4 Copyright (C) Simo Sorce 2005-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2007-2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb extended dn control module
26 * Description: this module builds a special dn for returned search
27 * results nad creates the special DN in the backend store for new
30 * This also has the curious result that we convert <SID=S-1-2-345>
31 * in an attribute value into a normal DN for the rest of the stack
40 #include <ldb_errors.h>
41 #include <ldb_module.h>
42 #include "librpc/gen_ndr/ndr_misc.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "libcli/security/security.h"
45 #include "dsdb/samdb/ldb_modules/util.h"
48 struct extended_dn_replace_list
{
49 struct extended_dn_replace_list
*next
;
50 struct dsdb_dn
*dsdb_dn
;
52 struct ldb_val
*replace_dn
;
53 struct extended_dn_context
*ac
;
54 struct ldb_request
*search_req
;
58 struct extended_dn_context
{
59 const struct dsdb_schema
*schema
;
60 struct ldb_module
*module
;
61 struct ldb_context
*ldb
;
62 struct ldb_request
*req
;
63 struct ldb_request
*new_req
;
65 struct extended_dn_replace_list
*ops
;
66 struct extended_dn_replace_list
*cur
;
70 static struct extended_dn_context
*extended_dn_context_init(struct ldb_module
*module
,
71 struct ldb_request
*req
)
73 struct extended_dn_context
*ac
;
74 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
75 ac
= talloc_zero(req
, struct extended_dn_context
);
81 ac
->schema
= dsdb_get_schema(ldb_module_get_ctx(module
), ac
);
89 /* An extra layer of indirection because LDB does not allow the original request to be altered */
91 static int extended_final_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
93 int ret
= LDB_ERR_OPERATIONS_ERROR
;
94 struct extended_dn_context
*ac
;
95 ac
= talloc_get_type(req
->context
, struct extended_dn_context
);
97 if (ares
->error
!= LDB_SUCCESS
) {
98 ret
= ldb_module_done(ac
->req
, ares
->controls
,
99 ares
->response
, ares
->error
);
101 switch (ares
->type
) {
102 case LDB_REPLY_ENTRY
:
104 ret
= ldb_module_send_entry(ac
->req
, ares
->message
, ares
->controls
);
106 case LDB_REPLY_REFERRAL
:
108 ret
= ldb_module_send_referral(ac
->req
, ares
->referral
);
112 ret
= ldb_module_done(ac
->req
, ares
->controls
,
113 ares
->response
, ares
->error
);
120 static int extended_replace_dn(struct ldb_request
*req
, struct ldb_reply
*ares
)
122 struct extended_dn_replace_list
*os
= talloc_get_type(req
->context
,
123 struct extended_dn_replace_list
);
126 return ldb_module_done(os
->ac
->req
, NULL
, NULL
,
127 LDB_ERR_OPERATIONS_ERROR
);
129 if (ares
->error
== LDB_ERR_NO_SUCH_OBJECT
) {
130 /* Don't worry too much about dangling references */
132 ldb_reset_err_string(os
->ac
->ldb
);
134 struct extended_dn_replace_list
*next
;
141 return ldb_next_request(os
->ac
->module
, next
->search_req
);
143 /* Otherwise, we are done - let's run the
144 * request now we have swapped the DNs for the
146 return ldb_next_request(os
->ac
->module
, os
->ac
->req
);
149 if (ares
->error
!= LDB_SUCCESS
) {
150 return ldb_module_done(os
->ac
->req
, ares
->controls
,
151 ares
->response
, ares
->error
);
154 /* Only entries are interesting, and we only want the olddn */
155 switch (ares
->type
) {
156 case LDB_REPLY_ENTRY
:
158 /* This *must* be the right DN, as this is a base
159 * search. We can't check, as it could be an extended
160 * DN, so a module below will resolve it */
161 struct ldb_dn
*dn
= ares
->message
->dn
;
163 /* Rebuild with the string or binary 'extra part' the
164 * DN may have had as a prefix */
165 struct dsdb_dn
*dsdb_dn
= dsdb_dn_construct(ares
, dn
,
166 os
->dsdb_dn
->extra_part
,
169 /* Replace the DN with the extended version of the DN
170 * (ie, add SID and GUID) */
171 *os
->replace_dn
= data_blob_string_const(
172 dsdb_dn_get_extended_linearized(os
->mem_ctx
,
174 talloc_free(dsdb_dn
);
176 if (os
->replace_dn
->data
== NULL
) {
177 return ldb_module_done(os
->ac
->req
, NULL
, NULL
,
178 LDB_ERR_OPERATIONS_ERROR
);
182 case LDB_REPLY_REFERRAL
:
190 /* Run the next search */
193 struct extended_dn_replace_list
*next
;
200 return ldb_next_request(os
->ac
->module
, next
->search_req
);
202 /* Otherwise, we are done - let's run the
203 * request now we have swapped the DNs for the
205 return ldb_next_request(os
->ac
->module
, os
->ac
->new_req
);
213 /* We have a 'normal' DN in the inbound request. We need to find out
214 * what the GUID and SID are on the DN it points to, so we can
215 * construct an extended DN for storage.
217 * This creates a list of DNs to look up, and the plain DN to replace
220 static int extended_store_replace(struct extended_dn_context
*ac
,
221 TALLOC_CTX
*callback_mem_ctx
,
222 struct ldb_val
*plain_dn
,
227 struct extended_dn_replace_list
*os
;
228 static const char *attrs
[] = {
234 os
= talloc_zero(ac
, struct extended_dn_replace_list
);
236 return ldb_oom(ac
->ldb
);
241 os
->mem_ctx
= callback_mem_ctx
;
243 os
->dsdb_dn
= dsdb_dn_parse(os
, ac
->ldb
, plain_dn
, oid
);
244 if (!os
->dsdb_dn
|| !ldb_dn_validate(os
->dsdb_dn
->dn
)) {
246 ldb_asprintf_errstring(ac
->ldb
,
247 "could not parse %.*s as a %s DN", (int)plain_dn
->length
, plain_dn
->data
,
249 return LDB_ERR_INVALID_DN_SYNTAX
;
252 if (is_delete
&& !ldb_dn_has_extended(os
->dsdb_dn
->dn
)) {
253 /* NO need to figure this DN out, this element is
254 * going to be deleted anyway, and becuase it's not
255 * extended, we have enough information to do the
262 os
->replace_dn
= plain_dn
;
264 /* The search request here might happen to be for an
265 * 'extended' style DN, such as <GUID=abced...>. The next
266 * module in the stack will convert this into a normal DN for
268 ret
= ldb_build_search_req(&os
->search_req
,
269 ac
->ldb
, os
, os
->dsdb_dn
->dn
, LDB_SCOPE_BASE
, NULL
,
270 attrs
, NULL
, os
, extended_replace_dn
,
272 LDB_REQ_SET_LOCATION(os
->search_req
);
273 if (ret
!= LDB_SUCCESS
) {
278 ret
= dsdb_request_add_controls(os
->search_req
,
279 DSDB_SEARCH_SHOW_RECYCLED
|DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT
);
280 if (ret
!= LDB_SUCCESS
) {
297 static int extended_dn_add(struct ldb_module
*module
, struct ldb_request
*req
)
299 struct extended_dn_context
*ac
;
303 if (ldb_dn_is_special(req
->op
.add
.message
->dn
)) {
304 /* do not manipulate our control entries */
305 return ldb_next_request(module
, req
);
308 ac
= extended_dn_context_init(module
, req
);
310 return ldb_operr(ldb_module_get_ctx(module
));
314 /* without schema, this doesn't make any sense */
316 return ldb_next_request(module
, req
);
319 for (i
=0; i
< req
->op
.add
.message
->num_elements
; i
++) {
320 const struct ldb_message_element
*el
= &req
->op
.add
.message
->elements
[i
];
321 const struct dsdb_attribute
*schema_attr
322 = dsdb_attribute_by_lDAPDisplayName(ac
->schema
, el
->name
);
327 /* We only setup an extended DN GUID on DN elements */
328 if (schema_attr
->dn_format
== DSDB_INVALID_DN
) {
332 /* Before we setup a procedure to modify the incoming message, we must copy it */
334 struct ldb_message
*msg
= ldb_msg_copy(ac
, req
->op
.add
.message
);
336 return ldb_oom(ldb_module_get_ctx(module
));
339 ret
= ldb_build_add_req(&ac
->new_req
, ac
->ldb
, ac
, msg
, req
->controls
, ac
, extended_final_callback
, req
);
340 LDB_REQ_SET_LOCATION(ac
->new_req
);
341 if (ret
!= LDB_SUCCESS
) {
345 /* Re-calculate el */
346 el
= &ac
->new_req
->op
.add
.message
->elements
[i
];
347 for (j
= 0; j
< el
->num_values
; j
++) {
348 ret
= extended_store_replace(ac
, ac
->new_req
, &el
->values
[j
],
349 false, schema_attr
->syntax
->ldap_oid
);
350 if (ret
!= LDB_SUCCESS
) {
356 /* if no DNs were set continue */
357 if (ac
->ops
== NULL
) {
359 return ldb_next_request(module
, req
);
362 /* start with the searches */
363 return ldb_next_request(module
, ac
->ops
->search_req
);
367 static int extended_dn_modify(struct ldb_module
*module
, struct ldb_request
*req
)
369 /* Look over list of modifications */
370 /* Find if any are for linked attributes */
371 /* Determine the effect of the modification */
372 /* Apply the modify to the linked entry */
375 struct extended_dn_context
*ac
;
378 if (ldb_dn_is_special(req
->op
.mod
.message
->dn
)) {
379 /* do not manipulate our control entries */
380 return ldb_next_request(module
, req
);
383 ac
= extended_dn_context_init(module
, req
);
385 return ldb_operr(ldb_module_get_ctx(module
));
390 /* without schema, this doesn't make any sense */
391 return ldb_next_request(module
, req
);
394 for (i
=0; i
< req
->op
.mod
.message
->num_elements
; i
++) {
395 const struct ldb_message_element
*el
= &req
->op
.mod
.message
->elements
[i
];
396 const struct dsdb_attribute
*schema_attr
397 = dsdb_attribute_by_lDAPDisplayName(ac
->schema
, el
->name
);
402 /* We only setup an extended DN GUID on these particular DN objects */
403 if (schema_attr
->dn_format
== DSDB_INVALID_DN
) {
407 /* Before we setup a procedure to modify the incoming message, we must copy it */
409 struct ldb_message
*msg
= ldb_msg_copy(ac
, req
->op
.mod
.message
);
412 return ldb_oom(ac
->ldb
);
415 ret
= ldb_build_mod_req(&ac
->new_req
, ac
->ldb
, ac
, msg
, req
->controls
, ac
, extended_final_callback
, req
);
416 LDB_REQ_SET_LOCATION(ac
->new_req
);
417 if (ret
!= LDB_SUCCESS
) {
422 /* Re-calculate el */
423 el
= &ac
->new_req
->op
.mod
.message
->elements
[i
];
424 /* For each value being added, we need to setup the lookups to fill in the extended DN */
425 for (j
= 0; j
< el
->num_values
; j
++) {
426 /* If we are just going to delete this
427 * element, only do a lookup if
428 * extended_store_replace determines it's an
429 * input of an extended DN */
430 bool is_delete
= (LDB_FLAG_MOD_TYPE(el
->flags
) == LDB_FLAG_MOD_DELETE
);
432 ret
= extended_store_replace(ac
, ac
->new_req
, &el
->values
[j
],
433 is_delete
, schema_attr
->syntax
->ldap_oid
);
434 if (ret
!= LDB_SUCCESS
) {
441 /* if DNs were set continue */
442 if (ac
->ops
== NULL
) {
444 return ldb_next_request(module
, req
);
447 /* start with the searches */
448 return ldb_next_request(module
, ac
->ops
->search_req
);
451 static const struct ldb_module_ops ldb_extended_dn_store_module_ops
= {
452 .name
= "extended_dn_store",
453 .add
= extended_dn_add
,
454 .modify
= extended_dn_modify
,
457 int ldb_extended_dn_store_module_init(const char *version
)
459 LDB_MODULE_CHECK_VERSION(version
);
460 return ldb_register_module(&ldb_extended_dn_store_module_ops
);