2 ldb database library - ldif handlers for Samba
4 Copyright (C) Andrew Tridgell 2005
5 Copyright (C) Andrew Bartlett 2006-2007
6 ** NOTE! The following LGPL license applies to the ldb
7 ** library. This does NOT imply that all of Samba is released
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public
21 License along with this library; if not, see <http://www.gnu.org/licenses/>.
25 #include "lib/ldb/include/ldb_includes.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "librpc/gen_ndr/ndr_security.h"
28 #include "librpc/gen_ndr/ndr_misc.h"
29 #include "librpc/gen_ndr/ndr_drsblobs.h"
30 #include "libcli/security/security.h"
31 #include "param/param.h"
34 convert a ldif formatted objectSid to a NDR formatted blob
36 static int ldif_read_objectSid(struct ldb_context *ldb, void *mem_ctx,
37 const struct ldb_val *in, struct ldb_val *out)
39 enum ndr_err_code ndr_err;
41 sid = dom_sid_parse_talloc(mem_ctx, (const char *)in->data);
45 ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, sid,
46 (ndr_push_flags_fn_t)ndr_push_dom_sid);
48 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
55 convert a NDR formatted blob to a ldif formatted objectSid
57 static int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx,
58 const struct ldb_val *in, struct ldb_val *out)
61 enum ndr_err_code ndr_err;
63 sid = talloc(mem_ctx, struct dom_sid);
67 ndr_err = ndr_pull_struct_blob(in, sid, NULL, sid,
68 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
69 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
73 out->data = (uint8_t *)dom_sid_string(mem_ctx, sid);
75 if (out->data == NULL) {
78 out->length = strlen((const char *)out->data);
82 static bool ldb_comparision_objectSid_isString(const struct ldb_val *v)
88 if (strncmp("S-", (const char *)v->data, 2) != 0) return false;
94 compare two objectSids
96 static int ldb_comparison_objectSid(struct ldb_context *ldb, void *mem_ctx,
97 const struct ldb_val *v1, const struct ldb_val *v2)
99 if (ldb_comparision_objectSid_isString(v1) && ldb_comparision_objectSid_isString(v2)) {
100 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
101 } else if (ldb_comparision_objectSid_isString(v1)
102 && !ldb_comparision_objectSid_isString(v2)) {
105 if (ldif_read_objectSid(ldb, mem_ctx, v1, &v) != 0) {
106 /* Perhaps not a string after all */
107 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
109 ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2);
112 } else if (!ldb_comparision_objectSid_isString(v1)
113 && ldb_comparision_objectSid_isString(v2)) {
116 if (ldif_read_objectSid(ldb, mem_ctx, v2, &v) != 0) {
117 /* Perhaps not a string after all */
118 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
120 ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v);
124 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
128 canonicalise a objectSid
130 static int ldb_canonicalise_objectSid(struct ldb_context *ldb, void *mem_ctx,
131 const struct ldb_val *in, struct ldb_val *out)
133 if (ldb_comparision_objectSid_isString(in)) {
134 if (ldif_read_objectSid(ldb, mem_ctx, in, out) != 0) {
135 /* Perhaps not a string after all */
136 return ldb_handler_copy(ldb, mem_ctx, in, out);
139 return ldb_handler_copy(ldb, mem_ctx, in, out);
143 convert a ldif formatted objectGUID to a NDR formatted blob
145 static int ldif_read_objectGUID(struct ldb_context *ldb, void *mem_ctx,
146 const struct ldb_val *in, struct ldb_val *out)
150 enum ndr_err_code ndr_err;
152 status = GUID_from_string((const char *)in->data, &guid);
153 if (!NT_STATUS_IS_OK(status)) {
157 ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, &guid,
158 (ndr_push_flags_fn_t)ndr_push_GUID);
159 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
166 convert a NDR formatted blob to a ldif formatted objectGUID
168 static int ldif_write_objectGUID(struct ldb_context *ldb, void *mem_ctx,
169 const struct ldb_val *in, struct ldb_val *out)
172 enum ndr_err_code ndr_err;
173 ndr_err = ndr_pull_struct_blob(in, mem_ctx, NULL, &guid,
174 (ndr_pull_flags_fn_t)ndr_pull_GUID);
175 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
178 out->data = (uint8_t *)GUID_string(mem_ctx, &guid);
179 if (out->data == NULL) {
182 out->length = strlen((const char *)out->data);
186 static bool ldb_comparision_objectGUID_isString(const struct ldb_val *v)
191 if (v->length < 33) return false;
193 /* see if the input if null-terninated (safety check for the below) */
194 if (v->data[v->length] != '\0') return false;
196 status = GUID_from_string((const char *)v->data, &guid);
197 if (!NT_STATUS_IS_OK(status)) {
205 compare two objectGUIDs
207 static int ldb_comparison_objectGUID(struct ldb_context *ldb, void *mem_ctx,
208 const struct ldb_val *v1, const struct ldb_val *v2)
210 if (ldb_comparision_objectGUID_isString(v1) && ldb_comparision_objectGUID_isString(v2)) {
211 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
212 } else if (ldb_comparision_objectGUID_isString(v1)
213 && !ldb_comparision_objectGUID_isString(v2)) {
216 if (ldif_read_objectGUID(ldb, mem_ctx, v1, &v) != 0) {
217 /* Perhaps it wasn't a valid string after all */
218 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
220 ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2);
223 } else if (!ldb_comparision_objectGUID_isString(v1)
224 && ldb_comparision_objectGUID_isString(v2)) {
227 if (ldif_read_objectGUID(ldb, mem_ctx, v2, &v) != 0) {
228 /* Perhaps it wasn't a valid string after all */
229 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
231 ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v);
235 return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
239 canonicalise a objectGUID
241 static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx,
242 const struct ldb_val *in, struct ldb_val *out)
244 if (ldb_comparision_objectGUID_isString(in)) {
245 if (ldif_read_objectGUID(ldb, mem_ctx, in, out) != 0) {
246 /* Perhaps it wasn't a valid string after all */
247 return ldb_handler_copy(ldb, mem_ctx, in, out);
250 return ldb_handler_copy(ldb, mem_ctx, in, out);
255 convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
257 static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
258 const struct ldb_val *in, struct ldb_val *out)
260 struct security_descriptor *sd;
261 enum ndr_err_code ndr_err;
263 sd = sddl_decode(mem_ctx, (const char *)in->data, NULL);
267 ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, sd,
268 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
270 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
277 convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
279 static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
280 const struct ldb_val *in, struct ldb_val *out)
282 struct security_descriptor *sd;
283 enum ndr_err_code ndr_err;
285 sd = talloc(mem_ctx, struct security_descriptor);
289 ndr_err = ndr_pull_struct_blob(in, sd, NULL, sd,
290 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
291 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
295 out->data = (uint8_t *)sddl_encode(mem_ctx, sd, NULL);
297 if (out->data == NULL) {
300 out->length = strlen((const char *)out->data);
305 canonicalise an objectCategory. We use the short form as the cannoical form:
306 cn=Person,cn=Schema,cn=Configuration,<basedn> becomes 'person'
309 static int ldif_canonicalise_objectCategory(struct ldb_context *ldb, void *mem_ctx,
310 const struct ldb_val *in, struct ldb_val *out)
312 struct ldb_dn *dn1 = NULL;
313 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
314 const struct dsdb_class *class;
315 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
317 return LDB_ERR_OPERATIONS_ERROR;
321 *out = data_blob_talloc(mem_ctx, in->data, in->length);
322 if (in->data && !out->data) {
323 return LDB_ERR_OPERATIONS_ERROR;
327 dn1 = ldb_dn_new(tmp_ctx, ldb, (char *)in->data);
328 if ( ! ldb_dn_validate(dn1)) {
329 const char *lDAPDisplayName = talloc_strndup(tmp_ctx, (char *)in->data, in->length);
330 class = dsdb_class_by_lDAPDisplayName(schema, lDAPDisplayName);
332 struct ldb_dn *dn = ldb_dn_new(mem_ctx, ldb,
333 class->defaultObjectCategory);
334 *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn));
335 talloc_free(tmp_ctx);
338 return LDB_ERR_OPERATIONS_ERROR;
342 *out = data_blob_talloc(mem_ctx, in->data, in->length);
343 talloc_free(tmp_ctx);
345 if (in->data && !out->data) {
346 return LDB_ERR_OPERATIONS_ERROR;
351 *out = data_blob_string_const(ldb_dn_alloc_casefold(mem_ctx, dn1));
352 talloc_free(tmp_ctx);
355 return LDB_ERR_OPERATIONS_ERROR;
360 static int ldif_comparison_objectCategory(struct ldb_context *ldb, void *mem_ctx,
361 const struct ldb_val *v1,
362 const struct ldb_val *v2)
366 struct ldb_val v1_canon, v2_canon;
367 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
369 /* I could try and bail if tmp_ctx was NULL, but what return
372 * It seems easier to continue on the NULL context
374 ret1 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v1, &v1_canon);
375 ret2 = ldif_canonicalise_objectCategory(ldb, tmp_ctx, v2, &v2_canon);
377 if (ret1 == LDB_SUCCESS && ret2 == LDB_SUCCESS) {
378 ret = data_blob_cmp(&v1_canon, &v2_canon);
380 ret = data_blob_cmp(v1, v2);
382 talloc_free(tmp_ctx);
387 convert a ldif formatted prefixMap to a NDR formatted blob
389 static int ldif_read_prefixMap(struct ldb_context *ldb, void *mem_ctx,
390 const struct ldb_val *in, struct ldb_val *out)
392 struct prefixMapBlob *blob;
393 enum ndr_err_code ndr_err;
394 char *string, *line, *p, *oid;
396 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
398 if (tmp_ctx == NULL) {
402 blob = talloc_zero(tmp_ctx, struct prefixMapBlob);
408 blob->version = PREFIX_MAP_VERSION_DSDB;
410 string = talloc_strndup(mem_ctx, (const char *)in->data, in->length);
411 if (string == NULL) {
417 while (line && line[0]) {
422 p=strchr(line, '\n');
427 /* allow a traling seperator */
432 blob->ctr.dsdb.mappings = talloc_realloc(blob,
433 blob->ctr.dsdb.mappings,
434 struct drsuapi_DsReplicaOIDMapping,
435 blob->ctr.dsdb.num_mappings+1);
436 if (!blob->ctr.dsdb.mappings) {
437 talloc_free(tmp_ctx);
441 blob->ctr.dsdb.mappings[blob->ctr.dsdb.num_mappings].id_prefix = strtoul(line, &oid, 10);
444 talloc_free(tmp_ctx);
448 /* we know there must be at least ":" */
451 blob->ctr.dsdb.mappings[blob->ctr.dsdb.num_mappings].oid.oid
452 = talloc_strdup(blob->ctr.dsdb.mappings, oid);
454 blob->ctr.dsdb.num_mappings++;
456 /* Now look past the terminator we added above */
464 ndr_err = ndr_push_struct_blob(out, mem_ctx,
465 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
467 (ndr_push_flags_fn_t)ndr_push_prefixMapBlob);
468 talloc_free(tmp_ctx);
469 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
476 convert a NDR formatted blob to a ldif formatted prefixMap
478 static int ldif_write_prefixMap(struct ldb_context *ldb, void *mem_ctx,
479 const struct ldb_val *in, struct ldb_val *out)
481 struct prefixMapBlob *blob;
482 enum ndr_err_code ndr_err;
486 blob = talloc(mem_ctx, struct prefixMapBlob);
490 ndr_err = ndr_pull_struct_blob(in, blob,
491 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
493 (ndr_pull_flags_fn_t)ndr_pull_prefixMapBlob);
494 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
498 if (blob->version != PREFIX_MAP_VERSION_DSDB) {
501 string = talloc_strdup(mem_ctx, "");
502 if (string == NULL) {
506 for (i=0; i < blob->ctr.dsdb.num_mappings; i++) {
508 string = talloc_asprintf_append(string, ";");
510 string = talloc_asprintf_append(string, "%u:%s",
511 blob->ctr.dsdb.mappings[i].id_prefix,
512 blob->ctr.dsdb.mappings[i].oid.oid);
513 if (string == NULL) {
519 *out = data_blob_string_const(string);
523 static bool ldif_comparision_prefixMap_isString(const struct ldb_val *v)
529 if (IVAL(v->data, 0) == PREFIX_MAP_VERSION_DSDB) {
537 canonicalise a prefixMap
539 static int ldif_canonicalise_prefixMap(struct ldb_context *ldb, void *mem_ctx,
540 const struct ldb_val *in, struct ldb_val *out)
542 if (ldif_comparision_prefixMap_isString(in)) {
543 return ldif_read_prefixMap(ldb, mem_ctx, in, out);
545 return ldb_handler_copy(ldb, mem_ctx, in, out);
548 static int ldif_comparison_prefixMap(struct ldb_context *ldb, void *mem_ctx,
549 const struct ldb_val *v1,
550 const struct ldb_val *v2)
554 struct ldb_val v1_canon, v2_canon;
555 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
557 /* I could try and bail if tmp_ctx was NULL, but what return
560 * It seems easier to continue on the NULL context
562 ret1 = ldif_canonicalise_prefixMap(ldb, tmp_ctx, v1, &v1_canon);
563 ret2 = ldif_canonicalise_prefixMap(ldb, tmp_ctx, v2, &v2_canon);
565 if (ret1 == LDB_SUCCESS && ret2 == LDB_SUCCESS) {
566 ret = data_blob_cmp(&v1_canon, &v2_canon);
568 ret = data_blob_cmp(v1, v2);
570 talloc_free(tmp_ctx);
574 #define LDB_SYNTAX_SAMBA_GUID "LDB_SYNTAX_SAMBA_GUID"
575 #define LDB_SYNTAX_SAMBA_OBJECT_CATEGORY "LDB_SYNTAX_SAMBA_OBJECT_CATEGORY"
576 #define LDB_SYNTAX_SAMBA_PREFIX_MAP "LDB_SYNTAX_SAMBA_PREFIX_MAP"
578 static const struct ldb_schema_syntax samba_syntaxes[] = {
580 .name = LDB_SYNTAX_SAMBA_SID,
581 .ldif_read_fn = ldif_read_objectSid,
582 .ldif_write_fn = ldif_write_objectSid,
583 .canonicalise_fn= ldb_canonicalise_objectSid,
584 .comparison_fn = ldb_comparison_objectSid
586 .name = LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR,
587 .ldif_read_fn = ldif_read_ntSecurityDescriptor,
588 .ldif_write_fn = ldif_write_ntSecurityDescriptor,
589 .canonicalise_fn= ldb_handler_copy,
590 .comparison_fn = ldb_comparison_binary
592 .name = LDB_SYNTAX_SAMBA_GUID,
593 .ldif_read_fn = ldif_read_objectGUID,
594 .ldif_write_fn = ldif_write_objectGUID,
595 .canonicalise_fn= ldb_canonicalise_objectGUID,
596 .comparison_fn = ldb_comparison_objectGUID
598 .name = LDB_SYNTAX_SAMBA_OBJECT_CATEGORY,
599 .ldif_read_fn = ldb_handler_copy,
600 .ldif_write_fn = ldb_handler_copy,
601 .canonicalise_fn= ldif_canonicalise_objectCategory,
602 .comparison_fn = ldif_comparison_objectCategory
604 .name = LDB_SYNTAX_SAMBA_PREFIX_MAP,
605 .ldif_read_fn = ldif_read_prefixMap,
606 .ldif_write_fn = ldif_write_prefixMap,
607 .canonicalise_fn= ldif_canonicalise_prefixMap,
608 .comparison_fn = ldif_comparison_prefixMap
612 static const struct {
615 } samba_attributes[] = {
616 { "objectSid", LDB_SYNTAX_SAMBA_SID },
617 { "securityIdentifier", LDB_SYNTAX_SAMBA_SID },
618 { "ntSecurityDescriptor", LDB_SYNTAX_SAMBA_SECURITY_DESCRIPTOR },
619 { "objectGUID", LDB_SYNTAX_SAMBA_GUID },
620 { "invocationId", LDB_SYNTAX_SAMBA_GUID },
621 { "schemaIDGUID", LDB_SYNTAX_SAMBA_GUID },
622 { "attributeSecurityGUID", LDB_SYNTAX_SAMBA_GUID },
623 { "parentGUID", LDB_SYNTAX_SAMBA_GUID },
624 { "siteGUID", LDB_SYNTAX_SAMBA_GUID },
625 { "pKTGUID", LDB_SYNTAX_SAMBA_GUID },
626 { "fRSVersionGUID", LDB_SYNTAX_SAMBA_GUID },
627 { "fRSReplicaSetGUID", LDB_SYNTAX_SAMBA_GUID },
628 { "netbootGUID", LDB_SYNTAX_SAMBA_GUID },
629 { "objectCategory", LDB_SYNTAX_SAMBA_OBJECT_CATEGORY },
630 { "prefixMap", LDB_SYNTAX_SAMBA_PREFIX_MAP }
633 const struct ldb_schema_syntax *ldb_samba_syntax_by_name(struct ldb_context *ldb, const char *name)
636 const struct ldb_schema_syntax *s = NULL;
638 for (j=0; j < ARRAY_SIZE(samba_syntaxes); j++) {
639 if (strcmp(name, samba_syntaxes[j].name) == 0) {
640 s = &samba_syntaxes[j];
649 register the samba ldif handlers
651 int ldb_register_samba_handlers(struct ldb_context *ldb)
655 for (i=0; i < ARRAY_SIZE(samba_attributes); i++) {
657 const struct ldb_schema_syntax *s = NULL;
659 s = ldb_samba_syntax_by_name(ldb, samba_attributes[i].syntax);
662 s = ldb_standard_syntax_by_name(ldb, samba_attributes[i].syntax);
669 ret = ldb_schema_attribute_add_with_syntax(ldb, samba_attributes[i].name, LDB_ATTR_FLAG_FIXED, s);
670 if (ret != LDB_SUCCESS) {