From 4a4cdc990cdc9e29b63fd28c5aa58ae1b47ed174 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 11 Sep 2007 16:06:32 +0000 Subject: r25084: Move samba-specific code out of lib/ldb directory. (This used to be commit 917bd737cb07817664d9088860588d47525f5ff8) --- source4/lib/basic.mk | 1 + source4/lib/db_wrap.c | 2 +- source4/lib/ldb-samba/README | 7 + source4/lib/ldb-samba/config.mk | 12 + source4/lib/ldb-samba/ldif_handlers.c | 474 ++++++++++++++++++++++++++++++++++ source4/lib/ldb/common/ldb_modules.c | 1 - source4/lib/ldb/config.mk | 2 - source4/lib/ldb/ldb_tdb/ldb_tdb.h | 9 +- source4/lib/ldb/samba/README | 7 - source4/lib/ldb/samba/config.mk | 12 - source4/lib/ldb/samba/ldif_handlers.c | 474 ---------------------------------- source4/lib/ldb/tools/cmdline.c | 2 +- 12 files changed, 497 insertions(+), 506 deletions(-) create mode 100644 source4/lib/ldb-samba/README create mode 100644 source4/lib/ldb-samba/config.mk create mode 100644 source4/lib/ldb-samba/ldif_handlers.c delete mode 100644 source4/lib/ldb/samba/README delete mode 100644 source4/lib/ldb/samba/config.mk delete mode 100644 source4/lib/ldb/samba/ldif_handlers.c (limited to 'source4/lib') diff --git a/source4/lib/basic.mk b/source4/lib/basic.mk index e993207b00..713fdcede9 100644 --- a/source4/lib/basic.mk +++ b/source4/lib/basic.mk @@ -3,6 +3,7 @@ include samba3/config.mk include socket/config.mk include charset/config.mk include ldb/config.mk +include ldb-samba/config.mk include tls/config.mk include registry/config.mk include policy/config.mk diff --git a/source4/lib/db_wrap.c b/source4/lib/db_wrap.c index ad797fe6a0..92e4758f44 100644 --- a/source4/lib/db_wrap.c +++ b/source4/lib/db_wrap.c @@ -32,7 +32,7 @@ #include "lib/tdb/include/tdb.h" #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" -#include "lib/ldb/samba/ldif_handlers.h" +#include "lib/ldb-samba/ldif_handlers.h" #include "db_wrap.h" #include "dsdb/samdb/samdb.h" #include "param/param.h" diff --git a/source4/lib/ldb-samba/README b/source4/lib/ldb-samba/README new file mode 100644 index 0000000000..3fa47159ca --- /dev/null +++ b/source4/lib/ldb-samba/README @@ -0,0 +1,7 @@ +This directory contains Samba specific extensions to ldb. It also +serves as example code on how to extend ldb for your own application. + +The main extension Samba uses is to provide ldif encode/decode +routines for specific attributes, so users can get nice pretty +printing of attributes in ldbedit, while the attributes are stored in +the standard NDR format in the database. diff --git a/source4/lib/ldb-samba/config.mk b/source4/lib/ldb-samba/config.mk new file mode 100644 index 0000000000..d29b3f319c --- /dev/null +++ b/source4/lib/ldb-samba/config.mk @@ -0,0 +1,12 @@ +################################################ +# Start SUBSYSTEM LDBSAMBA +[SUBSYSTEM::LDBSAMBA] +PUBLIC_DEPENDENCIES = LIBLDB +PRIVATE_PROTO_HEADER = ldif_handlers.h +PRIVATE_DEPENDENCIES = LIBSECURITY SAMDB +OBJ_FILES = \ + ldif_handlers.o +# End SUBSYSTEM LDBSAMBA +################################################ + + diff --git a/source4/lib/ldb-samba/ldif_handlers.c b/source4/lib/ldb-samba/ldif_handlers.c new file mode 100644 index 0000000000..cfd79563d5 --- /dev/null +++ b/source4/lib/ldb-samba/ldif_handlers.c @@ -0,0 +1,474 @@ +/* + ldb database library - ldif handlers for Samba + + Copyright (C) Andrew Tridgell 2005 + Copyright (C) Andrew Bartlett 2006-2007 + ** NOTE! The following LGPL license applies to the ldb + ** library. This does NOT imply that all of Samba is released + ** under the LGPL + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, see . +*/ + +#include "includes.h" +#include "ldb_includes.h" +#include "ldb_handlers.h" + +#include "librpc/gen_ndr/ndr_security.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "dsdb/samdb/samdb.h" +#include "libcli/security/security.h" + +/* + convert a ldif formatted objectSid to a NDR formatted blob +*/ +static int ldif_read_objectSid(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct dom_sid *sid; + NTSTATUS status; + sid = dom_sid_parse_talloc(mem_ctx, (const char *)in->data); + if (sid == NULL) { + return -1; + } + status = ndr_push_struct_blob(out, mem_ctx, sid, + (ndr_push_flags_fn_t)ndr_push_dom_sid); + talloc_free(sid); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return 0; +} + +/* + convert a NDR formatted blob to a ldif formatted objectSid +*/ +static int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct dom_sid *sid; + NTSTATUS status; + sid = talloc(mem_ctx, struct dom_sid); + if (sid == NULL) { + return -1; + } + status = ndr_pull_struct_blob(in, sid, sid, + (ndr_pull_flags_fn_t)ndr_pull_dom_sid); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(sid); + return -1; + } + out->data = (uint8_t *)dom_sid_string(mem_ctx, sid); + talloc_free(sid); + if (out->data == NULL) { + return -1; + } + out->length = strlen((const char *)out->data); + return 0; +} + +static BOOL ldb_comparision_objectSid_isString(const struct ldb_val *v) +{ + if (v->length < 3) { + return False; + } + + if (strncmp("S-", (const char *)v->data, 2) != 0) return False; + + return True; +} + +/* + compare two objectSids +*/ +static int ldb_comparison_objectSid(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *v1, const struct ldb_val *v2) +{ + if (ldb_comparision_objectSid_isString(v1) && ldb_comparision_objectSid_isString(v2)) { + return strcmp((const char *)v1->data, (const char *)v2->data); + } else if (ldb_comparision_objectSid_isString(v1) + && !ldb_comparision_objectSid_isString(v2)) { + struct ldb_val v; + int ret; + if (ldif_read_objectSid(ldb, mem_ctx, v1, &v) != 0) { + return -1; + } + ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2); + talloc_free(v.data); + return ret; + } else if (!ldb_comparision_objectSid_isString(v1) + && ldb_comparision_objectSid_isString(v2)) { + struct ldb_val v; + int ret; + if (ldif_read_objectSid(ldb, mem_ctx, v2, &v) != 0) { + return -1; + } + ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v); + talloc_free(v.data); + return ret; + } + return ldb_comparison_binary(ldb, mem_ctx, v1, v2); +} + +/* + canonicalise a objectSid +*/ +static int ldb_canonicalise_objectSid(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + if (ldb_comparision_objectSid_isString(in)) { + return ldif_read_objectSid(ldb, mem_ctx, in, out); + } + return ldb_handler_copy(ldb, mem_ctx, in, out); +} + +/* + convert a ldif formatted objectGUID to a NDR formatted blob +*/ +static int ldif_read_objectGUID(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct GUID guid; + NTSTATUS status; + + status = GUID_from_string((const char *)in->data, &guid); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + + status = ndr_push_struct_blob(out, mem_ctx, &guid, + (ndr_push_flags_fn_t)ndr_push_GUID); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return 0; +} + +/* + convert a NDR formatted blob to a ldif formatted objectGUID +*/ +static int ldif_write_objectGUID(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct GUID guid; + NTSTATUS status; + status = ndr_pull_struct_blob(in, mem_ctx, &guid, + (ndr_pull_flags_fn_t)ndr_pull_GUID); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + out->data = (uint8_t *)GUID_string(mem_ctx, &guid); + if (out->data == NULL) { + return -1; + } + out->length = strlen((const char *)out->data); + return 0; +} + +static BOOL ldb_comparision_objectGUID_isString(const struct ldb_val *v) +{ + struct GUID guid; + NTSTATUS status; + + if (v->length < 33) return False; + + /* see if the input if null-terninated (safety check for the below) */ + if (v->data[v->length] != '\0') return False; + + status = GUID_from_string((const char *)v->data, &guid); + if (!NT_STATUS_IS_OK(status)) { + return False; + } + + return True; +} + +/* + compare two objectGUIDs +*/ +static int ldb_comparison_objectGUID(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *v1, const struct ldb_val *v2) +{ + if (ldb_comparision_objectGUID_isString(v1) && ldb_comparision_objectGUID_isString(v2)) { + return strcmp((const char *)v1->data, (const char *)v2->data); + } else if (ldb_comparision_objectGUID_isString(v1) + && !ldb_comparision_objectGUID_isString(v2)) { + struct ldb_val v; + int ret; + if (ldif_read_objectGUID(ldb, mem_ctx, v1, &v) != 0) { + return -1; + } + ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2); + talloc_free(v.data); + return ret; + } else if (!ldb_comparision_objectGUID_isString(v1) + && ldb_comparision_objectGUID_isString(v2)) { + struct ldb_val v; + int ret; + if (ldif_read_objectGUID(ldb, mem_ctx, v2, &v) != 0) { + return -1; + } + ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v); + talloc_free(v.data); + return ret; + } + return ldb_comparison_binary(ldb, mem_ctx, v1, v2); +} + +/* + canonicalise a objectGUID +*/ +static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + if (ldb_comparision_objectGUID_isString(in)) { + return ldif_read_objectGUID(ldb, mem_ctx, in, out); + } + return ldb_handler_copy(ldb, mem_ctx, in, out); +} + + +/* + convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob +*/ +static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct security_descriptor *sd; + NTSTATUS status; + + sd = sddl_decode(mem_ctx, (const char *)in->data, NULL); + if (sd == NULL) { + return -1; + } + status = ndr_push_struct_blob(out, mem_ctx, sd, + (ndr_push_flags_fn_t)ndr_push_security_descriptor); + talloc_free(sd); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return 0; +} + +/* + convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format) +*/ +static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct security_descriptor *sd; + NTSTATUS status; + + sd = talloc(mem_ctx, struct security_descriptor); + if (sd == NULL) { + return -1; + } + status = ndr_pull_struct_blob(in, sd, sd, + (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(sd); + return -1; + } + out->data = (uint8_t *)sddl_encode(mem_ctx, sd, NULL); + talloc_free(sd); + if (out->data == NULL) { + return -1; + } + out->length = strlen((const char *)out->data); + return 0; +} + +/* + canonicolise an objectCategory. We use the short form as the cannoical form: + cn=Person,cn=Schema,cn=Configuration, becomes 'person' +*/ + +static int ldif_canonicalise_objectCategory(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct ldb_dn *dn1 = NULL; + const struct dsdb_schema *schema = dsdb_get_schema(ldb); + const struct dsdb_class *class; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (!schema) { + *out = data_blob_talloc(mem_ctx, in->data, in->length); + if (in->data && !out->data) { + return LDB_ERR_OPERATIONS_ERROR; + } + return LDB_SUCCESS; + } + dn1 = ldb_dn_new(tmp_ctx, ldb, (char *)in->data); + if ( ! ldb_dn_validate(dn1)) { + const char *lDAPDisplayName = talloc_strndup(tmp_ctx, (char *)in->data, in->length); + class = dsdb_class_by_lDAPDisplayName(schema, lDAPDisplayName); + if (class) { + struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb, + class->defaultObjectCategory); + *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn)); + talloc_free(tmp_ctx); + + if (!out->data) { + return LDB_ERR_OPERATIONS_ERROR; + } + return LDB_SUCCESS; + } else { + *out = data_blob_talloc(mem_ctx, in->data, in->length); + talloc_free(tmp_ctx); + + if (in->data && !out->data) { + return LDB_ERR_OPERATIONS_ERROR; + } + return LDB_SUCCESS; + } + } + *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn1)); + talloc_free(tmp_ctx); + + if (!out->data) { + return LDB_ERR_OPERATIONS_ERROR; + } + return LDB_SUCCESS; +} + +static int ldif_comparison_objectCategory(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *v1, + const struct ldb_val *v2) +{ + + int ret, ret1, ret2; + struct ldb_val v1_canon, v2_canon; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + + /* I could try and bail if tmp_ctx was NULL, but what return + * value would I use? + * + * It seems easier to continue on the NULL context + */ + ret1 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v1, &v1_canon); + ret2 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v2, &v2_canon); + + if (ret1 == LDB_SUCCESS && ret2 == LDB_SUCCESS) { + ret = data_blob_cmp(&v1_canon, &v2_canon); + } else { + ret = data_blob_cmp(v1, v2); + } + talloc_free(tmp_ctx); + return ret; +} + +#define LDB_SYNTAX_SAMBA_SID "LDB_SYNTAX_SAMBA_SID" +#define LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR "LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR" +#define LDB_SYNTAX_SAMBA_GUID "LDB_SYNTAX_SAMBA_GUID" +#define LDB_SYNTAX_SAMBA_OBJECT_CATEGORY "LDB_SYNTAX_SAMBA_OBJECT_CATEGORY" + +static const struct ldb_schema_syntax samba_syntaxes[] = { + { + .name = LDB_SYNTAX_SAMBA_SID, + .ldif_read_fn = ldif_read_objectSid, + .ldif_write_fn = ldif_write_objectSid, + .canonicalise_fn= ldb_canonicalise_objectSid, + .comparison_fn = ldb_comparison_objectSid + },{ + .name = LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR, + .ldif_read_fn = ldif_read_ntSecurityDescriptor, + .ldif_write_fn = ldif_write_ntSecurityDescriptor, + .canonicalise_fn= ldb_handler_copy, + .comparison_fn = ldb_comparison_binary + },{ + .name = LDB_SYNTAX_SAMBA_GUID, + .ldif_read_fn = ldif_read_objectGUID, + .ldif_write_fn = ldif_write_objectGUID, + .canonicalise_fn= ldb_canonicalise_objectGUID, + .comparison_fn = ldb_comparison_objectGUID + },{ + .name = LDB_SYNTAX_SAMBA_OBJECT_CATEGORY, + .ldif_read_fn = ldb_handler_copy, + .ldif_write_fn = ldb_handler_copy, + .canonicalise_fn= ldif_canonicalise_objectCategory, + .comparison_fn = ldif_comparison_objectCategory + } +}; + +static const struct { + const char *name; + const char *syntax; +} samba_attributes[] = { + { "objectSid", LDB_SYNTAX_SAMBA_SID }, + { "securityIdentifier", LDB_SYNTAX_SAMBA_SID }, + { "ntSecurityDescriptor", LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR }, + { "objectGUID", LDB_SYNTAX_SAMBA_GUID }, + { "invocationId", LDB_SYNTAX_SAMBA_GUID }, + { "schemaIDGUID", LDB_SYNTAX_SAMBA_GUID }, + { "attributeSecurityGUID", LDB_SYNTAX_SAMBA_GUID }, + { "parentGUID", LDB_SYNTAX_SAMBA_GUID }, + { "siteGUID", LDB_SYNTAX_SAMBA_GUID }, + { "pKTGUID", LDB_SYNTAX_SAMBA_GUID }, + { "fRSVersionGUID", LDB_SYNTAX_SAMBA_GUID }, + { "fRSReplicaSetGUID", LDB_SYNTAX_SAMBA_GUID }, + { "netbootGUID", LDB_SYNTAX_SAMBA_GUID }, + { "objectCategory", LDB_SYNTAX_SAMBA_OBJECT_CATEGORY }, + { "member", LDB_SYNTAX_DN }, + { "memberOf", LDB_SYNTAX_DN }, + { "nCName", LDB_SYNTAX_DN }, + { "schemaNamingContext", LDB_SYNTAX_DN }, + { "configurationNamingContext", LDB_SYNTAX_DN }, + { "rootDomainNamingContext", LDB_SYNTAX_DN }, + { "defaultNamingContext", LDB_SYNTAX_DN }, + { "subRefs", LDB_SYNTAX_DN }, + { "dMDLocation", LDB_SYNTAX_DN }, + { "serverReference", LDB_SYNTAX_DN }, + { "masteredBy", LDB_SYNTAX_DN }, + { "msDs-masteredBy", LDB_SYNTAX_DN }, + { "fSMORoleOwner", LDB_SYNTAX_DN }, +}; + +/* + register the samba ldif handlers +*/ +int ldb_register_samba_handlers(struct ldb_context *ldb) +{ + uint32_t i; + + for (i=0; i < ARRAY_SIZE(samba_attributes); i++) { + int ret; + uint32_t j; + const struct ldb_schema_syntax *s = NULL; + + for (j=0; j < ARRAY_SIZE(samba_syntaxes); j++) { + if (strcmp(samba_attributes[i].syntax, samba_syntaxes[j].name) == 0) { + s = &samba_syntaxes[j]; + break; + } + } + + if (!s) { + s = ldb_standard_syntax_by_name(ldb, samba_attributes[i].syntax); + } + + if (!s) { + return -1; + } + + ret = ldb_schema_attribute_add_with_syntax(ldb, samba_attributes[i].name, 0, s); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + return LDB_SUCCESS; +} diff --git a/source4/lib/ldb/common/ldb_modules.c b/source4/lib/ldb/common/ldb_modules.c index b279af98f6..9f94c90c92 100644 --- a/source4/lib/ldb/common/ldb_modules.c +++ b/source4/lib/ldb/common/ldb_modules.c @@ -36,7 +36,6 @@ #if (_SAMBA_BUILD_ >= 4) #include "includes.h" #include "build.h" -#include "dynconfig.h" #endif #define LDB_MODULE_PREFIX "modules:" diff --git a/source4/lib/ldb/config.mk b/source4/lib/ldb/config.mk index ec74599fd8..dcc66d3bb0 100644 --- a/source4/lib/ldb/config.mk +++ b/source4/lib/ldb/config.mk @@ -312,5 +312,3 @@ LIBRARY_REALNAME = swig/_ldb.$(SHLIBEXT) OBJ_FILES = swig/ldb_wrap.o # End LIBRARY swig_ldb ####################### - -include samba/config.mk diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.h b/source4/lib/ldb/ldb_tdb/ldb_tdb.h index 956f18688b..61b5f789d7 100644 --- a/source4/lib/ldb/ldb_tdb/ldb_tdb.h +++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.h @@ -1,11 +1,4 @@ - -#ifdef _SAMBA_BUILD_ -#include "system/filesys.h" -#endif - -#if (_SAMBA_BUILD_ >= 4) -#include "lib/tdb/include/tdb.h" -#elif defined(_SAMBA_BUILD_) +#if (_SAMBA_BUILD_ == 3) #include "tdb/include/tdb.h" #else #include "tdb.h" diff --git a/source4/lib/ldb/samba/README b/source4/lib/ldb/samba/README deleted file mode 100644 index 3fa47159ca..0000000000 --- a/source4/lib/ldb/samba/README +++ /dev/null @@ -1,7 +0,0 @@ -This directory contains Samba specific extensions to ldb. It also -serves as example code on how to extend ldb for your own application. - -The main extension Samba uses is to provide ldif encode/decode -routines for specific attributes, so users can get nice pretty -printing of attributes in ldbedit, while the attributes are stored in -the standard NDR format in the database. diff --git a/source4/lib/ldb/samba/config.mk b/source4/lib/ldb/samba/config.mk deleted file mode 100644 index d29b3f319c..0000000000 --- a/source4/lib/ldb/samba/config.mk +++ /dev/null @@ -1,12 +0,0 @@ -################################################ -# Start SUBSYSTEM LDBSAMBA -[SUBSYSTEM::LDBSAMBA] -PUBLIC_DEPENDENCIES = LIBLDB -PRIVATE_PROTO_HEADER = ldif_handlers.h -PRIVATE_DEPENDENCIES = LIBSECURITY SAMDB -OBJ_FILES = \ - ldif_handlers.o -# End SUBSYSTEM LDBSAMBA -################################################ - - diff --git a/source4/lib/ldb/samba/ldif_handlers.c b/source4/lib/ldb/samba/ldif_handlers.c deleted file mode 100644 index cfd79563d5..0000000000 --- a/source4/lib/ldb/samba/ldif_handlers.c +++ /dev/null @@ -1,474 +0,0 @@ -/* - ldb database library - ldif handlers for Samba - - Copyright (C) Andrew Tridgell 2005 - Copyright (C) Andrew Bartlett 2006-2007 - ** NOTE! The following LGPL license applies to the ldb - ** library. This does NOT imply that all of Samba is released - ** under the LGPL - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 3 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, see . -*/ - -#include "includes.h" -#include "ldb_includes.h" -#include "ldb_handlers.h" - -#include "librpc/gen_ndr/ndr_security.h" -#include "librpc/gen_ndr/ndr_misc.h" -#include "dsdb/samdb/samdb.h" -#include "libcli/security/security.h" - -/* - convert a ldif formatted objectSid to a NDR formatted blob -*/ -static int ldif_read_objectSid(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - struct dom_sid *sid; - NTSTATUS status; - sid = dom_sid_parse_talloc(mem_ctx, (const char *)in->data); - if (sid == NULL) { - return -1; - } - status = ndr_push_struct_blob(out, mem_ctx, sid, - (ndr_push_flags_fn_t)ndr_push_dom_sid); - talloc_free(sid); - if (!NT_STATUS_IS_OK(status)) { - return -1; - } - return 0; -} - -/* - convert a NDR formatted blob to a ldif formatted objectSid -*/ -static int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - struct dom_sid *sid; - NTSTATUS status; - sid = talloc(mem_ctx, struct dom_sid); - if (sid == NULL) { - return -1; - } - status = ndr_pull_struct_blob(in, sid, sid, - (ndr_pull_flags_fn_t)ndr_pull_dom_sid); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(sid); - return -1; - } - out->data = (uint8_t *)dom_sid_string(mem_ctx, sid); - talloc_free(sid); - if (out->data == NULL) { - return -1; - } - out->length = strlen((const char *)out->data); - return 0; -} - -static BOOL ldb_comparision_objectSid_isString(const struct ldb_val *v) -{ - if (v->length < 3) { - return False; - } - - if (strncmp("S-", (const char *)v->data, 2) != 0) return False; - - return True; -} - -/* - compare two objectSids -*/ -static int ldb_comparison_objectSid(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *v1, const struct ldb_val *v2) -{ - if (ldb_comparision_objectSid_isString(v1) && ldb_comparision_objectSid_isString(v2)) { - return strcmp((const char *)v1->data, (const char *)v2->data); - } else if (ldb_comparision_objectSid_isString(v1) - && !ldb_comparision_objectSid_isString(v2)) { - struct ldb_val v; - int ret; - if (ldif_read_objectSid(ldb, mem_ctx, v1, &v) != 0) { - return -1; - } - ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2); - talloc_free(v.data); - return ret; - } else if (!ldb_comparision_objectSid_isString(v1) - && ldb_comparision_objectSid_isString(v2)) { - struct ldb_val v; - int ret; - if (ldif_read_objectSid(ldb, mem_ctx, v2, &v) != 0) { - return -1; - } - ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v); - talloc_free(v.data); - return ret; - } - return ldb_comparison_binary(ldb, mem_ctx, v1, v2); -} - -/* - canonicalise a objectSid -*/ -static int ldb_canonicalise_objectSid(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - if (ldb_comparision_objectSid_isString(in)) { - return ldif_read_objectSid(ldb, mem_ctx, in, out); - } - return ldb_handler_copy(ldb, mem_ctx, in, out); -} - -/* - convert a ldif formatted objectGUID to a NDR formatted blob -*/ -static int ldif_read_objectGUID(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - struct GUID guid; - NTSTATUS status; - - status = GUID_from_string((const char *)in->data, &guid); - if (!NT_STATUS_IS_OK(status)) { - return -1; - } - - status = ndr_push_struct_blob(out, mem_ctx, &guid, - (ndr_push_flags_fn_t)ndr_push_GUID); - if (!NT_STATUS_IS_OK(status)) { - return -1; - } - return 0; -} - -/* - convert a NDR formatted blob to a ldif formatted objectGUID -*/ -static int ldif_write_objectGUID(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - struct GUID guid; - NTSTATUS status; - status = ndr_pull_struct_blob(in, mem_ctx, &guid, - (ndr_pull_flags_fn_t)ndr_pull_GUID); - if (!NT_STATUS_IS_OK(status)) { - return -1; - } - out->data = (uint8_t *)GUID_string(mem_ctx, &guid); - if (out->data == NULL) { - return -1; - } - out->length = strlen((const char *)out->data); - return 0; -} - -static BOOL ldb_comparision_objectGUID_isString(const struct ldb_val *v) -{ - struct GUID guid; - NTSTATUS status; - - if (v->length < 33) return False; - - /* see if the input if null-terninated (safety check for the below) */ - if (v->data[v->length] != '\0') return False; - - status = GUID_from_string((const char *)v->data, &guid); - if (!NT_STATUS_IS_OK(status)) { - return False; - } - - return True; -} - -/* - compare two objectGUIDs -*/ -static int ldb_comparison_objectGUID(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *v1, const struct ldb_val *v2) -{ - if (ldb_comparision_objectGUID_isString(v1) && ldb_comparision_objectGUID_isString(v2)) { - return strcmp((const char *)v1->data, (const char *)v2->data); - } else if (ldb_comparision_objectGUID_isString(v1) - && !ldb_comparision_objectGUID_isString(v2)) { - struct ldb_val v; - int ret; - if (ldif_read_objectGUID(ldb, mem_ctx, v1, &v) != 0) { - return -1; - } - ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2); - talloc_free(v.data); - return ret; - } else if (!ldb_comparision_objectGUID_isString(v1) - && ldb_comparision_objectGUID_isString(v2)) { - struct ldb_val v; - int ret; - if (ldif_read_objectGUID(ldb, mem_ctx, v2, &v) != 0) { - return -1; - } - ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v); - talloc_free(v.data); - return ret; - } - return ldb_comparison_binary(ldb, mem_ctx, v1, v2); -} - -/* - canonicalise a objectGUID -*/ -static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - if (ldb_comparision_objectGUID_isString(in)) { - return ldif_read_objectGUID(ldb, mem_ctx, in, out); - } - return ldb_handler_copy(ldb, mem_ctx, in, out); -} - - -/* - convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob -*/ -static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - struct security_descriptor *sd; - NTSTATUS status; - - sd = sddl_decode(mem_ctx, (const char *)in->data, NULL); - if (sd == NULL) { - return -1; - } - status = ndr_push_struct_blob(out, mem_ctx, sd, - (ndr_push_flags_fn_t)ndr_push_security_descriptor); - talloc_free(sd); - if (!NT_STATUS_IS_OK(status)) { - return -1; - } - return 0; -} - -/* - convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format) -*/ -static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - struct security_descriptor *sd; - NTSTATUS status; - - sd = talloc(mem_ctx, struct security_descriptor); - if (sd == NULL) { - return -1; - } - status = ndr_pull_struct_blob(in, sd, sd, - (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(sd); - return -1; - } - out->data = (uint8_t *)sddl_encode(mem_ctx, sd, NULL); - talloc_free(sd); - if (out->data == NULL) { - return -1; - } - out->length = strlen((const char *)out->data); - return 0; -} - -/* - canonicolise an objectCategory. We use the short form as the cannoical form: - cn=Person,cn=Schema,cn=Configuration, becomes 'person' -*/ - -static int ldif_canonicalise_objectCategory(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *in, struct ldb_val *out) -{ - struct ldb_dn *dn1 = NULL; - const struct dsdb_schema *schema = dsdb_get_schema(ldb); - const struct dsdb_class *class; - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - return LDB_ERR_OPERATIONS_ERROR; - } - - if (!schema) { - *out = data_blob_talloc(mem_ctx, in->data, in->length); - if (in->data && !out->data) { - return LDB_ERR_OPERATIONS_ERROR; - } - return LDB_SUCCESS; - } - dn1 = ldb_dn_new(tmp_ctx, ldb, (char *)in->data); - if ( ! ldb_dn_validate(dn1)) { - const char *lDAPDisplayName = talloc_strndup(tmp_ctx, (char *)in->data, in->length); - class = dsdb_class_by_lDAPDisplayName(schema, lDAPDisplayName); - if (class) { - struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb, - class->defaultObjectCategory); - *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn)); - talloc_free(tmp_ctx); - - if (!out->data) { - return LDB_ERR_OPERATIONS_ERROR; - } - return LDB_SUCCESS; - } else { - *out = data_blob_talloc(mem_ctx, in->data, in->length); - talloc_free(tmp_ctx); - - if (in->data && !out->data) { - return LDB_ERR_OPERATIONS_ERROR; - } - return LDB_SUCCESS; - } - } - *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn1)); - talloc_free(tmp_ctx); - - if (!out->data) { - return LDB_ERR_OPERATIONS_ERROR; - } - return LDB_SUCCESS; -} - -static int ldif_comparison_objectCategory(struct ldb_context *ldb, void *mem_ctx, - const struct ldb_val *v1, - const struct ldb_val *v2) -{ - - int ret, ret1, ret2; - struct ldb_val v1_canon, v2_canon; - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - - /* I could try and bail if tmp_ctx was NULL, but what return - * value would I use? - * - * It seems easier to continue on the NULL context - */ - ret1 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v1, &v1_canon); - ret2 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v2, &v2_canon); - - if (ret1 == LDB_SUCCESS && ret2 == LDB_SUCCESS) { - ret = data_blob_cmp(&v1_canon, &v2_canon); - } else { - ret = data_blob_cmp(v1, v2); - } - talloc_free(tmp_ctx); - return ret; -} - -#define LDB_SYNTAX_SAMBA_SID "LDB_SYNTAX_SAMBA_SID" -#define LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR "LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR" -#define LDB_SYNTAX_SAMBA_GUID "LDB_SYNTAX_SAMBA_GUID" -#define LDB_SYNTAX_SAMBA_OBJECT_CATEGORY "LDB_SYNTAX_SAMBA_OBJECT_CATEGORY" - -static const struct ldb_schema_syntax samba_syntaxes[] = { - { - .name = LDB_SYNTAX_SAMBA_SID, - .ldif_read_fn = ldif_read_objectSid, - .ldif_write_fn = ldif_write_objectSid, - .canonicalise_fn= ldb_canonicalise_objectSid, - .comparison_fn = ldb_comparison_objectSid - },{ - .name = LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR, - .ldif_read_fn = ldif_read_ntSecurityDescriptor, - .ldif_write_fn = ldif_write_ntSecurityDescriptor, - .canonicalise_fn= ldb_handler_copy, - .comparison_fn = ldb_comparison_binary - },{ - .name = LDB_SYNTAX_SAMBA_GUID, - .ldif_read_fn = ldif_read_objectGUID, - .ldif_write_fn = ldif_write_objectGUID, - .canonicalise_fn= ldb_canonicalise_objectGUID, - .comparison_fn = ldb_comparison_objectGUID - },{ - .name = LDB_SYNTAX_SAMBA_OBJECT_CATEGORY, - .ldif_read_fn = ldb_handler_copy, - .ldif_write_fn = ldb_handler_copy, - .canonicalise_fn= ldif_canonicalise_objectCategory, - .comparison_fn = ldif_comparison_objectCategory - } -}; - -static const struct { - const char *name; - const char *syntax; -} samba_attributes[] = { - { "objectSid", LDB_SYNTAX_SAMBA_SID }, - { "securityIdentifier", LDB_SYNTAX_SAMBA_SID }, - { "ntSecurityDescriptor", LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR }, - { "objectGUID", LDB_SYNTAX_SAMBA_GUID }, - { "invocationId", LDB_SYNTAX_SAMBA_GUID }, - { "schemaIDGUID", LDB_SYNTAX_SAMBA_GUID }, - { "attributeSecurityGUID", LDB_SYNTAX_SAMBA_GUID }, - { "parentGUID", LDB_SYNTAX_SAMBA_GUID }, - { "siteGUID", LDB_SYNTAX_SAMBA_GUID }, - { "pKTGUID", LDB_SYNTAX_SAMBA_GUID }, - { "fRSVersionGUID", LDB_SYNTAX_SAMBA_GUID }, - { "fRSReplicaSetGUID", LDB_SYNTAX_SAMBA_GUID }, - { "netbootGUID", LDB_SYNTAX_SAMBA_GUID }, - { "objectCategory", LDB_SYNTAX_SAMBA_OBJECT_CATEGORY }, - { "member", LDB_SYNTAX_DN }, - { "memberOf", LDB_SYNTAX_DN }, - { "nCName", LDB_SYNTAX_DN }, - { "schemaNamingContext", LDB_SYNTAX_DN }, - { "configurationNamingContext", LDB_SYNTAX_DN }, - { "rootDomainNamingContext", LDB_SYNTAX_DN }, - { "defaultNamingContext", LDB_SYNTAX_DN }, - { "subRefs", LDB_SYNTAX_DN }, - { "dMDLocation", LDB_SYNTAX_DN }, - { "serverReference", LDB_SYNTAX_DN }, - { "masteredBy", LDB_SYNTAX_DN }, - { "msDs-masteredBy", LDB_SYNTAX_DN }, - { "fSMORoleOwner", LDB_SYNTAX_DN }, -}; - -/* - register the samba ldif handlers -*/ -int ldb_register_samba_handlers(struct ldb_context *ldb) -{ - uint32_t i; - - for (i=0; i < ARRAY_SIZE(samba_attributes); i++) { - int ret; - uint32_t j; - const struct ldb_schema_syntax *s = NULL; - - for (j=0; j < ARRAY_SIZE(samba_syntaxes); j++) { - if (strcmp(samba_attributes[i].syntax, samba_syntaxes[j].name) == 0) { - s = &samba_syntaxes[j]; - break; - } - } - - if (!s) { - s = ldb_standard_syntax_by_name(ldb, samba_attributes[i].syntax); - } - - if (!s) { - return -1; - } - - ret = ldb_schema_attribute_add_with_syntax(ldb, samba_attributes[i].name, 0, s); - if (ret != LDB_SUCCESS) { - return ret; - } - } - - return LDB_SUCCESS; -} diff --git a/source4/lib/ldb/tools/cmdline.c b/source4/lib/ldb/tools/cmdline.c index 08f5dc721f..2cf8212154 100644 --- a/source4/lib/ldb/tools/cmdline.c +++ b/source4/lib/ldb/tools/cmdline.c @@ -27,7 +27,7 @@ #if (_SAMBA_BUILD_ >= 4) #include "includes.h" #include "lib/cmdline/popt_common.h" -#include "lib/ldb/samba/ldif_handlers.h" +#include "lib/ldb-samba/ldif_handlers.h" #include "auth/gensec/gensec.h" #include "auth/auth.h" #include "db_wrap.h" -- cgit