASCII is 10 bytes */ 798 len += 1 + (sidp->sub_authority_count + 1) * 10; 799 800 if ((cp = str = malloc(len)) == NULL) 801 return (NULL); 802 803 rlen = snprintf(str, len, "S-1-%llu", sidp->authority); 804 805 cp += rlen; 806 len -= rlen; 807 808 for (i = 0; i < sidp->sub_authority_count; i++) { 809 assert(len > 0); 810 rlen = snprintf(cp, len, "-%u", sidp->sub_authorities[i]); 811 cp += rlen; 812 len -= rlen; 813 assert(len >= 0); 814 } 815 816 return (str); 817 } 818 819 /* 820 * Convert a sid_t to on-the-wire encoding 821 */ 822 static 823 int 824 idmap_sid2binsid(sid_t *sid, uchar_t *binsid, int binsidlen) 825 { 826 uchar_t *p; 827 int i; 828 uint64_t a; 829 uint32_t r; 830 831 if (sid->version != 1 || 832 binsidlen != (1 + 1 + 6 + sid->sub_authority_count * 4)) 833 return (-1); 834 835 p = binsid; 836 *p++ = 0x01; /* version */ 837 /* sub authority count */ 838 *p++ = sid->sub_authority_count; 839 /* Authority */ 840 a = sid->authority; 841 /* big-endian -- start from left */ 842 *p++ = (a >> 40) & 0xFF; 843 *p++ = (a >> 32) & 0xFF; 844 *p++ = (a >> 24) & 0xFF; 845 *p++ = (a >> 16) & 0xFF; 846 *p++ = (a >> 8) & 0xFF; 847 *p++ = a & 0xFF; 848 849 /* sub-authorities */ 850 for (i = 0; i < sid->sub_authority_count; i++) { 851 r = sid->sub_authorities[i]; 852 /* little-endian -- start from right */ 853 *p++ = (r & 0x000000FF); 854 *p++ = (r & 0x0000FF00) >> 8; 855 *p++ = (r & 0x00FF0000) >> 16; 856 *p++ = (r & 0xFF000000) >> 24; 857 } 858 859 return (0); 860 } 861 862 /* 863 * Convert a stringified SID (S-1-...) into a hex-encoded version of the 864 * on-the-wire encoding, but with each pair of hex digits pre-pended 865 * with a '\', so we can pass this to libldap. 866 */ 867 static 868 int 869 idmap_txtsid2hexbinsid(const char *txt, const rid_t *rid, 870 char *hexbinsid, int hexbinsidlen) 871 { 872 sid_t sid = { 0 }; 873 int i, j; 874 const char *cp; 875 char *ecp; 876 u_longlong_t a; 877 unsigned long r; 878 uchar_t *binsid, b, hb; 879 880 /* Only version 1 SIDs please */ 881 if (strncmp(txt, "S-1-", strlen("S-1-")) != 0) 882 return (-1); 883 884 if (strlen(txt) < (strlen("S-1-") + 1)) 885 return (-1); 886 887 /* count '-'s */ 888 for (j = 0, cp = strchr(txt, '-'); 889 cp != NULL && *cp != '\0'; 890 j++, cp = strchr(cp + 1, '-')) { 891 /* can't end on a '-' */ 892 if (*(cp + 1) == '\0') 893 return (-1); 894 } 895 896 /* Adjust count for version and authority */ 897 j -= 2; 898 899 /* we know the version number and RID count */ 900 sid.version = 1; 901 sid.sub_authority_count = (rid != NULL) ? j + 1 : j; 902 903 /* must have at least one RID, but not too many */ 904 if (sid.sub_authority_count < 1 || 905 sid.sub_authority_count > SID_MAX_SUB_AUTHORITIES) 906 return (-1); 907 908 /* check that we only have digits and '-' */ 909 if (strspn(txt + 1, "0123456789-") < (strlen(txt) - 1)) 910 return (-1); 911 912 cp = txt + strlen("S-1-"); 913 914 /* 64-bit safe parsing of unsigned 48-bit authority value */ 915 errno = 0; 916 a = strtoull(cp, &ecp, 10); 917 918 /* errors parsing the authority or too many bits */ 919 if (cp == ecp || (a == 0 && errno == EINVAL) || 920 (a == ULLONG_MAX && errno == ERANGE) || 921 (a & 0x0000ffffffffffffULL) != a) 922 return (-1); 923 924 cp = ecp; 925 926 sid.authority = (uint64_t)a; 927 928 for (i = 0; i < j; i++) { 929 if (*cp++ != '-') 930 return (-1); 931 /* 64-bit safe parsing of unsigned 32-bit RID */ 932 errno = 0; 933 r = strtoul(cp, &ecp, 10); 934 /* errors parsing the RID or too many bits */ 935 if (cp == ecp || (r == 0 && errno == EINVAL) || 936 (r == ULONG_MAX && errno == ERANGE) || 937 (r & 0xffffffffUL) != r) 938 return (-1); 939 sid.sub_authorities[i] = (uint32_t)r; 940 cp = ecp; 941 } 942 943 /* check that all of the string SID has been consumed */ 944 if (*cp != '\0') 945 return (-1); 946 947 if (rid != NULL) 948 sid.sub_authorities[j] = *rid; 949 950 j = 1 + 1 + 6 + sid.sub_authority_count * 4; 951 952 if (hexbinsidlen < (j * 3)) 953 return (-2); 954 955 /* binary encode the SID */ 956 binsid = (uchar_t *)alloca(j); 957 (void) idmap_sid2binsid(&sid, binsid, j); 958 959 /* hex encode, with a backslash before each byte */ 960 for (ecp = hexbinsid, i = 0; i < j; i++) { 961 b = binsid[i]; 962 *ecp++ = '\\'; 963 hb = (b >> 4) & 0xF; 964 *ecp++ = (hb <= 0x9 ? hb + '0' : hb - 10 + 'A'); 965 hb = b & 0xF; 966 *ecp++ = (hb <= 0x9 ? hb + '0' : hb - 10 + 'A'); 967 } 968 *ecp = '\0'; 969 970 return (0); 971 } 972 973 static 974 char * 975 convert_bval2sid(BerValue *bval, rid_t *rid) 976 { 977 sid_t sid; 978 979 if (idmap_getsid(bval, &sid) < 0) 980 return (NULL); 981 982 /* 983 * If desired and if the SID is what should be a domain/computer 984 * user or group SID (i.e., S-1-5-w-x-y-z-<user/group RID>) then 985 * save the last RID and truncate the SID 986 */ 987 if (rid != NULL && sid.authority == 5 && sid.sub_authority_count == 5) 988 *rid = sid.sub_authorities[--sid.sub_authority_count]; 989 return (idmap_sid2txt(&sid)); 990 } 991 992 993 idmap_retcode 994 idmap_lookup_batch_start(ad_t *ad, int nqueries, idmap_query_state_t **state) 995 { 996 idmap_query_state_t *new_state; 997 ad_host_t *adh = NULL; 998 999 *state = NULL; 1000 1001 /* Note: ad->dflt_w2k_dom cannot be NULL - see idmap_ad_alloc() */ 1002 if (ad == NULL || *ad->dflt_w2k_dom == '\0') 1003 return (IDMAP_ERR_INTERNAL); 1004 1005 adh = idmap_get_conn(ad); 1006 if (adh == NULL) 1007 return (IDMAP_ERR_RETRIABLE_NET_ERR); 1008 1009 new_state = calloc(1, sizeof (idmap_query_state_t) + 1010 (nqueries - 1) * sizeof (idmap_q_t)); 1011 1012 if (new_state == NULL) 1013 return (IDMAP_ERR_MEMORY); 1014 1015 new_state->ref_cnt = 1; 1016 new_state->qadh = adh; 1017 new_state->qcount = nqueries; 1018 new_state->qadh_gen = adh->generation; 1019 /* should be -1, but the atomic routines want unsigned */ 1020 new_state->qlastsent = 0; 1021 (void) pthread_cond_init(&new_state->cv, NULL); 1022 1023 (void) pthread_mutex_lock(&qstatelock); 1024 new_state->next = qstatehead; 1025 qstatehead = new_state; 1026 (void) pthread_mutex_unlock(&qstatelock); 1027 1028 *state = new_state; 1029 1030 return (IDMAP_SUCCESS); 1031 } 1032 1033 /* 1034 * Set unixuser_attr and unixgroup_attr for AD-based name mapping 1035 */ 1036 void 1037 idmap_lookup_batch_set_unixattr(idmap_query_state_t *state, 1038 const char *unixuser_attr, const char *unixgroup_attr) 1039 { 1040 state->ad_unixuser_attr = unixuser_attr; 1041 state->ad_unixgroup_attr = unixgroup_attr; 1042 } 1043 1044 /* 1045 * Find the idmap_query_state_t to which a given LDAP result msgid on a 1046 * given connection belongs. This routine increaments the reference count 1047 * so that the object can not be freed. idmap_lookup_unlock_batch() 1048 * must be called to decreament the reference count. 1049 */ 1050 static 1051 int 1052 idmap_msgid2query(ad_host_t *adh, int msgid, 1053 idmap_query_state_t **state, int *qid) 1054 { 1055 idmap_query_state_t *p; 1056 int i; 1057 1058 (void) pthread_mutex_lock(&qstatelock); 1059 for (p = qstatehead; p != NULL; p = p->next) { 1060 if (p->qadh != adh || adh->generation != p->qadh_gen) 1061 continue; 1062 for (i = 0; i < p->qcount; i++) { 1063 if ((p->queries[i]).msgid == msgid) { 1064 p->ref_cnt++; 1065 *state = p; 1066 *qid = i; 1067 (void) pthread_mutex_unlock(&qstatelock); 1068 return (1); 1069 } 1070 } 1071 } 1072 (void) pthread_mutex_unlock(&qstatelock); 1073 return (0); 1074 } 1075 1076 /* 1077 * Take parsed attribute values from a search result entry and check if 1078 * it is the result that was desired and, if so, set the result fields 1079 * of the given idmap_q_t. 1080 * 1081 * Frees the unused char * values. 1082 */ 1083 static 1084 void 1085 idmap_setqresults(idmap_q_t *q, char *san, char *dn, char *sid, 1086 rid_t rid, int sid_type, char *unixname) 1087 { 1088 char *domain; 1089 int err1, err2; 1090 1091 assert(dn != NULL); 1092 1093 if ((domain = dn2dns(dn)) == NULL) 1094 goto out; 1095 1096 if (q->ecanonname != NULL && san != NULL) { 1097 /* Check that this is the canonname that we were looking for */ 1098 if (u8_strcmp(q->ecanonname, san, 0, 1099 U8_STRCMP_CI_LOWER, /* no normalization, for now */ 1100 U8_UNICODE_LATEST, &err1) != 0 || err1 != 0) 1101 goto out; 1102 } 1103 1104 if (q->edomain != NULL) { 1105 /* Check that this is the domain that we were looking for */ 1106 if (u8_strcmp(q->edomain, domain, 0, U8_STRCMP_CI_LOWER, 1107 U8_UNICODE_LATEST, &err2) != 0 || err2 != 0) 1108 goto out; 1109 } 1110 1111 /* Set results */ 1112 if (q->sid) { 1113 *q->sid = sid; 1114 sid = NULL; 1115 } 1116 if (q->rid) 1117 *q->rid = rid; 1118 if (q->sid_type) 1119 *q->sid_type = sid_type; 1120 if (q->unixname) { 1121 *q->unixname = unixname; 1122 unixname = NULL; 1123 } 1124 if (q->domain != NULL) { 1125 *q->domain = domain; 1126 domain = NULL; 1127 } 1128 if (q->canonname != NULL) { 1129 *q->canonname = san; 1130 san = NULL; 1131 } 1132 1133 /* Always have q->rc; idmap_extract_object() asserts this */ 1134 *q->rc = IDMAP_SUCCESS; 1135 1136 out: 1137 /* Free unused attribute values */ 1138 free(san); 1139 free(sid); 1140 free(domain); 1141 free(unixname); 1142 } 1143 1144 /* 1145 * The following three functions extract objectSid, sAMAccountName and 1146 * objectClass attribute values and, in the case of objectSid and 1147 * objectClass, parse them. 1148 * 1149 * idmap_setqresults() takes care of dealing with the result entry's DN. 1150 */ 1151 1152 /* 1153 * Return a NUL-terminated stringified SID from the value of an 1154 * objectSid attribute and put the last RID in *rid. 1155 */ 1156 static 1157 char * 1158 idmap_bv_objsid2sidstr(BerValue **bvalues, rid_t *rid) 1159 { 1160 char *sid; 1161 1162 if (bvalues == NULL) 1163 return (NULL); 1164 /* objectSid is single valued */ 1165 if ((sid = convert_bval2sid(bvalues[0], rid)) == NULL) 1166 return (NULL); 1167 return (sid); 1168 } 1169 1170 /* 1171 * Return a NUL-terminated string from the value of a sAMAccountName 1172 * or unixname attribute. 1173 */ 1174 static 1175 char * 1176 idmap_bv_name2str(BerValue **bvalues) 1177 { 1178 char *s; 1179 1180 if (bvalues == NULL || bvalues[0] == NULL || 1181 bvalues[0]->bv_val == NULL) 1182 return (NULL); 1183 1184 if ((s = malloc(bvalues[0]->bv_len + 1)) == NULL) 1185 return (NULL); 1186 1187 (void) snprintf(s, bvalues[0]->bv_len + 1, "%.*s", bvalues[0]->bv_len, 1188 bvalues[0]->bv_val); 1189 1190 return (s); 1191 } 1192 1193 1194 #define BVAL_CASEEQ(bv, str) \ 1195 (((*(bv))->bv_len == (sizeof (str) - 1)) && \ 1196 strncasecmp((*(bv))->bv_val, str, (*(bv))->bv_len) == 0) 1197 1198 /* 1199 * Extract the class of the result entry. Returns 1 on success, 0 on 1200 * failure. 1201 */ 1202 static 1203 int 1204 idmap_bv_objclass2sidtype(BerValue **bvalues, int *sid_type) 1205 { 1206 BerValue **cbval; 1207 1208 *sid_type = _IDMAP_T_OTHER; 1209 if (bvalues == NULL) 1210 return (0); 1211 1212 /* 1213 * We iterate over all the values because computer is a 1214 * sub-class of user. 1215 */ 1216 for (cbval = bvalues; *cbval != NULL; cbval++) { 1217 if (BVAL_CASEEQ(cbval, "Computer")) { 1218 *sid_type = _IDMAP_T_COMPUTER; 1219 break; 1220 } else if (BVAL_CASEEQ(cbval, "Group")) { 1221 *sid_type = _IDMAP_T_GROUP; 1222 break; 1223 } else if (BVAL_CASEEQ(cbval, "USER")) { 1224 *sid_type = _IDMAP_T_USER; 1225 /* Continue looping -- this may be a computer yet */ 1226 } 1227 /* 1228 * "else if (*sid_type = _IDMAP_T_USER)" then this is a 1229 * new sub-class of user -- what to do with it?? 1230 */ 1231 } 1232 1233 return (1); 1234 } 1235 1236 /* 1237 * Handle a given search result entry 1238 */ 1239 static 1240 void 1241 idmap_extract_object(idmap_query_state_t *state, int qid, LDAPMessage *res) 1242 { 1243 BerElement *ber = NULL; 1244 BerValue **bvalues; 1245 ad_host_t *adh; 1246 idmap_q_t *q; 1247 char *attr; 1248 const char *unixuser_attr = NULL; 1249 const char *unixgroup_attr = NULL; 1250 char *unixuser = NULL; 1251 char *unixgroup = NULL; 1252 char *dn = NULL; 1253 char *san = NULL; 1254 char *sid = NULL; 1255 rid_t rid = 0; 1256 int sid_type = _IDMAP_T_UNDEF; 1257 int has_class, has_san, has_sid; 1258 int has_unixuser, has_unixgroup; 1259 1260 adh = state->qadh; 1261 1262 (void) pthread_mutex_lock(&adh->lock); 1263 1264 q = &(state->queries[qid]); 1265 1266 assert(q->rc != NULL); 1267 1268 if (*q->rc == IDMAP_SUCCESS || adh->dead || 1269 (dn = ldap_get_dn(adh->ld, res)) == NULL) { 1270 (void) pthread_mutex_unlock(&adh->lock); 1271 return; 1272 } 1273 1274 assert(q->domain == NULL || *q->domain == NULL); 1275 1276 /* 1277 * If the caller has requested unixname then determine the 1278 * AD attribute name that will have the unixname. 1279 */ 1280 if (q->unixname != NULL) { 1281 if (q->eunixtype == _IDMAP_T_USER) 1282 unixuser_attr = state->ad_unixuser_attr; 1283 else if (q->eunixtype == _IDMAP_T_GROUP) 1284 unixgroup_attr = state->ad_unixgroup_attr; 1285 else if (q->eunixtype == _IDMAP_T_UNDEF) { 1286 /* 1287 * This is the case where we don't know 1288 * before hand whether we need unixuser 1289 * or unixgroup. This will be determined 1290 * by the "sid_type" (i.e whether the given 1291 * winname is user or group). If sid_type 1292 * turns out to be user we will return 1293 * unixuser (if found) and if it is a group 1294 * we will return unixgroup (if found). We 1295 * lookup for both ad_unixuser_attr and 1296 * ad_unixgroup_attr and discard one of them 1297 * after we know the "sidtype". This 1298 * supports the following type of lookups. 1299 * 1300 * Example: 1301 * $idmap show -c winname:foo 1302 * In the above example, idmap will 1303 * return uid if winname is winuser 1304 * and gid if winname is wingroup. 1305 */ 1306 unixuser_attr = state->ad_unixuser_attr; 1307 unixgroup_attr = state->ad_unixgroup_attr; 1308 } 1309 } 1310 1311 has_class = has_san = has_sid = has_unixuser = has_unixgroup = 0; 1312 for (attr = ldap_first_attribute(adh->ld, res, &ber); attr != NULL; 1313 attr = ldap_next_attribute(adh->ld, res, ber)) { 1314 bvalues = NULL; /* for memory management below */ 1315 1316 /* 1317 * If this is an attribute we are looking for and 1318 * haven't seen it yet, parse it 1319 */ 1320 if (q->sid != NULL && !has_sid && 1321 strcasecmp(attr, OBJSID) == 0) { 1322 bvalues = ldap_get_values_len(adh->ld, res, attr); 1323 sid = idmap_bv_objsid2sidstr(bvalues, &rid); 1324 has_sid = (sid != NULL); 1325 } else if (!has_san && strcasecmp(attr, SAN) == 0) { 1326 bvalues = ldap_get_values_len(adh->ld, res, attr); 1327 san = idmap_bv_name2str(bvalues); 1328 has_san = (san != NULL); 1329 } else if (!has_class && strcasecmp(attr, OBJCLASS) == 0) { 1330 bvalues = ldap_get_values_len(adh->ld, res, attr); 1331 has_class = idmap_bv_objclass2sidtype(bvalues, 1332 &sid_type); 1333 if (has_class && q->unixname != NULL && 1334 q->eunixtype == _IDMAP_T_UNDEF) { 1335 /* 1336 * This is the case where we didn't 1337 * know whether we wanted unixuser or 1338 * unixgroup as described above. 1339 * Now since we know the "sid_type" 1340 * we discard the unwanted value 1341 * if it was retrieved before we 1342 * got here. 1343 */ 1344 if (sid_type == _IDMAP_T_USER) { 1345 free(unixgroup); 1346 unixgroup_attr = unixgroup = NULL; 1347 } else if (sid_type == _IDMAP_T_GROUP) { 1348 free(unixuser); 1349 unixuser_attr = unixuser = NULL; 1350 } else { 1351 free(unixuser); 1352 free(unixgroup); 1353 unixuser_attr = unixuser = NULL; 1354 unixgroup_attr = unixgroup = NULL; 1355 } 1356 } 1357 } else if (!has_unixuser && unixuser_attr != NULL && 1358 strcasecmp(attr, unixuser_attr) == 0) { 1359 bvalues = ldap_get_values_len(adh->ld, res, attr); 1360 unixuser = idmap_bv_name2str(bvalues); 1361 has_unixuser = (unixuser != NULL); 1362 } else if (!has_unixgroup && unixgroup_attr != NULL && 1363 strcasecmp(attr, unixgroup_attr) == 0) { 1364 bvalues = ldap_get_values_len(adh->ld, res, attr); 1365 unixgroup = idmap_bv_name2str(bvalues); 1366 has_unixgroup = (unixgroup != NULL); 1367 } 1368 1369 if (bvalues != NULL) 1370 ldap_value_free_len(bvalues); 1371 ldap_memfree(attr); 1372 1373 if (has_class && has_san && 1374 (q->sid == NULL || has_sid) && 1375 (unixuser_attr == NULL || has_unixuser) && 1376 (unixgroup_attr == NULL || has_unixgroup)) { 1377 /* Got what we need */ 1378 break; 1379 } 1380 } 1381 1382 if (!has_class) { 1383 /* 1384 * Didn't find objectclass. Something's wrong with our 1385 * AD data. 1386 */ 1387 free(san); 1388 free(sid); 1389 free(unixuser); 1390 free(unixgroup); 1391 } else { 1392 /* 1393 * Either we got what we needed and came out of the loop 1394 * early OR we completed the loop in which case we didn't 1395 * find some attributes that we were looking for. In either 1396 * case set the result with what we got. 1397 */ 1398 idmap_setqresults(q, san, dn, sid, rid, sid_type, 1399 (unixuser != NULL) ? unixuser : unixgroup); 1400 } 1401 1402 (void) pthread_mutex_unlock(&adh->lock); 1403 1404 if (ber != NULL) 1405 ber_free(ber, 0); 1406 1407 ldap_memfree(dn); 1408 } 1409 1410 /* 1411 * Try to get a result; if there is one, find the corresponding 1412 * idmap_q_t and process the result. 1413 */ 1414 static 1415 int 1416 idmap_get_adobject_batch(ad_host_t *adh, struct timeval *timeout) 1417 { 1418 idmap_query_state_t *query_state; 1419 LDAPMessage *res = NULL; 1420 int rc, ret, msgid, qid; 1421 1422 (void) pthread_mutex_lock(&adh->lock); 1423 if (adh->dead) { 1424 (void) pthread_mutex_unlock(&adh->lock); 1425 return (-1); 1426 } 1427 1428 /* Get one result */ 1429 rc = ldap_result(adh->ld, LDAP_RES_ANY, 0, 1430 timeout, &res); 1431 if ((timeout != NULL && timeout->tv_sec > 0 && rc == LDAP_SUCCESS) || 1432 rc < 0) 1433 adh->dead = 1; 1434 (void) pthread_mutex_unlock(&adh->lock); 1435 1436 if (adh->dead) 1437 return (-1); 1438 1439 switch (rc) { 1440 case LDAP_RES_SEARCH_RESULT: 1441 /* We have all the LDAP replies for some search... */ 1442 msgid = ldap_msgid(res); 1443 if (idmap_msgid2query(adh, msgid, 1444 &query_state, &qid)) { 1445 /* ...so we can decrement qinflight */ 1446 atomic_dec_32(&query_state->qinflight); 1447 /* We've seen all the result entries we'll see */ 1448 if (*query_state->queries[qid].rc != IDMAP_SUCCESS) 1449 *query_state->queries[qid].rc = 1450 IDMAP_ERR_NOTFOUND; 1451 idmap_lookup_unlock_batch(&query_state); 1452 } 1453 (void) ldap_msgfree(res); 1454 ret = 0; 1455 break; 1456 case LDAP_RES_SEARCH_REFERENCE: 1457 /* 1458 * We have no need for these at the moment. Eventually, 1459 * when we query things that we can't expect to find in 1460 * the Global Catalog then we'll need to learn to follow 1461 * references. 1462 */ 1463 (void) ldap_msgfree(res); 1464 ret = 0; 1465 break; 1466 case LDAP_RES_SEARCH_ENTRY: 1467 /* Got a result */ 1468 msgid = ldap_msgid(res); 1469 if (idmap_msgid2query(adh, msgid, 1470 &query_state, &qid)) { 1471 idmap_extract_object(query_state, qid, res); 1472 /* we saw at least one result */ 1473 idmap_lookup_unlock_batch(&query_state); 1474 } 1475 (void) ldap_msgfree(res); 1476 ret = 0; 1477 break; 1478 default: 1479 /* timeout or error; treat the same */ 1480 ret = -1; 1481 break; 1482 } 1483 1484 return (ret); 1485 } 1486 1487 /* 1488 * This routine decreament the reference count of the 1489 * idmap_query_state_t 1490 */ 1491 static void 1492 idmap_lookup_unlock_batch(idmap_query_state_t **state) 1493 { 1494 /* 1495 * Decrement reference count with qstatelock locked 1496 */ 1497 (void) pthread_mutex_lock(&qstatelock); 1498 (*state)->ref_cnt--; 1499 /* 1500 * If there are no references wakup the allocating thread 1501 */ 1502 if ((*state)->ref_cnt == 0) 1503 (void) pthread_cond_signal(&(*state)->cv); 1504 (void) pthread_mutex_unlock(&qstatelock); 1505 *state = NULL; 1506 } 1507 1508 static 1509 void 1510 idmap_cleanup_batch(idmap_query_state_t *batch) 1511 { 1512 int i; 1513 1514 for (i = 0; i < batch->qcount; i++) { 1515 if (batch->queries[i].ecanonname != NULL) 1516 free(batch->queries[i].ecanonname); 1517 batch->queries[i].ecanonname = NULL; 1518 if (batch->queries[i].edomain != NULL) 1519 free(batch->queries[i].edomain); 1520 batch->queries[i].edomain = NULL; 1521 } 1522 } 1523 1524 /* 1525 * This routine frees the idmap_query_state_t structure 1526 * If the reference count is greater than 1 it waits 1527 * for the other threads to finish using it. 1528 */ 1529 void 1530 idmap_lookup_release_batch(idmap_query_state_t **state) 1531 { 1532 idmap_query_state_t **p; 1533 1534 /* 1535 * Decrement reference count with qstatelock locked 1536 * and wait for reference count to get to zero 1537 */ 1538 (void) pthread_mutex_lock(&qstatelock); 1539 (*state)->ref_cnt--; 1540 while ((*state)->ref_cnt > 0) { 1541 (void) pthread_cond_wait(&(*state)->cv, &qstatelock); 1542 } 1543 1544 /* Remove this state struct from the list of state structs */ 1545 for (p = &qstatehead; *p != NULL; p = &(*p)->next) { 1546 if (*p == (*state)) { 1547 *p = (*state)->next; 1548 break; 1549 } 1550 } 1551 1552 idmap_cleanup_batch(*state); 1553 1554 (void) pthread_mutex_unlock(&qstatelock); 1555 1556 (void) pthread_cond_destroy(&(*state)->cv); 1557 1558 idmap_release_conn((*state)->qadh); 1559 1560 free(*state); 1561 *state = NULL; 1562 } 1563 1564 idmap_retcode 1565 idmap_lookup_batch_end(idmap_query_state_t **state) 1566 { 1567 int rc = LDAP_SUCCESS; 1568 idmap_retcode retcode = IDMAP_SUCCESS; 1569 struct timeval timeout; 1570 1571 (*state)->qdead = 1; 1572 timeout.tv_sec = IDMAPD_SEARCH_TIMEOUT; 1573 timeout.tv_usec = 0; 1574 1575 /* Process results until done or until timeout, if given */ 1576 while ((*state)->qinflight > 0) { 1577 if ((rc = idmap_get_adobject_batch((*state)->qadh, 1578 &timeout)) != 0) 1579 break; 1580 } 1581 1582 if (rc != 0) 1583 retcode = IDMAP_ERR_RETRIABLE_NET_ERR; 1584 1585 idmap_lookup_release_batch(state); 1586 1587 return (retcode); 1588 } 1589 1590 /* 1591 * Send one prepared search, queue up msgid, process what results are 1592 * available 1593 */ 1594 static 1595 idmap_retcode 1596 idmap_batch_add1(idmap_query_state_t *state, 1597 const char *filter, char *ecanonname, char *edomain, int eunixtype, 1598 char **canonname, char **dname, char **sid, rid_t *rid, 1599 int *sid_type, char **unixname, idmap_retcode *rc) 1600 { 1601 idmap_retcode retcode = IDMAP_SUCCESS; 1602 int lrc, qid, i; 1603 struct timeval tv; 1604 idmap_q_t *q; 1605 static char *attrs[] = { 1606 SAN, 1607 OBJSID, 1608 OBJCLASS, 1609 NULL, /* placeholder for unixname attr */ 1610 NULL, /* placeholder for unixname attr */ 1611 NULL 1612 }; 1613 1614 qid = atomic_inc_32_nv(&state->qlastsent) - 1; 1615 1616 q = &(state->queries[qid]); 1617 1618 /* 1619 * Remember the expected canonname so we can check the results 1620 * agains it 1621 */ 1622 q->ecanonname = ecanonname; 1623 q->edomain = edomain; 1624 q->eunixtype = eunixtype; 1625 1626 /* Remember where to put the results */ 1627 q->canonname = canonname; 1628 q->sid = sid; 1629 q->domain = dname; 1630 q->rid = rid; 1631 q->sid_type = sid_type; 1632 q->rc = rc; 1633 q->unixname = unixname; 1634 1635 /* Add unixuser/unixgroup attribute names to the attrs list */ 1636 if (unixname != NULL) { 1637 i = 3; 1638 if (eunixtype != _IDMAP_T_GROUP && 1639 state->ad_unixuser_attr != NULL) 1640 attrs[i++] = (char *)state->ad_unixuser_attr; 1641 if (eunixtype != _IDMAP_T_USER && 1642 state->ad_unixgroup_attr != NULL) 1643 attrs[i] = (char *)state->ad_unixgroup_attr; 1644 } 1645 1646 /* 1647 * Provide sane defaults for the results in case we never hear 1648 * back from the DS before closing the connection. 1649 * 1650 * In particular we default the result to indicate a retriable 1651 * error. The first complete matching result entry will cause 1652 * this to be set to IDMAP_SUCCESS, and the end of the results 1653 * for this search will cause this to indicate "not found" if no 1654 * result entries arrived or no complete ones matched the lookup 1655 * we were doing. 1656 */ 1657 *rc = IDMAP_ERR_RETRIABLE_NET_ERR; 1658 if (sid_type != NULL) 1659 *sid_type = _IDMAP_T_OTHER; 1660 if (sid != NULL) 1661 *sid = NULL; 1662 if (canonname != NULL) 1663 *canonname = NULL; 1664 if (dname != NULL) 1665 *dname = NULL; 1666 if (rid != NULL) 1667 *rid = 0; 1668 1669 /* Send this lookup, don't wait for a result here */ 1670 (void) pthread_mutex_lock(&state->qadh->lock); 1671 1672 if (!state->qadh->dead) { 1673 state->qadh->idletime = time(NULL); 1674 lrc = ldap_search_ext(state->qadh->ld, "", 1675 LDAP_SCOPE_SUBTREE, filter, attrs, 0, NULL, NULL, 1676 NULL, -1, &q->msgid); 1677 if (lrc == LDAP_BUSY || lrc == LDAP_UNAVAILABLE || 1678 lrc == LDAP_CONNECT_ERROR || lrc == LDAP_SERVER_DOWN || 1679 lrc == LDAP_UNWILLING_TO_PERFORM) { 1680 retcode = IDMAP_ERR_RETRIABLE_NET_ERR; 1681 state->qadh->dead = 1; 1682 } else if (lrc != LDAP_SUCCESS) { 1683 retcode = IDMAP_ERR_OTHER; 1684 state->qadh->dead = 1; 1685 } 1686 } 1687 (void) pthread_mutex_unlock(&state->qadh->lock); 1688 1689 if (state->qadh->dead) 1690 return (retcode); 1691 1692 atomic_inc_32(&state->qinflight); 1693 1694 /* 1695 * Reap as many requests as we can _without_ waiting 1696 * 1697 * We do this to prevent any possible TCP socket buffer 1698 * starvation deadlocks. 1699 */ 1700 (void) memset(&tv, 0, sizeof (tv)); 1701 while (idmap_get_adobject_batch(state->qadh, &tv) == 0) 1702 ; 1703 1704 return (IDMAP_SUCCESS); 1705 } 1706 1707 idmap_retcode 1708 idmap_name2sid_batch_add1(idmap_query_state_t *state, 1709 const char *name, const char *dname, int eunixtype, 1710 char **canonname, char **sid, rid_t *rid, int *sid_type, 1711 char **unixname, idmap_retcode *rc) 1712 { 1713 idmap_retcode retcode; 1714 int len, samAcctNameLen; 1715 char *filter = NULL; 1716 char *ecanonname, *edomain; /* expected canonname */ 1717 1718 /* 1719 * Strategy: search the global catalog for user/group by 1720 * sAMAccountName = user/groupname with "" as the base DN and by 1721 * userPrincipalName = user/groupname@domain. The result 1722 * entries will be checked to conform to the name and domain 1723 * name given here. The DN, sAMAccountName, userPrincipalName, 1724 * objectSid and objectClass of the result entries are all we 1725 * need to figure out which entries match the lookup, the SID of 1726 * the user/group and whether it is a user or a group. 1727 */ 1728 1729 /* 1730 * We need the name and the domain name separately and as 1731 * name@domain. We also allow the domain to be provided 1732 * separately. 1733 */ 1734 samAcctNameLen = strlen(name); 1735 1736 if ((ecanonname = strdup(name)) == NULL) 1737 return (IDMAP_ERR_MEMORY); 1738 1739 if (dname == NULL || *dname == '\0') { 1740 if ((dname = strchr(name, '@')) != NULL) { 1741 /* 'name' is qualified with a domain name */ 1742 if ((edomain = strdup(dname + 1)) == NULL) { 1743 free(ecanonname); 1744 return (IDMAP_ERR_MEMORY); 1745 } 1746 *strchr(ecanonname, '@') = '\0'; 1747 } else { 1748 /* 'name' not qualified and dname not given */ 1749 if (state->qadh->owner->dflt_w2k_dom == NULL || 1750 *state->qadh->owner->dflt_w2k_dom == '\0') { 1751 free(ecanonname); 1752 return (IDMAP_ERR_DOMAIN); 1753 } 1754 edomain = strdup(state->qadh->owner->dflt_w2k_dom); 1755 if (edomain == NULL) { 1756 free(ecanonname); 1757 return (IDMAP_ERR_MEMORY); 1758 } 1759 } 1760 } else { 1761 if ((edomain = strdup(dname)) == NULL) { 1762 free(ecanonname); 1763 return (IDMAP_ERR_MEMORY); 1764 } 1765 } 1766 1767 /* Assemble filter */ 1768 len = snprintf(NULL, 0, SANFILTER, samAcctNameLen, name) + 1; 1769 if ((filter = (char *)malloc(len)) == NULL) { 1770 free(ecanonname); 1771 return (IDMAP_ERR_MEMORY); 1772 } 1773 (void) snprintf(filter, len, SANFILTER, samAcctNameLen, name); 1774 1775 retcode = idmap_batch_add1(state, filter, ecanonname, edomain, 1776 eunixtype, canonname, NULL, sid, rid, sid_type, unixname, rc); 1777 1778 free(filter); 1779 1780 return (retcode); 1781 } 1782 1783 idmap_retcode 1784 idmap_sid2name_batch_add1(idmap_query_state_t *state, 1785 const char *sid, const rid_t *rid, int eunixtype, 1786 char **name, char **dname, int *sid_type, char **unixname, 1787 idmap_retcode *rc) 1788 { 1789 idmap_retcode retcode; 1790 int flen, ret; 1791 char *filter = NULL; 1792 char cbinsid[MAXHEXBINSID + 1]; 1793 1794 /* 1795 * Strategy: search [the global catalog] for user/group by 1796 * objectSid = SID with empty base DN. The DN, sAMAccountName 1797 * and objectClass of the result are all we need to figure out 1798 * the name of the SID and whether it is a user, a group or a 1799 * computer. 1800 */ 1801 1802 ret = idmap_txtsid2hexbinsid(sid, rid, &cbinsid[0], sizeof (cbinsid)); 1803 if (ret != 0) 1804 return (IDMAP_ERR_SID); 1805 1806 /* Assemble filter */ 1807 flen = snprintf(NULL, 0, OBJSIDFILTER, cbinsid) + 1; 1808 if ((filter = (char *)malloc(flen)) == NULL) 1809 return (IDMAP_ERR_MEMORY); 1810 (void) snprintf(filter, flen, OBJSIDFILTER, cbinsid); 1811 1812 retcode = idmap_batch_add1(state, filter, NULL, NULL, eunixtype, 1813 name, dname, NULL, NULL, sid_type, unixname, rc); 1814 1815 free(filter); 1816 1817 return (retcode); 1818 } 1819 1820 idmap_retcode 1821 idmap_unixname2sid_batch_add1(idmap_query_state_t *state, 1822 const char *unixname, int is_user, int is_wuser, 1823 char **sid, rid_t *rid, char **name, char **dname, int *sid_type, 1824 idmap_retcode *rc) 1825 { 1826 idmap_retcode retcode; 1827 int len, ulen; 1828 char *filter = NULL; 1829 const char *attrname = NULL; 1830 1831 /* Get unixuser or unixgroup AD attribute name */ 1832 attrname = (is_user) ? 1833 state->ad_unixuser_attr : state->ad_unixgroup_attr; 1834 if (attrname == NULL) 1835 return (IDMAP_ERR_NOTFOUND); 1836 1837 /* Assemble filter */ 1838 ulen = strlen(unixname); 1839 len = snprintf(NULL, 0, "(&(objectclass=%s)(%s=%.*s))", 1840 is_wuser ? "user" : "group", attrname, ulen, unixname) + 1; 1841 if ((filter = (char *)malloc(len)) == NULL) 1842 return (IDMAP_ERR_MEMORY); 1843 (void) snprintf(filter, len, "(&(objectclass=%s)(%s=%.*s))", 1844 is_wuser ? "user" : "group", attrname, ulen, unixname); 1845 1846 retcode = idmap_batch_add1(state, filter, NULL, NULL, 1847 _IDMAP_T_UNDEF, name, dname, sid, rid, sid_type, NULL, rc); 1848 1849 free(filter); 1850 1851 return (retcode); 1852 } 1853