4 Copyright (C) Andrew Tridgell 2004
6 ** NOTE! The following LGPL license applies to the ldb
7 ** library. This does NOT imply that all of Samba is released
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public
21 License along with this library; if not, see <http://www.gnu.org/licenses/>.
27 * Component: ldb search functions
29 * Description: functions to search ldb+tdb databases
31 * Author: Andrew Tridgell
35 #include "ldb_private.h"
37 search the database for a single simple dn.
38 return LDB_ERR_NO_SUCH_OBJECT on record-not-found
39 and LDB_SUCCESS on success
41 int ldb_kv_search_base(struct ldb_module
*module
,
44 struct ldb_dn
**ret_dn
)
48 struct ldb_message
*msg
= NULL
;
50 if (ldb_dn_is_null(dn
)) {
51 return LDB_ERR_NO_SUCH_OBJECT
;
55 * We can't use tdb_exists() directly on a key when the TDB
56 * key is the GUID one, not the DN based one. So we just do a
57 * normal search and avoid most of the allocation with the
58 * LDB_UNPACK_DATA_FLAG_NO_ATTRS flag
60 msg
= ldb_msg_new(module
);
62 return LDB_ERR_OPERATIONS_ERROR
;
65 ret
= ldb_kv_search_dn1(module
, dn
, msg
, LDB_UNPACK_DATA_FLAG_NO_ATTRS
);
66 if (ret
== LDB_SUCCESS
) {
67 const char *dn_linearized
68 = ldb_dn_get_linearized(dn
);
69 const char *msg_dn_linearized
70 = ldb_dn_get_linearized(msg
->dn
);
72 if (strcmp(dn_linearized
, msg_dn_linearized
) == 0) {
74 * Re-use the full incoming DN for
80 * Use the string DN from the unpack, so that
81 * we have a case-exact match of the base
83 *ret_dn
= talloc_steal(mem_ctx
, msg
->dn
);
86 } else if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
96 return LDB_ERR_NO_SUCH_OBJECT
;
99 struct ldb_kv_parse_data_unpack_ctx
{
100 struct ldb_message
*msg
;
101 struct ldb_module
*module
;
102 struct ldb_kv_private
*ldb_kv
;
103 unsigned int unpack_flags
;
106 static int ldb_kv_parse_data_unpack(struct ldb_val key
,
110 struct ldb_kv_parse_data_unpack_ctx
*ctx
= private_data
;
112 struct ldb_context
*ldb
= ldb_module_get_ctx(ctx
->module
);
113 struct ldb_val data_parse
= data
;
115 struct ldb_kv_private
*ldb_kv
= ctx
->ldb_kv
;
117 if ((ldb_kv
->kv_ops
->options
& LDB_KV_OPTION_STABLE_READ_LOCK
) &&
118 (ctx
->unpack_flags
& LDB_UNPACK_DATA_FLAG_READ_LOCKED
) &&
119 !ldb_kv
->kv_ops
->transaction_active(ldb_kv
)) {
121 * In the case where no transactions are active and
122 * we're in a read-lock, we can point directly into
125 * The database can't be changed underneath us and we
126 * will duplicate this data in the call to filter.
129 * - ldb_kv_index_filter
130 * - ldb_kv_search_and_return_base
134 * In every other case, since unpack doesn't memdup, we need
135 * to at least do a memdup on the whole data buffer as that
136 * may change later and the caller needs a stable result.
138 * During transactions, pointers could change and in
139 * TDB, there just aren't the same guarantees.
141 data_parse
.data
= talloc_memdup(ctx
->msg
,
144 if (data_parse
.data
== NULL
) {
145 ldb_debug(ldb
, LDB_DEBUG_ERROR
,
146 "Unable to allocate data(%d) for %*.*s\n",
148 (int)key
.length
, (int)key
.length
, key
.data
);
149 return LDB_ERR_OPERATIONS_ERROR
;
153 ret
= ldb_unpack_data_flags(ldb
, &data_parse
,
154 ctx
->msg
, ctx
->unpack_flags
);
156 if (data_parse
.data
!= data
.data
) {
157 talloc_free(data_parse
.data
);
160 ldb_debug(ldb
, LDB_DEBUG_ERROR
, "Invalid data for index %*.*s\n",
161 (int)key
.length
, (int)key
.length
, key
.data
);
162 return LDB_ERR_OPERATIONS_ERROR
;
168 search the database for a single simple dn, returning all attributes
171 return LDB_ERR_NO_SUCH_OBJECT on record-not-found
172 and LDB_SUCCESS on success
174 int ldb_kv_search_key(struct ldb_module
*module
,
175 struct ldb_kv_private
*ldb_kv
,
176 const struct ldb_val ldb_key
,
177 struct ldb_message
*msg
,
178 unsigned int unpack_flags
)
181 struct ldb_kv_parse_data_unpack_ctx ctx
= {
184 .unpack_flags
= unpack_flags
,
188 memset(msg
, 0, sizeof(*msg
));
190 msg
->num_elements
= 0;
191 msg
->elements
= NULL
;
193 ret
= ldb_kv
->kv_ops
->fetch_and_parse(
194 ldb_kv
, ldb_key
, ldb_kv_parse_data_unpack
, &ctx
);
197 ret
= ldb_kv
->kv_ops
->error(ldb_kv
);
198 if (ret
== LDB_SUCCESS
) {
200 * Just to be sure we don't turn errors
203 return LDB_ERR_OPERATIONS_ERROR
;
206 } else if (ret
!= LDB_SUCCESS
) {
214 search the database for a single simple dn, returning all attributes
217 return LDB_ERR_NO_SUCH_OBJECT on record-not-found
218 and LDB_SUCCESS on success
220 int ldb_kv_search_dn1(struct ldb_module
*module
,
222 struct ldb_message
*msg
,
223 unsigned int unpack_flags
)
225 void *data
= ldb_module_get_private(module
);
226 struct ldb_kv_private
*ldb_kv
=
227 talloc_get_type(data
, struct ldb_kv_private
);
229 uint8_t guid_key
[LDB_KV_GUID_KEY_SIZE
];
230 struct ldb_val key
= {
232 .length
= sizeof(guid_key
)
234 TALLOC_CTX
*tdb_key_ctx
= NULL
;
236 bool valid_dn
= ldb_dn_validate(dn
);
237 if (valid_dn
== false) {
238 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
239 "Invalid Base DN: %s",
240 ldb_dn_get_linearized(dn
));
241 return LDB_ERR_INVALID_DN_SYNTAX
;
244 if (ldb_kv
->cache
->GUID_index_attribute
== NULL
||
245 ldb_dn_is_special(dn
)) {
247 tdb_key_ctx
= talloc_new(msg
);
249 return ldb_module_oom(module
);
253 key
= ldb_kv_key_dn(tdb_key_ctx
, dn
);
255 TALLOC_FREE(tdb_key_ctx
);
256 return LDB_ERR_OPERATIONS_ERROR
;
260 * Look in the index to find the key for this DN.
262 * the tdb_key memory is allocated above, msg is just
263 * used for internal memory.
266 ret
= ldb_kv_key_dn_from_idx(module
, ldb_kv
, msg
, dn
, &key
);
267 if (ret
!= LDB_SUCCESS
) {
272 ret
= ldb_kv_search_key(module
, ldb_kv
, key
, msg
, unpack_flags
);
274 TALLOC_FREE(tdb_key_ctx
);
276 if (ret
!= LDB_SUCCESS
) {
280 if ((unpack_flags
& LDB_UNPACK_DATA_FLAG_NO_DN
) == 0) {
282 msg
->dn
= ldb_dn_copy(msg
, dn
);
285 return LDB_ERR_OPERATIONS_ERROR
;
293 * filter the specified list of attributes from msg,
294 * adding requested attributes, and perhaps all for *,
295 * but not the DN to filtered_msg.
297 int ldb_kv_filter_attrs(struct ldb_context
*ldb
,
298 const struct ldb_message
*msg
,
299 const char *const *attrs
,
300 struct ldb_message
*filtered_msg
)
302 return ldb_filter_attrs(ldb
, msg
, attrs
, filtered_msg
);
306 search function for a non-indexed search
308 static int search_func(struct ldb_kv_private
*ldb_kv
,
313 struct ldb_context
*ldb
;
314 struct ldb_kv_context
*ac
;
315 struct ldb_message
*msg
, *filtered_msg
;
319 ac
= talloc_get_type(state
, struct ldb_kv_context
);
320 ldb
= ldb_module_get_ctx(ac
->module
);
323 * We want to skip @ records early in a search full scan
325 * @ records like @IDXLIST are only available via a base
326 * search on the specific name but the method by which they
327 * were excluded was expensive, after the unpack the DN is
328 * exploded and ldb_match_msg_error() would reject it for
329 * failing to match the scope.
331 * ldb_kv_key_is_normal_record() uses the fact that @ records
332 * have the DN=@ prefix on their TDB/LMDB key to quickly
333 * exclude them from consideration.
335 * (any other non-records are also excluded by the same key
339 if (ldb_kv_key_is_normal_record(key
) == false) {
343 msg
= ldb_msg_new(ac
);
345 ac
->error
= LDB_ERR_OPERATIONS_ERROR
;
349 /* unpack the record */
350 ret
= ldb_unpack_data_flags(ldb
, &val
, msg
,
351 LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC
);
354 ac
->error
= LDB_ERR_OPERATIONS_ERROR
;
359 msg
->dn
= ldb_dn_new(msg
, ldb
,
360 (char *)key
.data
+ 3);
361 if (msg
->dn
== NULL
) {
363 ac
->error
= LDB_ERR_OPERATIONS_ERROR
;
368 /* see if it matches the given expression */
369 ret
= ldb_match_msg_error(ldb
, msg
,
370 ac
->tree
, ac
->base
, ac
->scope
, &matched
);
371 if (ret
!= LDB_SUCCESS
) {
373 ac
->error
= LDB_ERR_OPERATIONS_ERROR
;
381 filtered_msg
= ldb_msg_new(ac
);
382 if (filtered_msg
== NULL
) {
384 return LDB_ERR_OPERATIONS_ERROR
;
387 filtered_msg
->dn
= talloc_steal(filtered_msg
, msg
->dn
);
389 /* filter the attributes that the user wants */
390 ret
= ldb_kv_filter_attrs(ldb
, msg
, ac
->attrs
, filtered_msg
);
394 TALLOC_FREE(filtered_msg
);
395 ac
->error
= LDB_ERR_OPERATIONS_ERROR
;
399 ret
= ldb_module_send_entry(ac
->req
, filtered_msg
, NULL
);
400 if (ret
!= LDB_SUCCESS
) {
401 ac
->request_terminated
= true;
402 /* the callback failed, abort the operation */
403 ac
->error
= LDB_ERR_OPERATIONS_ERROR
;
412 search the database with a LDAP-like expression.
413 this is the "full search" non-indexed variant
415 static int ldb_kv_search_full(struct ldb_kv_context
*ctx
)
417 void *data
= ldb_module_get_private(ctx
->module
);
418 struct ldb_kv_private
*ldb_kv
=
419 talloc_get_type(data
, struct ldb_kv_private
);
422 ctx
->error
= LDB_SUCCESS
;
423 ret
= ldb_kv
->kv_ops
->iterate(ldb_kv
, search_func
, ctx
);
426 return LDB_ERR_OPERATIONS_ERROR
;
432 static int ldb_kv_search_and_return_base(struct ldb_kv_private
*ldb_kv
,
433 struct ldb_kv_context
*ctx
)
435 struct ldb_message
*msg
, *filtered_msg
;
436 struct ldb_context
*ldb
= ldb_module_get_ctx(ctx
->module
);
437 const char *dn_linearized
;
438 const char *msg_dn_linearized
;
442 msg
= ldb_msg_new(ctx
);
444 return LDB_ERR_OPERATIONS_ERROR
;
446 ret
= ldb_kv_search_dn1(ctx
->module
,
449 LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC
|
450 LDB_UNPACK_DATA_FLAG_READ_LOCKED
);
452 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
453 if (ldb_kv
->check_base
== false) {
455 * In this case, we are done, as no base
456 * checking is allowed in this DB
461 ldb_asprintf_errstring(ldb
,
462 "No such Base DN: %s",
463 ldb_dn_get_linearized(ctx
->base
));
465 if (ret
!= LDB_SUCCESS
) {
472 * We use this, not ldb_match_msg_error() as we know
473 * we matched on the scope BASE, as we just fetched
477 ret
= ldb_match_message(ldb
, msg
,
481 if (ret
!= LDB_SUCCESS
) {
490 dn_linearized
= ldb_dn_get_linearized(ctx
->base
);
491 msg_dn_linearized
= ldb_dn_get_linearized(msg
->dn
);
493 filtered_msg
= ldb_msg_new(ctx
);
494 if (filtered_msg
== NULL
) {
496 return LDB_ERR_OPERATIONS_ERROR
;
499 if (strcmp(dn_linearized
, msg_dn_linearized
) == 0) {
501 * If the DN is exactly the same string, then
502 * re-use the full incoming DN for the
503 * returned result, as it has already been
506 filtered_msg
->dn
= ldb_dn_copy(filtered_msg
, ctx
->base
);
510 * If the ldb_dn_copy() failed, or if we did not choose that
511 * optimisation (filtered_msg is zeroed at allocation),
512 * steal the one from the unpack
514 if (filtered_msg
->dn
== NULL
) {
515 filtered_msg
->dn
= talloc_steal(filtered_msg
, msg
->dn
);
519 * filter the attributes that the user wants.
521 ret
= ldb_kv_filter_attrs(ldb
, msg
, ctx
->attrs
, filtered_msg
);
525 return LDB_ERR_OPERATIONS_ERROR
;
529 * Remove any extended components possibly copied in from
530 * msg->dn, we just want the casefold components
532 ldb_dn_remove_extended_components(filtered_msg
->dn
);
535 ret
= ldb_module_send_entry(ctx
->req
, filtered_msg
, NULL
);
536 if (ret
!= LDB_SUCCESS
) {
537 /* Regardless of success or failure, the msg
538 * is the callbacks responsiblity, and should
539 * not be talloc_free()'ed */
540 ctx
->request_terminated
= true;
548 search the database with a LDAP-like expression.
549 choses a search method
551 int ldb_kv_search(struct ldb_kv_context
*ctx
)
553 struct ldb_context
*ldb
;
554 struct ldb_module
*module
= ctx
->module
;
555 struct ldb_request
*req
= ctx
->req
;
556 void *data
= ldb_module_get_private(module
);
557 struct ldb_kv_private
*ldb_kv
=
558 talloc_get_type(data
, struct ldb_kv_private
);
561 ldb
= ldb_module_get_ctx(module
);
563 ldb_request_set_state(req
, LDB_ASYNC_PENDING
);
565 if (ldb_kv
->kv_ops
->lock_read(module
) != 0) {
566 return LDB_ERR_OPERATIONS_ERROR
;
569 if (ldb_kv_cache_load(module
) != 0) {
570 ldb_kv
->kv_ops
->unlock_read(module
);
571 return LDB_ERR_OPERATIONS_ERROR
;
574 if (req
->op
.search
.tree
== NULL
) {
575 ldb_kv
->kv_ops
->unlock_read(module
);
576 return LDB_ERR_OPERATIONS_ERROR
;
579 ctx
->tree
= req
->op
.search
.tree
;
580 ctx
->scope
= req
->op
.search
.scope
;
581 ctx
->base
= req
->op
.search
.base
;
582 ctx
->attrs
= req
->op
.search
.attrs
;
584 if ((req
->op
.search
.base
== NULL
) || (ldb_dn_is_null(req
->op
.search
.base
) == true)) {
586 /* Check what we should do with a NULL dn */
587 switch (req
->op
.search
.scope
) {
589 ldb_asprintf_errstring(ldb
,
590 "NULL Base DN invalid for a base search");
591 ret
= LDB_ERR_INVALID_DN_SYNTAX
;
593 case LDB_SCOPE_ONELEVEL
:
594 ldb_asprintf_errstring(ldb
,
595 "NULL Base DN invalid for a one-level search");
596 ret
= LDB_ERR_INVALID_DN_SYNTAX
;
598 case LDB_SCOPE_SUBTREE
:
600 /* We accept subtree searches from a NULL base DN, ie over the whole DB */
603 } else if (req
->op
.search
.scope
== LDB_SCOPE_BASE
) {
606 * If we are LDB_SCOPE_BASE, do just one search and
607 * return early. This is critical to ensure we do not
608 * go into the index code for special DNs, as that
609 * will try to look up an index record for a special
610 * record (which doesn't exist).
612 ret
= ldb_kv_search_and_return_base(ldb_kv
, ctx
);
614 ldb_kv
->kv_ops
->unlock_read(module
);
618 } else if (ldb_kv
->check_base
) {
620 * This database has been marked as
621 * 'checkBaseOnSearch', so do a spot check of the base
622 * dn. Also optimise the subsequent filter by filling
623 * in the ctx->base to be exactly case correct
625 ret
= ldb_kv_search_base(
626 module
, ctx
, req
->op
.search
.base
, &ctx
->base
);
628 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
629 ldb_asprintf_errstring(ldb
,
630 "No such Base DN: %s",
631 ldb_dn_get_linearized(req
->op
.search
.base
));
634 } else if (ldb_dn_validate(req
->op
.search
.base
) == false) {
636 /* We don't want invalid base DNs here */
637 ldb_asprintf_errstring(ldb
,
638 "Invalid Base DN: %s",
639 ldb_dn_get_linearized(req
->op
.search
.base
));
640 ret
= LDB_ERR_INVALID_DN_SYNTAX
;
643 /* If we are not checking the base DN life is easy */
647 if (ret
== LDB_SUCCESS
) {
648 uint32_t match_count
= 0;
650 ret
= ldb_kv_search_indexed(ctx
, &match_count
);
651 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
652 /* Not in the index, therefore OK! */
656 /* Check if we got just a normal error.
657 * In that case proceed to a full search unless we got a
659 if (!ctx
->request_terminated
&& ret
!= LDB_SUCCESS
) {
660 /* Not indexed, so we need to do a full scan */
661 if (ldb_kv
->warn_unindexed
||
662 ldb_kv
->disable_full_db_scan
) {
663 /* useful for debugging when slow performance
664 * is caused by unindexed searches */
665 char *expression
= ldb_filter_from_tree(ctx
, ctx
->tree
);
666 ldb_debug(ldb
, LDB_DEBUG_ERROR
, "ldb FULL SEARCH: %s SCOPE: %s DN: %s",
668 req
->op
.search
.scope
==LDB_SCOPE_BASE
?"base":
669 req
->op
.search
.scope
==LDB_SCOPE_ONELEVEL
?"one":
670 req
->op
.search
.scope
==LDB_SCOPE_SUBTREE
?"sub":"UNKNOWN",
671 ldb_dn_get_linearized(req
->op
.search
.base
));
673 talloc_free(expression
);
676 if (match_count
!= 0) {
677 /* the indexing code gave an error
678 * after having returned at least one
679 * entry. This means the indexes are
680 * corrupt or a database record is
681 * corrupt. We cannot continue with a
682 * full search or we may return
685 ldb_kv
->kv_ops
->unlock_read(module
);
686 return LDB_ERR_OPERATIONS_ERROR
;
689 if (ldb_kv
->disable_full_db_scan
) {
690 ldb_set_errstring(ldb
,
691 "ldb FULL SEARCH disabled");
692 ldb_kv
->kv_ops
->unlock_read(module
);
693 return LDB_ERR_INAPPROPRIATE_MATCHING
;
696 ret
= ldb_kv_search_full(ctx
);
697 if (ret
!= LDB_SUCCESS
) {
698 ldb_set_errstring(ldb
, "Indexed and full searches both failed!\n");
703 ldb_kv
->kv_ops
->unlock_read(module
);