#include <ldb_module.h>
#include "ldb_handlers.h"
#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/gen_ndr/ndr_misc.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *in, struct ldb_val *out)
{
- struct dom_sid *sid;
+ struct dom_sid sid;
enum ndr_err_code ndr_err;
- sid = talloc(mem_ctx, struct dom_sid);
- if (sid == NULL) {
- return -1;
- }
- ndr_err = ndr_pull_struct_blob_all(in, sid, sid,
+ ndr_err = ndr_pull_struct_blob_all_noalloc(in, &sid,
(ndr_pull_flags_fn_t)ndr_pull_dom_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- talloc_free(sid);
return -1;
}
- *out = data_blob_string_const(dom_sid_string(mem_ctx, sid));
- talloc_free(sid);
+ *out = data_blob_string_const(dom_sid_string(mem_ctx, &sid));
if (out->data == NULL) {
return -1;
}
(const char *)in->data, in->length);
/* Check it looks like a SID */
- ndr_err = ndr_pull_struct_blob_all(out, mem_ctx, &sid,
+ ndr_err = ndr_pull_struct_blob_all_noalloc(out, &sid,
(ndr_pull_flags_fn_t)ndr_pull_dom_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return -1;
const char *lDAPDisplayName = talloc_strndup(tmp_ctx, (char *)in->data, in->length);
sclass = dsdb_class_by_lDAPDisplayName(schema, lDAPDisplayName);
if (sclass) {
- struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb,
+ struct ldb_dn *dn = ldb_dn_new(tmp_ctx, ldb,
sclass->defaultObjectCategory);
+ if (dn == NULL) {
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
*out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn));
talloc_free(tmp_ctx);
true);
}
+static int ldif_write_dn_binary_NDR(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out,
+ size_t struct_size,
+ ndr_pull_flags_fn_t pull_fn,
+ ndr_print_fn_t print_fn,
+ bool mask_errors)
+{
+ uint8_t *p = NULL;
+ enum ndr_err_code err;
+ struct dsdb_dn *dsdb_dn = NULL;
+ char *dn_str = NULL;
+ char *str = NULL;
+
+ if (!(ldb_get_flags(ldb) & LDB_FLG_SHOW_BINARY)) {
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ dsdb_dn = dsdb_dn_parse(mem_ctx, ldb, in, DSDB_SYNTAX_BINARY_DN);
+ if (dsdb_dn == NULL) {
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ p = talloc_size(dsdb_dn, struct_size);
+ if (p == NULL) {
+ TALLOC_FREE(dsdb_dn);
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ err = ndr_pull_struct_blob(&dsdb_dn->extra_part, p, p, pull_fn);
+ if (err != NDR_ERR_SUCCESS) {
+ /* fail in not in mask_error mode */
+ if (!mask_errors) {
+ return -1;
+ }
+ TALLOC_FREE(dsdb_dn);
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ dn_str = ldb_dn_get_extended_linearized(dsdb_dn, dsdb_dn->dn, 1);
+ if (dn_str == NULL) {
+ TALLOC_FREE(dsdb_dn);
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ str = ndr_print_struct_string(mem_ctx, print_fn, dn_str, p);
+ TALLOC_FREE(dsdb_dn);
+ if (str == NULL) {
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ *out = data_blob_string_const(str);
+ return 0;
+}
+
+static int ldif_write_msDS_RevealedUsers(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ return ldif_write_dn_binary_NDR(ldb, mem_ctx, in, out,
+ sizeof(struct replPropertyMetaData1),
+ (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaData1,
+ (ndr_print_fn_t)ndr_print_replPropertyMetaData1,
+ true);
+}
/*
convert a NDR formatted blob to a ldif formatted dnsRecord
true);
}
+/*
+ convert a NDR formatted blob to a ldif formatted dnsProperty
+*/
+static int ldif_write_dnsProperty(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ return ldif_write_NDR(ldb, mem_ctx, in, out,
+ sizeof(struct dnsp_DnsProperty),
+ (ndr_pull_flags_fn_t)ndr_pull_dnsp_DnsProperty,
+ (ndr_print_fn_t)ndr_print_dnsp_DnsProperty,
+ true);
+}
+
/*
convert a NDR formatted blob of a supplementalCredentials into text
*/
true);
}
+/*
+ convert a NDR formatted blob to a ldif formatted msDS-TrustForestTrustInfo
+*/
+static int ldif_write_ForestTrustInfo(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ return ldif_write_NDR(ldb, mem_ctx, in, out,
+ sizeof(struct ForestTrustInfo),
+ (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo,
+ (ndr_print_fn_t)ndr_print_ForestTrustInfo,
+ true);
+}
/*
convert a NDR formatted blob of a partialAttributeSet into text
*/
ret = a->syntax->comparison_fn(ldb, tmp_ctx, v1, v2);
talloc_free(tmp_ctx);
if (operation == LDB_OP_GREATER) {
- *matched = (ret > 0);
+ *matched = (ret >= 0);
} else if (operation == LDB_OP_LESS) {
- *matched = (ret < 0);
+ *matched = (ret <= 0);
} else {
*matched = (ret == 0);
}
return LDB_ERR_INAPPROPRIATE_MATCHING;
}
+/*
+ compare two binary objects. This is correct for sorting as the sort order is:
+
+ a
+ aa
+ b
+ bb
+
+ rather than ldb_comparison_binary() which is:
+
+ a
+ b
+ aa
+ bb
+
+*/
+static int samba_ldb_comparison_binary(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *v1, const struct ldb_val *v2)
+{
+ return data_blob_cmp(v1, v2);
+}
+
+/*
+ when this operator_fn is set for a syntax, the backend calls is in
+ preference to the comparison function. We are told the exact
+ comparison operation that is needed, and we can return errors.
+
+ This mode optimises for ldb_comparison_binary() if we need equality,
+ as this should be faster as it can do a length-check first.
+ */
+static int samba_syntax_binary_operator_fn(struct ldb_context *ldb, enum ldb_parse_op operation,
+ const struct ldb_schema_attribute *a,
+ const struct ldb_val *v1, const struct ldb_val *v2, bool *matched)
+{
+ if (operation == LDB_OP_EQUALITY) {
+ *matched = (ldb_comparison_binary(ldb, NULL, v1, v2) == 0);
+ return LDB_SUCCESS;
+ }
+ return samba_syntax_operator_fn(ldb, operation, a, v1, v2, matched);
+}
+
/*
see if two DNs match, comparing first by GUID, then by SID, and
finally by string components
.ldif_read_fn = ldif_read_ntSecurityDescriptor,
.ldif_write_fn = ldif_write_ntSecurityDescriptor,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
},{
.name = LDB_SYNTAX_SAMBA_SDDL_SECURITY_DESCRIPTOR,
.ldif_read_fn = ldb_handler_copy,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_schemaInfo,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
},{
.name = LDB_SYNTAX_SAMBA_PREFIX_MAP,
.ldif_read_fn = ldif_read_prefixMap,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_repsFromTo,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
},{
.name = LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_replPropertyMetaData,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
},{
.name = LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_replUpToDateVector,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
+ },{
+ .name = LDB_SYNTAX_SAMBA_REVEALEDUSERS,
+ .ldif_read_fn = ldb_handler_copy,
+ .ldif_write_fn = ldif_write_msDS_RevealedUsers,
+ .canonicalise_fn = dsdb_dn_binary_canonicalise,
+ .comparison_fn = dsdb_dn_binary_comparison,
.operator_fn = samba_syntax_operator_fn
},{
.name = LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_trustAuthInOutBlob,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
+ },{
+ .name = LDB_SYNTAX_SAMBA_FORESTTRUSTINFO,
+ .ldif_read_fn = ldb_handler_copy,
+ .ldif_write_fn = ldif_write_ForestTrustInfo,
+ .canonicalise_fn = ldb_handler_copy,
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
},{
.name = DSDB_SYNTAX_BINARY_DN,
.ldif_read_fn = ldb_handler_copy,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_dnsRecord,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
+ },{
+ .name = LDB_SYNTAX_SAMBA_DNSPROPERTY,
+ .ldif_read_fn = ldb_handler_copy,
+ .ldif_write_fn = ldif_write_dnsProperty,
+ .canonicalise_fn = ldb_handler_copy,
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
},{
.name = LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_supplementalCredentialsBlob,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
},{
.name = LDB_SYNTAX_SAMBA_PARTIALATTRIBUTESET,
.ldif_read_fn = ldb_handler_copy,
.ldif_write_fn = ldif_write_partialAttributeSet,
.canonicalise_fn = ldb_handler_copy,
- .comparison_fn = ldb_comparison_binary,
- .operator_fn = samba_syntax_operator_fn
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
+ },{
+ .name = LDB_SYNTAX_SAMBA_OCTET_STRING,
+ .ldif_read_fn = ldb_handler_copy,
+ .ldif_write_fn = ldb_handler_copy,
+ .canonicalise_fn = ldb_handler_copy,
+ .comparison_fn = samba_ldb_comparison_binary,
+ .operator_fn = samba_syntax_binary_operator_fn
}
};
const char *name;
const char *syntax;
} samba_attributes[] = {
- { "objectSid", LDB_SYNTAX_SAMBA_SID },
- { "securityIdentifier", LDB_SYNTAX_SAMBA_SID },
- { "tokenGroups", LDB_SYNTAX_SAMBA_SID },
{ "ntSecurityDescriptor", LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR },
{ "oMSyntax", LDB_SYNTAX_SAMBA_INT32 },
{ "objectCategory", LDB_SYNTAX_SAMBA_OBJECT_CATEGORY },
{ "repsTo", LDB_SYNTAX_SAMBA_REPSFROMTO },
{ "replPropertyMetaData", LDB_SYNTAX_SAMBA_REPLPROPERTYMETADATA },
{ "replUpToDateVector", LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR },
+ { "msDS-RevealedUsers", LDB_SYNTAX_SAMBA_REVEALEDUSERS },
{ "trustAuthIncoming", LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB },
{ "trustAuthOutgoing", LDB_SYNTAX_SAMBA_TRUSTAUTHINOUTBLOB },
+ { "msDS-TrustForestTrustInfo", LDB_SYNTAX_SAMBA_FORESTTRUSTINFO },
{ "rIDAllocationPool", LDB_SYNTAX_SAMBA_RANGE64 },
{ "rIDPreviousAllocationPool", LDB_SYNTAX_SAMBA_RANGE64 },
{ "rIDAvailablePool", LDB_SYNTAX_SAMBA_RANGE64 },
{ "defaultSecurityDescriptor", LDB_SYNTAX_SAMBA_SDDL_SECURITY_DESCRIPTOR },
+ /*
+ * these are extracted by searching
+ * (&(attributeSyntax=2.5.5.17)(omSyntax=4))
+ *
+ * Except: msAuthz-CentralAccessPolicyID as it might be a GUID see:
+ * adminDescription: For a Central Access Policy, this attribute defines a GUID t
+ * hat can be used to identify the set of policies when applied to a resource.
+ * Until we see a msAuthz-CentralAccessPolicyID value on a windows
+ * server, we ignore it here.
+ */
+ { "mS-DS-CreatorSID", LDB_SYNTAX_SAMBA_SID },
+ { "msDS-QuotaTrustee", LDB_SYNTAX_SAMBA_SID },
+ { "objectSid", LDB_SYNTAX_SAMBA_SID },
+ { "tokenGroups", LDB_SYNTAX_SAMBA_SID },
+ { "tokenGroupsGlobalAndUniversal", LDB_SYNTAX_SAMBA_SID },
+ { "tokenGroupsNoGCAcceptable", LDB_SYNTAX_SAMBA_SID },
+ { "securityIdentifier", LDB_SYNTAX_SAMBA_SID },
+ { "sIDHistory", LDB_SYNTAX_SAMBA_SID },
+ { "syncWithSID", LDB_SYNTAX_SAMBA_SID },
+
/*
* these are extracted by searching
* (&(attributeSyntax=2.5.5.10)(rangeLower=16)(rangeUpper=16)(omSyntax=4))
{ "fRSVersionGUID", LDB_SYNTAX_SAMBA_GUID },
{ "implementedCategories", LDB_SYNTAX_SAMBA_GUID },
{ "msDS-AzObjectGuid", LDB_SYNTAX_SAMBA_GUID },
+ { "msDS-GenerationId", LDB_SYNTAX_SAMBA_GUID },
+ { "msDS-OptionalFeatureGUID", LDB_SYNTAX_SAMBA_GUID },
{ "msDFSR-ContentSetGuid", LDB_SYNTAX_SAMBA_GUID },
{ "msDFSR-ReplicationGroupGuid", LDB_SYNTAX_SAMBA_GUID },
{ "mSMQDigests", LDB_SYNTAX_SAMBA_GUID },
{ "msDFS-GenerationGUIDv2", LDB_SYNTAX_SAMBA_GUID },
{ "msDFS-LinkIdentityGUIDv2", LDB_SYNTAX_SAMBA_GUID },
{ "msDFS-NamespaceIdentityGUIDv2", LDB_SYNTAX_SAMBA_GUID },
+ { "msSPP-CSVLKSkuId", LDB_SYNTAX_SAMBA_GUID },
+ { "msSPP-KMSIds", LDB_SYNTAX_SAMBA_GUID },
/*
* these are known to be GUIDs
*/
{ "invocationId", LDB_SYNTAX_SAMBA_GUID },
{ "parentGUID", LDB_SYNTAX_SAMBA_GUID },
- { "msDS-OptionalFeatureGUID", LDB_SYNTAX_SAMBA_GUID },
/* These NDR encoded things we want to be able to read with --show-binary */
{ "dnsRecord", LDB_SYNTAX_SAMBA_DNSRECORD },
+ { "dNSProperty", LDB_SYNTAX_SAMBA_DNSPROPERTY },
{ "supplementalCredentials", LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS},
{ "partialAttributeSet", LDB_SYNTAX_SAMBA_PARTIALATTRIBUTESET}
};
return s;
}
+static const char *secret_attributes[] = {DSDB_SECRET_ATTRIBUTES, "secret", NULL};
+
/*
register the samba ldif handlers
*/
return LDB_SUCCESS;
}
+ ret = ldb_set_opaque(ldb, LDB_SECRET_ATTRIBUTE_LIST_OPAQUE, discard_const_p(char *, secret_attributes));
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
for (i=0; i < ARRAY_SIZE(samba_attributes); i++) {
const struct ldb_schema_syntax *s = NULL;
}
+ ret = ldb_register_samba_matching_rules(ldb);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(ldb);
+ return LDB_SUCCESS;
+ }
+
ret = ldb_set_opaque(ldb, "SAMBA_HANDLERS_REGISTERED", (void*)1);
if (ret != LDB_SUCCESS) {
return ret;