/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _ADUTILS_H
#define _ADUTILS_H

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Processes name2sid & sid2name lookups for a given user or computer
 * from an AD Directory server using GSSAPI authentication.
 *
 * This header declares only the batch-lookup interface; the
 * adutils_ad_t handle type and idmap_retcode come from the headers
 * included below.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <lber.h>
#include <ldap.h>
#include <sasl/sasl.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <time.h>
#include <thread.h>
#include <synch.h>
#include <rpcsvc/idmap_prot.h>
#include "libadutils.h"
#include <sys/idmap.h>

/*
 * idmapd interfaces stolen? from other idmapd code?
 */

/*
 * Eventually these should be an enum here, but instead we share a
 * namespace with other things in idmapd.
 *
 * NOTE(review): presumably these are the values reported through the
 * 'sid_type' output parameters and accepted in 'eunixtype' below; this
 * header does not state that, so confirm against the idmapd sources.
 * Note that _IDMAP_T_UNDEF (-1) matches the "-1 as appropriate"
 * initial value described for the batch output parameters.
 */
#define	_IDMAP_T_OTHER		0
#define	_IDMAP_T_UNDEF		-1
#define	_IDMAP_T_USER		-1004
#define	_IDMAP_T_GROUP		-1005
#define	_IDMAP_T_DOMAIN		-1006

/* Relative identifier: the last component of a SID (see the add1 comments). */
typedef uint32_t rid_t;
/* A POSIX identifier; used for both users and groups (see 'is_user' below). */
typedef uid_t posix_id_t;

/* Opaque per-batch state; created by idmap_lookup_batch_start(). */
typedef struct idmap_query_state idmap_query_state_t;

/*
 * NOTE(review): presumably registers 'host':'port' as a directory server
 * for the 'ad' handle; the meaning of the return value is not documented
 * here -- confirm in the implementation before relying on it.
 */
int idmap_add_ds(adutils_ad_t *ad, const char *host, int port);


/*
 * Batch lookups
 *
 * Start a batch, add queries to the batch one by one (the output
 * pointers should all differ, so that a query's results don't clobber
 * any other's), end the batch to wait for replies for all outstanding
 * queries.  The output parameters of each query are initialized to NULL
 * or -1 as appropriate.
 *
 * LDAP searches are sent one by one without waiting (i.e., blocking)
 * for replies.  Replies are handled as soon as they are available.
 * Missing replies are waited for only when idmap_lookup_batch_end() is
 * called.
 *
 * If an add1 function returns != 0 then abort the batch by calling
 * idmap_lookup_batch_end(), but note that some queries may have been
 * answered, so check the result code of each query.
 *
 * Consequently, a query's outputs are only meaningful once its own
 * *rc has been checked after idmap_lookup_batch_end(); until then they
 * hold the NULL / -1 initial values.
 */

/* Start a batch of lookups; 'nqueries' is the number of add1 calls expected. */
idmap_retcode idmap_lookup_batch_start(adutils_ad_t *ad, int nqueries,
	int directory_based_mapping, const char *default_domain,
	idmap_query_state_t **state);

/* End a batch and release its idmap_query_state_t object */
idmap_retcode idmap_lookup_batch_end(idmap_query_state_t **state);

/* Abandon a batch and release its idmap_query_state_t object */
void idmap_lookup_release_batch(idmap_query_state_t **state);

/*
 * Add a name->SID lookup
 *
 * - 'dname' is optional; if NULL or empty string then 'name' has to be
 *   a user/group name qualified with a domainname (e.g., foo@domain),
 *   else the 'name' must not be qualified and the domainname must be
 *   passed in 'dname'.
 *
 * - if 'rid' is NULL then the output SID string will include the last
 *   RID, else it won't and the last RID value will be stored in *rid.
 *
 * - *rc receives this query's own result code (see the batch comment).
 *
 * The caller must free() *sid.
 *
 * NOTE(review): ownership of the other string outputs (*dn, *attr,
 * *value, *canonname, *unixname) is not stated here; presumably they are
 * also caller-freed like *sid -- confirm in the implementation.
 */
idmap_retcode idmap_name2sid_batch_add1(idmap_query_state_t *state,
	const char *name, const char *dname, int eunixtype,
	char **dn, char **attr, char **value, char **canonname,
	char **sid, rid_t *rid, int *sid_type, char **unixname,
	posix_id_t *pid, idmap_retcode *rc);
/*
 * Add a SID->name lookup
 *
 * - 'rid' is optional; if NULL then 'sid' is expected to have the
 *   user/group RID present, else 'sid' is expected not to have it, and
 *   *rid will be used to qualify the given 'sid'
 *
 * - 'dname' is optional; if NULL then the fully qualified user/group
 *   name will be stored in *name, else the domain name will be stored in
 *   *dname and the user/group name will be stored in *name without a
 *   domain qualifier.
 *
 * - *rc receives this query's own result code (see the batch comment).
 *
 * The caller must free() *name and *dname (if present).
 *
 * NOTE(review): ownership of *dn, *attr, *value and *unixname is not
 * stated here; presumably caller-freed as well -- confirm.
 */
idmap_retcode idmap_sid2name_batch_add1(idmap_query_state_t *state,
	const char *sid, const rid_t *rid, int eunixtype,
	char **dn, char **attr, char **value, char **name,
	char **dname, int *sid_type, char **unixname,
	posix_id_t *pid, idmap_retcode *rc);

/*
 * Add a unixname->SID lookup
 *
 * 'is_user' and 'is_wuser' select the kind of entity being looked up;
 * their exact interaction is not documented here.  *rc receives this
 * query's own result code.  Ownership of the string outputs is not
 * stated here; presumably caller-freed like the add1 functions above --
 * confirm.
 */
idmap_retcode idmap_unixname2sid_batch_add1(idmap_query_state_t *state,
	const char *unixname, int is_user, int is_wuser,
	char **dn, char **attr, char **value, char **sid, rid_t *rid,
	char **name, char **dname, int *sid_type, idmap_retcode *rc);

/*
 * Add a PID->SID lookup
 *
 * 'pid' is a UID when 'is_user' is set, otherwise a GID (posix_id_t
 * covers both).  *rc receives this query's own result code.  Ownership
 * of the string outputs is not stated here; presumably caller-freed --
 * confirm.
 */
idmap_retcode idmap_pid2sid_batch_add1(idmap_query_state_t *state,
	posix_id_t pid, int is_user,
	char **dn, char **attr, char **value, char **sid, rid_t *rid,
	char **name, char **dname, int *sid_type, idmap_retcode *rc);

/*
 * Set unixname attribute names for the batch for AD-based name mapping
 *
 * NOTE(review): presumably applies to queries added to 'state' after
 * this call; whether the strings are copied or must outlive the batch
 * is not stated here -- confirm.
 */
void idmap_lookup_batch_set_unixattr(idmap_query_state_t *state,
	const char *unixuser_attr, const char *unixgroup_attr);

#ifdef __cplusplus
}
#endif

#endif	/* _ADUTILS_H */