search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:registry: do not use regdb functions during db upgrade
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / descriptor.c
blob409d08dea976bf848139fdedd45b85c53e3d549e
1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
6 Copyright (C) Nadezhda Ivanova 2009
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /*
23 * Name: ldb
24 *
25 * Component: DS Security descriptor module
26 *
27 * Description:
28 * - Calculate the security descriptor of a newly created object
29 * - Perform sd recalculation on a move operation
30 * - Handle sd modification invariants
31 *
32 * Author: Nadezhda Ivanova
33 */
34
35 #include "includes.h"
36 #include <ldb_module.h>
37 #include "util/dlinklist.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/ndr/libndr.h"
40 #include "librpc/gen_ndr/ndr_security.h"
41 #include "libcli/security/security.h"
42 #include "dsdb/samdb/ldb_modules/schema.h"
43 #include "auth/auth.h"
44 #include "param/param.h"
45 #include "dsdb/samdb/ldb_modules/util.h"
46
47 struct descriptor_data {
48 int _dummy;
49 };
50
51 struct descriptor_context {
52 struct ldb_module *module;
53 struct ldb_request *req;
54 struct ldb_message *msg;
55 struct ldb_reply *search_res;
56 struct ldb_reply *search_oc_res;
57 struct ldb_val *parentsd_val;
58 struct ldb_message_element *sd_element;
59 struct ldb_val *sd_val;
60 int (*step_fn)(struct descriptor_context *);
61 };
62
63 static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx,
64 struct ldb_dn *dn,
65 struct security_token *token,
66 struct ldb_context *ldb)
67 {
68 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
69 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
70 struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
71 struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
72 struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
73 struct dom_sid *dag_sid;
74 struct ldb_dn *nc_root;
75 int ret;
76
77 ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root);
78 if (ret != LDB_SUCCESS) {
79 talloc_free(tmp_ctx);
80 return NULL;
81 }
82
83 if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
84 if (security_token_has_sid(token, sa_sid)) {
85 dag_sid = dom_sid_dup(mem_ctx, sa_sid);
86 } else if (security_token_has_sid(token, ea_sid)) {
87 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
88 } else if (security_token_has_sid(token, da_sid)) {
89 dag_sid = dom_sid_dup(mem_ctx, da_sid);
90 } else {
91 dag_sid = NULL;
92 }
93 } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
94 if (security_token_has_sid(token, ea_sid)) {
95 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
96 } else if (security_token_has_sid(token, da_sid)) {
97 dag_sid = dom_sid_dup(mem_ctx, da_sid);
98 } else {
99 dag_sid = NULL;
100 }
101 } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
102 if (security_token_has_sid(token, da_sid)) {
103 dag_sid = dom_sid_dup(mem_ctx, da_sid);
104 } else if (security_token_has_sid(token, ea_sid)) {
105 dag_sid = dom_sid_dup(mem_ctx, ea_sid);
106 } else {
107 dag_sid = NULL;
108 }
109 } else {
110 dag_sid = NULL;
111 }
112
113 talloc_free(tmp_ctx);
114 return dag_sid;
115 }
116
117 static struct security_descriptor *get_sd_unpacked(struct ldb_module *module, TALLOC_CTX *mem_ctx,
118 const struct dsdb_class *objectclass)
119 {
120 struct ldb_context *ldb = ldb_module_get_ctx(module);
121 struct security_descriptor *sd;
122 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
123
124 if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
125 return NULL;
126 }
127
128 sd = sddl_decode(mem_ctx,
129 objectclass->defaultSecurityDescriptor,
130 domain_sid);
131 return sd;
132 }
133
134 static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
135 struct ldb_context *ldb,
136 struct dom_sid *dag)
137 {
138 if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
139 return dag;
140 }
141
142 return NULL;
143 }
144
145 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
146 struct security_descriptor *new_sd,
147 struct security_descriptor *old_sd,
148 uint32_t sd_flags)
149 {
150 struct security_descriptor *final_sd;
151 /* if there is no control or control == 0 modify everything */
152 if (!sd_flags) {
153 return new_sd;
154 }
155
156 final_sd = talloc_zero(mem_ctx, struct security_descriptor);
157 final_sd->revision = SECURITY_DESCRIPTOR_REVISION_1;
158 final_sd->type = SEC_DESC_SELF_RELATIVE;
159
160 if (sd_flags & (SECINFO_OWNER)) {
161 final_sd->owner_sid = talloc_memdup(mem_ctx, new_sd->owner_sid, sizeof(struct dom_sid));
162 final_sd->type |= new_sd->type & SEC_DESC_OWNER_DEFAULTED;
163 }
164 else if (old_sd) {
165 final_sd->owner_sid = talloc_memdup(mem_ctx, old_sd->owner_sid, sizeof(struct dom_sid));
166 final_sd->type |= old_sd->type & SEC_DESC_OWNER_DEFAULTED;
167 }
168
169 if (sd_flags & (SECINFO_GROUP)) {
170 final_sd->group_sid = talloc_memdup(mem_ctx, new_sd->group_sid, sizeof(struct dom_sid));
171 final_sd->type |= new_sd->type & SEC_DESC_GROUP_DEFAULTED;
172 }
173 else if (old_sd) {
174 final_sd->group_sid = talloc_memdup(mem_ctx, old_sd->group_sid, sizeof(struct dom_sid));
175 final_sd->type |= old_sd->type & SEC_DESC_GROUP_DEFAULTED;
176 }
177
178 if (sd_flags & (SECINFO_SACL)) {
179 final_sd->sacl = security_acl_dup(mem_ctx,new_sd->sacl);
180 final_sd->type |= new_sd->type & (SEC_DESC_SACL_PRESENT |
181 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
182 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
183 SEC_DESC_SERVER_SECURITY);
184 }
185 else if (old_sd && old_sd->sacl) {
186 final_sd->sacl = security_acl_dup(mem_ctx,old_sd->sacl);
187 final_sd->type |= old_sd->type & (SEC_DESC_SACL_PRESENT |
188 SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
189 SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
190 SEC_DESC_SERVER_SECURITY);
191 }
192
193 if (sd_flags & (SECINFO_DACL)) {
194 final_sd->dacl = security_acl_dup(mem_ctx,new_sd->dacl);
195 final_sd->type |= new_sd->type & (SEC_DESC_DACL_PRESENT |
196 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
197 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
198 SEC_DESC_DACL_TRUSTED);
199 }
200 else if (old_sd && old_sd->dacl) {
201 final_sd->dacl = security_acl_dup(mem_ctx,old_sd->dacl);
202 final_sd->type |= old_sd->type & (SEC_DESC_DACL_PRESENT |
203 SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
204 SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
205 SEC_DESC_DACL_TRUSTED);
206 }
207 /* not so sure about this */
208 final_sd->type |= new_sd->type & SEC_DESC_RM_CONTROL_VALID;
209 return final_sd;
210 }
211
212 static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
213 struct ldb_dn *dn,
214 TALLOC_CTX *mem_ctx,
215 const struct dsdb_class *objectclass,
216 const struct ldb_val *parent,
217 const struct ldb_val *object,
218 const struct ldb_val *old_sd,
219 uint32_t sd_flags)
220 {
221 struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
222 struct security_descriptor *old_descriptor = NULL;
223 struct security_descriptor *new_sd, *final_sd;
224 DATA_BLOB *linear_sd;
225 enum ndr_err_code ndr_err;
226 struct ldb_context *ldb = ldb_module_get_ctx(module);
227 struct auth_session_info *session_info
228 = ldb_get_opaque(ldb, "sessionInfo");
229 const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
230 char *sddl_sd;
231 struct dom_sid *default_owner;
232 struct dom_sid *default_group;
233
234 if (object) {
235 user_descriptor = talloc(mem_ctx, struct security_descriptor);
236 if (!user_descriptor) {
237 return NULL;
238 }
239 ndr_err = ndr_pull_struct_blob(object, user_descriptor,
240 user_descriptor,
241 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
242
243 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
244 talloc_free(user_descriptor);
245 return NULL;
246 }
247 } else {
248 user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
249 }
250
251 if (old_sd) {
252 old_descriptor = talloc(mem_ctx, struct security_descriptor);
253 if (!old_descriptor) {
254 return NULL;
255 }
256 ndr_err = ndr_pull_struct_blob(old_sd, old_descriptor,
257 old_descriptor,
258 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
259
260 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
261 talloc_free(old_descriptor);
262 return NULL;
263 }
264 }
265
266 if (parent) {
267 parent_descriptor = talloc(mem_ctx, struct security_descriptor);
268 if (!parent_descriptor) {
269 return NULL;
270 }
271 ndr_err = ndr_pull_struct_blob(parent, parent_descriptor,
272 parent_descriptor,
273 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
274
275 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
276 talloc_free(parent_descriptor);
277 return NULL;
278 }
279 }
280
281 default_owner = get_default_ag(mem_ctx, dn,
282 session_info->security_token, ldb);
283 default_group = get_default_group(mem_ctx, ldb, default_owner);
284 new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
285 NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
286 session_info->security_token,
287 default_owner, default_group,
288 map_generic_rights_ds);
289 if (!new_sd) {
290 return NULL;
291 }
292 final_sd = descr_handle_sd_flags(mem_ctx, new_sd, old_descriptor, sd_flags);
293
294 if (!final_sd) {
295 return NULL;
296 }
297
298 if (final_sd->dacl) {
299 final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
300 }
301 if (final_sd->sacl) {
302 final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
303 }
304
305 sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
306 DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
307
308 linear_sd = talloc(mem_ctx, DATA_BLOB);
309 if (!linear_sd) {
310 return NULL;
311 }
312
313 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
314 final_sd,
315 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
316 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
317 return NULL;
318 }
319
320 return linear_sd;
321 }
322
323 static DATA_BLOB *descr_get_descriptor_to_show(struct ldb_module *module,
324 TALLOC_CTX *mem_ctx,
325 struct ldb_val *sd,
326 uint32_t sd_flags)
327 {
328 struct security_descriptor *old_sd, *final_sd;
329 DATA_BLOB *linear_sd;
330 enum ndr_err_code ndr_err;
331
332 old_sd = talloc(mem_ctx, struct security_descriptor);
333 if (!old_sd) {
334 return NULL;
335 }
336 ndr_err = ndr_pull_struct_blob(sd, old_sd,
337 old_sd,
338 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
339
340 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
341 talloc_free(old_sd);
342 return NULL;
343 }
344
345 final_sd = descr_handle_sd_flags(mem_ctx, old_sd, NULL, sd_flags);
346
347 if (!final_sd) {
348 return NULL;
349 }
350
351 linear_sd = talloc(mem_ctx, DATA_BLOB);
352 if (!linear_sd) {
353 return NULL;
354 }
355
356 ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
357 final_sd,
358 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
359 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
360 return NULL;
361 }
362
363 return linear_sd;
364 }
365
366 static struct descriptor_context *descriptor_init_context(struct ldb_module *module,
367 struct ldb_request *req)
368 {
369 struct ldb_context *ldb;
370 struct descriptor_context *ac;
371
372 ldb = ldb_module_get_ctx(module);
373
374 ac = talloc_zero(req, struct descriptor_context);
375 if (ac == NULL) {
376 ldb_set_errstring(ldb, "Out of Memory");
377 return NULL;
378 }
379
380 ac->module = module;
381 ac->req = req;
382 return ac;
383 }
384
385 static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
386 {
387 struct descriptor_context *ac;
388 struct ldb_control *sd_control;
389 struct ldb_val *sd_val = NULL;
390 struct ldb_message_element *sd_el;
391 DATA_BLOB *show_sd;
392 int ret;
393 uint32_t sd_flags = 0;
394
395 ac = talloc_get_type(req->context, struct descriptor_context);
396
397 if (!ares) {
398 ret = LDB_ERR_OPERATIONS_ERROR;
399 goto fail;
400 }
401 if (ares->error != LDB_SUCCESS) {
402 return ldb_module_done(ac->req, ares->controls,
403 ares->response, ares->error);
404 }
405
406 sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
407 if (sd_control) {
408 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
409 sd_flags = sdctr->secinfo_flags;
410 /* we only care for the last 4 bits */
411 sd_flags = sd_flags & 0x0000000F;
412 if (sd_flags == 0) {
413 /* MS-ADTS 3.1.1.3.4.1.11 says that no bits
414 equals all 4 bits */
415 sd_flags = 0xF;
416 }
417 }
418
419 switch (ares->type) {
420 case LDB_REPLY_ENTRY:
421 if (sd_flags != 0) {
422 sd_el = ldb_msg_find_element(ares->message, "nTSecurityDescriptor");
423 if (sd_el) {
424 sd_val = sd_el->values;
425 }
426 }
427 if (sd_val) {
428 show_sd = descr_get_descriptor_to_show(ac->module, ac->req,
429 sd_val, sd_flags);
430 if (!show_sd) {
431 ret = LDB_ERR_OPERATIONS_ERROR;
432 goto fail;
433 }
434 ldb_msg_remove_attr(ares->message, "nTSecurityDescriptor");
435 ret = ldb_msg_add_steal_value(ares->message, "nTSecurityDescriptor", show_sd);
436 if (ret != LDB_SUCCESS) {
437 goto fail;
438 }
439 }
440 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
441
442 case LDB_REPLY_REFERRAL:
443 return ldb_module_send_referral(ac->req, ares->referral);
444
445 case LDB_REPLY_DONE:
446 return ldb_module_done(ac->req, ares->controls,
447 ares->response, ares->error);
448 }
449
450 fail:
451 talloc_free(ares);
452 return ldb_module_done(ac->req, NULL, NULL, ret);
453 }
454
455 static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
456 {
457 struct ldb_context *ldb;
458 struct ldb_request *add_req;
459 struct ldb_message *msg;
460 struct ldb_result *parent_res;
461 const struct ldb_val *parent_sd = NULL;
462 const struct ldb_val *user_sd;
463 struct ldb_dn *parent_dn, *dn, *nc_root;
464 struct ldb_message_element *objectclass_element, *sd_element;
465 int ret;
466 const struct dsdb_schema *schema;
467 DATA_BLOB *sd;
468 const struct dsdb_class *objectclass;
469 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
470 uint32_t instanceType;
471 bool isNC = false;
472
473 ldb = ldb_module_get_ctx(module);
474 dn = req->op.add.message->dn;
475 user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
476 sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
477 /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
478 if (user_sd == NULL && sd_element) {
479 return ldb_next_request(module, req);
480 }
481
482 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
483
484 /* do not manipulate our control entries */
485 if (ldb_dn_is_special(dn)) {
486 return ldb_next_request(module, req);
487 }
488
489 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message, "instanceType", 0);
490
491 if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
492 isNC = true;
493 }
494
495 if (!isNC) {
496 ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
497 if (ret != LDB_SUCCESS) {
498 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
499 ldb_dn_get_linearized(dn));
500 return ret;
501 }
502
503 if (ldb_dn_compare(dn, nc_root) == 0) {
504 DEBUG(0, ("Found DN %s being a NC by the old method\n", ldb_dn_get_linearized(dn)));
505 isNC = true;
506 }
507 }
508
509 if (isNC) {
510 DEBUG(2, ("DN: %s is a NC\n", ldb_dn_get_linearized(dn)));
511 }
512 if (!isNC) {
513 /* if the object has a parent, retrieve its SD to
514 * use for calculation. Unfortunately we do not yet have
515 * instanceType, so we use dsdb_find_nc_root. */
516
517 parent_dn = ldb_dn_get_parent(req, dn);
518 if (parent_dn == NULL) {
519 return ldb_oom(ldb);
520 }
521
522 /* we aren't any NC */
523 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
524 parent_attrs,
525 DSDB_FLAG_NEXT_MODULE,
526 req);
527 if (ret != LDB_SUCCESS) {
528 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
529 ldb_dn_get_linearized(parent_dn));
530 return ret;
531 }
532 if (parent_res->count != 1) {
533 return ldb_operr(ldb);
534 }
535 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
536 }
537
538 schema = dsdb_get_schema(ldb, req);
539
540 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
541 if (objectclass_element == NULL) {
542 return ldb_operr(ldb);
543 }
544
545 objectclass = get_last_structural_class(schema, objectclass_element, req);
546 if (objectclass == NULL) {
547 return ldb_operr(ldb);
548 }
549
550 sd = get_new_descriptor(module, dn, req,
551 objectclass, parent_sd,
552 user_sd, NULL, 0);
553 msg = ldb_msg_copy_shallow(req, req->op.add.message);
554 if (sd != NULL) {
555 if (sd_element != NULL) {
556 sd_element->values[0] = *sd;
557 } else {
558 ret = ldb_msg_add_steal_value(msg,
559 "nTSecurityDescriptor",
560 sd);
561 if (ret != LDB_SUCCESS) {
562 return ret;
563 }
564 }
565 }
566
567 ret = ldb_build_add_req(&add_req, ldb, req,
568 msg,
569 req->controls,
570 req, dsdb_next_callback,
571 req);
572 LDB_REQ_SET_LOCATION(add_req);
573 if (ret != LDB_SUCCESS) {
574 return ldb_error(ldb, ret,
575 "descriptor_add: Error creating new add request.");
576 }
577
578 return ldb_next_request(module, add_req);
579 }
580
581 static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
582 {
583 struct ldb_context *ldb;
584 struct ldb_control *sd_recalculate_control, *sd_flags_control;
585 struct ldb_request *mod_req;
586 struct ldb_message *msg;
587 struct ldb_result *current_res, *parent_res;
588 const struct ldb_val *old_sd = NULL;
589 const struct ldb_val *parent_sd = NULL;
590 const struct ldb_val *user_sd;
591 struct ldb_dn *parent_dn, *dn;
592 struct ldb_message_element *objectclass_element;
593 int ret;
594 uint32_t instanceType, sd_flags = 0;
595 const struct dsdb_schema *schema;
596 DATA_BLOB *sd;
597 const struct dsdb_class *objectclass;
598 static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
599 static const char * const current_attrs[] = { "nTSecurityDescriptor",
600 "instanceType",
601 "objectClass", NULL };
602 ldb = ldb_module_get_ctx(module);
603 dn = req->op.mod.message->dn;
604 user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
605 /* This control forces the recalculation of the SD also when
606 * no modification is performed. */
607 sd_recalculate_control = ldb_request_get_control(req,
608 LDB_CONTROL_RECALCULATE_SD_OID);
609 if (!user_sd && !sd_recalculate_control) {
610 return ldb_next_request(module, req);
611 }
612
613 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
614
615 /* do not manipulate our control entries */
616 if (ldb_dn_is_special(dn)) {
617 return ldb_next_request(module, req);
618 }
619
620 ret = dsdb_module_search_dn(module, req, &current_res, dn,
621 current_attrs,
622 DSDB_FLAG_NEXT_MODULE,
623 req);
624 if (ret != LDB_SUCCESS) {
625 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
626 ldb_dn_get_linearized(dn));
627 return ret;
628 }
629
630 instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
631 "instanceType", 0);
632 /* if the object has a parent, retrieve its SD to
633 * use for calculation */
634 if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
635 !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
636 parent_dn = ldb_dn_get_parent(req, dn);
637 if (parent_dn == NULL) {
638 return ldb_oom(ldb);
639 }
640 ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
641 parent_attrs,
642 DSDB_FLAG_NEXT_MODULE,
643 req);
644 if (ret != LDB_SUCCESS) {
645 ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
646 ldb_dn_get_linearized(parent_dn));
647 return ret;
648 }
649 if (parent_res->count != 1) {
650 return ldb_operr(ldb);
651 }
652 parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
653 }
654 sd_flags_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
655
656 schema = dsdb_get_schema(ldb, req);
657
658 objectclass_element = ldb_msg_find_element(current_res->msgs[0], "objectClass");
659 if (objectclass_element == NULL) {
660 return ldb_operr(ldb);
661 }
662
663 objectclass = get_last_structural_class(schema, objectclass_element, req);
664 if (objectclass == NULL) {
665 return ldb_operr(ldb);
666 }
667
668 if (sd_flags_control) {
669 struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_flags_control->data;
670 sd_flags = sdctr->secinfo_flags;
671 /* we only care for the last 4 bits */
672 sd_flags = sd_flags & 0x0000000F;
673 }
674 if (sd_flags != 0) {
675 old_sd = ldb_msg_find_ldb_val(current_res->msgs[0], "nTSecurityDescriptor");
676 }
677
678 sd = get_new_descriptor(module, dn, req,
679 objectclass, parent_sd,
680 user_sd, old_sd, sd_flags);
681 msg = ldb_msg_copy_shallow(req, req->op.mod.message);
682 if (sd != NULL) {
683 struct ldb_message_element *sd_element;
684 if (user_sd != NULL) {
685 sd_element = ldb_msg_find_element(msg,
686 "nTSecurityDescriptor");
687 sd_element->values[0] = *sd;
688 } else if (sd_recalculate_control != NULL) {
689 /* In this branch we really do force the recalculation
690 * of the SD */
691 ldb_msg_remove_attr(msg, "nTSecurityDescriptor");
692
693 ret = ldb_msg_add_steal_value(msg,
694 "nTSecurityDescriptor",
695 sd);
696 if (ret != LDB_SUCCESS) {
697 return ldb_error(ldb, ret,
698 "descriptor_modify: Could not replace SD value in message.");
699 }
700 sd_element = ldb_msg_find_element(msg,
701 "nTSecurityDescriptor");
702 sd_element->flags = LDB_FLAG_MOD_REPLACE;
703 }
704 }
705
706 /* mark the controls as non-critical since we've handled them */
707 if (sd_flags_control != NULL) {
708 sd_flags_control->critical = 0;
709 }
710 if (sd_recalculate_control != NULL) {
711 sd_recalculate_control->critical = 0;
712 }
713
714 ret = ldb_build_mod_req(&mod_req, ldb, req,
715 msg,
716 req->controls,
717 req,
718 dsdb_next_callback,
719 req);
720 LDB_REQ_SET_LOCATION(mod_req);
721 if (ret != LDB_SUCCESS) {
722 return ret;
723 }
724
725 return ldb_next_request(module, mod_req);
726 }
727
728 static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
729 {
730 int ret;
731 struct ldb_context *ldb;
732 struct ldb_control *sd_control;
733 struct ldb_request *down_req;
734 struct descriptor_context *ac;
735
736 sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
737 if (!sd_control) {
738 return ldb_next_request(module, req);
739 }
740
741 ldb = ldb_module_get_ctx(module);
742 ac = descriptor_init_context(module, req);
743 if (ac == NULL) {
744 return ldb_operr(ldb);
745 }
746
747 ret = ldb_build_search_req_ex(&down_req, ldb, ac,
748 req->op.search.base,
749 req->op.search.scope,
750 req->op.search.tree,
751 req->op.search.attrs,
752 req->controls,
753 ac, descriptor_search_callback,
754 ac->req);
755 LDB_REQ_SET_LOCATION(down_req);
756 if (ret != LDB_SUCCESS) {
757 return ret;
758 }
759 /* mark it as handled */
760 if (sd_control) {
761 sd_control->critical = 0;
762 }
763
764 return ldb_next_request(ac->module, down_req);
765 }
766 /* TODO */
767 static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
768 {
769 struct ldb_context *ldb = ldb_module_get_ctx(module);
770 ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn));
771
772 /* do not manipulate our control entries */
773 if (ldb_dn_is_special(req->op.rename.olddn)) {
774 return ldb_next_request(module, req);
775 }
776
777 return ldb_next_request(module, req);
778 }
779
780 static int descriptor_init(struct ldb_module *module)
781 {
782 int ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
783 struct ldb_context *ldb = ldb_module_get_ctx(module);
784 if (ret != LDB_SUCCESS) {
785 ldb_debug(ldb, LDB_DEBUG_ERROR,
786 "descriptor: Unable to register control with rootdse!\n");
787 return ldb_operr(ldb);
788 }
789 return ldb_next_init(module);
790 }
791
792
793 static const struct ldb_module_ops ldb_descriptor_module_ops = {
794 .name = "descriptor",
795 .search = descriptor_search,
796 .add = descriptor_add,
797 .modify = descriptor_modify,
798 .rename = descriptor_rename,
799 .init_context = descriptor_init
800 };
801
802 int ldb_descriptor_module_init(const char *version)
803 {
804 LDB_MODULE_CHECK_VERSION(version);
805 return ldb_register_module(&ldb_descriptor_module_ops);
806 }
reg import