2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
8 Copyright (C) Matthieu Patou <mat@matws.net> 2011
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include <ldb_module.h>
27 #include "system/time.h"
28 #include "dsdb/samdb/samdb.h"
30 #include "dsdb/samdb/ldb_modules/util.h"
31 #include "libcli/security/security.h"
32 #include "librpc/ndr/libndr.h"
33 #include "auth/auth.h"
34 #include "param/param.h"
35 #include "lib/messaging/irpc.h"
36 #include "librpc/gen_ndr/ndr_irpc_c.h"
39 unsigned int num_controls;
41 unsigned int num_partitions;
42 struct ldb_dn **partitions;
47 return 1 if a specific attribute has been requested
49 static int do_attribute(const char * const *attrs, const char *name)
51 return attrs == NULL ||
52 ldb_attr_in_list(attrs, name) ||
53 ldb_attr_in_list(attrs, "*");
56 static int do_attribute_explicit(const char * const *attrs, const char *name)
58 return attrs != NULL && ldb_attr_in_list(attrs, name);
63 expand a DN attribute to include extended DN information if requested
65 static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *msg,
66 const char *attrname, struct ldb_control *edn_control,
67 struct ldb_request *req)
69 struct ldb_dn *dn, *dn2;
72 struct ldb_request *req2;
74 const char *no_attrs[] = { NULL };
75 struct ldb_result *res;
76 struct ldb_extended_dn_control *edn;
77 TALLOC_CTX *tmp_ctx = talloc_new(req);
78 struct ldb_context *ldb;
81 struct ldb_message_element *el;
83 ldb = ldb_module_get_ctx(module);
85 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
90 el = ldb_msg_find_element(msg, attrname);
91 if (!el || el->num_values == 0) {
95 for (i = 0; i < el->num_values; i++) {
102 dn_string = talloc_strndup(tmp_ctx, (const char *)v->data, v->length);
103 if (dn_string == NULL) {
104 talloc_free(tmp_ctx);
105 return ldb_operr(ldb);
108 res = talloc_zero(tmp_ctx, struct ldb_result);
110 talloc_free(tmp_ctx);
111 return ldb_operr(ldb);
114 dn = ldb_dn_new(tmp_ctx, ldb, dn_string);
116 talloc_free(tmp_ctx);
117 return ldb_operr(ldb);
120 ret = ldb_build_search_req(&req2, ldb, tmp_ctx,
126 res, ldb_search_default_callback,
128 LDB_REQ_SET_LOCATION(req2);
129 if (ret != LDB_SUCCESS) {
130 talloc_free(tmp_ctx);
135 ret = ldb_request_add_control(req2,
136 LDB_CONTROL_EXTENDED_DN_OID,
137 edn_control->critical, edn);
138 if (ret != LDB_SUCCESS) {
139 talloc_free(tmp_ctx);
140 return ldb_error(ldb, ret, "Failed to add control");
143 ret = ldb_next_request(module, req2);
144 if (ret == LDB_SUCCESS) {
145 ret = ldb_wait(req2->handle, LDB_WAIT_ALL);
148 if (ret != LDB_SUCCESS) {
149 talloc_free(tmp_ctx);
153 if (!res || res->count != 1) {
154 talloc_free(tmp_ctx);
155 return ldb_operr(ldb);
158 dn2 = res->msgs[0]->dn;
160 v->data = (uint8_t *)ldb_dn_get_extended_linearized(msg->elements, dn2, edn_type);
161 if (v->data == NULL) {
162 talloc_free(tmp_ctx);
163 return ldb_operr(ldb);
165 v->length = strlen((char *)v->data);
168 talloc_free(tmp_ctx);
174 see if we are master for a FSMO role
176 static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *dn, bool *master,
177 struct ldb_request *parent)
179 const char *attrs[] = { "fSMORoleOwner", NULL };
180 TALLOC_CTX *tmp_ctx = talloc_new(parent);
181 struct ldb_result *res;
183 struct ldb_dn *owner_dn;
185 ret = dsdb_module_search_dn(module, tmp_ctx, &res,
186 dn, attrs, DSDB_FLAG_NEXT_MODULE, parent);
187 if (ret != LDB_SUCCESS) {
188 talloc_free(tmp_ctx);
192 owner_dn = ldb_msg_find_attr_as_dn(ldb_module_get_ctx(module),
193 tmp_ctx, res->msgs[0], "fSMORoleOwner");
196 talloc_free(tmp_ctx);
200 *master = (ldb_dn_compare(owner_dn, samdb_ntds_settings_dn(ldb_module_get_ctx(module))) == 0);
201 talloc_free(tmp_ctx);
206 add dynamically generated attributes to rootDSE result
208 static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *msg,
209 const char * const *attrs, struct ldb_request *req)
211 struct ldb_context *ldb;
212 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
214 const struct dsdb_schema *schema;
216 struct ldb_control *edn_control;
217 const char *dn_attrs[] = {
218 "configurationNamingContext",
219 "defaultNamingContext",
220 "rootDomainNamingContext",
221 "schemaNamingContext",
227 const char *guid_attrs[] = {
233 ldb = ldb_module_get_ctx(module);
234 schema = dsdb_get_schema(ldb, NULL);
236 msg->dn = ldb_dn_new(msg, ldb, NULL);
238 /* don't return the distinguishedName, cn and name attributes */
239 ldb_msg_remove_attr(msg, "distinguishedName");
240 ldb_msg_remove_attr(msg, "cn");
241 ldb_msg_remove_attr(msg, "name");
243 if (do_attribute(attrs, "serverName")) {
244 if (ldb_msg_add_linearized_dn(msg, "serverName",
245 samdb_server_dn(ldb, msg)) != LDB_SUCCESS) {
250 if (do_attribute(attrs, "dnsHostName")) {
251 struct ldb_result *res;
253 const char *dns_attrs[] = { "dNSHostName", NULL };
254 ret = dsdb_module_search_dn(module, msg, &res, samdb_server_dn(ldb, msg),
255 dns_attrs, DSDB_FLAG_NEXT_MODULE, req);
256 if (ret == LDB_SUCCESS) {
257 const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
258 if (hostname != NULL) {
259 if (ldb_msg_add_string(msg, "dNSHostName", hostname)) {
266 if (do_attribute(attrs, "ldapServiceName")) {
267 struct loadparm_context *lp_ctx
268 = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
269 struct loadparm_context);
270 char *ldap_service_name, *hostname;
272 hostname = strlower_talloc(msg, lpcfg_netbios_name(lp_ctx));
273 if (hostname == NULL) {
277 ldap_service_name = talloc_asprintf(msg, "%s:%s$@%s",
278 samdb_forest_name(ldb, msg),
279 hostname, lpcfg_realm(lp_ctx));
280 if (ldap_service_name == NULL) {
284 if (ldb_msg_add_string(msg, "ldapServiceName",
285 ldap_service_name) != LDB_SUCCESS) {
290 if (do_attribute(attrs, "currentTime")) {
291 if (ldb_msg_add_steal_string(msg, "currentTime",
292 ldb_timestring(msg, time(NULL))) != LDB_SUCCESS) {
297 if (priv && do_attribute(attrs, "supportedControl")) {
298 for (i = 0; i < priv->num_controls; i++) {
299 char *control = talloc_strdup(msg, priv->controls[i]);
303 if (ldb_msg_add_steal_string(msg, "supportedControl",
304 control) != LDB_SUCCESS) {
310 if (priv && do_attribute(attrs, "namingContexts")) {
311 for (i = 0; i < priv->num_partitions; i++) {
312 struct ldb_dn *dn = priv->partitions[i];
313 if (ldb_msg_add_steal_string(msg, "namingContexts",
314 ldb_dn_alloc_linearized(msg, dn)) != LDB_SUCCESS) {
320 server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
322 if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
323 for (i = 0; server_sasl && server_sasl[i]; i++) {
324 char *sasl_name = talloc_strdup(msg, server_sasl[i]);
328 if (ldb_msg_add_steal_string(msg, "supportedSASLMechanisms",
329 sasl_name) != LDB_SUCCESS) {
335 if (do_attribute(attrs, "highestCommittedUSN")) {
337 int ret = ldb_sequence_number(ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
338 if (ret == LDB_SUCCESS) {
339 if (samdb_msg_add_uint64(ldb, msg, msg,
340 "highestCommittedUSN",
341 seq_num) != LDB_SUCCESS) {
347 if (schema && do_attribute_explicit(attrs, "dsSchemaAttrCount")) {
348 struct dsdb_attribute *cur;
351 for (cur = schema->attributes; cur; cur = cur->next) {
355 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaAttrCount",
361 if (schema && do_attribute_explicit(attrs, "dsSchemaClassCount")) {
362 struct dsdb_class *cur;
365 for (cur = schema->classes; cur; cur = cur->next) {
369 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaClassCount",
375 if (schema && do_attribute_explicit(attrs, "dsSchemaPrefixCount")) {
376 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaPrefixCount",
377 schema->prefixmap->length) != LDB_SUCCESS) {
382 if (do_attribute_explicit(attrs, "validFSMOs")) {
383 struct ldb_dn *dns[3];
385 dns[0] = ldb_get_schema_basedn(ldb);
386 dns[1] = samdb_partitions_dn(ldb, msg);
387 dns[2] = ldb_get_default_basedn(ldb);
389 for (i=0; i<3; i++) {
391 int ret = dsdb_module_we_are_master(module, dns[i], &master, req);
392 if (ret != LDB_SUCCESS) {
395 if (master && ldb_msg_add_fmt(msg, "validFSMOs", "%s",
396 ldb_dn_get_linearized(dns[i])) != LDB_SUCCESS) {
402 if (do_attribute_explicit(attrs, "vendorVersion")) {
403 if (ldb_msg_add_fmt(msg, "vendorVersion",
404 "%s", SAMBA_VERSION_STRING) != LDB_SUCCESS) {
409 if (do_attribute(attrs, "domainFunctionality")) {
410 if (samdb_msg_add_int(ldb, msg, msg, "domainFunctionality",
411 dsdb_functional_level(ldb)) != LDB_SUCCESS) {
416 if (do_attribute(attrs, "forestFunctionality")) {
417 if (samdb_msg_add_int(ldb, msg, msg, "forestFunctionality",
418 dsdb_forest_functional_level(ldb)) != LDB_SUCCESS) {
423 if (do_attribute(attrs, "domainControllerFunctionality")
424 && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) {
425 if (samdb_msg_add_int(ldb, msg, msg,
426 "domainControllerFunctionality",
427 *val) != LDB_SUCCESS) {
432 if (do_attribute(attrs, "isGlobalCatalogReady")) {
433 /* MS-ADTS 3.1.1.3.2.10
434 Note, we should only return true here is we have
435 completed at least one synchronisation. As both
436 provision and vampire do a full sync, this means we
437 can return true is the gc bit is set in the NTDSDSA
439 if (ldb_msg_add_fmt(msg, "isGlobalCatalogReady",
440 "%s", samdb_is_gc(ldb)?"TRUE":"FALSE") != LDB_SUCCESS) {
445 if (do_attribute_explicit(attrs, "tokenGroups")) {
446 /* Obtain the user's session_info */
447 struct auth_session_info *session_info
448 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
449 if (session_info && session_info->security_token) {
450 /* The list of groups this user is in */
451 for (i = 0; i < session_info->security_token->num_sids; i++) {
452 if (samdb_msg_add_dom_sid(ldb, msg, msg,
454 &session_info->security_token->sids[i]) != LDB_SUCCESS) {
461 /* TODO: lots more dynamic attributes should be added here */
463 edn_control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
465 /* convert any GUID attributes to be in the right form */
466 for (i=0; guid_attrs[i]; i++) {
467 struct ldb_result *res;
468 struct ldb_message_element *el;
469 struct ldb_dn *attr_dn;
470 const char *no_attrs[] = { NULL };
473 if (!do_attribute(attrs, guid_attrs[i])) continue;
475 attr_dn = ldb_msg_find_attr_as_dn(ldb, req, msg, guid_attrs[i]);
476 if (attr_dn == NULL) {
480 ret = dsdb_module_search_dn(module, req, &res,
482 DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_EXTENDED_DN,
484 if (ret != LDB_SUCCESS) {
485 return ldb_operr(ldb);
488 el = ldb_msg_find_element(msg, guid_attrs[i]);
490 return ldb_operr(ldb);
493 talloc_steal(el->values, res->msgs[0]->dn);
495 struct ldb_extended_dn_control *edn;
497 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
499 edn_type = edn->type;
501 el->values[0].data = (uint8_t *)ldb_dn_get_extended_linearized(el->values,
505 el->values[0].data = (uint8_t *)talloc_strdup(el->values,
506 ldb_dn_get_linearized(res->msgs[0]->dn));
508 if (el->values[0].data == NULL) {
511 el->values[0].length = strlen((const char *)el->values[0].data);
514 /* if the client sent us the EXTENDED_DN control then we need
515 to expand the DNs to have GUID and SID. W2K8 join relies on
519 for (i=0; dn_attrs[i]; i++) {
520 if (!do_attribute(attrs, dn_attrs[i])) continue;
521 ret = expand_dn_in_message(module, msg, dn_attrs[i],
523 if (ret != LDB_SUCCESS) {
524 DEBUG(0,(__location__ ": Failed to expand DN in rootDSE for %s\n",
534 return ldb_operr(ldb);
538 handle search requests
541 struct rootdse_context {
542 struct ldb_module *module;
543 struct ldb_request *req;
546 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
547 struct ldb_request *req)
549 struct ldb_context *ldb;
550 struct rootdse_context *ac;
552 ldb = ldb_module_get_ctx(module);
554 ac = talloc_zero(req, struct rootdse_context);
556 ldb_set_errstring(ldb, "Out of Memory");
566 static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
568 struct rootdse_context *ac;
571 ac = talloc_get_type(req->context, struct rootdse_context);
574 return ldb_module_done(ac->req, NULL, NULL,
575 LDB_ERR_OPERATIONS_ERROR);
577 if (ares->error != LDB_SUCCESS) {
578 return ldb_module_done(ac->req, ares->controls,
579 ares->response, ares->error);
582 switch (ares->type) {
583 case LDB_REPLY_ENTRY:
585 * if the client explicit asks for the 'netlogon' attribute
586 * the reply_entry needs to be skipped
588 if (ac->req->op.search.attrs &&
589 ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
594 /* for each record returned post-process to add any dynamic
595 attributes that have been asked for */
596 ret = rootdse_add_dynamic(ac->module, ares->message,
597 ac->req->op.search.attrs, ac->req);
598 if (ret != LDB_SUCCESS) {
600 return ldb_module_done(ac->req, NULL, NULL, ret);
603 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
605 case LDB_REPLY_REFERRAL:
606 /* should we allow the backend to return referrals in this case
611 return ldb_module_done(ac->req, ares->controls,
612 ares->response, ares->error);
620 filter from controls from clients in several ways
622 1) mark our registered controls as non-critical in the request
624 This is needed as clients may mark controls as critical even if
625 they are not needed at all in a request. For example, the centrify
626 client sets the SD_FLAGS control as critical on ldap modify
627 requests which are setting the dNSHostName attribute on the
628 machine account. That request doesn't need SD_FLAGS at all, but
629 centrify adds it on all ldap requests.
631 2) if this request is untrusted then remove any non-registered
632 controls that are non-critical
634 This is used on ldap:// connections to prevent remote users from
635 setting an internal control that may be dangerous
637 3) if this request is untrusted then fail any request that includes
638 a critical non-registered control
640 static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request *req)
643 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
646 if (!req->controls) {
650 is_untrusted = ldb_req_is_untrusted(req);
652 for (i=0; req->controls[i]; i++) {
653 bool is_registered = false;
654 bool is_critical = (req->controls[i]->critical != 0);
656 if (req->controls[i]->oid == NULL) {
660 if (is_untrusted || is_critical) {
661 for (j=0; j<priv->num_controls; j++) {
662 if (strcasecmp(priv->controls[j], req->controls[i]->oid) == 0) {
663 is_registered = true;
669 if (is_untrusted && !is_registered) {
671 /* remove it by marking the oid NULL */
672 req->controls[i]->oid = NULL;
673 req->controls[i]->data = NULL;
674 req->controls[i]->critical = 0;
677 /* its a critical unregistered control - give
679 ldb_asprintf_errstring(ldb_module_get_ctx(module),
680 "Attempt to use critical non-registered control '%s'",
681 req->controls[i]->oid);
682 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
689 /* If the control is DIRSYNC control then we keep the critical
690 * flag as the dirsync module will need to act upon it
692 if (is_registered && strcmp(req->controls[i]->oid,
693 LDB_CONTROL_DIRSYNC_OID)!= 0) {
694 req->controls[i]->critical = 0;
701 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
703 static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req)
705 struct auth_session_info *session_info;
706 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
707 bool is_untrusted = ldb_req_is_untrusted(req);
708 bool is_anonymous = true;
709 if (is_untrusted == false) {
713 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
715 is_anonymous = security_token_is_anonymous(session_info->security_token);
718 if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
722 if (req->operation == LDB_SEARCH) {
723 if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
727 ldb_set_errstring(ldb_module_get_ctx(module), "Operation unavailable without authentication");
728 return LDB_ERR_OPERATIONS_ERROR;
731 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
733 struct ldb_context *ldb;
734 struct rootdse_context *ac;
735 struct ldb_request *down_req;
738 ret = rootdse_filter_operations(module, req);
739 if (ret != LDB_SUCCESS) {
743 ret = rootdse_filter_controls(module, req);
744 if (ret != LDB_SUCCESS) {
748 ldb = ldb_module_get_ctx(module);
750 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
751 if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
752 /* Otherwise, pass down to the rest of the stack */
753 return ldb_next_request(module, req);
756 ac = rootdse_init_context(module, req);
758 return ldb_operr(ldb);
761 /* in our db we store the rootDSE with a DN of @ROOTDSE */
762 ret = ldb_build_search_req(&down_req, ldb, ac,
763 ldb_dn_new(ac, ldb, "@ROOTDSE"),
766 req->op.search.attrs,
767 NULL,/* for now skip the controls from the client */
768 ac, rootdse_callback,
770 LDB_REQ_SET_LOCATION(down_req);
771 if (ret != LDB_SUCCESS) {
775 return ldb_next_request(module, down_req);
778 static int rootdse_register_control(struct ldb_module *module, struct ldb_request *req)
780 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
783 list = talloc_realloc(priv, priv->controls, char *, priv->num_controls + 1);
785 return ldb_oom(ldb_module_get_ctx(module));
788 list[priv->num_controls] = talloc_strdup(list, req->op.reg_control.oid);
789 if (!list[priv->num_controls]) {
790 return ldb_oom(ldb_module_get_ctx(module));
793 priv->num_controls += 1;
794 priv->controls = list;
796 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
799 static int rootdse_register_partition(struct ldb_module *module, struct ldb_request *req)
801 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
802 struct ldb_dn **list;
804 list = talloc_realloc(priv, priv->partitions, struct ldb_dn *, priv->num_partitions + 1);
806 return ldb_oom(ldb_module_get_ctx(module));
809 list[priv->num_partitions] = ldb_dn_copy(list, req->op.reg_partition.dn);
810 if (!list[priv->num_partitions]) {
811 return ldb_operr(ldb_module_get_ctx(module));
814 priv->num_partitions += 1;
815 priv->partitions = list;
817 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
821 static int rootdse_request(struct ldb_module *module, struct ldb_request *req)
823 switch (req->operation) {
825 case LDB_REQ_REGISTER_CONTROL:
826 return rootdse_register_control(module, req);
827 case LDB_REQ_REGISTER_PARTITION:
828 return rootdse_register_partition(module, req);
833 return ldb_next_request(module, req);
836 static int rootdse_init(struct ldb_module *module)
839 struct ldb_context *ldb;
840 struct ldb_result *res;
841 struct private_data *data;
842 const char *attrs[] = { "msDS-Behavior-Version", NULL };
843 const char *ds_attrs[] = { "dsServiceName", NULL };
846 ldb = ldb_module_get_ctx(module);
848 data = talloc_zero(module, struct private_data);
853 data->num_controls = 0;
854 data->controls = NULL;
855 data->num_partitions = 0;
856 data->partitions = NULL;
857 data->block_anonymous = true;
859 ldb_module_set_private(module, data);
861 ldb_set_default_dns(ldb);
863 ret = ldb_next_init(module);
865 if (ret != LDB_SUCCESS) {
869 mem_ctx = talloc_new(data);
874 /* Now that the partitions are set up, do a search for:
875 - domainControllerFunctionality
876 - domainFunctionality
877 - forestFunctionality
879 Then stuff these values into an opaque
881 ret = dsdb_module_search(module, mem_ctx, &res,
882 ldb_get_default_basedn(ldb),
883 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
884 if (ret == LDB_SUCCESS && res->count == 1) {
885 int domain_behaviour_version
886 = ldb_msg_find_attr_as_int(res->msgs[0],
887 "msDS-Behavior-Version", -1);
888 if (domain_behaviour_version != -1) {
889 int *val = talloc(ldb, int);
891 talloc_free(mem_ctx);
894 *val = domain_behaviour_version;
895 ret = ldb_set_opaque(ldb, "domainFunctionality", val);
896 if (ret != LDB_SUCCESS) {
897 talloc_free(mem_ctx);
903 ret = dsdb_module_search(module, mem_ctx, &res,
904 samdb_partitions_dn(ldb, mem_ctx),
905 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
906 if (ret == LDB_SUCCESS && res->count == 1) {
907 int forest_behaviour_version
908 = ldb_msg_find_attr_as_int(res->msgs[0],
909 "msDS-Behavior-Version", -1);
910 if (forest_behaviour_version != -1) {
911 int *val = talloc(ldb, int);
913 talloc_free(mem_ctx);
916 *val = forest_behaviour_version;
917 ret = ldb_set_opaque(ldb, "forestFunctionality", val);
918 if (ret != LDB_SUCCESS) {
919 talloc_free(mem_ctx);
925 /* For now, our own server's location in the DB is recorded in
926 * the @ROOTDSE record */
927 ret = dsdb_module_search(module, mem_ctx, &res,
928 ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
929 LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
930 if (ret == LDB_SUCCESS && res->count == 1) {
932 = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
935 ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
936 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
937 if (ret == LDB_SUCCESS && res->count == 1) {
938 int domain_controller_behaviour_version
939 = ldb_msg_find_attr_as_int(res->msgs[0],
940 "msDS-Behavior-Version", -1);
941 if (domain_controller_behaviour_version != -1) {
942 int *val = talloc(ldb, int);
944 talloc_free(mem_ctx);
947 *val = domain_controller_behaviour_version;
948 ret = ldb_set_opaque(ldb,
949 "domainControllerFunctionality", val);
950 if (ret != LDB_SUCCESS) {
951 talloc_free(mem_ctx);
959 data->block_anonymous = dsdb_block_anonymous_ops(module, NULL);
961 talloc_free(mem_ctx);
967 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
968 * to a DN and a GUID object
970 static int get_optional_feature_dn_guid(struct ldb_request *req, struct ldb_context *ldb,
972 struct ldb_dn **op_feature_scope_dn,
973 struct GUID *op_feature_guid)
975 const struct ldb_message *msg = req->op.mod.message;
976 const char *ldb_val_str;
978 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
981 ldb_val_str = ldb_msg_find_attr_as_string(msg, "enableOptionalFeature", NULL);
983 ldb_set_errstring(ldb,
984 "rootdse: unable to find 'enableOptionalFeature'!");
985 return LDB_ERR_UNWILLING_TO_PERFORM;
988 guid = strchr(ldb_val_str, ':');
990 ldb_set_errstring(ldb,
991 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
992 return LDB_ERR_UNWILLING_TO_PERFORM;
994 status = GUID_from_string(guid+1, op_feature_guid);
995 if (!NT_STATUS_IS_OK(status)) {
996 ldb_set_errstring(ldb,
997 "rootdse: bad GUID in 'enableOptionalFeature'!");
998 return LDB_ERR_UNWILLING_TO_PERFORM;
1001 dn = talloc_strndup(tmp_ctx, ldb_val_str, guid-ldb_val_str);
1003 ldb_set_errstring(ldb,
1004 "rootdse: bad DN in 'enableOptionalFeature'!");
1005 return LDB_ERR_UNWILLING_TO_PERFORM;
1008 *op_feature_scope_dn = ldb_dn_new(mem_ctx, ldb, dn);
1010 talloc_free(tmp_ctx);
1015 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
1016 * ldb_message object.
1018 static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_context *ldb,
1019 TALLOC_CTX *mem_ctx, struct GUID op_feature_guid, struct ldb_message **msg,
1020 struct ldb_request *parent)
1022 struct ldb_result *res;
1023 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1026 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
1028 DSDB_FLAG_NEXT_MODULE |
1029 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
1031 "(&(objectClass=msDS-OptionalFeature)"
1032 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
1034 if (ret != LDB_SUCCESS) {
1035 talloc_free(tmp_ctx);
1038 if (res->count == 0) {
1039 talloc_free(tmp_ctx);
1040 return LDB_ERR_NO_SUCH_OBJECT;
1042 if (res->count != 1) {
1043 ldb_asprintf_errstring(ldb,
1044 "More than one object found matching optional feature GUID %s\n",
1045 GUID_string(tmp_ctx, &op_feature_guid));
1046 talloc_free(tmp_ctx);
1047 return LDB_ERR_OPERATIONS_ERROR;
1050 *msg = talloc_steal(mem_ctx, res->msgs[0]);
1052 talloc_free(tmp_ctx);
1056 static int rootdse_enable_recycle_bin(struct ldb_module *module,struct ldb_context *ldb,
1057 TALLOC_CTX *mem_ctx, struct ldb_dn *op_feature_scope_dn,
1058 struct ldb_message *op_feature_msg, struct ldb_request *parent)
1061 const int domain_func_level = dsdb_functional_level(ldb);
1062 struct ldb_dn *ntds_settings_dn;
1063 TALLOC_CTX *tmp_ctx;
1064 unsigned int el_count = 0;
1065 struct ldb_message *msg;
1067 ret = ldb_msg_find_attr_as_int(op_feature_msg, "msDS-RequiredForestBehaviorVersion", 0);
1068 if (domain_func_level < ret){
1069 ldb_asprintf_errstring(ldb,
1070 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
1072 return LDB_ERR_UNWILLING_TO_PERFORM;
1075 tmp_ctx = talloc_new(mem_ctx);
1076 ntds_settings_dn = samdb_ntds_settings_dn(ldb);
1077 if (!ntds_settings_dn) {
1078 talloc_free(tmp_ctx);
1079 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to find NTDS settings DN");
1082 ntds_settings_dn = ldb_dn_copy(tmp_ctx, ntds_settings_dn);
1083 if (!ntds_settings_dn) {
1084 talloc_free(tmp_ctx);
1085 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to copy NTDS settings DN");
1088 msg = ldb_msg_new(tmp_ctx);
1089 msg->dn = ntds_settings_dn;
1091 ldb_msg_add_linearized_dn(msg, "msDS-EnabledFeature", op_feature_msg->dn);
1092 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
1094 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1095 if (ret != LDB_SUCCESS) {
1096 ldb_asprintf_errstring(ldb,
1097 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1098 ldb_dn_get_linearized(ntds_settings_dn),
1099 ldb_errstring(ldb));
1100 talloc_free(tmp_ctx);
1104 msg->dn = op_feature_scope_dn;
1105 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1106 if (ret != LDB_SUCCESS) {
1107 ldb_asprintf_errstring(ldb,
1108 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1109 ldb_dn_get_linearized(op_feature_scope_dn),
1110 ldb_errstring(ldb));
1111 talloc_free(tmp_ctx);
1118 static int rootdse_enableoptionalfeature(struct ldb_module *module, struct ldb_request *req)
1122 - check for system (only system can enable features)
1123 - extract GUID from the request
1124 - find the feature object
1125 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1126 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1127 - add/modify objects (see ntdsconnection code for an example)
1130 struct ldb_context *ldb = ldb_module_get_ctx(module);
1131 struct GUID op_feature_guid;
1132 struct ldb_dn *op_feature_scope_dn;
1133 struct ldb_message *op_feature_msg;
1134 struct auth_session_info *session_info =
1135 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
1136 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1138 const char *guid_string;
1140 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
1141 ldb_set_errstring(ldb, "rootdse: Insufficient rights for enableoptionalfeature");
1142 return LDB_ERR_UNWILLING_TO_PERFORM;
1145 ret = get_optional_feature_dn_guid(req, ldb, tmp_ctx, &op_feature_scope_dn, &op_feature_guid);
1146 if (ret != LDB_SUCCESS) {
1147 talloc_free(tmp_ctx);
1151 guid_string = GUID_string(tmp_ctx, &op_feature_guid);
1153 ldb_set_errstring(ldb, "rootdse: bad optional feature GUID");
1154 return LDB_ERR_UNWILLING_TO_PERFORM;
1157 ret = dsdb_find_optional_feature(module, ldb, tmp_ctx, op_feature_guid, &op_feature_msg, req);
1158 if (ret != LDB_SUCCESS) {
1159 ldb_asprintf_errstring(ldb,
1160 "rootdse: unable to find optional feature for %s - %s",
1161 guid_string, ldb_errstring(ldb));
1162 talloc_free(tmp_ctx);
1166 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN, guid_string) == 0) {
1167 ret = rootdse_enable_recycle_bin(module, ldb,
1168 tmp_ctx, op_feature_scope_dn,
1169 op_feature_msg, req);
1171 ldb_asprintf_errstring(ldb,
1172 "rootdse: unknown optional feature %s",
1174 talloc_free(tmp_ctx);
1175 return LDB_ERR_UNWILLING_TO_PERFORM;
1177 if (ret != LDB_SUCCESS) {
1178 ldb_asprintf_errstring(ldb,
1179 "rootdse: failed to set optional feature for %s - %s",
1180 guid_string, ldb_errstring(ldb));
1181 talloc_free(tmp_ctx);
1185 talloc_free(tmp_ctx);
1186 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);;
1189 static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request *req)
1191 struct ldb_context *ldb = ldb_module_get_ctx(module);
1192 struct ldb_result *ext_res;
1194 struct ldb_dn *schema_dn;
1196 schema_dn = ldb_get_schema_basedn(ldb);
1198 ldb_reset_err_string(ldb);
1199 ldb_debug(ldb, LDB_DEBUG_WARNING,
1200 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1201 return ldb_next_request(module, req);
1204 ret = ldb_extended(ldb, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID, schema_dn, &ext_res);
1205 if (ret != LDB_SUCCESS) {
1206 return ldb_operr(ldb);
1209 talloc_free(ext_res);
1210 return ldb_module_done(req, NULL, NULL, ret);
1213 static int rootdse_schemaupgradeinprogress(struct ldb_module *module, struct ldb_request *req)
1215 struct ldb_context *ldb = ldb_module_get_ctx(module);
1216 struct ldb_result *ext_res;
1217 int ret = LDB_SUCCESS;
1218 struct ldb_dn *schema_dn;
1220 schema_dn = ldb_get_schema_basedn(ldb);
1222 ldb_reset_err_string(ldb);
1223 ldb_debug(ldb, LDB_DEBUG_WARNING,
1224 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1225 return ldb_next_request(module, req);
1228 /* FIXME we have to do something in order to relax constraints for DRS
1229 * setting schemaUpgradeInProgress cause the fschemaUpgradeInProgress
1230 * in all LDAP connection (2K3/2K3R2) or in the current connection (2K8 and +)
1231 * to be set to true.
1234 /* from 5.113 LDAPConnections in DRSR.pdf
1235 * fschemaUpgradeInProgress: A Boolean that specifies certain constraint
1236 * validations are skipped when adding, updating, or removing directory
1237 * objects on the opened connection. The skipped constraint validations
1238 * are documented in the applicable constraint sections in [MS-ADTS].
1240 return ldb_module_done(req, NULL, NULL, ret);
1243 static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
1245 struct ldb_context *ldb = ldb_module_get_ctx(module);
1248 ret = rootdse_filter_operations(module, req);
1249 if (ret != LDB_SUCCESS) {
1253 ret = rootdse_filter_controls(module, req);
1254 if (ret != LDB_SUCCESS) {
1259 If dn is not "" we should let it pass through
1261 if (!ldb_dn_is_null(req->op.add.message->dn)) {
1262 return ldb_next_request(module, req);
1265 ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
1266 return LDB_ERR_NAMING_VIOLATION;
1269 struct fsmo_transfer_state {
1270 struct ldb_context *ldb;
1271 struct ldb_request *req;
1275 called when a FSMO transfer operation has completed
1277 static void rootdse_fsmo_transfer_callback(struct tevent_req *treq)
1279 struct fsmo_transfer_state *fsmo = tevent_req_callback_data(treq, struct fsmo_transfer_state);
1282 struct ldb_request *req = fsmo->req;
1283 struct ldb_context *ldb = fsmo->ldb;
1285 status = dcerpc_drepl_takeFSMORole_recv(treq, fsmo, &werr);
1287 if (!NT_STATUS_IS_OK(status)) {
1288 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", nt_errstr(status));
1289 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1292 if (!W_ERROR_IS_OK(werr)) {
1293 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", win_errstr(werr));
1294 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1298 ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1301 static int rootdse_become_master(struct ldb_module *module,
1302 struct ldb_request *req,
1303 enum drepl_role_master role)
1305 struct imessaging_context *msg;
1306 struct ldb_context *ldb = ldb_module_get_ctx(module);
1307 TALLOC_CTX *tmp_ctx = talloc_new(req);
1308 struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
1310 struct dcerpc_binding_handle *irpc_handle;
1312 struct auth_session_info *session_info;
1313 enum security_user_level level;
1314 struct fsmo_transfer_state *fsmo;
1315 struct tevent_req *treq;
1317 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
1318 level = security_session_user_level(session_info, NULL);
1319 if (level < SECURITY_ADMINISTRATOR) {
1320 return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
1323 ret = samdb_rodc(ldb, &am_rodc);
1324 if (ret != LDB_SUCCESS) {
1325 return ldb_error(ldb, ret, "Could not determine if server is RODC.");
1329 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1330 "RODC cannot become a role master.");
1333 msg = imessaging_client_init(tmp_ctx, lp_ctx,
1334 ldb_get_event_context(ldb));
1336 ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s", lpcfg_imessaging_path(tmp_ctx, lp_ctx));
1337 return LDB_ERR_OPERATIONS_ERROR;
1339 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
1342 if (irpc_handle == NULL) {
1343 return ldb_oom(ldb);
1345 fsmo = talloc_zero(req, struct fsmo_transfer_state);
1347 return ldb_oom(ldb);
1352 /* we send the call asynchronously, as the ldap client is
1353 * expecting to get an error back if the role transfer fails
1356 treq = dcerpc_drepl_takeFSMORole_send(req, ldb_get_event_context(ldb), irpc_handle, role);
1358 return ldb_oom(ldb);
1361 tevent_req_set_callback(treq, rootdse_fsmo_transfer_callback, fsmo);
1365 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
1367 struct ldb_context *ldb = ldb_module_get_ctx(module);
1370 ret = rootdse_filter_operations(module, req);
1371 if (ret != LDB_SUCCESS) {
1375 ret = rootdse_filter_controls(module, req);
1376 if (ret != LDB_SUCCESS) {
1381 If dn is not "" we should let it pass through
1383 if (!ldb_dn_is_null(req->op.mod.message->dn)) {
1384 return ldb_next_request(module, req);
1388 dn is empty so check for schemaUpdateNow attribute
1389 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1391 if (ldb_msg_find_element(req->op.mod.message, "schemaUpdateNow")) {
1392 return rootdse_schemaupdatenow(module, req);
1394 if (ldb_msg_find_element(req->op.mod.message, "becomeDomainMaster")) {
1395 return rootdse_become_master(module, req, DREPL_NAMING_MASTER);
1397 if (ldb_msg_find_element(req->op.mod.message, "becomeInfrastructureMaster")) {
1398 return rootdse_become_master(module, req, DREPL_INFRASTRUCTURE_MASTER);
1400 if (ldb_msg_find_element(req->op.mod.message, "becomeRidMaster")) {
1401 return rootdse_become_master(module, req, DREPL_RID_MASTER);
1403 if (ldb_msg_find_element(req->op.mod.message, "becomeSchemaMaster")) {
1404 return rootdse_become_master(module, req, DREPL_SCHEMA_MASTER);
1406 if (ldb_msg_find_element(req->op.mod.message, "becomePdc")) {
1407 return rootdse_become_master(module, req, DREPL_PDC_MASTER);
1409 if (ldb_msg_find_element(req->op.mod.message, "enableOptionalFeature")) {
1410 return rootdse_enableoptionalfeature(module, req);
1412 if (ldb_msg_find_element(req->op.mod.message, "schemaUpgradeInProgress")) {
1413 return rootdse_schemaupgradeinprogress(module, req);
1416 ldb_set_errstring(ldb, "rootdse_modify: unknown attribute to change!");
1417 return LDB_ERR_UNWILLING_TO_PERFORM;
1420 static int rootdse_rename(struct ldb_module *module, struct ldb_request *req)
1422 struct ldb_context *ldb = ldb_module_get_ctx(module);
1425 ret = rootdse_filter_operations(module, req);
1426 if (ret != LDB_SUCCESS) {
1430 ret = rootdse_filter_controls(module, req);
1431 if (ret != LDB_SUCCESS) {
1436 If dn is not "" we should let it pass through
1438 if (!ldb_dn_is_null(req->op.rename.olddn)) {
1439 return ldb_next_request(module, req);
1442 ldb_set_errstring(ldb, "rootdse_remove: you cannot rename the rootdse entry!");
1443 return LDB_ERR_NO_SUCH_OBJECT;
1446 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
1448 struct ldb_context *ldb = ldb_module_get_ctx(module);
1451 ret = rootdse_filter_operations(module, req);
1452 if (ret != LDB_SUCCESS) {
1456 ret = rootdse_filter_controls(module, req);
1457 if (ret != LDB_SUCCESS) {
1462 If dn is not "" we should let it pass through
1464 if (!ldb_dn_is_null(req->op.del.dn)) {
1465 return ldb_next_request(module, req);
1468 ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
1469 return LDB_ERR_NO_SUCH_OBJECT;
1472 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
1476 ret = rootdse_filter_operations(module, req);
1477 if (ret != LDB_SUCCESS) {
1481 ret = rootdse_filter_controls(module, req);
1482 if (ret != LDB_SUCCESS) {
1486 return ldb_next_request(module, req);
1489 static const struct ldb_module_ops ldb_rootdse_module_ops = {
1491 .init_context = rootdse_init,
1492 .search = rootdse_search,
1493 .request = rootdse_request,
1495 .modify = rootdse_modify,
1496 .rename = rootdse_rename,
1497 .extended = rootdse_extended,
1498 .del = rootdse_delete
1501 int ldb_rootdse_module_init(const char *version)
1503 LDB_MODULE_CHECK_VERSION(version);
1504 return ldb_register_module(&ldb_rootdse_module_ops);
git.samba.org / ddiss / samba.git / blob