-rw-r--r-- | source4/dsdb/samdb/ldb_modules/descriptor.c | 387 |
1 files changed, 0 insertions, 387 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 51b80d8587..917413214e 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -379,106 +379,6 @@ static struct descriptor_context *descriptor_init_context(struct ldb_module *mod return ac; } -static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares) -{ - struct ldb_context *ldb; - struct descriptor_context *ac; - int ret; - - ac = talloc_get_type(req->context, struct descriptor_context); - ldb = ldb_module_get_ctx(ac->module); - - if (!ares) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares->error != LDB_SUCCESS && - ares->error != LDB_ERR_NO_SUCH_OBJECT) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - ldb_reset_err_string(ldb); - - switch (ares->type) { - case LDB_REPLY_ENTRY: - if (ac->search_res != NULL) { - ldb_set_errstring(ldb, "Too many results"); - talloc_free(ares); - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - - ac->search_res = talloc_steal(ac, ares); - break; - - case LDB_REPLY_REFERRAL: - /* ignore */ - talloc_free(ares); - break; - - case LDB_REPLY_DONE: - talloc_free(ares); - ret = ac->step_fn(ac); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); - } - break; - } - - return LDB_SUCCESS; -} - -static int get_search_oc_callback(struct ldb_request *req, struct ldb_reply *ares) -{ - struct ldb_context *ldb; - struct descriptor_context *ac; - int ret; - - ac = talloc_get_type(req->context, struct descriptor_context); - ldb = ldb_module_get_ctx(ac->module); - - if (!ares) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares->error != LDB_SUCCESS && - ares->error != LDB_ERR_NO_SUCH_OBJECT) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - ldb_reset_err_string(ldb); - - switch (ares->type) { - case LDB_REPLY_ENTRY: - if (ac->search_oc_res != NULL) { - ldb_set_errstring(ldb, "Too many results"); - talloc_free(ares); - return ldb_module_done(ac->req, NULL, NULL, - 
LDB_ERR_OPERATIONS_ERROR); - } - - ac->search_oc_res = talloc_steal(ac, ares); - break; - - case LDB_REPLY_REFERRAL: - /* ignore */ - talloc_free(ares); - break; - - case LDB_REPLY_DONE: - talloc_free(ares); - ret = ac->step_fn(ac); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); - } - break; - } - - return LDB_SUCCESS; -} - static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares) { struct descriptor_context *ac; 
@@ -549,220 +449,6 @@ fail: return ldb_module_done(ac->req, NULL, NULL, ret); } -static int descriptor_do_mod(struct descriptor_context *ac) -{ - struct ldb_context *ldb; - const struct dsdb_schema *schema; - struct ldb_request *mod_req; - struct ldb_message_element *objectclass_element, *oldsd_el; - struct ldb_val *oldsd_val = NULL; - int ret; - DATA_BLOB *sd; - const struct dsdb_class *objectclass; - struct ldb_control *sd_control; - struct ldb_control *sd_control2; - uint32_t sd_flags = 0; - - ldb = ldb_module_get_ctx(ac->module); - schema = dsdb_get_schema(ldb, ac); - - objectclass_element = ldb_msg_find_element(ac->search_oc_res->message, - "objectClass"); - if (objectclass_element == NULL) { - return ldb_operr(ldb); - } - - objectclass = get_last_structural_class(schema, objectclass_element, ac->req); - if (objectclass == NULL) { - return ldb_operr(ldb); - } - - sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID); - sd_control2 = ldb_request_get_control(ac->req, - LDB_CONTROL_RECALCULATE_SD_OID); - if (sd_control) { - struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data; - sd_flags = sdctr->secinfo_flags; - /* we only care for the last 4 bits */ - sd_flags = sd_flags & 0x0000000F; - } - if (sd_flags != 0) { - oldsd_el = ldb_msg_find_element(ac->search_oc_res->message, - "nTSecurityDescriptor"); - if (oldsd_el) { - oldsd_val = oldsd_el->values; - } - } - - sd = get_new_descriptor(ac->module, ac->msg->dn, ac, - objectclass, ac->parentsd_val, - ac->sd_val, oldsd_val, sd_flags); - if (sd != NULL) { - if (ac->sd_val != NULL) { - ac->sd_element->values[0] = *sd; - } else if (sd_control2 != NULL) { - /* In this branch we really do force the recalculation - * of the SD */ - ldb_msg_remove_attr(ac->msg, "nTSecurityDescriptor"); - - ret = ldb_msg_add_steal_value(ac->msg, - "nTSecurityDescriptor", - sd); - if (ret != LDB_SUCCESS) { - return ret; - } - ac->sd_element = ldb_msg_find_element(ac->msg, - 
"nTSecurityDescriptor"); - ac->sd_element->flags = LDB_FLAG_MOD_REPLACE; - } - } - - /* mark the controls as non-critical since we've handled them */ - if (sd_control != NULL) { - sd_control->critical = 0; - } - if (sd_control2 != NULL) { - sd_control2->critical = 0; - } - - ret = ldb_build_mod_req(&mod_req, ldb, ac, - ac->msg, - ac->req->controls, - ac->req, dsdb_next_callback, - ac->req); - LDB_REQ_SET_LOCATION(mod_req); - if (ret != LDB_SUCCESS) { - return ret; - } - - return ldb_next_request(ac->module, mod_req); -} - -static int descriptor_do_add(struct descriptor_context *ac) -{ - struct ldb_context *ldb; - const struct dsdb_schema *schema; - struct ldb_request *add_req; - struct ldb_message_element *objectclass_element; - int ret; - DATA_BLOB *sd; - const struct dsdb_class *objectclass; - static const char *const attrs[] = { "objectClass", "nTSecurityDescriptor", NULL }; - struct ldb_request *search_req; - - ldb = ldb_module_get_ctx(ac->module); - schema = dsdb_get_schema(ldb, ac); - - switch (ac->req->operation) { - case LDB_ADD: - ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message); - if (ac->msg == NULL) { - return ldb_module_oom(ac->module); - } - - objectclass_element = ldb_msg_find_element(ac->msg, - "objectClass"); - if (objectclass_element == NULL) { - return ldb_operr(ldb); - } - - objectclass = get_last_structural_class(schema, - objectclass_element, ac->req); - if (objectclass == NULL) { - return ldb_operr(ldb); - } - break; - case LDB_MODIFY: - ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message); - if (ac->msg == NULL) { - return ldb_module_oom(ac->module); - } - break; - default: - return ldb_operr(ldb); - } - - /* Check if there is a valid security descriptor provided */ - ac->sd_element = dsdb_get_single_valued_attr(ac->msg, - "nTSecurityDescriptor", - ac->req->operation); - if ((ac->sd_element != NULL) && (ac->sd_element->num_values == 1)) { - ac->sd_val = talloc_memdup(ac, - &ac->sd_element->values[0], - sizeof(struct 
ldb_val)); - } - - /* If we do have a parent, then please fetch it's security descriptor. - * But have in mind: NCs don't have any parents! That means - * "CN=Configuration,DC=example,DC=com" has no parent - * "DC=example,DC=com" since this is located under another NC! */ - if (ac->search_res != NULL) { - struct ldb_message_element *parent_element = NULL; - struct ldb_dn *nc_root; - - ret = dsdb_find_nc_root(ldb, ac, ac->msg->dn, &nc_root); - if (ret != LDB_SUCCESS) { - return ret; - } - - if (ldb_dn_compare(ac->msg->dn, nc_root) != 0) { - /* we aren't any NC */ - parent_element = ldb_msg_find_element(ac->search_res->message, - "nTSecurityDescriptor"); - if (parent_element != NULL) { - ac->parentsd_val = talloc_memdup(ac, - &parent_element->values[0], - sizeof(struct ldb_val)); - } - } - } - - if (ac->req->operation == LDB_ADD) { - /* Get the parent descriptor and the one provided. If not - * provided, get the default. Convert it to a security - * descriptor and calculate the permissions. 
*/ - sd = get_new_descriptor(ac->module, ac->msg->dn, ac, - objectclass, ac->parentsd_val, - ac->sd_val, NULL, 0); - if (sd != NULL) { - if (ac->sd_val != NULL) { - ac->sd_element->values[0] = *sd; - } else if (ac->sd_element == NULL) { - ret = ldb_msg_add_steal_value(ac->msg, - "nTSecurityDescriptor", - sd); - if (ret != LDB_SUCCESS) { - return ret; - } - } - } - - ret = ldb_build_add_req(&add_req, ldb, ac, - ac->msg, - ac->req->controls, - ac->req, dsdb_next_callback, - ac->req); - LDB_REQ_SET_LOCATION(add_req); - if (ret != LDB_SUCCESS) { - return ret; - } - return ldb_next_request(ac->module, add_req); - } else { - ret = ldb_build_search_req(&search_req, ldb, ac, - ac->msg->dn, LDB_SCOPE_BASE, - "(objectClass=*)", attrs, - NULL, - ac, get_search_oc_callback, - ac->req); - LDB_REQ_SET_LOCATION(search_req); - if (ret != LDB_SUCCESS) { - return ret; - } - ac->step_fn = descriptor_do_mod; - return ldb_next_request(ac->module, search_req); - } -} - static int descriptor_add(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; 
@@ -1017,79 +703,6 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, mod_req); } - -static int descriptor_change(struct ldb_module *module, struct ldb_request *req) -{ - struct ldb_context *ldb; - struct ldb_control *sd_control; - struct ldb_request *search_req; - struct descriptor_context *ac; - struct ldb_dn *parent_dn, *dn; - struct ldb_message_element *sd_element; - int ret; - static const char * const descr_attrs[] = { "nTSecurityDescriptor", NULL }; - - ldb = ldb_module_get_ctx(module); - - switch (req->operation) { - case LDB_ADD: - dn = req->op.add.message->dn; - break; - case LDB_MODIFY: - dn = req->op.mod.message->dn; - sd_element = ldb_msg_find_element(req->op.mod.message, - "nTSecurityDescriptor"); - /* This control forces the recalculation of the SD also when - * no modification is performed. */ - sd_control = ldb_request_get_control(req, - LDB_CONTROL_RECALCULATE_SD_OID); - if (!sd_element && !sd_control) { - return ldb_next_request(module, req); - } - break; - default: - return ldb_operr(ldb); - } - ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_change: %s\n", ldb_dn_get_linearized(dn)); - - /* do not manipulate our control entries */ - if (ldb_dn_is_special(dn)) { - return ldb_next_request(module, req); - } - - ac = descriptor_init_context(module, req); - if (ac == NULL) { - return ldb_operr(ldb); - } - - /* If there isn't a parent, just go on to the add processing */ - if (ldb_dn_get_comp_num(dn) == 1) { - return descriptor_do_add(ac); - } - - /* get copy of parent DN */ - parent_dn = ldb_dn_get_parent(ac, dn); - if (parent_dn == NULL) { - return ldb_oom(ldb); - } - - ret = ldb_build_search_req(&search_req, ldb, - ac, parent_dn, LDB_SCOPE_BASE, - "(objectClass=*)", descr_attrs, - NULL, - ac, get_search_callback, - req); - LDB_REQ_SET_LOCATION(search_req); - if (ret != LDB_SUCCESS) { - return ret; - } - talloc_steal(search_req, parent_dn); - - ac->step_fn = descriptor_do_add; - - return 
ldb_next_request(ac->module, search_req); -} - static int descriptor_search(struct ldb_module *module, struct ldb_request *req) { int ret; |