search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than class_schemaid_guid_by_lD...
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / descriptor.c
blobfb100f76283d74f09b50fc07acf29082de06098c
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /*
23 * Name: ldb
24 *
25 * Component: DS Security descriptor module
26 *
27 * Description:
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
31 *
32 * Author: Nadezhda Ivanova
33 */
34
35 #include "includes.h"
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "auth/auth.h"
43 #include "param/param.h"
44 #include "dsdb/samdb/ldb_modules/util.h"
45 #include "lib/util/binsearch.h"
46
47 struct descriptor_changes {
48 struct descriptor_changes *prev, *next;
49 struct descriptor_changes *children;
50 struct ldb_dn *nc_root;
51 struct ldb_dn *dn;
52 bool force_self;
53 bool force_children;
54 struct ldb_dn *stopped_dn;
55 };
56
57 struct descriptor_data {
58 TALLOC_CTX *trans_mem;
59 struct descriptor_changes *changes;
60 };
61
62 struct descriptor_context {
63 struct ldb_module *module;
64 struct ldb_request *req;
65 struct ldb_message *msg;
66 struct ldb_reply *search_res;
67 struct ldb_reply *search_oc_res;
68 struct ldb_val *parentsd_val;
69 struct ldb_message_element *sd_element;
70 struct ldb_val *sd_val;
71 uint32_t sd_flags;
72 int (*step_fn)(struct descriptor_context *);
73 };
74
75 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
76 struct ldb_dn *dn,
77 struct security_token *token,
78 struct ldb_context *ldb)
79 {
80 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
81 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
82 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
83 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
84 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
85 struct dom_sid *dag_sid;
86 struct ldb_dn *nc_root;
87 int ret;
88
89 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
90 if (ret != LDB_SUCCESS) {
91 talloc_free(tmp_ctx);
92 return NULL;
93 }
94
95 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
96 if (security_token_has_sid(token, sa_sid)) {
97 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
98 } else if (security_token_has_sid(token, ea_sid)) {
99 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
100 } else if (security_token_has_sid(token, da_sid)) {
101 dag_sid = dom_sid_dup(mem_ctx, da_sid);
102 } else if (security_token_is_system(token)) {
103 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
104 } else {
105 dag_sid = NULL;
106 }
107 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
108 if (security_token_has_sid(token, ea_sid)) {
109 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
110 } else if (security_token_has_sid(token, da_sid)) {
111 dag_sid = dom_sid_dup(mem_ctx, da_sid);
112 } else if (security_token_is_system(token)) {
113 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
114 } else {
115 dag_sid = NULL;
116 }
117 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
118 if (security_token_has_sid(token, da_sid)) {
119 dag_sid = dom_sid_dup(mem_ctx, da_sid);
120 } else if (security_token_has_sid(token, ea_sid)) {
121 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
122 } else if (security_token_is_system(token)) {
123 dag_sid = dom_sid_dup(mem_ctx, da_sid);
124 } else {
125 dag_sid = NULL;
126 }
127 } else {
128 dag_sid = NULL;
129 }
130
131 talloc_free(tmp_ctx);
132 return dag_sid;
133 }
134
135 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
136 const struct dsdb_class *objectclass)
137 {
138 struct ldb_context *ldb = ldb_module_get_ctx(module);
139 struct security_descriptor *sd;
140 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
141
142 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
143 return NULL;
144 }
145
146 sd = sddl_decode(mem_ctx,
147 objectclass->defaultSecurityDescriptor,
148 domain_sid);
149 return sd;
150 }
151
152 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
153 struct ldb_context *ldb,
154 struct dom_sid *dag)
155 {
156 if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
157 return dag;
158 }
159
160 return NULL;
161 }
162
163 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
164 struct security_descriptor *new_sd,
165 struct security_descriptor *old_sd,
166 uint32_t sd_flags)
167 {
168 struct security_descriptor *final_sd;
169 /* if there is no control or control == 0 modify everything */
170 if (!sd_flags) {
171 return new_sd;
172 }
173
174 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
175 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
176 final_sd->type = SEC_DESC_SELF_RELATIVE;
177
178 if (sd_flags & (SECINFO_OWNER)) {
179 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
180 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
181 }
182 else if (old_sd) {
183 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
184 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
185 }
186
187 if (sd_flags & (SECINFO_GROUP)) {
188 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
189 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
190 }
191 else if (old_sd) {
192 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
193 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
194 }
195
196 if (sd_flags & (SECINFO_SACL)) {
197 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
198 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
199 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
200 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
201 SEC_DESC_SERVER_SECURITY);
202 }
203 else if (old_sd && old_sd->sacl) {
204 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
205 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
206 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
207 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
208 SEC_DESC_SERVER_SECURITY);
209 }
210
211 if (sd_flags & (SECINFO_DACL)) {
212 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
213 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
214 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
215 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
216 SEC_DESC_DACL_TRUSTED);
217 }
218 else if (old_sd && old_sd->dacl) {
219 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
220 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
221 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
222 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
223 SEC_DESC_DACL_TRUSTED);
224 }
225 /* not so sure about this */
226 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
227 return final_sd;
228 }
229
230 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
231 struct ldb_dn *dn,
232 TALLOC_CTX *mem_ctx,
233 const struct dsdb_class *objectclass,
234 const struct ldb_val *parent,
235 const struct ldb_val *object,
236 const struct ldb_val *old_sd,
237 uint32_t sd_flags)
238 {
239 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
240 struct security_descriptor *old_descriptor = NULL;
241 struct security_descriptor *new_sd, *final_sd;
242 DATA_BLOB *linear_sd;
243 enum ndr_err_code ndr_err;
244 struct ldb_context *ldb = ldb_module_get_ctx(module);
245 struct auth_session_info *session_info
246 = ldb_get_opaque(ldb, "sessionInfo");
247 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
248 char *sddl_sd;
249 struct dom_sid *default_owner;
250 struct dom_sid *default_group;
251 struct security_descriptor *default_descriptor = NULL;
252 struct GUID *object_list = NULL;
253
254 if (objectclass != NULL) {
255 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
256 object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
257 if (object_list == NULL) {
258 return NULL;
259 }
260 object_list[0] = objectclass->schemaIDGUID;
261 }
262
263 if (object) {
264 user_descriptor = talloc(mem_ctx, struct security_descriptor);
265 if (!user_descriptor) {
266 return NULL;
267 }
268 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
269 user_descriptor,
270 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
271
272 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
273 talloc_free(user_descriptor);
274 return NULL;
275 }
276 } else {
277 user_descriptor = default_descriptor;
278 }
279
280 if (old_sd) {
281 old_descriptor = talloc(mem_ctx, struct security_descriptor);
282 if (!old_descriptor) {
283 return NULL;
284 }
285 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
286 old_descriptor,
287 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
288
289 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
290 talloc_free(old_descriptor);
291 return NULL;
292 }
293 }
294
295 if (parent) {
296 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
297 if (!parent_descriptor) {
298 return NULL;
299 }
300 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
301 parent_descriptor,
302 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
303
304 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
305 talloc_free(parent_descriptor);
306 return NULL;
307 }
308 }
309
310 if (user_descriptor && default_descriptor &&
311 (user_descriptor->dacl == NULL))
312 {
313 user_descriptor->dacl = default_descriptor->dacl;
314 user_descriptor->type |= default_descriptor->type & (
315 SEC_DESC_DACL_PRESENT |
316 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
317 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
318 SEC_DESC_DACL_TRUSTED);
319 }
320
321 if (user_descriptor && default_descriptor &&
322 (user_descriptor->sacl == NULL))
323 {
324 user_descriptor->sacl = default_descriptor->sacl;
325 user_descriptor->type |= default_descriptor->type & (
326 SEC_DESC_SACL_PRESENT |
327 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
328 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
329 SEC_DESC_SERVER_SECURITY);
330 }
331
332
333 if (!(sd_flags & SECINFO_OWNER) && user_descriptor) {
334 user_descriptor->owner_sid = NULL;
335
336 /*
337 * We need the correct owner sid
338 * when calculating the DACL or SACL
339 */
340 if (old_descriptor) {
341 user_descriptor->owner_sid = old_descriptor->owner_sid;
342 }
343 }
344 if (!(sd_flags & SECINFO_GROUP) && user_descriptor) {
345 user_descriptor->group_sid = NULL;
346
347 /*
348 * We need the correct group sid
349 * when calculating the DACL or SACL
350 */
351 if (old_descriptor) {
352 user_descriptor->group_sid = old_descriptor->group_sid;
353 }
354 }
355 if (!(sd_flags & SECINFO_DACL) && user_descriptor) {
356 user_descriptor->dacl = NULL;
357
358 /*
359 * We add SEC_DESC_DACL_PROTECTED so that
360 * create_security_descriptor() skips
361 * the unused inheritance calculation
362 */
363 user_descriptor->type |= SEC_DESC_DACL_PROTECTED;
364 }
365 if (!(sd_flags & SECINFO_SACL) && user_descriptor) {
366 user_descriptor->sacl = NULL;
367
368 /*
369 * We add SEC_DESC_SACL_PROTECTED so that
370 * create_security_descriptor() skips
371 * the unused inheritance calculation
372 */
373 user_descriptor->type |= SEC_DESC_SACL_PROTECTED;
374 }
375
376 default_owner = get_default_ag(mem_ctx, dn,
377 session_info->security_token, ldb);
378 default_group = get_default_group(mem_ctx, ldb, default_owner);
379 new_sd = create_security_descriptor(mem_ctx,
380 parent_descriptor,
381 user_descriptor,
382 true,
383 object_list,
384 SEC_DACL_AUTO_INHERIT |
385 SEC_SACL_AUTO_INHERIT,
386 session_info->security_token,
387 default_owner, default_group,
388 map_generic_rights_ds);
389 if (!new_sd) {
390 return NULL;
391 }
392 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
393
394 if (!final_sd) {
395 return NULL;
396 }
397
398 if (final_sd->dacl) {
399 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
400 }
401 if (final_sd->sacl) {
402 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
403 }
404
405 sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
406 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
407
408 linear_sd = talloc(mem_ctx, DATA_BLOB);
409 if (!linear_sd) {
410 return NULL;
411 }
412
413 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
414 final_sd,
415 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
416 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
417 return NULL;
418 }
419
420 return linear_sd;
421 }
422
423 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
424 TALLOC_CTX *mem_ctx,
425 struct ldb_val *sd,
426 uint32_t sd_flags)
427 {
428 struct security_descriptor *old_sd, *final_sd;
429 DATA_BLOB *linear_sd;
430 enum ndr_err_code ndr_err;
431
432 old_sd = talloc(mem_ctx, struct security_descriptor);
433 if (!old_sd) {
434 return NULL;
435 }
436 ndr_err = ndr_pull_struct_blob(sd, old_sd,
437 old_sd,
438 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
439
440 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
441 talloc_free(old_sd);
442 return NULL;
443 }
444
445 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
446
447 if (!final_sd) {
448 return NULL;
449 }
450
451 linear_sd = talloc(mem_ctx, DATA_BLOB);
452 if (!linear_sd) {
453 return NULL;
454 }
455
456 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
457 final_sd,
458 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
459 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
460 return NULL;
461 }
462
463 return linear_sd;
464 }
465
466 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
467 struct ldb_request *req)
468 {
469 struct ldb_context *ldb;
470 struct descriptor_context *ac;
471
472 ldb = ldb_module_get_ctx(module);
473
474 ac = talloc_zero(req, struct descriptor_context);
475 if (ac == NULL) {
476 ldb_set_errstring(ldb, "Out of Memory");
477 return NULL;
478 }
479
480 ac->module = module;
481 ac->req = req;
482 return ac;
483 }
484
485 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
486 {
487 struct descriptor_context *ac;
488 struct ldb_val *sd_val = NULL;
489 struct ldb_message_element *sd_el;
490 DATA_BLOB *show_sd;
491 int ret;
492
493 ac = talloc_get_type(req->context, struct descriptor_context);
494
495 if (!ares) {
496 ret = LDB_ERR_OPERATIONS_ERROR;
497 goto fail;
498 }
499 if (ares->error != LDB_SUCCESS) {
500 return ldb_module_done(ac->req, ares->controls,
501 ares->response, ares->error);
502 }
503
504 switch (ares->type) {
505 case LDB_REPLY_ENTRY:
506 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
507 if (sd_el) {
508 sd_val = sd_el->values;
509 }
510
511 if (sd_val) {
512 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
513 sd_val, ac->sd_flags);
514 if (!show_sd) {
515 ret = LDB_ERR_OPERATIONS_ERROR;
516 goto fail;
517 }
518 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
519 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
520 if (ret != LDB_SUCCESS) {
521 goto fail;
522 }
523 }
524 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
525
526 case LDB_REPLY_REFERRAL:
527 return ldb_module_send_referral(ac->req, ares->referral);
528
529 case LDB_REPLY_DONE:
530 return ldb_module_done(ac->req, ares->controls,
531 ares->response, ares->error);
532 }
533
534 fail:
535 talloc_free(ares);
536 return ldb_module_done(ac->req, NULL, NULL, ret);
537 }
538
539 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
540 {
541 struct ldb_context *ldb = ldb_module_get_ctx(module);
542 struct ldb_request *add_req;
543 struct ldb_message *msg;
544 struct ldb_result *parent_res;
545 const struct ldb_val *parent_sd = NULL;
546 const struct ldb_val *user_sd;
547 struct ldb_dn *dn = req->op.add.message->dn;
548 struct ldb_dn *parent_dn, *nc_root;
549 struct ldb_message_element *objectclass_element, *sd_element;
550 int ret;
551 const struct dsdb_schema *schema;
552 DATA_BLOB *sd;
553 const struct dsdb_class *objectclass;
554 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
555 uint32_t instanceType;
556 bool isNC = false;
557 uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
558
559 /* do not manipulate our control entries */
560 if (ldb_dn_is_special(dn)) {
561 return ldb_next_request(module, req);
562 }
563
564 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
565 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
566 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
567 if (user_sd == NULL && sd_element) {
568 return ldb_next_request(module, req);
569 }
570
571 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
572
573 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
574
575 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
576 isNC = true;
577 }
578
579 if (!isNC) {
580 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
581 if (ret != LDB_SUCCESS) {
582 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
583 ldb_dn_get_linearized(dn));
584 return ret;
585 }
586
587 if (ldb_dn_compare(dn, nc_root) == 0) {
588 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
589 isNC = true;
590 }
591 }
592
593 if (isNC) {
594 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
595 }
596 if (!isNC) {
597 /* if the object has a parent, retrieve its SD to
598 * use for calculation. Unfortunately we do not yet have
599 * instanceType, so we use dsdb_find_nc_root. */
600
601 parent_dn = ldb_dn_get_parent(req, dn);
602 if (parent_dn == NULL) {
603 return ldb_oom(ldb);
604 }
605
606 /* we aren't any NC */
607 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
608 parent_attrs,
609 DSDB_FLAG_NEXT_MODULE |
610 DSDB_FLAG_AS_SYSTEM |
611 DSDB_SEARCH_SHOW_RECYCLED,
612 req);
613 if (ret != LDB_SUCCESS) {
614 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
615 ldb_dn_get_linearized(parent_dn));
616 return ret;
617 }
618 if (parent_res->count != 1) {
619 return ldb_operr(ldb);
620 }
621 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
622 }
623
624 schema = dsdb_get_schema(ldb, req);
625
626 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
627 if (objectclass_element == NULL) {
628 return ldb_operr(ldb);
629 }
630
631 objectclass = dsdb_get_last_structural_class(schema,
632 objectclass_element);
633 if (objectclass == NULL) {
634 return ldb_operr(ldb);
635 }
636
637 /*
638 * The SD_FLAG control is ignored on add
639 * and we default to all bits set.
640 */
641 sd_flags = 0xF;
642
643 sd = get_new_descriptor(module, dn, req,
644 objectclass, parent_sd,
645 user_sd, NULL, sd_flags);
646 if (sd == NULL) {
647 return ldb_operr(ldb);
648 }
649 msg = ldb_msg_copy_shallow(req, req->op.add.message);
650 if (msg == NULL) {
651 return ldb_oom(ldb);
652 }
653 if (sd_element != NULL) {
654 sd_element->values[0] = *sd;
655 } else {
656 ret = ldb_msg_add_steal_value(msg,
657 "nTSecurityDescriptor",
658 sd);
659 if (ret != LDB_SUCCESS) {
660 return ret;
661 }
662 }
663
664 ret = ldb_build_add_req(&add_req, ldb, req,
665 msg,
666 req->controls,
667 req, dsdb_next_callback,
668 req);
669 LDB_REQ_SET_LOCATION(add_req);
670 if (ret != LDB_SUCCESS) {
671 return ldb_error(ldb, ret,
672 "descriptor_add: Error creating new add request.");
673 }
674
675 return ldb_next_request(module, add_req);
676 }
677
678 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
679 {
680 struct ldb_context *ldb = ldb_module_get_ctx(module);
681 struct ldb_request *mod_req;
682 struct ldb_message *msg;
683 struct ldb_result *current_res, *parent_res;
684 const struct ldb_val *old_sd = NULL;
685 const struct ldb_val *parent_sd = NULL;
686 const struct ldb_val *user_sd;
687 struct ldb_dn *dn = req->op.mod.message->dn;
688 struct ldb_dn *parent_dn;
689 struct ldb_message_element *objectclass_element, *sd_element;
690 int ret;
691 uint32_t instanceType;
692 bool explicit_sd_flags = false;
693 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
694 const struct dsdb_schema *schema;
695 DATA_BLOB *sd;
696 const struct dsdb_class *objectclass;
697 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
698 static const char * const current_attrs[] = { "nTSecurityDescriptor",
699 "instanceType",
700 "objectClass", NULL };
701 struct ldb_control *sd_propagation_control;
702 int cmp_ret = -1;
703
704 /* do not manipulate our control entries */
705 if (ldb_dn_is_special(dn)) {
706 return ldb_next_request(module, req);
707 }
708
709 sd_propagation_control = ldb_request_get_control(req,
710 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
711 if (sd_propagation_control != NULL) {
712 if (sd_propagation_control->data != module) {
713 return ldb_operr(ldb);
714 }
715 if (req->op.mod.message->num_elements != 0) {
716 return ldb_operr(ldb);
717 }
718 if (explicit_sd_flags) {
719 return ldb_operr(ldb);
720 }
721 if (sd_flags != 0xF) {
722 return ldb_operr(ldb);
723 }
724 if (sd_propagation_control->critical == 0) {
725 return ldb_operr(ldb);
726 }
727
728 sd_propagation_control->critical = 0;
729 }
730
731 sd_element = ldb_msg_find_element(req->op.mod.message, "nTSecurityDescriptor");
732 if (sd_propagation_control == NULL && sd_element == NULL) {
733 return ldb_next_request(module, req);
734 }
735
736 /*
737 * nTSecurityDescriptor with DELETE is not supported yet.
738 * TODO: handle this correctly.
739 */
740 if (sd_propagation_control == NULL &&
741 LDB_FLAG_MOD_TYPE(sd_element->flags) == LDB_FLAG_MOD_DELETE)
742 {
743 return ldb_module_error(module,
744 LDB_ERR_UNWILLING_TO_PERFORM,
745 "MOD_DELETE for nTSecurityDescriptor "
746 "not supported yet");
747 }
748
749 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
750 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
751 if (sd_propagation_control == NULL && user_sd == NULL) {
752 return ldb_next_request(module, req);
753 }
754
755 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
756
757 ret = dsdb_module_search_dn(module, req, &current_res, dn,
758 current_attrs,
759 DSDB_FLAG_NEXT_MODULE |
760 DSDB_FLAG_AS_SYSTEM |
761 DSDB_SEARCH_SHOW_RECYCLED,
762 req);
763 if (ret != LDB_SUCCESS) {
764 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
765 ldb_dn_get_linearized(dn));
766 return ret;
767 }
768
769 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
770 "instanceType", 0);
771 /* if the object has a parent, retrieve its SD to
772 * use for calculation */
773 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
774 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
775 parent_dn = ldb_dn_get_parent(req, dn);
776 if (parent_dn == NULL) {
777 return ldb_oom(ldb);
778 }
779 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
780 parent_attrs,
781 DSDB_FLAG_NEXT_MODULE |
782 DSDB_FLAG_AS_SYSTEM |
783 DSDB_SEARCH_SHOW_RECYCLED,
784 req);
785 if (ret != LDB_SUCCESS) {
786 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
787 ldb_dn_get_linearized(parent_dn));
788 return ret;
789 }
790 if (parent_res->count != 1) {
791 return ldb_operr(ldb);
792 }
793 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
794 }
795
796 schema = dsdb_get_schema(ldb, req);
797
798 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
799 if (objectclass_element == NULL) {
800 return ldb_operr(ldb);
801 }
802
803 objectclass = dsdb_get_last_structural_class(schema,
804 objectclass_element);
805 if (objectclass == NULL) {
806 return ldb_operr(ldb);
807 }
808
809 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
810 if (old_sd == NULL) {
811 return ldb_operr(ldb);
812 }
813
814 if (sd_propagation_control != NULL) {
815 /*
816 * This just triggers a recalculation of the
817 * inherited aces.
818 */
819 user_sd = old_sd;
820 }
821
822 sd = get_new_descriptor(module, dn, req,
823 objectclass, parent_sd,
824 user_sd, old_sd, sd_flags);
825 if (sd == NULL) {
826 return ldb_operr(ldb);
827 }
828 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
829 if (msg == NULL) {
830 return ldb_oom(ldb);
831 }
832 cmp_ret = data_blob_cmp(old_sd, sd);
833 if (sd_propagation_control != NULL) {
834 if (cmp_ret == 0) {
835 /*
836 * The nTSecurityDescriptor is unchanged,
837 * which means we can stop the processing.
838 *
839 * We mark the control as critical again,
840 * as we have not processed it, so the caller
841 * can tell that the descriptor was unchanged.
842 */
843 sd_propagation_control->critical = 1;
844 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
845 }
846
847 ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor",
848 LDB_FLAG_MOD_REPLACE,
849 &sd_element);
850 if (ret != LDB_SUCCESS) {
851 return ldb_oom(ldb);
852 }
853 ret = ldb_msg_add_value(msg, "nTSecurityDescriptor",
854 sd, NULL);
855 if (ret != LDB_SUCCESS) {
856 return ldb_oom(ldb);
857 }
858 } else if (cmp_ret != 0) {
859 struct ldb_dn *nc_root;
860
861 ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
862 if (ret != LDB_SUCCESS) {
863 return ldb_oom(ldb);
864 }
865
866 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
867 dn, false);
868 if (ret != LDB_SUCCESS) {
869 return ldb_operr(ldb);
870 }
871 sd_element->values[0] = *sd;
872 } else {
873 sd_element->values[0] = *sd;
874 }
875
876 ret = ldb_build_mod_req(&mod_req, ldb, req,
877 msg,
878 req->controls,
879 req,
880 dsdb_next_callback,
881 req);
882 LDB_REQ_SET_LOCATION(mod_req);
883 if (ret != LDB_SUCCESS) {
884 return ret;
885 }
886
887 return ldb_next_request(module, mod_req);
888 }
889
890 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
891 {
892 int ret;
893 struct ldb_context *ldb;
894 struct ldb_request *down_req;
895 struct descriptor_context *ac;
896 bool explicit_sd_flags = false;
897 uint32_t sd_flags = dsdb_request_sd_flags(req, &explicit_sd_flags);
898 bool show_sd = explicit_sd_flags;
899
900 if (!show_sd &&
901 ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
902 {
903 show_sd = true;
904 }
905
906 if (!show_sd) {
907 return ldb_next_request(module, req);
908 }
909
910 ldb = ldb_module_get_ctx(module);
911 ac = descriptor_init_context(module, req);
912 if (ac == NULL) {
913 return ldb_operr(ldb);
914 }
915 ac->sd_flags = sd_flags;
916
917 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
918 req->op.search.base,
919 req->op.search.scope,
920 req->op.search.tree,
921 req->op.search.attrs,
922 req->controls,
923 ac, descriptor_search_callback,
924 ac->req);
925 LDB_REQ_SET_LOCATION(down_req);
926 if (ret != LDB_SUCCESS) {
927 return ret;
928 }
929
930 return ldb_next_request(ac->module, down_req);
931 }
932
933 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
934 {
935 struct ldb_context *ldb = ldb_module_get_ctx(module);
936 struct ldb_dn *olddn = req->op.rename.olddn;
937 struct ldb_dn *newdn = req->op.rename.newdn;
938 int ret;
939
940 /* do not manipulate our control entries */
941 if (ldb_dn_is_special(req->op.rename.olddn)) {
942 return ldb_next_request(module, req);
943 }
944
945 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n",
946 ldb_dn_get_linearized(olddn));
947
948 if (ldb_dn_compare(olddn, newdn) != 0) {
949 struct ldb_dn *nc_root;
950
951 ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
952 if (ret != LDB_SUCCESS) {
953 return ldb_oom(ldb);
954 }
955
956 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
957 newdn, true);
958 if (ret != LDB_SUCCESS) {
959 return ldb_operr(ldb);
960 }
961 }
962
963 return ldb_next_request(module, req);
964 }
965
966 static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
967 struct ldb_request *req)
968 {
969 struct descriptor_data *descriptor_private =
970 talloc_get_type_abort(ldb_module_get_private(module),
971 struct descriptor_data);
972 struct ldb_context *ldb = ldb_module_get_ctx(module);
973 struct dsdb_extended_sec_desc_propagation_op *op;
974 TALLOC_CTX *parent_mem = NULL;
975 struct descriptor_changes *parent_change = NULL;
976 struct descriptor_changes *c;
977 int ret;
978
979 op = talloc_get_type(req->op.extended.data,
980 struct dsdb_extended_sec_desc_propagation_op);
981 if (op == NULL) {
982 ldb_debug(ldb, LDB_DEBUG_FATAL,
983 "descriptor_extended_sec_desc_propagation: "
984 "invalid extended data\n");
985 return LDB_ERR_PROTOCOL_ERROR;
986 }
987
988 if (descriptor_private->trans_mem == NULL) {
989 return ldb_module_operr(module);
990 }
991
992 parent_mem = descriptor_private->trans_mem;
993
994 for (c = descriptor_private->changes; c; c = c->next) {
995 ret = ldb_dn_compare(c->nc_root, op->nc_root);
996 if (ret != 0) {
997 continue;
998 }
999
1000 ret = ldb_dn_compare(c->dn, op->dn);
1001 if (ret == 0) {
1002 if (op->include_self) {
1003 c->force_self = true;
1004 } else {
1005 c->force_children = true;
1006 }
1007 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1008 }
1009
1010 ret = ldb_dn_compare_base(c->dn, op->dn);
1011 if (ret != 0) {
1012 continue;
1013 }
1014
1015 parent_mem = c;
1016 parent_change = c;
1017 break;
1018 }
1019
1020 c = talloc_zero(parent_mem, struct descriptor_changes);
1021 if (c == NULL) {
1022 return ldb_module_oom(module);
1023 }
1024 c->nc_root = ldb_dn_copy(c, op->nc_root);
1025 if (c->nc_root == NULL) {
1026 return ldb_module_oom(module);
1027 }
1028 c->dn = ldb_dn_copy(c, op->dn);
1029 if (c->dn == NULL) {
1030 return ldb_module_oom(module);
1031 }
1032 if (op->include_self) {
1033 c->force_self = true;
1034 } else {
1035 c->force_children = true;
1036 }
1037
1038 if (parent_change != NULL) {
1039 DLIST_ADD_END(parent_change->children, c, NULL);
1040 } else {
1041 DLIST_ADD_END(descriptor_private->changes, c, NULL);
1042 }
1043
1044 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1045 }
1046
1047 static int descriptor_extended(struct ldb_module *module, struct ldb_request *req)
1048 {
1049 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID) == 0) {
1050 return descriptor_extended_sec_desc_propagation(module, req);
1051 }
1052
1053 return ldb_next_request(module, req);
1054 }
1055
1056 static int descriptor_init(struct ldb_module *module)
1057 {
1058 struct ldb_context *ldb = ldb_module_get_ctx(module);
1059 int ret;
1060 struct descriptor_data *descriptor_private;
1061
1062 ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
1063 if (ret != LDB_SUCCESS) {
1064 ldb_debug(ldb, LDB_DEBUG_ERROR,
1065 "descriptor: Unable to register control with rootdse!\n");
1066 return ldb_operr(ldb);
1067 }
1068
1069 descriptor_private = talloc_zero(module, struct descriptor_data);
1070 if (descriptor_private == NULL) {
1071 ldb_oom(ldb);
1072 return LDB_ERR_OPERATIONS_ERROR;
1073 }
1074 ldb_module_set_private(module, descriptor_private);
1075
1076 return ldb_next_init(module);
1077 }
1078
1079 static int descriptor_sd_propagation_object(struct ldb_module *module,
1080 struct ldb_message *msg,
1081 bool *stop)
1082 {
1083 struct ldb_context *ldb = ldb_module_get_ctx(module);
1084 struct ldb_request *sub_req;
1085 struct ldb_result *mod_res;
1086 struct ldb_control *sd_propagation_control;
1087 int ret;
1088
1089 *stop = false;
1090
1091 mod_res = talloc_zero(msg, struct ldb_result);
1092 if (mod_res == NULL) {
1093 return ldb_module_oom(module);
1094 }
1095
1096 ret = ldb_build_mod_req(&sub_req, ldb, mod_res,
1097 msg,
1098 NULL,
1099 mod_res,
1100 ldb_modify_default_callback,
1101 NULL);
1102 LDB_REQ_SET_LOCATION(sub_req);
1103 if (ret != LDB_SUCCESS) {
1104 return ldb_module_operr(module);
1105 }
1106
1107 ldb_req_mark_trusted(sub_req);
1108
1109 ret = ldb_request_add_control(sub_req,
1110 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID,
1111 true, module);
1112 if (ret != LDB_SUCCESS) {
1113 return ldb_module_operr(module);
1114 }
1115
1116 sd_propagation_control = ldb_request_get_control(sub_req,
1117 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
1118 if (sd_propagation_control == NULL) {
1119 return ldb_module_operr(module);
1120 }
1121
1122 ret = dsdb_request_add_controls(sub_req,
1123 DSDB_FLAG_AS_SYSTEM |
1124 DSDB_SEARCH_SHOW_RECYCLED);
1125 if (ret != LDB_SUCCESS) {
1126 return ldb_module_operr(module);
1127 }
1128
1129 ret = descriptor_modify(module, sub_req);
1130 if (ret == LDB_SUCCESS) {
1131 ret = ldb_wait(sub_req->handle, LDB_WAIT_ALL);
1132 }
1133 if (ret != LDB_SUCCESS) {
1134 return ldb_module_operr(module);
1135 }
1136
1137 if (sd_propagation_control->critical != 0) {
1138 *stop = true;
1139 }
1140
1141 talloc_free(mod_res);
1142
1143 return LDB_SUCCESS;
1144 }
1145
1146 static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
1147 struct ldb_message **m2)
1148 {
1149 struct ldb_dn *dn1 = (*m1)->dn;
1150 struct ldb_dn *dn2 = (*m2)->dn;
1151
1152 /*
1153 * This sorts in tree order, parents first
1154 */
1155 return ldb_dn_compare(dn2, dn1);
1156 }
1157
1158 static int descriptor_sd_propagation_dn_sort(struct ldb_dn *dn1,
1159 struct ldb_dn *dn2)
1160 {
1161 /*
1162 * This sorts in tree order, parents first
1163 */
1164 return ldb_dn_compare(dn2, dn1);
1165 }
1166
1167 static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1168 struct descriptor_changes *change)
1169 {
1170 struct ldb_context *ldb = ldb_module_get_ctx(module);
1171 struct ldb_result *res = NULL;
1172 unsigned int i;
1173 const char * const no_attrs[] = { "@__NONE__", NULL };
1174 struct descriptor_changes *c;
1175 struct descriptor_changes *stopped_stack = NULL;
1176 int ret;
1177
1178 /*
1179 * Note: that we do not search for deleted/recycled objects
1180 */
1181 ret = dsdb_module_search(module,
1182 change,
1183 &res,
1184 change->dn,
1185 LDB_SCOPE_SUBTREE,
1186 no_attrs,
1187 DSDB_FLAG_NEXT_MODULE |
1188 DSDB_FLAG_AS_SYSTEM,
1189 NULL, /* parent_req */
1190 "(objectClass=*)");
1191 if (ret != LDB_SUCCESS) {
1192 return ret;
1193 }
1194
1195 TYPESAFE_QSORT(res->msgs, res->count,
1196 descriptor_sd_propagation_msg_sort);
1197
1198 for (c = change->children; c; c = c->next) {
1199 struct ldb_message *msg = NULL;
1200
1201 BINARY_ARRAY_SEARCH_P(res->msgs, res->count, dn, c->dn,
1202 descriptor_sd_propagation_dn_sort,
1203 msg);
1204
1205 if (msg == NULL) {
1206 ldb_debug(ldb, LDB_DEBUG_WARNING,
1207 "descriptor_sd_propagation_recursive: "
1208 "%s not found under %s",
1209 ldb_dn_get_linearized(c->dn),
1210 ldb_dn_get_linearized(change->dn));
1211 continue;
1212 }
1213
1214 msg->elements = (struct ldb_message_element *)c;
1215 }
1216
1217 DLIST_ADD(stopped_stack, change);
1218
1219 if (change->force_self) {
1220 i = 0;
1221 } else {
1222 i = 1;
1223 }
1224
1225 for (; i < res->count; i++) {
1226 struct descriptor_changes *cur;
1227 bool stop = false;
1228
1229 cur = talloc_get_type(res->msgs[i]->elements,
1230 struct descriptor_changes);
1231 res->msgs[i]->elements = NULL;
1232 res->msgs[i]->num_elements = 0;
1233
1234 if (cur != NULL) {
1235 DLIST_REMOVE(change->children, cur);
1236 }
1237
1238 for (c = stopped_stack; c; c = stopped_stack) {
1239 ret = ldb_dn_compare_base(c->dn,
1240 res->msgs[i]->dn);
1241 if (ret == 0) {
1242 break;
1243 }
1244
1245 c->stopped_dn = NULL;
1246 DLIST_REMOVE(stopped_stack, c);
1247 }
1248
1249 if (cur != NULL) {
1250 DLIST_ADD(stopped_stack, cur);
1251 }
1252
1253 if (stopped_stack->stopped_dn != NULL) {
1254 ret = ldb_dn_compare_base(stopped_stack->stopped_dn,
1255 res->msgs[i]->dn);
1256 if (ret == 0) {
1257 continue;
1258 }
1259 stopped_stack->stopped_dn = NULL;
1260 }
1261
1262 ret = descriptor_sd_propagation_object(module, res->msgs[i],
1263 &stop);
1264 if (ret != LDB_SUCCESS) {
1265 return ret;
1266 }
1267
1268 if (cur != NULL && cur->force_children) {
1269 continue;
1270 }
1271
1272 if (stop) {
1273 stopped_stack->stopped_dn = res->msgs[i]->dn;
1274 continue;
1275 }
1276 }
1277
1278 TALLOC_FREE(res);
1279 return LDB_SUCCESS;
1280 }
1281
1282 static int descriptor_start_transaction(struct ldb_module *module)
1283 {
1284 struct descriptor_data *descriptor_private =
1285 talloc_get_type_abort(ldb_module_get_private(module),
1286 struct descriptor_data);
1287
1288 if (descriptor_private->trans_mem != NULL) {
1289 return ldb_module_operr(module);
1290 }
1291
1292 descriptor_private->trans_mem = talloc_new(descriptor_private);
1293 if (descriptor_private->trans_mem == NULL) {
1294 return ldb_module_oom(module);
1295 }
1296 descriptor_private->changes = NULL;
1297
1298 return ldb_next_start_trans(module);
1299 }
1300
1301 static int descriptor_prepare_commit(struct ldb_module *module)
1302 {
1303 struct descriptor_data *descriptor_private =
1304 talloc_get_type_abort(ldb_module_get_private(module),
1305 struct descriptor_data);
1306 struct descriptor_changes *c, *n;
1307 int ret;
1308
1309 for (c = descriptor_private->changes; c; c = n) {
1310 n = c->next;
1311 DLIST_REMOVE(descriptor_private->changes, c);
1312
1313 ret = descriptor_sd_propagation_recursive(module, c);
1314 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
1315 continue;
1316 }
1317 if (ret != LDB_SUCCESS) {
1318 return ret;
1319 }
1320 }
1321
1322 return ldb_next_prepare_commit(module);
1323 }
1324
1325 static int descriptor_end_transaction(struct ldb_module *module)
1326 {
1327 struct descriptor_data *descriptor_private =
1328 talloc_get_type_abort(ldb_module_get_private(module),
1329 struct descriptor_data);
1330
1331 TALLOC_FREE(descriptor_private->trans_mem);
1332 descriptor_private->changes = NULL;
1333
1334 return ldb_next_end_trans(module);
1335 }
1336
1337 static int descriptor_del_transaction(struct ldb_module *module)
1338 {
1339 struct descriptor_data *descriptor_private =
1340 talloc_get_type_abort(ldb_module_get_private(module),
1341 struct descriptor_data);
1342
1343 TALLOC_FREE(descriptor_private->trans_mem);
1344 descriptor_private->changes = NULL;
1345
1346 return ldb_next_del_trans(module);
1347 }
1348
1349 static const struct ldb_module_ops ldb_descriptor_module_ops = {
1350 .name = "descriptor",
1351 .search = descriptor_search,
1352 .add = descriptor_add,
1353 .modify = descriptor_modify,
1354 .rename = descriptor_rename,
1355 .init_context = descriptor_init,
1356 .extended = descriptor_extended,
1357 .start_transaction = descriptor_start_transaction,
1358 .prepare_commit = descriptor_prepare_commit,
1359 .end_transaction = descriptor_end_transaction,
1360 .del_transaction = descriptor_del_transaction,
1361 };
1362
1363 int ldb_descriptor_module_init(const char *version)
1364 {
1365 LDB_MODULE_CHECK_VERSION(version);
1366 return ldb_register_module(&ldb_descriptor_module_ops);
1367 }
reg import