1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
#include <grp.h>
#include <string.h>
#include "ldap_common.h"
28
29 /* String which may need to be removed from beginning of group password */
30 #define _CRYPT "{CRYPT}"
31 #define _NO_PASSWD_VAL ""
32
33 /* Group attributes filters */
34 #define _G_NAME "cn"
35 #define _G_GID "gidnumber"
36 #define _G_PASSWD "userpassword"
37 #define _G_MEM "memberuid"
38
39 #define _F_GETGRNAM "(&(objectClass=posixGroup)(cn=%s))"
40 #define _F_GETGRNAM_SSD "(&(%%s)(cn=%s))"
41 #define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))"
42 #define _F_GETGRGID_SSD "(&(%%s)(gidNumber=%u))"
43 #define _F_GETGRMEM "(&(objectClass=posixGroup)(memberUid=%s))"
44 #define _F_GETGRMEM_SSD "(&(%%s)(memberUid=%s))"
45
/*
 * Attributes requested for every group search.  The list is terminated
 * by a NULL sentinel, which is what the ldap layer uses to find its end.
 */
static const char *gr_attrs[] = {
	_G_NAME,	/* cn          -> gr_name   */
	_G_GID,		/* gidnumber   -> gr_gid    */
	_G_PASSWD,	/* userpassword-> gr_passwd */
	_G_MEM,		/* memberuid   -> gr_mem    */
	NULL
};
53
54
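/*
 * _nss_ldap_group2str is the data marshaling method for the group getXbyY
 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes.  It is
 * called after a successful ldap search and renders the first entry of
 * be->result into the group(4) file format the frontend parser expects:
 *
 *	adm::4:root,adm,daemon
 *
 * The record is written either into a backend-owned buffer (be->buffer,
 * allocated here when argp->buf.result is set; be->buflen records its
 * length) or straight into the caller's argp->buf.buffer.
 *
 * Returns NSS_STR_PARSE_SUCCESS, NSS_STR_PARSE_PARSE when a required
 * attribute is missing or malformed (or when the buffer cannot be
 * allocated), or NSS_STR_PARSE_ERANGE via TEST_AND_ADJUST when the output
 * buffer is too small.  be->result is freed on every path except the
 * early "no result" return.
 *
 * Security note: the output is a ':'-and-','-delimited line that the
 * frontend re-parses, so an attribute value that itself contains one of
 * those separators (or a newline) would shift fields or split one member
 * into two.  Such values are rejected with NSS_STR_PARSE_PARSE rather
 * than passed through; directory data is only as trustworthy as the
 * directory's ACLs.
 */

/* Characters that would break a field of the group record. */
static const char gr_bad_field[] = ":\n";
/* Characters that would break a single entry of the member list. */
static const char gr_bad_member[] = ":,\n";

/*
 * Return 1 when "value" contains none of the characters in "bad",
 * 0 otherwise.
 */
static int
gr_field_ok(const char *value, const char *bad)
{
	return (strpbrk(value, bad) == NULL);
}

static int
_nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
{
	int i;
	int nss_result;
	int buflen = 0, len;
	int firstime = 1;
	char *buffer = NULL;
	ns_ldap_result_t *result = be->result;
	char **gname, **passwd, **gid, *password, *end;
	char gid_nobody[NOBODY_STR_LEN];
	char *gid_nobody_v[1];
	ns_ldap_attr_t *members;
	unsigned long gidval;

	(void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY);
	gid_nobody_v[0] = gid_nobody;

	if (result == NULL)
		return (NSS_STR_PARSE_PARSE);
	buflen = argp->buf.buflen;

	if (argp->buf.result != NULL) {
		/* calloc() already zeroes the backend-owned buffer. */
		if ((be->buffer = calloc(1, buflen)) == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		buffer = be->buffer;
	} else {
		buffer = argp->buf.buffer;
		(void) memset(buffer, 0, buflen);
	}

	nss_result = NSS_STR_PARSE_SUCCESS;

	/* Group name: required, non-empty, and free of record separators. */
	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
	if (gname == NULL || gname[0] == NULL || gname[0][0] == '\0' ||
	    !gr_field_ok(gname[0], gr_bad_field)) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}

	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
	if (passwd == NULL || passwd[0] == NULL || passwd[0][0] == '\0') {
		/* group password could be NULL, replace it with "" */
		password = _NO_PASSWD_VAL;
	} else {
		/*
		 * Preen "{crypt}" if necessary.
		 * A value without the {crypt} prefix is copied verbatim:
		 * crypt(3c) is not applied here, so a plain-text
		 * userPassword stored in the directory reaches the caller
		 * as gr_passwd unchanged.  Storing only hashed values in
		 * the directory is the administrator's responsibility.
		 */
		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
			password = passwd[0] + strlen(_CRYPT);
		else
			password = passwd[0];
		/* A separator inside the hash would corrupt the record. */
		if (!gr_field_ok(password, gr_bad_field)) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
	}

	gid = __ns_ldap_getAttr(result->entry, _G_GID);
	if (gid == NULL || gid[0] == NULL || gid[0][0] == '\0') {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	/*
	 * Validate GID.  The whole value must be a decimal number; a
	 * bare range check on strtoul() would accept "4abc" as 4 and
	 * then emit the string "4abc", so trailing garbage is a parse
	 * error.  A value above MAXUID (this covers negative input and
	 * overflow, which strtoul() returns as ULONG_MAX) is mapped to
	 * GID_NOBODY, as before.
	 */
	gidval = strtoul(gid[0], &end, 10);
	if (end == gid[0] || *end != '\0') {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	if (gidval > MAXUID)
		gid = gid_nobody_v;

	len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]);
	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);

	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
	if (members == NULL || members->attrvalue == NULL) {
		/* no member is fine, skip processing the member list */
		goto nomember;
	}

	/* Members are comma-separated; no comma before the first one. */
	for (i = 0; i < members->value_count; i++) {
		if (members->attrvalue[i] == NULL ||
		    !gr_field_ok(members->attrvalue[i], gr_bad_member)) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		if (firstime) {
			len = snprintf(buffer, buflen, "%s",
			    members->attrvalue[i]);
			firstime = 0;
		} else {
			len = snprintf(buffer, buflen, ",%s",
			    members->attrvalue[i]);
		}
		TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
	}
nomember:
	/* The front end marshaller doesn't need the trailing nulls */
	if (argp->buf.result != NULL)
		be->buflen = strlen(be->buffer);
result_grp2str:
	(void) __ns_ldap_freeResult(&be->result);
	return (nss_result);
}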
162
/*
 * getbynam gets a group entry by name.  The requested name is first
 * passed through _ldap_filter_name() before it is embedded in a filter
 * (presumably this escapes LDAP filter metacharacters -- confirm in
 * ldap_common.c), then substituted into both the default posixGroup
 * filter and the service-search-descriptor template.  _nss_ldap_lookup()
 * runs the search; the marshaling routine registered by
 * _nss_ldap_group_constr (_nss_ldap_group2str) turns the result into a
 * group record for the frontend.  A name that cannot be escaped, or a
 * filter that does not fit its buffer, is reported as NSS_NOTFOUND.
 */
static nss_status_t
getbynam(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
	char searchfilter[SEARCHFILTERLEN];
	char userdata[SEARCHFILTERLEN];
	char groupname[SEARCHFILTERLEN];
	int n;

	if (_ldap_filter_name(groupname, argp->key.name,
	    sizeof (groupname)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRNAM,
	    groupname);
	if (n < 0 || (size_t)n >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD,
	    groupname);
	if (n < 0 || (size_t)n >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP,
	    searchfilter, NULL, _merge_SSD_filter, userdata));
}
196
197
/*
 * getbygid gets a group entry by number.  The requested gid is rejected
 * outright when it is above MAXUID, otherwise it is substituted into
 * both the default posixGroup filter and the service-search-descriptor
 * template and _nss_ldap_lookup() runs the search; the marshaling
 * routine registered by _nss_ldap_group_constr (_nss_ldap_group2str)
 * turns the result into a group record for the frontend.  A filter that
 * does not fit its buffer is reported as NSS_NOTFOUND.
 *
 * NOTE(review): the key is read through argp->key.uid although this is
 * a gid lookup; this relies on the uid and gid members of the key union
 * sharing the same storage -- verify against <nss_dbdefs.h>.
 */
static nss_status_t
getbygid(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
	char searchfilter[SEARCHFILTERLEN];
	char userdata[SEARCHFILTERLEN];
	int n;

	if (argp->key.uid > MAXUID)
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRGID,
	    argp->key.uid);
	if (n < 0 || (size_t)n >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(userdata, sizeof (userdata), _F_GETGRGID_SSD,
	    argp->key.uid);
	if (n < 0 || (size_t)n >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP,
	    searchfilter, NULL, _merge_SSD_filter, userdata));
}
231
232
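/*
 * getbymember returns all groups a user is defined in.  Unlike the other
 * group backend operations it is a private interface that fills in the
 * caller's gid array directly instead of going through the data
 * marshaling routine.  It builds a memberUid search filter from the
 * username, runs it without a marshaling callback, then walks every
 * matching entry and appends its gidNumber to argp->gid_array (without
 * duplicates) until the array is full.
 *
 * The struct nss_groupsbymem argument carries:
 *
 *	(const char *)argp->username;	(gid_t *)argp->gid_array;
 *	(int)argp->maxgids;		(int)argp->numgids;
 *
 * Returns NSS_SUCCESS only when the array is full (see <nss_dbdefs.h>),
 * NSS_NOTFOUND when nothing was added or the array is not yet full, or
 * the lookup's own status when the search itself fails.
 */

/*
 * Extract the gidNumber of a group entry into *gidp.  Returns 0 on
 * success and -1 when the attribute is missing, is not a complete
 * decimal number, or is larger than MAXUID.  A malformed value must not
 * be let through: the old strtol() call turned "abc" into 0, which would
 * add the root group to the user's supplementary gid list, and a missing
 * attribute was dereferenced without a check.  Out-of-range values are
 * skipped rather than mapped to GID_NOBODY so that no membership is
 * granted on the strength of a bad entry.
 */
static int
gr_entry_gid(ns_ldap_entry_t *entry, gid_t *gidp)
{
	char **gidvalue;
	char *end;
	unsigned long gidval;

	gidvalue = __ns_ldap_getAttr(entry, _G_GID);
	if (gidvalue == NULL || gidvalue[0] == NULL || gidvalue[0][0] == '\0')
		return (-1);
	gidval = strtoul(gidvalue[0], &end, 10);
	if (end == gidvalue[0] || *end != '\0' || gidval > MAXUID)
		return (-1);
	*gidp = (gid_t)gidval;
	return (0);
}

static nss_status_t
getbymember(ldap_backend_ptr be, void *a)
{
	int i, j, k;
	int gcnt;
	char **membervalue;
	nss_status_t lstat;
	struct nss_groupsbymem *argp = (struct nss_groupsbymem *)a;
	char searchfilter[SEARCHFILTERLEN];
	char userdata[SEARCHFILTERLEN];
	char name[SEARCHFILTERLEN];
	ns_ldap_result_t *result;
	ns_ldap_entry_t *curEntry;
	const char *username;
	gid_t gid;
	int ret;

	/*
	 * An empty name can never match, and root's group memberships are
	 * deliberately never taken from the directory.
	 */
	if (strcmp(argp->username, "") == 0 ||
	    strcmp(argp->username, "root") == 0)
		return ((nss_status_t)NSS_NOTFOUND);

	/* Escape the name before it is embedded in an LDAP filter. */
	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name);
	if (ret < 0 || (size_t)ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name);
	if (ret < 0 || (size_t)ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	/* Remember the starting count so we can tell whether we added any. */
	gcnt = argp->numgids;
	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata);
	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
		return ((nss_status_t)lstat);
	if (be->result == NULL)
		return (NSS_NOTFOUND);

	username = argp->username;
	result = (ns_ldap_result_t *)be->result;
	curEntry = (ns_ldap_entry_t *)result->entry;
	for (i = 0; i < result->entries_count && curEntry != NULL;
	    i++, curEntry = curEntry->next) {
		membervalue = __ns_ldap_getAttr(curEntry, _G_MEM);
		if (membervalue == NULL)
			continue;
		for (j = 0; membervalue[j] != NULL; j++) {
			/* The server filter matched; confirm it exactly. */
			if (strcmp(membervalue[j], username) != 0)
				continue;
			/* Skip entries whose gid is missing or malformed. */
			if (gr_entry_gid(curEntry, &gid) == 0 &&
			    argp->numgids < argp->maxgids) {
				for (k = 0; k < argp->numgids; k++) {
					if (argp->gid_array[k] == gid)
						break;	/* already exists */
				}
				if (k == argp->numgids)
					argp->gid_array[argp->numgids++] = gid;
			}
			/* One match per group entry is enough. */
			break;
		}
	}

	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
	if (gcnt == argp->numgids)
		return ((nss_status_t)NSS_NOTFOUND);

	/*
	 * Return NSS_SUCCESS only if array is full.
	 * Explained in <nss_dbdefs.h>.
	 */
	return ((nss_status_t)((argp->numgids == argp->maxgids)
	    ? NSS_SUCCESS
	    : NSS_NOTFOUND));
}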
330
/*
 * Operation table handed to _nss_ldap_constr().  The entries are
 * positional: presumably each slot must line up with the frontend's
 * NSS_DBOP_* index for the group database (confirm against
 * <nss_dbdefs.h>), so do not reorder them.
 */
static ldap_backend_op_t gr_ops[] = {
	_nss_ldap_destr,	/* destroy backend */
	_nss_ldap_endent,	/* endgrent() */
	_nss_ldap_setent,	/* setgrent() */
	_nss_ldap_getent,	/* getgrent() */
	getbynam,		/* getgrnam() */
	getbygid,		/* getgrgid() */
	getbymember		/* getgroupsbymember() (private) */
};
340
341
/*
 * Backend constructor for the group database.  The three arguments are
 * unused; the backend is built from the operation table gr_ops, the
 * attribute list gr_attrs and the marshaling routine _nss_ldap_group2str.
 */
/*ARGSUSED0*/
nss_backend_t *
_nss_ldap_group_constr(const char *dummy1, const char *dummy2,
    const char *dummy3)
{
	nss_backend_t *backend;

	backend = (nss_backend_t *)_nss_ldap_constr(gr_ops,
	    sizeof (gr_ops) / sizeof (gr_ops[0]), _GROUP, gr_attrs,
	    _nss_ldap_group2str);
	return (backend);
}
352