4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: ldb local_password module
27 * Description: correctly update hash values based on changes to userPassword and friends
29 * Author: Andrew Bartlett
33 #include "libcli/ldap/ldap.h"
34 #include "ldb_module.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "librpc/ndr/libndr.h"
37 #include "dsdb/samdb/ldb_modules/password_modules.h"
39 #define PASSWORD_GUID_ATTR "masterGUID"
41 /* This module maintains a local password database, seperate from the main LDAP server.
43 This allows the password database to be syncronised in a multi-master
44 fashion, seperate to the more difficult concerns of the main
45 database. (With passwords, the last writer always wins)
47 Each incoming add/modify is split into a remote, and a local request, done in that order.
49 We maintain a list of attributes that are kept locally - perhaps
50 this should use the @KLUDGE_ACL list of passwordAttribute
53 static const char * const password_attrs[] = {
54 "supplementalCredentials",
59 "msDS-KeyVersionNumber",
63 /* And we merge them back into search requests when asked to do so */
66 struct lpdb_reply *next;
67 struct ldb_reply *remote;
68 struct ldb_dn *local_dn;
73 struct ldb_module *module;
74 struct ldb_request *req;
76 struct ldb_message *local_message;
78 struct lpdb_reply *list;
79 struct lpdb_reply *current;
80 struct ldb_reply *remote_done;
81 struct ldb_reply *remote;
83 bool added_objectGUID;
84 bool added_objectClass;
88 static struct lpdb_context *lpdb_init_context(struct ldb_module *module,
89 struct ldb_request *req)
91 struct ldb_context *ldb;
92 struct lpdb_context *ac;
94 ldb = ldb_module_get_ctx(module);
96 ac = talloc_zero(req, struct lpdb_context);
98 ldb_set_errstring(ldb, "Out of Memory");
108 static int lpdb_local_callback(struct ldb_request *req, struct ldb_reply *ares)
110 struct ldb_context *ldb;
111 struct lpdb_context *ac;
113 ac = talloc_get_type(req->context, struct lpdb_context);
114 ldb = ldb_module_get_ctx(ac->module);
117 return ldb_module_done(ac->req, NULL, NULL,
118 LDB_ERR_OPERATIONS_ERROR);
120 if (ares->error != LDB_SUCCESS) {
121 return ldb_module_done(ac->req, ares->controls,
122 ares->response, ares->error);
125 if (ares->type != LDB_REPLY_DONE) {
126 ldb_set_errstring(ldb, "Unexpected reply type");
128 return ldb_module_done(ac->req, NULL, NULL,
129 LDB_ERR_OPERATIONS_ERROR);
133 return ldb_module_done(ac->req,
134 ac->remote_done->controls,
135 ac->remote_done->response,
136 ac->remote_done->error);
139 /*****************************************************************************
141 ****************************************************************************/
143 static int lpdb_add_callback(struct ldb_request *req,
144 struct ldb_reply *ares);
146 static int local_password_add(struct ldb_module *module, struct ldb_request *req)
148 struct ldb_context *ldb;
149 struct ldb_message *remote_message;
150 struct ldb_request *remote_req;
151 struct lpdb_context *ac;
152 struct GUID objectGUID;
156 ldb = ldb_module_get_ctx(module);
157 ldb_debug(ldb, LDB_DEBUG_TRACE, "local_password_add\n");
159 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
160 return ldb_next_request(module, req);
163 /* If the caller is manipulating the local passwords directly, let them pass */
164 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
165 req->op.add.message->dn) == 0) {
166 return ldb_next_request(module, req);
169 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
170 if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
175 /* It didn't match any of our password attributes, go on */
176 if (i == ARRAY_SIZE(password_attrs)) {
177 return ldb_next_request(module, req);
180 /* TODO: remove this when userPassword will be in schema */
181 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
182 ldb_asprintf_errstring(ldb,
183 "Cannot relocate a password on entry: %s, does not have objectClass 'person'",
184 ldb_dn_get_linearized(req->op.add.message->dn));
185 return LDB_ERR_OBJECT_CLASS_VIOLATION;
188 /* From here, we assume we have password attributes to split off */
189 ac = lpdb_init_context(module, req);
191 return LDB_ERR_OPERATIONS_ERROR;
194 remote_message = ldb_msg_copy_shallow(remote_req, req->op.add.message);
195 if (remote_message == NULL) {
196 return LDB_ERR_OPERATIONS_ERROR;
199 /* Remove any password attributes from the remote message */
200 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
201 ldb_msg_remove_attr(remote_message, password_attrs[i]);
204 /* Find the objectGUID to use as the key */
205 objectGUID = samdb_result_guid(ac->req->op.add.message, "objectGUID");
207 ac->local_message = ldb_msg_copy_shallow(ac, req->op.add.message);
208 if (ac->local_message == NULL) {
209 return LDB_ERR_OPERATIONS_ERROR;
212 /* Remove anything seen in the remote message from the local
213 * message (leaving only password attributes) */
214 for (i=0; i < remote_message->num_elements; i++) {
215 ldb_msg_remove_attr(ac->local_message, remote_message->elements[i].name);
218 /* We must have an objectGUID already, or we don't know where
219 * to add the password. This may be changed to an 'add and
220 * search', to allow the directory to create the objectGUID */
221 if (ldb_msg_find_ldb_val(req->op.add.message, "objectGUID") == NULL) {
222 ldb_set_errstring(ldb,
223 "no objectGUID found in search: "
224 "local_password module must be "
225 "onfigured below objectGUID module!\n");
226 return LDB_ERR_CONSTRAINT_VIOLATION;
229 ac->local_message->dn = ldb_dn_new(ac->local_message,
231 if ((ac->local_message->dn == NULL) ||
232 ( ! ldb_dn_add_child_fmt(ac->local_message->dn,
233 PASSWORD_GUID_ATTR "=%s",
234 GUID_string(ac->local_message,
236 return LDB_ERR_OPERATIONS_ERROR;
239 ret = ldb_build_add_req(&remote_req, ldb, ac,
242 ac, lpdb_add_callback,
244 if (ret != LDB_SUCCESS) {
248 return ldb_next_request(module, remote_req);
251 /* Add a record, splitting password attributes from the user's main
253 static int lpdb_add_callback(struct ldb_request *req,
254 struct ldb_reply *ares)
256 struct ldb_context *ldb;
257 struct ldb_request *local_req;
258 struct lpdb_context *ac;
261 ac = talloc_get_type(req->context, struct lpdb_context);
262 ldb = ldb_module_get_ctx(ac->module);
265 return ldb_module_done(ac->req, NULL, NULL,
266 LDB_ERR_OPERATIONS_ERROR);
268 if (ares->error != LDB_SUCCESS) {
269 return ldb_module_done(ac->req, ares->controls,
270 ares->response, ares->error);
273 if (ares->type != LDB_REPLY_DONE) {
274 ldb_set_errstring(ldb, "Unexpected reply type");
276 return ldb_module_done(ac->req, NULL, NULL,
277 LDB_ERR_OPERATIONS_ERROR);
280 ac->remote_done = talloc_steal(ac, ares);
282 ret = ldb_build_add_req(&local_req, ldb, ac,
285 ac, lpdb_local_callback,
287 if (ret != LDB_SUCCESS) {
288 return ldb_module_done(ac->req, NULL, NULL, ret);
291 ret = ldb_next_request(ac->module, local_req);
292 if (ret != LDB_SUCCESS) {
293 return ldb_module_done(ac->req, NULL, NULL, ret);
298 /*****************************************************************************
300 ****************************************************************************/
302 static int lpdb_modify_callabck(struct ldb_request *req,
303 struct ldb_reply *ares);
304 static int lpdb_mod_search_callback(struct ldb_request *req,
305 struct ldb_reply *ares);
307 static int local_password_modify(struct ldb_module *module, struct ldb_request *req)
309 struct ldb_context *ldb;
310 struct lpdb_context *ac;
311 struct ldb_message *remote_message;
312 struct ldb_request *remote_req;
316 ldb = ldb_module_get_ctx(module);
317 ldb_debug(ldb, LDB_DEBUG_TRACE, "local_password_modify\n");
319 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
320 return ldb_next_request(module, req);
323 /* If the caller is manipulating the local passwords directly, let them pass */
324 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
325 req->op.mod.message->dn) == 0) {
326 return ldb_next_request(module, req);
329 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
330 if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
335 /* It didn't match any of our password attributes, then we have nothing to do here */
336 if (i == ARRAY_SIZE(password_attrs)) {
337 return ldb_next_request(module, req);
340 /* From here, we assume we have password attributes to split off */
341 ac = lpdb_init_context(module, req);
343 return LDB_ERR_OPERATIONS_ERROR;
346 remote_message = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
347 if (remote_message == NULL) {
348 return LDB_ERR_OPERATIONS_ERROR;
351 /* Remove any password attributes from the remote message */
352 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
353 ldb_msg_remove_attr(remote_message, password_attrs[i]);
356 ac->local_message = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
357 if (ac->local_message == NULL) {
358 return LDB_ERR_OPERATIONS_ERROR;
361 /* Remove anything seen in the remote message from the local
362 * message (leaving only password attributes) */
363 for (i=0; i < remote_message->num_elements;i++) {
364 ldb_msg_remove_attr(ac->local_message, remote_message->elements[i].name);
367 ret = ldb_build_mod_req(&remote_req, ldb, ac,
370 ac, lpdb_modify_callabck,
372 if (ret != LDB_SUCCESS) {
376 return ldb_next_request(module, remote_req);
379 /* On a modify, we don't have the objectGUID handy, so we need to
380 * search our DN for it */
381 static int lpdb_modify_callabck(struct ldb_request *req,
382 struct ldb_reply *ares)
384 struct ldb_context *ldb;
385 static const char * const attrs[] = { "objectGUID", "objectClass", NULL };
386 struct ldb_request *search_req;
387 struct lpdb_context *ac;
390 ac = talloc_get_type(req->context, struct lpdb_context);
391 ldb = ldb_module_get_ctx(ac->module);
394 return ldb_module_done(ac->req, NULL, NULL,
395 LDB_ERR_OPERATIONS_ERROR);
397 if (ares->error != LDB_SUCCESS) {
398 return ldb_module_done(ac->req, ares->controls,
399 ares->response, ares->error);
402 if (ares->type != LDB_REPLY_DONE) {
403 ldb_set_errstring(ldb, "Unexpected reply type");
405 return ldb_module_done(ac->req, NULL, NULL,
406 LDB_ERR_OPERATIONS_ERROR);
409 ac->remote_done = talloc_steal(ac, ares);
411 /* prepare the search operation */
412 ret = ldb_build_search_req(&search_req, ldb, ac,
413 ac->req->op.mod.message->dn, LDB_SCOPE_BASE,
414 "(objectclass=*)", attrs,
416 ac, lpdb_mod_search_callback,
418 if (ret != LDB_SUCCESS) {
419 return ldb_module_done(ac->req, NULL, NULL,
420 LDB_ERR_OPERATIONS_ERROR);
423 ret = ldb_next_request(ac->module, search_req);
424 if (ret != LDB_SUCCESS) {
425 return ldb_module_done(ac->req, NULL, NULL,
426 LDB_ERR_OPERATIONS_ERROR);
431 /* Called when we search for our own entry. Stores the one entry we
432 * expect (as it is a base search) on the context pointer */
433 static int lpdb_mod_search_callback(struct ldb_request *req,
434 struct ldb_reply *ares)
436 struct ldb_context *ldb;
437 struct ldb_request *local_req;
438 struct lpdb_context *ac;
439 struct ldb_dn *local_dn;
440 struct GUID objectGUID;
441 int ret = LDB_SUCCESS;
443 ac = talloc_get_type(req->context, struct lpdb_context);
444 ldb = ldb_module_get_ctx(ac->module);
447 return ldb_module_done(ac->req, NULL, NULL,
448 LDB_ERR_OPERATIONS_ERROR);
450 if (ares->error != LDB_SUCCESS) {
451 return ldb_module_done(ac->req, ares->controls,
452 ares->response, ares->error);
455 switch (ares->type) {
456 case LDB_REPLY_ENTRY:
457 if (ac->remote != NULL) {
458 ldb_set_errstring(ldb, "Too many results");
460 return ldb_module_done(ac->req, NULL, NULL,
461 LDB_ERR_OPERATIONS_ERROR);
464 ac->remote = talloc_steal(ac, ares);
467 case LDB_REPLY_REFERRAL:
474 /* After we find out the objectGUID for the entry, modify the local
475 * password database as required */
479 /* if it is not an entry of type person this is an error */
480 /* TODO: remove this when sambaPassword will be in schema */
481 if (ac->remote == NULL) {
482 ldb_asprintf_errstring(ldb,
483 "entry just modified (%s) not found!",
484 ldb_dn_get_linearized(req->op.search.base));
485 return ldb_module_done(ac->req, NULL, NULL,
486 LDB_ERR_OPERATIONS_ERROR);
488 if (!ldb_msg_check_string_attribute(ac->remote->message,
489 "objectClass", "person")) {
490 /* Not relevent to us */
491 return ldb_module_done(ac->req,
492 ac->remote_done->controls,
493 ac->remote_done->response,
494 ac->remote_done->error);
497 if (ldb_msg_find_ldb_val(ac->remote->message,
498 "objectGUID") == NULL) {
499 ldb_set_errstring(ldb,
500 "no objectGUID found in search: "
501 "local_password module must be "
502 "configured below objectGUID "
504 return ldb_module_done(ac->req, NULL, NULL,
505 LDB_ERR_OBJECT_CLASS_VIOLATION);
508 objectGUID = samdb_result_guid(ac->remote->message,
511 local_dn = ldb_dn_new(ac, ldb, LOCAL_BASE);
512 if ((local_dn == NULL) ||
513 ( ! ldb_dn_add_child_fmt(local_dn,
514 PASSWORD_GUID_ATTR "=%s",
515 GUID_string(ac, &objectGUID)))) {
516 return ldb_module_done(ac->req, NULL, NULL,
517 LDB_ERR_OPERATIONS_ERROR);
519 ac->local_message->dn = local_dn;
521 ret = ldb_build_mod_req(&local_req, ldb, ac,
524 ac, lpdb_local_callback,
526 if (ret != LDB_SUCCESS) {
527 return ldb_module_done(ac->req, NULL, NULL, ret);
530 /* perform the local update */
531 ret = ldb_next_request(ac->module, local_req);
532 if (ret != LDB_SUCCESS) {
533 return ldb_module_done(ac->req, NULL, NULL, ret);
540 /*****************************************************************************
542 ****************************************************************************/
544 static int lpdb_delete_callabck(struct ldb_request *req,
545 struct ldb_reply *ares);
546 static int lpdb_del_search_callback(struct ldb_request *req,
547 struct ldb_reply *ares);
549 static int local_password_delete(struct ldb_module *module,
550 struct ldb_request *req)
552 struct ldb_context *ldb;
553 struct ldb_request *remote_req;
554 struct lpdb_context *ac;
557 ldb = ldb_module_get_ctx(module);
558 ldb_debug(ldb, LDB_DEBUG_TRACE, "local_password_delete\n");
560 /* do not manipulate our control entries */
561 if (ldb_dn_is_special(req->op.mod.message->dn)) {
562 return ldb_next_request(module, req);
565 /* If the caller is manipulating the local passwords directly,
567 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
568 req->op.del.dn) == 0) {
569 return ldb_next_request(module, req);
572 /* From here, we assume we have password attributes to split off */
573 ac = lpdb_init_context(module, req);
575 return LDB_ERR_OPERATIONS_ERROR;
578 ret = ldb_build_del_req(&remote_req, ldb, ac,
581 ac, lpdb_delete_callabck,
583 if (ret != LDB_SUCCESS) {
587 return ldb_next_request(module, remote_req);
590 /* On a modify, we don't have the objectGUID handy, so we need to
591 * search our DN for it */
592 static int lpdb_delete_callabck(struct ldb_request *req,
593 struct ldb_reply *ares)
595 struct ldb_context *ldb;
596 static const char * const attrs[] = { "objectGUID", "objectClass", NULL };
597 struct ldb_request *search_req;
598 struct lpdb_context *ac;
601 ac = talloc_get_type(req->context, struct lpdb_context);
602 ldb = ldb_module_get_ctx(ac->module);
605 return ldb_module_done(ac->req, NULL, NULL,
606 LDB_ERR_OPERATIONS_ERROR);
608 if (ares->error != LDB_SUCCESS) {
609 return ldb_module_done(ac->req, ares->controls,
610 ares->response, ares->error);
613 if (ares->type != LDB_REPLY_DONE) {
614 ldb_set_errstring(ldb, "Unexpected reply type");
616 return ldb_module_done(ac->req, NULL, NULL,
617 LDB_ERR_OPERATIONS_ERROR);
620 ac->remote_done = talloc_steal(ac, ares);
622 /* prepare the search operation */
623 ret = ldb_build_search_req(&search_req, ldb, ac,
624 ac->req->op.del.dn, LDB_SCOPE_BASE,
625 "(objectclass=*)", attrs,
627 ac, lpdb_del_search_callback,
629 if (ret != LDB_SUCCESS) {
630 return ldb_module_done(ac->req, NULL, NULL,
631 LDB_ERR_OPERATIONS_ERROR);
634 ret = ldb_next_request(ac->module, search_req);
635 if (ret != LDB_SUCCESS) {
636 return ldb_module_done(ac->req, NULL, NULL,
637 LDB_ERR_OPERATIONS_ERROR);
642 /* Called when we search for our own entry. Stores the one entry we
643 * expect (as it is a base search) on the context pointer */
644 static int lpdb_del_search_callback(struct ldb_request *req,
645 struct ldb_reply *ares)
647 struct ldb_context *ldb;
648 struct ldb_request *local_req;
649 struct lpdb_context *ac;
650 struct ldb_dn *local_dn;
651 struct GUID objectGUID;
652 int ret = LDB_SUCCESS;
654 ac = talloc_get_type(req->context, struct lpdb_context);
655 ldb = ldb_module_get_ctx(ac->module);
658 return ldb_module_done(ac->req, NULL, NULL,
659 LDB_ERR_OPERATIONS_ERROR);
661 if (ares->error != LDB_SUCCESS) {
662 return ldb_module_done(ac->req, ares->controls,
663 ares->response, ares->error);
666 switch (ares->type) {
667 case LDB_REPLY_ENTRY:
668 if (ac->remote != NULL) {
669 ldb_set_errstring(ldb, "Too many results");
671 return ldb_module_done(ac->req, NULL, NULL,
672 LDB_ERR_OPERATIONS_ERROR);
675 ac->remote = talloc_steal(ac, ares);
678 case LDB_REPLY_REFERRAL:
685 /* After we find out the objectGUID for the entry, modify the local
686 * password database as required */
690 /* if it is not an entry of type person this is NOT an error */
691 /* TODO: remove this when sambaPassword will be in schema */
692 if (ac->remote == NULL) {
693 return ldb_module_done(ac->req,
694 ac->remote_done->controls,
695 ac->remote_done->response,
696 ac->remote_done->error);
698 if (!ldb_msg_check_string_attribute(ac->remote->message,
699 "objectClass", "person")) {
700 /* Not relevent to us */
701 return ldb_module_done(ac->req,
702 ac->remote_done->controls,
703 ac->remote_done->response,
704 ac->remote_done->error);
707 if (ldb_msg_find_ldb_val(ac->remote->message,
708 "objectGUID") == NULL) {
709 ldb_set_errstring(ldb,
710 "no objectGUID found in search: "
711 "local_password module must be "
712 "configured below objectGUID "
714 return ldb_module_done(ac->req, NULL, NULL,
715 LDB_ERR_OBJECT_CLASS_VIOLATION);
718 objectGUID = samdb_result_guid(ac->remote->message,
721 local_dn = ldb_dn_new(ac, ldb, LOCAL_BASE);
722 if ((local_dn == NULL) ||
723 ( ! ldb_dn_add_child_fmt(local_dn,
724 PASSWORD_GUID_ATTR "=%s",
725 GUID_string(ac, &objectGUID)))) {
726 return ldb_module_done(ac->req, NULL, NULL,
727 LDB_ERR_OPERATIONS_ERROR);
730 ret = ldb_build_del_req(&local_req, ldb, ac,
733 ac, lpdb_local_callback,
735 if (ret != LDB_SUCCESS) {
736 return ldb_module_done(ac->req, NULL, NULL, ret);
739 /* perform the local update */
740 ret = ldb_next_request(ac->module, local_req);
741 if (ret != LDB_SUCCESS) {
742 return ldb_module_done(ac->req, NULL, NULL, ret);
750 /*****************************************************************************
752 ****************************************************************************/
754 static int lpdb_local_search_callback(struct ldb_request *req,
755 struct ldb_reply *ares);
757 static int lpdb_local_search(struct lpdb_context *ac)
759 struct ldb_context *ldb;
760 struct ldb_request *local_req;
763 ldb = ldb_module_get_ctx(ac->module);
765 ret = ldb_build_search_req(&local_req, ldb, ac,
766 ac->current->local_dn,
769 ac->req->op.search.attrs,
771 ac, lpdb_local_search_callback,
773 if (ret != LDB_SUCCESS) {
774 return LDB_ERR_OPERATIONS_ERROR;
777 return ldb_next_request(ac->module, local_req);
780 static int lpdb_local_search_callback(struct ldb_request *req,
781 struct ldb_reply *ares)
783 struct ldb_context *ldb;
784 struct lpdb_context *ac;
785 struct ldb_reply *merge;
786 struct lpdb_reply *lr;
790 ac = talloc_get_type(req->context, struct lpdb_context);
791 ldb = ldb_module_get_ctx(ac->module);
794 return ldb_module_done(ac->req, NULL, NULL,
795 LDB_ERR_OPERATIONS_ERROR);
797 if (ares->error != LDB_SUCCESS) {
798 return ldb_module_done(ac->req, ares->controls,
799 ares->response, ares->error);
804 /* we are interested only in a single reply (base search) */
805 switch (ares->type) {
806 case LDB_REPLY_ENTRY:
808 if (lr->remote == NULL) {
809 ldb_set_errstring(ldb,
810 "Too many results for password entry search!");
812 return ldb_module_done(ac->req, NULL, NULL,
813 LDB_ERR_OPERATIONS_ERROR);
819 /* steal the local results on the remote results to be
820 * returned all together */
821 talloc_steal(merge, ares->message->elements);
823 /* Make sure never to return the internal key attribute */
824 ldb_msg_remove_attr(ares->message, PASSWORD_GUID_ATTR);
826 for (i=0; i < ares->message->num_elements; i++) {
827 struct ldb_message_element *el;
829 el = ldb_msg_find_element(merge->message,
830 ares->message->elements[i].name);
832 ret = ldb_msg_add_empty(merge->message,
833 ares->message->elements[i].name,
835 if (ret != LDB_SUCCESS) {
837 return ldb_module_done(ac->req,
839 LDB_ERR_OPERATIONS_ERROR);
841 *el = ares->message->elements[i];
848 return ldb_module_send_entry(ac->req, merge->message, merge->controls);
850 case LDB_REPLY_REFERRAL:
859 /* if this entry was not returned yet, return it now */
861 ret = ldb_module_send_entry(ac->req, ac->remote->message, ac->remote->controls);
862 if (ret != LDB_SUCCESS) {
863 return ldb_module_done(ac->req,
869 if (lr->next->remote->type == LDB_REPLY_DONE) {
870 /* this was the last one */
871 return ldb_module_done(ac->req,
872 lr->next->remote->controls,
873 lr->next->remote->response,
874 lr->next->remote->error);
877 ac->current = lr->next;
880 ret = lpdb_local_search(ac);
881 if (ret != LDB_SUCCESS) {
882 return ldb_module_done(ac->req,
891 /* For each entry returned in a remote search, do a local base search,
892 * based on the objectGUID we asked for as an additional attribute */
893 static int lpdb_remote_search_callback(struct ldb_request *req,
894 struct ldb_reply *ares)
896 struct ldb_context *ldb;
897 struct lpdb_context *ac;
898 struct ldb_dn *local_dn;
899 struct GUID objectGUID;
900 struct lpdb_reply *lr;
903 ac = talloc_get_type(req->context, struct lpdb_context);
904 ldb = ldb_module_get_ctx(ac->module);
907 return ldb_module_done(ac->req, NULL, NULL,
908 LDB_ERR_OPERATIONS_ERROR);
910 if (ares->error != LDB_SUCCESS) {
911 return ldb_module_done(ac->req, ares->controls,
912 ares->response, ares->error);
915 switch (ares->type) {
916 case LDB_REPLY_ENTRY:
917 /* No point searching further if it's not a 'person' entry */
918 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
920 /* Make sure to remove anything we added */
921 if (ac->added_objectGUID) {
922 ldb_msg_remove_attr(ares->message, "objectGUID");
925 if (ac->added_objectClass) {
926 ldb_msg_remove_attr(ares->message, "objectClass");
929 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
932 if (ldb_msg_find_ldb_val(ares->message, "objectGUID") == NULL) {
933 ldb_set_errstring(ldb,
934 "no objectGUID found in search: local_password module must be configured below objectGUID module!\n");
935 return ldb_module_done(ac->req, NULL, NULL,
936 LDB_ERR_OPERATIONS_ERROR);
939 objectGUID = samdb_result_guid(ares->message, "objectGUID");
941 if (ac->added_objectGUID) {
942 ldb_msg_remove_attr(ares->message, "objectGUID");
945 if (ac->added_objectClass) {
946 ldb_msg_remove_attr(ares->message, "objectClass");
949 local_dn = ldb_dn_new(ac, ldb, LOCAL_BASE);
950 if ((local_dn == NULL) ||
951 (! ldb_dn_add_child_fmt(local_dn,
952 PASSWORD_GUID_ATTR "=%s",
953 GUID_string(ac, &objectGUID)))) {
954 return ldb_module_done(ac->req, NULL, NULL,
955 LDB_ERR_OPERATIONS_ERROR);
958 lr = talloc_zero(ac, struct lpdb_reply);
960 return ldb_module_done(ac->req, NULL, NULL,
961 LDB_ERR_OPERATIONS_ERROR);
963 lr->local_dn = talloc_steal(lr, local_dn);
964 lr->remote = talloc_steal(lr, ares);
967 ac->current->next = lr;
975 case LDB_REPLY_REFERRAL:
977 return ldb_module_send_referral(ac->req, ares->referral);
981 if (ac->list == NULL) {
983 return ldb_module_done(ac->req, ares->controls,
984 ares->response, ares->error);
987 lr = talloc_zero(ac, struct lpdb_reply);
989 return ldb_module_done(ac->req, NULL, NULL,
990 LDB_ERR_OPERATIONS_ERROR);
992 lr->remote = talloc_steal(lr, ares);
994 ac->current->next = lr;
996 /* rewind current and start local searches */
997 ac->current= ac->list;
999 ret = lpdb_local_search(ac);
1000 if (ret != LDB_SUCCESS) {
1001 return ldb_module_done(ac->req, NULL, NULL, ret);
1008 /* Search for passwords and other attributes. The passwords are
1009 * local, but the other attributes are remote, and we need to glue the
1010 * two search spaces back togeather */
1012 static int local_password_search(struct ldb_module *module, struct ldb_request *req)
1014 struct ldb_context *ldb;
1015 struct ldb_request *remote_req;
1016 struct lpdb_context *ac;
1019 const char * const *search_attrs = NULL;
1021 ldb = ldb_module_get_ctx(module);
1022 ldb_debug(ldb, LDB_DEBUG_TRACE, "local_password_search\n");
1024 if (ldb_dn_is_special(req->op.search.base)) { /* do not manipulate our control entries */
1025 return ldb_next_request(module, req);
1028 search_attrs = NULL;
1030 /* If the caller is searching for the local passwords directly, let them pass */
1031 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
1032 req->op.search.base) == 0) {
1033 return ldb_next_request(module, req);
1036 if (req->op.search.attrs && (!ldb_attr_in_list(req->op.search.attrs, "*"))) {
1037 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
1038 if (ldb_attr_in_list(req->op.search.attrs, password_attrs[i])) {
1043 /* It didn't match any of our password attributes, go on */
1044 if (i == ARRAY_SIZE(password_attrs)) {
1045 return ldb_next_request(module, req);
1049 ac = lpdb_init_context(module, req);
1051 return LDB_ERR_OPERATIONS_ERROR;
1054 /* Remote search is for all attributes: if the remote LDAP server has these attributes, then it overrides the local database */
1055 if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
1056 if (!ldb_attr_in_list(req->op.search.attrs, "objectGUID")) {
1057 search_attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "objectGUID");
1058 ac->added_objectGUID = true;
1059 if (!search_attrs) {
1060 return LDB_ERR_OPERATIONS_ERROR;
1063 search_attrs = req->op.search.attrs;
1065 if (!ldb_attr_in_list(search_attrs, "objectClass")) {
1066 search_attrs = ldb_attr_list_copy_add(ac, search_attrs, "objectClass");
1067 ac->added_objectClass = true;
1068 if (!search_attrs) {
1069 return LDB_ERR_OPERATIONS_ERROR;
1073 search_attrs = req->op.search.attrs;
1076 ret = ldb_build_search_req_ex(&remote_req, ldb, ac,
1077 req->op.search.base,
1078 req->op.search.scope,
1079 req->op.search.tree,
1082 ac, lpdb_remote_search_callback,
1084 if (ret != LDB_SUCCESS) {
1085 return LDB_ERR_OPERATIONS_ERROR;
1088 /* perform the search */
1089 return ldb_next_request(module, remote_req);
1092 _PUBLIC_ const struct ldb_module_ops ldb_local_password_module_ops = {
1093 .name = "local_password",
1094 .add = local_password_add,
1095 .modify = local_password_modify,
1096 .del = local_password_delete,
1097 .search = local_password_search
git.samba.org / nivanova / samba.git / blob