>From 660d236aa988dfa3a271303f20e9b6c7320e1894 Mon Sep 17 00:00:00 2001
From: Marko Myllynen
Date: Fri, 30 Sep 2011 10:12:15 +0300
Subject: [PATCH] Allow using AD objectSid as uid source
https://fedorahosted.org/sssd/ticket/996
If ldap_user_uid_number = objectSid use the special conversion code and make sure the end result matches winbind idmap_rid.
---
src/providers/ldap/sdap_async_users.c | 40 ++++++++++++++++++++++++++------
1 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index adf3cf4..7f670fe 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -114,14 +114,38 @@ int sdap_save_user(TALLOC_CTX *memctx,
 if (el->num_values == 0) shell = NULL;
 else shell = (const char *)el->values[0].data;
- ret = sysdb_attrs_get_uint32_t(attrs,
- opts->user_map[SDAP_AT_USER_UID].sys_name,
- &uid);
- if (ret != EOK) {
- DEBUG(1, ("no uid provided for [%s] in domain [%s].\n",
- name, dom->name));
- ret = EINVAL;
- goto fail;
+ /* Perform AD objectSid to uid mapping if needed */
+ if (strcmp(opts->user_map[SDAP_AT_USER_UID].name, "objectSid") == 0) {
+ ret = sysdb_attrs_get_el(attrs,
+ opts->user_map[SDAP_AT_USER_UID].sys_name,
+ &el);
+ if (ret) goto fail;
+ if (el->num_values == 0) {
+ DEBUG(1, ("no uid provided for [%s] in domain [%s].\n",
+ name, dom->name));
+ ret = EINVAL;
+ goto fail;
+ } else {
+ /* Contruct uid from objectSid */
+ const char *sid = (const char *)el->values[0].data;
+ int s = 2 + 6 + ((((int)sid[1])&0xff) - 1) * 4;
+ uid = (((int)sid[s])&0xff)|
+ ((((int)sid[s+1])&0xff)<<8)|
+ ((((int)sid[s+2])&0xff)<<16)|
+ ((((int)sid[s+3])&0xff)<<24);
+ /* Match winbind/idmap_rid mapping */
+ uid = uid + dom->id_min;
+ }
+ } else {
+ ret = sysdb_attrs_get_uint32_t(attrs,
+ opts->user_map[SDAP_AT_USER_UID].sys_name,
+ &uid);
+ if (ret != EOK) {
+ DEBUG(1, ("no uid provided for [%s] in domain [%s].\n",
+ name, dom->name));
+ ret = EINVAL;
+ goto fail;
+ }
 }
 /* check that the uid is valid for this domain */
-- 
1.7.1
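Review bot: The objectSid branch reads `sid[1]` and then `sid[s]`..`sid[s+3]` from `el->values[0].data` without ever checking `el->values[0].length`, so a short, truncated or non-binary value (for example the attribute delivered in its textual `S-1-5-...` form) reads past the end of the directory-supplied buffer; the sub-authority count and the derived offset should be validated against the value length before they are used. Assembling the RID in a signed `int` with `<<24` is undefined behaviour once the top bit of the RID is set, so the bytes should be combined in a `uint32_t`. Only the last sub-authority is used and the identifier authority and domain sub-authorities are ignored, so SIDs from any domain fold into the same `dom->id_min` range — presumably acceptable only while a single AD domain is served, which deserves a comment. `uid + dom->id_min` can also wrap; the range check that follows the hunk may reject an out-of-range result, but not a wrapped value that lands back inside the range. Typo in the new comment: `Contruct` → `Construct`.
```c
        } else {
            /* Construct uid from the RID (last sub-authority) of a binary objectSid.
             * Layout: revision(1) subauth_count(1) authority(6) subauth[count](4 each, LE). */
            const uint8_t *sid = el->values[0].data;
            size_t len = el->values[0].length;
            if (len < 8 || sid[0] != 1 || sid[1] < 1 || sid[1] > 15
                    || len < 8 + (size_t)sid[1] * 4) {
                DEBUG(1, ("malformed objectSid for [%s] in domain [%s].\n",
                          name, dom->name));
                ret = EINVAL;
                goto fail;
            }
            size_t s = 8 + ((size_t)sid[1] - 1) * 4;
            uint32_t rid = (uint32_t)sid[s]
                         | ((uint32_t)sid[s+1] << 8)
                         | ((uint32_t)sid[s+2] << 16)
                         | ((uint32_t)sid[s+3] << 24);
            /* Match winbind/idmap_rid mapping */
            uid = rid + dom->id_min;
        }
        /* … unchanged: non-objectSid branch … */
```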