10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
52830Sdjl * Common Development and Distribution License (the "License").
62830Sdjl * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
227220Ssc157166 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #include <grp.h>
270Sstevel@tonic-gate #include "ldap_common.h"
280Sstevel@tonic-gate
290Sstevel@tonic-gate /* String which may need to be removed from beginning of group password */
300Sstevel@tonic-gate #define _CRYPT "{CRYPT}"
310Sstevel@tonic-gate #define _NO_PASSWD_VAL ""
320Sstevel@tonic-gate
330Sstevel@tonic-gate /* Group attributes filters */
340Sstevel@tonic-gate #define _G_NAME "cn"
350Sstevel@tonic-gate #define _G_GID "gidnumber"
360Sstevel@tonic-gate #define _G_PASSWD "userpassword"
370Sstevel@tonic-gate #define _G_MEM "memberuid"
380Sstevel@tonic-gate
390Sstevel@tonic-gate #define _F_GETGRNAM "(&(objectClass=posixGroup)(cn=%s))"
400Sstevel@tonic-gate #define _F_GETGRNAM_SSD "(&(%%s)(cn=%s))"
414321Scasper #define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))"
424321Scasper #define _F_GETGRGID_SSD "(&(%%s)(gidNumber=%u))"
430Sstevel@tonic-gate #define _F_GETGRMEM "(&(objectClass=posixGroup)(memberUid=%s))"
440Sstevel@tonic-gate #define _F_GETGRMEM_SSD "(&(%%s)(memberUid=%s))"
450Sstevel@tonic-gate
/*
 * Group attribute list handed to _nss_ldap_constr() (see
 * _nss_ldap_group_constr below); the same names are what
 * _nss_ldap_group2str reads back out of a search result.  The trailing
 * NULL terminates the list -- presumably the ns_ldap convention for
 * attribute arrays; confirm against ldap_common.h.
 */
static const char *gr_attrs[] = {
	_G_NAME,
	_G_GID,
	_G_PASSWD,
	_G_MEM,
	(char *)NULL
};
530Sstevel@tonic-gate
540Sstevel@tonic-gate
/*
 * _nss_ldap_group2str is the data marshaling method for the group getXbyY
 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
 * is called after a successful ldap search has been performed. This method
 * will parse the ldap search values into the file format.
 * e.g.
 *
 * adm::4:root,adm,daemon
 *
 * Input: be->result holds the search result (NULL is a parse error); on
 * every path past that check it is released with __ns_ldap_freeResult().
 * Output: when argp->buf.result is set, the text is written into a freshly
 * calloc'd be->buffer and be->buflen records its length (ownership of that
 * buffer is assumed to pass to the front end -- confirm); otherwise it is
 * written straight into argp->buf.buffer.
 *
 * Returns NSS_STR_PARSE_SUCCESS; NSS_STR_PARSE_PARSE when the result is
 * missing, be->buffer cannot be allocated, cn or gidnumber is absent/empty,
 * or a NULL value sits inside the memberuid list; otherwise whatever
 * TEST_AND_ADJUST (ldap_common.h, not visible here) stores in nss_result
 * when the formatted text does not fit in buflen -- confirm against the
 * macro.
 */

static int
_nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
{
	int i;
	int nss_result;
	int buflen = 0, len;
	int firstime = 1;	/* first member gets no leading comma */
	char *buffer = NULL;
	ns_ldap_result_t *result = be->result;
	char **gname, **passwd, **gid, *password, *end;
	/* Decimal text of GID_NOBODY, substituted for out-of-range gids. */
	char gid_nobody[NOBODY_STR_LEN];
	char *gid_nobody_v[1];
	ns_ldap_attr_t *members;

	(void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY);
	gid_nobody_v[0] = gid_nobody;

	if (result == NULL)
		return (NSS_STR_PARSE_PARSE);
	buflen = argp->buf.buflen;

	/*
	 * Two output modes: a private be->buffer when the front end asked
	 * for a result structure, or the caller's own argp->buf.buffer.
	 */
	if (argp->buf.result != NULL) {
		if ((be->buffer = calloc(1, buflen)) == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		buffer = be->buffer;
	} else
		buffer = argp->buf.buffer;

	nss_result = NSS_STR_PARSE_SUCCESS;
	/* Redundant after calloc; needed for the argp->buf.buffer path. */
	(void) memset(buffer, 0, buflen);

	/* cn is mandatory and must be non-empty. */
	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
	if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
	if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
		/* group password could be NULL, replace it with "" */
		password = _NO_PASSWD_VAL;
	} else {
		/*
		 * Preen "{crypt}" if necessary (case-insensitive prefix match).
		 * If the password does not include the {crypt} prefix
		 * then the password may be plain text. And thus
		 * perhaps crypt(3c) should be used to encrypt it.
		 * Currently the password is copied verbatim.
		 */
		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
			password = passwd[0] + strlen(_CRYPT);
		else
			password = passwd[0];
	}
	/* gidnumber is mandatory and must be non-empty. */
	gid = __ns_ldap_getAttr(result->entry, _G_GID);
	if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	/*
	 * Validate GID: a value above MAXUID is replaced by the GID_NOBODY
	 * string rather than handed to the front end for conversion.
	 * NOTE(review): only the magnitude is checked here -- `end' is never
	 * examined, so trailing non-digits pass through, and a string with no
	 * digits at all converts to 0 and is emitted verbatim; the front-end
	 * string parser is being relied on to reject those.
	 */
	if (strtoul(gid[0], &end, 10) > MAXUID)
		gid = gid_nobody_v;
	/* "name:password:gid:" -- TEST_AND_ADJUST advances buffer/buflen. */
	len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]);
	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);

	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
	if (members == NULL || members->attrvalue == NULL) {
		/* no member is fine, skip processing the member list */
		goto nomember;
	}

	/* Comma-separated member list, appended one value at a time. */
	for (i = 0; i < members->value_count; i++) {
		if (members->attrvalue[i] == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		if (firstime) {
			len = snprintf(buffer, buflen, "%s",
			    members->attrvalue[i]);
			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
			firstime = 0;
		} else {
			len = snprintf(buffer, buflen, ",%s",
			    members->attrvalue[i]);
			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
		}
	}
nomember:
	/* The front end marshaller doesn't need the trailing nulls */
	if (argp->buf.result != NULL)
		be->buflen = strlen(be->buffer);
result_grp2str:
	(void) __ns_ldap_freeResult(&be->result);
	return (nss_result);
}
1620Sstevel@tonic-gate
/*
 * getbynam: look up one group entry by name.
 *
 * argp->key.name is first passed through _ldap_filter_name(); a non-zero
 * return is treated as "not found", and this is the only sanitisation the
 * name receives before being spliced into a filter string.  Two filters
 * are then built from the sanitised copy: the default posixGroup filter
 * (_F_GETGRNAM) and the "%s"-parameterised variant (_F_GETGRNAM_SSD) that
 * _merge_SSD_filter() uses when a service search descriptor overrides the
 * default.  A filter that does not fit in SEARCHFILTERLEN is reported as
 * NSS_NOTFOUND.  The hit is marshaled by the backend's str method,
 * _nss_ldap_group2str (registered in _nss_ldap_group_constr).
 */

static nss_status_t
getbynam(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
	char groupname[SEARCHFILTERLEN];
	char searchfilter[SEARCHFILTERLEN];
	char userdata[SEARCHFILTERLEN];
	int n;

	/* Sanitise the key before it touches any filter string. */
	if (_ldap_filter_name(groupname, argp->key.name,
	    sizeof (groupname)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	/* snprintf() returns the untruncated length: overflow means no match. */
	n = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRNAM,
	    groupname);
	if (n < 0 || (size_t)n >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname);
	if (n < 0 || (size_t)n >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP, searchfilter,
	    NULL, _merge_SSD_filter, userdata));
}
1960Sstevel@tonic-gate
1970Sstevel@tonic-gate
/*
 * getbygid: look up one group entry by numeric id.
 *
 * Ids above MAXUID are rejected before any directory traffic, mirroring
 * the MAXUID check _nss_ldap_group2str applies to gidNumber values coming
 * back.  The id is then formatted with %u (see _F_GETGRGID) into both the
 * default posixGroup filter and the "%s" SSD variant consumed by
 * _merge_SSD_filter(); a filter that does not fit in SEARCHFILTERLEN is
 * reported as NSS_NOTFOUND.  The hit is marshaled by the backend's str
 * method, _nss_ldap_group2str (registered in _nss_ldap_group_constr).
 */

static nss_status_t
getbygid(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
	char searchfilter[SEARCHFILTERLEN];
	char userdata[SEARCHFILTERLEN];
	int n;

	/* Same upper bound the marshaler enforces; skip the query entirely. */
	if (argp->key.uid > MAXUID)
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRGID,
	    argp->key.uid);
	if (n < 0 || (size_t)n >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	n = snprintf(userdata, sizeof (userdata), _F_GETGRGID_SSD,
	    argp->key.uid);
	if (n < 0 || (size_t)n >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp, _GROUP, searchfilter,
	    NULL, _merge_SSD_filter, userdata));
}
2310Sstevel@tonic-gate
2320Sstevel@tonic-gate
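/*
 * Parse one gidNumber value into a gid_t.
 *
 * Accepts only a non-empty, all-digit decimal string whose value does not
 * exceed MAXUID -- the same bound getbygid() and _nss_ldap_group2str()
 * apply.  Returns 1 and stores the gid on success, 0 otherwise.  Rejecting
 * instead of converting matters here: the value is appended to the caller's
 * supplementary-group list, and an oversized or malformed directory value
 * that merely wrapped through a (gid_t) cast could land on an unrelated,
 * possibly privileged, group.
 */
static int
gr_parse_gid(const char *str, gid_t *gidp)
{
	char *end;
	unsigned long val;

	/* Leading digit required: rules out sign, whitespace and empty. */
	if (str == NULL || *str < '0' || *str > '9')
		return (0);
	val = strtoul(str, &end, 10);
	/* ERANGE leaves ULONG_MAX, which the MAXUID test rejects. */
	if (*end != '\0' || val > MAXUID)
		return (0);
	*gidp = (gid_t)val;
	return (1);
}

/*
 * True when username appears verbatim among the entry's memberUid values.
 * The attribute name is spelled as the original lookup spelled it;
 * __ns_ldap_getAttr matching is assumed to be case-insensitive, since
 * _nss_ldap_group2str asks for the same attribute as _G_MEM -- confirm.
 */
static int
gr_entry_has_member(ns_ldap_entry_t *entry, const char *username)
{
	char **members = __ns_ldap_getAttr(entry, "memberUid");
	int j;

	if (members == NULL)
		return (0);
	for (j = 0; members[j] != NULL; j++) {
		if (strcmp(members[j], username) == 0)
			return (1);
	}
	return (0);
}

/*
 * Fetch and validate the entry's gidnumber.  Returns 1 and stores the gid,
 * or 0 when the attribute is absent or fails gr_parse_gid().
 */
static int
gr_entry_gid(ns_ldap_entry_t *entry, gid_t *gidp)
{
	char **vals = __ns_ldap_getAttr(entry, _G_GID);

	if (vals == NULL || vals[0] == NULL)
		return (0);
	return (gr_parse_gid(vals[0], gidp));
}

/*
 * Append gid to argp->gid_array unless the array is full or the gid is
 * already present.  argp->numgids is advanced on insertion.
 */
static void
gr_add_gid(struct nss_groupsbymem *argp, gid_t gid)
{
	int k;

	if (argp->numgids >= argp->maxgids)
		return;
	for (k = 0; k < argp->numgids; k++) {
		if (argp->gid_array[k] == gid)
			return;		/* already exists */
	}
	argp->gid_array[argp->numgids++] = gid;
}

/*
 * getbymember returns all groups a user is defined in. This function
 * uses different architectural procedures than the other group backend
 * system calls because it's a private interface: the search goes through
 * _nss_ldap_nocb_lookup() with no marshaling callback, and the result
 * list is walked here, appending the gid of every group that lists the
 * user in memberUid to argp->gid_array.
 *
 * (const char *)argp->username; (size_t)strlen(argp->username);
 * (gid_t)argp->gid_array; (int)argp->maxgids;
 * (int)argp->numgids;
 *
 * Hardening of the result walk (see the helpers above):
 *  - a group entry without gidnumber, or whose value is not a complete
 *    decimal number <= MAXUID, is skipped -- previously the attribute was
 *    dereferenced unchecked (NULL on a malformed entry) and the gid taken
 *    from an unvalidated strtol();
 *  - membership requires an exact memberUid match (strcmp() == 0, not the
 *    former comparison against NULL);
 *  - gids already in gid_array are not appended twice, and the entry list
 *    is not walked past a NULL link even if entries_count says otherwise.
 *
 * Returns NSS_NOTFOUND when the name is NULL, empty or "root", when a
 * filter cannot be built, when nothing was added, or when gid_array did
 * not fill up; NSS_SUCCESS only when the array is full (see
 * <nss_dbdefs.h>); any other lookup status is passed through unchanged.
 */

static nss_status_t
getbymember(ldap_backend_ptr be, void *a)
{
	struct nss_groupsbymem *argp = (struct nss_groupsbymem *)a;
	char searchfilter[SEARCHFILTERLEN];
	char userdata[SEARCHFILTERLEN];
	char name[SEARCHFILTERLEN];
	ns_ldap_result_t *result;
	ns_ldap_entry_t *curEntry;
	const char *username;
	nss_status_t lstat;
	int gcnt;
	int i, ret;

	if (argp->username == NULL || argp->username[0] == '\0' ||
	    strcmp(argp->username, "root") == 0)
		return ((nss_status_t)NSS_NOTFOUND);

	/* Sanitise the name before it is spliced into a filter string. */
	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name);
	if (ret < 0 || (size_t)ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name);
	if (ret < 0 || (size_t)ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	/* Remember the starting count so "nothing added" can be detected. */
	gcnt = (int)argp->numgids;
	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata);
	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
		return ((nss_status_t)lstat);
	if (be->result == NULL)
		return (NSS_NOTFOUND);

	username = argp->username;
	result = (ns_ldap_result_t *)be->result;
	curEntry = (ns_ldap_entry_t *)result->entry;
	for (i = 0; i < result->entries_count && curEntry != NULL; i++) {
		gid_t gid;

		if (gr_entry_has_member(curEntry, username) &&
		    gr_entry_gid(curEntry, &gid))
			gr_add_gid(argp, gid);
		curEntry = curEntry->next;
	}

	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
	if (gcnt == argp->numgids)
		return ((nss_status_t)NSS_NOTFOUND);

	/*
	 * Return NSS_SUCCESS only if array is full.
	 * Explained in <nss_dbdefs.h>.
	 */
	return ((nss_status_t)((argp->numgids == argp->maxgids)
	    ? NSS_SUCCESS : NSS_NOTFOUND));
}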
3300Sstevel@tonic-gate
/*
 * Backend operation table handed to _nss_ldap_constr() by
 * _nss_ldap_group_constr(): the four generic ldap_common entries first,
 * then this file's getbynam, getbygid and getbymember.  The front end is
 * presumed to dispatch on position, so the order must not be changed --
 * confirm against the NSS_DBOP_* indices in <nss_dbdefs.h>.
 */
static ldap_backend_op_t gr_ops[] = {
	_nss_ldap_destr,
	_nss_ldap_endent,
	_nss_ldap_setent,
	_nss_ldap_getent,
	getbynam,
	getbygid,
	getbymember
};
3400Sstevel@tonic-gate
3410Sstevel@tonic-gate
/*
 * _nss_ldap_group_constr: build the LDAP "group" NSS backend.
 *
 * Delegates to the generic _nss_ldap_constr(), supplying this file's
 * operation table (gr_ops, with its element count), the _GROUP database
 * tag, the attribute list gr_attrs, and _nss_ldap_group2str as the
 * result-to-string marshaler.  The three string parameters are unused;
 * they exist only to satisfy the NSS constructor signature.
 */
/*ARGSUSED0*/
nss_backend_t *
_nss_ldap_group_constr(const char *dummy1, const char *dummy2,
    const char *dummy3)
{
	size_t nops = sizeof (gr_ops) / sizeof (gr_ops[0]);

	return ((nss_backend_t *)_nss_ldap_constr(gr_ops, nops, _GROUP,
	    gr_attrs, _nss_ldap_group2str));
}