1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <grp.h> 29 #include "ldap_common.h" 30 31 /* String which may need to be removed from beginning of group password */ 32 #define _CRYPT "{CRYPT}" 33 #define _NO_PASSWD_VAL "" 34 35 /* Group attributes filters */ 36 #define _G_NAME "cn" 37 #define _G_GID "gidnumber" 38 #define _G_PASSWD "userpassword" 39 #define _G_MEM "memberuid" 40 41 #define _F_GETGRNAM "(&(objectClass=posixGroup)(cn=%s))" 42 #define _F_GETGRNAM_SSD "(&(%%s)(cn=%s))" 43 #define _F_GETGRGID "(&(objectClass=posixGroup)(gidNumber=%u))" 44 #define _F_GETGRGID_SSD "(&(%%s)(gidNumber=%u))" 45 #define _F_GETGRMEM "(&(objectClass=posixGroup)(memberUid=%s))" 46 #define _F_GETGRMEM_SSD "(&(%%s)(memberUid=%s))" 47 48 static const char *gr_attrs[] = { 49 _G_NAME, 50 _G_GID, 51 _G_PASSWD, 52 _G_MEM, 53 (char *)NULL 54 }; 55 56 57 /* 58 * _nss_ldap_group2str is the data marshaling method for the group getXbyY 59 * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method 60 * is called after a successful ldap search has been performed. This method 61 * will parse the ldap search values into the file format. 62 * e.g. 63 * 64 * adm::4:root,adm,daemon 65 * 66 */ 67 68 static int 69 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp) 70 { 71 int i; 72 int nss_result; 73 int buflen = 0, len; 74 int firstime = 1; 75 char *buffer = NULL; 76 ns_ldap_result_t *result = be->result; 77 char **gname, **passwd, **gid, *password; 78 ns_ldap_attr_t *members; 79 80 81 if (result == NULL) 82 return (NSS_STR_PARSE_PARSE); 83 buflen = argp->buf.buflen; 84 85 if (argp->buf.result != NULL) { 86 if ((be->buffer = calloc(1, buflen)) == NULL) { 87 nss_result = NSS_STR_PARSE_PARSE; 88 goto result_grp2str; 89 } 90 buffer = be->buffer; 91 } else 92 buffer = argp->buf.buffer; 93 94 nss_result = NSS_STR_PARSE_SUCCESS; 95 (void) memset(buffer, 0, buflen); 96 97 gname = __ns_ldap_getAttr(result->entry, _G_NAME); 98 if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) { 99 nss_result = NSS_STR_PARSE_PARSE; 100 goto result_grp2str; 101 } 102 passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD); 103 if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) { 104 /* group password could be NULL, replace it with "" */ 105 password = _NO_PASSWD_VAL; 106 } else { 107 /* 108 * Preen "{crypt}" if necessary. 109 * If the password does not include the {crypt} prefix 110 * then the password may be plain text. And thus 111 * perhaps crypt(3c) should be used to encrypt it. 112 * Currently the password is copied verbatim. 113 */ 114 if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0) 115 password = passwd[0] + strlen(_CRYPT); 116 else 117 password = passwd[0]; 118 } 119 gid = __ns_ldap_getAttr(result->entry, _G_GID); 120 if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) { 121 nss_result = NSS_STR_PARSE_PARSE; 122 goto result_grp2str; 123 } 124 len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]); 125 TEST_AND_ADJUST(len, buffer, buflen, result_grp2str); 126 127 members = __ns_ldap_getAttrStruct(result->entry, _G_MEM); 128 if (members == NULL || members->attrvalue == NULL) { 129 /* no member is fine, skip processing the member list */ 130 goto nomember; 131 } 132 133 for (i = 0; i < members->value_count; i++) { 134 if (members->attrvalue[i] == NULL) { 135 nss_result = NSS_STR_PARSE_PARSE; 136 goto result_grp2str; 137 } 138 if (firstime) { 139 len = snprintf(buffer, buflen, "%s", 140 members->attrvalue[i]); 141 TEST_AND_ADJUST(len, buffer, buflen, result_grp2str); 142 firstime = 0; 143 } else { 144 len = snprintf(buffer, buflen, ",%s", 145 members->attrvalue[i]); 146 TEST_AND_ADJUST(len, buffer, buflen, result_grp2str); 147 } 148 } 149 nomember: 150 /* The front end marshaller doesn't need the trailing nulls */ 151 if (argp->buf.result != NULL) 152 be->buflen = strlen(be->buffer); 153 result_grp2str: 154 (void) __ns_ldap_freeResult(&be->result); 155 return (nss_result); 156 } 157 158 /* 159 * getbynam gets a group entry by name. This function constructs an ldap 160 * search filter using the name invocation parameter and the getgrnam search 161 * filter defined. Once the filter is constructed, we searche for a matching 162 * entry and marshal the data results into struct group for the frontend 163 * process. The function _nss_ldap_group2ent performs the data marshaling. 164 */ 165 166 static nss_status_t 167 getbynam(ldap_backend_ptr be, void *a) 168 { 169 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a; 170 char searchfilter[SEARCHFILTERLEN]; 171 char userdata[SEARCHFILTERLEN]; 172 char groupname[SEARCHFILTERLEN]; 173 int ret; 174 175 if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname)) != 176 0) 177 return ((nss_status_t)NSS_NOTFOUND); 178 179 ret = snprintf(searchfilter, sizeof (searchfilter), 180 _F_GETGRNAM, groupname); 181 if (ret >= sizeof (searchfilter) || ret < 0) 182 return ((nss_status_t)NSS_NOTFOUND); 183 184 ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname); 185 if (ret >= sizeof (userdata) || ret < 0) 186 return ((nss_status_t)NSS_NOTFOUND); 187 188 return ((nss_status_t)_nss_ldap_lookup(be, argp, 189 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata)); 190 } 191 192 193 /* 194 * getbygid gets a group entry by number. This function constructs an ldap 195 * search filter using the name invocation parameter and the getgrgid search 196 * filter defined. Once the filter is constructed, we searche for a matching 197 * entry and marshal the data results into struct group for the frontend 198 * process. The function _nss_ldap_group2ent performs the data marshaling. 199 */ 200 201 static nss_status_t 202 getbygid(ldap_backend_ptr be, void *a) 203 { 204 nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a; 205 char searchfilter[SEARCHFILTERLEN]; 206 char userdata[SEARCHFILTERLEN]; 207 int ret; 208 209 ret = snprintf(searchfilter, sizeof (searchfilter), 210 _F_GETGRGID, argp->key.uid); 211 if (ret >= sizeof (searchfilter) || ret < 0) 212 return ((nss_status_t)NSS_NOTFOUND); 213 214 ret = snprintf(userdata, sizeof (userdata), 215 _F_GETGRGID_SSD, argp->key.uid); 216 if (ret >= sizeof (userdata) || ret < 0) 217 return ((nss_status_t)NSS_NOTFOUND); 218 219 return ((nss_status_t)_nss_ldap_lookup(be, argp, 220 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata)); 221 222 } 223 224 225 /* 226 * getbymember returns all groups a user is defined in. This function 227 * uses different architectural procedures than the other group backend 228 * system calls because it's a private interface. This function constructs 229 * an ldap search filter using the name invocation parameter. Once the 230 * filter is constructed, we search for all matching groups counting 231 * and storing each group name, gid, etc. Data marshaling is used for 232 * group processing. The function _nss_ldap_group2ent() performs the 233 * data marshaling. 234 * 235 * (const char *)argp->username; (size_t)strlen(argp->username); 236 * (gid_t)argp->gid_array; (int)argp->maxgids; 237 * (int)argp->numgids; 238 */ 239 240 static nss_status_t 241 getbymember(ldap_backend_ptr be, void *a) 242 { 243 int i, j, k; 244 int gcnt = (int)0; 245 char **groupvalue, **membervalue; 246 nss_status_t lstat; 247 struct nss_groupsbymem *argp = (struct nss_groupsbymem *)a; 248 char searchfilter[SEARCHFILTERLEN]; 249 char userdata[SEARCHFILTERLEN]; 250 char name[SEARCHFILTERLEN]; 251 ns_ldap_result_t *result; 252 ns_ldap_entry_t *curEntry; 253 char *username; 254 gid_t gid; 255 int ret; 256 257 if (strcmp(argp->username, "") == 0 || 258 strcmp(argp->username, "root") == 0) 259 return ((nss_status_t)NSS_NOTFOUND); 260 261 if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0) 262 return ((nss_status_t)NSS_NOTFOUND); 263 264 ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name); 265 if (ret >= sizeof (searchfilter) || ret < 0) 266 return ((nss_status_t)NSS_NOTFOUND); 267 268 ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name); 269 if (ret >= sizeof (userdata) || ret < 0) 270 return ((nss_status_t)NSS_NOTFOUND); 271 272 gcnt = (int)argp->numgids; 273 lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL, 274 _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata); 275 if (lstat != (nss_status_t)NS_LDAP_SUCCESS) 276 return ((nss_status_t)lstat); 277 if (be->result == NULL) 278 return (NSS_NOTFOUND); 279 username = (char *)argp->username; 280 result = (ns_ldap_result_t *)be->result; 281 curEntry = (ns_ldap_entry_t *)result->entry; 282 for (i = 0; i < result->entries_count; i++) { 283 membervalue = __ns_ldap_getAttr(curEntry, "memberUid"); 284 if (membervalue) { 285 for (j = 0; membervalue[j]; j++) { 286 if (strcmp(membervalue[j], username) == NULL) { 287 groupvalue = __ns_ldap_getAttr(curEntry, 288 "gidnumber"); 289 gid = (gid_t)strtol(groupvalue[0], 290 (char **)NULL, 10); 291 if (argp->numgids < argp->maxgids) { 292 for (k = 0; k < argp->numgids; 293 k++) { 294 if (argp->gid_array[k] 295 == gid) 296 /* already exists */ 297 break; 298 } 299 if (k == argp->numgids) 300 argp->gid_array[argp->numgids++] 301 = gid; 302 } 303 break; 304 } 305 } 306 } 307 curEntry = curEntry->next; 308 } 309 310 (void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result); 311 if (gcnt == argp->numgids) 312 return ((nss_status_t)NSS_NOTFOUND); 313 314 return ((nss_status_t)NSS_SUCCESS); 315 } 316 317 static ldap_backend_op_t gr_ops[] = { 318 _nss_ldap_destr, 319 _nss_ldap_endent, 320 _nss_ldap_setent, 321 _nss_ldap_getent, 322 getbynam, 323 getbygid, 324 getbymember 325 }; 326 327 328 /*ARGSUSED0*/ 329 nss_backend_t * 330 _nss_ldap_group_constr(const char *dummy1, const char *dummy2, 331 const char *dummy3) 332 { 333 334 return ((nss_backend_t *)_nss_ldap_constr(gr_ops, 335 sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs, 336 _nss_ldap_group2str)); 337 } 338