2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/ldb/include/ldb.h"
25 #include "lib/ldb/include/ldb_module.h"
26 #include "system/time.h"
27 #include "dsdb/samdb/samdb.h"
29 #include "dsdb/samdb/ldb_modules/util.h"
30 #include "libcli/security/security.h"
31 #include "librpc/ndr/libndr.h"
32 #include "auth/auth.h"
33 #include "param/param.h"
34 #include "lib/messaging/irpc.h"
35 #include "librpc/gen_ndr/ndr_irpc_c.h"
38 unsigned int num_controls;
40 unsigned int num_partitions;
41 struct ldb_dn **partitions;
45 return 1 if a specific attribute has been requested
47 static int do_attribute(const char * const *attrs, const char *name)
49 return attrs == NULL ||
50 ldb_attr_in_list(attrs, name) ||
51 ldb_attr_in_list(attrs, "*");
54 static int do_attribute_explicit(const char * const *attrs, const char *name)
56 return attrs != NULL && ldb_attr_in_list(attrs, name);
61 expand a DN attribute to include extended DN information if requested
63 static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *msg,
64 const char *attrname, struct ldb_control *edn_control,
65 struct ldb_request *req)
67 struct ldb_dn *dn, *dn2;
70 struct ldb_request *req2;
72 const char *no_attrs[] = { NULL };
73 struct ldb_result *res;
74 struct ldb_extended_dn_control *edn;
75 TALLOC_CTX *tmp_ctx = talloc_new(req);
76 struct ldb_context *ldb;
79 ldb = ldb_module_get_ctx(module);
81 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
86 v = discard_const_p(struct ldb_val, ldb_msg_find_ldb_val(msg, attrname));
92 dn_string = talloc_strndup(tmp_ctx, (const char *)v->data, v->length);
93 if (dn_string == NULL) {
95 return ldb_operr(ldb);
98 res = talloc_zero(tmp_ctx, struct ldb_result);
100 talloc_free(tmp_ctx);
101 return ldb_operr(ldb);
104 dn = ldb_dn_new(tmp_ctx, ldb, dn_string);
105 if (!ldb_dn_validate(dn)) {
106 talloc_free(tmp_ctx);
107 return ldb_operr(ldb);
110 ret = ldb_build_search_req(&req2, ldb, tmp_ctx,
116 res, ldb_search_default_callback,
118 if (ret != LDB_SUCCESS) {
119 talloc_free(tmp_ctx);
124 ret = ldb_request_add_control(req2,
125 LDB_CONTROL_EXTENDED_DN_OID,
126 edn_control->critical, edn);
127 if (ret != LDB_SUCCESS) {
128 talloc_free(tmp_ctx);
132 ret = ldb_next_request(module, req2);
133 if (ret == LDB_SUCCESS) {
134 ret = ldb_wait(req2->handle, LDB_WAIT_ALL);
136 if (ret != LDB_SUCCESS) {
137 talloc_free(tmp_ctx);
141 if (!res || res->count != 1) {
142 talloc_free(tmp_ctx);
143 return ldb_operr(ldb);
146 dn2 = res->msgs[0]->dn;
148 v->data = (uint8_t *)ldb_dn_get_extended_linearized(msg->elements, dn2, edn_type);
149 if (v->data == NULL) {
150 talloc_free(tmp_ctx);
151 return ldb_operr(ldb);
153 v->length = strlen((char *)v->data);
156 talloc_free(tmp_ctx);
163 add dynamically generated attributes to rootDSE result
165 static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *msg,
166 const char * const *attrs, struct ldb_request *req)
168 struct ldb_context *ldb;
169 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
171 const struct dsdb_schema *schema;
173 struct ldb_control *edn_control;
174 const char *dn_attrs[] = {
175 "configurationNamingContext",
176 "defaultNamingContext",
178 "rootDomainNamingContext",
179 "schemaNamingContext",
184 ldb = ldb_module_get_ctx(module);
185 schema = dsdb_get_schema(ldb, NULL);
187 msg->dn = ldb_dn_new(msg, ldb, NULL);
189 /* don't return the distinguishedName, cn and name attributes */
190 ldb_msg_remove_attr(msg, "distinguishedName");
191 ldb_msg_remove_attr(msg, "cn");
192 ldb_msg_remove_attr(msg, "name");
194 if (do_attribute(attrs, "currentTime")) {
195 if (ldb_msg_add_steal_string(msg, "currentTime",
196 ldb_timestring(msg, time(NULL))) != LDB_SUCCESS) {
201 if (priv && do_attribute(attrs, "supportedControl")) {
203 for (i = 0; i < priv->num_controls; i++) {
204 char *control = talloc_strdup(msg, priv->controls[i]);
208 if (ldb_msg_add_steal_string(msg, "supportedControl",
209 control) != LDB_SUCCESS) {
215 if (priv && do_attribute(attrs, "namingContexts")) {
217 for (i = 0; i < priv->num_partitions; i++) {
218 struct ldb_dn *dn = priv->partitions[i];
219 if (ldb_msg_add_steal_string(msg, "namingContexts",
220 ldb_dn_alloc_linearized(msg, dn)) != LDB_SUCCESS) {
226 server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
228 if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
230 for (i = 0; server_sasl && server_sasl[i]; i++) {
231 char *sasl_name = talloc_strdup(msg, server_sasl[i]);
235 if (ldb_msg_add_steal_string(msg, "supportedSASLMechanisms",
236 sasl_name) != LDB_SUCCESS) {
242 if (do_attribute(attrs, "highestCommittedUSN")) {
244 int ret = ldb_sequence_number(ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
245 if (ret == LDB_SUCCESS) {
246 if (ldb_msg_add_fmt(msg, "highestCommittedUSN",
247 "%llu", (unsigned long long)seq_num) != LDB_SUCCESS) {
253 if (schema && do_attribute_explicit(attrs, "dsSchemaAttrCount")) {
254 struct dsdb_attribute *cur;
257 for (cur = schema->attributes; cur; cur = cur->next) {
261 if (ldb_msg_add_fmt(msg, "dsSchemaAttrCount",
262 "%u", n) != LDB_SUCCESS) {
267 if (schema && do_attribute_explicit(attrs, "dsSchemaClassCount")) {
268 struct dsdb_class *cur;
271 for (cur = schema->classes; cur; cur = cur->next) {
275 if (ldb_msg_add_fmt(msg, "dsSchemaClassCount",
276 "%u", n) != LDB_SUCCESS) {
281 if (schema && do_attribute_explicit(attrs, "dsSchemaPrefixCount")) {
282 if (ldb_msg_add_fmt(msg, "dsSchemaPrefixCount",
283 "%u", schema->prefixmap->length) != LDB_SUCCESS) {
288 if (do_attribute_explicit(attrs, "validFSMOs")) {
289 const struct dsdb_naming_fsmo *naming_fsmo;
290 const struct dsdb_pdc_fsmo *pdc_fsmo;
293 if (schema && schema->fsmo.we_are_master) {
294 dn_str = ldb_dn_get_linearized(ldb_get_schema_basedn(ldb));
295 if (dn_str && dn_str[0]) {
296 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
302 naming_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_naming_fsmo"),
303 struct dsdb_naming_fsmo);
304 if (naming_fsmo && naming_fsmo->we_are_master) {
305 dn_str = ldb_dn_get_linearized(samdb_partitions_dn(ldb, msg));
306 if (dn_str && dn_str[0]) {
307 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
313 pdc_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_pdc_fsmo"),
314 struct dsdb_pdc_fsmo);
315 if (pdc_fsmo && pdc_fsmo->we_are_master) {
316 dn_str = ldb_dn_get_linearized(ldb_get_default_basedn(ldb));
317 if (dn_str && dn_str[0]) {
318 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
325 if (do_attribute_explicit(attrs, "vendorVersion")) {
326 if (ldb_msg_add_fmt(msg, "vendorVersion",
327 "%s", SAMBA_VERSION_STRING) != LDB_SUCCESS) {
332 if (priv && do_attribute(attrs, "domainFunctionality")) {
333 if (ldb_msg_add_fmt(msg, "domainFunctionality",
334 "%d", dsdb_functional_level(ldb)) != LDB_SUCCESS) {
339 if (priv && do_attribute(attrs, "forestFunctionality")
340 && (val = talloc_get_type(ldb_get_opaque(ldb, "forestFunctionality"), int))) {
341 if (ldb_msg_add_fmt(msg, "forestFunctionality",
342 "%d", *val) != LDB_SUCCESS) {
347 if (priv && do_attribute(attrs, "domainControllerFunctionality")
348 && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) {
349 if (ldb_msg_add_fmt(msg, "domainControllerFunctionality",
350 "%d", *val) != LDB_SUCCESS) {
355 if (do_attribute(attrs, "isGlobalCatalogReady")) {
356 /* MS-ADTS 3.1.1.3.2.10
357 Note, we should only return true here is we have
358 completed at least one synchronisation. As both
359 provision and vampire do a full sync, this means we
360 can return true is the gc bit is set in the NTDSDSA
362 if (ldb_msg_add_fmt(msg, "isGlobalCatalogReady",
363 "%s", samdb_is_gc(ldb)?"TRUE":"FALSE") != LDB_SUCCESS) {
368 if (do_attribute_explicit(attrs, "tokenGroups")) {
370 /* Obtain the user's session_info */
371 struct auth_session_info *session_info
372 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
373 if (session_info && session_info->security_token) {
374 /* The list of groups this user is in */
375 for (i = 0; i < session_info->security_token->num_sids; i++) {
376 if (samdb_msg_add_dom_sid(ldb, msg, msg,
378 &session_info->security_token->sids[i]) != LDB_SUCCESS) {
385 /* TODO: lots more dynamic attributes should be added here */
387 edn_control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
389 /* if the client sent us the EXTENDED_DN control then we need
390 to expand the DNs to have GUID and SID. W2K8 join relies on
395 for (i=0; dn_attrs[i]; i++) {
396 if (!do_attribute(attrs, dn_attrs[i])) continue;
397 ret = expand_dn_in_message(module, msg, dn_attrs[i],
399 if (ret != LDB_SUCCESS) {
400 DEBUG(0,(__location__ ": Failed to expand DN in rootDSE for %s\n",
410 return ldb_operr(ldb);
414 handle search requests
417 struct rootdse_context {
418 struct ldb_module *module;
419 struct ldb_request *req;
422 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
423 struct ldb_request *req)
425 struct ldb_context *ldb;
426 struct rootdse_context *ac;
428 ldb = ldb_module_get_ctx(module);
430 ac = talloc_zero(req, struct rootdse_context);
432 ldb_set_errstring(ldb, "Out of Memory");
442 static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
444 struct rootdse_context *ac;
447 ac = talloc_get_type(req->context, struct rootdse_context);
450 return ldb_module_done(ac->req, NULL, NULL,
451 LDB_ERR_OPERATIONS_ERROR);
453 if (ares->error != LDB_SUCCESS) {
454 return ldb_module_done(ac->req, ares->controls,
455 ares->response, ares->error);
458 switch (ares->type) {
459 case LDB_REPLY_ENTRY:
461 * if the client explicit asks for the 'netlogon' attribute
462 * the reply_entry needs to be skipped
464 if (ac->req->op.search.attrs &&
465 ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
470 /* for each record returned post-process to add any dynamic
471 attributes that have been asked for */
472 ret = rootdse_add_dynamic(ac->module, ares->message,
473 ac->req->op.search.attrs, ac->req);
474 if (ret != LDB_SUCCESS) {
476 return ldb_module_done(ac->req, NULL, NULL, ret);
479 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
481 case LDB_REPLY_REFERRAL:
482 /* should we allow the backend to return referrals in this case
487 return ldb_module_done(ac->req, ares->controls,
488 ares->response, ares->error);
496 mark our registered controls as non-critical in the request
498 This is needed as clients may mark controls as critical even if they
499 are not needed at all in a request. For example, the centrify client
500 sets the SD_FLAGS control as critical on ldap modify requests which
501 are setting the dNSHostName attribute on the machine account. That
502 request doesn't need SD_FLAGS at all, but centrify adds it on all
505 static void rootdse_mark_noncritical(struct ldb_module *module, struct ldb_control **controls)
508 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
510 if (!controls) return;
512 for (i=0; controls[i]; i++) {
513 if (controls[i]->critical == 0) {
516 for (j=0; j<priv->num_controls; j++) {
517 if (strcasecmp(priv->controls[j], controls[i]->oid) == 0) {
518 controls[i]->critical = 0;
524 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
526 struct ldb_context *ldb;
527 struct rootdse_context *ac;
528 struct ldb_request *down_req;
531 rootdse_mark_noncritical(module, req->controls);
533 ldb = ldb_module_get_ctx(module);
535 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
536 if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
537 /* Otherwise, pass down to the rest of the stack */
538 return ldb_next_request(module, req);
541 ac = rootdse_init_context(module, req);
543 return ldb_operr(ldb);
546 /* in our db we store the rootDSE with a DN of @ROOTDSE */
547 ret = ldb_build_search_req(&down_req, ldb, ac,
548 ldb_dn_new(ac, ldb, "@ROOTDSE"),
551 req->op.search.attrs,
552 NULL,/* for now skip the controls from the client */
553 ac, rootdse_callback,
555 if (ret != LDB_SUCCESS) {
559 return ldb_next_request(module, down_req);
562 static int rootdse_register_control(struct ldb_module *module, struct ldb_request *req)
564 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
567 list = talloc_realloc(priv, priv->controls, char *, priv->num_controls + 1);
569 return ldb_oom(ldb_module_get_ctx(module));
572 list[priv->num_controls] = talloc_strdup(list, req->op.reg_control.oid);
573 if (!list[priv->num_controls]) {
574 return ldb_oom(ldb_module_get_ctx(module));
577 priv->num_controls += 1;
578 priv->controls = list;
580 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
583 static int rootdse_register_partition(struct ldb_module *module, struct ldb_request *req)
585 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
586 struct ldb_dn **list;
588 list = talloc_realloc(priv, priv->partitions, struct ldb_dn *, priv->num_partitions + 1);
590 return ldb_oom(ldb_module_get_ctx(module));
593 list[priv->num_partitions] = ldb_dn_copy(list, req->op.reg_partition.dn);
594 if (!list[priv->num_partitions]) {
595 return ldb_operr(ldb_module_get_ctx(module));
598 priv->num_partitions += 1;
599 priv->partitions = list;
601 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
605 static int rootdse_request(struct ldb_module *module, struct ldb_request *req)
607 switch (req->operation) {
609 case LDB_REQ_REGISTER_CONTROL:
610 return rootdse_register_control(module, req);
611 case LDB_REQ_REGISTER_PARTITION:
612 return rootdse_register_partition(module, req);
617 return ldb_next_request(module, req);
620 static int rootdse_init(struct ldb_module *module)
623 struct ldb_context *ldb;
624 struct ldb_result *res;
625 struct private_data *data;
626 const char *attrs[] = { "msDS-Behavior-Version", NULL };
627 const char *ds_attrs[] = { "dsServiceName", NULL };
630 ldb = ldb_module_get_ctx(module);
632 data = talloc_zero(module, struct private_data);
637 data->num_controls = 0;
638 data->controls = NULL;
639 data->num_partitions = 0;
640 data->partitions = NULL;
641 ldb_module_set_private(module, data);
643 ldb_set_default_dns(ldb);
645 ret = ldb_next_init(module);
647 if (ret != LDB_SUCCESS) {
651 mem_ctx = talloc_new(data);
656 /* Now that the partitions are set up, do a search for:
657 - domainControllerFunctionality
658 - domainFunctionality
659 - forestFunctionality
661 Then stuff these values into an opaque
663 ret = ldb_search(ldb, mem_ctx, &res,
664 ldb_get_default_basedn(ldb),
665 LDB_SCOPE_BASE, attrs, NULL);
666 if (ret == LDB_SUCCESS && res->count == 1) {
667 int domain_behaviour_version
668 = ldb_msg_find_attr_as_int(res->msgs[0],
669 "msDS-Behavior-Version", -1);
670 if (domain_behaviour_version != -1) {
671 int *val = talloc(ldb, int);
673 talloc_free(mem_ctx);
676 *val = domain_behaviour_version;
677 ret = ldb_set_opaque(ldb, "domainFunctionality", val);
678 if (ret != LDB_SUCCESS) {
679 talloc_free(mem_ctx);
685 ret = ldb_search(ldb, mem_ctx, &res,
686 samdb_partitions_dn(ldb, mem_ctx),
687 LDB_SCOPE_BASE, attrs, NULL);
688 if (ret == LDB_SUCCESS && res->count == 1) {
689 int forest_behaviour_version
690 = ldb_msg_find_attr_as_int(res->msgs[0],
691 "msDS-Behavior-Version", -1);
692 if (forest_behaviour_version != -1) {
693 int *val = talloc(ldb, int);
695 talloc_free(mem_ctx);
698 *val = forest_behaviour_version;
699 ret = ldb_set_opaque(ldb, "forestFunctionality", val);
700 if (ret != LDB_SUCCESS) {
701 talloc_free(mem_ctx);
707 ret = ldb_search(ldb, mem_ctx, &res,
708 ldb_dn_new(mem_ctx, ldb, ""),
709 LDB_SCOPE_BASE, ds_attrs, NULL);
710 if (ret == LDB_SUCCESS && res->count == 1) {
712 = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
715 ret = ldb_search(ldb, mem_ctx, &res, ds_dn,
716 LDB_SCOPE_BASE, attrs, NULL);
717 if (ret == LDB_SUCCESS && res->count == 1) {
718 int domain_controller_behaviour_version
719 = ldb_msg_find_attr_as_int(res->msgs[0],
720 "msDS-Behavior-Version", -1);
721 if (domain_controller_behaviour_version != -1) {
722 int *val = talloc(ldb, int);
724 talloc_free(mem_ctx);
727 *val = domain_controller_behaviour_version;
728 ret = ldb_set_opaque(ldb,
729 "domainControllerFunctionality", val);
730 if (ret != LDB_SUCCESS) {
731 talloc_free(mem_ctx);
739 talloc_free(mem_ctx);
745 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
746 * to a DN and a GUID object
748 static int get_optional_feature_dn_guid(struct ldb_request *req, struct ldb_context *ldb,
750 struct ldb_dn **op_feature_scope_dn,
751 struct GUID *op_feature_guid)
753 const struct ldb_message *msg = req->op.mod.message;
754 const char *ldb_val_str;
756 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
759 ldb_val_str = ldb_msg_find_attr_as_string(msg, "enableOptionalFeature", NULL);
761 ldb_set_errstring(ldb,
762 "rootdse: unable to find 'enableOptionalFeature'!");
763 return LDB_ERR_UNWILLING_TO_PERFORM;
766 guid = strchr(ldb_val_str, ':');
768 ldb_set_errstring(ldb,
769 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
770 return LDB_ERR_UNWILLING_TO_PERFORM;
772 status = GUID_from_string(guid+1, op_feature_guid);
773 if (!NT_STATUS_IS_OK(status)) {
774 ldb_set_errstring(ldb,
775 "rootdse: bad GUID in 'enableOptionalFeature'!");
776 return LDB_ERR_UNWILLING_TO_PERFORM;
779 dn = talloc_strndup(tmp_ctx, ldb_val_str, guid-ldb_val_str);
781 ldb_set_errstring(ldb,
782 "rootdse: bad DN in 'enableOptionalFeature'!");
783 return LDB_ERR_UNWILLING_TO_PERFORM;
786 *op_feature_scope_dn = ldb_dn_new(mem_ctx, ldb, dn);
788 talloc_free(tmp_ctx);
793 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
794 * ldb_message object.
796 static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_context *ldb,
797 TALLOC_CTX *mem_ctx, struct GUID op_feature_guid, struct ldb_message **msg)
799 struct ldb_result *res;
800 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
803 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
805 DSDB_FLAG_NEXT_MODULE |
806 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
807 "(&(objectClass=msDS-OptionalFeature)"
808 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
810 if (ret != LDB_SUCCESS) {
811 talloc_free(tmp_ctx);
814 if (res->count == 0) {
815 talloc_free(tmp_ctx);
816 return LDB_ERR_NO_SUCH_OBJECT;
818 if (res->count != 1) {
819 ldb_asprintf_errstring(ldb,
820 "More than one object found matching optional feature GUID %s\n",
821 GUID_string(tmp_ctx, &op_feature_guid));
822 talloc_free(tmp_ctx);
823 return LDB_ERR_OPERATIONS_ERROR;
826 *msg = talloc_steal(mem_ctx, res->msgs[0]);
828 talloc_free(tmp_ctx);
832 static int rootdse_enable_recycle_bin(struct ldb_module *module,struct ldb_context *ldb,
833 TALLOC_CTX *mem_ctx, struct ldb_dn *op_feature_scope_dn,
834 struct ldb_message *op_feature_msg)
837 const int domain_func_level = dsdb_functional_level(ldb);
838 struct ldb_dn *ntds_settings_dn;
840 unsigned int el_count = 0;
841 struct ldb_message *msg;
843 ret = ldb_msg_find_attr_as_int(op_feature_msg, "msDS-RequiredForestBehaviorVersion", 0);
844 if (domain_func_level < ret){
845 ldb_asprintf_errstring(ldb,
846 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
848 return LDB_ERR_UNWILLING_TO_PERFORM;
851 tmp_ctx = talloc_new(mem_ctx);
852 ntds_settings_dn = samdb_ntds_settings_dn(ldb);
853 if (!ntds_settings_dn) {
854 DEBUG(0, (__location__ ": Failed to find NTDS settings DN\n"));
855 ret = LDB_ERR_OPERATIONS_ERROR;
856 talloc_free(tmp_ctx);
860 ntds_settings_dn = ldb_dn_copy(tmp_ctx, ntds_settings_dn);
861 if (!ntds_settings_dn) {
862 DEBUG(0, (__location__ ": Failed to copy NTDS settings DN\n"));
863 ret = LDB_ERR_OPERATIONS_ERROR;
864 talloc_free(tmp_ctx);
868 msg = ldb_msg_new(tmp_ctx);
869 msg->dn = ntds_settings_dn;
871 ldb_msg_add_linearized_dn(msg, "msDS-EnabledFeature", op_feature_msg->dn);
872 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
874 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE);
875 if (ret != LDB_SUCCESS) {
876 ldb_asprintf_errstring(ldb,
877 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
878 ldb_dn_get_linearized(ntds_settings_dn),
880 talloc_free(tmp_ctx);
884 msg->dn = op_feature_scope_dn;
885 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE);
886 if (ret != LDB_SUCCESS) {
887 ldb_asprintf_errstring(ldb,
888 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
889 ldb_dn_get_linearized(op_feature_scope_dn),
891 talloc_free(tmp_ctx);
898 static int rootdse_enableoptionalfeature(struct ldb_module *module, struct ldb_request *req)
902 - check for system (only system can enable features)
903 - extract GUID from the request
904 - find the feature object
905 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
906 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
907 - add/modify objects (see ntdsconnection code for an example)
910 struct ldb_context *ldb = ldb_module_get_ctx(module);
911 struct GUID op_feature_guid;
912 struct ldb_dn *op_feature_scope_dn;
913 struct ldb_message *op_feature_msg;
914 struct auth_session_info *session_info =
915 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
916 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
918 const char *guid_string;
920 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
921 ldb_set_errstring(ldb, "rootdse: Insufficient rights for enableoptionalfeature");
922 return LDB_ERR_UNWILLING_TO_PERFORM;
925 ret = get_optional_feature_dn_guid(req, ldb, tmp_ctx, &op_feature_scope_dn, &op_feature_guid);
926 if (ret != LDB_SUCCESS) {
927 talloc_free(tmp_ctx);
931 guid_string = GUID_string(tmp_ctx, &op_feature_guid);
933 ldb_set_errstring(ldb, "rootdse: bad optional feature GUID");
934 return LDB_ERR_UNWILLING_TO_PERFORM;
937 ret = dsdb_find_optional_feature(module, ldb, tmp_ctx, op_feature_guid, &op_feature_msg);
938 if (ret != LDB_SUCCESS) {
939 ldb_asprintf_errstring(ldb,
940 "rootdse: unable to find optional feature for %s - %s",
941 guid_string, ldb_errstring(ldb));
942 talloc_free(tmp_ctx);
946 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN, guid_string) == 0) {
947 ret = rootdse_enable_recycle_bin(module, ldb,
948 tmp_ctx, op_feature_scope_dn,
951 ldb_asprintf_errstring(ldb,
952 "rootdse: unknown optional feature %s",
954 talloc_free(tmp_ctx);
955 return LDB_ERR_UNWILLING_TO_PERFORM;
957 if (ret != LDB_SUCCESS) {
958 ldb_asprintf_errstring(ldb,
959 "rootdse: failed to set optional feature for %s - %s",
960 guid_string, ldb_errstring(ldb));
961 talloc_free(tmp_ctx);
965 talloc_free(tmp_ctx);
966 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);;
969 static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request *req)
971 struct ldb_context *ldb = ldb_module_get_ctx(module);
972 struct ldb_result *ext_res;
974 struct ldb_dn *schema_dn;
976 schema_dn = ldb_get_schema_basedn(ldb);
978 ldb_reset_err_string(ldb);
979 ldb_debug(ldb, LDB_DEBUG_WARNING,
980 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
981 return ldb_next_request(module, req);
984 ret = ldb_extended(ldb, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID, schema_dn, &ext_res);
985 if (ret != LDB_SUCCESS) {
986 return ldb_operr(ldb);
989 talloc_free(ext_res);
990 return ldb_module_done(req, NULL, NULL, ret);
993 static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
995 struct ldb_context *ldb = ldb_module_get_ctx(module);
997 rootdse_mark_noncritical(module, req->controls);
1000 If dn is not "" we should let it pass through
1002 if (!ldb_dn_is_null(req->op.add.message->dn)) {
1003 return ldb_next_request(module, req);
1006 ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
1007 return LDB_ERR_NAMING_VIOLATION;
1010 static int rootdse_become_master(struct ldb_module *module,
1011 struct ldb_request *req,
1014 struct drepl_takeFSMORole r;
1015 struct messaging_context *msg;
1016 struct ldb_context *ldb = ldb_module_get_ctx(module);
1017 TALLOC_CTX *tmp_ctx = talloc_new(req);
1018 struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
1019 NTSTATUS status_call;
1021 struct dcerpc_binding_handle *irpc_handle;
1023 msg = messaging_client_init(tmp_ctx, lpcfg_messaging_path(tmp_ctx, lp_ctx),
1024 ldb_get_event_context(ldb));
1026 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
1029 if (irpc_handle == NULL) {
1030 return ldb_oom(ldb);
1034 status_call = dcerpc_drepl_takeFSMORole_r(irpc_handle, tmp_ctx, &r);
1035 if (!NT_STATUS_IS_OK(status_call)) {
1036 return LDB_ERR_OPERATIONS_ERROR;
1038 status_fn = r.out.result;
1039 if (!W_ERROR_IS_OK(status_fn)) {
1040 return LDB_ERR_OPERATIONS_ERROR;
1042 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1045 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
1047 struct ldb_context *ldb = ldb_module_get_ctx(module);
1049 rootdse_mark_noncritical(module, req->controls);
1052 If dn is not "" we should let it pass through
1054 if (!ldb_dn_is_null(req->op.mod.message->dn)) {
1055 return ldb_next_request(module, req);
1059 dn is empty so check for schemaUpdateNow attribute
1060 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1062 if (ldb_msg_find_element(req->op.mod.message, "schemaUpdateNow")) {
1063 return rootdse_schemaupdatenow(module, req);
1065 if (ldb_msg_find_element(req->op.mod.message, "becomeDomainMaster")) {
1066 return rootdse_become_master(module, req, DREPL_NAMING_MASTER);
1068 if (ldb_msg_find_element(req->op.mod.message, "becomeInfrastructureMaster")) {
1069 return rootdse_become_master(module, req, DREPL_INFRASTRUCTURE_MASTER);
1071 if (ldb_msg_find_element(req->op.mod.message, "becomeRidMaster")) {
1072 return rootdse_become_master(module, req, DREPL_RID_MASTER);
1074 if (ldb_msg_find_element(req->op.mod.message, "becomeSchemaMaster")) {
1075 return rootdse_become_master(module, req, DREPL_SCHEMA_MASTER);
1077 if (ldb_msg_find_element(req->op.mod.message, "becomePdc")) {
1078 return rootdse_become_master(module, req, DREPL_PDC_MASTER);
1080 if (ldb_msg_find_element(req->op.mod.message, "enableOptionalFeature")) {
1081 return rootdse_enableoptionalfeature(module, req);
1084 ldb_set_errstring(ldb, "rootdse_modify: unknown attribute to change!");
1085 return LDB_ERR_UNWILLING_TO_PERFORM;
1088 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
1090 struct ldb_context *ldb = ldb_module_get_ctx(module);
1092 rootdse_mark_noncritical(module, req->controls);
1095 If dn is not "" we should let it pass through
1097 if (!ldb_dn_is_null(req->op.del.dn)) {
1098 return ldb_next_request(module, req);
1101 ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
1102 return LDB_ERR_NO_SUCH_OBJECT;
1105 _PUBLIC_ const struct ldb_module_ops ldb_rootdse_module_ops = {
1107 .init_context = rootdse_init,
1108 .search = rootdse_search,
1109 .request = rootdse_request,
1111 .modify = rootdse_modify,
1112 .del = rootdse_delete