search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dsdb:extended_dn_store: rename extended_replace_dn to extended_replace_callback
[Samba.git] / source4 / dsdb / samdb / ldb_modules / extended_dn_store.c
blob203ed8fc77958928f4a7f5819f3bcaee0e212e05
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2005-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007-2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb extended dn control module
25 *
26 * Description: this module builds a special dn for returned search
27 * results nad creates the special DN in the backend store for new
28 * values.
29 *
30 * This also has the curious result that we convert <SID=S-1-2-345>
31 * in an attribute value into a normal DN for the rest of the stack
32 * to process
33 *
34 * Authors: Simo Sorce
35 * Andrew Bartlett
36 */
37
38 #include "includes.h"
39 #include <ldb.h>
40 #include <ldb_errors.h>
41 #include <ldb_module.h>
42 #include "librpc/gen_ndr/ndr_misc.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "libcli/security/security.h"
45 #include "dsdb/samdb/ldb_modules/util.h"
46 #include <time.h>
47
48 struct extended_dn_replace_list {
49 struct extended_dn_replace_list *next;
50 struct dsdb_dn *dsdb_dn;
51 TALLOC_CTX *mem_ctx;
52 struct ldb_val *replace_dn;
53 struct extended_dn_context *ac;
54 struct ldb_request *search_req;
55 };
56
57
58 struct extended_dn_context {
59 const struct dsdb_schema *schema;
60 struct ldb_module *module;
61 struct ldb_context *ldb;
62 struct ldb_request *req;
63 struct ldb_request *new_req;
64
65 struct extended_dn_replace_list *ops;
66 struct extended_dn_replace_list *cur;
67 };
68
69
70 static struct extended_dn_context *extended_dn_context_init(struct ldb_module *module,
71 struct ldb_request *req)
72 {
73 struct extended_dn_context *ac;
74 struct ldb_context *ldb = ldb_module_get_ctx(module);
75 ac = talloc_zero(req, struct extended_dn_context);
76 if (ac == NULL) {
77 ldb_oom(ldb);
78 return NULL;
79 }
80
81 ac->schema = dsdb_get_schema(ldb_module_get_ctx(module), ac);
82 ac->module = module;
83 ac->ldb = ldb;
84 ac->req = req;
85
86 return ac;
87 }
88
89 /* An extra layer of indirection because LDB does not allow the original request to be altered */
90
91 static int extended_final_callback(struct ldb_request *req, struct ldb_reply *ares)
92 {
93 int ret = LDB_ERR_OPERATIONS_ERROR;
94 struct extended_dn_context *ac;
95 ac = talloc_get_type(req->context, struct extended_dn_context);
96
97 if (ares->error != LDB_SUCCESS) {
98 ret = ldb_module_done(ac->req, ares->controls,
99 ares->response, ares->error);
100 } else {
101 switch (ares->type) {
102 case LDB_REPLY_ENTRY:
103
104 ret = ldb_module_send_entry(ac->req, ares->message, ares->controls);
105 break;
106 case LDB_REPLY_REFERRAL:
107
108 ret = ldb_module_send_referral(ac->req, ares->referral);
109 break;
110 case LDB_REPLY_DONE:
111
112 ret = ldb_module_done(ac->req, ares->controls,
113 ares->response, ares->error);
114 break;
115 }
116 }
117 return ret;
118 }
119
120 static int extended_replace_callback(struct ldb_request *req, struct ldb_reply *ares)
121 {
122 struct extended_dn_replace_list *os = talloc_get_type(req->context,
123 struct extended_dn_replace_list);
124
125 if (!ares) {
126 return ldb_module_done(os->ac->req, NULL, NULL,
127 LDB_ERR_OPERATIONS_ERROR);
128 }
129 if (ares->error == LDB_ERR_NO_SUCH_OBJECT) {
130 /* Don't worry too much about dangling references */
131
132 ldb_reset_err_string(os->ac->ldb);
133 if (os->next) {
134 struct extended_dn_replace_list *next;
135
136 next = os->next;
137
138 talloc_free(os);
139
140 os = next;
141 return ldb_next_request(os->ac->module, next->search_req);
142 } else {
143 /* Otherwise, we are done - let's run the
144 * request now we have swapped the DNs for the
145 * full versions */
146 return ldb_next_request(os->ac->module, os->ac->new_req);
147 }
148 }
149 if (ares->error != LDB_SUCCESS) {
150 return ldb_module_done(os->ac->req, ares->controls,
151 ares->response, ares->error);
152 }
153
154 /* Only entries are interesting, and we only want the olddn */
155 switch (ares->type) {
156 case LDB_REPLY_ENTRY:
157 {
158 /* This *must* be the right DN, as this is a base
159 * search. We can't check, as it could be an extended
160 * DN, so a module below will resolve it */
161 struct ldb_dn *dn = ares->message->dn;
162
163 /* Rebuild with the string or binary 'extra part' the
164 * DN may have had as a prefix */
165 struct dsdb_dn *dsdb_dn = dsdb_dn_construct(ares, dn,
166 os->dsdb_dn->extra_part,
167 os->dsdb_dn->oid);
168 if (dsdb_dn) {
169 /* Replace the DN with the extended version of the DN
170 * (ie, add SID and GUID) */
171 *os->replace_dn = data_blob_string_const(
172 dsdb_dn_get_extended_linearized(os->mem_ctx,
173 dsdb_dn, 1));
174 talloc_free(dsdb_dn);
175 }
176 if (os->replace_dn->data == NULL) {
177 return ldb_module_done(os->ac->req, NULL, NULL,
178 LDB_ERR_OPERATIONS_ERROR);
179 }
180 break;
181 }
182 case LDB_REPLY_REFERRAL:
183 /* ignore */
184 break;
185
186 case LDB_REPLY_DONE:
187
188 talloc_free(ares);
189
190 /* Run the next search */
191
192 if (os->next) {
193 struct extended_dn_replace_list *next;
194
195 next = os->next;
196
197 talloc_free(os);
198
199 os = next;
200 return ldb_next_request(os->ac->module, next->search_req);
201 } else {
202 /* Otherwise, we are done - let's run the
203 * request now we have swapped the DNs for the
204 * full versions */
205 return ldb_next_request(os->ac->module, os->ac->new_req);
206 }
207 }
208
209 talloc_free(ares);
210 return LDB_SUCCESS;
211 }
212
213 /* We have a 'normal' DN in the inbound request. We need to find out
214 * what the GUID and SID are on the DN it points to, so we can
215 * construct an extended DN for storage.
216 *
217 * This creates a list of DNs to look up, and the plain DN to replace
218 */
219
220 static int extended_store_replace(struct extended_dn_context *ac,
221 TALLOC_CTX *callback_mem_ctx,
222 struct ldb_dn *self_dn,
223 struct ldb_val *plain_dn,
224 bool is_delete,
225 const struct dsdb_attribute *schema_attr)
226 {
227 const char *oid = schema_attr->syntax->ldap_oid;
228 int ret;
229 struct extended_dn_replace_list *os;
230 static const char *attrs[] = {
231 "objectSid",
232 "objectGUID",
233 NULL
234 };
235
236 os = talloc_zero(ac, struct extended_dn_replace_list);
237 if (!os) {
238 return ldb_oom(ac->ldb);
239 }
240
241 os->ac = ac;
242
243 os->mem_ctx = callback_mem_ctx;
244
245 os->dsdb_dn = dsdb_dn_parse(os, ac->ldb, plain_dn, oid);
246 if (!os->dsdb_dn || !ldb_dn_validate(os->dsdb_dn->dn)) {
247 talloc_free(os);
248 ldb_asprintf_errstring(ac->ldb,
249 "could not parse %.*s as a %s DN", (int)plain_dn->length, plain_dn->data,
250 oid);
251 return LDB_ERR_INVALID_DN_SYNTAX;
252 }
253
254 if (self_dn != NULL) {
255 ret = ldb_dn_compare(self_dn, os->dsdb_dn->dn);
256 if (ret == 0) {
257 /*
258 * If this is a reference to the object
259 * itself during an 'add', we won't
260 * be able to find the object.
261 */
262 talloc_free(os);
263 return LDB_SUCCESS;
264 }
265 }
266
267 if (is_delete && !ldb_dn_has_extended(os->dsdb_dn->dn)) {
268 /* NO need to figure this DN out, this element is
269 * going to be deleted anyway, and becuase it's not
270 * extended, we have enough information to do the
271 * delete */
272 talloc_free(os);
273 return LDB_SUCCESS;
274 }
275
276
277 os->replace_dn = plain_dn;
278
279 /* The search request here might happen to be for an
280 * 'extended' style DN, such as <GUID=abced...>. The next
281 * module in the stack will convert this into a normal DN for
282 * processing */
283 ret = ldb_build_search_req(&os->search_req,
284 ac->ldb, os, os->dsdb_dn->dn, LDB_SCOPE_BASE, NULL,
285 attrs, NULL, os, extended_replace_callback,
286 ac->req);
287 LDB_REQ_SET_LOCATION(os->search_req);
288 if (ret != LDB_SUCCESS) {
289 talloc_free(os);
290 return ret;
291 }
292
293 ret = dsdb_request_add_controls(os->search_req,
294 DSDB_FLAG_AS_SYSTEM |
295 DSDB_SEARCH_SHOW_RECYCLED |
296 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT);
297 if (ret != LDB_SUCCESS) {
298 talloc_free(os);
299 return ret;
300 }
301
302 if (ac->ops) {
303 ac->cur->next = os;
304 } else {
305 ac->ops = os;
306 }
307 ac->cur = os;
308
309 return LDB_SUCCESS;
310 }
311
312
313 /* add */
314 static int extended_dn_add(struct ldb_module *module, struct ldb_request *req)
315 {
316 struct extended_dn_context *ac;
317 int ret;
318 unsigned int i, j;
319
320 if (ldb_dn_is_special(req->op.add.message->dn)) {
321 /* do not manipulate our control entries */
322 return ldb_next_request(module, req);
323 }
324
325 ac = extended_dn_context_init(module, req);
326 if (!ac) {
327 return ldb_operr(ldb_module_get_ctx(module));
328 }
329
330 if (!ac->schema) {
331 /* without schema, this doesn't make any sense */
332 talloc_free(ac);
333 return ldb_next_request(module, req);
334 }
335
336 for (i=0; i < req->op.add.message->num_elements; i++) {
337 const struct ldb_message_element *el = &req->op.add.message->elements[i];
338 const struct dsdb_attribute *schema_attr
339 = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name);
340 if (!schema_attr) {
341 continue;
342 }
343
344 /* We only setup an extended DN GUID on DN elements */
345 if (schema_attr->dn_format == DSDB_INVALID_DN) {
346 continue;
347 }
348
349 if (schema_attr->attributeID_id == DRSUAPI_ATTID_distinguishedName) {
350 /* distinguishedName values are ignored */
351 continue;
352 }
353
354 /* Before we setup a procedure to modify the incoming message, we must copy it */
355 if (!ac->new_req) {
356 struct ldb_message *msg = ldb_msg_copy(ac, req->op.add.message);
357 if (!msg) {
358 return ldb_oom(ldb_module_get_ctx(module));
359 }
360
361 ret = ldb_build_add_req(&ac->new_req, ac->ldb, ac, msg, req->controls, ac, extended_final_callback, req);
362 LDB_REQ_SET_LOCATION(ac->new_req);
363 if (ret != LDB_SUCCESS) {
364 return ret;
365 }
366 }
367 /* Re-calculate el */
368 el = &ac->new_req->op.add.message->elements[i];
369 for (j = 0; j < el->num_values; j++) {
370 ret = extended_store_replace(ac, ac->new_req,
371 req->op.add.message->dn,
372 &el->values[j],
373 false, schema_attr);
374 if (ret != LDB_SUCCESS) {
375 return ret;
376 }
377 }
378 }
379
380 /* if no DNs were set continue */
381 if (ac->ops == NULL) {
382 talloc_free(ac);
383 return ldb_next_request(module, req);
384 }
385
386 /* start with the searches */
387 return ldb_next_request(module, ac->ops->search_req);
388 }
389
390 /* modify */
391 static int extended_dn_modify(struct ldb_module *module, struct ldb_request *req)
392 {
393 /* Look over list of modifications */
394 /* Find if any are for linked attributes */
395 /* Determine the effect of the modification */
396 /* Apply the modify to the linked entry */
397
398 unsigned int i, j;
399 struct extended_dn_context *ac;
400 struct ldb_control *fix_links_control = NULL;
401 int ret;
402
403 if (ldb_dn_is_special(req->op.mod.message->dn)) {
404 /* do not manipulate our control entries */
405 return ldb_next_request(module, req);
406 }
407
408 ac = extended_dn_context_init(module, req);
409 if (!ac) {
410 return ldb_operr(ldb_module_get_ctx(module));
411 }
412
413 if (!ac->schema) {
414 talloc_free(ac);
415 /* without schema, this doesn't make any sense */
416 return ldb_next_request(module, req);
417 }
418
419 fix_links_control = ldb_request_get_control(req,
420 DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS);
421 if (fix_links_control != NULL) {
422 return ldb_next_request(module, req);
423 }
424
425 for (i=0; i < req->op.mod.message->num_elements; i++) {
426 const struct ldb_message_element *el = &req->op.mod.message->elements[i];
427 const struct dsdb_attribute *schema_attr
428 = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name);
429 if (!schema_attr) {
430 continue;
431 }
432
433 /* We only setup an extended DN GUID on these particular DN objects */
434 if (schema_attr->dn_format == DSDB_INVALID_DN) {
435 continue;
436 }
437
438 if (schema_attr->attributeID_id == DRSUAPI_ATTID_distinguishedName) {
439 /* distinguishedName values are ignored */
440 continue;
441 }
442
443 /* Before we setup a procedure to modify the incoming message, we must copy it */
444 if (!ac->new_req) {
445 struct ldb_message *msg = ldb_msg_copy(ac, req->op.mod.message);
446 if (!msg) {
447 talloc_free(ac);
448 return ldb_oom(ac->ldb);
449 }
450
451 ret = ldb_build_mod_req(&ac->new_req, ac->ldb, ac, msg, req->controls, ac, extended_final_callback, req);
452 LDB_REQ_SET_LOCATION(ac->new_req);
453 if (ret != LDB_SUCCESS) {
454 talloc_free(ac);
455 return ret;
456 }
457 }
458 /* Re-calculate el */
459 el = &ac->new_req->op.mod.message->elements[i];
460 /* For each value being added, we need to setup the lookups to fill in the extended DN */
461 for (j = 0; j < el->num_values; j++) {
462 /* If we are just going to delete this
463 * element, only do a lookup if
464 * extended_store_replace determines it's an
465 * input of an extended DN */
466 bool is_delete = (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE);
467
468 ret = extended_store_replace(ac, ac->new_req,
469 NULL, /* self_dn to be ignored */
470 &el->values[j],
471 is_delete, schema_attr);
472 if (ret != LDB_SUCCESS) {
473 talloc_free(ac);
474 return ret;
475 }
476 }
477 }
478
479 /* if DNs were set continue */
480 if (ac->ops == NULL) {
481 talloc_free(ac);
482 return ldb_next_request(module, req);
483 }
484
485 /* start with the searches */
486 return ldb_next_request(module, ac->ops->search_req);
487 }
488
489 static const struct ldb_module_ops ldb_extended_dn_store_module_ops = {
490 .name = "extended_dn_store",
491 .add = extended_dn_add,
492 .modify = extended_dn_modify,
493 };
494
495 int ldb_extended_dn_store_module_init(const char *version)
496 {
497 LDB_MODULE_CHECK_VERSION(version);
498 return ldb_register_module(&ldb_extended_dn_store_module_ops);
499 }
Samba GIT mirror