search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / descriptor.c
blobd9bc89fe62eec83d7447d5320b05231cea80021f
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /*
23 * Name: ldb
24 *
25 * Component: DS Security descriptor module
26 *
27 * Description:
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
31 *
32 * Author: Nadezhda Ivanova
33 */
34
35 #include "includes.h"
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
45 #include "lib/util/binsearch.h"
46
47 struct descriptor_changes {
48 struct descriptor_changes *prev, *next;
49 struct descriptor_changes *children;
50 struct ldb_dn *nc_root;
51 struct ldb_dn *dn;
52 bool force_self;
53 bool force_children;
54 struct ldb_dn *stopped_dn;
55 };
56
57 struct descriptor_data {
58 TALLOC_CTX *trans_mem;
59 struct descriptor_changes *changes;
60 };
61
62 struct descriptor_context {
63 struct ldb_module *module;
64 struct ldb_request *req;
65 struct ldb_message *msg;
66 struct ldb_reply *search_res;
67 struct ldb_reply *search_oc_res;
68 struct ldb_val *parentsd_val;
69 struct ldb_message_element *sd_element;
70 struct ldb_val *sd_val;
71 uint32_t sd_flags;
72 int (*step_fn)(struct descriptor_context *);
73 };
74
75 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
76 struct ldb_dn *dn,
77 struct security_token *token,
78 struct ldb_context *ldb)
79 {
80 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
81 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
82 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
83 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
84 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
85 struct dom_sid *dag_sid;
86 struct ldb_dn *nc_root;
87 int ret;
88
89 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
90 if (ret != LDB_SUCCESS) {
91 talloc_free(tmp_ctx);
92 return NULL;
93 }
94
95 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
96 if (security_token_has_sid(token, sa_sid)) {
97 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
98 } else if (security_token_has_sid(token, ea_sid)) {
99 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
100 } else if (security_token_has_sid(token, da_sid)) {
101 dag_sid = dom_sid_dup(mem_ctx, da_sid);
102 } else if (security_token_is_system(token)) {
103 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
104 } else {
105 dag_sid = NULL;
106 }
107 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
108 if (security_token_has_sid(token, ea_sid)) {
109 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
110 } else if (security_token_has_sid(token, da_sid)) {
111 dag_sid = dom_sid_dup(mem_ctx, da_sid);
112 } else if (security_token_is_system(token)) {
113 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
114 } else {
115 dag_sid = NULL;
116 }
117 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
118 if (security_token_has_sid(token, da_sid)) {
119 dag_sid = dom_sid_dup(mem_ctx, da_sid);
120 } else if (security_token_has_sid(token, ea_sid)) {
121 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
122 } else if (security_token_is_system(token)) {
123 dag_sid = dom_sid_dup(mem_ctx, da_sid);
124 } else {
125 dag_sid = NULL;
126 }
127 } else {
128 dag_sid = NULL;
129 }
130
131 talloc_free(tmp_ctx);
132 return dag_sid;
133 }
134
135 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
136 const struct dsdb_class *objectclass)
137 {
138 struct ldb_context *ldb = ldb_module_get_ctx(module);
139 struct security_descriptor *sd;
140 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
141
142 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
143 return NULL;
144 }
145
146 sd = sddl_decode(mem_ctx,
147 objectclass->defaultSecurityDescriptor,
148 domain_sid);
149 return sd;
150 }
151
152 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
153 struct ldb_context *ldb,
154 struct dom_sid *dag)
155 {
156 /*
157 * This depends on the function level of the DC
158 * which is 2008R2 in our case. Which means it is
159 * higher than 2003 and we should use the
160 * "default administrator group" also as owning group.
161 *
162 * This matches dcpromo for a 2003 domain
163 * on a Windows 2008R2 DC.
164 */
165 return dag;
166 }
167
168 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
169 struct security_descriptor *new_sd,
170 struct security_descriptor *old_sd,
171 uint32_t sd_flags)
172 {
173 struct security_descriptor *final_sd;
174 /* if there is no control or control == 0 modify everything */
175 if (!sd_flags) {
176 return new_sd;
177 }
178
179 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
180 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
181 final_sd->type = SEC_DESC_SELF_RELATIVE;
182
183 if (sd_flags & (SECINFO_OWNER)) {
184 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
185 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
186 }
187 else if (old_sd) {
188 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
189 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
190 }
191
192 if (sd_flags & (SECINFO_GROUP)) {
193 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
194 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
195 }
196 else if (old_sd) {
197 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
198 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
199 }
200
201 if (sd_flags & (SECINFO_SACL)) {
202 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
203 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
204 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
205 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
206 SEC_DESC_SERVER_SECURITY);
207 }
208 else if (old_sd && old_sd->sacl) {
209 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
210 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
211 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
212 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
213 SEC_DESC_SERVER_SECURITY);
214 }
215
216 if (sd_flags & (SECINFO_DACL)) {
217 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
218 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
219 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
220 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
221 SEC_DESC_DACL_TRUSTED);
222 }
223 else if (old_sd && old_sd->dacl) {
224 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
225 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
226 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
227 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
228 SEC_DESC_DACL_TRUSTED);
229 }
230 /* not so sure about this */
231 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
232 return final_sd;
233 }
234
235 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
236 struct ldb_dn *dn,
237 TALLOC_CTX *mem_ctx,
238 const struct dsdb_class *objectclass,
239 const struct ldb_val *parent,
240 const struct ldb_val *object,
241 const struct ldb_val *old_sd,
242 uint32_t sd_flags)
243 {
244 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
245 struct security_descriptor *old_descriptor = NULL;
246 struct security_descriptor *new_sd, *final_sd;
247 DATA_BLOB *linear_sd;
248 enum ndr_err_code ndr_err;
249 struct ldb_context *ldb = ldb_module_get_ctx(module);
250 struct auth_session_info *session_info
251 = ldb_get_opaque(ldb, "sessionInfo");
252 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
253 char *sddl_sd;
254 struct dom_sid *default_owner;
255 struct dom_sid *default_group;
256 struct security_descriptor *default_descriptor = NULL;
257 struct GUID *object_list = NULL;
258
259 if (objectclass != NULL) {
260 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
261 object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
262 if (object_list == NULL) {
263 return NULL;
264 }
265 object_list[0] = objectclass->schemaIDGUID;
266 }
267
268 if (object) {
269 user_descriptor = talloc(mem_ctx, struct security_descriptor);
270 if (!user_descriptor) {
271 return NULL;
272 }
273 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
274 user_descriptor,
275 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
276
277 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
278 talloc_free(user_descriptor);
279 return NULL;
280 }
281 } else {
282 user_descriptor = default_descriptor;
283 }
284
285 if (old_sd) {
286 old_descriptor = talloc(mem_ctx, struct security_descriptor);
287 if (!old_descriptor) {
288 return NULL;
289 }
290 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
291 old_descriptor,
292 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
293
294 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
295 talloc_free(old_descriptor);
296 return NULL;
297 }
298 }
299
300 if (parent) {
301 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
302 if (!parent_descriptor) {
303 return NULL;
304 }
305 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
306 parent_descriptor,
307 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
308
309 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
310 talloc_free(parent_descriptor);
311 return NULL;
312 }
313 }
314
315 if (user_descriptor && default_descriptor &&
316 (user_descriptor->dacl == NULL))
317 {
318 user_descriptor->dacl = default_descriptor->dacl;
319 user_descriptor->type |= default_descriptor->type & (
320 SEC_DESC_DACL_PRESENT |
321 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
322 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
323 SEC_DESC_DACL_TRUSTED);
324 }
325
326 if (user_descriptor && default_descriptor &&
327 (user_descriptor->sacl == NULL))
328 {
329 user_descriptor->sacl = default_descriptor->sacl;
330 user_descriptor->type |= default_descriptor->type & (
331 SEC_DESC_SACL_PRESENT |
332 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
333 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
334 SEC_DESC_SERVER_SECURITY);
335 }
336
337
338 if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
339 user_descriptor->owner_sid = NULL;
340
341 /*
342 * We need the correct owner sid
343 * when calculating the DACL or SACL
344 */
345 if (old_descriptor) {
346 user_descriptor->owner_sid = old_descriptor->owner_sid;
347 }
348 }
349 if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
350 user_descriptor->group_sid = NULL;
351
352 /*
353 * We need the correct group sid
354 * when calculating the DACL or SACL
355 */
356 if (old_descriptor) {
357 user_descriptor->group_sid = old_descriptor->group_sid;
358 }
359 }
360 if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
361 user_descriptor->dacl = NULL;
362
363 /*
364 * We add SEC_DESC_DACL_PROTECTED so that
365 * create_security_descriptor() skips
366 * the unused inheritance calculation
367 */
368 user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
369 }
370 if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
371 user_descriptor->sacl = NULL;
372
373 /*
374 * We add SEC_DESC_SACL_PROTECTED so that
375 * create_security_descriptor() skips
376 * the unused inheritance calculation
377 */
378 user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
379 }
380
381 default_owner = get_default_ag(mem_ctx, dn,
382 session_info->security_token, ldb);
383 default_group = get_default_group(mem_ctx, ldb, default_owner);
384 new_sd = create_security_descriptor(mem_ctx,
385 parent_descriptor,
386 user_descriptor,
387 true,
388 object_list,
389 SEC_DACL_AUTO_INHERIT |
390 SEC_SACL_AUTO_INHERIT,
391 session_info->security_token,
392 default_owner, default_group,
393 map_generic_rights_ds);
394 if (!new_sd) {
395 return NULL;
396 }
397 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
398
399 if (!final_sd) {
400 return NULL;
401 }
402
403 if (final_sd->dacl) {
404 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
405 }
406 if (final_sd->sacl) {
407 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
408 }
409
410 sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
411 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
412
413 linear_sd = talloc(mem_ctx, DATA_BLOB);
414 if (!linear_sd) {
415 return NULL;
416 }
417
418 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
419 final_sd,
420 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
421 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
422 return NULL;
423 }
424
425 return linear_sd;
426 }
427
428 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
429 TALLOC_CTX *mem_ctx,
430 struct ldb_val *sd,
431 uint32_t sd_flags)
432 {
433 struct security_descriptor *old_sd, *final_sd;
434 DATA_BLOB *linear_sd;
435 enum ndr_err_code ndr_err;
436
437 old_sd = talloc(mem_ctx, struct security_descriptor);
438 if (!old_sd) {
439 return NULL;
440 }
441 ndr_err = ndr_pull_struct_blob(sd, old_sd,
442 old_sd,
443 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
444
445 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
446 talloc_free(old_sd);
447 return NULL;
448 }
449
450 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
451
452 if (!final_sd) {
453 return NULL;
454 }
455
456 linear_sd = talloc(mem_ctx, DATA_BLOB);
457 if (!linear_sd) {
458 return NULL;
459 }
460
461 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
462 final_sd,
463 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
464 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
465 return NULL;
466 }
467
468 return linear_sd;
469 }
470
471 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
472 struct ldb_request *req)
473 {
474 struct ldb_context *ldb;
475 struct descriptor_context *ac;
476
477 ldb = ldb_module_get_ctx(module);
478
479 ac = talloc_zero(req, struct descriptor_context);
480 if (ac == NULL) {
481 ldb_set_errstring(ldb, "Out of Memory");
482 return NULL;
483 }
484
485 ac->module = module;
486 ac->req = req;
487 return ac;
488 }
489
490 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
491 {
492 struct descriptor_context *ac;
493 struct ldb_val *sd_val = NULL;
494 struct ldb_message_element *sd_el;
495 DATA_BLOB *show_sd;
496 int ret;
497
498 ac = talloc_get_type(req->context, struct descriptor_context);
499
500 if (!ares) {
501 ret = LDB_ERR_OPERATIONS_ERROR;
502 goto fail;
503 }
504 if (ares->error != LDB_SUCCESS) {
505 return ldb_module_done(ac->req, ares->controls,
506 ares->response, ares->error);
507 }
508
509 switch (ares->type) {
510 case LDB_REPLY_ENTRY:
511 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
512 if (sd_el) {
513 sd_val = sd_el->values;
514 }
515
516 if (sd_val) {
517 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
518 sd_val, ac->sd_flags);
519 if (!show_sd) {
520 ret = LDB_ERR_OPERATIONS_ERROR;
521 goto fail;
522 }
523 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
524 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
525 if (ret != LDB_SUCCESS) {
526 goto fail;
527 }
528 }
529 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
530
531 case LDB_REPLY_REFERRAL:
532 return ldb_module_send_referral(ac->req, ares->referral);
533
534 case LDB_REPLY_DONE:
535 return ldb_module_done(ac->req, ares->controls,
536 ares->response, ares->error);
537 }
538
539 fail:
540 talloc_free(ares);
541 return ldb_module_done(ac->req, NULL, NULL, ret);
542 }
543
544 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
545 {
546 struct ldb_context *ldb = ldb_module_get_ctx(module);
547 struct ldb_request *add_req;
548 struct ldb_message *msg;
549 struct ldb_result *parent_res;
550 const struct ldb_val *parent_sd = NULL;
551 const struct ldb_val *user_sd;
552 struct ldb_dn *dn = req->op.add.message->dn;
553 struct ldb_dn *parent_dn, *nc_root;
554 struct ldb_message_element *objectclass_element, *sd_element;
555 int ret;
556 const struct dsdb_schema *schema;
557 DATA_BLOB *sd;
558 const struct dsdb_class *objectclass;
559 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
560 uint32_t instanceType;
561 bool isNC = false;
562 uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
563
564 /* do not manipulate our control entries */
565 if (ldb_dn_is_special(dn)) {
566 return ldb_next_request(module, req);
567 }
568
569 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
570 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
571 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
572 if (user_sd == NULL && sd_element) {
573 return ldb_next_request(module, req);
574 }
575
576 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
577
578 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
579
580 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
581 isNC = true;
582 }
583
584 if (!isNC) {
585 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
586 if (ret != LDB_SUCCESS) {
587 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
588 ldb_dn_get_linearized(dn));
589 return ret;
590 }
591
592 if (ldb_dn_compare(dn, nc_root) == 0) {
593 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
594 isNC = true;
595 }
596 }
597
598 if (isNC) {
599 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
600 }
601 if (!isNC) {
602 /* if the object has a parent, retrieve its SD to
603 * use for calculation. Unfortunately we do not yet have
604 * instanceType, so we use dsdb_find_nc_root. */
605
606 parent_dn = ldb_dn_get_parent(req, dn);
607 if (parent_dn == NULL) {
608 return ldb_oom(ldb);
609 }
610
611 /* we aren't any NC */
612 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
613 parent_attrs,
614 DSDB_FLAG_NEXT_MODULE |
615 DSDB_FLAG_AS_SYSTEM |
616 DSDB_SEARCH_SHOW_RECYCLED,
617 req);
618 if (ret != LDB_SUCCESS) {
619 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
620 ldb_dn_get_linearized(parent_dn));
621 return ret;
622 }
623 if (parent_res->count != 1) {
624 return ldb_operr(ldb);
625 }
626 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
627 }
628
629 schema = dsdb_get_schema(ldb, req);
630
631 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
632 if (objectclass_element == NULL) {
633 return ldb_operr(ldb);
634 }
635
636 objectclass = dsdb_get_last_structural_class(schema,
637 objectclass_element);
638 if (objectclass == NULL) {
639 return ldb_operr(ldb);
640 }
641
642 /*
643 * The SD_FLAG control is ignored on add
644 * and we default to all bits set.
645 */
646 sd_flags = 0xF;
647
648 sd = get_new_descriptor(module, dn, req,
649 objectclass, parent_sd,
650 user_sd, NULL, sd_flags);
651 if (sd == NULL) {
652 return ldb_operr(ldb);
653 }
654 msg = ldb_msg_copy_shallow(req, req->op.add.message);
655 if (msg == NULL) {
656 return ldb_oom(ldb);
657 }
658 if (sd_element != NULL) {
659 sd_element->values[0] = *sd;
660 } else {
661 ret = ldb_msg_add_steal_value(msg,
662 "nTSecurityDescriptor",
663 sd);
664 if (ret != LDB_SUCCESS) {
665 return ret;
666 }
667 }
668
669 ret = ldb_build_add_req(&add_req, ldb, req,
670 msg,
671 req->controls,
672 req, dsdb_next_callback,
673 req);
674 LDB_REQ_SET_LOCATION(add_req);
675 if (ret != LDB_SUCCESS) {
676 return ldb_error(ldb, ret,
677 "descriptor_add: Error creating new add request.");
678 }
679
680 return ldb_next_request(module, add_req);
681 }
682
683 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
684 {
685 struct ldb_context *ldb = ldb_module_get_ctx(module);
686 struct ldb_request *mod_req;
687 struct ldb_message *msg;
688 struct ldb_result *current_res, *parent_res;
689 const struct ldb_val *old_sd = NULL;
690 const struct ldb_val *parent_sd = NULL;
691 const struct ldb_val *user_sd;
692 struct ldb_dn *dn = req->op.mod.message->dn;
693 struct ldb_dn *parent_dn;
694 struct ldb_message_element *objectclass_element, *sd_element;
695 int ret;
696 uint32_t instanceType;
697 bool explicit_sd_flags = false;
698 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
699 const struct dsdb_schema *schema;
700 DATA_BLOB *sd;
701 const struct dsdb_class *objectclass;
702 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
703 static const char * const current_attrs[] = { "nTSecurityDescriptor",
704 "instanceType",
705 "objectClass", NULL };
706 struct ldb_control *sd_propagation_control;
707 int cmp_ret = -1;
708
709 /* do not manipulate our control entries */
710 if (ldb_dn_is_special(dn)) {
711 return ldb_next_request(module, req);
712 }
713
714 sd_propagation_control = ldb_request_get_control(req,
715 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
716 if (sd_propagation_control != NULL) {
717 if (sd_propagation_control->data != module) {
718 return ldb_operr(ldb);
719 }
720 if (req->op.mod.message->num_elements != 0) {
721 return ldb_operr(ldb);
722 }
723 if (explicit_sd_flags) {
724 return ldb_operr(ldb);
725 }
726 if (sd_flags != 0xF) {
727 return ldb_operr(ldb);
728 }
729 if (sd_propagation_control->critical == 0) {
730 return ldb_operr(ldb);
731 }
732
733 sd_propagation_control->critical = 0;
734 }
735
736 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
737 if (sd_propagation_control == NULL && sd_element == NULL) {
738 return ldb_next_request(module, req);
739 }
740
741 /*
742 * nTSecurityDescriptor with DELETE is not supported yet.
743 * TODO: handle this correctly.
744 */
745 if (sd_propagation_control == NULL &&
746 LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
747 {
748 return ldb_module_error(module,
749 LDB_ERR_UNWILLING_TO_PERFORM,
750 "MOD_DELETE for nTSecurityDescriptor "
751 "not supported yet");
752 }
753
754 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
755 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
756 if (sd_propagation_control == NULL && user_sd == NULL) {
757 return ldb_next_request(module, req);
758 }
759
760 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
761
762 ret = dsdb_module_search_dn(module, req, &current_res, dn,
763 current_attrs,
764 DSDB_FLAG_NEXT_MODULE |
765 DSDB_FLAG_AS_SYSTEM |
766 DSDB_SEARCH_SHOW_RECYCLED,
767 req);
768 if (ret != LDB_SUCCESS) {
769 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
770 ldb_dn_get_linearized(dn));
771 return ret;
772 }
773
774 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
775 "instanceType", 0);
776 /* if the object has a parent, retrieve its SD to
777 * use for calculation */
778 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
779 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
780 parent_dn = ldb_dn_get_parent(req, dn);
781 if (parent_dn == NULL) {
782 return ldb_oom(ldb);
783 }
784 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
785 parent_attrs,
786 DSDB_FLAG_NEXT_MODULE |
787 DSDB_FLAG_AS_SYSTEM |
788 DSDB_SEARCH_SHOW_RECYCLED,
789 req);
790 if (ret != LDB_SUCCESS) {
791 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
792 ldb_dn_get_linearized(parent_dn));
793 return ret;
794 }
795 if (parent_res->count != 1) {
796 return ldb_operr(ldb);
797 }
798 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
799 }
800
801 schema = dsdb_get_schema(ldb, req);
802
803 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
804 if (objectclass_element == NULL) {
805 return ldb_operr(ldb);
806 }
807
808 objectclass = dsdb_get_last_structural_class(schema,
809 objectclass_element);
810 if (objectclass == NULL) {
811 return ldb_operr(ldb);
812 }
813
814 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
815 if (old_sd == NULL) {
816 return ldb_operr(ldb);
817 }
818
819 if (sd_propagation_control != NULL) {
820 /*
821 * This just triggers a recalculation of the
822 * inherited aces.
823 */
824 user_sd = old_sd;
825 }
826
827 sd = get_new_descriptor(module, dn, req,
828 objectclass, parent_sd,
829 user_sd, old_sd, sd_flags);
830 if (sd == NULL) {
831 return ldb_operr(ldb);
832 }
833 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
834 if (msg == NULL) {
835 return ldb_oom(ldb);
836 }
837 cmp_ret = data_blob_cmp(old_sd, sd);
838 if (sd_propagation_control != NULL) {
839 if (cmp_ret == 0) {
840 /*
841 * The nTSecurityDescriptor is unchanged,
842 * which means we can stop the processing.
843 *
844 * We mark the control as critical again,
845 * as we have not processed it, so the caller
846 * can tell that the descriptor was unchanged.
847 */
848 sd_propagation_control->critical = 1;
849 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
850 }
851
852 ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor",
853 LDB_FLAG_MOD_REPLACE,
854 &sd_element);
855 if (ret != LDB_SUCCESS) {
856 return ldb_oom(ldb);
857 }
858 ret = ldb_msg_add_value(msg, "nTSecurityDescriptor",
859 sd, NULL);
860 if (ret != LDB_SUCCESS) {
861 return ldb_oom(ldb);
862 }
863 } else if (cmp_ret != 0) {
864 struct ldb_dn *nc_root;
865
866 ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
867 if (ret != LDB_SUCCESS) {
868 return ldb_oom(ldb);
869 }
870
871 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
872 dn, false);
873 if (ret != LDB_SUCCESS) {
874 return ldb_operr(ldb);
875 }
876 sd_element->values[0] = *sd;
877 } else {
878 sd_element->values[0] = *sd;
879 }
880
881 ret = ldb_build_mod_req(&mod_req, ldb, req,
882 msg,
883 req->controls,
884 req,
885 dsdb_next_callback,
886 req);
887 LDB_REQ_SET_LOCATION(mod_req);
888 if (ret != LDB_SUCCESS) {
889 return ret;
890 }
891
892 return ldb_next_request(module, mod_req);
893 }
894
895 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
896 {
897 int ret;
898 struct ldb_context *ldb;
899 struct ldb_request *down_req;
900 struct descriptor_context *ac;
901 bool explicit_sd_flags = false;
902 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
903 bool show_sd = explicit_sd_flags;
904
905 if (!show_sd &&
906 ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
907 {
908 show_sd = true;
909 }
910
911 if (!show_sd) {
912 return ldb_next_request(module, req);
913 }
914
915 ldb = ldb_module_get_ctx(module);
916 ac = descriptor_init_context(module, req);
917 if (ac == NULL) {
918 return ldb_operr(ldb);
919 }
920 ac->sd_flags = sd_flags;
921
922 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
923 req->op.search.base,
924 req->op.search.scope,
925 req->op.search.tree,
926 req->op.search.attrs,
927 req->controls,
928 ac, descriptor_search_callback,
929 ac->req);
930 LDB_REQ_SET_LOCATION(down_req);
931 if (ret != LDB_SUCCESS) {
932 return ret;
933 }
934
935 return ldb_next_request(ac->module, down_req);
936 }
937
938 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
939 {
940 struct ldb_context *ldb = ldb_module_get_ctx(module);
941 struct ldb_dn *olddn = req->op.rename.olddn;
942 struct ldb_dn *newdn = req->op.rename.newdn;
943 int ret;
944
945 /* do not manipulate our control entries */
946 if (ldb_dn_is_special(req->op.rename.olddn)) {
947 return ldb_next_request(module, req);
948 }
949
950 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
951 ldb_dn_get_linearized(olddn));
952
953 if (ldb_dn_compare(olddn, newdn) != 0) {
954 struct ldb_dn *nc_root;
955
956 ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
957 if (ret != LDB_SUCCESS) {
958 return ldb_oom(ldb);
959 }
960
961 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
962 newdn, true);
963 if (ret != LDB_SUCCESS) {
964 return ldb_operr(ldb);
965 }
966 }
967
968 return ldb_next_request(module, req);
969 }
970
971 static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
972 struct ldb_request *req)
973 {
974 struct descriptor_data *descriptor_private =
975 talloc_get_type_abort(ldb_module_get_private(module),
976 struct descriptor_data);
977 struct ldb_context *ldb = ldb_module_get_ctx(module);
978 struct dsdb_extended_sec_desc_propagation_op *op;
979 TALLOC_CTX *parent_mem = NULL;
980 struct descriptor_changes *parent_change = NULL;
981 struct descriptor_changes *c;
982 int ret;
983
984 op = talloc_get_type(req->op.extended.data,
985 struct dsdb_extended_sec_desc_propagation_op);
986 if (op == NULL) {
987 ldb_debug(ldb, LDB_DEBUG_FATAL,
988 "descriptor_extended_sec_desc_propagation: "
989 "invalid extended data\n");
990 return LDB_ERR_PROTOCOL_ERROR;
991 }
992
993 if (descriptor_private->trans_mem == NULL) {
994 return ldb_module_operr(module);
995 }
996
997 parent_mem = descriptor_private->trans_mem;
998
999 for (c = descriptor_private->changes; c; c = c->next) {
1000 ret = ldb_dn_compare(c->nc_root, op->nc_root);
1001 if (ret != 0) {
1002 continue;
1003 }
1004
1005 ret = ldb_dn_compare(c->dn, op->dn);
1006 if (ret == 0) {
1007 if (op->include_self) {
1008 c->force_self = true;
1009 } else {
1010 c->force_children = true;
1011 }
1012 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1013 }
1014
1015 ret = ldb_dn_compare_base(c->dn, op->dn);
1016 if (ret != 0) {
1017 continue;
1018 }
1019
1020 parent_mem = c;
1021 parent_change = c;
1022 break;
1023 }
1024
1025 c = talloc_zero(parent_mem, struct descriptor_changes);
1026 if (c == NULL) {
1027 return ldb_module_oom(module);
1028 }
1029 c->nc_root = ldb_dn_copy(c, op->nc_root);
1030 if (c->nc_root == NULL) {
1031 return ldb_module_oom(module);
1032 }
1033 c->dn = ldb_dn_copy(c, op->dn);
1034 if (c->dn == NULL) {
1035 return ldb_module_oom(module);
1036 }
1037 if (op->include_self) {
1038 c->force_self = true;
1039 } else {
1040 c->force_children = true;
1041 }
1042
1043 if (parent_change != NULL) {
1044 DLIST_ADD_END(parent_change->children, c, NULL);
1045 } else {
1046 DLIST_ADD_END(descriptor_private->changes, c, NULL);
1047 }
1048
1049 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1050 }
1051
1052 static int descriptor_extended(struct ldb_module *module, struct ldb_request *req)
1053 {
1054 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID) == 0) {
1055 return descriptor_extended_sec_desc_propagation(module, req);
1056 }
1057
1058 return ldb_next_request(module, req);
1059 }
1060
1061 static int descriptor_init(struct ldb_module *module)
1062 {
1063 struct ldb_context *ldb = ldb_module_get_ctx(module);
1064 int ret;
1065 struct descriptor_data *descriptor_private;
1066
1067 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
1068 if (ret != LDB_SUCCESS) {
1069 ldb_debug(ldb, LDB_DEBUG_ERROR,
1070 "descriptor: Unable to register control with rootdse!\n");
1071 return ldb_operr(ldb);
1072 }
1073
1074 descriptor_private = talloc_zero(module, struct descriptor_data);
1075 if (descriptor_private == NULL) {
1076 ldb_oom(ldb);
1077 return LDB_ERR_OPERATIONS_ERROR;
1078 }
1079 ldb_module_set_private(module, descriptor_private);
1080
1081 return ldb_next_init(module);
1082 }
1083
1084 static int descriptor_sd_propagation_object(struct ldb_module *module,
1085 struct ldb_message *msg,
1086 bool *stop)
1087 {
1088 struct ldb_context *ldb = ldb_module_get_ctx(module);
1089 struct ldb_request *sub_req;
1090 struct ldb_result *mod_res;
1091 struct ldb_control *sd_propagation_control;
1092 int ret;
1093
1094 *stop = false;
1095
1096 mod_res = talloc_zero(msg, struct ldb_result);
1097 if (mod_res == NULL) {
1098 return ldb_module_oom(module);
1099 }
1100
1101 ret = ldb_build_mod_req(&sub_req, ldb, mod_res,
1102 msg,
1103 NULL,
1104 mod_res,
1105 ldb_modify_default_callback,
1106 NULL);
1107 LDB_REQ_SET_LOCATION(sub_req);
1108 if (ret != LDB_SUCCESS) {
1109 return ldb_module_operr(module);
1110 }
1111
1112 ldb_req_mark_trusted(sub_req);
1113
1114 ret = ldb_request_add_control(sub_req,
1115 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID,
1116 true, module);
1117 if (ret != LDB_SUCCESS) {
1118 return ldb_module_operr(module);
1119 }
1120
1121 sd_propagation_control = ldb_request_get_control(sub_req,
1122 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
1123 if (sd_propagation_control == NULL) {
1124 return ldb_module_operr(module);
1125 }
1126
1127 ret = dsdb_request_add_controls(sub_req,
1128 DSDB_FLAG_AS_SYSTEM |
1129 DSDB_SEARCH_SHOW_RECYCLED);
1130 if (ret != LDB_SUCCESS) {
1131 return ldb_module_operr(module);
1132 }
1133
1134 ret = descriptor_modify(module, sub_req);
1135 if (ret == LDB_SUCCESS) {
1136 ret = ldb_wait(sub_req->handle, LDB_WAIT_ALL);
1137 }
1138 if (ret != LDB_SUCCESS) {
1139 return ldb_module_operr(module);
1140 }
1141
1142 if (sd_propagation_control->critical != 0) {
1143 *stop = true;
1144 }
1145
1146 talloc_free(mod_res);
1147
1148 return LDB_SUCCESS;
1149 }
1150
1151 static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
1152 struct ldb_message **m2)
1153 {
1154 struct ldb_dn *dn1 = (*m1)->dn;
1155 struct ldb_dn *dn2 = (*m2)->dn;
1156
1157 /*
1158 * This sorts in tree order, parents first
1159 */
1160 return ldb_dn_compare(dn2, dn1);
1161 }
1162
1163 static int descriptor_sd_propagation_dn_sort(struct ldb_dn *dn1,
1164 struct ldb_dn *dn2)
1165 {
1166 /*
1167 * This sorts in tree order, parents first
1168 */
1169 return ldb_dn_compare(dn2, dn1);
1170 }
1171
1172 static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1173 struct descriptor_changes *change)
1174 {
1175 struct ldb_context *ldb = ldb_module_get_ctx(module);
1176 struct ldb_result *res = NULL;
1177 unsigned int i;
1178 const char * const no_attrs[] = { "@__NONE__", NULL };
1179 struct descriptor_changes *c;
1180 struct descriptor_changes *stopped_stack = NULL;
1181 int ret;
1182
1183 /*
1184 * Note: that we do not search for deleted/recycled objects
1185 */
1186 ret = dsdb_module_search(module,
1187 change,
1188 &res,
1189 change->dn,
1190 LDB_SCOPE_SUBTREE,
1191 no_attrs,
1192 DSDB_FLAG_NEXT_MODULE |
1193 DSDB_FLAG_AS_SYSTEM,
1194 NULL, /* parent_req */
1195 "(objectClass=*)");
1196 if (ret != LDB_SUCCESS) {
1197 return ret;
1198 }
1199
1200 TYPESAFE_QSORT(res->msgs, res->count,
1201 descriptor_sd_propagation_msg_sort);
1202
1203 for (c = change->children; c; c = c->next) {
1204 struct ldb_message *msg = NULL;
1205
1206 BINARY_ARRAY_SEARCH_P(res->msgs, res->count, dn, c->dn,
1207 descriptor_sd_propagation_dn_sort,
1208 msg);
1209
1210 if (msg == NULL) {
1211 ldb_debug(ldb, LDB_DEBUG_WARNING,
1212 "descriptor_sd_propagation_recursive: "
1213 "%s not found under %s",
1214 ldb_dn_get_linearized(c->dn),
1215 ldb_dn_get_linearized(change->dn));
1216 continue;
1217 }
1218
1219 msg->elements = (struct ldb_message_element *)c;
1220 }
1221
1222 DLIST_ADD(stopped_stack, change);
1223
1224 if (change->force_self) {
1225 i = 0;
1226 } else {
1227 i = 1;
1228 }
1229
1230 for (; i < res->count; i++) {
1231 struct descriptor_changes *cur;
1232 bool stop = false;
1233
1234 cur = talloc_get_type(res->msgs[i]->elements,
1235 struct descriptor_changes);
1236 res->msgs[i]->elements = NULL;
1237 res->msgs[i]->num_elements = 0;
1238
1239 if (cur != NULL) {
1240 DLIST_REMOVE(change->children, cur);
1241 }
1242
1243 for (c = stopped_stack; c; c = stopped_stack) {
1244 ret = ldb_dn_compare_base(c->dn,
1245 res->msgs[i]->dn);
1246 if (ret == 0) {
1247 break;
1248 }
1249
1250 c->stopped_dn = NULL;
1251 DLIST_REMOVE(stopped_stack, c);
1252 }
1253
1254 if (cur != NULL) {
1255 DLIST_ADD(stopped_stack, cur);
1256 }
1257
1258 if (stopped_stack->stopped_dn != NULL) {
1259 ret = ldb_dn_compare_base(stopped_stack->stopped_dn,
1260 res->msgs[i]->dn);
1261 if (ret == 0) {
1262 continue;
1263 }
1264 stopped_stack->stopped_dn = NULL;
1265 }
1266
1267 ret = descriptor_sd_propagation_object(module, res->msgs[i],
1268 &stop);
1269 if (ret != LDB_SUCCESS) {
1270 return ret;
1271 }
1272
1273 if (cur != NULL && cur->force_children) {
1274 continue;
1275 }
1276
1277 if (stop) {
1278 stopped_stack->stopped_dn = res->msgs[i]->dn;
1279 continue;
1280 }
1281 }
1282
1283 TALLOC_FREE(res);
1284 return LDB_SUCCESS;
1285 }
1286
1287 static int descriptor_start_transaction(struct ldb_module *module)
1288 {
1289 struct descriptor_data *descriptor_private =
1290 talloc_get_type_abort(ldb_module_get_private(module),
1291 struct descriptor_data);
1292
1293 if (descriptor_private->trans_mem != NULL) {
1294 return ldb_module_operr(module);
1295 }
1296
1297 descriptor_private->trans_mem = talloc_new(descriptor_private);
1298 if (descriptor_private->trans_mem == NULL) {
1299 return ldb_module_oom(module);
1300 }
1301 descriptor_private->changes = NULL;
1302
1303 return ldb_next_start_trans(module);
1304 }
1305
1306 static int descriptor_prepare_commit(struct ldb_module *module)
1307 {
1308 struct descriptor_data *descriptor_private =
1309 talloc_get_type_abort(ldb_module_get_private(module),
1310 struct descriptor_data);
1311 struct descriptor_changes *c, *n;
1312 int ret;
1313
1314 for (c = descriptor_private->changes; c; c = n) {
1315 n = c->next;
1316 DLIST_REMOVE(descriptor_private->changes, c);
1317
1318 ret = descriptor_sd_propagation_recursive(module, c);
1319 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1320 continue;
1321 }
1322 if (ret != LDB_SUCCESS) {
1323 return ret;
1324 }
1325 }
1326
1327 return ldb_next_prepare_commit(module);
1328 }
1329
1330 static int descriptor_end_transaction(struct ldb_module *module)
1331 {
1332 struct descriptor_data *descriptor_private =
1333 talloc_get_type_abort(ldb_module_get_private(module),
1334 struct descriptor_data);
1335
1336 TALLOC_FREE(descriptor_private->trans_mem);
1337 descriptor_private->changes = NULL;
1338
1339 return ldb_next_end_trans(module);
1340 }
1341
1342 static int descriptor_del_transaction(struct ldb_module *module)
1343 {
1344 struct descriptor_data *descriptor_private =
1345 talloc_get_type_abort(ldb_module_get_private(module),
1346 struct descriptor_data);
1347
1348 TALLOC_FREE(descriptor_private->trans_mem);
1349 descriptor_private->changes = NULL;
1350
1351 return ldb_next_del_trans(module);
1352 }
1353
1354 static const struct ldb_module_ops ldb_descriptor_module_ops = {
1355 .name = "descriptor",
1356 .search = descriptor_search,
1357 .add = descriptor_add,
1358 .modify = descriptor_modify,
1359 .rename = descriptor_rename,
1360 .init_context = descriptor_init,
1361 .extended = descriptor_extended,
1362 .start_transaction = descriptor_start_transaction,
1363 .prepare_commit = descriptor_prepare_commit,
1364 .end_transaction = descriptor_end_transaction,
1365 .del_transaction = descriptor_del_transaction,
1366 };
1367
1368 int ldb_descriptor_module_init(const char *version)
1369 {
1370 LDB_MODULE_CHECK_VERSION(version);
1371 return ldb_register_module(&ldb_descriptor_module_ops);
1372 }
reg import