From 1f28541a241d2dc4c5460344f817d56182a672ce Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 09:21:55 +0100 Subject: s4:dsdb: split extended_dn into extended_dn_in, extended_dn_out and extended_dn_store. By splitting the module, the extended_dn_in and extended_dn_store moudles can use extended_dn_out to actually get the extended DN. This avoids code duplication. The extended_dn_out module also contains a client implementation of the OpenLDAP dereference control (draft-masarati-ldap-deref-00). This also introduces a new control 'DSDB_CONTROL_DN_STORAGE_FORMAT_OID' to ask the extended_dn_out module to return whatever the 'storage format' is. This allows us to work with both OpenLDAP (which performs a dereference at run time) and LDB (which stores the GUID and SID on disk). Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 655 +++++++++++++++++++++++ 1 file changed, 655 insertions(+) create mode 100644 source4/dsdb/samdb/ldb_modules/extended_dn_out.c (limited to 'source4/dsdb/samdb/ldb_modules/extended_dn_out.c') diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c new file mode 100644 index 0000000000..058c51bdb8 --- /dev/null +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c @@ -0,0 +1,655 @@ +/* + ldb database library + + Copyright (C) Simo Sorce 2005-2008 + Copyright (C) Andrew Bartlett 2007-2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * Name: ldb + * + * Component: ldb extended dn control module + * + * Description: this module builds a special dn for returned search + * results, and fixes some other aspects of the result (returned case issues) + * values. + * + * Authors: Simo Sorce + * Andrew Bartlett + */ + +#include "includes.h" +#include "ldb/include/ldb.h" +#include "ldb/include/ldb_errors.h" +#include "ldb/include/ldb_private.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "librpc/ndr/libndr.h" +#include "dsdb/samdb/samdb.h" + +struct extended_dn_out_private { + bool dereference; + bool normalise; + struct dsdb_openldap_dereference_control *dereference_control; +}; + +static bool is_attr_in_list(const char * const * attrs, const char *attr) +{ + int i; + + for (i = 0; attrs[i]; i++) { + if (ldb_attr_cmp(attrs[i], attr) == 0) + return true; + } + + return false; +} + +static char **copy_attrs(void *mem_ctx, const char * const * attrs) +{ + char **new; + int i, num; + + for (num = 0; attrs[num]; num++); + + new = talloc_array(mem_ctx, char *, num + 1); + if (!new) return NULL; + + for(i = 0; i < num; i++) { + new[i] = talloc_strdup(new, attrs[i]); + if (!new[i]) { + talloc_free(new); + return NULL; + } + } + new[i] = NULL; + + return new; +} + +static bool add_attrs(void *mem_ctx, char ***attrs, const char *attr) +{ + char **new; + int num; + + for (num = 0; (*attrs)[num]; num++); + + new = talloc_realloc(mem_ctx, *attrs, char *, num + 2); + if (!new) return false; + + *attrs = new; + + new[num] = talloc_strdup(new, attr); + if (!new[num]) return false; + + new[num + 1] = NULL; + + return true; +} + +/* Fix the DN so that the relative attribute names are in upper case so that the DN: + cn=Adminstrator,cn=users,dc=samba,dc=example,dc=com becomes + CN=Adminstrator,CN=users,DC=samba,DC=example,DC=com +*/ + + +static int fix_dn(struct ldb_dn *dn) +{ + int i, ret; + char *upper_rdn_attr; + + for (i=0; i < ldb_dn_get_comp_num(dn); i++) { + /* We need the attribute name in upper case */ + upper_rdn_attr = strupper_talloc(dn, + ldb_dn_get_component_name(dn, i)); + if (!upper_rdn_attr) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* And replace it with CN=foo (we need the attribute in upper case */ + ret = ldb_dn_set_component(dn, i, upper_rdn_attr, + *ldb_dn_get_component_val(dn, i)); + talloc_free(upper_rdn_attr); + if (ret != LDB_SUCCESS) { + return ret; + } + } + return LDB_SUCCESS; +} + +/* Inject the extended DN components, so the DN cn=Adminstrator,cn=users,dc=samba,dc=example,dc=com becomes + ;;cn=Adminstrator,cn=users,dc=samba,dc=example,dc=com */ + +static int inject_extended_dn_out(struct ldb_reply *ares, + struct ldb_context *ldb, + int type, + bool remove_guid, + bool remove_sid) +{ + int ret; + const DATA_BLOB *guid_blob; + const DATA_BLOB *sid_blob; + + guid_blob = ldb_msg_find_ldb_val(ares->message, "objectGUID"); + sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSID"); + + if (!guid_blob) { + ldb_set_errstring(ldb, "Did not find objectGUID to inject into extended DN"); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_dn_set_extended_component(ares->message->dn, "GUID", guid_blob); + if (ret != LDB_SUCCESS) { + return ret; + } + if (sid_blob) { + ret = ldb_dn_set_extended_component(ares->message->dn, "SID", sid_blob); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + if (remove_guid) { + ldb_msg_remove_attr(ares->message, "objectGUID"); + } + + if (sid_blob && remove_sid) { + ldb_msg_remove_attr(ares->message, "objectSID"); + } + + return LDB_SUCCESS; +} + +static int handle_dereference(struct ldb_dn *dn, + struct dsdb_openldap_dereference_result **dereference_attrs, + const char *attr, const DATA_BLOB *val) +{ + const struct ldb_val *entryUUIDblob, *sid_blob; + struct ldb_message fake_msg; /* easier to use routines that expect an ldb_message */ + int j; + + fake_msg.num_elements = 0; + + /* Look for this attribute in the returned control */ + for (j = 0; dereference_attrs && dereference_attrs[j]; j++) { + struct ldb_val source_dn = data_blob_string_const(dereference_attrs[j]->dereferenced_dn); + if (ldb_attr_cmp(dereference_attrs[j]->source_attribute, attr) == 0 + && data_blob_cmp(&source_dn, val) == 0) { + fake_msg.num_elements = dereference_attrs[j]->num_attributes; + fake_msg.elements = dereference_attrs[j]->attributes; + break; + } + } + if (!fake_msg.num_elements) { + return LDB_SUCCESS; + } + /* Look for an OpenLDAP entryUUID */ + + entryUUIDblob = ldb_msg_find_ldb_val(&fake_msg, "entryUUID"); + if (entryUUIDblob) { + NTSTATUS status; + enum ndr_err_code ndr_err; + + struct ldb_val guid_blob; + struct GUID guid; + + status = GUID_from_data_blob(entryUUIDblob, &guid); + + if (!NT_STATUS_IS_OK(status)) { + return LDB_ERR_INVALID_DN_SYNTAX; + } + ndr_err = ndr_push_struct_blob(&guid_blob, NULL, NULL, &guid, + (ndr_push_flags_fn_t)ndr_push_GUID); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return LDB_ERR_INVALID_DN_SYNTAX; + } + + ldb_dn_set_extended_component(dn, "GUID", &guid_blob); + } + + sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSID"); + + /* Look for the objectSID */ + if (sid_blob) { + ldb_dn_set_extended_component(dn, "SID", sid_blob); + } + return LDB_SUCCESS; +} + +/* search */ +struct extended_search_context { + struct ldb_module *module; + const struct dsdb_schema *schema; + struct ldb_request *req; + bool inject; + bool remove_guid; + bool remove_sid; + int extended_type; +}; + +static int extended_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + struct extended_search_context *ac; + struct ldb_control *control; + struct dsdb_openldap_dereference_result_control *dereference_control = NULL; + int ret, i, j; + struct ldb_message *msg = ares->message; + struct extended_dn_out_private *private; + + ac = talloc_get_type(req->context, struct extended_search_context); + private = talloc_get_type(ac->module->private_data, struct extended_dn_out_private); + + if (!ares) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } + + switch (ares->type) { + case LDB_REPLY_REFERRAL: + return ldb_module_send_referral(ac->req, ares->referral); + + case LDB_REPLY_DONE: + return ldb_module_done(ac->req, ares->controls, + ares->response, LDB_SUCCESS); + case LDB_REPLY_ENTRY: + break; + } + + if (private && private->normalise) { + ret = fix_dn(ares->message->dn); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + if (ac->inject) { + /* for each record returned post-process to add any derived + attributes that have been asked for */ + ret = inject_extended_dn_out(ares, ac->module->ldb, + ac->extended_type, ac->remove_guid, + ac->remove_sid); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + if ((private && private->normalise) || ac->inject) { + const struct ldb_val *val = ldb_msg_find_ldb_val(ares->message, "distinguishedName"); + if (val) { + ldb_msg_remove_attr(ares->message, "distinguishedName"); + if (ac->inject) { + ret = ldb_msg_add_steal_string(ares->message, "distinguishedName", + ldb_dn_get_extended_linearized(ares->message, ares->message->dn, ac->extended_type)); + } else { + ret = ldb_msg_add_string(ares->message, "distinguishedName", + ldb_dn_get_linearized(ares->message->dn)); + } + if (ret != LDB_SUCCESS) { + ldb_oom(ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + } + } + + if (private && private->dereference) { + control = ldb_reply_get_control(ares, DSDB_OPENLDAP_DEREFERENCE_CONTROL); + + if (control && control->data) { + dereference_control = talloc_get_type(control->data, struct dsdb_openldap_dereference_result_control); + } + } + + /* Walk the retruned elements (but only if we have a schema to interpret the list with) */ + for (i = 0; ac->schema && i < msg->num_elements; i++) { + const struct dsdb_attribute *attribute; + attribute = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); + if (!attribute) { + continue; + } + + if (private->normalise) { + /* If we are also in 'normalise' mode, then + * fix the attribute names to be in the + * correct case */ + msg->elements[i].name = talloc_strdup(msg->elements, attribute->lDAPDisplayName); + if (!msg->elements[i].name) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); + } + } + + /* distinguishedName has been dealt with above */ + if (ldb_attr_cmp(msg->elements[i].name, "distinguishedName") == 0) { + continue; + } + + /* Look to see if this attributeSyntax is a DN */ + if (strcmp(attribute->attributeSyntax_oid, "2.5.5.1") != 0) { + continue; + } + + for (j = 0; j < msg->elements[i].num_values; j++) { + const char *dn_str; + struct ldb_dn *dn = ldb_dn_from_ldb_val(ac, ac->module->ldb, &msg->elements[i].values[j]); + if (!dn || !ldb_dn_validate(dn)) { + return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_INVALID_DN_SYNTAX); + } + + if (private->normalise) { + ret = fix_dn(dn); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + /* If we are running in dereference mode (such + * as against OpenLDAP) then the DN in the msg + * above does not contain the extended values, + * and we need to look in the dereference + * result */ + + /* Look for this value in the attribute */ + + if (dereference_control) { + ret = handle_dereference(dn, + dereference_control->attributes, + msg->elements[i].name, + &msg->elements[i].values[j]); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + if (!ac->inject) { + dn_str = talloc_steal(msg->elements[i].values, + ldb_dn_get_linearized(dn)); + } else { + dn_str = talloc_steal(msg->elements[i].values, + ldb_dn_get_extended_linearized(msg->elements[i].values, + dn, ac->extended_type)); + } + if (!dn_str) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); + } + msg->elements[i].values[j] = data_blob_string_const(dn_str); + talloc_free(dn); + } + } + return ldb_module_send_entry(ac->req, msg, ares->controls); +} + + +static int extended_dn_out_search(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_control *control; + struct ldb_control *storage_format_control; + struct ldb_extended_dn_control *extended_ctrl = NULL; + struct ldb_control **saved_controls; + struct extended_search_context *ac; + struct ldb_request *down_req; + char **new_attrs; + const char * const *const_attrs; + int ret; + + struct extended_dn_out_private *private = talloc_get_type(module->private_data, struct extended_dn_out_private); + + /* check if there's an extended dn control */ + control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID); + if (control && control->data) { + extended_ctrl = talloc_get_type(control->data, struct ldb_extended_dn_control); + if (!extended_ctrl) { + return LDB_ERR_PROTOCOL_ERROR; + } + } + + /* Look to see if, as we are in 'store DN+GUID+SID' mode, the + * client is after the storage format (to fill in linked + * attributes) */ + storage_format_control = ldb_request_get_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID); + if (!control && storage_format_control && storage_format_control->data) { + extended_ctrl = talloc_get_type(storage_format_control->data, struct ldb_extended_dn_control); + if (!extended_ctrl) { + ldb_set_errstring(module->ldb, "extended_dn_out: extended_ctrl was of the wrong data type"); + return LDB_ERR_PROTOCOL_ERROR; + } + } + + ac = talloc_zero(req, struct extended_search_context); + if (ac == NULL) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->module = module; + ac->schema = dsdb_get_schema(module->ldb); + ac->req = req; + ac->inject = false; + ac->remove_guid = false; + ac->remove_sid = false; + + const_attrs = req->op.search.attrs; + + /* We only need to do special processing if we were asked for + * the extended DN, or we are 'store DN+GUID+SID' + * (!dereference) mode. (This is the normal mode for LDB on + * tdb). */ + if (control || (storage_format_control && private && !private->dereference)) { + ac->inject = true; + if (extended_ctrl) { + ac->extended_type = extended_ctrl->type; + } else { + ac->extended_type = 0; + } + + /* check if attrs only is specified, in that case check wether we need to modify them */ + if (req->op.search.attrs && !is_attr_in_list(req->op.search.attrs, "*")) { + if (! is_attr_in_list(req->op.search.attrs, "objectGUID")) { + ac->remove_guid = true; + } + if (! is_attr_in_list(req->op.search.attrs, "objectSID")) { + ac->remove_sid = true; + } + if (ac->remove_guid || ac->remove_sid) { + new_attrs = copy_attrs(ac, req->op.search.attrs); + if (new_attrs == NULL) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + if (ac->remove_guid) { + if (!add_attrs(ac, &new_attrs, "objectGUID")) + return LDB_ERR_OPERATIONS_ERROR; + } + if (ac->remove_sid) { + if (!add_attrs(ac, &new_attrs, "objectSID")) + return LDB_ERR_OPERATIONS_ERROR; + } + const_attrs = (const char * const *)new_attrs; + } + } + } + + ret = ldb_build_search_req_ex(&down_req, + module->ldb, ac, + req->op.search.base, + req->op.search.scope, + req->op.search.tree, + const_attrs, + req->controls, + ac, extended_callback, + req); + if (ret != LDB_SUCCESS) { + return ret; + } + + /* Remove extended DN and storage format controls */ + + if (control) { + /* save it locally and remove it from the list */ + /* we do not need to replace them later as we + * are keeping the original req intact */ + if (!save_controls(control, down_req, &saved_controls)) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + if (storage_format_control) { + /* save it locally and remove it from the list */ + /* we do not need to replace them later as we + * are keeping the original req intact */ + if (!save_controls(storage_format_control, down_req, &saved_controls)) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + /* Add in dereference control, if we were asked to, we are + * using the 'dereference' mode (such as with an OpenLDAP + * backend) and have the control prepared */ + if (control && private && private->dereference && private->dereference_control) { + ret = ldb_request_add_control(down_req, + DSDB_OPENLDAP_DEREFERENCE_CONTROL, + false, private->dereference_control); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + /* perform the search */ + return ldb_next_request(module, down_req); +} + +static int extended_dn_out_ldb_init(struct ldb_module *module) +{ + int ret; + + struct extended_dn_out_private *private = talloc(module, struct extended_dn_out_private); + + module->private_data = private; + + if (!private) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + private->dereference = false; + private->normalise = false; + + ret = ldb_mod_register_control(module, LDB_CONTROL_EXTENDED_DN_OID); + if (ret != LDB_SUCCESS) { + ldb_debug(module->ldb, LDB_DEBUG_ERROR, + "extended_dn_out: Unable to register control with rootdse!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + return ldb_next_init(module); +} + +static int extended_dn_out_dereference_init(struct ldb_module *module) +{ + int ret, i = 0; + struct extended_dn_out_private *private; + struct dsdb_openldap_dereference_control *dereference_control; + struct dsdb_attribute *cur; + + struct dsdb_schema *schema; + + module->private_data = private = talloc_zero(module, struct extended_dn_out_private); + + if (!private) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + private->dereference = true; + + /* At the moment, servers that need dereference also need the + * DN and attribute names to be normalised */ + private->normalise = true; + + ret = ldb_mod_register_control(module, LDB_CONTROL_EXTENDED_DN_OID); + if (ret != LDB_SUCCESS) { + ldb_debug(module->ldb, LDB_DEBUG_ERROR, + "extended_dn_out: Unable to register control with rootdse!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_next_init(module); + + if (ret != LDB_SUCCESS) { + return ret; + } + + schema = dsdb_get_schema(module->ldb); + if (!schema) { + /* No schema on this DB (yet) */ + return LDB_SUCCESS; + } + + private->dereference_control = dereference_control + = talloc_zero(private, struct dsdb_openldap_dereference_control); + + if (!private->dereference_control) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + for (cur = schema->attributes; cur; cur = cur->next) { + static const char *attrs[] = { + "entryUUID", + "objectSID", + NULL + }; + + if (strcmp(cur->syntax->attributeSyntax_oid, "2.5.5.1") != 0) { + continue; + } + dereference_control->dereference + = talloc_realloc(private, dereference_control->dereference, + struct dsdb_openldap_dereference *, i + 2); + if (!dereference_control) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + dereference_control->dereference[i] = talloc(dereference_control->dereference, + struct dsdb_openldap_dereference); + if (!dereference_control->dereference[i]) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + dereference_control->dereference[i]->source_attribute = cur->lDAPDisplayName; + dereference_control->dereference[i]->dereference_attribute = attrs; + i++; + dereference_control->dereference[i] = NULL; + } + return LDB_SUCCESS; +} + +_PUBLIC_ const struct ldb_module_ops ldb_extended_dn_out_ldb_module_ops = { + .name = "extended_dn_out_ldb", + .search = extended_dn_out_search, + .init_context = extended_dn_out_ldb_init, +}; + + +_PUBLIC_ const struct ldb_module_ops ldb_extended_dn_out_dereference_module_ops = { + .name = "extended_dn_out_dereference", + .search = extended_dn_out_search, + .init_context = extended_dn_out_dereference_init, +}; -- cgit