4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
46 struct descriptor_data {
50 struct descriptor_context {
51 struct ldb_module *module;
52 struct ldb_request *req;
53 struct ldb_message *msg;
54 struct ldb_reply *search_res;
55 struct ldb_reply *search_oc_res;
56 struct ldb_val *parentsd_val;
57 struct ldb_message_element *sd_element;
58 struct ldb_val *sd_val;
60 int (*step_fn)(struct descriptor_context *);
63 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
65 struct security_token *token,
66 struct ldb_context *ldb)
68 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
69 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
70 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
71 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
72 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
73 struct dom_sid *dag_sid;
74 struct ldb_dn *nc_root;
77 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
78 if (ret != LDB_SUCCESS) {
83 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
84 if (security_token_has_sid(token, sa_sid)) {
85 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
86 } else if (security_token_has_sid(token, ea_sid)) {
87 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
88 } else if (security_token_has_sid(token, da_sid)) {
89 dag_sid = dom_sid_dup(mem_ctx, da_sid);
90 } else if (security_token_is_system(token)) {
91 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
95 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
96 if (security_token_has_sid(token, ea_sid)) {
97 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
98 } else if (security_token_has_sid(token, da_sid)) {
99 dag_sid = dom_sid_dup(mem_ctx, da_sid);
100 } else if (security_token_is_system(token)) {
101 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
105 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
106 if (security_token_has_sid(token, da_sid)) {
107 dag_sid = dom_sid_dup(mem_ctx, da_sid);
108 } else if (security_token_has_sid(token, ea_sid)) {
109 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
110 } else if (security_token_is_system(token)) {
111 dag_sid = dom_sid_dup(mem_ctx, da_sid);
119 talloc_free(tmp_ctx);
123 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
124 const struct dsdb_class *objectclass)
126 struct ldb_context *ldb = ldb_module_get_ctx(module);
127 struct security_descriptor *sd;
128 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
130 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
134 sd = sddl_decode(mem_ctx,
135 objectclass->defaultSecurityDescriptor,
140 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
141 struct ldb_context *ldb,
144 if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
151 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
152 struct security_descriptor *new_sd,
153 struct security_descriptor *old_sd,
156 struct security_descriptor *final_sd;
157 /* if there is no control or control == 0 modify everything */
162 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
163 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
164 final_sd->type = SEC_DESC_SELF_RELATIVE;
166 if (sd_flags & (SECINFO_OWNER)) {
167 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
168 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
171 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
172 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
175 if (sd_flags & (SECINFO_GROUP)) {
176 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
177 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
180 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
181 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
184 if (sd_flags & (SECINFO_SACL)) {
185 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
186 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
187 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
188 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
189 SEC_DESC_SERVER_SECURITY);
191 else if (old_sd && old_sd->sacl) {
192 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
193 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
194 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
195 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
196 SEC_DESC_SERVER_SECURITY);
199 if (sd_flags & (SECINFO_DACL)) {
200 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
201 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
202 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
203 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
204 SEC_DESC_DACL_TRUSTED);
206 else if (old_sd && old_sd->dacl) {
207 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
208 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
209 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
210 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
211 SEC_DESC_DACL_TRUSTED);
213 /* not so sure about this */
214 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
218 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
221 const struct dsdb_class *objectclass,
222 const struct ldb_val *parent,
223 const struct ldb_val *object,
224 const struct ldb_val *old_sd,
227 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
228 struct security_descriptor *old_descriptor = NULL;
229 struct security_descriptor *new_sd, *final_sd;
230 DATA_BLOB *linear_sd;
231 enum ndr_err_code ndr_err;
232 struct ldb_context *ldb = ldb_module_get_ctx(module);
233 struct auth_session_info *session_info
234 = ldb_get_opaque(ldb, "sessionInfo");
235 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
237 struct dom_sid *default_owner;
238 struct dom_sid *default_group;
239 struct security_descriptor *default_descriptor = NULL;
241 if (objectclass != NULL) {
242 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
246 user_descriptor = talloc(mem_ctx, struct security_descriptor);
247 if (!user_descriptor) {
250 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
252 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
254 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
255 talloc_free(user_descriptor);
259 user_descriptor = default_descriptor;
263 old_descriptor = talloc(mem_ctx, struct security_descriptor);
264 if (!old_descriptor) {
267 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
269 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
271 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
272 talloc_free(old_descriptor);
278 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
279 if (!parent_descriptor) {
282 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
284 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
286 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
287 talloc_free(parent_descriptor);
292 if (user_descriptor && default_descriptor &&
293 (user_descriptor->dacl == NULL))
295 user_descriptor->dacl = default_descriptor->dacl;
296 user_descriptor->type |= default_descriptor->type & (
297 SEC_DESC_DACL_PRESENT |
298 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
299 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
300 SEC_DESC_DACL_TRUSTED);
303 if (user_descriptor && default_descriptor &&
304 (user_descriptor->sacl == NULL))
306 user_descriptor->sacl = default_descriptor->sacl;
307 user_descriptor->type |= default_descriptor->type & (
308 SEC_DESC_SACL_PRESENT |
309 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
310 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
311 SEC_DESC_SERVER_SECURITY);
314 default_owner = get_default_ag(mem_ctx, dn,
315 session_info->security_token, ldb);
316 default_group = get_default_group(mem_ctx, ldb, default_owner);
317 new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
318 NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
319 session_info->security_token,
320 default_owner, default_group,
321 map_generic_rights_ds);
325 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
331 if (final_sd->dacl) {
332 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
334 if (final_sd->sacl) {
335 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
338 sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
339 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
341 linear_sd = talloc(mem_ctx, DATA_BLOB);
346 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
348 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
349 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
356 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
361 struct security_descriptor *old_sd, *final_sd;
362 DATA_BLOB *linear_sd;
363 enum ndr_err_code ndr_err;
365 old_sd = talloc(mem_ctx, struct security_descriptor);
369 ndr_err = ndr_pull_struct_blob(sd, old_sd,
371 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
373 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
378 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
384 linear_sd = talloc(mem_ctx, DATA_BLOB);
389 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
391 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
392 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
399 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
400 struct ldb_request *req)
402 struct ldb_context *ldb;
403 struct descriptor_context *ac;
405 ldb = ldb_module_get_ctx(module);
407 ac = talloc_zero(req, struct descriptor_context);
409 ldb_set_errstring(ldb, "Out of Memory");
418 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
420 struct descriptor_context *ac;
421 struct ldb_val *sd_val = NULL;
422 struct ldb_message_element *sd_el;
426 ac = talloc_get_type(req->context, struct descriptor_context);
429 ret = LDB_ERR_OPERATIONS_ERROR;
432 if (ares->error != LDB_SUCCESS) {
433 return ldb_module_done(ac->req, ares->controls,
434 ares->response, ares->error);
437 switch (ares->type) {
438 case LDB_REPLY_ENTRY:
439 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
441 sd_val = sd_el->values;
445 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
446 sd_val, ac->sd_flags);
448 ret = LDB_ERR_OPERATIONS_ERROR;
451 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
452 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
453 if (ret != LDB_SUCCESS) {
457 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
459 case LDB_REPLY_REFERRAL:
460 return ldb_module_send_referral(ac->req, ares->referral);
463 return ldb_module_done(ac->req, ares->controls,
464 ares->response, ares->error);
469 return ldb_module_done(ac->req, NULL, NULL, ret);
472 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
474 struct ldb_context *ldb = ldb_module_get_ctx(module);
475 struct ldb_request *add_req;
476 struct ldb_message *msg;
477 struct ldb_result *parent_res;
478 const struct ldb_val *parent_sd = NULL;
479 const struct ldb_val *user_sd;
480 struct ldb_dn *dn = req->op.add.message->dn;
481 struct ldb_dn *parent_dn, *nc_root;
482 struct ldb_message_element *objectclass_element, *sd_element;
484 const struct dsdb_schema *schema;
486 const struct dsdb_class *objectclass;
487 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
488 uint32_t instanceType;
490 uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
492 /* do not manipulate our control entries */
493 if (ldb_dn_is_special(dn)) {
494 return ldb_next_request(module, req);
497 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
498 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
499 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
500 if (user_sd == NULL && sd_element) {
501 return ldb_next_request(module, req);
504 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
506 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
508 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
513 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
514 if (ret != LDB_SUCCESS) {
515 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
516 ldb_dn_get_linearized(dn));
520 if (ldb_dn_compare(dn, nc_root) == 0) {
521 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
527 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
530 /* if the object has a parent, retrieve its SD to
531 * use for calculation. Unfortunately we do not yet have
532 * instanceType, so we use dsdb_find_nc_root. */
534 parent_dn = ldb_dn_get_parent(req, dn);
535 if (parent_dn == NULL) {
539 /* we aren't any NC */
540 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
542 DSDB_FLAG_NEXT_MODULE |
543 DSDB_FLAG_AS_SYSTEM |
544 DSDB_SEARCH_SHOW_RECYCLED,
546 if (ret != LDB_SUCCESS) {
547 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
548 ldb_dn_get_linearized(parent_dn));
551 if (parent_res->count != 1) {
552 return ldb_operr(ldb);
554 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
557 schema = dsdb_get_schema(ldb, req);
559 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
560 if (objectclass_element == NULL) {
561 return ldb_operr(ldb);
564 objectclass = dsdb_get_last_structural_class(schema,
565 objectclass_element);
566 if (objectclass == NULL) {
567 return ldb_operr(ldb);
571 * The SD_FLAG control is ignored on add
572 * and we default to all bits set.
576 sd = get_new_descriptor(module, dn, req,
577 objectclass, parent_sd,
578 user_sd, NULL, sd_flags);
580 return ldb_operr(ldb);
582 msg = ldb_msg_copy_shallow(req, req->op.add.message);
586 if (sd_element != NULL) {
587 sd_element->values[0] = *sd;
589 ret = ldb_msg_add_steal_value(msg,
590 "nTSecurityDescriptor",
592 if (ret != LDB_SUCCESS) {
597 ret = ldb_build_add_req(&add_req, ldb, req,
600 req, dsdb_next_callback,
602 LDB_REQ_SET_LOCATION(add_req);
603 if (ret != LDB_SUCCESS) {
604 return ldb_error(ldb, ret,
605 "descriptor_add: Error creating new add request.");
608 return ldb_next_request(module, add_req);
611 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
613 struct ldb_context *ldb = ldb_module_get_ctx(module);
614 struct ldb_request *mod_req;
615 struct ldb_message *msg;
616 struct ldb_result *current_res, *parent_res;
617 const struct ldb_val *old_sd = NULL;
618 const struct ldb_val *parent_sd = NULL;
619 const struct ldb_val *user_sd;
620 struct ldb_dn *dn = req->op.mod.message->dn;
621 struct ldb_dn *parent_dn;
622 struct ldb_message_element *objectclass_element, *sd_element;
624 uint32_t instanceType;
625 bool explicit_sd_flags = false;
626 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
627 const struct dsdb_schema *schema;
629 const struct dsdb_class *objectclass;
630 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
631 static const char * const current_attrs[] = { "nTSecurityDescriptor",
633 "objectClass", NULL };
634 struct ldb_control *sd_propagation_control;
636 /* do not manipulate our control entries */
637 if (ldb_dn_is_special(dn)) {
638 return ldb_next_request(module, req);
642 sd_propagation_control = ldb_request_get_control(req,
643 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
644 if (sd_propagation_control != NULL) {
645 if (sd_propagation_control->data != module) {
646 return ldb_operr(ldb);
648 if (req->op.mod.message->num_elements != 0) {
649 return ldb_operr(ldb);
651 if (explicit_sd_flags) {
652 return ldb_operr(ldb);
654 if (sd_flags != 0xF) {
655 return ldb_operr(ldb);
657 if (sd_propagation_control->critical == 0) {
658 return ldb_operr(ldb);
661 sd_propagation_control->critical = 0;
664 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
665 if (sd_propagation_control == NULL && sd_element == NULL) {
666 return ldb_next_request(module, req);
670 * nTSecurityDescriptor with DELETE is not supported yet.
671 * TODO: handle this correctly.
673 if (sd_propagation_control == NULL &&
674 LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
676 return ldb_module_error(module,
677 LDB_ERR_UNWILLING_TO_PERFORM,
678 "MOD_DELETE for nTSecurityDescriptor "
679 "not supported yet");
682 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
683 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
684 if (sd_propagation_control == NULL && user_sd == NULL) {
685 return ldb_next_request(module, req);
688 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
690 ret = dsdb_module_search_dn(module, req, ¤t_res, dn,
692 DSDB_FLAG_NEXT_MODULE |
693 DSDB_FLAG_AS_SYSTEM |
694 DSDB_SEARCH_SHOW_RECYCLED,
696 if (ret != LDB_SUCCESS) {
697 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
698 ldb_dn_get_linearized(dn));
702 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
704 /* if the object has a parent, retrieve its SD to
705 * use for calculation */
706 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
707 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
708 parent_dn = ldb_dn_get_parent(req, dn);
709 if (parent_dn == NULL) {
712 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
714 DSDB_FLAG_NEXT_MODULE |
715 DSDB_FLAG_AS_SYSTEM |
716 DSDB_SEARCH_SHOW_RECYCLED,
718 if (ret != LDB_SUCCESS) {
719 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
720 ldb_dn_get_linearized(parent_dn));
723 if (parent_res->count != 1) {
724 return ldb_operr(ldb);
726 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
729 schema = dsdb_get_schema(ldb, req);
731 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
732 if (objectclass_element == NULL) {
733 return ldb_operr(ldb);
736 objectclass = dsdb_get_last_structural_class(schema,
737 objectclass_element);
738 if (objectclass == NULL) {
739 return ldb_operr(ldb);
742 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
743 if (old_sd == NULL) {
744 return ldb_operr(ldb);
747 if (sd_propagation_control != NULL) {
749 * This just triggers a recalculation of the
755 sd = get_new_descriptor(module, dn, req,
756 objectclass, parent_sd,
757 user_sd, old_sd, sd_flags);
759 return ldb_operr(ldb);
761 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
765 if (sd_propagation_control != NULL) {
766 ret = data_blob_cmp(old_sd, sd);
769 * The nTSecurityDescriptor is unchanged,
770 * which means we can stop the processing.
772 * We mark the control as critical again,
773 * as we have not processed it.
775 sd_propagation_control->critical = 1;
776 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
779 ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor",
780 LDB_FLAG_MOD_REPLACE,
782 if (ret != LDB_SUCCESS) {
785 ret = ldb_msg_add_value(msg, "nTSecurityDescriptor",
787 if (ret != LDB_SUCCESS) {
791 sd_element->values[0] = *sd;
794 ret = ldb_build_mod_req(&mod_req, ldb, req,
800 LDB_REQ_SET_LOCATION(mod_req);
801 if (ret != LDB_SUCCESS) {
805 return ldb_next_request(module, mod_req);
808 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
811 struct ldb_context *ldb;
812 struct ldb_request *down_req;
813 struct descriptor_context *ac;
814 bool explicit_sd_flags = false;
815 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
816 bool show_sd = explicit_sd_flags;
819 ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
825 return ldb_next_request(module, req);
828 ldb = ldb_module_get_ctx(module);
829 ac = descriptor_init_context(module, req);
831 return ldb_operr(ldb);
833 ac->sd_flags = sd_flags;
835 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
837 req->op.search.scope,
839 req->op.search.attrs,
841 ac, descriptor_search_callback,
843 LDB_REQ_SET_LOCATION(down_req);
844 if (ret != LDB_SUCCESS) {
848 return ldb_next_request(ac->module, down_req);
851 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
853 struct ldb_context *ldb = ldb_module_get_ctx(module);
854 struct ldb_dn *olddn = req->op.rename.olddn;
856 /* do not manipulate our control entries */
857 if (ldb_dn_is_special(req->op.rename.olddn)) {
858 return ldb_next_request(module, req);
861 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
862 ldb_dn_get_linearized(olddn));
864 return ldb_next_request(module, req);
867 static int descriptor_init(struct ldb_module *module)
869 int ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
870 struct ldb_context *ldb = ldb_module_get_ctx(module);
871 if (ret != LDB_SUCCESS) {
872 ldb_debug(ldb, LDB_DEBUG_ERROR,
873 "descriptor: Unable to register control with rootdse!\n");
874 return ldb_operr(ldb);
876 return ldb_next_init(module);
880 static const struct ldb_module_ops ldb_descriptor_module_ops = {
881 .name = "descriptor",
882 .search = descriptor_search,
883 .add = descriptor_add,
884 .modify = descriptor_modify,
885 .rename = descriptor_rename,
886 .init_context = descriptor_init
889 int ldb_descriptor_module_init(const char *version)
891 LDB_MODULE_CHECK_VERSION(version);
892 return ldb_register_module(&ldb_descriptor_module_ops);
git.samba.org / metze / samba / wip.git / blob