newlib-cygwin/winsup/cygwin/ldap.cc

444 lines
10 KiB
C++
Raw Normal View History

Introduce reading passwd/group entries from SAM/AD. Introduce /etc/nsswitch.conf file to configure it. * Makefile.in (DLL_OFILES): Add ldap.o. * autoload.cc: Import ldap functions from wldap32.dll. (DsEnumerateDomainTrustsW): Import. (NetGroupGetInfo): Import. * cygheap.h (class cygheap_domain_info): New class to keep global domain info. (class cygheap_pwdgrp): New class to keep passwd/group caches and configuration info from /etc/nssswitch.conf. (struct init_cygheap): Add cygheap_domain_info member "dom" and cygheap_pwdgrp member "pg". * cygtls.h (struct _local_storage): Remove unused member "res". Rearrange slightly, Add members pwbuf and grbuf to implement non-caching passwd/group fetching from SAM/AD. Make pw_pos and pw_pos unsigned. * fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Add RFC 2307 uid/gid mapping. * fhandler_process.cc: Drop including pwdgrp.h. * fhandler_procsysvipc.cc: Ditto. * fhandler_registry.cc (fhandler_registry::fstat): Set key uid/gid to ILLEGAL_UID/ILLEGAL_GID rather than UNKNOWN_UID/UNKNOWN_GID. * grp.cc (group_buf): Drop. (gr): Drop. (pwdgrp::parse_group): Fill pg_grp. (pwdgrp::read_group): Remove. (pwdgrp::init_grp): New method. (pwdgrp::prep_tls_grbuf): New method. (pwdgrp::find_group): New methods. (internal_getgrsid): Convert to call new pwdgrp methods. (internal_getgrnam): Ditto. (internal_getgrgid): Ditto. (getgrgid_r): Drop 2nd parameter from internal_getgrgid call. (getgrgid32): Ditto. (getgrnam_r): Ditto for internal_getgrnam. (getgrnam32): Ditto. (getgrent32): Convert to call new pwdgrp methods. (internal_getgrent): Remove. (internal_getgroups): Simplify, especially drop calls to internal_getgrent. * ldap.cc: New file implementing cyg_ldap class for LDAP access to AD and RFC 2307 server. * ldap.h: New header, declaring cyg_ldap class. * passwd.cc (passwd_buf): Drop. (pr): Drop. (pwdgrp::parse_passwd): Fill pg_pwd. (pwdgrp::read_passwd): Remove. (pwdgrp::init_pwd): New method. (pwdgrp::prep_tls_pwbuf): New method. (find_user): New methods. (internal_getpwsid): Convert to call new pwdgrp methods. (internal_getpwnam): Ditto. (internal_getpwuid): Ditto. (getpwuid32): Drop 2nd parameter from internal_getpwuid call. (getpwuid_r): Ditto. (getpwnam): Ditto for internal_getpwnam. (getpwnam_r): Ditto. (getpwent): Convert to call new pwdgrp methods. * path.cc (class etc): Remove all methods. * path.h (class etc): Drop. * pinfo.cc (pinfo_basic::pinfo_basic): Set gid to ILLEGAL_GID rather than UNKNOWN_GID. (pinfo_init): Ditto. * pwdgrp.h (internal_getpwnam): Drop 2nd parameter from declaration. (internal_getpwuid): Ditto. (internal_getgrgid): Ditto. (internal_getgrnam): Ditto. (internal_getgrent): Drop declaration. (enum fetch_user_arg_type_t): New type. (struct fetch_user_arg_t): New type. (struct pg_pwd): New type. (struct pg_grp): New type. (class pwdgrp): Rework to provide functions for file and db requests and caching. (class ugid_cache_t): New class to provide RFC 2307 uid map caching. (ugid_cache): Declare. * sec_acl.cc: Drop including pwdgrp.h. * sec_auth.cc: Drop including dsgetdc.h and pwdgrp.h. (get_logon_server): Convert third parameter to ULONG flags argument to allow arbitrary flags values in DsGetDcNameW call and change calls to this function throughout. Use cached account domain name rather than calling GetComputerNameW. (get_unix_group_sidlist): Remove. (get_server_groups): Drop call to get_unix_group_sidlist. (verify_token): Rework token group check without calling internal_getgrent. * sec_helper.cc (cygpsid::pstring): New methods, like string() but return pointer to end of string. (cygsid::getfromstr): Add wide character implementation. (get_sids_info): Add RFC 2307 uid/gid mapping for Samba shares. * security.cc: Drop including pwdgrp.h. * security.h (DEFAULT_UID): Remove. (UNKNOWN_UID): Remove. (UNKNOWN_GID): Remove. (uinfo_init): Move here from winsup.h. (ILLEGAL_UID): Ditto. (ILLEGAL_GID): Ditto. (UNIX_POSIX_OFFSET): Define. Add lengthy comment. (UNIX_POSIX_MASK): Ditto. (MAP_UNIX_TO_CYGWIN_ID): Ditto. (ILLEGAL_UID16): Move here from winsup.h. (ILLEGAL_GID16): Ditto. (uid16touid32): Ditto. (gid16togid32): Ditto. (sid_id_auth): New convenience macro for SID component access. (sid_sub_auth_count): Ditto. (sid_sub_auth): Ditto. (sid_sub_auth_rid): Ditto. (cygpsid::pstring): Declare. (cygsid::getfromstr): Declare wide character variant. (cygsid::operator=): Ditto. (cygsid::operator*=): Ditto. (get_logon_server): Change declaration according to source code. * setlsapwd.cc (setlsapwd): Drop 2nd parameter from internal_getpwnam call. * shared.cc (memory_init): Call cygheap->pg.init in first process. * syscalls.cc: Drop including pwdgrp.h. * tlsoffsets.h: Regenerate. * tlsoffsets64.h: Ditto. * uinfo.cc (internal_getlogin): Drop gratuitious internal_getpwuid call. Fix debug output. Overwrite user gid in border case of a missing passwd file while a group file exists. (pwdgrp::add_line): Allocate memory on cygheap. (pwdgrp::load): Remove. (ugid_cache): Define. (cygheap_pwdgrp::init): New method. (cygheap_pwdgrp::nss_init_line): New method. (cygheap_pwdgrp::_nss_init): New method. (cygheap_domain_info::init): New method. (logon_sid): Define. (get_logon_sid): New function. (pwdgrp::add_account_post_fetch): New method. (pwdgrp::add_account_from_file): New methods. (pwdgrp::add_account_from_windows): New methods. (pwdgrp::check_file): New method. (pwdgrp::fetch_account_from_line): New method. (pwdgrp::fetch_account_from_file): New method. (pwdgrp::fetch_account_from_windows): New method. * winsup.h: Move aforementioned macros and declarations to security.h.
2014-02-10 03:44:56 +08:00
/* ldap.cc: Helper functions for ldap access to Active Directory.
Copyright 2014 Red Hat, Inc.
This file is part of Cygwin.
This software is a copyrighted work licensed under the terms of the
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
details. */
#include "winsup.h"
#include "ldap.h"
#include "cygerrno.h"
#include "security.h"
#include "path.h"
#include "fhandler.h"
#include "dtable.h"
#include "cygheap.h"
#include "registry.h"
#include "pinfo.h"
#include "lm.h"
#include "dsgetdc.h"
static LDAP_TIMEVAL tv = { 3, 0 };
static PWCHAR rootdse_attr[] =
{
(PWCHAR) L"defaultNamingContext",
(PWCHAR) L"supportedCapabilities",
NULL
};
static PWCHAR user_attr[] =
{
(PWCHAR) L"uid",
(PWCHAR) L"primaryGroupID",
(PWCHAR) L"gecos",
(PWCHAR) L"unixHomeDirectory",
(PWCHAR) L"loginShell",
(PWCHAR) L"uidNumber",
NULL
};
static PWCHAR group_attr[] =
{
(PWCHAR) L"cn",
(PWCHAR) L"gidNumber",
NULL
};
PWCHAR tdom_attr[] =
{
(PWCHAR) L"trustPosixOffset",
NULL
};
PWCHAR nfs_attr[] =
{
(PWCHAR) L"objectSid",
NULL
};
PWCHAR rfc2307_uid_attr[] =
{
(PWCHAR) L"uid",
NULL
};
PWCHAR rfc2307_gid_attr[] =
{
(PWCHAR) L"cn",
NULL
};
DWORD WINAPI
rediscover_thread (LPVOID dummy)
{
PDOMAIN_CONTROLLER_INFOW pdci;
DWORD ret = DsGetDcNameW (NULL, (PWCHAR) dummy, NULL, NULL,
DS_FORCE_REDISCOVERY | DS_ONLY_LDAP_NEEDED, &pdci);
if (ret == ERROR_SUCCESS)
NetApiBufferFree (pdci);
else
debug_printf ("DsGetDcNameW(%W) failed with error %u", dummy, ret);
return 0;
}
bool
cyg_ldap::connect_ssl (PCWSTR domain)
{
ULONG ret, timelimit = 3; /* secs */
if (!(lh = ldap_sslinitW ((PWCHAR) domain, LDAP_SSL_PORT, 1)))
{
debug_printf ("ldap_init(%W) error 0x%02x", domain, LdapGetLastError ());
return false;
}
if ((ret = ldap_set_option (lh, LDAP_OPT_TIMELIMIT, &timelimit))
!= LDAP_SUCCESS)
debug_printf ("ldap_set_option(LDAP_OPT_TIMELIMIT) error 0x%02x", ret);
if ((ret = ldap_bind_s (lh, NULL, NULL, LDAP_AUTH_NEGOTIATE)) != LDAP_SUCCESS)
{
debug_printf ("ldap_bind(%W) 0x%02x", domain, ret);
ldap_unbind (lh);
lh = NULL;
return false;
}
return true;
}
bool
cyg_ldap::connect_non_ssl (PCWSTR domain)
{
ULONG ret, timelimit = 3; /* secs */
if (!(lh = ldap_initW ((PWCHAR) domain, LDAP_PORT)))
{
debug_printf ("ldap_init(%W) error 0x%02x", domain, LdapGetLastError ());
return false;
}
if ((ret = ldap_set_option (lh, LDAP_OPT_SIGN, LDAP_OPT_ON))
!= LDAP_SUCCESS)
debug_printf ("ldap_set_option(LDAP_OPT_SIGN) error 0x%02x", ret);
if ((ret = ldap_set_option (lh, LDAP_OPT_ENCRYPT, LDAP_OPT_ON))
!= LDAP_SUCCESS)
debug_printf ("ldap_set_option(LDAP_OPT_ENCRYPT) error 0x%02x", ret);
if ((ret = ldap_set_option (lh, LDAP_OPT_TIMELIMIT, &timelimit))
!= LDAP_SUCCESS)
debug_printf ("ldap_set_option(LDAP_OPT_TIMELIMIT) error 0x%02x", ret);
if ((ret = ldap_bind_s (lh, NULL, NULL, LDAP_AUTH_NEGOTIATE)) != LDAP_SUCCESS)
{
debug_printf ("ldap_bind(%W) 0x%02x", domain, ret);
ldap_unbind (lh);
lh = NULL;
return false;
}
return true;
}
bool
cyg_ldap::open (PCWSTR domain)
{
LARGE_INTEGER start, stop;
static LARGE_INTEGER last_rediscover;
ULONG ret;
close ();
GetSystemTimeAsFileTime ((LPFILETIME) &start);
/* FIXME? connect_ssl can take ages even when failing, so we're trying to
do everything the non-SSL (but still encrypted) way. */
if (/*!connect_ssl (NULL) && */ !connect_non_ssl (domain))
return false;
/* For some obscure reason, there's a chance that the ldap_bind_s call takes
a long time, if the current primary DC is... well, burping or something.
If so, we rediscover in the background which usually switches to the next
fastest DC. */
GetSystemTimeAsFileTime ((LPFILETIME) &stop);
if ((stop.QuadPart - start.QuadPart) >= 3000000LL /* 0.3s */
&& (stop.QuadPart - last_rediscover.QuadPart) >= 30000000LL) /* 3s */
{
debug_printf ("ldap_bind_s is laming. Try to rediscover.");
HANDLE thr = CreateThread (&sec_none_nih, 4 * PTHREAD_STACK_MIN,
rediscover_thread, (LPVOID) domain,
STACK_SIZE_PARAM_IS_A_RESERVATION, NULL);
if (!thr)
debug_printf ("Couldn't start rediscover thread.");
else
{
last_rediscover = stop;
CloseHandle (thr);
}
}
if ((ret = ldap_search_stW (lh, NULL, LDAP_SCOPE_BASE,
(PWCHAR) L"(objectclass=*)", rootdse_attr,
0, &tv, &msg))
!= LDAP_SUCCESS)
{
debug_printf ("ldap_search(%W, ROOTDSE) error 0x%02x", domain, ret);
goto err;
}
if (!(entry = ldap_first_entry (lh, msg)))
{
debug_printf ("No ROOTDSE entry for %W", domain);
goto err;
}
if (!(val = ldap_get_valuesW (lh, entry, rootdse_attr[0])))
{
debug_printf ("No ROOTDSE value for %W", domain);
goto err;
}
if (!(rootdse = wcsdup (val[0])))
{
debug_printf ("wcsdup(%W, ROOTDSE) %d", domain, get_errno ());
goto err;
}
ldap_value_freeW (val);
if ((val = ldap_get_valuesW (lh, entry, rootdse_attr[1])))
{
for (ULONG idx = 0; idx < ldap_count_valuesW (val); ++idx)
if (!wcscmp (val[idx], LDAP_CAP_ACTIVE_DIRECTORY_OID_W))
{
isAD = true;
break;
}
}
ldap_value_freeW (val);
val = NULL;
ldap_memfreeW ((PWCHAR) msg);
msg = entry = NULL; return true;
err:
close ();
return false;
}
void
cyg_ldap::close ()
{
if (lh)
ldap_unbind (lh);
if (msg)
ldap_memfreeW ((PWCHAR) msg);
if (val)
ldap_value_freeW (val);
if (rootdse)
free (rootdse);
lh = NULL;
msg = entry = NULL;
val = NULL;
rootdse = NULL;
}
bool
cyg_ldap::fetch_ad_account (PSID sid, bool group)
{
WCHAR filter[512], *f;
LONG len = (LONG) RtlLengthSid (sid);
PBYTE s = (PBYTE) sid;
static WCHAR hex_wchars[] = L"0123456789abcdef";
ULONG ret;
if (msg)
{
ldap_memfreeW ((PWCHAR) msg);
msg = entry = NULL;
}
if (val)
{
ldap_value_freeW (val);
val = NULL;
}
f = wcpcpy (filter, L"(objectSid=");
while (len-- > 0)
{
*f++ = L'\\';
*f++ = hex_wchars[*s >> 4];
*f++ = hex_wchars[*s++ & 0xf];
}
wcpcpy (f, L")");
attr = group ? group_attr : user_attr;
if ((ret = ldap_search_stW (lh, rootdse, LDAP_SCOPE_SUBTREE, filter,
attr, 0, &tv, &msg)) != LDAP_SUCCESS)
{
debug_printf ("ldap_search_stW(%W,%W) error 0x%02x",
rootdse, filter, ret);
return false;
}
if (!(entry = ldap_first_entry (lh, msg)))
{
debug_printf ("No entry for %W in rootdse %W", filter, rootdse);
return false;
}
return true;
}
uint32_t
cyg_ldap::fetch_posix_offset_for_domain (PCWSTR domain)
{
WCHAR filter[512];
ULONG ret;
if (msg)
{
ldap_memfreeW ((PWCHAR) msg);
msg = entry = NULL;
}
if (val)
{
ldap_value_freeW (val);
val = NULL;
}
__small_swprintf (filter, L"(&(objectClass=trustedDomain)(name=%W))", domain);
if ((ret = ldap_search_stW (lh, rootdse, LDAP_SCOPE_SUBTREE, filter,
attr = tdom_attr, 0, &tv, &msg)) != LDAP_SUCCESS)
{
debug_printf ("ldap_search_stW(%W,%W) error 0x%02x",
rootdse, filter, ret);
return 0;
}
if (!(entry = ldap_first_entry (lh, msg)))
{
debug_printf ("No entry for %W in rootdse %W", filter, rootdse);
return 0;
}
return get_num_attribute (0);
}
PWCHAR
cyg_ldap::get_string_attribute (int idx)
{
if (val)
ldap_value_freeW (val);
val = ldap_get_valuesW (lh, entry, attr[idx]);
if (val)
return val[0];
return NULL;
}
uint32_t
cyg_ldap::get_num_attribute (int idx)
{
PWCHAR ret = get_string_attribute (idx);
if (ret)
return (uint32_t) wcstoul (ret, NULL, 10);
return (uint32_t) -1;
}
bool
cyg_ldap::fetch_unix_sid_from_ad (uint32_t id, cygsid &sid, bool group)
{
WCHAR filter[512];
ULONG ret;
PLDAP_BERVAL *bval;
if (msg)
{
ldap_memfreeW ((PWCHAR) msg);
msg = entry = NULL;
}
if (group)
__small_swprintf (filter, L"(&(objectClass=Group)(gidNumber=%u))", id);
else
__small_swprintf (filter, L"(&(objectClass=User)(uidNumber=%u))", id);
if ((ret = ldap_search_stW (lh, rootdse, LDAP_SCOPE_SUBTREE, filter,
nfs_attr, 0, &tv, &msg)) != LDAP_SUCCESS)
{
debug_printf ("ldap_search_stW(%W,%W) error 0x%02x",
rootdse, filter, ret);
return false;
}
if ((entry = ldap_first_entry (lh, msg))
&& (bval = ldap_get_values_lenW (lh, entry, nfs_attr[0])))
{
sid = (PSID) bval[0]->bv_val;
ldap_value_free_len (bval);
}
return true;
}
PWCHAR
cyg_ldap::fetch_unix_name_from_rfc2307 (uint32_t id, bool group)
{
WCHAR filter[512];
ULONG ret;
if (msg)
{
ldap_memfreeW ((PWCHAR) msg);
msg = entry = NULL;
}
if (val)
{
ldap_value_freeW (val);
val = NULL;
}
attr = group ? rfc2307_gid_attr : rfc2307_uid_attr;
if (group)
__small_swprintf (filter, L"(&(objectClass=posixGroup)(gidNumber=%u))", id);
else
__small_swprintf (filter, L"(&(objectClass=posixAccount)(uidNumber=%u))",
id);
if ((ret = ldap_search_stW (lh, rootdse, LDAP_SCOPE_SUBTREE, filter, attr,
0, &tv, &msg)) != LDAP_SUCCESS)
{
debug_printf ("ldap_search_stW(%W,%W) error 0x%02x",
rootdse, filter, ret);
return NULL;
}
if (!(entry = ldap_first_entry (lh, msg)))
{
debug_printf ("No entry for %W in rootdse %W", filter, rootdse);
return NULL;
}
return get_string_attribute (0);
}
uid_t
cyg_ldap::remap_uid (uid_t uid)
{
cygsid user (NO_SID);
PWCHAR name;
struct passwd *pw;
if (isAD)
{
if (fetch_unix_sid_from_ad (uid, user, false)
&& user != NO_SID
&& (pw = internal_getpwsid (user)))
return pw->pw_uid;
}
else if ((name = fetch_unix_name_from_rfc2307 (uid, false)))
{
char *mbname = NULL;
sys_wcstombs_alloc (&mbname, HEAP_NOTHEAP, name);
if ((pw = internal_getpwnam (mbname)))
return pw->pw_uid;
}
return ILLEGAL_UID;
}
gid_t
cyg_ldap::remap_gid (gid_t gid)
{
cygsid group (NO_SID);
PWCHAR name;
struct group *gr;
if (isAD)
{
if (fetch_unix_sid_from_ad (gid, group, true)
&& group != NO_SID
&& (gr = internal_getgrsid (group)))
return gr->gr_gid;
}
else if ((name = fetch_unix_name_from_rfc2307 (gid, true)))
{
char *mbname = NULL;
sys_wcstombs_alloc (&mbname, HEAP_NOTHEAP, name);
if ((gr = internal_getgrnam (mbname)))
return gr->gr_gid;
}
return ILLEGAL_GID;
}