struct descriptor_context {
struct ldb_module *module;
struct ldb_request *req;
+ struct ldb_message *msg;
struct ldb_reply *search_res;
struct ldb_reply *search_oc_res;
struct ldb_val *parentsd_val;
+ struct ldb_message_element *sd_element;
struct ldb_val *sd_val;
int (*step_fn)(struct descriptor_context *);
};
struct ldb_context *ldb)
{
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct ldb_dn *default_base_dn = ldb_get_default_basedn(ldb);
- struct ldb_dn *schema_base_dn = ldb_get_schema_basedn(ldb);
- struct ldb_dn *config_base_dn = ldb_get_config_basedn(ldb);
const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
struct dom_sid *dag_sid;
+ struct ldb_dn *nc_root;
+ int ret;
- /* FIXME: this has to be fixed regarding the forest DN (root DN) and
- * the domain DN (default DN) - they aren't always the same. */
+ ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
- if (ldb_dn_compare_base(schema_base_dn, dn) == 0){
+ if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
if (security_token_has_sid(token, sa_sid))
dag_sid = dom_sid_dup(mem_ctx, sa_sid);
else if (security_token_has_sid(token, ea_sid))
dag_sid = dom_sid_dup(mem_ctx, da_sid);
else
dag_sid = NULL;
- }
- else if (ldb_dn_compare_base(config_base_dn, dn) == 0){
+ } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
if (security_token_has_sid(token, ea_sid))
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
else if (security_token_has_sid(token, da_sid))
dag_sid = dom_sid_dup(mem_ctx, da_sid);
else
dag_sid = NULL;
- }
- else if (ldb_dn_compare_base(default_base_dn, dn) == 0){
+ } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
if (security_token_has_sid(token, da_sid))
dag_sid = dom_sid_dup(mem_ctx, da_sid);
else if (security_token_has_sid(token, ea_sid))
dag_sid = dom_sid_dup(mem_ctx, ea_sid);
else
dag_sid = NULL;
- }
- else
+ } else {
dag_sid = NULL;
+ }
talloc_free(tmp_ctx);
return dag_sid;
return LDB_SUCCESS;
}
-
-static int descriptor_op_callback(struct ldb_request *req, struct ldb_reply *ares)
-{
- struct descriptor_context *ac;
-
- ac = talloc_get_type(req->context, struct descriptor_context);
-
- if (!ares) {
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
-
- if (ares->type == LDB_REPLY_REFERRAL) {
- return ldb_module_send_referral(ac->req, ares->referral);
- }
-
- if (ares->error != LDB_SUCCESS) {
- return ldb_module_done(ac->req, ares->controls,
- ares->response, ares->error);
- }
-
- if (ares->type != LDB_REPLY_DONE) {
- talloc_free(ares);
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
-
- return ldb_module_done(ac->req, ares->controls,
- ares->response, ares->error);
-}
-
static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
{
struct descriptor_context *ac;
return ldb_module_send_entry(ac->req, ares->message, ares->controls);
case LDB_REPLY_REFERRAL:
- /* ignore referrals */
- break;
+ return ldb_module_send_referral(ac->req, ares->referral);
case LDB_REPLY_DONE:
return ldb_module_done(ac->req, ares->controls,
ares->response, ares->error);
}
- talloc_free(ares);
- return LDB_SUCCESS;
fail:
return ldb_module_done(ac->req, NULL, NULL, ret);
}
struct ldb_context *ldb;
const struct dsdb_schema *schema;
struct ldb_request *mod_req;
- struct ldb_message_element *objectclass_element, *tmp_element, *oldsd_el;
+ struct ldb_message_element *objectclass_element, *oldsd_el;
struct ldb_val *oldsd_val = NULL;
int ret;
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
- struct ldb_message *msg;
struct ldb_control *sd_control;
struct ldb_control *sd_control2;
- int flags = 0;
uint32_t sd_flags = 0;
ldb = ldb_module_get_ctx(ac->module);
schema = dsdb_get_schema(ldb, ac);
- msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
- if (msg == NULL) {
- return ldb_module_oom(ac->module);
- }
-
objectclass_element = ldb_msg_find_element(ac->search_oc_res->message,
"objectClass");
if (objectclass_element == NULL) {
}
sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
- sd_control2 = ldb_request_get_control(ac->req, LDB_CONTROL_RECALCULATE_SD_OID);
+ sd_control2 = ldb_request_get_control(ac->req,
+ LDB_CONTROL_RECALCULATE_SD_OID);
if (sd_control) {
struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
sd_flags = sdctr->secinfo_flags;
sd_flags = sd_flags & 0x0000000F;
}
if (sd_flags != 0) {
- oldsd_el = ldb_msg_find_element(ac->search_oc_res->message, "nTSecurityDescriptor");
+ oldsd_el = ldb_msg_find_element(ac->search_oc_res->message,
+ "nTSecurityDescriptor");
if (oldsd_el) {
oldsd_val = oldsd_el->values;
}
}
- sd = get_new_descriptor(ac->module, msg->dn, ac, objectclass,
- ac->parentsd_val, ac->sd_val, oldsd_val, sd_flags);
- if (ac->sd_val) {
- tmp_element = ldb_msg_find_element(msg, "ntSecurityDescriptor");
- flags = tmp_element->flags;
- ldb_msg_remove_attr(msg, "nTSecurityDescriptor");
- }
- if (sd) {
- ret = ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
- tmp_element = ldb_msg_find_element(msg, "ntSecurityDescriptor");
- if (sd_control2) {
- tmp_element->flags = LDB_FLAG_MOD_REPLACE;
- } else {
- tmp_element->flags = flags;
+ sd = get_new_descriptor(ac->module, ac->msg->dn, ac,
+ objectclass, ac->parentsd_val,
+ ac->sd_val, oldsd_val, sd_flags);
+ if (sd != NULL) {
+ if (ac->sd_val != NULL) {
+ ac->sd_element->values[0] = *sd;
+ } else if (sd_control2 != NULL) {
+ /* In this branch we really do force the recalculation
+ * of the SD */
+ ldb_msg_remove_attr(ac->msg, "nTSecurityDescriptor");
+
+ ret = ldb_msg_add_steal_value(ac->msg,
+ "nTSecurityDescriptor",
+ sd);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ac->sd_element = ldb_msg_find_element(ac->msg,
+ "nTSecurityDescriptor");
+ ac->sd_element->flags = LDB_FLAG_MOD_REPLACE;
}
}
+
+ /* mark the controls as non-critical since we've handled them */
+ if (sd_control != NULL) {
+ sd_control->critical = 0;
+ }
+ if (sd_control2 != NULL) {
+ sd_control2->critical = 0;
+ }
+
ret = ldb_build_mod_req(&mod_req, ldb, ac,
- msg,
+ ac->msg,
ac->req->controls,
- ac, descriptor_op_callback,
+ ac->req, dsdb_next_callback,
ac->req);
LDB_REQ_SET_LOCATION(mod_req);
if (ret != LDB_SUCCESS) {
return ret;
}
- /* mark it non-critical, so we don't get an error from the
- backend, but mark that we've handled it */
- if (sd_control) {
- sd_control->critical = 0;
- }
return ldb_next_request(ac->module, mod_req);
}
struct ldb_context *ldb;
const struct dsdb_schema *schema;
struct ldb_request *add_req;
- struct ldb_message_element *objectclass_element, *sd_element = NULL;
- struct ldb_message *msg;
- TALLOC_CTX *mem_ctx;
+ struct ldb_message_element *objectclass_element;
int ret;
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
ldb = ldb_module_get_ctx(ac->module);
schema = dsdb_get_schema(ldb, ac);
- mem_ctx = talloc_new(ac);
- if (mem_ctx == NULL) {
- return ldb_module_oom(ac->module);
- }
-
switch (ac->req->operation) {
case LDB_ADD:
- msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
- if (msg == NULL) {
+ ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
+ if (ac->msg == NULL) {
return ldb_module_oom(ac->module);
}
- objectclass_element = ldb_msg_find_element(msg, "objectClass");
+ objectclass_element = ldb_msg_find_element(ac->msg,
+ "objectClass");
if (objectclass_element == NULL) {
return ldb_operr(ldb);
}
}
break;
case LDB_MODIFY:
- msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
- if (msg == NULL) {
+ ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
+ if (ac->msg == NULL) {
return ldb_module_oom(ac->module);
}
break;
return ldb_operr(ldb);
}
-
- /* get the security descriptor values*/
- sd_element = ldb_msg_find_element(msg, "nTSecurityDescriptor");
- if (sd_element) {
- ac->sd_val = talloc_memdup(ac, &sd_element->values[0], sizeof(struct ldb_val));
+ /* Check if there is a valid security descriptor provided */
+ ac->sd_element = dsdb_get_single_valued_attr(ac->msg,
+ "nTSecurityDescriptor",
+ ac->req->operation);
+ if ((ac->sd_element != NULL) && (ac->sd_element->num_values == 1)) {
+ ac->sd_val = talloc_memdup(ac,
+ &ac->sd_element->values[0],
+ sizeof(struct ldb_val));
}
- /* NC's have no parent */
- /* FIXME: this has to be made dynamic at some point */
- if ((ldb_dn_compare(msg->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
- (ldb_dn_compare(msg->dn, (ldb_get_config_basedn(ldb))) == 0) ||
- (ldb_dn_compare(msg->dn, (ldb_get_default_basedn(ldb))) == 0)) {
- ac->parentsd_val = NULL;
- } else if (ac->search_res != NULL) {
- struct ldb_message_element *parent_element = ldb_msg_find_element(ac->search_res->message, "nTSecurityDescriptor");
- if (parent_element) {
- ac->parentsd_val = talloc_memdup(ac, &parent_element->values[0], sizeof(struct ldb_val));
+
+ /* If we do have a parent, then please fetch it's security descriptor.
+ * But have in mind: NCs don't have any parents! That means
+ * "CN=Configuration,DC=example,DC=com" has no parent
+ * "DC=example,DC=com" since this is located under another NC! */
+ if (ac->search_res != NULL) {
+ struct ldb_message_element *parent_element = NULL;
+ struct ldb_dn *nc_root;
+
+ ret = dsdb_find_nc_root(ldb, ac, ac->msg->dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (ldb_dn_compare(ac->msg->dn, nc_root) != 0) {
+ /* we aren't any NC */
+ parent_element = ldb_msg_find_element(ac->search_res->message,
+ "nTSecurityDescriptor");
+ if (parent_element != NULL) {
+ ac->parentsd_val = talloc_memdup(ac,
+ &parent_element->values[0],
+ sizeof(struct ldb_val));
+ }
}
}
/* Get the parent descriptor and the one provided. If not
* provided, get the default. Convert it to a security
* descriptor and calculate the permissions. */
- sd = get_new_descriptor(ac->module, msg->dn, mem_ctx, objectclass,
- ac->parentsd_val, ac->sd_val, NULL, 0);
- if (ac->sd_val) {
- ldb_msg_remove_attr(msg, "nTSecurityDescriptor");
- }
-
- if (sd) {
- ret = ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
- if (ret != LDB_SUCCESS) {
- return ret;
+ sd = get_new_descriptor(ac->module, ac->msg->dn, ac,
+ objectclass, ac->parentsd_val,
+ ac->sd_val, NULL, 0);
+ if (sd != NULL) {
+ if (ac->sd_val != NULL) {
+ ac->sd_element->values[0] = *sd;
+ } else if (ac->sd_element == NULL) {
+ ret = ldb_msg_add_steal_value(ac->msg,
+ "nTSecurityDescriptor",
+ sd);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
}
}
- talloc_free(mem_ctx);
- ret = ldb_msg_sanity_check(ldb, msg);
-
- if (ret != LDB_SUCCESS) {
- ldb_asprintf_errstring(ldb, "No last structural objectclass found on %s",
- ldb_dn_get_linearized(msg->dn));
- return ret;
- }
-
ret = ldb_build_add_req(&add_req, ldb, ac,
- msg,
+ ac->msg,
ac->req->controls,
- ac, descriptor_op_callback,
+ ac->req, dsdb_next_callback,
ac->req);
LDB_REQ_SET_LOCATION(add_req);
if (ret != LDB_SUCCESS) {
}
return ldb_next_request(ac->module, add_req);
} else {
- ret = ldb_build_search_req(&search_req, ldb,
- ac, msg->dn, LDB_SCOPE_BASE,
- "(objectClass=*)", attrs,
- NULL,
- ac, get_search_oc_callback,
- ac->req);
+ ret = ldb_build_search_req(&search_req, ldb, ac,
+ ac->msg->dn, LDB_SCOPE_BASE,
+ "(objectClass=*)", attrs,
+ NULL,
+ ac, get_search_oc_callback,
+ ac->req);
LDB_REQ_SET_LOCATION(search_req);
if (ret != LDB_SUCCESS) {
return ret;
break;
case LDB_MODIFY:
dn = req->op.mod.message->dn;
- sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
- /* This control allow forcing the recalculation of the SD */
- sd_control = ldb_request_get_control(req, LDB_CONTROL_RECALCULATE_SD_OID);
+ sd_element = ldb_msg_find_element(req->op.mod.message,
+ "nTSecurityDescriptor");
+ /* This control forces the recalculation of the SD also when
+ * no modification is performed. */
+ sd_control = ldb_request_get_control(req,
+ LDB_CONTROL_RECALCULATE_SD_OID);
if (!sd_element && !sd_control) {
return ldb_next_request(module, req);
}
}
ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_change: %s\n", ldb_dn_get_linearized(dn));
+ /* do not manipulate our control entries */
if (ldb_dn_is_special(dn)) {
return ldb_next_request(module, req);
}
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn));
+
+ /* do not manipulate our control entries */
+ if (ldb_dn_is_special(req->op.rename.olddn)) {
+ return ldb_next_request(module, req);
+ }
+
return ldb_next_request(module, req);
}