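/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include "ldap_common.h"

/* String which may need to be removed from beginning of group password */
#define	_CRYPT		"{CRYPT}"
#define	_CRYPT_LEN	(sizeof (_CRYPT) - 1)
#define	_NO_PASSWD_VAL	""

/* Group attributes filters */
#define	_G_NAME		"cn"
#define	_G_GID		"gidnumber"
#define	_G_PASSWD	"userpassword"
#define	_G_MEM		"memberuid"

#define	_F_GETGRNAM	"(&(objectClass=posixGroup)(cn=%s))"
#define	_F_GETGRNAM_SSD	"(&(%%s)(cn=%s))"
#define	_F_GETGRGID	"(&(objectClass=posixGroup)(gidNumber=%ld))"
#define	_F_GETGRGID_SSD	"(&(%%s)(gidNumber=%ld))"
#define	_F_GETGRMEM	"(&(objectClass=posixGroup)(memberUid=%s))"
#define	_F_GETGRMEM_SSD	"(&(%%s)(memberUid=%s))"

/* Attributes requested from the directory for every group lookup. */
static const char *gr_attrs[] = {
	_G_NAME,
	_G_GID,
	_G_PASSWD,
	_G_MEM,
	(char *)NULL
};


/*
 * _nss_ldap_group2str is the data marshaling method for the group getXbyY
 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes.  It is
 * called after a successful ldap search has been performed and converts
 * the search result into the group(4) file format, e.g.
 *
 *	adm::4:root,adm,daemon
 *
 * The text is written into argp->buf.buffer, or - when argp->buf.result
 * is set - into a freshly allocated be->buffer, in which case be->buflen
 * receives the text length without the trailing NUL.
 *
 * Returns NSS_STR_PARSE_SUCCESS; NSS_STR_PARSE_PARSE when there is no
 * result, the allocation fails, a mandatory attribute (cn, gidNumber) is
 * missing or empty, or a member value is NULL; NSS_STR_PARSE_ERANGE (set by
 * TEST_AND_ADJUST) when the buffer is too small.  be->result is released
 * before returning.
 */
static int
_nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
{
	int			i;
	int			nss_result;	/* referenced by TEST_AND_ADJUST */
	int			buflen = 0, len;
	char			*buffer = NULL;
	ns_ldap_result_t	*result = be->result;
	char			**gname, **passwd, **gid, *password;
	ns_ldap_attr_t		*members;

	if (result == NULL)
		return (NSS_STR_PARSE_PARSE);
	buflen = argp->buf.buflen;

	if (argp->buf.result != NULL) {
		/* calloc() already zero-fills the new buffer */
		if ((be->buffer = calloc(1, buflen)) == NULL) {
			nss_result = NSS_STR_PARSE_PARSE;
			goto result_grp2str;
		}
		buffer = be->buffer;
	} else {
		buffer = argp->buf.buffer;
		(void) memset(buffer, 0, buflen);
	}

	nss_result = NSS_STR_PARSE_SUCCESS;

	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
	if (gname == NULL || gname[0] == NULL || gname[0][0] == '\0') {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
	if (passwd == NULL || passwd[0] == NULL || passwd[0][0] == '\0') {
		/* group password could be NULL, replace it with "" */
		password = _NO_PASSWD_VAL;
	} else {
		/*
		 * Preen "{crypt}" if necessary.
		 * If the password does not include the {crypt} prefix
		 * then the password may be plain text.  And thus
		 * perhaps crypt(3c) should be used to encrypt it.
		 * Currently the password is copied verbatim.
		 */
		if (strncasecmp(passwd[0], _CRYPT, _CRYPT_LEN) == 0)
			password = passwd[0] + _CRYPT_LEN;
		else
			password = passwd[0];
	}
	gid = __ns_ldap_getAttr(result->entry, _G_GID);
	if (gid == NULL || gid[0] == NULL || gid[0][0] == '\0') {
		nss_result = NSS_STR_PARSE_PARSE;
		goto result_grp2str;
	}
	len = snprintf(buffer, buflen, "%s:%s:%s:",
	    gname[0], password, gid[0]);
	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);

	/*
	 * memberUid is optional in a posixGroup entry (RFC 2307), so a
	 * group without members is still a valid group and is marshaled
	 * with an empty member list instead of failing the lookup.  A NULL
	 * value inside a present attribute is still a parse error.
	 */
	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
	if (members != NULL && members->attrvalue != NULL) {
		for (i = 0; i < members->value_count; i++) {
			if (members->attrvalue[i] == NULL) {
				nss_result = NSS_STR_PARSE_PARSE;
				goto result_grp2str;
			}
			/* members are comma separated; no leading comma */
			len = snprintf(buffer, buflen, "%s%s",
			    i == 0 ? "" : ",", members->attrvalue[i]);
			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
		}
	}

	/* The front end marshaller doesn't need the trailing nulls */
	if (argp->buf.result != NULL)
		be->buflen = strlen(be->buffer);

result_grp2str:
	(void) __ns_ldap_freeResult(&be->result);
	return (nss_result);
}

/*
 * parse_gid converts a gidNumber attribute value into a gid_t.
 *
 * Only a complete, non-negative decimal number that fits in a gid_t is
 * accepted.  Returns 0 and stores the value in *gidp on success, -1
 * otherwise; *gidp is left untouched on failure.  Directory data is
 * external input, and an unchecked strtol() would silently turn a
 * malformed value such as "abc" into gid 0.
 */
static int
parse_gid(const char *s, gid_t *gidp)
{
	char	*end;
	long	v;

	if (s == NULL || *s == '\0')
		return (-1);
	errno = 0;
	v = strtol(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE || v < 0)
		return (-1);
	/* reject values that do not round-trip through gid_t */
	if ((long)(gid_t)v != v)
		return (-1);
	*gidp = (gid_t)v;
	return (0);
}

/*
 * getbynam gets a group entry by name.  This function constructs an ldap
 * search filter using the name invocation parameter and the getgrnam search
 * filter defined.  Once the filter is constructed, we search for a matching
 * entry and marshal the data results into struct group for the frontend
 * process.  The function _nss_ldap_group2str performs the data marshaling.
 *
 * Returns NSS_NOTFOUND when the name cannot be turned into a safe filter
 * (escaping failure or truncation), otherwise the status of the lookup.
 */
static nss_status_t
getbynam(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
	char		searchfilter[SEARCHFILTERLEN];
	char		userdata[SEARCHFILTERLEN];
	char		groupname[SEARCHFILTERLEN];
	int		ret;

	/* escape filter metacharacters in the caller-supplied name */
	if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname))
	    != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(searchfilter, sizeof (searchfilter),
	    _F_GETGRNAM, groupname);
	if (ret < 0 || ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname);
	if (ret < 0 || ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp,
	    _GROUP, searchfilter, NULL,
	    _merge_SSD_filter, userdata));
}


/*
 * getbygid gets a group entry by number.  This function constructs an ldap
 * search filter using the gid invocation parameter and the getgrgid search
 * filter defined.  Once the filter is constructed, we search for a matching
 * entry and marshal the data results into struct group for the frontend
 * process.  The function _nss_ldap_group2str performs the data marshaling.
 *
 * Returns NSS_NOTFOUND when the filter does not fit, otherwise the status
 * of the lookup.
 */
static nss_status_t
getbygid(ldap_backend_ptr be, void *a)
{
	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
	char		searchfilter[SEARCHFILTERLEN];
	char		userdata[SEARCHFILTERLEN];
	int		ret;

	/* the frontend passes the gid in the key union's gid member */
	ret = snprintf(searchfilter, sizeof (searchfilter),
	    _F_GETGRGID, (long)argp->key.gid);
	if (ret < 0 || ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata),
	    _F_GETGRGID_SSD, (long)argp->key.gid);
	if (ret < 0 || ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)_nss_ldap_lookup(be, argp,
	    _GROUP, searchfilter, NULL,
	    _merge_SSD_filter, userdata));
}


/*
 * getbymember returns all groups a user is defined in.  This function
 * uses different architectural procedures than the other group backend
 * system calls because it's a private interface.  This function constructs
 * an ldap search filter using the name invocation parameter.  Once the
 * filter is constructed, we search for all matching groups and append the
 * gid of every group that lists the user as a memberUid to the caller's
 * gid array, skipping gids already present and stopping when the array
 * is full.
 *
 * (const char *)argp->username; (size_t)strlen(argp->username);
 * (gid_t)argp->gid_array; (int)argp->maxgids;
 * (int)argp->numgids;
 *
 * Returns NSS_SUCCESS when at least one gid was added, NSS_NOTFOUND when
 * none was (or the name was rejected), NSS_UNAVAIL when the scratch buffer
 * cannot be allocated, otherwise the lookup status.
 */
static nss_status_t
getbymember(ldap_backend_ptr be, void *a)
{
	int			i, j, k;
	int			gcnt;
	char			**groupvalue, **membervalue;
	nss_status_t		lstat;
	nss_XbyY_args_t		argb;
	/*
	 * NOTE(review): this scratch buffer is file-static and therefore
	 * shared by every group backend instance in the process; confirm
	 * that callers are serialized, otherwise it belongs on the stack
	 * or in the backend structure.
	 */
	static nss_XbyY_buf_t	*gb;
	struct nss_groupsbymem	*argp = (struct nss_groupsbymem *)a;
	char			searchfilter[SEARCHFILTERLEN];
	char			userdata[SEARCHFILTERLEN];
	char			name[SEARCHFILTERLEN];
	ns_ldap_result_t	*result;
	ns_ldap_entry_t		*curEntry;
	const char		*username;
	gid_t			gid;
	int			ret;

	/* LINTED E_EXPR_NULL_EFFECT */
	NSS_XbyY_ALLOC(&gb, sizeof (struct group), NSS_BUFLEN_GROUP);
	if (gb == NULL)
		return ((nss_status_t)NSS_UNAVAIL);
	NSS_XbyY_INIT(&argb, gb->result, gb->buffer, gb->buflen, 0);

	/* root and the empty name are never resolved through LDAP */
	if (argp->username[0] == '\0' ||
	    strcmp(argp->username, "root") == 0)
		return ((nss_status_t)NSS_NOTFOUND);

	/* escape filter metacharacters in the caller-supplied name */
	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name);
	if (ret < 0 || ret >= sizeof (searchfilter))
		return ((nss_status_t)NSS_NOTFOUND);

	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name);
	if (ret < 0 || ret >= sizeof (userdata))
		return ((nss_status_t)NSS_NOTFOUND);

	/* remember the starting count to tell whether anything was added */
	gcnt = argp->numgids;
	lstat = _nss_ldap_nocb_lookup(be, &argb,
	    _GROUP, searchfilter, NULL,
	    _merge_SSD_filter, userdata);
	if (lstat != NSS_SUCCESS)
		return (lstat);
	if (be->result == NULL)
		return ((nss_status_t)NSS_NOTFOUND);

	username = argp->username;
	result = be->result;
	curEntry = result->entry;
	for (i = 0; i < result->entries_count && curEntry != NULL;
	    i++, curEntry = curEntry->next) {
		membervalue = __ns_ldap_getAttr(curEntry, _G_MEM);
		if (membervalue == NULL)
			continue;
		for (j = 0; membervalue[j] != NULL; j++) {
			if (strcmp(membervalue[j], username) != 0)
				continue;
			/*
			 * A group whose gidNumber is missing or malformed
			 * is skipped rather than mapped to gid 0.
			 */
			groupvalue = __ns_ldap_getAttr(curEntry, _G_GID);
			if (groupvalue == NULL ||
			    parse_gid(groupvalue[0], &gid) != 0)
				break;
			if (argp->numgids < argp->maxgids) {
				for (k = 0; k < argp->numgids; k++) {
					if (argp->gid_array[k] == gid)
						break;	/* already exists */
				}
				if (k == argp->numgids)
					argp->gid_array[argp->numgids++] = gid;
			}
			/* one matching memberUid per group is enough */
			break;
		}
	}

	(void) __ns_ldap_freeResult(&be->result);
	NSS_XbyY_FREE(&gb);
	if (gcnt == argp->numgids)
		return ((nss_status_t)NSS_NOTFOUND);

	return ((nss_status_t)NSS_SUCCESS);
}

/*
 * Backend operation table; the position of each entry is the operation
 * number the frontend dispatches on, so the order must not change.
 */
static ldap_backend_op_t gr_ops[] = {
	_nss_ldap_destr,
	_nss_ldap_endent,
	_nss_ldap_setent,
	_nss_ldap_getent,
	getbynam,
	getbygid,
	getbymember
};


/*
 * _nss_ldap_group_constr is the entry point the nsswitch frontend uses to
 * instantiate the group backend.  The three arguments are unused; the
 * backend is built from gr_ops, the requested attributes and the
 * marshaling routine.
 */
/*ARGSUSED0*/
nss_backend_t *
_nss_ldap_group_constr(const char *dummy1, const char *dummy2,
    const char *dummy3)
{

	return ((nss_backend_t *)_nss_ldap_constr(gr_ops,
	    sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs,
	    _nss_ldap_group2str));
}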