From b255a41dca63a68f404e37b7eb46b54070bea466 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Mon, 10 Aug 2009 13:16:41 +0200 Subject: s4:operational module - move and enhancements This moves the "operational" LDB module to the right place under "dsdb/samdb/ldb_modules" (suggested by abartlet) and enhances it for supporting dynamic generated "primaryGroupToken" for AD groups. This should fix bug #6466. --- source4/dsdb/samdb/ldb_modules/config.mk | 11 + source4/dsdb/samdb/ldb_modules/operational.c | 347 +++++++++++++++++++++++++++ source4/lib/ldb/config.mk | 12 - source4/lib/ldb/modules/operational.c | 314 ------------------------ 4 files changed, 358 insertions(+), 326 deletions(-) create mode 100644 source4/dsdb/samdb/ldb_modules/operational.c delete mode 100644 source4/lib/ldb/modules/operational.c diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index c039dda065..18144dd2c5 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -323,3 +323,14 @@ SUBSYSTEM = LIBLDB ldb_instancetype_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/instancetype.o +################################################ +# Start MODULE ldb_operational +[MODULE::ldb_operational] +SUBSYSTEM = LIBLDB +CFLAGS = -Ilib/ldb/include +PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT +INIT_FUNCTION = LDB_MODULE(operational) +# End MODULE ldb_operational +################################################ + +ldb_operational_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/operational.o diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c new file mode 100644 index 0000000000..9cbe1db070 --- /dev/null +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -0,0 +1,347 @@ +/* + ldb database library + + Copyright (C) Andrew Tridgell 2005 + Copyright (C) Simo Sorce 2006-2008 + Copyright (C) Matthias Dieter Wallnöfer 2009 + + ** NOTE! The following LGPL license applies to the ldb + ** library. This does NOT imply that all of Samba is released + ** under the LGPL + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, see . +*/ + +/* + handle operational attributes + */ + +/* + createTimestamp: HIDDEN, searchable, ldaptime, alias for whenCreated + modifyTimestamp: HIDDEN, searchable, ldaptime, alias for whenChanged + + for the above two, we do the search as normal, and if + createTimestamp or modifyTimestamp is asked for, then do + additional searches for whenCreated and whenChanged and fill in + the resulting values + + we also need to replace these with the whenCreated/whenChanged + equivalent in the search expression trees + + whenCreated: not-HIDDEN, CONSTRUCTED, SEARCHABLE + whenChanged: not-HIDDEN, CONSTRUCTED, SEARCHABLE + + on init we need to setup attribute handlers for these so + comparisons are done correctly. The resolution is 1 second. + + on add we need to add both the above, for current time + + on modify we need to change whenChanged + + + subschemaSubentry: HIDDEN, not-searchable, + points at DN CN=Aggregate,$SCHEMADN + + for this one we do the search as normal, then add the static + value if requested. How do we work out the $BASEDN from inside a + module? + + structuralObjectClass: HIDDEN, CONSTRUCTED, not-searchable. always same as objectclass? + + for this one we do the search as normal, then if requested ask + for objectclass, change the attribute name, and add it + + allowedAttributesEffective: HIDDEN, CONSTRUCTED, not-searchable, + + list of attributes that can be modified - requires schema lookup + + primaryGroupToken: HIDDEN, CONSTRUCTED, SEARCHABLE + + contains the RID of a certain group object + + + attributeTypes: in schema only + objectClasses: in schema only + matchingRules: in schema only + matchingRuleUse: in schema only + creatorsName: not supported by w2k3? + modifiersName: not supported by w2k3? +*/ + +#include "ldb_includes.h" +#include "ldb_module.h" + +#include "includes.h" +#include "dsdb/samdb/samdb.h" + +#ifndef ARRAY_SIZE +#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0])) +#endif + +/* + construct a canonical name from a message +*/ +static int construct_canonical_name(struct ldb_module *module, + struct ldb_message *msg) +{ + char *canonicalName; + canonicalName = ldb_dn_canonical_string(msg, msg->dn); + if (canonicalName == NULL) { + return -1; + } + return ldb_msg_add_steal_string(msg, "canonicalName", canonicalName); +} + +/* + construct a primary group token for groups from a message +*/ +static int construct_primary_group_token(struct ldb_module *module, + struct ldb_message *msg) +{ + struct ldb_context *ldb; + uint32_t primary_group_token; + + ldb = ldb_module_get_ctx(module); + + if (samdb_search_count(ldb, ldb, msg->dn, "(objectclass=group)") == 1) { + primary_group_token + = samdb_result_rid_from_sid(ldb, msg, "objectSid", 0); + return samdb_msg_add_int(ldb, ldb, msg, "primaryGroupToken", + primary_group_token); + } else { + return LDB_SUCCESS; + } +} + + +/* + a list of attribute names that should be substituted in the parse + tree before the search is done +*/ +static const struct { + const char *attr; + const char *replace; +} parse_tree_sub[] = { + { "createTimestamp", "whenCreated" }, + { "modifyTimestamp", "whenChanged" } +}; + + +/* + a list of attribute names that are hidden, but can be searched for + using another (non-hidden) name to produce the correct result +*/ +static const struct { + const char *attr; + const char *replace; + int (*constructor)(struct ldb_module *, struct ldb_message *); +} search_sub[] = { + { "createTimestamp", "whenCreated", NULL }, + { "modifyTimestamp", "whenChanged", NULL }, + { "structuralObjectClass", "objectClass", NULL }, + { "canonicalName", "distinguishedName", construct_canonical_name }, + { "primaryGroupToken", "objectSid", construct_primary_group_token } +}; + +/* + post process a search result record. For any search_sub[] attributes that were + asked for, we need to call the appropriate copy routine to copy the result + into the message, then remove any attributes that we added to the search but + were not asked for by the user +*/ +static int operational_search_post_process(struct ldb_module *module, + struct ldb_message *msg, + const char * const *attrs) +{ + struct ldb_context *ldb; + int i, a=0; + + ldb = ldb_module_get_ctx(module); + + for (a=0;attrs && attrs[a];a++) { + for (i=0;icontext, struct operational_context); + + if (!ares) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + /* for each record returned post-process to add any derived + attributes that have been asked for */ + ret = operational_search_post_process(ac->module, + ares->message, + ac->attrs); + if (ret != 0) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + return ldb_module_send_entry(ac->req, ares->message, ares->controls); + + case LDB_REPLY_REFERRAL: + /* ignore referrals */ + break; + + case LDB_REPLY_DONE: + + return ldb_module_done(ac->req, ares->controls, + ares->response, LDB_SUCCESS); + } + + talloc_free(ares); + return LDB_SUCCESS; +} + +static int operational_search(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_context *ldb; + struct operational_context *ac; + struct ldb_request *down_req; + const char **search_attrs = NULL; + int i, a; + int ret; + + ldb = ldb_module_get_ctx(module); + + ac = talloc(req, struct operational_context); + if (ac == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->module = module; + ac->req = req; + ac->attrs = req->op.search.attrs; + + /* FIXME: We must copy the tree and keep the original + * unmodified. SSS */ + /* replace any attributes in the parse tree that are + searchable, but are stored using a different name in the + backend */ + for (i=0;iop.search.tree, + parse_tree_sub[i].attr, + parse_tree_sub[i].replace); + } + + /* in the list of attributes we are looking for, rename any + attributes to the alias for any hidden attributes that can + be fetched directly using non-hidden names */ + for (a=0;ac->attrs && ac->attrs[a];a++) { + for (i=0;iattrs[a], search_sub[i].attr) == 0 && + search_sub[i].replace) { + if (!search_attrs) { + search_attrs = ldb_attr_list_copy(req, ac->attrs); + if (search_attrs == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + search_attrs[a] = search_sub[i].replace; + } + } + } + + ret = ldb_build_search_req_ex(&down_req, ldb, ac, + req->op.search.base, + req->op.search.scope, + req->op.search.tree, + /* use new set of attrs if any */ + search_attrs == NULL?req->op.search.attrs:search_attrs, + req->controls, + ac, operational_callback, + req); + if (ret != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* perform the search */ + return ldb_next_request(module, down_req); +} + +static int operational_init(struct ldb_module *ctx) +{ + int ret = 0; + + if (ret != 0) { + return ret; + } + + return ldb_next_init(ctx); +} + +const struct ldb_module_ops ldb_operational_module_ops = { + .name = "operational", + .search = operational_search, + .init_context = operational_init +}; diff --git a/source4/lib/ldb/config.mk b/source4/lib/ldb/config.mk index 6fcf3943d0..4a1f814baa 100644 --- a/source4/lib/ldb/config.mk +++ b/source4/lib/ldb/config.mk @@ -46,18 +46,6 @@ SUBSYSTEM = LIBLDB ldb_paged_searches_OBJ_FILES = $(ldbsrcdir)/modules/paged_searches.o -################################################ -# Start MODULE ldb_operational -[MODULE::ldb_operational] -SUBSYSTEM = LIBLDB -CFLAGS = -I$(ldbsrcdir)/include -PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT -INIT_FUNCTION = LDB_MODULE(operational) -# End MODULE ldb_operational -################################################ - -ldb_operational_OBJ_FILES = $(ldbsrcdir)/modules/operational.o - ################################################ # Start MODULE ldb_rdn_name [MODULE::ldb_rdn_name] diff --git a/source4/lib/ldb/modules/operational.c b/source4/lib/ldb/modules/operational.c deleted file mode 100644 index 77b0014afa..0000000000 --- a/source4/lib/ldb/modules/operational.c +++ /dev/null @@ -1,314 +0,0 @@ -/* - ldb database library - - Copyright (C) Andrew Tridgell 2005 - Copyright (C) Simo Sorce 2006-2008 - - ** NOTE! The following LGPL license applies to the ldb - ** library. This does NOT imply that all of Samba is released - ** under the LGPL - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 3 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, see . -*/ -/* - handle operational attributes - */ - -/* - createTimestamp: HIDDEN, searchable, ldaptime, alias for whenCreated - modifyTimestamp: HIDDEN, searchable, ldaptime, alias for whenChanged - - for the above two, we do the search as normal, and if - createTimestamp or modifyTimestamp is asked for, then do - additional searches for whenCreated and whenChanged and fill in - the resulting values - - we also need to replace these with the whenCreated/whenChanged - equivalent in the search expression trees - - whenCreated: not-HIDDEN, CONSTRUCTED, SEARCHABLE - whenChanged: not-HIDDEN, CONSTRUCTED, SEARCHABLE - - on init we need to setup attribute handlers for these so - comparisons are done correctly. The resolution is 1 second. - - on add we need to add both the above, for current time - - on modify we need to change whenChanged - - - subschemaSubentry: HIDDEN, not-searchable, - points at DN CN=Aggregate,$SCHEMADN - - for this one we do the search as normal, then add the static - value if requested. How do we work out the $BASEDN from inside a - module? - - - structuralObjectClass: HIDDEN, CONSTRUCTED, not-searchable. always same as objectclass? - - for this one we do the search as normal, then if requested ask - for objectclass, change the attribute name, and add it - - allowedAttributesEffective: HIDDEN, CONSTRUCTED, not-searchable, - list of attributes that can be modified - requires schema lookup - - - attributeTypes: in schema only - objectClasses: in schema only - matchingRules: in schema only - matchingRuleUse: in schema only - creatorsName: not supported by w2k3? - modifiersName: not supported by w2k3? -*/ - -#include "ldb_includes.h" -#include "ldb_module.h" - -#ifndef ARRAY_SIZE -#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0])) -#endif - -/* - construct a canonical name from a message -*/ -static int construct_canonical_name(struct ldb_module *module, struct ldb_message *msg) -{ - char *canonicalName; - canonicalName = ldb_dn_canonical_string(msg, msg->dn); - if (canonicalName == NULL) { - return -1; - } - return ldb_msg_add_steal_string(msg, "canonicalName", canonicalName); -} - -/* - a list of attribute names that should be substituted in the parse - tree before the search is done -*/ -static const struct { - const char *attr; - const char *replace; -} parse_tree_sub[] = { - { "createTimestamp", "whenCreated" }, - { "modifyTimestamp", "whenChanged" } -}; - - -/* - a list of attribute names that are hidden, but can be searched for - using another (non-hidden) name to produce the correct result -*/ -static const struct { - const char *attr; - const char *replace; - int (*constructor)(struct ldb_module *, struct ldb_message *); -} search_sub[] = { - { "createTimestamp", "whenCreated", NULL }, - { "modifyTimestamp", "whenChanged", NULL }, - { "structuralObjectClass", "objectClass", NULL }, - { "canonicalName", "distinguishedName", construct_canonical_name } -}; - -/* - post process a search result record. For any search_sub[] attributes that were - asked for, we need to call the appropriate copy routine to copy the result - into the message, then remove any attributes that we added to the search but were - not asked for by the user -*/ -static int operational_search_post_process(struct ldb_module *module, - struct ldb_message *msg, - const char * const *attrs) -{ - struct ldb_context *ldb; - int i, a=0; - - ldb = ldb_module_get_ctx(module); - - for (a=0;attrs && attrs[a];a++) { - for (i=0;icontext, struct operational_context); - - if (!ares) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares->error != LDB_SUCCESS) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - /* for each record returned post-process to add any derived - attributes that have been asked for */ - ret = operational_search_post_process(ac->module, - ares->message, - ac->attrs); - if (ret != 0) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - return ldb_module_send_entry(ac->req, ares->message, ares->controls); - - case LDB_REPLY_REFERRAL: - /* ignore referrals */ - break; - - case LDB_REPLY_DONE: - - return ldb_module_done(ac->req, ares->controls, - ares->response, LDB_SUCCESS); - } - - talloc_free(ares); - return LDB_SUCCESS; -} - -static int operational_search(struct ldb_module *module, struct ldb_request *req) -{ - struct ldb_context *ldb; - struct operational_context *ac; - struct ldb_request *down_req; - const char **search_attrs = NULL; - int i, a; - int ret; - - ldb = ldb_module_get_ctx(module); - - ac = talloc(req, struct operational_context); - if (ac == NULL) { - return LDB_ERR_OPERATIONS_ERROR; - } - - ac->module = module; - ac->req = req; - ac->attrs = req->op.search.attrs; - - /* FIXME: We must copy the tree and keep the original - * unmodified. SSS */ - /* replace any attributes in the parse tree that are - searchable, but are stored using a different name in the - backend */ - for (i=0;iop.search.tree, - parse_tree_sub[i].attr, - parse_tree_sub[i].replace); - } - - /* in the list of attributes we are looking for, rename any - attributes to the alias for any hidden attributes that can - be fetched directly using non-hidden names */ - for (a=0;ac->attrs && ac->attrs[a];a++) { - for (i=0;iattrs[a], search_sub[i].attr) == 0 && - search_sub[i].replace) { - if (!search_attrs) { - search_attrs = ldb_attr_list_copy(req, ac->attrs); - if (search_attrs == NULL) { - return LDB_ERR_OPERATIONS_ERROR; - } - } - search_attrs[a] = search_sub[i].replace; - } - } - } - - ret = ldb_build_search_req_ex(&down_req, ldb, ac, - req->op.search.base, - req->op.search.scope, - req->op.search.tree, - /* use new set of attrs if any */ - search_attrs == NULL?req->op.search.attrs:search_attrs, - req->controls, - ac, operational_callback, - req); - if (ret != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; - } - - /* perform the search */ - return ldb_next_request(module, down_req); -} - -static int operational_init(struct ldb_module *ctx) -{ - int ret = 0; - - if (ret != 0) { - return ret; - } - - return ldb_next_init(ctx); -} - -const struct ldb_module_ops ldb_operational_module_ops = { - .name = "operational", - .search = operational_search, - .init_context = operational_init -}; -- cgit