2 ldb database library - ildap backend
4 Copyright (C) Andrew Tridgell 2005
5 Copyright (C) Simo Sorce 2008
7 ** NOTE! The following LGPL license applies to the ldb
8 ** library. This does NOT imply that all of Samba is released
11 This library is free software; you can redistribute it and/or
12 modify it under the terms of the GNU Lesser General Public
13 License as published by the Free Software Foundation; either
14 version 3 of the License, or (at your option) any later version.
16 This library is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public
22 License along with this library; if not, see <http://www.gnu.org/licenses/>.
28 * Component: ldb ildap backend
30 * Description: This is a ldb backend for the internal ldap
31 * client library in Samba4. By using this backend we are
32 * independent of a system ldap library
34 * Author: Andrew Tridgell
38 * - description: make the module use asyncronous calls
44 #include "ldb_module.h"
45 #include "dlinklist.h"
47 #include "libcli/ldap/ldap.h"
48 #include "libcli/ldap/ldap_client.h"
49 #include "auth/auth.h"
50 #include "auth/credentials/credentials.h"
53 struct ldap_connection *ldap;
54 struct tevent_context *event_ctx;
58 struct ldb_module *module;
59 struct ldb_request *req;
61 struct ildb_private *ildb;
62 struct ldap_request *ireq;
64 /* indicate we are already processing
65 * the ldap_request in ildb_callback() */
66 bool in_ildb_callback;
70 struct ildb_destructor_ctx *dc;
73 static void ildb_request_done(struct ildb_context *ctx,
74 struct ldb_control **ctrls, int error)
76 struct ldb_context *ldb;
77 struct ldb_reply *ares;
79 ldb = ldb_module_get_ctx(ctx->module);
83 if (ctx->req == NULL) {
84 /* if the req has been freed already just return */
88 ares = talloc_zero(ctx->req, struct ldb_reply);
91 ctx->req->callback(ctx->req, NULL);
94 ares->type = LDB_REPLY_DONE;
95 ares->controls = talloc_steal(ares, ctrls);
98 ctx->req->callback(ctx->req, ares);
101 static void ildb_auto_done_callback(struct tevent_context *ev,
102 struct tevent_timer *te,
106 struct ildb_context *ac;
108 ac = talloc_get_type(private_data, struct ildb_context);
109 ildb_request_done(ac, NULL, LDB_SUCCESS);
113 convert a ldb_message structure to a list of ldap_mod structures
114 ready for ildap_add() or ildap_modify()
116 static struct ldap_mod **ildb_msg_to_mods(void *mem_ctx, int *num_mods,
117 const struct ldb_message *msg,
120 struct ldap_mod **mods;
124 /* allocate maximum number of elements needed */
125 mods = talloc_array(mem_ctx, struct ldap_mod *, msg->num_elements+1);
132 for (i = 0; i < msg->num_elements; i++) {
133 const struct ldb_message_element *el = &msg->elements[i];
135 mods[n] = talloc(mods, struct ldap_mod);
141 mods[n]->attrib = *el;
143 switch (el->flags & LDB_FLAG_MOD_MASK) {
144 case LDB_FLAG_MOD_ADD:
145 mods[n]->type = LDAP_MODIFY_ADD;
147 case LDB_FLAG_MOD_DELETE:
148 mods[n]->type = LDAP_MODIFY_DELETE;
150 case LDB_FLAG_MOD_REPLACE:
151 mods[n]->type = LDAP_MODIFY_REPLACE;
168 map an ildap NTSTATUS to a ldb error code
170 static int ildb_map_error(struct ldb_module *module, NTSTATUS status)
172 struct ildb_private *ildb;
173 struct ldb_context *ldb;
176 ildb = talloc_get_type(ldb_module_get_private(module), struct ildb_private);
177 ldb = ldb_module_get_ctx(module);
179 if (NT_STATUS_IS_OK(status)) {
183 mem_ctx = talloc_new(ildb);
186 return LDB_ERR_OPERATIONS_ERROR;
188 ldb_set_errstring(ldb,
189 ldap_errstr(ildb->ldap, mem_ctx, status));
190 talloc_free(mem_ctx);
191 if (NT_STATUS_IS_LDAP(status)) {
192 return NT_STATUS_LDAP_CODE(status);
194 return LDB_ERR_OPERATIONS_ERROR;
197 static void ildb_request_timeout(struct tevent_context *ev, struct tevent_timer *te,
198 struct timeval t, void *private_data)
200 struct ildb_context *ac = talloc_get_type(private_data, struct ildb_context);
202 if (ac->ireq->state == LDAP_REQUEST_PENDING) {
203 DLIST_REMOVE(ac->ireq->conn->pending, ac->ireq);
206 ildb_request_done(ac, NULL, LDB_ERR_TIME_LIMIT_EXCEEDED);
209 static void ildb_callback(struct ldap_request *req)
211 struct ldb_context *ldb;
212 struct ildb_context *ac;
214 struct ldap_SearchResEntry *search;
215 struct ldap_message *msg;
216 struct ldb_control **controls;
217 struct ldb_message *ldbmsg;
219 bool callback_failed;
224 ac = talloc_get_type(req->async.private_data, struct ildb_context);
225 ldb = ldb_module_get_ctx(ac->module);
226 callback_failed = false;
227 request_done = false;
230 /* check if we are already processing this request */
231 if (ac->in_ildb_callback) {
234 /* mark the request as being in process */
235 ac->in_ildb_callback = true;
237 if (!NT_STATUS_IS_OK(req->status)) {
238 ret = ildb_map_error(ac->module, req->status);
239 ildb_request_done(ac, NULL, ret);
243 if (req->num_replies < 1) {
244 ret = LDB_ERR_OPERATIONS_ERROR;
245 ildb_request_done(ac, NULL, ret);
251 case LDAP_TAG_ModifyRequest:
252 if (req->replies[0]->type != LDAP_TAG_ModifyResponse) {
253 ret = LDB_ERR_PROTOCOL_ERROR;
256 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
257 ret = ildb_map_error(ac->module, status);
261 case LDAP_TAG_AddRequest:
262 if (req->replies[0]->type != LDAP_TAG_AddResponse) {
263 ret = LDB_ERR_PROTOCOL_ERROR;
266 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
267 ret = ildb_map_error(ac->module, status);
271 case LDAP_TAG_DelRequest:
272 if (req->replies[0]->type != LDAP_TAG_DelResponse) {
273 ret = LDB_ERR_PROTOCOL_ERROR;
276 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
277 ret = ildb_map_error(ac->module, status);
281 case LDAP_TAG_ModifyDNRequest:
282 if (req->replies[0]->type != LDAP_TAG_ModifyDNResponse) {
283 ret = LDB_ERR_PROTOCOL_ERROR;
286 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
287 ret = ildb_map_error(ac->module, status);
291 case LDAP_TAG_SearchRequest:
292 /* loop over all messages */
293 for (i = 0; i < req->num_replies; i++) {
295 msg = req->replies[i];
298 case LDAP_TAG_SearchResultDone:
300 status = ldap_check_response(ac->ireq->conn, &msg->r.GeneralResult);
301 if (!NT_STATUS_IS_OK(status)) {
302 ret = ildb_map_error(ac->module, status);
306 controls = talloc_steal(ac, msg->controls);
307 if (msg->r.SearchResultDone.resultcode) {
308 if (msg->r.SearchResultDone.errormessage) {
309 ldb_set_errstring(ldb, msg->r.SearchResultDone.errormessage);
313 ret = msg->r.SearchResultDone.resultcode;
317 case LDAP_TAG_SearchResultEntry:
319 ldbmsg = ldb_msg_new(ac);
321 ret = LDB_ERR_OPERATIONS_ERROR;
325 search = &(msg->r.SearchResultEntry);
327 ldbmsg->dn = ldb_dn_new(ldbmsg, ldb, search->dn);
328 if ( ! ldb_dn_validate(ldbmsg->dn)) {
329 ret = LDB_ERR_OPERATIONS_ERROR;
332 ldbmsg->num_elements = search->num_attributes;
333 ldbmsg->elements = talloc_move(ldbmsg, &search->attributes);
335 controls = talloc_steal(ac, msg->controls);
337 ret = ldb_module_send_entry(ac->req, ldbmsg, controls);
338 if (ret != LDB_SUCCESS) {
339 callback_failed = true;
344 case LDAP_TAG_SearchResultReference:
346 referral = talloc_strdup(ac, msg->r.SearchResultReference.referral);
348 ret = ldb_module_send_referral(ac->req, referral);
349 if (ret != LDB_SUCCESS) {
350 callback_failed = true;
356 /* TAG not handled, fail ! */
357 ret = LDB_ERR_PROTOCOL_ERROR;
361 if (ret != LDB_SUCCESS) {
366 talloc_free(req->replies);
368 req->num_replies = 0;
373 ret = LDB_ERR_PROTOCOL_ERROR;
377 if (ret != LDB_SUCCESS) {
379 /* if the callback failed the caller will have freed the
380 * request. Just return and don't try to use it */
381 if ( ! callback_failed) {
387 ildb_request_done(ac, controls, ret);
390 /* unmark the request as beign in progress */
391 ac->in_ildb_callback = false;
396 static int ildb_request_send(struct ildb_context *ac, struct ldap_message *msg)
398 struct ldb_context *ldb;
399 struct ldap_request *req;
402 return LDB_ERR_OPERATIONS_ERROR;
405 ldb = ldb_module_get_ctx(ac->module);
407 req = ldap_request_send(ac->ildb->ldap, msg);
409 ldb_set_errstring(ldb, "async send request failed");
410 return LDB_ERR_OPERATIONS_ERROR;
412 ac->ireq = talloc_steal(ac, req);
414 if (!ac->ireq->conn) {
415 ldb_set_errstring(ldb, "connection to remote LDAP server dropped?");
416 return LDB_ERR_OPERATIONS_ERROR;
419 talloc_free(req->time_event);
420 req->time_event = NULL;
421 if (ac->req->timeout) {
422 req->time_event = tevent_add_timer(ac->ildb->event_ctx, ac,
423 timeval_current_ofs(ac->req->timeout, 0),
424 ildb_request_timeout, ac);
427 req->async.fn = ildb_callback;
428 req->async.private_data = ac;
434 search for matching records using an asynchronous function
436 static int ildb_search(struct ildb_context *ac)
438 struct ldb_context *ldb;
439 struct ldb_request *req = ac->req;
440 struct ldap_message *msg;
443 ldb = ldb_module_get_ctx(ac->module);
445 if (!req->callback || !req->context) {
446 ldb_set_errstring(ldb, "Async interface called with NULL callback function or NULL context");
447 return LDB_ERR_OPERATIONS_ERROR;
450 if (req->op.search.tree == NULL) {
451 ldb_set_errstring(ldb, "Invalid expression parse tree");
452 return LDB_ERR_OPERATIONS_ERROR;
455 msg = new_ldap_message(req);
457 ldb_set_errstring(ldb, "Out of Memory");
458 return LDB_ERR_OPERATIONS_ERROR;
461 msg->type = LDAP_TAG_SearchRequest;
463 if (req->op.search.base == NULL) {
464 msg->r.SearchRequest.basedn = talloc_strdup(msg, "");
466 msg->r.SearchRequest.basedn = ldb_dn_get_extended_linearized(msg, req->op.search.base, 0);
468 if (msg->r.SearchRequest.basedn == NULL) {
469 ldb_set_errstring(ldb, "Unable to determine baseDN");
471 return LDB_ERR_OPERATIONS_ERROR;
474 if (req->op.search.scope == LDB_SCOPE_DEFAULT) {
475 msg->r.SearchRequest.scope = LDB_SCOPE_SUBTREE;
477 msg->r.SearchRequest.scope = req->op.search.scope;
480 msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
481 msg->r.SearchRequest.timelimit = 0;
482 msg->r.SearchRequest.sizelimit = 0;
483 msg->r.SearchRequest.attributesonly = 0;
484 msg->r.SearchRequest.tree = discard_const(req->op.search.tree);
486 for (n = 0; req->op.search.attrs && req->op.search.attrs[n]; n++) /* noop */ ;
487 msg->r.SearchRequest.num_attributes = n;
488 msg->r.SearchRequest.attributes = req->op.search.attrs;
489 msg->controls = req->controls;
491 return ildb_request_send(ac, msg);
497 static int ildb_add(struct ildb_context *ac)
499 struct ldb_request *req = ac->req;
500 struct ldap_message *msg;
501 struct ldap_mod **mods;
504 msg = new_ldap_message(req);
506 return LDB_ERR_OPERATIONS_ERROR;
509 msg->type = LDAP_TAG_AddRequest;
511 msg->r.AddRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.add.message->dn, 0);
512 if (msg->r.AddRequest.dn == NULL) {
514 return LDB_ERR_INVALID_DN_SYNTAX;
517 mods = ildb_msg_to_mods(msg, &n, req->op.add.message, 0);
520 return LDB_ERR_OPERATIONS_ERROR;
523 msg->r.AddRequest.num_attributes = n;
524 msg->r.AddRequest.attributes = talloc_array(msg, struct ldb_message_element, n);
525 if (msg->r.AddRequest.attributes == NULL) {
527 return LDB_ERR_OPERATIONS_ERROR;
530 for (i = 0; i < n; i++) {
531 msg->r.AddRequest.attributes[i] = mods[i]->attrib;
533 msg->controls = req->controls;
535 return ildb_request_send(ac, msg);
541 static int ildb_modify(struct ildb_context *ac)
543 struct ldb_request *req = ac->req;
544 struct ldap_message *msg;
545 struct ldap_mod **mods;
548 msg = new_ldap_message(req);
550 return LDB_ERR_OPERATIONS_ERROR;
553 msg->type = LDAP_TAG_ModifyRequest;
555 msg->r.ModifyRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.mod.message->dn, 0);
556 if (msg->r.ModifyRequest.dn == NULL) {
558 return LDB_ERR_INVALID_DN_SYNTAX;
561 mods = ildb_msg_to_mods(msg, &n, req->op.mod.message, 1);
564 return LDB_ERR_OPERATIONS_ERROR;
567 msg->r.ModifyRequest.num_mods = n;
568 msg->r.ModifyRequest.mods = talloc_array(msg, struct ldap_mod, n);
569 if (msg->r.ModifyRequest.mods == NULL) {
571 return LDB_ERR_OPERATIONS_ERROR;
574 for (i = 0; i < n; i++) {
575 msg->r.ModifyRequest.mods[i] = *mods[i];
577 msg->controls = req->controls;
578 return ildb_request_send(ac, msg);
584 static int ildb_delete(struct ildb_context *ac)
586 struct ldb_request *req = ac->req;
587 struct ldap_message *msg;
589 msg = new_ldap_message(req);
591 return LDB_ERR_OPERATIONS_ERROR;
594 msg->type = LDAP_TAG_DelRequest;
596 msg->r.DelRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.del.dn, 0);
597 if (msg->r.DelRequest.dn == NULL) {
599 return LDB_ERR_INVALID_DN_SYNTAX;
601 msg->controls = req->controls;
603 return ildb_request_send(ac, msg);
609 static int ildb_rename(struct ildb_context *ac)
611 struct ldb_request *req = ac->req;
612 struct ldap_message *msg;
613 const char *rdn_name;
614 const struct ldb_val *rdn_val;
616 msg = new_ldap_message(req);
618 return LDB_ERR_OPERATIONS_ERROR;
621 msg->type = LDAP_TAG_ModifyDNRequest;
622 msg->r.ModifyDNRequest.dn = ldb_dn_get_extended_linearized(msg, req->op.rename.olddn, 0);
623 if (msg->r.ModifyDNRequest.dn == NULL) {
625 return LDB_ERR_INVALID_DN_SYNTAX;
628 rdn_name = ldb_dn_get_rdn_name(req->op.rename.newdn);
629 rdn_val = ldb_dn_get_rdn_val(req->op.rename.newdn);
631 if ((rdn_name != NULL) && (rdn_val != NULL)) {
632 msg->r.ModifyDNRequest.newrdn =
633 talloc_asprintf(msg, "%s=%s", rdn_name,
634 ldb_dn_escape_value(msg, *rdn_val));
636 msg->r.ModifyDNRequest.newrdn = talloc_strdup(msg, "");
638 if (msg->r.ModifyDNRequest.newrdn == NULL) {
640 return LDB_ERR_OPERATIONS_ERROR;
643 msg->r.ModifyDNRequest.newsuperior =
644 ldb_dn_alloc_linearized(msg, ldb_dn_get_parent(msg, req->op.rename.newdn));
645 if (msg->r.ModifyDNRequest.newsuperior == NULL) {
647 return LDB_ERR_INVALID_DN_SYNTAX;
650 msg->r.ModifyDNRequest.deleteolddn = true;
651 msg->controls = req->controls;
653 return ildb_request_send(ac, msg);
656 static int ildb_start_trans(struct ldb_module *module)
658 /* TODO implement a local locking mechanism here */
663 static int ildb_end_trans(struct ldb_module *module)
665 /* TODO implement a local transaction mechanism here */
670 static int ildb_del_trans(struct ldb_module *module)
672 /* TODO implement a local locking mechanism here */
677 static bool ildb_dn_is_special(struct ldb_request *req)
679 struct ldb_dn *dn = NULL;
681 switch (req->operation) {
683 dn = req->op.add.message->dn;
686 dn = req->op.mod.message->dn;
692 dn = req->op.rename.olddn;
698 if (dn && ldb_dn_is_special(dn)) {
704 static int ildb_handle_request(struct ldb_module *module, struct ldb_request *req)
706 struct ldb_context *ldb;
707 struct ildb_private *ildb;
708 struct ildb_context *ac;
709 struct tevent_timer *te;
712 ildb = talloc_get_type(ldb_module_get_private(module), struct ildb_private);
713 ldb = ldb_module_get_ctx(module);
715 if (req->starttime == 0 || req->timeout == 0) {
716 ldb_set_errstring(ldb, "Invalid timeout settings");
717 return LDB_ERR_TIME_LIMIT_EXCEEDED;
720 ac = talloc_zero(req, struct ildb_context);
722 ldb_set_errstring(ldb, "Out of Memory");
723 return LDB_ERR_OPERATIONS_ERROR;
730 if (ildb_dn_is_special(req)) {
732 te = tevent_add_timer(ac->ildb->event_ctx,
734 ildb_auto_done_callback, ac);
736 return LDB_ERR_OPERATIONS_ERROR;
742 switch (ac->req->operation) {
744 ret = ildb_search(ac);
750 ret = ildb_modify(ac);
753 ret = ildb_delete(ac);
756 ret = ildb_rename(ac);
759 /* no other op supported */
760 ret = LDB_ERR_OPERATIONS_ERROR;
767 static const struct ldb_module_ops ildb_ops = {
769 .search = ildb_handle_request,
770 .add = ildb_handle_request,
771 .modify = ildb_handle_request,
772 .del = ildb_handle_request,
773 .rename = ildb_handle_request,
774 /* .request = ildb_handle_request, */
775 .start_transaction = ildb_start_trans,
776 .end_transaction = ildb_end_trans,
777 .del_transaction = ildb_del_trans,
781 connect to the database
783 static int ildb_connect(struct ldb_context *ldb, const char *url,
784 unsigned int flags, const char *options[],
785 struct ldb_module **_module)
787 struct ldb_module *module;
788 struct ildb_private *ildb;
790 struct cli_credentials *creds;
791 struct loadparm_context *lp_ctx;
793 module = ldb_module_new(ldb, ldb, "ldb_ildap backend", &ildb_ops);
794 if (!module) return LDB_ERR_OPERATIONS_ERROR;
796 ildb = talloc(module, struct ildb_private);
801 ldb_module_set_private(module, ildb);
803 ildb->event_ctx = ldb_get_event_context(ldb);
805 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
806 struct loadparm_context);
808 ildb->ldap = ldap4_new_connection(ildb, lp_ctx,
815 if (flags & LDB_FLG_RECONNECT) {
816 ldap_set_reconn_params(ildb->ldap, 10);
819 status = ldap_connect(ildb->ldap, url);
820 if (!NT_STATUS_IS_OK(status)) {
821 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to ldap URL '%s' - %s",
822 url, ldap_errstr(ildb->ldap, module, status));
826 /* caller can optionally setup credentials using the opaque token 'credentials' */
827 creds = talloc_get_type(ldb_get_opaque(ldb, "credentials"), struct cli_credentials);
829 struct auth_session_info *session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);
831 creds = session_info->credentials;
835 if (creds != NULL && cli_credentials_authentication_requested(creds)) {
836 const char *bind_dn = cli_credentials_get_bind_dn(creds);
838 const char *password = cli_credentials_get_password(creds);
839 status = ldap_bind_simple(ildb->ldap, bind_dn, password);
840 if (!NT_STATUS_IS_OK(status)) {
841 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s",
842 ldap_errstr(ildb->ldap, module, status));
846 status = ldap_bind_sasl(ildb->ldap, creds, lp_ctx);
847 if (!NT_STATUS_IS_OK(status)) {
848 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s",
849 ldap_errstr(ildb->ldap, module, status));
860 return LDB_ERR_OPERATIONS_ERROR;
863 _PUBLIC_ const struct ldb_backend_ops ldb_ldap_backend_ops = {
865 .connect_fn = ildb_connect
868 _PUBLIC_ const struct ldb_backend_ops ldb_ldapi_backend_ops = {
870 .connect_fn = ildb_connect
873 _PUBLIC_ const struct ldb_backend_ops ldb_ldaps_backend_ops = {
875 .connect_fn = ildb_connect
git.samba.org / abartlet / samba.git / .git / blob