svn commit: samba r14451 - branches/SAMBA_3_0/examples/LDAP
branches/SAMBA_3_0/source/passdb trunk/examples/LDAP
trunk/source/passdb
jerry at samba.org
jerry at samba.org
Wed Mar 15 16:00:36 GMT 2006
Author: jerry
Date: 2006-03-15 16:00:34 +0000 (Wed, 15 Mar 2006)
New Revision: 14451
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14451
Log:
In order to get pdb_ldap searching for SID_NAME_ALIAS
groups in the ${MACHINESID} and S_1-5-32 domains correctly,
I had to add a substr search on sambaSID.
* add substr matching rule to OpenLDAP schema
(we need to update the other schema as well since this
is a pretty important change). Sites will need to
- install the new schema
- add 'index sambaSID sub' to slapd.conf
- run slapindex
* remove uses of SID_NAME_WKN_GRP in pdb_ldap.c
Modified:
branches/SAMBA_3_0/examples/LDAP/samba.schema
branches/SAMBA_3_0/source/passdb/pdb_ldap.c
trunk/examples/LDAP/samba.schema
trunk/source/passdb/pdb_ldap.c
Changeset:
Modified: branches/SAMBA_3_0/examples/LDAP/samba.schema
===================================================================
--- branches/SAMBA_3_0/examples/LDAP/samba.schema 2006-03-15 15:38:15 UTC (rev 14450)
+++ branches/SAMBA_3_0/examples/LDAP/samba.schema 2006-03-15 16:00:34 UTC (rev 14451)
@@ -295,9 +295,9 @@
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
-
##
## Primary group SID, compatible with ntSid
##
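Review bot: The new `SUBSTR caseExactIA5SubstringsMatch` rule is case-sensitive while the existing `EQUALITY caseIgnoreIA5Match` on the same attribute is not, so a filter value that matches an entry by equality regardless of case would fail to match the same entry by substring. If the equality rule is meant to stay case-insensitive, `SUBSTR caseIgnoreIA5SubstringsMatch` keeps both lookups consistent; if SID values are relied on being stored in one canonical case, a one-line `## substring matching is case-sensitive; store sambaSID in canonical form` comment above the attributetype would make that assumption visible to admins running slapindex. The trunk copy of samba.schema in this commit has the same hunk.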
Modified: branches/SAMBA_3_0/source/passdb/pdb_ldap.c
===================================================================
--- branches/SAMBA_3_0/source/passdb/pdb_ldap.c 2006-03-15 15:38:15 UTC (rev 14450)
+++ branches/SAMBA_3_0/source/passdb/pdb_ldap.c 2006-03-15 16:00:34 UTC (rev 14451)
@@ -2740,25 +2740,16 @@
break;
case SID_NAME_ALIAS:
- if (!sid_check_is_in_our_domain(&map->sid)) {
- DEBUG(3, ("Refusing to map sid %s as an alias, not "
- "in our domain\n",
+ if (!sid_check_is_in_our_domain(&map->sid)
+ && !sid_check_is_in_builtin(&map->sid) )
+ {
+ DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
sid_string_static(&map->sid)));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
break;
- case SID_NAME_WKN_GRP:
- if (!sid_check_is_in_builtin(&map->sid)) {
- DEBUG(3, ("Refusing to map sid %s as an alias, not "
- "in builtin domain\n",
- sid_string_static(&map->sid)));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
- break;
-
default:
DEBUG(3, ("Got invalid use '%s' for mapping\n",
sid_type_lookup(map->sid_name_use)));
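Review bot: The DEBUG text on the new `if` still says "not in our domain", but the condition now also accepts BUILTIN SIDs, so the message no longer describes why a SID was refused. Suggest `DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain or BUILTIN\n",`. The same mismatch applies to the `"%s is not in our domain\n"` message in the merged SID_NAME_DOM_GRP/SID_NAME_ALIAS case later in this file, and to both hunks in the trunk copy of pdb_ldap.c. The enclosing function starts and ends outside this hunk.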
@@ -3137,7 +3128,7 @@
pstring filter;
if (sid_check_is_in_builtin(alias)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_in_our_domain(alias)) {
@@ -3250,7 +3241,7 @@
*p_num_members = 0;
if (sid_check_is_in_builtin(alias)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_in_our_domain(alias)) {
@@ -3346,7 +3337,7 @@
enum SID_NAME_USE type = SID_NAME_USE_NONE;
if (sid_check_is_builtin(domain_sid)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_domain(domain_sid)) {
@@ -3775,7 +3766,7 @@
type = atol(attr);
/* Consistency checks */
- if ((is_builtin && (type != SID_NAME_WKN_GRP)) ||
+ if ((is_builtin && (type != SID_NAME_ALIAS)) ||
(!is_builtin && ((type != SID_NAME_ALIAS) &&
(type != SID_NAME_DOM_GRP)))) {
DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
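Review bot: Existing group-mapping entries for BUILTIN aliases that were stored with the old SID_NAME_WKN_GRP value in sambaGroupType will now fail the `is_builtin && (type != SID_NAME_ALIAS)` check and be rejected as invalid, and the upgrade steps in the commit log (schema, index, slapindex) do not cover re-typing those entries. If the enum value still exists, accepting it here during a transition, e.g. `if ((is_builtin && (type != SID_NAME_ALIAS) && (type != SID_NAME_WKN_GRP)) ||`, avoids silently dropping BUILTIN mappings on upgrade; otherwise the log should tell sites to rewrite them. The trunk copy of pdb_ldap.c has the same hunk. The enclosing function starts and ends outside this hunk.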
@@ -4261,25 +4252,15 @@
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid,
- &result->rid)) {
+ if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
+ && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
+ {
DEBUG(0, ("%s is not in our domain\n",
sid_string_static(&sid)));
return False;
}
break;
- case SID_NAME_WKN_GRP:
-
- if (!sid_peek_check_rid(&global_sid_Builtin, &sid,
- &result->rid)) {
-
- DEBUG(0, ("%s is not in builtin sid\n",
- sid_string_static(&sid)));
- return False;
- }
- break;
-
default:
DEBUG(0,("unkown group type: %d\n", group_type));
return False;
@@ -4290,6 +4271,7 @@
static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
struct pdb_search *search,
+ const DOM_SID *sid,
enum SID_NAME_USE type)
{
struct ldapsam_privates *ldap_state = methods->private_data;
@@ -4308,7 +4290,8 @@
state->scope = LDAP_SCOPE_SUBTREE;
state->filter = talloc_asprintf(search->mem_ctx,
"(&(objectclass=sambaGroupMapping)"
- "(sambaGroupType=%d))", type);
+ "(sambaGroupType=%d)(sambaSID=%s)",
+ sid_string_static(sid), type);
state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid",
"displayName", "description",
"sambaGroupType", NULL);
@@ -4333,23 +4316,14 @@
static BOOL ldapsam_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
- return ldapsam_search_grouptype(methods, search, SID_NAME_DOM_GRP);
+ return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
}
static BOOL ldapsam_search_aliases(struct pdb_methods *methods,
struct pdb_search *search,
const DOM_SID *sid)
{
- if (sid_check_is_domain(sid))
- return ldapsam_search_grouptype(methods, search,
- SID_NAME_ALIAS);
-
- if (sid_check_is_builtin(sid))
- return ldapsam_search_grouptype(methods, search,
- SID_NAME_WKN_GRP);
-
- DEBUG(5, ("Don't know SID %s\n", sid_string_static(sid)));
- return False;
+ return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
}
static BOOL ldapsam_rid_algorithm(struct pdb_methods *methods)
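Review bot: ldapsam_search_aliases no longer validates its `sid` argument, so a SID that is neither the local domain nor BUILTIN is now passed straight into the LDAP filter instead of being refused with the old `Don't know SID` DEBUG and `return False`. If callers can supply arbitrary SIDs, keeping that guard ahead of the new call preserves the previous behaviour: `if (!sid_check_is_domain(sid) && !sid_check_is_builtin(sid)) {` / `DEBUG(5, ("Don't know SID %s\n", sid_string_static(sid))); return False;` / `}`. The `ldapsam_search_groups` change in the same hunk is fine. The trunk copy of pdb_ldap.c repeats this hunk.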
Modified: trunk/examples/LDAP/samba.schema
===================================================================
--- trunk/examples/LDAP/samba.schema 2006-03-15 15:38:15 UTC (rev 14450)
+++ trunk/examples/LDAP/samba.schema 2006-03-15 16:00:34 UTC (rev 14451)
@@ -295,9 +295,9 @@
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
-
##
## Primary group SID, compatible with ntSid
##
Modified: trunk/source/passdb/pdb_ldap.c
===================================================================
--- trunk/source/passdb/pdb_ldap.c 2006-03-15 15:38:15 UTC (rev 14450)
+++ trunk/source/passdb/pdb_ldap.c 2006-03-15 16:00:34 UTC (rev 14451)
@@ -2740,25 +2740,16 @@
break;
case SID_NAME_ALIAS:
- if (!sid_check_is_in_our_domain(&map->sid)) {
- DEBUG(3, ("Refusing to map sid %s as an alias, not "
- "in our domain\n",
+ if (!sid_check_is_in_our_domain(&map->sid)
+ && !sid_check_is_in_builtin(&map->sid) )
+ {
+ DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
sid_string_static(&map->sid)));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
break;
- case SID_NAME_WKN_GRP:
- if (!sid_check_is_in_builtin(&map->sid)) {
- DEBUG(3, ("Refusing to map sid %s as an alias, not "
- "in builtin domain\n",
- sid_string_static(&map->sid)));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
- break;
-
default:
DEBUG(3, ("Got invalid use '%s' for mapping\n",
sid_type_lookup(map->sid_name_use)));
@@ -3137,7 +3128,7 @@
pstring filter;
if (sid_check_is_in_builtin(alias)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_in_our_domain(alias)) {
@@ -3250,7 +3241,7 @@
*p_num_members = 0;
if (sid_check_is_in_builtin(alias)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_in_our_domain(alias)) {
@@ -3346,7 +3337,7 @@
enum SID_NAME_USE type = SID_NAME_USE_NONE;
if (sid_check_is_builtin(domain_sid)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_domain(domain_sid)) {
@@ -3775,7 +3766,7 @@
type = atol(attr);
/* Consistency checks */
- if ((is_builtin && (type != SID_NAME_WKN_GRP)) ||
+ if ((is_builtin && (type != SID_NAME_ALIAS)) ||
(!is_builtin && ((type != SID_NAME_ALIAS) &&
(type != SID_NAME_DOM_GRP)))) {
DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
@@ -4261,25 +4252,15 @@
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid,
- &result->rid)) {
+ if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
+ && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
+ {
DEBUG(0, ("%s is not in our domain\n",
sid_string_static(&sid)));
return False;
}
break;
- case SID_NAME_WKN_GRP:
-
- if (!sid_peek_check_rid(&global_sid_Builtin, &sid,
- &result->rid)) {
-
- DEBUG(0, ("%s is not in builtin sid\n",
- sid_string_static(&sid)));
- return False;
- }
- break;
-
default:
DEBUG(0,("unkown group type: %d\n", group_type));
return False;
@@ -4290,6 +4271,7 @@
static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
struct pdb_search *search,
+ const DOM_SID *sid,
enum SID_NAME_USE type)
{
struct ldapsam_privates *ldap_state = methods->private_data;
@@ -4308,7 +4290,8 @@
state->scope = LDAP_SCOPE_SUBTREE;
state->filter = talloc_asprintf(search->mem_ctx,
"(&(objectclass=sambaGroupMapping)"
- "(sambaGroupType=%d))", type);
+ "(sambaGroupType=%d)(sambaSID=%s)",
+ sid_string_static(sid), type);
state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid",
"displayName", "description",
"sambaGroupType", NULL);
@@ -4333,23 +4316,14 @@
static BOOL ldapsam_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
- return ldapsam_search_grouptype(methods, search, SID_NAME_DOM_GRP);
+ return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
}
static BOOL ldapsam_search_aliases(struct pdb_methods *methods,
struct pdb_search *search,
const DOM_SID *sid)
{
- if (sid_check_is_domain(sid))
- return ldapsam_search_grouptype(methods, search,
- SID_NAME_ALIAS);
-
- if (sid_check_is_builtin(sid))
- return ldapsam_search_grouptype(methods, search,
- SID_NAME_WKN_GRP);
-
- DEBUG(5, ("Don't know SID %s\n", sid_string_static(sid)));
- return False;
+ return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
}
static BOOL ldapsam_rid_algorithm(struct pdb_methods *methods)