4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
8 Copyright (C) Matthieu Patou <mat@samba.org> 2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 * Component: ldb repl_meta_data module
29 * Description: - add a unique objectGUID onto every new record,
30 * - handle whenCreated, whenChanged timestamps
31 * - handle uSNCreated, uSNChanged numbers
32 * - handle replPropertyMetaData attribute
35 * Author: Stefan Metzmacher
39 #include "ldb_module.h"
40 #include "dsdb/samdb/samdb.h"
41 #include "dsdb/common/proto.h"
42 #include "../libds/common/flags.h"
43 #include "librpc/gen_ndr/ndr_misc.h"
44 #include "librpc/gen_ndr/ndr_drsuapi.h"
45 #include "librpc/gen_ndr/ndr_drsblobs.h"
46 #include "param/param.h"
47 #include "libcli/security/security.h"
48 #include "lib/util/dlinklist.h"
49 #include "dsdb/samdb/ldb_modules/util.h"
50 #include "lib/util/binsearch.h"
51 #include "lib/util/tsort.h"
54 * It's 29/12/9999 at 23:59:59 UTC as specified in MS-ADTS 7.1.1.4.2
55 * Deleted Objects Container
57 static const NTTIME DELETED_OBJECT_CONTAINER_CHANGE_TIME = 2650466015990000000ULL;
59 struct replmd_private {
61 struct la_entry *la_list;
63 struct la_backlink *la_backlinks;
65 struct nc_entry *prev, *next;
68 uint64_t mod_usn_urgent;
73 struct la_entry *next, *prev;
74 struct drsuapi_DsReplicaLinkedAttribute *la;
77 struct replmd_replicated_request {
78 struct ldb_module *module;
79 struct ldb_request *req;
81 const struct dsdb_schema *schema;
83 /* the controls we pass down */
84 struct ldb_control **controls;
86 /* details for the mode where we apply a bunch of inbound replication meessages */
88 uint32_t index_current;
89 struct dsdb_extended_replicated_objects *objs;
91 struct ldb_message *search_msg;
97 enum urgent_situation {
98 REPL_URGENT_ON_CREATE = 1,
99 REPL_URGENT_ON_UPDATE = 2,
100 REPL_URGENT_ON_DELETE = 4
104 static const struct {
105 const char *update_name;
106 enum urgent_situation repl_situation;
107 } urgent_objects[] = {
108 {"nTDSDSA", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
109 {"crossRef", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
110 {"attributeSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
111 {"classSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
112 {"secret", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
113 {"rIDManager", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
117 /* Attributes looked for when updating or deleting, to check for a urgent replication needed */
118 static const char *urgent_attrs[] = {
121 "userAccountControl",
126 static bool replmd_check_urgent_objectclass(const struct ldb_message_element *objectclass_el,
127 enum urgent_situation situation)
130 for (i=0; urgent_objects[i].update_name; i++) {
132 if ((situation & urgent_objects[i].repl_situation) == 0) {
136 for (j=0; j<objectclass_el->num_values; j++) {
137 const struct ldb_val *v = &objectclass_el->values[j];
138 if (ldb_attr_cmp((const char *)v->data, urgent_objects[i].update_name) == 0) {
146 static bool replmd_check_urgent_attribute(const struct ldb_message_element *el)
148 if (ldb_attr_in_list(urgent_attrs, el->name)) {
155 static int replmd_replicated_apply_next(struct replmd_replicated_request *ar);
158 initialise the module
159 allocate the private structure and build the list
160 of partition DNs for use by replmd_notify()
162 static int replmd_init(struct ldb_module *module)
164 struct replmd_private *replmd_private;
165 struct ldb_context *ldb = ldb_module_get_ctx(module);
167 replmd_private = talloc_zero(module, struct replmd_private);
168 if (replmd_private == NULL) {
170 return LDB_ERR_OPERATIONS_ERROR;
172 ldb_module_set_private(module, replmd_private);
174 return ldb_next_init(module);
178 cleanup our per-transaction contexts
180 static void replmd_txn_cleanup(struct replmd_private *replmd_private)
182 talloc_free(replmd_private->la_ctx);
183 replmd_private->la_list = NULL;
184 replmd_private->la_ctx = NULL;
186 talloc_free(replmd_private->bl_ctx);
187 replmd_private->la_backlinks = NULL;
188 replmd_private->bl_ctx = NULL;
193 struct la_backlink *next, *prev;
194 const char *attr_name;
195 struct GUID forward_guid, target_guid;
200 process a backlinks we accumulated during a transaction, adding and
201 deleting the backlinks from the target objects
203 static int replmd_process_backlink(struct ldb_module *module, struct la_backlink *bl, struct ldb_request *parent)
205 struct ldb_dn *target_dn, *source_dn;
207 struct ldb_context *ldb = ldb_module_get_ctx(module);
208 struct ldb_message *msg;
209 TALLOC_CTX *tmp_ctx = talloc_new(bl);
215 - construct ldb_message
216 - either an add or a delete
218 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->target_guid, &target_dn, parent);
219 if (ret != LDB_SUCCESS) {
220 DEBUG(2,(__location__ ": WARNING: Failed to find target DN for linked attribute with GUID %s\n",
221 GUID_string(bl, &bl->target_guid)));
225 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->forward_guid, &source_dn, parent);
226 if (ret != LDB_SUCCESS) {
227 ldb_asprintf_errstring(ldb, "Failed to find source DN for linked attribute with GUID %s\n",
228 GUID_string(bl, &bl->forward_guid));
229 talloc_free(tmp_ctx);
233 msg = ldb_msg_new(tmp_ctx);
235 ldb_module_oom(module);
236 talloc_free(tmp_ctx);
237 return LDB_ERR_OPERATIONS_ERROR;
240 /* construct a ldb_message for adding/deleting the backlink */
242 dn_string = ldb_dn_get_extended_linearized(tmp_ctx, source_dn, 1);
244 ldb_module_oom(module);
245 talloc_free(tmp_ctx);
246 return LDB_ERR_OPERATIONS_ERROR;
248 ret = ldb_msg_add_steal_string(msg, bl->attr_name, dn_string);
249 if (ret != LDB_SUCCESS) {
250 talloc_free(tmp_ctx);
253 msg->elements[0].flags = bl->active?LDB_FLAG_MOD_ADD:LDB_FLAG_MOD_DELETE;
255 /* a backlink should never be single valued. Unfortunately the
256 exchange schema has a attribute
257 msExchBridgeheadedLocalConnectorsDNBL which is single
258 valued and a backlink. We need to cope with that by
259 ignoring the single value flag */
260 msg->elements[0].flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
262 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
263 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE && !bl->active) {
264 /* we allow LDB_ERR_NO_SUCH_ATTRIBUTE as success to
265 cope with possible corruption where the backlink has
266 already been removed */
267 DEBUG(3,("WARNING: backlink from %s already removed from %s - %s\n",
268 ldb_dn_get_linearized(target_dn),
269 ldb_dn_get_linearized(source_dn),
270 ldb_errstring(ldb)));
272 } else if (ret != LDB_SUCCESS) {
273 ldb_asprintf_errstring(ldb, "Failed to %s backlink from %s to %s - %s",
274 bl->active?"add":"remove",
275 ldb_dn_get_linearized(source_dn),
276 ldb_dn_get_linearized(target_dn),
278 talloc_free(tmp_ctx);
281 talloc_free(tmp_ctx);
286 add a backlink to the list of backlinks to add/delete in the prepare
289 static int replmd_add_backlink(struct ldb_module *module, const struct dsdb_schema *schema,
290 struct GUID *forward_guid, struct GUID *target_guid,
291 bool active, const struct dsdb_attribute *schema_attr, bool immediate)
293 const struct dsdb_attribute *target_attr;
294 struct la_backlink *bl;
295 struct replmd_private *replmd_private =
296 talloc_get_type_abort(ldb_module_get_private(module), struct replmd_private);
298 target_attr = dsdb_attribute_by_linkID(schema, schema_attr->linkID ^ 1);
301 * windows 2003 has a broken schema where the
302 * definition of msDS-IsDomainFor is missing (which is
303 * supposed to be the backlink of the
304 * msDS-HasDomainNCs attribute
309 /* see if its already in the list */
310 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
311 if (GUID_equal(forward_guid, &bl->forward_guid) &&
312 GUID_equal(target_guid, &bl->target_guid) &&
313 (target_attr->lDAPDisplayName == bl->attr_name ||
314 strcmp(target_attr->lDAPDisplayName, bl->attr_name) == 0)) {
320 /* we found an existing one */
321 if (bl->active == active) {
324 DLIST_REMOVE(replmd_private->la_backlinks, bl);
329 if (replmd_private->bl_ctx == NULL) {
330 replmd_private->bl_ctx = talloc_new(replmd_private);
331 if (replmd_private->bl_ctx == NULL) {
332 ldb_module_oom(module);
333 return LDB_ERR_OPERATIONS_ERROR;
338 bl = talloc(replmd_private->bl_ctx, struct la_backlink);
340 ldb_module_oom(module);
341 return LDB_ERR_OPERATIONS_ERROR;
344 /* Ensure the schema does not go away before the bl->attr_name is used */
345 if (!talloc_reference(bl, schema)) {
347 ldb_module_oom(module);
348 return LDB_ERR_OPERATIONS_ERROR;
351 bl->attr_name = target_attr->lDAPDisplayName;
352 bl->forward_guid = *forward_guid;
353 bl->target_guid = *target_guid;
356 /* the caller may ask for this backlink to be processed
359 int ret = replmd_process_backlink(module, bl, NULL);
364 DLIST_ADD(replmd_private->la_backlinks, bl);
371 * Callback for most write operations in this module:
373 * notify the repl task that a object has changed. The notifies are
374 * gathered up in the replmd_private structure then written to the
375 * @REPLCHANGED object in each partition during the prepare_commit
377 static int replmd_op_callback(struct ldb_request *req, struct ldb_reply *ares)
380 struct replmd_replicated_request *ac =
381 talloc_get_type_abort(req->context, struct replmd_replicated_request);
382 struct replmd_private *replmd_private =
383 talloc_get_type_abort(ldb_module_get_private(ac->module), struct replmd_private);
384 struct nc_entry *modified_partition;
385 struct ldb_control *partition_ctrl;
386 const struct dsdb_control_current_partition *partition;
388 struct ldb_control **controls;
390 partition_ctrl = ldb_reply_get_control(ares, DSDB_CONTROL_CURRENT_PARTITION_OID);
392 controls = ares->controls;
393 if (ldb_request_get_control(ac->req,
394 DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
396 * Remove the current partition control from what we pass up
397 * the chain if it hasn't been requested manually.
399 controls = ldb_controls_except_specified(ares->controls, ares,
403 if (ares->error != LDB_SUCCESS) {
404 DEBUG(5,("%s failure. Error is: %s\n", __FUNCTION__, ldb_strerror(ares->error)));
405 return ldb_module_done(ac->req, controls,
406 ares->response, ares->error);
409 if (ares->type != LDB_REPLY_DONE) {
410 ldb_set_errstring(ldb_module_get_ctx(ac->module), "Invalid reply type for notify\n!");
411 return ldb_module_done(ac->req, NULL,
412 NULL, LDB_ERR_OPERATIONS_ERROR);
415 if (!partition_ctrl) {
416 ldb_set_errstring(ldb_module_get_ctx(ac->module),"No partition control on reply");
417 return ldb_module_done(ac->req, NULL,
418 NULL, LDB_ERR_OPERATIONS_ERROR);
421 partition = talloc_get_type_abort(partition_ctrl->data,
422 struct dsdb_control_current_partition);
424 if (ac->seq_num > 0) {
425 for (modified_partition = replmd_private->ncs; modified_partition;
426 modified_partition = modified_partition->next) {
427 if (ldb_dn_compare(modified_partition->dn, partition->dn) == 0) {
432 if (modified_partition == NULL) {
433 modified_partition = talloc_zero(replmd_private, struct nc_entry);
434 if (!modified_partition) {
435 ldb_oom(ldb_module_get_ctx(ac->module));
436 return ldb_module_done(ac->req, NULL,
437 NULL, LDB_ERR_OPERATIONS_ERROR);
439 modified_partition->dn = ldb_dn_copy(modified_partition, partition->dn);
440 if (!modified_partition->dn) {
441 ldb_oom(ldb_module_get_ctx(ac->module));
442 return ldb_module_done(ac->req, NULL,
443 NULL, LDB_ERR_OPERATIONS_ERROR);
445 DLIST_ADD(replmd_private->ncs, modified_partition);
448 if (ac->seq_num > modified_partition->mod_usn) {
449 modified_partition->mod_usn = ac->seq_num;
451 modified_partition->mod_usn_urgent = ac->seq_num;
456 if (ac->apply_mode) {
460 ret = replmd_replicated_apply_next(ac);
461 if (ret != LDB_SUCCESS) {
462 return ldb_module_done(ac->req, NULL, NULL, ret);
466 /* free the partition control container here, for the
467 * common path. Other cases will have it cleaned up
468 * eventually with the ares */
469 talloc_free(partition_ctrl);
470 return ldb_module_done(ac->req, controls,
471 ares->response, LDB_SUCCESS);
477 * update a @REPLCHANGED record in each partition if there have been
478 * any writes of replicated data in the partition
480 static int replmd_notify_store(struct ldb_module *module, struct ldb_request *parent)
482 struct replmd_private *replmd_private =
483 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
485 while (replmd_private->ncs) {
487 struct nc_entry *modified_partition = replmd_private->ncs;
489 ret = dsdb_module_save_partition_usn(module, modified_partition->dn,
490 modified_partition->mod_usn,
491 modified_partition->mod_usn_urgent, parent);
492 if (ret != LDB_SUCCESS) {
493 DEBUG(0,(__location__ ": Failed to save partition uSN for %s\n",
494 ldb_dn_get_linearized(modified_partition->dn)));
497 DLIST_REMOVE(replmd_private->ncs, modified_partition);
498 talloc_free(modified_partition);
506 created a replmd_replicated_request context
508 static struct replmd_replicated_request *replmd_ctx_init(struct ldb_module *module,
509 struct ldb_request *req)
511 struct ldb_context *ldb;
512 struct replmd_replicated_request *ac;
514 ldb = ldb_module_get_ctx(module);
516 ac = talloc_zero(req, struct replmd_replicated_request);
525 ac->schema = dsdb_get_schema(ldb, ac);
527 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
528 "replmd_modify: no dsdb_schema loaded");
529 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
537 add a time element to a record
539 static int add_time_element(struct ldb_message *msg, const char *attr, time_t t)
541 struct ldb_message_element *el;
545 if (ldb_msg_find_element(msg, attr) != NULL) {
549 s = ldb_timestring(msg, t);
551 return LDB_ERR_OPERATIONS_ERROR;
554 ret = ldb_msg_add_string(msg, attr, s);
555 if (ret != LDB_SUCCESS) {
559 el = ldb_msg_find_element(msg, attr);
560 /* always set as replace. This works because on add ops, the flag
562 el->flags = LDB_FLAG_MOD_REPLACE;
568 add a uint64_t element to a record
570 static int add_uint64_element(struct ldb_context *ldb, struct ldb_message *msg,
571 const char *attr, uint64_t v)
573 struct ldb_message_element *el;
576 if (ldb_msg_find_element(msg, attr) != NULL) {
580 ret = samdb_msg_add_uint64(ldb, msg, msg, attr, v);
581 if (ret != LDB_SUCCESS) {
585 el = ldb_msg_find_element(msg, attr);
586 /* always set as replace. This works because on add ops, the flag
588 el->flags = LDB_FLAG_MOD_REPLACE;
593 static int replmd_replPropertyMetaData1_attid_sort(const struct replPropertyMetaData1 *m1,
594 const struct replPropertyMetaData1 *m2,
595 const uint32_t *rdn_attid)
597 if (m1->attid == m2->attid) {
602 * the rdn attribute should be at the end!
603 * so we need to return a value greater than zero
604 * which means m1 is greater than m2
606 if (m1->attid == *rdn_attid) {
611 * the rdn attribute should be at the end!
612 * so we need to return a value less than zero
613 * which means m2 is greater than m1
615 if (m2->attid == *rdn_attid) {
619 return m1->attid > m2->attid ? 1 : -1;
622 static int replmd_replPropertyMetaDataCtr1_sort(struct replPropertyMetaDataCtr1 *ctr1,
623 const struct dsdb_schema *schema,
626 const char *rdn_name;
627 const struct dsdb_attribute *rdn_sa;
629 rdn_name = ldb_dn_get_rdn_name(dn);
631 DEBUG(0,(__location__ ": No rDN for %s?\n", ldb_dn_get_linearized(dn)));
632 return LDB_ERR_OPERATIONS_ERROR;
635 rdn_sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
636 if (rdn_sa == NULL) {
637 DEBUG(0,(__location__ ": No sa found for rDN %s for %s\n", rdn_name, ldb_dn_get_linearized(dn)));
638 return LDB_ERR_OPERATIONS_ERROR;
641 DEBUG(6,("Sorting rpmd with attid exception %u rDN=%s DN=%s\n",
642 rdn_sa->attributeID_id, rdn_name, ldb_dn_get_linearized(dn)));
644 LDB_TYPESAFE_QSORT(ctr1->array, ctr1->count, &rdn_sa->attributeID_id, replmd_replPropertyMetaData1_attid_sort);
649 static int replmd_ldb_message_element_attid_sort(const struct ldb_message_element *e1,
650 const struct ldb_message_element *e2,
651 const struct dsdb_schema *schema)
653 const struct dsdb_attribute *a1;
654 const struct dsdb_attribute *a2;
657 * TODO: make this faster by caching the dsdb_attribute pointer
658 * on the ldb_messag_element
661 a1 = dsdb_attribute_by_lDAPDisplayName(schema, e1->name);
662 a2 = dsdb_attribute_by_lDAPDisplayName(schema, e2->name);
665 * TODO: remove this check, we should rely on e1 and e2 having valid attribute names
669 return strcasecmp(e1->name, e2->name);
671 if (a1->attributeID_id == a2->attributeID_id) {
674 return a1->attributeID_id > a2->attributeID_id ? 1 : -1;
677 static void replmd_ldb_message_sort(struct ldb_message *msg,
678 const struct dsdb_schema *schema)
680 LDB_TYPESAFE_QSORT(msg->elements, msg->num_elements, schema, replmd_ldb_message_element_attid_sort);
683 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
684 const struct GUID *invocation_id, uint64_t seq_num,
685 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted);
689 fix up linked attributes in replmd_add.
690 This involves setting up the right meta-data in extended DN
691 components, and creating backlinks to the object
693 static int replmd_add_fix_la(struct ldb_module *module, struct ldb_message_element *el,
694 uint64_t seq_num, const struct GUID *invocationId, time_t t,
695 struct GUID *guid, const struct dsdb_attribute *sa, struct ldb_request *parent)
698 TALLOC_CTX *tmp_ctx = talloc_new(el->values);
699 struct ldb_context *ldb = ldb_module_get_ctx(module);
701 /* We will take a reference to the schema in replmd_add_backlink */
702 const struct dsdb_schema *schema = dsdb_get_schema(ldb, NULL);
705 unix_to_nt_time(&now, t);
707 for (i=0; i<el->num_values; i++) {
708 struct ldb_val *v = &el->values[i];
709 struct dsdb_dn *dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, v, sa->syntax->ldap_oid);
710 struct GUID target_guid;
714 /* note that the DN already has the extended
715 components from the extended_dn_store module */
716 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
717 if (!NT_STATUS_IS_OK(status) || GUID_all_zero(&target_guid)) {
718 ret = dsdb_module_guid_by_dn(module, dsdb_dn->dn, &target_guid, parent);
719 if (ret != LDB_SUCCESS) {
720 talloc_free(tmp_ctx);
723 ret = dsdb_set_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
724 if (ret != LDB_SUCCESS) {
725 talloc_free(tmp_ctx);
730 ret = replmd_build_la_val(el->values, v, dsdb_dn, invocationId,
731 seq_num, seq_num, now, 0, false);
732 if (ret != LDB_SUCCESS) {
733 talloc_free(tmp_ctx);
737 ret = replmd_add_backlink(module, schema, guid, &target_guid, true, sa, false);
738 if (ret != LDB_SUCCESS) {
739 talloc_free(tmp_ctx);
744 talloc_free(tmp_ctx);
750 intercept add requests
752 static int replmd_add(struct ldb_module *module, struct ldb_request *req)
754 struct ldb_context *ldb;
755 struct ldb_control *control;
756 struct replmd_replicated_request *ac;
757 enum ndr_err_code ndr_err;
758 struct ldb_request *down_req;
759 struct ldb_message *msg;
760 const DATA_BLOB *guid_blob;
762 struct replPropertyMetaDataBlob nmd;
763 struct ldb_val nmd_value;
764 const struct GUID *our_invocation_id;
765 time_t t = time(NULL);
770 unsigned int functional_level;
772 bool allow_add_guid = false;
773 bool remove_current_guid = false;
774 bool is_urgent = false;
775 struct ldb_message_element *objectclass_el;
777 /* check if there's a show relax control (used by provision to say 'I know what I'm doing') */
778 control = ldb_request_get_control(req, LDB_CONTROL_RELAX_OID);
780 allow_add_guid = true;
783 /* do not manipulate our control entries */
784 if (ldb_dn_is_special(req->op.add.message->dn)) {
785 return ldb_next_request(module, req);
788 ldb = ldb_module_get_ctx(module);
790 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_add\n");
792 guid_blob = ldb_msg_find_ldb_val(req->op.add.message, "objectGUID");
793 if (guid_blob != NULL) {
794 if (!allow_add_guid) {
795 ldb_set_errstring(ldb,
796 "replmd_add: it's not allowed to add an object with objectGUID!");
797 return LDB_ERR_UNWILLING_TO_PERFORM;
799 NTSTATUS status = GUID_from_data_blob(guid_blob,&guid);
800 if (!NT_STATUS_IS_OK(status)) {
801 ldb_set_errstring(ldb,
802 "replmd_add: Unable to parse the 'objectGUID' as a GUID!");
803 return LDB_ERR_UNWILLING_TO_PERFORM;
805 /* we remove this attribute as it can be a string and
806 * will not be treated correctly and then we will re-add
807 * it later on in the good format */
808 remove_current_guid = true;
812 guid = GUID_random();
815 ac = replmd_ctx_init(module, req);
817 return ldb_module_oom(module);
820 functional_level = dsdb_functional_level(ldb);
822 /* Get a sequence number from the backend */
823 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ac->seq_num);
824 if (ret != LDB_SUCCESS) {
829 /* get our invocationId */
830 our_invocation_id = samdb_ntds_invocation_id(ldb);
831 if (!our_invocation_id) {
832 ldb_debug_set(ldb, LDB_DEBUG_ERROR,
833 "replmd_add: unable to find invocationId\n");
835 return LDB_ERR_OPERATIONS_ERROR;
838 /* we have to copy the message as the caller might have it as a const */
839 msg = ldb_msg_copy_shallow(ac, req->op.add.message);
843 return LDB_ERR_OPERATIONS_ERROR;
846 /* generated times */
847 unix_to_nt_time(&now, t);
848 time_str = ldb_timestring(msg, t);
852 return LDB_ERR_OPERATIONS_ERROR;
854 if (remove_current_guid) {
855 ldb_msg_remove_attr(msg,"objectGUID");
859 * remove autogenerated attributes
861 ldb_msg_remove_attr(msg, "whenCreated");
862 ldb_msg_remove_attr(msg, "whenChanged");
863 ldb_msg_remove_attr(msg, "uSNCreated");
864 ldb_msg_remove_attr(msg, "uSNChanged");
865 ldb_msg_remove_attr(msg, "replPropertyMetaData");
868 * readd replicated attributes
870 ret = ldb_msg_add_string(msg, "whenCreated", time_str);
871 if (ret != LDB_SUCCESS) {
877 /* build the replication meta_data */
880 nmd.ctr.ctr1.count = msg->num_elements;
881 nmd.ctr.ctr1.array = talloc_array(msg,
882 struct replPropertyMetaData1,
884 if (!nmd.ctr.ctr1.array) {
887 return LDB_ERR_OPERATIONS_ERROR;
890 for (i=0; i < msg->num_elements; i++) {
891 struct ldb_message_element *e = &msg->elements[i];
892 struct replPropertyMetaData1 *m = &nmd.ctr.ctr1.array[ni];
893 const struct dsdb_attribute *sa;
895 if (e->name[0] == '@') continue;
897 sa = dsdb_attribute_by_lDAPDisplayName(ac->schema, e->name);
899 ldb_debug_set(ldb, LDB_DEBUG_ERROR,
900 "replmd_add: attribute '%s' not defined in schema\n",
903 return LDB_ERR_NO_SUCH_ATTRIBUTE;
906 if ((sa->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (sa->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
907 /* if the attribute is not replicated (0x00000001)
908 * or constructed (0x00000004) it has no metadata
913 if (sa->linkID != 0 && functional_level > DS_DOMAIN_FUNCTION_2000) {
914 ret = replmd_add_fix_la(module, e, ac->seq_num, our_invocation_id, t, &guid, sa, req);
915 if (ret != LDB_SUCCESS) {
919 /* linked attributes are not stored in
920 replPropertyMetaData in FL above w2k */
924 m->attid = sa->attributeID_id;
926 if (m->attid == 0x20030) {
927 const struct ldb_val *rdn_val = ldb_dn_get_rdn_val(msg->dn);
930 if (rdn_val == NULL) {
933 return LDB_ERR_OPERATIONS_ERROR;
936 rdn = (const char*)rdn_val->data;
937 if (strcmp(rdn, "Deleted Objects") == 0) {
939 * Set the originating_change_time to 29/12/9999 at 23:59:59
940 * as specified in MS-ADTS 7.1.1.4.2 Deleted Objects Container
942 m->originating_change_time = DELETED_OBJECT_CONTAINER_CHANGE_TIME;
944 m->originating_change_time = now;
947 m->originating_change_time = now;
949 m->originating_invocation_id = *our_invocation_id;
950 m->originating_usn = ac->seq_num;
951 m->local_usn = ac->seq_num;
955 /* fix meta data count */
956 nmd.ctr.ctr1.count = ni;
959 * sort meta data array, and move the rdn attribute entry to the end
961 ret = replmd_replPropertyMetaDataCtr1_sort(&nmd.ctr.ctr1, ac->schema, msg->dn);
962 if (ret != LDB_SUCCESS) {
967 /* generated NDR encoded values */
968 ndr_err = ndr_push_struct_blob(&nmd_value, msg,
970 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
971 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
974 return LDB_ERR_OPERATIONS_ERROR;
978 * add the autogenerated values
980 ret = dsdb_msg_add_guid(msg, &guid, "objectGUID");
981 if (ret != LDB_SUCCESS) {
986 ret = ldb_msg_add_string(msg, "whenChanged", time_str);
987 if (ret != LDB_SUCCESS) {
992 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ac->seq_num);
993 if (ret != LDB_SUCCESS) {
998 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ac->seq_num);
999 if (ret != LDB_SUCCESS) {
1004 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
1005 if (ret != LDB_SUCCESS) {
1012 * sort the attributes by attid before storing the object
1014 replmd_ldb_message_sort(msg, ac->schema);
1016 objectclass_el = ldb_msg_find_element(msg, "objectClass");
1017 is_urgent = replmd_check_urgent_objectclass(objectclass_el,
1018 REPL_URGENT_ON_CREATE);
1020 ac->is_urgent = is_urgent;
1021 ret = ldb_build_add_req(&down_req, ldb, ac,
1024 ac, replmd_op_callback,
1027 LDB_REQ_SET_LOCATION(down_req);
1028 if (ret != LDB_SUCCESS) {
1033 /* current partition control is needed by "replmd_op_callback" */
1034 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
1035 ret = ldb_request_add_control(down_req,
1036 DSDB_CONTROL_CURRENT_PARTITION_OID,
1038 if (ret != LDB_SUCCESS) {
1044 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
1045 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
1046 if (ret != LDB_SUCCESS) {
1052 /* mark the control done */
1054 control->critical = 0;
1057 /* go on with the call chain */
1058 return ldb_next_request(module, down_req);
1063 * update the replPropertyMetaData for one element
1065 static int replmd_update_rpmd_element(struct ldb_context *ldb,
1066 struct ldb_message *msg,
1067 struct ldb_message_element *el,
1068 struct ldb_message_element *old_el,
1069 struct replPropertyMetaDataBlob *omd,
1070 const struct dsdb_schema *schema,
1072 const struct GUID *our_invocation_id,
1074 struct ldb_request *req)
1077 const struct dsdb_attribute *a;
1078 struct replPropertyMetaData1 *md1;
1080 a = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
1082 if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
1083 /* allow this to make it possible for dbcheck
1084 to remove bad attributes */
1088 DEBUG(0,(__location__ ": Unable to find attribute %s in schema\n",
1090 return LDB_ERR_OPERATIONS_ERROR;
1093 if ((a->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (a->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
1097 /* if the attribute's value haven't changed then return LDB_SUCCESS
1098 * Unless we have the provision control or if the attribute is
1099 * interSiteTopologyGenerator as this page explain: http://support.microsoft.com/kb/224815
1100 * this attribute is periodicaly written by the DC responsible for the intersite generation
1103 if (old_el != NULL && ldb_msg_element_compare(el, old_el) == 0) {
1104 if (strcmp(el->name, "interSiteTopologyGenerator") != 0 &&
1105 !ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID)) {
1107 * allow this to make it possible for dbcheck
1108 * to rebuild broken metadata
1114 for (i=0; i<omd->ctr.ctr1.count; i++) {
1115 if (a->attributeID_id == omd->ctr.ctr1.array[i].attid) break;
1118 if (a->linkID != 0 && dsdb_functional_level(ldb) > DS_DOMAIN_FUNCTION_2000) {
1119 /* linked attributes are not stored in
1120 replPropertyMetaData in FL above w2k, but we do
1121 raise the seqnum for the object */
1122 if (*seq_num == 0 &&
1123 ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num) != LDB_SUCCESS) {
1124 return LDB_ERR_OPERATIONS_ERROR;
1129 if (i == omd->ctr.ctr1.count) {
1130 /* we need to add a new one */
1131 omd->ctr.ctr1.array = talloc_realloc(msg, omd->ctr.ctr1.array,
1132 struct replPropertyMetaData1, omd->ctr.ctr1.count+1);
1133 if (omd->ctr.ctr1.array == NULL) {
1135 return LDB_ERR_OPERATIONS_ERROR;
1137 omd->ctr.ctr1.count++;
1138 ZERO_STRUCT(omd->ctr.ctr1.array[i]);
1141 /* Get a new sequence number from the backend. We only do this
1142 * if we have a change that requires a new
1143 * replPropertyMetaData element
1145 if (*seq_num == 0) {
1146 int ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num);
1147 if (ret != LDB_SUCCESS) {
1148 return LDB_ERR_OPERATIONS_ERROR;
1152 md1 = &omd->ctr.ctr1.array[i];
1154 md1->attid = a->attributeID_id;
1155 if (md1->attid == 0x20030) {
1156 const struct ldb_val *rdn_val = ldb_dn_get_rdn_val(msg->dn);
1159 if (rdn_val == NULL) {
1161 return LDB_ERR_OPERATIONS_ERROR;
1164 rdn = (const char*)rdn_val->data;
1165 if (strcmp(rdn, "Deleted Objects") == 0) {
1167 * Set the originating_change_time to 29/12/9999 at 23:59:59
1168 * as specified in MS-ADTS 7.1.1.4.2 Deleted Objects Container
1170 md1->originating_change_time = DELETED_OBJECT_CONTAINER_CHANGE_TIME;
1172 md1->originating_change_time = now;
1175 md1->originating_change_time = now;
1177 md1->originating_invocation_id = *our_invocation_id;
1178 md1->originating_usn = *seq_num;
1179 md1->local_usn = *seq_num;
1184 static uint64_t find_max_local_usn(struct replPropertyMetaDataBlob omd)
1186 uint32_t count = omd.ctr.ctr1.count;
1189 for (i=0; i < count; i++) {
1190 struct replPropertyMetaData1 m = omd.ctr.ctr1.array[i];
1191 if (max < m.local_usn) {
1199 * update the replPropertyMetaData object each time we modify an
1200 * object. This is needed for DRS replication, as the merge on the
1201 * client is based on this object
1203 static int replmd_update_rpmd(struct ldb_module *module,
1204 const struct dsdb_schema *schema,
1205 struct ldb_request *req,
1206 const char * const *rename_attrs,
1207 struct ldb_message *msg, uint64_t *seq_num,
1209 bool *is_urgent, bool *rodc)
1211 const struct ldb_val *omd_value;
1212 enum ndr_err_code ndr_err;
1213 struct replPropertyMetaDataBlob omd;
1216 const struct GUID *our_invocation_id;
1218 const char * const *attrs = NULL;
1219 const char * const attrs1[] = { "replPropertyMetaData", "*", NULL };
1220 const char * const attrs2[] = { "uSNChanged", "objectClass", "instanceType", NULL };
1221 struct ldb_result *res;
1222 struct ldb_context *ldb;
1223 struct ldb_message_element *objectclass_el;
1224 enum urgent_situation situation;
1225 bool rmd_is_provided;
1228 attrs = rename_attrs;
1233 ldb = ldb_module_get_ctx(module);
1235 our_invocation_id = samdb_ntds_invocation_id(ldb);
1236 if (!our_invocation_id) {
1237 /* this happens during an initial vampire while
1238 updating the schema */
1239 DEBUG(5,("No invocationID - skipping replPropertyMetaData update\n"));
1243 unix_to_nt_time(&now, t);
1245 if (ldb_request_get_control(req, DSDB_CONTROL_CHANGEREPLMETADATA_OID)) {
1246 rmd_is_provided = true;
1248 rmd_is_provided = false;
1251 /* if isDeleted is present and is TRUE, then we consider we are deleting,
1252 * otherwise we consider we are updating */
1253 if (ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")) {
1254 situation = REPL_URGENT_ON_DELETE;
1255 } else if (rename_attrs) {
1256 situation = REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE;
1258 situation = REPL_URGENT_ON_UPDATE;
1261 if (rmd_is_provided) {
1262 /* In this case the change_replmetadata control was supplied */
1263 /* We check that it's the only attribute that is provided
1264 * (it's a rare case so it's better to keep the code simplier)
1265 * We also check that the highest local_usn is bigger than
1268 if( msg->num_elements != 1 ||
1269 strncmp(msg->elements[0].name,
1270 "replPropertyMetaData", 20) ) {
1271 DEBUG(0,(__location__ ": changereplmetada control called without "\
1272 "a specified replPropertyMetaData attribute or with others\n"));
1273 return LDB_ERR_OPERATIONS_ERROR;
1275 if (situation != REPL_URGENT_ON_UPDATE) {
1276 DEBUG(0,(__location__ ": changereplmetada control can't be called when deleting an object\n"));
1277 return LDB_ERR_OPERATIONS_ERROR;
1279 omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
1281 DEBUG(0,(__location__ ": replPropertyMetaData was not specified for Object %s\n",
1282 ldb_dn_get_linearized(msg->dn)));
1283 return LDB_ERR_OPERATIONS_ERROR;
1285 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1286 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1287 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1288 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1289 ldb_dn_get_linearized(msg->dn)));
1290 return LDB_ERR_OPERATIONS_ERROR;
1292 *seq_num = find_max_local_usn(omd);
1294 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs2,
1295 DSDB_FLAG_NEXT_MODULE |
1296 DSDB_SEARCH_SHOW_RECYCLED |
1297 DSDB_SEARCH_SHOW_EXTENDED_DN |
1298 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1299 DSDB_SEARCH_REVEAL_INTERNALS, req);
1301 if (ret != LDB_SUCCESS) {
1305 objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
1306 if (is_urgent && replmd_check_urgent_objectclass(objectclass_el,
1311 db_seq = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNChanged", 0);
1312 if (*seq_num <= db_seq) {
1313 DEBUG(0,(__location__ ": changereplmetada control provided but max(local_usn)"\
1314 " is less or equal to uSNChanged (max = %lld uSNChanged = %lld)\n",
1315 (long long)*seq_num, (long long)db_seq));
1316 return LDB_ERR_OPERATIONS_ERROR;
1320 /* search for the existing replPropertyMetaDataBlob. We need
1321 * to use REVEAL and ask for DNs in storage format to support
1322 * the check for values being the same in
1323 * replmd_update_rpmd_element()
1325 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs,
1326 DSDB_FLAG_NEXT_MODULE |
1327 DSDB_SEARCH_SHOW_RECYCLED |
1328 DSDB_SEARCH_SHOW_EXTENDED_DN |
1329 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1330 DSDB_SEARCH_REVEAL_INTERNALS, req);
1331 if (ret != LDB_SUCCESS) {
1335 objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
1336 if (is_urgent && replmd_check_urgent_objectclass(objectclass_el,
1341 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
1343 DEBUG(0,(__location__ ": Object %s does not have a replPropertyMetaData attribute\n",
1344 ldb_dn_get_linearized(msg->dn)));
1345 return LDB_ERR_OPERATIONS_ERROR;
1348 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1349 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1350 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1351 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1352 ldb_dn_get_linearized(msg->dn)));
1353 return LDB_ERR_OPERATIONS_ERROR;
1356 if (omd.version != 1) {
1357 DEBUG(0,(__location__ ": bad version %u in replPropertyMetaData for %s\n",
1358 omd.version, ldb_dn_get_linearized(msg->dn)));
1359 return LDB_ERR_OPERATIONS_ERROR;
1362 for (i=0; i<msg->num_elements; i++) {
1363 struct ldb_message_element *old_el;
1364 old_el = ldb_msg_find_element(res->msgs[0], msg->elements[i].name);
1365 ret = replmd_update_rpmd_element(ldb, msg, &msg->elements[i], old_el, &omd, schema, seq_num,
1366 our_invocation_id, now, req);
1367 if (ret != LDB_SUCCESS) {
1371 if (is_urgent && !*is_urgent && (situation == REPL_URGENT_ON_UPDATE)) {
1372 *is_urgent = replmd_check_urgent_attribute(&msg->elements[i]);
1378 * replmd_update_rpmd_element has done an update if the
1381 if (*seq_num != 0) {
1382 struct ldb_val *md_value;
1383 struct ldb_message_element *el;
1385 /*if we are RODC and this is a DRSR update then its ok*/
1386 if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
1387 unsigned instanceType;
1389 ret = samdb_rodc(ldb, rodc);
1390 if (ret != LDB_SUCCESS) {
1391 DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
1393 ldb_set_errstring(ldb, "RODC modify is forbidden!");
1394 return LDB_ERR_REFERRAL;
1397 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", INSTANCE_TYPE_WRITE);
1398 if (!(instanceType & INSTANCE_TYPE_WRITE)) {
1399 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1400 "cannot change replicated attribute on partial replica");
1404 md_value = talloc(msg, struct ldb_val);
1405 if (md_value == NULL) {
1407 return LDB_ERR_OPERATIONS_ERROR;
1410 ret = replmd_replPropertyMetaDataCtr1_sort(&omd.ctr.ctr1, schema, msg->dn);
1411 if (ret != LDB_SUCCESS) {
1415 ndr_err = ndr_push_struct_blob(md_value, msg, &omd,
1416 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
1417 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1418 DEBUG(0,(__location__ ": Failed to marshall replPropertyMetaData for %s\n",
1419 ldb_dn_get_linearized(msg->dn)));
1420 return LDB_ERR_OPERATIONS_ERROR;
1423 ret = ldb_msg_add_empty(msg, "replPropertyMetaData", LDB_FLAG_MOD_REPLACE, &el);
1424 if (ret != LDB_SUCCESS) {
1425 DEBUG(0,(__location__ ": Failed to add updated replPropertyMetaData %s\n",
1426 ldb_dn_get_linearized(msg->dn)));
1431 el->values = md_value;
1438 struct dsdb_dn *dsdb_dn;
1443 static int parsed_dn_compare(struct parsed_dn *pdn1, struct parsed_dn *pdn2)
1445 return GUID_compare(pdn1->guid, pdn2->guid);
1448 static struct parsed_dn *parsed_dn_find(struct parsed_dn *pdn,
1449 unsigned int count, struct GUID *guid,
1452 struct parsed_dn *ret;
1454 if (dn && GUID_all_zero(guid)) {
1455 /* when updating a link using DRS, we sometimes get a
1456 NULL GUID. We then need to try and match by DN */
1457 for (i=0; i<count; i++) {
1458 if (ldb_dn_compare(pdn[i].dsdb_dn->dn, dn) == 0) {
1459 dsdb_get_extended_dn_guid(pdn[i].dsdb_dn->dn, guid, "GUID");
1465 BINARY_ARRAY_SEARCH(pdn, count, guid, guid, GUID_compare, ret);
1470 get a series of message element values as an array of DNs and GUIDs
1471 the result is sorted by GUID
1473 static int get_parsed_dns(struct ldb_module *module, TALLOC_CTX *mem_ctx,
1474 struct ldb_message_element *el, struct parsed_dn **pdn,
1475 const char *ldap_oid, struct ldb_request *parent)
1478 struct ldb_context *ldb = ldb_module_get_ctx(module);
1485 (*pdn) = talloc_array(mem_ctx, struct parsed_dn, el->num_values);
1487 ldb_module_oom(module);
1488 return LDB_ERR_OPERATIONS_ERROR;
1491 for (i=0; i<el->num_values; i++) {
1492 struct ldb_val *v = &el->values[i];
1495 struct parsed_dn *p;
1499 p->dsdb_dn = dsdb_dn_parse(*pdn, ldb, v, ldap_oid);
1500 if (p->dsdb_dn == NULL) {
1501 return LDB_ERR_INVALID_DN_SYNTAX;
1504 dn = p->dsdb_dn->dn;
1506 p->guid = talloc(*pdn, struct GUID);
1507 if (p->guid == NULL) {
1508 ldb_module_oom(module);
1509 return LDB_ERR_OPERATIONS_ERROR;
1512 status = dsdb_get_extended_dn_guid(dn, p->guid, "GUID");
1513 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1514 /* we got a DN without a GUID - go find the GUID */
1515 int ret = dsdb_module_guid_by_dn(module, dn, p->guid, parent);
1516 if (ret != LDB_SUCCESS) {
1517 ldb_asprintf_errstring(ldb, "Unable to find GUID for DN %s\n",
1518 ldb_dn_get_linearized(dn));
1519 if (ret == LDB_ERR_NO_SUCH_OBJECT &&
1520 LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE &&
1521 ldb_attr_cmp(el->name, "member") == 0) {
1522 return LDB_ERR_UNWILLING_TO_PERFORM;
1526 ret = dsdb_set_extended_dn_guid(dn, p->guid, "GUID");
1527 if (ret != LDB_SUCCESS) {
1530 } else if (!NT_STATUS_IS_OK(status)) {
1531 return LDB_ERR_OPERATIONS_ERROR;
1534 /* keep a pointer to the original ldb_val */
1538 TYPESAFE_QSORT(*pdn, el->num_values, parsed_dn_compare);
1544 build a new extended DN, including all meta data fields
1546 RMD_FLAGS = DSDB_RMD_FLAG_* bits
1547 RMD_ADDTIME = originating_add_time
1548 RMD_INVOCID = originating_invocation_id
1549 RMD_CHANGETIME = originating_change_time
1550 RMD_ORIGINATING_USN = originating_usn
1551 RMD_LOCAL_USN = local_usn
1552 RMD_VERSION = version
1554 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1555 const struct GUID *invocation_id, uint64_t seq_num,
1556 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted)
1558 struct ldb_dn *dn = dsdb_dn->dn;
1559 const char *tstring, *usn_string, *flags_string;
1560 struct ldb_val tval;
1562 struct ldb_val usnv, local_usnv;
1563 struct ldb_val vers, flagsv;
1566 const char *dnstring;
1568 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1570 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1572 return LDB_ERR_OPERATIONS_ERROR;
1574 tval = data_blob_string_const(tstring);
1576 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)seq_num);
1578 return LDB_ERR_OPERATIONS_ERROR;
1580 usnv = data_blob_string_const(usn_string);
1582 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1584 return LDB_ERR_OPERATIONS_ERROR;
1586 local_usnv = data_blob_string_const(usn_string);
1588 vstring = talloc_asprintf(mem_ctx, "%lu", (unsigned long)version);
1590 return LDB_ERR_OPERATIONS_ERROR;
1592 vers = data_blob_string_const(vstring);
1594 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1595 if (!NT_STATUS_IS_OK(status)) {
1596 return LDB_ERR_OPERATIONS_ERROR;
1599 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1600 if (!flags_string) {
1601 return LDB_ERR_OPERATIONS_ERROR;
1603 flagsv = data_blob_string_const(flags_string);
1605 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1606 if (ret != LDB_SUCCESS) return ret;
1607 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", &tval);
1608 if (ret != LDB_SUCCESS) return ret;
1609 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1610 if (ret != LDB_SUCCESS) return ret;
1611 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1612 if (ret != LDB_SUCCESS) return ret;
1613 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1614 if (ret != LDB_SUCCESS) return ret;
1615 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1616 if (ret != LDB_SUCCESS) return ret;
1617 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1618 if (ret != LDB_SUCCESS) return ret;
1620 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1621 if (dnstring == NULL) {
1622 return LDB_ERR_OPERATIONS_ERROR;
1624 *v = data_blob_string_const(dnstring);
1629 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1630 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1631 uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
1632 uint32_t version, bool deleted);
1635 check if any links need upgrading from w2k format
1637 The parent_ctx is the ldb_message_element which contains the values array that dns[i].v points at, and which should be used for allocating any new value.
1639 static int replmd_check_upgrade_links(struct parsed_dn *dns, uint32_t count, struct ldb_message_element *parent_ctx, const struct GUID *invocation_id)
1642 for (i=0; i<count; i++) {
1647 status = dsdb_get_extended_dn_uint32(dns[i].dsdb_dn->dn, &version, "RMD_VERSION");
1648 if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1652 /* it's an old one that needs upgrading */
1653 ret = replmd_update_la_val(parent_ctx->values, dns[i].v, dns[i].dsdb_dn, dns[i].dsdb_dn, invocation_id,
1655 if (ret != LDB_SUCCESS) {
1663 update an extended DN, including all meta data fields
1665 see replmd_build_la_val for value names
1667 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1668 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1669 uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
1670 uint32_t version, bool deleted)
1672 struct ldb_dn *dn = dsdb_dn->dn;
1673 const char *tstring, *usn_string, *flags_string;
1674 struct ldb_val tval;
1676 struct ldb_val usnv, local_usnv;
1677 struct ldb_val vers, flagsv;
1678 const struct ldb_val *old_addtime;
1679 uint32_t old_version;
1682 const char *dnstring;
1684 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1686 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1688 return LDB_ERR_OPERATIONS_ERROR;
1690 tval = data_blob_string_const(tstring);
1692 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)seq_num);
1694 return LDB_ERR_OPERATIONS_ERROR;
1696 usnv = data_blob_string_const(usn_string);
1698 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1700 return LDB_ERR_OPERATIONS_ERROR;
1702 local_usnv = data_blob_string_const(usn_string);
1704 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1705 if (!NT_STATUS_IS_OK(status)) {
1706 return LDB_ERR_OPERATIONS_ERROR;
1709 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1710 if (!flags_string) {
1711 return LDB_ERR_OPERATIONS_ERROR;
1713 flagsv = data_blob_string_const(flags_string);
1715 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1716 if (ret != LDB_SUCCESS) return ret;
1718 /* get the ADDTIME from the original */
1719 old_addtime = ldb_dn_get_extended_component(old_dsdb_dn->dn, "RMD_ADDTIME");
1720 if (old_addtime == NULL) {
1721 old_addtime = &tval;
1723 if (dsdb_dn != old_dsdb_dn ||
1724 ldb_dn_get_extended_component(dn, "RMD_ADDTIME") == NULL) {
1725 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", old_addtime);
1726 if (ret != LDB_SUCCESS) return ret;
1729 /* use our invocation id */
1730 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1731 if (ret != LDB_SUCCESS) return ret;
1733 /* changetime is the current time */
1734 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1735 if (ret != LDB_SUCCESS) return ret;
1737 /* update the USN */
1738 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1739 if (ret != LDB_SUCCESS) return ret;
1741 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1742 if (ret != LDB_SUCCESS) return ret;
1744 /* increase the version by 1 */
1745 status = dsdb_get_extended_dn_uint32(old_dsdb_dn->dn, &old_version, "RMD_VERSION");
1746 if (NT_STATUS_IS_OK(status) && old_version >= version) {
1747 version = old_version+1;
1749 vstring = talloc_asprintf(dn, "%lu", (unsigned long)version);
1750 vers = data_blob_string_const(vstring);
1751 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1752 if (ret != LDB_SUCCESS) return ret;
1754 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1755 if (dnstring == NULL) {
1756 return LDB_ERR_OPERATIONS_ERROR;
1758 *v = data_blob_string_const(dnstring);
1764 handle adding a linked attribute
1766 static int replmd_modify_la_add(struct ldb_module *module,
1767 const struct dsdb_schema *schema,
1768 struct ldb_message *msg,
1769 struct ldb_message_element *el,
1770 struct ldb_message_element *old_el,
1771 const struct dsdb_attribute *schema_attr,
1774 struct GUID *msg_guid,
1775 struct ldb_request *parent)
1778 struct parsed_dn *dns, *old_dns;
1779 TALLOC_CTX *tmp_ctx = talloc_new(msg);
1781 struct ldb_val *new_values = NULL;
1782 unsigned int num_new_values = 0;
1783 unsigned old_num_values = old_el?old_el->num_values:0;
1784 const struct GUID *invocation_id;
1785 struct ldb_context *ldb = ldb_module_get_ctx(module);
1788 unix_to_nt_time(&now, t);
1790 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
1791 if (ret != LDB_SUCCESS) {
1792 talloc_free(tmp_ctx);
1796 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
1797 if (ret != LDB_SUCCESS) {
1798 talloc_free(tmp_ctx);
1802 invocation_id = samdb_ntds_invocation_id(ldb);
1803 if (!invocation_id) {
1804 talloc_free(tmp_ctx);
1805 return LDB_ERR_OPERATIONS_ERROR;
1808 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
1809 if (ret != LDB_SUCCESS) {
1810 talloc_free(tmp_ctx);
1814 /* for each new value, see if it exists already with the same GUID */
1815 for (i=0; i<el->num_values; i++) {
1816 struct parsed_dn *p = parsed_dn_find(old_dns, old_num_values, dns[i].guid, NULL);
1818 /* this is a new linked attribute value */
1819 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val, num_new_values+1);
1820 if (new_values == NULL) {
1821 ldb_module_oom(module);
1822 talloc_free(tmp_ctx);
1823 return LDB_ERR_OPERATIONS_ERROR;
1825 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
1826 invocation_id, seq_num, seq_num, now, 0, false);
1827 if (ret != LDB_SUCCESS) {
1828 talloc_free(tmp_ctx);
1833 /* this is only allowed if the GUID was
1834 previously deleted. */
1835 uint32_t rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
1837 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
1838 ldb_asprintf_errstring(ldb, "Attribute %s already exists for target GUID %s",
1839 el->name, GUID_string(tmp_ctx, p->guid));
1840 talloc_free(tmp_ctx);
1841 /* error codes for 'member' need to be
1843 if (ldb_attr_cmp(el->name, "member") == 0) {
1844 return LDB_ERR_ENTRY_ALREADY_EXISTS;
1846 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
1849 ret = replmd_update_la_val(old_el->values, p->v, dns[i].dsdb_dn, p->dsdb_dn,
1850 invocation_id, seq_num, seq_num, now, 0, false);
1851 if (ret != LDB_SUCCESS) {
1852 talloc_free(tmp_ctx);
1857 ret = replmd_add_backlink(module, schema, msg_guid, dns[i].guid, true, schema_attr, true);
1858 if (ret != LDB_SUCCESS) {
1859 talloc_free(tmp_ctx);
1864 /* add the new ones on to the end of the old values, constructing a new el->values */
1865 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
1867 old_num_values+num_new_values);
1868 if (el->values == NULL) {
1869 ldb_module_oom(module);
1870 return LDB_ERR_OPERATIONS_ERROR;
1873 memcpy(&el->values[old_num_values], new_values, num_new_values*sizeof(struct ldb_val));
1874 el->num_values = old_num_values + num_new_values;
1876 talloc_steal(msg->elements, el->values);
1877 talloc_steal(el->values, new_values);
1879 talloc_free(tmp_ctx);
1881 /* we now tell the backend to replace all existing values
1882 with the one we have constructed */
1883 el->flags = LDB_FLAG_MOD_REPLACE;
1890 handle deleting all active linked attributes
1892 static int replmd_modify_la_delete(struct ldb_module *module,
1893 const struct dsdb_schema *schema,
1894 struct ldb_message *msg,
1895 struct ldb_message_element *el,
1896 struct ldb_message_element *old_el,
1897 const struct dsdb_attribute *schema_attr,
1900 struct GUID *msg_guid,
1901 struct ldb_request *parent)
1904 struct parsed_dn *dns, *old_dns;
1905 TALLOC_CTX *tmp_ctx = talloc_new(msg);
1907 const struct GUID *invocation_id;
1908 struct ldb_context *ldb = ldb_module_get_ctx(module);
1911 unix_to_nt_time(&now, t);
1913 /* check if there is nothing to delete */
1914 if ((!old_el || old_el->num_values == 0) &&
1915 el->num_values == 0) {
1919 if (!old_el || old_el->num_values == 0) {
1920 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1923 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
1924 if (ret != LDB_SUCCESS) {
1925 talloc_free(tmp_ctx);
1929 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
1930 if (ret != LDB_SUCCESS) {
1931 talloc_free(tmp_ctx);
1935 invocation_id = samdb_ntds_invocation_id(ldb);
1936 if (!invocation_id) {
1937 return LDB_ERR_OPERATIONS_ERROR;
1940 ret = replmd_check_upgrade_links(old_dns, old_el->num_values, old_el, invocation_id);
1941 if (ret != LDB_SUCCESS) {
1942 talloc_free(tmp_ctx);
1948 /* see if we are being asked to delete any links that
1949 don't exist or are already deleted */
1950 for (i=0; i<el->num_values; i++) {
1951 struct parsed_dn *p = &dns[i];
1952 struct parsed_dn *p2;
1955 p2 = parsed_dn_find(old_dns, old_el->num_values, p->guid, NULL);
1957 ldb_asprintf_errstring(ldb, "Attribute %s doesn't exist for target GUID %s",
1958 el->name, GUID_string(tmp_ctx, p->guid));
1959 if (ldb_attr_cmp(el->name, "member") == 0) {
1960 return LDB_ERR_UNWILLING_TO_PERFORM;
1962 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1965 rmd_flags = dsdb_dn_rmd_flags(p2->dsdb_dn->dn);
1966 if (rmd_flags & DSDB_RMD_FLAG_DELETED) {
1967 ldb_asprintf_errstring(ldb, "Attribute %s already deleted for target GUID %s",
1968 el->name, GUID_string(tmp_ctx, p->guid));
1969 if (ldb_attr_cmp(el->name, "member") == 0) {
1970 return LDB_ERR_UNWILLING_TO_PERFORM;
1972 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1977 /* for each new value, see if it exists already with the same GUID
1978 if it is not already deleted and matches the delete list then delete it
1980 for (i=0; i<old_el->num_values; i++) {
1981 struct parsed_dn *p = &old_dns[i];
1984 if (el->num_values && parsed_dn_find(dns, el->num_values, p->guid, NULL) == NULL) {
1988 rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
1989 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
1991 ret = replmd_update_la_val(old_el->values, p->v, p->dsdb_dn, p->dsdb_dn,
1992 invocation_id, seq_num, seq_num, now, 0, true);
1993 if (ret != LDB_SUCCESS) {
1994 talloc_free(tmp_ctx);
1998 ret = replmd_add_backlink(module, schema, msg_guid, old_dns[i].guid, false, schema_attr, true);
1999 if (ret != LDB_SUCCESS) {
2000 talloc_free(tmp_ctx);
2005 el->values = talloc_steal(msg->elements, old_el->values);
2006 el->num_values = old_el->num_values;
2008 talloc_free(tmp_ctx);
2010 /* we now tell the backend to replace all existing values
2011 with the one we have constructed */
2012 el->flags = LDB_FLAG_MOD_REPLACE;
2018 handle replacing a linked attribute
2020 static int replmd_modify_la_replace(struct ldb_module *module,
2021 const struct dsdb_schema *schema,
2022 struct ldb_message *msg,
2023 struct ldb_message_element *el,
2024 struct ldb_message_element *old_el,
2025 const struct dsdb_attribute *schema_attr,
2028 struct GUID *msg_guid,
2029 struct ldb_request *parent)
2032 struct parsed_dn *dns, *old_dns;
2033 TALLOC_CTX *tmp_ctx = talloc_new(msg);
2035 const struct GUID *invocation_id;
2036 struct ldb_context *ldb = ldb_module_get_ctx(module);
2037 struct ldb_val *new_values = NULL;
2038 unsigned int num_new_values = 0;
2039 unsigned int old_num_values = old_el?old_el->num_values:0;
2042 unix_to_nt_time(&now, t);
2044 /* check if there is nothing to replace */
2045 if ((!old_el || old_el->num_values == 0) &&
2046 el->num_values == 0) {
2050 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
2051 if (ret != LDB_SUCCESS) {
2052 talloc_free(tmp_ctx);
2056 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
2057 if (ret != LDB_SUCCESS) {
2058 talloc_free(tmp_ctx);
2062 invocation_id = samdb_ntds_invocation_id(ldb);
2063 if (!invocation_id) {
2064 return LDB_ERR_OPERATIONS_ERROR;
2067 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
2068 if (ret != LDB_SUCCESS) {
2069 talloc_free(tmp_ctx);
2073 /* mark all the old ones as deleted */
2074 for (i=0; i<old_num_values; i++) {
2075 struct parsed_dn *old_p = &old_dns[i];
2076 struct parsed_dn *p;
2077 uint32_t rmd_flags = dsdb_dn_rmd_flags(old_p->dsdb_dn->dn);
2079 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
2081 ret = replmd_add_backlink(module, schema, msg_guid, old_dns[i].guid, false, schema_attr, false);
2082 if (ret != LDB_SUCCESS) {
2083 talloc_free(tmp_ctx);
2087 p = parsed_dn_find(dns, el->num_values, old_p->guid, NULL);
2089 /* we don't delete it if we are re-adding it */
2093 ret = replmd_update_la_val(old_el->values, old_p->v, old_p->dsdb_dn, old_p->dsdb_dn,
2094 invocation_id, seq_num, seq_num, now, 0, true);
2095 if (ret != LDB_SUCCESS) {
2096 talloc_free(tmp_ctx);
2101 /* for each new value, either update its meta-data, or add it
2104 for (i=0; i<el->num_values; i++) {
2105 struct parsed_dn *p = &dns[i], *old_p;
2108 (old_p = parsed_dn_find(old_dns,
2109 old_num_values, p->guid, NULL)) != NULL) {
2110 /* update in place */
2111 ret = replmd_update_la_val(old_el->values, old_p->v, p->dsdb_dn,
2112 old_p->dsdb_dn, invocation_id,
2113 seq_num, seq_num, now, 0, false);
2114 if (ret != LDB_SUCCESS) {
2115 talloc_free(tmp_ctx);
2120 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val,
2122 if (new_values == NULL) {
2123 ldb_module_oom(module);
2124 talloc_free(tmp_ctx);
2125 return LDB_ERR_OPERATIONS_ERROR;
2127 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
2128 invocation_id, seq_num, seq_num, now, 0, false);
2129 if (ret != LDB_SUCCESS) {
2130 talloc_free(tmp_ctx);
2136 ret = replmd_add_backlink(module, schema, msg_guid, dns[i].guid, true, schema_attr, false);
2137 if (ret != LDB_SUCCESS) {
2138 talloc_free(tmp_ctx);
2143 /* add the new values to the end of old_el */
2144 if (num_new_values != 0) {
2145 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
2146 struct ldb_val, old_num_values+num_new_values);
2147 if (el->values == NULL) {
2148 ldb_module_oom(module);
2149 return LDB_ERR_OPERATIONS_ERROR;
2151 memcpy(&el->values[old_num_values], &new_values[0],
2152 sizeof(struct ldb_val)*num_new_values);
2153 el->num_values = old_num_values + num_new_values;
2154 talloc_steal(msg->elements, new_values);
2156 el->values = old_el->values;
2157 el->num_values = old_el->num_values;
2158 talloc_steal(msg->elements, el->values);
2161 talloc_free(tmp_ctx);
2163 /* we now tell the backend to replace all existing values
2164 with the one we have constructed */
2165 el->flags = LDB_FLAG_MOD_REPLACE;
2172 handle linked attributes in modify requests
2174 static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
2175 struct ldb_message *msg,
2176 uint64_t seq_num, time_t t,
2177 struct ldb_request *parent)
2179 struct ldb_result *res;
2182 struct ldb_context *ldb = ldb_module_get_ctx(module);
2183 struct ldb_message *old_msg;
2185 const struct dsdb_schema *schema;
2186 struct GUID old_guid;
2189 /* there the replmd_update_rpmd code has already
2190 * checked and saw that there are no linked
2195 if (dsdb_functional_level(ldb) == DS_DOMAIN_FUNCTION_2000) {
2196 /* don't do anything special for linked attributes */
2200 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, NULL,
2201 DSDB_FLAG_NEXT_MODULE |
2202 DSDB_SEARCH_SHOW_RECYCLED |
2203 DSDB_SEARCH_REVEAL_INTERNALS |
2204 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
2206 if (ret != LDB_SUCCESS) {
2209 schema = dsdb_get_schema(ldb, res);
2211 return LDB_ERR_OPERATIONS_ERROR;
2214 old_msg = res->msgs[0];
2216 old_guid = samdb_result_guid(old_msg, "objectGUID");
2218 for (i=0; i<msg->num_elements; i++) {
2219 struct ldb_message_element *el = &msg->elements[i];
2220 struct ldb_message_element *old_el, *new_el;
2221 const struct dsdb_attribute *schema_attr
2222 = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
2224 ldb_asprintf_errstring(ldb,
2225 "%s: attribute %s is not a valid attribute in schema",
2226 __FUNCTION__, el->name);
2227 return LDB_ERR_OBJECT_CLASS_VIOLATION;
2229 if (schema_attr->linkID == 0) {
2232 if ((schema_attr->linkID & 1) == 1) {
2233 if (parent && ldb_request_get_control(parent, DSDB_CONTROL_DBCHECK)) {
2236 /* Odd is for the target. Illegal to modify */
2237 ldb_asprintf_errstring(ldb,
2238 "attribute %s must not be modified directly, it is a linked attribute", el->name);
2239 return LDB_ERR_UNWILLING_TO_PERFORM;
2241 old_el = ldb_msg_find_element(old_msg, el->name);
2242 switch (el->flags & LDB_FLAG_MOD_MASK) {
2243 case LDB_FLAG_MOD_REPLACE:
2244 ret = replmd_modify_la_replace(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2246 case LDB_FLAG_MOD_DELETE:
2247 ret = replmd_modify_la_delete(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2249 case LDB_FLAG_MOD_ADD:
2250 ret = replmd_modify_la_add(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2253 ldb_asprintf_errstring(ldb,
2254 "invalid flags 0x%x for %s linked attribute",
2255 el->flags, el->name);
2256 return LDB_ERR_UNWILLING_TO_PERFORM;
2258 if (dsdb_check_single_valued_link(schema_attr, el) != LDB_SUCCESS) {
2259 ldb_asprintf_errstring(ldb,
2260 "Attribute %s is single valued but more than one value has been supplied",
2262 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
2264 el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
2269 if (ret != LDB_SUCCESS) {
2273 ldb_msg_remove_attr(old_msg, el->name);
2275 ldb_msg_add_empty(old_msg, el->name, 0, &new_el);
2276 new_el->num_values = el->num_values;
2277 new_el->values = talloc_steal(msg->elements, el->values);
2279 /* TODO: this relises a bit too heavily on the exact
2280 behaviour of ldb_msg_find_element and
2281 ldb_msg_remove_element */
2282 old_el = ldb_msg_find_element(msg, el->name);
2284 ldb_msg_remove_element(msg, old_el);
2295 static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
2297 struct ldb_context *ldb;
2298 struct replmd_replicated_request *ac;
2299 struct ldb_request *down_req;
2300 struct ldb_message *msg;
2301 time_t t = time(NULL);
2303 bool is_urgent = false, rodc = false;
2304 unsigned int functional_level;
2305 const DATA_BLOB *guid_blob;
2307 /* do not manipulate our control entries */
2308 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2309 return ldb_next_request(module, req);
2312 ldb = ldb_module_get_ctx(module);
2314 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_modify\n");
2316 guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
2317 if ( guid_blob != NULL ) {
2318 ldb_set_errstring(ldb,
2319 "replmd_modify: it's not allowed to change the objectGUID!");
2320 return LDB_ERR_CONSTRAINT_VIOLATION;
2323 ac = replmd_ctx_init(module, req);
2325 return ldb_module_oom(module);
2328 functional_level = dsdb_functional_level(ldb);
2330 /* we have to copy the message as the caller might have it as a const */
2331 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
2335 return LDB_ERR_OPERATIONS_ERROR;
2338 ldb_msg_remove_attr(msg, "whenChanged");
2339 ldb_msg_remove_attr(msg, "uSNChanged");
2341 ret = replmd_update_rpmd(module, ac->schema, req, NULL,
2342 msg, &ac->seq_num, t, &is_urgent, &rodc);
2343 if (rodc && (ret == LDB_ERR_REFERRAL)) {
2344 struct loadparm_context *lp_ctx;
2347 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2348 struct loadparm_context);
2350 referral = talloc_asprintf(req,
2352 lpcfg_dnsdomain(lp_ctx),
2353 ldb_dn_get_linearized(msg->dn));
2354 ret = ldb_module_send_referral(req, referral);
2359 if (ret != LDB_SUCCESS) {
2364 ret = replmd_modify_handle_linked_attribs(module, msg, ac->seq_num, t, req);
2365 if (ret != LDB_SUCCESS) {
2371 * - replace the old object with the newly constructed one
2374 ac->is_urgent = is_urgent;
2376 ret = ldb_build_mod_req(&down_req, ldb, ac,
2379 ac, replmd_op_callback,
2381 LDB_REQ_SET_LOCATION(down_req);
2382 if (ret != LDB_SUCCESS) {
2387 /* current partition control is needed by "replmd_op_callback" */
2388 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2389 ret = ldb_request_add_control(down_req,
2390 DSDB_CONTROL_CURRENT_PARTITION_OID,
2392 if (ret != LDB_SUCCESS) {
2398 /* If we are in functional level 2000, then
2399 * replmd_modify_handle_linked_attribs will have done
2401 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
2402 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
2403 if (ret != LDB_SUCCESS) {
2409 talloc_steal(down_req, msg);
2411 /* we only change whenChanged and uSNChanged if the seq_num
2413 if (ac->seq_num != 0) {
2414 ret = add_time_element(msg, "whenChanged", t);
2415 if (ret != LDB_SUCCESS) {
2421 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2422 if (ret != LDB_SUCCESS) {
2429 /* go on with the call chain */
2430 return ldb_next_request(module, down_req);
2433 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares);
2436 handle a rename request
2438 On a rename we need to do an extra ldb_modify which sets the
2439 whenChanged and uSNChanged attributes. We do this in a callback after the success.
2441 static int replmd_rename(struct ldb_module *module, struct ldb_request *req)
2443 struct ldb_context *ldb;
2444 struct replmd_replicated_request *ac;
2446 struct ldb_request *down_req;
2448 /* do not manipulate our control entries */
2449 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2450 return ldb_next_request(module, req);
2453 ldb = ldb_module_get_ctx(module);
2455 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_rename\n");
2457 ac = replmd_ctx_init(module, req);
2459 return ldb_module_oom(module);
2462 ret = ldb_build_rename_req(&down_req, ldb, ac,
2463 ac->req->op.rename.olddn,
2464 ac->req->op.rename.newdn,
2466 ac, replmd_rename_callback,
2468 LDB_REQ_SET_LOCATION(down_req);
2469 if (ret != LDB_SUCCESS) {
2474 /* go on with the call chain */
2475 return ldb_next_request(module, down_req);
2478 /* After the rename is compleated, update the whenchanged etc */
2479 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
2481 struct ldb_context *ldb;
2482 struct replmd_replicated_request *ac;
2483 struct ldb_request *down_req;
2484 struct ldb_message *msg;
2485 const struct dsdb_attribute *rdn_attr;
2486 const char *rdn_name;
2487 const struct ldb_val *rdn_val;
2488 const char *attrs[5] = { NULL, };
2489 time_t t = time(NULL);
2491 bool is_urgent = false, rodc = false;
2493 ac = talloc_get_type(req->context, struct replmd_replicated_request);
2494 ldb = ldb_module_get_ctx(ac->module);
2496 if (ares->error != LDB_SUCCESS) {
2497 return ldb_module_done(ac->req, ares->controls,
2498 ares->response, ares->error);
2501 if (ares->type != LDB_REPLY_DONE) {
2502 ldb_set_errstring(ldb,
2503 "invalid ldb_reply_type in callback");
2505 return ldb_module_done(ac->req, NULL, NULL,
2506 LDB_ERR_OPERATIONS_ERROR);
2510 * - replace the old object with the newly constructed one
2513 msg = ldb_msg_new(ac);
2516 return LDB_ERR_OPERATIONS_ERROR;
2519 msg->dn = ac->req->op.rename.newdn;
2521 rdn_name = ldb_dn_get_rdn_name(msg->dn);
2522 if (rdn_name == NULL) {
2524 return ldb_module_done(ac->req, NULL, NULL,
2528 /* normalize the rdn attribute name */
2529 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, rdn_name);
2530 if (rdn_attr == NULL) {
2532 return ldb_module_done(ac->req, NULL, NULL,
2535 rdn_name = rdn_attr->lDAPDisplayName;
2537 rdn_val = ldb_dn_get_rdn_val(msg->dn);
2538 if (rdn_val == NULL) {
2540 return ldb_module_done(ac->req, NULL, NULL,
2544 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2546 return ldb_module_done(ac->req, NULL, NULL,
2549 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
2551 return ldb_module_done(ac->req, NULL, NULL,
2554 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2556 return ldb_module_done(ac->req, NULL, NULL,
2559 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
2561 return ldb_module_done(ac->req, NULL, NULL,
2566 * here we let replmd_update_rpmd() only search for
2567 * the existing "replPropertyMetaData" and rdn_name attributes.
2569 * We do not want the existing "name" attribute as
2570 * the "name" attribute needs to get the version
2571 * updated on rename even if the rdn value hasn't changed.
2573 * This is the diff of the meta data, for a moved user
2574 * on a w2k8r2 server:
2577 * -dn: CN=sdf df,CN=Users,DC=bla,DC=base
2578 * +dn: CN=sdf df,OU=TestOU,DC=bla,DC=base
2579 * replPropertyMetaData: NDR: struct replPropertyMetaDataBlob
2580 * version : 0x00000001 (1)
2581 * reserved : 0x00000000 (0)
2582 * @@ -66,11 +66,11 @@ replPropertyMetaData: NDR: struct re
2583 * local_usn : 0x00000000000037a5 (14245)
2584 * array: struct replPropertyMetaData1
2585 * attid : DRSUAPI_ATTID_name (0x90001)
2586 * - version : 0x00000001 (1)
2587 * - originating_change_time : Wed Feb 9 17:20:49 2011 CET
2588 * + version : 0x00000002 (2)
2589 * + originating_change_time : Wed Apr 6 15:21:01 2011 CEST
2590 * originating_invocation_id: 0d36ca05-5507-4e62-aca3-354bab0d39e1
2591 * - originating_usn : 0x00000000000037a5 (14245)
2592 * - local_usn : 0x00000000000037a5 (14245)
2593 * + originating_usn : 0x0000000000003834 (14388)
2594 * + local_usn : 0x0000000000003834 (14388)
2595 * array: struct replPropertyMetaData1
2596 * attid : DRSUAPI_ATTID_userAccountControl (0x90008)
2597 * version : 0x00000004 (4)
2599 attrs[0] = "replPropertyMetaData";
2600 attrs[1] = "objectClass";
2601 attrs[2] = "instanceType";
2602 attrs[3] = rdn_name;
2605 ret = replmd_update_rpmd(ac->module, ac->schema, req, attrs,
2606 msg, &ac->seq_num, t, &is_urgent, &rodc);
2607 if (rodc && (ret == LDB_ERR_REFERRAL)) {
2608 struct ldb_dn *olddn = ac->req->op.rename.olddn;
2609 struct loadparm_context *lp_ctx;
2612 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2613 struct loadparm_context);
2615 referral = talloc_asprintf(req,
2617 lpcfg_dnsdomain(lp_ctx),
2618 ldb_dn_get_linearized(olddn));
2619 ret = ldb_module_send_referral(req, referral);
2621 return ldb_module_done(req, NULL, NULL, ret);
2624 if (ret != LDB_SUCCESS) {
2626 return ldb_module_done(ac->req, NULL, NULL, ret);
2629 if (ac->seq_num == 0) {
2631 return ldb_module_done(ac->req, NULL, NULL,
2633 "internal error seq_num == 0"));
2635 ac->is_urgent = is_urgent;
2637 ret = ldb_build_mod_req(&down_req, ldb, ac,
2640 ac, replmd_op_callback,
2642 LDB_REQ_SET_LOCATION(down_req);
2643 if (ret != LDB_SUCCESS) {
2648 /* current partition control is needed by "replmd_op_callback" */
2649 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2650 ret = ldb_request_add_control(down_req,
2651 DSDB_CONTROL_CURRENT_PARTITION_OID,
2653 if (ret != LDB_SUCCESS) {
2659 talloc_steal(down_req, msg);
2661 ret = add_time_element(msg, "whenChanged", t);
2662 if (ret != LDB_SUCCESS) {
2668 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2669 if (ret != LDB_SUCCESS) {
2675 /* go on with the call chain - do the modify after the rename */
2676 return ldb_next_request(ac->module, down_req);
2680 remove links from objects that point at this object when an object
2683 static int replmd_delete_remove_link(struct ldb_module *module,
2684 const struct dsdb_schema *schema,
2686 struct ldb_message_element *el,
2687 const struct dsdb_attribute *sa,
2688 struct ldb_request *parent)
2691 TALLOC_CTX *tmp_ctx = talloc_new(module);
2692 struct ldb_context *ldb = ldb_module_get_ctx(module);
2694 for (i=0; i<el->num_values; i++) {
2695 struct dsdb_dn *dsdb_dn;
2699 struct ldb_message *msg;
2700 const struct dsdb_attribute *target_attr;
2701 struct ldb_message_element *el2;
2702 struct ldb_val dn_val;
2704 if (dsdb_dn_is_deleted_val(&el->values[i])) {
2708 dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], sa->syntax->ldap_oid);
2710 talloc_free(tmp_ctx);
2711 return LDB_ERR_OPERATIONS_ERROR;
2714 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid2, "GUID");
2715 if (!NT_STATUS_IS_OK(status)) {
2716 talloc_free(tmp_ctx);
2717 return LDB_ERR_OPERATIONS_ERROR;
2720 /* remove the link */
2721 msg = ldb_msg_new(tmp_ctx);
2723 ldb_module_oom(module);
2724 talloc_free(tmp_ctx);
2725 return LDB_ERR_OPERATIONS_ERROR;
2729 msg->dn = dsdb_dn->dn;
2731 target_attr = dsdb_attribute_by_linkID(schema, sa->linkID ^ 1);
2732 if (target_attr == NULL) {
2736 ret = ldb_msg_add_empty(msg, target_attr->lDAPDisplayName, LDB_FLAG_MOD_DELETE, &el2);
2737 if (ret != LDB_SUCCESS) {
2738 ldb_module_oom(module);
2739 talloc_free(tmp_ctx);
2740 return LDB_ERR_OPERATIONS_ERROR;
2742 dn_val = data_blob_string_const(ldb_dn_get_linearized(dn));
2743 el2->values = &dn_val;
2744 el2->num_values = 1;
2746 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, parent);
2747 if (ret != LDB_SUCCESS) {
2748 talloc_free(tmp_ctx);
2752 talloc_free(tmp_ctx);
2758 handle update of replication meta data for deletion of objects
2760 This also handles the mapping of delete to a rename operation
2761 to allow deletes to be replicated.
2763 static int replmd_delete(struct ldb_module *module, struct ldb_request *req)
2765 int ret = LDB_ERR_OTHER;
2766 bool retb, disallow_move_on_delete;
2767 struct ldb_dn *old_dn, *new_dn;
2768 const char *rdn_name;
2769 const struct ldb_val *rdn_value, *new_rdn_value;
2771 struct ldb_context *ldb = ldb_module_get_ctx(module);
2772 const struct dsdb_schema *schema;
2773 struct ldb_message *msg, *old_msg;
2774 struct ldb_message_element *el;
2775 TALLOC_CTX *tmp_ctx;
2776 struct ldb_result *res, *parent_res;
2777 const char *preserved_attrs[] = {
2778 /* yes, this really is a hard coded list. See MS-ADTS
2779 section 3.1.1.5.5.1.1 */
2780 "nTSecurityDescriptor", "attributeID", "attributeSyntax", "dNReferenceUpdate", "dNSHostName",
2781 "flatName", "governsID", "groupType", "instanceType", "lDAPDisplayName", "legacyExchangeDN",
2782 "isDeleted", "isRecycled", "lastKnownParent", "msDS-LastKnownRDN", "mS-DS-CreatorSID",
2783 "mSMQOwnerID", "nCName", "objectClass", "distinguishedName", "objectGUID", "objectSid",
2784 "oMSyntax", "proxiedObjectName", "name", "replPropertyMetaData", "sAMAccountName",
2785 "securityIdentifier", "sIDHistory", "subClassOf", "systemFlags", "trustPartner", "trustDirection",
2786 "trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated",
2787 "whenChanged", NULL};
2788 unsigned int i, el_count = 0;
2789 enum deletion_state { OBJECT_NOT_DELETED=1, OBJECT_DELETED=2, OBJECT_RECYCLED=3,
2790 OBJECT_TOMBSTONE=4, OBJECT_REMOVED=5 };
2791 enum deletion_state deletion_state, next_deletion_state;
2793 int functional_level;
2795 if (ldb_dn_is_special(req->op.del.dn)) {
2796 return ldb_next_request(module, req);
2799 tmp_ctx = talloc_new(ldb);
2802 return LDB_ERR_OPERATIONS_ERROR;
2805 schema = dsdb_get_schema(ldb, tmp_ctx);
2807 return LDB_ERR_OPERATIONS_ERROR;
2810 functional_level = dsdb_functional_level(ldb);
2812 old_dn = ldb_dn_copy(tmp_ctx, req->op.del.dn);
2814 /* we need the complete msg off disk, so we can work out which
2815 attributes need to be removed */
2816 ret = dsdb_module_search_dn(module, tmp_ctx, &res, old_dn, NULL,
2817 DSDB_FLAG_NEXT_MODULE |
2818 DSDB_SEARCH_SHOW_RECYCLED |
2819 DSDB_SEARCH_REVEAL_INTERNALS |
2820 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, req);
2821 if (ret != LDB_SUCCESS) {
2822 talloc_free(tmp_ctx);
2825 old_msg = res->msgs[0];
2828 ret = dsdb_recyclebin_enabled(module, &enabled);
2829 if (ret != LDB_SUCCESS) {
2830 talloc_free(tmp_ctx);
2834 if (ldb_msg_check_string_attribute(old_msg, "isDeleted", "TRUE")) {
2836 deletion_state = OBJECT_TOMBSTONE;
2837 next_deletion_state = OBJECT_REMOVED;
2838 } else if (ldb_msg_check_string_attribute(old_msg, "isRecycled", "TRUE")) {
2839 deletion_state = OBJECT_RECYCLED;
2840 next_deletion_state = OBJECT_REMOVED;
2842 deletion_state = OBJECT_DELETED;
2843 next_deletion_state = OBJECT_RECYCLED;
2846 deletion_state = OBJECT_NOT_DELETED;
2848 next_deletion_state = OBJECT_DELETED;
2850 next_deletion_state = OBJECT_TOMBSTONE;
2854 if (next_deletion_state == OBJECT_REMOVED) {
2855 struct auth_session_info *session_info =
2856 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
2857 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
2858 ldb_asprintf_errstring(ldb, "Refusing to delete deleted object %s",
2859 ldb_dn_get_linearized(old_msg->dn));
2860 return LDB_ERR_UNWILLING_TO_PERFORM;
2863 /* it is already deleted - really remove it this time */
2864 talloc_free(tmp_ctx);
2865 return ldb_next_request(module, req);
2868 rdn_name = ldb_dn_get_rdn_name(old_dn);
2869 rdn_value = ldb_dn_get_rdn_val(old_dn);
2870 if ((rdn_name == NULL) || (rdn_value == NULL)) {
2871 talloc_free(tmp_ctx);
2872 return ldb_operr(ldb);
2875 msg = ldb_msg_new(tmp_ctx);
2877 ldb_module_oom(module);
2878 talloc_free(tmp_ctx);
2879 return LDB_ERR_OPERATIONS_ERROR;
2884 if (deletion_state == OBJECT_NOT_DELETED){
2885 /* consider the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag */
2886 disallow_move_on_delete =
2887 (ldb_msg_find_attr_as_int(old_msg, "systemFlags", 0)
2888 & SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
2890 /* work out where we will be renaming this object to */
2891 if (!disallow_move_on_delete) {
2892 ret = dsdb_get_deleted_objects_dn(ldb, tmp_ctx, old_dn,
2894 if (ret != LDB_SUCCESS) {
2895 /* this is probably an attempted delete on a partition
2896 * that doesn't allow delete operations, such as the
2897 * schema partition */
2898 ldb_asprintf_errstring(ldb, "No Deleted Objects container for DN %s",
2899 ldb_dn_get_linearized(old_dn));
2900 talloc_free(tmp_ctx);
2901 return LDB_ERR_UNWILLING_TO_PERFORM;
2904 new_dn = ldb_dn_get_parent(tmp_ctx, old_dn);
2905 if (new_dn == NULL) {
2906 ldb_module_oom(module);
2907 talloc_free(tmp_ctx);
2908 return LDB_ERR_OPERATIONS_ERROR;
2912 /* get the objects GUID from the search we just did */
2913 guid = samdb_result_guid(old_msg, "objectGUID");
2915 /* Add a formatted child */
2916 retb = ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ADEL:%s",
2918 ldb_dn_escape_value(tmp_ctx, *rdn_value),
2919 GUID_string(tmp_ctx, &guid));
2921 DEBUG(0,(__location__ ": Unable to add a formatted child to dn: %s",
2922 ldb_dn_get_linearized(new_dn)));
2923 talloc_free(tmp_ctx);
2924 return LDB_ERR_OPERATIONS_ERROR;
2927 ret = ldb_msg_add_string(msg, "isDeleted", "TRUE");
2928 if (ret != LDB_SUCCESS) {
2929 DEBUG(0,(__location__ ": Failed to add isDeleted string to the msg\n"));
2930 ldb_module_oom(module);
2931 talloc_free(tmp_ctx);
2934 msg->elements[el_count++].flags = LDB_FLAG_MOD_REPLACE;
2938 now we need to modify the object in the following ways:
2940 - add isDeleted=TRUE
2941 - update rDN and name, with new rDN
2942 - remove linked attributes
2943 - remove objectCategory and sAMAccountType
2944 - remove attribs not on the preserved list
2945 - preserved if in above list, or is rDN
2946 - remove all linked attribs from this object
2947 - remove all links from other objects to this object
2948 - add lastKnownParent
2949 - update replPropertyMetaData?
2951 see MS-ADTS "Tombstone Requirements" section 3.1.1.5.5.1.1
2954 /* we need the storage form of the parent GUID */
2955 ret = dsdb_module_search_dn(module, tmp_ctx, &parent_res,
2956 ldb_dn_get_parent(tmp_ctx, old_dn), NULL,
2957 DSDB_FLAG_NEXT_MODULE |
2958 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
2959 DSDB_SEARCH_REVEAL_INTERNALS|
2960 DSDB_SEARCH_SHOW_RECYCLED, req);
2961 if (ret != LDB_SUCCESS) {
2962 talloc_free(tmp_ctx);
2966 if (deletion_state == OBJECT_NOT_DELETED){
2967 ret = ldb_msg_add_steal_string(msg, "lastKnownParent",
2968 ldb_dn_get_extended_linearized(tmp_ctx, parent_res->msgs[0]->dn, 1));
2969 if (ret != LDB_SUCCESS) {
2970 DEBUG(0,(__location__ ": Failed to add lastKnownParent string to the msg\n"));
2971 ldb_module_oom(module);
2972 talloc_free(tmp_ctx);
2975 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
2978 switch (next_deletion_state){
2980 case OBJECT_DELETED:
2982 ret = ldb_msg_add_value(msg, "msDS-LastKnownRDN", rdn_value, NULL);
2983 if (ret != LDB_SUCCESS) {
2984 DEBUG(0,(__location__ ": Failed to add msDS-LastKnownRDN string to the msg\n"));
2985 ldb_module_oom(module);
2986 talloc_free(tmp_ctx);
2989 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
2991 ret = ldb_msg_add_empty(msg, "objectCategory", LDB_FLAG_MOD_REPLACE, NULL);
2992 if (ret != LDB_SUCCESS) {
2993 talloc_free(tmp_ctx);
2994 ldb_module_oom(module);
2998 ret = ldb_msg_add_empty(msg, "sAMAccountType", LDB_FLAG_MOD_REPLACE, NULL);
2999 if (ret != LDB_SUCCESS) {
3000 talloc_free(tmp_ctx);
3001 ldb_module_oom(module);
3007 case OBJECT_RECYCLED:
3008 case OBJECT_TOMBSTONE:
3011 * we also mark it as recycled, meaning this object can't be
3012 * recovered (we are stripping its attributes).
3013 * This is done only if we have this schema object of course ...
3014 * This behavior is identical to the one of Windows 2008R2 which
3015 * always set the isRecycled attribute, even if the recycle-bin is
3016 * not activated and what ever the forest level is.
3018 if (dsdb_attribute_by_lDAPDisplayName(schema, "isRecycled") != NULL) {
3019 ret = ldb_msg_add_string(msg, "isRecycled", "TRUE");
3020 if (ret != LDB_SUCCESS) {
3021 DEBUG(0,(__location__ ": Failed to add isRecycled string to the msg\n"));
3022 ldb_module_oom(module);
3023 talloc_free(tmp_ctx);
3026 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
3029 /* work out which of the old attributes we will be removing */
3030 for (i=0; i<old_msg->num_elements; i++) {
3031 const struct dsdb_attribute *sa;
3032 el = &old_msg->elements[i];
3033 sa = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
3035 talloc_free(tmp_ctx);
3036 return LDB_ERR_OPERATIONS_ERROR;
3038 if (ldb_attr_cmp(el->name, rdn_name) == 0) {
3039 /* don't remove the rDN */
3042 if (sa->linkID && (sa->linkID & 1)) {
3044 we have a backlink in this object
3045 that needs to be removed. We're not
3046 allowed to remove it directly
3047 however, so we instead setup a
3048 modify to delete the corresponding
3051 ret = replmd_delete_remove_link(module, schema, old_dn, el, sa, req);
3052 if (ret != LDB_SUCCESS) {
3053 talloc_free(tmp_ctx);
3054 return LDB_ERR_OPERATIONS_ERROR;
3056 /* now we continue, which means we
3057 won't remove this backlink
3062 if (!sa->linkID && ldb_attr_in_list(preserved_attrs, el->name)) {
3065 ret = ldb_msg_add_empty(msg, el->name, LDB_FLAG_MOD_DELETE, &el);
3066 if (ret != LDB_SUCCESS) {
3067 talloc_free(tmp_ctx);
3068 ldb_module_oom(module);
3078 if (deletion_state == OBJECT_NOT_DELETED) {
3079 const struct dsdb_attribute *sa;
3081 /* work out what the new rdn value is, for updating the
3082 rDN and name fields */
3083 new_rdn_value = ldb_dn_get_rdn_val(new_dn);
3084 if (new_rdn_value == NULL) {
3085 talloc_free(tmp_ctx);
3086 return ldb_operr(ldb);
3089 sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
3091 talloc_free(tmp_ctx);
3092 return LDB_ERR_OPERATIONS_ERROR;
3095 ret = ldb_msg_add_value(msg, sa->lDAPDisplayName, new_rdn_value,
3097 if (ret != LDB_SUCCESS) {
3098 talloc_free(tmp_ctx);
3101 el->flags = LDB_FLAG_MOD_REPLACE;
3103 el = ldb_msg_find_element(old_msg, "name");
3105 ret = ldb_msg_add_value(msg, "name", new_rdn_value, &el);
3106 if (ret != LDB_SUCCESS) {
3107 talloc_free(tmp_ctx);
3110 el->flags = LDB_FLAG_MOD_REPLACE;
3114 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, req);
3115 if (ret != LDB_SUCCESS) {
3116 ldb_asprintf_errstring(ldb, "replmd_delete: Failed to modify object %s in delete - %s",
3117 ldb_dn_get_linearized(old_dn), ldb_errstring(ldb));
3118 talloc_free(tmp_ctx);
3122 if (deletion_state == OBJECT_NOT_DELETED) {
3123 /* now rename onto the new DN */
3124 ret = dsdb_module_rename(module, old_dn, new_dn, DSDB_FLAG_NEXT_MODULE, req);
3125 if (ret != LDB_SUCCESS){
3126 DEBUG(0,(__location__ ": Failed to rename object from '%s' to '%s' - %s\n",
3127 ldb_dn_get_linearized(old_dn),
3128 ldb_dn_get_linearized(new_dn),
3129 ldb_errstring(ldb)));
3130 talloc_free(tmp_ctx);
3135 talloc_free(tmp_ctx);
3137 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
3142 static int replmd_replicated_request_error(struct replmd_replicated_request *ar, int ret)
3147 static int replmd_replicated_request_werror(struct replmd_replicated_request *ar, WERROR status)
3149 int ret = LDB_ERR_OTHER;
3150 /* TODO: do some error mapping */
3155 static struct replPropertyMetaData1 *
3156 replmd_replPropertyMetaData1_find_attid(struct replPropertyMetaDataBlob *md_blob,
3157 enum drsuapi_DsAttributeId attid)
3160 struct replPropertyMetaDataCtr1 *rpmd_ctr = &md_blob->ctr.ctr1;
3162 for (i = 0; i < rpmd_ctr->count; i++) {
3163 if (rpmd_ctr->array[i].attid == attid) {
3164 return &rpmd_ctr->array[i];
3172 return true if an update is newer than an existing entry
3173 see section 5.11 of MS-ADTS
3175 static bool replmd_update_is_newer(const struct GUID *current_invocation_id,
3176 const struct GUID *update_invocation_id,
3177 uint32_t current_version,
3178 uint32_t update_version,
3179 NTTIME current_change_time,
3180 NTTIME update_change_time)
3182 if (update_version != current_version) {
3183 return update_version > current_version;
3185 if (update_change_time != current_change_time) {
3186 return update_change_time > current_change_time;
3188 return GUID_compare(update_invocation_id, current_invocation_id) > 0;
3191 static bool replmd_replPropertyMetaData1_is_newer(struct replPropertyMetaData1 *cur_m,
3192 struct replPropertyMetaData1 *new_m)
3194 return replmd_update_is_newer(&cur_m->originating_invocation_id,
3195 &new_m->originating_invocation_id,
3198 cur_m->originating_change_time,
3199 new_m->originating_change_time);
3206 static struct ldb_dn *replmd_conflict_dn(TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct GUID *guid)
3208 const struct ldb_val *rdn_val;
3209 const char *rdn_name;
3210 struct ldb_dn *new_dn;
3212 rdn_val = ldb_dn_get_rdn_val(dn);
3213 rdn_name = ldb_dn_get_rdn_name(dn);
3214 if (!rdn_val || !rdn_name) {
3218 new_dn = ldb_dn_copy(mem_ctx, dn);
3223 if (!ldb_dn_remove_child_components(new_dn, 1)) {
3227 if (!ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ACNF:%s",
3229 ldb_dn_escape_value(new_dn, *rdn_val),
3230 GUID_string(new_dn, guid))) {
3239 perform a modify operation which sets the rDN and name attributes to
3240 their current values. This has the effect of changing these
3241 attributes to have been last updated by the current DC. This is
3242 needed to ensure that renames performed as part of conflict
3243 resolution are propogated to other DCs
3245 static int replmd_name_modify(struct replmd_replicated_request *ar,
3246 struct ldb_request *req, struct ldb_dn *dn)
3248 struct ldb_message *msg;
3249 const char *rdn_name;
3250 const struct ldb_val *rdn_val;
3251 const struct dsdb_attribute *rdn_attr;
3254 msg = ldb_msg_new(req);
3260 rdn_name = ldb_dn_get_rdn_name(dn);
3261 if (rdn_name == NULL) {
3265 /* normalize the rdn attribute name */
3266 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ar->schema, rdn_name);
3267 if (rdn_attr == NULL) {
3270 rdn_name = rdn_attr->lDAPDisplayName;
3272 rdn_val = ldb_dn_get_rdn_val(dn);
3273 if (rdn_val == NULL) {
3277 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3280 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
3283 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3286 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
3290 ret = dsdb_module_modify(ar->module, msg, DSDB_FLAG_OWN_MODULE, req);
3291 if (ret != LDB_SUCCESS) {
3292 DEBUG(0,(__location__ ": Failed to modify rDN/name of conflict DN '%s' - %s",
3293 ldb_dn_get_linearized(dn),
3294 ldb_errstring(ldb_module_get_ctx(ar->module))));
3304 DEBUG(0,(__location__ ": Failed to setup modify rDN/name of conflict DN '%s'",
3305 ldb_dn_get_linearized(dn)));
3306 return LDB_ERR_OPERATIONS_ERROR;
3311 callback for conflict DN handling where we have renamed the incoming
3312 record. After renaming it, we need to ensure the change of name and
3313 rDN for the incoming record is seen as an originating update by this DC.
3315 static int replmd_op_name_modify_callback(struct ldb_request *req, struct ldb_reply *ares)
3317 struct replmd_replicated_request *ar =
3318 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3321 if (ares->error != LDB_SUCCESS) {
3322 /* call the normal callback for everything except success */
3323 return replmd_op_callback(req, ares);
3326 /* perform a modify of the rDN and name of the record */
3327 ret = replmd_name_modify(ar, req, req->op.add.message->dn);
3328 if (ret != LDB_SUCCESS) {
3330 return replmd_op_callback(req, ares);
3333 return replmd_op_callback(req, ares);
3337 callback for replmd_replicated_apply_add()
3338 This copes with the creation of conflict records in the case where
3339 the DN exists, but with a different objectGUID
3341 static int replmd_op_add_callback(struct ldb_request *req, struct ldb_reply *ares)
3343 struct ldb_dn *conflict_dn;
3344 struct replmd_replicated_request *ar =
3345 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3346 struct ldb_result *res;
3347 const char *attrs[] = { "replPropertyMetaData", "objectGUID", NULL };
3349 const struct ldb_val *rmd_value, *omd_value;
3350 struct replPropertyMetaDataBlob omd, rmd;
3351 enum ndr_err_code ndr_err;
3352 bool rename_incoming_record, rodc;
3353 struct replPropertyMetaData1 *rmd_name, *omd_name;
3355 if (ares->error != LDB_ERR_ENTRY_ALREADY_EXISTS) {
3356 /* call the normal callback for everything except
3358 return replmd_op_callback(req, ares);
3361 ret = samdb_rodc(ldb_module_get_ctx(ar->module), &rodc);
3362 if (ret != LDB_SUCCESS) {
3366 * we have a conflict, and need to decide if we will keep the
3367 * new record or the old record
3369 conflict_dn = req->op.add.message->dn;
3373 * We are on an RODC, or were a GC for this
3374 * partition, so we have to fail this until
3375 * someone who owns the partition sorts it
3378 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3379 "Conflict adding object '%s' from incoming replication as we are read only for the partition. \n"
3380 " - We must fail the operation until a master for this partition resolves the conflict",
3381 ldb_dn_get_linearized(conflict_dn));
3386 * we have a conflict, and need to decide if we will keep the
3387 * new record or the old record
3389 conflict_dn = req->op.add.message->dn;
3392 * first we need the replPropertyMetaData attribute from the
3395 ret = dsdb_module_search_dn(ar->module, req, &res, conflict_dn,
3397 DSDB_FLAG_NEXT_MODULE |
3398 DSDB_SEARCH_SHOW_DELETED |
3399 DSDB_SEARCH_SHOW_RECYCLED, req);
3400 if (ret != LDB_SUCCESS) {
3401 DEBUG(0,(__location__ ": Unable to find object for conflicting record '%s'\n",
3402 ldb_dn_get_linearized(conflict_dn)));
3406 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
3407 if (omd_value == NULL) {
3408 DEBUG(0,(__location__ ": Unable to find replPropertyMetaData for conflicting record '%s'\n",
3409 ldb_dn_get_linearized(conflict_dn)));
3413 ndr_err = ndr_pull_struct_blob(omd_value, res->msgs[0], &omd,
3414 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3415 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3416 DEBUG(0,(__location__ ": Failed to parse old replPropertyMetaData for %s\n",
3417 ldb_dn_get_linearized(conflict_dn)));
3422 * and the replPropertyMetaData attribute from the
3425 rmd_value = ldb_msg_find_ldb_val(req->op.add.message, "replPropertyMetaData");
3426 if (rmd_value == NULL) {
3427 DEBUG(0,(__location__ ": Unable to find replPropertyMetaData for new record '%s'\n",
3428 ldb_dn_get_linearized(conflict_dn)));
3432 ndr_err = ndr_pull_struct_blob(rmd_value, req, &rmd,
3433 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3434 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3435 DEBUG(0,(__location__ ": Failed to parse new replPropertyMetaData for %s\n",
3436 ldb_dn_get_linearized(conflict_dn)));
3440 /* we decide which is newer based on the RPMD on the name
3441 attribute. See [MS-DRSR] ResolveNameConflict */
3442 rmd_name = replmd_replPropertyMetaData1_find_attid(&rmd, DRSUAPI_ATTID_name);
3443 omd_name = replmd_replPropertyMetaData1_find_attid(&omd, DRSUAPI_ATTID_name);
3444 if (!rmd_name || !omd_name) {
3445 DEBUG(0,(__location__ ": Failed to find name attribute in replPropertyMetaData for %s\n",
3446 ldb_dn_get_linearized(conflict_dn)));
3450 rename_incoming_record = !replmd_replPropertyMetaData1_is_newer(omd_name, rmd_name);
3452 if (rename_incoming_record) {
3454 struct ldb_dn *new_dn;
3455 struct ldb_message *new_msg;
3457 guid = samdb_result_guid(req->op.add.message, "objectGUID");
3458 if (GUID_all_zero(&guid)) {
3459 DEBUG(0,(__location__ ": Failed to find objectGUID for conflicting incoming record %s\n",
3460 ldb_dn_get_linearized(conflict_dn)));
3463 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3464 if (new_dn == NULL) {
3465 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3466 ldb_dn_get_linearized(conflict_dn)));
3470 DEBUG(1,(__location__ ": Resolving conflict record via incoming rename '%s' -> '%s'\n",
3471 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3473 /* re-submit the request, but with a different
3474 callback, so we don't loop forever. */
3475 new_msg = ldb_msg_copy_shallow(req, req->op.add.message);
3478 DEBUG(0,(__location__ ": Failed to copy conflict DN message for %s\n",
3479 ldb_dn_get_linearized(conflict_dn)));
3481 new_msg->dn = new_dn;
3482 req->op.add.message = new_msg;
3483 req->callback = replmd_op_name_modify_callback;
3485 return ldb_next_request(ar->module, req);
3487 /* we are renaming the existing record */
3489 struct ldb_dn *new_dn;
3491 guid = samdb_result_guid(res->msgs[0], "objectGUID");
3492 if (GUID_all_zero(&guid)) {
3493 DEBUG(0,(__location__ ": Failed to find objectGUID for existing conflict record %s\n",
3494 ldb_dn_get_linearized(conflict_dn)));
3498 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3499 if (new_dn == NULL) {
3500 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3501 ldb_dn_get_linearized(conflict_dn)));
3505 DEBUG(1,(__location__ ": Resolving conflict record via existing rename '%s' -> '%s'\n",
3506 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3508 ret = dsdb_module_rename(ar->module, conflict_dn, new_dn,
3509 DSDB_FLAG_OWN_MODULE, req);
3510 if (ret != LDB_SUCCESS) {
3511 DEBUG(0,(__location__ ": Failed to rename conflict dn '%s' to '%s' - %s\n",
3512 ldb_dn_get_linearized(conflict_dn),
3513 ldb_dn_get_linearized(new_dn),
3514 ldb_errstring(ldb_module_get_ctx(ar->module))));
3519 * now we need to ensure that the rename is seen as an
3520 * originating update. We do that with a modify.
3522 ret = replmd_name_modify(ar, req, new_dn);
3523 if (ret != LDB_SUCCESS) {
3527 req->callback = replmd_op_callback;
3529 return ldb_next_request(ar->module, req);
3533 /* on failure do the original callback. This means replication
3534 * will stop with an error, but there is not much else we can
3537 return replmd_op_callback(req, ares);
3541 this is called when a new object comes in over DRS
3543 static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
3545 struct ldb_context *ldb;
3546 struct ldb_request *change_req;
3547 enum ndr_err_code ndr_err;
3548 struct ldb_message *msg;
3549 struct replPropertyMetaDataBlob *md;
3550 struct ldb_val md_value;
3555 * TODO: check if the parent object exist
3559 * TODO: handle the conflict case where an object with the
3563 ldb = ldb_module_get_ctx(ar->module);
3564 msg = ar->objs->objects[ar->index_current].msg;
3565 md = ar->objs->objects[ar->index_current].meta_data;
3567 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
3568 if (ret != LDB_SUCCESS) {
3569 return replmd_replicated_request_error(ar, ret);
3572 ret = ldb_msg_add_value(msg, "objectGUID", &ar->objs->objects[ar->index_current].guid_value, NULL);
3573 if (ret != LDB_SUCCESS) {
3574 return replmd_replicated_request_error(ar, ret);
3577 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
3578 if (ret != LDB_SUCCESS) {
3579 return replmd_replicated_request_error(ar, ret);
3582 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ar->seq_num);
3583 if (ret != LDB_SUCCESS) {
3584 return replmd_replicated_request_error(ar, ret);
3587 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
3588 if (ret != LDB_SUCCESS) {
3589 return replmd_replicated_request_error(ar, ret);
3592 /* remove any message elements that have zero values */
3593 for (i=0; i<msg->num_elements; i++) {
3594 struct ldb_message_element *el = &msg->elements[i];
3596 if (el->num_values == 0) {
3597 DEBUG(4,(__location__ ": Removing attribute %s with num_values==0\n",
3599 memmove(el, el+1, sizeof(*el)*(msg->num_elements - (i+1)));
3600 msg->num_elements--;
3607 * the meta data array is already sorted by the caller
3609 for (i=0; i < md->ctr.ctr1.count; i++) {
3610 md->ctr.ctr1.array[i].local_usn = ar->seq_num;
3612 ndr_err = ndr_push_struct_blob(&md_value, msg, md,
3613 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
3614 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3615 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
3616 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
3618 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &md_value, NULL);
3619 if (ret != LDB_SUCCESS) {
3620 return replmd_replicated_request_error(ar, ret);
3623 replmd_ldb_message_sort(msg, ar->schema);
3626 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_ADD, msg);
3627 DEBUG(4, ("DRS replication add message:\n%s\n", s));
3631 ret = ldb_build_add_req(&change_req,
3637 replmd_op_add_callback,
3639 LDB_REQ_SET_LOCATION(change_req);
3640 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3642 /* current partition control needed by "repmd_op_callback" */
3643 ret = ldb_request_add_control(change_req,
3644 DSDB_CONTROL_CURRENT_PARTITION_OID,
3646 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3648 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) {
3649 /* this tells the partition module to make it a
3650 partial replica if creating an NC */
3651 ret = ldb_request_add_control(change_req,
3652 DSDB_CONTROL_PARTIAL_REPLICA,
3654 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3657 return ldb_next_request(ar->module, change_req);
3661 handle renames that come in over DRS replication
3663 static int replmd_replicated_handle_rename(struct replmd_replicated_request *ar,
3664 struct ldb_message *msg,
3665 struct replPropertyMetaDataBlob *rmd,
3666 struct replPropertyMetaDataBlob *omd,
3667 struct ldb_request *parent)
3669 struct replPropertyMetaData1 *md_remote;
3670 struct replPropertyMetaData1 *md_local;
3672 if (ldb_dn_compare(msg->dn, ar->search_msg->dn) == 0) {
3677 /* now we need to check for double renames. We could have a
3678 * local rename pending which our replication partner hasn't
3679 * received yet. We choose which one wins by looking at the
3680 * attribute stamps on the two objects, the newer one wins
3682 md_remote = replmd_replPropertyMetaData1_find_attid(rmd, DRSUAPI_ATTID_name);
3683 md_local = replmd_replPropertyMetaData1_find_attid(omd, DRSUAPI_ATTID_name);
3684 /* if there is no name attribute then we have to assume the
3685 object we've received is in fact newer */
3686 if (!md_remote || !md_local ||
3687 replmd_replPropertyMetaData1_is_newer(md_local, md_remote)) {
3688 DEBUG(4,("replmd_replicated_request rename %s => %s\n",
3689 ldb_dn_get_linearized(ar->search_msg->dn),
3690 ldb_dn_get_linearized(msg->dn)));
3691 /* pass rename to the next module
3692 * so it doesn't appear as an originating update */
3693 return dsdb_module_rename(ar->module,
3694 ar->search_msg->dn, msg->dn,
3695 DSDB_FLAG_NEXT_MODULE | DSDB_MODIFY_RELAX, parent);
3698 /* we're going to keep our old object */
3699 DEBUG(4,(__location__ ": Keeping object %s and rejecting older rename to %s\n",
3700 ldb_dn_get_linearized(ar->search_msg->dn),
3701 ldb_dn_get_linearized(msg->dn)));
3706 static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
3708 struct ldb_context *ldb;
3709 struct ldb_request *change_req;
3710 enum ndr_err_code ndr_err;
3711 struct ldb_message *msg;
3712 struct replPropertyMetaDataBlob *rmd;
3713 struct replPropertyMetaDataBlob omd;
3714 const struct ldb_val *omd_value;
3715 struct replPropertyMetaDataBlob nmd;
3716 struct ldb_val nmd_value;
3719 unsigned int removed_attrs = 0;
3722 ldb = ldb_module_get_ctx(ar->module);
3723 msg = ar->objs->objects[ar->index_current].msg;
3724 rmd = ar->objs->objects[ar->index_current].meta_data;
3728 /* find existing meta data */
3729 omd_value = ldb_msg_find_ldb_val(ar->search_msg, "replPropertyMetaData");
3731 ndr_err = ndr_pull_struct_blob(omd_value, ar, &omd,
3732 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3733 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3734 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
3735 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
3738 if (omd.version != 1) {
3739 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
3743 /* handle renames that come in over DRS */
3744 ret = replmd_replicated_handle_rename(ar, msg, rmd, &omd, ar->req);
3745 if (ret != LDB_SUCCESS) {
3746 ldb_debug(ldb, LDB_DEBUG_FATAL,
3747 "replmd_replicated_request rename %s => %s failed - %s\n",
3748 ldb_dn_get_linearized(ar->search_msg->dn),
3749 ldb_dn_get_linearized(msg->dn),
3750 ldb_errstring(ldb));
3751 return replmd_replicated_request_werror(ar, WERR_DS_DRA_DB_ERROR);
3756 nmd.ctr.ctr1.count = omd.ctr.ctr1.count + rmd->ctr.ctr1.count;
3757 nmd.ctr.ctr1.array = talloc_array(ar,
3758 struct replPropertyMetaData1,
3759 nmd.ctr.ctr1.count);
3760 if (!nmd.ctr.ctr1.array) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3762 /* first copy the old meta data */
3763 for (i=0; i < omd.ctr.ctr1.count; i++) {
3764 nmd.ctr.ctr1.array[ni] = omd.ctr.ctr1.array[i];
3769 /* now merge in the new meta data */
3770 for (i=0; i < rmd->ctr.ctr1.count; i++) {
3773 for (j=0; j < ni; j++) {
3776 if (rmd->ctr.ctr1.array[i].attid != nmd.ctr.ctr1.array[j].attid) {
3780 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING) {
3781 /* if we compare equal then do an
3782 update. This is used when a client
3783 asks for a FULL_SYNC, and can be
3784 used to recover a corrupt
3786 cmp = !replmd_replPropertyMetaData1_is_newer(&rmd->ctr.ctr1.array[i],
3787 &nmd.ctr.ctr1.array[j]);
3789 cmp = replmd_replPropertyMetaData1_is_newer(&nmd.ctr.ctr1.array[j],
3790 &rmd->ctr.ctr1.array[i]);
3793 /* replace the entry */
3794 nmd.ctr.ctr1.array[j] = rmd->ctr.ctr1.array[i];
3795 if (ar->seq_num == 0) {
3796 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
3797 if (ret != LDB_SUCCESS) {
3798 return replmd_replicated_request_error(ar, ret);
3801 nmd.ctr.ctr1.array[j].local_usn = ar->seq_num;
3806 if (rmd->ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType) {
3807 DEBUG(3,("Discarding older DRS attribute update to %s on %s from %s\n",
3808 msg->elements[i-removed_attrs].name,
3809 ldb_dn_get_linearized(msg->dn),
3810 GUID_string(ar, &rmd->ctr.ctr1.array[i].originating_invocation_id)));
3813 /* we don't want to apply this change so remove the attribute */
3814 ldb_msg_remove_element(msg, &msg->elements[i-removed_attrs]);
3821 if (found) continue;
3823 nmd.ctr.ctr1.array[ni] = rmd->ctr.ctr1.array[i];
3824 if (ar->seq_num == 0) {
3825 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
3826 if (ret != LDB_SUCCESS) {
3827 return replmd_replicated_request_error(ar, ret);
3830 nmd.ctr.ctr1.array[ni].local_usn = ar->seq_num;
3835 * finally correct the size of the meta_data array
3837 nmd.ctr.ctr1.count = ni;
3840 * the rdn attribute (the alias for the name attribute),
3841 * 'cn' for most objects is the last entry in the meta data array
3844 * sort the new meta data array
3846 ret = replmd_replPropertyMetaDataCtr1_sort(&nmd.ctr.ctr1, ar->schema, msg->dn);
3847 if (ret != LDB_SUCCESS) {
3852 * check if some replicated attributes left, otherwise skip the ldb_modify() call
3854 if (msg->num_elements == 0) {
3855 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: skip replace\n",
3858 ar->index_current++;
3859 return replmd_replicated_apply_next(ar);
3862 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: replace %u attributes\n",
3863 ar->index_current, msg->num_elements);
3865 /* create the meta data value */
3866 ndr_err = ndr_push_struct_blob(&nmd_value, msg, &nmd,
3867 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
3868 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3869 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
3870 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
3874 * when we know that we'll modify the record, add the whenChanged, uSNChanged
3875 * and replPopertyMetaData attributes
3877 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
3878 if (ret != LDB_SUCCESS) {
3879 return replmd_replicated_request_error(ar, ret);
3881 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
3882 if (ret != LDB_SUCCESS) {
3883 return replmd_replicated_request_error(ar, ret);
3885 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
3886 if (ret != LDB_SUCCESS) {
3887 return replmd_replicated_request_error(ar, ret);
3890 replmd_ldb_message_sort(msg, ar->schema);
3892 /* we want to replace the old values */
3893 for (i=0; i < msg->num_elements; i++) {
3894 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
3898 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
3899 DEBUG(4, ("DRS replication modify message:\n%s\n", s));
3903 ret = ldb_build_mod_req(&change_req,
3911 LDB_REQ_SET_LOCATION(change_req);
3912 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3914 /* current partition control needed by "repmd_op_callback" */
3915 ret = ldb_request_add_control(change_req,
3916 DSDB_CONTROL_CURRENT_PARTITION_OID,
3918 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3920 return ldb_next_request(ar->module, change_req);
3923 static int replmd_replicated_apply_search_callback(struct ldb_request *req,
3924 struct ldb_reply *ares)
3926 struct replmd_replicated_request *ar = talloc_get_type(req->context,
3927 struct replmd_replicated_request);
3931 return ldb_module_done(ar->req, NULL, NULL,
3932 LDB_ERR_OPERATIONS_ERROR);
3934 if (ares->error != LDB_SUCCESS &&
3935 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
3936 return ldb_module_done(ar->req, ares->controls,
3937 ares->response, ares->error);
3940 switch (ares->type) {
3941 case LDB_REPLY_ENTRY:
3942 ar->search_msg = talloc_steal(ar, ares->message);
3945 case LDB_REPLY_REFERRAL:
3946 /* we ignore referrals */
3949 case LDB_REPLY_DONE:
3950 if (ar->search_msg != NULL) {
3951 ret = replmd_replicated_apply_merge(ar);
3953 ret = replmd_replicated_apply_add(ar);
3955 if (ret != LDB_SUCCESS) {
3956 return ldb_module_done(ar->req, NULL, NULL, ret);
3964 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar);
3966 static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
3968 struct ldb_context *ldb;
3972 struct ldb_request *search_req;
3973 struct ldb_search_options_control *options;
3975 if (ar->index_current >= ar->objs->num_objects) {
3976 /* done with it, go to next stage */
3977 return replmd_replicated_uptodate_vector(ar);
3980 ldb = ldb_module_get_ctx(ar->module);
3981 ar->search_msg = NULL;
3983 tmp_str = ldb_binary_encode(ar, ar->objs->objects[ar->index_current].guid_value);
3984 if (!tmp_str) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3986 filter = talloc_asprintf(ar, "(objectGUID=%s)", tmp_str);
3987 if (!filter) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3988 talloc_free(tmp_str);
3990 ret = ldb_build_search_req(&search_req,
3999 replmd_replicated_apply_search_callback,
4001 LDB_REQ_SET_LOCATION(search_req);
4003 ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_RECYCLED_OID,
4005 if (ret != LDB_SUCCESS) {
4009 /* we need to cope with cross-partition links, so search for
4010 the GUID over all partitions */
4011 options = talloc(search_req, struct ldb_search_options_control);
4012 if (options == NULL) {
4013 DEBUG(0, (__location__ ": out of memory\n"));
4014 return LDB_ERR_OPERATIONS_ERROR;
4016 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
4018 ret = ldb_request_add_control(search_req,
4019 LDB_CONTROL_SEARCH_OPTIONS_OID,
4021 if (ret != LDB_SUCCESS) {
4025 return ldb_next_request(ar->module, search_req);
4028 static int replmd_replicated_uptodate_modify_callback(struct ldb_request *req,
4029 struct ldb_reply *ares)
4031 struct ldb_context *ldb;
4032 struct replmd_replicated_request *ar = talloc_get_type(req->context,
4033 struct replmd_replicated_request);
4034 ldb = ldb_module_get_ctx(ar->module);
4037 return ldb_module_done(ar->req, NULL, NULL,
4038 LDB_ERR_OPERATIONS_ERROR);
4040 if (ares->error != LDB_SUCCESS) {
4041 return ldb_module_done(ar->req, ares->controls,
4042 ares->response, ares->error);
4045 if (ares->type != LDB_REPLY_DONE) {
4046 ldb_asprintf_errstring(ldb, "Invalid LDB reply type %d", ares->type);
4047 return ldb_module_done(ar->req, NULL, NULL,
4048 LDB_ERR_OPERATIONS_ERROR);
4053 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4056 static int replmd_replicated_uptodate_modify(struct replmd_replicated_request *ar)
4058 struct ldb_context *ldb;
4059 struct ldb_request *change_req;
4060 enum ndr_err_code ndr_err;
4061 struct ldb_message *msg;
4062 struct replUpToDateVectorBlob ouv;
4063 const struct ldb_val *ouv_value;
4064 const struct drsuapi_DsReplicaCursor2CtrEx *ruv;
4065 struct replUpToDateVectorBlob nuv;
4066 struct ldb_val nuv_value;
4067 struct ldb_message_element *nuv_el = NULL;
4068 const struct GUID *our_invocation_id;
4069 struct ldb_message_element *orf_el = NULL;
4070 struct repsFromToBlob nrf;
4071 struct ldb_val *nrf_value = NULL;
4072 struct ldb_message_element *nrf_el = NULL;
4076 time_t t = time(NULL);
4079 uint32_t instanceType;
4081 ldb = ldb_module_get_ctx(ar->module);
4082 ruv = ar->objs->uptodateness_vector;
4088 unix_to_nt_time(&now, t);
4090 if (ar->search_msg == NULL) {
4091 /* this happens for a REPL_OBJ call where we are
4092 creating the target object by replicating it. The
4093 subdomain join code does this for the partition DN
4095 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as no target DN\n"));
4096 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4099 instanceType = ldb_msg_find_attr_as_uint(ar->search_msg, "instanceType", 0);
4100 if (! (instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
4101 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as not NC root: %s\n",
4102 ldb_dn_get_linearized(ar->search_msg->dn)));
4103 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4107 * first create the new replUpToDateVector
4109 ouv_value = ldb_msg_find_ldb_val(ar->search_msg, "replUpToDateVector");
4111 ndr_err = ndr_pull_struct_blob(ouv_value, ar, &ouv,
4112 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
4113 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4114 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4115 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4118 if (ouv.version != 2) {
4119 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4124 * the new uptodateness vector will at least
4125 * contain 1 entry, one for the source_dsa
4127 * plus optional values from our old vector and the one from the source_dsa
4129 nuv.ctr.ctr2.count = 1 + ouv.ctr.ctr2.count;
4130 if (ruv) nuv.ctr.ctr2.count += ruv->count;
4131 nuv.ctr.ctr2.cursors = talloc_array(ar,
4132 struct drsuapi_DsReplicaCursor2,
4133 nuv.ctr.ctr2.count);
4134 if (!nuv.ctr.ctr2.cursors) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4136 /* first copy the old vector */
4137 for (i=0; i < ouv.ctr.ctr2.count; i++) {
4138 nuv.ctr.ctr2.cursors[ni] = ouv.ctr.ctr2.cursors[i];
4142 /* get our invocation_id if we have one already attached to the ldb */
4143 our_invocation_id = samdb_ntds_invocation_id(ldb);
4145 /* merge in the source_dsa vector is available */
4146 for (i=0; (ruv && i < ruv->count); i++) {
4149 if (our_invocation_id &&
4150 GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
4151 our_invocation_id)) {
4155 for (j=0; j < ni; j++) {
4156 if (!GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
4157 &nuv.ctr.ctr2.cursors[j].source_dsa_invocation_id)) {
4164 * we update only the highest_usn and not the latest_sync_success time,
4165 * because the last success stands for direct replication
4167 if (ruv->cursors[i].highest_usn > nuv.ctr.ctr2.cursors[j].highest_usn) {
4168 nuv.ctr.ctr2.cursors[j].highest_usn = ruv->cursors[i].highest_usn;
4173 if (found) continue;
4175 /* if it's not there yet, add it */
4176 nuv.ctr.ctr2.cursors[ni] = ruv->cursors[i];
4181 * merge in the current highwatermark for the source_dsa
4184 for (j=0; j < ni; j++) {
4185 if (!GUID_equal(&ar->objs->source_dsa->source_dsa_invocation_id,
4186 &nuv.ctr.ctr2.cursors[j].source_dsa_invocation_id)) {
4193 * here we update the highest_usn and last_sync_success time
4194 * because we're directly replicating from the source_dsa
4196 * and use the tmp_highest_usn because this is what we have just applied
4199 nuv.ctr.ctr2.cursors[j].highest_usn = ar->objs->source_dsa->highwatermark.tmp_highest_usn;
4200 nuv.ctr.ctr2.cursors[j].last_sync_success = now;
4205 * here we update the highest_usn and last_sync_success time
4206 * because we're directly replicating from the source_dsa
4208 * and use the tmp_highest_usn because this is what we have just applied
4211 nuv.ctr.ctr2.cursors[ni].source_dsa_invocation_id= ar->objs->source_dsa->source_dsa_invocation_id;
4212 nuv.ctr.ctr2.cursors[ni].highest_usn = ar->objs->source_dsa->highwatermark.tmp_highest_usn;
4213 nuv.ctr.ctr2.cursors[ni].last_sync_success = now;
4218 * finally correct the size of the cursors array
4220 nuv.ctr.ctr2.count = ni;
4225 TYPESAFE_QSORT(nuv.ctr.ctr2.cursors, nuv.ctr.ctr2.count, drsuapi_DsReplicaCursor2_compare);
4228 * create the change ldb_message
4230 msg = ldb_msg_new(ar);
4231 if (!msg) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4232 msg->dn = ar->search_msg->dn;
4234 ndr_err = ndr_push_struct_blob(&nuv_value, msg, &nuv,
4235 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
4236 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4237 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4238 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4240 ret = ldb_msg_add_value(msg, "replUpToDateVector", &nuv_value, &nuv_el);
4241 if (ret != LDB_SUCCESS) {
4242 return replmd_replicated_request_error(ar, ret);
4244 nuv_el->flags = LDB_FLAG_MOD_REPLACE;
4247 * now create the new repsFrom value from the given repsFromTo1 structure
4251 nrf.ctr.ctr1 = *ar->objs->source_dsa;
4252 nrf.ctr.ctr1.highwatermark.highest_usn = nrf.ctr.ctr1.highwatermark.tmp_highest_usn;
4255 * first see if we already have a repsFrom value for the current source dsa
4256 * if so we'll later replace this value
4258 orf_el = ldb_msg_find_element(ar->search_msg, "repsFrom");
4260 for (i=0; i < orf_el->num_values; i++) {
4261 struct repsFromToBlob *trf;
4263 trf = talloc(ar, struct repsFromToBlob);
4264 if (!trf) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4266 ndr_err = ndr_pull_struct_blob(&orf_el->values[i], trf, trf,
4267 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
4268 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4269 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4270 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4273 if (trf->version != 1) {
4274 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4278 * we compare the source dsa objectGUID not the invocation_id
4279 * because we want only one repsFrom value per source dsa
4280 * and when the invocation_id of the source dsa has changed we don't need
4281 * the old repsFrom with the old invocation_id
4283 if (!GUID_equal(&trf->ctr.ctr1.source_dsa_obj_guid,
4284 &ar->objs->source_dsa->source_dsa_obj_guid)) {
4290 nrf_value = &orf_el->values[i];
4295 * copy over all old values to the new ldb_message
4297 ret = ldb_msg_add_empty(msg, "repsFrom", 0, &nrf_el);
4298 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4303 * if we haven't found an old repsFrom value for the current source dsa
4304 * we'll add a new value
4307 struct ldb_val zero_value;
4308 ZERO_STRUCT(zero_value);
4309 ret = ldb_msg_add_value(msg, "repsFrom", &zero_value, &nrf_el);
4310 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4312 nrf_value = &nrf_el->values[nrf_el->num_values - 1];
4315 /* we now fill the value which is already attached to ldb_message */
4316 ndr_err = ndr_push_struct_blob(nrf_value, msg,
4318 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
4319 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4320 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4321 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4325 * the ldb_message_element for the attribute, has all the old values and the new one
4326 * so we'll replace the whole attribute with all values
4328 nrf_el->flags = LDB_FLAG_MOD_REPLACE;
4330 if (CHECK_DEBUGLVL(4)) {
4331 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
4332 DEBUG(4, ("DRS replication uptodate modify message:\n%s\n", s));
4336 /* prepare the ldb_modify() request */
4337 ret = ldb_build_mod_req(&change_req,
4343 replmd_replicated_uptodate_modify_callback,
4345 LDB_REQ_SET_LOCATION(change_req);
4346 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4348 return ldb_next_request(ar->module, change_req);
4351 static int replmd_replicated_uptodate_search_callback(struct ldb_request *req,
4352 struct ldb_reply *ares)
4354 struct replmd_replicated_request *ar = talloc_get_type(req->context,
4355 struct replmd_replicated_request);
4359 return ldb_module_done(ar->req, NULL, NULL,
4360 LDB_ERR_OPERATIONS_ERROR);
4362 if (ares->error != LDB_SUCCESS &&
4363 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
4364 return ldb_module_done(ar->req, ares->controls,
4365 ares->response, ares->error);
4368 switch (ares->type) {
4369 case LDB_REPLY_ENTRY:
4370 ar->search_msg = talloc_steal(ar, ares->message);
4373 case LDB_REPLY_REFERRAL:
4374 /* we ignore referrals */
4377 case LDB_REPLY_DONE:
4378 ret = replmd_replicated_uptodate_modify(ar);
4379 if (ret != LDB_SUCCESS) {
4380 return ldb_module_done(ar->req, NULL, NULL, ret);
4389 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar)
4391 struct ldb_context *ldb;
4393 static const char *attrs[] = {
4394 "replUpToDateVector",
4399 struct ldb_request *search_req;
4401 ldb = ldb_module_get_ctx(ar->module);
4402 ar->search_msg = NULL;
4404 ret = ldb_build_search_req(&search_req,
4407 ar->objs->partition_dn,
4413 replmd_replicated_uptodate_search_callback,
4415 LDB_REQ_SET_LOCATION(search_req);
4416 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4418 return ldb_next_request(ar->module, search_req);
4423 static int replmd_extended_replicated_objects(struct ldb_module *module, struct ldb_request *req)
4425 struct ldb_context *ldb;
4426 struct dsdb_extended_replicated_objects *objs;
4427 struct replmd_replicated_request *ar;
4428 struct ldb_control **ctrls;
4431 struct replmd_private *replmd_private =
4432 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
4433 struct dsdb_control_replicated_update *rep_update;
4435 ldb = ldb_module_get_ctx(module);
4437 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_extended_replicated_objects\n");
4439 objs = talloc_get_type(req->op.extended.data, struct dsdb_extended_replicated_objects);
4441 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: invalid extended data\n");
4442 return LDB_ERR_PROTOCOL_ERROR;
4445 if (objs->version != DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION) {
4446 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: extended data invalid version [%u != %u]\n",
4447 objs->version, DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION);
4448 return LDB_ERR_PROTOCOL_ERROR;
4451 ar = replmd_ctx_init(module, req);
4453 return LDB_ERR_OPERATIONS_ERROR;
4455 /* Set the flags to have the replmd_op_callback run over the full set of objects */
4456 ar->apply_mode = true;
4458 ar->schema = dsdb_get_schema(ldb, ar);
4460 ldb_debug_set(ldb, LDB_DEBUG_FATAL, "replmd_ctx_init: no loaded schema found\n");
4462 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
4463 return LDB_ERR_CONSTRAINT_VIOLATION;
4466 ctrls = req->controls;
4468 if (req->controls) {
4469 req->controls = talloc_memdup(ar, req->controls,
4470 talloc_get_size(req->controls));
4471 if (!req->controls) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4474 /* This allows layers further down to know if a change came in
4475 over replication and what the replication flags were */
4476 rep_update = talloc_zero(ar, struct dsdb_control_replicated_update);
4477 if (rep_update == NULL) {
4478 return ldb_module_oom(module);
4480 rep_update->dsdb_repl_flags = objs->dsdb_repl_flags;
4482 ret = ldb_request_add_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID, false, rep_update);
4483 if (ret != LDB_SUCCESS) {
4487 /* If this change contained linked attributes in the body
4488 * (rather than in the links section) we need to update
4489 * backlinks in linked_attributes */
4490 ret = ldb_request_add_control(req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
4491 if (ret != LDB_SUCCESS) {
4495 ar->controls = req->controls;
4496 req->controls = ctrls;
4498 DEBUG(4,("linked_attributes_count=%u\n", objs->linked_attributes_count));
4500 /* save away the linked attributes for the end of the
4502 for (i=0; i<ar->objs->linked_attributes_count; i++) {
4503 struct la_entry *la_entry;
4505 if (replmd_private->la_ctx == NULL) {
4506 replmd_private->la_ctx = talloc_new(replmd_private);
4508 la_entry = talloc(replmd_private->la_ctx, struct la_entry);
4509 if (la_entry == NULL) {
4511 return LDB_ERR_OPERATIONS_ERROR;
4513 la_entry->la = talloc(la_entry, struct drsuapi_DsReplicaLinkedAttribute);
4514 if (la_entry->la == NULL) {
4515 talloc_free(la_entry);
4517 return LDB_ERR_OPERATIONS_ERROR;
4519 *la_entry->la = ar->objs->linked_attributes[i];
4521 /* we need to steal the non-scalars so they stay
4522 around until the end of the transaction */
4523 talloc_steal(la_entry->la, la_entry->la->identifier);
4524 talloc_steal(la_entry->la, la_entry->la->value.blob);
4526 DLIST_ADD(replmd_private->la_list, la_entry);
4529 return replmd_replicated_apply_next(ar);
4533 process one linked attribute structure
4535 static int replmd_process_linked_attribute(struct ldb_module *module,
4536 struct la_entry *la_entry,
4537 struct ldb_request *parent)
4539 struct drsuapi_DsReplicaLinkedAttribute *la = la_entry->la;
4540 struct ldb_context *ldb = ldb_module_get_ctx(module);
4541 struct ldb_message *msg;
4542 TALLOC_CTX *tmp_ctx = talloc_new(la_entry);
4543 const struct dsdb_schema *schema = dsdb_get_schema(ldb, tmp_ctx);
4545 const struct dsdb_attribute *attr;
4546 struct dsdb_dn *dsdb_dn;
4547 uint64_t seq_num = 0;
4548 struct ldb_message_element *old_el;
4550 time_t t = time(NULL);
4551 struct ldb_result *res;
4552 const char *attrs[2];
4553 struct parsed_dn *pdn_list, *pdn;
4554 struct GUID guid = GUID_zero();
4556 bool active = (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?true:false;
4557 const struct GUID *our_invocation_id;
4560 linked_attributes[0]:
4561 &objs->linked_attributes[i]: struct drsuapi_DsReplicaLinkedAttribute
4563 identifier: struct drsuapi_DsReplicaObjectIdentifier
4564 __ndr_size : 0x0000003a (58)
4565 __ndr_size_sid : 0x00000000 (0)
4566 guid : 8e95b6a9-13dd-4158-89db-3220a5be5cc7
4568 __ndr_size_dn : 0x00000000 (0)
4570 attid : DRSUAPI_ATTID_member (0x1F)
4571 value: struct drsuapi_DsAttributeValue
4572 __ndr_size : 0x0000007e (126)
4574 blob : DATA_BLOB length=126
4575 flags : 0x00000001 (1)
4576 1: DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
4577 originating_add_time : Wed Sep 2 22:20:01 2009 EST
4578 meta_data: struct drsuapi_DsReplicaMetaData
4579 version : 0x00000015 (21)
4580 originating_change_time : Wed Sep 2 23:39:07 2009 EST
4581 originating_invocation_id: 794640f3-18cf-40ee-a211-a93992b67a64
4582 originating_usn : 0x000000000001e19c (123292)
4584 (for cases where the link is to a normal DN)
4585 &target: struct drsuapi_DsReplicaObjectIdentifier3
4586 __ndr_size : 0x0000007e (126)
4587 __ndr_size_sid : 0x0000001c (28)
4588 guid : 7639e594-db75-4086-b0d4-67890ae46031
4589 sid : S-1-5-21-2848215498-2472035911-1947525656-19924
4590 __ndr_size_dn : 0x00000022 (34)
4591 dn : 'CN=UOne,OU=TestOU,DC=vsofs8,DC=com'
4594 /* find the attribute being modified */
4595 attr = dsdb_attribute_by_attributeID_id(schema, la->attid);
4597 DEBUG(0, (__location__ ": Unable to find attributeID 0x%x\n", la->attid));
4598 talloc_free(tmp_ctx);
4599 return LDB_ERR_OPERATIONS_ERROR;
4602 attrs[0] = attr->lDAPDisplayName;
4605 /* get the existing message from the db for the object with
4606 this GUID, returning attribute being modified. We will then
4607 use this msg as the basis for a modify call */
4608 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
4609 DSDB_FLAG_NEXT_MODULE |
4610 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
4611 DSDB_SEARCH_SHOW_RECYCLED |
4612 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
4613 DSDB_SEARCH_REVEAL_INTERNALS,
4615 "objectGUID=%s", GUID_string(tmp_ctx, &la->identifier->guid));
4616 if (ret != LDB_SUCCESS) {
4617 talloc_free(tmp_ctx);
4620 if (res->count != 1) {
4621 ldb_asprintf_errstring(ldb, "DRS linked attribute for GUID %s - DN not found",
4622 GUID_string(tmp_ctx, &la->identifier->guid));
4623 talloc_free(tmp_ctx);
4624 return LDB_ERR_NO_SUCH_OBJECT;
4628 if (msg->num_elements == 0) {
4629 ret = ldb_msg_add_empty(msg, attr->lDAPDisplayName, LDB_FLAG_MOD_REPLACE, &old_el);
4630 if (ret != LDB_SUCCESS) {
4631 ldb_module_oom(module);
4632 talloc_free(tmp_ctx);
4633 return LDB_ERR_OPERATIONS_ERROR;
4636 old_el = &msg->elements[0];
4637 old_el->flags = LDB_FLAG_MOD_REPLACE;
4640 /* parse the existing links */
4641 ret = get_parsed_dns(module, tmp_ctx, old_el, &pdn_list, attr->syntax->ldap_oid, parent);
4642 if (ret != LDB_SUCCESS) {
4643 talloc_free(tmp_ctx);
4647 /* get our invocationId */
4648 our_invocation_id = samdb_ntds_invocation_id(ldb);
4649 if (!our_invocation_id) {
4650 ldb_debug_set(ldb, LDB_DEBUG_ERROR, __location__ ": unable to find invocationId\n");
4651 talloc_free(tmp_ctx);
4652 return LDB_ERR_OPERATIONS_ERROR;
4655 ret = replmd_check_upgrade_links(pdn_list, old_el->num_values, old_el, our_invocation_id);
4656 if (ret != LDB_SUCCESS) {
4657 talloc_free(tmp_ctx);
4661 status = dsdb_dn_la_from_blob(ldb, attr, schema, tmp_ctx, la->value.blob, &dsdb_dn);
4662 if (!W_ERROR_IS_OK(status)) {
4663 ldb_asprintf_errstring(ldb, "Failed to parsed linked attribute blob for %s on %s - %s\n",
4664 old_el->name, ldb_dn_get_linearized(msg->dn), win_errstr(status));
4665 return LDB_ERR_OPERATIONS_ERROR;
4668 ntstatus = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid, "GUID");
4669 if (!NT_STATUS_IS_OK(ntstatus) && active) {
4670 ldb_asprintf_errstring(ldb, "Failed to find GUID in linked attribute blob for %s on %s from %s",
4672 ldb_dn_get_linearized(dsdb_dn->dn),
4673 ldb_dn_get_linearized(msg->dn));
4674 return LDB_ERR_OPERATIONS_ERROR;
4677 /* re-resolve the DN by GUID, as the DRS server may give us an
4679 ret = dsdb_module_dn_by_guid(module, dsdb_dn, &guid, &dsdb_dn->dn, parent);
4680 if (ret != LDB_SUCCESS) {
4681 DEBUG(2,(__location__ ": WARNING: Failed to re-resolve GUID %s - using %s\n",
4682 GUID_string(tmp_ctx, &guid),
4683 ldb_dn_get_linearized(dsdb_dn->dn)));
4686 /* see if this link already exists */
4687 pdn = parsed_dn_find(pdn_list, old_el->num_values, &guid, dsdb_dn->dn);
4689 /* see if this update is newer than what we have already */
4690 struct GUID invocation_id = GUID_zero();
4691 uint32_t version = 0;
4692 uint32_t originating_usn = 0;
4693 NTTIME change_time = 0;
4694 uint32_t rmd_flags = dsdb_dn_rmd_flags(pdn->dsdb_dn->dn);
4696 dsdb_get_extended_dn_guid(pdn->dsdb_dn->dn, &invocation_id, "RMD_INVOCID");
4697 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &version, "RMD_VERSION");
4698 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &originating_usn, "RMD_ORIGINATING_USN");
4699 dsdb_get_extended_dn_nttime(pdn->dsdb_dn->dn, &change_time, "RMD_CHANGETIME");
4701 if (!replmd_update_is_newer(&invocation_id,
4702 &la->meta_data.originating_invocation_id,
4704 la->meta_data.version,
4706 la->meta_data.originating_change_time)) {
4707 DEBUG(3,("Discarding older DRS linked attribute update to %s on %s from %s\n",
4708 old_el->name, ldb_dn_get_linearized(msg->dn),
4709 GUID_string(tmp_ctx, &la->meta_data.originating_invocation_id)));
4710 talloc_free(tmp_ctx);
4714 /* get a seq_num for this change */
4715 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
4716 if (ret != LDB_SUCCESS) {
4717 talloc_free(tmp_ctx);
4721 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
4722 /* remove the existing backlink */
4723 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, false, attr, false);
4724 if (ret != LDB_SUCCESS) {
4725 talloc_free(tmp_ctx);
4730 ret = replmd_update_la_val(tmp_ctx, pdn->v, dsdb_dn, pdn->dsdb_dn,
4731 &la->meta_data.originating_invocation_id,
4732 la->meta_data.originating_usn, seq_num,
4733 la->meta_data.originating_change_time,
4734 la->meta_data.version,
4736 if (ret != LDB_SUCCESS) {
4737 talloc_free(tmp_ctx);
4742 /* add the new backlink */
4743 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, true, attr, false);
4744 if (ret != LDB_SUCCESS) {
4745 talloc_free(tmp_ctx);
4750 /* get a seq_num for this change */
4751 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
4752 if (ret != LDB_SUCCESS) {
4753 talloc_free(tmp_ctx);
4757 old_el->values = talloc_realloc(msg->elements, old_el->values,
4758 struct ldb_val, old_el->num_values+1);
4759 if (!old_el->values) {
4760 ldb_module_oom(module);
4761 return LDB_ERR_OPERATIONS_ERROR;
4763 old_el->num_values++;
4765 ret = replmd_build_la_val(tmp_ctx, &old_el->values[old_el->num_values-1], dsdb_dn,
4766 &la->meta_data.originating_invocation_id,
4767 la->meta_data.originating_usn, seq_num,
4768 la->meta_data.originating_change_time,
4769 la->meta_data.version,
4770 (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?false:true);
4771 if (ret != LDB_SUCCESS) {
4772 talloc_free(tmp_ctx);
4777 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid,
4779 if (ret != LDB_SUCCESS) {
4780 talloc_free(tmp_ctx);
4786 /* we only change whenChanged and uSNChanged if the seq_num
4788 ret = add_time_element(msg, "whenChanged", t);
4789 if (ret != LDB_SUCCESS) {
4790 talloc_free(tmp_ctx);
4795 ret = add_uint64_element(ldb, msg, "uSNChanged", seq_num);
4796 if (ret != LDB_SUCCESS) {
4797 talloc_free(tmp_ctx);
4802 old_el = ldb_msg_find_element(msg, attr->lDAPDisplayName);
4803 if (old_el == NULL) {
4804 talloc_free(tmp_ctx);
4805 return ldb_operr(ldb);
4808 ret = dsdb_check_single_valued_link(attr, old_el);
4809 if (ret != LDB_SUCCESS) {
4810 talloc_free(tmp_ctx);
4814 old_el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
4816 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
4817 if (ret != LDB_SUCCESS) {
4818 ldb_debug(ldb, LDB_DEBUG_WARNING, "Failed to apply linked attribute change '%s'\n%s\n",
4820 ldb_ldif_message_string(ldb, tmp_ctx, LDB_CHANGETYPE_MODIFY, msg));
4821 talloc_free(tmp_ctx);
4825 talloc_free(tmp_ctx);
4830 static int replmd_extended(struct ldb_module *module, struct ldb_request *req)
4832 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_REPLICATED_OBJECTS_OID) == 0) {
4833 return replmd_extended_replicated_objects(module, req);
4836 return ldb_next_request(module, req);
4841 we hook into the transaction operations to allow us to
4842 perform the linked attribute updates at the end of the whole
4843 transaction. This allows a forward linked attribute to be created
4844 before the object is created. During a vampire, w2k8 sends us linked
4845 attributes before the objects they are part of.
4847 static int replmd_start_transaction(struct ldb_module *module)
4849 /* create our private structure for this transaction */
4850 struct replmd_private *replmd_private = talloc_get_type(ldb_module_get_private(module),
4851 struct replmd_private);
4852 replmd_txn_cleanup(replmd_private);
4854 /* free any leftover mod_usn records from cancelled
4856 while (replmd_private->ncs) {
4857 struct nc_entry *e = replmd_private->ncs;
4858 DLIST_REMOVE(replmd_private->ncs, e);
4862 return ldb_next_start_trans(module);
4866 on prepare commit we loop over our queued la_context structures and
4869 static int replmd_prepare_commit(struct ldb_module *module)
4871 struct replmd_private *replmd_private =
4872 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
4873 struct la_entry *la, *prev;
4874 struct la_backlink *bl;
4877 /* walk the list backwards, to do the first entry first, as we
4878 * added the entries with DLIST_ADD() which puts them at the
4879 * start of the list */
4880 for (la = DLIST_TAIL(replmd_private->la_list); la; la=prev) {
4881 prev = DLIST_PREV(la);
4882 DLIST_REMOVE(replmd_private->la_list, la);
4883 ret = replmd_process_linked_attribute(module, la, NULL);
4884 if (ret != LDB_SUCCESS) {
4885 replmd_txn_cleanup(replmd_private);
4890 /* process our backlink list, creating and deleting backlinks
4892 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
4893 ret = replmd_process_backlink(module, bl, NULL);
4894 if (ret != LDB_SUCCESS) {
4895 replmd_txn_cleanup(replmd_private);
4900 replmd_txn_cleanup(replmd_private);
4902 /* possibly change @REPLCHANGED */
4903 ret = replmd_notify_store(module, NULL);
4904 if (ret != LDB_SUCCESS) {
4908 return ldb_next_prepare_commit(module);
4911 static int replmd_del_transaction(struct ldb_module *module)
4913 struct replmd_private *replmd_private =
4914 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
4915 replmd_txn_cleanup(replmd_private);
4917 return ldb_next_del_trans(module);
4921 static const struct ldb_module_ops ldb_repl_meta_data_module_ops = {
4922 .name = "repl_meta_data",
4923 .init_context = replmd_init,
4925 .modify = replmd_modify,
4926 .rename = replmd_rename,
4927 .del = replmd_delete,
4928 .extended = replmd_extended,
4929 .start_transaction = replmd_start_transaction,
4930 .prepare_commit = replmd_prepare_commit,
4931 .del_transaction = replmd_del_transaction,
4934 int ldb_repl_meta_data_module_init(const char *version)
4936 LDB_MODULE_CHECK_VERSION(version);
4937 return ldb_register_module(&ldb_repl_meta_data_module_ops);