From d2ec925c63fdcfd102f7adcc345ce9f1fe886fd3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 10 Dec 2008 17:23:44 +1100 Subject: Fix sequence number generation against OpenLDAP It seems that in 2deeb99fff1a90c79ba1927e1a069362e250a63c adding the partition control to this request was missed out. Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/partition.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c index 2a321e29c5..5500c75a92 100644 --- a/source4/dsdb/samdb/ldb_modules/partition.c +++ b/source4/dsdb/samdb/ldb_modules/partition.c @@ -895,6 +895,14 @@ static int partition_sequence_number(struct ldb_module *module, struct ldb_reque return ret; } + ret = ldb_request_add_control(treq, + DSDB_CONTROL_CURRENT_PARTITION_OID, + false, data->partitions[i]); + if (ret != LDB_SUCCESS) { + talloc_free(res); + return ret; + } + ret = partition_request(data->partitions[i]->module, treq); if (ret != LDB_SUCCESS) { talloc_free(res); -- cgit From 56d39e1711854f4e82f8370955a34539be22c483 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 4 Dec 2008 10:38:07 +1100 Subject: Make greater use of 'GUID_from_data_blob' This avoids accidentily running off the end of a string, and uses a single 'guess which type of GUID I have' algorithm. Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/simple_ldap_map.c | 51 +++++------------------- 1 file changed, 11 insertions(+), 40 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c b/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c index c353914e2c..0e42f7869a 100644 --- a/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c +++ b/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c @@ -44,7 +44,7 @@ struct entryuuid_private { static struct ldb_val encode_guid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val) { struct GUID guid; - NTSTATUS status = GUID_from_string((char *)val->data, &guid); + NTSTATUS status = GUID_from_data_blob(val, &guid); enum ndr_err_code ndr_err; struct ldb_val out = data_blob(NULL, 0); @@ -62,27 +62,13 @@ static struct ldb_val encode_guid(struct ldb_module *module, TALLOC_CTX *ctx, co static struct ldb_val guid_always_string(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val) { - struct GUID *guid; struct ldb_val out = data_blob(NULL, 0); - if (val->length >= 32 && val->data[val->length] == '\0') { - ldb_handler_copy(module->ldb, ctx, val, &out); - } else { - enum ndr_err_code ndr_err; - - guid = talloc(ctx, struct GUID); - if (guid == NULL) { - return out; - } - ndr_err = ndr_pull_struct_blob(val, guid, NULL, guid, - (ndr_pull_flags_fn_t)ndr_pull_GUID); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - talloc_free(guid); - return out; - } - out = data_blob_string_const(GUID_string(ctx, guid)); - talloc_free(guid); + struct GUID guid; + NTSTATUS status = GUID_from_data_blob(val, &guid); + if (!NT_STATUS_IS_OK(status)) { + return out; } - return out; + return data_blob_string_const(GUID_string(ctx, &guid)); } static struct ldb_val encode_ns_guid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val) @@ -107,27 +93,12 @@ static struct ldb_val encode_ns_guid(struct ldb_module *module, TALLOC_CTX *ctx, static struct ldb_val guid_ns_string(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val) { struct ldb_val out = data_blob(NULL, 0); - if (val->length >= 32 && val->data[val->length] == '\0') { - struct GUID guid; - GUID_from_string((char *)val->data, &guid); - out = data_blob_string_const(NS_GUID_string(ctx, &guid)); - } else { - enum ndr_err_code ndr_err; - struct GUID *guid_p; - guid_p = talloc(ctx, struct GUID); - if (guid_p == NULL) { - return out; - } - ndr_err = ndr_pull_struct_blob(val, guid_p, NULL, guid_p, - (ndr_pull_flags_fn_t)ndr_pull_GUID); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - talloc_free(guid_p); - return out; - } - out = data_blob_string_const(NS_GUID_string(ctx, guid_p)); - talloc_free(guid_p); + struct GUID guid; + NTSTATUS status = GUID_from_data_blob(val, &guid); + if (!NT_STATUS_IS_OK(status)) { + return out; } - return out; + return data_blob_string_const(NS_GUID_string(ctx, &guid)); } /* The backend holds binary sids, so just copy them back */ -- cgit From 8ce5640fbfd48debc3e6b3f27e07d1a0d79bd2b4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 8 Dec 2008 22:22:21 +1100 Subject: Add hint to use passwordAttributes in @KLUDGE_ACL in future This module is not used at the moment, but if we do use it again, we should try to avoid duplicate lists. Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/local_password.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/local_password.c b/source4/dsdb/samdb/ldb_modules/local_password.c index 622e444166..4e864e1452 100644 --- a/source4/dsdb/samdb/ldb_modules/local_password.c +++ b/source4/dsdb/samdb/ldb_modules/local_password.c @@ -47,7 +47,8 @@ Each incoming add/modify is split into a remote, and a local request, done in that order. - We maintain a list of attributes that are kept locally: + We maintain a list of attributes that are kept locally - perhaps + this should use the @KLUDGE_ACL list of passwordAttribute */ static const char * const password_attrs[] = { -- cgit From 30ae74d39957b56f7ad893275fc7704b5b923332 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 08:28:55 +0100 Subject: s4:dsdb: add support for DSDB_OPENLDAP_DEREFERENCE_CONTROL Encode and decode the OpenLDAP dereference control (draft-masarati-ldap-deref-00) At this time, the ldb_controls infrustructure does not handle request and reply controls having different formats, so this is purely the client implementation (ie, there is no decode of the client->server packet, and no encode of the server->client packet). Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/samdb.h | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index 93068d66ef..570221ee25 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -100,4 +100,26 @@ struct dsdb_pdc_fsmo { */ #define DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID "1.3.6.1.4.1.7165.4.4.2" +#define DSDB_OPENLDAP_DEREFERENCE_CONTROL "1.3.6.1.4.1.4203.666.5.16" + +struct dsdb_openldap_dereference { + const char *source_attribute; + const char **dereference_attribute; +}; + +struct dsdb_openldap_dereference_control { + struct dsdb_openldap_dereference **dereference; +}; + +struct dsdb_openldap_dereference_result { + const char *source_attribute; + const char *dereferenced_dn; + int num_attributes; + struct ldb_message_element *attributes; +}; + +struct dsdb_openldap_dereference_result_control { + struct dsdb_openldap_dereference_result **attributes; +}; + #endif /* __SAMDB_H__ */ -- cgit From b65f1a097754d32dd8b156e719d4a4f328bf4fbc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 08:40:49 +0100 Subject: s4:samldb: improve error strings When things go wrong with LDB, this routine seems to be particularly sensitive to it. This extra debugging should help the next poor soul who breaks LDB. Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/samldb.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 95a16b5527..627e15ab93 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -346,13 +346,14 @@ static int samldb_get_parent_domain_callback(struct ldb_request *req, } nextRid = ldb_msg_find_attr_as_string(ares->message, - "nextRid", NULL); + "nextRid", NULL); if (nextRid == NULL) { ldb_asprintf_errstring(ac->module->ldb, - "attribute nextRid not found in %s\n", - ldb_dn_get_linearized(ares->message->dn)); + "while looking for domain above %s attribute nextRid not found in %s\n", + ldb_dn_get_linearized(ac->req->op.add.message->dn), + ldb_dn_get_linearized(ares->message->dn)); ret = LDB_ERR_OPERATIONS_ERROR; - break;; + break; } ac->next_rid = strtol(nextRid, NULL, 0); @@ -369,6 +370,7 @@ static int samldb_get_parent_domain_callback(struct ldb_request *req, talloc_free(ares); ret = LDB_SUCCESS; + ldb_reset_err_string(ac->module->ldb); break; case LDB_REPLY_REFERRAL: @@ -1067,8 +1069,8 @@ static int samldb_foreign_notice_sid_callback(struct ldb_request *req, "nextRid", NULL); if (nextRid == NULL) { ldb_asprintf_errstring(ac->module->ldb, - "attribute nextRid not found in %s\n", - ldb_dn_get_linearized(ares->message->dn)); + "while looking for forign sid %s attribute nextRid not found in %s\n", + dom_sid_string(ares, ac->sid), ldb_dn_get_linearized(ares->message->dn)); ret = LDB_ERR_OPERATIONS_ERROR; break; } -- cgit From 1107021f3aa4ad1a3995a018d11aed485aa39c38 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 08:41:22 +0100 Subject: s4:samldb: make use of dom_sid_split_rid() Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/samldb.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 627e15ab93..7ecc41d2c3 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -1120,6 +1120,7 @@ static int samldb_foreign_notice_sid(struct samldb_ctx *ac) { static const char * const attrs[3] = { "nextRid", "name", NULL }; struct ldb_request *req; + NTSTATUS status; char *filter; int ret; @@ -1127,12 +1128,10 @@ static int samldb_foreign_notice_sid(struct samldb_ctx *ac) return LDB_ERR_OPERATIONS_ERROR; } - ac->domain_sid = dom_sid_dup(ac, ac->sid); - if (!ac->domain_sid) { + status = dom_sid_split_rid(ac, ac->sid, &ac->domain_sid, NULL); + if (!NT_STATUS_IS_OK(status)) { return LDB_ERR_OPERATIONS_ERROR; } - /* get the domain component part of the provided SID */ - ac->domain_sid->num_auths--; filter = talloc_asprintf(ac, "(&(objectSid=%s)(objectclass=domain))", ldap_encode_ndr_dom_sid(ac, ac->domain_sid)); -- cgit From 596fe759e1fed835173146a74ac9986066acc48e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 08:59:05 +0100 Subject: s4:ldb: make it possible to return per entry controls Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/anr.c | 2 +- source4/dsdb/samdb/ldb_modules/extended_dn.c | 2 +- source4/dsdb/samdb/ldb_modules/kludge_acl.c | 2 +- source4/dsdb/samdb/ldb_modules/local_password.c | 6 +++--- source4/dsdb/samdb/ldb_modules/normalise.c | 2 +- source4/dsdb/samdb/ldb_modules/partition.c | 2 +- source4/dsdb/samdb/ldb_modules/proxy.c | 2 +- source4/dsdb/samdb/ldb_modules/ranged_results.c | 2 +- source4/dsdb/samdb/ldb_modules/rootdse.c | 2 +- source4/dsdb/samdb/ldb_modules/schema_fsmo.c | 4 ++-- source4/dsdb/samdb/ldb_modules/show_deleted.c | 2 +- 11 files changed, 14 insertions(+), 14 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/anr.c b/source4/dsdb/samdb/ldb_modules/anr.c index da23030ed3..49e453ffa1 100644 --- a/source4/dsdb/samdb/ldb_modules/anr.c +++ b/source4/dsdb/samdb/ldb_modules/anr.c @@ -289,7 +289,7 @@ static int anr_search_callback(struct ldb_request *req, struct ldb_reply *ares) switch (ares->type) { case LDB_REPLY_ENTRY: - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); case LDB_REPLY_REFERRAL: return ldb_module_send_referral(ac->req, ares->referral); diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn.c b/source4/dsdb/samdb/ldb_modules/extended_dn.c index a0602d9281..48683db456 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn.c @@ -241,7 +241,7 @@ static int extended_callback(struct ldb_request *req, struct ldb_reply *ares) } } - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); case LDB_REPLY_REFERRAL: return ldb_module_send_referral(ac->req, ares->referral); diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index 97179a8126..275e9b5299 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c @@ -301,7 +301,7 @@ static int kludge_acl_callback(struct ldb_request *req, struct ldb_reply *ares) } } - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); case LDB_REPLY_REFERRAL: return ldb_module_send_referral(ac->req, ares->referral); diff --git a/source4/dsdb/samdb/ldb_modules/local_password.c b/source4/dsdb/samdb/ldb_modules/local_password.c index 4e864e1452..55d895791a 100644 --- a/source4/dsdb/samdb/ldb_modules/local_password.c +++ b/source4/dsdb/samdb/ldb_modules/local_password.c @@ -820,7 +820,7 @@ static int lpdb_local_search_callback(struct ldb_request *req, /* free the rest */ talloc_free(ares); - return ldb_module_send_entry(ac->req, merge->message); + return ldb_module_send_entry(ac->req, merge->message, merge->controls); case LDB_REPLY_REFERRAL: /* ignore */ @@ -833,7 +833,7 @@ static int lpdb_local_search_callback(struct ldb_request *req, /* if this entry was not returned yet, return it now */ if (lr->remote) { - ret = ldb_module_send_entry(ac->req, ac->remote->message); + ret = ldb_module_send_entry(ac->req, ac->remote->message, ac->remote->controls); if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); @@ -899,7 +899,7 @@ static int lpdb_remote_search_callback(struct ldb_request *req, ldb_msg_remove_attr(ares->message, "objectClass"); } - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); } if (ldb_msg_find_ldb_val(ares->message, "objectGUID") == NULL) { diff --git a/source4/dsdb/samdb/ldb_modules/normalise.c b/source4/dsdb/samdb/ldb_modules/normalise.c index 2366bc7856..9ead1612db 100644 --- a/source4/dsdb/samdb/ldb_modules/normalise.c +++ b/source4/dsdb/samdb/ldb_modules/normalise.c @@ -134,7 +134,7 @@ static int normalize_search_callback(struct ldb_request *req, struct ldb_reply * } } - return ldb_module_send_entry(ac->req, msg); + return ldb_module_send_entry(ac->req, msg, ares->controls); case LDB_REPLY_REFERRAL: diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c index 5500c75a92..0d2ce64604 100644 --- a/source4/dsdb/samdb/ldb_modules/partition.c +++ b/source4/dsdb/samdb/ldb_modules/partition.c @@ -186,7 +186,7 @@ static int partition_req_callback(struct ldb_request *req, return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); case LDB_REPLY_DONE: if (ares->error == LDB_SUCCESS) { diff --git a/source4/dsdb/samdb/ldb_modules/proxy.c b/source4/dsdb/samdb/ldb_modules/proxy.c index 2ff42297b7..23116be9ac 100644 --- a/source4/dsdb/samdb/ldb_modules/proxy.c +++ b/source4/dsdb/samdb/ldb_modules/proxy.c @@ -280,7 +280,7 @@ static int proxy_search_callback(struct ldb_request *req, ac->count++; #endif proxy_convert_record(ac->module->ldb, proxy, ares->message); - ret = ldb_module_send_entry(ac->req, ares->message); + ret = ldb_module_send_entry(ac->req, ares->message, ares->controls); break; case LDB_REPLY_REFERRAL: diff --git a/source4/dsdb/samdb/ldb_modules/ranged_results.c b/source4/dsdb/samdb/ldb_modules/ranged_results.c index b8e43a7e88..eeb161bdde 100644 --- a/source4/dsdb/samdb/ldb_modules/ranged_results.c +++ b/source4/dsdb/samdb/ldb_modules/ranged_results.c @@ -164,7 +164,7 @@ static int rr_search_callback(struct ldb_request *req, struct ldb_reply *ares) } } - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); } /* search */ diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c index b38e182cf7..04a97fcd3b 100644 --- a/source4/dsdb/samdb/ldb_modules/rootdse.c +++ b/source4/dsdb/samdb/ldb_modules/rootdse.c @@ -278,7 +278,7 @@ static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares) return ldb_module_done(ac->req, NULL, NULL, ret); } - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); case LDB_REPLY_REFERRAL: /* should we allow the backend to return referrals in this case diff --git a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c index df409a8ae3..bfcf239f3a 100644 --- a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c +++ b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c @@ -406,7 +406,7 @@ static int schema_fsmo_search_callback(struct ldb_request *req, struct ldb_reply case LDB_REPLY_ENTRY: if (ldb_dn_compare(ares->message->dn, mc->aggregate_dn) != 0) { - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); } for (i=0; i < ARRAY_SIZE(generated_attrs); i++) { @@ -418,7 +418,7 @@ static int schema_fsmo_search_callback(struct ldb_request *req, struct ldb_reply } } - return ldb_module_send_entry(ac->req, ares->message); + return ldb_module_send_entry(ac->req, ares->message, ares->controls); case LDB_REPLY_REFERRAL: diff --git a/source4/dsdb/samdb/ldb_modules/show_deleted.c b/source4/dsdb/samdb/ldb_modules/show_deleted.c index 0e3b46debe..0914e51ebe 100644 --- a/source4/dsdb/samdb/ldb_modules/show_deleted.c +++ b/source4/dsdb/samdb/ldb_modules/show_deleted.c @@ -64,7 +64,7 @@ static int show_deleted_search_callback(struct ldb_request *req, switch (ares->type) { case LDB_REPLY_ENTRY: - return ldb_module_send_entry(ar->req, ares->message); + return ldb_module_send_entry(ar->req, ares->message, ares->controls); case LDB_REPLY_REFERRAL: return ldb_module_send_referral(ar->req, ares->referral); -- cgit From d68ad8218ff104da35c2ed5b389c18926484c3af Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 09:01:35 +0100 Subject: s4:rootdse: fix the logic to indentify a rootdse search Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/rootdse.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c index 04a97fcd3b..461a554ec0 100644 --- a/source4/dsdb/samdb/ldb_modules/rootdse.c +++ b/source4/dsdb/samdb/ldb_modules/rootdse.c @@ -301,8 +301,7 @@ static int rootdse_search(struct ldb_module *module, struct ldb_request *req) int ret; /* see if its for the rootDSE - only a base search on the "" DN qualifies */ - if (req->op.search.scope != LDB_SCOPE_BASE || - ( ! ldb_dn_is_null(req->op.search.base))) { + if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) { /* Otherwise, pass down to the rest of the stack */ return ldb_next_request(module, req); } -- cgit From 911cf5d62569e77e9f490f28e776b5b47c81e05b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Nov 2008 20:06:16 +1100 Subject: s4:dsdb: Make the linked_attributes module set an extended dn This means that linked attributes will always have the same case form as the actaul entry, as we search for that entry. We then also use the GUID and SID found on that entry to fill in the extended DN on disk. Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/linked_attributes.c | 517 +++++++++++++-------- 1 file changed, 325 insertions(+), 192 deletions(-) (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c index f16eb215a6..a3318ccabd 100644 --- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c +++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c @@ -32,10 +32,12 @@ #include "ldb/include/ldb.h" #include "ldb/include/ldb_errors.h" #include "ldb/include/ldb_private.h" +#include "ldb/include/dlinklist.h" #include "dsdb/samdb/samdb.h" struct la_op_store { struct la_op_store *next; + struct la_op_store *prev; enum la_op {LA_OP_ADD, LA_OP_DEL} op; struct ldb_dn *dn; char *name; @@ -52,10 +54,12 @@ struct la_context { const struct dsdb_schema *schema; struct ldb_module *module; struct ldb_request *req; - + struct ldb_dn *add_dn; + struct ldb_dn *del_dn; struct replace_context *rc; struct la_op_store *ops; - struct la_op_store *cur; + struct ldb_extended *op_response; + struct ldb_control **op_controls; }; static struct la_context *linked_attributes_init(struct ldb_module *module, @@ -65,7 +69,7 @@ static struct la_context *linked_attributes_init(struct ldb_module *module, ac = talloc_zero(req, struct la_context); if (ac == NULL) { - ldb_set_errstring(module->ldb, "Out of Memory"); + ldb_oom(module->ldb); return NULL; } @@ -80,9 +84,9 @@ static struct la_context *linked_attributes_init(struct ldb_module *module, * series of modify requests */ static int la_store_op(struct la_context *ac, enum la_op op, struct ldb_val *dn, - const char *name, const char *value) + const char *name) { - struct la_op_store *os, *tmp; + struct la_op_store *os; struct ldb_dn *op_dn; op_dn = ldb_dn_from_ldb_val(ac, ac->module->ldb, dn); @@ -92,68 +96,30 @@ static int la_store_op(struct la_context *ac, return LDB_ERR_INVALID_DN_SYNTAX; } - /* optimize out del - add operations that would end up - * with no changes */ - if (ac->ops && op == LA_OP_DEL) { - /* do a linear search to find out if there is - * an equivalent add */ - os = ac->ops; - while (os->next) { - - tmp = os->next; - if (tmp->op == LA_OP_ADD) { - - if ((strcmp(name, tmp->name) == 0) && - (strcmp(value, tmp->value) == 0) && - (ldb_dn_compare(op_dn, tmp->dn) == 0)) { - - break; - } - } - os = os->next; - } - if (os->next) { - /* pair found, remove it and return */ - os->next = tmp->next; - talloc_free(tmp); - talloc_free(op_dn); - return LDB_SUCCESS; - } - } - os = talloc_zero(ac, struct la_op_store); if (!os) { + ldb_oom(ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } os->op = op; os->dn = talloc_steal(os, op_dn); - if (!os->dn) { - return LDB_ERR_OPERATIONS_ERROR; - } os->name = talloc_strdup(os, name); if (!os->name) { + ldb_oom(ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } - if ((op != LA_OP_DEL) && (value == NULL)) { - return LDB_ERR_OPERATIONS_ERROR; - } - if (value) { - os->value = talloc_strdup(os, value); - if (!os->value) { - return LDB_ERR_OPERATIONS_ERROR; - } - } - - if (ac->ops) { - ac->cur->next = os; + /* Do deletes before adds */ + if (op == LA_OP_ADD) { + DLIST_ADD_END(ac->ops, os, struct la_op_store *); } else { - ac->ops = os; + /* By adding to the head of the list, we do deletes before + * adds when processing a replace */ + DLIST_ADD(ac->ops, os); } - ac->cur = os; return LDB_SUCCESS; } @@ -164,8 +130,6 @@ static int la_do_mod_request(struct la_context *ac); static int la_mod_callback(struct ldb_request *req, struct ldb_reply *ares); static int la_down_req(struct la_context *ac); -static int la_down_callback(struct ldb_request *req, - struct ldb_reply *ares); @@ -175,7 +139,6 @@ static int linked_attributes_add(struct ldb_module *module, struct ldb_request * const struct dsdb_attribute *target_attr; struct la_context *ac; const char *attr_name; - const char *attr_val; int ret; int i, j; @@ -231,12 +194,11 @@ static int linked_attributes_add(struct ldb_module *module, struct ldb_request * } attr_name = target_attr->lDAPDisplayName; - attr_val = ldb_dn_get_linearized(ac->req->op.add.message->dn); for (j = 0; j < el->num_values; j++) { ret = la_store_op(ac, LA_OP_ADD, &el->values[j], - attr_name, attr_val); + attr_name); if (ret != LDB_SUCCESS) { return ret; } @@ -245,6 +207,7 @@ static int linked_attributes_add(struct ldb_module *module, struct ldb_request * /* if no linked attributes are present continue */ if (ac->ops == NULL) { + /* nothing to do for this module, proceed */ talloc_free(ac); return ldb_next_request(module, req); } @@ -265,7 +228,6 @@ static int la_mod_search_callback(struct ldb_request *req, struct ldb_reply *are struct replace_context *rc; struct la_context *ac; const char *attr_name; - const char *dn; int i, j; int ret = LDB_SUCCESS; @@ -286,16 +248,18 @@ static int la_mod_search_callback(struct ldb_request *req, struct ldb_reply *are case LDB_REPLY_ENTRY: if (ldb_dn_compare(ares->message->dn, ac->req->op.mod.message->dn) != 0) { + ldb_asprintf_errstring(ac->module->ldb, + "linked_attributes: %s is not the DN we were looking for", ldb_dn_get_linearized(ares->message->dn)); /* Guh? We only asked for this DN */ - ldb_oom(ac->module->ldb); talloc_free(ares); return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } - dn = ldb_dn_get_linearized(ac->req->op.add.message->dn); + ac->add_dn = ac->del_dn = talloc_steal(ac, ares->message->dn); - for (i = 0; i < rc->num_elements; i++) { + /* We don't populate 'rc' for ADD - it can't be deleting elements anyway */ + for (i = 0; rc && i < rc->num_elements; i++) { schema_attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, rc->el[i].name); if (!schema_attr) { @@ -330,11 +294,11 @@ static int la_mod_search_callback(struct ldb_request *req, struct ldb_reply *are } attr_name = target_attr->lDAPDisplayName; - /* make sure we manage each value */ + /* Now we know what was there, we can remove it for the re-add */ for (j = 0; j < search_el->num_values; j++) { ret = la_store_op(ac, LA_OP_DEL, &search_el->values[j], - attr_name, dn); + attr_name); if (ret != LDB_SUCCESS) { talloc_free(ares); return ldb_module_done(ac->req, @@ -353,10 +317,20 @@ static int la_mod_search_callback(struct ldb_request *req, struct ldb_reply *are talloc_free(ares); - /* Start with the original request */ - ret = la_down_req(ac); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); + if (ac->req->operation == LDB_ADD) { + /* Start the modifies to the backlinks */ + ret = la_do_mod_request(ac); + + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, + ret); + } + } else { + /* Start with the original request */ + ret = la_down_req(ac); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } } return LDB_SUCCESS; } @@ -377,6 +351,8 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques int i, j; struct la_context *ac; struct ldb_request *search_req; + const char **attrs; + int ret; if (ldb_dn_is_special(req->op.mod.message->dn)) { @@ -394,12 +370,15 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques return ldb_next_request(module, req); } - ac->rc = NULL; + ac->rc = talloc_zero(ac, struct replace_context); + if (!ac->rc) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } for (i=0; i < req->op.mod.message->num_elements; i++) { bool store_el = false; const char *attr_name; - const char *attr_val; const struct dsdb_attribute *target_attr; const struct ldb_message_element *el = &req->op.mod.message->elements[i]; const struct dsdb_attribute *schema_attr @@ -437,8 +416,7 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques } attr_name = target_attr->lDAPDisplayName; - attr_val = ldb_dn_get_linearized(ac->req->op.mod.message->dn); - + switch (el->flags & LDB_FLAG_MOD_MASK) { case LDB_FLAG_MOD_REPLACE: /* treat as just a normal add the delete part is handled by the callback */ @@ -452,7 +430,7 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques for (j = 0; j < el->num_values; j++) { ret = la_store_op(ac, LA_OP_ADD, &el->values[j], - attr_name, attr_val); + attr_name); if (ret != LDB_SUCCESS) { return ret; } @@ -466,7 +444,7 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques for (j = 0; j < el->num_values; j++) { ret = la_store_op(ac, LA_OP_DEL, &el->values[j], - attr_name, attr_val); + attr_name); if (ret != LDB_SUCCESS) { return ret; } @@ -484,15 +462,6 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques if (store_el) { struct ldb_message_element *search_el; - /* Fill out ac->rc only if we have to find the old values */ - if (!ac->rc) { - ac->rc = talloc_zero(ac, struct replace_context); - if (!ac->rc) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - } - search_el = talloc_realloc(ac->rc, ac->rc->el, struct ldb_message_element, ac->rc->num_elements +1); @@ -506,25 +475,21 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques ac->rc->num_elements++; } } - - /* both replace and delete without values are handled in the callback - * after the search on the entry to be modified is performed */ - - /* Only bother doing a search of this entry (to find old - * values) if replace or delete operations are attempted */ - if (ac->rc) { - const char **attrs; - - attrs = talloc_array(ac->rc, const char *, ac->rc->num_elements +1); + + if (ac->ops || ac->rc->el) { + /* both replace and delete without values are handled in the callback + * after the search on the entry to be modified is performed */ + + attrs = talloc_array(ac->rc, const char *, ac->rc->num_elements + 1); if (!attrs) { ldb_oom(module->ldb); return LDB_ERR_OPERATIONS_ERROR; } - for (i = 0; i < ac->rc->num_elements; i++) { + for (i = 0; ac->rc && i < ac->rc->num_elements; i++) { attrs[i] = ac->rc->el[i].name; } attrs[i] = NULL; - + /* The callback does all the hard work here */ ret = ldb_build_search_req(&search_req, module->ldb, ac, req->op.mod.message->dn, @@ -534,32 +499,31 @@ static int linked_attributes_modify(struct ldb_module *module, struct ldb_reques ac, la_mod_search_callback, req); + /* We need to figure out our own extended DN, to fill in as the backlink target */ + if (ret == LDB_SUCCESS) { + ret = ldb_request_add_control(search_req, + LDB_CONTROL_EXTENDED_DN_OID, + false, NULL); + } if (ret == LDB_SUCCESS) { talloc_steal(search_req, attrs); - + ret = ldb_next_request(module, search_req); } - } else { - if (ac->ops) { - /* Start with the original request */ - ret = la_down_req(ac); - } else { - /* nothing to do for this module, proceed */ - talloc_free(ac); - ret = ldb_next_request(module, req); - } + /* nothing to do for this module, proceed */ + talloc_free(ac); + ret = ldb_next_request(module, req); } return ret; } /* delete, rename */ -static int linked_attributes_op(struct ldb_module *module, struct ldb_request *req) +static int linked_attributes_del(struct ldb_module *module, struct ldb_request *req) { struct ldb_request *search_req; - struct ldb_dn *base_dn; struct la_context *ac; const char **attrs; WERROR werr; @@ -574,17 +538,6 @@ static int linked_attributes_op(struct ldb_module *module, struct ldb_request *r - Regain our sainity */ - switch (req->operation) { - case LDB_RENAME: - base_dn = req->op.rename.olddn; - break; - case LDB_DELETE: - base_dn = req->op.del.dn; - break; - default: - return LDB_ERR_OPERATIONS_ERROR; - } - ac = linked_attributes_init(module, req); if (!ac) { return LDB_ERR_OPERATIONS_ERROR; @@ -601,7 +554,7 @@ static int linked_attributes_op(struct ldb_module *module, struct ldb_request *r } ret = ldb_build_search_req(&search_req, module->ldb, req, - base_dn, LDB_SCOPE_BASE, + req->op.del.dn, LDB_SCOPE_BASE, "(objectClass=*)", attrs, NULL, ac, la_op_search_callback, @@ -616,6 +569,35 @@ static int linked_attributes_op(struct ldb_module *module, struct ldb_request *r return ldb_next_request(module, search_req); } +/* delete, rename */ +static int linked_attributes_rename(struct ldb_module *module, struct ldb_request *req) +{ + struct la_context *ac; + + /* This gets complex: We need to: + - Do a search for the entry + - Wait for these result to appear + - In the callback for the result, issue a modify + request based on the linked attributes found + - Wait for each modify result + - Regain our sainity + */ + + ac = linked_attributes_init(module, req); + if (!ac) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (!ac->schema) { + /* without schema, this doesn't make any sense */ + return ldb_next_request(module, req); + } + + /* start with the original request */ + return la_down_req(ac); +} + + static int la_op_search_callback(struct ldb_request *req, struct ldb_reply *ares) { @@ -624,8 +606,6 @@ static int la_op_search_callback(struct ldb_request *req, const struct dsdb_attribute *target_attr; const struct ldb_message_element *el; const char *attr_name; - const char *deldn; - const char *adddn; int i, j; int ret; @@ -659,15 +639,16 @@ static int la_op_search_callback(struct ldb_request *req, switch (ac->req->operation) { case LDB_DELETE: - deldn = ldb_dn_get_linearized(ac->req->op.del.dn); - adddn = NULL; + ac->del_dn = talloc_steal(ac, ares->message->dn); break; case LDB_RENAME: - deldn = ldb_dn_get_linearized(ac->req->op.rename.olddn); - adddn = ldb_dn_get_linearized(ac->req->op.rename.newdn); + ac->add_dn = talloc_steal(ac, ares->message->dn); + ac->del_dn = talloc_steal(ac, ac->req->op.rename.olddn); break; default: talloc_free(ares); + ldb_set_errstring(ac->module->ldb, + "operations must be delete or rename"); return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); } @@ -708,16 +689,15 @@ static int la_op_search_callback(struct ldb_request *req, for (j = 0; j < el->num_values; j++) { ret = la_store_op(ac, LA_OP_DEL, &el->values[j], - attr_name, deldn); - if (ret != LDB_SUCCESS) { - talloc_free(ares); - return ldb_module_done(ac->req, - NULL, NULL, ret); + attr_name); + + /* for renames, ensure we add it back */ + if (ret == LDB_SUCCESS + && ac->req->operation == LDB_RENAME) { + ret = la_store_op(ac, LA_OP_ADD, + &el->values[j], + attr_name); } - if (!adddn) continue; - ret = la_store_op(ac, LA_OP_ADD, - &el->values[j], - attr_name, adddn); if (ret != LDB_SUCCESS) { talloc_free(ares); return ldb_module_done(ac->req, @@ -736,10 +716,31 @@ static int la_op_search_callback(struct ldb_request *req, talloc_free(ares); - /* start the mod requests chain */ - ret = la_down_req(ac); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); + + switch (ac->req->operation) { + case LDB_DELETE: + /* start the mod requests chain */ + ret = la_down_req(ac); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + break; + case LDB_RENAME: + + ret = la_do_mod_request(ac); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, + ret); + } + + return ret; + + default: + talloc_free(ares); + ldb_set_errstring(ac->module->ldb, + "operations must be delete or rename"); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); } return LDB_SUCCESS; } @@ -757,6 +758,12 @@ static int la_do_mod_request(struct la_context *ac) struct ldb_context *ldb; int ret; + /* If we have no modifies in the queue, we are done! */ + if (!ac->ops) { + return ldb_module_done(ac->req, ac->op_controls, + ac->op_response, LDB_SUCCESS); + } + ldb = ac->module->ldb; /* Create the modify request */ @@ -765,10 +772,7 @@ static int la_do_mod_request(struct la_context *ac) ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; } - new_msg->dn = ldb_dn_copy(new_msg, ac->ops->dn); - if (!new_msg->dn) { - return LDB_ERR_OPERATIONS_ERROR; - } + new_msg->dn = ac->ops->dn; if (ac->ops->op == LA_OP_ADD) { ret = ldb_msg_add_empty(new_msg, ac->ops->name, @@ -785,8 +789,19 @@ static int la_do_mod_request(struct la_context *ac) ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; } - ret_el->values[0] = data_blob_string_const(ac->ops->value); ret_el->num_values = 1; + if (ac->ops->op == LA_OP_ADD) { + ret_el->values[0] = data_blob_string_const(ldb_dn_get_extended_linearized(new_msg, ac->add_dn, 1)); + } else { + ret_el->values[0] = data_blob_string_const(ldb_dn_get_extended_linearized(new_msg, ac->del_dn, 1)); + } + +#if 0 + ldb_debug(ac->module->ldb, LDB_DEBUG_WARNING, + "link on %s %s: %s %s\n", + ldb_dn_get_linearized(new_msg->dn), ret_el->name, + ret_el->values[0].data, ac->ops->op == LA_OP_ADD ? "added" : "deleted"); +#endif /* use ac->ops as the mem_ctx so that the request will be freed * in the callback as soon as completed */ @@ -808,7 +823,6 @@ static int la_mod_callback(struct ldb_request *req, struct ldb_reply *ares) { struct la_context *ac; struct la_op_store *os; - int ret; ac = talloc_get_type(req->context, struct la_context); @@ -831,30 +845,180 @@ static int la_mod_callback(struct ldb_request *req, struct ldb_reply *ares) talloc_free(ares); - if (ac->ops) { - os = ac->ops; - ac->ops = os->next; + os = ac->ops; + DLIST_REMOVE(ac->ops, os); + + /* this frees the request too + * DO NOT access 'req' after this point */ + talloc_free(os); - /* this frees the request too - * DO NOT access 'req' after this point */ - talloc_free(os); + return la_do_mod_request(ac); +} + +/* Having done the original operation, then try to fix up all the linked attributes for modify and delete */ +static int la_mod_del_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + int ret; + struct la_context *ac; + ac = talloc_get_type(req->context, struct la_context); + + if (!ares) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); } - /* If we still have modifies in the queue, then run them */ - if (ac->ops) { - ret = la_do_mod_request(ac); - } else { - /* Otherwise, we are done! */ - ret = ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); + if (ares->type != LDB_REPLY_DONE) { + ldb_set_errstring(ac->module->ldb, + "invalid ldb_reply_type in callback"); + talloc_free(ares); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); } + + ac->op_controls = talloc_steal(ac, ares->controls); + ac->op_response = talloc_steal(ac, ares->response); + /* If we have modfies to make, this is the time to do them for modify and delete */ + ret = la_do_mod_request(ac); + if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); } + talloc_free(ares); + + /* la_do_mod_request has already sent the callbacks */ return LDB_SUCCESS; + +} + +/* Having done the original rename try to fix up all the linked attributes */ +static int la_rename_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + int ret; + struct la_context *ac; + struct ldb_request *search_req; + const char **attrs; + WERROR werr; + ac = talloc_get_type(req->context, struct la_context); + + if (!ares) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } + + if (ares->type != LDB_REPLY_DONE) { + ldb_set_errstring(ac->module->ldb, + "invalid ldb_reply_type in callback"); + talloc_free(ares); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + werr = dsdb_linked_attribute_lDAPDisplayName_list(ac->schema, ac, &attrs); + if (!W_ERROR_IS_OK(werr)) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_build_search_req(&search_req, ac->module->ldb, req, + ac->req->op.rename.newdn, LDB_SCOPE_BASE, + "(objectClass=*)", attrs, + NULL, + ac, la_op_search_callback, + req); + + if (ret != LDB_SUCCESS) { + return ret; + } + + talloc_steal(search_req, attrs); + + if (ret == LDB_SUCCESS) { + ret = ldb_request_add_control(search_req, + LDB_CONTROL_EXTENDED_DN_OID, + false, NULL); + } + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, + ret); + } + + ac->op_controls = talloc_steal(ac, ares->controls); + ac->op_response = talloc_steal(ac, ares->response); + + return ldb_next_request(ac->module, search_req); +} + +/* Having done the original add, then try to fix up all the linked attributes + + This is done after the add so the links can get the extended DNs correctly. + */ +static int la_add_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + int ret; + struct la_context *ac; + ac = talloc_get_type(req->context, struct la_context); + + if (!ares) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } + + if (ares->type != LDB_REPLY_DONE) { + ldb_set_errstring(ac->module->ldb, + "invalid ldb_reply_type in callback"); + talloc_free(ares); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + if (ac->ops) { + struct ldb_request *search_req; + static const char *attrs[] = { NULL }; + + /* The callback does all the hard work here - we need + * the objectGUID and SID of the added record */ + ret = ldb_build_search_req(&search_req, ac->module->ldb, ac, + ac->req->op.add.message->dn, + LDB_SCOPE_BASE, + "(objectClass=*)", attrs, + NULL, + ac, la_mod_search_callback, + ac->req); + + if (ret == LDB_SUCCESS) { + ret = ldb_request_add_control(search_req, + LDB_CONTROL_EXTENDED_DN_OID, + false, NULL); + } + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, + ret); + } + + ac->op_controls = talloc_steal(ac, ares->controls); + ac->op_response = talloc_steal(ac, ares->response); + + return ldb_next_request(ac->module, search_req); + + } else { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } } +/* Reconstruct the original request, but pointing at our local callback to finish things off */ static int la_down_req(struct la_context *ac) { struct ldb_request *down_req; @@ -865,21 +1029,21 @@ static int la_down_req(struct la_context *ac) ret = ldb_build_add_req(&down_req, ac->module->ldb, ac, ac->req->op.add.message, ac->req->controls, - ac, la_down_callback, + ac, la_add_callback, ac->req); break; case LDB_MODIFY: ret = ldb_build_mod_req(&down_req, ac->module->ldb, ac, ac->req->op.mod.message, ac->req->controls, - ac, la_down_callback, + ac, la_mod_del_callback, ac->req); break; case LDB_DELETE: ret = ldb_build_del_req(&down_req, ac->module->ldb, ac, ac->req->op.del.dn, ac->req->controls, - ac, la_down_callback, + ac, la_mod_del_callback, ac->req); break; case LDB_RENAME: @@ -887,7 +1051,7 @@ static int la_down_req(struct la_context *ac) ac->req->op.rename.olddn, ac->req->op.rename.newdn, ac->req->controls, - ac, la_down_callback, + ac, la_rename_callback, ac->req); break; default: @@ -900,42 +1064,11 @@ static int la_down_req(struct la_context *ac) return ldb_next_request(ac->module, down_req); } -/* Having done the original operation, then try to fix up all the linked attributes */ -static int la_down_callback(struct ldb_request *req, struct ldb_reply *ares) -{ - struct la_context *ac; - - ac = talloc_get_type(req->context, struct la_context); - - if (!ares) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares->error != LDB_SUCCESS) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - if (ares->type != LDB_REPLY_DONE) { - ldb_set_errstring(ac->module->ldb, - "invalid ldb_reply_type in callback"); - talloc_free(ares); - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - /* If we have modfies to make, then run them */ - if (ac->ops) { - return la_do_mod_request(ac); - } else { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } -} _PUBLIC_ const struct ldb_module_ops ldb_linked_attributes_module_ops = { .name = "linked_attributes", .add = linked_attributes_add, .modify = linked_attributes_modify, - .del = linked_attributes_op, - .rename = linked_attributes_op, + .del = linked_attributes_del, + .rename = linked_attributes_rename, }; -- cgit From 1f28541a241d2dc4c5460344f817d56182a672ce Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 09:21:55 +0100 Subject: s4:dsdb: split extended_dn into extended_dn_in, extended_dn_out and extended_dn_store. By splitting the module, the extended_dn_in and extended_dn_store moudles can use extended_dn_out to actually get the extended DN. This avoids code duplication. The extended_dn_out module also contains a client implementation of the OpenLDAP dereference control (draft-masarati-ldap-deref-00). This also introduces a new control 'DSDB_CONTROL_DN_STORAGE_FORMAT_OID' to ask the extended_dn_out module to return whatever the 'storage format' is. This allows us to work with both OpenLDAP (which performs a dereference at run time) and LDB (which stores the GUID and SID on disk). Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/config.mk | 36 +- source4/dsdb/samdb/ldb_modules/extended_dn.c | 666 --------------------- source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 394 ++++++++++++ source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 655 ++++++++++++++++++++ source4/dsdb/samdb/ldb_modules/extended_dn_store.c | 431 +++++++++++++ source4/dsdb/samdb/samdb.h | 5 + 6 files changed, 1515 insertions(+), 672 deletions(-) delete mode 100644 source4/dsdb/samdb/ldb_modules/extended_dn.c create mode 100644 source4/dsdb/samdb/ldb_modules/extended_dn_in.c create mode 100644 source4/dsdb/samdb/ldb_modules/extended_dn_out.c create mode 100644 source4/dsdb/samdb/ldb_modules/extended_dn_store.c (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index 1387066256..19375bb923 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -171,15 +171,39 @@ INIT_FUNCTION = LDB_MODULE(kludge_acl) ldb_kludge_acl_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/kludge_acl.o ################################################ -# Start MODULE ldb_extended_dn -[MODULE::ldb_extended_dn] +# Start MODULE ldb_extended_dn_in +[MODULE::ldb_extended_dn_in] SUBSYSTEM = LIBLDB -PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBNDR LIBSECURITY SAMDB -INIT_FUNCTION = LDB_MODULE(extended_dn) -# End MODULE ldb_extended_dn +PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS +INIT_FUNCTION = LDB_MODULE(extended_dn_in) +# End MODULE ldb_extended_dn_in +################################################ + +ldb_extended_dn_in_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/extended_dn_in.o + +################################################ +# Start MODULE ldb_extended_dn_out +[MODULE::ldb_extended_dn_out] +SUBSYSTEM = LIBLDB +PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS +INIT_FUNCTION = LDB_MODULE(extended_dn_out_ldb),LDB_MODULE(extended_dn_out_dereference) +ENABLE = YES +ALIASES = extended_dn_out_ldb extended_dn_out_dereference +# End MODULE ldb_extended_dn_out +################################################ + +ldb_extended_dn_out_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/extended_dn_out.o + +################################################ +# Start MODULE ldb_extended_dn_store +[MODULE::ldb_extended_dn_store] +SUBSYSTEM = LIBLDB +PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS +INIT_FUNCTION = LDB_MODULE(extended_dn_store) +# End MODULE ldb_extended_dn_store ################################################ -ldb_extended_dn_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/extended_dn.o +ldb_extended_dn_store_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/extended_dn_store.o ################################################ # Start MODULE ldb_show_deleted diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn.c b/source4/dsdb/samdb/ldb_modules/extended_dn.c deleted file mode 100644 index 48683db456..0000000000 --- a/source4/dsdb/samdb/ldb_modules/extended_dn.c +++ /dev/null @@ -1,666 +0,0 @@ -/* - ldb database library - - Copyright (C) Simo Sorce 2005-2008 - - ** NOTE! The following LGPL license applies to the ldb - ** library. This does NOT imply that all of Samba is released - ** under the LGPL - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 3 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, see . -*/ - -/* - * Name: ldb - * - * Component: ldb extended dn control module - * - * Description: this module builds a special dn - * - * Author: Simo Sorce - */ - -#include "includes.h" -#include "ldb/include/ldb.h" -#include "ldb/include/ldb_errors.h" -#include "ldb/include/ldb_private.h" -#include "librpc/gen_ndr/ndr_misc.h" -#include "dsdb/samdb/samdb.h" -#include "libcli/security/security.h" - -#include - -static bool is_attr_in_list(const char * const * attrs, const char *attr) -{ - int i; - - for (i = 0; attrs[i]; i++) { - if (strcasecmp(attrs[i], attr) == 0) - return true; - } - - return false; -} - -static char **copy_attrs(void *mem_ctx, const char * const * attrs) -{ - char **new; - int i, num; - - for (num = 0; attrs[num]; num++); - - new = talloc_array(mem_ctx, char *, num + 1); - if (!new) return NULL; - - for(i = 0; i < num; i++) { - new[i] = talloc_strdup(new, attrs[i]); - if (!new[i]) { - talloc_free(new); - return NULL; - } - } - new[i] = NULL; - - return new; -} - -static bool add_attrs(void *mem_ctx, char ***attrs, const char *attr) -{ - char **new; - int num; - - for (num = 0; (*attrs)[num]; num++); - - new = talloc_realloc(mem_ctx, *attrs, char *, num + 2); - if (!new) return false; - - *attrs = new; - - new[num] = talloc_strdup(new, attr); - if (!new[num]) return false; - - new[num + 1] = NULL; - - return true; -} - -static int inject_extended_dn(struct ldb_message *msg, - struct ldb_context *ldb, - int type, - bool remove_guid, - bool remove_sid) -{ - const struct ldb_val *val; - struct GUID guid; - struct dom_sid *sid; - const DATA_BLOB *guid_blob; - const DATA_BLOB *sid_blob; - char *object_guid; - char *object_sid; - char *new_dn; - - guid_blob = ldb_msg_find_ldb_val(msg, "objectGUID"); - sid_blob = ldb_msg_find_ldb_val(msg, "objectSID"); - - if (!guid_blob) { - return LDB_ERR_OPERATIONS_ERROR; - } - - switch (type) { - case 0: - /* return things in hexadecimal format */ - if (sid_blob) { - const char *lower_guid_hex = strlower_talloc(msg, data_blob_hex_string(msg, guid_blob)); - const char *lower_sid_hex = strlower_talloc(msg, data_blob_hex_string(msg, sid_blob)); - if (!lower_guid_hex || !lower_sid_hex) { - return LDB_ERR_OPERATIONS_ERROR; - } - new_dn = talloc_asprintf(msg, ";;%s", - lower_guid_hex, - lower_sid_hex, - ldb_dn_get_linearized(msg->dn)); - } else { - const char *lower_guid_hex = strlower_talloc(msg, data_blob_hex_string(msg, guid_blob)); - if (!lower_guid_hex) { - return LDB_ERR_OPERATIONS_ERROR; - } - new_dn = talloc_asprintf(msg, ";%s", - lower_guid_hex, - ldb_dn_get_linearized(msg->dn)); - } - - break; - case 1: - /* retrieve object_guid */ - guid = samdb_result_guid(msg, "objectGUID"); - object_guid = GUID_string(msg, &guid); - - /* retrieve object_sid */ - object_sid = NULL; - sid = samdb_result_dom_sid(msg, msg, "objectSID"); - if (sid) { - object_sid = dom_sid_string(msg, sid); - if (!object_sid) - return LDB_ERR_OPERATIONS_ERROR; - - } - - /* Normal, sane format */ - if (object_sid) { - new_dn = talloc_asprintf(msg, ";;%s", - object_guid, object_sid, - ldb_dn_get_linearized(msg->dn)); - } else { - new_dn = talloc_asprintf(msg, ";%s", - object_guid, - ldb_dn_get_linearized(msg->dn)); - } - break; - default: - return LDB_ERR_OPERATIONS_ERROR; - } - - if (!new_dn) { - return LDB_ERR_OPERATIONS_ERROR; - } - - if (remove_guid) { - ldb_msg_remove_attr(msg, "objectGUID"); - } - - if (sid_blob && remove_sid) { - ldb_msg_remove_attr(msg, "objectSID"); - } - - msg->dn = ldb_dn_new(msg, ldb, new_dn); - if (! ldb_dn_validate(msg->dn)) - return LDB_ERR_OPERATIONS_ERROR; - - val = ldb_msg_find_ldb_val(msg, "distinguishedName"); - if (val) { - ldb_msg_remove_attr(msg, "distinguishedName"); - if (ldb_msg_add_steal_string(msg, "distinguishedName", new_dn)) - return LDB_ERR_OPERATIONS_ERROR; - } - - return LDB_SUCCESS; -} - -/* search */ -struct extended_context { - - struct ldb_module *module; - struct ldb_request *req; - struct ldb_control *control; - struct ldb_dn *basedn; - char *wellknown_object; - bool inject; - bool remove_guid; - bool remove_sid; - int extended_type; - const char * const *cast_attrs; -}; - -static int extended_callback(struct ldb_request *req, struct ldb_reply *ares) -{ - struct extended_context *ac; - int ret; - - ac = talloc_get_type(req->context, struct extended_context); - - if (!ares) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares->error != LDB_SUCCESS) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - if (ac->inject) { - /* for each record returned post-process to add any derived - attributes that have been asked for */ - ret = inject_extended_dn(ares->message, ac->module->ldb, - ac->extended_type, ac->remove_guid, - ac->remove_sid); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); - } - } - - return ldb_module_send_entry(ac->req, ares->message, ares->controls); - - case LDB_REPLY_REFERRAL: - return ldb_module_send_referral(ac->req, ares->referral); - - case LDB_REPLY_DONE: - return ldb_module_done(ac->req, ares->controls, - ares->response, LDB_SUCCESS); - - } - return LDB_SUCCESS; -} - -static int extended_base_callback(struct ldb_request *req, struct ldb_reply *ares) -{ - struct extended_context *ac; - struct ldb_request *down_req; - struct ldb_control **saved_controls; - struct ldb_message_element *el; - int ret; - size_t i; - size_t wkn_len = 0; - char *valstr = NULL; - const char *found = NULL; - - ac = talloc_get_type(req->context, struct extended_context); - - if (!ares) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares->error != LDB_SUCCESS) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - switch (ares->type) { - case LDB_REPLY_ENTRY: - if (!ac->wellknown_object) { - ac->basedn = ares->message->dn; - break; - } - - wkn_len = strlen(ac->wellknown_object); - - el = ldb_msg_find_element(ares->message, "wellKnownObjects"); - if (!el) { - ac->basedn = NULL; - break; - } - - for (i=0; i < el->num_values; i++) { - valstr = talloc_strndup(ac, - (const char *)el->values[i].data, - el->values[i].length); - if (!valstr) { - ldb_oom(ac->module->ldb); - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - - if (strncasecmp(valstr, ac->wellknown_object, wkn_len) != 0) { - talloc_free(valstr); - continue; - } - - found = &valstr[wkn_len]; - break; - } - - if (!found) { - break; - } - - ac->basedn = ldb_dn_new(ac, ac->module->ldb, found); - talloc_free(valstr); - if (!ac->basedn) { - ldb_oom(ac->module->ldb); - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - - break; - - case LDB_REPLY_REFERRAL: - break; - - case LDB_REPLY_DONE: - - if (!ac->basedn) { - const char *str = talloc_asprintf(req, "Base-DN '%s' not found", - ldb_dn_get_linearized(ac->req->op.search.base)); - ldb_set_errstring(ac->module->ldb, str); - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_NO_SUCH_OBJECT); - } - - ret = ldb_build_search_req_ex(&down_req, - ac->module->ldb, ac, - ac->basedn, - ac->req->op.search.scope, - ac->req->op.search.tree, - ac->cast_attrs, - ac->req->controls, - ac, extended_callback, - ac->req); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); - } - - if (ac->control) { - /* save it locally and remove it from the list */ - /* we do not need to replace them later as we - * are keeping the original req intact */ - if (!save_controls(ac->control, down_req, &saved_controls)) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - } - - /* perform the search */ - return ldb_next_request(ac->module, down_req); - } - return LDB_SUCCESS; -} - -static int extended_search(struct ldb_module *module, struct ldb_request *req) -{ - struct ldb_control *control; - struct ldb_extended_dn_control *extended_ctrl = NULL; - struct ldb_control **saved_controls; - struct extended_context *ac; - struct ldb_request *down_req; - char **new_attrs; - int ret; - struct ldb_dn *base_dn = NULL; - enum ldb_scope base_dn_scope = LDB_SCOPE_BASE; - const char *base_dn_filter = NULL; - const char * const *base_dn_attrs = NULL; - char *wellknown_object = NULL; - static const char *dnattr[] = { - "distinguishedName", - NULL - }; - static const char *wkattr[] = { - "wellKnownObjects", - NULL - }; - - if (ldb_dn_is_special(req->op.search.base)) { - char *dn; - - dn = ldb_dn_alloc_linearized(req, req->op.search.base); - if (!dn) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - - if (strncasecmp(dn, "'); - if (!p) { - return LDB_ERR_INVALID_DN_SYNTAX; - } - p[0] = '\0'; - - if (strncasecmp(str, "S-", 2) == 0) { - valstr = str; - } else { - DATA_BLOB binary; - binary = strhex_to_data_blob(NULL, str); - if (!binary.data) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - valstr = ldb_binary_encode(req, binary); - data_blob_free(&binary); - if (!valstr) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - } - - /* TODO: do a search over all partitions */ - base_dn = ldb_get_default_basedn(module->ldb); - base_dn_filter = talloc_asprintf(req, "(objectSid=%s)", valstr); - if (!base_dn_filter) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - base_dn_scope = LDB_SCOPE_SUBTREE; - base_dn_attrs = dnattr; - } else if (strncasecmp(dn, "'); - if (!p) { - return LDB_ERR_INVALID_DN_SYNTAX; - } - p[0] = '\0'; - - if (strchr(str, '-')) { - valstr = str; - } else { - DATA_BLOB binary; - binary = strhex_to_data_blob(NULL, str); - if (!binary.data) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - valstr = ldb_binary_encode(req, binary); - data_blob_free(&binary); - if (!valstr) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - } - - /* TODO: do a search over all partitions */ - base_dn = ldb_get_default_basedn(module->ldb); - base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)", valstr); - if (!base_dn_filter) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - base_dn_scope = LDB_SCOPE_SUBTREE; - base_dn_attrs = dnattr; - } else if (strncasecmp(dn, "ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - - tail_str = p; - p = strchr(tail_str, '>'); - if (!p) { - return LDB_ERR_INVALID_DN_SYNTAX; - } - p[0] = '\0'; - - base_dn = ldb_dn_new(req, module->ldb, tail_str); - if (!base_dn) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - base_dn_filter = talloc_strdup(req, "(objectClass=*)"); - if (!base_dn_filter) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - base_dn_scope = LDB_SCOPE_BASE; - base_dn_attrs = wkattr; - } - talloc_free(dn); - } - - /* check if there's an extended dn control */ - control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID); - if (control == NULL && base_dn_filter == NULL) { - /* not found go on */ - return ldb_next_request(module, req); - } - - if (control && control->data) { - extended_ctrl = talloc_get_type(control->data, struct ldb_extended_dn_control); - if (!extended_ctrl) { - return LDB_ERR_PROTOCOL_ERROR; - } - } - - ac = talloc_zero(req, struct extended_context); - if (ac == NULL) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - - ac->module = module; - ac->req = req; - ac->control = control; - ac->basedn = NULL; - ac->wellknown_object = wellknown_object; - ac->inject = false; - ac->remove_guid = false; - ac->remove_sid = false; - - if (control) { - ac->inject = true; - if (extended_ctrl) { - ac->extended_type = extended_ctrl->type; - } else { - ac->extended_type = 0; - } - - /* check if attrs only is specified, in that case check wether we need to modify them */ - if (req->op.search.attrs) { - if (! is_attr_in_list(req->op.search.attrs, "objectGUID")) { - ac->remove_guid = true; - } - if (! is_attr_in_list(req->op.search.attrs, "objectSID")) { - ac->remove_sid = true; - } - if (ac->remove_guid || ac->remove_sid) { - new_attrs = copy_attrs(ac, req->op.search.attrs); - if (new_attrs == NULL) { - ldb_oom(module->ldb); - return LDB_ERR_OPERATIONS_ERROR; - } - - if (ac->remove_guid) { - if (!add_attrs(ac, &new_attrs, "objectGUID")) - return LDB_ERR_OPERATIONS_ERROR; - } - if (ac->remove_sid) { - if (!add_attrs(ac, &new_attrs, "objectSID")) - return LDB_ERR_OPERATIONS_ERROR; - } - ac->cast_attrs = (const char * const *)new_attrs; - } else { - ac->cast_attrs = req->op.search.attrs; - } - } - } - - if (base_dn) { - ret = ldb_build_search_req(&down_req, - module->ldb, ac, - base_dn, - base_dn_scope, - base_dn_filter, - base_dn_attrs, - NULL, - ac, extended_base_callback, - req); - if (ret != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; - } - - /* perform the search */ - return ldb_next_request(module, down_req); - } - - ret = ldb_build_search_req_ex(&down_req, - module->ldb, ac, - req->op.search.base, - req->op.search.scope, - req->op.search.tree, - ac->cast_attrs, - req->controls, - ac, extended_callback, - req); - if (ret != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; - } - - if (ac->control) { - /* save it locally and remove it from the list */ - /* we do not need to replace them later as we - * are keeping the original req intact */ - if (!save_controls(control, down_req, &saved_controls)) { - return LDB_ERR_OPERATIONS_ERROR; - } - } - - /* perform the search */ - return ldb_next_request(module, down_req); -} - -static int extended_init(struct ldb_module *module) -{ - int ret; - - ret = ldb_mod_register_control(module, LDB_CONTROL_EXTENDED_DN_OID); - if (ret != LDB_SUCCESS) { - ldb_debug(module->ldb, LDB_DEBUG_ERROR, - "extended_dn: Unable to register control with rootdse!\n"); - return LDB_ERR_OPERATIONS_ERROR; - } - - return ldb_next_init(module); -} - -_PUBLIC_ const struct ldb_module_ops ldb_extended_dn_module_ops = { - .name = "extended_dn", - .search = extended_search, - .init_context = extended_init -}; diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c new file mode 100644 index 0000000000..c3db4fa588 --- /dev/null +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -0,0 +1,394 @@ +/* + ldb database library + + Copyright (C) Simo Sorce 2005-2008 + Copyright (C) Andrew Bartlett 2007-2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * Name: ldb + * + * Component: ldb extended dn control module + * + * Description: this module interprets DNs of the form into normal DNs. + * + * Authors: Simo Sorce + * Andrew Bartlett + */ + +#include "includes.h" +#include "ldb/include/ldb.h" +#include "ldb/include/ldb_errors.h" +#include "ldb/include/ldb_private.h" + +/* search */ +struct extended_search_context { + struct ldb_module *module; + struct ldb_request *req; + struct ldb_dn *basedn; + char *wellknown_object; + int extended_type; +}; + +/* An extra layer of indirection because LDB does not allow the original request to be altered */ + +static int extended_final_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + int ret = LDB_ERR_OPERATIONS_ERROR; + struct extended_search_context *ac; + ac = talloc_get_type(req->context, struct extended_search_context); + + if (ares->error != LDB_SUCCESS) { + ret = ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } else { + switch (ares->type) { + case LDB_REPLY_ENTRY: + + ret = ldb_module_send_entry(ac->req, ares->message, ares->controls); + break; + case LDB_REPLY_REFERRAL: + + ret = ldb_module_send_referral(ac->req, ares->referral); + break; + case LDB_REPLY_DONE: + + ret = ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + break; + } + } + return ret; +} + +static int extended_base_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + struct extended_search_context *ac; + struct ldb_request *down_req; + struct ldb_message_element *el; + int ret; + size_t i; + size_t wkn_len = 0; + char *valstr = NULL; + const char *found = NULL; + + ac = talloc_get_type(req->context, struct extended_search_context); + + if (!ares) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + if (!ac->wellknown_object) { + ac->basedn = talloc_steal(ac, ares->message->dn); + break; + } + + wkn_len = strlen(ac->wellknown_object); + + el = ldb_msg_find_element(ares->message, "wellKnownObjects"); + if (!el) { + ac->basedn = NULL; + break; + } + + for (i=0; i < el->num_values; i++) { + valstr = talloc_strndup(ac, + (const char *)el->values[i].data, + el->values[i].length); + if (!valstr) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + if (strncasecmp(valstr, ac->wellknown_object, wkn_len) != 0) { + talloc_free(valstr); + continue; + } + + found = &valstr[wkn_len]; + break; + } + + if (!found) { + break; + } + + ac->basedn = ldb_dn_new(ac, ac->module->ldb, found); + talloc_free(valstr); + if (!ac->basedn) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + break; + + case LDB_REPLY_REFERRAL: + break; + + case LDB_REPLY_DONE: + + if (!ac->basedn) { + const char *str = talloc_asprintf(req, "Base-DN '%s' not found", + ldb_dn_get_linearized(ac->req->op.search.base)); + ldb_set_errstring(ac->module->ldb, str); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_NO_SUCH_OBJECT); + } + + switch (ac->req->operation) { + case LDB_SEARCH: + ret = ldb_build_search_req_ex(&down_req, + ac->module->ldb, ac->req, + ac->basedn, + ac->req->op.search.scope, + ac->req->op.search.tree, + ac->req->op.search.attrs, + ac->req->controls, + ac, extended_final_callback, + ac->req); + break; + case LDB_ADD: + { + struct ldb_message *add_msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message); + if (!add_msg) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + add_msg->dn = ac->basedn; + + ret = ldb_build_add_req(&down_req, + ac->module->ldb, ac->req, + add_msg, + ac->req->controls, + ac, extended_final_callback, + ac->req); + break; + } + case LDB_MODIFY: + { + struct ldb_message *mod_msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message); + if (!mod_msg) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + mod_msg->dn = ac->basedn; + + ret = ldb_build_mod_req(&down_req, + ac->module->ldb, ac->req, + mod_msg, + ac->req->controls, + ac, extended_final_callback, + ac->req); + break; + } + case LDB_DELETE: + ret = ldb_build_del_req(&down_req, + ac->module->ldb, ac->req, + ac->basedn, + ac->req->controls, + ac, extended_final_callback, + ac->req); + break; + case LDB_RENAME: + ret = ldb_build_rename_req(&down_req, + ac->module->ldb, ac->req, + ac->basedn, + ac->req->op.rename.newdn, + ac->req->controls, + ac, extended_final_callback, + ac->req); + break; + default: + return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); + } + + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + + return ldb_next_request(ac->module, down_req); + } + talloc_free(ares); + return LDB_SUCCESS; +} + +static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req, struct ldb_dn *dn) +{ + struct extended_search_context *ac; + struct ldb_request *down_req; + int ret; + struct ldb_dn *base_dn = NULL; + enum ldb_scope base_dn_scope = LDB_SCOPE_BASE; + const char *base_dn_filter = NULL; + const char * const *base_dn_attrs = NULL; + char *wellknown_object = NULL; + static const char *no_attr[] = { + NULL + }; + static const char *wkattr[] = { + "wellKnownObjects", + NULL + }; + + if (!ldb_dn_has_extended(dn)) { + /* Move along there isn't anything to see here */ + return ldb_next_request(module, req); + } else { + /* It looks like we need to map the DN */ + const struct ldb_val *sid_val, *guid_val, *wkguid_val; + + sid_val = ldb_dn_get_extended_component(dn, "SID"); + guid_val = ldb_dn_get_extended_component(dn, "GUID"); + wkguid_val = ldb_dn_get_extended_component(dn, "WKGUID"); + + if (sid_val) { + /* TODO: do a search over all partitions */ + base_dn = ldb_get_default_basedn(module->ldb); + base_dn_filter = talloc_asprintf(req, "(objectSid=%s)", + ldb_binary_encode(req, *sid_val)); + if (!base_dn_filter) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + base_dn_scope = LDB_SCOPE_SUBTREE; + base_dn_attrs = no_attr; + + } else if (guid_val) { + + /* TODO: do a search over all partitions */ + base_dn = ldb_get_default_basedn(module->ldb); + base_dn_filter = talloc_asprintf(req, "(objectGUID=%s)", + ldb_binary_encode(req, *guid_val)); + if (!base_dn_filter) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + base_dn_scope = LDB_SCOPE_SUBTREE; + base_dn_attrs = no_attr; + + + } else if (wkguid_val) { + char *wkguid_dup; + char *tail_str; + char *p; + + wkguid_dup = talloc_strndup(req, (char *)wkguid_val->data, wkguid_val->length); + + p = strchr(wkguid_dup, ','); + if (!p) { + return LDB_ERR_INVALID_DN_SYNTAX; + } + + p[0] = '\0'; + p++; + + wellknown_object = talloc_asprintf(req, "B:32:%s:", wkguid_dup); + if (!wellknown_object) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + tail_str = p; + + base_dn = ldb_dn_new(req, module->ldb, tail_str); + talloc_free(wkguid_dup); + if (!base_dn) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + base_dn_filter = talloc_strdup(req, "(objectClass=*)"); + if (!base_dn_filter) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + base_dn_scope = LDB_SCOPE_BASE; + base_dn_attrs = wkattr; + } else { + return LDB_ERR_INVALID_DN_SYNTAX; + } + + ac = talloc_zero(req, struct extended_search_context); + if (ac == NULL) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->module = module; + ac->req = req; + ac->basedn = NULL; /* Filled in if the search finds the DN by SID/GUID etc */ + ac->wellknown_object = wellknown_object; + + /* If the base DN was an extended DN (perhaps a well known + * GUID) then search for that, so we can proceed with the original operation */ + + ret = ldb_build_search_req(&down_req, + module->ldb, ac, + base_dn, + base_dn_scope, + base_dn_filter, + base_dn_attrs, + NULL, + ac, extended_base_callback, + req); + if (ret != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* perform the search */ + return ldb_next_request(module, down_req); + } +} + +static int extended_dn_in_search(struct ldb_module *module, struct ldb_request *req) +{ + return extended_dn_in_fix(module, req, req->op.search.base); +} + +static int extended_dn_in_modify(struct ldb_module *module, struct ldb_request *req) +{ + return extended_dn_in_fix(module, req, req->op.mod.message->dn); +} + +static int extended_dn_in_del(struct ldb_module *module, struct ldb_request *req) +{ + return extended_dn_in_fix(module, req, req->op.del.dn); +} + +static int extended_dn_in_rename(struct ldb_module *module, struct ldb_request *req) +{ + return extended_dn_in_fix(module, req, req->op.rename.olddn); +} + +_PUBLIC_ const struct ldb_module_ops ldb_extended_dn_in_module_ops = { + .name = "extended_dn_in", + .search = extended_dn_in_search, + .modify = extended_dn_in_modify, + .del = extended_dn_in_del, + .rename = extended_dn_in_rename, +}; diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c new file mode 100644 index 0000000000..058c51bdb8 --- /dev/null +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c @@ -0,0 +1,655 @@ +/* + ldb database library + + Copyright (C) Simo Sorce 2005-2008 + Copyright (C) Andrew Bartlett 2007-2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * Name: ldb + * + * Component: ldb extended dn control module + * + * Description: this module builds a special dn for returned search + * results, and fixes some other aspects of the result (returned case issues) + * values. + * + * Authors: Simo Sorce + * Andrew Bartlett + */ + +#include "includes.h" +#include "ldb/include/ldb.h" +#include "ldb/include/ldb_errors.h" +#include "ldb/include/ldb_private.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "librpc/ndr/libndr.h" +#include "dsdb/samdb/samdb.h" + +struct extended_dn_out_private { + bool dereference; + bool normalise; + struct dsdb_openldap_dereference_control *dereference_control; +}; + +static bool is_attr_in_list(const char * const * attrs, const char *attr) +{ + int i; + + for (i = 0; attrs[i]; i++) { + if (ldb_attr_cmp(attrs[i], attr) == 0) + return true; + } + + return false; +} + +static char **copy_attrs(void *mem_ctx, const char * const * attrs) +{ + char **new; + int i, num; + + for (num = 0; attrs[num]; num++); + + new = talloc_array(mem_ctx, char *, num + 1); + if (!new) return NULL; + + for(i = 0; i < num; i++) { + new[i] = talloc_strdup(new, attrs[i]); + if (!new[i]) { + talloc_free(new); + return NULL; + } + } + new[i] = NULL; + + return new; +} + +static bool add_attrs(void *mem_ctx, char ***attrs, const char *attr) +{ + char **new; + int num; + + for (num = 0; (*attrs)[num]; num++); + + new = talloc_realloc(mem_ctx, *attrs, char *, num + 2); + if (!new) return false; + + *attrs = new; + + new[num] = talloc_strdup(new, attr); + if (!new[num]) return false; + + new[num + 1] = NULL; + + return true; +} + +/* Fix the DN so that the relative attribute names are in upper case so that the DN: + cn=Adminstrator,cn=users,dc=samba,dc=example,dc=com becomes + CN=Adminstrator,CN=users,DC=samba,DC=example,DC=com +*/ + + +static int fix_dn(struct ldb_dn *dn) +{ + int i, ret; + char *upper_rdn_attr; + + for (i=0; i < ldb_dn_get_comp_num(dn); i++) { + /* We need the attribute name in upper case */ + upper_rdn_attr = strupper_talloc(dn, + ldb_dn_get_component_name(dn, i)); + if (!upper_rdn_attr) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* And replace it with CN=foo (we need the attribute in upper case */ + ret = ldb_dn_set_component(dn, i, upper_rdn_attr, + *ldb_dn_get_component_val(dn, i)); + talloc_free(upper_rdn_attr); + if (ret != LDB_SUCCESS) { + return ret; + } + } + return LDB_SUCCESS; +} + +/* Inject the extended DN components, so the DN cn=Adminstrator,cn=users,dc=samba,dc=example,dc=com becomes + ;;cn=Adminstrator,cn=users,dc=samba,dc=example,dc=com */ + +static int inject_extended_dn_out(struct ldb_reply *ares, + struct ldb_context *ldb, + int type, + bool remove_guid, + bool remove_sid) +{ + int ret; + const DATA_BLOB *guid_blob; + const DATA_BLOB *sid_blob; + + guid_blob = ldb_msg_find_ldb_val(ares->message, "objectGUID"); + sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSID"); + + if (!guid_blob) { + ldb_set_errstring(ldb, "Did not find objectGUID to inject into extended DN"); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_dn_set_extended_component(ares->message->dn, "GUID", guid_blob); + if (ret != LDB_SUCCESS) { + return ret; + } + if (sid_blob) { + ret = ldb_dn_set_extended_component(ares->message->dn, "SID", sid_blob); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + if (remove_guid) { + ldb_msg_remove_attr(ares->message, "objectGUID"); + } + + if (sid_blob && remove_sid) { + ldb_msg_remove_attr(ares->message, "objectSID"); + } + + return LDB_SUCCESS; +} + +static int handle_dereference(struct ldb_dn *dn, + struct dsdb_openldap_dereference_result **dereference_attrs, + const char *attr, const DATA_BLOB *val) +{ + const struct ldb_val *entryUUIDblob, *sid_blob; + struct ldb_message fake_msg; /* easier to use routines that expect an ldb_message */ + int j; + + fake_msg.num_elements = 0; + + /* Look for this attribute in the returned control */ + for (j = 0; dereference_attrs && dereference_attrs[j]; j++) { + struct ldb_val source_dn = data_blob_string_const(dereference_attrs[j]->dereferenced_dn); + if (ldb_attr_cmp(dereference_attrs[j]->source_attribute, attr) == 0 + && data_blob_cmp(&source_dn, val) == 0) { + fake_msg.num_elements = dereference_attrs[j]->num_attributes; + fake_msg.elements = dereference_attrs[j]->attributes; + break; + } + } + if (!fake_msg.num_elements) { + return LDB_SUCCESS; + } + /* Look for an OpenLDAP entryUUID */ + + entryUUIDblob = ldb_msg_find_ldb_val(&fake_msg, "entryUUID"); + if (entryUUIDblob) { + NTSTATUS status; + enum ndr_err_code ndr_err; + + struct ldb_val guid_blob; + struct GUID guid; + + status = GUID_from_data_blob(entryUUIDblob, &guid); + + if (!NT_STATUS_IS_OK(status)) { + return LDB_ERR_INVALID_DN_SYNTAX; + } + ndr_err = ndr_push_struct_blob(&guid_blob, NULL, NULL, &guid, + (ndr_push_flags_fn_t)ndr_push_GUID); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return LDB_ERR_INVALID_DN_SYNTAX; + } + + ldb_dn_set_extended_component(dn, "GUID", &guid_blob); + } + + sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSID"); + + /* Look for the objectSID */ + if (sid_blob) { + ldb_dn_set_extended_component(dn, "SID", sid_blob); + } + return LDB_SUCCESS; +} + +/* search */ +struct extended_search_context { + struct ldb_module *module; + const struct dsdb_schema *schema; + struct ldb_request *req; + bool inject; + bool remove_guid; + bool remove_sid; + int extended_type; +}; + +static int extended_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + struct extended_search_context *ac; + struct ldb_control *control; + struct dsdb_openldap_dereference_result_control *dereference_control = NULL; + int ret, i, j; + struct ldb_message *msg = ares->message; + struct extended_dn_out_private *private; + + ac = talloc_get_type(req->context, struct extended_search_context); + private = talloc_get_type(ac->module->private_data, struct extended_dn_out_private); + + if (!ares) { + return ldb_module_done(ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } + + switch (ares->type) { + case LDB_REPLY_REFERRAL: + return ldb_module_send_referral(ac->req, ares->referral); + + case LDB_REPLY_DONE: + return ldb_module_done(ac->req, ares->controls, + ares->response, LDB_SUCCESS); + case LDB_REPLY_ENTRY: + break; + } + + if (private && private->normalise) { + ret = fix_dn(ares->message->dn); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + if (ac->inject) { + /* for each record returned post-process to add any derived + attributes that have been asked for */ + ret = inject_extended_dn_out(ares, ac->module->ldb, + ac->extended_type, ac->remove_guid, + ac->remove_sid); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + if ((private && private->normalise) || ac->inject) { + const struct ldb_val *val = ldb_msg_find_ldb_val(ares->message, "distinguishedName"); + if (val) { + ldb_msg_remove_attr(ares->message, "distinguishedName"); + if (ac->inject) { + ret = ldb_msg_add_steal_string(ares->message, "distinguishedName", + ldb_dn_get_extended_linearized(ares->message, ares->message->dn, ac->extended_type)); + } else { + ret = ldb_msg_add_string(ares->message, "distinguishedName", + ldb_dn_get_linearized(ares->message->dn)); + } + if (ret != LDB_SUCCESS) { + ldb_oom(ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + } + } + + if (private && private->dereference) { + control = ldb_reply_get_control(ares, DSDB_OPENLDAP_DEREFERENCE_CONTROL); + + if (control && control->data) { + dereference_control = talloc_get_type(control->data, struct dsdb_openldap_dereference_result_control); + } + } + + /* Walk the retruned elements (but only if we have a schema to interpret the list with) */ + for (i = 0; ac->schema && i < msg->num_elements; i++) { + const struct dsdb_attribute *attribute; + attribute = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); + if (!attribute) { + continue; + } + + if (private->normalise) { + /* If we are also in 'normalise' mode, then + * fix the attribute names to be in the + * correct case */ + msg->elements[i].name = talloc_strdup(msg->elements, attribute->lDAPDisplayName); + if (!msg->elements[i].name) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); + } + } + + /* distinguishedName has been dealt with above */ + if (ldb_attr_cmp(msg->elements[i].name, "distinguishedName") == 0) { + continue; + } + + /* Look to see if this attributeSyntax is a DN */ + if (strcmp(attribute->attributeSyntax_oid, "2.5.5.1") != 0) { + continue; + } + + for (j = 0; j < msg->elements[i].num_values; j++) { + const char *dn_str; + struct ldb_dn *dn = ldb_dn_from_ldb_val(ac, ac->module->ldb, &msg->elements[i].values[j]); + if (!dn || !ldb_dn_validate(dn)) { + return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_INVALID_DN_SYNTAX); + } + + if (private->normalise) { + ret = fix_dn(dn); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + /* If we are running in dereference mode (such + * as against OpenLDAP) then the DN in the msg + * above does not contain the extended values, + * and we need to look in the dereference + * result */ + + /* Look for this value in the attribute */ + + if (dereference_control) { + ret = handle_dereference(dn, + dereference_control->attributes, + msg->elements[i].name, + &msg->elements[i].values[j]); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ac->req, NULL, NULL, ret); + } + } + + if (!ac->inject) { + dn_str = talloc_steal(msg->elements[i].values, + ldb_dn_get_linearized(dn)); + } else { + dn_str = talloc_steal(msg->elements[i].values, + ldb_dn_get_extended_linearized(msg->elements[i].values, + dn, ac->extended_type)); + } + if (!dn_str) { + ldb_oom(ac->module->ldb); + return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); + } + msg->elements[i].values[j] = data_blob_string_const(dn_str); + talloc_free(dn); + } + } + return ldb_module_send_entry(ac->req, msg, ares->controls); +} + + +static int extended_dn_out_search(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_control *control; + struct ldb_control *storage_format_control; + struct ldb_extended_dn_control *extended_ctrl = NULL; + struct ldb_control **saved_controls; + struct extended_search_context *ac; + struct ldb_request *down_req; + char **new_attrs; + const char * const *const_attrs; + int ret; + + struct extended_dn_out_private *private = talloc_get_type(module->private_data, struct extended_dn_out_private); + + /* check if there's an extended dn control */ + control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID); + if (control && control->data) { + extended_ctrl = talloc_get_type(control->data, struct ldb_extended_dn_control); + if (!extended_ctrl) { + return LDB_ERR_PROTOCOL_ERROR; + } + } + + /* Look to see if, as we are in 'store DN+GUID+SID' mode, the + * client is after the storage format (to fill in linked + * attributes) */ + storage_format_control = ldb_request_get_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID); + if (!control && storage_format_control && storage_format_control->data) { + extended_ctrl = talloc_get_type(storage_format_control->data, struct ldb_extended_dn_control); + if (!extended_ctrl) { + ldb_set_errstring(module->ldb, "extended_dn_out: extended_ctrl was of the wrong data type"); + return LDB_ERR_PROTOCOL_ERROR; + } + } + + ac = talloc_zero(req, struct extended_search_context); + if (ac == NULL) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->module = module; + ac->schema = dsdb_get_schema(module->ldb); + ac->req = req; + ac->inject = false; + ac->remove_guid = false; + ac->remove_sid = false; + + const_attrs = req->op.search.attrs; + + /* We only need to do special processing if we were asked for + * the extended DN, or we are 'store DN+GUID+SID' + * (!dereference) mode. (This is the normal mode for LDB on + * tdb). */ + if (control || (storage_format_control && private && !private->dereference)) { + ac->inject = true; + if (extended_ctrl) { + ac->extended_type = extended_ctrl->type; + } else { + ac->extended_type = 0; + } + + /* check if attrs only is specified, in that case check wether we need to modify them */ + if (req->op.search.attrs && !is_attr_in_list(req->op.search.attrs, "*")) { + if (! is_attr_in_list(req->op.search.attrs, "objectGUID")) { + ac->remove_guid = true; + } + if (! is_attr_in_list(req->op.search.attrs, "objectSID")) { + ac->remove_sid = true; + } + if (ac->remove_guid || ac->remove_sid) { + new_attrs = copy_attrs(ac, req->op.search.attrs); + if (new_attrs == NULL) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + if (ac->remove_guid) { + if (!add_attrs(ac, &new_attrs, "objectGUID")) + return LDB_ERR_OPERATIONS_ERROR; + } + if (ac->remove_sid) { + if (!add_attrs(ac, &new_attrs, "objectSID")) + return LDB_ERR_OPERATIONS_ERROR; + } + const_attrs = (const char * const *)new_attrs; + } + } + } + + ret = ldb_build_search_req_ex(&down_req, + module->ldb, ac, + req->op.search.base, + req->op.search.scope, + req->op.search.tree, + const_attrs, + req->controls, + ac, extended_callback, + req); + if (ret != LDB_SUCCESS) { + return ret; + } + + /* Remove extended DN and storage format controls */ + + if (control) { + /* save it locally and remove it from the list */ + /* we do not need to replace them later as we + * are keeping the original req intact */ + if (!save_controls(control, down_req, &saved_controls)) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + if (storage_format_control) { + /* save it locally and remove it from the list */ + /* we do not need to replace them later as we + * are keeping the original req intact */ + if (!save_controls(storage_format_control, down_req, &saved_controls)) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + /* Add in dereference control, if we were asked to, we are + * using the 'dereference' mode (such as with an OpenLDAP + * backend) and have the control prepared */ + if (control && private && private->dereference && private->dereference_control) { + ret = ldb_request_add_control(down_req, + DSDB_OPENLDAP_DEREFERENCE_CONTROL, + false, private->dereference_control); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + /* perform the search */ + return ldb_next_request(module, down_req); +} + +static int extended_dn_out_ldb_init(struct ldb_module *module) +{ + int ret; + + struct extended_dn_out_private *private = talloc(module, struct extended_dn_out_private); + + module->private_data = private; + + if (!private) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + private->dereference = false; + private->normalise = false; + + ret = ldb_mod_register_control(module, LDB_CONTROL_EXTENDED_DN_OID); + if (ret != LDB_SUCCESS) { + ldb_debug(module->ldb, LDB_DEBUG_ERROR, + "extended_dn_out: Unable to register control with rootdse!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + return ldb_next_init(module); +} + +static int extended_dn_out_dereference_init(struct ldb_module *module) +{ + int ret, i = 0; + struct extended_dn_out_private *private; + struct dsdb_openldap_dereference_control *dereference_control; + struct dsdb_attribute *cur; + + struct dsdb_schema *schema; + + module->private_data = private = talloc_zero(module, struct extended_dn_out_private); + + if (!private) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + private->dereference = true; + + /* At the moment, servers that need dereference also need the + * DN and attribute names to be normalised */ + private->normalise = true; + + ret = ldb_mod_register_control(module, LDB_CONTROL_EXTENDED_DN_OID); + if (ret != LDB_SUCCESS) { + ldb_debug(module->ldb, LDB_DEBUG_ERROR, + "extended_dn_out: Unable to register control with rootdse!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_next_init(module); + + if (ret != LDB_SUCCESS) { + return ret; + } + + schema = dsdb_get_schema(module->ldb); + if (!schema) { + /* No schema on this DB (yet) */ + return LDB_SUCCESS; + } + + private->dereference_control = dereference_control + = talloc_zero(private, struct dsdb_openldap_dereference_control); + + if (!private->dereference_control) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + for (cur = schema->attributes; cur; cur = cur->next) { + static const char *attrs[] = { + "entryUUID", + "objectSID", + NULL + }; + + if (strcmp(cur->syntax->attributeSyntax_oid, "2.5.5.1") != 0) { + continue; + } + dereference_control->dereference + = talloc_realloc(private, dereference_control->dereference, + struct dsdb_openldap_dereference *, i + 2); + if (!dereference_control) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + dereference_control->dereference[i] = talloc(dereference_control->dereference, + struct dsdb_openldap_dereference); + if (!dereference_control->dereference[i]) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + dereference_control->dereference[i]->source_attribute = cur->lDAPDisplayName; + dereference_control->dereference[i]->dereference_attribute = attrs; + i++; + dereference_control->dereference[i] = NULL; + } + return LDB_SUCCESS; +} + +_PUBLIC_ const struct ldb_module_ops ldb_extended_dn_out_ldb_module_ops = { + .name = "extended_dn_out_ldb", + .search = extended_dn_out_search, + .init_context = extended_dn_out_ldb_init, +}; + + +_PUBLIC_ const struct ldb_module_ops ldb_extended_dn_out_dereference_module_ops = { + .name = "extended_dn_out_dereference", + .search = extended_dn_out_search, + .init_context = extended_dn_out_dereference_init, +}; diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_store.c b/source4/dsdb/samdb/ldb_modules/extended_dn_store.c new file mode 100644 index 0000000000..4f4e9d0fd7 --- /dev/null +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_store.c @@ -0,0 +1,431 @@ +/* + ldb database library + + Copyright (C) Simo Sorce 2005-2008 + Copyright (C) Andrew Bartlett 2007-2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * Name: ldb + * + * Component: ldb extended dn control module + * + * Description: this module builds a special dn for returned search + * results nad creates the special DN in the backend store for new + * values. + * + * This also has the curious result that we convert + * in an attribute value into a normal DN for the rest of the stack + * to process + * + * Authors: Simo Sorce + * Andrew Bartlett + */ + +#include "includes.h" +#include "ldb/include/ldb.h" +#include "ldb/include/ldb_errors.h" +#include "ldb/include/ldb_private.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "dsdb/samdb/samdb.h" +#include "libcli/security/security.h" + +#include + +struct extended_dn_replace_list { + struct extended_dn_replace_list *next; + struct ldb_dn *dn; + TALLOC_CTX *mem_ctx; + struct ldb_val *replace_dn; + struct extended_dn_context *ac; + struct ldb_request *search_req; +}; + + +struct extended_dn_context { + const struct dsdb_schema *schema; + struct ldb_module *module; + struct ldb_request *req; + struct ldb_request *new_req; + + struct extended_dn_replace_list *ops; + struct extended_dn_replace_list *cur; +}; + + +static struct extended_dn_context *extended_dn_context_init(struct ldb_module *module, + struct ldb_request *req) +{ + struct extended_dn_context *ac; + + ac = talloc_zero(req, struct extended_dn_context); + if (ac == NULL) { + ldb_oom(module->ldb); + return NULL; + } + + ac->schema = dsdb_get_schema(module->ldb); + ac->module = module; + ac->req = req; + + return ac; +} + +/* An extra layer of indirection because LDB does not allow the original request to be altered */ + +static int extended_final_callback(struct ldb_request *req, struct ldb_reply *ares) +{ + int ret = LDB_ERR_OPERATIONS_ERROR; + struct extended_dn_context *ac; + ac = talloc_get_type(req->context, struct extended_dn_context); + + if (ares->error != LDB_SUCCESS) { + ret = ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + } else { + switch (ares->type) { + case LDB_REPLY_ENTRY: + + ret = ldb_module_send_entry(ac->req, ares->message, ares->controls); + break; + case LDB_REPLY_REFERRAL: + + ret = ldb_module_send_referral(ac->req, ares->referral); + break; + case LDB_REPLY_DONE: + + ret = ldb_module_done(ac->req, ares->controls, + ares->response, ares->error); + break; + } + } + return ret; +} + +static int extended_replace_dn(struct ldb_request *req, struct ldb_reply *ares) +{ + struct extended_dn_replace_list *os = talloc_get_type(req->context, + struct extended_dn_replace_list); + + if (!ares) { + return ldb_module_done(os->ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error == LDB_ERR_NO_SUCH_OBJECT) { + /* Don't worry too much about dangling references */ + + ldb_reset_err_string(os->ac->module->ldb); + if (os->next) { + struct extended_dn_replace_list *next; + + next = os->next; + + talloc_free(os); + + os = next; + return ldb_next_request(os->ac->module, next->search_req); + } else { + /* Otherwise, we are done - let's run the + * request now we have swapped the DNs for the + * full versions */ + return ldb_next_request(os->ac->module, os->ac->req); + } + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(os->ac->req, ares->controls, + ares->response, ares->error); + } + + /* Only entries are interesting, and we only want the olddn */ + switch (ares->type) { + case LDB_REPLY_ENTRY: + { + /* This *must* be the right DN, as this is a base + * search. We can't check, as it could be an extended + * DN, so a module below will resolve it */ + struct ldb_dn *dn = ares->message->dn; + + /* Replace the DN with the extended version of the DN + * (ie, add SID and GUID) */ + *os->replace_dn = data_blob_string_const( + ldb_dn_get_extended_linearized(os->mem_ctx, + dn, 1)); + if (os->replace_dn->data == NULL) { + return ldb_module_done(os->ac->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + break; + } + case LDB_REPLY_REFERRAL: + /* ignore */ + break; + + case LDB_REPLY_DONE: + + talloc_free(ares); + + /* Run the next search */ + + if (os->next) { + struct extended_dn_replace_list *next; + + next = os->next; + + talloc_free(os); + + os = next; + return ldb_next_request(os->ac->module, next->search_req); + } else { + /* Otherwise, we are done - let's run the + * request now we have swapped the DNs for the + * full versions */ + return ldb_next_request(os->ac->module, os->ac->new_req); + } + } + + talloc_free(ares); + return LDB_SUCCESS; +} + +/* We have a 'normal' DN in the inbound request. We need to find out + * what the GUID and SID are on the DN it points to, so we can + * construct an extended DN for storage. + * + * This creates a list of DNs to look up, and the plain DN to replace + */ + +static int extended_store_replace(struct extended_dn_context *ac, + TALLOC_CTX *callback_mem_ctx, + struct ldb_val *plain_dn) +{ + int ret; + struct extended_dn_replace_list *os; + static const char *attrs[] = { + "objectSid", + "objectGUID", + NULL + }; + + os = talloc_zero(ac, struct extended_dn_replace_list); + if (!os) { + return LDB_ERR_OPERATIONS_ERROR; + } + + os->ac = ac; + + os->mem_ctx = callback_mem_ctx; + + os->dn = ldb_dn_from_ldb_val(os, ac->module->ldb, plain_dn); + if (!os->dn || !ldb_dn_validate(os->dn)) { + talloc_free(os); + ldb_asprintf_errstring(ac->module->ldb, + "could not parse %.*s as a DN", (int)plain_dn->length, plain_dn->data); + return LDB_ERR_INVALID_DN_SYNTAX; + } + + os->replace_dn = plain_dn; + + /* The search request here might happen to be for an + * 'extended' style DN, such as . The next + * module in the stack will convert this into a normal DN for + * processing */ + ret = ldb_build_search_req(&os->search_req, + ac->module->ldb, os, os->dn, LDB_SCOPE_BASE, NULL, + attrs, NULL, os, extended_replace_dn, + ac->req); + + if (ret != LDB_SUCCESS) { + talloc_free(os); + return ret; + } + + ret = ldb_request_add_control(os->search_req, + DSDB_CONTROL_DN_STORAGE_FORMAT_OID, + true, NULL); + if (ret != LDB_SUCCESS) { + talloc_free(os); + return ret; + } + + if (ac->ops) { + ac->cur->next = os; + } else { + ac->ops = os; + } + ac->cur = os; + + return LDB_SUCCESS; +} + + +/* add */ +static int extended_dn_add(struct ldb_module *module, struct ldb_request *req) +{ + struct extended_dn_context *ac; + int ret; + int i, j; + + if (ldb_dn_is_special(req->op.add.message->dn)) { + /* do not manipulate our control entries */ + return ldb_next_request(module, req); + } + + ac = extended_dn_context_init(module, req); + if (!ac) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (!ac->schema) { + /* without schema, this doesn't make any sense */ + talloc_free(ac); + return ldb_next_request(module, req); + } + + for (i=0; i < req->op.add.message->num_elements; i++) { + const struct ldb_message_element *el = &req->op.add.message->elements[i]; + const struct dsdb_attribute *schema_attr + = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name); + if (!schema_attr) { + continue; + } + + /* We only setup an extended DN GUID on these particular DN objects */ + if (strcmp(schema_attr->attributeSyntax_oid, "2.5.5.1") != 0) { + continue; + } + + /* Before we setup a procedure to modify the incoming message, we must copy it */ + if (!ac->new_req) { + struct ldb_message *msg = ldb_msg_copy(ac, req->op.add.message); + if (!msg) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_build_add_req(&ac->new_req, module->ldb, ac, msg, req->controls, ac, extended_final_callback, req); + if (ret != LDB_SUCCESS) { + return ret; + } + } + /* Re-calculate el */ + el = &ac->new_req->op.add.message->elements[i]; + for (j = 0; j < el->num_values; j++) { + ret = extended_store_replace(ac, ac->new_req->op.add.message->elements, &el->values[j]); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + + /* if DNs were set continue */ + if (ac->ops == NULL) { + talloc_free(ac); + return ldb_next_request(module, req); + } + + /* start with the searches */ + return ldb_next_request(module, ac->ops->search_req); +} + +/* modify */ +static int extended_dn_modify(struct ldb_module *module, struct ldb_request *req) +{ + /* Look over list of modifications */ + /* Find if any are for linked attributes */ + /* Determine the effect of the modification */ + /* Apply the modify to the linked entry */ + + int i, j; + struct extended_dn_context *ac; + int ret; + + if (ldb_dn_is_special(req->op.mod.message->dn)) { + /* do not manipulate our control entries */ + return ldb_next_request(module, req); + } + + ac = extended_dn_context_init(module, req); + if (!ac) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (!ac->schema) { + /* without schema, this doesn't make any sense */ + return ldb_next_request(module, req); + } + + for (i=0; i < req->op.mod.message->num_elements; i++) { + const struct ldb_message_element *el = &req->op.mod.message->elements[i]; + const struct dsdb_attribute *schema_attr + = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name); + if (!schema_attr) { + continue; + } + + /* We only setup an extended DN GUID on these particular DN objects */ + if (strcmp(schema_attr->attributeSyntax_oid, "2.5.5.1") != 0) { + continue; + } + + /* Before we setup a procedure to modify the incoming message, we must copy it */ + if (!ac->new_req) { + struct ldb_message *msg = ldb_msg_copy(ac, req->op.mod.message); + if (!msg) { + ldb_oom(module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_build_mod_req(&ac->new_req, module->ldb, ac, msg, req->controls, ac, extended_final_callback, req); + if (ret != LDB_SUCCESS) { + return ret; + } + } + /* Re-calculate el */ + el = &ac->new_req->op.mod.message->elements[i]; + /* For each value being added, we need to setup the lookups to fill in the extended DN */ + for (j = 0; j < el->num_values; j++) { + struct ldb_dn *dn = ldb_dn_from_ldb_val(ac, module->ldb, &el->values[j]); + if (!dn || !ldb_dn_validate(dn)) { + ldb_asprintf_errstring(module->ldb, + "could not parse attribute %s as a DN", el->name); + return LDB_ERR_INVALID_DN_SYNTAX; + } + if (((el->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE) && !ldb_dn_has_extended(dn)) { + /* NO need to figure this DN out, it's going to be deleted anyway */ + continue; + } + ret = extended_store_replace(ac, req->op.mod.message->elements, &el->values[j]); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + + /* if DNs were set continue */ + if (ac->ops == NULL) { + talloc_free(ac); + return ldb_next_request(module, req); + } + + /* start with the searches */ + return ldb_next_request(module, ac->ops->search_req); +} + +_PUBLIC_ const struct ldb_module_ops ldb_extended_dn_store_module_ops = { + .name = "extended_dn_store", + .add = extended_dn_add, + .modify = extended_dn_modify, +}; diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index 570221ee25..efc467865c 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -59,6 +59,11 @@ struct dsdb_control_current_partition { #define DSDB_CONTROL_REPLICATED_UPDATE_OID "1.3.6.1.4.1.7165.4.3.3" /* DSDB_CONTROL_REPLICATED_UPDATE_OID has NULL data */ +#define DSDB_CONTROL_DN_STORAGE_FORMAT_OID "1.3.6.1.4.1.7165.4.3.4" +/* DSDB_CONTROL_DN_STORAGE_FORMAT_OID has NULL data and behaves very + * much like LDB_CONTROL_EXTENDED_DN_OID when the DB stores an + * extended DN, and otherwise returns normal DNs */ + #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1" struct dsdb_extended_replicated_object { struct ldb_message *msg; -- cgit From 12a7eeeaf4a21329a124d467e2d6616467fa17d1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Dec 2008 09:23:07 +0100 Subject: s4:dsdb: remove normalise module The extended_dn_out module provides the functionality now. Signed-off-by: Stefan Metzmacher --- source4/dsdb/samdb/ldb_modules/config.mk | 12 -- source4/dsdb/samdb/ldb_modules/normalise.c | 194 ----------------------------- 2 files changed, 206 deletions(-) delete mode 100644 source4/dsdb/samdb/ldb_modules/normalise.c (limited to 'source4/dsdb') diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index 19375bb923..1c50923eba 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -311,18 +311,6 @@ SUBSYSTEM = LIBLDB ldb_anr_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/anr.o -################################################ -# Start MODULE ldb_normalise -[MODULE::ldb_normalise] -INIT_FUNCTION = LDB_MODULE(normalise) -CFLAGS = -Ilib/ldb/include -PRIVATE_DEPENDENCIES = LIBTALLOC LIBEVENTS LIBSAMBA-UTIL SAMDB -SUBSYSTEM = LIBLDB -# End MODULE ldb_normalise -################################################ - -ldb_normalise_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/normalise.o - ################################################ # Start MODULE ldb_instancetype [MODULE::ldb_instancetype] diff --git a/source4/dsdb/samdb/ldb_modules/normalise.c b/source4/dsdb/samdb/ldb_modules/normalise.c deleted file mode 100644 index 9ead1612db..0000000000 --- a/source4/dsdb/samdb/ldb_modules/normalise.c +++ /dev/null @@ -1,194 +0,0 @@ -/* - ldb database library - - Copyright (C) Amdrew Bartlett 2007-2008 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -/* - * Name: ldb - * - * Component: ldb normalisation module - * - * Description: module to ensure all DNs and attribute names are normalised - * - * Author: Andrew Bartlett - */ - -#include "includes.h" -#include "ldb/include/ldb.h" -#include "ldb/include/ldb_errors.h" -#include "ldb/include/ldb_private.h" -#include "dsdb/samdb/samdb.h" - -/* Fix up the DN to be in the standard form, taking particular care to match the parent DN - - This should mean that if the parent is: - CN=Users,DC=samba,DC=example,DC=com - and a proposed child is - cn=Admins ,cn=USERS,dc=Samba,dc=example,dc=COM - - The resulting DN should be: - - CN=Admins,CN=Users,DC=samba,DC=example,DC=com - - */ - -struct norm_context { - struct ldb_module *module; - struct ldb_request *req; - - const struct dsdb_schema *schema; -}; - -static int fix_dn(struct ldb_dn *dn) -{ - int i, ret; - char *upper_rdn_attr; - - for (i=0; i < ldb_dn_get_comp_num(dn); i++) { - /* We need the attribute name in upper case */ - upper_rdn_attr = strupper_talloc(dn, - ldb_dn_get_component_name(dn, i)); - if (!upper_rdn_attr) { - return LDB_ERR_OPERATIONS_ERROR; - } - - /* And replace it with CN=foo (we need the attribute in upper case */ - ret = ldb_dn_set_component(dn, i, upper_rdn_attr, - *ldb_dn_get_component_val(dn, i)); - talloc_free(upper_rdn_attr); - if (ret != LDB_SUCCESS) { - return ret; - } - } - return LDB_SUCCESS; -} - -static int normalize_search_callback(struct ldb_request *req, struct ldb_reply *ares) -{ - struct ldb_message *msg; - struct norm_context *ac; - int i, j, ret; - - ac = talloc_get_type(req->context, struct norm_context); - - if (!ares) { - return ldb_module_done(ac->req, NULL, NULL, - LDB_ERR_OPERATIONS_ERROR); - } - if (ares->error != LDB_SUCCESS) { - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - /* Only entries are interesting, and we handle the case of the parent seperatly */ - - switch (ares->type) { - case LDB_REPLY_ENTRY: - - /* OK, we have one of *many* search results passing by here, - * but we should get them one at a time */ - msg = ares->message; - - ret = fix_dn(msg->dn); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); - } - - for (i = 0; i < msg->num_elements; i++) { - const struct dsdb_attribute *attribute = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); - if (!attribute) { - continue; - } - /* Look to see if this attributeSyntax is a DN */ - if (!((strcmp(attribute->attributeSyntax_oid, "2.5.5.1") == 0) || - (strcmp(attribute->attributeSyntax_oid, "2.5.5.7") == 0))) { - continue; - } - for (j = 0; j < msg->elements[i].num_values; j++) { - const char *dn_str; - struct ldb_dn *dn = ldb_dn_from_ldb_val(ac, ac->module->ldb, &msg->elements[i].values[j]); - if (!dn) { - return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); - } - ret = fix_dn(dn); - if (ret != LDB_SUCCESS) { - return ldb_module_done(ac->req, NULL, NULL, ret); - } - dn_str = talloc_steal(msg->elements[i].values, ldb_dn_get_linearized(dn)); - msg->elements[i].values[j] = data_blob_string_const(dn_str); - talloc_free(dn); - } - } - - return ldb_module_send_entry(ac->req, msg, ares->controls); - - case LDB_REPLY_REFERRAL: - - return ldb_module_send_referral(ac->req, ares->referral); - - case LDB_REPLY_DONE: - - return ldb_module_done(ac->req, ares->controls, - ares->response, ares->error); - } - - return LDB_SUCCESS; -} - -/* search */ -static int normalise_search(struct ldb_module *module, struct ldb_request *req) -{ - struct ldb_request *down_req; - struct norm_context *ac; - int ret; - - ac = talloc(req, struct norm_context); - if (ac == NULL) { - return LDB_ERR_OPERATIONS_ERROR; - } - - ac->module = module; - ac->req = req; - - /* if schema not yet present just skip over */ - ac->schema = dsdb_get_schema(ac->module->ldb); - if (ac->schema == NULL) { - talloc_free(ac); - return ldb_next_request(module, req); - } - - ret = ldb_build_search_req_ex(&down_req, module->ldb, ac, - req->op.search.base, - req->op.search.scope, - req->op.search.tree, - req->op.search.attrs, - req->controls, - ac, normalize_search_callback, - req); - if (ret != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; - } - - return ldb_next_request(module, down_req); -} - - - -_PUBLIC_ const struct ldb_module_ops ldb_normalise_module_ops = { - .name = "normalise", - .search = normalise_search, -}; -- cgit