search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb Use new dsdb_dn code in LDB modules and Samba4 schema
[Samba/cd1.git] / source4 / dsdb / samdb / ldb_modules / extended_dn_store.c
blobef8532c82aecd8b5dfb9c88b19c01ec0ead94e49
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2005-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007-2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Name: ldb
23 *
24 * Component: ldb extended dn control module
25 *
26 * Description: this module builds a special dn for returned search
27 * results nad creates the special DN in the backend store for new
28 * values.
29 *
30 * This also has the curious result that we convert <SID=S-1-2-345>
31 * in an attribute value into a normal DN for the rest of the stack
32 * to process
33 *
34 * Authors: Simo Sorce
35 * Andrew Bartlett
36 */
37
38 #include "includes.h"
39 #include "ldb/include/ldb.h"
40 #include "ldb/include/ldb_errors.h"
41 #include "ldb/include/ldb_module.h"
42 #include "librpc/gen_ndr/ndr_misc.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "libcli/security/security.h"
45
46 #include <time.h>
47
48 struct extended_dn_replace_list {
49 struct extended_dn_replace_list *next;
50 struct dsdb_dn *dsdb_dn;
51 TALLOC_CTX *mem_ctx;
52 struct ldb_val *replace_dn;
53 struct extended_dn_context *ac;
54 struct ldb_request *search_req;
55 };
56
57
58 struct extended_dn_context {
59 const struct dsdb_schema *schema;
60 struct ldb_module *module;
61 struct ldb_request *req;
62 struct ldb_request *new_req;
63
64 struct extended_dn_replace_list *ops;
65 struct extended_dn_replace_list *cur;
66 };
67
68
69 static struct extended_dn_context *extended_dn_context_init(struct ldb_module *module,
70 struct ldb_request *req)
71 {
72 struct extended_dn_context *ac;
73
74 ac = talloc_zero(req, struct extended_dn_context);
75 if (ac == NULL) {
76 ldb_oom(ldb_module_get_ctx(module));
77 return NULL;
78 }
79
80 ac->schema = dsdb_get_schema(ldb_module_get_ctx(module));
81 ac->module = module;
82 ac->req = req;
83
84 return ac;
85 }
86
87 /* An extra layer of indirection because LDB does not allow the original request to be altered */
88
89 static int extended_final_callback(struct ldb_request *req, struct ldb_reply *ares)
90 {
91 int ret = LDB_ERR_OPERATIONS_ERROR;
92 struct extended_dn_context *ac;
93 ac = talloc_get_type(req->context, struct extended_dn_context);
94
95 if (ares->error != LDB_SUCCESS) {
96 ret = ldb_module_done(ac->req, ares->controls,
97 ares->response, ares->error);
98 } else {
99 switch (ares->type) {
100 case LDB_REPLY_ENTRY:
101
102 ret = ldb_module_send_entry(ac->req, ares->message, ares->controls);
103 break;
104 case LDB_REPLY_REFERRAL:
105
106 ret = ldb_module_send_referral(ac->req, ares->referral);
107 break;
108 case LDB_REPLY_DONE:
109
110 ret = ldb_module_done(ac->req, ares->controls,
111 ares->response, ares->error);
112 break;
113 }
114 }
115 return ret;
116 }
117
118 static int extended_replace_dn(struct ldb_request *req, struct ldb_reply *ares)
119 {
120 struct extended_dn_replace_list *os = talloc_get_type(req->context,
121 struct extended_dn_replace_list);
122
123 if (!ares) {
124 return ldb_module_done(os->ac->req, NULL, NULL,
125 LDB_ERR_OPERATIONS_ERROR);
126 }
127 if (ares->error == LDB_ERR_NO_SUCH_OBJECT) {
128 /* Don't worry too much about dangling references */
129
130 ldb_reset_err_string(ldb_module_get_ctx(os->ac->module));
131 if (os->next) {
132 struct extended_dn_replace_list *next;
133
134 next = os->next;
135
136 talloc_free(os);
137
138 os = next;
139 return ldb_next_request(os->ac->module, next->search_req);
140 } else {
141 /* Otherwise, we are done - let's run the
142 * request now we have swapped the DNs for the
143 * full versions */
144 return ldb_next_request(os->ac->module, os->ac->req);
145 }
146 }
147 if (ares->error != LDB_SUCCESS) {
148 return ldb_module_done(os->ac->req, ares->controls,
149 ares->response, ares->error);
150 }
151
152 /* Only entries are interesting, and we only want the olddn */
153 switch (ares->type) {
154 case LDB_REPLY_ENTRY:
155 {
156 /* This *must* be the right DN, as this is a base
157 * search. We can't check, as it could be an extended
158 * DN, so a module below will resolve it */
159 struct ldb_dn *dn = ares->message->dn;
160
161 /* Rebuild with the string or binary 'extra part' the
162 * DN may have had as a prefix */
163 struct dsdb_dn *dsdb_dn = dsdb_dn_construct(ares, dn,
164 os->dsdb_dn->extra_part,
165 os->dsdb_dn->oid);
166 if (dsdb_dn) {
167 /* Replace the DN with the extended version of the DN
168 * (ie, add SID and GUID) */
169 *os->replace_dn = data_blob_string_const(
170 dsdb_dn_get_extended_linearized(os->mem_ctx,
171 dsdb_dn, 1));
172 talloc_free(dsdb_dn);
173 }
174 if (os->replace_dn->data == NULL) {
175 return ldb_module_done(os->ac->req, NULL, NULL,
176 LDB_ERR_OPERATIONS_ERROR);
177 }
178 break;
179 }
180 case LDB_REPLY_REFERRAL:
181 /* ignore */
182 break;
183
184 case LDB_REPLY_DONE:
185
186 talloc_free(ares);
187
188 /* Run the next search */
189
190 if (os->next) {
191 struct extended_dn_replace_list *next;
192
193 next = os->next;
194
195 talloc_free(os);
196
197 os = next;
198 return ldb_next_request(os->ac->module, next->search_req);
199 } else {
200 /* Otherwise, we are done - let's run the
201 * request now we have swapped the DNs for the
202 * full versions */
203 return ldb_next_request(os->ac->module, os->ac->new_req);
204 }
205 }
206
207 talloc_free(ares);
208 return LDB_SUCCESS;
209 }
210
211 /* We have a 'normal' DN in the inbound request. We need to find out
212 * what the GUID and SID are on the DN it points to, so we can
213 * construct an extended DN for storage.
214 *
215 * This creates a list of DNs to look up, and the plain DN to replace
216 */
217
218 static int extended_store_replace(struct extended_dn_context *ac,
219 TALLOC_CTX *callback_mem_ctx,
220 struct ldb_val *plain_dn,
221 bool is_delete,
222 const char *oid)
223 {
224 int ret;
225 struct extended_dn_replace_list *os;
226 static const char *attrs[] = {
227 "objectSid",
228 "objectGUID",
229 NULL
230 };
231
232 os = talloc_zero(ac, struct extended_dn_replace_list);
233 if (!os) {
234 return LDB_ERR_OPERATIONS_ERROR;
235 }
236
237 os->ac = ac;
238
239 os->mem_ctx = callback_mem_ctx;
240
241 os->dsdb_dn = dsdb_dn_parse(os, ldb_module_get_ctx(ac->module), plain_dn, oid);
242 if (!os->dsdb_dn || !ldb_dn_validate(os->dsdb_dn->dn)) {
243 talloc_free(os);
244 ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
245 "could not parse %.*s as a %s DN", (int)plain_dn->length, plain_dn->data,
246 oid);
247 return LDB_ERR_INVALID_DN_SYNTAX;
248 }
249
250 if (is_delete && !ldb_dn_has_extended(os->dsdb_dn->dn)) {
251 /* NO need to figure this DN out, this element is
252 * going to be deleted anyway, and becuase it's not
253 * extended, we have enough information to do the
254 * delete */
255 talloc_free(os);
256 return LDB_SUCCESS;
257 }
258
259
260 os->replace_dn = plain_dn;
261
262 /* The search request here might happen to be for an
263 * 'extended' style DN, such as <GUID=abced...>. The next
264 * module in the stack will convert this into a normal DN for
265 * processing */
266 ret = ldb_build_search_req(&os->search_req,
267 ldb_module_get_ctx(ac->module), os, os->dsdb_dn->dn, LDB_SCOPE_BASE, NULL,
268 attrs, NULL, os, extended_replace_dn,
269 ac->req);
270
271 if (ret != LDB_SUCCESS) {
272 talloc_free(os);
273 return ret;
274 }
275
276 ret = ldb_request_add_control(os->search_req,
277 DSDB_CONTROL_DN_STORAGE_FORMAT_OID,
278 true, NULL);
279 if (ret != LDB_SUCCESS) {
280 talloc_free(os);
281 return ret;
282 }
283
284 if (ac->ops) {
285 ac->cur->next = os;
286 } else {
287 ac->ops = os;
288 }
289 ac->cur = os;
290
291 return LDB_SUCCESS;
292 }
293
294
295 /* add */
296 static int extended_dn_add(struct ldb_module *module, struct ldb_request *req)
297 {
298 struct extended_dn_context *ac;
299 int ret;
300 int i, j;
301
302 if (ldb_dn_is_special(req->op.add.message->dn)) {
303 /* do not manipulate our control entries */
304 return ldb_next_request(module, req);
305 }
306
307 ac = extended_dn_context_init(module, req);
308 if (!ac) {
309 return LDB_ERR_OPERATIONS_ERROR;
310 }
311
312 if (!ac->schema) {
313 /* without schema, this doesn't make any sense */
314 talloc_free(ac);
315 return ldb_next_request(module, req);
316 }
317
318 for (i=0; i < req->op.add.message->num_elements; i++) {
319 const struct ldb_message_element *el = &req->op.add.message->elements[i];
320 const struct dsdb_attribute *schema_attr
321 = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name);
322 if (!schema_attr) {
323 continue;
324 }
325
326 /* We only setup an extended DN GUID on DN elements */
327 if (dsdb_dn_oid_to_format(schema_attr->syntax->ldap_oid) == DSDB_INVALID_DN) {
328 continue;
329 }
330
331 /* Before we setup a procedure to modify the incoming message, we must copy it */
332 if (!ac->new_req) {
333 struct ldb_message *msg = ldb_msg_copy(ac, req->op.add.message);
334 if (!msg) {
335 ldb_oom(ldb_module_get_ctx(module));
336 return LDB_ERR_OPERATIONS_ERROR;
337 }
338
339 ret = ldb_build_add_req(&ac->new_req, ldb_module_get_ctx(module), ac, msg, req->controls, ac, extended_final_callback, req);
340 if (ret != LDB_SUCCESS) {
341 return ret;
342 }
343 }
344 /* Re-calculate el */
345 el = &ac->new_req->op.add.message->elements[i];
346 for (j = 0; j < el->num_values; j++) {
347 ret = extended_store_replace(ac, ac->new_req->op.add.message->elements, &el->values[j],
348 false, schema_attr->syntax->ldap_oid);
349 if (ret != LDB_SUCCESS) {
350 return ret;
351 }
352 }
353 }
354
355 /* if no DNs were set continue */
356 if (ac->ops == NULL) {
357 talloc_free(ac);
358 return ldb_next_request(module, req);
359 }
360
361 /* start with the searches */
362 return ldb_next_request(module, ac->ops->search_req);
363 }
364
365 /* modify */
366 static int extended_dn_modify(struct ldb_module *module, struct ldb_request *req)
367 {
368 /* Look over list of modifications */
369 /* Find if any are for linked attributes */
370 /* Determine the effect of the modification */
371 /* Apply the modify to the linked entry */
372
373 int i, j;
374 struct extended_dn_context *ac;
375 int ret;
376
377 if (ldb_dn_is_special(req->op.mod.message->dn)) {
378 /* do not manipulate our control entries */
379 return ldb_next_request(module, req);
380 }
381
382 ac = extended_dn_context_init(module, req);
383 if (!ac) {
384 return LDB_ERR_OPERATIONS_ERROR;
385 }
386
387 if (!ac->schema) {
388 /* without schema, this doesn't make any sense */
389 return ldb_next_request(module, req);
390 }
391
392 for (i=0; i < req->op.mod.message->num_elements; i++) {
393 const struct ldb_message_element *el = &req->op.mod.message->elements[i];
394 const struct dsdb_attribute *schema_attr
395 = dsdb_attribute_by_lDAPDisplayName(ac->schema, el->name);
396 if (!schema_attr) {
397 continue;
398 }
399
400 /* We only setup an extended DN GUID on these particular DN objects */
401 if (dsdb_dn_oid_to_format(schema_attr->syntax->ldap_oid) == DSDB_INVALID_DN) {
402 continue;
403 }
404
405 /* Before we setup a procedure to modify the incoming message, we must copy it */
406 if (!ac->new_req) {
407 struct ldb_message *msg = ldb_msg_copy(ac, req->op.mod.message);
408 if (!msg) {
409 ldb_oom(ldb_module_get_ctx(module));
410 return LDB_ERR_OPERATIONS_ERROR;
411 }
412
413 ret = ldb_build_mod_req(&ac->new_req, ldb_module_get_ctx(module), ac, msg, req->controls, ac, extended_final_callback, req);
414 if (ret != LDB_SUCCESS) {
415 return ret;
416 }
417 }
418 /* Re-calculate el */
419 el = &ac->new_req->op.mod.message->elements[i];
420 /* For each value being added, we need to setup the lookups to fill in the extended DN */
421 for (j = 0; j < el->num_values; j++) {
422 /* If we are just going to delete this
423 * element, only do a lookup if
424 * extended_store_replace determines it's an
425 * input of an extended DN */
426 bool is_delete = ((el->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE);
427
428 ret = extended_store_replace(ac, req->op.mod.message->elements, &el->values[j],
429 is_delete, schema_attr->syntax->ldap_oid);
430 if (ret != LDB_SUCCESS) {
431 return ret;
432 }
433 }
434 }
435
436 /* if DNs were set continue */
437 if (ac->ops == NULL) {
438 talloc_free(ac);
439 return ldb_next_request(module, req);
440 }
441
442 /* start with the searches */
443 return ldb_next_request(module, ac->ops->search_req);
444 }
445
446 _PUBLIC_ const struct ldb_module_ops ldb_extended_dn_store_module_ops = {
447 .name = "extended_dn_store",
448 .add = extended_dn_add,
449 .modify = extended_dn_modify,
450 };
Crístian's Samba branch