search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:registry: do not use regdb functions during db upgrade
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / rootdse.c
blob46dbb75b371828dac61ebe41929f5662fe55b8c4
1 /*
2 Unix SMB/CIFS implementation.
3
4 rootDSE ldb module
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
8 Copyright (C) Matthieu Patou <mat@matws.net> 2011
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <ldb.h>
26 #include <ldb_module.h>
27 #include "system/time.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "version.h"
30 #include "dsdb/samdb/ldb_modules/util.h"
31 #include "libcli/security/security.h"
32 #include "librpc/ndr/libndr.h"
33 #include "auth/auth.h"
34 #include "param/param.h"
35 #include "lib/messaging/irpc.h"
36 #include "librpc/gen_ndr/ndr_irpc_c.h"
37
38 struct private_data {
39 unsigned int num_controls;
40 char **controls;
41 unsigned int num_partitions;
42 struct ldb_dn **partitions;
43 bool block_anonymous;
44 };
45
46 /*
47 return 1 if a specific attribute has been requested
48 */
49 static int do_attribute(const char * const *attrs, const char *name)
50 {
51 return attrs == NULL ||
52 ldb_attr_in_list(attrs, name) ||
53 ldb_attr_in_list(attrs, "*");
54 }
55
56 static int do_attribute_explicit(const char * const *attrs, const char *name)
57 {
58 return attrs != NULL && ldb_attr_in_list(attrs, name);
59 }
60
61
62 /*
63 expand a DN attribute to include extended DN information if requested
64 */
65 static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *msg,
66 const char *attrname, struct ldb_control *edn_control,
67 struct ldb_request *req)
68 {
69 struct ldb_dn *dn, *dn2;
70 struct ldb_val *v;
71 int ret;
72 struct ldb_request *req2;
73 char *dn_string;
74 const char *no_attrs[] = { NULL };
75 struct ldb_result *res;
76 struct ldb_extended_dn_control *edn;
77 TALLOC_CTX *tmp_ctx = talloc_new(req);
78 struct ldb_context *ldb;
79 int edn_type = 0;
80 unsigned int i;
81 struct ldb_message_element *el;
82
83 ldb = ldb_module_get_ctx(module);
84
85 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
86 if (edn) {
87 edn_type = edn->type;
88 }
89
90 el = ldb_msg_find_element(msg, attrname);
91 if (!el || el->num_values == 0) {
92 return LDB_SUCCESS;
93 }
94
95 for (i = 0; i < el->num_values; i++) {
96 v = &el->values[i];
97 if (v == NULL) {
98 talloc_free(tmp_ctx);
99 return LDB_SUCCESS;
100 }
101
102 dn_string = talloc_strndup(tmp_ctx, (const char *)v->data, v->length);
103 if (dn_string == NULL) {
104 talloc_free(tmp_ctx);
105 return ldb_operr(ldb);
106 }
107
108 res = talloc_zero(tmp_ctx, struct ldb_result);
109 if (res == NULL) {
110 talloc_free(tmp_ctx);
111 return ldb_operr(ldb);
112 }
113
114 dn = ldb_dn_new(tmp_ctx, ldb, dn_string);
115 if (dn == NULL) {
116 talloc_free(tmp_ctx);
117 return ldb_operr(ldb);
118 }
119
120 ret = ldb_build_search_req(&req2, ldb, tmp_ctx,
121 dn,
122 LDB_SCOPE_BASE,
123 NULL,
124 no_attrs,
125 NULL,
126 res, ldb_search_default_callback,
127 req);
128 LDB_REQ_SET_LOCATION(req2);
129 if (ret != LDB_SUCCESS) {
130 talloc_free(tmp_ctx);
131 return ret;
132 }
133
134
135 ret = ldb_request_add_control(req2,
136 LDB_CONTROL_EXTENDED_DN_OID,
137 edn_control->critical, edn);
138 if (ret != LDB_SUCCESS) {
139 talloc_free(tmp_ctx);
140 return ldb_error(ldb, ret, "Failed to add control");
141 }
142
143 ret = ldb_next_request(module, req2);
144 if (ret == LDB_SUCCESS) {
145 ret = ldb_wait(req2->handle, LDB_WAIT_ALL);
146 }
147
148 if (ret != LDB_SUCCESS) {
149 talloc_free(tmp_ctx);
150 return ret;
151 }
152
153 if (!res || res->count != 1) {
154 talloc_free(tmp_ctx);
155 return ldb_operr(ldb);
156 }
157
158 dn2 = res->msgs[0]->dn;
159
160 v->data = (uint8_t *)ldb_dn_get_extended_linearized(msg->elements, dn2, edn_type);
161 if (v->data == NULL) {
162 talloc_free(tmp_ctx);
163 return ldb_operr(ldb);
164 }
165 v->length = strlen((char *)v->data);
166 }
167
168 talloc_free(tmp_ctx);
169
170 return LDB_SUCCESS;
171 }
172
173 /*
174 see if we are master for a FSMO role
175 */
176 static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *dn, bool *master,
177 struct ldb_request *parent)
178 {
179 const char *attrs[] = { "fSMORoleOwner", NULL };
180 TALLOC_CTX *tmp_ctx = talloc_new(parent);
181 struct ldb_result *res;
182 int ret;
183 struct ldb_dn *owner_dn;
184
185 ret = dsdb_module_search_dn(module, tmp_ctx, &res,
186 dn, attrs, DSDB_FLAG_NEXT_MODULE, parent);
187 if (ret != LDB_SUCCESS) {
188 talloc_free(tmp_ctx);
189 return ret;
190 }
191
192 owner_dn = ldb_msg_find_attr_as_dn(ldb_module_get_ctx(module),
193 tmp_ctx, res->msgs[0], "fSMORoleOwner");
194 if (!owner_dn) {
195 *master = false;
196 talloc_free(tmp_ctx);
197 return LDB_SUCCESS;
198 }
199
200 *master = (ldb_dn_compare(owner_dn, samdb_ntds_settings_dn(ldb_module_get_ctx(module))) == 0);
201 talloc_free(tmp_ctx);
202 return LDB_SUCCESS;
203 }
204
205 /*
206 add dynamically generated attributes to rootDSE result
207 */
208 static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *msg,
209 const char * const *attrs, struct ldb_request *req)
210 {
211 struct ldb_context *ldb;
212 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
213 char **server_sasl;
214 const struct dsdb_schema *schema;
215 int *val;
216 struct ldb_control *edn_control;
217 const char *dn_attrs[] = {
218 "configurationNamingContext",
219 "defaultNamingContext",
220 "rootDomainNamingContext",
221 "schemaNamingContext",
222 "serverName",
223 "validFSMOs",
224 NULL
225 };
226 const char *guid_attrs[] = {
227 "dsServiceName",
228 NULL
229 };
230 unsigned int i;
231
232 ldb = ldb_module_get_ctx(module);
233 schema = dsdb_get_schema(ldb, NULL);
234
235 msg->dn = ldb_dn_new(msg, ldb, NULL);
236
237 /* don't return the distinguishedName, cn and name attributes */
238 ldb_msg_remove_attr(msg, "distinguishedName");
239 ldb_msg_remove_attr(msg, "cn");
240 ldb_msg_remove_attr(msg, "name");
241
242 if (do_attribute(attrs, "serverName")) {
243 if (ldb_msg_add_linearized_dn(msg, "serverName",
244 samdb_server_dn(ldb, msg)) != LDB_SUCCESS) {
245 goto failed;
246 }
247 }
248
249 if (do_attribute(attrs, "dnsHostName")) {
250 struct ldb_result *res;
251 int ret;
252 const char *dns_attrs[] = { "dNSHostName", NULL };
253 ret = dsdb_module_search_dn(module, msg, &res, samdb_server_dn(ldb, msg),
254 dns_attrs, DSDB_FLAG_NEXT_MODULE, req);
255 if (ret == LDB_SUCCESS) {
256 const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
257 if (hostname != NULL) {
258 if (ldb_msg_add_string(msg, "dNSHostName", hostname)) {
259 goto failed;
260 }
261 }
262 }
263 }
264
265 if (do_attribute(attrs, "ldapServiceName")) {
266 struct loadparm_context *lp_ctx
267 = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
268 struct loadparm_context);
269 char *ldap_service_name, *hostname;
270
271 hostname = strlower_talloc(msg, lpcfg_netbios_name(lp_ctx));
272 if (hostname == NULL) {
273 goto failed;
274 }
275
276 ldap_service_name = talloc_asprintf(msg, "%s:%s$@%s",
277 samdb_forest_name(ldb, msg),
278 hostname, lpcfg_realm(lp_ctx));
279 if (ldap_service_name == NULL) {
280 goto failed;
281 }
282
283 if (ldb_msg_add_string(msg, "ldapServiceName",
284 ldap_service_name) != LDB_SUCCESS) {
285 goto failed;
286 }
287 }
288
289 if (do_attribute(attrs, "currentTime")) {
290 if (ldb_msg_add_steal_string(msg, "currentTime",
291 ldb_timestring(msg, time(NULL))) != LDB_SUCCESS) {
292 goto failed;
293 }
294 }
295
296 if (priv && do_attribute(attrs, "supportedControl")) {
297 for (i = 0; i < priv->num_controls; i++) {
298 char *control = talloc_strdup(msg, priv->controls[i]);
299 if (!control) {
300 goto failed;
301 }
302 if (ldb_msg_add_steal_string(msg, "supportedControl",
303 control) != LDB_SUCCESS) {
304 goto failed;
305 }
306 }
307 }
308
309 if (priv && do_attribute(attrs, "namingContexts")) {
310 for (i = 0; i < priv->num_partitions; i++) {
311 struct ldb_dn *dn = priv->partitions[i];
312 if (ldb_msg_add_steal_string(msg, "namingContexts",
313 ldb_dn_alloc_linearized(msg, dn)) != LDB_SUCCESS) {
314 goto failed;
315 }
316 }
317 }
318
319 server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
320 char *);
321 if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
322 for (i = 0; server_sasl && server_sasl[i]; i++) {
323 char *sasl_name = talloc_strdup(msg, server_sasl[i]);
324 if (!sasl_name) {
325 goto failed;
326 }
327 if (ldb_msg_add_steal_string(msg, "supportedSASLMechanisms",
328 sasl_name) != LDB_SUCCESS) {
329 goto failed;
330 }
331 }
332 }
333
334 if (do_attribute(attrs, "highestCommittedUSN")) {
335 uint64_t seq_num;
336 int ret = ldb_sequence_number(ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
337 if (ret == LDB_SUCCESS) {
338 if (samdb_msg_add_uint64(ldb, msg, msg,
339 "highestCommittedUSN",
340 seq_num) != LDB_SUCCESS) {
341 goto failed;
342 }
343 }
344 }
345
346 if (schema && do_attribute_explicit(attrs, "dsSchemaAttrCount")) {
347 struct dsdb_attribute *cur;
348 unsigned int n = 0;
349
350 for (cur = schema->attributes; cur; cur = cur->next) {
351 n++;
352 }
353
354 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaAttrCount",
355 n) != LDB_SUCCESS) {
356 goto failed;
357 }
358 }
359
360 if (schema && do_attribute_explicit(attrs, "dsSchemaClassCount")) {
361 struct dsdb_class *cur;
362 unsigned int n = 0;
363
364 for (cur = schema->classes; cur; cur = cur->next) {
365 n++;
366 }
367
368 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaClassCount",
369 n) != LDB_SUCCESS) {
370 goto failed;
371 }
372 }
373
374 if (schema && do_attribute_explicit(attrs, "dsSchemaPrefixCount")) {
375 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaPrefixCount",
376 schema->prefixmap->length) != LDB_SUCCESS) {
377 goto failed;
378 }
379 }
380
381 if (do_attribute_explicit(attrs, "validFSMOs")) {
382 struct ldb_dn *dns[3];
383
384 dns[0] = ldb_get_schema_basedn(ldb);
385 dns[1] = samdb_partitions_dn(ldb, msg);
386 dns[2] = ldb_get_default_basedn(ldb);
387
388 for (i=0; i<3; i++) {
389 bool master;
390 int ret = dsdb_module_we_are_master(module, dns[i], &master, req);
391 if (ret != LDB_SUCCESS) {
392 goto failed;
393 }
394 if (master && ldb_msg_add_fmt(msg, "validFSMOs", "%s",
395 ldb_dn_get_linearized(dns[i])) != LDB_SUCCESS) {
396 goto failed;
397 }
398 }
399 }
400
401 if (do_attribute_explicit(attrs, "vendorVersion")) {
402 if (ldb_msg_add_fmt(msg, "vendorVersion",
403 "%s", SAMBA_VERSION_STRING) != LDB_SUCCESS) {
404 goto failed;
405 }
406 }
407
408 if (do_attribute(attrs, "domainFunctionality")) {
409 if (samdb_msg_add_int(ldb, msg, msg, "domainFunctionality",
410 dsdb_functional_level(ldb)) != LDB_SUCCESS) {
411 goto failed;
412 }
413 }
414
415 if (do_attribute(attrs, "forestFunctionality")) {
416 if (samdb_msg_add_int(ldb, msg, msg, "forestFunctionality",
417 dsdb_forest_functional_level(ldb)) != LDB_SUCCESS) {
418 goto failed;
419 }
420 }
421
422 if (do_attribute(attrs, "domainControllerFunctionality")
423 && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) {
424 if (samdb_msg_add_int(ldb, msg, msg,
425 "domainControllerFunctionality",
426 *val) != LDB_SUCCESS) {
427 goto failed;
428 }
429 }
430
431 if (do_attribute(attrs, "isGlobalCatalogReady")) {
432 /* MS-ADTS 3.1.1.3.2.10
433 Note, we should only return true here is we have
434 completed at least one synchronisation. As both
435 provision and vampire do a full sync, this means we
436 can return true is the gc bit is set in the NTDSDSA
437 options */
438 if (ldb_msg_add_fmt(msg, "isGlobalCatalogReady",
439 "%s", samdb_is_gc(ldb)?"TRUE":"FALSE") != LDB_SUCCESS) {
440 goto failed;
441 }
442 }
443
444 if (do_attribute_explicit(attrs, "tokenGroups")) {
445 /* Obtain the user's session_info */
446 struct auth_session_info *session_info
447 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
448 if (session_info && session_info->security_token) {
449 /* The list of groups this user is in */
450 for (i = 0; i < session_info->security_token->num_sids; i++) {
451 if (samdb_msg_add_dom_sid(ldb, msg, msg,
452 "tokenGroups",
453 &session_info->security_token->sids[i]) != LDB_SUCCESS) {
454 goto failed;
455 }
456 }
457 }
458 }
459
460 /* TODO: lots more dynamic attributes should be added here */
461
462 edn_control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
463
464 /* convert any GUID attributes to be in the right form */
465 for (i=0; guid_attrs[i]; i++) {
466 struct ldb_result *res;
467 struct ldb_message_element *el;
468 struct ldb_dn *attr_dn;
469 const char *no_attrs[] = { NULL };
470 int ret;
471
472 if (!do_attribute(attrs, guid_attrs[i])) continue;
473
474 attr_dn = ldb_msg_find_attr_as_dn(ldb, req, msg, guid_attrs[i]);
475 if (attr_dn == NULL) {
476 continue;
477 }
478
479 ret = dsdb_module_search_dn(module, req, &res,
480 attr_dn, no_attrs,
481 DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_EXTENDED_DN,
482 req);
483 if (ret != LDB_SUCCESS) {
484 return ldb_operr(ldb);
485 }
486
487 el = ldb_msg_find_element(msg, guid_attrs[i]);
488 if (el == NULL) {
489 return ldb_operr(ldb);
490 }
491
492 talloc_steal(el->values, res->msgs[0]->dn);
493 if (edn_control) {
494 struct ldb_extended_dn_control *edn;
495 int edn_type = 0;
496 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
497 if (edn != NULL) {
498 edn_type = edn->type;
499 }
500 el->values[0].data = (uint8_t *)ldb_dn_get_extended_linearized(el->values,
501 res->msgs[0]->dn,
502 edn_type);
503 } else {
504 el->values[0].data = (uint8_t *)talloc_strdup(el->values,
505 ldb_dn_get_linearized(res->msgs[0]->dn));
506 }
507 if (el->values[0].data == NULL) {
508 return ldb_oom(ldb);
509 }
510 el->values[0].length = strlen((const char *)el->values[0].data);
511 }
512
513 /* if the client sent us the EXTENDED_DN control then we need
514 to expand the DNs to have GUID and SID. W2K8 join relies on
515 this */
516 if (edn_control) {
517 int ret;
518 for (i=0; dn_attrs[i]; i++) {
519 if (!do_attribute(attrs, dn_attrs[i])) continue;
520 ret = expand_dn_in_message(module, msg, dn_attrs[i],
521 edn_control, req);
522 if (ret != LDB_SUCCESS) {
523 DEBUG(0,(__location__ ": Failed to expand DN in rootDSE for %s\n",
524 dn_attrs[i]));
525 goto failed;
526 }
527 }
528 }
529
530 return LDB_SUCCESS;
531
532 failed:
533 return ldb_operr(ldb);
534 }
535
536 /*
537 handle search requests
538 */
539
540 struct rootdse_context {
541 struct ldb_module *module;
542 struct ldb_request *req;
543 };
544
545 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
546 struct ldb_request *req)
547 {
548 struct ldb_context *ldb;
549 struct rootdse_context *ac;
550
551 ldb = ldb_module_get_ctx(module);
552
553 ac = talloc_zero(req, struct rootdse_context);
554 if (ac == NULL) {
555 ldb_set_errstring(ldb, "Out of Memory");
556 return NULL;
557 }
558
559 ac->module = module;
560 ac->req = req;
561
562 return ac;
563 }
564
565 static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
566 {
567 struct rootdse_context *ac;
568 int ret;
569
570 ac = talloc_get_type(req->context, struct rootdse_context);
571
572 if (!ares) {
573 return ldb_module_done(ac->req, NULL, NULL,
574 LDB_ERR_OPERATIONS_ERROR);
575 }
576 if (ares->error != LDB_SUCCESS) {
577 return ldb_module_done(ac->req, ares->controls,
578 ares->response, ares->error);
579 }
580
581 switch (ares->type) {
582 case LDB_REPLY_ENTRY:
583 /*
584 * if the client explicit asks for the 'netlogon' attribute
585 * the reply_entry needs to be skipped
586 */
587 if (ac->req->op.search.attrs &&
588 ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
589 talloc_free(ares);
590 return LDB_SUCCESS;
591 }
592
593 /* for each record returned post-process to add any dynamic
594 attributes that have been asked for */
595 ret = rootdse_add_dynamic(ac->module, ares->message,
596 ac->req->op.search.attrs, ac->req);
597 if (ret != LDB_SUCCESS) {
598 talloc_free(ares);
599 return ldb_module_done(ac->req, NULL, NULL, ret);
600 }
601
602 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
603
604 case LDB_REPLY_REFERRAL:
605 /* should we allow the backend to return referrals in this case
606 * ?? */
607 break;
608
609 case LDB_REPLY_DONE:
610 return ldb_module_done(ac->req, ares->controls,
611 ares->response, ares->error);
612 }
613
614 talloc_free(ares);
615 return LDB_SUCCESS;
616 }
617
618 /*
619 filter from controls from clients in several ways
620
621 1) mark our registered controls as non-critical in the request
622
623 This is needed as clients may mark controls as critical even if
624 they are not needed at all in a request. For example, the centrify
625 client sets the SD_FLAGS control as critical on ldap modify
626 requests which are setting the dNSHostName attribute on the
627 machine account. That request doesn't need SD_FLAGS at all, but
628 centrify adds it on all ldap requests.
629
630 2) if this request is untrusted then remove any non-registered
631 controls that are non-critical
632
633 This is used on ldap:// connections to prevent remote users from
634 setting an internal control that may be dangerous
635
636 3) if this request is untrusted then fail any request that includes
637 a critical non-registered control
638 */
639 static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request *req)
640 {
641 unsigned int i, j;
642 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
643 bool is_untrusted;
644
645 if (!req->controls) {
646 return LDB_SUCCESS;
647 }
648
649 is_untrusted = ldb_req_is_untrusted(req);
650
651 for (i=0; req->controls[i]; i++) {
652 bool is_registered = false;
653 bool is_critical = (req->controls[i]->critical != 0);
654
655 if (req->controls[i]->oid == NULL) {
656 continue;
657 }
658
659 if (is_untrusted || is_critical) {
660 for (j=0; j<priv->num_controls; j++) {
661 if (strcasecmp(priv->controls[j], req->controls[i]->oid) == 0) {
662 is_registered = true;
663 break;
664 }
665 }
666 }
667
668 if (is_untrusted && !is_registered) {
669 if (!is_critical) {
670 /* remove it by marking the oid NULL */
671 req->controls[i]->oid = NULL;
672 req->controls[i]->data = NULL;
673 req->controls[i]->critical = 0;
674 continue;
675 }
676 /* its a critical unregistered control - give
677 an error */
678 ldb_asprintf_errstring(ldb_module_get_ctx(module),
679 "Attempt to use critical non-registered control '%s'",
680 req->controls[i]->oid);
681 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
682 }
683
684 if (!is_critical) {
685 continue;
686 }
687
688 /* If the control is DIRSYNC control then we keep the critical
689 * flag as the dirsync module will need to act upon it
690 */
691 if (is_registered && strcmp(req->controls[i]->oid,
692 LDB_CONTROL_DIRSYNC_OID)!= 0) {
693 req->controls[i]->critical = 0;
694 }
695 }
696
697 return LDB_SUCCESS;
698 }
699
700 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
701
702 static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req)
703 {
704 struct auth_session_info *session_info;
705 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
706 bool is_untrusted = ldb_req_is_untrusted(req);
707 bool is_anonymous = true;
708 if (is_untrusted == false) {
709 return LDB_SUCCESS;
710 }
711
712 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
713 if (session_info) {
714 is_anonymous = security_token_is_anonymous(session_info->security_token);
715 }
716
717 if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
718 return LDB_SUCCESS;
719 }
720
721 if (req->operation == LDB_SEARCH) {
722 if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
723 return LDB_SUCCESS;
724 }
725 }
726 ldb_set_errstring(ldb_module_get_ctx(module), "Operation unavailable without authentication");
727 return LDB_ERR_OPERATIONS_ERROR;
728 }
729
730 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
731 {
732 struct ldb_context *ldb;
733 struct rootdse_context *ac;
734 struct ldb_request *down_req;
735 int ret;
736
737 ret = rootdse_filter_operations(module, req);
738 if (ret != LDB_SUCCESS) {
739 return ret;
740 }
741
742 ret = rootdse_filter_controls(module, req);
743 if (ret != LDB_SUCCESS) {
744 return ret;
745 }
746
747 ldb = ldb_module_get_ctx(module);
748
749 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
750 if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
751 /* Otherwise, pass down to the rest of the stack */
752 return ldb_next_request(module, req);
753 }
754
755 ac = rootdse_init_context(module, req);
756 if (ac == NULL) {
757 return ldb_operr(ldb);
758 }
759
760 /* in our db we store the rootDSE with a DN of @ROOTDSE */
761 ret = ldb_build_search_req(&down_req, ldb, ac,
762 ldb_dn_new(ac, ldb, "@ROOTDSE"),
763 LDB_SCOPE_BASE,
764 NULL,
765 req->op.search.attrs,
766 NULL,/* for now skip the controls from the client */
767 ac, rootdse_callback,
768 req);
769 LDB_REQ_SET_LOCATION(down_req);
770 if (ret != LDB_SUCCESS) {
771 return ret;
772 }
773
774 return ldb_next_request(module, down_req);
775 }
776
777 static int rootdse_register_control(struct ldb_module *module, struct ldb_request *req)
778 {
779 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
780 char **list;
781
782 list = talloc_realloc(priv, priv->controls, char *, priv->num_controls + 1);
783 if (!list) {
784 return ldb_oom(ldb_module_get_ctx(module));
785 }
786
787 list[priv->num_controls] = talloc_strdup(list, req->op.reg_control.oid);
788 if (!list[priv->num_controls]) {
789 return ldb_oom(ldb_module_get_ctx(module));
790 }
791
792 priv->num_controls += 1;
793 priv->controls = list;
794
795 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
796 }
797
798 static int rootdse_register_partition(struct ldb_module *module, struct ldb_request *req)
799 {
800 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
801 struct ldb_dn **list;
802
803 list = talloc_realloc(priv, priv->partitions, struct ldb_dn *, priv->num_partitions + 1);
804 if (!list) {
805 return ldb_oom(ldb_module_get_ctx(module));
806 }
807
808 list[priv->num_partitions] = ldb_dn_copy(list, req->op.reg_partition.dn);
809 if (!list[priv->num_partitions]) {
810 return ldb_operr(ldb_module_get_ctx(module));
811 }
812
813 priv->num_partitions += 1;
814 priv->partitions = list;
815
816 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
817 }
818
819
820 static int rootdse_request(struct ldb_module *module, struct ldb_request *req)
821 {
822 switch (req->operation) {
823
824 case LDB_REQ_REGISTER_CONTROL:
825 return rootdse_register_control(module, req);
826 case LDB_REQ_REGISTER_PARTITION:
827 return rootdse_register_partition(module, req);
828
829 default:
830 break;
831 }
832 return ldb_next_request(module, req);
833 }
834
835 static int rootdse_init(struct ldb_module *module)
836 {
837 int ret;
838 struct ldb_context *ldb;
839 struct ldb_result *res;
840 struct private_data *data;
841 const char *attrs[] = { "msDS-Behavior-Version", NULL };
842 const char *ds_attrs[] = { "dsServiceName", NULL };
843 TALLOC_CTX *mem_ctx;
844
845 ldb = ldb_module_get_ctx(module);
846
847 data = talloc_zero(module, struct private_data);
848 if (data == NULL) {
849 return ldb_oom(ldb);
850 }
851
852 data->num_controls = 0;
853 data->controls = NULL;
854 data->num_partitions = 0;
855 data->partitions = NULL;
856 data->block_anonymous = true;
857
858 ldb_module_set_private(module, data);
859
860 ldb_set_default_dns(ldb);
861
862 ret = ldb_next_init(module);
863
864 if (ret != LDB_SUCCESS) {
865 return ret;
866 }
867
868 mem_ctx = talloc_new(data);
869 if (!mem_ctx) {
870 return ldb_oom(ldb);
871 }
872
873 /* Now that the partitions are set up, do a search for:
874 - domainControllerFunctionality
875 - domainFunctionality
876 - forestFunctionality
877
878 Then stuff these values into an opaque
879 */
880 ret = dsdb_module_search(module, mem_ctx, &res,
881 ldb_get_default_basedn(ldb),
882 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
883 if (ret == LDB_SUCCESS && res->count == 1) {
884 int domain_behaviour_version
885 = ldb_msg_find_attr_as_int(res->msgs[0],
886 "msDS-Behavior-Version", -1);
887 if (domain_behaviour_version != -1) {
888 int *val = talloc(ldb, int);
889 if (!val) {
890 talloc_free(mem_ctx);
891 return ldb_oom(ldb);
892 }
893 *val = domain_behaviour_version;
894 ret = ldb_set_opaque(ldb, "domainFunctionality", val);
895 if (ret != LDB_SUCCESS) {
896 talloc_free(mem_ctx);
897 return ret;
898 }
899 }
900 }
901
902 ret = dsdb_module_search(module, mem_ctx, &res,
903 samdb_partitions_dn(ldb, mem_ctx),
904 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
905 if (ret == LDB_SUCCESS && res->count == 1) {
906 int forest_behaviour_version
907 = ldb_msg_find_attr_as_int(res->msgs[0],
908 "msDS-Behavior-Version", -1);
909 if (forest_behaviour_version != -1) {
910 int *val = talloc(ldb, int);
911 if (!val) {
912 talloc_free(mem_ctx);
913 return ldb_oom(ldb);
914 }
915 *val = forest_behaviour_version;
916 ret = ldb_set_opaque(ldb, "forestFunctionality", val);
917 if (ret != LDB_SUCCESS) {
918 talloc_free(mem_ctx);
919 return ret;
920 }
921 }
922 }
923
924 /* For now, our own server's location in the DB is recorded in
925 * the @ROOTDSE record */
926 ret = dsdb_module_search(module, mem_ctx, &res,
927 ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
928 LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
929 if (ret == LDB_SUCCESS && res->count == 1) {
930 struct ldb_dn *ds_dn
931 = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
932 "dsServiceName");
933 if (ds_dn) {
934 ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
935 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
936 if (ret == LDB_SUCCESS && res->count == 1) {
937 int domain_controller_behaviour_version
938 = ldb_msg_find_attr_as_int(res->msgs[0],
939 "msDS-Behavior-Version", -1);
940 if (domain_controller_behaviour_version != -1) {
941 int *val = talloc(ldb, int);
942 if (!val) {
943 talloc_free(mem_ctx);
944 return ldb_oom(ldb);
945 }
946 *val = domain_controller_behaviour_version;
947 ret = ldb_set_opaque(ldb,
948 "domainControllerFunctionality", val);
949 if (ret != LDB_SUCCESS) {
950 talloc_free(mem_ctx);
951 return ret;
952 }
953 }
954 }
955 }
956 }
957
958 data->block_anonymous = dsdb_block_anonymous_ops(module, NULL);
959
960 talloc_free(mem_ctx);
961
962 return LDB_SUCCESS;
963 }
964
965 /*
966 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
967 * to a DN and a GUID object
968 */
969 static int get_optional_feature_dn_guid(struct ldb_request *req, struct ldb_context *ldb,
970 TALLOC_CTX *mem_ctx,
971 struct ldb_dn **op_feature_scope_dn,
972 struct GUID *op_feature_guid)
973 {
974 const struct ldb_message *msg = req->op.mod.message;
975 const char *ldb_val_str;
976 char *dn, *guid;
977 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
978 NTSTATUS status;
979
980 ldb_val_str = ldb_msg_find_attr_as_string(msg, "enableOptionalFeature", NULL);
981 if (!ldb_val_str) {
982 ldb_set_errstring(ldb,
983 "rootdse: unable to find 'enableOptionalFeature'!");
984 return LDB_ERR_UNWILLING_TO_PERFORM;
985 }
986
987 guid = strchr(ldb_val_str, ':');
988 if (!guid) {
989 ldb_set_errstring(ldb,
990 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
991 return LDB_ERR_UNWILLING_TO_PERFORM;
992 }
993 status = GUID_from_string(guid+1, op_feature_guid);
994 if (!NT_STATUS_IS_OK(status)) {
995 ldb_set_errstring(ldb,
996 "rootdse: bad GUID in 'enableOptionalFeature'!");
997 return LDB_ERR_UNWILLING_TO_PERFORM;
998 }
999
1000 dn = talloc_strndup(tmp_ctx, ldb_val_str, guid-ldb_val_str);
1001 if (!dn) {
1002 ldb_set_errstring(ldb,
1003 "rootdse: bad DN in 'enableOptionalFeature'!");
1004 return LDB_ERR_UNWILLING_TO_PERFORM;
1005 }
1006
1007 *op_feature_scope_dn = ldb_dn_new(mem_ctx, ldb, dn);
1008
1009 talloc_free(tmp_ctx);
1010 return LDB_SUCCESS;
1011 }
1012
1013 /*
1014 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
1015 * ldb_message object.
1016 */
1017 static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_context *ldb,
1018 TALLOC_CTX *mem_ctx, struct GUID op_feature_guid, struct ldb_message **msg,
1019 struct ldb_request *parent)
1020 {
1021 struct ldb_result *res;
1022 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1023 int ret;
1024
1025 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
1026 NULL,
1027 DSDB_FLAG_NEXT_MODULE |
1028 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
1029 parent,
1030 "(&(objectClass=msDS-OptionalFeature)"
1031 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
1032
1033 if (ret != LDB_SUCCESS) {
1034 talloc_free(tmp_ctx);
1035 return ret;
1036 }
1037 if (res->count == 0) {
1038 talloc_free(tmp_ctx);
1039 return LDB_ERR_NO_SUCH_OBJECT;
1040 }
1041 if (res->count != 1) {
1042 ldb_asprintf_errstring(ldb,
1043 "More than one object found matching optional feature GUID %s\n",
1044 GUID_string(tmp_ctx, &op_feature_guid));
1045 talloc_free(tmp_ctx);
1046 return LDB_ERR_OPERATIONS_ERROR;
1047 }
1048
1049 *msg = talloc_steal(mem_ctx, res->msgs[0]);
1050
1051 talloc_free(tmp_ctx);
1052 return LDB_SUCCESS;
1053 }
1054
1055 static int rootdse_enable_recycle_bin(struct ldb_module *module,struct ldb_context *ldb,
1056 TALLOC_CTX *mem_ctx, struct ldb_dn *op_feature_scope_dn,
1057 struct ldb_message *op_feature_msg, struct ldb_request *parent)
1058 {
1059 int ret;
1060 const int domain_func_level = dsdb_functional_level(ldb);
1061 struct ldb_dn *ntds_settings_dn;
1062 TALLOC_CTX *tmp_ctx;
1063 unsigned int el_count = 0;
1064 struct ldb_message *msg;
1065
1066 ret = ldb_msg_find_attr_as_int(op_feature_msg, "msDS-RequiredForestBehaviorVersion", 0);
1067 if (domain_func_level < ret){
1068 ldb_asprintf_errstring(ldb,
1069 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
1070 ret);
1071 return LDB_ERR_UNWILLING_TO_PERFORM;
1072 }
1073
1074 tmp_ctx = talloc_new(mem_ctx);
1075 ntds_settings_dn = samdb_ntds_settings_dn(ldb);
1076 if (!ntds_settings_dn) {
1077 talloc_free(tmp_ctx);
1078 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to find NTDS settings DN");
1079 }
1080
1081 ntds_settings_dn = ldb_dn_copy(tmp_ctx, ntds_settings_dn);
1082 if (!ntds_settings_dn) {
1083 talloc_free(tmp_ctx);
1084 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to copy NTDS settings DN");
1085 }
1086
1087 msg = ldb_msg_new(tmp_ctx);
1088 msg->dn = ntds_settings_dn;
1089
1090 ldb_msg_add_linearized_dn(msg, "msDS-EnabledFeature", op_feature_msg->dn);
1091 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
1092
1093 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1094 if (ret != LDB_SUCCESS) {
1095 ldb_asprintf_errstring(ldb,
1096 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1097 ldb_dn_get_linearized(ntds_settings_dn),
1098 ldb_errstring(ldb));
1099 talloc_free(tmp_ctx);
1100 return ret;
1101 }
1102
1103 msg->dn = op_feature_scope_dn;
1104 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1105 if (ret != LDB_SUCCESS) {
1106 ldb_asprintf_errstring(ldb,
1107 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1108 ldb_dn_get_linearized(op_feature_scope_dn),
1109 ldb_errstring(ldb));
1110 talloc_free(tmp_ctx);
1111 return ret;
1112 }
1113
1114 return LDB_SUCCESS;
1115 }
1116
1117 static int rootdse_enableoptionalfeature(struct ldb_module *module, struct ldb_request *req)
1118 {
1119 /*
1120 steps:
1121 - check for system (only system can enable features)
1122 - extract GUID from the request
1123 - find the feature object
1124 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1125 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1126 - add/modify objects (see ntdsconnection code for an example)
1127 */
1128
1129 struct ldb_context *ldb = ldb_module_get_ctx(module);
1130 struct GUID op_feature_guid;
1131 struct ldb_dn *op_feature_scope_dn;
1132 struct ldb_message *op_feature_msg;
1133 struct auth_session_info *session_info =
1134 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
1135 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1136 int ret;
1137 const char *guid_string;
1138
1139 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
1140 ldb_set_errstring(ldb, "rootdse: Insufficient rights for enableoptionalfeature");
1141 return LDB_ERR_UNWILLING_TO_PERFORM;
1142 }
1143
1144 ret = get_optional_feature_dn_guid(req, ldb, tmp_ctx, &op_feature_scope_dn, &op_feature_guid);
1145 if (ret != LDB_SUCCESS) {
1146 talloc_free(tmp_ctx);
1147 return ret;
1148 }
1149
1150 guid_string = GUID_string(tmp_ctx, &op_feature_guid);
1151 if (!guid_string) {
1152 ldb_set_errstring(ldb, "rootdse: bad optional feature GUID");
1153 return LDB_ERR_UNWILLING_TO_PERFORM;
1154 }
1155
1156 ret = dsdb_find_optional_feature(module, ldb, tmp_ctx, op_feature_guid, &op_feature_msg, req);
1157 if (ret != LDB_SUCCESS) {
1158 ldb_asprintf_errstring(ldb,
1159 "rootdse: unable to find optional feature for %s - %s",
1160 guid_string, ldb_errstring(ldb));
1161 talloc_free(tmp_ctx);
1162 return ret;
1163 }
1164
1165 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN, guid_string) == 0) {
1166 ret = rootdse_enable_recycle_bin(module, ldb,
1167 tmp_ctx, op_feature_scope_dn,
1168 op_feature_msg, req);
1169 } else {
1170 ldb_asprintf_errstring(ldb,
1171 "rootdse: unknown optional feature %s",
1172 guid_string);
1173 talloc_free(tmp_ctx);
1174 return LDB_ERR_UNWILLING_TO_PERFORM;
1175 }
1176 if (ret != LDB_SUCCESS) {
1177 ldb_asprintf_errstring(ldb,
1178 "rootdse: failed to set optional feature for %s - %s",
1179 guid_string, ldb_errstring(ldb));
1180 talloc_free(tmp_ctx);
1181 return ret;
1182 }
1183
1184 talloc_free(tmp_ctx);
1185 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);;
1186 }
1187
1188 static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request *req)
1189 {
1190 struct ldb_context *ldb = ldb_module_get_ctx(module);
1191 struct ldb_result *ext_res;
1192 int ret;
1193 struct ldb_dn *schema_dn;
1194
1195 schema_dn = ldb_get_schema_basedn(ldb);
1196 if (!schema_dn) {
1197 ldb_reset_err_string(ldb);
1198 ldb_debug(ldb, LDB_DEBUG_WARNING,
1199 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1200 return ldb_next_request(module, req);
1201 }
1202
1203 ret = ldb_extended(ldb, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID, schema_dn, &ext_res);
1204 if (ret != LDB_SUCCESS) {
1205 return ldb_operr(ldb);
1206 }
1207
1208 talloc_free(ext_res);
1209 return ldb_module_done(req, NULL, NULL, ret);
1210 }
1211
1212 static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
1213 {
1214 struct ldb_context *ldb = ldb_module_get_ctx(module);
1215 int ret;
1216
1217 ret = rootdse_filter_operations(module, req);
1218 if (ret != LDB_SUCCESS) {
1219 return ret;
1220 }
1221
1222 ret = rootdse_filter_controls(module, req);
1223 if (ret != LDB_SUCCESS) {
1224 return ret;
1225 }
1226
1227 /*
1228 If dn is not "" we should let it pass through
1229 */
1230 if (!ldb_dn_is_null(req->op.add.message->dn)) {
1231 return ldb_next_request(module, req);
1232 }
1233
1234 ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
1235 return LDB_ERR_NAMING_VIOLATION;
1236 }
1237
1238 struct fsmo_transfer_state {
1239 struct ldb_context *ldb;
1240 struct ldb_request *req;
1241 };
1242
1243 /*
1244 called when a FSMO transfer operation has completed
1245 */
1246 static void rootdse_fsmo_transfer_callback(struct tevent_req *treq)
1247 {
1248 struct fsmo_transfer_state *fsmo = tevent_req_callback_data(treq, struct fsmo_transfer_state);
1249 NTSTATUS status;
1250 WERROR werr;
1251 struct ldb_request *req = fsmo->req;
1252 struct ldb_context *ldb = fsmo->ldb;
1253
1254 status = dcerpc_drepl_takeFSMORole_recv(treq, fsmo, &werr);
1255 talloc_free(fsmo);
1256 if (!NT_STATUS_IS_OK(status)) {
1257 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", nt_errstr(status));
1258 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1259 return;
1260 }
1261 if (!W_ERROR_IS_OK(werr)) {
1262 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", win_errstr(werr));
1263 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1264 return;
1265 }
1266
1267 ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1268 }
1269
1270 static int rootdse_become_master(struct ldb_module *module,
1271 struct ldb_request *req,
1272 enum drepl_role_master role)
1273 {
1274 struct imessaging_context *msg;
1275 struct ldb_context *ldb = ldb_module_get_ctx(module);
1276 TALLOC_CTX *tmp_ctx = talloc_new(req);
1277 struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
1278 bool am_rodc;
1279 struct dcerpc_binding_handle *irpc_handle;
1280 int ret;
1281 struct auth_session_info *session_info;
1282 enum security_user_level level;
1283 struct fsmo_transfer_state *fsmo;
1284 struct tevent_req *treq;
1285
1286 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
1287 level = security_session_user_level(session_info, NULL);
1288 if (level < SECURITY_ADMINISTRATOR) {
1289 return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
1290 }
1291
1292 ret = samdb_rodc(ldb, &am_rodc);
1293 if (ret != LDB_SUCCESS) {
1294 return ldb_error(ldb, ret, "Could not determine if server is RODC.");
1295 }
1296
1297 if (am_rodc) {
1298 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1299 "RODC cannot become a role master.");
1300 }
1301
1302 msg = imessaging_client_init(tmp_ctx, lp_ctx,
1303 ldb_get_event_context(ldb));
1304 if (!msg) {
1305 ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s", lpcfg_imessaging_path(tmp_ctx, lp_ctx));
1306 return LDB_ERR_OPERATIONS_ERROR;
1307 }
1308 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
1309 "dreplsrv",
1310 &ndr_table_irpc);
1311 if (irpc_handle == NULL) {
1312 return ldb_oom(ldb);
1313 }
1314 fsmo = talloc_zero(req, struct fsmo_transfer_state);
1315 if (fsmo == NULL) {
1316 return ldb_oom(ldb);
1317 }
1318 fsmo->ldb = ldb;
1319 fsmo->req = req;
1320
1321 /* we send the call asynchronously, as the ldap client is
1322 * expecting to get an error back if the role transfer fails
1323 */
1324
1325 treq = dcerpc_drepl_takeFSMORole_send(req, ldb_get_event_context(ldb), irpc_handle, role);
1326 if (treq == NULL) {
1327 return ldb_oom(ldb);
1328 }
1329
1330 tevent_req_set_callback(treq, rootdse_fsmo_transfer_callback, fsmo);
1331 return LDB_SUCCESS;
1332 }
1333
1334 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
1335 {
1336 struct ldb_context *ldb = ldb_module_get_ctx(module);
1337 int ret;
1338
1339 ret = rootdse_filter_operations(module, req);
1340 if (ret != LDB_SUCCESS) {
1341 return ret;
1342 }
1343
1344 ret = rootdse_filter_controls(module, req);
1345 if (ret != LDB_SUCCESS) {
1346 return ret;
1347 }
1348
1349 /*
1350 If dn is not "" we should let it pass through
1351 */
1352 if (!ldb_dn_is_null(req->op.mod.message->dn)) {
1353 return ldb_next_request(module, req);
1354 }
1355
1356 /*
1357 dn is empty so check for schemaUpdateNow attribute
1358 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1359 */
1360 if (ldb_msg_find_element(req->op.mod.message, "schemaUpdateNow")) {
1361 return rootdse_schemaupdatenow(module, req);
1362 }
1363 if (ldb_msg_find_element(req->op.mod.message, "becomeDomainMaster")) {
1364 return rootdse_become_master(module, req, DREPL_NAMING_MASTER);
1365 }
1366 if (ldb_msg_find_element(req->op.mod.message, "becomeInfrastructureMaster")) {
1367 return rootdse_become_master(module, req, DREPL_INFRASTRUCTURE_MASTER);
1368 }
1369 if (ldb_msg_find_element(req->op.mod.message, "becomeRidMaster")) {
1370 return rootdse_become_master(module, req, DREPL_RID_MASTER);
1371 }
1372 if (ldb_msg_find_element(req->op.mod.message, "becomeSchemaMaster")) {
1373 return rootdse_become_master(module, req, DREPL_SCHEMA_MASTER);
1374 }
1375 if (ldb_msg_find_element(req->op.mod.message, "becomePdc")) {
1376 return rootdse_become_master(module, req, DREPL_PDC_MASTER);
1377 }
1378 if (ldb_msg_find_element(req->op.mod.message, "enableOptionalFeature")) {
1379 return rootdse_enableoptionalfeature(module, req);
1380 }
1381
1382 ldb_set_errstring(ldb, "rootdse_modify: unknown attribute to change!");
1383 return LDB_ERR_UNWILLING_TO_PERFORM;
1384 }
1385
1386 static int rootdse_rename(struct ldb_module *module, struct ldb_request *req)
1387 {
1388 struct ldb_context *ldb = ldb_module_get_ctx(module);
1389 int ret;
1390
1391 ret = rootdse_filter_operations(module, req);
1392 if (ret != LDB_SUCCESS) {
1393 return ret;
1394 }
1395
1396 ret = rootdse_filter_controls(module, req);
1397 if (ret != LDB_SUCCESS) {
1398 return ret;
1399 }
1400
1401 /*
1402 If dn is not "" we should let it pass through
1403 */
1404 if (!ldb_dn_is_null(req->op.rename.olddn)) {
1405 return ldb_next_request(module, req);
1406 }
1407
1408 ldb_set_errstring(ldb, "rootdse_remove: you cannot rename the rootdse entry!");
1409 return LDB_ERR_NO_SUCH_OBJECT;
1410 }
1411
1412 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
1413 {
1414 struct ldb_context *ldb = ldb_module_get_ctx(module);
1415 int ret;
1416
1417 ret = rootdse_filter_operations(module, req);
1418 if (ret != LDB_SUCCESS) {
1419 return ret;
1420 }
1421
1422 ret = rootdse_filter_controls(module, req);
1423 if (ret != LDB_SUCCESS) {
1424 return ret;
1425 }
1426
1427 /*
1428 If dn is not "" we should let it pass through
1429 */
1430 if (!ldb_dn_is_null(req->op.del.dn)) {
1431 return ldb_next_request(module, req);
1432 }
1433
1434 ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
1435 return LDB_ERR_NO_SUCH_OBJECT;
1436 }
1437
1438 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
1439 {
1440 int ret;
1441
1442 ret = rootdse_filter_operations(module, req);
1443 if (ret != LDB_SUCCESS) {
1444 return ret;
1445 }
1446
1447 ret = rootdse_filter_controls(module, req);
1448 if (ret != LDB_SUCCESS) {
1449 return ret;
1450 }
1451
1452 return ldb_next_request(module, req);
1453 }
1454
1455 static const struct ldb_module_ops ldb_rootdse_module_ops = {
1456 .name = "rootdse",
1457 .init_context = rootdse_init,
1458 .search = rootdse_search,
1459 .request = rootdse_request,
1460 .add = rootdse_add,
1461 .modify = rootdse_modify,
1462 .rename = rootdse_rename,
1463 .extended = rootdse_extended,
1464 .del = rootdse_delete
1465 };
1466
1467 int ldb_rootdse_module_init(const char *version)
1468 {
1469 LDB_MODULE_CHECK_VERSION(version);
1470 return ldb_register_module(&ldb_rootdse_module_ops);
1471 }
reg import