4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
8 Copyright (C) Matthieu Patou <mat@samba.org> 2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 * Component: ldb repl_meta_data module
29 * Description: - add a unique objectGUID onto every new record,
30 * - handle whenCreated, whenChanged timestamps
31 * - handle uSNCreated, uSNChanged numbers
32 * - handle replPropertyMetaData attribute
35 * Author: Stefan Metzmacher
39 #include "ldb_module.h"
40 #include "dsdb/samdb/samdb.h"
41 #include "dsdb/common/proto.h"
42 #include "../libds/common/flags.h"
43 #include "librpc/gen_ndr/ndr_misc.h"
44 #include "librpc/gen_ndr/ndr_drsuapi.h"
45 #include "librpc/gen_ndr/ndr_drsblobs.h"
46 #include "param/param.h"
47 #include "libcli/security/security.h"
48 #include "lib/util/dlinklist.h"
49 #include "dsdb/samdb/ldb_modules/util.h"
50 #include "lib/util/binsearch.h"
51 #include "lib/util/tsort.h"
54 * It's 29/12/9999 at 23:59:59 UTC as specified in MS-ADTS 7.1.1.4.2
55 * Deleted Objects Container
57 static const NTTIME DELETED_OBJECT_CONTAINER_CHANGE_TIME = 2650466015990000000ULL;
59 struct replmd_private {
61 struct la_entry *la_list;
63 struct la_backlink *la_backlinks;
65 struct nc_entry *prev, *next;
68 uint64_t mod_usn_urgent;
73 struct la_entry *next, *prev;
74 struct drsuapi_DsReplicaLinkedAttribute *la;
77 struct replmd_replicated_request {
78 struct ldb_module *module;
79 struct ldb_request *req;
81 const struct dsdb_schema *schema;
83 /* the controls we pass down */
84 struct ldb_control **controls;
86 /* details for the mode where we apply a bunch of inbound replication meessages */
88 uint32_t index_current;
89 struct dsdb_extended_replicated_objects *objs;
91 struct ldb_message *search_msg;
97 enum urgent_situation {
98 REPL_URGENT_ON_CREATE = 1,
99 REPL_URGENT_ON_UPDATE = 2,
100 REPL_URGENT_ON_DELETE = 4
104 static const struct {
105 const char *update_name;
106 enum urgent_situation repl_situation;
107 } urgent_objects[] = {
108 {"nTDSDSA", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
109 {"crossRef", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
110 {"attributeSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
111 {"classSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
112 {"secret", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
113 {"rIDManager", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
117 /* Attributes looked for when updating or deleting, to check for a urgent replication needed */
118 static const char *urgent_attrs[] = {
121 "userAccountControl",
126 static bool replmd_check_urgent_objectclass(const struct ldb_message_element *objectclass_el,
127 enum urgent_situation situation)
130 for (i=0; urgent_objects[i].update_name; i++) {
132 if ((situation & urgent_objects[i].repl_situation) == 0) {
136 for (j=0; j<objectclass_el->num_values; j++) {
137 const struct ldb_val *v = &objectclass_el->values[j];
138 if (ldb_attr_cmp((const char *)v->data, urgent_objects[i].update_name) == 0) {
146 static bool replmd_check_urgent_attribute(const struct ldb_message_element *el)
148 if (ldb_attr_in_list(urgent_attrs, el->name)) {
155 static int replmd_replicated_apply_next(struct replmd_replicated_request *ar);
158 initialise the module
159 allocate the private structure and build the list
160 of partition DNs for use by replmd_notify()
162 static int replmd_init(struct ldb_module *module)
164 struct replmd_private *replmd_private;
165 struct ldb_context *ldb = ldb_module_get_ctx(module);
167 replmd_private = talloc_zero(module, struct replmd_private);
168 if (replmd_private == NULL) {
170 return LDB_ERR_OPERATIONS_ERROR;
172 ldb_module_set_private(module, replmd_private);
174 return ldb_next_init(module);
178 cleanup our per-transaction contexts
180 static void replmd_txn_cleanup(struct replmd_private *replmd_private)
182 talloc_free(replmd_private->la_ctx);
183 replmd_private->la_list = NULL;
184 replmd_private->la_ctx = NULL;
186 talloc_free(replmd_private->bl_ctx);
187 replmd_private->la_backlinks = NULL;
188 replmd_private->bl_ctx = NULL;
193 struct la_backlink *next, *prev;
194 const char *attr_name;
195 struct GUID forward_guid, target_guid;
200 process a backlinks we accumulated during a transaction, adding and
201 deleting the backlinks from the target objects
203 static int replmd_process_backlink(struct ldb_module *module, struct la_backlink *bl, struct ldb_request *parent)
205 struct ldb_dn *target_dn, *source_dn;
207 struct ldb_context *ldb = ldb_module_get_ctx(module);
208 struct ldb_message *msg;
209 TALLOC_CTX *tmp_ctx = talloc_new(bl);
215 - construct ldb_message
216 - either an add or a delete
218 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->target_guid, &target_dn, parent);
219 if (ret != LDB_SUCCESS) {
220 DEBUG(2,(__location__ ": WARNING: Failed to find target DN for linked attribute with GUID %s\n",
221 GUID_string(bl, &bl->target_guid)));
225 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->forward_guid, &source_dn, parent);
226 if (ret != LDB_SUCCESS) {
227 ldb_asprintf_errstring(ldb, "Failed to find source DN for linked attribute with GUID %s\n",
228 GUID_string(bl, &bl->forward_guid));
229 talloc_free(tmp_ctx);
233 msg = ldb_msg_new(tmp_ctx);
235 ldb_module_oom(module);
236 talloc_free(tmp_ctx);
237 return LDB_ERR_OPERATIONS_ERROR;
240 /* construct a ldb_message for adding/deleting the backlink */
242 dn_string = ldb_dn_get_extended_linearized(tmp_ctx, source_dn, 1);
244 ldb_module_oom(module);
245 talloc_free(tmp_ctx);
246 return LDB_ERR_OPERATIONS_ERROR;
248 ret = ldb_msg_add_steal_string(msg, bl->attr_name, dn_string);
249 if (ret != LDB_SUCCESS) {
250 talloc_free(tmp_ctx);
253 msg->elements[0].flags = bl->active?LDB_FLAG_MOD_ADD:LDB_FLAG_MOD_DELETE;
255 /* a backlink should never be single valued. Unfortunately the
256 exchange schema has a attribute
257 msExchBridgeheadedLocalConnectorsDNBL which is single
258 valued and a backlink. We need to cope with that by
259 ignoring the single value flag */
260 msg->elements[0].flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
262 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
263 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE && !bl->active) {
264 /* we allow LDB_ERR_NO_SUCH_ATTRIBUTE as success to
265 cope with possible corruption where the backlink has
266 already been removed */
267 DEBUG(3,("WARNING: backlink from %s already removed from %s - %s\n",
268 ldb_dn_get_linearized(target_dn),
269 ldb_dn_get_linearized(source_dn),
270 ldb_errstring(ldb)));
272 } else if (ret != LDB_SUCCESS) {
273 ldb_asprintf_errstring(ldb, "Failed to %s backlink from %s to %s - %s",
274 bl->active?"add":"remove",
275 ldb_dn_get_linearized(source_dn),
276 ldb_dn_get_linearized(target_dn),
278 talloc_free(tmp_ctx);
281 talloc_free(tmp_ctx);
286 add a backlink to the list of backlinks to add/delete in the prepare
289 static int replmd_add_backlink(struct ldb_module *module, const struct dsdb_schema *schema,
290 struct GUID *forward_guid, struct GUID *target_guid,
291 bool active, const struct dsdb_attribute *schema_attr, bool immediate)
293 const struct dsdb_attribute *target_attr;
294 struct la_backlink *bl;
295 struct replmd_private *replmd_private =
296 talloc_get_type_abort(ldb_module_get_private(module), struct replmd_private);
298 target_attr = dsdb_attribute_by_linkID(schema, schema_attr->linkID ^ 1);
301 * windows 2003 has a broken schema where the
302 * definition of msDS-IsDomainFor is missing (which is
303 * supposed to be the backlink of the
304 * msDS-HasDomainNCs attribute
309 /* see if its already in the list */
310 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
311 if (GUID_equal(forward_guid, &bl->forward_guid) &&
312 GUID_equal(target_guid, &bl->target_guid) &&
313 (target_attr->lDAPDisplayName == bl->attr_name ||
314 strcmp(target_attr->lDAPDisplayName, bl->attr_name) == 0)) {
320 /* we found an existing one */
321 if (bl->active == active) {
324 DLIST_REMOVE(replmd_private->la_backlinks, bl);
329 if (replmd_private->bl_ctx == NULL) {
330 replmd_private->bl_ctx = talloc_new(replmd_private);
331 if (replmd_private->bl_ctx == NULL) {
332 ldb_module_oom(module);
333 return LDB_ERR_OPERATIONS_ERROR;
338 bl = talloc(replmd_private->bl_ctx, struct la_backlink);
340 ldb_module_oom(module);
341 return LDB_ERR_OPERATIONS_ERROR;
344 /* Ensure the schema does not go away before the bl->attr_name is used */
345 if (!talloc_reference(bl, schema)) {
347 ldb_module_oom(module);
348 return LDB_ERR_OPERATIONS_ERROR;
351 bl->attr_name = target_attr->lDAPDisplayName;
352 bl->forward_guid = *forward_guid;
353 bl->target_guid = *target_guid;
356 /* the caller may ask for this backlink to be processed
359 int ret = replmd_process_backlink(module, bl, NULL);
364 DLIST_ADD(replmd_private->la_backlinks, bl);
371 * Callback for most write operations in this module:
373 * notify the repl task that a object has changed. The notifies are
374 * gathered up in the replmd_private structure then written to the
375 * @REPLCHANGED object in each partition during the prepare_commit
377 static int replmd_op_callback(struct ldb_request *req, struct ldb_reply *ares)
380 struct replmd_replicated_request *ac =
381 talloc_get_type_abort(req->context, struct replmd_replicated_request);
382 struct replmd_private *replmd_private =
383 talloc_get_type_abort(ldb_module_get_private(ac->module), struct replmd_private);
384 struct nc_entry *modified_partition;
385 struct ldb_control *partition_ctrl;
386 const struct dsdb_control_current_partition *partition;
388 struct ldb_control **controls;
390 partition_ctrl = ldb_reply_get_control(ares, DSDB_CONTROL_CURRENT_PARTITION_OID);
392 controls = ares->controls;
393 if (ldb_request_get_control(ac->req,
394 DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
396 * Remove the current partition control from what we pass up
397 * the chain if it hasn't been requested manually.
399 controls = ldb_controls_except_specified(ares->controls, ares,
403 if (ares->error != LDB_SUCCESS) {
404 DEBUG(5,("%s failure. Error is: %s\n", __FUNCTION__, ldb_strerror(ares->error)));
405 return ldb_module_done(ac->req, controls,
406 ares->response, ares->error);
409 if (ares->type != LDB_REPLY_DONE) {
410 ldb_set_errstring(ldb_module_get_ctx(ac->module), "Invalid reply type for notify\n!");
411 return ldb_module_done(ac->req, NULL,
412 NULL, LDB_ERR_OPERATIONS_ERROR);
415 if (!partition_ctrl) {
416 ldb_set_errstring(ldb_module_get_ctx(ac->module),"No partition control on reply");
417 return ldb_module_done(ac->req, NULL,
418 NULL, LDB_ERR_OPERATIONS_ERROR);
421 partition = talloc_get_type_abort(partition_ctrl->data,
422 struct dsdb_control_current_partition);
424 if (ac->seq_num > 0) {
425 for (modified_partition = replmd_private->ncs; modified_partition;
426 modified_partition = modified_partition->next) {
427 if (ldb_dn_compare(modified_partition->dn, partition->dn) == 0) {
432 if (modified_partition == NULL) {
433 modified_partition = talloc_zero(replmd_private, struct nc_entry);
434 if (!modified_partition) {
435 ldb_oom(ldb_module_get_ctx(ac->module));
436 return ldb_module_done(ac->req, NULL,
437 NULL, LDB_ERR_OPERATIONS_ERROR);
439 modified_partition->dn = ldb_dn_copy(modified_partition, partition->dn);
440 if (!modified_partition->dn) {
441 ldb_oom(ldb_module_get_ctx(ac->module));
442 return ldb_module_done(ac->req, NULL,
443 NULL, LDB_ERR_OPERATIONS_ERROR);
445 DLIST_ADD(replmd_private->ncs, modified_partition);
448 if (ac->seq_num > modified_partition->mod_usn) {
449 modified_partition->mod_usn = ac->seq_num;
451 modified_partition->mod_usn_urgent = ac->seq_num;
456 if (ac->apply_mode) {
460 ret = replmd_replicated_apply_next(ac);
461 if (ret != LDB_SUCCESS) {
462 return ldb_module_done(ac->req, NULL, NULL, ret);
466 /* free the partition control container here, for the
467 * common path. Other cases will have it cleaned up
468 * eventually with the ares */
469 talloc_free(partition_ctrl);
470 return ldb_module_done(ac->req, controls,
471 ares->response, LDB_SUCCESS);
477 * update a @REPLCHANGED record in each partition if there have been
478 * any writes of replicated data in the partition
480 static int replmd_notify_store(struct ldb_module *module, struct ldb_request *parent)
482 struct replmd_private *replmd_private =
483 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
485 while (replmd_private->ncs) {
487 struct nc_entry *modified_partition = replmd_private->ncs;
489 ret = dsdb_module_save_partition_usn(module, modified_partition->dn,
490 modified_partition->mod_usn,
491 modified_partition->mod_usn_urgent, parent);
492 if (ret != LDB_SUCCESS) {
493 DEBUG(0,(__location__ ": Failed to save partition uSN for %s\n",
494 ldb_dn_get_linearized(modified_partition->dn)));
497 DLIST_REMOVE(replmd_private->ncs, modified_partition);
498 talloc_free(modified_partition);
506 created a replmd_replicated_request context
508 static struct replmd_replicated_request *replmd_ctx_init(struct ldb_module *module,
509 struct ldb_request *req)
511 struct ldb_context *ldb;
512 struct replmd_replicated_request *ac;
514 ldb = ldb_module_get_ctx(module);
516 ac = talloc_zero(req, struct replmd_replicated_request);
525 ac->schema = dsdb_get_schema(ldb, ac);
527 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
528 "replmd_modify: no dsdb_schema loaded");
529 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
537 add a time element to a record
539 static int add_time_element(struct ldb_message *msg, const char *attr, time_t t)
541 struct ldb_message_element *el;
545 if (ldb_msg_find_element(msg, attr) != NULL) {
549 s = ldb_timestring(msg, t);
551 return LDB_ERR_OPERATIONS_ERROR;
554 ret = ldb_msg_add_string(msg, attr, s);
555 if (ret != LDB_SUCCESS) {
559 el = ldb_msg_find_element(msg, attr);
560 /* always set as replace. This works because on add ops, the flag
562 el->flags = LDB_FLAG_MOD_REPLACE;
568 add a uint64_t element to a record
570 static int add_uint64_element(struct ldb_context *ldb, struct ldb_message *msg,
571 const char *attr, uint64_t v)
573 struct ldb_message_element *el;
576 if (ldb_msg_find_element(msg, attr) != NULL) {
580 ret = samdb_msg_add_uint64(ldb, msg, msg, attr, v);
581 if (ret != LDB_SUCCESS) {
585 el = ldb_msg_find_element(msg, attr);
586 /* always set as replace. This works because on add ops, the flag
588 el->flags = LDB_FLAG_MOD_REPLACE;
593 static int replmd_replPropertyMetaData1_attid_sort(const struct replPropertyMetaData1 *m1,
594 const struct replPropertyMetaData1 *m2,
595 const uint32_t *rdn_attid)
597 if (m1->attid == m2->attid) {
602 * the rdn attribute should be at the end!
603 * so we need to return a value greater than zero
604 * which means m1 is greater than m2
606 if (m1->attid == *rdn_attid) {
611 * the rdn attribute should be at the end!
612 * so we need to return a value less than zero
613 * which means m2 is greater than m1
615 if (m2->attid == *rdn_attid) {
619 return m1->attid > m2->attid ? 1 : -1;
622 static int replmd_replPropertyMetaDataCtr1_sort(struct replPropertyMetaDataCtr1 *ctr1,
623 const struct dsdb_schema *schema,
626 const char *rdn_name;
627 const struct dsdb_attribute *rdn_sa;
629 rdn_name = ldb_dn_get_rdn_name(dn);
631 DEBUG(0,(__location__ ": No rDN for %s?\n", ldb_dn_get_linearized(dn)));
632 return LDB_ERR_OPERATIONS_ERROR;
635 rdn_sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
636 if (rdn_sa == NULL) {
637 DEBUG(0,(__location__ ": No sa found for rDN %s for %s\n", rdn_name, ldb_dn_get_linearized(dn)));
638 return LDB_ERR_OPERATIONS_ERROR;
641 DEBUG(6,("Sorting rpmd with attid exception %u rDN=%s DN=%s\n",
642 rdn_sa->attributeID_id, rdn_name, ldb_dn_get_linearized(dn)));
644 LDB_TYPESAFE_QSORT(ctr1->array, ctr1->count, &rdn_sa->attributeID_id, replmd_replPropertyMetaData1_attid_sort);
649 static int replmd_ldb_message_element_attid_sort(const struct ldb_message_element *e1,
650 const struct ldb_message_element *e2,
651 const struct dsdb_schema *schema)
653 const struct dsdb_attribute *a1;
654 const struct dsdb_attribute *a2;
657 * TODO: make this faster by caching the dsdb_attribute pointer
658 * on the ldb_messag_element
661 a1 = dsdb_attribute_by_lDAPDisplayName(schema, e1->name);
662 a2 = dsdb_attribute_by_lDAPDisplayName(schema, e2->name);
664 if (a1->attributeID_id == a2->attributeID_id) {
667 return a1->attributeID_id > a2->attributeID_id ? 1 : -1;
670 static void replmd_ldb_message_sort(struct ldb_message *msg,
671 const struct dsdb_schema *schema)
673 LDB_TYPESAFE_QSORT(msg->elements, msg->num_elements, schema, replmd_ldb_message_element_attid_sort);
676 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
677 const struct GUID *invocation_id, uint64_t seq_num,
678 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted);
682 fix up linked attributes in replmd_add.
683 This involves setting up the right meta-data in extended DN
684 components, and creating backlinks to the object
686 static int replmd_add_fix_la(struct ldb_module *module, struct ldb_message_element *el,
687 uint64_t seq_num, const struct GUID *invocationId, time_t t,
688 struct GUID *guid, const struct dsdb_attribute *sa, struct ldb_request *parent)
691 TALLOC_CTX *tmp_ctx = talloc_new(el->values);
692 struct ldb_context *ldb = ldb_module_get_ctx(module);
694 /* We will take a reference to the schema in replmd_add_backlink */
695 const struct dsdb_schema *schema = dsdb_get_schema(ldb, NULL);
698 unix_to_nt_time(&now, t);
700 for (i=0; i<el->num_values; i++) {
701 struct ldb_val *v = &el->values[i];
702 struct dsdb_dn *dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, v, sa->syntax->ldap_oid);
703 struct GUID target_guid;
707 /* note that the DN already has the extended
708 components from the extended_dn_store module */
709 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
710 if (!NT_STATUS_IS_OK(status) || GUID_all_zero(&target_guid)) {
711 ret = dsdb_module_guid_by_dn(module, dsdb_dn->dn, &target_guid, parent);
712 if (ret != LDB_SUCCESS) {
713 talloc_free(tmp_ctx);
716 ret = dsdb_set_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
717 if (ret != LDB_SUCCESS) {
718 talloc_free(tmp_ctx);
723 ret = replmd_build_la_val(el->values, v, dsdb_dn, invocationId,
724 seq_num, seq_num, now, 0, false);
725 if (ret != LDB_SUCCESS) {
726 talloc_free(tmp_ctx);
730 ret = replmd_add_backlink(module, schema, guid, &target_guid, true, sa, false);
731 if (ret != LDB_SUCCESS) {
732 talloc_free(tmp_ctx);
737 talloc_free(tmp_ctx);
743 intercept add requests
745 static int replmd_add(struct ldb_module *module, struct ldb_request *req)
747 struct samldb_msds_intid_persistant *msds_intid_struct;
748 struct ldb_context *ldb;
749 struct ldb_control *control;
750 struct replmd_replicated_request *ac;
751 enum ndr_err_code ndr_err;
752 struct ldb_request *down_req;
753 struct ldb_message *msg;
754 const DATA_BLOB *guid_blob;
756 struct replPropertyMetaDataBlob nmd;
757 struct ldb_val nmd_value;
758 const struct GUID *our_invocation_id;
759 time_t t = time(NULL);
764 unsigned int functional_level;
766 bool allow_add_guid = false;
767 bool remove_current_guid = false;
768 bool is_urgent = false;
769 struct ldb_message_element *objectclass_el;
771 /* check if there's a show relax control (used by provision to say 'I know what I'm doing') */
772 control = ldb_request_get_control(req, LDB_CONTROL_RELAX_OID);
774 allow_add_guid = true;
777 /* do not manipulate our control entries */
778 if (ldb_dn_is_special(req->op.add.message->dn)) {
779 return ldb_next_request(module, req);
782 ldb = ldb_module_get_ctx(module);
784 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_add\n");
786 guid_blob = ldb_msg_find_ldb_val(req->op.add.message, "objectGUID");
787 if (guid_blob != NULL) {
788 if (!allow_add_guid) {
789 ldb_set_errstring(ldb,
790 "replmd_add: it's not allowed to add an object with objectGUID!");
791 return LDB_ERR_UNWILLING_TO_PERFORM;
793 NTSTATUS status = GUID_from_data_blob(guid_blob,&guid);
794 if (!NT_STATUS_IS_OK(status)) {
795 ldb_set_errstring(ldb,
796 "replmd_add: Unable to parse the 'objectGUID' as a GUID!");
797 return LDB_ERR_UNWILLING_TO_PERFORM;
799 /* we remove this attribute as it can be a string and
800 * will not be treated correctly and then we will re-add
801 * it later on in the good format */
802 remove_current_guid = true;
806 guid = GUID_random();
809 ac = replmd_ctx_init(module, req);
811 return ldb_module_oom(module);
814 functional_level = dsdb_functional_level(ldb);
816 /* Get a sequence number from the backend */
817 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ac->seq_num);
818 if (ret != LDB_SUCCESS) {
823 /* get our invocationId */
824 our_invocation_id = samdb_ntds_invocation_id(ldb);
825 if (!our_invocation_id) {
826 ldb_debug_set(ldb, LDB_DEBUG_ERROR,
827 "replmd_add: unable to find invocationId\n");
829 return LDB_ERR_OPERATIONS_ERROR;
832 /* we have to copy the message as the caller might have it as a const */
833 msg = ldb_msg_copy_shallow(ac, req->op.add.message);
837 return LDB_ERR_OPERATIONS_ERROR;
840 /* generated times */
841 unix_to_nt_time(&now, t);
842 time_str = ldb_timestring(msg, t);
846 return LDB_ERR_OPERATIONS_ERROR;
848 if (remove_current_guid) {
849 ldb_msg_remove_attr(msg,"objectGUID");
853 * remove autogenerated attributes
855 ldb_msg_remove_attr(msg, "whenCreated");
856 ldb_msg_remove_attr(msg, "whenChanged");
857 ldb_msg_remove_attr(msg, "uSNCreated");
858 ldb_msg_remove_attr(msg, "uSNChanged");
859 ldb_msg_remove_attr(msg, "replPropertyMetaData");
862 * readd replicated attributes
864 ret = ldb_msg_add_string(msg, "whenCreated", time_str);
865 if (ret != LDB_SUCCESS) {
871 /* build the replication meta_data */
874 nmd.ctr.ctr1.count = msg->num_elements;
875 nmd.ctr.ctr1.array = talloc_array(msg,
876 struct replPropertyMetaData1,
878 if (!nmd.ctr.ctr1.array) {
881 return LDB_ERR_OPERATIONS_ERROR;
884 for (i=0; i < msg->num_elements; i++) {
885 struct ldb_message_element *e = &msg->elements[i];
886 struct replPropertyMetaData1 *m = &nmd.ctr.ctr1.array[ni];
887 const struct dsdb_attribute *sa;
889 if (e->name[0] == '@') continue;
891 sa = dsdb_attribute_by_lDAPDisplayName(ac->schema, e->name);
893 ldb_debug_set(ldb, LDB_DEBUG_ERROR,
894 "replmd_add: attribute '%s' not defined in schema\n",
897 return LDB_ERR_NO_SUCH_ATTRIBUTE;
900 if ((sa->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (sa->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
901 /* if the attribute is not replicated (0x00000001)
902 * or constructed (0x00000004) it has no metadata
907 if (sa->linkID != 0 && functional_level > DS_DOMAIN_FUNCTION_2000) {
908 ret = replmd_add_fix_la(module, e, ac->seq_num, our_invocation_id, t, &guid, sa, req);
909 if (ret != LDB_SUCCESS) {
913 /* linked attributes are not stored in
914 replPropertyMetaData in FL above w2k */
918 m->attid = sa->attributeID_id;
920 if (m->attid == 0x20030) {
921 const struct ldb_val *rdn_val = ldb_dn_get_rdn_val(msg->dn);
924 if (rdn_val == NULL) {
927 return LDB_ERR_OPERATIONS_ERROR;
930 rdn = (const char*)rdn_val->data;
931 if (strcmp(rdn, "Deleted Objects") == 0) {
933 * Set the originating_change_time to 29/12/9999 at 23:59:59
934 * as specified in MS-ADTS 7.1.1.4.2 Deleted Objects Container
936 m->originating_change_time = DELETED_OBJECT_CONTAINER_CHANGE_TIME;
938 m->originating_change_time = now;
941 m->originating_change_time = now;
943 m->originating_invocation_id = *our_invocation_id;
944 m->originating_usn = ac->seq_num;
945 m->local_usn = ac->seq_num;
949 /* fix meta data count */
950 nmd.ctr.ctr1.count = ni;
953 * sort meta data array, and move the rdn attribute entry to the end
955 ret = replmd_replPropertyMetaDataCtr1_sort(&nmd.ctr.ctr1, ac->schema, msg->dn);
956 if (ret != LDB_SUCCESS) {
961 /* generated NDR encoded values */
962 ndr_err = ndr_push_struct_blob(&nmd_value, msg,
964 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
965 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
968 return LDB_ERR_OPERATIONS_ERROR;
972 * add the autogenerated values
974 ret = dsdb_msg_add_guid(msg, &guid, "objectGUID");
975 if (ret != LDB_SUCCESS) {
980 ret = ldb_msg_add_string(msg, "whenChanged", time_str);
981 if (ret != LDB_SUCCESS) {
986 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ac->seq_num);
987 if (ret != LDB_SUCCESS) {
992 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ac->seq_num);
993 if (ret != LDB_SUCCESS) {
998 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
999 if (ret != LDB_SUCCESS) {
1006 * sort the attributes by attid before storing the object
1008 replmd_ldb_message_sort(msg, ac->schema);
1010 objectclass_el = ldb_msg_find_element(msg, "objectClass");
1011 is_urgent = replmd_check_urgent_objectclass(objectclass_el,
1012 REPL_URGENT_ON_CREATE);
1014 ac->is_urgent = is_urgent;
1015 ret = ldb_build_add_req(&down_req, ldb, ac,
1018 ac, replmd_op_callback,
1021 LDB_REQ_SET_LOCATION(down_req);
1022 if (ret != LDB_SUCCESS) {
1027 /* current partition control is needed by "replmd_op_callback" */
1028 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
1029 ret = ldb_request_add_control(down_req,
1030 DSDB_CONTROL_CURRENT_PARTITION_OID,
1032 if (ret != LDB_SUCCESS) {
1038 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
1039 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
1040 if (ret != LDB_SUCCESS) {
1046 /* mark the control done */
1048 control->critical = 0;
1050 if (ldb_dn_compare_base(ac->schema->base_dn, req->op.add.message->dn) != 0) {
1052 /* Update the usn in the SAMLDB_MSDS_INTID_OPAQUE opaque */
1053 msds_intid_struct = (struct samldb_msds_intid_persistant *) ldb_get_opaque(ldb, SAMLDB_MSDS_INTID_OPAQUE);
1054 if (msds_intid_struct) {
1055 msds_intid_struct->usn = ac->seq_num;
1058 /* go on with the call chain */
1059 return ldb_next_request(module, down_req);
1064 * update the replPropertyMetaData for one element
1066 static int replmd_update_rpmd_element(struct ldb_context *ldb,
1067 struct ldb_message *msg,
1068 struct ldb_message_element *el,
1069 struct ldb_message_element *old_el,
1070 struct replPropertyMetaDataBlob *omd,
1071 const struct dsdb_schema *schema,
1073 const struct GUID *our_invocation_id,
1075 struct ldb_request *req)
1078 const struct dsdb_attribute *a;
1079 struct replPropertyMetaData1 *md1;
1081 a = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
1083 if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
1084 /* allow this to make it possible for dbcheck
1085 to remove bad attributes */
1089 DEBUG(0,(__location__ ": Unable to find attribute %s in schema\n",
1091 return LDB_ERR_OPERATIONS_ERROR;
1094 if ((a->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (a->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
1098 /* if the attribute's value haven't changed then return LDB_SUCCESS
1099 * Unless we have the provision control or if the attribute is
1100 * interSiteTopologyGenerator as this page explain: http://support.microsoft.com/kb/224815
1101 * this attribute is periodicaly written by the DC responsible for the intersite generation
1104 if (old_el != NULL && ldb_msg_element_compare(el, old_el) == 0) {
1105 if (strcmp(el->name, "interSiteTopologyGenerator") != 0 &&
1106 !ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID)) {
1108 * allow this to make it possible for dbcheck
1109 * to rebuild broken metadata
1115 for (i=0; i<omd->ctr.ctr1.count; i++) {
1116 if (a->attributeID_id == omd->ctr.ctr1.array[i].attid) break;
1119 if (a->linkID != 0 && dsdb_functional_level(ldb) > DS_DOMAIN_FUNCTION_2000) {
1120 /* linked attributes are not stored in
1121 replPropertyMetaData in FL above w2k, but we do
1122 raise the seqnum for the object */
1123 if (*seq_num == 0 &&
1124 ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num) != LDB_SUCCESS) {
1125 return LDB_ERR_OPERATIONS_ERROR;
1130 if (i == omd->ctr.ctr1.count) {
1131 /* we need to add a new one */
1132 omd->ctr.ctr1.array = talloc_realloc(msg, omd->ctr.ctr1.array,
1133 struct replPropertyMetaData1, omd->ctr.ctr1.count+1);
1134 if (omd->ctr.ctr1.array == NULL) {
1136 return LDB_ERR_OPERATIONS_ERROR;
1138 omd->ctr.ctr1.count++;
1139 ZERO_STRUCT(omd->ctr.ctr1.array[i]);
1142 /* Get a new sequence number from the backend. We only do this
1143 * if we have a change that requires a new
1144 * replPropertyMetaData element
1146 if (*seq_num == 0) {
1147 int ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num);
1148 if (ret != LDB_SUCCESS) {
1149 return LDB_ERR_OPERATIONS_ERROR;
1153 md1 = &omd->ctr.ctr1.array[i];
1155 md1->attid = a->attributeID_id;
1156 if (md1->attid == 0x20030) {
1157 const struct ldb_val *rdn_val = ldb_dn_get_rdn_val(msg->dn);
1160 if (rdn_val == NULL) {
1162 return LDB_ERR_OPERATIONS_ERROR;
1165 rdn = (const char*)rdn_val->data;
1166 if (strcmp(rdn, "Deleted Objects") == 0) {
1168 * Set the originating_change_time to 29/12/9999 at 23:59:59
1169 * as specified in MS-ADTS 7.1.1.4.2 Deleted Objects Container
1171 md1->originating_change_time = DELETED_OBJECT_CONTAINER_CHANGE_TIME;
1173 md1->originating_change_time = now;
1176 md1->originating_change_time = now;
1178 md1->originating_invocation_id = *our_invocation_id;
1179 md1->originating_usn = *seq_num;
1180 md1->local_usn = *seq_num;
1185 static uint64_t find_max_local_usn(struct replPropertyMetaDataBlob omd)
1187 uint32_t count = omd.ctr.ctr1.count;
1190 for (i=0; i < count; i++) {
1191 struct replPropertyMetaData1 m = omd.ctr.ctr1.array[i];
1192 if (max < m.local_usn) {
1200 * update the replPropertyMetaData object each time we modify an
1201 * object. This is needed for DRS replication, as the merge on the
1202 * client is based on this object
1204 static int replmd_update_rpmd(struct ldb_module *module,
1205 const struct dsdb_schema *schema,
1206 struct ldb_request *req,
1207 const char * const *rename_attrs,
1208 struct ldb_message *msg, uint64_t *seq_num,
1210 bool *is_urgent, bool *rodc)
1212 const struct ldb_val *omd_value;
1213 enum ndr_err_code ndr_err;
1214 struct replPropertyMetaDataBlob omd;
1217 const struct GUID *our_invocation_id;
1219 const char * const *attrs = NULL;
1220 const char * const attrs1[] = { "replPropertyMetaData", "*", NULL };
1221 const char * const attrs2[] = { "uSNChanged", "objectClass", "instanceType", NULL };
1222 struct ldb_result *res;
1223 struct ldb_context *ldb;
1224 struct ldb_message_element *objectclass_el;
1225 enum urgent_situation situation;
1226 bool rmd_is_provided;
1229 attrs = rename_attrs;
1234 ldb = ldb_module_get_ctx(module);
1236 our_invocation_id = samdb_ntds_invocation_id(ldb);
1237 if (!our_invocation_id) {
1238 /* this happens during an initial vampire while
1239 updating the schema */
1240 DEBUG(5,("No invocationID - skipping replPropertyMetaData update\n"));
1244 unix_to_nt_time(&now, t);
1246 if (ldb_request_get_control(req, DSDB_CONTROL_CHANGEREPLMETADATA_OID)) {
1247 rmd_is_provided = true;
1249 rmd_is_provided = false;
1252 /* if isDeleted is present and is TRUE, then we consider we are deleting,
1253 * otherwise we consider we are updating */
1254 if (ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")) {
1255 situation = REPL_URGENT_ON_DELETE;
1256 } else if (rename_attrs) {
1257 situation = REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE;
1259 situation = REPL_URGENT_ON_UPDATE;
1262 if (rmd_is_provided) {
1263 /* In this case the change_replmetadata control was supplied */
1264 /* We check that it's the only attribute that is provided
1265 * (it's a rare case so it's better to keep the code simplier)
1266 * We also check that the highest local_usn is bigger than
1269 if( msg->num_elements != 1 ||
1270 strncmp(msg->elements[0].name,
1271 "replPropertyMetaData", 20) ) {
1272 DEBUG(0,(__location__ ": changereplmetada control called without "\
1273 "a specified replPropertyMetaData attribute or with others\n"));
1274 return LDB_ERR_OPERATIONS_ERROR;
1276 if (situation != REPL_URGENT_ON_UPDATE) {
1277 DEBUG(0,(__location__ ": changereplmetada control can't be called when deleting an object\n"));
1278 return LDB_ERR_OPERATIONS_ERROR;
1280 omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
1282 DEBUG(0,(__location__ ": replPropertyMetaData was not specified for Object %s\n",
1283 ldb_dn_get_linearized(msg->dn)));
1284 return LDB_ERR_OPERATIONS_ERROR;
1286 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1287 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1288 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1289 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1290 ldb_dn_get_linearized(msg->dn)));
1291 return LDB_ERR_OPERATIONS_ERROR;
1293 *seq_num = find_max_local_usn(omd);
1295 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs2,
1296 DSDB_FLAG_NEXT_MODULE |
1297 DSDB_SEARCH_SHOW_RECYCLED |
1298 DSDB_SEARCH_SHOW_EXTENDED_DN |
1299 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1300 DSDB_SEARCH_REVEAL_INTERNALS, req);
1302 if (ret != LDB_SUCCESS) {
1306 objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
1307 if (is_urgent && replmd_check_urgent_objectclass(objectclass_el,
1312 db_seq = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNChanged", 0);
1313 if (*seq_num <= db_seq) {
1314 DEBUG(0,(__location__ ": changereplmetada control provided but max(local_usn)"\
1315 " is less or equal to uSNChanged (max = %lld uSNChanged = %lld)\n",
1316 (long long)*seq_num, (long long)db_seq));
1317 return LDB_ERR_OPERATIONS_ERROR;
1321 /* search for the existing replPropertyMetaDataBlob. We need
1322 * to use REVEAL and ask for DNs in storage format to support
1323 * the check for values being the same in
1324 * replmd_update_rpmd_element()
1326 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs,
1327 DSDB_FLAG_NEXT_MODULE |
1328 DSDB_SEARCH_SHOW_RECYCLED |
1329 DSDB_SEARCH_SHOW_EXTENDED_DN |
1330 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1331 DSDB_SEARCH_REVEAL_INTERNALS, req);
1332 if (ret != LDB_SUCCESS) {
1336 objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
1337 if (is_urgent && replmd_check_urgent_objectclass(objectclass_el,
1342 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
1344 DEBUG(0,(__location__ ": Object %s does not have a replPropertyMetaData attribute\n",
1345 ldb_dn_get_linearized(msg->dn)));
1346 return LDB_ERR_OPERATIONS_ERROR;
1349 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1350 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1351 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1352 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1353 ldb_dn_get_linearized(msg->dn)));
1354 return LDB_ERR_OPERATIONS_ERROR;
1357 if (omd.version != 1) {
1358 DEBUG(0,(__location__ ": bad version %u in replPropertyMetaData for %s\n",
1359 omd.version, ldb_dn_get_linearized(msg->dn)));
1360 return LDB_ERR_OPERATIONS_ERROR;
1363 for (i=0; i<msg->num_elements; i++) {
1364 struct ldb_message_element *old_el;
1365 old_el = ldb_msg_find_element(res->msgs[0], msg->elements[i].name);
1366 ret = replmd_update_rpmd_element(ldb, msg, &msg->elements[i], old_el, &omd, schema, seq_num,
1367 our_invocation_id, now, req);
1368 if (ret != LDB_SUCCESS) {
1372 if (is_urgent && !*is_urgent && (situation == REPL_URGENT_ON_UPDATE)) {
1373 *is_urgent = replmd_check_urgent_attribute(&msg->elements[i]);
1379 * replmd_update_rpmd_element has done an update if the
1382 if (*seq_num != 0) {
1383 struct ldb_val *md_value;
1384 struct ldb_message_element *el;
1386 /*if we are RODC and this is a DRSR update then its ok*/
1387 if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)
1388 && !ldb_request_get_control(req, DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA)) {
1389 unsigned instanceType;
1391 ret = samdb_rodc(ldb, rodc);
1392 if (ret != LDB_SUCCESS) {
1393 DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
1395 ldb_set_errstring(ldb, "RODC modify is forbidden!");
1396 return LDB_ERR_REFERRAL;
1399 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", INSTANCE_TYPE_WRITE);
1400 if (!(instanceType & INSTANCE_TYPE_WRITE)) {
1401 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1402 "cannot change replicated attribute on partial replica");
1406 md_value = talloc(msg, struct ldb_val);
1407 if (md_value == NULL) {
1409 return LDB_ERR_OPERATIONS_ERROR;
1412 ret = replmd_replPropertyMetaDataCtr1_sort(&omd.ctr.ctr1, schema, msg->dn);
1413 if (ret != LDB_SUCCESS) {
1417 ndr_err = ndr_push_struct_blob(md_value, msg, &omd,
1418 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
1419 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1420 DEBUG(0,(__location__ ": Failed to marshall replPropertyMetaData for %s\n",
1421 ldb_dn_get_linearized(msg->dn)));
1422 return LDB_ERR_OPERATIONS_ERROR;
1425 ret = ldb_msg_add_empty(msg, "replPropertyMetaData", LDB_FLAG_MOD_REPLACE, &el);
1426 if (ret != LDB_SUCCESS) {
1427 DEBUG(0,(__location__ ": Failed to add updated replPropertyMetaData %s\n",
1428 ldb_dn_get_linearized(msg->dn)));
1433 el->values = md_value;
1440 struct dsdb_dn *dsdb_dn;
1445 static int parsed_dn_compare(struct parsed_dn *pdn1, struct parsed_dn *pdn2)
1447 return GUID_compare(pdn1->guid, pdn2->guid);
1450 static struct parsed_dn *parsed_dn_find(struct parsed_dn *pdn,
1451 unsigned int count, struct GUID *guid,
1454 struct parsed_dn *ret;
1456 if (dn && GUID_all_zero(guid)) {
1457 /* when updating a link using DRS, we sometimes get a
1458 NULL GUID. We then need to try and match by DN */
1459 for (i=0; i<count; i++) {
1460 if (ldb_dn_compare(pdn[i].dsdb_dn->dn, dn) == 0) {
1461 dsdb_get_extended_dn_guid(pdn[i].dsdb_dn->dn, guid, "GUID");
1467 BINARY_ARRAY_SEARCH(pdn, count, guid, guid, GUID_compare, ret);
1472 get a series of message element values as an array of DNs and GUIDs
1473 the result is sorted by GUID
1475 static int get_parsed_dns(struct ldb_module *module, TALLOC_CTX *mem_ctx,
1476 struct ldb_message_element *el, struct parsed_dn **pdn,
1477 const char *ldap_oid, struct ldb_request *parent)
1480 struct ldb_context *ldb = ldb_module_get_ctx(module);
1487 (*pdn) = talloc_array(mem_ctx, struct parsed_dn, el->num_values);
1489 ldb_module_oom(module);
1490 return LDB_ERR_OPERATIONS_ERROR;
1493 for (i=0; i<el->num_values; i++) {
1494 struct ldb_val *v = &el->values[i];
1497 struct parsed_dn *p;
1501 p->dsdb_dn = dsdb_dn_parse(*pdn, ldb, v, ldap_oid);
1502 if (p->dsdb_dn == NULL) {
1503 return LDB_ERR_INVALID_DN_SYNTAX;
1506 dn = p->dsdb_dn->dn;
1508 p->guid = talloc(*pdn, struct GUID);
1509 if (p->guid == NULL) {
1510 ldb_module_oom(module);
1511 return LDB_ERR_OPERATIONS_ERROR;
1514 status = dsdb_get_extended_dn_guid(dn, p->guid, "GUID");
1515 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1516 /* we got a DN without a GUID - go find the GUID */
1517 int ret = dsdb_module_guid_by_dn(module, dn, p->guid, parent);
1518 if (ret != LDB_SUCCESS) {
1519 ldb_asprintf_errstring(ldb, "Unable to find GUID for DN %s\n",
1520 ldb_dn_get_linearized(dn));
1521 if (ret == LDB_ERR_NO_SUCH_OBJECT &&
1522 LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE &&
1523 ldb_attr_cmp(el->name, "member") == 0) {
1524 return LDB_ERR_UNWILLING_TO_PERFORM;
1528 ret = dsdb_set_extended_dn_guid(dn, p->guid, "GUID");
1529 if (ret != LDB_SUCCESS) {
1532 } else if (!NT_STATUS_IS_OK(status)) {
1533 return LDB_ERR_OPERATIONS_ERROR;
1536 /* keep a pointer to the original ldb_val */
1540 TYPESAFE_QSORT(*pdn, el->num_values, parsed_dn_compare);
1546 build a new extended DN, including all meta data fields
1548 RMD_FLAGS = DSDB_RMD_FLAG_* bits
1549 RMD_ADDTIME = originating_add_time
1550 RMD_INVOCID = originating_invocation_id
1551 RMD_CHANGETIME = originating_change_time
1552 RMD_ORIGINATING_USN = originating_usn
1553 RMD_LOCAL_USN = local_usn
1554 RMD_VERSION = version
1556 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1557 const struct GUID *invocation_id, uint64_t seq_num,
1558 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted)
1560 struct ldb_dn *dn = dsdb_dn->dn;
1561 const char *tstring, *usn_string, *flags_string;
1562 struct ldb_val tval;
1564 struct ldb_val usnv, local_usnv;
1565 struct ldb_val vers, flagsv;
1568 const char *dnstring;
1570 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1572 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1574 return LDB_ERR_OPERATIONS_ERROR;
1576 tval = data_blob_string_const(tstring);
1578 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)seq_num);
1580 return LDB_ERR_OPERATIONS_ERROR;
1582 usnv = data_blob_string_const(usn_string);
1584 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1586 return LDB_ERR_OPERATIONS_ERROR;
1588 local_usnv = data_blob_string_const(usn_string);
1590 vstring = talloc_asprintf(mem_ctx, "%lu", (unsigned long)version);
1592 return LDB_ERR_OPERATIONS_ERROR;
1594 vers = data_blob_string_const(vstring);
1596 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1597 if (!NT_STATUS_IS_OK(status)) {
1598 return LDB_ERR_OPERATIONS_ERROR;
1601 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1602 if (!flags_string) {
1603 return LDB_ERR_OPERATIONS_ERROR;
1605 flagsv = data_blob_string_const(flags_string);
1607 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1608 if (ret != LDB_SUCCESS) return ret;
1609 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", &tval);
1610 if (ret != LDB_SUCCESS) return ret;
1611 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1612 if (ret != LDB_SUCCESS) return ret;
1613 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1614 if (ret != LDB_SUCCESS) return ret;
1615 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1616 if (ret != LDB_SUCCESS) return ret;
1617 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1618 if (ret != LDB_SUCCESS) return ret;
1619 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1620 if (ret != LDB_SUCCESS) return ret;
1622 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1623 if (dnstring == NULL) {
1624 return LDB_ERR_OPERATIONS_ERROR;
1626 *v = data_blob_string_const(dnstring);
1631 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1632 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1633 uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
1634 uint32_t version, bool deleted);
1637 check if any links need upgrading from w2k format
1639 The parent_ctx is the ldb_message_element which contains the values array that dns[i].v points at, and which should be used for allocating any new value.
1641 static int replmd_check_upgrade_links(struct parsed_dn *dns, uint32_t count, struct ldb_message_element *parent_ctx, const struct GUID *invocation_id)
1644 for (i=0; i<count; i++) {
1649 status = dsdb_get_extended_dn_uint32(dns[i].dsdb_dn->dn, &version, "RMD_VERSION");
1650 if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1654 /* it's an old one that needs upgrading */
1655 ret = replmd_update_la_val(parent_ctx->values, dns[i].v, dns[i].dsdb_dn, dns[i].dsdb_dn, invocation_id,
1657 if (ret != LDB_SUCCESS) {
1665 update an extended DN, including all meta data fields
1667 see replmd_build_la_val for value names
1669 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1670 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1671 uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
1672 uint32_t version, bool deleted)
1674 struct ldb_dn *dn = dsdb_dn->dn;
1675 const char *tstring, *usn_string, *flags_string;
1676 struct ldb_val tval;
1678 struct ldb_val usnv, local_usnv;
1679 struct ldb_val vers, flagsv;
1680 const struct ldb_val *old_addtime;
1681 uint32_t old_version;
1684 const char *dnstring;
1686 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1688 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1690 return LDB_ERR_OPERATIONS_ERROR;
1692 tval = data_blob_string_const(tstring);
1694 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)seq_num);
1696 return LDB_ERR_OPERATIONS_ERROR;
1698 usnv = data_blob_string_const(usn_string);
1700 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1702 return LDB_ERR_OPERATIONS_ERROR;
1704 local_usnv = data_blob_string_const(usn_string);
1706 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1707 if (!NT_STATUS_IS_OK(status)) {
1708 return LDB_ERR_OPERATIONS_ERROR;
1711 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1712 if (!flags_string) {
1713 return LDB_ERR_OPERATIONS_ERROR;
1715 flagsv = data_blob_string_const(flags_string);
1717 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1718 if (ret != LDB_SUCCESS) return ret;
1720 /* get the ADDTIME from the original */
1721 old_addtime = ldb_dn_get_extended_component(old_dsdb_dn->dn, "RMD_ADDTIME");
1722 if (old_addtime == NULL) {
1723 old_addtime = &tval;
1725 if (dsdb_dn != old_dsdb_dn ||
1726 ldb_dn_get_extended_component(dn, "RMD_ADDTIME") == NULL) {
1727 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", old_addtime);
1728 if (ret != LDB_SUCCESS) return ret;
1731 /* use our invocation id */
1732 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1733 if (ret != LDB_SUCCESS) return ret;
1735 /* changetime is the current time */
1736 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1737 if (ret != LDB_SUCCESS) return ret;
1739 /* update the USN */
1740 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1741 if (ret != LDB_SUCCESS) return ret;
1743 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1744 if (ret != LDB_SUCCESS) return ret;
1746 /* increase the version by 1 */
1747 status = dsdb_get_extended_dn_uint32(old_dsdb_dn->dn, &old_version, "RMD_VERSION");
1748 if (NT_STATUS_IS_OK(status) && old_version >= version) {
1749 version = old_version+1;
1751 vstring = talloc_asprintf(dn, "%lu", (unsigned long)version);
1752 vers = data_blob_string_const(vstring);
1753 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1754 if (ret != LDB_SUCCESS) return ret;
1756 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1757 if (dnstring == NULL) {
1758 return LDB_ERR_OPERATIONS_ERROR;
1760 *v = data_blob_string_const(dnstring);
1766 handle adding a linked attribute
1768 static int replmd_modify_la_add(struct ldb_module *module,
1769 const struct dsdb_schema *schema,
1770 struct ldb_message *msg,
1771 struct ldb_message_element *el,
1772 struct ldb_message_element *old_el,
1773 const struct dsdb_attribute *schema_attr,
1776 struct GUID *msg_guid,
1777 struct ldb_request *parent)
1780 struct parsed_dn *dns, *old_dns;
1781 TALLOC_CTX *tmp_ctx = talloc_new(msg);
1783 struct ldb_val *new_values = NULL;
1784 unsigned int num_new_values = 0;
1785 unsigned old_num_values = old_el?old_el->num_values:0;
1786 const struct GUID *invocation_id;
1787 struct ldb_context *ldb = ldb_module_get_ctx(module);
1790 unix_to_nt_time(&now, t);
1792 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
1793 if (ret != LDB_SUCCESS) {
1794 talloc_free(tmp_ctx);
1798 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
1799 if (ret != LDB_SUCCESS) {
1800 talloc_free(tmp_ctx);
1804 invocation_id = samdb_ntds_invocation_id(ldb);
1805 if (!invocation_id) {
1806 talloc_free(tmp_ctx);
1807 return LDB_ERR_OPERATIONS_ERROR;
1810 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
1811 if (ret != LDB_SUCCESS) {
1812 talloc_free(tmp_ctx);
1816 /* for each new value, see if it exists already with the same GUID */
1817 for (i=0; i<el->num_values; i++) {
1818 struct parsed_dn *p = parsed_dn_find(old_dns, old_num_values, dns[i].guid, NULL);
1820 /* this is a new linked attribute value */
1821 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val, num_new_values+1);
1822 if (new_values == NULL) {
1823 ldb_module_oom(module);
1824 talloc_free(tmp_ctx);
1825 return LDB_ERR_OPERATIONS_ERROR;
1827 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
1828 invocation_id, seq_num, seq_num, now, 0, false);
1829 if (ret != LDB_SUCCESS) {
1830 talloc_free(tmp_ctx);
1835 /* this is only allowed if the GUID was
1836 previously deleted. */
1837 uint32_t rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
1839 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
1840 ldb_asprintf_errstring(ldb, "Attribute %s already exists for target GUID %s",
1841 el->name, GUID_string(tmp_ctx, p->guid));
1842 talloc_free(tmp_ctx);
1843 /* error codes for 'member' need to be
1845 if (ldb_attr_cmp(el->name, "member") == 0) {
1846 return LDB_ERR_ENTRY_ALREADY_EXISTS;
1848 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
1851 ret = replmd_update_la_val(old_el->values, p->v, dns[i].dsdb_dn, p->dsdb_dn,
1852 invocation_id, seq_num, seq_num, now, 0, false);
1853 if (ret != LDB_SUCCESS) {
1854 talloc_free(tmp_ctx);
1859 ret = replmd_add_backlink(module, schema, msg_guid, dns[i].guid, true, schema_attr, true);
1860 if (ret != LDB_SUCCESS) {
1861 talloc_free(tmp_ctx);
1866 /* add the new ones on to the end of the old values, constructing a new el->values */
1867 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
1869 old_num_values+num_new_values);
1870 if (el->values == NULL) {
1871 ldb_module_oom(module);
1872 return LDB_ERR_OPERATIONS_ERROR;
1875 memcpy(&el->values[old_num_values], new_values, num_new_values*sizeof(struct ldb_val));
1876 el->num_values = old_num_values + num_new_values;
1878 talloc_steal(msg->elements, el->values);
1879 talloc_steal(el->values, new_values);
1881 talloc_free(tmp_ctx);
1883 /* we now tell the backend to replace all existing values
1884 with the one we have constructed */
1885 el->flags = LDB_FLAG_MOD_REPLACE;
1892 handle deleting all active linked attributes
1894 static int replmd_modify_la_delete(struct ldb_module *module,
1895 const struct dsdb_schema *schema,
1896 struct ldb_message *msg,
1897 struct ldb_message_element *el,
1898 struct ldb_message_element *old_el,
1899 const struct dsdb_attribute *schema_attr,
1902 struct GUID *msg_guid,
1903 struct ldb_request *parent)
1906 struct parsed_dn *dns, *old_dns;
1907 TALLOC_CTX *tmp_ctx = talloc_new(msg);
1909 const struct GUID *invocation_id;
1910 struct ldb_context *ldb = ldb_module_get_ctx(module);
1913 unix_to_nt_time(&now, t);
1915 /* check if there is nothing to delete */
1916 if ((!old_el || old_el->num_values == 0) &&
1917 el->num_values == 0) {
1921 if (!old_el || old_el->num_values == 0) {
1922 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1925 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
1926 if (ret != LDB_SUCCESS) {
1927 talloc_free(tmp_ctx);
1931 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
1932 if (ret != LDB_SUCCESS) {
1933 talloc_free(tmp_ctx);
1937 invocation_id = samdb_ntds_invocation_id(ldb);
1938 if (!invocation_id) {
1939 return LDB_ERR_OPERATIONS_ERROR;
1942 ret = replmd_check_upgrade_links(old_dns, old_el->num_values, old_el, invocation_id);
1943 if (ret != LDB_SUCCESS) {
1944 talloc_free(tmp_ctx);
1950 /* see if we are being asked to delete any links that
1951 don't exist or are already deleted */
1952 for (i=0; i<el->num_values; i++) {
1953 struct parsed_dn *p = &dns[i];
1954 struct parsed_dn *p2;
1957 p2 = parsed_dn_find(old_dns, old_el->num_values, p->guid, NULL);
1959 ldb_asprintf_errstring(ldb, "Attribute %s doesn't exist for target GUID %s",
1960 el->name, GUID_string(tmp_ctx, p->guid));
1961 if (ldb_attr_cmp(el->name, "member") == 0) {
1962 return LDB_ERR_UNWILLING_TO_PERFORM;
1964 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1967 rmd_flags = dsdb_dn_rmd_flags(p2->dsdb_dn->dn);
1968 if (rmd_flags & DSDB_RMD_FLAG_DELETED) {
1969 ldb_asprintf_errstring(ldb, "Attribute %s already deleted for target GUID %s",
1970 el->name, GUID_string(tmp_ctx, p->guid));
1971 if (ldb_attr_cmp(el->name, "member") == 0) {
1972 return LDB_ERR_UNWILLING_TO_PERFORM;
1974 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1979 /* for each new value, see if it exists already with the same GUID
1980 if it is not already deleted and matches the delete list then delete it
1982 for (i=0; i<old_el->num_values; i++) {
1983 struct parsed_dn *p = &old_dns[i];
1986 if (el->num_values && parsed_dn_find(dns, el->num_values, p->guid, NULL) == NULL) {
1990 rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
1991 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
1993 ret = replmd_update_la_val(old_el->values, p->v, p->dsdb_dn, p->dsdb_dn,
1994 invocation_id, seq_num, seq_num, now, 0, true);
1995 if (ret != LDB_SUCCESS) {
1996 talloc_free(tmp_ctx);
2000 ret = replmd_add_backlink(module, schema, msg_guid, old_dns[i].guid, false, schema_attr, true);
2001 if (ret != LDB_SUCCESS) {
2002 talloc_free(tmp_ctx);
2007 el->values = talloc_steal(msg->elements, old_el->values);
2008 el->num_values = old_el->num_values;
2010 talloc_free(tmp_ctx);
2012 /* we now tell the backend to replace all existing values
2013 with the one we have constructed */
2014 el->flags = LDB_FLAG_MOD_REPLACE;
2020 handle replacing a linked attribute
2022 static int replmd_modify_la_replace(struct ldb_module *module,
2023 const struct dsdb_schema *schema,
2024 struct ldb_message *msg,
2025 struct ldb_message_element *el,
2026 struct ldb_message_element *old_el,
2027 const struct dsdb_attribute *schema_attr,
2030 struct GUID *msg_guid,
2031 struct ldb_request *parent)
2034 struct parsed_dn *dns, *old_dns;
2035 TALLOC_CTX *tmp_ctx = talloc_new(msg);
2037 const struct GUID *invocation_id;
2038 struct ldb_context *ldb = ldb_module_get_ctx(module);
2039 struct ldb_val *new_values = NULL;
2040 unsigned int num_new_values = 0;
2041 unsigned int old_num_values = old_el?old_el->num_values:0;
2044 unix_to_nt_time(&now, t);
2046 /* check if there is nothing to replace */
2047 if ((!old_el || old_el->num_values == 0) &&
2048 el->num_values == 0) {
2052 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
2053 if (ret != LDB_SUCCESS) {
2054 talloc_free(tmp_ctx);
2058 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
2059 if (ret != LDB_SUCCESS) {
2060 talloc_free(tmp_ctx);
2064 invocation_id = samdb_ntds_invocation_id(ldb);
2065 if (!invocation_id) {
2066 return LDB_ERR_OPERATIONS_ERROR;
2069 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
2070 if (ret != LDB_SUCCESS) {
2071 talloc_free(tmp_ctx);
2075 /* mark all the old ones as deleted */
2076 for (i=0; i<old_num_values; i++) {
2077 struct parsed_dn *old_p = &old_dns[i];
2078 struct parsed_dn *p;
2079 uint32_t rmd_flags = dsdb_dn_rmd_flags(old_p->dsdb_dn->dn);
2081 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
2083 ret = replmd_add_backlink(module, schema, msg_guid, old_dns[i].guid, false, schema_attr, false);
2084 if (ret != LDB_SUCCESS) {
2085 talloc_free(tmp_ctx);
2089 p = parsed_dn_find(dns, el->num_values, old_p->guid, NULL);
2091 /* we don't delete it if we are re-adding it */
2095 ret = replmd_update_la_val(old_el->values, old_p->v, old_p->dsdb_dn, old_p->dsdb_dn,
2096 invocation_id, seq_num, seq_num, now, 0, true);
2097 if (ret != LDB_SUCCESS) {
2098 talloc_free(tmp_ctx);
2103 /* for each new value, either update its meta-data, or add it
2106 for (i=0; i<el->num_values; i++) {
2107 struct parsed_dn *p = &dns[i], *old_p;
2110 (old_p = parsed_dn_find(old_dns,
2111 old_num_values, p->guid, NULL)) != NULL) {
2112 /* update in place */
2113 ret = replmd_update_la_val(old_el->values, old_p->v, p->dsdb_dn,
2114 old_p->dsdb_dn, invocation_id,
2115 seq_num, seq_num, now, 0, false);
2116 if (ret != LDB_SUCCESS) {
2117 talloc_free(tmp_ctx);
2122 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val,
2124 if (new_values == NULL) {
2125 ldb_module_oom(module);
2126 talloc_free(tmp_ctx);
2127 return LDB_ERR_OPERATIONS_ERROR;
2129 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
2130 invocation_id, seq_num, seq_num, now, 0, false);
2131 if (ret != LDB_SUCCESS) {
2132 talloc_free(tmp_ctx);
2138 ret = replmd_add_backlink(module, schema, msg_guid, dns[i].guid, true, schema_attr, false);
2139 if (ret != LDB_SUCCESS) {
2140 talloc_free(tmp_ctx);
2145 /* add the new values to the end of old_el */
2146 if (num_new_values != 0) {
2147 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
2148 struct ldb_val, old_num_values+num_new_values);
2149 if (el->values == NULL) {
2150 ldb_module_oom(module);
2151 return LDB_ERR_OPERATIONS_ERROR;
2153 memcpy(&el->values[old_num_values], &new_values[0],
2154 sizeof(struct ldb_val)*num_new_values);
2155 el->num_values = old_num_values + num_new_values;
2156 talloc_steal(msg->elements, new_values);
2158 el->values = old_el->values;
2159 el->num_values = old_el->num_values;
2160 talloc_steal(msg->elements, el->values);
2163 talloc_free(tmp_ctx);
2165 /* we now tell the backend to replace all existing values
2166 with the one we have constructed */
2167 el->flags = LDB_FLAG_MOD_REPLACE;
2174 handle linked attributes in modify requests
2176 static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
2177 struct ldb_message *msg,
2178 uint64_t seq_num, time_t t,
2179 struct ldb_request *parent)
2181 struct ldb_result *res;
2184 struct ldb_context *ldb = ldb_module_get_ctx(module);
2185 struct ldb_message *old_msg;
2187 const struct dsdb_schema *schema;
2188 struct GUID old_guid;
2191 /* there the replmd_update_rpmd code has already
2192 * checked and saw that there are no linked
2197 if (dsdb_functional_level(ldb) == DS_DOMAIN_FUNCTION_2000) {
2198 /* don't do anything special for linked attributes */
2202 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, NULL,
2203 DSDB_FLAG_NEXT_MODULE |
2204 DSDB_SEARCH_SHOW_RECYCLED |
2205 DSDB_SEARCH_REVEAL_INTERNALS |
2206 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
2208 if (ret != LDB_SUCCESS) {
2211 schema = dsdb_get_schema(ldb, res);
2213 return LDB_ERR_OPERATIONS_ERROR;
2216 old_msg = res->msgs[0];
2218 old_guid = samdb_result_guid(old_msg, "objectGUID");
2220 for (i=0; i<msg->num_elements; i++) {
2221 struct ldb_message_element *el = &msg->elements[i];
2222 struct ldb_message_element *old_el, *new_el;
2223 const struct dsdb_attribute *schema_attr
2224 = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
2226 ldb_asprintf_errstring(ldb,
2227 "%s: attribute %s is not a valid attribute in schema",
2228 __FUNCTION__, el->name);
2229 return LDB_ERR_OBJECT_CLASS_VIOLATION;
2231 if (schema_attr->linkID == 0) {
2234 if ((schema_attr->linkID & 1) == 1) {
2235 if (parent && ldb_request_get_control(parent, DSDB_CONTROL_DBCHECK)) {
2238 /* Odd is for the target. Illegal to modify */
2239 ldb_asprintf_errstring(ldb,
2240 "attribute %s must not be modified directly, it is a linked attribute", el->name);
2241 return LDB_ERR_UNWILLING_TO_PERFORM;
2243 old_el = ldb_msg_find_element(old_msg, el->name);
2244 switch (el->flags & LDB_FLAG_MOD_MASK) {
2245 case LDB_FLAG_MOD_REPLACE:
2246 ret = replmd_modify_la_replace(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2248 case LDB_FLAG_MOD_DELETE:
2249 ret = replmd_modify_la_delete(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2251 case LDB_FLAG_MOD_ADD:
2252 ret = replmd_modify_la_add(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2255 ldb_asprintf_errstring(ldb,
2256 "invalid flags 0x%x for %s linked attribute",
2257 el->flags, el->name);
2258 return LDB_ERR_UNWILLING_TO_PERFORM;
2260 if (dsdb_check_single_valued_link(schema_attr, el) != LDB_SUCCESS) {
2261 ldb_asprintf_errstring(ldb,
2262 "Attribute %s is single valued but more than one value has been supplied",
2264 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
2266 el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
2271 if (ret != LDB_SUCCESS) {
2275 ldb_msg_remove_attr(old_msg, el->name);
2277 ldb_msg_add_empty(old_msg, el->name, 0, &new_el);
2278 new_el->num_values = el->num_values;
2279 new_el->values = talloc_steal(msg->elements, el->values);
2281 /* TODO: this relises a bit too heavily on the exact
2282 behaviour of ldb_msg_find_element and
2283 ldb_msg_remove_element */
2284 old_el = ldb_msg_find_element(msg, el->name);
2286 ldb_msg_remove_element(msg, old_el);
2297 static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
2299 struct samldb_msds_intid_persistant *msds_intid_struct;
2300 struct ldb_context *ldb;
2301 struct replmd_replicated_request *ac;
2302 struct ldb_request *down_req;
2303 struct ldb_message *msg;
2304 time_t t = time(NULL);
2306 bool is_urgent = false, rodc = false;
2307 unsigned int functional_level;
2308 const DATA_BLOB *guid_blob;
2310 /* do not manipulate our control entries */
2311 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2312 return ldb_next_request(module, req);
2315 ldb = ldb_module_get_ctx(module);
2317 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_modify\n");
2319 guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
2320 if ( guid_blob != NULL ) {
2321 ldb_set_errstring(ldb,
2322 "replmd_modify: it's not allowed to change the objectGUID!");
2323 return LDB_ERR_CONSTRAINT_VIOLATION;
2326 ac = replmd_ctx_init(module, req);
2328 return ldb_module_oom(module);
2331 functional_level = dsdb_functional_level(ldb);
2333 /* we have to copy the message as the caller might have it as a const */
2334 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
2338 return LDB_ERR_OPERATIONS_ERROR;
2341 ldb_msg_remove_attr(msg, "whenChanged");
2342 ldb_msg_remove_attr(msg, "uSNChanged");
2344 ret = replmd_update_rpmd(module, ac->schema, req, NULL,
2345 msg, &ac->seq_num, t, &is_urgent, &rodc);
2346 if (rodc && (ret == LDB_ERR_REFERRAL)) {
2347 struct loadparm_context *lp_ctx;
2350 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2351 struct loadparm_context);
2353 referral = talloc_asprintf(req,
2355 lpcfg_dnsdomain(lp_ctx),
2356 ldb_dn_get_linearized(msg->dn));
2357 ret = ldb_module_send_referral(req, referral);
2362 if (ret != LDB_SUCCESS) {
2367 ret = replmd_modify_handle_linked_attribs(module, msg, ac->seq_num, t, req);
2368 if (ret != LDB_SUCCESS) {
2374 * - replace the old object with the newly constructed one
2377 ac->is_urgent = is_urgent;
2379 ret = ldb_build_mod_req(&down_req, ldb, ac,
2382 ac, replmd_op_callback,
2384 LDB_REQ_SET_LOCATION(down_req);
2385 if (ret != LDB_SUCCESS) {
2390 /* current partition control is needed by "replmd_op_callback" */
2391 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2392 ret = ldb_request_add_control(down_req,
2393 DSDB_CONTROL_CURRENT_PARTITION_OID,
2395 if (ret != LDB_SUCCESS) {
2401 /* If we are in functional level 2000, then
2402 * replmd_modify_handle_linked_attribs will have done
2404 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
2405 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
2406 if (ret != LDB_SUCCESS) {
2412 talloc_steal(down_req, msg);
2414 /* we only change whenChanged and uSNChanged if the seq_num
2416 if (ac->seq_num != 0) {
2417 ret = add_time_element(msg, "whenChanged", t);
2418 if (ret != LDB_SUCCESS) {
2424 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2425 if (ret != LDB_SUCCESS) {
2432 if (!ldb_dn_compare_base(ac->schema->base_dn, msg->dn)) {
2433 /* Update the usn in the SAMLDB_MSDS_INTID_OPAQUE opaque */
2434 msds_intid_struct = (struct samldb_msds_intid_persistant *) ldb_get_opaque(ldb, SAMLDB_MSDS_INTID_OPAQUE);
2435 if (msds_intid_struct) {
2436 msds_intid_struct->usn = ac->seq_num;
2440 /* go on with the call chain */
2441 return ldb_next_request(module, down_req);
2444 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares);
2447 handle a rename request
2449 On a rename we need to do an extra ldb_modify which sets the
2450 whenChanged and uSNChanged attributes. We do this in a callback after the success.
2452 static int replmd_rename(struct ldb_module *module, struct ldb_request *req)
2454 struct ldb_context *ldb;
2455 struct replmd_replicated_request *ac;
2457 struct ldb_request *down_req;
2459 /* do not manipulate our control entries */
2460 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2461 return ldb_next_request(module, req);
2464 ldb = ldb_module_get_ctx(module);
2466 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_rename\n");
2468 ac = replmd_ctx_init(module, req);
2470 return ldb_module_oom(module);
2473 ret = ldb_build_rename_req(&down_req, ldb, ac,
2474 ac->req->op.rename.olddn,
2475 ac->req->op.rename.newdn,
2477 ac, replmd_rename_callback,
2479 LDB_REQ_SET_LOCATION(down_req);
2480 if (ret != LDB_SUCCESS) {
2485 /* go on with the call chain */
2486 return ldb_next_request(module, down_req);
2489 /* After the rename is compleated, update the whenchanged etc */
2490 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
2492 struct ldb_context *ldb;
2493 struct replmd_replicated_request *ac;
2494 struct ldb_request *down_req;
2495 struct ldb_message *msg;
2496 const struct dsdb_attribute *rdn_attr;
2497 const char *rdn_name;
2498 const struct ldb_val *rdn_val;
2499 const char *attrs[5] = { NULL, };
2500 time_t t = time(NULL);
2502 bool is_urgent = false, rodc = false;
2504 ac = talloc_get_type(req->context, struct replmd_replicated_request);
2505 ldb = ldb_module_get_ctx(ac->module);
2507 if (ares->error != LDB_SUCCESS) {
2508 return ldb_module_done(ac->req, ares->controls,
2509 ares->response, ares->error);
2512 if (ares->type != LDB_REPLY_DONE) {
2513 ldb_set_errstring(ldb,
2514 "invalid ldb_reply_type in callback");
2516 return ldb_module_done(ac->req, NULL, NULL,
2517 LDB_ERR_OPERATIONS_ERROR);
2521 * - replace the old object with the newly constructed one
2524 msg = ldb_msg_new(ac);
2527 return LDB_ERR_OPERATIONS_ERROR;
2530 msg->dn = ac->req->op.rename.newdn;
2532 rdn_name = ldb_dn_get_rdn_name(msg->dn);
2533 if (rdn_name == NULL) {
2535 return ldb_module_done(ac->req, NULL, NULL,
2539 /* normalize the rdn attribute name */
2540 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, rdn_name);
2541 if (rdn_attr == NULL) {
2543 return ldb_module_done(ac->req, NULL, NULL,
2546 rdn_name = rdn_attr->lDAPDisplayName;
2548 rdn_val = ldb_dn_get_rdn_val(msg->dn);
2549 if (rdn_val == NULL) {
2551 return ldb_module_done(ac->req, NULL, NULL,
2555 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2557 return ldb_module_done(ac->req, NULL, NULL,
2560 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
2562 return ldb_module_done(ac->req, NULL, NULL,
2565 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2567 return ldb_module_done(ac->req, NULL, NULL,
2570 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
2572 return ldb_module_done(ac->req, NULL, NULL,
2577 * here we let replmd_update_rpmd() only search for
2578 * the existing "replPropertyMetaData" and rdn_name attributes.
2580 * We do not want the existing "name" attribute as
2581 * the "name" attribute needs to get the version
2582 * updated on rename even if the rdn value hasn't changed.
2584 * This is the diff of the meta data, for a moved user
2585 * on a w2k8r2 server:
2588 * -dn: CN=sdf df,CN=Users,DC=bla,DC=base
2589 * +dn: CN=sdf df,OU=TestOU,DC=bla,DC=base
2590 * replPropertyMetaData: NDR: struct replPropertyMetaDataBlob
2591 * version : 0x00000001 (1)
2592 * reserved : 0x00000000 (0)
2593 * @@ -66,11 +66,11 @@ replPropertyMetaData: NDR: struct re
2594 * local_usn : 0x00000000000037a5 (14245)
2595 * array: struct replPropertyMetaData1
2596 * attid : DRSUAPI_ATTID_name (0x90001)
2597 * - version : 0x00000001 (1)
2598 * - originating_change_time : Wed Feb 9 17:20:49 2011 CET
2599 * + version : 0x00000002 (2)
2600 * + originating_change_time : Wed Apr 6 15:21:01 2011 CEST
2601 * originating_invocation_id: 0d36ca05-5507-4e62-aca3-354bab0d39e1
2602 * - originating_usn : 0x00000000000037a5 (14245)
2603 * - local_usn : 0x00000000000037a5 (14245)
2604 * + originating_usn : 0x0000000000003834 (14388)
2605 * + local_usn : 0x0000000000003834 (14388)
2606 * array: struct replPropertyMetaData1
2607 * attid : DRSUAPI_ATTID_userAccountControl (0x90008)
2608 * version : 0x00000004 (4)
2610 attrs[0] = "replPropertyMetaData";
2611 attrs[1] = "objectClass";
2612 attrs[2] = "instanceType";
2613 attrs[3] = rdn_name;
2616 ret = replmd_update_rpmd(ac->module, ac->schema, req, attrs,
2617 msg, &ac->seq_num, t, &is_urgent, &rodc);
2618 if (rodc && (ret == LDB_ERR_REFERRAL)) {
2619 struct ldb_dn *olddn = ac->req->op.rename.olddn;
2620 struct loadparm_context *lp_ctx;
2623 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2624 struct loadparm_context);
2626 referral = talloc_asprintf(req,
2628 lpcfg_dnsdomain(lp_ctx),
2629 ldb_dn_get_linearized(olddn));
2630 ret = ldb_module_send_referral(req, referral);
2632 return ldb_module_done(req, NULL, NULL, ret);
2635 if (ret != LDB_SUCCESS) {
2637 return ldb_module_done(ac->req, NULL, NULL, ret);
2640 if (ac->seq_num == 0) {
2642 return ldb_module_done(ac->req, NULL, NULL,
2644 "internal error seq_num == 0"));
2646 ac->is_urgent = is_urgent;
2648 ret = ldb_build_mod_req(&down_req, ldb, ac,
2651 ac, replmd_op_callback,
2653 LDB_REQ_SET_LOCATION(down_req);
2654 if (ret != LDB_SUCCESS) {
2659 /* current partition control is needed by "replmd_op_callback" */
2660 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2661 ret = ldb_request_add_control(down_req,
2662 DSDB_CONTROL_CURRENT_PARTITION_OID,
2664 if (ret != LDB_SUCCESS) {
2670 talloc_steal(down_req, msg);
2672 ret = add_time_element(msg, "whenChanged", t);
2673 if (ret != LDB_SUCCESS) {
2679 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2680 if (ret != LDB_SUCCESS) {
2686 /* go on with the call chain - do the modify after the rename */
2687 return ldb_next_request(ac->module, down_req);
2691 remove links from objects that point at this object when an object
2694 static int replmd_delete_remove_link(struct ldb_module *module,
2695 const struct dsdb_schema *schema,
2697 struct ldb_message_element *el,
2698 const struct dsdb_attribute *sa,
2699 struct ldb_request *parent)
2702 TALLOC_CTX *tmp_ctx = talloc_new(module);
2703 struct ldb_context *ldb = ldb_module_get_ctx(module);
2705 for (i=0; i<el->num_values; i++) {
2706 struct dsdb_dn *dsdb_dn;
2710 struct ldb_message *msg;
2711 const struct dsdb_attribute *target_attr;
2712 struct ldb_message_element *el2;
2713 struct ldb_val dn_val;
2715 if (dsdb_dn_is_deleted_val(&el->values[i])) {
2719 dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], sa->syntax->ldap_oid);
2721 talloc_free(tmp_ctx);
2722 return LDB_ERR_OPERATIONS_ERROR;
2725 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid2, "GUID");
2726 if (!NT_STATUS_IS_OK(status)) {
2727 talloc_free(tmp_ctx);
2728 return LDB_ERR_OPERATIONS_ERROR;
2731 /* remove the link */
2732 msg = ldb_msg_new(tmp_ctx);
2734 ldb_module_oom(module);
2735 talloc_free(tmp_ctx);
2736 return LDB_ERR_OPERATIONS_ERROR;
2740 msg->dn = dsdb_dn->dn;
2742 target_attr = dsdb_attribute_by_linkID(schema, sa->linkID ^ 1);
2743 if (target_attr == NULL) {
2747 ret = ldb_msg_add_empty(msg, target_attr->lDAPDisplayName, LDB_FLAG_MOD_DELETE, &el2);
2748 if (ret != LDB_SUCCESS) {
2749 ldb_module_oom(module);
2750 talloc_free(tmp_ctx);
2751 return LDB_ERR_OPERATIONS_ERROR;
2753 dn_val = data_blob_string_const(ldb_dn_get_linearized(dn));
2754 el2->values = &dn_val;
2755 el2->num_values = 1;
2757 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, parent);
2758 if (ret != LDB_SUCCESS) {
2759 talloc_free(tmp_ctx);
2763 talloc_free(tmp_ctx);
2769 handle update of replication meta data for deletion of objects
2771 This also handles the mapping of delete to a rename operation
2772 to allow deletes to be replicated.
2774 static int replmd_delete(struct ldb_module *module, struct ldb_request *req)
2776 int ret = LDB_ERR_OTHER;
2777 bool retb, disallow_move_on_delete;
2778 struct ldb_dn *old_dn, *new_dn;
2779 const char *rdn_name;
2780 const struct ldb_val *rdn_value, *new_rdn_value;
2782 struct ldb_context *ldb = ldb_module_get_ctx(module);
2783 const struct dsdb_schema *schema;
2784 struct ldb_message *msg, *old_msg;
2785 struct ldb_message_element *el;
2786 TALLOC_CTX *tmp_ctx;
2787 struct ldb_result *res, *parent_res;
2788 const char *preserved_attrs[] = {
2789 /* yes, this really is a hard coded list. See MS-ADTS
2790 section 3.1.1.5.5.1.1 */
2791 "nTSecurityDescriptor", "attributeID", "attributeSyntax", "dNReferenceUpdate", "dNSHostName",
2792 "flatName", "governsID", "groupType", "instanceType", "lDAPDisplayName", "legacyExchangeDN",
2793 "isDeleted", "isRecycled", "lastKnownParent", "msDS-LastKnownRDN", "mS-DS-CreatorSID",
2794 "mSMQOwnerID", "nCName", "objectClass", "distinguishedName", "objectGUID", "objectSid",
2795 "oMSyntax", "proxiedObjectName", "name", "replPropertyMetaData", "sAMAccountName",
2796 "securityIdentifier", "sIDHistory", "subClassOf", "systemFlags", "trustPartner", "trustDirection",
2797 "trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated",
2798 "whenChanged", NULL};
2799 unsigned int i, el_count = 0;
2800 enum deletion_state { OBJECT_NOT_DELETED=1, OBJECT_DELETED=2, OBJECT_RECYCLED=3,
2801 OBJECT_TOMBSTONE=4, OBJECT_REMOVED=5 };
2802 enum deletion_state deletion_state, next_deletion_state;
2805 if (ldb_dn_is_special(req->op.del.dn)) {
2806 return ldb_next_request(module, req);
2809 tmp_ctx = talloc_new(ldb);
2812 return LDB_ERR_OPERATIONS_ERROR;
2815 schema = dsdb_get_schema(ldb, tmp_ctx);
2817 return LDB_ERR_OPERATIONS_ERROR;
2820 old_dn = ldb_dn_copy(tmp_ctx, req->op.del.dn);
2822 /* we need the complete msg off disk, so we can work out which
2823 attributes need to be removed */
2824 ret = dsdb_module_search_dn(module, tmp_ctx, &res, old_dn, NULL,
2825 DSDB_FLAG_NEXT_MODULE |
2826 DSDB_SEARCH_SHOW_RECYCLED |
2827 DSDB_SEARCH_REVEAL_INTERNALS |
2828 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, req);
2829 if (ret != LDB_SUCCESS) {
2830 talloc_free(tmp_ctx);
2833 old_msg = res->msgs[0];
2836 ret = dsdb_recyclebin_enabled(module, &enabled);
2837 if (ret != LDB_SUCCESS) {
2838 talloc_free(tmp_ctx);
2842 if (ldb_msg_check_string_attribute(old_msg, "isDeleted", "TRUE")) {
2844 deletion_state = OBJECT_TOMBSTONE;
2845 next_deletion_state = OBJECT_REMOVED;
2846 } else if (ldb_msg_check_string_attribute(old_msg, "isRecycled", "TRUE")) {
2847 deletion_state = OBJECT_RECYCLED;
2848 next_deletion_state = OBJECT_REMOVED;
2850 deletion_state = OBJECT_DELETED;
2851 next_deletion_state = OBJECT_RECYCLED;
2854 deletion_state = OBJECT_NOT_DELETED;
2856 next_deletion_state = OBJECT_DELETED;
2858 next_deletion_state = OBJECT_TOMBSTONE;
2862 if (next_deletion_state == OBJECT_REMOVED) {
2863 struct auth_session_info *session_info =
2864 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
2865 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
2866 ldb_asprintf_errstring(ldb, "Refusing to delete deleted object %s",
2867 ldb_dn_get_linearized(old_msg->dn));
2868 return LDB_ERR_UNWILLING_TO_PERFORM;
2871 /* it is already deleted - really remove it this time */
2872 talloc_free(tmp_ctx);
2873 return ldb_next_request(module, req);
2876 rdn_name = ldb_dn_get_rdn_name(old_dn);
2877 rdn_value = ldb_dn_get_rdn_val(old_dn);
2878 if ((rdn_name == NULL) || (rdn_value == NULL)) {
2879 talloc_free(tmp_ctx);
2880 return ldb_operr(ldb);
2883 msg = ldb_msg_new(tmp_ctx);
2885 ldb_module_oom(module);
2886 talloc_free(tmp_ctx);
2887 return LDB_ERR_OPERATIONS_ERROR;
2892 if (deletion_state == OBJECT_NOT_DELETED){
2893 /* consider the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag */
2894 disallow_move_on_delete =
2895 (ldb_msg_find_attr_as_int(old_msg, "systemFlags", 0)
2896 & SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
2898 /* work out where we will be renaming this object to */
2899 if (!disallow_move_on_delete) {
2900 ret = dsdb_get_deleted_objects_dn(ldb, tmp_ctx, old_dn,
2902 if (ret != LDB_SUCCESS) {
2903 /* this is probably an attempted delete on a partition
2904 * that doesn't allow delete operations, such as the
2905 * schema partition */
2906 ldb_asprintf_errstring(ldb, "No Deleted Objects container for DN %s",
2907 ldb_dn_get_linearized(old_dn));
2908 talloc_free(tmp_ctx);
2909 return LDB_ERR_UNWILLING_TO_PERFORM;
2912 new_dn = ldb_dn_get_parent(tmp_ctx, old_dn);
2913 if (new_dn == NULL) {
2914 ldb_module_oom(module);
2915 talloc_free(tmp_ctx);
2916 return LDB_ERR_OPERATIONS_ERROR;
2920 /* get the objects GUID from the search we just did */
2921 guid = samdb_result_guid(old_msg, "objectGUID");
2923 /* Add a formatted child */
2924 retb = ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ADEL:%s",
2926 ldb_dn_escape_value(tmp_ctx, *rdn_value),
2927 GUID_string(tmp_ctx, &guid));
2929 DEBUG(0,(__location__ ": Unable to add a formatted child to dn: %s",
2930 ldb_dn_get_linearized(new_dn)));
2931 talloc_free(tmp_ctx);
2932 return LDB_ERR_OPERATIONS_ERROR;
2935 ret = ldb_msg_add_string(msg, "isDeleted", "TRUE");
2936 if (ret != LDB_SUCCESS) {
2937 DEBUG(0,(__location__ ": Failed to add isDeleted string to the msg\n"));
2938 ldb_module_oom(module);
2939 talloc_free(tmp_ctx);
2942 msg->elements[el_count++].flags = LDB_FLAG_MOD_REPLACE;
2946 now we need to modify the object in the following ways:
2948 - add isDeleted=TRUE
2949 - update rDN and name, with new rDN
2950 - remove linked attributes
2951 - remove objectCategory and sAMAccountType
2952 - remove attribs not on the preserved list
2953 - preserved if in above list, or is rDN
2954 - remove all linked attribs from this object
2955 - remove all links from other objects to this object
2956 - add lastKnownParent
2957 - update replPropertyMetaData?
2959 see MS-ADTS "Tombstone Requirements" section 3.1.1.5.5.1.1
2962 /* we need the storage form of the parent GUID */
2963 ret = dsdb_module_search_dn(module, tmp_ctx, &parent_res,
2964 ldb_dn_get_parent(tmp_ctx, old_dn), NULL,
2965 DSDB_FLAG_NEXT_MODULE |
2966 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
2967 DSDB_SEARCH_REVEAL_INTERNALS|
2968 DSDB_SEARCH_SHOW_RECYCLED, req);
2969 if (ret != LDB_SUCCESS) {
2970 talloc_free(tmp_ctx);
2974 if (deletion_state == OBJECT_NOT_DELETED){
2975 ret = ldb_msg_add_steal_string(msg, "lastKnownParent",
2976 ldb_dn_get_extended_linearized(tmp_ctx, parent_res->msgs[0]->dn, 1));
2977 if (ret != LDB_SUCCESS) {
2978 DEBUG(0,(__location__ ": Failed to add lastKnownParent string to the msg\n"));
2979 ldb_module_oom(module);
2980 talloc_free(tmp_ctx);
2983 msg->elements[el_count++].flags = LDB_FLAG_MOD_REPLACE;
2986 switch (next_deletion_state){
2988 case OBJECT_DELETED:
2990 ret = ldb_msg_add_value(msg, "msDS-LastKnownRDN", rdn_value, NULL);
2991 if (ret != LDB_SUCCESS) {
2992 DEBUG(0,(__location__ ": Failed to add msDS-LastKnownRDN string to the msg\n"));
2993 ldb_module_oom(module);
2994 talloc_free(tmp_ctx);
2997 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
2999 ret = ldb_msg_add_empty(msg, "objectCategory", LDB_FLAG_MOD_REPLACE, NULL);
3000 if (ret != LDB_SUCCESS) {
3001 talloc_free(tmp_ctx);
3002 ldb_module_oom(module);
3006 ret = ldb_msg_add_empty(msg, "sAMAccountType", LDB_FLAG_MOD_REPLACE, NULL);
3007 if (ret != LDB_SUCCESS) {
3008 talloc_free(tmp_ctx);
3009 ldb_module_oom(module);
3015 case OBJECT_RECYCLED:
3016 case OBJECT_TOMBSTONE:
3019 * we also mark it as recycled, meaning this object can't be
3020 * recovered (we are stripping its attributes).
3021 * This is done only if we have this schema object of course ...
3022 * This behavior is identical to the one of Windows 2008R2 which
3023 * always set the isRecycled attribute, even if the recycle-bin is
3024 * not activated and what ever the forest level is.
3026 if (dsdb_attribute_by_lDAPDisplayName(schema, "isRecycled") != NULL) {
3027 ret = ldb_msg_add_string(msg, "isRecycled", "TRUE");
3028 if (ret != LDB_SUCCESS) {
3029 DEBUG(0,(__location__ ": Failed to add isRecycled string to the msg\n"));
3030 ldb_module_oom(module);
3031 talloc_free(tmp_ctx);
3034 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
3037 /* work out which of the old attributes we will be removing */
3038 for (i=0; i<old_msg->num_elements; i++) {
3039 const struct dsdb_attribute *sa;
3040 el = &old_msg->elements[i];
3041 sa = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
3043 talloc_free(tmp_ctx);
3044 return LDB_ERR_OPERATIONS_ERROR;
3046 if (ldb_attr_cmp(el->name, rdn_name) == 0) {
3047 /* don't remove the rDN */
3050 if (sa->linkID && (sa->linkID & 1)) {
3052 we have a backlink in this object
3053 that needs to be removed. We're not
3054 allowed to remove it directly
3055 however, so we instead setup a
3056 modify to delete the corresponding
3059 ret = replmd_delete_remove_link(module, schema, old_dn, el, sa, req);
3060 if (ret != LDB_SUCCESS) {
3061 talloc_free(tmp_ctx);
3062 return LDB_ERR_OPERATIONS_ERROR;
3064 /* now we continue, which means we
3065 won't remove this backlink
3070 if (!sa->linkID && ldb_attr_in_list(preserved_attrs, el->name)) {
3073 ret = ldb_msg_add_empty(msg, el->name, LDB_FLAG_MOD_DELETE, &el);
3074 if (ret != LDB_SUCCESS) {
3075 talloc_free(tmp_ctx);
3076 ldb_module_oom(module);
3086 if (deletion_state == OBJECT_NOT_DELETED) {
3087 const struct dsdb_attribute *sa;
3089 /* work out what the new rdn value is, for updating the
3090 rDN and name fields */
3091 new_rdn_value = ldb_dn_get_rdn_val(new_dn);
3092 if (new_rdn_value == NULL) {
3093 talloc_free(tmp_ctx);
3094 return ldb_operr(ldb);
3097 sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
3099 talloc_free(tmp_ctx);
3100 return LDB_ERR_OPERATIONS_ERROR;
3103 ret = ldb_msg_add_value(msg, sa->lDAPDisplayName, new_rdn_value,
3105 if (ret != LDB_SUCCESS) {
3106 talloc_free(tmp_ctx);
3109 el->flags = LDB_FLAG_MOD_REPLACE;
3111 el = ldb_msg_find_element(old_msg, "name");
3113 ret = ldb_msg_add_value(msg, "name", new_rdn_value, &el);
3114 if (ret != LDB_SUCCESS) {
3115 talloc_free(tmp_ctx);
3118 el->flags = LDB_FLAG_MOD_REPLACE;
3122 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, req);
3123 if (ret != LDB_SUCCESS) {
3124 ldb_asprintf_errstring(ldb, "replmd_delete: Failed to modify object %s in delete - %s",
3125 ldb_dn_get_linearized(old_dn), ldb_errstring(ldb));
3126 talloc_free(tmp_ctx);
3130 if (deletion_state == OBJECT_NOT_DELETED) {
3131 /* now rename onto the new DN */
3132 ret = dsdb_module_rename(module, old_dn, new_dn, DSDB_FLAG_NEXT_MODULE, req);
3133 if (ret != LDB_SUCCESS){
3134 DEBUG(0,(__location__ ": Failed to rename object from '%s' to '%s' - %s\n",
3135 ldb_dn_get_linearized(old_dn),
3136 ldb_dn_get_linearized(new_dn),
3137 ldb_errstring(ldb)));
3138 talloc_free(tmp_ctx);
3143 talloc_free(tmp_ctx);
3145 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
3150 static int replmd_replicated_request_error(struct replmd_replicated_request *ar, int ret)
3155 static int replmd_replicated_request_werror(struct replmd_replicated_request *ar, WERROR status)
3157 int ret = LDB_ERR_OTHER;
3158 /* TODO: do some error mapping */
3163 static struct replPropertyMetaData1 *
3164 replmd_replPropertyMetaData1_find_attid(struct replPropertyMetaDataBlob *md_blob,
3165 enum drsuapi_DsAttributeId attid)
3168 struct replPropertyMetaDataCtr1 *rpmd_ctr = &md_blob->ctr.ctr1;
3170 for (i = 0; i < rpmd_ctr->count; i++) {
3171 if (rpmd_ctr->array[i].attid == attid) {
3172 return &rpmd_ctr->array[i];
3180 return true if an update is newer than an existing entry
3181 see section 5.11 of MS-ADTS
3183 static bool replmd_update_is_newer(const struct GUID *current_invocation_id,
3184 const struct GUID *update_invocation_id,
3185 uint32_t current_version,
3186 uint32_t update_version,
3187 NTTIME current_change_time,
3188 NTTIME update_change_time)
3190 if (update_version != current_version) {
3191 return update_version > current_version;
3193 if (update_change_time != current_change_time) {
3194 return update_change_time > current_change_time;
3196 return GUID_compare(update_invocation_id, current_invocation_id) > 0;
3199 static bool replmd_replPropertyMetaData1_is_newer(struct replPropertyMetaData1 *cur_m,
3200 struct replPropertyMetaData1 *new_m)
3202 return replmd_update_is_newer(&cur_m->originating_invocation_id,
3203 &new_m->originating_invocation_id,
3206 cur_m->originating_change_time,
3207 new_m->originating_change_time);
3214 static struct ldb_dn *replmd_conflict_dn(TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct GUID *guid)
3216 const struct ldb_val *rdn_val;
3217 const char *rdn_name;
3218 struct ldb_dn *new_dn;
3220 rdn_val = ldb_dn_get_rdn_val(dn);
3221 rdn_name = ldb_dn_get_rdn_name(dn);
3222 if (!rdn_val || !rdn_name) {
3226 new_dn = ldb_dn_copy(mem_ctx, dn);
3231 if (!ldb_dn_remove_child_components(new_dn, 1)) {
3235 if (!ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ACNF:%s",
3237 ldb_dn_escape_value(new_dn, *rdn_val),
3238 GUID_string(new_dn, guid))) {
3247 perform a modify operation which sets the rDN and name attributes to
3248 their current values. This has the effect of changing these
3249 attributes to have been last updated by the current DC. This is
3250 needed to ensure that renames performed as part of conflict
3251 resolution are propogated to other DCs
3253 static int replmd_name_modify(struct replmd_replicated_request *ar,
3254 struct ldb_request *req, struct ldb_dn *dn)
3256 struct ldb_message *msg;
3257 const char *rdn_name;
3258 const struct ldb_val *rdn_val;
3259 const struct dsdb_attribute *rdn_attr;
3262 msg = ldb_msg_new(req);
3268 rdn_name = ldb_dn_get_rdn_name(dn);
3269 if (rdn_name == NULL) {
3273 /* normalize the rdn attribute name */
3274 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ar->schema, rdn_name);
3275 if (rdn_attr == NULL) {
3278 rdn_name = rdn_attr->lDAPDisplayName;
3280 rdn_val = ldb_dn_get_rdn_val(dn);
3281 if (rdn_val == NULL) {
3285 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3288 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
3291 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3294 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
3298 ret = dsdb_module_modify(ar->module, msg, DSDB_FLAG_OWN_MODULE, req);
3299 if (ret != LDB_SUCCESS) {
3300 DEBUG(0,(__location__ ": Failed to modify rDN/name of conflict DN '%s' - %s",
3301 ldb_dn_get_linearized(dn),
3302 ldb_errstring(ldb_module_get_ctx(ar->module))));
3312 DEBUG(0,(__location__ ": Failed to setup modify rDN/name of conflict DN '%s'",
3313 ldb_dn_get_linearized(dn)));
3314 return LDB_ERR_OPERATIONS_ERROR;
3319 callback for conflict DN handling where we have renamed the incoming
3320 record. After renaming it, we need to ensure the change of name and
3321 rDN for the incoming record is seen as an originating update by this DC.
3323 This also handles updating lastKnownParent for entries sent to lostAndFound
3325 static int replmd_op_name_modify_callback(struct ldb_request *req, struct ldb_reply *ares)
3327 struct replmd_replicated_request *ar =
3328 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3329 struct ldb_dn *conflict_dn;
3332 if (ares->error != LDB_SUCCESS) {
3333 /* call the normal callback for everything except success */
3334 return replmd_op_callback(req, ares);
3337 switch (req->operation) {
3339 conflict_dn = req->op.add.message->dn;
3342 conflict_dn = req->op.mod.message->dn;
3345 smb_panic("replmd_op_name_modify_callback called in unknown circumstances");
3348 /* perform a modify of the rDN and name of the record */
3349 ret = replmd_name_modify(ar, req, conflict_dn);
3350 if (ret != LDB_SUCCESS) {
3352 return replmd_op_callback(req, ares);
3355 if (ar->objs->objects[ar->index_current].last_known_parent) {
3356 struct ldb_message *msg = ldb_msg_new(req);
3358 ldb_module_oom(ar->module);
3359 return LDB_ERR_OPERATIONS_ERROR;
3362 msg->dn = req->op.add.message->dn;
3364 ret = ldb_msg_add_steal_string(msg, "lastKnownParent",
3365 ldb_dn_get_extended_linearized(msg, ar->objs->objects[ar->index_current].last_known_parent, 1));
3366 if (ret != LDB_SUCCESS) {
3367 DEBUG(0,(__location__ ": Failed to add lastKnownParent string to the msg\n"));
3368 ldb_module_oom(ar->module);
3371 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
3373 ret = dsdb_module_modify(ar->module, msg, DSDB_FLAG_OWN_MODULE, req);
3374 if (ret != LDB_SUCCESS) {
3375 DEBUG(0,(__location__ ": Failed to modify lastKnownParent of lostAndFound DN '%s' - %s",
3376 ldb_dn_get_linearized(msg->dn),
3377 ldb_errstring(ldb_module_get_ctx(ar->module))));
3383 return replmd_op_callback(req, ares);
3387 callback for replmd_replicated_apply_add() and replmd_replicated_handle_rename()
3388 This copes with the creation of conflict records in the case where
3389 the DN exists, but with a different objectGUID
3391 static int replmd_op_possible_conflict_callback(struct ldb_request *req, struct ldb_reply *ares, int (*callback)(struct ldb_request *req, struct ldb_reply *ares))
3393 struct ldb_dn *conflict_dn;
3394 struct replmd_replicated_request *ar =
3395 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3396 struct ldb_result *res;
3397 const char *attrs[] = { "replPropertyMetaData", "objectGUID", NULL };
3399 const struct ldb_val *omd_value;
3400 struct replPropertyMetaDataBlob omd, *rmd;
3401 enum ndr_err_code ndr_err;
3402 bool rename_incoming_record, rodc;
3403 struct replPropertyMetaData1 *rmd_name, *omd_name;
3404 struct ldb_message *msg;
3406 req->callback = callback;
3408 if (ares->error != LDB_ERR_ENTRY_ALREADY_EXISTS) {
3409 /* call the normal callback for everything except
3411 return ldb_module_done(req, ares->controls, ares->response, ares->error);
3414 ret = samdb_rodc(ldb_module_get_ctx(ar->module), &rodc);
3415 if (ret != LDB_SUCCESS) {
3416 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module), "Failed to determine if we are an RODC when attempting to form conflict DN: %s", ldb_errstring(ldb_module_get_ctx(ar->module)));
3417 return ldb_module_done(req, ares->controls, ares->response, LDB_ERR_OPERATIONS_ERROR);
3420 * we have a conflict, and need to decide if we will keep the
3421 * new record or the old record
3424 msg = ar->objs->objects[ar->index_current].msg;
3426 switch (req->operation) {
3428 conflict_dn = msg->dn;
3431 conflict_dn = req->op.rename.newdn;
3434 return ldb_module_done(req, ares->controls, ares->response, ldb_module_operr(ar->module));
3439 * We are on an RODC, or were a GC for this
3440 * partition, so we have to fail this until
3441 * someone who owns the partition sorts it
3444 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3445 "Conflict adding object '%s' from incoming replication as we are read only for the partition. \n"
3446 " - We must fail the operation until a master for this partition resolves the conflict",
3447 ldb_dn_get_linearized(conflict_dn));
3452 * first we need the replPropertyMetaData attribute from the
3455 ret = dsdb_module_search_dn(ar->module, req, &res, conflict_dn,
3457 DSDB_FLAG_NEXT_MODULE |
3458 DSDB_SEARCH_SHOW_DELETED |
3459 DSDB_SEARCH_SHOW_RECYCLED, req);
3460 if (ret != LDB_SUCCESS) {
3461 DEBUG(0,(__location__ ": Unable to find object for conflicting record '%s'\n",
3462 ldb_dn_get_linearized(conflict_dn)));
3466 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
3467 if (omd_value == NULL) {
3468 DEBUG(0,(__location__ ": Unable to find replPropertyMetaData for conflicting record '%s'\n",
3469 ldb_dn_get_linearized(conflict_dn)));
3473 ndr_err = ndr_pull_struct_blob(omd_value, res->msgs[0], &omd,
3474 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3475 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3476 DEBUG(0,(__location__ ": Failed to parse old replPropertyMetaData for %s\n",
3477 ldb_dn_get_linearized(conflict_dn)));
3481 rmd = ar->objs->objects[ar->index_current].meta_data;
3483 /* we decide which is newer based on the RPMD on the name
3484 attribute. See [MS-DRSR] ResolveNameConflict */
3485 rmd_name = replmd_replPropertyMetaData1_find_attid(rmd, DRSUAPI_ATTID_name);
3486 omd_name = replmd_replPropertyMetaData1_find_attid(&omd, DRSUAPI_ATTID_name);
3487 if (!rmd_name || !omd_name) {
3488 DEBUG(0,(__location__ ": Failed to find name attribute in replPropertyMetaData for %s\n",
3489 ldb_dn_get_linearized(conflict_dn)));
3493 rename_incoming_record = !(ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING) &&
3494 !replmd_replPropertyMetaData1_is_newer(omd_name, rmd_name);
3496 if (rename_incoming_record) {
3498 struct ldb_dn *new_dn;
3499 struct ldb_message *new_msg;
3502 * We want to run the original callback here, which
3503 * will return LDB_ERR_ENTRY_ALREADY_EXISTS to the
3504 * caller, which will in turn know to rename the
3505 * incoming record. The error string is set in case
3506 * this isn't handled properly at some point in the
3509 if (req->operation == LDB_RENAME) {
3510 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3511 "Unable to handle incoming renames where this would "
3512 "create a conflict. Incoming record is %s (caller to handle)\n",
3513 ldb_dn_get_extended_linearized(req, conflict_dn, 1));
3518 guid = samdb_result_guid(msg, "objectGUID");
3519 if (GUID_all_zero(&guid)) {
3520 DEBUG(0,(__location__ ": Failed to find objectGUID for conflicting incoming record %s\n",
3521 ldb_dn_get_linearized(conflict_dn)));
3524 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3525 if (new_dn == NULL) {
3526 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3527 ldb_dn_get_linearized(conflict_dn)));
3531 DEBUG(1,(__location__ ": Resolving conflict record via incoming rename '%s' -> '%s'\n",
3532 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3534 /* re-submit the request, but with a different
3535 callback, so we don't loop forever. */
3536 new_msg = ldb_msg_copy_shallow(req, msg);
3539 DEBUG(0,(__location__ ": Failed to copy conflict DN message for %s\n",
3540 ldb_dn_get_linearized(conflict_dn)));
3542 new_msg->dn = new_dn;
3543 req->op.add.message = new_msg;
3544 req->callback = replmd_op_name_modify_callback;
3546 return ldb_next_request(ar->module, req);
3548 /* we are renaming the existing record */
3550 struct ldb_dn *new_dn;
3552 guid = samdb_result_guid(res->msgs[0], "objectGUID");
3553 if (GUID_all_zero(&guid)) {
3554 DEBUG(0,(__location__ ": Failed to find objectGUID for existing conflict record %s\n",
3555 ldb_dn_get_linearized(conflict_dn)));
3559 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3560 if (new_dn == NULL) {
3561 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3562 ldb_dn_get_linearized(conflict_dn)));
3566 DEBUG(1,(__location__ ": Resolving conflict record via existing rename '%s' -> '%s'\n",
3567 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3569 ret = dsdb_module_rename(ar->module, conflict_dn, new_dn,
3570 DSDB_FLAG_OWN_MODULE, req);
3571 if (ret != LDB_SUCCESS) {
3572 DEBUG(0,(__location__ ": Failed to rename conflict dn '%s' to '%s' - %s\n",
3573 ldb_dn_get_linearized(conflict_dn),
3574 ldb_dn_get_linearized(new_dn),
3575 ldb_errstring(ldb_module_get_ctx(ar->module))));
3580 * now we need to ensure that the rename is seen as an
3581 * originating update. We do that with a modify.
3583 ret = replmd_name_modify(ar, req, new_dn);
3584 if (ret != LDB_SUCCESS) {
3588 return ldb_next_request(ar->module, req);
3592 /* on failure do the original callback. This means replication
3593 * will stop with an error, but there is not much else we can
3596 return ldb_module_done(req, ares->controls, ares->response, ares->error);
3600 callback for replmd_replicated_apply_add()
3601 This copes with the creation of conflict records in the case where
3602 the DN exists, but with a different objectGUID
3604 static int replmd_op_add_callback(struct ldb_request *req, struct ldb_reply *ares)
3606 struct replmd_replicated_request *ar =
3607 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3609 if (ar->objs->objects[ar->index_current].last_known_parent) {
3610 /* This is like a conflict DN, where we put the object in LostAndFound
3611 see MS-DRSR 4.1.10.6.10 FindBestParentObject */
3612 return replmd_op_possible_conflict_callback(req, ares, replmd_op_name_modify_callback);
3615 return replmd_op_possible_conflict_callback(req, ares, replmd_op_callback);
3619 callback for replmd_replicated_handle_rename()
3620 This copes with the creation of conflict records in the case where
3621 the DN exists, but with a different objectGUID
3623 static int replmd_op_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
3625 return replmd_op_possible_conflict_callback(req, ares, ldb_modify_default_callback);
3629 this is called when a new object comes in over DRS
3631 static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
3633 struct ldb_context *ldb;
3634 struct ldb_request *change_req;
3635 enum ndr_err_code ndr_err;
3636 struct ldb_message *msg;
3637 struct replPropertyMetaDataBlob *md;
3638 struct ldb_val md_value;
3643 * TODO: check if the parent object exist
3647 * TODO: handle the conflict case where an object with the
3651 ldb = ldb_module_get_ctx(ar->module);
3652 msg = ar->objs->objects[ar->index_current].msg;
3653 md = ar->objs->objects[ar->index_current].meta_data;
3655 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
3656 if (ret != LDB_SUCCESS) {
3657 return replmd_replicated_request_error(ar, ret);
3660 ret = ldb_msg_add_value(msg, "objectGUID", &ar->objs->objects[ar->index_current].guid_value, NULL);
3661 if (ret != LDB_SUCCESS) {
3662 return replmd_replicated_request_error(ar, ret);
3665 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
3666 if (ret != LDB_SUCCESS) {
3667 return replmd_replicated_request_error(ar, ret);
3670 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ar->seq_num);
3671 if (ret != LDB_SUCCESS) {
3672 return replmd_replicated_request_error(ar, ret);
3675 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
3676 if (ret != LDB_SUCCESS) {
3677 return replmd_replicated_request_error(ar, ret);
3680 /* remove any message elements that have zero values */
3681 for (i=0; i<msg->num_elements; i++) {
3682 struct ldb_message_element *el = &msg->elements[i];
3684 if (el->num_values == 0) {
3685 DEBUG(4,(__location__ ": Removing attribute %s with num_values==0\n",
3687 memmove(el, el+1, sizeof(*el)*(msg->num_elements - (i+1)));
3688 msg->num_elements--;
3695 * the meta data array is already sorted by the caller
3697 for (i=0; i < md->ctr.ctr1.count; i++) {
3698 md->ctr.ctr1.array[i].local_usn = ar->seq_num;
3700 ndr_err = ndr_push_struct_blob(&md_value, msg, md,
3701 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
3702 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3703 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
3704 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
3706 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &md_value, NULL);
3707 if (ret != LDB_SUCCESS) {
3708 return replmd_replicated_request_error(ar, ret);
3711 replmd_ldb_message_sort(msg, ar->schema);
3714 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_ADD, msg);
3715 DEBUG(4, ("DRS replication add message:\n%s\n", s));
3719 ret = ldb_build_add_req(&change_req,
3725 replmd_op_add_callback,
3727 LDB_REQ_SET_LOCATION(change_req);
3728 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3730 /* current partition control needed by "repmd_op_callback" */
3731 ret = ldb_request_add_control(change_req,
3732 DSDB_CONTROL_CURRENT_PARTITION_OID,
3734 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3736 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) {
3737 /* this tells the partition module to make it a
3738 partial replica if creating an NC */
3739 ret = ldb_request_add_control(change_req,
3740 DSDB_CONTROL_PARTIAL_REPLICA,
3742 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3745 return ldb_next_request(ar->module, change_req);
3748 static int replmd_replicated_apply_search_for_parent_callback(struct ldb_request *req,
3749 struct ldb_reply *ares)
3751 struct replmd_replicated_request *ar = talloc_get_type(req->context,
3752 struct replmd_replicated_request);
3756 return ldb_module_done(ar->req, NULL, NULL,
3757 LDB_ERR_OPERATIONS_ERROR);
3759 if (ares->error != LDB_SUCCESS &&
3760 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
3761 return ldb_module_done(ar->req, ares->controls,
3762 ares->response, ares->error);
3765 switch (ares->type) {
3766 case LDB_REPLY_ENTRY:
3768 struct ldb_message *parent_msg = ares->message;
3769 struct ldb_message *msg = ar->objs->objects[ar->index_current].msg;
3770 struct ldb_dn *parent_dn;
3773 if (!ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")
3774 && ldb_msg_check_string_attribute(parent_msg, "isDeleted", "TRUE")) {
3775 /* Per MS-DRSR 4.1.10.6.10
3776 * FindBestParentObject we need to move this
3777 * new object under a deleted object to
3779 struct ldb_dn *nc_root;
3781 ret = dsdb_find_nc_root(ldb_module_get_ctx(ar->module), msg, msg->dn, &nc_root);
3782 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
3783 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3784 "No suitable NC root found for %s. "
3785 "We need to move this object because parent object %s "
3786 "is deleted, but this object is not.",
3787 ldb_dn_get_linearized(msg->dn),
3788 ldb_dn_get_linearized(parent_msg->dn));
3789 return ldb_module_done(ar->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
3790 } else if (ret != LDB_SUCCESS) {
3791 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3792 "Unable to find NC root for %s: %s. "
3793 "We need to move this object because parent object %s "
3794 "is deleted, but this object is not.",
3795 ldb_dn_get_linearized(msg->dn),
3796 ldb_errstring(ldb_module_get_ctx(ar->module)),
3797 ldb_dn_get_linearized(parent_msg->dn));
3798 return ldb_module_done(ar->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
3801 ret = dsdb_wellknown_dn(ldb_module_get_ctx(ar->module), msg,
3803 DS_GUID_LOSTANDFOUND_CONTAINER,
3805 if (ret != LDB_SUCCESS) {
3806 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3807 "Unable to find LostAndFound Container for %s "
3808 "in partition %s: %s. "
3809 "We need to move this object because parent object %s "
3810 "is deleted, but this object is not.",
3811 ldb_dn_get_linearized(msg->dn), ldb_dn_get_linearized(nc_root),
3812 ldb_errstring(ldb_module_get_ctx(ar->module)),
3813 ldb_dn_get_linearized(parent_msg->dn));
3814 return ldb_module_done(ar->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
3816 ar->objs->objects[ar->index_current].last_known_parent
3817 = talloc_steal(ar->objs->objects[ar->index_current].msg, parent_msg->dn);
3819 parent_dn = parent_msg->dn;
3822 comp_num = ldb_dn_get_comp_num(msg->dn);
3824 if (!ldb_dn_remove_base_components(msg->dn, comp_num - 1)) {
3826 return ldb_module_done(ar->req, NULL, NULL, ldb_module_operr(ar->module));
3829 if (!ldb_dn_add_base(msg->dn, parent_dn)) {
3831 return ldb_module_done(ar->req, NULL, NULL, ldb_module_operr(ar->module));
3835 case LDB_REPLY_REFERRAL:
3836 /* we ignore referrals */
3839 case LDB_REPLY_DONE:
3840 ret = replmd_replicated_apply_add(ar);
3841 if (ret != LDB_SUCCESS) {
3842 return ldb_module_done(ar->req, NULL, NULL, ret);
3851 * Look for the parent object, so we put the new object in the right place
3854 static int replmd_replicated_apply_search_for_parent(struct replmd_replicated_request *ar)
3856 struct ldb_context *ldb;
3860 struct ldb_request *search_req;
3861 static const char *attrs[] = {"isDeleted", NULL};
3863 ldb = ldb_module_get_ctx(ar->module);
3865 if (!ar->objs->objects[ar->index_current].parent_guid_value.data) {
3866 return replmd_replicated_apply_add(ar);
3869 tmp_str = ldb_binary_encode(ar, ar->objs->objects[ar->index_current].parent_guid_value);
3870 if (!tmp_str) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3872 filter = talloc_asprintf(ar, "(objectGUID=%s)", tmp_str);
3873 if (!filter) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3874 talloc_free(tmp_str);
3876 ret = ldb_build_search_req(&search_req,
3879 ar->objs->partition_dn,
3885 replmd_replicated_apply_search_for_parent_callback,
3887 LDB_REQ_SET_LOCATION(search_req);
3889 ret = dsdb_request_add_controls(search_req,
3890 DSDB_SEARCH_SHOW_RECYCLED|
3891 DSDB_SEARCH_SHOW_DELETED|
3892 DSDB_SEARCH_SHOW_EXTENDED_DN);
3893 if (ret != LDB_SUCCESS) {
3897 return ldb_next_request(ar->module, search_req);
3901 handle renames that come in over DRS replication
3903 static int replmd_replicated_handle_rename(struct replmd_replicated_request *ar,
3904 struct ldb_message *msg,
3905 struct replPropertyMetaDataBlob *rmd,
3906 struct replPropertyMetaDataBlob *omd,
3907 struct ldb_request *parent)
3909 struct replPropertyMetaData1 *md_remote;
3910 struct replPropertyMetaData1 *md_local;
3912 if (ldb_dn_compare(msg->dn, ar->search_msg->dn) == 0) {
3917 /* now we need to check for double renames. We could have a
3918 * local rename pending which our replication partner hasn't
3919 * received yet. We choose which one wins by looking at the
3920 * attribute stamps on the two objects, the newer one wins
3922 md_remote = replmd_replPropertyMetaData1_find_attid(rmd, DRSUAPI_ATTID_name);
3923 md_local = replmd_replPropertyMetaData1_find_attid(omd, DRSUAPI_ATTID_name);
3924 /* if there is no name attribute then we have to assume the
3925 object we've received is in fact newer */
3926 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING ||
3927 !md_remote || !md_local ||
3928 replmd_replPropertyMetaData1_is_newer(md_local, md_remote)) {
3929 struct ldb_request *req;
3931 TALLOC_CTX *tmp_ctx = talloc_new(msg);
3932 struct ldb_result *res;
3934 DEBUG(4,("replmd_replicated_request rename %s => %s\n",
3935 ldb_dn_get_linearized(ar->search_msg->dn),
3936 ldb_dn_get_linearized(msg->dn)));
3939 res = talloc_zero(tmp_ctx, struct ldb_result);
3941 talloc_free(tmp_ctx);
3942 return ldb_oom(ldb_module_get_ctx(ar->module));
3945 /* pass rename to the next module
3946 * so it doesn't appear as an originating update */
3947 ret = ldb_build_rename_req(&req, ldb_module_get_ctx(ar->module), tmp_ctx,
3948 ar->search_msg->dn, msg->dn,
3951 replmd_op_rename_callback,
3953 LDB_REQ_SET_LOCATION(req);
3954 if (ret != LDB_SUCCESS) {
3955 talloc_free(tmp_ctx);
3959 ret = dsdb_request_add_controls(req, DSDB_MODIFY_RELAX);
3960 if (ret != LDB_SUCCESS) {
3961 talloc_free(tmp_ctx);
3965 ret = ldb_next_request(ar->module, req);
3967 if (ret == LDB_SUCCESS) {
3968 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
3971 talloc_free(tmp_ctx);
3975 /* we're going to keep our old object */
3976 DEBUG(4,(__location__ ": Keeping object %s and rejecting older rename to %s\n",
3977 ldb_dn_get_linearized(ar->search_msg->dn),
3978 ldb_dn_get_linearized(msg->dn)));
3983 static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
3985 struct ldb_context *ldb;
3986 struct ldb_request *change_req;
3987 enum ndr_err_code ndr_err;
3988 struct ldb_message *msg;
3989 struct replPropertyMetaDataBlob *rmd;
3990 struct replPropertyMetaDataBlob omd;
3991 const struct ldb_val *omd_value;
3992 struct replPropertyMetaDataBlob nmd;
3993 struct ldb_val nmd_value;
3996 unsigned int removed_attrs = 0;
3998 int (*callback)(struct ldb_request *req, struct ldb_reply *ares) = replmd_op_callback;
4000 ldb = ldb_module_get_ctx(ar->module);
4001 msg = ar->objs->objects[ar->index_current].msg;
4003 rmd = ar->objs->objects[ar->index_current].meta_data;
4007 /* find existing meta data */
4008 omd_value = ldb_msg_find_ldb_val(ar->search_msg, "replPropertyMetaData");
4010 ndr_err = ndr_pull_struct_blob(omd_value, ar, &omd,
4011 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
4012 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4013 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4014 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4017 if (omd.version != 1) {
4018 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4022 /* handle renames that come in over DRS */
4023 ret = replmd_replicated_handle_rename(ar, msg, rmd, &omd, ar->req);
4026 * This particular error code means that we already tried the
4027 * conflict algrorithm, and the existing record name was newer, so we
4028 * need to rename the incoming record
4030 if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
4033 struct ldb_dn *new_dn;
4034 status = GUID_from_ndr_blob(&ar->objs->objects[ar->index_current].guid_value, &guid);
4035 /* This really, really can't fail */
4036 SMB_ASSERT(NT_STATUS_IS_OK(status));
4038 new_dn = replmd_conflict_dn(msg, msg->dn, &guid);
4039 if (new_dn == NULL) {
4040 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4041 "Failed to form conflict DN for %s\n",
4042 ldb_dn_get_linearized(msg->dn));
4044 return replmd_replicated_request_werror(ar, WERR_NOMEM);
4047 ret = dsdb_module_rename(ar->module, ar->search_msg->dn, new_dn,
4048 DSDB_FLAG_NEXT_MODULE, ar->req);
4049 if (ret != LDB_SUCCESS) {
4050 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
4051 "Failed to rename incoming conflicting dn '%s' (was '%s') to '%s' - %s\n",
4052 ldb_dn_get_linearized(msg->dn),
4053 ldb_dn_get_linearized(ar->search_msg->dn),
4054 ldb_dn_get_linearized(new_dn),
4055 ldb_errstring(ldb_module_get_ctx(ar->module)));
4056 return replmd_replicated_request_werror(ar, WERR_DS_DRA_DB_ERROR);
4059 /* Set the callback to one that will fix up the name to be a conflict DN */
4060 callback = replmd_op_name_modify_callback;
4062 } else if (ret != LDB_SUCCESS) {
4063 ldb_debug(ldb, LDB_DEBUG_FATAL,
4064 "replmd_replicated_request rename %s => %s failed - %s\n",
4065 ldb_dn_get_linearized(ar->search_msg->dn),
4066 ldb_dn_get_linearized(msg->dn),
4067 ldb_errstring(ldb));
4068 return replmd_replicated_request_werror(ar, WERR_DS_DRA_DB_ERROR);
4073 nmd.ctr.ctr1.count = omd.ctr.ctr1.count + rmd->ctr.ctr1.count;
4074 nmd.ctr.ctr1.array = talloc_array(ar,
4075 struct replPropertyMetaData1,
4076 nmd.ctr.ctr1.count);
4077 if (!nmd.ctr.ctr1.array) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4079 /* first copy the old meta data */
4080 for (i=0; i < omd.ctr.ctr1.count; i++) {
4081 nmd.ctr.ctr1.array[ni] = omd.ctr.ctr1.array[i];
4086 /* now merge in the new meta data */
4087 for (i=0; i < rmd->ctr.ctr1.count; i++) {
4090 for (j=0; j < ni; j++) {
4093 if (rmd->ctr.ctr1.array[i].attid != nmd.ctr.ctr1.array[j].attid) {
4097 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING) {
4098 /* if we compare equal then do an
4099 update. This is used when a client
4100 asks for a FULL_SYNC, and can be
4101 used to recover a corrupt
4103 cmp = !replmd_replPropertyMetaData1_is_newer(&rmd->ctr.ctr1.array[i],
4104 &nmd.ctr.ctr1.array[j]);
4106 cmp = replmd_replPropertyMetaData1_is_newer(&nmd.ctr.ctr1.array[j],
4107 &rmd->ctr.ctr1.array[i]);
4110 /* replace the entry */
4111 nmd.ctr.ctr1.array[j] = rmd->ctr.ctr1.array[i];
4112 if (ar->seq_num == 0) {
4113 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
4114 if (ret != LDB_SUCCESS) {
4115 return replmd_replicated_request_error(ar, ret);
4118 nmd.ctr.ctr1.array[j].local_usn = ar->seq_num;
4123 if (rmd->ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType) {
4124 DEBUG(3,("Discarding older DRS attribute update to %s on %s from %s\n",
4125 msg->elements[i-removed_attrs].name,
4126 ldb_dn_get_linearized(msg->dn),
4127 GUID_string(ar, &rmd->ctr.ctr1.array[i].originating_invocation_id)));
4130 /* we don't want to apply this change so remove the attribute */
4131 ldb_msg_remove_element(msg, &msg->elements[i-removed_attrs]);
4138 if (found) continue;
4140 nmd.ctr.ctr1.array[ni] = rmd->ctr.ctr1.array[i];
4141 if (ar->seq_num == 0) {
4142 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
4143 if (ret != LDB_SUCCESS) {
4144 return replmd_replicated_request_error(ar, ret);
4147 nmd.ctr.ctr1.array[ni].local_usn = ar->seq_num;
4152 * finally correct the size of the meta_data array
4154 nmd.ctr.ctr1.count = ni;
4157 * the rdn attribute (the alias for the name attribute),
4158 * 'cn' for most objects is the last entry in the meta data array
4161 * sort the new meta data array
4163 ret = replmd_replPropertyMetaDataCtr1_sort(&nmd.ctr.ctr1, ar->schema, msg->dn);
4164 if (ret != LDB_SUCCESS) {
4169 * check if some replicated attributes left, otherwise skip the ldb_modify() call
4171 if (msg->num_elements == 0) {
4172 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: skip replace\n",
4175 ar->index_current++;
4176 return replmd_replicated_apply_next(ar);
4179 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: replace %u attributes\n",
4180 ar->index_current, msg->num_elements);
4182 /* create the meta data value */
4183 ndr_err = ndr_push_struct_blob(&nmd_value, msg, &nmd,
4184 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
4185 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4186 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4187 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4191 * when we know that we'll modify the record, add the whenChanged, uSNChanged
4192 * and replPopertyMetaData attributes
4194 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
4195 if (ret != LDB_SUCCESS) {
4196 return replmd_replicated_request_error(ar, ret);
4198 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
4199 if (ret != LDB_SUCCESS) {
4200 return replmd_replicated_request_error(ar, ret);
4202 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
4203 if (ret != LDB_SUCCESS) {
4204 return replmd_replicated_request_error(ar, ret);
4207 replmd_ldb_message_sort(msg, ar->schema);
4209 /* we want to replace the old values */
4210 for (i=0; i < msg->num_elements; i++) {
4211 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
4215 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
4216 DEBUG(4, ("DRS replication modify message:\n%s\n", s));
4220 ret = ldb_build_mod_req(&change_req,
4228 LDB_REQ_SET_LOCATION(change_req);
4229 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4231 /* current partition control needed by "repmd_op_callback" */
4232 ret = ldb_request_add_control(change_req,
4233 DSDB_CONTROL_CURRENT_PARTITION_OID,
4235 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4237 return ldb_next_request(ar->module, change_req);
4240 static int replmd_replicated_apply_search_callback(struct ldb_request *req,
4241 struct ldb_reply *ares)
4243 struct replmd_replicated_request *ar = talloc_get_type(req->context,
4244 struct replmd_replicated_request);
4248 return ldb_module_done(ar->req, NULL, NULL,
4249 LDB_ERR_OPERATIONS_ERROR);
4251 if (ares->error != LDB_SUCCESS &&
4252 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
4253 return ldb_module_done(ar->req, ares->controls,
4254 ares->response, ares->error);
4257 switch (ares->type) {
4258 case LDB_REPLY_ENTRY:
4259 ar->search_msg = talloc_steal(ar, ares->message);
4262 case LDB_REPLY_REFERRAL:
4263 /* we ignore referrals */
4266 case LDB_REPLY_DONE:
4267 ar->objs->objects[ar->index_current].last_known_parent = NULL;
4269 if (ar->search_msg != NULL) {
4270 ret = replmd_replicated_apply_merge(ar);
4272 ret = replmd_replicated_apply_search_for_parent(ar);
4274 if (ret != LDB_SUCCESS) {
4275 return ldb_module_done(ar->req, NULL, NULL, ret);
4283 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar);
4285 static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
4287 struct ldb_context *ldb;
4291 struct ldb_request *search_req;
4292 struct ldb_search_options_control *options;
4294 if (ar->index_current >= ar->objs->num_objects) {
4295 /* done with it, go to next stage */
4296 return replmd_replicated_uptodate_vector(ar);
4299 ldb = ldb_module_get_ctx(ar->module);
4300 ar->search_msg = NULL;
4302 tmp_str = ldb_binary_encode(ar, ar->objs->objects[ar->index_current].guid_value);
4303 if (!tmp_str) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4305 filter = talloc_asprintf(ar, "(objectGUID=%s)", tmp_str);
4306 if (!filter) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4307 talloc_free(tmp_str);
4309 ret = ldb_build_search_req(&search_req,
4318 replmd_replicated_apply_search_callback,
4320 LDB_REQ_SET_LOCATION(search_req);
4322 ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_RECYCLED_OID,
4324 if (ret != LDB_SUCCESS) {
4328 /* we need to cope with cross-partition links, so search for
4329 the GUID over all partitions */
4330 options = talloc(search_req, struct ldb_search_options_control);
4331 if (options == NULL) {
4332 DEBUG(0, (__location__ ": out of memory\n"));
4333 return LDB_ERR_OPERATIONS_ERROR;
4335 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
4337 ret = ldb_request_add_control(search_req,
4338 LDB_CONTROL_SEARCH_OPTIONS_OID,
4340 if (ret != LDB_SUCCESS) {
4344 return ldb_next_request(ar->module, search_req);
4347 static int replmd_replicated_uptodate_modify_callback(struct ldb_request *req,
4348 struct ldb_reply *ares)
4350 struct ldb_context *ldb;
4351 struct replmd_replicated_request *ar = talloc_get_type(req->context,
4352 struct replmd_replicated_request);
4353 ldb = ldb_module_get_ctx(ar->module);
4356 return ldb_module_done(ar->req, NULL, NULL,
4357 LDB_ERR_OPERATIONS_ERROR);
4359 if (ares->error != LDB_SUCCESS) {
4360 return ldb_module_done(ar->req, ares->controls,
4361 ares->response, ares->error);
4364 if (ares->type != LDB_REPLY_DONE) {
4365 ldb_asprintf_errstring(ldb, "Invalid LDB reply type %d", ares->type);
4366 return ldb_module_done(ar->req, NULL, NULL,
4367 LDB_ERR_OPERATIONS_ERROR);
4372 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4375 static int replmd_replicated_uptodate_modify(struct replmd_replicated_request *ar)
4377 struct ldb_context *ldb;
4378 struct ldb_request *change_req;
4379 enum ndr_err_code ndr_err;
4380 struct ldb_message *msg;
4381 struct replUpToDateVectorBlob ouv;
4382 const struct ldb_val *ouv_value;
4383 const struct drsuapi_DsReplicaCursor2CtrEx *ruv;
4384 struct replUpToDateVectorBlob nuv;
4385 struct ldb_val nuv_value;
4386 struct ldb_message_element *nuv_el = NULL;
4387 const struct GUID *our_invocation_id;
4388 struct ldb_message_element *orf_el = NULL;
4389 struct repsFromToBlob nrf;
4390 struct ldb_val *nrf_value = NULL;
4391 struct ldb_message_element *nrf_el = NULL;
4395 time_t t = time(NULL);
4398 uint32_t instanceType;
4400 ldb = ldb_module_get_ctx(ar->module);
4401 ruv = ar->objs->uptodateness_vector;
4407 unix_to_nt_time(&now, t);
4409 if (ar->search_msg == NULL) {
4410 /* this happens for a REPL_OBJ call where we are
4411 creating the target object by replicating it. The
4412 subdomain join code does this for the partition DN
4414 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as no target DN\n"));
4415 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4418 instanceType = ldb_msg_find_attr_as_uint(ar->search_msg, "instanceType", 0);
4419 if (! (instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
4420 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as not NC root: %s\n",
4421 ldb_dn_get_linearized(ar->search_msg->dn)));
4422 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4426 * first create the new replUpToDateVector
4428 ouv_value = ldb_msg_find_ldb_val(ar->search_msg, "replUpToDateVector");
4430 ndr_err = ndr_pull_struct_blob(ouv_value, ar, &ouv,
4431 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
4432 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4433 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4434 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4437 if (ouv.version != 2) {
4438 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4443 * the new uptodateness vector will at least
4444 * contain 1 entry, one for the source_dsa
4446 * plus optional values from our old vector and the one from the source_dsa
4448 nuv.ctr.ctr2.count = 1 + ouv.ctr.ctr2.count;
4449 if (ruv) nuv.ctr.ctr2.count += ruv->count;
4450 nuv.ctr.ctr2.cursors = talloc_array(ar,
4451 struct drsuapi_DsReplicaCursor2,
4452 nuv.ctr.ctr2.count);
4453 if (!nuv.ctr.ctr2.cursors) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4455 /* first copy the old vector */
4456 for (i=0; i < ouv.ctr.ctr2.count; i++) {
4457 nuv.ctr.ctr2.cursors[ni] = ouv.ctr.ctr2.cursors[i];
4461 /* get our invocation_id if we have one already attached to the ldb */
4462 our_invocation_id = samdb_ntds_invocation_id(ldb);
4464 /* merge in the source_dsa vector is available */
4465 for (i=0; (ruv && i < ruv->count); i++) {
4468 if (our_invocation_id &&
4469 GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
4470 our_invocation_id)) {
4474 for (j=0; j < ni; j++) {
4475 if (!GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
4476 &nuv.ctr.ctr2.cursors[j].source_dsa_invocation_id)) {
4483 * we update only the highest_usn and not the latest_sync_success time,
4484 * because the last success stands for direct replication
4486 if (ruv->cursors[i].highest_usn > nuv.ctr.ctr2.cursors[j].highest_usn) {
4487 nuv.ctr.ctr2.cursors[j].highest_usn = ruv->cursors[i].highest_usn;
4492 if (found) continue;
4494 /* if it's not there yet, add it */
4495 nuv.ctr.ctr2.cursors[ni] = ruv->cursors[i];
4500 * merge in the current highwatermark for the source_dsa
4503 for (j=0; j < ni; j++) {
4504 if (!GUID_equal(&ar->objs->source_dsa->source_dsa_invocation_id,
4505 &nuv.ctr.ctr2.cursors[j].source_dsa_invocation_id)) {
4512 * here we update the highest_usn and last_sync_success time
4513 * because we're directly replicating from the source_dsa
4515 * and use the tmp_highest_usn because this is what we have just applied
4518 nuv.ctr.ctr2.cursors[j].highest_usn = ar->objs->source_dsa->highwatermark.tmp_highest_usn;
4519 nuv.ctr.ctr2.cursors[j].last_sync_success = now;
4524 * here we update the highest_usn and last_sync_success time
4525 * because we're directly replicating from the source_dsa
4527 * and use the tmp_highest_usn because this is what we have just applied
4530 nuv.ctr.ctr2.cursors[ni].source_dsa_invocation_id= ar->objs->source_dsa->source_dsa_invocation_id;
4531 nuv.ctr.ctr2.cursors[ni].highest_usn = ar->objs->source_dsa->highwatermark.tmp_highest_usn;
4532 nuv.ctr.ctr2.cursors[ni].last_sync_success = now;
4537 * finally correct the size of the cursors array
4539 nuv.ctr.ctr2.count = ni;
4544 TYPESAFE_QSORT(nuv.ctr.ctr2.cursors, nuv.ctr.ctr2.count, drsuapi_DsReplicaCursor2_compare);
4547 * create the change ldb_message
4549 msg = ldb_msg_new(ar);
4550 if (!msg) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4551 msg->dn = ar->search_msg->dn;
4553 ndr_err = ndr_push_struct_blob(&nuv_value, msg, &nuv,
4554 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
4555 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4556 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4557 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4559 ret = ldb_msg_add_value(msg, "replUpToDateVector", &nuv_value, &nuv_el);
4560 if (ret != LDB_SUCCESS) {
4561 return replmd_replicated_request_error(ar, ret);
4563 nuv_el->flags = LDB_FLAG_MOD_REPLACE;
4566 * now create the new repsFrom value from the given repsFromTo1 structure
4570 nrf.ctr.ctr1 = *ar->objs->source_dsa;
4571 nrf.ctr.ctr1.highwatermark.highest_usn = nrf.ctr.ctr1.highwatermark.tmp_highest_usn;
4574 * first see if we already have a repsFrom value for the current source dsa
4575 * if so we'll later replace this value
4577 orf_el = ldb_msg_find_element(ar->search_msg, "repsFrom");
4579 for (i=0; i < orf_el->num_values; i++) {
4580 struct repsFromToBlob *trf;
4582 trf = talloc(ar, struct repsFromToBlob);
4583 if (!trf) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4585 ndr_err = ndr_pull_struct_blob(&orf_el->values[i], trf, trf,
4586 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
4587 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4588 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4589 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4592 if (trf->version != 1) {
4593 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4597 * we compare the source dsa objectGUID not the invocation_id
4598 * because we want only one repsFrom value per source dsa
4599 * and when the invocation_id of the source dsa has changed we don't need
4600 * the old repsFrom with the old invocation_id
4602 if (!GUID_equal(&trf->ctr.ctr1.source_dsa_obj_guid,
4603 &ar->objs->source_dsa->source_dsa_obj_guid)) {
4609 nrf_value = &orf_el->values[i];
4614 * copy over all old values to the new ldb_message
4616 ret = ldb_msg_add_empty(msg, "repsFrom", 0, &nrf_el);
4617 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4622 * if we haven't found an old repsFrom value for the current source dsa
4623 * we'll add a new value
4626 struct ldb_val zero_value;
4627 ZERO_STRUCT(zero_value);
4628 ret = ldb_msg_add_value(msg, "repsFrom", &zero_value, &nrf_el);
4629 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4631 nrf_value = &nrf_el->values[nrf_el->num_values - 1];
4634 /* we now fill the value which is already attached to ldb_message */
4635 ndr_err = ndr_push_struct_blob(nrf_value, msg,
4637 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
4638 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4639 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4640 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4644 * the ldb_message_element for the attribute, has all the old values and the new one
4645 * so we'll replace the whole attribute with all values
4647 nrf_el->flags = LDB_FLAG_MOD_REPLACE;
4649 if (CHECK_DEBUGLVL(4)) {
4650 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
4651 DEBUG(4, ("DRS replication uptodate modify message:\n%s\n", s));
4655 /* prepare the ldb_modify() request */
4656 ret = ldb_build_mod_req(&change_req,
4662 replmd_replicated_uptodate_modify_callback,
4664 LDB_REQ_SET_LOCATION(change_req);
4665 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4667 return ldb_next_request(ar->module, change_req);
4670 static int replmd_replicated_uptodate_search_callback(struct ldb_request *req,
4671 struct ldb_reply *ares)
4673 struct replmd_replicated_request *ar = talloc_get_type(req->context,
4674 struct replmd_replicated_request);
4678 return ldb_module_done(ar->req, NULL, NULL,
4679 LDB_ERR_OPERATIONS_ERROR);
4681 if (ares->error != LDB_SUCCESS &&
4682 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
4683 return ldb_module_done(ar->req, ares->controls,
4684 ares->response, ares->error);
4687 switch (ares->type) {
4688 case LDB_REPLY_ENTRY:
4689 ar->search_msg = talloc_steal(ar, ares->message);
4692 case LDB_REPLY_REFERRAL:
4693 /* we ignore referrals */
4696 case LDB_REPLY_DONE:
4697 ret = replmd_replicated_uptodate_modify(ar);
4698 if (ret != LDB_SUCCESS) {
4699 return ldb_module_done(ar->req, NULL, NULL, ret);
4708 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar)
4710 struct ldb_context *ldb;
4712 static const char *attrs[] = {
4713 "replUpToDateVector",
4718 struct ldb_request *search_req;
4720 ldb = ldb_module_get_ctx(ar->module);
4721 ar->search_msg = NULL;
4723 ret = ldb_build_search_req(&search_req,
4726 ar->objs->partition_dn,
4732 replmd_replicated_uptodate_search_callback,
4734 LDB_REQ_SET_LOCATION(search_req);
4735 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4737 return ldb_next_request(ar->module, search_req);
4742 static int replmd_extended_replicated_objects(struct ldb_module *module, struct ldb_request *req)
4744 struct ldb_context *ldb;
4745 struct dsdb_extended_replicated_objects *objs;
4746 struct replmd_replicated_request *ar;
4747 struct ldb_control **ctrls;
4750 struct replmd_private *replmd_private =
4751 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
4752 struct dsdb_control_replicated_update *rep_update;
4754 ldb = ldb_module_get_ctx(module);
4756 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_extended_replicated_objects\n");
4758 objs = talloc_get_type(req->op.extended.data, struct dsdb_extended_replicated_objects);
4760 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: invalid extended data\n");
4761 return LDB_ERR_PROTOCOL_ERROR;
4764 if (objs->version != DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION) {
4765 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: extended data invalid version [%u != %u]\n",
4766 objs->version, DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION);
4767 return LDB_ERR_PROTOCOL_ERROR;
4770 ar = replmd_ctx_init(module, req);
4772 return LDB_ERR_OPERATIONS_ERROR;
4774 /* Set the flags to have the replmd_op_callback run over the full set of objects */
4775 ar->apply_mode = true;
4777 ar->schema = dsdb_get_schema(ldb, ar);
4779 ldb_debug_set(ldb, LDB_DEBUG_FATAL, "replmd_ctx_init: no loaded schema found\n");
4781 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
4782 return LDB_ERR_CONSTRAINT_VIOLATION;
4785 ctrls = req->controls;
4787 if (req->controls) {
4788 req->controls = talloc_memdup(ar, req->controls,
4789 talloc_get_size(req->controls));
4790 if (!req->controls) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4793 /* This allows layers further down to know if a change came in
4794 over replication and what the replication flags were */
4795 rep_update = talloc_zero(ar, struct dsdb_control_replicated_update);
4796 if (rep_update == NULL) {
4797 return ldb_module_oom(module);
4799 rep_update->dsdb_repl_flags = objs->dsdb_repl_flags;
4801 ret = ldb_request_add_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID, false, rep_update);
4802 if (ret != LDB_SUCCESS) {
4806 /* If this change contained linked attributes in the body
4807 * (rather than in the links section) we need to update
4808 * backlinks in linked_attributes */
4809 ret = ldb_request_add_control(req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
4810 if (ret != LDB_SUCCESS) {
4814 ar->controls = req->controls;
4815 req->controls = ctrls;
4817 DEBUG(4,("linked_attributes_count=%u\n", objs->linked_attributes_count));
4819 /* save away the linked attributes for the end of the
4821 for (i=0; i<ar->objs->linked_attributes_count; i++) {
4822 struct la_entry *la_entry;
4824 if (replmd_private->la_ctx == NULL) {
4825 replmd_private->la_ctx = talloc_new(replmd_private);
4827 la_entry = talloc(replmd_private->la_ctx, struct la_entry);
4828 if (la_entry == NULL) {
4830 return LDB_ERR_OPERATIONS_ERROR;
4832 la_entry->la = talloc(la_entry, struct drsuapi_DsReplicaLinkedAttribute);
4833 if (la_entry->la == NULL) {
4834 talloc_free(la_entry);
4836 return LDB_ERR_OPERATIONS_ERROR;
4838 *la_entry->la = ar->objs->linked_attributes[i];
4840 /* we need to steal the non-scalars so they stay
4841 around until the end of the transaction */
4842 talloc_steal(la_entry->la, la_entry->la->identifier);
4843 talloc_steal(la_entry->la, la_entry->la->value.blob);
4845 DLIST_ADD(replmd_private->la_list, la_entry);
4848 return replmd_replicated_apply_next(ar);
4852 process one linked attribute structure
4854 static int replmd_process_linked_attribute(struct ldb_module *module,
4855 struct la_entry *la_entry,
4856 struct ldb_request *parent)
4858 struct drsuapi_DsReplicaLinkedAttribute *la = la_entry->la;
4859 struct ldb_context *ldb = ldb_module_get_ctx(module);
4860 struct ldb_message *msg;
4861 TALLOC_CTX *tmp_ctx = talloc_new(la_entry);
4862 const struct dsdb_schema *schema = dsdb_get_schema(ldb, tmp_ctx);
4864 const struct dsdb_attribute *attr;
4865 struct dsdb_dn *dsdb_dn;
4866 uint64_t seq_num = 0;
4867 struct ldb_message_element *old_el;
4869 time_t t = time(NULL);
4870 struct ldb_result *res;
4871 const char *attrs[2];
4872 struct parsed_dn *pdn_list, *pdn;
4873 struct GUID guid = GUID_zero();
4875 bool active = (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?true:false;
4876 const struct GUID *our_invocation_id;
4879 linked_attributes[0]:
4880 &objs->linked_attributes[i]: struct drsuapi_DsReplicaLinkedAttribute
4882 identifier: struct drsuapi_DsReplicaObjectIdentifier
4883 __ndr_size : 0x0000003a (58)
4884 __ndr_size_sid : 0x00000000 (0)
4885 guid : 8e95b6a9-13dd-4158-89db-3220a5be5cc7
4887 __ndr_size_dn : 0x00000000 (0)
4889 attid : DRSUAPI_ATTID_member (0x1F)
4890 value: struct drsuapi_DsAttributeValue
4891 __ndr_size : 0x0000007e (126)
4893 blob : DATA_BLOB length=126
4894 flags : 0x00000001 (1)
4895 1: DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
4896 originating_add_time : Wed Sep 2 22:20:01 2009 EST
4897 meta_data: struct drsuapi_DsReplicaMetaData
4898 version : 0x00000015 (21)
4899 originating_change_time : Wed Sep 2 23:39:07 2009 EST
4900 originating_invocation_id: 794640f3-18cf-40ee-a211-a93992b67a64
4901 originating_usn : 0x000000000001e19c (123292)
4903 (for cases where the link is to a normal DN)
4904 &target: struct drsuapi_DsReplicaObjectIdentifier3
4905 __ndr_size : 0x0000007e (126)
4906 __ndr_size_sid : 0x0000001c (28)
4907 guid : 7639e594-db75-4086-b0d4-67890ae46031
4908 sid : S-1-5-21-2848215498-2472035911-1947525656-19924
4909 __ndr_size_dn : 0x00000022 (34)
4910 dn : 'CN=UOne,OU=TestOU,DC=vsofs8,DC=com'
4913 /* find the attribute being modified */
4914 attr = dsdb_attribute_by_attributeID_id(schema, la->attid);
4916 DEBUG(0, (__location__ ": Unable to find attributeID 0x%x\n", la->attid));
4917 talloc_free(tmp_ctx);
4918 return LDB_ERR_OPERATIONS_ERROR;
4921 attrs[0] = attr->lDAPDisplayName;
4924 /* get the existing message from the db for the object with
4925 this GUID, returning attribute being modified. We will then
4926 use this msg as the basis for a modify call */
4927 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
4928 DSDB_FLAG_NEXT_MODULE |
4929 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
4930 DSDB_SEARCH_SHOW_RECYCLED |
4931 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
4932 DSDB_SEARCH_REVEAL_INTERNALS,
4934 "objectGUID=%s", GUID_string(tmp_ctx, &la->identifier->guid));
4935 if (ret != LDB_SUCCESS) {
4936 talloc_free(tmp_ctx);
4939 if (res->count != 1) {
4940 ldb_asprintf_errstring(ldb, "DRS linked attribute for GUID %s - DN not found",
4941 GUID_string(tmp_ctx, &la->identifier->guid));
4942 talloc_free(tmp_ctx);
4943 return LDB_ERR_NO_SUCH_OBJECT;
4947 if (msg->num_elements == 0) {
4948 ret = ldb_msg_add_empty(msg, attr->lDAPDisplayName, LDB_FLAG_MOD_REPLACE, &old_el);
4949 if (ret != LDB_SUCCESS) {
4950 ldb_module_oom(module);
4951 talloc_free(tmp_ctx);
4952 return LDB_ERR_OPERATIONS_ERROR;
4955 old_el = &msg->elements[0];
4956 old_el->flags = LDB_FLAG_MOD_REPLACE;
4959 /* parse the existing links */
4960 ret = get_parsed_dns(module, tmp_ctx, old_el, &pdn_list, attr->syntax->ldap_oid, parent);
4961 if (ret != LDB_SUCCESS) {
4962 talloc_free(tmp_ctx);
4966 /* get our invocationId */
4967 our_invocation_id = samdb_ntds_invocation_id(ldb);
4968 if (!our_invocation_id) {
4969 ldb_debug_set(ldb, LDB_DEBUG_ERROR, __location__ ": unable to find invocationId\n");
4970 talloc_free(tmp_ctx);
4971 return LDB_ERR_OPERATIONS_ERROR;
4974 ret = replmd_check_upgrade_links(pdn_list, old_el->num_values, old_el, our_invocation_id);
4975 if (ret != LDB_SUCCESS) {
4976 talloc_free(tmp_ctx);
4980 status = dsdb_dn_la_from_blob(ldb, attr, schema, tmp_ctx, la->value.blob, &dsdb_dn);
4981 if (!W_ERROR_IS_OK(status)) {
4982 ldb_asprintf_errstring(ldb, "Failed to parsed linked attribute blob for %s on %s - %s\n",
4983 old_el->name, ldb_dn_get_linearized(msg->dn), win_errstr(status));
4984 return LDB_ERR_OPERATIONS_ERROR;
4987 ntstatus = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid, "GUID");
4988 if (!NT_STATUS_IS_OK(ntstatus) && active) {
4989 ldb_asprintf_errstring(ldb, "Failed to find GUID in linked attribute blob for %s on %s from %s",
4991 ldb_dn_get_linearized(dsdb_dn->dn),
4992 ldb_dn_get_linearized(msg->dn));
4993 return LDB_ERR_OPERATIONS_ERROR;
4996 /* re-resolve the DN by GUID, as the DRS server may give us an
4998 ret = dsdb_module_dn_by_guid(module, dsdb_dn, &guid, &dsdb_dn->dn, parent);
4999 if (ret != LDB_SUCCESS) {
5000 DEBUG(2,(__location__ ": WARNING: Failed to re-resolve GUID %s - using %s\n",
5001 GUID_string(tmp_ctx, &guid),
5002 ldb_dn_get_linearized(dsdb_dn->dn)));
5005 /* see if this link already exists */
5006 pdn = parsed_dn_find(pdn_list, old_el->num_values, &guid, dsdb_dn->dn);
5008 /* see if this update is newer than what we have already */
5009 struct GUID invocation_id = GUID_zero();
5010 uint32_t version = 0;
5011 uint32_t originating_usn = 0;
5012 NTTIME change_time = 0;
5013 uint32_t rmd_flags = dsdb_dn_rmd_flags(pdn->dsdb_dn->dn);
5015 dsdb_get_extended_dn_guid(pdn->dsdb_dn->dn, &invocation_id, "RMD_INVOCID");
5016 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &version, "RMD_VERSION");
5017 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &originating_usn, "RMD_ORIGINATING_USN");
5018 dsdb_get_extended_dn_nttime(pdn->dsdb_dn->dn, &change_time, "RMD_CHANGETIME");
5020 if (!replmd_update_is_newer(&invocation_id,
5021 &la->meta_data.originating_invocation_id,
5023 la->meta_data.version,
5025 la->meta_data.originating_change_time)) {
5026 DEBUG(3,("Discarding older DRS linked attribute update to %s on %s from %s\n",
5027 old_el->name, ldb_dn_get_linearized(msg->dn),
5028 GUID_string(tmp_ctx, &la->meta_data.originating_invocation_id)));
5029 talloc_free(tmp_ctx);
5033 /* get a seq_num for this change */
5034 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
5035 if (ret != LDB_SUCCESS) {
5036 talloc_free(tmp_ctx);
5040 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
5041 /* remove the existing backlink */
5042 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, false, attr, false);
5043 if (ret != LDB_SUCCESS) {
5044 talloc_free(tmp_ctx);
5049 ret = replmd_update_la_val(tmp_ctx, pdn->v, dsdb_dn, pdn->dsdb_dn,
5050 &la->meta_data.originating_invocation_id,
5051 la->meta_data.originating_usn, seq_num,
5052 la->meta_data.originating_change_time,
5053 la->meta_data.version,
5055 if (ret != LDB_SUCCESS) {
5056 talloc_free(tmp_ctx);
5061 /* add the new backlink */
5062 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, true, attr, false);
5063 if (ret != LDB_SUCCESS) {
5064 talloc_free(tmp_ctx);
5069 /* get a seq_num for this change */
5070 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
5071 if (ret != LDB_SUCCESS) {
5072 talloc_free(tmp_ctx);
5076 old_el->values = talloc_realloc(msg->elements, old_el->values,
5077 struct ldb_val, old_el->num_values+1);
5078 if (!old_el->values) {
5079 ldb_module_oom(module);
5080 return LDB_ERR_OPERATIONS_ERROR;
5082 old_el->num_values++;
5084 ret = replmd_build_la_val(tmp_ctx, &old_el->values[old_el->num_values-1], dsdb_dn,
5085 &la->meta_data.originating_invocation_id,
5086 la->meta_data.originating_usn, seq_num,
5087 la->meta_data.originating_change_time,
5088 la->meta_data.version,
5089 (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?false:true);
5090 if (ret != LDB_SUCCESS) {
5091 talloc_free(tmp_ctx);
5096 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid,
5098 if (ret != LDB_SUCCESS) {
5099 talloc_free(tmp_ctx);
5105 /* we only change whenChanged and uSNChanged if the seq_num
5107 ret = add_time_element(msg, "whenChanged", t);
5108 if (ret != LDB_SUCCESS) {
5109 talloc_free(tmp_ctx);
5114 ret = add_uint64_element(ldb, msg, "uSNChanged", seq_num);
5115 if (ret != LDB_SUCCESS) {
5116 talloc_free(tmp_ctx);
5121 old_el = ldb_msg_find_element(msg, attr->lDAPDisplayName);
5122 if (old_el == NULL) {
5123 talloc_free(tmp_ctx);
5124 return ldb_operr(ldb);
5127 ret = dsdb_check_single_valued_link(attr, old_el);
5128 if (ret != LDB_SUCCESS) {
5129 talloc_free(tmp_ctx);
5133 old_el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
5135 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
5136 if (ret != LDB_SUCCESS) {
5137 ldb_debug(ldb, LDB_DEBUG_WARNING, "Failed to apply linked attribute change '%s'\n%s\n",
5139 ldb_ldif_message_string(ldb, tmp_ctx, LDB_CHANGETYPE_MODIFY, msg));
5140 talloc_free(tmp_ctx);
5144 talloc_free(tmp_ctx);
5149 static int replmd_extended(struct ldb_module *module, struct ldb_request *req)
5151 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_REPLICATED_OBJECTS_OID) == 0) {
5152 return replmd_extended_replicated_objects(module, req);
5155 return ldb_next_request(module, req);
5160 we hook into the transaction operations to allow us to
5161 perform the linked attribute updates at the end of the whole
5162 transaction. This allows a forward linked attribute to be created
5163 before the object is created. During a vampire, w2k8 sends us linked
5164 attributes before the objects they are part of.
5166 static int replmd_start_transaction(struct ldb_module *module)
5168 /* create our private structure for this transaction */
5169 struct replmd_private *replmd_private = talloc_get_type(ldb_module_get_private(module),
5170 struct replmd_private);
5171 replmd_txn_cleanup(replmd_private);
5173 /* free any leftover mod_usn records from cancelled
5175 while (replmd_private->ncs) {
5176 struct nc_entry *e = replmd_private->ncs;
5177 DLIST_REMOVE(replmd_private->ncs, e);
5181 return ldb_next_start_trans(module);
5185 on prepare commit we loop over our queued la_context structures and
5188 static int replmd_prepare_commit(struct ldb_module *module)
5190 struct replmd_private *replmd_private =
5191 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
5192 struct la_entry *la, *prev;
5193 struct la_backlink *bl;
5196 /* walk the list backwards, to do the first entry first, as we
5197 * added the entries with DLIST_ADD() which puts them at the
5198 * start of the list */
5199 for (la = DLIST_TAIL(replmd_private->la_list); la; la=prev) {
5200 prev = DLIST_PREV(la);
5201 DLIST_REMOVE(replmd_private->la_list, la);
5202 ret = replmd_process_linked_attribute(module, la, NULL);
5203 if (ret != LDB_SUCCESS) {
5204 replmd_txn_cleanup(replmd_private);
5209 /* process our backlink list, creating and deleting backlinks
5211 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
5212 ret = replmd_process_backlink(module, bl, NULL);
5213 if (ret != LDB_SUCCESS) {
5214 replmd_txn_cleanup(replmd_private);
5219 replmd_txn_cleanup(replmd_private);
5221 /* possibly change @REPLCHANGED */
5222 ret = replmd_notify_store(module, NULL);
5223 if (ret != LDB_SUCCESS) {
5227 return ldb_next_prepare_commit(module);
5230 static int replmd_del_transaction(struct ldb_module *module)
5232 struct replmd_private *replmd_private =
5233 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
5234 replmd_txn_cleanup(replmd_private);
5236 return ldb_next_del_trans(module);
5240 static const struct ldb_module_ops ldb_repl_meta_data_module_ops = {
5241 .name = "repl_meta_data",
5242 .init_context = replmd_init,
5244 .modify = replmd_modify,
5245 .rename = replmd_rename,
5246 .del = replmd_delete,
5247 .extended = replmd_extended,
5248 .start_transaction = replmd_start_transaction,
5249 .prepare_commit = replmd_prepare_commit,
5250 .del_transaction = replmd_del_transaction,
5253 int ldb_repl_meta_data_module_init(const char *version)
5255 LDB_MODULE_CHECK_VERSION(version);
5256 return ldb_register_module(&ldb_repl_meta_data_module_ops);