2 ldb database library - ldif handlers for Samba
4 Copyright (C) Andrew Tridgell 2005
5 Copyright (C) Andrew Bartlett 2006-2007
6 ** NOTE! The following LGPL license applies to the ldb
7 ** library. This does NOT imply that all of Samba is released
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public
21 License along with this library; if not, see <http://www.gnu.org/licenses/>.
25 #include "ldb_private.h"
26 #include "ldb_handlers.h"
27 #include "dsdb/samdb/samdb.h"
28 #include "librpc/gen_ndr/ndr_security.h"
29 #include "librpc/gen_ndr/ndr_misc.h"
30 #include "librpc/gen_ndr/ndr_drsblobs.h"
31 #include "libcli/security/security.h"
32 #include "param/param.h"
35 convert a ldif formatted objectSid to a NDR formatted blob
37 static int ldif_read_objectSid(struct ldb_context *ldb, void *mem_ctx,
38 const struct ldb_val *in, struct ldb_val *out)
40 enum ndr_err_code ndr_err;
42 sid = dom_sid_parse_length(mem_ctx, in);
46 ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, sid,
47 (ndr_push_flags_fn_t)ndr_push_dom_sid);
49 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
56 convert a NDR formatted blob to a ldif formatted objectSid
58 static int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx,
59 const struct ldb_val *in, struct ldb_val *out)
62 enum ndr_err_code ndr_err;
64 sid = talloc(mem_ctx, struct dom_sid);
68 ndr_err = ndr_pull_struct_blob_all(in, sid, NULL, sid,
69 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
70 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
74 *out = data_blob_string_const(dom_sid_string(mem_ctx, sid));
76 if (out->data == NULL) {
82 static bool ldb_comparision_objectSid_isString(const struct ldb_val *v)
88 if (strncmp("S-", (const char *)v->data, 2) != 0) return false;
94 compare two objectSids
96 static int ldb_comparison_objectSid(struct ldb_context *ldb, void *mem_ctx,
97 const struct ldb_val *v1, const struct ldb_val *v2)
99 if (ldb_comparision_objectSid_isString(v1) && ldb_comparision_objectSid_isString(v2)) {
100 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
101 } else if (ldb_comparision_objectSid_isString(v1)
102 && !ldb_comparision_objectSid_isString(v2)) {
105 if (ldif_read_objectSid(ldb, mem_ctx, v1, &v) != 0) {
106 /* Perhaps not a string after all */
107 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
109 ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2);
112 } else if (!ldb_comparision_objectSid_isString(v1)
113 && ldb_comparision_objectSid_isString(v2)) {
116 if (ldif_read_objectSid(ldb, mem_ctx, v2, &v) != 0) {
117 /* Perhaps not a string after all */
118 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
120 ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v);
124 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
128 canonicalise a objectSid
130 static int ldb_canonicalise_objectSid(struct ldb_context *ldb, void *mem_ctx,
131 const struct ldb_val *in, struct ldb_val *out)
133 if (ldb_comparision_objectSid_isString(in)) {
134 if (ldif_read_objectSid(ldb, mem_ctx, in, out) != 0) {
135 /* Perhaps not a string after all */
136 return ldb_handler_copy(ldb, mem_ctx, in, out);
140 return ldb_handler_copy(ldb, mem_ctx, in, out);
143 static int extended_dn_read_SID(struct ldb_context *ldb, void *mem_ctx,
144 const struct ldb_val *in, struct ldb_val *out)
147 enum ndr_err_code ndr_err;
148 if (ldb_comparision_objectSid_isString(in)) {
149 if (ldif_read_objectSid(ldb, mem_ctx, in, out) == 0) {
154 /* Perhaps not a string after all */
155 *out = data_blob_talloc(mem_ctx, NULL, in->length/2+1);
161 (*out).length = strhex_to_str((char *)out->data, out->length,
162 (const char *)in->data, in->length);
164 /* Check it looks like a SID */
165 ndr_err = ndr_pull_struct_blob_all(out, mem_ctx, NULL, &sid,
166 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
167 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
174 convert a ldif formatted objectGUID to a NDR formatted blob
176 static int ldif_read_objectGUID(struct ldb_context *ldb, void *mem_ctx,
177 const struct ldb_val *in, struct ldb_val *out)
181 enum ndr_err_code ndr_err;
183 status = GUID_from_data_blob(in, &guid);
184 if (!NT_STATUS_IS_OK(status)) {
188 ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, &guid,
189 (ndr_push_flags_fn_t)ndr_push_GUID);
190 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
197 convert a NDR formatted blob to a ldif formatted objectGUID
199 static int ldif_write_objectGUID(struct ldb_context *ldb, void *mem_ctx,
200 const struct ldb_val *in, struct ldb_val *out)
203 enum ndr_err_code ndr_err;
204 ndr_err = ndr_pull_struct_blob_all(in, mem_ctx, NULL, &guid,
205 (ndr_pull_flags_fn_t)ndr_pull_GUID);
206 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
209 out->data = (uint8_t *)GUID_string(mem_ctx, &guid);
210 if (out->data == NULL) {
213 out->length = strlen((const char *)out->data);
217 static bool ldb_comparision_objectGUID_isString(const struct ldb_val *v)
219 if (v->length != 36 && v->length != 38) return false;
221 /* Might be a GUID string, can't be a binary GUID (fixed 16 bytes) */
225 static int extended_dn_read_GUID(struct ldb_context *ldb, void *mem_ctx,
226 const struct ldb_val *in, struct ldb_val *out)
229 enum ndr_err_code ndr_err;
230 if (in->length == 36 && ldif_read_objectGUID(ldb, mem_ctx, in, out) == 0) {
234 /* Try as 'hex' form */
235 if (in->length != 32) {
239 *out = data_blob_talloc(mem_ctx, NULL, in->length/2+1);
245 (*out).length = strhex_to_str((char *)out->data, out->length,
246 (const char *)in->data, in->length);
248 /* Check it looks like a GUID */
249 ndr_err = ndr_pull_struct_blob_all(out, mem_ctx, NULL, &guid,
250 (ndr_pull_flags_fn_t)ndr_pull_GUID);
251 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
258 compare two objectGUIDs
260 static int ldb_comparison_objectGUID(struct ldb_context *ldb, void *mem_ctx,
261 const struct ldb_val *v1, const struct ldb_val *v2)
263 if (ldb_comparision_objectGUID_isString(v1) && ldb_comparision_objectGUID_isString(v2)) {
264 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
265 } else if (ldb_comparision_objectGUID_isString(v1)
266 && !ldb_comparision_objectGUID_isString(v2)) {
269 if (ldif_read_objectGUID(ldb, mem_ctx, v1, &v) != 0) {
270 /* Perhaps it wasn't a valid string after all */
271 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
273 ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2);
276 } else if (!ldb_comparision_objectGUID_isString(v1)
277 && ldb_comparision_objectGUID_isString(v2)) {
280 if (ldif_read_objectGUID(ldb, mem_ctx, v2, &v) != 0) {
281 /* Perhaps it wasn't a valid string after all */
282 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
284 ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v);
288 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
292 canonicalise a objectGUID
294 static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx,
295 const struct ldb_val *in, struct ldb_val *out)
297 if (ldb_comparision_objectGUID_isString(in)) {
298 if (ldif_read_objectGUID(ldb, mem_ctx, in, out) != 0) {
299 /* Perhaps it wasn't a valid string after all */
300 return ldb_handler_copy(ldb, mem_ctx, in, out);
304 return ldb_handler_copy(ldb, mem_ctx, in, out);
309 convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
311 static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
312 const struct ldb_val *in, struct ldb_val *out)
314 struct security_descriptor *sd;
315 enum ndr_err_code ndr_err;
317 sd = sddl_decode(mem_ctx, (const char *)in->data, NULL);
321 ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, sd,
322 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
324 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
331 convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
333 static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
334 const struct ldb_val *in, struct ldb_val *out)
336 struct security_descriptor *sd;
337 enum ndr_err_code ndr_err;
339 sd = talloc(mem_ctx, struct security_descriptor);
343 /* We can't use ndr_pull_struct_blob_all because this contains relative pointers */
344 ndr_err = ndr_pull_struct_blob(in, sd, NULL, sd,
345 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
346 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
350 out->data = (uint8_t *)sddl_encode(mem_ctx, sd, NULL);
352 if (out->data == NULL) {
355 out->length = strlen((const char *)out->data);
360 canonicalise an objectCategory. We use the short form as the cannoical form:
361 cn=Person,cn=Schema,cn=Configuration,<basedn> becomes 'person'
364 static int ldif_canonicalise_objectCategory(struct ldb_context *ldb, void *mem_ctx,
365 const struct ldb_val *in, struct ldb_val *out)
367 struct ldb_dn *dn1 = NULL;
368 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
369 const struct dsdb_class *sclass;
370 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
372 return LDB_ERR_OPERATIONS_ERROR;
376 *out = data_blob_talloc(mem_ctx, in->data, in->length);
377 if (in->data && !out->data) {
378 return LDB_ERR_OPERATIONS_ERROR;
382 dn1 = ldb_dn_from_ldb_val(tmp_ctx, ldb, in);
383 if ( ! ldb_dn_validate(dn1)) {
384 const char *lDAPDisplayName = talloc_strndup(tmp_ctx, (char *)in->data, in->length);
385 sclass = dsdb_class_by_lDAPDisplayName(schema, lDAPDisplayName);
387 struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb,
388 sclass->defaultObjectCategory);
389 *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn));
390 talloc_free(tmp_ctx);
393 return LDB_ERR_OPERATIONS_ERROR;
397 *out = data_blob_talloc(mem_ctx, in->data, in->length);
398 talloc_free(tmp_ctx);
400 if (in->data && !out->data) {
401 return LDB_ERR_OPERATIONS_ERROR;
406 *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn1));
407 talloc_free(tmp_ctx);
410 return LDB_ERR_OPERATIONS_ERROR;
415 static int ldif_comparison_objectCategory(struct ldb_context *ldb, void *mem_ctx,
416 const struct ldb_val *v1,
417 const struct ldb_val *v2)
421 struct ldb_val v1_canon, v2_canon;
422 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
424 /* I could try and bail if tmp_ctx was NULL, but what return
427 * It seems easier to continue on the NULL context
429 ret1 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v1, &v1_canon);
430 ret2 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v2, &v2_canon);
432 if (ret1 == LDB_SUCCESS && ret2 == LDB_SUCCESS) {
433 ret = data_blob_cmp(&v1_canon, &v2_canon);
435 ret = data_blob_cmp(v1, v2);
437 talloc_free(tmp_ctx);
442 convert a ldif formatted prefixMap to a NDR formatted blob
444 static int ldif_read_prefixMap(struct ldb_context *ldb, void *mem_ctx,
445 const struct ldb_val *in, struct ldb_val *out)
447 struct prefixMapBlob *blob;
448 enum ndr_err_code ndr_err;
449 char *string, *line, *p, *oid;
451 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
453 if (tmp_ctx == NULL) {
457 blob = talloc_zero(tmp_ctx, struct prefixMapBlob);
463 blob->version = PREFIX_MAP_VERSION_DSDB;
465 string = talloc_strndup(mem_ctx, (const char *)in->data, in->length);
466 if (string == NULL) {
472 while (line && line[0]) {
477 p=strchr(line, '\n');
482 /* allow a traling seperator */
487 blob->ctr.dsdb.mappings = talloc_realloc(blob,
488 blob->ctr.dsdb.mappings,
489 struct drsuapi_DsReplicaOIDMapping,
490 blob->ctr.dsdb.num_mappings+1);
491 if (!blob->ctr.dsdb.mappings) {
492 talloc_free(tmp_ctx);
496 blob->ctr.dsdb.mappings[blob->ctr.dsdb.num_mappings].id_prefix = strtoul(line, &oid, 10);
499 talloc_free(tmp_ctx);
503 /* we know there must be at least ":" */
506 blob->ctr.dsdb.mappings[blob->ctr.dsdb.num_mappings].oid.oid
507 = talloc_strdup(blob->ctr.dsdb.mappings, oid);
509 blob->ctr.dsdb.num_mappings++;
511 /* Now look past the terminator we added above */
519 ndr_err = ndr_push_struct_blob(out, mem_ctx,
520 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
522 (ndr_push_flags_fn_t)ndr_push_prefixMapBlob);
523 talloc_free(tmp_ctx);
524 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
531 convert a NDR formatted blob to a ldif formatted prefixMap
533 static int ldif_write_prefixMap(struct ldb_context *ldb, void *mem_ctx,
534 const struct ldb_val *in, struct ldb_val *out)
536 struct prefixMapBlob *blob;
537 enum ndr_err_code ndr_err;
541 blob = talloc(mem_ctx, struct prefixMapBlob);
545 ndr_err = ndr_pull_struct_blob_all(in, blob,
546 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
548 (ndr_pull_flags_fn_t)ndr_pull_prefixMapBlob);
549 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
553 if (blob->version != PREFIX_MAP_VERSION_DSDB) {
556 string = talloc_strdup(mem_ctx, "");
557 if (string == NULL) {
561 for (i=0; i < blob->ctr.dsdb.num_mappings; i++) {
563 string = talloc_asprintf_append(string, ";");
565 string = talloc_asprintf_append(string, "%u:%s",
566 blob->ctr.dsdb.mappings[i].id_prefix,
567 blob->ctr.dsdb.mappings[i].oid.oid);
568 if (string == NULL) {
574 *out = data_blob_string_const(string);
578 static bool ldif_comparision_prefixMap_isString(const struct ldb_val *v)
584 if (IVAL(v->data, 0) == PREFIX_MAP_VERSION_DSDB) {
592 canonicalise a prefixMap
594 static int ldif_canonicalise_prefixMap(struct ldb_context *ldb, void *mem_ctx,
595 const struct ldb_val *in, struct ldb_val *out)
597 if (ldif_comparision_prefixMap_isString(in)) {
598 return ldif_read_prefixMap(ldb, mem_ctx, in, out);
600 return ldb_handler_copy(ldb, mem_ctx, in, out);
603 static int ldif_comparison_prefixMap(struct ldb_context *ldb, void *mem_ctx,
604 const struct ldb_val *v1,
605 const struct ldb_val *v2)
609 struct ldb_val v1_canon, v2_canon;
610 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
612 /* I could try and bail if tmp_ctx was NULL, but what return
615 * It seems easier to continue on the NULL context
617 ret1 = ldif_canonicalise_prefixMap(ldb, tmp_ctx, v1, &v1_canon);
618 ret2 = ldif_canonicalise_prefixMap(ldb, tmp_ctx, v2, &v2_canon);
620 if (ret1 == LDB_SUCCESS && ret2 == LDB_SUCCESS) {
621 ret = data_blob_cmp(&v1_canon, &v2_canon);
623 ret = data_blob_cmp(v1, v2);
625 talloc_free(tmp_ctx);
629 static int extended_dn_write_hex(struct ldb_context *ldb, void *mem_ctx,
630 const struct ldb_val *in, struct ldb_val *out)
632 *out = data_blob_string_const(data_blob_hex_string(mem_ctx, in));
640 #define LDB_SYNTAX_SAMBA_GUID "LDB_SYNTAX_SAMBA_GUID"
641 #define LDB_SYNTAX_SAMBA_OBJECT_CATEGORY "LDB_SYNTAX_SAMBA_OBJECT_CATEGORY"
642 #define LDB_SYNTAX_SAMBA_PREFIX_MAP "LDB_SYNTAX_SAMBA_PREFIX_MAP"
644 static const struct ldb_schema_syntax samba_syntaxes[] = {
646 .name = LDB_SYNTAX_SAMBA_SID,
647 .ldif_read_fn = ldif_read_objectSid,
648 .ldif_write_fn = ldif_write_objectSid,
649 .canonicalise_fn = ldb_canonicalise_objectSid,
650 .comparison_fn = ldb_comparison_objectSid
652 .name = LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR,
653 .ldif_read_fn = ldif_read_ntSecurityDescriptor,
654 .ldif_write_fn = ldif_write_ntSecurityDescriptor,
655 .canonicalise_fn = ldb_handler_copy,
656 .comparison_fn = ldb_comparison_binary
658 .name = LDB_SYNTAX_SAMBA_GUID,
659 .ldif_read_fn = ldif_read_objectGUID,
660 .ldif_write_fn = ldif_write_objectGUID,
661 .canonicalise_fn = ldb_canonicalise_objectGUID,
662 .comparison_fn = ldb_comparison_objectGUID
664 .name = LDB_SYNTAX_SAMBA_OBJECT_CATEGORY,
665 .ldif_read_fn = ldb_handler_copy,
666 .ldif_write_fn = ldb_handler_copy,
667 .canonicalise_fn = ldif_canonicalise_objectCategory,
668 .comparison_fn = ldif_comparison_objectCategory
670 .name = LDB_SYNTAX_SAMBA_PREFIX_MAP,
671 .ldif_read_fn = ldif_read_prefixMap,
672 .ldif_write_fn = ldif_write_prefixMap,
673 .canonicalise_fn = ldif_canonicalise_prefixMap,
674 .comparison_fn = ldif_comparison_prefixMap
678 static const struct ldb_dn_extended_syntax samba_dn_syntax[] = {
681 .read_fn = extended_dn_read_SID,
682 .write_clear_fn = ldif_write_objectSid,
683 .write_hex_fn = extended_dn_write_hex
686 .read_fn = extended_dn_read_GUID,
687 .write_clear_fn = ldif_write_objectGUID,
688 .write_hex_fn = extended_dn_write_hex
691 .read_fn = ldb_handler_copy,
692 .write_clear_fn = ldb_handler_copy,
693 .write_hex_fn = ldb_handler_copy
697 static const struct {
700 } samba_attributes[] = {
701 { "objectSid", LDB_SYNTAX_SAMBA_SID },
702 { "securityIdentifier", LDB_SYNTAX_SAMBA_SID },
703 { "ntSecurityDescriptor", LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR },
704 { "objectGUID", LDB_SYNTAX_SAMBA_GUID },
705 { "invocationId", LDB_SYNTAX_SAMBA_GUID },
706 { "schemaIDGUID", LDB_SYNTAX_SAMBA_GUID },
707 { "attributeSecurityGUID", LDB_SYNTAX_SAMBA_GUID },
708 { "parentGUID", LDB_SYNTAX_SAMBA_GUID },
709 { "siteGUID", LDB_SYNTAX_SAMBA_GUID },
710 { "pKTGUID", LDB_SYNTAX_SAMBA_GUID },
711 { "fRSVersionGUID", LDB_SYNTAX_SAMBA_GUID },
712 { "fRSReplicaSetGUID", LDB_SYNTAX_SAMBA_GUID },
713 { "netbootGUID", LDB_SYNTAX_SAMBA_GUID },
714 { "objectCategory", LDB_SYNTAX_SAMBA_OBJECT_CATEGORY },
715 { "prefixMap", LDB_SYNTAX_SAMBA_PREFIX_MAP }
718 const struct ldb_schema_syntax *ldb_samba_syntax_by_name(struct ldb_context *ldb, const char *name)
721 const struct ldb_schema_syntax *s = NULL;
723 for (j=0; j < ARRAY_SIZE(samba_syntaxes); j++) {
724 if (strcmp(name, samba_syntaxes[j].name) == 0) {
725 s = &samba_syntaxes[j];
732 const struct ldb_schema_syntax *ldb_samba_syntax_by_lDAPDisplayName(struct ldb_context *ldb, const char *name)
735 const struct ldb_schema_syntax *s = NULL;
737 for (j=0; j < ARRAY_SIZE(samba_attributes); j++) {
738 if (strcmp(samba_attributes[j].name, name) == 0) {
739 s = ldb_samba_syntax_by_name(ldb, samba_attributes[j].syntax);
748 register the samba ldif handlers
750 int ldb_register_samba_handlers(struct ldb_context *ldb)
754 for (i=0; i < ARRAY_SIZE(samba_attributes); i++) {
756 const struct ldb_schema_syntax *s = NULL;
758 s = ldb_samba_syntax_by_name(ldb, samba_attributes[i].syntax);
761 s = ldb_standard_syntax_by_name(ldb, samba_attributes[i].syntax);
768 ret = ldb_schema_attribute_add_with_syntax(ldb, samba_attributes[i].name, LDB_ATTR_FLAG_FIXED, s);
769 if (ret != LDB_SUCCESS) {
774 for (i=0; i < ARRAY_SIZE(samba_dn_syntax); i++) {
776 ret = ldb_dn_extended_add_syntax(ldb, LDB_ATTR_FLAG_FIXED, &samba_dn_syntax[i]);
777 if (ret != LDB_SUCCESS) {
git.samba.org / samba.git / blob