1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <grp.h>
29 #include "ldap_common.h"
30 
31 /* String which may need to be removed from beginning of group password */
32 #define	_CRYPT		"{CRYPT}"
33 #define	_NO_PASSWD_VAL	""
34 
35 /* Group attributes filters */
36 #define	_G_NAME		"cn"
37 #define	_G_GID		"gidnumber"
38 #define	_G_PASSWD	"userpassword"
39 #define	_G_MEM		"memberuid"
40 
41 #define	_F_GETGRNAM	"(&(objectClass=posixGroup)(cn=%s))"
42 #define	_F_GETGRNAM_SSD	"(&(%%s)(cn=%s))"
43 #define	_F_GETGRGID	"(&(objectClass=posixGroup)(gidNumber=%ld))"
44 #define	_F_GETGRGID_SSD	"(&(%%s)(gidNumber=%ld))"
45 #define	_F_GETGRMEM	"(&(objectClass=posixGroup)(memberUid=%s))"
46 #define	_F_GETGRMEM_SSD	"(&(%%s)(memberUid=%s))"
47 
48 static const char *gr_attrs[] = {
49 	_G_NAME,
50 	_G_GID,
51 	_G_PASSWD,
52 	_G_MEM,
53 	(char *)NULL
54 };
55 
56 
57 /*
58  * _nss_ldap_group2str is the data marshaling method for the group getXbyY
59  * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
60  * is called after a successful ldap search has been performed. This method
61  * will parse the ldap search values into the file format.
62  * e.g.
63  *
64  * adm::4:root,adm,daemon
65  *
66  */
67 
68 static int
69 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
70 {
71 	int		i;
72 	int		nss_result;
73 	int		buflen = 0, len;
74 	int		firstime = 1;
75 	char		*buffer = NULL;
76 	ns_ldap_result_t	*result = be->result;
77 	char		**gname, **passwd, **gid, *password;
78 	ns_ldap_attr_t	*members;
79 
80 
81 	if (result == NULL)
82 		return (NSS_STR_PARSE_PARSE);
83 	buflen = argp->buf.buflen;
84 
85 	if (argp->buf.result != NULL) {
86 		if ((be->buffer = calloc(1, buflen)) == NULL) {
87 			nss_result = NSS_STR_PARSE_PARSE;
88 			goto result_grp2str;
89 		}
90 		buffer = be->buffer;
91 	} else
92 		buffer = argp->buf.buffer;
93 
94 	nss_result = NSS_STR_PARSE_SUCCESS;
95 	(void) memset(buffer, 0, buflen);
96 
97 	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
98 	if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
99 		nss_result = NSS_STR_PARSE_PARSE;
100 		goto result_grp2str;
101 	}
102 	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
103 	if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
104 		/* group password could be NULL, replace it with "" */
105 		password = _NO_PASSWD_VAL;
106 	} else {
107 		/*
108 		 * Preen "{crypt}" if necessary.
109 		 * If the password does not include the {crypt} prefix
110 		 * then the password may be plain text.  And thus
111 		 * perhaps crypt(3c) should be used to encrypt it.
112 		 * Currently the password is copied verbatim.
113 		 */
114 		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
115 			password = passwd[0] + strlen(_CRYPT);
116 		else
117 			password = passwd[0];
118 	}
119 	gid = __ns_ldap_getAttr(result->entry, _G_GID);
120 	if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
121 		nss_result = NSS_STR_PARSE_PARSE;
122 		goto result_grp2str;
123 	}
124 	len = snprintf(buffer, buflen, "%s:%s:%s:",
125 			gname[0], password, gid[0]);
126 	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
127 
128 	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
129 	if (members == NULL || members->attrvalue == NULL) {
130 		/* no member is fine, skip processing the member list */
131 		goto nomember;
132 	}
133 
134 	for (i = 0; i < members->value_count; i++) {
135 		if (members->attrvalue[i] == NULL) {
136 			nss_result = NSS_STR_PARSE_PARSE;
137 			goto result_grp2str;
138 		}
139 		if (firstime) {
140 			len = snprintf(buffer, buflen, "%s",
141 					members->attrvalue[i]);
142 			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
143 			firstime = 0;
144 		} else {
145 			len = snprintf(buffer, buflen, ",%s",
146 					members->attrvalue[i]);
147 			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
148 		}
149 	}
150 nomember:
151 	/* The front end marshaller doesn't need the trailing nulls */
152 	if (argp->buf.result != NULL)
153 		be->buflen = strlen(be->buffer);
154 result_grp2str:
155 	(void) __ns_ldap_freeResult(&be->result);
156 	return (nss_result);
157 }
158 
159 /*
160  * getbynam gets a group entry by name. This function constructs an ldap
161  * search filter using the name invocation parameter and the getgrnam search
162  * filter defined. Once the filter is constructed, we searche for a matching
163  * entry and marshal the data results into struct group for the frontend
164  * process. The function _nss_ldap_group2ent performs the data marshaling.
165  */
166 
167 static nss_status_t
168 getbynam(ldap_backend_ptr be, void *a)
169 {
170 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
171 	char		searchfilter[SEARCHFILTERLEN];
172 	char		userdata[SEARCHFILTERLEN];
173 	char		groupname[SEARCHFILTERLEN];
174 	int		ret;
175 
176 	if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname))
177 			!= 0)
178 		return ((nss_status_t)NSS_NOTFOUND);
179 
180 	ret = snprintf(searchfilter, sizeof (searchfilter),
181 	    _F_GETGRNAM, groupname);
182 	if (ret >= sizeof (searchfilter) || ret < 0)
183 		return ((nss_status_t)NSS_NOTFOUND);
184 
185 	ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname);
186 	if (ret >= sizeof (userdata) || ret < 0)
187 		return ((nss_status_t)NSS_NOTFOUND);
188 
189 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
190 		_GROUP, searchfilter, NULL,
191 		_merge_SSD_filter, userdata));
192 }
193 
194 
195 /*
196  * getbygid gets a group entry by number. This function constructs an ldap
197  * search filter using the name invocation parameter and the getgrgid search
198  * filter defined. Once the filter is constructed, we searche for a matching
199  * entry and marshal the data results into struct group for the frontend
200  * process. The function _nss_ldap_group2ent performs the data marshaling.
201  */
202 
203 static nss_status_t
204 getbygid(ldap_backend_ptr be, void *a)
205 {
206 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
207 	char searchfilter[SEARCHFILTERLEN];
208 	char userdata[SEARCHFILTERLEN];
209 	int ret;
210 
211 	ret = snprintf(searchfilter, sizeof (searchfilter),
212 	    _F_GETGRGID, (long)argp->key.uid);
213 	if (ret >= sizeof (searchfilter) || ret < 0)
214 		return ((nss_status_t)NSS_NOTFOUND);
215 
216 	ret = snprintf(userdata, sizeof (userdata),
217 	    _F_GETGRGID_SSD, (long)argp->key.uid);
218 	if (ret >= sizeof (userdata) || ret < 0)
219 		return ((nss_status_t)NSS_NOTFOUND);
220 
221 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
222 		_GROUP, searchfilter, NULL,
223 		_merge_SSD_filter, userdata));
224 
225 }
226 
227 
228 /*
229  * getbymember returns all groups a user is defined in. This function
230  * uses different architectural procedures than the other group backend
231  * system calls because it's a private interface. This function constructs
232  * an ldap search filter using the name invocation parameter. Once the
233  * filter is constructed, we search for all matching groups counting
234  * and storing each group name, gid, etc. Data marshaling is used for
235  * group processing. The function _nss_ldap_group2ent() performs the
236  * data marshaling.
237  *
238  * (const char *)argp->username;	(size_t)strlen(argp->username);
239  * (gid_t)argp->gid_array;		(int)argp->maxgids;
240  * (int)argp->numgids;
241  */
242 
243 static nss_status_t
244 getbymember(ldap_backend_ptr be, void *a)
245 {
246 	int			i, j, k;
247 	int			gcnt = (int)0;
248 	char			**groupvalue, **membervalue;
249 	nss_status_t		lstat;
250 	nss_XbyY_args_t		argb;
251 	static nss_XbyY_buf_t	*gb;
252 	struct nss_groupsbymem	*argp = (struct nss_groupsbymem *)a;
253 	char			searchfilter[SEARCHFILTERLEN];
254 	char			userdata[SEARCHFILTERLEN];
255 	char			name[SEARCHFILTERLEN];
256 	ns_ldap_result_t	*result;
257 	ns_ldap_entry_t		*curEntry;
258 	char			*username;
259 	gid_t			gid;
260 	int			ret;
261 
262 	/* LINTED E_EXPR_NULL_EFFECT */
263 	NSS_XbyY_ALLOC(&gb, sizeof (struct group), NSS_BUFLEN_GROUP);
264 	NSS_XbyY_INIT(&argb, gb->result, gb->buffer, gb->buflen, 0);
265 
266 	if (strcmp(argp->username, "") == 0 ||
267 	    strcmp(argp->username, "root") == 0)
268 		return ((nss_status_t)NSS_NOTFOUND);
269 
270 	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
271 		return ((nss_status_t)NSS_NOTFOUND);
272 
273 	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name);
274 	if (ret >= sizeof (searchfilter) || ret < 0)
275 		return ((nss_status_t)NSS_NOTFOUND);
276 
277 	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name);
278 	if (ret >= sizeof (userdata) || ret < 0)
279 		return ((nss_status_t)NSS_NOTFOUND);
280 
281 	gcnt = (int)argp->numgids;
282 	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, &argb,
283 		_GROUP, searchfilter, NULL,
284 		_merge_SSD_filter, userdata);
285 	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
286 		return ((nss_status_t)lstat);
287 	if (be->result == NULL)
288 		return (NSS_NOTFOUND);
289 	username = (char *)argp->username;
290 	result = (ns_ldap_result_t *)be->result;
291 	curEntry = (ns_ldap_entry_t *)result->entry;
292 	for (i = 0; i < result->entries_count; i++) {
293 		membervalue = __ns_ldap_getAttr(curEntry, "memberUid");
294 		if (membervalue) {
295 			for (j = 0; membervalue[j]; j++) {
296 				if (strcmp(membervalue[j], username) == NULL) {
297 					groupvalue = __ns_ldap_getAttr(curEntry,
298 						"gidnumber");
299 					gid = (gid_t)strtol(groupvalue[0],
300 						(char **)NULL, 10);
301 					if (argp->numgids < argp->maxgids) {
302 					    for (k = 0; k < argp->numgids;
303 							k++) {
304 						if (argp->gid_array[k] == gid)
305 						    /* already exists */
306 						    break;
307 					    }
308 					    if (k == argp->numgids)
309 						argp->gid_array[argp->numgids++]
310 						    = gid;
311 					}
312 					break;
313 				}
314 			}
315 		}
316 		curEntry = curEntry->next;
317 	}
318 
319 	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
320 	NSS_XbyY_FREE(&gb);
321 	if (gcnt == argp->numgids)
322 		return ((nss_status_t)NSS_NOTFOUND);
323 
324 	return ((nss_status_t)NSS_SUCCESS);
325 }
326 
327 static ldap_backend_op_t gr_ops[] = {
328 	_nss_ldap_destr,
329 	_nss_ldap_endent,
330 	_nss_ldap_setent,
331 	_nss_ldap_getent,
332 	getbynam,
333 	getbygid,
334 	getbymember
335 };
336 
337 
338 /*ARGSUSED0*/
339 nss_backend_t *
340 _nss_ldap_group_constr(const char *dummy1, const char *dummy2,
341 			const char *dummy3)
342 {
343 
344 	return ((nss_backend_t *)_nss_ldap_constr(gr_ops,
345 		sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs,
346 		_nss_ldap_group2str));
347 }
348