2 ldb database library - ildap backend
4 Copyright (C) Andrew Tridgell 2005
5 Copyright (C) Simo Sorce 2008
7 ** NOTE! The following LGPL license applies to the ldb
8 ** library. This does NOT imply that all of Samba is released
11 This library is free software; you can redistribute it and/or
12 modify it under the terms of the GNU Lesser General Public
13 License as published by the Free Software Foundation; either
14 version 3 of the License, or (at your option) any later version.
16 This library is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public
22 License along with this library; if not, see <http://www.gnu.org/licenses/>.
28 * Component: ldb ildap backend
30 * Description: This is a ldb backend for the internal ldap
31 * client library in Samba4. By using this backend we are
32 * independent of a system ldap library
34 * Author: Andrew Tridgell
38 * - description: make the module use asynchronous calls
44 #include "ldb_module.h"
45 #include "util/dlinklist.h"
47 #include "libcli/ldap/libcli_ldap.h"
48 #include "libcli/ldap/ldap_client.h"
49 #include "auth/auth.h"
50 #include "auth/credentials/credentials.h"
51 #include "dsdb/common/util.h"
54 struct ldap_connection *ldap;
55 struct tevent_context *event_ctx;
59 struct ldb_module *module;
60 struct ldb_request *req;
62 struct ildb_private *ildb;
63 struct ldap_request *ireq;
65 /* indicate we are already processing
66 * the ldap_request in ildb_callback() */
67 bool in_ildb_callback;
71 struct ildb_destructor_ctx *dc;
74 static void ildb_request_done(struct ildb_context *ctx,
75 struct ldb_control **ctrls, int error)
77 struct ldb_context *ldb;
78 struct ldb_reply *ares;
80 ldb = ldb_module_get_ctx(ctx->module);
84 if (ctx->req == NULL) {
85 /* if the req has been freed already just return */
89 ares = talloc_zero(ctx->req, struct ldb_reply);
92 ctx->req->callback(ctx->req, NULL);
95 ares->type = LDB_REPLY_DONE;
96 ares->controls = talloc_steal(ares, ctrls);
99 ctx->req->callback(ctx->req, ares);
102 static void ildb_auto_done_callback(struct tevent_context *ev,
103 struct tevent_timer *te,
107 struct ildb_context *ac;
109 ac = talloc_get_type(private_data, struct ildb_context);
110 ildb_request_done(ac, NULL, LDB_SUCCESS);
114 convert a ldb_message structure to a list of ldap_mod structures
115 ready for ildap_add() or ildap_modify()
117 static struct ldap_mod **ildb_msg_to_mods(void *mem_ctx, unsigned int *num_mods,
118 const struct ldb_message *msg,
121 struct ldap_mod **mods;
125 /* allocate maximum number of elements needed */
126 mods = talloc_array(mem_ctx, struct ldap_mod *, msg->num_elements+1);
133 for (i = 0; i < msg->num_elements; i++) {
134 const struct ldb_message_element *el = &msg->elements[i];
136 mods[n] = talloc(mods, struct ldap_mod);
142 mods[n]->attrib = *el;
144 switch (el->flags & LDB_FLAG_MOD_MASK) {
145 case LDB_FLAG_MOD_ADD:
146 mods[n]->type = LDAP_MODIFY_ADD;
148 case LDB_FLAG_MOD_DELETE:
149 mods[n]->type = LDAP_MODIFY_DELETE;
151 case LDB_FLAG_MOD_REPLACE:
152 mods[n]->type = LDAP_MODIFY_REPLACE;
169 map an ildap NTSTATUS to a ldb error code
171 static int ildb_map_error(struct ldb_module *module, NTSTATUS status)
173 struct ildb_private *ildb;
174 struct ldb_context *ldb;
177 ildb = talloc_get_type(ldb_module_get_private(module), struct ildb_private);
178 ldb = ldb_module_get_ctx(module);
180 if (NT_STATUS_IS_OK(status)) {
184 mem_ctx = talloc_new(ildb);
187 return LDB_ERR_OPERATIONS_ERROR;
189 ldb_set_errstring(ldb,
190 ldap_errstr(ildb->ldap, mem_ctx, status));
191 talloc_free(mem_ctx);
192 if (NT_STATUS_IS_LDAP(status)) {
193 return NT_STATUS_LDAP_CODE(status);
195 return LDB_ERR_OPERATIONS_ERROR;
198 static void ildb_request_timeout(struct tevent_context *ev, struct tevent_timer *te,
199 struct timeval t, void *private_data)
201 struct ildb_context *ac = talloc_get_type(private_data, struct ildb_context);
203 if (ac->ireq->state == LDAP_REQUEST_PENDING) {
204 DLIST_REMOVE(ac->ireq->conn->pending, ac->ireq);
207 ildb_request_done(ac, NULL, LDB_ERR_TIME_LIMIT_EXCEEDED);
210 static void ildb_callback(struct ldap_request *req)
212 struct ldb_context *ldb;
213 struct ildb_context *ac;
215 struct ldap_SearchResEntry *search;
216 struct ldap_message *msg;
217 struct ldb_control **controls;
218 struct ldb_message *ldbmsg;
220 bool callback_failed;
225 ac = talloc_get_type(req->async.private_data, struct ildb_context);
226 ldb = ldb_module_get_ctx(ac->module);
227 callback_failed = false;
228 request_done = false;
231 /* check if we are already processing this request */
232 if (ac->in_ildb_callback) {
235 /* mark the request as being in process */
236 ac->in_ildb_callback = true;
238 if (!NT_STATUS_IS_OK(req->status)) {
239 ret = ildb_map_error(ac->module, req->status);
240 ildb_request_done(ac, NULL, ret);
244 if (req->num_replies < 1) {
245 ret = LDB_ERR_OPERATIONS_ERROR;
246 ildb_request_done(ac, NULL, ret);
252 case LDAP_TAG_ModifyRequest:
253 if (req->replies[0]->type != LDAP_TAG_ModifyResponse) {
254 ret = LDB_ERR_PROTOCOL_ERROR;
257 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
258 ret = ildb_map_error(ac->module, status);
262 case LDAP_TAG_AddRequest:
263 if (req->replies[0]->type != LDAP_TAG_AddResponse) {
264 ret = LDB_ERR_PROTOCOL_ERROR;
267 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
268 ret = ildb_map_error(ac->module, status);
272 case LDAP_TAG_DelRequest:
273 if (req->replies[0]->type != LDAP_TAG_DelResponse) {
274 ret = LDB_ERR_PROTOCOL_ERROR;
277 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
278 ret = ildb_map_error(ac->module, status);
282 case LDAP_TAG_ModifyDNRequest:
283 if (req->replies[0]->type != LDAP_TAG_ModifyDNResponse) {
284 ret = LDB_ERR_PROTOCOL_ERROR;
287 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
288 ret = ildb_map_error(ac->module, status);
292 case LDAP_TAG_SearchRequest:
293 /* loop over all messages */
294 for (i = 0; i < req->num_replies; i++) {
296 msg = req->replies[i];
299 case LDAP_TAG_SearchResultDone:
301 status = ldap_check_response(ac->ireq->conn, &msg->r.GeneralResult);
302 if (!NT_STATUS_IS_OK(status)) {
303 ret = ildb_map_error(ac->module, status);
307 controls = talloc_steal(ac, msg->controls);
308 if (msg->r.SearchResultDone.resultcode) {
309 if (msg->r.SearchResultDone.errormessage) {
310 ldb_set_errstring(ldb, msg->r.SearchResultDone.errormessage);
314 ret = msg->r.SearchResultDone.resultcode;
318 case LDAP_TAG_SearchResultEntry:
320 ldbmsg = ldb_msg_new(ac);
322 ret = LDB_ERR_OPERATIONS_ERROR;
326 search = &(msg->r.SearchResultEntry);
328 ldbmsg->dn = ldb_dn_new(ldbmsg, ldb, search->dn);
329 if ( ! ldb_dn_validate(ldbmsg->dn)) {
330 ret = LDB_ERR_OPERATIONS_ERROR;
333 ldbmsg->num_elements = search->num_attributes;
334 ldbmsg->elements = talloc_move(ldbmsg, &search->attributes);
336 controls = talloc_steal(ac, msg->controls);
338 ret = ldb_module_send_entry(ac->req, ldbmsg, controls);
339 if (ret != LDB_SUCCESS) {
340 callback_failed = true;
345 case LDAP_TAG_SearchResultReference:
347 referral = talloc_strdup(ac, msg->r.SearchResultReference.referral);
349 ret = ldb_module_send_referral(ac->req, referral);
350 if (ret != LDB_SUCCESS) {
351 callback_failed = true;
357 /* TAG not handled, fail ! */
358 ret = LDB_ERR_PROTOCOL_ERROR;
362 if (ret != LDB_SUCCESS) {
367 talloc_free(req->replies);
369 req->num_replies = 0;
374 ret = LDB_ERR_PROTOCOL_ERROR;
378 if (ret != LDB_SUCCESS) {
380 /* if the callback failed the caller will have freed the
381 * request. Just return and don't try to use it */
382 if ( ! callback_failed) {
387 /* mark the request as not being in progress */
388 ac->in_ildb_callback = false;
391 ildb_request_done(ac, controls, ret);
397 static int ildb_request_send(struct ildb_context *ac, struct ldap_message *msg)
399 struct ldb_context *ldb;
400 struct ldap_request *req;
403 return LDB_ERR_OPERATIONS_ERROR;
406 ldb = ldb_module_get_ctx(ac->module);
408 ldb_request_set_state(ac->req, LDB_ASYNC_PENDING);
410 req = ldap_request_send(ac->ildb->ldap, msg);
412 ldb_set_errstring(ldb, "async send request failed");
413 return LDB_ERR_OPERATIONS_ERROR;
415 ac->ireq = talloc_reparent(ac->ildb->ldap, ac, req);
417 if (!ac->ireq->conn) {
418 ldb_set_errstring(ldb, "connection to remote LDAP server dropped?");
419 return LDB_ERR_OPERATIONS_ERROR;
422 TALLOC_FREE(req->time_event);
423 if (ac->req->timeout > 0) {
424 struct timeval tv = {
425 .tv_sec = ac->req->starttime + ac->req->timeout,
428 req->time_event = tevent_add_timer(ac->ildb->event_ctx, ac, tv,
429 ildb_request_timeout, ac);
432 req->async.fn = ildb_callback;
433 req->async.private_data = ac;
439 search for matching records using an asynchronous function
441 static int ildb_search(struct ildb_context *ac)
443 struct ldb_context *ldb;
444 struct ldb_request *req = ac->req;
445 struct ldap_message *msg;
448 ldb = ldb_module_get_ctx(ac->module);
450 if (!req->callback || !req->context) {
451 ldb_set_errstring(ldb, "Async interface called with NULL callback function or NULL context");
452 return LDB_ERR_OPERATIONS_ERROR;
455 if (req->op.search.tree == NULL) {
456 ldb_set_errstring(ldb, "Invalid expression parse tree");
457 return LDB_ERR_OPERATIONS_ERROR;
460 msg = new_ldap_message(req);
462 ldb_set_errstring(ldb, "Out of Memory");
463 return LDB_ERR_OPERATIONS_ERROR;
466 msg->type = LDAP_TAG_SearchRequest;
468 if (req->op.search.base == NULL) {
469 msg->r.SearchRequest.basedn = talloc_strdup(msg, "");
471 msg->r.SearchRequest.basedn = ldb_dn_get_extended_linearized(msg, req->op.search.base, 0);
473 if (msg->r.SearchRequest.basedn == NULL) {
474 ldb_set_errstring(ldb, "Unable to determine baseDN");
476 return LDB_ERR_OPERATIONS_ERROR;
479 if (req->op.search.scope == LDB_SCOPE_DEFAULT) {
480 msg->r.SearchRequest.scope = LDAP_SEARCH_SCOPE_SUB;
482 msg->r.SearchRequest.scope = req->op.search.scope;
485 msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
486 msg->r.SearchRequest.timelimit = 0;
487 msg->r.SearchRequest.sizelimit = 0;
488 msg->r.SearchRequest.attributesonly = 0;
489 msg->r.SearchRequest.tree = discard_const(req->op.search.tree);
491 for (n = 0; req->op.search.attrs && req->op.search.attrs[n]; n++) /* noop */ ;
492 msg->r.SearchRequest.num_attributes = n;
493 msg->r.SearchRequest.attributes = req->op.search.attrs;
494 msg->controls = req->controls;
496 return ildb_request_send(ac, msg);
502 static int ildb_add(struct ildb_context *ac)
504 struct ldb_request *req = ac->req;
505 struct ldap_message *msg;
506 struct ldap_mod **mods;
509 msg = new_ldap_message(req);
511 return LDB_ERR_OPERATIONS_ERROR;
514 msg->type = LDAP_TAG_AddRequest;
516 msg->r.AddRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.add.message->dn, 0);
517 if (msg->r.AddRequest.dn == NULL) {
519 return LDB_ERR_INVALID_DN_SYNTAX;
522 mods = ildb_msg_to_mods(msg, &n, req->op.add.message, 0);
525 return LDB_ERR_OPERATIONS_ERROR;
528 msg->r.AddRequest.num_attributes = n;
529 msg->r.AddRequest.attributes = talloc_array(msg, struct ldb_message_element, n);
530 if (msg->r.AddRequest.attributes == NULL) {
532 return LDB_ERR_OPERATIONS_ERROR;
535 for (i = 0; i < n; i++) {
536 msg->r.AddRequest.attributes[i] = mods[i]->attrib;
538 msg->controls = req->controls;
540 return ildb_request_send(ac, msg);
546 static int ildb_modify(struct ildb_context *ac)
548 struct ldb_request *req = ac->req;
549 struct ldap_message *msg;
550 struct ldap_mod **mods;
553 msg = new_ldap_message(req);
555 return LDB_ERR_OPERATIONS_ERROR;
558 msg->type = LDAP_TAG_ModifyRequest;
560 msg->r.ModifyRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.mod.message->dn, 0);
561 if (msg->r.ModifyRequest.dn == NULL) {
563 return LDB_ERR_INVALID_DN_SYNTAX;
566 mods = ildb_msg_to_mods(msg, &n, req->op.mod.message, 1);
569 return LDB_ERR_OPERATIONS_ERROR;
572 msg->r.ModifyRequest.num_mods = n;
573 msg->r.ModifyRequest.mods = talloc_array(msg, struct ldap_mod, n);
574 if (msg->r.ModifyRequest.mods == NULL) {
576 return LDB_ERR_OPERATIONS_ERROR;
579 for (i = 0; i < n; i++) {
580 msg->r.ModifyRequest.mods[i] = *mods[i];
582 msg->controls = req->controls;
583 return ildb_request_send(ac, msg);
589 static int ildb_delete(struct ildb_context *ac)
591 struct ldb_request *req = ac->req;
592 struct ldap_message *msg;
594 msg = new_ldap_message(req);
596 return LDB_ERR_OPERATIONS_ERROR;
599 msg->type = LDAP_TAG_DelRequest;
601 msg->r.DelRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.del.dn, 0);
602 if (msg->r.DelRequest.dn == NULL) {
604 return LDB_ERR_INVALID_DN_SYNTAX;
606 msg->controls = req->controls;
608 return ildb_request_send(ac, msg);
614 static int ildb_rename(struct ildb_context *ac)
616 struct ldb_request *req = ac->req;
617 struct ldap_message *msg;
618 const char *rdn_name;
619 const struct ldb_val *rdn_val;
621 msg = new_ldap_message(req);
623 return LDB_ERR_OPERATIONS_ERROR;
626 msg->type = LDAP_TAG_ModifyDNRequest;
627 msg->r.ModifyDNRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.rename.olddn, 0);
628 if (msg->r.ModifyDNRequest.dn == NULL) {
630 return LDB_ERR_INVALID_DN_SYNTAX;
633 rdn_name = ldb_dn_get_rdn_name(req->op.rename.newdn);
634 rdn_val = ldb_dn_get_rdn_val(req->op.rename.newdn);
636 if ((rdn_name != NULL) && (rdn_val != NULL)) {
637 msg->r.ModifyDNRequest.newrdn =
638 talloc_asprintf(msg, "%s=%s", rdn_name,
639 rdn_val->length > 0 ? ldb_dn_escape_value(msg, *rdn_val) : "");
641 msg->r.ModifyDNRequest.newrdn = talloc_strdup(msg, "");
643 if (msg->r.ModifyDNRequest.newrdn == NULL) {
645 return LDB_ERR_OPERATIONS_ERROR;
648 msg->r.ModifyDNRequest.newsuperior =
649 ldb_dn_alloc_linearized(msg, ldb_dn_get_parent(msg, req->op.rename.newdn));
650 if (msg->r.ModifyDNRequest.newsuperior == NULL) {
652 return LDB_ERR_INVALID_DN_SYNTAX;
655 msg->r.ModifyDNRequest.deleteolddn = true;
656 msg->controls = req->controls;
658 return ildb_request_send(ac, msg);
661 static int ildb_start_trans(struct ldb_module *module)
663 /* TODO implement a local locking mechanism here */
668 static int ildb_end_trans(struct ldb_module *module)
670 /* TODO implement a local transaction mechanism here */
675 static int ildb_del_trans(struct ldb_module *module)
677 /* TODO implement a local locking mechanism here */
682 static bool ildb_dn_is_special(struct ldb_request *req)
684 struct ldb_dn *dn = NULL;
686 switch (req->operation) {
688 dn = req->op.search.base;
691 dn = req->op.add.message->dn;
694 dn = req->op.mod.message->dn;
700 dn = req->op.rename.olddn;
706 if (dn && ldb_dn_is_special(dn)) {
712 static int ildb_handle_request(struct ldb_module *module, struct ldb_request *req)
714 struct ldb_context *ldb;
715 struct ildb_private *ildb;
716 struct ildb_context *ac;
717 struct tevent_timer *te;
720 ildb = talloc_get_type(ldb_module_get_private(module), struct ildb_private);
721 ldb = ldb_module_get_ctx(module);
723 if (req->starttime == 0 || req->timeout == 0) {
724 ldb_set_errstring(ldb, "Invalid timeout settings");
725 return LDB_ERR_TIME_LIMIT_EXCEEDED;
728 ac = talloc_zero(req, struct ildb_context);
730 ldb_set_errstring(ldb, "Out of Memory");
731 return LDB_ERR_OPERATIONS_ERROR;
738 if (ildb_dn_is_special(req)) {
740 te = tevent_add_timer(ac->ildb->event_ctx,
742 ildb_auto_done_callback, ac);
744 return LDB_ERR_OPERATIONS_ERROR;
750 switch (ac->req->operation) {
752 ret = ildb_search(ac);
758 ret = ildb_modify(ac);
761 ret = ildb_delete(ac);
764 ret = ildb_rename(ac);
767 /* no other op supported */
768 ret = LDB_ERR_PROTOCOL_ERROR;
775 static const struct ldb_module_ops ildb_ops = {
777 .search = ildb_handle_request,
778 .add = ildb_handle_request,
779 .modify = ildb_handle_request,
780 .del = ildb_handle_request,
781 .rename = ildb_handle_request,
782 /* .request = ildb_handle_request, */
783 .start_transaction = ildb_start_trans,
784 .end_transaction = ildb_end_trans,
785 .del_transaction = ildb_del_trans,
789 connect to the database
791 static int ildb_connect(struct ldb_context *ldb, const char *url,
792 unsigned int flags, const char *options[],
793 struct ldb_module **_module)
795 struct ldb_module *module;
796 struct ildb_private *ildb;
797 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
798 struct cli_credentials *creds;
799 struct loadparm_context *lp_ctx;
801 module = ldb_module_new(ldb, ldb, "ldb_ildap backend", &ildb_ops);
802 if (!module) return LDB_ERR_OPERATIONS_ERROR;
804 ildb = talloc(module, struct ildb_private);
809 ldb_module_set_private(module, ildb);
811 ildb->event_ctx = ldb_get_event_context(ldb);
813 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
814 struct loadparm_context);
816 ildb->ldap = ldap4_new_connection(ildb, lp_ctx,
823 if (flags & LDB_FLG_RECONNECT) {
824 ldap_set_reconn_params(ildb->ldap, 10);
827 status = ldap_connect(ildb->ldap, url);
828 if (!NT_STATUS_IS_OK(status)) {
829 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to ldap URL '%s' - %s",
830 url, ldap_errstr(ildb->ldap, module, status));
834 /* caller can optionally setup credentials using the opaque token 'credentials' */
835 creds = talloc_get_type(ldb_get_opaque(ldb, "credentials"), struct cli_credentials);
837 struct auth_session_info *session_info = talloc_get_type(
838 ldb_get_opaque(ldb, DSDB_SESSION_INFO),
839 struct auth_session_info);
841 creds = session_info->credentials;
845 if (creds != NULL && cli_credentials_authentication_requested(creds)) {
846 const char *bind_dn = cli_credentials_get_bind_dn(creds);
848 const char *password = cli_credentials_get_password(creds);
849 status = ldap_bind_simple(ildb->ldap, bind_dn, password);
850 if (!NT_STATUS_IS_OK(status)) {
851 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s",
852 ldap_errstr(ildb->ldap, module, status));
856 status = ldap_bind_sasl(ildb->ldap, creds, lp_ctx);
857 if (!NT_STATUS_IS_OK(status)) {
858 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s",
859 ldap_errstr(ildb->ldap, module, status));
869 if (ildb != NULL && ildb->ldap != NULL) {
870 ldb_set_errstring(ldb, ldap_errstr(ildb->ldap, module, status));
873 if (NT_STATUS_IS_LDAP(status)) {
874 return NT_STATUS_LDAP_CODE(status);
875 } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)
876 || NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
877 || NT_STATUS_EQUAL(status, NT_STATUS_LOGON_FAILURE)
878 || NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
879 return LDB_ERR_INVALID_CREDENTIALS;
881 return LDB_ERR_OPERATIONS_ERROR;
885 initialise the module
887 _PUBLIC_ int ldb_ildap_init(const char *ldb_version)
890 const char *names[] = { "ldap", "ldaps", "ldapi", NULL };
891 for (i=0; names[i]; i++) {
892 ret = ldb_register_backend(names[i], ildb_connect, true);
893 if (ret != LDB_SUCCESS) {
git.samba.org / samba.git / blob