11fcced4cSJordan Brown /*
21fcced4cSJordan Brown  * CDDL HEADER START
31fcced4cSJordan Brown  *
41fcced4cSJordan Brown  * The contents of this file are subject to the terms of the
51fcced4cSJordan Brown  * Common Development and Distribution License (the "License").
61fcced4cSJordan Brown  * You may not use this file except in compliance with the License.
71fcced4cSJordan Brown  *
81fcced4cSJordan Brown  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
91fcced4cSJordan Brown  * or http://www.opensolaris.org/os/licensing.
101fcced4cSJordan Brown  * See the License for the specific language governing permissions
111fcced4cSJordan Brown  * and limitations under the License.
121fcced4cSJordan Brown  *
131fcced4cSJordan Brown  * When distributing Covered Code, include this CDDL HEADER in each
141fcced4cSJordan Brown  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
151fcced4cSJordan Brown  * If applicable, add the following below this CDDL HEADER, with the
161fcced4cSJordan Brown  * fields enclosed by brackets "[]" replaced with your own identifying
171fcced4cSJordan Brown  * information: Portions Copyright [yyyy] [name of copyright owner]
181fcced4cSJordan Brown  *
191fcced4cSJordan Brown  * CDDL HEADER END
201fcced4cSJordan Brown  */
211fcced4cSJordan Brown 
221fcced4cSJordan Brown /*
23*cb174861Sjoyce mcintosh  * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
241fcced4cSJordan Brown  */
251fcced4cSJordan Brown 
261fcced4cSJordan Brown /*
271fcced4cSJordan Brown  * Retrieve directory information for standard UNIX users/groups.
281fcced4cSJordan Brown  * (NB:  not just from files, but all nsswitch sources.)
291fcced4cSJordan Brown  */
301fcced4cSJordan Brown 
311fcced4cSJordan Brown #include <pwd.h>
321fcced4cSJordan Brown #include <grp.h>
331fcced4cSJordan Brown #include <malloc.h>
341fcced4cSJordan Brown #include <string.h>
351fcced4cSJordan Brown #include <stdlib.h>
361fcced4cSJordan Brown #include <netdb.h>
37*cb174861Sjoyce mcintosh #include <libuutil.h>
381fcced4cSJordan Brown #include <note.h>
391fcced4cSJordan Brown #include <errno.h>
401fcced4cSJordan Brown #include "idmapd.h"
411fcced4cSJordan Brown #include "directory.h"
421fcced4cSJordan Brown #include "directory_private.h"
431fcced4cSJordan Brown #include <rpcsvc/idmap_prot.h>
441fcced4cSJordan Brown #include "directory_server_impl.h"
451fcced4cSJordan Brown #include "sidutil.h"
461fcced4cSJordan Brown 
471fcced4cSJordan Brown static directory_error_t machine_sid_dav(directory_values_rpc *lvals,
481fcced4cSJordan Brown     unsigned int rid);
491fcced4cSJordan Brown static directory_error_t directory_provider_nsswitch_populate(
501fcced4cSJordan Brown     directory_entry_rpc *pent, struct passwd *pwd, struct group *grp,
511fcced4cSJordan Brown     idmap_utf8str_list *attrs);
521fcced4cSJordan Brown 
531fcced4cSJordan Brown /*
541fcced4cSJordan Brown  * Retrieve information by name.
551fcced4cSJordan Brown  * Called indirectly through the directory_provider_static structure.
561fcced4cSJordan Brown  */
571fcced4cSJordan Brown static
581fcced4cSJordan Brown directory_error_t
directory_provider_nsswitch_get(directory_entry_rpc * del,idmap_utf8str_list * ids,idmap_utf8str types,idmap_utf8str_list * attrs)591fcced4cSJordan Brown directory_provider_nsswitch_get(
601fcced4cSJordan Brown     directory_entry_rpc *del,
611fcced4cSJordan Brown     idmap_utf8str_list *ids,
621fcced4cSJordan Brown     idmap_utf8str types,
631fcced4cSJordan Brown     idmap_utf8str_list *attrs)
641fcced4cSJordan Brown {
651fcced4cSJordan Brown 	int i;
661fcced4cSJordan Brown 
671fcced4cSJordan Brown 	RDLOCK_CONFIG();
681fcced4cSJordan Brown 
691fcced4cSJordan Brown 	/* 6835280 spurious lint error if the strlen is in the declaration */
701fcced4cSJordan Brown 	int host_name_len = strlen(_idmapdstate.hostname);
711fcced4cSJordan Brown 	char my_host_name[host_name_len + 1];
721fcced4cSJordan Brown 	(void) strcpy(my_host_name, _idmapdstate.hostname);
731fcced4cSJordan Brown 
741fcced4cSJordan Brown 	/* We use len later, so this is not merely a workaround for 6835280 */
751fcced4cSJordan Brown 	int machine_sid_len = strlen(_idmapdstate.cfg->pgcfg.machine_sid);
761fcced4cSJordan Brown 	char my_machine_sid[machine_sid_len + 1];
771fcced4cSJordan Brown 	(void) strcpy(my_machine_sid, _idmapdstate.cfg->pgcfg.machine_sid);
781fcced4cSJordan Brown 
791fcced4cSJordan Brown 	UNLOCK_CONFIG();
801fcced4cSJordan Brown 
811fcced4cSJordan Brown 	for (i = 0; i < ids->idmap_utf8str_list_len; i++) {
821fcced4cSJordan Brown 		struct passwd *pwd = NULL;
831fcced4cSJordan Brown 		struct group *grp = NULL;
841fcced4cSJordan Brown 		directory_error_t de;
851fcced4cSJordan Brown 		int type;
861fcced4cSJordan Brown 
871fcced4cSJordan Brown 		/*
881fcced4cSJordan Brown 		 * Extract the type for this particular ID.
891fcced4cSJordan Brown 		 * Advance to the next type, if it's there, else keep
901fcced4cSJordan Brown 		 * using this type until we run out of IDs.
911fcced4cSJordan Brown 		 */
921fcced4cSJordan Brown 		type = *types;
931fcced4cSJordan Brown 		if (*(types+1) != '\0')
941fcced4cSJordan Brown 			types++;
951fcced4cSJordan Brown 
961fcced4cSJordan Brown 		/*
971fcced4cSJordan Brown 		 * If this entry has already been handled, one way or another,
981fcced4cSJordan Brown 		 * skip it.
991fcced4cSJordan Brown 		 */
1001fcced4cSJordan Brown 		if (del[i].status != DIRECTORY_NOT_FOUND)
1011fcced4cSJordan Brown 			continue;
1021fcced4cSJordan Brown 
1031fcced4cSJordan Brown 		char *id = ids->idmap_utf8str_list_val[i];
1041fcced4cSJordan Brown 
1051fcced4cSJordan Brown 		if (type == DIRECTORY_ID_SID[0]) {
1061fcced4cSJordan Brown 			/*
1071fcced4cSJordan Brown 			 * Is it our SID?
1081fcced4cSJordan Brown 			 * Check whether the first part matches, then a "-",
1091fcced4cSJordan Brown 			 * then a single RID.
1101fcced4cSJordan Brown 			 */
1111fcced4cSJordan Brown 			if (strncasecmp(id, my_machine_sid, machine_sid_len) !=
1121fcced4cSJordan Brown 			    0)
1131fcced4cSJordan Brown 				continue;
1141fcced4cSJordan Brown 			if (id[machine_sid_len] != '-')
1151fcced4cSJordan Brown 				continue;
1161fcced4cSJordan Brown 			char *p;
1171fcced4cSJordan Brown 			uint32_t rid =
1181fcced4cSJordan Brown 			    strtoul(id + machine_sid_len + 1, &p, 10);
1191fcced4cSJordan Brown 			if (*p != '\0')
1201fcced4cSJordan Brown 				continue;
1211fcced4cSJordan Brown 
1221fcced4cSJordan Brown 			if (rid < LOCALRID_UID_MIN) {
1231fcced4cSJordan Brown 				/* Builtin, not handled here */
1241fcced4cSJordan Brown 				continue;
1251fcced4cSJordan Brown 			}
1261fcced4cSJordan Brown 
1271fcced4cSJordan Brown 			if (rid <= LOCALRID_UID_MAX) {
1281fcced4cSJordan Brown 				/* User */
1291fcced4cSJordan Brown 				errno = 0;
1301fcced4cSJordan Brown 				pwd = getpwuid(rid - LOCALRID_UID_MIN);
1311fcced4cSJordan Brown 				if (pwd == NULL) {
1321fcced4cSJordan Brown 					if (errno == 0)		/* Not found */
1331fcced4cSJordan Brown 						continue;
1341fcced4cSJordan Brown 					char buf[40];
1351fcced4cSJordan Brown 					int err = errno;
1361fcced4cSJordan Brown 					(void) snprintf(buf, sizeof (buf),
1371fcced4cSJordan Brown 					    "%d", err);
1381fcced4cSJordan Brown 					directory_entry_set_error(&del[i],
1391fcced4cSJordan Brown 					    directory_error("errno.getpwuid",
1401fcced4cSJordan Brown 					    "getpwuid: %2 (%1)",
1411fcced4cSJordan Brown 					    buf, strerror(err), NULL));
1421fcced4cSJordan Brown 					continue;
1431fcced4cSJordan Brown 				}
1441fcced4cSJordan Brown 			} else if (rid >= LOCALRID_GID_MIN &&
1451fcced4cSJordan Brown 			    rid <= LOCALRID_GID_MAX) {
1461fcced4cSJordan Brown 				/* Group */
1471fcced4cSJordan Brown 				errno = 0;
1481fcced4cSJordan Brown 				grp = getgrgid(rid - LOCALRID_GID_MIN);
1491fcced4cSJordan Brown 				if (grp == NULL) {
1501fcced4cSJordan Brown 					if (errno == 0)		/* Not found */
1511fcced4cSJordan Brown 						continue;
1521fcced4cSJordan Brown 					char buf[40];
1531fcced4cSJordan Brown 					int err = errno;
1541fcced4cSJordan Brown 					(void) snprintf(buf, sizeof (buf),
1551fcced4cSJordan Brown 					    "%d", err);
1561fcced4cSJordan Brown 					directory_entry_set_error(&del[i],
1571fcced4cSJordan Brown 					    directory_error("errno.getgrgid",
1581fcced4cSJordan Brown 					    "getgrgid: %2 (%1)",
1591fcced4cSJordan Brown 					    buf, strerror(err), NULL));
1601fcced4cSJordan Brown 					continue;
1611fcced4cSJordan Brown 				}
1621fcced4cSJordan Brown 			} else
1631fcced4cSJordan Brown 				continue;
1641fcced4cSJordan Brown 
1651fcced4cSJordan Brown 		} else {
1661fcced4cSJordan Brown 			int id_len = strlen(id);
1671fcced4cSJordan Brown 			char name[id_len + 1];
1681fcced4cSJordan Brown 			char domain[id_len + 1];
1691fcced4cSJordan Brown 
1701fcced4cSJordan Brown 			split_name(name, domain, id);
1711fcced4cSJordan Brown 
1721fcced4cSJordan Brown 			if (domain[0] != '\0') {
1731fcced4cSJordan Brown 				if (!domain_eq(domain, my_host_name))
1741fcced4cSJordan Brown 					continue;
1751fcced4cSJordan Brown 			}
1761fcced4cSJordan Brown 
1771fcced4cSJordan Brown 			/*
1781fcced4cSJordan Brown 			 * If the caller has requested user or group
1791fcced4cSJordan Brown 			 * information specifically, we only set one of
1801fcced4cSJordan Brown 			 * pwd or grp.
1811fcced4cSJordan Brown 			 * If the caller has requested either type, we try
1821fcced4cSJordan Brown 			 * both in the hopes of getting one.
1831fcced4cSJordan Brown 			 * Note that directory_provider_nsswitch_populate
1841fcced4cSJordan Brown 			 * considers it to be an error if both are set.
1851fcced4cSJordan Brown 			 */
1861fcced4cSJordan Brown 			if (type != DIRECTORY_ID_GROUP[0]) {
1871fcced4cSJordan Brown 				/* prep for not found / error case */
1881fcced4cSJordan Brown 				errno = 0;
1891fcced4cSJordan Brown 
1901fcced4cSJordan Brown 				pwd = getpwnam(name);
1911fcced4cSJordan Brown 				if (pwd == NULL && errno != 0) {
1921fcced4cSJordan Brown 					char buf[40];
1931fcced4cSJordan Brown 					int err = errno;
1941fcced4cSJordan Brown 					(void) snprintf(buf, sizeof (buf),
1951fcced4cSJordan Brown 					    "%d", err);
1961fcced4cSJordan Brown 					directory_entry_set_error(&del[i],
1971fcced4cSJordan Brown 					    directory_error("errno.getpwnam",
1981fcced4cSJordan Brown 					    "getpwnam: %2 (%1)",
1991fcced4cSJordan Brown 					    buf, strerror(err), NULL));
2001fcced4cSJordan Brown 					continue;
2011fcced4cSJordan Brown 				}
2021fcced4cSJordan Brown 			}
2031fcced4cSJordan Brown 
2041fcced4cSJordan Brown 			if (type != DIRECTORY_ID_USER[0]) {
2051fcced4cSJordan Brown 				/* prep for not found / error case */
2061fcced4cSJordan Brown 				errno = 0;
2071fcced4cSJordan Brown 
2081fcced4cSJordan Brown 				grp = getgrnam(name);
2091fcced4cSJordan Brown 				if (grp == NULL && errno != 0) {
2101fcced4cSJordan Brown 					char buf[40];
2111fcced4cSJordan Brown 					int err = errno;
2121fcced4cSJordan Brown 					(void) snprintf(buf, sizeof (buf),
2131fcced4cSJordan Brown 					    "%d", err);
2141fcced4cSJordan Brown 					directory_entry_set_error(&del[i],
2151fcced4cSJordan Brown 					    directory_error("errno.getgrnam",
2161fcced4cSJordan Brown 					    "getgrnam: %2 (%1)",
2171fcced4cSJordan Brown 					    buf, strerror(err), NULL));
2181fcced4cSJordan Brown 					continue;
2191fcced4cSJordan Brown 				}
2201fcced4cSJordan Brown 			}
2211fcced4cSJordan Brown 		}
2221fcced4cSJordan Brown 
2231fcced4cSJordan Brown 		/*
2241fcced4cSJordan Brown 		 * Didn't find it, don't populate the structure.
2251fcced4cSJordan Brown 		 * Another provider might populate it.
2261fcced4cSJordan Brown 		 */
2271fcced4cSJordan Brown 		if (pwd == NULL && grp == NULL)
2281fcced4cSJordan Brown 			continue;
2291fcced4cSJordan Brown 
2301fcced4cSJordan Brown 		de = directory_provider_nsswitch_populate(&del[i], pwd, grp,
2311fcced4cSJordan Brown 		    attrs);
2321fcced4cSJordan Brown 		if (de != NULL) {
2331fcced4cSJordan Brown 			directory_entry_set_error(&del[i], de);
2341fcced4cSJordan Brown 			de = NULL;
2351fcced4cSJordan Brown 			continue;
2361fcced4cSJordan Brown 		}
2371fcced4cSJordan Brown 	}
2381fcced4cSJordan Brown 
2391fcced4cSJordan Brown 	return (NULL);
2401fcced4cSJordan Brown }
2411fcced4cSJordan Brown 
2421fcced4cSJordan Brown /*
2431fcced4cSJordan Brown  * Given a pwd structure or a grp structure, and a list of attributes that
2441fcced4cSJordan Brown  * were requested, populate the structure to return to the caller.
2451fcced4cSJordan Brown  */
2461fcced4cSJordan Brown static
2471fcced4cSJordan Brown directory_error_t
directory_provider_nsswitch_populate(directory_entry_rpc * pent,struct passwd * pwd,struct group * grp,idmap_utf8str_list * attrs)2481fcced4cSJordan Brown directory_provider_nsswitch_populate(
2491fcced4cSJordan Brown     directory_entry_rpc *pent,
2501fcced4cSJordan Brown     struct passwd *pwd,
2511fcced4cSJordan Brown     struct group *grp,
2521fcced4cSJordan Brown     idmap_utf8str_list *attrs)
2531fcced4cSJordan Brown {
2541fcced4cSJordan Brown 	int j;
2551fcced4cSJordan Brown 	directory_values_rpc *llvals;
2561fcced4cSJordan Brown 	int nattrs;
2571fcced4cSJordan Brown 
2581fcced4cSJordan Brown 	/*
2591fcced4cSJordan Brown 	 * If it wasn't for this case, everything would be a lot simpler.
2601fcced4cSJordan Brown 	 * UNIX allows users and groups with the same name.  Windows doesn't.
2611fcced4cSJordan Brown 	 */
2621fcced4cSJordan Brown 	if (pwd != NULL && grp != NULL) {
2631fcced4cSJordan Brown 		return directory_error("Ambiguous.Name",
2641fcced4cSJordan Brown 		    "Ambiguous name, is both a user and a group",
2651fcced4cSJordan Brown 		    NULL);
2661fcced4cSJordan Brown 	}
2671fcced4cSJordan Brown 
2681fcced4cSJordan Brown 	nattrs = attrs->idmap_utf8str_list_len;
2691fcced4cSJordan Brown 
2701fcced4cSJordan Brown 	llvals = calloc(nattrs, sizeof (directory_values_rpc));
2711fcced4cSJordan Brown 	if (llvals == NULL)
2721fcced4cSJordan Brown 		goto nomem;
2731fcced4cSJordan Brown 
2741fcced4cSJordan Brown 	pent->directory_entry_rpc_u.attrs.attrs_val = llvals;
2751fcced4cSJordan Brown 	pent->directory_entry_rpc_u.attrs.attrs_len = nattrs;
2761fcced4cSJordan Brown 	pent->status = DIRECTORY_FOUND;
2771fcced4cSJordan Brown 
2781fcced4cSJordan Brown 	for (j = 0; j < nattrs; j++) {
2791fcced4cSJordan Brown 		directory_values_rpc *val;
2801fcced4cSJordan Brown 		char *a;
2811fcced4cSJordan Brown 		directory_error_t de;
2821fcced4cSJordan Brown 
2831fcced4cSJordan Brown 		/*
2841fcced4cSJordan Brown 		 * We're going to refer to these a lot, so make a shorthand
2851fcced4cSJordan Brown 		 * copy.
2861fcced4cSJordan Brown 		 */
2871fcced4cSJordan Brown 		a = attrs->idmap_utf8str_list_val[j];
2881fcced4cSJordan Brown 		val = &llvals[j];
2891fcced4cSJordan Brown 
2901fcced4cSJordan Brown 		/*
2911fcced4cSJordan Brown 		 * Start by assuming no errors and that we don't have
2921fcced4cSJordan Brown 		 * the information
2931fcced4cSJordan Brown 		 */
2941fcced4cSJordan Brown 		val->found = FALSE;
2951fcced4cSJordan Brown 		de = NULL;
2961fcced4cSJordan Brown 
2971fcced4cSJordan Brown 		if (pwd != NULL) {
2981fcced4cSJordan Brown 			/*
2991fcced4cSJordan Brown 			 * Handle attributes for user entries.
3001fcced4cSJordan Brown 			 */
301*cb174861Sjoyce mcintosh 			if (uu_strcaseeq(a, "cn")) {
3021fcced4cSJordan Brown 				const char *p = pwd->pw_name;
3031fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
304*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "objectClass")) {
3051fcced4cSJordan Brown 				static const char *objectClasses[] = {
3061fcced4cSJordan Brown 					"top",
3071fcced4cSJordan Brown 					"posixAccount",
3081fcced4cSJordan Brown 				};
3091fcced4cSJordan Brown 				de = str_list_dav(val, objectClasses,
310*cb174861Sjoyce mcintosh 				    UU_NELEM(objectClasses));
311*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "gidNumber")) {
3121fcced4cSJordan Brown 				de = uint_list_dav(val, &pwd->pw_gid, 1);
313*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "objectSid")) {
3141fcced4cSJordan Brown 				de = machine_sid_dav(val,
3151fcced4cSJordan Brown 				    pwd->pw_uid + LOCALRID_UID_MIN);
316*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "displayName")) {
3171fcced4cSJordan Brown 				const char *p = pwd->pw_gecos;
3181fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
319*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "distinguishedName")) {
3201fcced4cSJordan Brown 				char *dn;
3211fcced4cSJordan Brown 				RDLOCK_CONFIG();
3221fcced4cSJordan Brown 				(void) asprintf(&dn,
3231fcced4cSJordan Brown 				    "uid=%s,ou=people,dc=%s",
3241fcced4cSJordan Brown 				    pwd->pw_name, _idmapdstate.hostname);
3251fcced4cSJordan Brown 				UNLOCK_CONFIG();
3261fcced4cSJordan Brown 				if (dn == NULL)
3271fcced4cSJordan Brown 					goto nomem;
3281fcced4cSJordan Brown 				const char *cdn = dn;
3291fcced4cSJordan Brown 				de = str_list_dav(val, &cdn, 1);
3301fcced4cSJordan Brown 				free(dn);
331*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "uid")) {
3321fcced4cSJordan Brown 				const char *p = pwd->pw_name;
3331fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
334*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "uidNumber")) {
3351fcced4cSJordan Brown 				de = uint_list_dav(val, &pwd->pw_uid, 1);
336*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "gecos")) {
3371fcced4cSJordan Brown 				const char *p = pwd->pw_gecos;
3381fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
339*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "homeDirectory")) {
3401fcced4cSJordan Brown 				const char *p = pwd->pw_dir;
3411fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
342*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "loginShell")) {
3431fcced4cSJordan Brown 				const char *p = pwd->pw_shell;
3441fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
345*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "x-sun-canonicalName")) {
3461fcced4cSJordan Brown 				char *canon;
3471fcced4cSJordan Brown 				RDLOCK_CONFIG();
3481fcced4cSJordan Brown 				(void) asprintf(&canon, "%s@%s",
3491fcced4cSJordan Brown 				    pwd->pw_name, _idmapdstate.hostname);
3501fcced4cSJordan Brown 				UNLOCK_CONFIG();
3511fcced4cSJordan Brown 				if (canon == NULL)
3521fcced4cSJordan Brown 					goto nomem;
3531fcced4cSJordan Brown 				const char *ccanon = canon;
3541fcced4cSJordan Brown 				de = str_list_dav(val, &ccanon, 1);
3551fcced4cSJordan Brown 				free(canon);
356*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "x-sun-provider")) {
3571fcced4cSJordan Brown 				const char *provider = "UNIX-passwd";
3581fcced4cSJordan Brown 				de = str_list_dav(val, &provider, 1);
3591fcced4cSJordan Brown 			}
3601fcced4cSJordan Brown 		} else if (grp != NULL)  {
3611fcced4cSJordan Brown 			/*
3621fcced4cSJordan Brown 			 * Handle attributes for group entries.
3631fcced4cSJordan Brown 			 */
364*cb174861Sjoyce mcintosh 			if (uu_strcaseeq(a, "cn")) {
3651fcced4cSJordan Brown 				const char *p = grp->gr_name;
3661fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
367*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "objectClass")) {
3681fcced4cSJordan Brown 				static const char *objectClasses[] = {
3691fcced4cSJordan Brown 					"top",
3701fcced4cSJordan Brown 					"posixGroup",
3711fcced4cSJordan Brown 				};
3721fcced4cSJordan Brown 				de = str_list_dav(val, objectClasses,
373*cb174861Sjoyce mcintosh 				    UU_NELEM(objectClasses));
374*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "gidNumber")) {
3751fcced4cSJordan Brown 				de = uint_list_dav(val, &grp->gr_gid, 1);
376*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "objectSid")) {
3771fcced4cSJordan Brown 				de = machine_sid_dav(val,
3781fcced4cSJordan Brown 				    grp->gr_gid + LOCALRID_GID_MIN);
379*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "displayName")) {
3801fcced4cSJordan Brown 				const char *p = grp->gr_name;
3811fcced4cSJordan Brown 				de = str_list_dav(val, &p, 1);
382*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "distinguishedName")) {
3831fcced4cSJordan Brown 				char *dn;
3841fcced4cSJordan Brown 				RDLOCK_CONFIG();
3851fcced4cSJordan Brown 				(void) asprintf(&dn,
3861fcced4cSJordan Brown 				    "cn=%s,ou=group,dc=%s",
3871fcced4cSJordan Brown 				    grp->gr_name, _idmapdstate.hostname);
3881fcced4cSJordan Brown 				UNLOCK_CONFIG();
3891fcced4cSJordan Brown 				if (dn == NULL)
3901fcced4cSJordan Brown 					goto nomem;
3911fcced4cSJordan Brown 				const char *cdn = dn;
3921fcced4cSJordan Brown 				de = str_list_dav(val, &cdn, 1);
3931fcced4cSJordan Brown 				free(dn);
394*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "memberUid")) {
3951fcced4cSJordan Brown 				/*
3961fcced4cSJordan Brown 				 * NEEDSWORK:  There is probably a non-cast
3971fcced4cSJordan Brown 				 * way to do this, but I don't immediately
3981fcced4cSJordan Brown 				 * see it.
3991fcced4cSJordan Brown 				 */
4001fcced4cSJordan Brown 				const char * const *members =
4011fcced4cSJordan Brown 				    (const char * const *)grp->gr_mem;
4021fcced4cSJordan Brown 				de = str_list_dav(val, members, 0);
403*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "x-sun-canonicalName")) {
4041fcced4cSJordan Brown 				char *canon;
4051fcced4cSJordan Brown 				RDLOCK_CONFIG();
4061fcced4cSJordan Brown 				(void) asprintf(&canon, "%s@%s",
4071fcced4cSJordan Brown 				    grp->gr_name, _idmapdstate.hostname);
4081fcced4cSJordan Brown 				UNLOCK_CONFIG();
4091fcced4cSJordan Brown 				if (canon == NULL)
4101fcced4cSJordan Brown 					goto nomem;
4111fcced4cSJordan Brown 				const char *ccanon = canon;
4121fcced4cSJordan Brown 				de = str_list_dav(val, &ccanon, 1);
4131fcced4cSJordan Brown 				free(canon);
414*cb174861Sjoyce mcintosh 			} else if (uu_strcaseeq(a, "x-sun-provider")) {
4151fcced4cSJordan Brown 				const char *provider = "UNIX-group";
4161fcced4cSJordan Brown 				de = str_list_dav(val, &provider, 1);
4171fcced4cSJordan Brown 			}
4181fcced4cSJordan Brown 		}
4191fcced4cSJordan Brown 
4201fcced4cSJordan Brown 		if (de != NULL)
4211fcced4cSJordan Brown 			return (de);
4221fcced4cSJordan Brown 	}
4231fcced4cSJordan Brown 
4241fcced4cSJordan Brown 	return (NULL);
4251fcced4cSJordan Brown 
4261fcced4cSJordan Brown nomem:
4271fcced4cSJordan Brown 	return (directory_error("ENOMEM.users",
4281fcced4cSJordan Brown 	    "No memory allocating return value for user lookup", NULL));
4291fcced4cSJordan Brown }
4301fcced4cSJordan Brown 
4311fcced4cSJordan Brown /*
4321fcced4cSJordan Brown  * Populate a directory attribute value with a SID based on our machine SID
4331fcced4cSJordan Brown  * and the specified RID.
4341fcced4cSJordan Brown  *
4351fcced4cSJordan Brown  * It's a bit perverse that we must take a text-format SID and turn it into
4361fcced4cSJordan Brown  * a binary-format SID, only to have the caller probably turn it back into
4371fcced4cSJordan Brown  * text format, but SIDs are carried across LDAP in binary format.
4381fcced4cSJordan Brown  */
4391fcced4cSJordan Brown static
4401fcced4cSJordan Brown directory_error_t
machine_sid_dav(directory_values_rpc * lvals,unsigned int rid)4411fcced4cSJordan Brown machine_sid_dav(directory_values_rpc *lvals, unsigned int rid)
4421fcced4cSJordan Brown {
4431fcced4cSJordan Brown 	sid_t *sid;
4441fcced4cSJordan Brown 	directory_error_t de;
4451fcced4cSJordan Brown 
4461fcced4cSJordan Brown 	RDLOCK_CONFIG();
4471fcced4cSJordan Brown 	int len = strlen(_idmapdstate.cfg->pgcfg.machine_sid);
4481fcced4cSJordan Brown 	char buf[len + 100];	/* 100 is enough space for any RID */
4491fcced4cSJordan Brown 	(void) snprintf(buf, sizeof (buf), "%s-%u",
4501fcced4cSJordan Brown 	    _idmapdstate.cfg->pgcfg.machine_sid, rid);
4511fcced4cSJordan Brown 	UNLOCK_CONFIG();
4521fcced4cSJordan Brown 
4531fcced4cSJordan Brown 	sid = sid_fromstr(buf);
4541fcced4cSJordan Brown 	if (sid == NULL)
4551fcced4cSJordan Brown 		goto nomem;
4561fcced4cSJordan Brown 
4571fcced4cSJordan Brown 	sid_to_le(sid);
4581fcced4cSJordan Brown 
4591fcced4cSJordan Brown 	de = bin_list_dav(lvals, sid, 1, sid_len(sid));
4601fcced4cSJordan Brown 	sid_free(sid);
4611fcced4cSJordan Brown 	return (de);
4621fcced4cSJordan Brown 
4631fcced4cSJordan Brown nomem:
4641fcced4cSJordan Brown 	return (directory_error("ENOMEM.machine_sid_dav",
4651fcced4cSJordan Brown 	    "Out of memory allocating return value for lookup", NULL));
4661fcced4cSJordan Brown }
4671fcced4cSJordan Brown 
4681fcced4cSJordan Brown struct directory_provider_static directory_provider_nsswitch = {
4691fcced4cSJordan Brown 	"files",
4701fcced4cSJordan Brown 	directory_provider_nsswitch_get,
4711fcced4cSJordan Brown };
472