4 LDAP semantics mapping module
6 Copyright (C) Jelmer Vernooij 2005
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 This module relies on ldb_map to do all the real work, but performs
25 some of the trivial mappings between AD semantics and that provided
26 by OpenLDAP and similar servers.
30 #include "ldb/include/ldb_module.h"
31 #include "ldb/ldb_map/ldb_map.h"
33 #include "librpc/gen_ndr/ndr_misc.h"
34 #include "librpc/ndr/libndr.h"
35 #include "dsdb/samdb/samdb.h"
37 struct entryuuid_private {
38 struct ldb_context *ldb;
39 struct ldb_dn **base_dns;
42 static struct ldb_val encode_guid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
45 NTSTATUS status = GUID_from_data_blob(val, &guid);
46 enum ndr_err_code ndr_err;
47 struct ldb_val out = data_blob(NULL, 0);
49 if (!NT_STATUS_IS_OK(status)) {
52 ndr_err = ndr_push_struct_blob(&out, ctx, NULL, &guid,
53 (ndr_push_flags_fn_t)ndr_push_GUID);
54 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
61 static struct ldb_val guid_always_string(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
63 struct ldb_val out = data_blob(NULL, 0);
65 NTSTATUS status = GUID_from_data_blob(val, &guid);
66 if (!NT_STATUS_IS_OK(status)) {
69 return data_blob_string_const(GUID_string(ctx, &guid));
72 static struct ldb_val encode_ns_guid(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
75 NTSTATUS status = NS_GUID_from_string((char *)val->data, &guid);
76 enum ndr_err_code ndr_err;
77 struct ldb_val out = data_blob(NULL, 0);
79 if (!NT_STATUS_IS_OK(status)) {
82 ndr_err = ndr_push_struct_blob(&out, ctx, NULL, &guid,
83 (ndr_push_flags_fn_t)ndr_push_GUID);
84 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
91 static struct ldb_val guid_ns_string(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
93 struct ldb_val out = data_blob(NULL, 0);
95 NTSTATUS status = GUID_from_data_blob(val, &guid);
96 if (!NT_STATUS_IS_OK(status)) {
99 return data_blob_string_const(NS_GUID_string(ctx, &guid));
102 /* The backend holds binary sids, so just copy them back */
103 static struct ldb_val val_copy(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
105 struct ldb_val out = data_blob(NULL, 0);
106 out = ldb_val_dup(ctx, val);
111 /* Ensure we always convert sids into binary, so the backend doesn't have to know about both forms */
112 static struct ldb_val sid_always_binary(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
114 struct ldb_context *ldb = ldb_module_get_ctx(module);
115 struct ldb_val out = data_blob(NULL, 0);
116 const struct ldb_schema_attribute *a = ldb_schema_attribute_by_name(ldb, "objectSid");
118 if (a->syntax->canonicalise_fn(ldb, ctx, val, &out) != LDB_SUCCESS) {
119 return data_blob(NULL, 0);
125 /* Ensure we always convert objectCategory into a DN */
126 static struct ldb_val objectCategory_always_dn(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
128 struct ldb_context *ldb = ldb_module_get_ctx(module);
130 struct ldb_val out = data_blob(NULL, 0);
131 const struct ldb_schema_attribute *a = ldb_schema_attribute_by_name(ldb, "objectCategory");
133 dn = ldb_dn_from_ldb_val(ctx, ldb, val);
134 if (dn && ldb_dn_validate(dn)) {
136 return val_copy(module, ctx, val);
140 if (a->syntax->canonicalise_fn(ldb, ctx, val, &out) != LDB_SUCCESS) {
141 return data_blob(NULL, 0);
147 static struct ldb_val normalise_to_signed32(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
150 /* We've to use "strtoll" here to have the intended overflows.
151 * Otherwise we may get "LONG_MAX" and the conversion is wrong. */
152 int32_t i = (int32_t) strtoll((char *)val->data, NULL, 0);
153 out = data_blob_string_const(talloc_asprintf(ctx, "%d", i));
157 static struct ldb_val usn_to_entryCSN(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
160 unsigned long long usn = strtoull((const char *)val->data, NULL, 10);
161 time_t t = (usn >> 24);
162 out = data_blob_string_const(talloc_asprintf(ctx, "%s#%06x#00#000000", ldb_timestring(ctx, t), (unsigned int)(usn & 0xFFFFFF)));
166 static unsigned long long entryCSN_to_usn_int(TALLOC_CTX *ctx, const struct ldb_val *val)
168 char *entryCSN = talloc_strdup(ctx, (const char *)val->data);
171 unsigned long long usn;
176 p = strchr(entryCSN, '#');
191 usn = strtol(mod_per_sec, NULL, 16);
193 t = ldb_string_to_time(entryCSN);
195 usn = usn | ((unsigned long long)t <<24);
199 static struct ldb_val entryCSN_to_usn(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
202 unsigned long long usn = entryCSN_to_usn_int(ctx, val);
203 out = data_blob_string_const(talloc_asprintf(ctx, "%lld", usn));
207 static struct ldb_val usn_to_timestamp(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
210 unsigned long long usn = strtoull((const char *)val->data, NULL, 10);
211 time_t t = (usn >> 24);
212 out = data_blob_string_const(ldb_timestring(ctx, t));
216 static struct ldb_val timestamp_to_usn(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
220 unsigned long long usn;
222 t = ldb_string_to_time((const char *)val->data);
224 usn = ((unsigned long long)t <<24);
226 out = data_blob_string_const(talloc_asprintf(ctx, "%lld", usn));
231 static const struct ldb_map_attribute entryuuid_attributes[] =
235 .local_name = "objectGUID",
236 .type = LDB_MAP_CONVERT,
239 .remote_name = "entryUUID",
240 .convert_local = guid_always_string,
241 .convert_remote = encode_guid,
247 .local_name = "invocationId",
248 .type = LDB_MAP_CONVERT,
251 .remote_name = "invocationId",
252 .convert_local = guid_always_string,
253 .convert_remote = encode_guid,
259 .local_name = "objectSid",
260 .type = LDB_MAP_CONVERT,
263 .remote_name = "objectSid",
264 .convert_local = sid_always_binary,
265 .convert_remote = val_copy,
270 .local_name = "name",
271 .type = LDB_MAP_RENAME,
274 .remote_name = "samba4RDN"
279 .local_name = "whenCreated",
280 .type = LDB_MAP_RENAME,
283 .remote_name = "createTimestamp"
288 .local_name = "whenChanged",
289 .type = LDB_MAP_RENAME,
292 .remote_name = "modifyTimestamp"
297 .local_name = "objectClasses",
298 .type = LDB_MAP_RENAME,
301 .remote_name = "samba4ObjectClasses"
306 .local_name = "dITContentRules",
307 .type = LDB_MAP_RENAME,
310 .remote_name = "samba4DITContentRules"
315 .local_name = "attributeTypes",
316 .type = LDB_MAP_RENAME,
319 .remote_name = "samba4AttributeTypes"
324 .local_name = "objectCategory",
325 .type = LDB_MAP_CONVERT,
328 .remote_name = "objectCategory",
329 .convert_local = objectCategory_always_dn,
330 .convert_remote = val_copy,
335 .local_name = "distinguishedName",
336 .type = LDB_MAP_RENAME,
339 .remote_name = "entryDN"
344 .local_name = "primaryGroupID",
345 .type = LDB_MAP_CONVERT,
348 .remote_name = "primaryGroupID",
349 .convert_local = normalise_to_signed32,
350 .convert_remote = val_copy,
355 .local_name = "groupType",
356 .type = LDB_MAP_CONVERT,
359 .remote_name = "groupType",
360 .convert_local = normalise_to_signed32,
361 .convert_remote = val_copy,
366 .local_name = "userAccountControl",
367 .type = LDB_MAP_CONVERT,
370 .remote_name = "userAccountControl",
371 .convert_local = normalise_to_signed32,
372 .convert_remote = val_copy,
377 .local_name = "sAMAccountType",
378 .type = LDB_MAP_CONVERT,
381 .remote_name = "sAMAccountType",
382 .convert_local = normalise_to_signed32,
383 .convert_remote = val_copy,
388 .local_name = "systemFlags",
389 .type = LDB_MAP_CONVERT,
392 .remote_name = "systemFlags",
393 .convert_local = normalise_to_signed32,
394 .convert_remote = val_copy,
399 .local_name = "usnChanged",
400 .type = LDB_MAP_CONVERT,
403 .remote_name = "entryCSN",
404 .convert_local = usn_to_entryCSN,
405 .convert_remote = entryCSN_to_usn
410 .local_name = "usnCreated",
411 .type = LDB_MAP_CONVERT,
414 .remote_name = "createTimestamp",
415 .convert_local = usn_to_timestamp,
416 .convert_remote = timestamp_to_usn,
422 .type = LDB_MAP_KEEP,
429 /* This objectClass conflicts with builtin classes on OpenLDAP */
430 const struct ldb_map_objectclass entryuuid_objectclasses[] =
433 .local_name = "subSchema",
434 .remote_name = "samba4SubSchema"
441 /* These things do not show up in wildcard searches in OpenLDAP, but
442 * we need them to show up in the AD-like view */
443 static const char * const entryuuid_wildcard_attributes[] = {
453 static const struct ldb_map_attribute nsuniqueid_attributes[] =
457 .local_name = "objectGUID",
458 .type = LDB_MAP_CONVERT,
461 .remote_name = "nsuniqueid",
462 .convert_local = guid_ns_string,
463 .convert_remote = encode_ns_guid,
469 .local_name = "objectSid",
470 .type = LDB_MAP_CONVERT,
473 .remote_name = "objectSid",
474 .convert_local = sid_always_binary,
475 .convert_remote = val_copy,
480 .local_name = "whenCreated",
481 .type = LDB_MAP_RENAME,
484 .remote_name = "createTimestamp"
489 .local_name = "whenChanged",
490 .type = LDB_MAP_RENAME,
493 .remote_name = "modifyTimestamp"
498 .local_name = "objectCategory",
499 .type = LDB_MAP_CONVERT,
502 .remote_name = "objectCategory",
503 .convert_local = objectCategory_always_dn,
504 .convert_remote = val_copy,
509 .local_name = "distinguishedName",
510 .type = LDB_MAP_RENAME,
513 .remote_name = "entryDN"
518 .local_name = "primaryGroupID",
519 .type = LDB_MAP_CONVERT,
522 .remote_name = "primaryGroupID",
523 .convert_local = normalise_to_signed32,
524 .convert_remote = val_copy,
529 .local_name = "groupType",
530 .type = LDB_MAP_CONVERT,
533 .remote_name = "sambaGroupType",
534 .convert_local = normalise_to_signed32,
535 .convert_remote = val_copy,
540 .local_name = "userAccountControl",
541 .type = LDB_MAP_CONVERT,
544 .remote_name = "userAccountControl",
545 .convert_local = normalise_to_signed32,
546 .convert_remote = val_copy,
551 .local_name = "sAMAccountType",
552 .type = LDB_MAP_CONVERT,
555 .remote_name = "sAMAccountType",
556 .convert_local = normalise_to_signed32,
557 .convert_remote = val_copy,
562 .local_name = "systemFlags",
563 .type = LDB_MAP_CONVERT,
566 .remote_name = "systemFlags",
567 .convert_local = normalise_to_signed32,
568 .convert_remote = val_copy,
573 .local_name = "usnChanged",
574 .type = LDB_MAP_CONVERT,
577 .remote_name = "modifyTimestamp",
578 .convert_local = usn_to_timestamp,
579 .convert_remote = timestamp_to_usn,
584 .local_name = "usnCreated",
585 .type = LDB_MAP_CONVERT,
588 .remote_name = "createTimestamp",
589 .convert_local = usn_to_timestamp,
590 .convert_remote = timestamp_to_usn,
595 .local_name = "unixHomeDirectory",
599 .remote_name = "homeDirectory"
604 .local_name = "pwdLastSet",
608 .remote_name = "sambaPwdLastSet"
613 .local_name = "lastLogon",
617 .remote_name = "sambaLogonTime"
622 .local_name = "lastLogoff",
626 .remote_name = "sambaLogoffTime"
631 .local_name = "badPwdCount",
635 .remote_name = "sambaBadPasswordCount"
640 .local_name = "logonHours",
644 .remote_name = "sambaLogonHours"
649 .local_name = "homeDrive",
653 .remote_name = "sambaHomeDrive"
658 .local_name = "scriptPath",
662 .remote_name = "sambaLogonScript"
667 .local_name = "profilePath",
671 .remote_name = "sambaProfilePath"
676 .local_name = "userWorkstations",
680 .remote_name = "sambaUserWorkstations"
685 .local_name = "homeDirectory",
689 .remote_name = "sambaHomePath"
694 .local_name = "nextRid",
698 .remote_name = "sambaNextRid"
703 .local_name = "privilegeDisplayName",
707 .remote_name = "sambaPrivName"
713 .type = LDB_MAP_KEEP,
720 /* This objectClass conflicts with builtin classes on FDS */
721 const struct ldb_map_objectclass nsuniqueid_objectclasses[] =
724 .local_name = "domain",
725 .remote_name = "samba4Domain"
728 .local_name = "rFC822LocalPart",
729 .remote_name = "samba4RFC822LocalPart"
732 .local_name = "mailRecipient",
733 .remote_name = "samba4MailRecipient"
736 .local_name = "nisMap",
737 .remote_name = "samba4NisMap"
740 .local_name = "person",
741 .remote_name = "samba4Person"
744 .local_name = "organizationalPerson",
745 .remote_name = "samba4OrganizationalPerson"
748 .local_name = "residentialPerson",
749 .remote_name = "samba4ResidentialPerson"
752 .local_name = "inetOrgPerson",
753 .remote_name = "samba4InetOrgPerson"
760 /* These things do not show up in wildcard searches in OpenLDAP, but
761 * we need them to show up in the AD-like view */
762 static const char * const nsuniqueid_wildcard_attributes[] = {
771 /* the context init function */
772 static int entryuuid_init(struct ldb_module *module)
775 ret = ldb_map_init(module, entryuuid_attributes, entryuuid_objectclasses, entryuuid_wildcard_attributes, "samba4Top", NULL);
776 if (ret != LDB_SUCCESS)
779 return ldb_next_init(module);
782 /* the context init function */
783 static int nsuniqueid_init(struct ldb_module *module)
786 ret = ldb_map_init(module, nsuniqueid_attributes, nsuniqueid_objectclasses, nsuniqueid_wildcard_attributes, "extensibleObject", NULL);
787 if (ret != LDB_SUCCESS)
790 return ldb_next_init(module);
793 static int get_seq_callback(struct ldb_request *req,
794 struct ldb_reply *ares)
796 unsigned long long *seq = (unsigned long long *)req->context;
799 return ldb_request_done(req, LDB_ERR_OPERATIONS_ERROR);
801 if (ares->error != LDB_SUCCESS) {
802 return ldb_request_done(req, ares->error);
805 if (ares->type == LDB_REPLY_ENTRY) {
806 struct ldb_message_element *el = ldb_msg_find_element(ares->message, "contextCSN");
808 *seq = entryCSN_to_usn_int(ares, &el->values[0]);
812 if (ares->type == LDB_REPLY_DONE) {
813 return ldb_request_done(req, LDB_SUCCESS);
820 static int entryuuid_sequence_number(struct ldb_module *module, struct ldb_request *req)
822 struct ldb_context *ldb;
824 struct map_private *map_private;
825 struct entryuuid_private *entryuuid_private;
826 unsigned long long seq_num = 0;
827 struct ldb_request *search_req;
829 const struct ldb_control *partition_ctrl;
830 const struct dsdb_control_current_partition *partition;
832 static const char *contextCSN_attr[] = {
836 struct ldb_seqnum_request *seq;
837 struct ldb_seqnum_result *seqr;
838 struct ldb_extended *ext;
840 ldb = ldb_module_get_ctx(module);
842 seq = talloc_get_type(req->op.extended.data, struct ldb_seqnum_request);
844 map_private = talloc_get_type(ldb_module_get_private(module), struct map_private);
846 entryuuid_private = talloc_get_type(map_private->caller_private, struct entryuuid_private);
848 /* All this to get the DN of the parition, so we can search the right thing */
849 partition_ctrl = ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID);
850 if (!partition_ctrl) {
851 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
852 "entryuuid_sequence_number: no current partition control found");
853 return LDB_ERR_CONSTRAINT_VIOLATION;
856 partition = talloc_get_type(partition_ctrl->data,
857 struct dsdb_control_current_partition);
858 SMB_ASSERT(partition && partition->version == DSDB_CONTROL_CURRENT_PARTITION_VERSION);
860 ret = ldb_build_search_req(&search_req, ldb, req,
861 partition->dn, LDB_SCOPE_BASE,
862 NULL, contextCSN_attr, NULL,
863 &seq_num, get_seq_callback,
865 if (ret != LDB_SUCCESS) {
869 ret = ldb_next_request(module, search_req);
871 if (ret == LDB_SUCCESS) {
872 ret = ldb_wait(search_req->handle, LDB_WAIT_ALL);
875 talloc_free(search_req);
876 if (ret != LDB_SUCCESS) {
880 ext = talloc_zero(req, struct ldb_extended);
882 return LDB_ERR_OPERATIONS_ERROR;
884 seqr = talloc_zero(req, struct ldb_seqnum_result);
887 return LDB_ERR_OPERATIONS_ERROR;
889 ext->oid = LDB_EXTENDED_SEQUENCE_NUMBER;
893 case LDB_SEQ_HIGHEST_SEQ:
894 seqr->seq_num = seq_num;
897 seqr->seq_num = seq_num;
900 case LDB_SEQ_HIGHEST_TIMESTAMP:
902 seqr->seq_num = (seq_num >> 24);
907 seqr->flags |= LDB_SEQ_TIMESTAMP_SEQUENCE;
908 seqr->flags |= LDB_SEQ_GLOBAL_SEQUENCE;
910 /* send request done */
911 return ldb_module_done(req, NULL, ext, LDB_SUCCESS);
914 static int entryuuid_extended(struct ldb_module *module, struct ldb_request *req)
916 if (strcmp(req->op.extended.oid, LDB_EXTENDED_SEQUENCE_NUMBER) == 0) {
917 return entryuuid_sequence_number(module, req);
920 return ldb_next_request(module, req);
923 _PUBLIC_ const struct ldb_module_ops ldb_entryuuid_module_ops = {
925 .init_context = entryuuid_init,
926 .extended = entryuuid_extended,
930 _PUBLIC_ const struct ldb_module_ops ldb_nsuniqueid_module_ops = {
931 .name = "nsuniqueid",
932 .init_context = nsuniqueid_init,
933 .extended = entryuuid_extended,