4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "dsdb/samdb/ldb_modules/schema.h"
43 #include "auth/auth.h"
44 #include "param/param.h"
47 struct descriptor_data {
51 struct descriptor_context {
52 struct ldb_module *module;
53 struct ldb_request *req;
54 struct ldb_reply *search_res;
55 struct ldb_reply *search_oc_res;
56 struct ldb_val *parentsd_val;
57 struct ldb_val *sd_val;
58 int (*step_fn)(struct descriptor_context *);
61 struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
63 struct security_token *token,
64 struct ldb_context *ldb)
66 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
67 struct ldb_dn *default_base_dn = ldb_get_default_basedn(ldb);
68 struct ldb_dn *schema_base_dn = ldb_get_schema_basedn(ldb);
69 struct ldb_dn *config_base_dn = ldb_get_config_basedn(ldb);
70 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
71 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
72 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
73 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
74 struct dom_sid *dag_sid;
76 /* FIXME: this has to be fixed regarding the forest DN (root DN) and
77 * the domain DN (default DN) - they aren't always the same. */
79 if (ldb_dn_compare_base(schema_base_dn, dn) == 0){
80 if (security_token_has_sid(token, sa_sid))
81 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
82 else if (security_token_has_sid(token, ea_sid))
83 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
84 else if (security_token_has_sid(token, da_sid))
85 dag_sid = dom_sid_dup(mem_ctx, da_sid);
89 else if (ldb_dn_compare_base(config_base_dn, dn) == 0){
90 if (security_token_has_sid(token, ea_sid))
91 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
92 else if (security_token_has_sid(token, da_sid))
93 dag_sid = dom_sid_dup(mem_ctx, da_sid);
97 else if (ldb_dn_compare_base(default_base_dn, dn) == 0){
98 if (security_token_has_sid(token, da_sid))
99 dag_sid = dom_sid_dup(mem_ctx, da_sid);
100 else if (security_token_has_sid(token, ea_sid))
101 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
108 talloc_free(tmp_ctx);
112 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
113 const struct dsdb_class *objectclass)
115 struct ldb_context *ldb = ldb_module_get_ctx(module);
116 struct security_descriptor *sd;
117 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
119 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
123 sd = sddl_decode(mem_ctx,
124 objectclass->defaultSecurityDescriptor,
129 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
130 struct ldb_context *ldb,
133 if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
140 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
141 struct security_descriptor *new_sd,
142 struct security_descriptor *old_sd,
145 struct security_descriptor *final_sd;
146 /* if there is no control or control == 0 modify everything */
151 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
152 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
153 final_sd->type = SEC_DESC_SELF_RELATIVE;
155 if (sd_flags & (SECINFO_OWNER)) {
156 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
157 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
160 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
161 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
164 if (sd_flags & (SECINFO_GROUP)) {
165 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
166 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
169 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
170 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
173 if (sd_flags & (SECINFO_SACL)) {
174 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
175 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
176 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
177 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
178 SEC_DESC_SERVER_SECURITY);
180 else if (old_sd && old_sd->sacl) {
181 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
182 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
183 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
184 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
185 SEC_DESC_SERVER_SECURITY);
188 if (sd_flags & (SECINFO_DACL)) {
189 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
190 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
191 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
192 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
193 SEC_DESC_DACL_TRUSTED);
195 else if (old_sd && old_sd->dacl) {
196 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
197 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
198 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
199 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
200 SEC_DESC_DACL_TRUSTED);
202 /* not so sure about this */
203 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
207 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
210 const struct dsdb_class *objectclass,
211 const struct ldb_val *parent,
212 struct ldb_val *object,
213 struct ldb_val *old_sd,
216 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
217 struct security_descriptor *old_descriptor = NULL;
218 struct security_descriptor *new_sd, *final_sd;
219 DATA_BLOB *linear_sd;
220 enum ndr_err_code ndr_err;
221 struct ldb_context *ldb = ldb_module_get_ctx(module);
222 struct auth_session_info *session_info
223 = ldb_get_opaque(ldb, "sessionInfo");
224 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
226 struct dom_sid *default_owner;
227 struct dom_sid *default_group;
230 user_descriptor = talloc(mem_ctx, struct security_descriptor);
231 if (!user_descriptor) {
234 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
236 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
238 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
239 talloc_free(user_descriptor);
243 user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
247 old_descriptor = talloc(mem_ctx, struct security_descriptor);
248 if (!old_descriptor) {
251 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
253 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
255 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
256 talloc_free(old_descriptor);
262 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
263 if (!parent_descriptor) {
266 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
268 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
270 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
271 talloc_free(parent_descriptor);
276 default_owner = get_default_ag(mem_ctx, dn,
277 session_info->security_token, ldb);
278 default_group = get_default_group(mem_ctx, ldb, default_owner);
279 new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
280 NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
281 session_info->security_token,
282 default_owner, default_group,
283 map_generic_rights_ds);
287 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
293 if (final_sd->dacl) {
294 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
296 if (final_sd->sacl) {
297 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
300 sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
301 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
303 linear_sd = talloc(mem_ctx, DATA_BLOB);
308 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
310 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
311 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
318 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
323 struct security_descriptor *old_sd, *final_sd;
324 DATA_BLOB *linear_sd;
325 enum ndr_err_code ndr_err;
327 old_sd = talloc(mem_ctx, struct security_descriptor);
331 ndr_err = ndr_pull_struct_blob(sd, old_sd,
333 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
335 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
340 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
346 linear_sd = talloc(mem_ctx, DATA_BLOB);
351 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
353 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
354 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
361 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
362 struct ldb_request *req)
364 struct ldb_context *ldb;
365 struct descriptor_context *ac;
367 ldb = ldb_module_get_ctx(module);
369 ac = talloc_zero(req, struct descriptor_context);
371 ldb_set_errstring(ldb, "Out of Memory");
380 static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares)
382 struct ldb_context *ldb;
383 struct descriptor_context *ac;
386 ac = talloc_get_type(req->context, struct descriptor_context);
387 ldb = ldb_module_get_ctx(ac->module);
390 return ldb_module_done(ac->req, NULL, NULL,
391 LDB_ERR_OPERATIONS_ERROR);
393 if (ares->error != LDB_SUCCESS &&
394 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
395 return ldb_module_done(ac->req, ares->controls,
396 ares->response, ares->error);
399 ldb_reset_err_string(ldb);
401 switch (ares->type) {
402 case LDB_REPLY_ENTRY:
403 if (ac->search_res != NULL) {
404 ldb_set_errstring(ldb, "Too many results");
406 return ldb_module_done(ac->req, NULL, NULL,
407 LDB_ERR_OPERATIONS_ERROR);
410 ac->search_res = talloc_steal(ac, ares);
413 case LDB_REPLY_REFERRAL:
420 ret = ac->step_fn(ac);
421 if (ret != LDB_SUCCESS) {
422 return ldb_module_done(ac->req, NULL, NULL, ret);
430 static int get_search_oc_callback(struct ldb_request *req, struct ldb_reply *ares)
432 struct ldb_context *ldb;
433 struct descriptor_context *ac;
436 ac = talloc_get_type(req->context, struct descriptor_context);
437 ldb = ldb_module_get_ctx(ac->module);
440 return ldb_module_done(ac->req, NULL, NULL,
441 LDB_ERR_OPERATIONS_ERROR);
443 if (ares->error != LDB_SUCCESS &&
444 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
445 return ldb_module_done(ac->req, ares->controls,
446 ares->response, ares->error);
449 ldb_reset_err_string(ldb);
451 switch (ares->type) {
452 case LDB_REPLY_ENTRY:
453 if (ac->search_oc_res != NULL) {
454 ldb_set_errstring(ldb, "Too many results");
456 return ldb_module_done(ac->req, NULL, NULL,
457 LDB_ERR_OPERATIONS_ERROR);
460 ac->search_oc_res = talloc_steal(ac, ares);
463 case LDB_REPLY_REFERRAL:
470 ret = ac->step_fn(ac);
471 if (ret != LDB_SUCCESS) {
472 return ldb_module_done(ac->req, NULL, NULL, ret);
480 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
482 struct descriptor_context *ac;
483 struct ldb_control *sd_control;
484 struct ldb_val *sd_val = NULL;
485 struct ldb_message_element *sd_el;
488 uint32_t sd_flags = 0;
490 ac = talloc_get_type(req->context, struct descriptor_context);
493 ret = LDB_ERR_OPERATIONS_ERROR;
496 if (ares->error != LDB_SUCCESS) {
497 return ldb_module_done(ac->req, ares->controls,
498 ares->response, ares->error);
501 sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
503 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
504 sd_flags = sdctr->secinfo_flags;
505 /* we only care for the last 4 bits */
506 sd_flags = sd_flags & 0x0000000F;
508 /* MS-ADTS 3.1.1.3.4.1.11 says that no bits
514 switch (ares->type) {
515 case LDB_REPLY_ENTRY:
517 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
519 sd_val = sd_el->values;
523 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
526 ret = LDB_ERR_OPERATIONS_ERROR;
529 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
530 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
531 if (ret != LDB_SUCCESS) {
535 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
537 case LDB_REPLY_REFERRAL:
538 return ldb_module_send_referral(ac->req, ares->referral);
541 return ldb_module_done(ac->req, ares->controls,
542 ares->response, ares->error);
547 return ldb_module_done(ac->req, NULL, NULL, ret);
550 static int descriptor_do_mod(struct descriptor_context *ac)
552 struct ldb_context *ldb;
553 const struct dsdb_schema *schema;
554 struct ldb_request *mod_req;
555 struct ldb_message_element *objectclass_element, *tmp_element, *oldsd_el;
556 struct ldb_val *oldsd_val = NULL;
559 const struct dsdb_class *objectclass;
560 struct ldb_message *msg;
561 struct ldb_control *sd_control;
562 struct ldb_control *sd_control2;
564 uint32_t sd_flags = 0;
566 ldb = ldb_module_get_ctx(ac->module);
567 schema = dsdb_get_schema(ldb, ac);
569 msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
571 return ldb_module_oom(ac->module);
574 objectclass_element = ldb_msg_find_element(ac->search_oc_res->message,
576 if (objectclass_element == NULL) {
577 return ldb_operr(ldb);
580 objectclass = get_last_structural_class(schema, objectclass_element);
581 if (objectclass == NULL) {
582 return ldb_operr(ldb);
585 sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
586 sd_control2 = ldb_request_get_control(ac->req, LDB_CONTROL_RECALCULATE_SD_OID);
588 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
589 sd_flags = sdctr->secinfo_flags;
590 /* we only care for the last 4 bits */
591 sd_flags = sd_flags & 0x0000000F;
594 oldsd_el = ldb_msg_find_element(ac->search_oc_res->message, "nTSecurityDescriptor");
596 oldsd_val = oldsd_el->values;
599 sd = get_new_descriptor(ac->module, msg->dn, ac, objectclass,
600 ac->parentsd_val, ac->sd_val, oldsd_val, sd_flags);
602 tmp_element = ldb_msg_find_element(msg, "ntSecurityDescriptor");
603 flags = tmp_element->flags;
604 ldb_msg_remove_attr(msg, "nTSecurityDescriptor");
608 ret = ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
609 if (ret != LDB_SUCCESS) {
612 tmp_element = ldb_msg_find_element(msg, "ntSecurityDescriptor");
614 tmp_element->flags = LDB_FLAG_MOD_REPLACE;
616 tmp_element->flags = flags;
619 ret = ldb_build_mod_req(&mod_req, ldb, ac,
622 ac->req, dsdb_next_callback,
624 LDB_REQ_SET_LOCATION(mod_req);
625 if (ret != LDB_SUCCESS) {
628 /* mark it non-critical, so we don't get an error from the
629 backend, but mark that we've handled it */
631 sd_control->critical = 0;
634 return ldb_next_request(ac->module, mod_req);
637 static int descriptor_do_add(struct descriptor_context *ac)
639 struct ldb_context *ldb;
640 const struct dsdb_schema *schema;
641 struct ldb_request *add_req;
642 struct ldb_message_element *objectclass_element, *sd_element = NULL;
643 struct ldb_message *msg;
646 const struct dsdb_class *objectclass;
647 static const char *const attrs[] = { "objectClass", "nTSecurityDescriptor", NULL };
648 struct ldb_request *search_req;
650 ldb = ldb_module_get_ctx(ac->module);
651 schema = dsdb_get_schema(ldb, ac);
653 switch (ac->req->operation) {
655 msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
657 return ldb_module_oom(ac->module);
660 objectclass_element = ldb_msg_find_element(msg, "objectClass");
661 if (objectclass_element == NULL) {
662 return ldb_operr(ldb);
665 objectclass = get_last_structural_class(schema,
666 objectclass_element);
667 if (objectclass == NULL) {
668 return ldb_operr(ldb);
672 msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
674 return ldb_module_oom(ac->module);
678 return ldb_operr(ldb);
682 /* get the security descriptor values*/
683 sd_element = ldb_msg_find_element(msg, "nTSecurityDescriptor");
685 ac->sd_val = talloc_memdup(ac, &sd_element->values[0], sizeof(struct ldb_val));
687 /* NC's have no parent */
688 /* FIXME: this has to be made dynamic at some point */
689 if ((ldb_dn_compare(msg->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
690 (ldb_dn_compare(msg->dn, (ldb_get_config_basedn(ldb))) == 0) ||
691 (ldb_dn_compare(msg->dn, (ldb_get_default_basedn(ldb))) == 0)) {
692 ac->parentsd_val = NULL;
693 } else if (ac->search_res != NULL) {
694 struct ldb_message_element *parent_element = ldb_msg_find_element(ac->search_res->message, "nTSecurityDescriptor");
695 if (parent_element) {
696 ac->parentsd_val = talloc_memdup(ac, &parent_element->values[0], sizeof(struct ldb_val));
700 if (ac->req->operation == LDB_ADD) {
701 /* Get the parent descriptor and the one provided. If not
702 * provided, get the default. Convert it to a security
703 * descriptor and calculate the permissions. */
704 sd = get_new_descriptor(ac->module, msg->dn, ac, objectclass,
705 ac->parentsd_val, ac->sd_val, NULL, 0);
707 ldb_msg_remove_attr(msg, "nTSecurityDescriptor");
711 ret = ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
712 if (ret != LDB_SUCCESS) {
717 ret = ldb_build_add_req(&add_req, ldb, ac,
720 ac->req, dsdb_next_callback,
722 LDB_REQ_SET_LOCATION(add_req);
723 if (ret != LDB_SUCCESS) {
726 return ldb_next_request(ac->module, add_req);
728 ret = ldb_build_search_req(&search_req, ldb,
729 ac, msg->dn, LDB_SCOPE_BASE,
730 "(objectClass=*)", attrs,
732 ac, get_search_oc_callback,
734 LDB_REQ_SET_LOCATION(search_req);
735 if (ret != LDB_SUCCESS) {
738 ac->step_fn = descriptor_do_mod;
739 return ldb_next_request(ac->module, search_req);
743 static int descriptor_change(struct ldb_module *module, struct ldb_request *req)
745 struct ldb_context *ldb;
746 struct ldb_control *sd_control;
747 struct ldb_request *search_req;
748 struct descriptor_context *ac;
749 struct ldb_dn *parent_dn, *dn;
750 struct ldb_message_element *sd_element;
752 static const char * const descr_attrs[] = { "nTSecurityDescriptor", NULL };
754 ldb = ldb_module_get_ctx(module);
756 switch (req->operation) {
758 dn = req->op.add.message->dn;
761 dn = req->op.mod.message->dn;
762 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
763 /* This control allow forcing the recalculation of the SD */
764 sd_control = ldb_request_get_control(req, LDB_CONTROL_RECALCULATE_SD_OID);
765 if (!sd_element && !sd_control) {
766 return ldb_next_request(module, req);
770 return ldb_operr(ldb);
772 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_change: %s\n", ldb_dn_get_linearized(dn));
774 if (ldb_dn_is_special(dn)) {
775 return ldb_next_request(module, req);
778 ac = descriptor_init_context(module, req);
780 return ldb_operr(ldb);
783 /* If there isn't a parent, just go on to the add processing */
784 if (ldb_dn_get_comp_num(dn) == 1) {
785 return descriptor_do_add(ac);
788 /* get copy of parent DN */
789 parent_dn = ldb_dn_get_parent(ac, dn);
790 if (parent_dn == NULL) {
794 ret = ldb_build_search_req(&search_req, ldb,
795 ac, parent_dn, LDB_SCOPE_BASE,
796 "(objectClass=*)", descr_attrs,
798 ac, get_search_callback,
800 LDB_REQ_SET_LOCATION(search_req);
801 if (ret != LDB_SUCCESS) {
804 talloc_steal(search_req, parent_dn);
806 ac->step_fn = descriptor_do_add;
808 return ldb_next_request(ac->module, search_req);
811 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
814 struct ldb_context *ldb;
815 struct ldb_control *sd_control;
816 struct ldb_request *down_req;
817 struct descriptor_context *ac;
819 sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
821 return ldb_next_request(module, req);
824 ldb = ldb_module_get_ctx(module);
825 ac = descriptor_init_context(module, req);
827 return ldb_operr(ldb);
830 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
832 req->op.search.scope,
834 req->op.search.attrs,
836 ac, descriptor_search_callback,
838 LDB_REQ_SET_LOCATION(down_req);
839 if (ret != LDB_SUCCESS) {
842 /* mark it as handled */
844 sd_control->critical = 0;
847 return ldb_next_request(ac->module, down_req);
850 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
852 struct ldb_context *ldb = ldb_module_get_ctx(module);
853 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn));
854 return ldb_next_request(module, req);
857 static int descriptor_init(struct ldb_module *module)
859 int ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
860 struct ldb_context *ldb = ldb_module_get_ctx(module);
861 if (ret != LDB_SUCCESS) {
862 ldb_debug(ldb, LDB_DEBUG_ERROR,
863 "descriptor: Unable to register control with rootdse!\n");
864 return ldb_operr(ldb);
866 return ldb_next_init(module);
870 static const struct ldb_module_ops ldb_descriptor_module_ops = {
871 .name = "descriptor",
872 .search = descriptor_search,
873 .add = descriptor_change,
874 .modify = descriptor_change,
875 .rename = descriptor_rename,
876 .init_context = descriptor_init
879 int ldb_descriptor_module_init(const char *version)
881 LDB_MODULE_CHECK_VERSION(version);
882 return ldb_register_module(&ldb_descriptor_module_ops);