4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
5 Copyright (C) Simo Sorce 2004-2008
6 Copyright (C) Matthias Dieter Wallnöfer 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: ldb samldb module
27 * Description: add embedded user/group creation functionality
33 #include "libcli/ldap/ldap_ndr.h"
34 #include "ldb_module.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
37 #include "libcli/security/security.h"
38 #include "librpc/gen_ndr/ndr_security.h"
39 #include "../lib/util/util_ldb.h"
41 #include "param/param.h"
45 typedef int (*samldb_step_fn_t)(struct samldb_ctx *);
48 struct samldb_step *next;
53 struct ldb_module *module;
54 struct ldb_request *req;
56 /* used for add operations */
59 /* the resulting message */
60 struct ldb_message *msg;
62 /* used to find parent domain */
63 struct ldb_dn *check_dn;
64 struct ldb_dn *domain_dn;
65 struct dom_sid *domain_sid;
68 /* holds the entry SID */
71 /* holds a generic dn */
74 /* used in conjunction with "sid" in "samldb_dn_from_sid" */
75 struct ldb_dn *res_dn;
77 /* used in conjunction with "dn" in "samldb_sid_from_dn" */
78 struct dom_sid *res_sid;
80 /* used in "samldb_user_dn_to_prim_group_rid" */
81 uint32_t prim_group_rid;
83 /* used in conjunction with "prim_group_rid" in
84 * "samldb_prim_group_rid_to_users_cnt" */
85 unsigned int users_cnt;
87 /* used in "samldb_group_add_member" and "samldb_group_del_member" */
88 struct ldb_dn *group_dn;
89 struct ldb_dn *member_dn;
91 /* used in "samldb_primary_group_change" */
92 struct ldb_dn *user_dn;
93 struct ldb_dn *old_prim_group_dn, *new_prim_group_dn;
95 /* generic counter - used in "samldb_member_check" */
98 /* all the async steps necessary to complete the operation */
99 struct samldb_step *steps;
100 struct samldb_step *curstep;
102 /* If someone set an ares to forward controls and response back to the caller */
103 struct ldb_reply *ares;
106 static struct samldb_ctx *samldb_ctx_init(struct ldb_module *module,
107 struct ldb_request *req)
109 struct ldb_context *ldb;
110 struct samldb_ctx *ac;
112 ldb = ldb_module_get_ctx(module);
114 ac = talloc_zero(req, struct samldb_ctx);
126 static int samldb_add_step(struct samldb_ctx *ac, samldb_step_fn_t fn)
128 struct samldb_step *step, *stepper;
130 step = talloc_zero(ac, struct samldb_step);
132 return LDB_ERR_OPERATIONS_ERROR;
137 if (ac->steps == NULL) {
141 if (ac->curstep == NULL)
142 return LDB_ERR_OPERATIONS_ERROR;
143 for (stepper = ac->curstep; stepper->next != NULL;
144 stepper = stepper->next);
145 stepper->next = step;
151 static int samldb_first_step(struct samldb_ctx *ac)
153 if (ac->steps == NULL) {
154 return LDB_ERR_OPERATIONS_ERROR;
157 ac->curstep = ac->steps;
158 return ac->curstep->fn(ac);
161 static int samldb_next_step(struct samldb_ctx *ac)
163 if (ac->curstep->next) {
164 ac->curstep = ac->curstep->next;
165 return ac->curstep->fn(ac);
168 /* we exit the samldb module here */
169 /* If someone set an ares to forward controls and response back to the caller, use them */
171 return ldb_module_done(ac->req, ac->ares->controls,
172 ac->ares->response, LDB_SUCCESS);
174 return ldb_module_done(ac->req, NULL, NULL, LDB_SUCCESS);
179 * samldb_get_parent_domain (async)
182 static int samldb_get_parent_domain(struct samldb_ctx *ac);
184 static int samldb_get_parent_domain_callback(struct ldb_request *req,
185 struct ldb_reply *ares)
187 struct ldb_context *ldb;
188 struct samldb_ctx *ac;
192 ac = talloc_get_type(req->context, struct samldb_ctx);
193 ldb = ldb_module_get_ctx(ac->module);
196 ret = LDB_ERR_OPERATIONS_ERROR;
199 if (ares->error != LDB_SUCCESS) {
200 return ldb_module_done(ac->req, ares->controls,
201 ares->response, ares->error);
204 switch (ares->type) {
205 case LDB_REPLY_ENTRY:
207 if ((ac->domain_dn != NULL) || (ac->domain_sid != NULL)) {
209 ldb_set_errstring(ldb,
210 "Invalid number of results while searching "
211 "for domain object!");
212 ret = LDB_ERR_OPERATIONS_ERROR;
216 nextRid = ldb_msg_find_attr_as_string(ares->message,
218 if (nextRid == NULL) {
219 ldb_asprintf_errstring(ldb,
220 "While looking for domain above %s attribute nextRid not found in %s!",
221 ldb_dn_get_linearized(
222 ac->req->op.add.message->dn),
223 ldb_dn_get_linearized(ares->message->dn));
224 ret = LDB_ERR_OPERATIONS_ERROR;
228 ac->next_rid = strtol(nextRid, NULL, 0);
230 ac->domain_sid = samdb_result_dom_sid(ac, ares->message,
232 if (ac->domain_sid == NULL) {
233 ldb_set_errstring(ldb,
234 "Unable to get the parent domain SID!");
235 ret = LDB_ERR_CONSTRAINT_VIOLATION;
238 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
244 case LDB_REPLY_REFERRAL:
252 if ((ac->domain_dn == NULL) || (ac->domain_sid == NULL)) {
253 /* not found -> retry */
254 ret = samldb_get_parent_domain(ac);
257 ret = samldb_next_step(ac);
263 if (ret != LDB_SUCCESS) {
264 return ldb_module_done(ac->req, NULL, NULL, ret);
270 /* Find a domain object in the parents of a particular DN. */
271 static int samldb_get_parent_domain(struct samldb_ctx *ac)
273 struct ldb_context *ldb;
274 static const char * const attrs[] = { "objectSid", "nextRid", NULL };
275 struct ldb_request *req;
279 ldb = ldb_module_get_ctx(ac->module);
281 if (ac->check_dn == NULL) {
282 return LDB_ERR_OPERATIONS_ERROR;
285 dn = ldb_dn_get_parent(ac, ac->check_dn);
287 ldb_set_errstring(ldb,
288 "Unable to find parent domain object!");
289 return LDB_ERR_CONSTRAINT_VIOLATION;
294 ret = ldb_build_search_req(&req, ldb, ac,
296 "(|(objectClass=domain)"
297 "(objectClass=builtinDomain))",
300 ac, samldb_get_parent_domain_callback,
303 if (ret != LDB_SUCCESS) {
307 return ldb_next_request(ac->module, req);
311 static int samldb_generate_samAccountName(struct ldb_message *msg)
315 /* Format: $000000-000000000000 */
317 name = talloc_asprintf(msg, "$%.6X-%.6X%.6X",
318 (unsigned int)generate_random(),
319 (unsigned int)generate_random(),
320 (unsigned int)generate_random());
322 return LDB_ERR_OPERATIONS_ERROR;
324 return ldb_msg_add_steal_string(msg, "samAccountName", name);
328 * samldb_check_samAccountName (async)
331 static int samldb_check_samAccountName_callback(struct ldb_request *req,
332 struct ldb_reply *ares)
334 struct samldb_ctx *ac;
337 ac = talloc_get_type(req->context, struct samldb_ctx);
339 if (ares->error != LDB_SUCCESS) {
340 return ldb_module_done(ac->req, ares->controls,
341 ares->response, ares->error);
344 switch (ares->type) {
345 case LDB_REPLY_ENTRY:
346 /* if we get an entry it means this samAccountName
348 return ldb_module_done(ac->req, NULL, NULL,
349 LDB_ERR_ENTRY_ALREADY_EXISTS);
351 case LDB_REPLY_REFERRAL:
352 /* this should not happen */
353 return ldb_module_done(ac->req, NULL, NULL,
354 LDB_ERR_OPERATIONS_ERROR);
357 /* not found, go on */
359 ret = samldb_next_step(ac);
363 if (ret != LDB_SUCCESS) {
364 return ldb_module_done(ac->req, NULL, NULL, ret);
370 static int samldb_check_samAccountName(struct samldb_ctx *ac)
372 struct ldb_context *ldb;
373 struct ldb_request *req;
378 ldb = ldb_module_get_ctx(ac->module);
380 if (ldb_msg_find_element(ac->msg, "samAccountName") == NULL) {
381 ret = samldb_generate_samAccountName(ac->msg);
382 if (ret != LDB_SUCCESS) {
387 name = ldb_msg_find_attr_as_string(ac->msg, "samAccountName", NULL);
389 return LDB_ERR_OPERATIONS_ERROR;
391 filter = talloc_asprintf(ac, "samAccountName=%s",
392 ldb_binary_encode_string(ac, name));
393 if (filter == NULL) {
394 return LDB_ERR_OPERATIONS_ERROR;
397 ret = ldb_build_search_req(&req, ldb, ac,
398 ac->domain_dn, LDB_SCOPE_SUBTREE,
401 ac, samldb_check_samAccountName_callback,
404 if (ret != LDB_SUCCESS) {
407 return ldb_next_request(ac->module, req);
411 static int samldb_check_samAccountType(struct samldb_ctx *ac)
413 struct ldb_context *ldb;
414 unsigned int account_type;
415 unsigned int group_type;
419 ldb = ldb_module_get_ctx(ac->module);
421 /* make sure sAMAccountType is not specified */
422 if (ldb_msg_find_element(ac->msg, "sAMAccountType") != NULL) {
423 ldb_asprintf_errstring(ldb,
424 "sAMAccountType must not be specified!");
425 return LDB_ERR_UNWILLING_TO_PERFORM;
428 if (strcmp("user", ac->type) == 0) {
429 uac = samdb_result_uint(ac->msg, "userAccountControl", 0);
431 ldb_asprintf_errstring(ldb,
432 "userAccountControl invalid!");
433 return LDB_ERR_UNWILLING_TO_PERFORM;
435 account_type = ds_uf2atype(uac);
436 ret = samdb_msg_add_uint(ldb,
440 if (ret != LDB_SUCCESS) {
445 if (strcmp("group", ac->type) == 0) {
447 group_type = samdb_result_uint(ac->msg, "groupType", 0);
448 if (group_type == 0) {
449 ldb_asprintf_errstring(ldb,
450 "groupType invalid!\n");
451 return LDB_ERR_UNWILLING_TO_PERFORM;
453 account_type = ds_gtype2atype(group_type);
454 ret = samdb_msg_add_uint(ldb,
458 if (ret != LDB_SUCCESS) {
464 return samldb_next_step(ac);
469 * samldb_get_sid_domain (async)
472 static int samldb_get_sid_domain_callback(struct ldb_request *req,
473 struct ldb_reply *ares)
475 struct ldb_context *ldb;
476 struct samldb_ctx *ac;
480 ac = talloc_get_type(req->context, struct samldb_ctx);
481 ldb = ldb_module_get_ctx(ac->module);
484 ret = LDB_ERR_OPERATIONS_ERROR;
487 if (ares->error != LDB_SUCCESS) {
488 return ldb_module_done(ac->req, ares->controls,
489 ares->response, ares->error);
492 switch (ares->type) {
493 case LDB_REPLY_ENTRY:
495 if (ac->next_rid != 0) {
497 ldb_set_errstring(ldb,
498 "Invalid number of results while searching "
499 "for domain object!");
500 ret = LDB_ERR_OPERATIONS_ERROR;
504 nextRid = ldb_msg_find_attr_as_string(ares->message,
506 if (nextRid == NULL) {
507 ldb_asprintf_errstring(ldb,
508 "Attribute nextRid not found in %s!",
509 ldb_dn_get_linearized(ares->message->dn));
510 ret = LDB_ERR_OPERATIONS_ERROR;
514 ac->next_rid = strtol(nextRid, NULL, 0);
516 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
522 case LDB_REPLY_REFERRAL:
530 if (ac->next_rid == 0) {
531 ldb_asprintf_errstring(ldb,
532 "Unable to get nextRid from domain entry!");
533 ret = LDB_ERR_OPERATIONS_ERROR;
538 ret = samldb_next_step(ac);
543 if (ret != LDB_SUCCESS) {
544 return ldb_module_done(ac->req, NULL, NULL, ret);
550 /* Find a domain object in the parents of a particular DN. */
551 static int samldb_get_sid_domain(struct samldb_ctx *ac)
553 struct ldb_context *ldb;
554 static const char * const attrs[] = { "nextRid", NULL };
555 struct ldb_request *req;
559 ldb = ldb_module_get_ctx(ac->module);
561 if (ac->sid == NULL) {
562 return LDB_ERR_OPERATIONS_ERROR;
565 ac->domain_sid = dom_sid_dup(ac, ac->sid);
566 if (!ac->domain_sid) {
567 return LDB_ERR_OPERATIONS_ERROR;
569 /* get the domain component part of the provided SID */
570 ac->domain_sid->num_auths--;
572 filter = talloc_asprintf(ac,
574 "(|(objectClass=domain)"
575 "(objectClass=builtinDomain)))",
576 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
577 if (filter == NULL) {
578 return LDB_ERR_OPERATIONS_ERROR;
581 ret = ldb_build_search_req(&req, ldb, ac,
582 ldb_get_default_basedn(ldb),
586 ac, samldb_get_sid_domain_callback,
589 if (ret != LDB_SUCCESS) {
594 return ldb_next_request(ac->module, req);
598 * samldb_dn_from_sid (async)
601 static int samldb_dn_from_sid(struct samldb_ctx *ac);
603 static int samldb_dn_from_sid_callback(struct ldb_request *req,
604 struct ldb_reply *ares)
606 struct ldb_context *ldb;
607 struct samldb_ctx *ac;
610 ac = talloc_get_type(req->context, struct samldb_ctx);
611 ldb = ldb_module_get_ctx(ac->module);
614 ret = LDB_ERR_OPERATIONS_ERROR;
617 if (ares->error != LDB_SUCCESS) {
618 return ldb_module_done(ac->req, ares->controls,
619 ares->response, ares->error);
622 switch (ares->type) {
623 case LDB_REPLY_ENTRY:
625 if (ac->res_dn != NULL) {
627 ldb_set_errstring(ldb,
628 "Invalid number of results while searching "
629 "for domain objects!");
630 ret = LDB_ERR_OPERATIONS_ERROR;
633 ac->res_dn = ldb_dn_copy(ac, ares->message->dn);
639 case LDB_REPLY_REFERRAL:
648 /* found or not found, go on */
649 ret = samldb_next_step(ac);
654 if (ret != LDB_SUCCESS) {
655 return ldb_module_done(ac->req, NULL, NULL, ret);
661 /* Finds the DN "res_dn" of an object with a given SID "sid" */
662 static int samldb_dn_from_sid(struct samldb_ctx *ac)
664 struct ldb_context *ldb;
665 static const char * const attrs[] = { NULL };
666 struct ldb_request *req;
670 ldb = ldb_module_get_ctx(ac->module);
673 return LDB_ERR_OPERATIONS_ERROR;
675 filter = talloc_asprintf(ac, "(objectSid=%s)",
676 ldap_encode_ndr_dom_sid(ac, ac->sid));
678 return LDB_ERR_OPERATIONS_ERROR;
680 ret = ldb_build_search_req(&req, ldb, ac,
681 ldb_get_default_basedn(ldb),
685 ac, samldb_dn_from_sid_callback,
687 if (ret != LDB_SUCCESS)
690 return ldb_next_request(ac->module, req);
694 static int samldb_check_primaryGroupID_1(struct samldb_ctx *ac)
696 struct ldb_context *ldb;
699 ldb = ldb_module_get_ctx(ac->module);
701 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
702 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
704 return LDB_ERR_OPERATIONS_ERROR;
707 return samldb_next_step(ac);
710 static int samldb_check_primaryGroupID_2(struct samldb_ctx *ac)
712 if (ac->res_dn == NULL) {
713 struct ldb_context *ldb;
714 ldb = ldb_module_get_ctx(ac->module);
715 ldb_asprintf_errstring(ldb,
716 "Failed to find group sid %s!",
717 dom_sid_string(ac->sid, ac->sid));
718 return LDB_ERR_UNWILLING_TO_PERFORM;
721 return samldb_next_step(ac);
725 static bool samldb_msg_add_sid(struct ldb_message *msg,
727 const struct dom_sid *sid)
730 enum ndr_err_code ndr_err;
732 ndr_err = ndr_push_struct_blob(&v, msg, NULL, sid,
733 (ndr_push_flags_fn_t)ndr_push_dom_sid);
734 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
737 return (ldb_msg_add_value(msg, name, &v, NULL) == 0);
740 static int samldb_new_sid(struct samldb_ctx *ac)
743 if (ac->domain_sid == NULL || ac->next_rid == 0) {
744 return LDB_ERR_OPERATIONS_ERROR;
747 ac->sid = dom_sid_add_rid(ac, ac->domain_sid, ac->next_rid + 1);
748 if (ac->sid == NULL) {
749 return LDB_ERR_OPERATIONS_ERROR;
752 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
753 return LDB_ERR_OPERATIONS_ERROR;
756 return samldb_next_step(ac);
760 * samldb_notice_sid_callback (async)
763 static int samldb_notice_sid_callback(struct ldb_request *req,
764 struct ldb_reply *ares)
766 struct ldb_context *ldb;
767 struct samldb_ctx *ac;
770 ac = talloc_get_type(req->context, struct samldb_ctx);
771 ldb = ldb_module_get_ctx(ac->module);
774 ret = LDB_ERR_OPERATIONS_ERROR;
777 if (ares->error != LDB_SUCCESS) {
778 return ldb_module_done(ac->req, ares->controls,
779 ares->response, ares->error);
781 if (ares->type != LDB_REPLY_DONE) {
782 ldb_set_errstring(ldb,
783 "Invalid reply type!");
784 ret = LDB_ERR_OPERATIONS_ERROR;
788 ret = samldb_next_step(ac);
791 if (ret != LDB_SUCCESS) {
792 return ldb_module_done(ac->req, NULL, NULL, ret);
798 /* If we are adding new users/groups, we need to update the nextRid
799 * attribute to be 'above' the new/incoming RID. Attempt to do it
801 static int samldb_notice_sid(struct samldb_ctx *ac)
803 struct ldb_context *ldb;
804 uint32_t old_id, new_id;
805 struct ldb_request *req;
806 struct ldb_message *msg;
807 struct ldb_message_element *els;
808 struct ldb_val *vals;
811 ldb = ldb_module_get_ctx(ac->module);
812 old_id = ac->next_rid;
813 new_id = ac->sid->sub_auths[ac->sid->num_auths - 1];
815 if (old_id >= new_id) {
816 /* no need to update the domain nextRid attribute */
817 return samldb_next_step(ac);
820 /* we do a delete and add as a single operation. That prevents
821 a race, in case we are not actually on a transaction db */
822 msg = ldb_msg_new(ac);
825 return LDB_ERR_OPERATIONS_ERROR;
827 els = talloc_array(msg, struct ldb_message_element, 2);
830 return LDB_ERR_OPERATIONS_ERROR;
832 vals = talloc_array(msg, struct ldb_val, 2);
835 return LDB_ERR_OPERATIONS_ERROR;
837 msg->dn = ac->domain_dn;
838 msg->num_elements = 2;
841 els[0].num_values = 1;
842 els[0].values = &vals[0];
843 els[0].flags = LDB_FLAG_MOD_DELETE;
844 els[0].name = talloc_strdup(msg, "nextRid");
847 return LDB_ERR_OPERATIONS_ERROR;
850 els[1].num_values = 1;
851 els[1].values = &vals[1];
852 els[1].flags = LDB_FLAG_MOD_ADD;
853 els[1].name = els[0].name;
855 vals[0].data = (uint8_t *)talloc_asprintf(vals, "%u", old_id);
858 return LDB_ERR_OPERATIONS_ERROR;
860 vals[0].length = strlen((char *)vals[0].data);
862 vals[1].data = (uint8_t *)talloc_asprintf(vals, "%u", new_id);
865 return LDB_ERR_OPERATIONS_ERROR;
867 vals[1].length = strlen((char *)vals[1].data);
869 ret = ldb_build_mod_req(&req, ldb, ac,
871 ac, samldb_notice_sid_callback,
873 if (ret != LDB_SUCCESS) {
877 return ldb_next_request(ac->module, req);
881 * samldb_set_defaultObjectCategory_callback (async)
884 static int samldb_set_defaultObjectCategory_callback(struct ldb_request *req,
885 struct ldb_reply *ares)
887 struct ldb_context *ldb;
888 struct samldb_ctx *ac;
891 ac = talloc_get_type(req->context, struct samldb_ctx);
892 ldb = ldb_module_get_ctx(ac->module);
895 ret = LDB_ERR_OPERATIONS_ERROR;
898 if (ares->error != LDB_SUCCESS) {
899 return ldb_module_done(ac->req, ares->controls,
900 ares->response, ares->error);
902 if (ares->type != LDB_REPLY_DONE) {
903 ldb_set_errstring(ldb,
904 "Invalid reply type!");
905 ret = LDB_ERR_OPERATIONS_ERROR;
909 ret = samldb_next_step(ac);
912 if (ret != LDB_SUCCESS) {
913 return ldb_module_done(ac->req, NULL, NULL, ret);
919 static int samldb_set_defaultObjectCategory(struct samldb_ctx *ac)
923 struct ldb_request *req;
924 struct ldb_context *ldb;
925 struct ldb_message *msg = ldb_msg_new(ac);
929 ldb_msg_add_empty(msg, "defaultObjectCategory", LDB_FLAG_MOD_REPLACE, NULL);
931 ldb_msg_add_steal_string(msg, "defaultObjectCategory", ldb_dn_alloc_linearized(msg, ac->dn));
933 ldb = ldb_module_get_ctx(ac->module);
935 ret = ldb_build_mod_req(&req, ldb, ac,
937 ac, samldb_set_defaultObjectCategory_callback,
939 if (ret != LDB_SUCCESS) {
943 return ldb_next_request(ac->module, req);
946 ret = samldb_next_step(ac);
947 if (ret != LDB_SUCCESS) {
948 return ldb_module_done(ac->req, NULL, NULL, ret);
954 * samldb_find_for_defaultObjectCategory (async)
957 static int samldb_find_for_defaultObjectCategory_callback(struct ldb_request *req,
958 struct ldb_reply *ares)
960 struct samldb_ctx *ac;
963 ac = talloc_get_type(req->context, struct samldb_ctx);
965 if (ares->error != LDB_SUCCESS) {
966 return ldb_module_done(ac->req, ares->controls,
967 ares->response, ares->error);
970 switch (ares->type) {
971 case LDB_REPLY_ENTRY:
972 ac->dn = talloc_steal(ac, ares->message->dn);
974 case LDB_REPLY_REFERRAL:
975 /* this should not happen */
976 return ldb_module_done(ac->req, NULL, NULL,
977 LDB_ERR_OPERATIONS_ERROR);
980 /* found or not found, go on */
982 ret = samldb_next_step(ac);
983 if (ret != LDB_SUCCESS) {
984 return ldb_module_done(ac->req, NULL, NULL, ret);
992 static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac)
994 struct ldb_context *ldb;
995 struct ldb_request *req;
997 static const char *no_attrs[] = { NULL };
999 ldb = ldb_module_get_ctx(ac->module);
1003 if (ldb_msg_find_element(ac->msg, "defaultObjectCategory") == NULL) {
1004 ret = ldb_build_search_req(&req, ldb, ac,
1005 ac->msg->dn, LDB_SCOPE_BASE,
1006 "objectClass=classSchema", no_attrs,
1008 ac, samldb_find_for_defaultObjectCategory_callback,
1010 if (ret != LDB_SUCCESS) {
1013 ret = dsdb_module_search_handle_flags(ac->module, req, DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT);
1014 if (ret != LDB_SUCCESS) {
1017 return ldb_next_request(ac->module, req);
1020 ret = samldb_next_step(ac);
1021 if (ret != LDB_SUCCESS) {
1022 return ldb_module_done(ac->req, NULL, NULL, ret);
1031 * samldb_add_entry (async)
1034 static int samldb_add_entry_callback(struct ldb_request *req,
1035 struct ldb_reply *ares)
1037 struct ldb_context *ldb;
1038 struct samldb_ctx *ac;
1041 ac = talloc_get_type(req->context, struct samldb_ctx);
1042 ldb = ldb_module_get_ctx(ac->module);
1045 return ldb_module_done(ac->req, NULL, NULL,
1046 LDB_ERR_OPERATIONS_ERROR);
1048 if (ares->error != LDB_SUCCESS) {
1049 return ldb_module_done(ac->req, ares->controls,
1050 ares->response, ares->error);
1052 if (ares->type != LDB_REPLY_DONE) {
1053 ldb_set_errstring(ldb,
1054 "Invalid reply type!\n");
1055 return ldb_module_done(ac->req, NULL, NULL,
1056 LDB_ERR_OPERATIONS_ERROR);
1059 /* The caller may wish to get controls back from the add */
1060 ac->ares = talloc_steal(ac, ares);
1062 ret = samldb_next_step(ac);
1063 if (ret != LDB_SUCCESS) {
1064 return ldb_module_done(ac->req, NULL, NULL, ret);
1069 static int samldb_add_entry(struct samldb_ctx *ac)
1071 struct ldb_context *ldb;
1072 struct ldb_request *req;
1075 ldb = ldb_module_get_ctx(ac->module);
1077 ret = ldb_build_add_req(&req, ldb, ac,
1080 ac, samldb_add_entry_callback,
1082 if (ret != LDB_SUCCESS) {
1086 return ldb_next_request(ac->module, req);
1090 static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
1092 struct ldb_context *ldb;
1093 struct loadparm_context *lp_ctx;
1094 enum sid_generator sid_generator;
1097 ldb = ldb_module_get_ctx(ac->module);
1099 /* search for a parent domain objet */
1100 ac->check_dn = ac->req->op.add.message->dn;
1101 ret = samldb_add_step(ac, samldb_get_parent_domain);
1102 if (ret != LDB_SUCCESS) return ret;
1104 /* Add informations for the different account types */
1106 if (strcmp(ac->type, "user") == 0) {
1107 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1108 "userAccountControl", "546");
1109 if (ret != LDB_SUCCESS) return ret;
1110 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1111 "badPwdCount", "0");
1112 if (ret != LDB_SUCCESS) return ret;
1113 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1115 if (ret != LDB_SUCCESS) return ret;
1116 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1117 "countryCode", "0");
1118 if (ret != LDB_SUCCESS) return ret;
1119 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1120 "badPasswordTime", "0");
1121 if (ret != LDB_SUCCESS) return ret;
1122 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1124 if (ret != LDB_SUCCESS) return ret;
1125 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1127 if (ret != LDB_SUCCESS) return ret;
1128 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1130 if (ret != LDB_SUCCESS) return ret;
1131 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1132 "primaryGroupID", "513");
1133 if (ret != LDB_SUCCESS) return ret;
1134 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1135 "accountExpires", "9223372036854775807");
1136 if (ret != LDB_SUCCESS) return ret;
1137 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1139 if (ret != LDB_SUCCESS) return ret;
1140 } else if (strcmp(ac->type, "group") == 0) {
1141 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1142 "groupType", "-2147483646");
1143 if (ret != LDB_SUCCESS) return ret;
1144 } else if (strcmp(ac->type, "classSchema") == 0) {
1145 const struct ldb_val *rdn_value;
1147 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1149 if (ret != LDB_SUCCESS) return ret;
1151 rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
1152 if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) {
1153 /* the RDN has prefix "CN" */
1154 ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName",
1155 samdb_cn_to_lDAPDisplayName(ac,
1156 (const char *) rdn_value->data));
1157 if (ret != LDB_SUCCESS) {
1163 if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) {
1164 enum ndr_err_code ndr_err;
1165 struct ldb_val guid_value;
1168 guid = GUID_random();
1169 /* generated NDR encoded values */
1170 ndr_err = ndr_push_struct_blob(&guid_value, ac->msg,
1173 (ndr_push_flags_fn_t)ndr_push_GUID);
1174 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1176 return LDB_ERR_OPERATIONS_ERROR;
1178 ret = ldb_msg_add_value(ac->msg, "schemaIDGUID", &guid_value, NULL);
1179 if (ret != LDB_SUCCESS) {
1185 ret = samldb_add_step(ac, samldb_add_entry);
1186 if (ret != LDB_SUCCESS) return ret;
1188 ret = samldb_add_step(ac, samldb_find_for_defaultObjectCategory);
1189 if (ret != LDB_SUCCESS) return ret;
1191 ret = samldb_add_step(ac, samldb_set_defaultObjectCategory);
1192 if (ret != LDB_SUCCESS) return ret;
1194 return samldb_first_step(ac);
1195 } else if (strcmp(ac->type, "attributeSchema") == 0) {
1196 const struct ldb_val *rdn_value;
1197 rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
1198 if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) {
1199 /* the RDN has prefix "CN" */
1200 ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName",
1201 samdb_cn_to_lDAPDisplayName(ac,
1202 (const char *) rdn_value->data));
1203 if (ret != LDB_SUCCESS) {
1209 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1210 "isSingleValued", "FALSE");
1211 if (ret != LDB_SUCCESS) return ret;
1213 if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) {
1214 enum ndr_err_code ndr_err;
1215 struct ldb_val guid_value;
1218 guid = GUID_random();
1219 /* generated NDR encoded values */
1220 ndr_err = ndr_push_struct_blob(&guid_value, ac->msg,
1223 (ndr_push_flags_fn_t)ndr_push_GUID);
1224 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1226 return LDB_ERR_OPERATIONS_ERROR;
1228 ret = ldb_msg_add_value(ac->msg, "schemaIDGUID", &guid_value, NULL);
1229 if (ret != LDB_SUCCESS) {
1235 ret = samldb_add_step(ac, samldb_add_entry);
1236 if (ret != LDB_SUCCESS) return ret;
1238 return samldb_first_step(ac);
1240 ldb_asprintf_errstring(ldb,
1241 "Invalid entry type!");
1242 return LDB_ERR_OPERATIONS_ERROR;
1245 /* check if we have a valid samAccountName */
1246 ret = samldb_add_step(ac, samldb_check_samAccountName);
1247 if (ret != LDB_SUCCESS) return ret;
1249 /* check account_type/group_type */
1250 ret = samldb_add_step(ac, samldb_check_samAccountType);
1251 if (ret != LDB_SUCCESS) return ret;
1253 /* check if we have a valid primary group ID */
1254 if (strcmp(ac->type, "user") == 0) {
1255 ret = samldb_add_step(ac, samldb_check_primaryGroupID_1);
1256 if (ret != LDB_SUCCESS) return ret;
1257 ret = samldb_add_step(ac, samldb_dn_from_sid);
1258 if (ret != LDB_SUCCESS) return ret;
1259 ret = samldb_add_step(ac, samldb_check_primaryGroupID_2);
1260 if (ret != LDB_SUCCESS) return ret;
1263 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
1264 struct loadparm_context);
1266 sid_generator = lp_sid_generator(lp_ctx);
1267 if (sid_generator == SID_GENERATOR_INTERNAL) {
1268 /* check if we have a valid SID */
1269 ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
1271 ret = samldb_add_step(ac, samldb_new_sid);
1272 if (ret != LDB_SUCCESS) return ret;
1274 ret = samldb_add_step(ac, samldb_get_sid_domain);
1275 if (ret != LDB_SUCCESS) return ret;
1278 ret = samldb_add_step(ac, samldb_notice_sid);
1279 if (ret != LDB_SUCCESS) return ret;
1282 /* finally proceed with adding the entry */
1283 ret = samldb_add_step(ac, samldb_add_entry);
1284 if (ret != LDB_SUCCESS) return ret;
1286 return samldb_first_step(ac);
1290 * samldb_foreign_notice_sid (async)
1293 static int samldb_foreign_notice_sid_callback(struct ldb_request *req,
1294 struct ldb_reply *ares)
1296 struct ldb_context *ldb;
1297 struct samldb_ctx *ac;
1298 const char *nextRid;
1302 ac = talloc_get_type(req->context, struct samldb_ctx);
1303 ldb = ldb_module_get_ctx(ac->module);
1306 ret = LDB_ERR_OPERATIONS_ERROR;
1309 if (ares->error != LDB_SUCCESS) {
1310 return ldb_module_done(ac->req, ares->controls,
1311 ares->response, ares->error);
1314 switch (ares->type) {
1315 case LDB_REPLY_ENTRY:
1317 if (ac->next_rid != 0) {
1319 ldb_set_errstring(ldb,
1320 "Invalid number of results while searching "
1321 "for domain object!");
1322 ret = LDB_ERR_OPERATIONS_ERROR;
1326 nextRid = ldb_msg_find_attr_as_string(ares->message,
1328 if (nextRid == NULL) {
1329 ldb_asprintf_errstring(ldb,
1330 "While looking for foreign SID %s attribute nextRid not found in %s",
1331 dom_sid_string(ares, ac->sid),
1332 ldb_dn_get_linearized(ares->message->dn));
1333 ret = LDB_ERR_OPERATIONS_ERROR;
1337 ac->next_rid = strtol(nextRid, NULL, 0);
1339 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
1341 name = samdb_result_string(ares->message, "name", NULL);
1342 ldb_debug(ldb, LDB_DEBUG_TRACE,
1343 "NOTE (strange but valid): Adding foreign SID "
1344 "record with SID %s, but this domain (%s) is "
1345 "not foreign in the database\n",
1346 dom_sid_string(ares, ac->sid), name);
1352 case LDB_REPLY_REFERRAL:
1358 case LDB_REPLY_DONE:
1361 /* if this is a fake foreign SID, notice the SID */
1362 if (ac->domain_dn) {
1363 ret = samldb_notice_sid(ac);
1368 ret = samldb_next_step(ac);
1373 if (ret != LDB_SUCCESS) {
1374 return ldb_module_done(ac->req, NULL, NULL, ret);
1380 /* Find a domain object in the parents of a particular DN. */
1381 static int samldb_foreign_notice_sid(struct samldb_ctx *ac)
1383 struct ldb_context *ldb;
1384 static const char * const attrs[3] = { "nextRid", "name", NULL };
1385 struct ldb_request *req;
1390 ldb = ldb_module_get_ctx(ac->module);
1392 if (ac->sid == NULL) {
1393 return LDB_ERR_OPERATIONS_ERROR;
1396 status = dom_sid_split_rid(ac, ac->sid, &ac->domain_sid, NULL);
1397 if (!NT_STATUS_IS_OK(status)) {
1398 return LDB_ERR_OPERATIONS_ERROR;
1402 filter = talloc_asprintf(ac,
1404 "(|(objectClass=domain)"
1405 "(objectClass=builtinDomain)))",
1406 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
1407 if (filter == NULL) {
1408 return LDB_ERR_OPERATIONS_ERROR;
1411 ret = ldb_build_search_req(&req, ldb, ac,
1412 ldb_get_default_basedn(ldb),
1416 ac, samldb_foreign_notice_sid_callback,
1419 if (ret != LDB_SUCCESS) {
1423 return ldb_next_request(ac->module, req);
1427 static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac)
1429 struct ldb_context *ldb;
1432 ldb = ldb_module_get_ctx(ac->module);
1436 ac->sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
1437 if (ac->sid == NULL) {
1438 ac->sid = dom_sid_parse_talloc(ac->msg,
1439 (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data);
1441 ldb_set_errstring(ldb,
1442 "No valid SID found in "
1443 "ForeignSecurityPrincipal CN!");
1445 return LDB_ERR_CONSTRAINT_VIOLATION;
1447 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
1449 return LDB_ERR_OPERATIONS_ERROR;
1453 /* check if we need to notice this SID */
1454 ret = samldb_add_step(ac, samldb_foreign_notice_sid);
1455 if (ret != LDB_SUCCESS) return ret;
1457 /* finally proceed with adding the entry */
1458 ret = samldb_add_step(ac, samldb_add_entry);
1459 if (ret != LDB_SUCCESS) return ret;
1461 return samldb_first_step(ac);
1464 static int samldb_check_rdn(struct ldb_module *module, struct ldb_dn *dn)
1466 struct ldb_context *ldb;
1467 const char *rdn_name;
1469 ldb = ldb_module_get_ctx(module);
1470 rdn_name = ldb_dn_get_rdn_name(dn);
1472 if (strcasecmp(rdn_name, "cn") != 0) {
1473 ldb_asprintf_errstring(ldb,
1474 "Bad RDN (%s=) for samldb object, "
1475 "should be CN=!", rdn_name);
1476 return LDB_ERR_CONSTRAINT_VIOLATION;
1483 * samldb_sid_from_dn (async)
1486 static int samldb_sid_from_dn(struct samldb_ctx *ac);
1488 static int samldb_sid_from_dn_callback(struct ldb_request *req,
1489 struct ldb_reply *ares)
1491 struct ldb_context *ldb;
1492 struct samldb_ctx *ac;
1495 ac = talloc_get_type(req->context, struct samldb_ctx);
1496 ldb = ldb_module_get_ctx(ac->module);
1499 ret = LDB_ERR_OPERATIONS_ERROR;
1502 if (ares->error != LDB_SUCCESS) {
1503 return ldb_module_done(ac->req, ares->controls,
1504 ares->response, ares->error);
1507 switch (ares->type) {
1508 case LDB_REPLY_ENTRY:
1510 if (ac->res_sid != NULL) {
1512 ldb_set_errstring(ldb,
1513 "Invalid number of results while searching "
1514 "for domain objects!");
1515 ret = LDB_ERR_OPERATIONS_ERROR;
1518 ac->res_sid = samdb_result_dom_sid(ac, ares->message,
1525 case LDB_REPLY_REFERRAL:
1531 case LDB_REPLY_DONE:
1534 /* found or not found, go on */
1535 ret = samldb_next_step(ac);
1540 if (ret != LDB_SUCCESS) {
1541 return ldb_module_done(ac->req, NULL, NULL, ret);
1547 /* Finds the SID "res_sid" of an object with a given DN "dn" */
1548 static int samldb_sid_from_dn(struct samldb_ctx *ac)
1550 struct ldb_context *ldb;
1551 static const char * const attrs[] = { "objectSid", NULL };
1552 struct ldb_request *req;
1555 ldb = ldb_module_get_ctx(ac->module);
1558 return LDB_ERR_OPERATIONS_ERROR;
1560 ret = ldb_build_search_req(&req, ldb, ac,
1565 ac, samldb_sid_from_dn_callback,
1567 if (ret != LDB_SUCCESS)
1570 return ldb_next_request(ac->module, req);
1574 * samldb_user_dn_to_prim_group_rid (async)
1577 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac);
1579 static int samldb_user_dn_to_prim_group_rid_callback(struct ldb_request *req,
1580 struct ldb_reply *ares)
1582 struct ldb_context *ldb;
1583 struct samldb_ctx *ac;
1586 ac = talloc_get_type(req->context, struct samldb_ctx);
1587 ldb = ldb_module_get_ctx(ac->module);
1590 ret = LDB_ERR_OPERATIONS_ERROR;
1593 if (ares->error != LDB_SUCCESS) {
1594 return ldb_module_done(ac->req, ares->controls,
1595 ares->response, ares->error);
1598 switch (ares->type) {
1599 case LDB_REPLY_ENTRY:
1601 if (ac->prim_group_rid != 0) {
1603 ldb_set_errstring(ldb,
1604 "Invalid number of results while searching "
1605 "for domain objects!");
1606 ret = LDB_ERR_OPERATIONS_ERROR;
1609 ac->prim_group_rid = samdb_result_uint(ares->message,
1610 "primaryGroupID", ~0);
1616 case LDB_REPLY_REFERRAL:
1622 case LDB_REPLY_DONE:
1624 if (ac->prim_group_rid == 0) {
1625 ldb_asprintf_errstring(ldb,
1626 "Unable to get the primary group RID!");
1627 ret = LDB_ERR_OPERATIONS_ERROR;
1632 ret = samldb_next_step(ac);
1637 if (ret != LDB_SUCCESS) {
1638 return ldb_module_done(ac->req, NULL, NULL, ret);
1644 /* Locates the "primaryGroupID" attribute from a certain user specified as
1645 * "user_dn". Saves the result in "prim_group_rid". */
1646 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac)
1648 struct ldb_context *ldb;
1649 static const char * const attrs[] = { "primaryGroupID", NULL };
1650 struct ldb_request *req;
1653 ldb = ldb_module_get_ctx(ac->module);
1655 if (ac->user_dn == NULL)
1656 return LDB_ERR_OPERATIONS_ERROR;
1658 ret = ldb_build_search_req(&req, ldb, ac,
1663 ac, samldb_user_dn_to_prim_group_rid_callback,
1665 if (ret != LDB_SUCCESS)
1668 return ldb_next_request(ac->module, req);
1672 * samldb_prim_group_rid_to_users_cnt (async)
1675 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac);
1677 static int samldb_prim_group_rid_to_users_cnt_callback(struct ldb_request *req,
1678 struct ldb_reply *ares)
1680 struct ldb_context *ldb;
1681 struct samldb_ctx *ac;
1684 ac = talloc_get_type(req->context, struct samldb_ctx);
1685 ldb = ldb_module_get_ctx(ac->module);
1688 ret = LDB_ERR_OPERATIONS_ERROR;
1691 if (ares->error != LDB_SUCCESS) {
1692 return ldb_module_done(ac->req, ares->controls,
1693 ares->response, ares->error);
1696 switch (ares->type) {
1697 case LDB_REPLY_ENTRY:
1705 case LDB_REPLY_REFERRAL:
1711 case LDB_REPLY_DONE:
1714 /* found or not found, go on */
1715 ret = samldb_next_step(ac);
1720 if (ret != LDB_SUCCESS) {
1721 return ldb_module_done(ac->req, NULL, NULL, ret);
1727 /* Finds the amount of users which have the primary group "prim_group_rid" and
1728 * save the result in "users_cnt" */
1729 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac)
1731 struct ldb_context *ldb;
1732 static const char * const attrs[] = { NULL };
1733 struct ldb_request *req;
1737 ldb = ldb_module_get_ctx(ac->module);
1739 if ((ac->prim_group_rid == 0) || (ac->users_cnt != 0))
1740 return LDB_ERR_OPERATIONS_ERROR;
1742 filter = talloc_asprintf(ac, "(&(primaryGroupID=%u)(objectclass=user))",
1743 ac->prim_group_rid);
1745 return LDB_ERR_OPERATIONS_ERROR;
1747 ret = ldb_build_search_req(&req, ldb, ac,
1748 ldb_get_default_basedn(ldb),
1753 samldb_prim_group_rid_to_users_cnt_callback,
1755 if (ret != LDB_SUCCESS)
1758 return ldb_next_request(ac->module, req);
1762 * samldb_group_add_member (async)
1763 * samldb_group_del_member (async)
1766 static int samldb_group_add_del_member_callback(struct ldb_request *req,
1767 struct ldb_reply *ares)
1769 struct ldb_context *ldb;
1770 struct samldb_ctx *ac;
1773 ac = talloc_get_type(req->context, struct samldb_ctx);
1774 ldb = ldb_module_get_ctx(ac->module);
1777 ret = LDB_ERR_OPERATIONS_ERROR;
1780 if (ares->error != LDB_SUCCESS) {
1781 if (ares->error == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1782 /* On error "NO_SUCH_ATTRIBUTE" (delete of an invalid
1783 * "member" attribute) return "UNWILLING_TO_PERFORM" */
1784 ares->error = LDB_ERR_UNWILLING_TO_PERFORM;
1786 return ldb_module_done(ac->req, ares->controls,
1787 ares->response, ares->error);
1789 if (ares->type != LDB_REPLY_DONE) {
1790 ldb_set_errstring(ldb,
1791 "Invalid reply type!");
1792 ret = LDB_ERR_OPERATIONS_ERROR;
1796 ret = samldb_next_step(ac);
1799 if (ret != LDB_SUCCESS) {
1800 return ldb_module_done(ac->req, NULL, NULL, ret);
1806 /* Adds a member with DN "member_dn" to a group with DN "group_dn" */
1807 static int samldb_group_add_member(struct samldb_ctx *ac)
1809 struct ldb_context *ldb;
1810 struct ldb_request *req;
1811 struct ldb_message *msg;
1814 ldb = ldb_module_get_ctx(ac->module);
1816 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1817 return LDB_ERR_OPERATIONS_ERROR;
1819 msg = ldb_msg_new(ac);
1820 msg->dn = ac->group_dn;
1821 samdb_msg_add_addval(ldb, ac, msg, "member",
1822 ldb_dn_get_linearized(ac->member_dn));
1824 ret = ldb_build_mod_req(&req, ldb, ac,
1826 ac, samldb_group_add_del_member_callback,
1828 if (ret != LDB_SUCCESS)
1831 return ldb_next_request(ac->module, req);
1834 /* Removes a member with DN "member_dn" from a group with DN "group_dn" */
1835 static int samldb_group_del_member(struct samldb_ctx *ac)
1837 struct ldb_context *ldb;
1838 struct ldb_request *req;
1839 struct ldb_message *msg;
1842 ldb = ldb_module_get_ctx(ac->module);
1844 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1845 return LDB_ERR_OPERATIONS_ERROR;
1847 msg = ldb_msg_new(ac);
1848 msg->dn = ac->group_dn;
1849 samdb_msg_add_delval(ldb, ac, msg, "member",
1850 ldb_dn_get_linearized(ac->member_dn));
1852 ret = ldb_build_mod_req(&req, ldb, ac,
1854 ac, samldb_group_add_del_member_callback,
1856 if (ret != LDB_SUCCESS)
1859 return ldb_next_request(ac->module, req);
1863 static int samldb_prim_group_change_1(struct samldb_ctx *ac)
1865 struct ldb_context *ldb;
1868 ldb = ldb_module_get_ctx(ac->module);
1870 ac->user_dn = ac->msg->dn;
1872 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
1873 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
1874 if (ac->sid == NULL)
1875 return LDB_ERR_OPERATIONS_ERROR;
1878 ac->prim_group_rid = 0;
1880 return samldb_next_step(ac);
1883 static int samldb_prim_group_change_2(struct samldb_ctx *ac)
1885 struct ldb_context *ldb;
1887 ldb = ldb_module_get_ctx(ac->module);
1889 if (ac->res_dn != NULL)
1890 ac->new_prim_group_dn = ac->res_dn;
1892 return LDB_ERR_UNWILLING_TO_PERFORM;
1894 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
1895 ac->prim_group_rid);
1896 if (ac->sid == NULL)
1897 return LDB_ERR_OPERATIONS_ERROR;
1900 return samldb_next_step(ac);
1903 static int samldb_prim_group_change_4(struct samldb_ctx *ac);
1904 static int samldb_prim_group_change_5(struct samldb_ctx *ac);
1905 static int samldb_prim_group_change_6(struct samldb_ctx *ac);
1907 static int samldb_prim_group_change_3(struct samldb_ctx *ac)
1911 if (ac->res_dn != NULL)
1912 ac->old_prim_group_dn = ac->res_dn;
1914 return LDB_ERR_UNWILLING_TO_PERFORM;
1916 /* Only update when the primary group changed */
1917 if (ldb_dn_compare(ac->old_prim_group_dn, ac->new_prim_group_dn) != 0) {
1918 ac->member_dn = ac->user_dn;
1919 /* Remove the "member" attribute of the actual (new) primary
1922 ret = samldb_add_step(ac, samldb_prim_group_change_4);
1923 if (ret != LDB_SUCCESS) return ret;
1925 ret = samldb_add_step(ac, samldb_group_del_member);
1926 if (ret != LDB_SUCCESS) return ret;
1928 /* Add a "member" attribute for the previous primary group */
1930 ret = samldb_add_step(ac, samldb_prim_group_change_5);
1931 if (ret != LDB_SUCCESS) return ret;
1933 ret = samldb_add_step(ac, samldb_group_add_member);
1934 if (ret != LDB_SUCCESS) return ret;
1937 ret = samldb_add_step(ac, samldb_prim_group_change_6);
1938 if (ret != LDB_SUCCESS) return ret;
1940 return samldb_next_step(ac);
1943 static int samldb_prim_group_change_4(struct samldb_ctx *ac)
1945 ac->group_dn = ac->new_prim_group_dn;
1947 return samldb_next_step(ac);
1950 static int samldb_prim_group_change_5(struct samldb_ctx *ac)
1952 ac->group_dn = ac->old_prim_group_dn;
1954 return samldb_next_step(ac);
1957 static int samldb_prim_group_change_6(struct samldb_ctx *ac)
1959 return ldb_next_request(ac->module, ac->req);
1962 static int samldb_prim_group_change(struct samldb_ctx *ac)
1966 /* Finds out the DN of the new primary group */
1968 ret = samldb_add_step(ac, samldb_prim_group_change_1);
1969 if (ret != LDB_SUCCESS) return ret;
1971 ret = samldb_add_step(ac, samldb_dn_from_sid);
1972 if (ret != LDB_SUCCESS) return ret;
1974 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
1975 if (ret != LDB_SUCCESS) return ret;
1977 /* Finds out the DN of the old primary group */
1979 ret = samldb_add_step(ac, samldb_prim_group_change_2);
1980 if (ret != LDB_SUCCESS) return ret;
1982 ret = samldb_add_step(ac, samldb_dn_from_sid);
1983 if (ret != LDB_SUCCESS) return ret;
1985 ret = samldb_add_step(ac, samldb_prim_group_change_3);
1986 if (ret != LDB_SUCCESS) return ret;
1988 return samldb_first_step(ac);
1992 static int samldb_member_check_1(struct samldb_ctx *ac)
1994 struct ldb_context *ldb;
1995 struct ldb_message_element *el;
1997 ldb = ldb_module_get_ctx(ac->module);
1999 el = ldb_msg_find_element(ac->msg, "member");
2001 ac->user_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[ac->cnt]);
2002 if (!ldb_dn_validate(ac->user_dn))
2003 return LDB_ERR_OPERATIONS_ERROR;
2004 ac->prim_group_rid = 0;
2006 return samldb_next_step(ac);
2009 static int samldb_member_check_2(struct samldb_ctx *ac)
2011 struct ldb_context *ldb;
2013 ldb = ldb_module_get_ctx(ac->module);
2015 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
2016 ac->prim_group_rid);
2017 if (ac->sid == NULL)
2018 return LDB_ERR_OPERATIONS_ERROR;
2021 return samldb_next_step(ac);
2024 static int samldb_member_check_3(struct samldb_ctx *ac)
2026 if (ldb_dn_compare(ac->res_dn, ac->msg->dn) == 0)
2027 return LDB_ERR_ENTRY_ALREADY_EXISTS;
2031 return samldb_next_step(ac);
2034 static int samldb_member_check_4(struct samldb_ctx *ac)
2036 return ldb_next_request(ac->module, ac->req);
2039 static int samldb_member_check(struct samldb_ctx *ac)
2041 struct ldb_message_element *el;
2044 el = ldb_msg_find_element(ac->msg, "member");
2046 for (i = 0; i < el->num_values; i++) {
2047 /* Denies to add "member"s to groups which are primary ones
2049 ret = samldb_add_step(ac, samldb_member_check_1);
2050 if (ret != LDB_SUCCESS) return ret;
2052 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
2053 if (ret != LDB_SUCCESS) return ret;
2055 ret = samldb_add_step(ac, samldb_member_check_2);
2056 if (ret != LDB_SUCCESS) return ret;
2058 ret = samldb_add_step(ac, samldb_dn_from_sid);
2059 if (ret != LDB_SUCCESS) return ret;
2061 ret = samldb_add_step(ac, samldb_member_check_3);
2062 if (ret != LDB_SUCCESS) return ret;
2065 ret = samldb_add_step(ac, samldb_member_check_4);
2066 if (ret != LDB_SUCCESS) return ret;
2068 return samldb_first_step(ac);
2072 static int samldb_prim_group_users_check_1(struct samldb_ctx *ac)
2074 ac->dn = ac->req->op.del.dn;
2077 return samldb_next_step(ac);
2080 static int samldb_prim_group_users_check_2(struct samldb_ctx *ac)
2085 if (ac->res_sid == NULL) {
2086 /* No SID - therefore ok here */
2087 return ldb_next_request(ac->module, ac->req);
2089 status = dom_sid_split_rid(ac, ac->res_sid, NULL, &rid);
2090 if (!NT_STATUS_IS_OK(status))
2091 return LDB_ERR_OPERATIONS_ERROR;
2094 /* Special object (security principal?) */
2095 return ldb_next_request(ac->module, ac->req);
2098 ac->prim_group_rid = rid;
2101 return samldb_next_step(ac);
2104 static int samldb_prim_group_users_check_3(struct samldb_ctx *ac)
2106 if (ac->users_cnt > 0)
2107 return LDB_ERR_ENTRY_ALREADY_EXISTS;
2109 return ldb_next_request(ac->module, ac->req);
2112 static int samldb_prim_group_users_check(struct samldb_ctx *ac)
2116 /* Finds out the SID/RID of the domain object */
2118 ret = samldb_add_step(ac, samldb_prim_group_users_check_1);
2119 if (ret != LDB_SUCCESS) return ret;
2121 ret = samldb_add_step(ac, samldb_sid_from_dn);
2122 if (ret != LDB_SUCCESS) return ret;
2124 /* Deny delete requests from groups which are primary ones */
2126 ret = samldb_add_step(ac, samldb_prim_group_users_check_2);
2127 if (ret != LDB_SUCCESS) return ret;
2129 ret = samldb_add_step(ac, samldb_prim_group_rid_to_users_cnt);
2130 if (ret != LDB_SUCCESS) return ret;
2132 ret = samldb_add_step(ac, samldb_prim_group_users_check_3);
2133 if (ret != LDB_SUCCESS) return ret;
2135 return samldb_first_step(ac);
2140 static int samldb_add(struct ldb_module *module, struct ldb_request *req)
2142 struct ldb_context *ldb;
2143 struct samldb_ctx *ac;
2146 ldb = ldb_module_get_ctx(module);
2147 ldb_debug(ldb, LDB_DEBUG_TRACE, "samldb_add\n");
2149 /* do not manipulate our control entries */
2150 if (ldb_dn_is_special(req->op.add.message->dn)) {
2151 return ldb_next_request(module, req);
2154 ac = samldb_ctx_init(module, req);
2156 return LDB_ERR_OPERATIONS_ERROR;
2159 /* build the new msg */
2160 ac->msg = ldb_msg_copy(ac, ac->req->op.add.message);
2163 ldb_debug(ldb, LDB_DEBUG_FATAL,
2164 "samldb_add: ldb_msg_copy failed!\n");
2165 return LDB_ERR_OPERATIONS_ERROR;
2168 if (samdb_find_attribute(ldb, ac->msg,
2169 "objectclass", "computer") != NULL) {
2171 /* make sure the computer object also has the 'user'
2172 * objectclass so it will be handled by the next call */
2173 ret = samdb_find_or_add_value(ldb, ac->msg,
2174 "objectclass", "user");
2175 if (ret != LDB_SUCCESS) {
2181 if (samdb_find_attribute(ldb, ac->msg,
2182 "objectclass", "user") != NULL) {
2184 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2185 if (ret != LDB_SUCCESS) {
2190 return samldb_fill_object(ac, "user");
2193 if (samdb_find_attribute(ldb, ac->msg,
2194 "objectclass", "group") != NULL) {
2196 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2197 if (ret != LDB_SUCCESS) {
2202 return samldb_fill_object(ac, "group");
2205 /* perhaps a foreignSecurityPrincipal? */
2206 if (samdb_find_attribute(ldb, ac->msg,
2208 "foreignSecurityPrincipal") != NULL) {
2210 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2211 if (ret != LDB_SUCCESS) {
2216 return samldb_fill_foreignSecurityPrincipal_object(ac);
2219 if (samdb_find_attribute(ldb, ac->msg,
2220 "objectclass", "classSchema") != NULL) {
2222 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2223 if (ret != LDB_SUCCESS) {
2228 return samldb_fill_object(ac, "classSchema");
2231 if (samdb_find_attribute(ldb, ac->msg,
2232 "objectclass", "attributeSchema") != NULL) {
2234 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2235 if (ret != LDB_SUCCESS) {
2240 return samldb_fill_object(ac, "attributeSchema");
2245 /* nothing matched, go on */
2246 return ldb_next_request(module, req);
2250 static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
2252 struct ldb_context *ldb;
2253 struct ldb_message *msg;
2254 struct ldb_message_element *el, *el2;
2256 uint32_t account_type;
2258 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2259 /* do not manipulate our control entries */
2260 return ldb_next_request(module, req);
2263 ldb = ldb_module_get_ctx(module);
2265 if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
2266 ldb_asprintf_errstring(ldb,
2267 "sAMAccountType must not be specified!");
2268 return LDB_ERR_UNWILLING_TO_PERFORM;
2271 /* TODO: do not modify original request, create a new one */
2273 el = ldb_msg_find_element(req->op.mod.message, "groupType");
2274 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2275 uint32_t group_type;
2277 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
2278 req->op.mod.message);
2280 group_type = strtoul((const char *)el->values[0].data, NULL, 0);
2281 account_type = ds_gtype2atype(group_type);
2282 ret = samdb_msg_add_uint(ldb, msg, msg,
2285 if (ret != LDB_SUCCESS) {
2288 el2 = ldb_msg_find_element(msg, "sAMAccountType");
2289 el2->flags = LDB_FLAG_MOD_REPLACE;
2292 el = ldb_msg_find_element(req->op.mod.message, "userAccountControl");
2293 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2294 uint32_t user_account_control;
2296 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
2297 req->op.mod.message);
2299 user_account_control = strtoul((const char *)el->values[0].data,
2301 account_type = ds_uf2atype(user_account_control);
2302 ret = samdb_msg_add_uint(ldb, msg, msg,
2305 if (ret != LDB_SUCCESS) {
2308 el2 = ldb_msg_find_element(msg, "sAMAccountType");
2309 el2->flags = LDB_FLAG_MOD_REPLACE;
2311 if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
2312 ret = samdb_msg_add_string(ldb, msg, msg,
2313 "isCriticalSystemObject", "TRUE");
2314 if (ret != LDB_SUCCESS) {
2317 el2 = ldb_msg_find_element(msg, "isCriticalSystemObject");
2318 el2->flags = LDB_FLAG_MOD_REPLACE;
2322 el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
2323 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2324 struct samldb_ctx *ac;
2326 ac = samldb_ctx_init(module, req);
2328 return LDB_ERR_OPERATIONS_ERROR;
2330 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2331 req->op.mod.message);
2333 return samldb_prim_group_change(ac);
2336 el = ldb_msg_find_element(req->op.mod.message, "member");
2337 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2338 struct samldb_ctx *ac;
2340 ac = samldb_ctx_init(module, req);
2342 return LDB_ERR_OPERATIONS_ERROR;
2344 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2345 req->op.mod.message);
2347 return samldb_member_check(ac);
2350 /* nothing matched, go on */
2351 return ldb_next_request(module, req);
2355 static int samldb_delete(struct ldb_module *module, struct ldb_request *req)
2357 struct samldb_ctx *ac;
2359 if (ldb_dn_is_special(req->op.del.dn)) {
2360 /* do not manipulate our control entries */
2361 return ldb_next_request(module, req);
2364 ac = samldb_ctx_init(module, req);
2366 return LDB_ERR_OPERATIONS_ERROR;
2368 return samldb_prim_group_users_check(ac);
2372 static int samldb_init(struct ldb_module *module)
2374 return ldb_next_init(module);
2377 _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = {
2379 .init_context = samldb_init,
2381 .modify = samldb_modify,
2382 .del = samldb_delete