4 Copyright (C) Simo Sorce 2005-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007-2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb extended dn control module
26 * Description: this module builds a special dn for returned search
27 * results nad creates the special DN in the backend store for new
30 * This also has the curious result that we convert <SID=S-1-2-345>
31 * in an attribute value into a normal DN for the rest of the stack
40 #include <ldb_errors.h>
41 #include <ldb_module.h>
42 #include "librpc/gen_ndr/ndr_misc.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "libcli/security/security.h"
45 #include "dsdb/samdb/ldb_modules/util.h"
48 struct extended_dn_replace_list {
49 struct extended_dn_replace_list *next;
50 struct dsdb_dn *dsdb_dn;
52 struct ldb_val *replace_dn;
53 struct extended_dn_context *ac;
54 struct ldb_request *search_req;
58 struct extended_dn_context {
59 const struct dsdb_schema *schema;
60 struct ldb_module *module;
61 struct ldb_context *ldb;
62 struct ldb_request *req;
63 struct ldb_request *new_req;
65 struct extended_dn_replace_list *ops;
66 struct extended_dn_replace_list *cur;
70 static struct extended_dn_context *extended_dn_context_init(struct ldb_module *module,
71 struct ldb_request *req)
73 struct extended_dn_context *ac;
74 struct ldb_context *ldb = ldb_module_get_ctx(module);
75 ac = talloc_zero(req, struct extended_dn_context);
81 ac->schema = dsdb_get_schema(ldb_module_get_ctx(module), ac);
89 /* An extra layer of indirection because LDB does not allow the original request to be altered */
91 static int extended_final_callback(struct ldb_request *req, struct ldb_reply *ares)
93 int ret = LDB_ERR_OPERATIONS_ERROR;
94 struct extended_dn_context *ac;
95 ac = talloc_get_type(req->context, struct extended_dn_context);
97 if (ares->error != LDB_SUCCESS) {
98 ret = ldb_module_done(ac->req, ares->controls,
99 ares->response, ares->error);
101 switch (ares->type) {
102 case LDB_REPLY_ENTRY:
104 ret = ldb_module_send_entry(ac->req, ares->message, ares->controls);
106 case LDB_REPLY_REFERRAL:
108 ret = ldb_module_send_referral(ac->req, ares->referral);
112 ret = ldb_module_done(ac->req, ares->controls,
113 ares->response, ares->error);
120 static int extended_replace_dn(struct ldb_request *req, struct ldb_reply *ares)
122 struct extended_dn_replace_list *os = talloc_get_type(req->context,
123 struct extended_dn_replace_list);
126 return ldb_module_done(os->ac->req, NULL, NULL,
127 LDB_ERR_OPERATIONS_ERROR);
129 if (ares->error == LDB_ERR_NO_SUCH_OBJECT) {
130 /* Don't worry too much about dangling references */
132 ldb_reset_err_string(os->ac->ldb);
134 struct extended_dn_replace_list *next;
141 return ldb_next_request(os->ac->module, next->search_req);
143 /* Otherwise, we are done - let's run the
144 * request now we have swapped the DNs for the
146 return ldb_next_request(os->ac->module, os->ac->new_req);
149 if (ares->error != LDB_SUCCESS) {
150 return ldb_module_done(os->ac->req, ares->controls,
151 ares->response, ares->error);
154 /* Only entries are interesting, and we only want the olddn */
155 switch (ares->type) {
156 case LDB_REPLY_ENTRY:
158 /* This *must* be the right DN, as this is a base
159 * search. We can't check, as it could be an extended
160 * DN, so a module below will resolve it */
161 struct ldb_dn *dn = ares->message->dn;
163 /* Rebuild with the string or binary 'extra part' the
164 * DN may have had as a prefix */
165 struct dsdb_dn *dsdb_dn = dsdb_dn_construct(ares, dn,
166 os->dsdb_dn->extra_part,
169 /* Replace the DN with the extended version of the DN
170 * (ie, add SID and GUID) */
171 *os->replace_dn = data_blob_string_const(
172 dsdb_dn_get_extended_linearized(os->mem_ctx,
174 talloc_free(dsdb_dn);
176 if (os->replace_dn->data == NULL) {
177 return ldb_module_done(os->ac->req, NULL, NULL,
178 LDB_ERR_OPERATIONS_ERROR);
182 case LDB_REPLY_REFERRAL:
190 /* Run the next search */
193 struct extended_dn_replace_list *next;
200 return ldb_next_request(os->ac->module, next->search_req);
202 /* Otherwise, we are done - let's run the
203 * request now we have swapped the DNs for the
205 return ldb_next_request(os->ac->module, os->ac->new_req);
213 /* We have a 'normal' DN in the inbound request. We need to find out
214 * what the GUID and SID are on the DN it points to, so we can
215 * construct an extended DN for storage.
217 * This creates a list of DNs to look up, and the plain DN to replace
220 static int extended_store_replace(struct extended_dn_context *ac,
221 TALLOC_CTX *callback_mem_ctx,
222 struct ldb_val *plain_dn,
224 const struct dsdb_attribute *schema_attr)
226 const char *oid = schema_attr->syntax->ldap_oid;
228 struct extended_dn_replace_list *os;
229 static const char *attrs[] = {
235 os = talloc_zero(ac, struct extended_dn_replace_list);
237 return ldb_oom(ac->ldb);
242 os->mem_ctx = callback_mem_ctx;
244 os->dsdb_dn = dsdb_dn_parse(os, ac->ldb, plain_dn, oid);
245 if (!os->dsdb_dn || !ldb_dn_validate(os->dsdb_dn->dn)) {
247 ldb_asprintf_errstring(ac->ldb,
248 "could not parse %.*s as a %s DN", (int)plain_dn->length, plain_dn->data,
250 return LDB_ERR_INVALID_DN_SYNTAX;
253 if (is_delete && !ldb_dn_has_extended(os->dsdb_dn->dn)) {
254 /* NO need to figure this DN out, this element is
255 * going to be deleted anyway, and becuase it's not
256 * extended, we have enough information to do the
263 os->replace_dn = plain_dn;
265 /* The search request here might happen to be for an
266 * 'extended' style DN, such as <GUID=abced...>. The next
267 * module in the stack will convert this into a normal DN for
269 ret = ldb_build_search_req(&os->search_req,
270 ac->ldb, os, os->dsdb_dn->dn, LDB_SCOPE_BASE, NULL,
271 attrs, NULL, os, extended_replace_dn,
273 LDB_REQ_SET_LOCATION(os->search_req);
274 if (ret != LDB_SUCCESS) {
279 ret = dsdb_request_add_controls(os->search_req,
280 DSDB_FLAG_AS_SYSTEM |
281 DSDB_SEARCH_SHOW_RECYCLED |
282 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT);
283 if (ret != LDB_SUCCESS) {
300 static int extended_dn_add(struct ldb_module *module, struct ldb_request *req)
302 struct extended_dn_context *ac;
306 if (ldb_dn_is_special(req->op.add.message->dn)) {
307 /* do not manipulate our control entries */
308 return ldb_next_request(module, req);
311 ac = extended_dn_context_init(module, req);
313 return ldb_operr(ldb_module_get_ctx(module));
317 /* without schema, this doesn't make any sense */
319 return ldb_next_request(module, req);
322 for (i=0; i < req->op.add.message->num_elements; i++) {
323 const struct ldb_message_element *el = &req->op.add.message->elements[i];
324 const struct dsdb_attribute *schema_attr
325 = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name);
330 /* We only setup an extended DN GUID on DN elements */
331 if (schema_attr->dn_format == DSDB_INVALID_DN) {
335 if (schema_attr->attributeID_id == DRSUAPI_ATTID_distinguishedName) {
336 /* distinguishedName values are ignored */
340 /* Before we setup a procedure to modify the incoming message, we must copy it */
342 struct ldb_message *msg = ldb_msg_copy(ac, req->op.add.message);
344 return ldb_oom(ldb_module_get_ctx(module));
347 ret = ldb_build_add_req(&ac->new_req, ac->ldb, ac, msg, req->controls, ac, extended_final_callback, req);
348 LDB_REQ_SET_LOCATION(ac->new_req);
349 if (ret != LDB_SUCCESS) {
353 /* Re-calculate el */
354 el = &ac->new_req->op.add.message->elements[i];
355 for (j = 0; j < el->num_values; j++) {
356 ret = extended_store_replace(ac, ac->new_req, &el->values[j],
358 if (ret != LDB_SUCCESS) {
364 /* if no DNs were set continue */
365 if (ac->ops == NULL) {
367 return ldb_next_request(module, req);
370 /* start with the searches */
371 return ldb_next_request(module, ac->ops->search_req);
375 static int extended_dn_modify(struct ldb_module *module, struct ldb_request *req)
377 /* Look over list of modifications */
378 /* Find if any are for linked attributes */
379 /* Determine the effect of the modification */
380 /* Apply the modify to the linked entry */
383 struct extended_dn_context *ac;
384 struct ldb_control *fix_links_control = NULL;
387 if (ldb_dn_is_special(req->op.mod.message->dn)) {
388 /* do not manipulate our control entries */
389 return ldb_next_request(module, req);
392 ac = extended_dn_context_init(module, req);
394 return ldb_operr(ldb_module_get_ctx(module));
399 /* without schema, this doesn't make any sense */
400 return ldb_next_request(module, req);
403 fix_links_control = ldb_request_get_control(req,
404 DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS);
405 if (fix_links_control != NULL) {
406 return ldb_next_request(module, req);
409 for (i=0; i < req->op.mod.message->num_elements; i++) {
410 const struct ldb_message_element *el = &req->op.mod.message->elements[i];
411 const struct dsdb_attribute *schema_attr
412 = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name);
417 /* We only setup an extended DN GUID on these particular DN objects */
418 if (schema_attr->dn_format == DSDB_INVALID_DN) {
422 if (schema_attr->attributeID_id == DRSUAPI_ATTID_distinguishedName) {
423 /* distinguishedName values are ignored */
427 /* Before we setup a procedure to modify the incoming message, we must copy it */
429 struct ldb_message *msg = ldb_msg_copy(ac, req->op.mod.message);
432 return ldb_oom(ac->ldb);
435 ret = ldb_build_mod_req(&ac->new_req, ac->ldb, ac, msg, req->controls, ac, extended_final_callback, req);
436 LDB_REQ_SET_LOCATION(ac->new_req);
437 if (ret != LDB_SUCCESS) {
442 /* Re-calculate el */
443 el = &ac->new_req->op.mod.message->elements[i];
444 /* For each value being added, we need to setup the lookups to fill in the extended DN */
445 for (j = 0; j < el->num_values; j++) {
446 /* If we are just going to delete this
447 * element, only do a lookup if
448 * extended_store_replace determines it's an
449 * input of an extended DN */
450 bool is_delete = (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE);
452 ret = extended_store_replace(ac, ac->new_req, &el->values[j],
453 is_delete, schema_attr);
454 if (ret != LDB_SUCCESS) {
461 /* if DNs were set continue */
462 if (ac->ops == NULL) {
464 return ldb_next_request(module, req);
467 /* start with the searches */
468 return ldb_next_request(module, ac->ops->search_req);
471 static const struct ldb_module_ops ldb_extended_dn_store_module_ops = {
472 .name = "extended_dn_store",
473 .add = extended_dn_add,
474 .modify = extended_dn_modify,
477 int ldb_extended_dn_store_module_init(const char *version)
479 LDB_MODULE_CHECK_VERSION(version);
480 return ldb_register_module(&ldb_extended_dn_store_module_ops);