4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
5 Copyright (C) Simo Sorce 2004-2008
6 Copyright (C) Matthias Dieter Wallnöfer 2009
8 * NOTICE: this module is NOT released under the GNU LGPL license as
9 * other ldb code. This module is release under the GNU GPL v3 or
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 * Component: ldb samldb module
31 * Description: add embedded user/group creation functionality
37 #include "libcli/ldap/ldap_ndr.h"
38 #include "ldb_module.h"
39 #include "dsdb/samdb/samdb.h"
40 #include "libcli/security/security.h"
41 #include "librpc/gen_ndr/ndr_security.h"
42 #include "../lib/util/util_ldb.h"
47 typedef int (*samldb_step_fn_t)(struct samldb_ctx *);
50 struct samldb_step *next;
55 struct ldb_module *module;
56 struct ldb_request *req;
58 /* used for add operations */
61 /* the resulting message */
62 struct ldb_message *msg;
64 /* used to find parent domain */
65 struct ldb_dn *check_dn;
66 struct ldb_dn *domain_dn;
67 struct dom_sid *domain_sid;
70 /* holds the entry SID */
73 /* holds a generic dn */
76 /* used in conjunction with "sid" in "samldb_dn_from_sid" */
77 struct ldb_dn *res_dn;
79 /* used in conjunction with "dn" in "samldb_sid_from_dn" */
80 struct dom_sid *res_sid;
82 /* used in "samldb_user_dn_to_prim_group_rid" */
83 uint32_t prim_group_rid;
85 /* used in conjunction with "prim_group_rid" in
86 * "samldb_prim_group_rid_to_users_cnt" */
87 unsigned int users_cnt;
89 /* used in "samldb_group_add_member" and "samldb_group_del_member" */
90 struct ldb_dn *group_dn;
91 struct ldb_dn *member_dn;
93 /* used in "samldb_primary_group_change" */
94 struct ldb_dn *user_dn;
95 struct ldb_dn *old_prim_group_dn, *new_prim_group_dn;
97 /* generic counter - used in "samldb_member_check" */
100 /* all the async steps necessary to complete the operation */
101 struct samldb_step *steps;
102 struct samldb_step *curstep;
105 static struct samldb_ctx *samldb_ctx_init(struct ldb_module *module,
106 struct ldb_request *req)
108 struct ldb_context *ldb;
109 struct samldb_ctx *ac;
111 ldb = ldb_module_get_ctx(module);
113 ac = talloc_zero(req, struct samldb_ctx);
125 static int samldb_add_step(struct samldb_ctx *ac, samldb_step_fn_t fn)
127 struct samldb_step *step, *stepper;
129 step = talloc_zero(ac, struct samldb_step);
131 return LDB_ERR_OPERATIONS_ERROR;
136 if (ac->steps == NULL) {
140 if (ac->curstep == NULL)
141 return LDB_ERR_OPERATIONS_ERROR;
142 for (stepper = ac->curstep; stepper->next != NULL;
143 stepper = stepper->next);
144 stepper->next = step;
150 static int samldb_first_step(struct samldb_ctx *ac)
152 if (ac->steps == NULL) {
153 return LDB_ERR_OPERATIONS_ERROR;
156 ac->curstep = ac->steps;
157 return ac->curstep->fn(ac);
160 static int samldb_next_step(struct samldb_ctx *ac)
162 if (ac->curstep->next) {
163 ac->curstep = ac->curstep->next;
164 return ac->curstep->fn(ac);
167 /* it is an error if the last step does not properly
168 * return to the upper module by itself */
169 return LDB_ERR_OPERATIONS_ERROR;
173 * samldb_get_parent_domain (async)
176 static int samldb_get_parent_domain(struct samldb_ctx *ac);
178 static int samldb_get_parent_domain_callback(struct ldb_request *req,
179 struct ldb_reply *ares)
181 struct ldb_context *ldb;
182 struct samldb_ctx *ac;
186 ac = talloc_get_type(req->context, struct samldb_ctx);
187 ldb = ldb_module_get_ctx(ac->module);
190 ret = LDB_ERR_OPERATIONS_ERROR;
193 if (ares->error != LDB_SUCCESS) {
194 return ldb_module_done(ac->req, ares->controls,
195 ares->response, ares->error);
198 switch (ares->type) {
199 case LDB_REPLY_ENTRY:
201 if ((ac->domain_dn != NULL) || (ac->domain_sid != NULL)) {
203 ldb_set_errstring(ldb,
204 "Invalid number of results while searching "
205 "for domain object!");
206 ret = LDB_ERR_OPERATIONS_ERROR;
210 nextRid = ldb_msg_find_attr_as_string(ares->message,
212 if (nextRid == NULL) {
213 ldb_asprintf_errstring(ldb,
214 "While looking for domain above %s attribute nextRid not found in %s!\n",
215 ldb_dn_get_linearized(
216 ac->req->op.add.message->dn),
217 ldb_dn_get_linearized(ares->message->dn));
218 ret = LDB_ERR_OPERATIONS_ERROR;
222 ac->next_rid = strtol(nextRid, NULL, 0);
224 ac->domain_sid = samdb_result_dom_sid(ac, ares->message,
226 if (ac->domain_sid == NULL) {
227 ldb_set_errstring(ldb,
228 "Unable to get the parent domain SID!\n");
229 ret = LDB_ERR_CONSTRAINT_VIOLATION;
232 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
238 case LDB_REPLY_REFERRAL:
246 if ((ac->domain_dn == NULL) || (ac->domain_sid == NULL)) {
247 /* not found -> retry */
248 ret = samldb_get_parent_domain(ac);
251 ret = samldb_next_step(ac);
257 if (ret != LDB_SUCCESS) {
258 return ldb_module_done(ac->req, NULL, NULL, ret);
264 /* Find a domain object in the parents of a particular DN. */
265 static int samldb_get_parent_domain(struct samldb_ctx *ac)
267 struct ldb_context *ldb;
268 static const char * const attrs[] = { "objectSid", "nextRid", NULL };
269 struct ldb_request *req;
273 ldb = ldb_module_get_ctx(ac->module);
275 if (ac->check_dn == NULL) {
276 return LDB_ERR_OPERATIONS_ERROR;
279 dn = ldb_dn_get_parent(ac, ac->check_dn);
281 ldb_set_errstring(ldb,
282 "Unable to find parent domain object!");
283 return LDB_ERR_CONSTRAINT_VIOLATION;
288 ret = ldb_build_search_req(&req, ldb, ac,
290 "(|(objectClass=domain)"
291 "(objectClass=builtinDomain)"
292 "(objectClass=samba4LocalDomain))",
295 ac, samldb_get_parent_domain_callback,
298 if (ret != LDB_SUCCESS) {
302 return ldb_next_request(ac->module, req);
306 static int samldb_generate_samAccountName(struct ldb_message *msg)
310 /* Format: $000000-000000000000 */
312 name = talloc_asprintf(msg, "$%.6X-%.6X%.6X",
313 (unsigned int)generate_random(),
314 (unsigned int)generate_random(),
315 (unsigned int)generate_random());
317 return LDB_ERR_OPERATIONS_ERROR;
319 return ldb_msg_add_steal_string(msg, "samAccountName", name);
323 * samldb_check_samAccountName (async)
326 static int samldb_check_samAccountName_callback(struct ldb_request *req,
327 struct ldb_reply *ares)
329 struct samldb_ctx *ac;
332 ac = talloc_get_type(req->context, struct samldb_ctx);
334 if (ares->error != LDB_SUCCESS) {
335 return ldb_module_done(ac->req, ares->controls,
336 ares->response, ares->error);
339 switch (ares->type) {
340 case LDB_REPLY_ENTRY:
341 /* if we get an entry it means this samAccountName
343 return ldb_module_done(ac->req, NULL, NULL,
344 LDB_ERR_ENTRY_ALREADY_EXISTS);
346 case LDB_REPLY_REFERRAL:
347 /* this should not happen */
348 return ldb_module_done(ac->req, NULL, NULL,
349 LDB_ERR_OPERATIONS_ERROR);
352 /* not found, go on */
354 ret = samldb_next_step(ac);
358 if (ret != LDB_SUCCESS) {
359 return ldb_module_done(ac->req, NULL, NULL, ret);
365 static int samldb_check_samAccountName(struct samldb_ctx *ac)
367 struct ldb_context *ldb;
368 struct ldb_request *req;
373 ldb = ldb_module_get_ctx(ac->module);
375 if (ldb_msg_find_element(ac->msg, "samAccountName") == NULL) {
376 ret = samldb_generate_samAccountName(ac->msg);
377 if (ret != LDB_SUCCESS) {
382 name = ldb_msg_find_attr_as_string(ac->msg, "samAccountName", NULL);
384 return LDB_ERR_OPERATIONS_ERROR;
386 filter = talloc_asprintf(ac, "samAccountName=%s", ldb_binary_encode_string(ac, name));
387 if (filter == NULL) {
388 return LDB_ERR_OPERATIONS_ERROR;
391 ret = ldb_build_search_req(&req, ldb, ac,
392 ac->domain_dn, LDB_SCOPE_SUBTREE,
395 ac, samldb_check_samAccountName_callback,
398 if (ret != LDB_SUCCESS) {
401 return ldb_next_request(ac->module, req);
405 static int samldb_check_samAccountType(struct samldb_ctx *ac)
407 struct ldb_context *ldb;
408 unsigned int account_type;
409 unsigned int group_type;
413 ldb = ldb_module_get_ctx(ac->module);
415 /* make sure sAMAccountType is not specified */
416 if (ldb_msg_find_element(ac->msg, "sAMAccountType") != NULL) {
417 ldb_asprintf_errstring(ldb,
418 "sAMAccountType must not be specified!");
419 return LDB_ERR_UNWILLING_TO_PERFORM;
422 if (strcmp("user", ac->type) == 0) {
423 uac = samdb_result_uint(ac->msg, "userAccountControl", 0);
425 ldb_asprintf_errstring(ldb,
426 "userAccountControl invalid!");
427 return LDB_ERR_UNWILLING_TO_PERFORM;
429 account_type = ds_uf2atype(uac);
430 ret = samdb_msg_add_uint(ldb,
434 if (ret != LDB_SUCCESS) {
439 if (strcmp("group", ac->type) == 0) {
441 group_type = samdb_result_uint(ac->msg, "groupType", 0);
442 if (group_type == 0) {
443 ldb_asprintf_errstring(ldb,
444 "groupType invalid!");
445 return LDB_ERR_UNWILLING_TO_PERFORM;
447 account_type = ds_gtype2atype(group_type);
448 ret = samdb_msg_add_uint(ldb,
452 if (ret != LDB_SUCCESS) {
458 return samldb_next_step(ac);
463 * samldb_get_sid_domain (async)
466 static int samldb_get_sid_domain_callback(struct ldb_request *req,
467 struct ldb_reply *ares)
469 struct ldb_context *ldb;
470 struct samldb_ctx *ac;
474 ac = talloc_get_type(req->context, struct samldb_ctx);
475 ldb = ldb_module_get_ctx(ac->module);
478 ret = LDB_ERR_OPERATIONS_ERROR;
481 if (ares->error != LDB_SUCCESS) {
482 return ldb_module_done(ac->req, ares->controls,
483 ares->response, ares->error);
486 switch (ares->type) {
487 case LDB_REPLY_ENTRY:
489 if (ac->next_rid != 0) {
491 ldb_set_errstring(ldb,
492 "Invalid number of results while searching "
493 "for domain object!");
494 ret = LDB_ERR_OPERATIONS_ERROR;
498 nextRid = ldb_msg_find_attr_as_string(ares->message,
500 if (nextRid == NULL) {
501 ldb_asprintf_errstring(ldb,
502 "Attribute nextRid not found in %s!\n",
503 ldb_dn_get_linearized(ares->message->dn));
504 ret = LDB_ERR_OPERATIONS_ERROR;
508 ac->next_rid = strtol(nextRid, NULL, 0);
510 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
516 case LDB_REPLY_REFERRAL:
524 if (ac->next_rid == 0) {
525 ldb_asprintf_errstring(ldb,
526 "Unable to get nextRid from domain entry!\n");
527 ret = LDB_ERR_OPERATIONS_ERROR;
532 ret = samldb_next_step(ac);
537 if (ret != LDB_SUCCESS) {
538 return ldb_module_done(ac->req, NULL, NULL, ret);
544 /* Find a domain object in the parents of a particular DN. */
545 static int samldb_get_sid_domain(struct samldb_ctx *ac)
547 struct ldb_context *ldb;
548 static const char * const attrs[2] = { "nextRid", NULL };
549 struct ldb_request *req;
553 ldb = ldb_module_get_ctx(ac->module);
555 if (ac->sid == NULL) {
556 return LDB_ERR_OPERATIONS_ERROR;
559 ac->domain_sid = dom_sid_dup(ac, ac->sid);
560 if (!ac->domain_sid) {
561 return LDB_ERR_OPERATIONS_ERROR;
563 /* get the domain component part of the provided SID */
564 ac->domain_sid->num_auths--;
566 filter = talloc_asprintf(ac, "(&(objectSid=%s)"
567 "(|(objectClass=domain)"
568 "(objectClass=builtinDomain)"
569 "(objectClass=samba4LocalDomain)))",
570 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
571 if (filter == NULL) {
572 return LDB_ERR_OPERATIONS_ERROR;
575 ret = ldb_build_search_req(&req, ldb, ac,
576 ldb_get_default_basedn(ldb),
580 ac, samldb_get_sid_domain_callback,
583 if (ret != LDB_SUCCESS) {
588 return ldb_next_request(ac->module, req);
592 * samldb_dn_from_sid (async)
595 static int samldb_dn_from_sid(struct samldb_ctx *ac);
597 static int samldb_dn_from_sid_callback(struct ldb_request *req,
598 struct ldb_reply *ares)
600 struct ldb_context *ldb;
601 struct samldb_ctx *ac;
604 ac = talloc_get_type(req->context, struct samldb_ctx);
605 ldb = ldb_module_get_ctx(ac->module);
608 ret = LDB_ERR_OPERATIONS_ERROR;
611 if (ares->error != LDB_SUCCESS) {
612 return ldb_module_done(ac->req, ares->controls,
613 ares->response, ares->error);
616 switch (ares->type) {
617 case LDB_REPLY_ENTRY:
619 if (ac->res_dn != NULL) {
621 ldb_set_errstring(ldb,
622 "Invalid number of results while searching "
623 "for domain objects!");
624 ret = LDB_ERR_OPERATIONS_ERROR;
627 ac->res_dn = ldb_dn_copy(ac, ares->message->dn);
633 case LDB_REPLY_REFERRAL:
642 /* found or not found, go on */
643 ret = samldb_next_step(ac);
648 if (ret != LDB_SUCCESS) {
649 return ldb_module_done(ac->req, NULL, NULL, ret);
655 /* Finds the DN "res_dn" of an object with a given SID "sid" */
656 static int samldb_dn_from_sid(struct samldb_ctx *ac)
658 struct ldb_context *ldb;
659 static const char * const attrs[] = { NULL };
660 struct ldb_request *req;
664 ldb = ldb_module_get_ctx(ac->module);
667 return LDB_ERR_OPERATIONS_ERROR;
669 filter = talloc_asprintf(ac, "(objectSid=%s)",
670 ldap_encode_ndr_dom_sid(ac, ac->sid));
672 return LDB_ERR_OPERATIONS_ERROR;
674 ret = ldb_build_search_req(&req, ldb, ac,
675 ldb_get_default_basedn(ldb),
679 ac, samldb_dn_from_sid_callback,
681 if (ret != LDB_SUCCESS)
684 return ldb_next_request(ac->module, req);
688 static int samldb_check_primaryGroupID_1(struct samldb_ctx *ac)
690 struct ldb_context *ldb;
693 ldb = ldb_module_get_ctx(ac->module);
695 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
696 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
698 return LDB_ERR_OPERATIONS_ERROR;
701 return samldb_next_step(ac);
704 static int samldb_check_primaryGroupID_2(struct samldb_ctx *ac)
706 if (ac->res_dn == NULL)
707 return LDB_ERR_UNWILLING_TO_PERFORM;
709 return samldb_next_step(ac);
713 static bool samldb_msg_add_sid(struct ldb_message *msg,
715 const struct dom_sid *sid)
718 enum ndr_err_code ndr_err;
720 ndr_err = ndr_push_struct_blob(&v, msg, NULL, sid,
721 (ndr_push_flags_fn_t)ndr_push_dom_sid);
722 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
725 return (ldb_msg_add_value(msg, name, &v, NULL) == 0);
728 static int samldb_new_sid(struct samldb_ctx *ac)
731 if (ac->domain_sid == NULL || ac->next_rid == 0) {
732 return LDB_ERR_OPERATIONS_ERROR;
735 ac->sid = dom_sid_add_rid(ac, ac->domain_sid, ac->next_rid + 1);
736 if (ac->sid == NULL) {
737 return LDB_ERR_OPERATIONS_ERROR;
740 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
741 return LDB_ERR_OPERATIONS_ERROR;
744 return samldb_next_step(ac);
748 * samldb_notice_sid_callback (async)
751 static int samldb_notice_sid_callback(struct ldb_request *req,
752 struct ldb_reply *ares)
754 struct ldb_context *ldb;
755 struct samldb_ctx *ac;
758 ac = talloc_get_type(req->context, struct samldb_ctx);
759 ldb = ldb_module_get_ctx(ac->module);
762 ret = LDB_ERR_OPERATIONS_ERROR;
765 if (ares->error != LDB_SUCCESS) {
766 return ldb_module_done(ac->req, ares->controls,
767 ares->response, ares->error);
769 if (ares->type != LDB_REPLY_DONE) {
770 ldb_set_errstring(ldb,
771 "Invalid reply type!\n");
772 ret = LDB_ERR_OPERATIONS_ERROR;
776 ret = samldb_next_step(ac);
779 if (ret != LDB_SUCCESS) {
780 return ldb_module_done(ac->req, NULL, NULL, ret);
786 /* If we are adding new users/groups, we need to update the nextRid
787 * attribute to be 'above' the new/incoming RID. Attempt to do it
789 static int samldb_notice_sid(struct samldb_ctx *ac)
791 struct ldb_context *ldb;
792 uint32_t old_id, new_id;
793 struct ldb_request *req;
794 struct ldb_message *msg;
795 struct ldb_message_element *els;
796 struct ldb_val *vals;
799 ldb = ldb_module_get_ctx(ac->module);
800 old_id = ac->next_rid;
801 new_id = ac->sid->sub_auths[ac->sid->num_auths - 1];
803 if (old_id >= new_id) {
804 /* no need to update the domain nextRid attribute */
805 return samldb_next_step(ac);
808 /* we do a delete and add as a single operation. That prevents
809 a race, in case we are not actually on a transaction db */
810 msg = ldb_msg_new(ac);
813 return LDB_ERR_OPERATIONS_ERROR;
815 els = talloc_array(msg, struct ldb_message_element, 2);
818 return LDB_ERR_OPERATIONS_ERROR;
820 vals = talloc_array(msg, struct ldb_val, 2);
823 return LDB_ERR_OPERATIONS_ERROR;
825 msg->dn = ac->domain_dn;
826 msg->num_elements = 2;
829 els[0].num_values = 1;
830 els[0].values = &vals[0];
831 els[0].flags = LDB_FLAG_MOD_DELETE;
832 els[0].name = talloc_strdup(msg, "nextRid");
835 return LDB_ERR_OPERATIONS_ERROR;
838 els[1].num_values = 1;
839 els[1].values = &vals[1];
840 els[1].flags = LDB_FLAG_MOD_ADD;
841 els[1].name = els[0].name;
843 vals[0].data = (uint8_t *)talloc_asprintf(vals, "%u", old_id);
846 return LDB_ERR_OPERATIONS_ERROR;
848 vals[0].length = strlen((char *)vals[0].data);
850 vals[1].data = (uint8_t *)talloc_asprintf(vals, "%u", new_id);
853 return LDB_ERR_OPERATIONS_ERROR;
855 vals[1].length = strlen((char *)vals[1].data);
857 ret = ldb_build_mod_req(&req, ldb, ac,
859 ac, samldb_notice_sid_callback,
861 if (ret != LDB_SUCCESS) {
865 return ldb_next_request(ac->module, req);
869 * samldb_add_entry (async)
872 static int samldb_add_entry_callback(struct ldb_request *req,
873 struct ldb_reply *ares)
875 struct ldb_context *ldb;
876 struct samldb_ctx *ac;
878 ac = talloc_get_type(req->context, struct samldb_ctx);
879 ldb = ldb_module_get_ctx(ac->module);
882 return ldb_module_done(ac->req, NULL, NULL,
883 LDB_ERR_OPERATIONS_ERROR);
885 if (ares->error != LDB_SUCCESS) {
886 return ldb_module_done(ac->req, ares->controls,
887 ares->response, ares->error);
889 if (ares->type != LDB_REPLY_DONE) {
890 ldb_set_errstring(ldb,
891 "Invalid reply type!\n");
892 return ldb_module_done(ac->req, NULL, NULL,
893 LDB_ERR_OPERATIONS_ERROR);
896 /* we exit the samldb module here */
897 return ldb_module_done(ac->req, ares->controls,
898 ares->response, LDB_SUCCESS);
901 static int samldb_add_entry(struct samldb_ctx *ac)
903 struct ldb_context *ldb;
904 struct ldb_request *req;
907 ldb = ldb_module_get_ctx(ac->module);
909 ret = ldb_build_add_req(&req, ldb, ac,
912 ac, samldb_add_entry_callback,
914 if (ret != LDB_SUCCESS) {
918 return ldb_next_request(ac->module, req);
922 static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
924 struct ldb_context *ldb;
927 ldb = ldb_module_get_ctx(ac->module);
929 /* search for a parent domain objet */
930 ac->check_dn = ac->req->op.add.message->dn;
931 ret = samldb_add_step(ac, samldb_get_parent_domain);
932 if (ret != LDB_SUCCESS) return ret;
934 /* Add informations for the different account types */
936 if (strcmp(ac->type, "user") == 0) {
937 ret = samdb_find_or_add_attribute(ldb, ac->msg,
938 "userAccountControl", "546");
939 if (ret != LDB_SUCCESS) return ret;
940 ret = samdb_find_or_add_attribute(ldb, ac->msg,
942 if (ret != LDB_SUCCESS) return ret;
943 ret = samdb_find_or_add_attribute(ldb, ac->msg,
945 if (ret != LDB_SUCCESS) return ret;
946 ret = samdb_find_or_add_attribute(ldb, ac->msg,
948 if (ret != LDB_SUCCESS) return ret;
949 ret = samdb_find_or_add_attribute(ldb, ac->msg,
950 "badPasswordTime", "0");
951 if (ret != LDB_SUCCESS) return ret;
952 ret = samdb_find_or_add_attribute(ldb, ac->msg,
954 if (ret != LDB_SUCCESS) return ret;
955 ret = samdb_find_or_add_attribute(ldb, ac->msg,
957 if (ret != LDB_SUCCESS) return ret;
958 ret = samdb_find_or_add_attribute(ldb, ac->msg,
960 if (ret != LDB_SUCCESS) return ret;
961 ret = samdb_find_or_add_attribute(ldb, ac->msg,
962 "primaryGroupID", "513");
963 if (ret != LDB_SUCCESS) return ret;
964 ret = samdb_find_or_add_attribute(ldb, ac->msg,
965 "accountExpires", "9223372036854775807");
966 if (ret != LDB_SUCCESS) return ret;
967 ret = samdb_find_or_add_attribute(ldb, ac->msg,
969 if (ret != LDB_SUCCESS) return ret;
970 } else if (strcmp(ac->type, "group") == 0) {
971 ret = samdb_find_or_add_attribute(ldb, ac->msg,
972 "groupType", "-2147483646");
973 if (ret != LDB_SUCCESS) return ret;
975 /* we should only have "user" and "group" */
976 ldb_asprintf_errstring(ldb,
977 "Invalid entry type!\n");
978 return LDB_ERR_OPERATIONS_ERROR;
981 /* check if we have a valid samAccountName */
982 ret = samldb_add_step(ac, samldb_check_samAccountName);
983 if (ret != LDB_SUCCESS) return ret;
985 /* check account_type/group_type */
986 ret = samldb_add_step(ac, samldb_check_samAccountType);
987 if (ret != LDB_SUCCESS) return ret;
989 /* check if we have a valid primary group ID */
990 if (strcmp(ac->type, "user") == 0) {
991 ret = samldb_add_step(ac, samldb_check_primaryGroupID_1);
992 if (ret != LDB_SUCCESS) return ret;
993 ret = samldb_add_step(ac, samldb_dn_from_sid);
994 if (ret != LDB_SUCCESS) return ret;
995 ret = samldb_add_step(ac, samldb_check_primaryGroupID_2);
996 if (ret != LDB_SUCCESS) return ret;
999 /* check if we have a valid SID */
1000 ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
1002 ret = samldb_add_step(ac, samldb_new_sid);
1003 if (ret != LDB_SUCCESS) return ret;
1005 ret = samldb_add_step(ac, samldb_get_sid_domain);
1006 if (ret != LDB_SUCCESS) return ret;
1009 ret = samldb_add_step(ac, samldb_notice_sid);
1010 if (ret != LDB_SUCCESS) return ret;
1012 /* finally proceed with adding the entry */
1013 ret = samldb_add_step(ac, samldb_add_entry);
1014 if (ret != LDB_SUCCESS) return ret;
1016 return samldb_first_step(ac);
1020 * samldb_foreign_notice_sid (async)
1023 static int samldb_foreign_notice_sid_callback(struct ldb_request *req,
1024 struct ldb_reply *ares)
1026 struct ldb_context *ldb;
1027 struct samldb_ctx *ac;
1028 const char *nextRid;
1032 ac = talloc_get_type(req->context, struct samldb_ctx);
1033 ldb = ldb_module_get_ctx(ac->module);
1036 ret = LDB_ERR_OPERATIONS_ERROR;
1039 if (ares->error != LDB_SUCCESS) {
1040 return ldb_module_done(ac->req, ares->controls,
1041 ares->response, ares->error);
1044 switch (ares->type) {
1045 case LDB_REPLY_ENTRY:
1047 if (ac->next_rid != 0) {
1049 ldb_set_errstring(ldb,
1050 "Invalid number of results while searching "
1051 "for domain object!");
1052 ret = LDB_ERR_OPERATIONS_ERROR;
1056 nextRid = ldb_msg_find_attr_as_string(ares->message,
1058 if (nextRid == NULL) {
1059 ldb_asprintf_errstring(ldb,
1060 "while looking for forign sid %s attribute nextRid not found in %s\n",
1061 dom_sid_string(ares, ac->sid),
1062 ldb_dn_get_linearized(ares->message->dn));
1063 ret = LDB_ERR_OPERATIONS_ERROR;
1067 ac->next_rid = strtol(nextRid, NULL, 0);
1069 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
1071 name = samdb_result_string(ares->message, "name", NULL);
1072 ldb_debug(ldb, LDB_DEBUG_TRACE,
1073 "NOTE (strange but valid): Adding foreign SID "
1074 "record with SID %s, but this domain (%s) is "
1075 "not foreign in the database",
1076 dom_sid_string(ares, ac->sid), name);
1082 case LDB_REPLY_REFERRAL:
1088 case LDB_REPLY_DONE:
1091 /* if this is a fake foreign SID, notice the SID */
1092 if (ac->domain_dn) {
1093 ret = samldb_notice_sid(ac);
1098 ret = samldb_next_step(ac);
1103 if (ret != LDB_SUCCESS) {
1104 return ldb_module_done(ac->req, NULL, NULL, ret);
1110 /* Find a domain object in the parents of a particular DN. */
1111 static int samldb_foreign_notice_sid(struct samldb_ctx *ac)
1113 struct ldb_context *ldb;
1114 static const char * const attrs[3] = { "nextRid", "name", NULL };
1115 struct ldb_request *req;
1120 ldb = ldb_module_get_ctx(ac->module);
1122 if (ac->sid == NULL) {
1123 return LDB_ERR_OPERATIONS_ERROR;
1126 status = dom_sid_split_rid(ac, ac->sid, &ac->domain_sid, NULL);
1127 if (!NT_STATUS_IS_OK(status)) {
1128 return LDB_ERR_OPERATIONS_ERROR;
1131 filter = talloc_asprintf(ac, "(&(objectSid=%s)(objectclass=domain))",
1132 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
1133 if (filter == NULL) {
1134 return LDB_ERR_OPERATIONS_ERROR;
1137 ret = ldb_build_search_req(&req, ldb, ac,
1138 ldb_get_default_basedn(ldb),
1142 ac, samldb_foreign_notice_sid_callback,
1145 if (ret != LDB_SUCCESS) {
1149 return ldb_next_request(ac->module, req);
1153 static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac)
1155 struct ldb_context *ldb;
1158 ldb = ldb_module_get_ctx(ac->module);
1162 ac->sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
1163 if (ac->sid == NULL) {
1164 ac->sid = dom_sid_parse_talloc(ac->msg,
1165 (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data);
1167 ldb_set_errstring(ldb,
1168 "No valid found SID in "
1169 "ForeignSecurityPrincipal CN!");
1171 return LDB_ERR_CONSTRAINT_VIOLATION;
1173 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
1175 return LDB_ERR_OPERATIONS_ERROR;
1179 /* check if we need to notice this SID */
1180 ret = samldb_add_step(ac, samldb_foreign_notice_sid);
1181 if (ret != LDB_SUCCESS) return ret;
1183 /* finally proceed with adding the entry */
1184 ret = samldb_add_step(ac, samldb_add_entry);
1185 if (ret != LDB_SUCCESS) return ret;
1187 return samldb_first_step(ac);
1190 static int samldb_check_rdn(struct ldb_module *module, struct ldb_dn *dn)
1192 struct ldb_context *ldb;
1193 const char *rdn_name;
1195 ldb = ldb_module_get_ctx(module);
1196 rdn_name = ldb_dn_get_rdn_name(dn);
1198 if (strcasecmp(rdn_name, "cn") != 0) {
1199 ldb_asprintf_errstring(ldb,
1200 "Bad RDN (%s=) for samldb object, "
1201 "should be CN=!\n", rdn_name);
1202 return LDB_ERR_CONSTRAINT_VIOLATION;
1209 * samldb_sid_from_dn (async)
1212 static int samldb_sid_from_dn(struct samldb_ctx *ac);
1214 static int samldb_sid_from_dn_callback(struct ldb_request *req,
1215 struct ldb_reply *ares)
1217 struct ldb_context *ldb;
1218 struct samldb_ctx *ac;
1221 ac = talloc_get_type(req->context, struct samldb_ctx);
1222 ldb = ldb_module_get_ctx(ac->module);
1225 ret = LDB_ERR_OPERATIONS_ERROR;
1228 if (ares->error != LDB_SUCCESS) {
1229 return ldb_module_done(ac->req, ares->controls,
1230 ares->response, ares->error);
1233 switch (ares->type) {
1234 case LDB_REPLY_ENTRY:
1236 if (ac->res_sid != NULL) {
1238 ldb_set_errstring(ldb,
1239 "Invalid number of results while searching "
1240 "for domain objects!");
1241 ret = LDB_ERR_OPERATIONS_ERROR;
1244 ac->res_sid = samdb_result_dom_sid(ac, ares->message,
1251 case LDB_REPLY_REFERRAL:
1257 case LDB_REPLY_DONE:
1260 /* found or not found, go on */
1261 ret = samldb_next_step(ac);
1266 if (ret != LDB_SUCCESS) {
1267 return ldb_module_done(ac->req, NULL, NULL, ret);
1273 /* Finds the SID "res_sid" of an object with a given DN "dn" */
1274 static int samldb_sid_from_dn(struct samldb_ctx *ac)
1276 struct ldb_context *ldb;
1277 static const char * const attrs[] = { "objectSid" };
1278 struct ldb_request *req;
1281 ldb = ldb_module_get_ctx(ac->module);
1284 return LDB_ERR_OPERATIONS_ERROR;
1286 ret = ldb_build_search_req(&req, ldb, ac,
1291 ac, samldb_sid_from_dn_callback,
1293 if (ret != LDB_SUCCESS)
1296 return ldb_next_request(ac->module, req);
1300 * samldb_user_dn_to_prim_group_rid (async)
1303 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac);
1305 static int samldb_user_dn_to_prim_group_rid_callback(struct ldb_request *req,
1306 struct ldb_reply *ares)
1308 struct ldb_context *ldb;
1309 struct samldb_ctx *ac;
1312 ac = talloc_get_type(req->context, struct samldb_ctx);
1313 ldb = ldb_module_get_ctx(ac->module);
1316 ret = LDB_ERR_OPERATIONS_ERROR;
1319 if (ares->error != LDB_SUCCESS) {
1320 return ldb_module_done(ac->req, ares->controls,
1321 ares->response, ares->error);
1324 switch (ares->type) {
1325 case LDB_REPLY_ENTRY:
1327 if (ac->prim_group_rid != 0) {
1329 ldb_set_errstring(ldb,
1330 "Invalid number of results while searching "
1331 "for domain objects!");
1332 ret = LDB_ERR_OPERATIONS_ERROR;
1335 ac->prim_group_rid = samdb_result_uint(ares->message,
1336 "primaryGroupID", ~0);
1342 case LDB_REPLY_REFERRAL:
1348 case LDB_REPLY_DONE:
1350 if (ac->prim_group_rid == 0) {
1351 ldb_asprintf_errstring(ldb,
1352 "Unable to get the primary group RID!\n");
1353 ret = LDB_ERR_OPERATIONS_ERROR;
1358 ret = samldb_next_step(ac);
1363 if (ret != LDB_SUCCESS) {
1364 return ldb_module_done(ac->req, NULL, NULL, ret);
1370 /* Locates the "primaryGroupID" attribute from a certain user specified as
1371 * "user_dn". Saves the result in "prim_group_rid". */
1372 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac)
1374 struct ldb_context *ldb;
1375 static const char * const attrs[] = { "primaryGroupID", NULL };
1376 struct ldb_request *req;
1379 ldb = ldb_module_get_ctx(ac->module);
1381 if (ac->user_dn == NULL)
1382 return LDB_ERR_OPERATIONS_ERROR;
1384 ret = ldb_build_search_req(&req, ldb, ac,
1389 ac, samldb_user_dn_to_prim_group_rid_callback,
1391 if (ret != LDB_SUCCESS)
1394 return ldb_next_request(ac->module, req);
1398 * samldb_prim_group_rid_to_users_cnt (async)
1401 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac);
1403 static int samldb_prim_group_rid_to_users_cnt_callback(struct ldb_request *req,
1404 struct ldb_reply *ares)
1406 struct ldb_context *ldb;
1407 struct samldb_ctx *ac;
1410 ac = talloc_get_type(req->context, struct samldb_ctx);
1411 ldb = ldb_module_get_ctx(ac->module);
1414 ret = LDB_ERR_OPERATIONS_ERROR;
1417 if (ares->error != LDB_SUCCESS) {
1418 return ldb_module_done(ac->req, ares->controls,
1419 ares->response, ares->error);
1422 switch (ares->type) {
1423 case LDB_REPLY_ENTRY:
1431 case LDB_REPLY_REFERRAL:
1437 case LDB_REPLY_DONE:
1440 /* found or not found, go on */
1441 ret = samldb_next_step(ac);
1446 if (ret != LDB_SUCCESS) {
1447 return ldb_module_done(ac->req, NULL, NULL, ret);
1453 /* Finds the amount of users which have the primary group "prim_group_rid" and
1454 * save the result in "users_cnt" */
1455 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac)
1457 struct ldb_context *ldb;
1458 static const char * const attrs[] = { NULL };
1459 struct ldb_request *req;
1463 ldb = ldb_module_get_ctx(ac->module);
1465 if ((ac->prim_group_rid == 0) || (ac->users_cnt != 0))
1466 return LDB_ERR_OPERATIONS_ERROR;
1468 filter = talloc_asprintf(ac, "(&(primaryGroupID=%u)(objectclass=user))",
1469 ac->prim_group_rid);
1471 return LDB_ERR_OPERATIONS_ERROR;
1473 ret = ldb_build_search_req(&req, ldb, ac,
1474 ldb_get_default_basedn(ldb),
1479 samldb_prim_group_rid_to_users_cnt_callback,
1481 if (ret != LDB_SUCCESS)
1484 return ldb_next_request(ac->module, req);
1488 * samldb_group_add_member (async)
1489 * samldb_group_del_member (async)
1492 static int samldb_group_add_del_member_callback(struct ldb_request *req,
1493 struct ldb_reply *ares)
1495 struct ldb_context *ldb;
1496 struct samldb_ctx *ac;
1499 ac = talloc_get_type(req->context, struct samldb_ctx);
1500 ldb = ldb_module_get_ctx(ac->module);
1503 ret = LDB_ERR_OPERATIONS_ERROR;
1506 if (ares->error != LDB_SUCCESS) {
1507 if (ares->error == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1508 /* On error "NO_SUCH_ATTRIBUTE" (delete of an invalid
1509 * "member" attribute) return "UNWILLING_TO_PERFORM" */
1510 ares->error = LDB_ERR_UNWILLING_TO_PERFORM;
1512 return ldb_module_done(ac->req, ares->controls,
1513 ares->response, ares->error);
1515 if (ares->type != LDB_REPLY_DONE) {
1516 ldb_set_errstring(ldb,
1517 "Invalid reply type!\n");
1518 ret = LDB_ERR_OPERATIONS_ERROR;
1522 ret = samldb_next_step(ac);
1525 if (ret != LDB_SUCCESS) {
1526 return ldb_module_done(ac->req, NULL, NULL, ret);
1532 /* Adds a member with DN "member_dn" to a group with DN "group_dn" */
1533 static int samldb_group_add_member(struct samldb_ctx *ac)
1535 struct ldb_context *ldb;
1536 struct ldb_request *req;
1537 struct ldb_message *msg;
1540 ldb = ldb_module_get_ctx(ac->module);
1542 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1543 return LDB_ERR_OPERATIONS_ERROR;
1545 msg = ldb_msg_new(ac);
1546 msg->dn = ac->group_dn;
1547 samdb_msg_add_addval(ldb, ac, msg, "member",
1548 ldb_dn_get_linearized(ac->member_dn));
1550 ret = ldb_build_mod_req(&req, ldb, ac,
1552 ac, samldb_group_add_del_member_callback,
1554 if (ret != LDB_SUCCESS)
1557 return ldb_next_request(ac->module, req);
1560 /* Removes a member with DN "member_dn" from a group with DN "group_dn" */
1561 static int samldb_group_del_member(struct samldb_ctx *ac)
1563 struct ldb_context *ldb;
1564 struct ldb_request *req;
1565 struct ldb_message *msg;
1568 ldb = ldb_module_get_ctx(ac->module);
1570 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1571 return LDB_ERR_OPERATIONS_ERROR;
1573 msg = ldb_msg_new(ac);
1574 msg->dn = ac->group_dn;
1575 samdb_msg_add_delval(ldb, ac, msg, "member",
1576 ldb_dn_get_linearized(ac->member_dn));
1578 ret = ldb_build_mod_req(&req, ldb, ac,
1580 ac, samldb_group_add_del_member_callback,
1582 if (ret != LDB_SUCCESS)
1585 return ldb_next_request(ac->module, req);
1589 static int samldb_prim_group_change_1(struct samldb_ctx *ac)
1591 struct ldb_context *ldb;
1594 ldb = ldb_module_get_ctx(ac->module);
1596 ac->user_dn = ac->msg->dn;
1598 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
1599 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
1600 if (ac->sid == NULL)
1601 return LDB_ERR_OPERATIONS_ERROR;
1604 ac->prim_group_rid = 0;
1606 return samldb_next_step(ac);
1609 static int samldb_prim_group_change_2(struct samldb_ctx *ac)
1611 struct ldb_context *ldb;
1613 ldb = ldb_module_get_ctx(ac->module);
1615 if (ac->res_dn != NULL)
1616 ac->new_prim_group_dn = ac->res_dn;
1618 return LDB_ERR_UNWILLING_TO_PERFORM;
1620 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
1621 ac->prim_group_rid);
1622 if (ac->sid == NULL)
1623 return LDB_ERR_OPERATIONS_ERROR;
1626 return samldb_next_step(ac);
1629 static int samldb_prim_group_change_4(struct samldb_ctx *ac);
1630 static int samldb_prim_group_change_5(struct samldb_ctx *ac);
1631 static int samldb_prim_group_change_6(struct samldb_ctx *ac);
1633 static int samldb_prim_group_change_3(struct samldb_ctx *ac)
1637 if (ac->res_dn != NULL)
1638 ac->old_prim_group_dn = ac->res_dn;
1640 return LDB_ERR_UNWILLING_TO_PERFORM;
1642 /* Only update when the primary group changed */
1643 if (ldb_dn_compare(ac->old_prim_group_dn, ac->new_prim_group_dn) != 0) {
1644 ac->member_dn = ac->user_dn;
1645 /* Remove the "member" attribute of the actual (new) primary
1648 ret = samldb_add_step(ac, samldb_prim_group_change_4);
1649 if (ret != LDB_SUCCESS) return ret;
1651 ret = samldb_add_step(ac, samldb_group_del_member);
1652 if (ret != LDB_SUCCESS) return ret;
1654 /* Add a "member" attribute for the previous primary group */
1656 ret = samldb_add_step(ac, samldb_prim_group_change_5);
1657 if (ret != LDB_SUCCESS) return ret;
1659 ret = samldb_add_step(ac, samldb_group_add_member);
1660 if (ret != LDB_SUCCESS) return ret;
1663 ret = samldb_add_step(ac, samldb_prim_group_change_6);
1664 if (ret != LDB_SUCCESS) return ret;
1666 return samldb_next_step(ac);
1669 static int samldb_prim_group_change_4(struct samldb_ctx *ac)
1671 ac->group_dn = ac->new_prim_group_dn;
1673 return samldb_next_step(ac);
1676 static int samldb_prim_group_change_5(struct samldb_ctx *ac)
1678 ac->group_dn = ac->old_prim_group_dn;
1680 return samldb_next_step(ac);
1683 static int samldb_prim_group_change_6(struct samldb_ctx *ac)
1685 return ldb_next_request(ac->module, ac->req);
1688 static int samldb_prim_group_change(struct samldb_ctx *ac)
1692 /* Finds out the DN of the new primary group */
1694 ret = samldb_add_step(ac, samldb_prim_group_change_1);
1695 if (ret != LDB_SUCCESS) return ret;
1697 ret = samldb_add_step(ac, samldb_dn_from_sid);
1698 if (ret != LDB_SUCCESS) return ret;
1700 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
1701 if (ret != LDB_SUCCESS) return ret;
1703 /* Finds out the DN of the old primary group */
1705 ret = samldb_add_step(ac, samldb_prim_group_change_2);
1706 if (ret != LDB_SUCCESS) return ret;
1708 ret = samldb_add_step(ac, samldb_dn_from_sid);
1709 if (ret != LDB_SUCCESS) return ret;
1711 ret = samldb_add_step(ac, samldb_prim_group_change_3);
1712 if (ret != LDB_SUCCESS) return ret;
1714 return samldb_first_step(ac);
1718 static int samldb_member_check_1(struct samldb_ctx *ac)
1720 struct ldb_context *ldb;
1721 struct ldb_message_element *el;
1723 ldb = ldb_module_get_ctx(ac->module);
1725 el = ldb_msg_find_element(ac->msg, "member");
1727 ac->user_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[ac->cnt]);
1728 if (!ldb_dn_validate(ac->user_dn))
1729 return LDB_ERR_OPERATIONS_ERROR;
1730 ac->prim_group_rid = 0;
1732 return samldb_next_step(ac);
1735 static int samldb_member_check_2(struct samldb_ctx *ac)
1737 struct ldb_context *ldb;
1739 ldb = ldb_module_get_ctx(ac->module);
1741 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
1742 ac->prim_group_rid);
1743 if (ac->sid == NULL)
1744 return LDB_ERR_OPERATIONS_ERROR;
1747 return samldb_next_step(ac);
1750 static int samldb_member_check_3(struct samldb_ctx *ac)
1752 if (ldb_dn_compare(ac->res_dn, ac->msg->dn) == 0)
1753 return LDB_ERR_ENTRY_ALREADY_EXISTS;
1757 return samldb_next_step(ac);
1760 static int samldb_member_check_4(struct samldb_ctx *ac)
1762 return ldb_next_request(ac->module, ac->req);
1765 static int samldb_member_check(struct samldb_ctx *ac)
1767 struct ldb_message_element *el;
1770 el = ldb_msg_find_element(ac->msg, "member");
1772 for (i = 0; i < el->num_values; i++) {
1773 /* Denies to add "member"s to groups which are primary ones
1775 ret = samldb_add_step(ac, samldb_member_check_1);
1776 if (ret != LDB_SUCCESS) return ret;
1778 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
1779 if (ret != LDB_SUCCESS) return ret;
1781 ret = samldb_add_step(ac, samldb_member_check_2);
1782 if (ret != LDB_SUCCESS) return ret;
1784 ret = samldb_add_step(ac, samldb_dn_from_sid);
1785 if (ret != LDB_SUCCESS) return ret;
1787 ret = samldb_add_step(ac, samldb_member_check_3);
1788 if (ret != LDB_SUCCESS) return ret;
1791 ret = samldb_add_step(ac, samldb_member_check_4);
1792 if (ret != LDB_SUCCESS) return ret;
1794 return samldb_first_step(ac);
1798 static int samldb_prim_group_users_check_1(struct samldb_ctx *ac)
1800 ac->dn = ac->req->op.del.dn;
1803 return samldb_next_step(ac);
1806 static int samldb_prim_group_users_check_2(struct samldb_ctx *ac)
1811 if (ac->res_sid == NULL) {
1812 /* No SID - therefore ok here */
1813 return ldb_next_request(ac->module, ac->req);
1815 status = dom_sid_split_rid(ac, ac->res_sid, NULL, &rid);
1816 if (!NT_STATUS_IS_OK(status))
1817 return LDB_ERR_OPERATIONS_ERROR;
1820 /* Special object (security principal?) */
1821 return ldb_next_request(ac->module, ac->req);
1824 ac->prim_group_rid = rid;
1827 return samldb_next_step(ac);
1830 static int samldb_prim_group_users_check_3(struct samldb_ctx *ac)
1832 if (ac->users_cnt > 0)
1833 return LDB_ERR_ENTRY_ALREADY_EXISTS;
1835 return ldb_next_request(ac->module, ac->req);
1838 static int samldb_prim_group_users_check(struct samldb_ctx *ac)
1842 /* Finds out the SID/RID of the domain object */
1844 ret = samldb_add_step(ac, samldb_prim_group_users_check_1);
1845 if (ret != LDB_SUCCESS) return ret;
1847 ret = samldb_add_step(ac, samldb_sid_from_dn);
1848 if (ret != LDB_SUCCESS) return ret;
1850 /* Deny delete requests from groups which are primary ones */
1852 ret = samldb_add_step(ac, samldb_prim_group_users_check_2);
1853 if (ret != LDB_SUCCESS) return ret;
1855 ret = samldb_add_step(ac, samldb_prim_group_rid_to_users_cnt);
1856 if (ret != LDB_SUCCESS) return ret;
1858 ret = samldb_add_step(ac, samldb_prim_group_users_check_3);
1859 if (ret != LDB_SUCCESS) return ret;
1861 return samldb_first_step(ac);
1866 static int samldb_add(struct ldb_module *module, struct ldb_request *req)
1868 struct ldb_context *ldb;
1869 struct samldb_ctx *ac;
1872 ldb = ldb_module_get_ctx(module);
1873 ldb_debug(ldb, LDB_DEBUG_TRACE, "samldb_add_record\n");
1875 /* do not manipulate our control entries */
1876 if (ldb_dn_is_special(req->op.add.message->dn)) {
1877 return ldb_next_request(module, req);
1880 ac = samldb_ctx_init(module, req);
1882 return LDB_ERR_OPERATIONS_ERROR;
1885 /* build the new msg */
1886 ac->msg = ldb_msg_copy(ac, ac->req->op.add.message);
1889 ldb_debug(ldb, LDB_DEBUG_FATAL,
1890 "samldb_add: ldb_msg_copy failed!\n");
1891 return LDB_ERR_OPERATIONS_ERROR;
1894 if (samdb_find_attribute(ldb, ac->msg,
1895 "objectclass", "computer") != NULL) {
1897 /* make sure the computer object also has the 'user'
1898 * objectclass so it will be handled by the next call */
1899 ret = samdb_find_or_add_value(ldb, ac->msg,
1900 "objectclass", "user");
1901 if (ret != LDB_SUCCESS) {
1907 if (samdb_find_attribute(ldb, ac->msg,
1908 "objectclass", "user") != NULL) {
1910 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
1911 if (ret != LDB_SUCCESS) {
1916 return samldb_fill_object(ac, "user");
1919 if (samdb_find_attribute(ldb, ac->msg,
1920 "objectclass", "group") != NULL) {
1922 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
1923 if (ret != LDB_SUCCESS) {
1928 return samldb_fill_object(ac, "group");
1931 /* perhaps a foreignSecurityPrincipal? */
1932 if (samdb_find_attribute(ldb, ac->msg,
1934 "foreignSecurityPrincipal") != NULL) {
1936 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
1937 if (ret != LDB_SUCCESS) {
1942 return samldb_fill_foreignSecurityPrincipal_object(ac);
1947 /* nothing matched, go on */
1948 return ldb_next_request(module, req);
1952 static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
1954 struct ldb_context *ldb;
1955 struct ldb_message *msg;
1956 struct ldb_message_element *el, *el2;
1958 uint32_t account_type;
1960 if (ldb_dn_is_special(req->op.mod.message->dn)) {
1961 /* do not manipulate our control entries */
1962 return ldb_next_request(module, req);
1965 ldb = ldb_module_get_ctx(module);
1967 if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
1968 ldb_asprintf_errstring(ldb,
1969 "sAMAccountType must not be specified!");
1970 return LDB_ERR_UNWILLING_TO_PERFORM;
1973 /* TODO: do not modify original request, create a new one */
1975 el = ldb_msg_find_element(req->op.mod.message, "groupType");
1976 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
1977 uint32_t group_type;
1979 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
1980 req->op.mod.message);
1982 group_type = strtoul((const char *)el->values[0].data, NULL, 0);
1983 account_type = ds_gtype2atype(group_type);
1984 ret = samdb_msg_add_uint(ldb, msg, msg,
1987 if (ret != LDB_SUCCESS) {
1990 el2 = ldb_msg_find_element(msg, "sAMAccountType");
1991 el2->flags = LDB_FLAG_MOD_REPLACE;
1994 el = ldb_msg_find_element(req->op.mod.message, "userAccountControl");
1995 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
1996 uint32_t user_account_control;
1998 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
1999 req->op.mod.message);
2001 user_account_control = strtoul((const char *)el->values[0].data,
2003 account_type = ds_uf2atype(user_account_control);
2004 ret = samdb_msg_add_uint(ldb, msg, msg,
2007 if (ret != LDB_SUCCESS) {
2010 el2 = ldb_msg_find_element(msg, "sAMAccountType");
2011 el2->flags = LDB_FLAG_MOD_REPLACE;
2014 el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
2015 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2016 struct samldb_ctx *ac;
2018 ac = samldb_ctx_init(module, req);
2020 return LDB_ERR_OPERATIONS_ERROR;
2022 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2023 req->op.mod.message);
2025 return samldb_prim_group_change(ac);
2028 el = ldb_msg_find_element(req->op.mod.message, "member");
2029 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2030 struct samldb_ctx *ac;
2032 ac = samldb_ctx_init(module, req);
2034 return LDB_ERR_OPERATIONS_ERROR;
2036 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2037 req->op.mod.message);
2039 return samldb_member_check(ac);
2042 /* nothing matched, go on */
2043 return ldb_next_request(module, req);
2047 static int samldb_delete(struct ldb_module *module, struct ldb_request *req)
2049 struct samldb_ctx *ac;
2051 if (ldb_dn_is_special(req->op.del.dn)) {
2052 /* do not manipulate our control entries */
2053 return ldb_next_request(module, req);
2056 ac = samldb_ctx_init(module, req);
2058 return LDB_ERR_OPERATIONS_ERROR;
2060 return samldb_prim_group_users_check(ac);
2064 static int samldb_init(struct ldb_module *module)
2066 return ldb_next_init(module);
2069 _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = {
2071 .init_context = samldb_init,
2073 .modify = samldb_modify,
2074 .del = samldb_delete