2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2004
5 Copyright (C) Matthias Dieter Wallnöfer 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "ldap_server/ldap_server.h"
23 #include "../lib/util/dlinklist.h"
24 #include "auth/credentials/credentials.h"
25 #include "auth/gensec/gensec.h"
26 #include "auth/gensec/gensec_internal.h" /* TODO: remove this */
27 #include "auth/common_auth.h"
28 #include "param/param.h"
29 #include "samba/service_stream.h"
30 #include "dsdb/samdb/samdb.h"
31 #include <ldb_errors.h>
32 #include <ldb_module.h>
34 #include "lib/tsocket/tsocket.h"
35 #include "libcli/ldap/ldap_proto.h"
36 #include "source4/auth/auth.h"
38 static int map_ldb_error(TALLOC_CTX
*mem_ctx
, int ldb_err
,
39 const char *add_err_string
, const char **errstring
)
43 /* Certain LDB modules need to return very special WERROR codes. Proof
44 * for them here and if they exist skip the rest of the mapping. */
45 if (add_err_string
!= NULL
) {
47 strtol(add_err_string
, &endptr
, 16);
48 if (endptr
!= add_err_string
) {
49 *errstring
= add_err_string
;
54 /* Otherwise we calculate here a generic, but appropriate WERROR. */
60 case LDB_ERR_OPERATIONS_ERROR
:
61 err
= WERR_DS_OPERATIONS_ERROR
;
63 case LDB_ERR_PROTOCOL_ERROR
:
64 err
= WERR_DS_PROTOCOL_ERROR
;
66 case LDB_ERR_TIME_LIMIT_EXCEEDED
:
67 err
= WERR_DS_TIMELIMIT_EXCEEDED
;
69 case LDB_ERR_SIZE_LIMIT_EXCEEDED
:
70 err
= WERR_DS_SIZELIMIT_EXCEEDED
;
72 case LDB_ERR_COMPARE_FALSE
:
73 err
= WERR_DS_COMPARE_FALSE
;
75 case LDB_ERR_COMPARE_TRUE
:
76 err
= WERR_DS_COMPARE_TRUE
;
78 case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED
:
79 err
= WERR_DS_AUTH_METHOD_NOT_SUPPORTED
;
81 case LDB_ERR_STRONG_AUTH_REQUIRED
:
82 err
= WERR_DS_STRONG_AUTH_REQUIRED
;
84 case LDB_ERR_REFERRAL
:
85 err
= WERR_DS_REFERRAL
;
87 case LDB_ERR_ADMIN_LIMIT_EXCEEDED
:
88 err
= WERR_DS_ADMIN_LIMIT_EXCEEDED
;
90 case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION
:
91 err
= WERR_DS_UNAVAILABLE_CRIT_EXTENSION
;
93 case LDB_ERR_CONFIDENTIALITY_REQUIRED
:
94 err
= WERR_DS_CONFIDENTIALITY_REQUIRED
;
96 case LDB_ERR_SASL_BIND_IN_PROGRESS
:
99 case LDB_ERR_NO_SUCH_ATTRIBUTE
:
100 err
= WERR_DS_NO_ATTRIBUTE_OR_VALUE
;
102 case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE
:
103 err
= WERR_DS_ATTRIBUTE_TYPE_UNDEFINED
;
105 case LDB_ERR_INAPPROPRIATE_MATCHING
:
106 err
= WERR_DS_INAPPROPRIATE_MATCHING
;
108 case LDB_ERR_CONSTRAINT_VIOLATION
:
109 err
= WERR_DS_CONSTRAINT_VIOLATION
;
111 case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS
:
112 err
= WERR_DS_ATTRIBUTE_OR_VALUE_EXISTS
;
114 case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
:
115 err
= WERR_DS_INVALID_ATTRIBUTE_SYNTAX
;
117 case LDB_ERR_NO_SUCH_OBJECT
:
118 err
= WERR_DS_NO_SUCH_OBJECT
;
120 case LDB_ERR_ALIAS_PROBLEM
:
121 err
= WERR_DS_ALIAS_PROBLEM
;
123 case LDB_ERR_INVALID_DN_SYNTAX
:
124 err
= WERR_DS_INVALID_DN_SYNTAX
;
126 case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM
:
127 err
= WERR_DS_ALIAS_DEREF_PROBLEM
;
129 case LDB_ERR_INAPPROPRIATE_AUTHENTICATION
:
130 err
= WERR_DS_INAPPROPRIATE_AUTH
;
132 case LDB_ERR_INVALID_CREDENTIALS
:
133 err
= WERR_ACCESS_DENIED
;
135 case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
:
136 err
= WERR_DS_INSUFF_ACCESS_RIGHTS
;
141 case LDB_ERR_UNAVAILABLE
:
142 err
= WERR_DS_UNAVAILABLE
;
144 case LDB_ERR_UNWILLING_TO_PERFORM
:
145 err
= WERR_DS_UNWILLING_TO_PERFORM
;
147 case LDB_ERR_LOOP_DETECT
:
148 err
= WERR_DS_LOOP_DETECT
;
150 case LDB_ERR_NAMING_VIOLATION
:
151 err
= WERR_DS_NAMING_VIOLATION
;
153 case LDB_ERR_OBJECT_CLASS_VIOLATION
:
154 err
= WERR_DS_OBJ_CLASS_VIOLATION
;
156 case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF
:
157 err
= WERR_DS_CANT_ON_NON_LEAF
;
159 case LDB_ERR_NOT_ALLOWED_ON_RDN
:
160 err
= WERR_DS_CANT_ON_RDN
;
162 case LDB_ERR_ENTRY_ALREADY_EXISTS
:
163 err
= WERR_DS_OBJ_STRING_NAME_EXISTS
;
165 case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED
:
166 err
= WERR_DS_CANT_MOD_OBJ_CLASS
;
168 case LDB_ERR_AFFECTS_MULTIPLE_DSAS
:
169 err
= WERR_DS_AFFECTS_MULTIPLE_DSAS
;
172 err
= WERR_DS_GENERIC_ERROR
;
176 *errstring
= talloc_asprintf(mem_ctx
, "%08X: %s", W_ERROR_V(err
),
177 add_err_string
!= NULL
? add_err_string
: ldb_strerror(ldb_err
));
179 /* result is 1:1 for now */
184 connect to the sam database
186 int ldapsrv_backend_Init(struct ldapsrv_connection
*conn
,
189 bool using_tls
= conn
->sockets
.active
== conn
->sockets
.tls
;
190 bool using_seal
= conn
->gensec
!= NULL
&& gensec_have_feature(conn
->gensec
,
191 GENSEC_FEATURE_SEAL
);
192 struct dsdb_encrypted_connection_state
*opaque_connection_state
= NULL
;
194 int ret
= samdb_connect_url(conn
,
195 conn
->connection
->event
.ctx
,
198 conn
->global_catalog
? LDB_FLG_RDONLY
: 0,
200 conn
->connection
->remote_address
,
203 if (ret
!= LDB_SUCCESS
) {
208 * We can safely call ldb_set_opaque() on this ldb as we have
209 * set remote_address above which avoids the ldb handle cache
211 opaque_connection_state
= talloc_zero(conn
, struct dsdb_encrypted_connection_state
);
212 if (opaque_connection_state
== NULL
) {
213 return LDB_ERR_OPERATIONS_ERROR
;
215 opaque_connection_state
->using_encrypted_connection
= using_tls
|| using_seal
;
216 ret
= ldb_set_opaque(conn
->ldb
,
217 DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME
,
218 opaque_connection_state
);
219 if (ret
!= LDB_SUCCESS
) {
220 DBG_ERR("ldb_set_opaque() failed to store our "
221 "encrypted connection state!");
225 if (conn
->server_credentials
) {
226 struct gensec_security
*gensec_security
= NULL
;
227 const char **sasl_mechs
= NULL
;
230 status
= samba_server_gensec_start(conn
,
231 conn
->connection
->event
.ctx
,
232 conn
->connection
->msg_ctx
,
234 conn
->server_credentials
,
237 if (!NT_STATUS_IS_OK(status
)) {
238 DBG_ERR("samba_server_gensec_start failed: %s\n",
240 return LDB_ERR_OPERATIONS_ERROR
;
243 /* ldb can have a different lifetime to conn, so we
244 need to ensure that sasl_mechs lives as long as the
246 sasl_mechs
= gensec_security_sasl_names(gensec_security
,
248 TALLOC_FREE(gensec_security
);
249 if (sasl_mechs
== NULL
) {
250 DBG_ERR("Failed to get sasl mechs!\n");
251 return LDB_ERR_OPERATIONS_ERROR
;
254 ldb_set_opaque(conn
->ldb
, "supportedSASLMechanisms", sasl_mechs
);
260 struct ldapsrv_reply
*ldapsrv_init_reply(struct ldapsrv_call
*call
, uint8_t type
)
262 struct ldapsrv_reply
*reply
;
264 reply
= talloc_zero(call
, struct ldapsrv_reply
);
268 reply
->msg
= talloc_zero(reply
, struct ldap_message
);
269 if (reply
->msg
== NULL
) {
274 reply
->msg
->messageid
= call
->request
->messageid
;
275 reply
->msg
->type
= type
;
276 reply
->msg
->controls
= NULL
;
282 * Encode a reply to an LDAP client as ASN.1, free the original memory
284 static NTSTATUS
ldapsrv_encode(TALLOC_CTX
*mem_ctx
,
285 struct ldapsrv_reply
*reply
)
287 bool bret
= ldap_encode(reply
->msg
,
288 samba_ldap_control_handlers(),
291 TALLOC_FREE(reply
->msg
);
293 DEBUG(0,("Failed to encode ldap reply of type %d: "
294 "ldap_encode() failed\n",
296 return NT_STATUS_NO_MEMORY
;
299 talloc_set_name_const(reply
->blob
.data
,
300 "Outgoing, encoded single LDAP reply");
306 * Queue a reply (encoding it also), even if it would exceed the
307 * limit. This allows the error packet with LDAP_SIZE_LIMIT_EXCEEDED
310 static NTSTATUS
ldapsrv_queue_reply_forced(struct ldapsrv_call
*call
,
311 struct ldapsrv_reply
*reply
)
313 NTSTATUS status
= ldapsrv_encode(call
, reply
);
315 if (NT_STATUS_IS_OK(status
)) {
316 DLIST_ADD_END(call
->replies
, reply
);
322 * Queue a reply (encoding it also) but check we do not send more than
323 * LDAP_SERVER_MAX_REPLY_SIZE of responses as a way to limit the
324 * amount of data a client can make us allocate.
326 NTSTATUS
ldapsrv_queue_reply(struct ldapsrv_call
*call
, struct ldapsrv_reply
*reply
)
328 NTSTATUS status
= ldapsrv_encode(call
, reply
);
330 if (!NT_STATUS_IS_OK(status
)) {
334 if (call
->reply_size
> call
->reply_size
+ reply
->blob
.length
335 || call
->reply_size
+ reply
->blob
.length
> LDAP_SERVER_MAX_REPLY_SIZE
) {
336 DBG_WARNING("Refusing to queue LDAP search response size "
337 "of more than %zu bytes\n",
338 LDAP_SERVER_MAX_REPLY_SIZE
);
339 TALLOC_FREE(reply
->blob
.data
);
340 return NT_STATUS_FILE_TOO_LARGE
;
343 call
->reply_size
+= reply
->blob
.length
;
345 DLIST_ADD_END(call
->replies
, reply
);
350 static NTSTATUS
ldapsrv_unwilling(struct ldapsrv_call
*call
, int error
)
352 struct ldapsrv_reply
*reply
;
353 struct ldap_ExtendedResponse
*r
;
355 DEBUG(10,("Unwilling type[%d] id[%d]\n", call
->request
->type
, call
->request
->messageid
));
357 reply
= ldapsrv_init_reply(call
, LDAP_TAG_ExtendedResponse
);
359 return NT_STATUS_NO_MEMORY
;
362 r
= &reply
->msg
->r
.ExtendedResponse
;
363 r
->response
.resultcode
= error
;
364 r
->response
.dn
= NULL
;
365 r
->response
.errormessage
= NULL
;
366 r
->response
.referral
= NULL
;
370 ldapsrv_queue_reply(call
, reply
);
374 static int ldapsrv_add_with_controls(struct ldapsrv_call
*call
,
375 const struct ldb_message
*message
,
376 struct ldb_control
**controls
,
377 struct ldb_result
*res
)
379 struct ldb_context
*ldb
= call
->conn
->ldb
;
380 struct ldb_request
*req
;
383 ret
= ldb_msg_sanity_check(ldb
, message
);
384 if (ret
!= LDB_SUCCESS
) {
388 ret
= ldb_build_add_req(&req
, ldb
, ldb
,
392 ldb_modify_default_callback
,
395 if (ret
!= LDB_SUCCESS
) return ret
;
397 if (call
->conn
->global_catalog
) {
398 return ldb_error(ldb
, LDB_ERR_UNWILLING_TO_PERFORM
, "modify forbidden on global catalog port");
400 ldb_request_add_control(req
, DSDB_CONTROL_NO_GLOBAL_CATALOG
, false, NULL
);
402 ret
= ldb_transaction_start(ldb
);
403 if (ret
!= LDB_SUCCESS
) {
407 if (!call
->conn
->is_privileged
) {
408 ldb_req_mark_untrusted(req
);
411 LDB_REQ_SET_LOCATION(req
);
413 ret
= ldb_request(ldb
, req
);
414 if (ret
== LDB_SUCCESS
) {
415 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
418 if (ret
== LDB_SUCCESS
) {
419 ret
= ldb_transaction_commit(ldb
);
422 ldb_transaction_cancel(ldb
);
429 /* create and execute a modify request */
430 static int ldapsrv_mod_with_controls(struct ldapsrv_call
*call
,
431 const struct ldb_message
*message
,
432 struct ldb_control
**controls
,
433 struct ldb_result
*res
)
435 struct ldb_context
*ldb
= call
->conn
->ldb
;
436 struct ldb_request
*req
;
439 ret
= ldb_msg_sanity_check(ldb
, message
);
440 if (ret
!= LDB_SUCCESS
) {
444 ret
= ldb_build_mod_req(&req
, ldb
, ldb
,
448 ldb_modify_default_callback
,
451 if (ret
!= LDB_SUCCESS
) {
455 if (call
->conn
->global_catalog
) {
456 return ldb_error(ldb
, LDB_ERR_UNWILLING_TO_PERFORM
, "modify forbidden on global catalog port");
458 ldb_request_add_control(req
, DSDB_CONTROL_NO_GLOBAL_CATALOG
, false, NULL
);
460 ret
= ldb_transaction_start(ldb
);
461 if (ret
!= LDB_SUCCESS
) {
465 if (!call
->conn
->is_privileged
) {
466 ldb_req_mark_untrusted(req
);
469 LDB_REQ_SET_LOCATION(req
);
471 ret
= ldb_request(ldb
, req
);
472 if (ret
== LDB_SUCCESS
) {
473 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
476 if (ret
== LDB_SUCCESS
) {
477 ret
= ldb_transaction_commit(ldb
);
480 ldb_transaction_cancel(ldb
);
487 /* create and execute a delete request */
488 static int ldapsrv_del_with_controls(struct ldapsrv_call
*call
,
490 struct ldb_control
**controls
,
491 struct ldb_result
*res
)
493 struct ldb_context
*ldb
= call
->conn
->ldb
;
494 struct ldb_request
*req
;
497 ret
= ldb_build_del_req(&req
, ldb
, ldb
,
501 ldb_modify_default_callback
,
504 if (ret
!= LDB_SUCCESS
) return ret
;
506 if (call
->conn
->global_catalog
) {
507 return ldb_error(ldb
, LDB_ERR_UNWILLING_TO_PERFORM
, "modify forbidden on global catalog port");
509 ldb_request_add_control(req
, DSDB_CONTROL_NO_GLOBAL_CATALOG
, false, NULL
);
511 ret
= ldb_transaction_start(ldb
);
512 if (ret
!= LDB_SUCCESS
) {
516 if (!call
->conn
->is_privileged
) {
517 ldb_req_mark_untrusted(req
);
520 LDB_REQ_SET_LOCATION(req
);
522 ret
= ldb_request(ldb
, req
);
523 if (ret
== LDB_SUCCESS
) {
524 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
527 if (ret
== LDB_SUCCESS
) {
528 ret
= ldb_transaction_commit(ldb
);
531 ldb_transaction_cancel(ldb
);
538 static int ldapsrv_rename_with_controls(struct ldapsrv_call
*call
,
539 struct ldb_dn
*olddn
,
540 struct ldb_dn
*newdn
,
541 struct ldb_control
**controls
,
542 struct ldb_result
*res
)
544 struct ldb_context
*ldb
= call
->conn
->ldb
;
545 struct ldb_request
*req
;
548 ret
= ldb_build_rename_req(&req
, ldb
, ldb
,
553 ldb_modify_default_callback
,
556 if (ret
!= LDB_SUCCESS
) return ret
;
558 if (call
->conn
->global_catalog
) {
559 return ldb_error(ldb
, LDB_ERR_UNWILLING_TO_PERFORM
, "modify forbidden on global catalog port");
561 ldb_request_add_control(req
, DSDB_CONTROL_NO_GLOBAL_CATALOG
, false, NULL
);
563 ret
= ldb_transaction_start(ldb
);
564 if (ret
!= LDB_SUCCESS
) {
568 if (!call
->conn
->is_privileged
) {
569 ldb_req_mark_untrusted(req
);
572 LDB_REQ_SET_LOCATION(req
);
574 ret
= ldb_request(ldb
, req
);
575 if (ret
== LDB_SUCCESS
) {
576 ret
= ldb_wait(req
->handle
, LDB_WAIT_ALL
);
579 if (ret
== LDB_SUCCESS
) {
580 ret
= ldb_transaction_commit(ldb
);
583 ldb_transaction_cancel(ldb
);
592 struct ldapsrv_context
{
593 struct ldapsrv_call
*call
;
596 struct ldb_control
**controls
;
597 size_t count
; /* For notificaiton only */
600 static int ldap_server_search_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
602 struct ldapsrv_context
*ctx
= talloc_get_type(req
->context
, struct ldapsrv_context
);
603 struct ldapsrv_call
*call
= ctx
->call
;
604 struct ldb_context
*ldb
= call
->conn
->ldb
;
606 struct ldapsrv_reply
*ent_r
= NULL
;
607 struct ldap_SearchResEntry
*ent
;
612 return ldb_request_done(req
, LDB_ERR_OPERATIONS_ERROR
);
614 if (ares
->error
!= LDB_SUCCESS
) {
615 return ldb_request_done(req
, ares
->error
);
618 switch (ares
->type
) {
619 case LDB_REPLY_ENTRY
:
621 struct ldb_message
*msg
= ares
->message
;
622 ent_r
= ldapsrv_init_reply(call
, LDAP_TAG_SearchResultEntry
);
630 * Put the LDAP search response data under ent_r->msg
631 * so we can free that later once encoded
633 talloc_steal(ent_r
->msg
, msg
);
635 ent
= &ent_r
->msg
->r
.SearchResultEntry
;
636 ent
->dn
= ldb_dn_get_extended_linearized(ent_r
, msg
->dn
,
638 ent
->num_attributes
= 0;
639 ent
->attributes
= NULL
;
640 if (msg
->num_elements
== 0) {
643 ent
->num_attributes
= msg
->num_elements
;
644 ent
->attributes
= talloc_array(ent_r
, struct ldb_message_element
, ent
->num_attributes
);
645 if (ent
->attributes
== NULL
) {
649 for (j
=0; j
< ent
->num_attributes
; j
++) {
650 ent
->attributes
[j
].name
= msg
->elements
[j
].name
;
651 ent
->attributes
[j
].num_values
= 0;
652 ent
->attributes
[j
].values
= NULL
;
653 if (ctx
->attributesonly
&& (msg
->elements
[j
].num_values
== 0)) {
656 ent
->attributes
[j
].num_values
= msg
->elements
[j
].num_values
;
657 ent
->attributes
[j
].values
= msg
->elements
[j
].values
;
660 status
= ldapsrv_queue_reply(call
, ent_r
);
661 if (NT_STATUS_EQUAL(status
, NT_STATUS_FILE_TOO_LARGE
)) {
662 ret
= ldb_request_done(req
,
663 LDB_ERR_SIZE_LIMIT_EXCEEDED
);
664 ldb_asprintf_errstring(ldb
,
665 "LDAP search response size "
666 "limited to %zu bytes\n",
667 LDAP_SERVER_MAX_REPLY_SIZE
);
668 } else if (!NT_STATUS_IS_OK(status
)) {
669 ret
= ldb_request_done(req
,
676 case LDB_REPLY_REFERRAL
:
678 struct ldap_SearchResRef
*ent_ref
;
681 * TODO: This should be handled by the notification
684 if (call
->notification
.busy
) {
689 ent_r
= ldapsrv_init_reply(call
, LDAP_TAG_SearchResultReference
);
695 * Put the LDAP referral data under ent_r->msg
696 * so we can free that later once encoded
698 talloc_steal(ent_r
->msg
, ares
->referral
);
700 ent_ref
= &ent_r
->msg
->r
.SearchResultReference
;
701 ent_ref
->referral
= ares
->referral
;
703 status
= ldapsrv_queue_reply(call
, ent_r
);
704 if (!NT_STATUS_IS_OK(status
)) {
705 ret
= LDB_ERR_OPERATIONS_ERROR
;
714 * We don't queue the reply for this one, we let that
717 ctx
->controls
= talloc_move(ctx
, &ares
->controls
);
720 return ldb_request_done(req
, LDB_SUCCESS
);
724 ret
= LDB_ERR_OPERATIONS_ERROR
;
732 static NTSTATUS
ldapsrv_SearchRequest(struct ldapsrv_call
*call
)
734 struct ldap_SearchRequest
*req
= &call
->request
->r
.SearchRequest
;
735 struct ldap_Result
*done
;
736 struct ldapsrv_reply
*done_r
;
737 TALLOC_CTX
*local_ctx
;
738 struct ldapsrv_context
*callback_ctx
= NULL
;
739 struct ldb_context
*samdb
= talloc_get_type(call
->conn
->ldb
, struct ldb_context
);
740 struct ldb_dn
*basedn
;
741 struct ldb_request
*lreq
;
742 struct ldb_control
*search_control
;
743 struct ldb_search_options_control
*search_options
;
744 struct ldb_control
*extended_dn_control
;
745 struct ldb_extended_dn_control
*extended_dn_decoded
= NULL
;
746 struct ldb_control
*notification_control
= NULL
;
747 enum ldb_scope scope
= LDB_SCOPE_DEFAULT
;
748 const char **attrs
= NULL
;
749 const char *scope_str
, *errstr
= NULL
;
753 int extended_type
= 1;
756 * Warn for searches that are longer than 1/4 of the
757 * search_timeout, being 30sec by default
759 struct timeval start_time
= timeval_current();
760 struct timeval warning_time
761 = timeval_add(&start_time
,
762 call
->conn
->limits
.search_timeout
/ 4,
765 local_ctx
= talloc_new(call
);
766 NT_STATUS_HAVE_NO_MEMORY(local_ctx
);
768 basedn
= ldb_dn_new(local_ctx
, samdb
, req
->basedn
);
769 NT_STATUS_HAVE_NO_MEMORY(basedn
);
771 switch (req
->scope
) {
772 case LDAP_SEARCH_SCOPE_BASE
:
774 scope
= LDB_SCOPE_BASE
;
776 case LDAP_SEARCH_SCOPE_SINGLE
:
778 scope
= LDB_SCOPE_ONELEVEL
;
780 case LDAP_SEARCH_SCOPE_SUB
:
782 scope
= LDB_SCOPE_SUBTREE
;
785 result
= LDAP_PROTOCOL_ERROR
;
786 map_ldb_error(local_ctx
, LDB_ERR_PROTOCOL_ERROR
, NULL
,
788 scope_str
= "<Invalid scope>";
789 errstr
= talloc_asprintf(local_ctx
,
790 "%s. Invalid scope", errstr
);
793 DEBUG(10,("SearchRequest: scope: [%s]\n", scope_str
));
795 if (req
->num_attributes
>= 1) {
796 attrs
= talloc_array(local_ctx
, const char *, req
->num_attributes
+1);
797 NT_STATUS_HAVE_NO_MEMORY(attrs
);
799 for (i
=0; i
< req
->num_attributes
; i
++) {
800 DEBUG(10,("SearchRequest: attrs: [%s]\n",req
->attributes
[i
]));
801 attrs
[i
] = req
->attributes
[i
];
806 DEBUG(5,("ldb_request %s dn=%s filter=%s\n",
807 scope_str
, req
->basedn
, ldb_filter_from_tree(call
, req
->tree
)));
809 callback_ctx
= talloc_zero(local_ctx
, struct ldapsrv_context
);
810 NT_STATUS_HAVE_NO_MEMORY(callback_ctx
);
811 callback_ctx
->call
= call
;
812 callback_ctx
->extended_type
= extended_type
;
813 callback_ctx
->attributesonly
= req
->attributesonly
;
815 ldb_ret
= ldb_build_search_req_ex(&lreq
, samdb
, local_ctx
,
818 call
->request
->controls
,
820 ldap_server_search_callback
,
823 if (ldb_ret
!= LDB_SUCCESS
) {
827 if (call
->conn
->global_catalog
) {
828 search_control
= ldb_request_get_control(lreq
, LDB_CONTROL_SEARCH_OPTIONS_OID
);
830 search_options
= NULL
;
831 if (search_control
) {
832 search_options
= talloc_get_type(search_control
->data
, struct ldb_search_options_control
);
833 search_options
->search_options
|= LDB_SEARCH_OPTION_PHANTOM_ROOT
;
835 search_options
= talloc(lreq
, struct ldb_search_options_control
);
836 NT_STATUS_HAVE_NO_MEMORY(search_options
);
837 search_options
->search_options
= LDB_SEARCH_OPTION_PHANTOM_ROOT
;
838 ldb_request_add_control(lreq
, LDB_CONTROL_SEARCH_OPTIONS_OID
, false, search_options
);
841 ldb_request_add_control(lreq
, DSDB_CONTROL_NO_GLOBAL_CATALOG
, false, NULL
);
844 extended_dn_control
= ldb_request_get_control(lreq
, LDB_CONTROL_EXTENDED_DN_OID
);
846 if (extended_dn_control
) {
847 if (extended_dn_control
->data
) {
848 extended_dn_decoded
= talloc_get_type(extended_dn_control
->data
, struct ldb_extended_dn_control
);
849 extended_type
= extended_dn_decoded
->type
;
853 callback_ctx
->extended_type
= extended_type
;
856 notification_control
= ldb_request_get_control(lreq
, LDB_CONTROL_NOTIFICATION_OID
);
857 if (notification_control
!= NULL
) {
858 const struct ldapsrv_call
*pc
= NULL
;
861 for (pc
= call
->conn
->pending_calls
; pc
!= NULL
; pc
= pc
->next
) {
865 if (count
>= call
->conn
->limits
.max_notifications
) {
866 DEBUG(10,("SearchRequest: error MaxNotificationPerConn\n"));
867 result
= map_ldb_error(local_ctx
,
868 LDB_ERR_ADMIN_LIMIT_EXCEEDED
,
869 "MaxNotificationPerConn reached",
875 * For now we need to do periodic retries on our own.
876 * As the dsdb_notification module will return after each run.
878 call
->notification
.busy
= true;
882 const char *scheme
= NULL
;
883 switch (call
->conn
->referral_scheme
) {
884 case LDAP_REFERRAL_SCHEME_LDAPS
:
890 ldb_ret
= ldb_set_opaque(
892 LDAP_REFERRAL_SCHEME_OPAQUE
,
893 discard_const_p(char *, scheme
));
894 if (ldb_ret
!= LDB_SUCCESS
) {
900 time_t timeout
= call
->conn
->limits
.search_timeout
;
903 || (req
->timelimit
!= 0
904 && req
->timelimit
< timeout
))
906 timeout
= req
->timelimit
;
908 ldb_set_timeout(samdb
, lreq
, timeout
);
911 if (!call
->conn
->is_privileged
) {
912 ldb_req_mark_untrusted(lreq
);
915 LDB_REQ_SET_LOCATION(lreq
);
917 ldb_ret
= ldb_request(samdb
, lreq
);
919 if (ldb_ret
!= LDB_SUCCESS
) {
923 ldb_ret
= ldb_wait(lreq
->handle
, LDB_WAIT_ALL
);
925 if (ldb_ret
== LDB_SUCCESS
) {
926 if (call
->notification
.busy
) {
927 /* Move/Add it to the end */
928 DLIST_DEMOTE(call
->conn
->pending_calls
, call
);
929 call
->notification
.generation
=
930 call
->conn
->service
->notification
.generation
;
932 if (callback_ctx
->count
!= 0) {
933 call
->notification
.generation
+= 1;
934 ldapsrv_notification_retry_setup(call
->conn
->service
,
938 talloc_free(local_ctx
);
946 * This looks like duplicated code - because it is - but
947 * otherwise the work in the parameters will be done
948 * regardless, this way the functions only execute when the
951 * The basedn is re-obtained as a string to escape it
953 if ((req
->timelimit
== 0 || call
->conn
->limits
.search_timeout
< req
->timelimit
)
954 && ldb_ret
== LDB_ERR_TIME_LIMIT_EXCEEDED
) {
955 struct dom_sid_buf sid_buf
;
956 DBG_WARNING("MaxQueryDuration(%d) timeout exceeded "
957 "in SearchRequest by %s from %s filter: [%s] "
960 call
->conn
->limits
.search_timeout
,
961 dom_sid_str_buf(&call
->conn
->session_info
->security_token
->sids
[0],
963 tsocket_address_string(call
->conn
->connection
->remote_address
,
965 ldb_filter_from_tree(call
, req
->tree
),
966 ldb_dn_get_extended_linearized(call
, basedn
, 1),
968 for (i
=0; i
< req
->num_attributes
; i
++) {
969 DBG_WARNING("MaxQueryDuration timeout exceeded attrs: [%s]\n",
973 } else if (timeval_expired(&warning_time
)) {
974 struct dom_sid_buf sid_buf
;
975 DBG_NOTICE("Long LDAP Query: Duration was %.2fs, "
976 "MaxQueryDuration(%d)/4 == %d "
977 "in SearchRequest by %s from %s filter: [%s] "
981 timeval_elapsed(&start_time
),
982 call
->conn
->limits
.search_timeout
,
983 call
->conn
->limits
.search_timeout
/ 4,
984 dom_sid_str_buf(&call
->conn
->session_info
->security_token
->sids
[0],
986 tsocket_address_string(call
->conn
->connection
->remote_address
,
988 ldb_filter_from_tree(call
, req
->tree
),
989 ldb_dn_get_extended_linearized(call
, basedn
, 1),
991 ldb_strerror(ldb_ret
));
992 for (i
=0; i
< req
->num_attributes
; i
++) {
993 DBG_NOTICE("Long LDAP Query attrs: [%s]\n",
997 struct dom_sid_buf sid_buf
;
998 DBG_INFO("LDAP Query: Duration was %.2fs, "
999 "SearchRequest by %s from %s filter: [%s] "
1003 timeval_elapsed(&start_time
),
1004 dom_sid_str_buf(&call
->conn
->session_info
->security_token
->sids
[0],
1006 tsocket_address_string(call
->conn
->connection
->remote_address
,
1008 ldb_filter_from_tree(call
, req
->tree
),
1009 ldb_dn_get_extended_linearized(call
, basedn
, 1),
1011 ldb_strerror(ldb_ret
));
1014 DLIST_REMOVE(call
->conn
->pending_calls
, call
);
1015 call
->notification
.busy
= false;
1017 done_r
= ldapsrv_init_reply(call
, LDAP_TAG_SearchResultDone
);
1018 NT_STATUS_HAVE_NO_MEMORY(done_r
);
1020 done
= &done_r
->msg
->r
.SearchResultDone
;
1022 done
->referral
= NULL
;
1025 } else if (ldb_ret
== LDB_SUCCESS
) {
1026 if (callback_ctx
->controls
) {
1027 done_r
->msg
->controls
= callback_ctx
->controls
;
1028 talloc_steal(done_r
->msg
, callback_ctx
->controls
);
1030 result
= LDB_SUCCESS
;
1032 DEBUG(10,("SearchRequest: error\n"));
1033 result
= map_ldb_error(local_ctx
, ldb_ret
, ldb_errstring(samdb
),
1037 done
->resultcode
= result
;
1038 done
->errormessage
= (errstr
?talloc_strdup(done_r
, errstr
):NULL
);
1040 talloc_free(local_ctx
);
1042 return ldapsrv_queue_reply_forced(call
, done_r
);
1045 static NTSTATUS
ldapsrv_ModifyRequest(struct ldapsrv_call
*call
)
1047 struct ldap_ModifyRequest
*req
= &call
->request
->r
.ModifyRequest
;
1048 struct ldap_Result
*modify_result
;
1049 struct ldapsrv_reply
*modify_reply
;
1050 TALLOC_CTX
*local_ctx
;
1051 struct ldb_context
*samdb
= call
->conn
->ldb
;
1052 struct ldb_message
*msg
= NULL
;
1054 const char *errstr
= NULL
;
1055 int result
= LDAP_SUCCESS
;
1058 struct ldb_result
*res
= NULL
;
1060 DEBUG(10, ("ModifyRequest"));
1061 DEBUGADD(10, (" dn: %s\n", req
->dn
));
1063 local_ctx
= talloc_named(call
, 0, "ModifyRequest local memory context");
1064 NT_STATUS_HAVE_NO_MEMORY(local_ctx
);
1066 dn
= ldb_dn_new(local_ctx
, samdb
, req
->dn
);
1067 NT_STATUS_HAVE_NO_MEMORY(dn
);
1069 DEBUG(10, ("ModifyRequest: dn: [%s]\n", req
->dn
));
1071 msg
= ldb_msg_new(local_ctx
);
1072 NT_STATUS_HAVE_NO_MEMORY(msg
);
1076 if (req
->num_mods
> 0) {
1077 msg
->num_elements
= req
->num_mods
;
1078 msg
->elements
= talloc_array(msg
, struct ldb_message_element
, req
->num_mods
);
1079 NT_STATUS_HAVE_NO_MEMORY(msg
->elements
);
1081 for (i
=0; i
< msg
->num_elements
; i
++) {
1082 msg
->elements
[i
].name
= discard_const_p(char, req
->mods
[i
].attrib
.name
);
1083 msg
->elements
[i
].num_values
= 0;
1084 msg
->elements
[i
].values
= NULL
;
1086 switch (req
->mods
[i
].type
) {
1088 result
= LDAP_PROTOCOL_ERROR
;
1089 map_ldb_error(local_ctx
,
1090 LDB_ERR_PROTOCOL_ERROR
, NULL
, &errstr
);
1091 errstr
= talloc_asprintf(local_ctx
,
1092 "%s. Invalid LDAP_MODIFY_* type", errstr
);
1094 case LDAP_MODIFY_ADD
:
1095 msg
->elements
[i
].flags
= LDB_FLAG_MOD_ADD
;
1097 case LDAP_MODIFY_DELETE
:
1098 msg
->elements
[i
].flags
= LDB_FLAG_MOD_DELETE
;
1100 case LDAP_MODIFY_REPLACE
:
1101 msg
->elements
[i
].flags
= LDB_FLAG_MOD_REPLACE
;
1105 msg
->elements
[i
].num_values
= req
->mods
[i
].attrib
.num_values
;
1106 if (msg
->elements
[i
].num_values
> 0) {
1107 msg
->elements
[i
].values
= talloc_array(msg
->elements
, struct ldb_val
,
1108 msg
->elements
[i
].num_values
);
1109 NT_STATUS_HAVE_NO_MEMORY(msg
->elements
[i
].values
);
1111 for (j
=0; j
< msg
->elements
[i
].num_values
; j
++) {
1112 msg
->elements
[i
].values
[j
].length
= req
->mods
[i
].attrib
.values
[j
].length
;
1113 msg
->elements
[i
].values
[j
].data
= req
->mods
[i
].attrib
.values
[j
].data
;
1120 modify_reply
= ldapsrv_init_reply(call
, LDAP_TAG_ModifyResponse
);
1121 NT_STATUS_HAVE_NO_MEMORY(modify_reply
);
1123 if (result
== LDAP_SUCCESS
) {
1124 res
= talloc_zero(local_ctx
, struct ldb_result
);
1125 NT_STATUS_HAVE_NO_MEMORY(res
);
1126 ldb_ret
= ldapsrv_mod_with_controls(call
, msg
, call
->request
->controls
, res
);
1127 result
= map_ldb_error(local_ctx
, ldb_ret
, ldb_errstring(samdb
),
1131 modify_result
= &modify_reply
->msg
->r
.ModifyResponse
;
1132 modify_result
->dn
= NULL
;
1133 if ((res
!= NULL
) && (res
->refs
!= NULL
)) {
1134 modify_result
->resultcode
= map_ldb_error(local_ctx
,
1137 modify_result
->errormessage
= (errstr
?talloc_strdup(modify_reply
, errstr
):NULL
);
1138 modify_result
->referral
= talloc_strdup(call
, *res
->refs
);
1140 modify_result
->resultcode
= result
;
1141 modify_result
->errormessage
= (errstr
?talloc_strdup(modify_reply
, errstr
):NULL
);
1142 modify_result
->referral
= NULL
;
1144 talloc_free(local_ctx
);
1146 return ldapsrv_queue_reply(call
, modify_reply
);
1150 static NTSTATUS
ldapsrv_AddRequest(struct ldapsrv_call
*call
)
1152 struct ldap_AddRequest
*req
= &call
->request
->r
.AddRequest
;
1153 struct ldap_Result
*add_result
;
1154 struct ldapsrv_reply
*add_reply
;
1155 TALLOC_CTX
*local_ctx
;
1156 struct ldb_context
*samdb
= call
->conn
->ldb
;
1157 struct ldb_message
*msg
= NULL
;
1159 const char *errstr
= NULL
;
1160 int result
= LDAP_SUCCESS
;
1163 struct ldb_result
*res
= NULL
;
1165 DEBUG(10, ("AddRequest"));
1166 DEBUGADD(10, (" dn: %s\n", req
->dn
));
1168 local_ctx
= talloc_named(call
, 0, "AddRequest local memory context");
1169 NT_STATUS_HAVE_NO_MEMORY(local_ctx
);
1171 dn
= ldb_dn_new(local_ctx
, samdb
, req
->dn
);
1172 NT_STATUS_HAVE_NO_MEMORY(dn
);
1174 DEBUG(10, ("AddRequest: dn: [%s]\n", req
->dn
));
1176 msg
= talloc(local_ctx
, struct ldb_message
);
1177 NT_STATUS_HAVE_NO_MEMORY(msg
);
1180 msg
->num_elements
= 0;
1181 msg
->elements
= NULL
;
1183 if (req
->num_attributes
> 0) {
1184 msg
->num_elements
= req
->num_attributes
;
1185 msg
->elements
= talloc_array(msg
, struct ldb_message_element
, msg
->num_elements
);
1186 NT_STATUS_HAVE_NO_MEMORY(msg
->elements
);
1188 for (i
=0; i
< msg
->num_elements
; i
++) {
1189 msg
->elements
[i
].name
= discard_const_p(char, req
->attributes
[i
].name
);
1190 msg
->elements
[i
].flags
= 0;
1191 msg
->elements
[i
].num_values
= 0;
1192 msg
->elements
[i
].values
= NULL
;
1194 if (req
->attributes
[i
].num_values
> 0) {
1195 msg
->elements
[i
].num_values
= req
->attributes
[i
].num_values
;
1196 msg
->elements
[i
].values
= talloc_array(msg
->elements
, struct ldb_val
,
1197 msg
->elements
[i
].num_values
);
1198 NT_STATUS_HAVE_NO_MEMORY(msg
->elements
[i
].values
);
1200 for (j
=0; j
< msg
->elements
[i
].num_values
; j
++) {
1201 msg
->elements
[i
].values
[j
].length
= req
->attributes
[i
].values
[j
].length
;
1202 msg
->elements
[i
].values
[j
].data
= req
->attributes
[i
].values
[j
].data
;
1208 add_reply
= ldapsrv_init_reply(call
, LDAP_TAG_AddResponse
);
1209 NT_STATUS_HAVE_NO_MEMORY(add_reply
);
1211 if (result
== LDAP_SUCCESS
) {
1212 res
= talloc_zero(local_ctx
, struct ldb_result
);
1213 NT_STATUS_HAVE_NO_MEMORY(res
);
1214 ldb_ret
= ldapsrv_add_with_controls(call
, msg
, call
->request
->controls
, res
);
1215 result
= map_ldb_error(local_ctx
, ldb_ret
, ldb_errstring(samdb
),
1219 add_result
= &add_reply
->msg
->r
.AddResponse
;
1220 add_result
->dn
= NULL
;
1221 if ((res
!= NULL
) && (res
->refs
!= NULL
)) {
1222 add_result
->resultcode
= map_ldb_error(local_ctx
,
1223 LDB_ERR_REFERRAL
, NULL
,
1225 add_result
->errormessage
= (errstr
?talloc_strdup(add_reply
,errstr
):NULL
);
1226 add_result
->referral
= talloc_strdup(call
, *res
->refs
);
1228 add_result
->resultcode
= result
;
1229 add_result
->errormessage
= (errstr
?talloc_strdup(add_reply
,errstr
):NULL
);
1230 add_result
->referral
= NULL
;
1232 talloc_free(local_ctx
);
1234 return ldapsrv_queue_reply(call
, add_reply
);
1238 static NTSTATUS
ldapsrv_DelRequest(struct ldapsrv_call
*call
)
1240 struct ldap_DelRequest
*req
= &call
->request
->r
.DelRequest
;
1241 struct ldap_Result
*del_result
;
1242 struct ldapsrv_reply
*del_reply
;
1243 TALLOC_CTX
*local_ctx
;
1244 struct ldb_context
*samdb
= call
->conn
->ldb
;
1246 const char *errstr
= NULL
;
1247 int result
= LDAP_SUCCESS
;
1249 struct ldb_result
*res
= NULL
;
1251 DEBUG(10, ("DelRequest"));
1252 DEBUGADD(10, (" dn: %s\n", req
->dn
));
1254 local_ctx
= talloc_named(call
, 0, "DelRequest local memory context");
1255 NT_STATUS_HAVE_NO_MEMORY(local_ctx
);
1257 dn
= ldb_dn_new(local_ctx
, samdb
, req
->dn
);
1258 NT_STATUS_HAVE_NO_MEMORY(dn
);
1260 DEBUG(10, ("DelRequest: dn: [%s]\n", req
->dn
));
1262 del_reply
= ldapsrv_init_reply(call
, LDAP_TAG_DelResponse
);
1263 NT_STATUS_HAVE_NO_MEMORY(del_reply
);
1265 if (result
== LDAP_SUCCESS
) {
1266 res
= talloc_zero(local_ctx
, struct ldb_result
);
1267 NT_STATUS_HAVE_NO_MEMORY(res
);
1268 ldb_ret
= ldapsrv_del_with_controls(call
, dn
, call
->request
->controls
, res
);
1269 result
= map_ldb_error(local_ctx
, ldb_ret
, ldb_errstring(samdb
),
1273 del_result
= &del_reply
->msg
->r
.DelResponse
;
1274 del_result
->dn
= NULL
;
1275 if ((res
!= NULL
) && (res
->refs
!= NULL
)) {
1276 del_result
->resultcode
= map_ldb_error(local_ctx
,
1277 LDB_ERR_REFERRAL
, NULL
,
1279 del_result
->errormessage
= (errstr
?talloc_strdup(del_reply
,errstr
):NULL
);
1280 del_result
->referral
= talloc_strdup(call
, *res
->refs
);
1282 del_result
->resultcode
= result
;
1283 del_result
->errormessage
= (errstr
?talloc_strdup(del_reply
,errstr
):NULL
);
1284 del_result
->referral
= NULL
;
1287 talloc_free(local_ctx
);
1289 return ldapsrv_queue_reply(call
, del_reply
);
1292 static NTSTATUS
ldapsrv_ModifyDNRequest(struct ldapsrv_call
*call
)
1294 struct ldap_ModifyDNRequest
*req
= &call
->request
->r
.ModifyDNRequest
;
1295 struct ldap_Result
*modifydn
;
1296 struct ldapsrv_reply
*modifydn_r
;
1297 TALLOC_CTX
*local_ctx
;
1298 struct ldb_context
*samdb
= call
->conn
->ldb
;
1299 struct ldb_dn
*olddn
, *newdn
=NULL
, *newrdn
;
1300 struct ldb_dn
*parentdn
= NULL
;
1301 const char *errstr
= NULL
;
1302 int result
= LDAP_SUCCESS
;
1304 struct ldb_result
*res
= NULL
;
1306 DEBUG(10, ("ModifyDNRequest"));
1307 DEBUGADD(10, (" dn: %s", req
->dn
));
1308 DEBUGADD(10, (" newrdn: %s\n", req
->newrdn
));
1310 local_ctx
= talloc_named(call
, 0, "ModifyDNRequest local memory context");
1311 NT_STATUS_HAVE_NO_MEMORY(local_ctx
);
1313 olddn
= ldb_dn_new(local_ctx
, samdb
, req
->dn
);
1314 NT_STATUS_HAVE_NO_MEMORY(olddn
);
1316 newrdn
= ldb_dn_new(local_ctx
, samdb
, req
->newrdn
);
1317 NT_STATUS_HAVE_NO_MEMORY(newrdn
);
1319 DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req
->dn
));
1320 DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req
->newrdn
));
1322 if (ldb_dn_get_comp_num(newrdn
) == 0) {
1323 result
= LDAP_PROTOCOL_ERROR
;
1324 map_ldb_error(local_ctx
, LDB_ERR_PROTOCOL_ERROR
, NULL
,
1329 if (ldb_dn_get_comp_num(newrdn
) > 1) {
1330 result
= LDAP_NAMING_VIOLATION
;
1331 map_ldb_error(local_ctx
, LDB_ERR_NAMING_VIOLATION
, NULL
,
1336 /* we can't handle the rename if we should not remove the old dn */
1337 if (!req
->deleteolddn
) {
1338 result
= LDAP_UNWILLING_TO_PERFORM
;
1339 map_ldb_error(local_ctx
, LDB_ERR_UNWILLING_TO_PERFORM
, NULL
,
1341 errstr
= talloc_asprintf(local_ctx
,
1342 "%s. Old RDN must be deleted", errstr
);
1346 if (req
->newsuperior
) {
1347 DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req
->newsuperior
));
1348 parentdn
= ldb_dn_new(local_ctx
, samdb
, req
->newsuperior
);
1352 parentdn
= ldb_dn_get_parent(local_ctx
, olddn
);
1355 result
= LDAP_NO_SUCH_OBJECT
;
1356 map_ldb_error(local_ctx
, LDB_ERR_NO_SUCH_OBJECT
, NULL
, &errstr
);
1360 if ( ! ldb_dn_add_child(parentdn
, newrdn
)) {
1361 result
= LDAP_OTHER
;
1362 map_ldb_error(local_ctx
, LDB_ERR_OTHER
, NULL
, &errstr
);
1368 modifydn_r
= ldapsrv_init_reply(call
, LDAP_TAG_ModifyDNResponse
);
1369 NT_STATUS_HAVE_NO_MEMORY(modifydn_r
);
1371 if (result
== LDAP_SUCCESS
) {
1372 res
= talloc_zero(local_ctx
, struct ldb_result
);
1373 NT_STATUS_HAVE_NO_MEMORY(res
);
1374 ldb_ret
= ldapsrv_rename_with_controls(call
, olddn
, newdn
, call
->request
->controls
, res
);
1375 result
= map_ldb_error(local_ctx
, ldb_ret
, ldb_errstring(samdb
),
1379 modifydn
= &modifydn_r
->msg
->r
.ModifyDNResponse
;
1380 modifydn
->dn
= NULL
;
1381 if ((res
!= NULL
) && (res
->refs
!= NULL
)) {
1382 modifydn
->resultcode
= map_ldb_error(local_ctx
,
1383 LDB_ERR_REFERRAL
, NULL
,
1385 modifydn
->errormessage
= (errstr
?talloc_strdup(modifydn_r
,errstr
):NULL
);
1386 modifydn
->referral
= talloc_strdup(call
, *res
->refs
);
1388 modifydn
->resultcode
= result
;
1389 modifydn
->errormessage
= (errstr
?talloc_strdup(modifydn_r
,errstr
):NULL
);
1390 modifydn
->referral
= NULL
;
1393 talloc_free(local_ctx
);
1395 return ldapsrv_queue_reply(call
, modifydn_r
);
1398 static NTSTATUS
ldapsrv_CompareRequest(struct ldapsrv_call
*call
)
1400 struct ldap_CompareRequest
*req
= &call
->request
->r
.CompareRequest
;
1401 struct ldap_Result
*compare
;
1402 struct ldapsrv_reply
*compare_r
;
1403 TALLOC_CTX
*local_ctx
;
1404 struct ldb_context
*samdb
= call
->conn
->ldb
;
1405 struct ldb_result
*res
= NULL
;
1407 const char *attrs
[1];
1408 const char *errstr
= NULL
;
1409 const char *filter
= NULL
;
1410 int result
= LDAP_SUCCESS
;
1413 DEBUG(10, ("CompareRequest"));
1414 DEBUGADD(10, (" dn: %s\n", req
->dn
));
1416 local_ctx
= talloc_named(call
, 0, "CompareRequest local_memory_context");
1417 NT_STATUS_HAVE_NO_MEMORY(local_ctx
);
1419 dn
= ldb_dn_new(local_ctx
, samdb
, req
->dn
);
1420 NT_STATUS_HAVE_NO_MEMORY(dn
);
1422 DEBUG(10, ("CompareRequest: dn: [%s]\n", req
->dn
));
1423 filter
= talloc_asprintf(local_ctx
, "(%s=%*s)", req
->attribute
,
1424 (int)req
->value
.length
, req
->value
.data
);
1425 NT_STATUS_HAVE_NO_MEMORY(filter
);
1427 DEBUGADD(10, ("CompareRequest: attribute: [%s]\n", filter
));
1431 compare_r
= ldapsrv_init_reply(call
, LDAP_TAG_CompareResponse
);
1432 NT_STATUS_HAVE_NO_MEMORY(compare_r
);
1434 if (result
== LDAP_SUCCESS
) {
1435 ldb_ret
= ldb_search(samdb
, local_ctx
, &res
,
1436 dn
, LDB_SCOPE_BASE
, attrs
, "%s", filter
);
1437 if (ldb_ret
!= LDB_SUCCESS
) {
1438 result
= map_ldb_error(local_ctx
, ldb_ret
,
1439 ldb_errstring(samdb
), &errstr
);
1440 DEBUG(10,("CompareRequest: error: %s\n", errstr
));
1441 } else if (res
->count
== 0) {
1442 DEBUG(10,("CompareRequest: doesn't matched\n"));
1443 result
= LDAP_COMPARE_FALSE
;
1445 } else if (res
->count
== 1) {
1446 DEBUG(10,("CompareRequest: matched\n"));
1447 result
= LDAP_COMPARE_TRUE
;
1449 } else if (res
->count
> 1) {
1450 result
= LDAP_OTHER
;
1451 map_ldb_error(local_ctx
, LDB_ERR_OTHER
, NULL
, &errstr
);
1452 errstr
= talloc_asprintf(local_ctx
,
1453 "%s. Too many objects match!", errstr
);
1454 DEBUG(10,("CompareRequest: %d results: %s\n", res
->count
, errstr
));
1458 compare
= &compare_r
->msg
->r
.CompareResponse
;
1460 compare
->resultcode
= result
;
1461 compare
->errormessage
= (errstr
?talloc_strdup(compare_r
,errstr
):NULL
);
1462 compare
->referral
= NULL
;
1464 talloc_free(local_ctx
);
1466 return ldapsrv_queue_reply(call
, compare_r
);
1469 static NTSTATUS
ldapsrv_AbandonRequest(struct ldapsrv_call
*call
)
1471 struct ldap_AbandonRequest
*req
= &call
->request
->r
.AbandonRequest
;
1472 struct ldapsrv_call
*c
= NULL
;
1473 struct ldapsrv_call
*n
= NULL
;
1475 DEBUG(10, ("AbandonRequest\n"));
1477 for (c
= call
->conn
->pending_calls
; c
!= NULL
; c
= n
) {
1480 if (c
->request
->messageid
!= req
->messageid
) {
1484 DLIST_REMOVE(call
->conn
->pending_calls
, c
);
1488 return NT_STATUS_OK
;
1491 static NTSTATUS
ldapsrv_expired(struct ldapsrv_call
*call
)
1493 struct ldapsrv_reply
*reply
= NULL
;
1494 struct ldap_ExtendedResponse
*r
= NULL
;
1496 DBG_DEBUG("Sending connection expired message\n");
1498 reply
= ldapsrv_init_reply(call
, LDAP_TAG_ExtendedResponse
);
1499 if (reply
== NULL
) {
1500 return NT_STATUS_NO_MEMORY
;
1504 * According to RFC4511 section 4.4.1 this has a msgid of 0
1506 reply
->msg
->messageid
= 0;
1508 r
= &reply
->msg
->r
.ExtendedResponse
;
1509 r
->response
.resultcode
= LDB_ERR_UNAVAILABLE
;
1510 r
->response
.errormessage
= "The server has timed out this connection";
1511 r
->oid
= "1.3.6.1.4.1.1466.20036"; /* see rfc4511 section 4.4.1 */
1513 ldapsrv_queue_reply(call
, reply
);
1514 return NT_STATUS_OK
;
1517 NTSTATUS
ldapsrv_do_call(struct ldapsrv_call
*call
)
1520 struct ldap_message
*msg
= call
->request
;
1521 struct ldapsrv_connection
*conn
= call
->conn
;
1525 expired
= timeval_expired(&conn
->limits
.expire_time
);
1527 status
= ldapsrv_expired(call
);
1528 if (!NT_STATUS_IS_OK(status
)) {
1531 return NT_STATUS_NETWORK_SESSION_EXPIRED
;
1534 /* Check for undecoded critical extensions */
1535 for (i
=0; msg
->controls
&& msg
->controls
[i
]; i
++) {
1536 if (!msg
->controls_decoded
[i
] &&
1537 msg
->controls
[i
]->critical
) {
1538 DEBUG(3, ("ldapsrv_do_call: Critical extension %s is not known to this server\n",
1539 msg
->controls
[i
]->oid
));
1540 return ldapsrv_unwilling(call
, LDAP_UNAVAILABLE_CRITICAL_EXTENSION
);
1544 if (call
->conn
->authz_logged
== false) {
1548 * We do not want to log anonymous access if the query
1549 * is just for the rootDSE, or it is a startTLS or a
1552 * A rootDSE search could also be done over
1553 * CLDAP anonymously for example, so these don't
1555 * Essentially we want to know about
1556 * access beyond that normally done prior to a
1560 switch(call
->request
->type
) {
1561 case LDAP_TAG_BindRequest
:
1562 case LDAP_TAG_UnbindRequest
:
1563 case LDAP_TAG_AbandonRequest
:
1566 case LDAP_TAG_ExtendedResponse
: {
1567 struct ldap_ExtendedRequest
*req
= &call
->request
->r
.ExtendedRequest
;
1568 if (strcmp(req
->oid
, LDB_EXTENDED_START_TLS_OID
) == 0) {
1573 case LDAP_TAG_SearchRequest
: {
1574 struct ldap_SearchRequest
*req
= &call
->request
->r
.SearchRequest
;
1575 if (req
->scope
== LDAP_SEARCH_SCOPE_BASE
) {
1576 if (req
->basedn
[0] == '\0') {
1587 const char *transport_protection
= AUTHZ_TRANSPORT_PROTECTION_NONE
;
1588 if (call
->conn
->sockets
.active
== call
->conn
->sockets
.tls
) {
1589 transport_protection
= AUTHZ_TRANSPORT_PROTECTION_TLS
;
1592 log_successful_authz_event(call
->conn
->connection
->msg_ctx
,
1593 call
->conn
->connection
->lp_ctx
,
1594 call
->conn
->connection
->remote_address
,
1595 call
->conn
->connection
->local_address
,
1598 transport_protection
,
1599 call
->conn
->session_info
);
1601 call
->conn
->authz_logged
= true;
1605 switch(call
->request
->type
) {
1606 case LDAP_TAG_BindRequest
:
1607 return ldapsrv_BindRequest(call
);
1608 case LDAP_TAG_UnbindRequest
:
1609 return ldapsrv_UnbindRequest(call
);
1610 case LDAP_TAG_SearchRequest
:
1611 return ldapsrv_SearchRequest(call
);
1612 case LDAP_TAG_ModifyRequest
:
1613 status
= ldapsrv_ModifyRequest(call
);
1615 case LDAP_TAG_AddRequest
:
1616 status
= ldapsrv_AddRequest(call
);
1618 case LDAP_TAG_DelRequest
:
1619 status
= ldapsrv_DelRequest(call
);
1621 case LDAP_TAG_ModifyDNRequest
:
1622 status
= ldapsrv_ModifyDNRequest(call
);
1624 case LDAP_TAG_CompareRequest
:
1625 return ldapsrv_CompareRequest(call
);
1626 case LDAP_TAG_AbandonRequest
:
1627 return ldapsrv_AbandonRequest(call
);
1628 case LDAP_TAG_ExtendedRequest
:
1629 status
= ldapsrv_ExtendedRequest(call
);
1632 return ldapsrv_unwilling(call
, LDAP_PROTOCOL_ERROR
);
1635 if (NT_STATUS_IS_OK(status
)) {
1636 ldapsrv_notification_retry_setup(call
->conn
->service
, true);