2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
8 Copyright (C) Matthieu Patou <mat@matws.net> 2011
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include <ldb_module.h>
27 #include "system/time.h"
28 #include "dsdb/samdb/samdb.h"
30 #include "dsdb/samdb/ldb_modules/util.h"
31 #include "libcli/security/security.h"
32 #include "librpc/ndr/libndr.h"
33 #include "auth/auth.h"
34 #include "param/param.h"
35 #include "lib/messaging/irpc.h"
36 #include "librpc/gen_ndr/ndr_irpc_c.h"
39 unsigned int num_controls
;
41 unsigned int num_partitions
;
42 struct ldb_dn
**partitions
;
47 return 1 if a specific attribute has been requested
49 static int do_attribute(const char * const *attrs
, const char *name
)
51 return attrs
== NULL
||
52 ldb_attr_in_list(attrs
, name
) ||
53 ldb_attr_in_list(attrs
, "*");
56 static int do_attribute_explicit(const char * const *attrs
, const char *name
)
58 return attrs
!= NULL
&& ldb_attr_in_list(attrs
, name
);
63 expand a DN attribute to include extended DN information if requested
65 static int expand_dn_in_message(struct ldb_module
*module
, struct ldb_message
*msg
,
66 const char *attrname
, struct ldb_control
*edn_control
,
67 struct ldb_request
*req
)
69 struct ldb_dn
*dn
, *dn2
;
72 struct ldb_request
*req2
;
74 const char *no_attrs
[] = { NULL
};
75 struct ldb_result
*res
;
76 struct ldb_extended_dn_control
*edn
;
77 TALLOC_CTX
*tmp_ctx
= talloc_new(req
);
78 struct ldb_context
*ldb
;
81 struct ldb_message_element
*el
;
83 ldb
= ldb_module_get_ctx(module
);
85 edn
= talloc_get_type(edn_control
->data
, struct ldb_extended_dn_control
);
90 el
= ldb_msg_find_element(msg
, attrname
);
91 if (!el
|| el
->num_values
== 0) {
95 for (i
= 0; i
< el
->num_values
; i
++) {
102 dn_string
= talloc_strndup(tmp_ctx
, (const char *)v
->data
, v
->length
);
103 if (dn_string
== NULL
) {
104 talloc_free(tmp_ctx
);
105 return ldb_operr(ldb
);
108 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
110 talloc_free(tmp_ctx
);
111 return ldb_operr(ldb
);
114 dn
= ldb_dn_new(tmp_ctx
, ldb
, dn_string
);
116 talloc_free(tmp_ctx
);
117 return ldb_operr(ldb
);
120 ret
= ldb_build_search_req(&req2
, ldb
, tmp_ctx
,
126 res
, ldb_search_default_callback
,
128 LDB_REQ_SET_LOCATION(req2
);
129 if (ret
!= LDB_SUCCESS
) {
130 talloc_free(tmp_ctx
);
135 ret
= ldb_request_add_control(req2
,
136 LDB_CONTROL_EXTENDED_DN_OID
,
137 edn_control
->critical
, edn
);
138 if (ret
!= LDB_SUCCESS
) {
139 talloc_free(tmp_ctx
);
140 return ldb_error(ldb
, ret
, "Failed to add control");
143 ret
= ldb_next_request(module
, req2
);
144 if (ret
== LDB_SUCCESS
) {
145 ret
= ldb_wait(req2
->handle
, LDB_WAIT_ALL
);
148 if (ret
!= LDB_SUCCESS
) {
149 talloc_free(tmp_ctx
);
153 if (!res
|| res
->count
!= 1) {
154 talloc_free(tmp_ctx
);
155 return ldb_operr(ldb
);
158 dn2
= res
->msgs
[0]->dn
;
160 v
->data
= (uint8_t *)ldb_dn_get_extended_linearized(msg
->elements
, dn2
, edn_type
);
161 if (v
->data
== NULL
) {
162 talloc_free(tmp_ctx
);
163 return ldb_operr(ldb
);
165 v
->length
= strlen((char *)v
->data
);
168 talloc_free(tmp_ctx
);
174 see if we are master for a FSMO role
176 static int dsdb_module_we_are_master(struct ldb_module
*module
, struct ldb_dn
*dn
, bool *master
,
177 struct ldb_request
*parent
)
179 const char *attrs
[] = { "fSMORoleOwner", NULL
};
180 TALLOC_CTX
*tmp_ctx
= talloc_new(parent
);
181 struct ldb_result
*res
;
183 struct ldb_dn
*owner_dn
;
185 ret
= dsdb_module_search_dn(module
, tmp_ctx
, &res
,
187 DSDB_FLAG_NEXT_MODULE
|
188 DSDB_FLAG_AS_SYSTEM
|
189 DSDB_SEARCH_SHOW_EXTENDED_DN
,
191 if (ret
!= LDB_SUCCESS
) {
192 talloc_free(tmp_ctx
);
196 owner_dn
= ldb_msg_find_attr_as_dn(ldb_module_get_ctx(module
),
197 tmp_ctx
, res
->msgs
[0], "fSMORoleOwner");
200 talloc_free(tmp_ctx
);
204 ret
= samdb_dn_is_our_ntdsa(ldb_module_get_ctx(module
), dn
, master
);
205 if (ret
!= LDB_SUCCESS
) {
206 ldb_asprintf_errstring(ldb_module_get_ctx(module
), "Failed to confirm if our ntdsDsa is %s: %s",
207 ldb_dn_get_linearized(owner_dn
), ldb_errstring(ldb_module_get_ctx(module
)));
208 talloc_free(tmp_ctx
);
212 talloc_free(tmp_ctx
);
217 add dynamically generated attributes to rootDSE result
219 static int rootdse_add_dynamic(struct ldb_module
*module
, struct ldb_message
*msg
,
220 const char * const *attrs
, struct ldb_request
*req
)
222 struct ldb_context
*ldb
;
223 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
225 const struct dsdb_schema
*schema
;
227 struct ldb_control
*edn_control
;
228 const char *dn_attrs
[] = {
229 "configurationNamingContext",
230 "defaultNamingContext",
231 "rootDomainNamingContext",
232 "schemaNamingContext",
238 const char *guid_attrs
[] = {
244 ldb
= ldb_module_get_ctx(module
);
245 schema
= dsdb_get_schema(ldb
, NULL
);
247 msg
->dn
= ldb_dn_new(msg
, ldb
, NULL
);
249 /* don't return the distinguishedName, cn and name attributes */
250 ldb_msg_remove_attr(msg
, "distinguishedName");
251 ldb_msg_remove_attr(msg
, "cn");
252 ldb_msg_remove_attr(msg
, "name");
254 if (do_attribute(attrs
, "serverName")) {
255 if (ldb_msg_add_linearized_dn(msg
, "serverName",
256 samdb_server_dn(ldb
, msg
)) != LDB_SUCCESS
) {
261 if (do_attribute(attrs
, "dnsHostName")) {
262 struct ldb_result
*res
;
264 const char *dns_attrs
[] = { "dNSHostName", NULL
};
265 ret
= dsdb_module_search_dn(module
, msg
, &res
, samdb_server_dn(ldb
, msg
),
267 DSDB_FLAG_NEXT_MODULE
|
270 if (ret
== LDB_SUCCESS
) {
271 const char *hostname
= ldb_msg_find_attr_as_string(res
->msgs
[0], "dNSHostName", NULL
);
272 if (hostname
!= NULL
) {
273 if (ldb_msg_add_string(msg
, "dNSHostName", hostname
)) {
280 if (do_attribute(attrs
, "ldapServiceName")) {
281 struct loadparm_context
*lp_ctx
282 = talloc_get_type(ldb_get_opaque(ldb
, "loadparm"),
283 struct loadparm_context
);
284 char *ldap_service_name
, *hostname
;
286 hostname
= strlower_talloc(msg
, lpcfg_netbios_name(lp_ctx
));
287 if (hostname
== NULL
) {
291 ldap_service_name
= talloc_asprintf(msg
, "%s:%s$@%s",
292 samdb_forest_name(ldb
, msg
),
293 hostname
, lpcfg_realm(lp_ctx
));
294 if (ldap_service_name
== NULL
) {
298 if (ldb_msg_add_string(msg
, "ldapServiceName",
299 ldap_service_name
) != LDB_SUCCESS
) {
304 if (do_attribute(attrs
, "currentTime")) {
305 if (ldb_msg_add_steal_string(msg
, "currentTime",
306 ldb_timestring(msg
, time(NULL
))) != LDB_SUCCESS
) {
311 if (priv
&& do_attribute(attrs
, "supportedControl")) {
312 for (i
= 0; i
< priv
->num_controls
; i
++) {
313 char *control
= talloc_strdup(msg
, priv
->controls
[i
]);
317 if (ldb_msg_add_steal_string(msg
, "supportedControl",
318 control
) != LDB_SUCCESS
) {
324 if (priv
&& do_attribute(attrs
, "namingContexts")) {
325 for (i
= 0; i
< priv
->num_partitions
; i
++) {
326 struct ldb_dn
*dn
= priv
->partitions
[i
];
327 if (ldb_msg_add_steal_string(msg
, "namingContexts",
328 ldb_dn_alloc_linearized(msg
, dn
)) != LDB_SUCCESS
) {
334 server_sasl
= talloc_get_type(ldb_get_opaque(ldb
, "supportedSASLMechanisms"),
336 if (server_sasl
&& do_attribute(attrs
, "supportedSASLMechanisms")) {
337 for (i
= 0; server_sasl
&& server_sasl
[i
]; i
++) {
338 char *sasl_name
= talloc_strdup(msg
, server_sasl
[i
]);
342 if (ldb_msg_add_steal_string(msg
, "supportedSASLMechanisms",
343 sasl_name
) != LDB_SUCCESS
) {
349 if (do_attribute(attrs
, "highestCommittedUSN")) {
351 int ret
= ldb_sequence_number(ldb
, LDB_SEQ_HIGHEST_SEQ
, &seq_num
);
352 if (ret
== LDB_SUCCESS
) {
353 if (samdb_msg_add_uint64(ldb
, msg
, msg
,
354 "highestCommittedUSN",
355 seq_num
) != LDB_SUCCESS
) {
361 if (schema
&& do_attribute_explicit(attrs
, "dsSchemaAttrCount")) {
362 struct dsdb_attribute
*cur
;
365 for (cur
= schema
->attributes
; cur
; cur
= cur
->next
) {
369 if (samdb_msg_add_uint(ldb
, msg
, msg
, "dsSchemaAttrCount",
375 if (schema
&& do_attribute_explicit(attrs
, "dsSchemaClassCount")) {
376 struct dsdb_class
*cur
;
379 for (cur
= schema
->classes
; cur
; cur
= cur
->next
) {
383 if (samdb_msg_add_uint(ldb
, msg
, msg
, "dsSchemaClassCount",
389 if (schema
&& do_attribute_explicit(attrs
, "dsSchemaPrefixCount")) {
390 if (samdb_msg_add_uint(ldb
, msg
, msg
, "dsSchemaPrefixCount",
391 schema
->prefixmap
->length
) != LDB_SUCCESS
) {
396 if (do_attribute_explicit(attrs
, "validFSMOs")) {
397 struct ldb_dn
*dns
[3];
399 dns
[0] = ldb_get_schema_basedn(ldb
);
400 dns
[1] = samdb_partitions_dn(ldb
, msg
);
401 dns
[2] = ldb_get_default_basedn(ldb
);
403 for (i
=0; i
<3; i
++) {
405 int ret
= dsdb_module_we_are_master(module
, dns
[i
], &master
, req
);
406 if (ret
!= LDB_SUCCESS
) {
409 if (master
&& ldb_msg_add_fmt(msg
, "validFSMOs", "%s",
410 ldb_dn_get_linearized(dns
[i
])) != LDB_SUCCESS
) {
416 if (do_attribute_explicit(attrs
, "vendorVersion")) {
417 if (ldb_msg_add_fmt(msg
, "vendorVersion",
418 "%s", SAMBA_VERSION_STRING
) != LDB_SUCCESS
) {
423 if (do_attribute(attrs
, "domainFunctionality")) {
424 if (samdb_msg_add_int(ldb
, msg
, msg
, "domainFunctionality",
425 dsdb_functional_level(ldb
)) != LDB_SUCCESS
) {
430 if (do_attribute(attrs
, "forestFunctionality")) {
431 if (samdb_msg_add_int(ldb
, msg
, msg
, "forestFunctionality",
432 dsdb_forest_functional_level(ldb
)) != LDB_SUCCESS
) {
437 if (do_attribute(attrs
, "domainControllerFunctionality")
438 && (val
= talloc_get_type(ldb_get_opaque(ldb
, "domainControllerFunctionality"), int))) {
439 if (samdb_msg_add_int(ldb
, msg
, msg
,
440 "domainControllerFunctionality",
441 *val
) != LDB_SUCCESS
) {
446 if (do_attribute(attrs
, "isGlobalCatalogReady")) {
447 /* MS-ADTS 3.1.1.3.2.10
448 Note, we should only return true here is we have
449 completed at least one synchronisation. As both
450 provision and vampire do a full sync, this means we
451 can return true is the gc bit is set in the NTDSDSA
453 if (ldb_msg_add_fmt(msg
, "isGlobalCatalogReady",
454 "%s", samdb_is_gc(ldb
)?"TRUE":"FALSE") != LDB_SUCCESS
) {
459 if (do_attribute_explicit(attrs
, "tokenGroups")) {
460 /* Obtain the user's session_info */
461 struct auth_session_info
*session_info
462 = (struct auth_session_info
*)ldb_get_opaque(ldb
, "sessionInfo");
463 if (session_info
&& session_info
->security_token
) {
464 /* The list of groups this user is in */
465 for (i
= 0; i
< session_info
->security_token
->num_sids
; i
++) {
466 if (samdb_msg_add_dom_sid(ldb
, msg
, msg
,
468 &session_info
->security_token
->sids
[i
]) != LDB_SUCCESS
) {
475 /* TODO: lots more dynamic attributes should be added here */
477 edn_control
= ldb_request_get_control(req
, LDB_CONTROL_EXTENDED_DN_OID
);
479 /* convert any GUID attributes to be in the right form */
480 for (i
=0; guid_attrs
[i
]; i
++) {
481 struct ldb_result
*res
;
482 struct ldb_message_element
*el
;
483 struct ldb_dn
*attr_dn
;
484 const char *no_attrs
[] = { NULL
};
487 if (!do_attribute(attrs
, guid_attrs
[i
])) continue;
489 attr_dn
= ldb_msg_find_attr_as_dn(ldb
, req
, msg
, guid_attrs
[i
]);
490 if (attr_dn
== NULL
) {
494 ret
= dsdb_module_search_dn(module
, req
, &res
,
496 DSDB_FLAG_NEXT_MODULE
|
497 DSDB_FLAG_AS_SYSTEM
|
498 DSDB_SEARCH_SHOW_EXTENDED_DN
,
500 if (ret
!= LDB_SUCCESS
) {
501 return ldb_operr(ldb
);
504 el
= ldb_msg_find_element(msg
, guid_attrs
[i
]);
506 return ldb_operr(ldb
);
509 talloc_steal(el
->values
, res
->msgs
[0]->dn
);
511 struct ldb_extended_dn_control
*edn
;
513 edn
= talloc_get_type(edn_control
->data
, struct ldb_extended_dn_control
);
515 edn_type
= edn
->type
;
517 el
->values
[0].data
= (uint8_t *)ldb_dn_get_extended_linearized(el
->values
,
521 el
->values
[0].data
= (uint8_t *)talloc_strdup(el
->values
,
522 ldb_dn_get_linearized(res
->msgs
[0]->dn
));
524 if (el
->values
[0].data
== NULL
) {
527 el
->values
[0].length
= strlen((const char *)el
->values
[0].data
);
530 /* if the client sent us the EXTENDED_DN control then we need
531 to expand the DNs to have GUID and SID. W2K8 join relies on
535 for (i
=0; dn_attrs
[i
]; i
++) {
536 if (!do_attribute(attrs
, dn_attrs
[i
])) continue;
537 ret
= expand_dn_in_message(module
, msg
, dn_attrs
[i
],
539 if (ret
!= LDB_SUCCESS
) {
540 DEBUG(0,(__location__
": Failed to expand DN in rootDSE for %s\n",
550 return ldb_operr(ldb
);
554 handle search requests
557 struct rootdse_context
{
558 struct ldb_module
*module
;
559 struct ldb_request
*req
;
562 static struct rootdse_context
*rootdse_init_context(struct ldb_module
*module
,
563 struct ldb_request
*req
)
565 struct ldb_context
*ldb
;
566 struct rootdse_context
*ac
;
568 ldb
= ldb_module_get_ctx(module
);
570 ac
= talloc_zero(req
, struct rootdse_context
);
572 ldb_set_errstring(ldb
, "Out of Memory");
582 static int rootdse_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
584 struct rootdse_context
*ac
;
587 ac
= talloc_get_type(req
->context
, struct rootdse_context
);
590 return ldb_module_done(ac
->req
, NULL
, NULL
,
591 LDB_ERR_OPERATIONS_ERROR
);
593 if (ares
->error
!= LDB_SUCCESS
) {
594 return ldb_module_done(ac
->req
, ares
->controls
,
595 ares
->response
, ares
->error
);
598 switch (ares
->type
) {
599 case LDB_REPLY_ENTRY
:
601 * if the client explicit asks for the 'netlogon' attribute
602 * the reply_entry needs to be skipped
604 if (ac
->req
->op
.search
.attrs
&&
605 ldb_attr_in_list(ac
->req
->op
.search
.attrs
, "netlogon")) {
610 /* for each record returned post-process to add any dynamic
611 attributes that have been asked for */
612 ret
= rootdse_add_dynamic(ac
->module
, ares
->message
,
613 ac
->req
->op
.search
.attrs
, ac
->req
);
614 if (ret
!= LDB_SUCCESS
) {
616 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
619 return ldb_module_send_entry(ac
->req
, ares
->message
, ares
->controls
);
621 case LDB_REPLY_REFERRAL
:
622 /* should we allow the backend to return referrals in this case
627 return ldb_module_done(ac
->req
, ares
->controls
,
628 ares
->response
, ares
->error
);
636 filter from controls from clients in several ways
638 1) mark our registered controls as non-critical in the request
640 This is needed as clients may mark controls as critical even if
641 they are not needed at all in a request. For example, the centrify
642 client sets the SD_FLAGS control as critical on ldap modify
643 requests which are setting the dNSHostName attribute on the
644 machine account. That request doesn't need SD_FLAGS at all, but
645 centrify adds it on all ldap requests.
647 2) if this request is untrusted then remove any non-registered
648 controls that are non-critical
650 This is used on ldap:// connections to prevent remote users from
651 setting an internal control that may be dangerous
653 3) if this request is untrusted then fail any request that includes
654 a critical non-registered control
656 static int rootdse_filter_controls(struct ldb_module
*module
, struct ldb_request
*req
)
659 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
662 if (!req
->controls
) {
666 is_untrusted
= ldb_req_is_untrusted(req
);
668 for (i
=0; req
->controls
[i
]; i
++) {
669 bool is_registered
= false;
670 bool is_critical
= (req
->controls
[i
]->critical
!= 0);
672 if (req
->controls
[i
]->oid
== NULL
) {
676 if (is_untrusted
|| is_critical
) {
677 for (j
=0; j
<priv
->num_controls
; j
++) {
678 if (strcasecmp(priv
->controls
[j
], req
->controls
[i
]->oid
) == 0) {
679 is_registered
= true;
685 if (is_untrusted
&& !is_registered
) {
687 /* remove it by marking the oid NULL */
688 req
->controls
[i
]->oid
= NULL
;
689 req
->controls
[i
]->data
= NULL
;
690 req
->controls
[i
]->critical
= 0;
693 /* its a critical unregistered control - give
695 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
696 "Attempt to use critical non-registered control '%s'",
697 req
->controls
[i
]->oid
);
698 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION
;
705 /* If the control is DIRSYNC control then we keep the critical
706 * flag as the dirsync module will need to act upon it
708 if (is_registered
&& strcmp(req
->controls
[i
]->oid
,
709 LDB_CONTROL_DIRSYNC_OID
)!= 0) {
710 req
->controls
[i
]->critical
= 0;
717 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
719 static int rootdse_filter_operations(struct ldb_module
*module
, struct ldb_request
*req
)
721 struct auth_session_info
*session_info
;
722 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
723 bool is_untrusted
= ldb_req_is_untrusted(req
);
724 bool is_anonymous
= true;
725 if (is_untrusted
== false) {
729 session_info
= (struct auth_session_info
*)ldb_get_opaque(ldb_module_get_ctx(module
), "sessionInfo");
731 is_anonymous
= security_token_is_anonymous(session_info
->security_token
);
734 if (is_anonymous
== false || (priv
&& priv
->block_anonymous
== false)) {
738 if (req
->operation
== LDB_SEARCH
) {
739 if (req
->op
.search
.scope
== LDB_SCOPE_BASE
&& ldb_dn_is_null(req
->op
.search
.base
)) {
743 ldb_set_errstring(ldb_module_get_ctx(module
), "Operation unavailable without authentication");
744 return LDB_ERR_OPERATIONS_ERROR
;
747 static int rootdse_search(struct ldb_module
*module
, struct ldb_request
*req
)
749 struct ldb_context
*ldb
;
750 struct rootdse_context
*ac
;
751 struct ldb_request
*down_req
;
754 ret
= rootdse_filter_operations(module
, req
);
755 if (ret
!= LDB_SUCCESS
) {
759 ret
= rootdse_filter_controls(module
, req
);
760 if (ret
!= LDB_SUCCESS
) {
764 ldb
= ldb_module_get_ctx(module
);
766 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
767 if (!(req
->op
.search
.scope
== LDB_SCOPE_BASE
&& ldb_dn_is_null(req
->op
.search
.base
))) {
768 /* Otherwise, pass down to the rest of the stack */
769 return ldb_next_request(module
, req
);
772 ac
= rootdse_init_context(module
, req
);
774 return ldb_operr(ldb
);
777 /* in our db we store the rootDSE with a DN of @ROOTDSE */
778 ret
= ldb_build_search_req(&down_req
, ldb
, ac
,
779 ldb_dn_new(ac
, ldb
, "@ROOTDSE"),
782 req
->op
.search
.attrs
,
783 NULL
,/* for now skip the controls from the client */
784 ac
, rootdse_callback
,
786 LDB_REQ_SET_LOCATION(down_req
);
787 if (ret
!= LDB_SUCCESS
) {
791 return ldb_next_request(module
, down_req
);
794 static int rootdse_register_control(struct ldb_module
*module
, struct ldb_request
*req
)
796 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
799 list
= talloc_realloc(priv
, priv
->controls
, char *, priv
->num_controls
+ 1);
801 return ldb_oom(ldb_module_get_ctx(module
));
804 list
[priv
->num_controls
] = talloc_strdup(list
, req
->op
.reg_control
.oid
);
805 if (!list
[priv
->num_controls
]) {
806 return ldb_oom(ldb_module_get_ctx(module
));
809 priv
->num_controls
+= 1;
810 priv
->controls
= list
;
812 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
815 static int rootdse_register_partition(struct ldb_module
*module
, struct ldb_request
*req
)
817 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
818 struct ldb_dn
**list
;
820 list
= talloc_realloc(priv
, priv
->partitions
, struct ldb_dn
*, priv
->num_partitions
+ 1);
822 return ldb_oom(ldb_module_get_ctx(module
));
825 list
[priv
->num_partitions
] = ldb_dn_copy(list
, req
->op
.reg_partition
.dn
);
826 if (!list
[priv
->num_partitions
]) {
827 return ldb_operr(ldb_module_get_ctx(module
));
830 priv
->num_partitions
+= 1;
831 priv
->partitions
= list
;
833 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
837 static int rootdse_request(struct ldb_module
*module
, struct ldb_request
*req
)
839 switch (req
->operation
) {
841 case LDB_REQ_REGISTER_CONTROL
:
842 return rootdse_register_control(module
, req
);
843 case LDB_REQ_REGISTER_PARTITION
:
844 return rootdse_register_partition(module
, req
);
849 return ldb_next_request(module
, req
);
852 static int rootdse_init(struct ldb_module
*module
)
855 struct ldb_context
*ldb
;
856 struct ldb_result
*res
;
857 struct private_data
*data
;
858 const char *attrs
[] = { "msDS-Behavior-Version", NULL
};
859 const char *ds_attrs
[] = { "dsServiceName", NULL
};
862 ldb
= ldb_module_get_ctx(module
);
864 data
= talloc_zero(module
, struct private_data
);
869 data
->num_controls
= 0;
870 data
->controls
= NULL
;
871 data
->num_partitions
= 0;
872 data
->partitions
= NULL
;
873 data
->block_anonymous
= true;
875 ldb_module_set_private(module
, data
);
877 ldb_set_default_dns(ldb
);
879 ret
= ldb_next_init(module
);
881 if (ret
!= LDB_SUCCESS
) {
885 mem_ctx
= talloc_new(data
);
890 /* Now that the partitions are set up, do a search for:
891 - domainControllerFunctionality
892 - domainFunctionality
893 - forestFunctionality
895 Then stuff these values into an opaque
897 ret
= dsdb_module_search(module
, mem_ctx
, &res
,
898 ldb_get_default_basedn(ldb
),
899 LDB_SCOPE_BASE
, attrs
,
900 DSDB_FLAG_NEXT_MODULE
|
903 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
904 int domain_behaviour_version
905 = ldb_msg_find_attr_as_int(res
->msgs
[0],
906 "msDS-Behavior-Version", -1);
907 if (domain_behaviour_version
!= -1) {
908 int *val
= talloc(ldb
, int);
910 talloc_free(mem_ctx
);
913 *val
= domain_behaviour_version
;
914 ret
= ldb_set_opaque(ldb
, "domainFunctionality", val
);
915 if (ret
!= LDB_SUCCESS
) {
916 talloc_free(mem_ctx
);
922 ret
= dsdb_module_search(module
, mem_ctx
, &res
,
923 samdb_partitions_dn(ldb
, mem_ctx
),
924 LDB_SCOPE_BASE
, attrs
,
925 DSDB_FLAG_NEXT_MODULE
|
928 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
929 int forest_behaviour_version
930 = ldb_msg_find_attr_as_int(res
->msgs
[0],
931 "msDS-Behavior-Version", -1);
932 if (forest_behaviour_version
!= -1) {
933 int *val
= talloc(ldb
, int);
935 talloc_free(mem_ctx
);
938 *val
= forest_behaviour_version
;
939 ret
= ldb_set_opaque(ldb
, "forestFunctionality", val
);
940 if (ret
!= LDB_SUCCESS
) {
941 talloc_free(mem_ctx
);
947 /* For now, our own server's location in the DB is recorded in
948 * the @ROOTDSE record */
949 ret
= dsdb_module_search(module
, mem_ctx
, &res
,
950 ldb_dn_new(mem_ctx
, ldb
, "@ROOTDSE"),
951 LDB_SCOPE_BASE
, ds_attrs
,
952 DSDB_FLAG_NEXT_MODULE
|
955 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
957 = ldb_msg_find_attr_as_dn(ldb
, mem_ctx
, res
->msgs
[0],
960 ret
= dsdb_module_search(module
, mem_ctx
, &res
, ds_dn
,
961 LDB_SCOPE_BASE
, attrs
,
962 DSDB_FLAG_NEXT_MODULE
|
965 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
966 int domain_controller_behaviour_version
967 = ldb_msg_find_attr_as_int(res
->msgs
[0],
968 "msDS-Behavior-Version", -1);
969 if (domain_controller_behaviour_version
!= -1) {
970 int *val
= talloc(ldb
, int);
972 talloc_free(mem_ctx
);
975 *val
= domain_controller_behaviour_version
;
976 ret
= ldb_set_opaque(ldb
,
977 "domainControllerFunctionality", val
);
978 if (ret
!= LDB_SUCCESS
) {
979 talloc_free(mem_ctx
);
987 data
->block_anonymous
= dsdb_block_anonymous_ops(module
, NULL
);
989 talloc_free(mem_ctx
);
995 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
996 * to a DN and a GUID object
998 static int get_optional_feature_dn_guid(struct ldb_request
*req
, struct ldb_context
*ldb
,
1000 struct ldb_dn
**op_feature_scope_dn
,
1001 struct GUID
*op_feature_guid
)
1003 const struct ldb_message
*msg
= req
->op
.mod
.message
;
1004 const char *ldb_val_str
;
1006 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1009 ldb_val_str
= ldb_msg_find_attr_as_string(msg
, "enableOptionalFeature", NULL
);
1011 ldb_set_errstring(ldb
,
1012 "rootdse: unable to find 'enableOptionalFeature'!");
1013 return LDB_ERR_UNWILLING_TO_PERFORM
;
1016 guid
= strchr(ldb_val_str
, ':');
1018 ldb_set_errstring(ldb
,
1019 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
1020 return LDB_ERR_UNWILLING_TO_PERFORM
;
1022 status
= GUID_from_string(guid
+1, op_feature_guid
);
1023 if (!NT_STATUS_IS_OK(status
)) {
1024 ldb_set_errstring(ldb
,
1025 "rootdse: bad GUID in 'enableOptionalFeature'!");
1026 return LDB_ERR_UNWILLING_TO_PERFORM
;
1029 dn
= talloc_strndup(tmp_ctx
, ldb_val_str
, guid
-ldb_val_str
);
1031 ldb_set_errstring(ldb
,
1032 "rootdse: bad DN in 'enableOptionalFeature'!");
1033 return LDB_ERR_UNWILLING_TO_PERFORM
;
1036 *op_feature_scope_dn
= ldb_dn_new(mem_ctx
, ldb
, dn
);
1038 talloc_free(tmp_ctx
);
1043 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
1044 * ldb_message object.
1046 static int dsdb_find_optional_feature(struct ldb_module
*module
, struct ldb_context
*ldb
,
1047 TALLOC_CTX
*mem_ctx
, struct GUID op_feature_guid
, struct ldb_message
**msg
,
1048 struct ldb_request
*parent
)
1050 struct ldb_result
*res
;
1051 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1054 ret
= dsdb_module_search(module
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
1056 DSDB_FLAG_NEXT_MODULE
|
1057 DSDB_FLAG_AS_SYSTEM
|
1058 DSDB_SEARCH_SEARCH_ALL_PARTITIONS
,
1060 "(&(objectClass=msDS-OptionalFeature)"
1061 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx
, &op_feature_guid
));
1063 if (ret
!= LDB_SUCCESS
) {
1064 talloc_free(tmp_ctx
);
1067 if (res
->count
== 0) {
1068 talloc_free(tmp_ctx
);
1069 return LDB_ERR_NO_SUCH_OBJECT
;
1071 if (res
->count
!= 1) {
1072 ldb_asprintf_errstring(ldb
,
1073 "More than one object found matching optional feature GUID %s\n",
1074 GUID_string(tmp_ctx
, &op_feature_guid
));
1075 talloc_free(tmp_ctx
);
1076 return LDB_ERR_OPERATIONS_ERROR
;
1079 *msg
= talloc_steal(mem_ctx
, res
->msgs
[0]);
1081 talloc_free(tmp_ctx
);
1085 static int rootdse_enable_recycle_bin(struct ldb_module
*module
,struct ldb_context
*ldb
,
1086 TALLOC_CTX
*mem_ctx
, struct ldb_dn
*op_feature_scope_dn
,
1087 struct ldb_message
*op_feature_msg
, struct ldb_request
*parent
)
1090 const int domain_func_level
= dsdb_functional_level(ldb
);
1091 struct ldb_dn
*ntds_settings_dn
;
1092 TALLOC_CTX
*tmp_ctx
;
1093 unsigned int el_count
= 0;
1094 struct ldb_message
*msg
;
1096 ret
= ldb_msg_find_attr_as_int(op_feature_msg
, "msDS-RequiredForestBehaviorVersion", 0);
1097 if (domain_func_level
< ret
){
1098 ldb_asprintf_errstring(ldb
,
1099 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
1101 return LDB_ERR_UNWILLING_TO_PERFORM
;
1104 tmp_ctx
= talloc_new(mem_ctx
);
1105 ntds_settings_dn
= samdb_ntds_settings_dn(ldb
, tmp_ctx
);
1106 if (!ntds_settings_dn
) {
1107 talloc_free(tmp_ctx
);
1108 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
, "Failed to find NTDS settings DN");
1111 ntds_settings_dn
= ldb_dn_copy(tmp_ctx
, ntds_settings_dn
);
1112 if (!ntds_settings_dn
) {
1113 talloc_free(tmp_ctx
);
1114 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
, "Failed to copy NTDS settings DN");
1117 msg
= ldb_msg_new(tmp_ctx
);
1118 msg
->dn
= ntds_settings_dn
;
1120 ldb_msg_add_linearized_dn(msg
, "msDS-EnabledFeature", op_feature_msg
->dn
);
1121 msg
->elements
[el_count
++].flags
= LDB_FLAG_MOD_ADD
;
1123 ret
= dsdb_module_modify(module
, msg
, DSDB_FLAG_NEXT_MODULE
, parent
);
1124 if (ret
!= LDB_SUCCESS
) {
1125 ldb_asprintf_errstring(ldb
,
1126 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1127 ldb_dn_get_linearized(ntds_settings_dn
),
1128 ldb_errstring(ldb
));
1129 talloc_free(tmp_ctx
);
1133 msg
->dn
= op_feature_scope_dn
;
1134 ret
= dsdb_module_modify(module
, msg
, DSDB_FLAG_NEXT_MODULE
, parent
);
1135 if (ret
!= LDB_SUCCESS
) {
1136 ldb_asprintf_errstring(ldb
,
1137 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1138 ldb_dn_get_linearized(op_feature_scope_dn
),
1139 ldb_errstring(ldb
));
1140 talloc_free(tmp_ctx
);
1147 static int rootdse_enableoptionalfeature(struct ldb_module
*module
, struct ldb_request
*req
)
1151 - check for system (only system can enable features)
1152 - extract GUID from the request
1153 - find the feature object
1154 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1155 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1156 - add/modify objects (see ntdsconnection code for an example)
1159 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1160 struct GUID op_feature_guid
;
1161 struct ldb_dn
*op_feature_scope_dn
;
1162 struct ldb_message
*op_feature_msg
;
1163 struct auth_session_info
*session_info
=
1164 (struct auth_session_info
*)ldb_get_opaque(ldb
, "sessionInfo");
1165 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
1167 const char *guid_string
;
1169 if (security_session_user_level(session_info
, NULL
) != SECURITY_SYSTEM
) {
1170 ldb_set_errstring(ldb
, "rootdse: Insufficient rights for enableoptionalfeature");
1171 return LDB_ERR_UNWILLING_TO_PERFORM
;
1174 ret
= get_optional_feature_dn_guid(req
, ldb
, tmp_ctx
, &op_feature_scope_dn
, &op_feature_guid
);
1175 if (ret
!= LDB_SUCCESS
) {
1176 talloc_free(tmp_ctx
);
1180 guid_string
= GUID_string(tmp_ctx
, &op_feature_guid
);
1182 ldb_set_errstring(ldb
, "rootdse: bad optional feature GUID");
1183 return LDB_ERR_UNWILLING_TO_PERFORM
;
1186 ret
= dsdb_find_optional_feature(module
, ldb
, tmp_ctx
, op_feature_guid
, &op_feature_msg
, req
);
1187 if (ret
!= LDB_SUCCESS
) {
1188 ldb_asprintf_errstring(ldb
,
1189 "rootdse: unable to find optional feature for %s - %s",
1190 guid_string
, ldb_errstring(ldb
));
1191 talloc_free(tmp_ctx
);
1195 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN
, guid_string
) == 0) {
1196 ret
= rootdse_enable_recycle_bin(module
, ldb
,
1197 tmp_ctx
, op_feature_scope_dn
,
1198 op_feature_msg
, req
);
1200 ldb_asprintf_errstring(ldb
,
1201 "rootdse: unknown optional feature %s",
1203 talloc_free(tmp_ctx
);
1204 return LDB_ERR_UNWILLING_TO_PERFORM
;
1206 if (ret
!= LDB_SUCCESS
) {
1207 ldb_asprintf_errstring(ldb
,
1208 "rootdse: failed to set optional feature for %s - %s",
1209 guid_string
, ldb_errstring(ldb
));
1210 talloc_free(tmp_ctx
);
1214 talloc_free(tmp_ctx
);
1215 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);;
1218 static int rootdse_schemaupdatenow(struct ldb_module
*module
, struct ldb_request
*req
)
1220 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1221 struct ldb_result
*ext_res
;
1223 struct ldb_dn
*schema_dn
;
1225 schema_dn
= ldb_get_schema_basedn(ldb
);
1227 ldb_reset_err_string(ldb
);
1228 ldb_debug(ldb
, LDB_DEBUG_WARNING
,
1229 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1230 return ldb_next_request(module
, req
);
1233 ret
= ldb_extended(ldb
, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
, schema_dn
, &ext_res
);
1234 if (ret
!= LDB_SUCCESS
) {
1235 return ldb_operr(ldb
);
1238 talloc_free(ext_res
);
1239 return ldb_module_done(req
, NULL
, NULL
, ret
);
1242 static int rootdse_schemaupgradeinprogress(struct ldb_module
*module
, struct ldb_request
*req
)
1244 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1245 int ret
= LDB_SUCCESS
;
1246 struct ldb_dn
*schema_dn
;
1248 schema_dn
= ldb_get_schema_basedn(ldb
);
1250 ldb_reset_err_string(ldb
);
1251 ldb_debug(ldb
, LDB_DEBUG_WARNING
,
1252 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1253 return ldb_next_request(module
, req
);
1256 /* FIXME we have to do something in order to relax constraints for DRS
1257 * setting schemaUpgradeInProgress cause the fschemaUpgradeInProgress
1258 * in all LDAP connection (2K3/2K3R2) or in the current connection (2K8 and +)
1259 * to be set to true.
1262 /* from 5.113 LDAPConnections in DRSR.pdf
1263 * fschemaUpgradeInProgress: A Boolean that specifies certain constraint
1264 * validations are skipped when adding, updating, or removing directory
1265 * objects on the opened connection. The skipped constraint validations
1266 * are documented in the applicable constraint sections in [MS-ADTS].
1268 return ldb_module_done(req
, NULL
, NULL
, ret
);
1271 static int rootdse_add(struct ldb_module
*module
, struct ldb_request
*req
)
1273 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1276 ret
= rootdse_filter_operations(module
, req
);
1277 if (ret
!= LDB_SUCCESS
) {
1281 ret
= rootdse_filter_controls(module
, req
);
1282 if (ret
!= LDB_SUCCESS
) {
1287 If dn is not "" we should let it pass through
1289 if (!ldb_dn_is_null(req
->op
.add
.message
->dn
)) {
1290 return ldb_next_request(module
, req
);
1293 ldb_set_errstring(ldb
, "rootdse_add: you cannot add a new rootdse entry!");
1294 return LDB_ERR_NAMING_VIOLATION
;
1297 struct fsmo_transfer_state
{
1298 struct ldb_context
*ldb
;
1299 struct ldb_request
*req
;
1300 struct ldb_module
*module
;
1304 called when a FSMO transfer operation has completed
1306 static void rootdse_fsmo_transfer_callback(struct tevent_req
*treq
)
1308 struct fsmo_transfer_state
*fsmo
= tevent_req_callback_data(treq
, struct fsmo_transfer_state
);
1312 struct ldb_request
*req
= fsmo
->req
;
1313 struct ldb_context
*ldb
= fsmo
->ldb
;
1315 status
= dcerpc_drepl_takeFSMORole_recv(treq
, fsmo
, &werr
);
1317 if (!NT_STATUS_IS_OK(status
)) {
1318 ldb_asprintf_errstring(ldb
, "Failed FSMO transfer: %s", nt_errstr(status
));
1320 * Now that it is failed, start the transaction up
1321 * again so the wrappers can close it without additional error
1323 ldb_next_start_trans(fsmo
->module
);
1324 ldb_module_done(req
, NULL
, NULL
, LDB_ERR_UNAVAILABLE
);
1327 if (!W_ERROR_IS_OK(werr
)) {
1328 ldb_asprintf_errstring(ldb
, "Failed FSMO transfer: %s", win_errstr(werr
));
1330 * Now that it is failed, start the transaction up
1331 * again so the wrappers can close it without additional error
1333 ldb_next_start_trans(fsmo
->module
);
1334 ldb_module_done(req
, NULL
, NULL
, LDB_ERR_UNAVAILABLE
);
1339 * Now that it is done, start the transaction up again so the
1340 * wrappers can close it without error
1342 ret
= ldb_next_start_trans(fsmo
->module
);
1343 ldb_module_done(req
, NULL
, NULL
, ret
);
1346 static int rootdse_become_master(struct ldb_module
*module
,
1347 struct ldb_request
*req
,
1348 enum drepl_role_master role
)
1350 struct imessaging_context
*msg
;
1351 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1352 TALLOC_CTX
*tmp_ctx
= talloc_new(req
);
1353 struct loadparm_context
*lp_ctx
= ldb_get_opaque(ldb
, "loadparm");
1355 struct dcerpc_binding_handle
*irpc_handle
;
1357 struct auth_session_info
*session_info
;
1358 enum security_user_level level
;
1359 struct fsmo_transfer_state
*fsmo
;
1360 struct tevent_req
*treq
;
1362 session_info
= (struct auth_session_info
*)ldb_get_opaque(ldb_module_get_ctx(module
), "sessionInfo");
1363 level
= security_session_user_level(session_info
, NULL
);
1364 if (level
< SECURITY_ADMINISTRATOR
) {
1365 return ldb_error(ldb
, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
, "Denied rootDSE modify for non-administrator");
1368 ret
= samdb_rodc(ldb
, &am_rodc
);
1369 if (ret
!= LDB_SUCCESS
) {
1370 return ldb_error(ldb
, ret
, "Could not determine if server is RODC.");
1374 return ldb_error(ldb
, LDB_ERR_UNWILLING_TO_PERFORM
,
1375 "RODC cannot become a role master.");
1379 * We always delete the transaction, not commit it, because
1380 * this gives the least supprise to this supprising action (as
1381 * we will never record anything done to this point
1383 ldb_next_del_trans(module
);
1385 msg
= imessaging_client_init(tmp_ctx
, lp_ctx
,
1386 ldb_get_event_context(ldb
));
1388 ldb_asprintf_errstring(ldb
, "Failed to generate client messaging context in %s", lpcfg_imessaging_path(tmp_ctx
, lp_ctx
));
1389 return LDB_ERR_OPERATIONS_ERROR
;
1391 irpc_handle
= irpc_binding_handle_by_name(tmp_ctx
, msg
,
1394 if (irpc_handle
== NULL
) {
1395 return ldb_oom(ldb
);
1397 fsmo
= talloc_zero(req
, struct fsmo_transfer_state
);
1399 return ldb_oom(ldb
);
1403 fsmo
->module
= module
;
1406 * we send the call asynchronously, as the ldap client is
1407 * expecting to get an error back if the role transfer fails
1409 * We need more than the default 10 seconds IRPC allows, so
1410 * set a longer timeout (default ldb timeout is 300 seconds).
1411 * We send an async reply when we are done.
1413 * We are the first module, so don't bother working out how
1414 * long we have spent so far.
1416 dcerpc_binding_handle_set_timeout(irpc_handle
, req
->timeout
);
1418 treq
= dcerpc_drepl_takeFSMORole_send(req
, ldb_get_event_context(ldb
), irpc_handle
, role
);
1420 return ldb_oom(ldb
);
1423 tevent_req_set_callback(treq
, rootdse_fsmo_transfer_callback
, fsmo
);
1427 static int rootdse_modify(struct ldb_module
*module
, struct ldb_request
*req
)
1429 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1432 ret
= rootdse_filter_operations(module
, req
);
1433 if (ret
!= LDB_SUCCESS
) {
1437 ret
= rootdse_filter_controls(module
, req
);
1438 if (ret
!= LDB_SUCCESS
) {
1443 If dn is not "" we should let it pass through
1445 if (!ldb_dn_is_null(req
->op
.mod
.message
->dn
)) {
1446 return ldb_next_request(module
, req
);
1450 dn is empty so check for schemaUpdateNow attribute
1451 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1453 if (ldb_msg_find_element(req
->op
.mod
.message
, "schemaUpdateNow")) {
1454 return rootdse_schemaupdatenow(module
, req
);
1456 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeDomainMaster")) {
1457 return rootdse_become_master(module
, req
, DREPL_NAMING_MASTER
);
1459 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeInfrastructureMaster")) {
1460 return rootdse_become_master(module
, req
, DREPL_INFRASTRUCTURE_MASTER
);
1462 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeRidMaster")) {
1463 return rootdse_become_master(module
, req
, DREPL_RID_MASTER
);
1465 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeSchemaMaster")) {
1466 return rootdse_become_master(module
, req
, DREPL_SCHEMA_MASTER
);
1468 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomePdc")) {
1469 return rootdse_become_master(module
, req
, DREPL_PDC_MASTER
);
1471 if (ldb_msg_find_element(req
->op
.mod
.message
, "enableOptionalFeature")) {
1472 return rootdse_enableoptionalfeature(module
, req
);
1474 if (ldb_msg_find_element(req
->op
.mod
.message
, "schemaUpgradeInProgress")) {
1475 return rootdse_schemaupgradeinprogress(module
, req
);
1478 ldb_set_errstring(ldb
, "rootdse_modify: unknown attribute to change!");
1479 return LDB_ERR_UNWILLING_TO_PERFORM
;
1482 static int rootdse_rename(struct ldb_module
*module
, struct ldb_request
*req
)
1484 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1487 ret
= rootdse_filter_operations(module
, req
);
1488 if (ret
!= LDB_SUCCESS
) {
1492 ret
= rootdse_filter_controls(module
, req
);
1493 if (ret
!= LDB_SUCCESS
) {
1498 If dn is not "" we should let it pass through
1500 if (!ldb_dn_is_null(req
->op
.rename
.olddn
)) {
1501 return ldb_next_request(module
, req
);
1504 ldb_set_errstring(ldb
, "rootdse_remove: you cannot rename the rootdse entry!");
1505 return LDB_ERR_NO_SUCH_OBJECT
;
1508 static int rootdse_delete(struct ldb_module
*module
, struct ldb_request
*req
)
1510 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1513 ret
= rootdse_filter_operations(module
, req
);
1514 if (ret
!= LDB_SUCCESS
) {
1518 ret
= rootdse_filter_controls(module
, req
);
1519 if (ret
!= LDB_SUCCESS
) {
1524 If dn is not "" we should let it pass through
1526 if (!ldb_dn_is_null(req
->op
.del
.dn
)) {
1527 return ldb_next_request(module
, req
);
1530 ldb_set_errstring(ldb
, "rootdse_remove: you cannot delete the rootdse entry!");
1531 return LDB_ERR_NO_SUCH_OBJECT
;
1534 static int rootdse_extended(struct ldb_module
*module
, struct ldb_request
*req
)
1538 ret
= rootdse_filter_operations(module
, req
);
1539 if (ret
!= LDB_SUCCESS
) {
1543 ret
= rootdse_filter_controls(module
, req
);
1544 if (ret
!= LDB_SUCCESS
) {
1548 return ldb_next_request(module
, req
);
1551 static const struct ldb_module_ops ldb_rootdse_module_ops
= {
1553 .init_context
= rootdse_init
,
1554 .search
= rootdse_search
,
1555 .request
= rootdse_request
,
1557 .modify
= rootdse_modify
,
1558 .rename
= rootdse_rename
,
1559 .extended
= rootdse_extended
,
1560 .del
= rootdse_delete
1563 int ldb_rootdse_module_init(const char *version
)
1565 LDB_MODULE_CHECK_VERSION(version
);
1566 return ldb_register_module(&ldb_rootdse_module_ops
);