SSSD · sumit-bose · Sep 5, 2025 · Dec 13, 2024 · Dec 18, 2024 · Dec 23, 2024
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
@@ -65,6 +65,7 @@
 #define SYSDB_DOMAIN_ID_RANGE_CLASS "domainIDRange"
 #define SYSDB_TRUSTED_AD_DOMAIN_RANGE_CLASS "TrustedADDomainRange"
 #define SYSDB_CERTMAP_CLASS "certificateMappingRule"
+#define SYSDB_AD_FSP_CLASS "foreignSecurityPrincipal"
 
 #define SYSDB_DN "dn"
 #define SYSDB_NAME "name"

diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
@@ -346,3 +346,18 @@ struct sdap_attr_map ad_sudorule_map[] = {
     { "ldap_sudorule_entry_usn", NULL, SYSDB_USN, NULL },
     SDAP_ATTR_MAP_TERMINATOR
 };
+
+enum ad_fsp_entry_attrs {
+    SDAP_OC_FSP = 0,
+    SDAP_AT_FSP_NAME,
+    SDAP_AT_FSP_OBJECTSID,
+
+    SDAP_OPTS_FSP /* attrs counter */
+};
+
+struct sdap_attr_map ad_fsp_map[] = {
+    { "ldap_fsp_object_class", "foreignSecurityPrincipal", SYSDB_AD_FSP_CLASS, NULL },
+    { "ldap_fsp_name", "cn", SYSDB_NAME, NULL },
+    { "ldap_fsp_objectsid", "objectSID", SYSDB_SID, NULL },
+    SDAP_ATTR_MAP_TERMINATOR
+};
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
@@ -1992,6 +1992,202 @@ static void generic_ext_search_handler(struct tevent_req *subreq,
     tevent_req_done(req);
 }
 
+/* ==Generic Search exposing all options with multiple maps === */
+struct sdap_get_and_multi_parse_generic_state {
+    struct sdap_attr_map *map;
+    int map_num_attrs;
+    struct sdap_attr_map_info *maps;
+    size_t num_maps;
+
+    struct sdap_reply sreply;
+    struct sdap_options *opts;
+};
+
+static void sdap_get_and_multi_parse_generic_done(struct tevent_req *subreq);
+static errno_t
+sdap_get_and_multi_parse_generic_parse_entry(struct sdap_handle *sh,
+                                             struct sdap_msg *msg,
+                                             void *pvt);
+
+struct tevent_req *
+sdap_get_and_multi_parse_generic_send(TALLOC_CTX *memctx,
+                                      struct tevent_context *ev,
+                                      struct sdap_options *opts,
+                                      struct sdap_handle *sh,
+                                      const char *search_base,
+                                      int scope,
+                                      const char *filter,
+                                      const char **attrs,
+                                      struct sdap_attr_map_info *maps,
+                                      size_t num_maps,
+                                      int attrsonly,
+                                      LDAPControl **serverctrls,
+                                      LDAPControl **clientctrls,
+                                      int sizelimit,
+                                      int timeout,
+                                      bool allow_paging)
+{
+    struct tevent_req *req = NULL;
+    struct tevent_req *subreq = NULL;
+    struct sdap_get_and_multi_parse_generic_state *state = NULL;
+    unsigned int flags = 0;
+
+    req = tevent_req_create(memctx, &state,
+                            struct sdap_get_and_multi_parse_generic_state);
+    if (!req) return NULL;
+
+    state->maps = maps;
+    state->num_maps = num_maps;
+    state->opts = opts;
+
+    if (allow_paging) {
+        flags |= SDAP_SRCH_FLG_PAGING;
+    }
+
+    if (attrsonly) {
+        flags |= SDAP_SRCH_FLG_ATTRS_ONLY;
+    }
+
+    subreq = sdap_get_generic_ext_send(state, ev, opts, sh, search_base,
+                                       scope, filter, attrs, serverctrls,
+                                       clientctrls, sizelimit, timeout,
+                                       sdap_get_and_multi_parse_generic_parse_entry,
+                                       state, flags);
+    if (!subreq) {
+        talloc_zfree(req);
+        return NULL;
+    }
+    tevent_req_set_callback(subreq, sdap_get_and_multi_parse_generic_done, req);
+
+    return req;
+}
+
+static errno_t
+sdap_get_and_multi_parse_generic_parse_entry(struct sdap_handle *sh,
+                                             struct sdap_msg *msg,
+                                             void *pvt)
+{
+    errno_t ret;
+    struct sdap_get_and_multi_parse_generic_state *state =
+                talloc_get_type(pvt, struct sdap_get_and_multi_parse_generic_state);
+    struct berval **vals;
+    int i, mi;
+    struct sdap_attr_map *map;
+    int num_attrs = 0;
+    struct sysdb_attrs *attrs = NULL;
+    char *tmp;
+    char *dn = NULL;
+    TALLOC_CTX *tmp_ctx;
+    bool disable_range_rtrvl;
+
+    tmp_ctx = talloc_new(NULL);
+    if (!tmp_ctx) return ENOMEM;
+
+    tmp = ldap_get_dn(sh->ldap, msg->msg);
+    if (!tmp) {
+        ret = EINVAL;
+        goto done;
+    }
+
+    dn = talloc_strdup(tmp_ctx, tmp);
+    ldap_memfree(tmp);
+    if (!dn) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Find all suitable maps in the list */
+    vals = ldap_get_values_len(sh->ldap, msg->msg, "objectClass");
+    if (!vals) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Unknown entry type, no objectClass found for DN [%s]!\n", dn);
+        ret = EINVAL;
+        goto done;
+    }
+    for (mi =0; mi < state->num_maps; mi++) {
+        map = NULL;
+        for (i = 0; vals[i]; i++) {
+            /* the objectclass is always the first name in the map */
+            if (strncasecmp(state->maps[mi].map[0].name,
+                            vals[i]->bv_val, vals[i]->bv_len) == 0) {
+                /* it's an entry of the right type */
+                DEBUG(SSSDBG_TRACE_INTERNAL,
+                      "Matched objectclass [%s] on DN [%s], will use associated map\n",
+                       state->maps[mi].map[0].name, dn);
+                map = state->maps[mi].map;
+                num_attrs = state->maps[mi].num_attrs;
+                break;
+            }
+        }
+        if (!map) {
+            DEBUG(SSSDBG_TRACE_INTERNAL,
+                  "DN [%s] did not match the objectClass [%s]\n",
+                   dn, state->maps[mi].map[0].name);
+            continue;
+        }
+
+        disable_range_rtrvl = dp_opt_get_bool(state->opts->basic,
+                                              SDAP_DISABLE_RANGE_RETRIEVAL);
+
+        ret = sdap_parse_entry(state, sh, msg,
+                               map, num_attrs,
+                               &attrs, disable_range_rtrvl);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
+            goto done;
+        }
+        ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS, map[0].name);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "Failed to add objectclass.\n");
+            goto done;
+        }
+
+        break;
+    }
+    ldap_value_free_len(vals);
+
+    /* If some mapped entry was found, add to to the reply */
+    if (attrs != NULL) {
+        ret = add_to_reply(state, &state->sreply, attrs);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "add_to_reply failed.\n");
+            goto done;
+        }
+    }
+
+    ret = EOK;
+done:
+    talloc_zfree(tmp_ctx);
+    return ret;
+}
+
+static void sdap_get_and_multi_parse_generic_done(struct tevent_req *subreq)
+{
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                      struct tevent_req);
+    struct sdap_get_and_multi_parse_generic_state *state = tevent_req_data(req,
+                                 struct sdap_get_and_multi_parse_generic_state);
+
+    return generic_ext_search_handler(subreq, state->opts);
+}
+
+int sdap_get_and_multi_parse_generic_recv(struct tevent_req *req,
+                                          TALLOC_CTX *mem_ctx,
+                                          size_t *reply_count,
+                                          struct sysdb_attrs ***reply)
+{
+    struct sdap_get_and_multi_parse_generic_state *state = tevent_req_data(req,
+                                 struct sdap_get_and_multi_parse_generic_state);
+
+    TEVENT_REQ_RETURN_ON_ERROR(req);
+
+    *reply_count = state->sreply.reply_count;
+    *reply = talloc_steal(mem_ctx, state->sreply.reply);
+
+    return EOK;
+}
+
 /* ==Generic Search exposing all options======================= */
 struct sdap_get_and_parse_generic_state {
     struct sdap_attr_map *map;

diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
@@ -260,6 +260,28 @@ int sdap_get_generic_recv(struct tevent_req *req,
                          TALLOC_CTX *mem_ctx, size_t *reply_count,
                          struct sysdb_attrs ***reply_list);
 
+struct tevent_req *
+sdap_get_and_multi_parse_generic_send(TALLOC_CTX *memctx,
+                                      struct tevent_context *ev,
+                                      struct sdap_options *opts,
+                                      struct sdap_handle *sh,
+                                      const char *search_base,
+                                      int scope,
+                                      const char *filter,
+                                      const char **attrs,
+                                      struct sdap_attr_map_info *maps,
+                                      size_t num_maps,
+                                      int attrsonly,
+                                      LDAPControl **serverctrls,
+                                      LDAPControl **clientctrls,
+                                      int sizelimit,
+                                      int timeout,
+                                      bool allow_paging);
+int sdap_get_and_multi_parse_generic_recv(struct tevent_req *req,
+                                          TALLOC_CTX *mem_ctx,
+                                          size_t *reply_count,
+                                          struct sysdb_attrs ***reply);
+
 bool sdap_has_deref_support_ex(struct sdap_handle *sh,
                                struct sdap_options *opts,
                                bool ignore_client);