4 Copyright (C) Simo Sorce 2005-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007-2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb extended dn control module
26 * Description: this module builds a special dn for returned search
27 * results nad creates the special DN in the backend store for new
30 * This also has the curious result that we convert <SID=S-1-2-345>
31 * in an attribute value into a normal DN for the rest of the stack
39 #include "ldb/include/ldb.h"
40 #include "ldb/include/ldb_errors.h"
41 #include "ldb/include/ldb_module.h"
42 #include "librpc/gen_ndr/ndr_misc.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "libcli/security/security.h"
48 struct extended_dn_replace_list
{
49 struct extended_dn_replace_list
*next
;
50 struct dsdb_dn
*dsdb_dn
;
52 struct ldb_val
*replace_dn
;
53 struct extended_dn_context
*ac
;
54 struct ldb_request
*search_req
;
58 struct extended_dn_context
{
59 const struct dsdb_schema
*schema
;
60 struct ldb_module
*module
;
61 struct ldb_request
*req
;
62 struct ldb_request
*new_req
;
64 struct extended_dn_replace_list
*ops
;
65 struct extended_dn_replace_list
*cur
;
69 static struct extended_dn_context
*extended_dn_context_init(struct ldb_module
*module
,
70 struct ldb_request
*req
)
72 struct extended_dn_context
*ac
;
74 ac
= talloc_zero(req
, struct extended_dn_context
);
76 ldb_oom(ldb_module_get_ctx(module
));
80 ac
->schema
= dsdb_get_schema(ldb_module_get_ctx(module
));
87 /* An extra layer of indirection because LDB does not allow the original request to be altered */
89 static int extended_final_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
91 int ret
= LDB_ERR_OPERATIONS_ERROR
;
92 struct extended_dn_context
*ac
;
93 ac
= talloc_get_type(req
->context
, struct extended_dn_context
);
95 if (ares
->error
!= LDB_SUCCESS
) {
96 ret
= ldb_module_done(ac
->req
, ares
->controls
,
97 ares
->response
, ares
->error
);
100 case LDB_REPLY_ENTRY
:
102 ret
= ldb_module_send_entry(ac
->req
, ares
->message
, ares
->controls
);
104 case LDB_REPLY_REFERRAL
:
106 ret
= ldb_module_send_referral(ac
->req
, ares
->referral
);
110 ret
= ldb_module_done(ac
->req
, ares
->controls
,
111 ares
->response
, ares
->error
);
118 static int extended_replace_dn(struct ldb_request
*req
, struct ldb_reply
*ares
)
120 struct extended_dn_replace_list
*os
= talloc_get_type(req
->context
,
121 struct extended_dn_replace_list
);
124 return ldb_module_done(os
->ac
->req
, NULL
, NULL
,
125 LDB_ERR_OPERATIONS_ERROR
);
127 if (ares
->error
== LDB_ERR_NO_SUCH_OBJECT
) {
128 /* Don't worry too much about dangling references */
130 ldb_reset_err_string(ldb_module_get_ctx(os
->ac
->module
));
132 struct extended_dn_replace_list
*next
;
139 return ldb_next_request(os
->ac
->module
, next
->search_req
);
141 /* Otherwise, we are done - let's run the
142 * request now we have swapped the DNs for the
144 return ldb_next_request(os
->ac
->module
, os
->ac
->req
);
147 if (ares
->error
!= LDB_SUCCESS
) {
148 return ldb_module_done(os
->ac
->req
, ares
->controls
,
149 ares
->response
, ares
->error
);
152 /* Only entries are interesting, and we only want the olddn */
153 switch (ares
->type
) {
154 case LDB_REPLY_ENTRY
:
156 /* This *must* be the right DN, as this is a base
157 * search. We can't check, as it could be an extended
158 * DN, so a module below will resolve it */
159 struct ldb_dn
*dn
= ares
->message
->dn
;
161 /* Rebuild with the string or binary 'extra part' the
162 * DN may have had as a prefix */
163 struct dsdb_dn
*dsdb_dn
= dsdb_dn_construct(ares
, dn
,
164 os
->dsdb_dn
->extra_part
,
167 /* Replace the DN with the extended version of the DN
168 * (ie, add SID and GUID) */
169 *os
->replace_dn
= data_blob_string_const(
170 dsdb_dn_get_extended_linearized(os
->mem_ctx
,
172 talloc_free(dsdb_dn
);
174 if (os
->replace_dn
->data
== NULL
) {
175 return ldb_module_done(os
->ac
->req
, NULL
, NULL
,
176 LDB_ERR_OPERATIONS_ERROR
);
180 case LDB_REPLY_REFERRAL
:
188 /* Run the next search */
191 struct extended_dn_replace_list
*next
;
198 return ldb_next_request(os
->ac
->module
, next
->search_req
);
200 /* Otherwise, we are done - let's run the
201 * request now we have swapped the DNs for the
203 return ldb_next_request(os
->ac
->module
, os
->ac
->new_req
);
211 /* We have a 'normal' DN in the inbound request. We need to find out
212 * what the GUID and SID are on the DN it points to, so we can
213 * construct an extended DN for storage.
215 * This creates a list of DNs to look up, and the plain DN to replace
218 static int extended_store_replace(struct extended_dn_context
*ac
,
219 TALLOC_CTX
*callback_mem_ctx
,
220 struct ldb_val
*plain_dn
,
225 struct extended_dn_replace_list
*os
;
226 static const char *attrs
[] = {
232 os
= talloc_zero(ac
, struct extended_dn_replace_list
);
234 return LDB_ERR_OPERATIONS_ERROR
;
239 os
->mem_ctx
= callback_mem_ctx
;
241 os
->dsdb_dn
= dsdb_dn_parse(os
, ldb_module_get_ctx(ac
->module
), plain_dn
, oid
);
242 if (!os
->dsdb_dn
|| !ldb_dn_validate(os
->dsdb_dn
->dn
)) {
244 ldb_asprintf_errstring(ldb_module_get_ctx(ac
->module
),
245 "could not parse %.*s as a %s DN", (int)plain_dn
->length
, plain_dn
->data
,
247 return LDB_ERR_INVALID_DN_SYNTAX
;
250 if (is_delete
&& !ldb_dn_has_extended(os
->dsdb_dn
->dn
)) {
251 /* NO need to figure this DN out, this element is
252 * going to be deleted anyway, and becuase it's not
253 * extended, we have enough information to do the
260 os
->replace_dn
= plain_dn
;
262 /* The search request here might happen to be for an
263 * 'extended' style DN, such as <GUID=abced...>. The next
264 * module in the stack will convert this into a normal DN for
266 ret
= ldb_build_search_req(&os
->search_req
,
267 ldb_module_get_ctx(ac
->module
), os
, os
->dsdb_dn
->dn
, LDB_SCOPE_BASE
, NULL
,
268 attrs
, NULL
, os
, extended_replace_dn
,
271 if (ret
!= LDB_SUCCESS
) {
276 ret
= ldb_request_add_control(os
->search_req
,
277 DSDB_CONTROL_DN_STORAGE_FORMAT_OID
,
279 if (ret
!= LDB_SUCCESS
) {
296 static int extended_dn_add(struct ldb_module
*module
, struct ldb_request
*req
)
298 struct extended_dn_context
*ac
;
302 if (ldb_dn_is_special(req
->op
.add
.message
->dn
)) {
303 /* do not manipulate our control entries */
304 return ldb_next_request(module
, req
);
307 ac
= extended_dn_context_init(module
, req
);
309 return LDB_ERR_OPERATIONS_ERROR
;
313 /* without schema, this doesn't make any sense */
315 return ldb_next_request(module
, req
);
318 for (i
=0; i
< req
->op
.add
.message
->num_elements
; i
++) {
319 const struct ldb_message_element
*el
= &req
->op
.add
.message
->elements
[i
];
320 const struct dsdb_attribute
*schema_attr
321 = dsdb_attribute_by_lDAPDisplayName(ac
->schema
, el
->name
);
326 /* We only setup an extended DN GUID on DN elements */
327 if (dsdb_dn_oid_to_format(schema_attr
->syntax
->ldap_oid
) == DSDB_INVALID_DN
) {
331 /* Before we setup a procedure to modify the incoming message, we must copy it */
333 struct ldb_message
*msg
= ldb_msg_copy(ac
, req
->op
.add
.message
);
335 ldb_oom(ldb_module_get_ctx(module
));
336 return LDB_ERR_OPERATIONS_ERROR
;
339 ret
= ldb_build_add_req(&ac
->new_req
, ldb_module_get_ctx(module
), ac
, msg
, req
->controls
, ac
, extended_final_callback
, req
);
340 if (ret
!= LDB_SUCCESS
) {
344 /* Re-calculate el */
345 el
= &ac
->new_req
->op
.add
.message
->elements
[i
];
346 for (j
= 0; j
< el
->num_values
; j
++) {
347 ret
= extended_store_replace(ac
, ac
->new_req
->op
.add
.message
->elements
, &el
->values
[j
],
348 false, schema_attr
->syntax
->ldap_oid
);
349 if (ret
!= LDB_SUCCESS
) {
355 /* if no DNs were set continue */
356 if (ac
->ops
== NULL
) {
358 return ldb_next_request(module
, req
);
361 /* start with the searches */
362 return ldb_next_request(module
, ac
->ops
->search_req
);
366 static int extended_dn_modify(struct ldb_module
*module
, struct ldb_request
*req
)
368 /* Look over list of modifications */
369 /* Find if any are for linked attributes */
370 /* Determine the effect of the modification */
371 /* Apply the modify to the linked entry */
374 struct extended_dn_context
*ac
;
377 if (ldb_dn_is_special(req
->op
.mod
.message
->dn
)) {
378 /* do not manipulate our control entries */
379 return ldb_next_request(module
, req
);
382 ac
= extended_dn_context_init(module
, req
);
384 return LDB_ERR_OPERATIONS_ERROR
;
388 /* without schema, this doesn't make any sense */
389 return ldb_next_request(module
, req
);
392 for (i
=0; i
< req
->op
.mod
.message
->num_elements
; i
++) {
393 const struct ldb_message_element
*el
= &req
->op
.mod
.message
->elements
[i
];
394 const struct dsdb_attribute
*schema_attr
395 = dsdb_attribute_by_lDAPDisplayName(ac
->schema
, el
->name
);
400 /* We only setup an extended DN GUID on these particular DN objects */
401 if (dsdb_dn_oid_to_format(schema_attr
->syntax
->ldap_oid
) == DSDB_INVALID_DN
) {
405 /* Before we setup a procedure to modify the incoming message, we must copy it */
407 struct ldb_message
*msg
= ldb_msg_copy(ac
, req
->op
.mod
.message
);
409 ldb_oom(ldb_module_get_ctx(module
));
410 return LDB_ERR_OPERATIONS_ERROR
;
413 ret
= ldb_build_mod_req(&ac
->new_req
, ldb_module_get_ctx(module
), ac
, msg
, req
->controls
, ac
, extended_final_callback
, req
);
414 if (ret
!= LDB_SUCCESS
) {
418 /* Re-calculate el */
419 el
= &ac
->new_req
->op
.mod
.message
->elements
[i
];
420 /* For each value being added, we need to setup the lookups to fill in the extended DN */
421 for (j
= 0; j
< el
->num_values
; j
++) {
422 /* If we are just going to delete this
423 * element, only do a lookup if
424 * extended_store_replace determines it's an
425 * input of an extended DN */
426 bool is_delete
= ((el
->flags
& LDB_FLAG_MOD_MASK
) == LDB_FLAG_MOD_DELETE
);
428 ret
= extended_store_replace(ac
, req
->op
.mod
.message
->elements
, &el
->values
[j
],
429 is_delete
, schema_attr
->syntax
->ldap_oid
);
430 if (ret
!= LDB_SUCCESS
) {
436 /* if DNs were set continue */
437 if (ac
->ops
== NULL
) {
439 return ldb_next_request(module
, req
);
442 /* start with the searches */
443 return ldb_next_request(module
, ac
->ops
->search_req
);
446 _PUBLIC_
const struct ldb_module_ops ldb_extended_dn_store_module_ops
= {
447 .name
= "extended_dn_store",
448 .add
= extended_dn_add
,
449 .modify
= extended_dn_modify
,