4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: DS Security descriptor module
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
32 * Author: Nadezhda Ivanova
36 #include "ldb_module.h"
37 #include "dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
46 struct descriptor_data
{
50 struct descriptor_context
{
51 struct ldb_module
*module
;
52 struct ldb_request
*req
;
53 struct ldb_reply
*search_res
;
54 struct ldb_reply
*search_oc_res
;
55 struct ldb_val
*parentsd_val
;
56 struct ldb_val
*sd_val
;
57 int (*step_fn
)(struct descriptor_context
*);
60 struct dom_sid
*get_default_ag(TALLOC_CTX
*mem_ctx
,
62 struct security_token
*token
,
63 struct ldb_context
*ldb
)
65 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
66 struct ldb_dn
*root_base_dn
= ldb_get_root_basedn(ldb
);
67 struct ldb_dn
*schema_base_dn
= ldb_get_schema_basedn(ldb
);
68 struct ldb_dn
*config_base_dn
= ldb_get_config_basedn(ldb
);
69 const struct dom_sid
*domain_sid
= samdb_domain_sid(ldb
);
70 struct dom_sid
*da_sid
= dom_sid_add_rid(tmp_ctx
, domain_sid
, DOMAIN_RID_ADMINS
);
71 struct dom_sid
*ea_sid
= dom_sid_add_rid(tmp_ctx
, domain_sid
, DOMAIN_RID_ENTERPRISE_ADMINS
);
72 struct dom_sid
*sa_sid
= dom_sid_add_rid(tmp_ctx
, domain_sid
, DOMAIN_RID_SCHEMA_ADMINS
);
73 struct dom_sid
*dag_sid
;
75 /* FIXME: this has to be fixed regarding the forest DN (root DN) and
76 * the domain DN (default DN) - they aren't always the same. */
78 if (ldb_dn_compare_base(schema_base_dn
, dn
) == 0){
79 if (security_token_has_sid(token
, sa_sid
))
80 dag_sid
= dom_sid_dup(mem_ctx
, sa_sid
);
81 else if (security_token_has_sid(token
, ea_sid
))
82 dag_sid
= dom_sid_dup(mem_ctx
, ea_sid
);
83 else if (security_token_has_sid(token
, da_sid
))
84 dag_sid
= dom_sid_dup(mem_ctx
, da_sid
);
88 else if (ldb_dn_compare_base(config_base_dn
, dn
) == 0){
89 if (security_token_has_sid(token
, ea_sid
))
90 dag_sid
= dom_sid_dup(mem_ctx
, ea_sid
);
91 else if (security_token_has_sid(token
, da_sid
))
92 dag_sid
= dom_sid_dup(mem_ctx
, da_sid
);
96 else if (ldb_dn_compare_base(root_base_dn
, dn
) == 0){
97 if (security_token_has_sid(token
, da_sid
))
98 dag_sid
= dom_sid_dup(mem_ctx
, da_sid
);
99 else if (security_token_has_sid(token
, ea_sid
))
100 dag_sid
= dom_sid_dup(mem_ctx
, ea_sid
);
107 talloc_free(tmp_ctx
);
111 static struct security_descriptor
*get_sd_unpacked(struct ldb_module
*module
, TALLOC_CTX
*mem_ctx
,
112 const struct dsdb_class
*objectclass
)
114 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
115 struct security_descriptor
*sd
;
116 const struct dom_sid
*domain_sid
= samdb_domain_sid(ldb
);
118 if (!objectclass
->defaultSecurityDescriptor
|| !domain_sid
) {
122 sd
= sddl_decode(mem_ctx
,
123 objectclass
->defaultSecurityDescriptor
,
128 static struct dom_sid
*get_default_group(TALLOC_CTX
*mem_ctx
,
129 struct ldb_context
*ldb
,
132 if (dsdb_functional_level(ldb
) >= DS_DOMAIN_FUNCTION_2008
) {
139 static struct security_descriptor
*descr_handle_sd_flags(TALLOC_CTX
*mem_ctx
,
140 struct security_descriptor
*new_sd
,
141 struct security_descriptor
*old_sd
,
144 struct security_descriptor
*final_sd
;
145 /* if there is no control or control == 0 modify everything */
150 final_sd
= talloc_zero(mem_ctx
, struct security_descriptor
);
151 final_sd
->revision
= SECURITY_DESCRIPTOR_REVISION_1
;
152 final_sd
->type
= SEC_DESC_SELF_RELATIVE
;
154 if (sd_flags
& (SECINFO_OWNER
)) {
155 final_sd
->owner_sid
= talloc_memdup(mem_ctx
, new_sd
->owner_sid
, sizeof(struct dom_sid
));
156 final_sd
->type
|= new_sd
->type
& SEC_DESC_OWNER_DEFAULTED
;
159 final_sd
->owner_sid
= talloc_memdup(mem_ctx
, old_sd
->owner_sid
, sizeof(struct dom_sid
));
160 final_sd
->type
|= old_sd
->type
& SEC_DESC_OWNER_DEFAULTED
;
163 if (sd_flags
& (SECINFO_GROUP
)) {
164 final_sd
->group_sid
= talloc_memdup(mem_ctx
, new_sd
->group_sid
, sizeof(struct dom_sid
));
165 final_sd
->type
|= new_sd
->type
& SEC_DESC_GROUP_DEFAULTED
;
168 final_sd
->group_sid
= talloc_memdup(mem_ctx
, old_sd
->group_sid
, sizeof(struct dom_sid
));
169 final_sd
->type
|= old_sd
->type
& SEC_DESC_GROUP_DEFAULTED
;
172 if (sd_flags
& (SECINFO_SACL
)) {
173 final_sd
->sacl
= security_acl_dup(mem_ctx
,new_sd
->sacl
);
174 final_sd
->type
|= new_sd
->type
& (SEC_DESC_SACL_PRESENT
|
175 SEC_DESC_SACL_DEFAULTED
|SEC_DESC_SACL_AUTO_INHERIT_REQ
|
176 SEC_DESC_SACL_AUTO_INHERITED
|SEC_DESC_SACL_PROTECTED
|
177 SEC_DESC_SERVER_SECURITY
);
179 else if (old_sd
&& old_sd
->sacl
) {
180 final_sd
->sacl
= security_acl_dup(mem_ctx
,old_sd
->sacl
);
181 final_sd
->type
|= old_sd
->type
& (SEC_DESC_SACL_PRESENT
|
182 SEC_DESC_SACL_DEFAULTED
|SEC_DESC_SACL_AUTO_INHERIT_REQ
|
183 SEC_DESC_SACL_AUTO_INHERITED
|SEC_DESC_SACL_PROTECTED
|
184 SEC_DESC_SERVER_SECURITY
);
187 if (sd_flags
& (SECINFO_DACL
)) {
188 final_sd
->dacl
= security_acl_dup(mem_ctx
,new_sd
->dacl
);
189 final_sd
->type
|= new_sd
->type
& (SEC_DESC_DACL_PRESENT
|
190 SEC_DESC_DACL_DEFAULTED
|SEC_DESC_DACL_AUTO_INHERIT_REQ
|
191 SEC_DESC_DACL_AUTO_INHERITED
|SEC_DESC_DACL_PROTECTED
|
192 SEC_DESC_DACL_TRUSTED
);
194 else if (old_sd
&& old_sd
->dacl
) {
195 final_sd
->dacl
= security_acl_dup(mem_ctx
,old_sd
->dacl
);
196 final_sd
->type
|= old_sd
->type
& (SEC_DESC_DACL_PRESENT
|
197 SEC_DESC_DACL_DEFAULTED
|SEC_DESC_DACL_AUTO_INHERIT_REQ
|
198 SEC_DESC_DACL_AUTO_INHERITED
|SEC_DESC_DACL_PROTECTED
|
199 SEC_DESC_DACL_TRUSTED
);
201 /* not so sure about this */
202 final_sd
->type
|= new_sd
->type
& SEC_DESC_RM_CONTROL_VALID
;
206 static DATA_BLOB
*get_new_descriptor(struct ldb_module
*module
,
209 const struct dsdb_class
*objectclass
,
210 const struct ldb_val
*parent
,
211 struct ldb_val
*object
,
212 struct ldb_val
*old_sd
,
215 struct security_descriptor
*user_descriptor
= NULL
, *parent_descriptor
= NULL
;
216 struct security_descriptor
*old_descriptor
= NULL
;
217 struct security_descriptor
*new_sd
, *final_sd
;
218 DATA_BLOB
*linear_sd
;
219 enum ndr_err_code ndr_err
;
220 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
221 struct auth_session_info
*session_info
222 = ldb_get_opaque(ldb
, "sessionInfo");
223 const struct dom_sid
*domain_sid
= samdb_domain_sid(ldb
);
225 struct dom_sid
*default_owner
;
226 struct dom_sid
*default_group
;
229 user_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
230 if (!user_descriptor
) {
233 ndr_err
= ndr_pull_struct_blob(object
, user_descriptor
,
235 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
237 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
238 talloc_free(user_descriptor
);
242 user_descriptor
= get_sd_unpacked(module
, mem_ctx
, objectclass
);
246 old_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
247 if (!old_descriptor
) {
250 ndr_err
= ndr_pull_struct_blob(old_sd
, old_descriptor
,
252 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
254 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
255 talloc_free(old_descriptor
);
261 parent_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
262 if (!parent_descriptor
) {
265 ndr_err
= ndr_pull_struct_blob(parent
, parent_descriptor
,
267 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
269 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
270 talloc_free(parent_descriptor
);
275 default_owner
= get_default_ag(mem_ctx
, dn
,
276 session_info
->security_token
, ldb
);
277 default_group
= get_default_group(mem_ctx
, ldb
, default_owner
);
278 new_sd
= create_security_descriptor(mem_ctx
, parent_descriptor
, user_descriptor
, true,
279 NULL
, SEC_DACL_AUTO_INHERIT
|SEC_SACL_AUTO_INHERIT
,
280 session_info
->security_token
,
281 default_owner
, default_group
,
282 map_generic_rights_ds
);
286 final_sd
= descr_handle_sd_flags(mem_ctx
, new_sd
, old_descriptor
, sd_flags
);
292 if (final_sd
->dacl
) {
293 final_sd
->dacl
->revision
= SECURITY_ACL_REVISION_ADS
;
295 if (final_sd
->sacl
) {
296 final_sd
->sacl
->revision
= SECURITY_ACL_REVISION_ADS
;
299 sddl_sd
= sddl_encode(mem_ctx
, final_sd
, domain_sid
);
300 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn
), sddl_sd
));
302 linear_sd
= talloc(mem_ctx
, DATA_BLOB
);
307 ndr_err
= ndr_push_struct_blob(linear_sd
, mem_ctx
,
309 (ndr_push_flags_fn_t
)ndr_push_security_descriptor
);
310 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
317 static DATA_BLOB
*descr_get_descriptor_to_show(struct ldb_module
*module
,
322 struct security_descriptor
*old_sd
, *final_sd
;
323 DATA_BLOB
*linear_sd
;
324 enum ndr_err_code ndr_err
;
326 old_sd
= talloc(mem_ctx
, struct security_descriptor
);
330 ndr_err
= ndr_pull_struct_blob(sd
, old_sd
,
332 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
334 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
339 final_sd
= descr_handle_sd_flags(mem_ctx
, old_sd
, NULL
, sd_flags
);
345 linear_sd
= talloc(mem_ctx
, DATA_BLOB
);
350 ndr_err
= ndr_push_struct_blob(linear_sd
, mem_ctx
,
352 (ndr_push_flags_fn_t
)ndr_push_security_descriptor
);
353 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
360 static struct descriptor_context
*descriptor_init_context(struct ldb_module
*module
,
361 struct ldb_request
*req
)
363 struct ldb_context
*ldb
;
364 struct descriptor_context
*ac
;
366 ldb
= ldb_module_get_ctx(module
);
368 ac
= talloc_zero(req
, struct descriptor_context
);
370 ldb_set_errstring(ldb
, "Out of Memory");
379 static int get_search_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
381 struct ldb_context
*ldb
;
382 struct descriptor_context
*ac
;
385 ac
= talloc_get_type(req
->context
, struct descriptor_context
);
386 ldb
= ldb_module_get_ctx(ac
->module
);
389 return ldb_module_done(ac
->req
, NULL
, NULL
,
390 LDB_ERR_OPERATIONS_ERROR
);
392 if (ares
->error
!= LDB_SUCCESS
&&
393 ares
->error
!= LDB_ERR_NO_SUCH_OBJECT
) {
394 return ldb_module_done(ac
->req
, ares
->controls
,
395 ares
->response
, ares
->error
);
398 ldb_reset_err_string(ldb
);
400 switch (ares
->type
) {
401 case LDB_REPLY_ENTRY
:
402 if (ac
->search_res
!= NULL
) {
403 ldb_set_errstring(ldb
, "Too many results");
405 return ldb_module_done(ac
->req
, NULL
, NULL
,
406 LDB_ERR_OPERATIONS_ERROR
);
409 ac
->search_res
= talloc_steal(ac
, ares
);
412 case LDB_REPLY_REFERRAL
:
419 ret
= ac
->step_fn(ac
);
420 if (ret
!= LDB_SUCCESS
) {
421 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
429 static int get_search_oc_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
431 struct ldb_context
*ldb
;
432 struct descriptor_context
*ac
;
435 ac
= talloc_get_type(req
->context
, struct descriptor_context
);
436 ldb
= ldb_module_get_ctx(ac
->module
);
439 return ldb_module_done(ac
->req
, NULL
, NULL
,
440 LDB_ERR_OPERATIONS_ERROR
);
442 if (ares
->error
!= LDB_SUCCESS
&&
443 ares
->error
!= LDB_ERR_NO_SUCH_OBJECT
) {
444 return ldb_module_done(ac
->req
, ares
->controls
,
445 ares
->response
, ares
->error
);
448 ldb_reset_err_string(ldb
);
450 switch (ares
->type
) {
451 case LDB_REPLY_ENTRY
:
452 if (ac
->search_oc_res
!= NULL
) {
453 ldb_set_errstring(ldb
, "Too many results");
455 return ldb_module_done(ac
->req
, NULL
, NULL
,
456 LDB_ERR_OPERATIONS_ERROR
);
459 ac
->search_oc_res
= talloc_steal(ac
, ares
);
462 case LDB_REPLY_REFERRAL
:
469 ret
= ac
->step_fn(ac
);
470 if (ret
!= LDB_SUCCESS
) {
471 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
480 static int descriptor_op_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
482 struct descriptor_context
*ac
;
484 ac
= talloc_get_type(req
->context
, struct descriptor_context
);
487 return ldb_module_done(ac
->req
, NULL
, NULL
,
488 LDB_ERR_OPERATIONS_ERROR
);
491 if (ares
->type
== LDB_REPLY_REFERRAL
) {
492 return ldb_module_send_referral(ac
->req
, ares
->referral
);
495 if (ares
->error
!= LDB_SUCCESS
) {
496 return ldb_module_done(ac
->req
, ares
->controls
,
497 ares
->response
, ares
->error
);
500 if (ares
->type
!= LDB_REPLY_DONE
) {
502 return ldb_module_done(ac
->req
, NULL
, NULL
,
503 LDB_ERR_OPERATIONS_ERROR
);
506 return ldb_module_done(ac
->req
, ares
->controls
,
507 ares
->response
, ares
->error
);
510 static int descriptor_search_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
512 struct descriptor_context
*ac
;
513 struct ldb_control
*sd_control
;
514 struct ldb_val
*sd_val
= NULL
;
515 struct ldb_message_element
*sd_el
;
518 uint32_t sd_flags
= 0;
520 ac
= talloc_get_type(req
->context
, struct descriptor_context
);
523 ret
= LDB_ERR_OPERATIONS_ERROR
;
526 if (ares
->error
!= LDB_SUCCESS
) {
527 return ldb_module_done(ac
->req
, ares
->controls
,
528 ares
->response
, ares
->error
);
531 sd_control
= ldb_request_get_control(ac
->req
, LDB_CONTROL_SD_FLAGS_OID
);
533 struct ldb_sd_flags_control
*sdctr
= (struct ldb_sd_flags_control
*)sd_control
->data
;
534 sd_flags
= sdctr
->secinfo_flags
;
535 /* we only care for the last 4 bits */
536 sd_flags
= sd_flags
& 0x0000000F;
538 /* MS-ADTS 3.1.1.3.4.1.11 says that no bits
544 switch (ares
->type
) {
545 case LDB_REPLY_ENTRY
:
547 sd_el
= ldb_msg_find_element(ares
->message
, "nTSecurityDescriptor");
549 sd_val
= sd_el
->values
;
553 show_sd
= descr_get_descriptor_to_show(ac
->module
, ac
->req
,
556 ret
= LDB_ERR_OPERATIONS_ERROR
;
559 ldb_msg_remove_attr(ares
->message
, "nTSecurityDescriptor");
560 ret
= ldb_msg_add_steal_value(ares
->message
, "nTSecurityDescriptor", show_sd
);
561 if (ret
!= LDB_SUCCESS
) {
565 return ldb_module_send_entry(ac
->req
, ares
->message
, ares
->controls
);
567 case LDB_REPLY_REFERRAL
:
568 /* ignore referrals */
572 return ldb_module_done(ac
->req
, ares
->controls
,
573 ares
->response
, ares
->error
);
579 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
582 static int descriptor_do_mod(struct descriptor_context
*ac
)
584 struct ldb_context
*ldb
;
585 const struct dsdb_schema
*schema
;
586 struct ldb_request
*mod_req
;
587 struct ldb_message_element
*objectclass_element
, *tmp_element
, *oldsd_el
;
588 struct ldb_val
*oldsd_val
= NULL
;
591 const struct dsdb_class
*objectclass
;
592 struct ldb_message
*msg
;
593 struct ldb_control
*sd_control
;
594 struct ldb_control
*sd_control2
;
596 uint32_t sd_flags
= 0;
598 ldb
= ldb_module_get_ctx(ac
->module
);
599 schema
= dsdb_get_schema(ldb
, ac
);
600 msg
= ldb_msg_copy_shallow(ac
, ac
->req
->op
.mod
.message
);
601 objectclass_element
= ldb_msg_find_element(ac
->search_oc_res
->message
, "objectClass");
602 objectclass
= get_last_structural_class(schema
, objectclass_element
);
605 ldb_asprintf_errstring(ldb
, "No last structural objectclass found on %s",
606 ldb_dn_get_linearized(ac
->search_oc_res
->message
->dn
));
607 return LDB_ERR_OPERATIONS_ERROR
;
609 sd_control
= ldb_request_get_control(ac
->req
, LDB_CONTROL_SD_FLAGS_OID
);
610 sd_control2
= ldb_request_get_control(ac
->req
, LDB_CONTROL_RECALCULATE_SD_OID
);
612 struct ldb_sd_flags_control
*sdctr
= (struct ldb_sd_flags_control
*)sd_control
->data
;
613 sd_flags
= sdctr
->secinfo_flags
;
614 /* we only care for the last 4 bits */
615 sd_flags
= sd_flags
& 0x0000000F;
618 oldsd_el
= ldb_msg_find_element(ac
->search_oc_res
->message
, "nTSecurityDescriptor");
620 oldsd_val
= oldsd_el
->values
;
623 sd
= get_new_descriptor(ac
->module
, msg
->dn
, ac
, objectclass
,
624 ac
->parentsd_val
, ac
->sd_val
, oldsd_val
, sd_flags
);
626 tmp_element
= ldb_msg_find_element(msg
, "ntSecurityDescriptor");
627 flags
= tmp_element
->flags
;
628 ldb_msg_remove_attr(msg
, "nTSecurityDescriptor");
632 ret
= ldb_msg_add_steal_value(msg
, "nTSecurityDescriptor", sd
);
633 if (ret
!= LDB_SUCCESS
) {
636 tmp_element
= ldb_msg_find_element(msg
, "ntSecurityDescriptor");
638 tmp_element
->flags
= LDB_FLAG_MOD_REPLACE
;
640 tmp_element
->flags
= flags
;
643 ret
= ldb_build_mod_req(&mod_req
, ldb
, ac
,
646 ac
, descriptor_op_callback
,
648 if (ret
!= LDB_SUCCESS
) {
651 /* mark it non-critical, so we don't get an error from the
652 backend, but mark that we've handled it */
654 sd_control
->critical
= 0;
657 return ldb_next_request(ac
->module
, mod_req
);
660 static int descriptor_do_add(struct descriptor_context
*ac
)
662 struct ldb_context
*ldb
;
663 const struct dsdb_schema
*schema
;
664 struct ldb_request
*add_req
;
665 struct ldb_message_element
*objectclass_element
, *sd_element
= NULL
;
666 struct ldb_message
*msg
;
670 const struct dsdb_class
*objectclass
;
671 static const char *const attrs
[] = { "objectClass", "nTSecurityDescriptor", NULL
};
672 struct ldb_request
*search_req
;
674 ldb
= ldb_module_get_ctx(ac
->module
);
675 schema
= dsdb_get_schema(ldb
, ac
);
676 mem_ctx
= talloc_new(ac
);
677 if (mem_ctx
== NULL
) {
678 return LDB_ERR_OPERATIONS_ERROR
;
680 switch (ac
->req
->operation
) {
682 msg
= ldb_msg_copy_shallow(ac
, ac
->req
->op
.add
.message
);
683 objectclass_element
= ldb_msg_find_element(msg
, "objectClass");
684 objectclass
= get_last_structural_class(schema
, objectclass_element
);
687 ldb_asprintf_errstring(ldb
, "No last structural objectclass found on %s", ldb_dn_get_linearized(msg
->dn
));
688 return LDB_ERR_OPERATIONS_ERROR
;
692 msg
= ldb_msg_copy_shallow(ac
, ac
->req
->op
.mod
.message
);
695 return LDB_ERR_OPERATIONS_ERROR
;
699 /* get the security descriptor values*/
700 sd_element
= ldb_msg_find_element(msg
, "nTSecurityDescriptor");
702 ac
->sd_val
= talloc_memdup(ac
, &sd_element
->values
[0], sizeof(struct ldb_val
));
704 /* NC's have no parent */
705 /* FIXME: this has to be made dynamic at some point */
706 if ((ldb_dn_compare(msg
->dn
, (ldb_get_schema_basedn(ldb
))) == 0) ||
707 (ldb_dn_compare(msg
->dn
, (ldb_get_config_basedn(ldb
))) == 0) ||
708 (ldb_dn_compare(msg
->dn
, (ldb_get_default_basedn(ldb
))) == 0) ||
709 (ldb_dn_compare(msg
->dn
, (ldb_get_root_basedn(ldb
))) == 0)) {
710 ac
->parentsd_val
= NULL
;
711 } else if (ac
->search_res
!= NULL
) {
712 struct ldb_message_element
*parent_element
= ldb_msg_find_element(ac
->search_res
->message
, "nTSecurityDescriptor");
713 if (parent_element
) {
714 ac
->parentsd_val
= talloc_memdup(ac
, &parent_element
->values
[0], sizeof(struct ldb_val
));
718 if (ac
->req
->operation
== LDB_ADD
) {
719 /* get the parent descriptor and the one provided. If not provided, get the default.*/
720 /* convert to security descriptor and calculate */
721 sd
= get_new_descriptor(ac
->module
, msg
->dn
, mem_ctx
, objectclass
,
722 ac
->parentsd_val
, ac
->sd_val
, NULL
, 0);
724 ldb_msg_remove_attr(msg
, "nTSecurityDescriptor");
728 ret
= ldb_msg_add_steal_value(msg
, "nTSecurityDescriptor", sd
);
729 if (ret
!= LDB_SUCCESS
) {
734 talloc_free(mem_ctx
);
735 ret
= ldb_msg_sanity_check(ldb
, msg
);
737 if (ret
!= LDB_SUCCESS
) {
738 ldb_asprintf_errstring(ldb
, "No last structural objectclass found on %s",
739 ldb_dn_get_linearized(msg
->dn
));
743 ret
= ldb_build_add_req(&add_req
, ldb
, ac
,
746 ac
, descriptor_op_callback
,
748 if (ret
!= LDB_SUCCESS
) {
751 return ldb_next_request(ac
->module
, add_req
);
753 ret
= ldb_build_search_req(&search_req
, ldb
,
754 ac
, msg
->dn
, LDB_SCOPE_BASE
,
755 "(objectClass=*)", attrs
,
757 ac
, get_search_oc_callback
,
759 if (ret
!= LDB_SUCCESS
) {
762 ac
->step_fn
= descriptor_do_mod
;
763 return ldb_next_request(ac
->module
, search_req
);
767 static int descriptor_change(struct ldb_module
*module
, struct ldb_request
*req
)
769 struct ldb_context
*ldb
;
770 struct ldb_control
*sd_control
;
771 struct ldb_request
*search_req
;
772 struct descriptor_context
*ac
;
773 struct ldb_dn
*parent_dn
, *dn
;
774 struct ldb_message_element
*sd_element
;
776 static const char * const descr_attrs
[] = { "nTSecurityDescriptor", NULL
};
778 ldb
= ldb_module_get_ctx(module
);
780 switch (req
->operation
) {
782 dn
= req
->op
.add
.message
->dn
;
785 dn
= req
->op
.mod
.message
->dn
;
786 sd_element
= ldb_msg_find_element(req
->op
.mod
.message
, "nTSecurityDescriptor");
787 /* This control allow forcing the recalculation of the SD */
788 sd_control
= ldb_request_get_control(req
, LDB_CONTROL_RECALCULATE_SD_OID
);
789 if (!sd_element
&& !sd_control
) {
790 return ldb_next_request(module
, req
);
794 return LDB_ERR_OPERATIONS_ERROR
;
796 ldb_debug(ldb
, LDB_DEBUG_TRACE
,"descriptor_change: %s\n", ldb_dn_get_linearized(dn
));
798 if (ldb_dn_is_special(dn
)) {
799 return ldb_next_request(module
, req
);
802 ac
= descriptor_init_context(module
, req
);
804 return LDB_ERR_OPERATIONS_ERROR
;
807 /* If there isn't a parent, just go on to the add processing */
808 if (ldb_dn_get_comp_num(dn
) == 1) {
809 return descriptor_do_add(ac
);
812 /* get copy of parent DN */
813 parent_dn
= ldb_dn_get_parent(ac
, dn
);
814 if (parent_dn
== NULL
) {
816 return LDB_ERR_OPERATIONS_ERROR
;
819 ret
= ldb_build_search_req(&search_req
, ldb
,
820 ac
, parent_dn
, LDB_SCOPE_BASE
,
821 "(objectClass=*)", descr_attrs
,
823 ac
, get_search_callback
,
825 if (ret
!= LDB_SUCCESS
) {
828 talloc_steal(search_req
, parent_dn
);
830 ac
->step_fn
= descriptor_do_add
;
832 return ldb_next_request(ac
->module
, search_req
);
835 static int descriptor_search(struct ldb_module
*module
, struct ldb_request
*req
)
838 struct ldb_context
*ldb
;
839 struct ldb_control
*sd_control
;
840 struct ldb_request
*down_req
;
841 struct descriptor_context
*ac
;
843 sd_control
= ldb_request_get_control(req
, LDB_CONTROL_SD_FLAGS_OID
);
845 return ldb_next_request(module
, req
);
848 ldb
= ldb_module_get_ctx(module
);
849 ac
= descriptor_init_context(module
, req
);
851 return LDB_ERR_OPERATIONS_ERROR
;
854 ret
= ldb_build_search_req_ex(&down_req
, ldb
, ac
,
856 req
->op
.search
.scope
,
858 req
->op
.search
.attrs
,
860 ac
, descriptor_search_callback
,
862 if (ret
!= LDB_SUCCESS
) {
865 /* mark it as handled */
867 sd_control
->critical
= 0;
870 return ldb_next_request(ac
->module
, down_req
);
873 static int descriptor_rename(struct ldb_module
*module
, struct ldb_request
*req
)
875 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
876 ldb_debug(ldb
, LDB_DEBUG_TRACE
,"descriptor_rename: %s\n", ldb_dn_get_linearized(req
->op
.rename
.olddn
));
877 return ldb_next_request(module
, req
);
880 static int descriptor_init(struct ldb_module
*module
)
882 int ret
= ldb_mod_register_control(module
, LDB_CONTROL_SD_FLAGS_OID
);
883 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
884 if (ret
!= LDB_SUCCESS
) {
885 ldb_debug(ldb
, LDB_DEBUG_ERROR
,
886 "descriptor: Unable to register control with rootdse!\n");
887 return LDB_ERR_OPERATIONS_ERROR
;
889 return ldb_next_init(module
);
893 _PUBLIC_
const struct ldb_module_ops ldb_descriptor_module_ops
= {
894 .name
= "descriptor",
895 .search
= descriptor_search
,
896 .add
= descriptor_change
,
897 .modify
= descriptor_change
,
898 .rename
= descriptor_rename
,
899 .init_context
= descriptor_init
