4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: ldb local_password module
27 * Description: correctly update hash values based on changes to userPassword and friends
29 * Author: Andrew Bartlett
33 #include "libcli/ldap/ldap.h"
34 #include "ldb/include/ldb_errors.h"
35 #include "ldb/include/ldb_private.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/ndr/libndr.h"
38 #include "dsdb/samdb/ldb_modules/password_modules.h"
40 #define PASSWORD_GUID_ATTR "masterGUID"
42 /* This module maintains a local password database, seperate from the main LDAP server.
44 This allows the password database to be syncronised in a multi-master
45 fashion, seperate to the more difficult concerns of the main
46 database. (With passwords, the last writer always wins)
48 Each incoming add/modify is split into a remote, and a local request, done in that order.
50 We maintain a list of attributes that are kept locally - perhaps
51 this should use the @KLUDGE_ACL list of passwordAttribute
54 static const char * const password_attrs[] = {
55 "supplementalCredentials",
60 "msDS-KeyVersionNumber",
64 /* And we merge them back into search requests when asked to do so */
67 struct lpdb_reply *next;
68 struct ldb_reply *remote;
69 struct ldb_dn *local_dn;
74 struct ldb_module *module;
75 struct ldb_request *req;
77 struct ldb_message *local_message;
79 struct lpdb_reply *list;
80 struct lpdb_reply *current;
81 struct ldb_reply *remote_done;
82 struct ldb_reply *remote;
84 bool added_objectGUID;
85 bool added_objectClass;
89 static struct lpdb_context *lpdb_init_context(struct ldb_module *module,
90 struct ldb_request *req)
92 struct lpdb_context *ac;
94 ac = talloc_zero(req, struct lpdb_context);
96 ldb_set_errstring(module->ldb, "Out of Memory");
106 static int lpdb_local_callback(struct ldb_request *req, struct ldb_reply *ares)
108 struct lpdb_context *ac;
110 ac = talloc_get_type(req->context, struct lpdb_context);
113 return ldb_module_done(ac->req, NULL, NULL,
114 LDB_ERR_OPERATIONS_ERROR);
116 if (ares->error != LDB_SUCCESS) {
117 return ldb_module_done(ac->req, ares->controls,
118 ares->response, ares->error);
121 if (ares->type != LDB_REPLY_DONE) {
122 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
124 return ldb_module_done(ac->req, NULL, NULL,
125 LDB_ERR_OPERATIONS_ERROR);
129 return ldb_module_done(ac->req,
130 ac->remote_done->controls,
131 ac->remote_done->response,
132 ac->remote_done->error);
135 /*****************************************************************************
137 ****************************************************************************/
139 static int lpdb_add_callback(struct ldb_request *req,
140 struct ldb_reply *ares);
142 static int local_password_add(struct ldb_module *module, struct ldb_request *req)
144 struct ldb_message *remote_message;
145 struct ldb_request *remote_req;
146 struct lpdb_context *ac;
147 struct GUID objectGUID;
151 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_add\n");
153 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
154 return ldb_next_request(module, req);
157 /* If the caller is manipulating the local passwords directly, let them pass */
158 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
159 req->op.add.message->dn) == 0) {
160 return ldb_next_request(module, req);
163 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
164 if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
169 /* It didn't match any of our password attributes, go on */
170 if (i == ARRAY_SIZE(password_attrs)) {
171 return ldb_next_request(module, req);
174 /* TODO: remove this when userPassword will be in schema */
175 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
176 ldb_asprintf_errstring(module->ldb,
177 "Cannot relocate a password on entry: %s, does not have objectClass 'person'",
178 ldb_dn_get_linearized(req->op.add.message->dn));
179 return LDB_ERR_OBJECT_CLASS_VIOLATION;
182 /* From here, we assume we have password attributes to split off */
183 ac = lpdb_init_context(module, req);
185 return LDB_ERR_OPERATIONS_ERROR;
188 remote_message = ldb_msg_copy_shallow(remote_req, req->op.add.message);
189 if (remote_message == NULL) {
190 return LDB_ERR_OPERATIONS_ERROR;
193 /* Remove any password attributes from the remote message */
194 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
195 ldb_msg_remove_attr(remote_message, password_attrs[i]);
198 /* Find the objectGUID to use as the key */
199 objectGUID = samdb_result_guid(ac->req->op.add.message, "objectGUID");
201 ac->local_message = ldb_msg_copy_shallow(ac, req->op.add.message);
202 if (ac->local_message == NULL) {
203 return LDB_ERR_OPERATIONS_ERROR;
206 /* Remove anything seen in the remote message from the local
207 * message (leaving only password attributes) */
208 for (i=0; i < remote_message->num_elements; i++) {
209 ldb_msg_remove_attr(ac->local_message, remote_message->elements[i].name);
212 /* We must have an objectGUID already, or we don't know where
213 * to add the password. This may be changed to an 'add and
214 * search', to allow the directory to create the objectGUID */
215 if (ldb_msg_find_ldb_val(req->op.add.message, "objectGUID") == NULL) {
216 ldb_set_errstring(module->ldb,
217 "no objectGUID found in search: "
218 "local_password module must be "
219 "onfigured below objectGUID module!\n");
220 return LDB_ERR_CONSTRAINT_VIOLATION;
223 ac->local_message->dn = ldb_dn_new(ac->local_message,
224 module->ldb, LOCAL_BASE);
225 if ((ac->local_message->dn == NULL) ||
226 ( ! ldb_dn_add_child_fmt(ac->local_message->dn,
227 PASSWORD_GUID_ATTR "=%s",
228 GUID_string(ac->local_message,
230 return LDB_ERR_OPERATIONS_ERROR;
233 ret = ldb_build_add_req(&remote_req, module->ldb, ac,
236 ac, lpdb_add_callback,
238 if (ret != LDB_SUCCESS) {
242 return ldb_next_request(module, remote_req);
245 /* Add a record, splitting password attributes from the user's main
247 static int lpdb_add_callback(struct ldb_request *req,
248 struct ldb_reply *ares)
250 struct ldb_request *local_req;
251 struct lpdb_context *ac;
254 ac = talloc_get_type(req->context, struct lpdb_context);
257 return ldb_module_done(ac->req, NULL, NULL,
258 LDB_ERR_OPERATIONS_ERROR);
260 if (ares->error != LDB_SUCCESS) {
261 return ldb_module_done(ac->req, ares->controls,
262 ares->response, ares->error);
265 if (ares->type != LDB_REPLY_DONE) {
266 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
268 return ldb_module_done(ac->req, NULL, NULL,
269 LDB_ERR_OPERATIONS_ERROR);
272 ac->remote_done = talloc_steal(ac, ares);
274 ret = ldb_build_add_req(&local_req, ac->module->ldb, ac,
277 ac, lpdb_local_callback,
279 if (ret != LDB_SUCCESS) {
280 return ldb_module_done(ac->req, NULL, NULL, ret);
283 ret = ldb_next_request(ac->module, local_req);
284 if (ret != LDB_SUCCESS) {
285 return ldb_module_done(ac->req, NULL, NULL, ret);
290 /*****************************************************************************
292 ****************************************************************************/
294 static int lpdb_modify_callabck(struct ldb_request *req,
295 struct ldb_reply *ares);
296 static int lpdb_mod_search_callback(struct ldb_request *req,
297 struct ldb_reply *ares);
299 static int local_password_modify(struct ldb_module *module, struct ldb_request *req)
301 struct lpdb_context *ac;
302 struct ldb_message *remote_message;
303 struct ldb_request *remote_req;
307 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_modify\n");
309 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
310 return ldb_next_request(module, req);
313 /* If the caller is manipulating the local passwords directly, let them pass */
314 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
315 req->op.mod.message->dn) == 0) {
316 return ldb_next_request(module, req);
319 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
320 if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
325 /* It didn't match any of our password attributes, then we have nothing to do here */
326 if (i == ARRAY_SIZE(password_attrs)) {
327 return ldb_next_request(module, req);
330 /* From here, we assume we have password attributes to split off */
331 ac = lpdb_init_context(module, req);
333 return LDB_ERR_OPERATIONS_ERROR;
336 remote_message = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
337 if (remote_message == NULL) {
338 return LDB_ERR_OPERATIONS_ERROR;
341 /* Remove any password attributes from the remote message */
342 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
343 ldb_msg_remove_attr(remote_message, password_attrs[i]);
346 ac->local_message = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
347 if (ac->local_message == NULL) {
348 return LDB_ERR_OPERATIONS_ERROR;
351 /* Remove anything seen in the remote message from the local
352 * message (leaving only password attributes) */
353 for (i=0; i < remote_message->num_elements;i++) {
354 ldb_msg_remove_attr(ac->local_message, remote_message->elements[i].name);
357 ret = ldb_build_mod_req(&remote_req, module->ldb, ac,
360 ac, lpdb_modify_callabck,
362 if (ret != LDB_SUCCESS) {
366 return ldb_next_request(module, remote_req);
369 /* On a modify, we don't have the objectGUID handy, so we need to
370 * search our DN for it */
371 static int lpdb_modify_callabck(struct ldb_request *req,
372 struct ldb_reply *ares)
374 static const char * const attrs[] = { "objectGUID", "objectClass", NULL };
375 struct ldb_request *search_req;
376 struct lpdb_context *ac;
379 ac = talloc_get_type(req->context, struct lpdb_context);
382 return ldb_module_done(ac->req, NULL, NULL,
383 LDB_ERR_OPERATIONS_ERROR);
385 if (ares->error != LDB_SUCCESS) {
386 return ldb_module_done(ac->req, ares->controls,
387 ares->response, ares->error);
390 if (ares->type != LDB_REPLY_DONE) {
391 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
393 return ldb_module_done(ac->req, NULL, NULL,
394 LDB_ERR_OPERATIONS_ERROR);
397 ac->remote_done = talloc_steal(ac, ares);
399 /* prepare the search operation */
400 ret = ldb_build_search_req(&search_req, ac->module->ldb, ac,
401 ac->req->op.mod.message->dn, LDB_SCOPE_BASE,
402 "(objectclass=*)", attrs,
404 ac, lpdb_mod_search_callback,
406 if (ret != LDB_SUCCESS) {
407 return ldb_module_done(ac->req, NULL, NULL,
408 LDB_ERR_OPERATIONS_ERROR);
411 ret = ldb_next_request(ac->module, search_req);
412 if (ret != LDB_SUCCESS) {
413 return ldb_module_done(ac->req, NULL, NULL,
414 LDB_ERR_OPERATIONS_ERROR);
419 /* Called when we search for our own entry. Stores the one entry we
420 * expect (as it is a base search) on the context pointer */
421 static int lpdb_mod_search_callback(struct ldb_request *req,
422 struct ldb_reply *ares)
424 struct ldb_request *local_req;
425 struct lpdb_context *ac;
426 struct ldb_dn *local_dn;
427 struct GUID objectGUID;
428 int ret = LDB_SUCCESS;
430 ac = talloc_get_type(req->context, struct lpdb_context);
433 return ldb_module_done(ac->req, NULL, NULL,
434 LDB_ERR_OPERATIONS_ERROR);
436 if (ares->error != LDB_SUCCESS) {
437 return ldb_module_done(ac->req, ares->controls,
438 ares->response, ares->error);
441 switch (ares->type) {
442 case LDB_REPLY_ENTRY:
443 if (ac->remote != NULL) {
444 ldb_set_errstring(ac->module->ldb, "Too many results");
446 return ldb_module_done(ac->req, NULL, NULL,
447 LDB_ERR_OPERATIONS_ERROR);
450 ac->remote = talloc_steal(ac, ares);
453 case LDB_REPLY_REFERRAL:
460 /* After we find out the objectGUID for the entry, modify the local
461 * password database as required */
465 /* if it is not an entry of type person this is an error */
466 /* TODO: remove this when sambaPassword will be in schema */
467 if (ac->remote == NULL) {
468 ldb_asprintf_errstring(ac->module->ldb,
469 "entry just modified (%s) not found!",
470 ldb_dn_get_linearized(req->op.search.base));
471 return ldb_module_done(ac->req, NULL, NULL,
472 LDB_ERR_OPERATIONS_ERROR);
474 if (!ldb_msg_check_string_attribute(ac->remote->message,
475 "objectClass", "person")) {
476 /* Not relevent to us */
477 return ldb_module_done(ac->req,
478 ac->remote_done->controls,
479 ac->remote_done->response,
480 ac->remote_done->error);
483 if (ldb_msg_find_ldb_val(ac->remote->message,
484 "objectGUID") == NULL) {
485 ldb_set_errstring(ac->module->ldb,
486 "no objectGUID found in search: "
487 "local_password module must be "
488 "configured below objectGUID "
490 return ldb_module_done(ac->req, NULL, NULL,
491 LDB_ERR_OBJECT_CLASS_VIOLATION);
494 objectGUID = samdb_result_guid(ac->remote->message,
497 local_dn = ldb_dn_new(ac, ac->module->ldb, LOCAL_BASE);
498 if ((local_dn == NULL) ||
499 ( ! ldb_dn_add_child_fmt(local_dn,
500 PASSWORD_GUID_ATTR "=%s",
501 GUID_string(ac, &objectGUID)))) {
502 return ldb_module_done(ac->req, NULL, NULL,
503 LDB_ERR_OPERATIONS_ERROR);
505 ac->local_message->dn = local_dn;
507 ret = ldb_build_mod_req(&local_req, ac->module->ldb, ac,
510 ac, lpdb_local_callback,
512 if (ret != LDB_SUCCESS) {
513 return ldb_module_done(ac->req, NULL, NULL, ret);
516 /* perform the local update */
517 ret = ldb_next_request(ac->module, local_req);
518 if (ret != LDB_SUCCESS) {
519 return ldb_module_done(ac->req, NULL, NULL, ret);
526 /*****************************************************************************
528 ****************************************************************************/
530 static int lpdb_delete_callabck(struct ldb_request *req,
531 struct ldb_reply *ares);
532 static int lpdb_del_search_callback(struct ldb_request *req,
533 struct ldb_reply *ares);
535 static int local_password_delete(struct ldb_module *module,
536 struct ldb_request *req)
538 struct ldb_request *remote_req;
539 struct lpdb_context *ac;
542 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_delete\n");
544 /* do not manipulate our control entries */
545 if (ldb_dn_is_special(req->op.mod.message->dn)) {
546 return ldb_next_request(module, req);
549 /* If the caller is manipulating the local passwords directly,
551 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
552 req->op.del.dn) == 0) {
553 return ldb_next_request(module, req);
556 /* From here, we assume we have password attributes to split off */
557 ac = lpdb_init_context(module, req);
559 return LDB_ERR_OPERATIONS_ERROR;
562 ret = ldb_build_del_req(&remote_req, module->ldb, ac,
565 ac, lpdb_delete_callabck,
567 if (ret != LDB_SUCCESS) {
571 return ldb_next_request(module, remote_req);
574 /* On a modify, we don't have the objectGUID handy, so we need to
575 * search our DN for it */
576 static int lpdb_delete_callabck(struct ldb_request *req,
577 struct ldb_reply *ares)
579 static const char * const attrs[] = { "objectGUID", "objectClass", NULL };
580 struct ldb_request *search_req;
581 struct lpdb_context *ac;
584 ac = talloc_get_type(req->context, struct lpdb_context);
587 return ldb_module_done(ac->req, NULL, NULL,
588 LDB_ERR_OPERATIONS_ERROR);
590 if (ares->error != LDB_SUCCESS) {
591 return ldb_module_done(ac->req, ares->controls,
592 ares->response, ares->error);
595 if (ares->type != LDB_REPLY_DONE) {
596 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
598 return ldb_module_done(ac->req, NULL, NULL,
599 LDB_ERR_OPERATIONS_ERROR);
602 ac->remote_done = talloc_steal(ac, ares);
604 /* prepare the search operation */
605 ret = ldb_build_search_req(&search_req, ac->module->ldb, ac,
606 ac->req->op.del.dn, LDB_SCOPE_BASE,
607 "(objectclass=*)", attrs,
609 ac, lpdb_del_search_callback,
611 if (ret != LDB_SUCCESS) {
612 return ldb_module_done(ac->req, NULL, NULL,
613 LDB_ERR_OPERATIONS_ERROR);
616 ret = ldb_next_request(ac->module, search_req);
617 if (ret != LDB_SUCCESS) {
618 return ldb_module_done(ac->req, NULL, NULL,
619 LDB_ERR_OPERATIONS_ERROR);
624 /* Called when we search for our own entry. Stores the one entry we
625 * expect (as it is a base search) on the context pointer */
626 static int lpdb_del_search_callback(struct ldb_request *req,
627 struct ldb_reply *ares)
629 struct ldb_request *local_req;
630 struct lpdb_context *ac;
631 struct ldb_dn *local_dn;
632 struct GUID objectGUID;
633 int ret = LDB_SUCCESS;
635 ac = talloc_get_type(req->context, struct lpdb_context);
638 return ldb_module_done(ac->req, NULL, NULL,
639 LDB_ERR_OPERATIONS_ERROR);
641 if (ares->error != LDB_SUCCESS) {
642 return ldb_module_done(ac->req, ares->controls,
643 ares->response, ares->error);
646 switch (ares->type) {
647 case LDB_REPLY_ENTRY:
648 if (ac->remote != NULL) {
649 ldb_set_errstring(ac->module->ldb, "Too many results");
651 return ldb_module_done(ac->req, NULL, NULL,
652 LDB_ERR_OPERATIONS_ERROR);
655 ac->remote = talloc_steal(ac, ares);
658 case LDB_REPLY_REFERRAL:
665 /* After we find out the objectGUID for the entry, modify the local
666 * password database as required */
670 /* if it is not an entry of type person this is NOT an error */
671 /* TODO: remove this when sambaPassword will be in schema */
672 if (ac->remote == NULL) {
673 return ldb_module_done(ac->req,
674 ac->remote_done->controls,
675 ac->remote_done->response,
676 ac->remote_done->error);
678 if (!ldb_msg_check_string_attribute(ac->remote->message,
679 "objectClass", "person")) {
680 /* Not relevent to us */
681 return ldb_module_done(ac->req,
682 ac->remote_done->controls,
683 ac->remote_done->response,
684 ac->remote_done->error);
687 if (ldb_msg_find_ldb_val(ac->remote->message,
688 "objectGUID") == NULL) {
689 ldb_set_errstring(ac->module->ldb,
690 "no objectGUID found in search: "
691 "local_password module must be "
692 "configured below objectGUID "
694 return ldb_module_done(ac->req, NULL, NULL,
695 LDB_ERR_OBJECT_CLASS_VIOLATION);
698 objectGUID = samdb_result_guid(ac->remote->message,
701 local_dn = ldb_dn_new(ac, ac->module->ldb, LOCAL_BASE);
702 if ((local_dn == NULL) ||
703 ( ! ldb_dn_add_child_fmt(local_dn,
704 PASSWORD_GUID_ATTR "=%s",
705 GUID_string(ac, &objectGUID)))) {
706 return ldb_module_done(ac->req, NULL, NULL,
707 LDB_ERR_OPERATIONS_ERROR);
710 ret = ldb_build_del_req(&local_req, ac->module->ldb, ac,
713 ac, lpdb_local_callback,
715 if (ret != LDB_SUCCESS) {
716 return ldb_module_done(ac->req, NULL, NULL, ret);
719 /* perform the local update */
720 ret = ldb_next_request(ac->module, local_req);
721 if (ret != LDB_SUCCESS) {
722 return ldb_module_done(ac->req, NULL, NULL, ret);
730 /*****************************************************************************
732 ****************************************************************************/
734 static int lpdb_local_search_callback(struct ldb_request *req,
735 struct ldb_reply *ares);
737 static int lpdb_local_search(struct lpdb_context *ac)
739 struct ldb_request *local_req;
742 ret = ldb_build_search_req(&local_req, ac->module->ldb, ac,
743 ac->current->local_dn,
746 ac->req->op.search.attrs,
748 ac, lpdb_local_search_callback,
750 if (ret != LDB_SUCCESS) {
751 return LDB_ERR_OPERATIONS_ERROR;
754 return ldb_next_request(ac->module, local_req);
757 static int lpdb_local_search_callback(struct ldb_request *req,
758 struct ldb_reply *ares)
760 struct lpdb_context *ac;
761 struct ldb_reply *merge;
762 struct lpdb_reply *lr;
766 ac = talloc_get_type(req->context, struct lpdb_context);
769 return ldb_module_done(ac->req, NULL, NULL,
770 LDB_ERR_OPERATIONS_ERROR);
772 if (ares->error != LDB_SUCCESS) {
773 return ldb_module_done(ac->req, ares->controls,
774 ares->response, ares->error);
779 /* we are interested only in a single reply (base search) */
780 switch (ares->type) {
781 case LDB_REPLY_ENTRY:
783 if (lr->remote == NULL) {
784 ldb_set_errstring(ac->module->ldb,
785 "Too many results for password entry search!");
787 return ldb_module_done(ac->req, NULL, NULL,
788 LDB_ERR_OPERATIONS_ERROR);
794 /* steal the local results on the remote results to be
795 * returned all together */
796 talloc_steal(merge, ares->message->elements);
798 /* Make sure never to return the internal key attribute */
799 ldb_msg_remove_attr(ares->message, PASSWORD_GUID_ATTR);
801 for (i=0; i < ares->message->num_elements; i++) {
802 struct ldb_message_element *el;
804 el = ldb_msg_find_element(merge->message,
805 ares->message->elements[i].name);
807 ret = ldb_msg_add_empty(merge->message,
808 ares->message->elements[i].name,
810 if (ret != LDB_SUCCESS) {
812 return ldb_module_done(ac->req,
814 LDB_ERR_OPERATIONS_ERROR);
816 *el = ares->message->elements[i];
823 return ldb_module_send_entry(ac->req, merge->message, merge->controls);
825 case LDB_REPLY_REFERRAL:
834 /* if this entry was not returned yet, return it now */
836 ret = ldb_module_send_entry(ac->req, ac->remote->message, ac->remote->controls);
837 if (ret != LDB_SUCCESS) {
838 return ldb_module_done(ac->req,
844 if (lr->next->remote->type == LDB_REPLY_DONE) {
845 /* this was the last one */
846 return ldb_module_done(ac->req,
847 lr->next->remote->controls,
848 lr->next->remote->response,
849 lr->next->remote->error);
852 ac->current = lr->next;
855 ret = lpdb_local_search(ac);
856 if (ret != LDB_SUCCESS) {
857 return ldb_module_done(ac->req,
866 /* For each entry returned in a remote search, do a local base search,
867 * based on the objectGUID we asked for as an additional attribute */
868 static int lpdb_remote_search_callback(struct ldb_request *req,
869 struct ldb_reply *ares)
871 struct lpdb_context *ac;
872 struct ldb_dn *local_dn;
873 struct GUID objectGUID;
874 struct lpdb_reply *lr;
877 ac = talloc_get_type(req->context, struct lpdb_context);
880 return ldb_module_done(ac->req, NULL, NULL,
881 LDB_ERR_OPERATIONS_ERROR);
883 if (ares->error != LDB_SUCCESS) {
884 return ldb_module_done(ac->req, ares->controls,
885 ares->response, ares->error);
888 switch (ares->type) {
889 case LDB_REPLY_ENTRY:
890 /* No point searching further if it's not a 'person' entry */
891 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
893 /* Make sure to remove anything we added */
894 if (ac->added_objectGUID) {
895 ldb_msg_remove_attr(ares->message, "objectGUID");
898 if (ac->added_objectClass) {
899 ldb_msg_remove_attr(ares->message, "objectClass");
902 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
905 if (ldb_msg_find_ldb_val(ares->message, "objectGUID") == NULL) {
906 ldb_set_errstring(ac->module->ldb,
907 "no objectGUID found in search: local_password module must be configured below objectGUID module!\n");
908 return ldb_module_done(ac->req, NULL, NULL,
909 LDB_ERR_OPERATIONS_ERROR);
912 objectGUID = samdb_result_guid(ares->message, "objectGUID");
914 if (ac->added_objectGUID) {
915 ldb_msg_remove_attr(ares->message, "objectGUID");
918 if (ac->added_objectClass) {
919 ldb_msg_remove_attr(ares->message, "objectClass");
922 local_dn = ldb_dn_new(ac, ac->module->ldb, LOCAL_BASE);
923 if ((local_dn == NULL) ||
924 (! ldb_dn_add_child_fmt(local_dn,
925 PASSWORD_GUID_ATTR "=%s",
926 GUID_string(ac, &objectGUID)))) {
927 return ldb_module_done(ac->req, NULL, NULL,
928 LDB_ERR_OPERATIONS_ERROR);
931 lr = talloc_zero(ac, struct lpdb_reply);
933 return ldb_module_done(ac->req, NULL, NULL,
934 LDB_ERR_OPERATIONS_ERROR);
936 lr->local_dn = talloc_steal(lr, local_dn);
937 lr->remote = talloc_steal(lr, ares);
940 ac->current->next = lr;
948 case LDB_REPLY_REFERRAL:
950 return ldb_module_send_referral(ac->req, ares->referral);
954 if (ac->list == NULL) {
956 return ldb_module_done(ac->req, ares->controls,
957 ares->response, ares->error);
960 lr = talloc_zero(ac, struct lpdb_reply);
962 return ldb_module_done(ac->req, NULL, NULL,
963 LDB_ERR_OPERATIONS_ERROR);
965 lr->remote = talloc_steal(lr, ares);
967 ac->current->next = lr;
969 /* rewind current and start local searches */
970 ac->current= ac->list;
972 ret = lpdb_local_search(ac);
973 if (ret != LDB_SUCCESS) {
974 return ldb_module_done(ac->req, NULL, NULL, ret);
981 /* Search for passwords and other attributes. The passwords are
982 * local, but the other attributes are remote, and we need to glue the
983 * two search spaces back togeather */
985 static int local_password_search(struct ldb_module *module, struct ldb_request *req)
987 struct ldb_request *remote_req;
988 struct lpdb_context *ac;
991 const char * const *search_attrs = NULL;
993 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_search\n");
995 if (ldb_dn_is_special(req->op.search.base)) { /* do not manipulate our control entries */
996 return ldb_next_request(module, req);
1001 /* If the caller is searching for the local passwords directly, let them pass */
1002 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1003 req->op.search.base) == 0) {
1004 return ldb_next_request(module, req);
1007 if (req->op.search.attrs && (!ldb_attr_in_list(req->op.search.attrs, "*"))) {
1008 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
1009 if (ldb_attr_in_list(req->op.search.attrs, password_attrs[i])) {
1014 /* It didn't match any of our password attributes, go on */
1015 if (i == ARRAY_SIZE(password_attrs)) {
1016 return ldb_next_request(module, req);
1020 ac = lpdb_init_context(module, req);
1022 return LDB_ERR_OPERATIONS_ERROR;
1025 /* Remote search is for all attributes: if the remote LDAP server has these attributes, then it overrides the local database */
1026 if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
1027 if (!ldb_attr_in_list(req->op.search.attrs, "objectGUID")) {
1028 search_attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "objectGUID");
1029 ac->added_objectGUID = true;
1030 if (!search_attrs) {
1031 return LDB_ERR_OPERATIONS_ERROR;
1034 search_attrs = req->op.search.attrs;
1036 if (!ldb_attr_in_list(search_attrs, "objectClass")) {
1037 search_attrs = ldb_attr_list_copy_add(ac, search_attrs, "objectClass");
1038 ac->added_objectClass = true;
1039 if (!search_attrs) {
1040 return LDB_ERR_OPERATIONS_ERROR;
1044 search_attrs = req->op.search.attrs;
1047 ret = ldb_build_search_req_ex(&remote_req, module->ldb, ac,
1048 req->op.search.base,
1049 req->op.search.scope,
1050 req->op.search.tree,
1053 ac, lpdb_remote_search_callback,
1055 if (ret != LDB_SUCCESS) {
1056 return LDB_ERR_OPERATIONS_ERROR;
1059 /* perform the search */
1060 return ldb_next_request(module, remote_req);
1063 _PUBLIC_ const struct ldb_module_ops ldb_local_password_module_ops = {
1064 .name = "local_password",
1065 .add = local_password_add,
1066 .modify = local_password_modify,
1067 .del = local_password_delete,
1068 .search = local_password_search