4 Copyright (C) Simo Sorce 2005-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007-2008
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb extended dn control module
26 * Description: this module builds a special dn for returned search
35 #include "ldb/include/ldb.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb_private.h"
38 #include "librpc/gen_ndr/ndr_misc.h"
39 #include "librpc/ndr/libndr.h"
40 #include "dsdb/samdb/samdb.h"
42 struct extended_dn_out_private {
44 struct dsdb_openldap_dereference_control *dereference_control;
47 static bool is_attr_in_list(const char * const * attrs, const char *attr)
51 for (i = 0; attrs[i]; i++) {
52 if (ldb_attr_cmp(attrs[i], attr) == 0)
59 static char **copy_attrs(void *mem_ctx, const char * const * attrs)
64 for (num = 0; attrs[num]; num++);
66 new = talloc_array(mem_ctx, char *, num + 1);
67 if (!new) return NULL;
69 for(i = 0; i < num; i++) {
70 new[i] = talloc_strdup(new, attrs[i]);
81 static bool add_attrs(void *mem_ctx, char ***attrs, const char *attr)
86 for (num = 0; (*attrs)[num]; num++);
88 new = talloc_realloc(mem_ctx, *attrs, char *, num + 2);
89 if (!new) return false;
93 new[num] = talloc_strdup(new, attr);
94 if (!new[num]) return false;
101 static int inject_extended_dn_out(struct ldb_reply *ares,
102 struct ldb_context *ldb,
108 const struct ldb_val *val;
109 const DATA_BLOB *guid_blob;
110 const DATA_BLOB *sid_blob;
112 guid_blob = ldb_msg_find_ldb_val(ares->message, "objectGUID");
113 sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSID");
116 ldb_set_errstring(ldb, "Did not find objectGUID to inject into extended DN");
117 return LDB_ERR_OPERATIONS_ERROR;
120 ret = ldb_dn_set_extended_component(ares->message->dn, "GUID", guid_blob);
121 if (ret != LDB_SUCCESS) {
125 ret = ldb_dn_set_extended_component(ares->message->dn, "SID", sid_blob);
126 if (ret != LDB_SUCCESS) {
132 ldb_msg_remove_attr(ares->message, "objectGUID");
135 if (sid_blob && remove_sid) {
136 ldb_msg_remove_attr(ares->message, "objectSID");
139 val = ldb_msg_find_ldb_val(ares->message, "distinguishedName");
141 ldb_msg_remove_attr(ares->message, "distinguishedName");
142 ret = ldb_msg_add_steal_string(ares->message, "distinguishedName",
143 ldb_dn_get_extended_linearized(ares->message, ares->message->dn, type));
144 if (ret != LDB_SUCCESS) {
146 return LDB_ERR_OPERATIONS_ERROR;
152 static int handle_dereference(struct ldb_dn *dn,
153 struct dsdb_openldap_dereference_result **dereference_attrs,
154 const char *attr, const DATA_BLOB *val)
156 const struct ldb_val *entryUUIDblob, *sid_blob;
157 struct ldb_message fake_msg; /* easier to use routines that expect an ldb_message */
160 fake_msg.num_elements = 0;
162 /* Look for this attribute in the returned control */
163 for (j = 0; dereference_attrs && dereference_attrs[j]; j++) {
164 DATA_BLOB source_dn = data_blob_string_const(dereference_attrs[j]->dereferenced_dn);
165 if (ldb_attr_cmp(dereference_attrs[j]->source_attribute, attr)
166 && data_blob_cmp(&source_dn, val) == 0) {
168 fake_msg.num_elements = dereference_attrs[j]->num_attributes;
169 fake_msg.elements = dereference_attrs[j]->attributes;
173 if (!fake_msg.num_elements) {
176 /* Look for an OpenLDAP entryUUID */
178 entryUUIDblob = ldb_msg_find_ldb_val(&fake_msg, "entryUUID");
181 enum ndr_err_code ndr_err;
183 struct ldb_val guid_blob;
186 status = GUID_from_data_blob(entryUUIDblob, &guid);
188 if (!NT_STATUS_IS_OK(status)) {
189 return LDB_ERR_INVALID_DN_SYNTAX;
191 ndr_err = ndr_push_struct_blob(&guid_blob, NULL, NULL, &guid,
192 (ndr_push_flags_fn_t)ndr_push_GUID);
193 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
194 return LDB_ERR_INVALID_DN_SYNTAX;
197 ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
200 sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSID");
202 /* Look for the objectSID */
204 ldb_dn_set_extended_component(dn, "SID", sid_blob);
210 struct extended_search_context {
211 struct ldb_module *module;
212 const struct dsdb_schema *schema;
213 struct ldb_request *req;
220 static int extended_callback(struct ldb_request *req, struct ldb_reply *ares)
222 struct extended_search_context *ac;
223 struct ldb_control *control;
224 struct dsdb_openldap_dereference_result_control *dereference_control = NULL;
226 struct ldb_message *msg = ares->message;
227 struct extended_dn_out_private *private;
229 ac = talloc_get_type(req->context, struct extended_search_context);
230 private = talloc_get_type(ac->module->private_data, struct extended_dn_out_private);
233 return ldb_module_done(ac->req, NULL, NULL,
234 LDB_ERR_OPERATIONS_ERROR);
236 if (ares->error != LDB_SUCCESS) {
237 return ldb_module_done(ac->req, ares->controls,
238 ares->response, ares->error);
241 switch (ares->type) {
242 case LDB_REPLY_REFERRAL:
243 return ldb_module_send_referral(ac->req, ares->referral);
246 return ldb_module_done(ac->req, ares->controls,
247 ares->response, LDB_SUCCESS);
248 case LDB_REPLY_ENTRY:
253 /* for each record returned post-process to add any derived
254 attributes that have been asked for */
255 ret = inject_extended_dn_out(ares, ac->module->ldb,
256 ac->extended_type, ac->remove_guid,
258 if (ret != LDB_SUCCESS) {
259 return ldb_module_done(ac->req, NULL, NULL, ret);
263 if (private && private->dereference) {
264 control = ldb_reply_get_control(ares, DSDB_OPENLDAP_DEREFERENCE_CONTROL);
266 if (control && control->data) {
267 dereference_control = talloc_get_type(control->data, struct dsdb_openldap_dereference_result_control);
271 /* Walk the retruned elements (but only if we have a schema to interpret the list with) */
272 for (i = 0; ac->schema && i < msg->num_elements; i++) {
273 const struct dsdb_attribute *attribute;
274 /* distinguishedName has been dealt with above */
275 if (ldb_attr_cmp(msg->elements[i].name, "distinguishedName") == 0) {
278 attribute = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name);
282 /* Look to see if this attributeSyntax is a DN */
283 if (strcmp(attribute->attributeSyntax_oid, "2.5.5.1") != 0) {
287 for (j = 0; j < msg->elements[i].num_values; j++) {
289 struct ldb_dn *dn = ldb_dn_from_ldb_val(ac, ac->module->ldb, &msg->elements[i].values[j]);
290 if (!dn || !ldb_dn_validate(dn)) {
291 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_INVALID_DN_SYNTAX);
294 /* If we are running in dereference mode (such
295 * as against OpenLDAP) then the DN in the msg
296 * above does not contain the extended values,
297 * and we need to look in the dereference
300 /* Look for this value in the attribute */
302 if (dereference_control) {
303 ret = handle_dereference(dn,
304 dereference_control->attributes,
305 msg->elements[i].name,
306 &msg->elements[i].values[j]);
307 if (ret != LDB_SUCCESS) {
309 return ldb_module_done(ac->req, NULL, NULL, ret);
314 dn_str = talloc_steal(msg->elements[i].values,
315 ldb_dn_get_linearized(dn));
317 dn_str = talloc_steal(msg->elements[i].values,
318 ldb_dn_get_extended_linearized(msg->elements[i].values,
319 dn, ac->extended_type));
321 msg->elements[i].values[j] = data_blob_string_const(dn_str);
325 return ldb_module_send_entry(ac->req, msg, ares->controls);
329 static int extended_dn_out_search(struct ldb_module *module, struct ldb_request *req)
331 struct ldb_control *control;
332 struct ldb_control *storage_format_control;
333 struct ldb_extended_dn_control *extended_ctrl = NULL;
334 struct ldb_control **saved_controls;
335 struct extended_search_context *ac;
336 struct ldb_request *down_req;
338 const char * const *const_attrs;
341 struct extended_dn_out_private *private = talloc_get_type(module->private_data, struct extended_dn_out_private);
343 /* check if there's an extended dn control */
344 control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
345 if (control && control->data) {
346 extended_ctrl = talloc_get_type(control->data, struct ldb_extended_dn_control);
347 if (!extended_ctrl) {
348 return LDB_ERR_PROTOCOL_ERROR;
352 /* Look to see if, as we are in 'store DN+GUID+SID' mode, the
353 * client is after the storage format (to fill in linked
355 storage_format_control = ldb_request_get_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID);
356 if (!control && storage_format_control && storage_format_control->data) {
357 extended_ctrl = talloc_get_type(storage_format_control->data, struct ldb_extended_dn_control);
358 if (!extended_ctrl) {
359 ldb_set_errstring(module->ldb, "extended_dn_out: extended_ctrl was of the wrong data type");
360 return LDB_ERR_PROTOCOL_ERROR;
364 ac = talloc_zero(req, struct extended_search_context);
366 ldb_oom(module->ldb);
367 return LDB_ERR_OPERATIONS_ERROR;
371 ac->schema = dsdb_get_schema(module->ldb);
374 ac->remove_guid = false;
375 ac->remove_sid = false;
377 const_attrs = req->op.search.attrs;
379 /* We only need to do special processing if we were asked for
380 * the extended DN, or we are 'store DN+GUID+SID'
381 * (!dereference) mode. (This is the normal mode for LDB on
383 if (control || (storage_format_control && private && !private->dereference)) {
386 ac->extended_type = extended_ctrl->type;
388 ac->extended_type = 0;
391 /* check if attrs only is specified, in that case check wether we need to modify them */
392 if (req->op.search.attrs && !is_attr_in_list(req->op.search.attrs, "*")) {
393 if (! is_attr_in_list(req->op.search.attrs, "objectGUID")) {
394 ac->remove_guid = true;
396 if (! is_attr_in_list(req->op.search.attrs, "objectSID")) {
397 ac->remove_sid = true;
399 if (ac->remove_guid || ac->remove_sid) {
400 new_attrs = copy_attrs(ac, req->op.search.attrs);
401 if (new_attrs == NULL) {
402 ldb_oom(module->ldb);
403 return LDB_ERR_OPERATIONS_ERROR;
406 if (ac->remove_guid) {
407 if (!add_attrs(ac, &new_attrs, "objectGUID"))
408 return LDB_ERR_OPERATIONS_ERROR;
410 if (ac->remove_sid) {
411 if (!add_attrs(ac, &new_attrs, "objectSID"))
412 return LDB_ERR_OPERATIONS_ERROR;
414 const_attrs = (const char * const *)new_attrs;
419 ret = ldb_build_search_req_ex(&down_req,
422 req->op.search.scope,
426 ac, extended_callback,
428 if (ret != LDB_SUCCESS) {
432 /* Remove extended DN and storage format controls */
435 /* save it locally and remove it from the list */
436 /* we do not need to replace them later as we
437 * are keeping the original req intact */
438 if (!save_controls(control, down_req, &saved_controls)) {
439 return LDB_ERR_OPERATIONS_ERROR;
443 if (storage_format_control) {
444 /* save it locally and remove it from the list */
445 /* we do not need to replace them later as we
446 * are keeping the original req intact */
447 if (!save_controls(storage_format_control, down_req, &saved_controls)) {
448 return LDB_ERR_OPERATIONS_ERROR;
452 /* Add in dereference control, if we were asked to, we are
453 * using the 'dereference' mode (such as with an OpenLDAP
454 * backend) and have the control prepared */
455 if (control && private && private->dereference && private->dereference_control) {
456 ret = ldb_request_add_control(down_req,
457 DSDB_OPENLDAP_DEREFERENCE_CONTROL,
458 false, private->dereference_control);
459 if (ret != LDB_SUCCESS) {
464 /* perform the search */
465 return ldb_next_request(module, down_req);
468 static int extended_dn_out_ldb_init(struct ldb_module *module)
472 struct extended_dn_out_private *private = talloc(module, struct extended_dn_out_private);
474 module->private_data = private;
477 ldb_oom(module->ldb);
478 return LDB_ERR_OPERATIONS_ERROR;
481 private->dereference = false;
483 ret = ldb_mod_register_control(module, LDB_CONTROL_EXTENDED_DN_OID);
484 if (ret != LDB_SUCCESS) {
485 ldb_debug(module->ldb, LDB_DEBUG_ERROR,
486 "extended_dn_out: Unable to register control with rootdse!\n");
487 return LDB_ERR_OPERATIONS_ERROR;
490 return ldb_next_init(module);
493 static int extended_dn_out_dereference_init(struct ldb_module *module)
496 struct extended_dn_out_private *private;
497 struct dsdb_openldap_dereference_control *dereference_control;
498 struct dsdb_attribute *cur;
500 struct dsdb_schema *schema;
502 module->private_data = private = talloc_zero(module, struct extended_dn_out_private);
505 ldb_oom(module->ldb);
506 return LDB_ERR_OPERATIONS_ERROR;
509 private->dereference = true;
511 ret = ldb_mod_register_control(module, LDB_CONTROL_EXTENDED_DN_OID);
512 if (ret != LDB_SUCCESS) {
513 ldb_debug(module->ldb, LDB_DEBUG_ERROR,
514 "extended_dn_out: Unable to register control with rootdse!\n");
515 return LDB_ERR_OPERATIONS_ERROR;
518 ret = ldb_next_init(module);
520 if (ret != LDB_SUCCESS) {
524 schema = dsdb_get_schema(module->ldb);
526 /* No schema on this DB (yet) */
530 private->dereference_control = dereference_control
531 = talloc_zero(private, struct dsdb_openldap_dereference_control);
533 if (!private->dereference_control) {
534 ldb_oom(module->ldb);
535 return LDB_ERR_OPERATIONS_ERROR;
538 for (cur = schema->attributes; cur; cur = cur->next) {
539 static const char *attrs[] = {
545 if (strcmp(cur->syntax->attributeSyntax_oid, "2.5.5.1") != 0) {
548 dereference_control->dereference
549 = talloc_realloc(private, dereference_control->dereference,
550 struct dsdb_openldap_dereference *, i + 2);
551 if (!dereference_control) {
552 ldb_oom(module->ldb);
553 return LDB_ERR_OPERATIONS_ERROR;
555 dereference_control->dereference[i] = talloc(dereference_control->dereference,
556 struct dsdb_openldap_dereference);
557 if (!dereference_control->dereference[i]) {
558 ldb_oom(module->ldb);
559 return LDB_ERR_OPERATIONS_ERROR;
561 dereference_control->dereference[i]->source_attribute = cur->lDAPDisplayName;
562 dereference_control->dereference[i]->dereference_attribute = attrs;
564 dereference_control->dereference[i] = NULL;
569 _PUBLIC_ const struct ldb_module_ops ldb_extended_dn_out_ldb_module_ops = {
570 .name = "extended_dn_out_ldb",
571 .search = extended_dn_out_search,
572 .init_context = extended_dn_out_ldb_init,
576 _PUBLIC_ const struct ldb_module_ops ldb_extended_dn_out_dereference_module_ops = {
577 .name = "extended_dn_out_dereference",
578 .search = extended_dn_out_search,
579 .init_context = extended_dn_out_dereference_init,