4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "dsdb/samdb/ldb_modules/schema.h"
43 #include "auth/auth.h"
44 #include "param/param.h"
47 struct descriptor_data {
51 struct descriptor_context {
52 struct ldb_module *module;
53 struct ldb_request *req;
54 struct ldb_message *msg;
55 struct ldb_reply *search_res;
56 struct ldb_reply *search_oc_res;
57 struct ldb_val *parentsd_val;
58 struct ldb_message_element *sd_element;
59 struct ldb_val *sd_val;
60 int (*step_fn)(struct descriptor_context *);
63 struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
65 struct security_token *token,
66 struct ldb_context *ldb)
68 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
69 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
70 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
71 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
72 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
73 struct dom_sid *dag_sid;
74 struct ldb_dn *nc_root;
77 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
78 if (ret != LDB_SUCCESS) {
83 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
84 if (security_token_has_sid(token, sa_sid))
85 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
86 else if (security_token_has_sid(token, ea_sid))
87 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
88 else if (security_token_has_sid(token, da_sid))
89 dag_sid = dom_sid_dup(mem_ctx, da_sid);
92 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
93 if (security_token_has_sid(token, ea_sid))
94 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
95 else if (security_token_has_sid(token, da_sid))
96 dag_sid = dom_sid_dup(mem_ctx, da_sid);
99 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
100 if (security_token_has_sid(token, da_sid))
101 dag_sid = dom_sid_dup(mem_ctx, da_sid);
102 else if (security_token_has_sid(token, ea_sid))
103 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
110 talloc_free(tmp_ctx);
114 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
115 const struct dsdb_class *objectclass)
117 struct ldb_context *ldb = ldb_module_get_ctx(module);
118 struct security_descriptor *sd;
119 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
121 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
125 sd = sddl_decode(mem_ctx,
126 objectclass->defaultSecurityDescriptor,
131 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
132 struct ldb_context *ldb,
135 if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
142 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
143 struct security_descriptor *new_sd,
144 struct security_descriptor *old_sd,
147 struct security_descriptor *final_sd;
148 /* if there is no control or control == 0 modify everything */
153 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
154 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
155 final_sd->type = SEC_DESC_SELF_RELATIVE;
157 if (sd_flags & (SECINFO_OWNER)) {
158 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
159 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
162 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
163 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
166 if (sd_flags & (SECINFO_GROUP)) {
167 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
168 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
171 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
172 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
175 if (sd_flags & (SECINFO_SACL)) {
176 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
177 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
178 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
179 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
180 SEC_DESC_SERVER_SECURITY);
182 else if (old_sd && old_sd->sacl) {
183 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
184 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
185 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
186 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
187 SEC_DESC_SERVER_SECURITY);
190 if (sd_flags & (SECINFO_DACL)) {
191 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
192 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
193 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
194 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
195 SEC_DESC_DACL_TRUSTED);
197 else if (old_sd && old_sd->dacl) {
198 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
199 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
200 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
201 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
202 SEC_DESC_DACL_TRUSTED);
204 /* not so sure about this */
205 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
209 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
212 const struct dsdb_class *objectclass,
213 const struct ldb_val *parent,
214 struct ldb_val *object,
215 struct ldb_val *old_sd,
218 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
219 struct security_descriptor *old_descriptor = NULL;
220 struct security_descriptor *new_sd, *final_sd;
221 DATA_BLOB *linear_sd;
222 enum ndr_err_code ndr_err;
223 struct ldb_context *ldb = ldb_module_get_ctx(module);
224 struct auth_session_info *session_info
225 = ldb_get_opaque(ldb, "sessionInfo");
226 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
228 struct dom_sid *default_owner;
229 struct dom_sid *default_group;
232 user_descriptor = talloc(mem_ctx, struct security_descriptor);
233 if (!user_descriptor) {
236 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
238 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
240 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
241 talloc_free(user_descriptor);
245 user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
249 old_descriptor = talloc(mem_ctx, struct security_descriptor);
250 if (!old_descriptor) {
253 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
255 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
257 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
258 talloc_free(old_descriptor);
264 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
265 if (!parent_descriptor) {
268 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
270 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
272 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
273 talloc_free(parent_descriptor);
278 default_owner = get_default_ag(mem_ctx, dn,
279 session_info->security_token, ldb);
280 default_group = get_default_group(mem_ctx, ldb, default_owner);
281 new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
282 NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
283 session_info->security_token,
284 default_owner, default_group,
285 map_generic_rights_ds);
289 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
295 if (final_sd->dacl) {
296 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
298 if (final_sd->sacl) {
299 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
302 sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
303 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
305 linear_sd = talloc(mem_ctx, DATA_BLOB);
310 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
312 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
313 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
320 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
325 struct security_descriptor *old_sd, *final_sd;
326 DATA_BLOB *linear_sd;
327 enum ndr_err_code ndr_err;
329 old_sd = talloc(mem_ctx, struct security_descriptor);
333 ndr_err = ndr_pull_struct_blob(sd, old_sd,
335 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
337 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
342 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
348 linear_sd = talloc(mem_ctx, DATA_BLOB);
353 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
355 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
356 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
363 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
364 struct ldb_request *req)
366 struct ldb_context *ldb;
367 struct descriptor_context *ac;
369 ldb = ldb_module_get_ctx(module);
371 ac = talloc_zero(req, struct descriptor_context);
373 ldb_set_errstring(ldb, "Out of Memory");
382 static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares)
384 struct ldb_context *ldb;
385 struct descriptor_context *ac;
388 ac = talloc_get_type(req->context, struct descriptor_context);
389 ldb = ldb_module_get_ctx(ac->module);
392 return ldb_module_done(ac->req, NULL, NULL,
393 LDB_ERR_OPERATIONS_ERROR);
395 if (ares->error != LDB_SUCCESS &&
396 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
397 return ldb_module_done(ac->req, ares->controls,
398 ares->response, ares->error);
401 ldb_reset_err_string(ldb);
403 switch (ares->type) {
404 case LDB_REPLY_ENTRY:
405 if (ac->search_res != NULL) {
406 ldb_set_errstring(ldb, "Too many results");
408 return ldb_module_done(ac->req, NULL, NULL,
409 LDB_ERR_OPERATIONS_ERROR);
412 ac->search_res = talloc_steal(ac, ares);
415 case LDB_REPLY_REFERRAL:
422 ret = ac->step_fn(ac);
423 if (ret != LDB_SUCCESS) {
424 return ldb_module_done(ac->req, NULL, NULL, ret);
432 static int get_search_oc_callback(struct ldb_request *req, struct ldb_reply *ares)
434 struct ldb_context *ldb;
435 struct descriptor_context *ac;
438 ac = talloc_get_type(req->context, struct descriptor_context);
439 ldb = ldb_module_get_ctx(ac->module);
442 return ldb_module_done(ac->req, NULL, NULL,
443 LDB_ERR_OPERATIONS_ERROR);
445 if (ares->error != LDB_SUCCESS &&
446 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
447 return ldb_module_done(ac->req, ares->controls,
448 ares->response, ares->error);
451 ldb_reset_err_string(ldb);
453 switch (ares->type) {
454 case LDB_REPLY_ENTRY:
455 if (ac->search_oc_res != NULL) {
456 ldb_set_errstring(ldb, "Too many results");
458 return ldb_module_done(ac->req, NULL, NULL,
459 LDB_ERR_OPERATIONS_ERROR);
462 ac->search_oc_res = talloc_steal(ac, ares);
465 case LDB_REPLY_REFERRAL:
472 ret = ac->step_fn(ac);
473 if (ret != LDB_SUCCESS) {
474 return ldb_module_done(ac->req, NULL, NULL, ret);
482 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
484 struct descriptor_context *ac;
485 struct ldb_control *sd_control;
486 struct ldb_val *sd_val = NULL;
487 struct ldb_message_element *sd_el;
490 uint32_t sd_flags = 0;
492 ac = talloc_get_type(req->context, struct descriptor_context);
495 ret = LDB_ERR_OPERATIONS_ERROR;
498 if (ares->error != LDB_SUCCESS) {
499 return ldb_module_done(ac->req, ares->controls,
500 ares->response, ares->error);
503 sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
505 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
506 sd_flags = sdctr->secinfo_flags;
507 /* we only care for the last 4 bits */
508 sd_flags = sd_flags & 0x0000000F;
510 /* MS-ADTS 3.1.1.3.4.1.11 says that no bits
516 switch (ares->type) {
517 case LDB_REPLY_ENTRY:
519 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
521 sd_val = sd_el->values;
525 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
528 ret = LDB_ERR_OPERATIONS_ERROR;
531 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
532 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
533 if (ret != LDB_SUCCESS) {
537 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
539 case LDB_REPLY_REFERRAL:
540 return ldb_module_send_referral(ac->req, ares->referral);
543 return ldb_module_done(ac->req, ares->controls,
544 ares->response, ares->error);
549 return ldb_module_done(ac->req, NULL, NULL, ret);
552 static int descriptor_do_mod(struct descriptor_context *ac)
554 struct ldb_context *ldb;
555 const struct dsdb_schema *schema;
556 struct ldb_request *mod_req;
557 struct ldb_message_element *objectclass_element, *oldsd_el;
558 struct ldb_val *oldsd_val = NULL;
561 const struct dsdb_class *objectclass;
562 struct ldb_control *sd_control;
563 struct ldb_control *sd_control2;
564 uint32_t sd_flags = 0;
566 ldb = ldb_module_get_ctx(ac->module);
567 schema = dsdb_get_schema(ldb, ac);
569 objectclass_element = ldb_msg_find_element(ac->search_oc_res->message,
571 if (objectclass_element == NULL) {
572 return ldb_operr(ldb);
575 objectclass = get_last_structural_class(schema, objectclass_element);
576 if (objectclass == NULL) {
577 return ldb_operr(ldb);
580 sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
581 sd_control2 = ldb_request_get_control(ac->req,
582 LDB_CONTROL_RECALCULATE_SD_OID);
584 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
585 sd_flags = sdctr->secinfo_flags;
586 /* we only care for the last 4 bits */
587 sd_flags = sd_flags & 0x0000000F;
590 oldsd_el = ldb_msg_find_element(ac->search_oc_res->message,
591 "nTSecurityDescriptor");
593 oldsd_val = oldsd_el->values;
597 sd = get_new_descriptor(ac->module, ac->msg->dn, ac,
598 objectclass, ac->parentsd_val,
599 ac->sd_val, oldsd_val, sd_flags);
601 if (ac->sd_val != NULL) {
602 ac->sd_element->values[0] = *sd;
603 } else if (sd_control2 != NULL) {
604 /* In this branch we really do force the recalculation
606 ldb_msg_remove_attr(ac->msg, "nTSecurityDescriptor");
608 ret = ldb_msg_add_steal_value(ac->msg,
609 "nTSecurityDescriptor",
611 if (ret != LDB_SUCCESS) {
614 ac->sd_element = ldb_msg_find_element(ac->msg,
615 "nTSecurityDescriptor");
616 ac->sd_element->flags = LDB_FLAG_MOD_REPLACE;
620 /* mark the controls as non-critical since we've handled them */
621 if (sd_control != NULL) {
622 sd_control->critical = 0;
624 if (sd_control2 != NULL) {
625 sd_control2->critical = 0;
628 ret = ldb_build_mod_req(&mod_req, ldb, ac,
631 ac->req, dsdb_next_callback,
633 LDB_REQ_SET_LOCATION(mod_req);
634 if (ret != LDB_SUCCESS) {
638 return ldb_next_request(ac->module, mod_req);
641 static int descriptor_do_add(struct descriptor_context *ac)
643 struct ldb_context *ldb;
644 const struct dsdb_schema *schema;
645 struct ldb_request *add_req;
646 struct ldb_message_element *objectclass_element;
649 const struct dsdb_class *objectclass;
650 static const char *const attrs[] = { "objectClass", "nTSecurityDescriptor", NULL };
651 struct ldb_request *search_req;
653 ldb = ldb_module_get_ctx(ac->module);
654 schema = dsdb_get_schema(ldb, ac);
656 switch (ac->req->operation) {
658 ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
659 if (ac->msg == NULL) {
660 return ldb_module_oom(ac->module);
663 objectclass_element = ldb_msg_find_element(ac->msg,
665 if (objectclass_element == NULL) {
666 return ldb_operr(ldb);
669 objectclass = get_last_structural_class(schema,
670 objectclass_element);
671 if (objectclass == NULL) {
672 return ldb_operr(ldb);
676 ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
677 if (ac->msg == NULL) {
678 return ldb_module_oom(ac->module);
682 return ldb_operr(ldb);
685 /* Check if there is a valid security descriptor provided */
686 ac->sd_element = dsdb_get_single_valued_attr(ac->msg,
687 "nTSecurityDescriptor",
689 if ((ac->sd_element != NULL) && (ac->sd_element->num_values == 1)) {
690 ac->sd_val = talloc_memdup(ac,
691 &ac->sd_element->values[0],
692 sizeof(struct ldb_val));
695 /* If we do have a parent, then please fetch it's security descriptor.
696 * But have in mind: NCs don't have any parents! That means
697 * "CN=Configuration,DC=example,DC=com" has no parent
698 * "DC=example,DC=com" since this is located under another NC! */
699 if (ac->search_res != NULL) {
700 struct ldb_message_element *parent_element = NULL;
701 struct ldb_dn *nc_root;
703 ret = dsdb_find_nc_root(ldb, ac, ac->msg->dn, &nc_root);
704 if (ret != LDB_SUCCESS) {
708 if (ldb_dn_compare(ac->msg->dn, nc_root) != 0) {
709 /* we aren't any NC */
710 parent_element = ldb_msg_find_element(ac->search_res->message,
711 "nTSecurityDescriptor");
712 if (parent_element != NULL) {
713 ac->parentsd_val = talloc_memdup(ac,
714 &parent_element->values[0],
715 sizeof(struct ldb_val));
720 if (ac->req->operation == LDB_ADD) {
721 /* Get the parent descriptor and the one provided. If not
722 * provided, get the default. Convert it to a security
723 * descriptor and calculate the permissions. */
724 sd = get_new_descriptor(ac->module, ac->msg->dn, ac,
725 objectclass, ac->parentsd_val,
726 ac->sd_val, NULL, 0);
728 if (ac->sd_val != NULL) {
729 ac->sd_element->values[0] = *sd;
730 } else if (ac->sd_element == NULL) {
731 ret = ldb_msg_add_steal_value(ac->msg,
732 "nTSecurityDescriptor",
734 if (ret != LDB_SUCCESS) {
740 ret = ldb_build_add_req(&add_req, ldb, ac,
743 ac->req, dsdb_next_callback,
745 LDB_REQ_SET_LOCATION(add_req);
746 if (ret != LDB_SUCCESS) {
749 return ldb_next_request(ac->module, add_req);
751 ret = ldb_build_search_req(&search_req, ldb, ac,
752 ac->msg->dn, LDB_SCOPE_BASE,
753 "(objectClass=*)", attrs,
755 ac, get_search_oc_callback,
757 LDB_REQ_SET_LOCATION(search_req);
758 if (ret != LDB_SUCCESS) {
761 ac->step_fn = descriptor_do_mod;
762 return ldb_next_request(ac->module, search_req);
766 static int descriptor_change(struct ldb_module *module, struct ldb_request *req)
768 struct ldb_context *ldb;
769 struct ldb_control *sd_control;
770 struct ldb_request *search_req;
771 struct descriptor_context *ac;
772 struct ldb_dn *parent_dn, *dn;
773 struct ldb_message_element *sd_element;
775 static const char * const descr_attrs[] = { "nTSecurityDescriptor", NULL };
777 ldb = ldb_module_get_ctx(module);
779 switch (req->operation) {
781 dn = req->op.add.message->dn;
784 dn = req->op.mod.message->dn;
785 sd_element = ldb_msg_find_element(req->op.mod.message,
786 "nTSecurityDescriptor");
787 /* This control forces the recalculation of the SD also when
788 * no modification is performed. */
789 sd_control = ldb_request_get_control(req,
790 LDB_CONTROL_RECALCULATE_SD_OID);
791 if (!sd_element && !sd_control) {
792 return ldb_next_request(module, req);
796 return ldb_operr(ldb);
798 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_change: %s\n", ldb_dn_get_linearized(dn));
800 /* do not manipulate our control entries */
801 if (ldb_dn_is_special(dn)) {
802 return ldb_next_request(module, req);
805 ac = descriptor_init_context(module, req);
807 return ldb_operr(ldb);
810 /* If there isn't a parent, just go on to the add processing */
811 if (ldb_dn_get_comp_num(dn) == 1) {
812 return descriptor_do_add(ac);
815 /* get copy of parent DN */
816 parent_dn = ldb_dn_get_parent(ac, dn);
817 if (parent_dn == NULL) {
821 ret = ldb_build_search_req(&search_req, ldb,
822 ac, parent_dn, LDB_SCOPE_BASE,
823 "(objectClass=*)", descr_attrs,
825 ac, get_search_callback,
827 LDB_REQ_SET_LOCATION(search_req);
828 if (ret != LDB_SUCCESS) {
831 talloc_steal(search_req, parent_dn);
833 ac->step_fn = descriptor_do_add;
835 return ldb_next_request(ac->module, search_req);
838 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
841 struct ldb_context *ldb;
842 struct ldb_control *sd_control;
843 struct ldb_request *down_req;
844 struct descriptor_context *ac;
846 sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
848 return ldb_next_request(module, req);
851 ldb = ldb_module_get_ctx(module);
852 ac = descriptor_init_context(module, req);
854 return ldb_operr(ldb);
857 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
859 req->op.search.scope,
861 req->op.search.attrs,
863 ac, descriptor_search_callback,
865 LDB_REQ_SET_LOCATION(down_req);
866 if (ret != LDB_SUCCESS) {
869 /* mark it as handled */
871 sd_control->critical = 0;
874 return ldb_next_request(ac->module, down_req);
877 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
879 struct ldb_context *ldb = ldb_module_get_ctx(module);
880 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn));
882 /* do not manipulate our control entries */
883 if (ldb_dn_is_special(req->op.rename.olddn)) {
884 return ldb_next_request(module, req);
887 return ldb_next_request(module, req);
890 static int descriptor_init(struct ldb_module *module)
892 int ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
893 struct ldb_context *ldb = ldb_module_get_ctx(module);
894 if (ret != LDB_SUCCESS) {
895 ldb_debug(ldb, LDB_DEBUG_ERROR,
896 "descriptor: Unable to register control with rootdse!\n");
897 return ldb_operr(ldb);
899 return ldb_next_init(module);
903 static const struct ldb_module_ops ldb_descriptor_module_ops = {
904 .name = "descriptor",
905 .search = descriptor_search,
906 .add = descriptor_change,
907 .modify = descriptor_change,
908 .rename = descriptor_rename,
909 .init_context = descriptor_init
912 int ldb_descriptor_module_init(const char *version)
914 LDB_MODULE_CHECK_VERSION(version);
915 return ldb_register_module(&ldb_descriptor_module_ops);
git.samba.org / samba.git / blob