search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-dsdb: In rootdse add extended dn info on all values for a given attribute
[Samba/gebeck_regimport.git] / source4 / dsdb / samdb / ldb_modules / rootdse.c
blob9176b4e02b576b8054f38dd92703d468c35d643b
1 /*
2 Unix SMB/CIFS implementation.
3
4 rootDSE ldb module
5
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include <ldb.h>
25 #include <ldb_module.h>
26 #include "system/time.h"
27 #include "dsdb/samdb/samdb.h"
28 #include "version.h"
29 #include "dsdb/samdb/ldb_modules/util.h"
30 #include "libcli/security/security.h"
31 #include "librpc/ndr/libndr.h"
32 #include "auth/auth.h"
33 #include "param/param.h"
34 #include "lib/messaging/irpc.h"
35 #include "librpc/gen_ndr/ndr_irpc_c.h"
36
37 struct private_data {
38 unsigned int num_controls;
39 char **controls;
40 unsigned int num_partitions;
41 struct ldb_dn **partitions;
42 bool block_anonymous;
43 };
44
45 /*
46 return 1 if a specific attribute has been requested
47 */
48 static int do_attribute(const char * const *attrs, const char *name)
49 {
50 return attrs == NULL ||
51 ldb_attr_in_list(attrs, name) ||
52 ldb_attr_in_list(attrs, "*");
53 }
54
55 static int do_attribute_explicit(const char * const *attrs, const char *name)
56 {
57 return attrs != NULL && ldb_attr_in_list(attrs, name);
58 }
59
60
61 /*
62 expand a DN attribute to include extended DN information if requested
63 */
64 static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *msg,
65 const char *attrname, struct ldb_control *edn_control,
66 struct ldb_request *req)
67 {
68 struct ldb_dn *dn, *dn2;
69 struct ldb_val *v;
70 int ret;
71 struct ldb_request *req2;
72 char *dn_string;
73 const char *no_attrs[] = { NULL };
74 struct ldb_result *res;
75 struct ldb_extended_dn_control *edn;
76 TALLOC_CTX *tmp_ctx = talloc_new(req);
77 struct ldb_context *ldb;
78 int edn_type = 0;
79 unsigned int i;
80 struct ldb_message_element *el;
81
82 ldb = ldb_module_get_ctx(module);
83
84 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
85 if (edn) {
86 edn_type = edn->type;
87 }
88
89 el = ldb_msg_find_element(msg, attrname);
90 if (!el || el->num_values == 0) {
91 return LDB_SUCCESS;
92 }
93
94 for (i = 0; i < el->num_values; i++) {
95 v = &el->values[i];
96 if (v == NULL) {
97 talloc_free(tmp_ctx);
98 return LDB_SUCCESS;
99 }
100
101 dn_string = talloc_strndup(tmp_ctx, (const char *)v->data, v->length);
102 if (dn_string == NULL) {
103 talloc_free(tmp_ctx);
104 return ldb_operr(ldb);
105 }
106
107 res = talloc_zero(tmp_ctx, struct ldb_result);
108 if (res == NULL) {
109 talloc_free(tmp_ctx);
110 return ldb_operr(ldb);
111 }
112
113 dn = ldb_dn_new(tmp_ctx, ldb, dn_string);
114 if (dn == NULL) {
115 talloc_free(tmp_ctx);
116 return ldb_operr(ldb);
117 }
118
119 ret = ldb_build_search_req(&req2, ldb, tmp_ctx,
120 dn,
121 LDB_SCOPE_BASE,
122 NULL,
123 no_attrs,
124 NULL,
125 res, ldb_search_default_callback,
126 req);
127 LDB_REQ_SET_LOCATION(req2);
128 if (ret != LDB_SUCCESS) {
129 talloc_free(tmp_ctx);
130 return ret;
131 }
132
133
134 ret = ldb_request_add_control(req2,
135 LDB_CONTROL_EXTENDED_DN_OID,
136 edn_control->critical, edn);
137 if (ret != LDB_SUCCESS) {
138 talloc_free(tmp_ctx);
139 return ldb_error(ldb, ret, "Failed to add control");
140 }
141
142 ret = ldb_next_request(module, req2);
143 if (ret == LDB_SUCCESS) {
144 ret = ldb_wait(req2->handle, LDB_WAIT_ALL);
145 }
146
147 if (ret != LDB_SUCCESS) {
148 talloc_free(tmp_ctx);
149 return ret;
150 }
151
152 if (!res || res->count != 1) {
153 talloc_free(tmp_ctx);
154 return ldb_operr(ldb);
155 }
156
157 dn2 = res->msgs[0]->dn;
158
159 v->data = (uint8_t *)ldb_dn_get_extended_linearized(msg->elements, dn2, edn_type);
160 if (v->data == NULL) {
161 talloc_free(tmp_ctx);
162 return ldb_operr(ldb);
163 }
164 v->length = strlen((char *)v->data);
165 }
166
167 talloc_free(tmp_ctx);
168
169 return LDB_SUCCESS;
170 }
171
172
173 /*
174 add dynamically generated attributes to rootDSE result
175 */
176 static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *msg,
177 const char * const *attrs, struct ldb_request *req)
178 {
179 struct ldb_context *ldb;
180 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
181 char **server_sasl;
182 const struct dsdb_schema *schema;
183 int *val;
184 struct ldb_control *edn_control;
185 const char *dn_attrs[] = {
186 "configurationNamingContext",
187 "defaultNamingContext",
188 "dsServiceName",
189 "rootDomainNamingContext",
190 "schemaNamingContext",
191 "serverName",
192 NULL
193 };
194
195 ldb = ldb_module_get_ctx(module);
196 schema = dsdb_get_schema(ldb, NULL);
197
198 msg->dn = ldb_dn_new(msg, ldb, NULL);
199
200 /* don't return the distinguishedName, cn and name attributes */
201 ldb_msg_remove_attr(msg, "distinguishedName");
202 ldb_msg_remove_attr(msg, "cn");
203 ldb_msg_remove_attr(msg, "name");
204
205 if (do_attribute(attrs, "serverName")) {
206 if (ldb_msg_add_linearized_dn(msg, "serverName",
207 samdb_server_dn(ldb, msg)) != LDB_SUCCESS) {
208 goto failed;
209 }
210 }
211
212 if (do_attribute(attrs, "dnsHostName")) {
213 struct ldb_result *res;
214 int ret;
215 const char *dns_attrs[] = { "dNSHostName", NULL };
216 ret = dsdb_module_search_dn(module, msg, &res, samdb_server_dn(ldb, msg),
217 dns_attrs, DSDB_FLAG_NEXT_MODULE, req);
218 if (ret == LDB_SUCCESS) {
219 const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
220 if (hostname != NULL) {
221 if (ldb_msg_add_string(msg, "dNSHostName", hostname)) {
222 goto failed;
223 }
224 }
225 }
226 }
227
228 if (do_attribute(attrs, "ldapServiceName")) {
229 struct loadparm_context *lp_ctx
230 = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
231 struct loadparm_context);
232 char *ldap_service_name, *hostname;
233
234 hostname = strlower_talloc(msg, lpcfg_netbios_name(lp_ctx));
235 if (hostname == NULL) {
236 goto failed;
237 }
238
239 ldap_service_name = talloc_asprintf(msg, "%s:%s$@%s",
240 samdb_forest_name(ldb, msg),
241 hostname, lpcfg_realm(lp_ctx));
242 if (ldap_service_name == NULL) {
243 goto failed;
244 }
245
246 if (ldb_msg_add_string(msg, "ldapServiceName",
247 ldap_service_name) != LDB_SUCCESS) {
248 goto failed;
249 }
250 }
251
252 if (do_attribute(attrs, "currentTime")) {
253 if (ldb_msg_add_steal_string(msg, "currentTime",
254 ldb_timestring(msg, time(NULL))) != LDB_SUCCESS) {
255 goto failed;
256 }
257 }
258
259 if (priv && do_attribute(attrs, "supportedControl")) {
260 unsigned int i;
261 for (i = 0; i < priv->num_controls; i++) {
262 char *control = talloc_strdup(msg, priv->controls[i]);
263 if (!control) {
264 goto failed;
265 }
266 if (ldb_msg_add_steal_string(msg, "supportedControl",
267 control) != LDB_SUCCESS) {
268 goto failed;
269 }
270 }
271 }
272
273 if (priv && do_attribute(attrs, "namingContexts")) {
274 unsigned int i;
275 for (i = 0; i < priv->num_partitions; i++) {
276 struct ldb_dn *dn = priv->partitions[i];
277 if (ldb_msg_add_steal_string(msg, "namingContexts",
278 ldb_dn_alloc_linearized(msg, dn)) != LDB_SUCCESS) {
279 goto failed;
280 }
281 }
282 }
283
284 server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
285 char *);
286 if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
287 unsigned int i;
288 for (i = 0; server_sasl && server_sasl[i]; i++) {
289 char *sasl_name = talloc_strdup(msg, server_sasl[i]);
290 if (!sasl_name) {
291 goto failed;
292 }
293 if (ldb_msg_add_steal_string(msg, "supportedSASLMechanisms",
294 sasl_name) != LDB_SUCCESS) {
295 goto failed;
296 }
297 }
298 }
299
300 if (do_attribute(attrs, "highestCommittedUSN")) {
301 uint64_t seq_num;
302 int ret = ldb_sequence_number(ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
303 if (ret == LDB_SUCCESS) {
304 if (samdb_msg_add_uint64(ldb, msg, msg,
305 "highestCommittedUSN",
306 seq_num) != LDB_SUCCESS) {
307 goto failed;
308 }
309 }
310 }
311
312 if (schema && do_attribute_explicit(attrs, "dsSchemaAttrCount")) {
313 struct dsdb_attribute *cur;
314 unsigned int n = 0;
315
316 for (cur = schema->attributes; cur; cur = cur->next) {
317 n++;
318 }
319
320 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaAttrCount",
321 n) != LDB_SUCCESS) {
322 goto failed;
323 }
324 }
325
326 if (schema && do_attribute_explicit(attrs, "dsSchemaClassCount")) {
327 struct dsdb_class *cur;
328 unsigned int n = 0;
329
330 for (cur = schema->classes; cur; cur = cur->next) {
331 n++;
332 }
333
334 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaClassCount",
335 n) != LDB_SUCCESS) {
336 goto failed;
337 }
338 }
339
340 if (schema && do_attribute_explicit(attrs, "dsSchemaPrefixCount")) {
341 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaPrefixCount",
342 schema->prefixmap->length) != LDB_SUCCESS) {
343 goto failed;
344 }
345 }
346
347 if (do_attribute_explicit(attrs, "validFSMOs")) {
348 const struct dsdb_naming_fsmo *naming_fsmo;
349 const struct dsdb_pdc_fsmo *pdc_fsmo;
350 const char *dn_str;
351
352 if (schema && schema->fsmo.we_are_master) {
353 dn_str = ldb_dn_get_linearized(ldb_get_schema_basedn(ldb));
354 if (dn_str && dn_str[0]) {
355 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
356 goto failed;
357 }
358 }
359 }
360
361 naming_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_naming_fsmo"),
362 struct dsdb_naming_fsmo);
363 if (naming_fsmo && naming_fsmo->we_are_master) {
364 dn_str = ldb_dn_get_linearized(samdb_partitions_dn(ldb, msg));
365 if (dn_str && dn_str[0]) {
366 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
367 goto failed;
368 }
369 }
370 }
371
372 pdc_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_pdc_fsmo"),
373 struct dsdb_pdc_fsmo);
374 if (pdc_fsmo && pdc_fsmo->we_are_master) {
375 dn_str = ldb_dn_get_linearized(ldb_get_default_basedn(ldb));
376 if (dn_str && dn_str[0]) {
377 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
378 goto failed;
379 }
380 }
381 }
382 }
383
384 if (do_attribute_explicit(attrs, "vendorVersion")) {
385 if (ldb_msg_add_fmt(msg, "vendorVersion",
386 "%s", SAMBA_VERSION_STRING) != LDB_SUCCESS) {
387 goto failed;
388 }
389 }
390
391 if (do_attribute(attrs, "domainFunctionality")) {
392 if (samdb_msg_add_int(ldb, msg, msg, "domainFunctionality",
393 dsdb_functional_level(ldb)) != LDB_SUCCESS) {
394 goto failed;
395 }
396 }
397
398 if (do_attribute(attrs, "forestFunctionality")) {
399 if (samdb_msg_add_int(ldb, msg, msg, "forestFunctionality",
400 dsdb_forest_functional_level(ldb)) != LDB_SUCCESS) {
401 goto failed;
402 }
403 }
404
405 if (do_attribute(attrs, "domainControllerFunctionality")
406 && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) {
407 if (samdb_msg_add_int(ldb, msg, msg,
408 "domainControllerFunctionality",
409 *val) != LDB_SUCCESS) {
410 goto failed;
411 }
412 }
413
414 if (do_attribute(attrs, "isGlobalCatalogReady")) {
415 /* MS-ADTS 3.1.1.3.2.10
416 Note, we should only return true here is we have
417 completed at least one synchronisation. As both
418 provision and vampire do a full sync, this means we
419 can return true is the gc bit is set in the NTDSDSA
420 options */
421 if (ldb_msg_add_fmt(msg, "isGlobalCatalogReady",
422 "%s", samdb_is_gc(ldb)?"TRUE":"FALSE") != LDB_SUCCESS) {
423 goto failed;
424 }
425 }
426
427 if (do_attribute_explicit(attrs, "tokenGroups")) {
428 unsigned int i;
429 /* Obtain the user's session_info */
430 struct auth_session_info *session_info
431 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
432 if (session_info && session_info->security_token) {
433 /* The list of groups this user is in */
434 for (i = 0; i < session_info->security_token->num_sids; i++) {
435 if (samdb_msg_add_dom_sid(ldb, msg, msg,
436 "tokenGroups",
437 &session_info->security_token->sids[i]) != LDB_SUCCESS) {
438 goto failed;
439 }
440 }
441 }
442 }
443
444 /* TODO: lots more dynamic attributes should be added here */
445
446 edn_control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
447
448 /* if the client sent us the EXTENDED_DN control then we need
449 to expand the DNs to have GUID and SID. W2K8 join relies on
450 this */
451 if (edn_control) {
452 unsigned int i;
453 int ret;
454 for (i=0; dn_attrs[i]; i++) {
455 if (!do_attribute(attrs, dn_attrs[i])) continue;
456 ret = expand_dn_in_message(module, msg, dn_attrs[i],
457 edn_control, req);
458 if (ret != LDB_SUCCESS) {
459 DEBUG(0,(__location__ ": Failed to expand DN in rootDSE for %s\n",
460 dn_attrs[i]));
461 goto failed;
462 }
463 }
464 }
465
466 return LDB_SUCCESS;
467
468 failed:
469 return ldb_operr(ldb);
470 }
471
472 /*
473 handle search requests
474 */
475
476 struct rootdse_context {
477 struct ldb_module *module;
478 struct ldb_request *req;
479 };
480
481 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
482 struct ldb_request *req)
483 {
484 struct ldb_context *ldb;
485 struct rootdse_context *ac;
486
487 ldb = ldb_module_get_ctx(module);
488
489 ac = talloc_zero(req, struct rootdse_context);
490 if (ac == NULL) {
491 ldb_set_errstring(ldb, "Out of Memory");
492 return NULL;
493 }
494
495 ac->module = module;
496 ac->req = req;
497
498 return ac;
499 }
500
501 static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
502 {
503 struct rootdse_context *ac;
504 int ret;
505
506 ac = talloc_get_type(req->context, struct rootdse_context);
507
508 if (!ares) {
509 return ldb_module_done(ac->req, NULL, NULL,
510 LDB_ERR_OPERATIONS_ERROR);
511 }
512 if (ares->error != LDB_SUCCESS) {
513 return ldb_module_done(ac->req, ares->controls,
514 ares->response, ares->error);
515 }
516
517 switch (ares->type) {
518 case LDB_REPLY_ENTRY:
519 /*
520 * if the client explicit asks for the 'netlogon' attribute
521 * the reply_entry needs to be skipped
522 */
523 if (ac->req->op.search.attrs &&
524 ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
525 talloc_free(ares);
526 return LDB_SUCCESS;
527 }
528
529 /* for each record returned post-process to add any dynamic
530 attributes that have been asked for */
531 ret = rootdse_add_dynamic(ac->module, ares->message,
532 ac->req->op.search.attrs, ac->req);
533 if (ret != LDB_SUCCESS) {
534 talloc_free(ares);
535 return ldb_module_done(ac->req, NULL, NULL, ret);
536 }
537
538 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
539
540 case LDB_REPLY_REFERRAL:
541 /* should we allow the backend to return referrals in this case
542 * ?? */
543 break;
544
545 case LDB_REPLY_DONE:
546 return ldb_module_done(ac->req, ares->controls,
547 ares->response, ares->error);
548 }
549
550 talloc_free(ares);
551 return LDB_SUCCESS;
552 }
553
554 /*
555 filter from controls from clients in several ways
556
557 1) mark our registered controls as non-critical in the request
558
559 This is needed as clients may mark controls as critical even if
560 they are not needed at all in a request. For example, the centrify
561 client sets the SD_FLAGS control as critical on ldap modify
562 requests which are setting the dNSHostName attribute on the
563 machine account. That request doesn't need SD_FLAGS at all, but
564 centrify adds it on all ldap requests.
565
566 2) if this request is untrusted then remove any non-registered
567 controls that are non-critical
568
569 This is used on ldap:// connections to prevent remote users from
570 setting an internal control that may be dangerous
571
572 3) if this request is untrusted then fail any request that includes
573 a critical non-registered control
574 */
575 static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request *req)
576 {
577 unsigned int i, j;
578 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
579 bool is_untrusted;
580
581 if (!req->controls) {
582 return LDB_SUCCESS;
583 }
584
585 is_untrusted = ldb_req_is_untrusted(req);
586
587 for (i=0; req->controls[i]; i++) {
588 bool is_registered = false;
589 bool is_critical = (req->controls[i]->critical != 0);
590
591 if (req->controls[i]->oid == NULL) {
592 continue;
593 }
594
595 if (is_untrusted || is_critical) {
596 for (j=0; j<priv->num_controls; j++) {
597 if (strcasecmp(priv->controls[j], req->controls[i]->oid) == 0) {
598 is_registered = true;
599 break;
600 }
601 }
602 }
603
604 if (is_untrusted && !is_registered) {
605 if (!is_critical) {
606 /* remove it by marking the oid NULL */
607 req->controls[i]->oid = NULL;
608 req->controls[i]->data = NULL;
609 req->controls[i]->critical = 0;
610 continue;
611 }
612 /* its a critical unregistered control - give
613 an error */
614 ldb_asprintf_errstring(ldb_module_get_ctx(module),
615 "Attempt to use critical non-registered control '%s'",
616 req->controls[i]->oid);
617 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
618 }
619
620 if (!is_critical) {
621 continue;
622 }
623
624 /* If the control is DIRSYNC control then we keep the critical
625 * flag as the dirsync module will need to act upon it
626 */
627 if (is_registered && strcmp(req->controls[i]->oid,
628 LDB_CONTROL_DIRSYNC_OID)!= 0) {
629 req->controls[i]->critical = 0;
630 }
631 }
632
633 return LDB_SUCCESS;
634 }
635
636 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
637
638 static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req)
639 {
640 struct auth_session_info *session_info;
641 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
642 bool is_untrusted = ldb_req_is_untrusted(req);
643 bool is_anonymous = true;
644 if (is_untrusted == false) {
645 return LDB_SUCCESS;
646 }
647
648 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
649 if (session_info) {
650 is_anonymous = security_token_is_anonymous(session_info->security_token);
651 }
652
653 if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
654 return LDB_SUCCESS;
655 }
656
657 if (req->operation == LDB_SEARCH) {
658 if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
659 return LDB_SUCCESS;
660 }
661 }
662 ldb_set_errstring(ldb_module_get_ctx(module), "Operation unavailable without authentication");
663 return LDB_ERR_OPERATIONS_ERROR;
664 }
665
666 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
667 {
668 struct ldb_context *ldb;
669 struct rootdse_context *ac;
670 struct ldb_request *down_req;
671 int ret;
672
673 ret = rootdse_filter_operations(module, req);
674 if (ret != LDB_SUCCESS) {
675 return ret;
676 }
677
678 ret = rootdse_filter_controls(module, req);
679 if (ret != LDB_SUCCESS) {
680 return ret;
681 }
682
683 ldb = ldb_module_get_ctx(module);
684
685 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
686 if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
687 /* Otherwise, pass down to the rest of the stack */
688 return ldb_next_request(module, req);
689 }
690
691 ac = rootdse_init_context(module, req);
692 if (ac == NULL) {
693 return ldb_operr(ldb);
694 }
695
696 /* in our db we store the rootDSE with a DN of @ROOTDSE */
697 ret = ldb_build_search_req(&down_req, ldb, ac,
698 ldb_dn_new(ac, ldb, "@ROOTDSE"),
699 LDB_SCOPE_BASE,
700 NULL,
701 req->op.search.attrs,
702 NULL,/* for now skip the controls from the client */
703 ac, rootdse_callback,
704 req);
705 LDB_REQ_SET_LOCATION(down_req);
706 if (ret != LDB_SUCCESS) {
707 return ret;
708 }
709
710 return ldb_next_request(module, down_req);
711 }
712
713 static int rootdse_register_control(struct ldb_module *module, struct ldb_request *req)
714 {
715 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
716 char **list;
717
718 list = talloc_realloc(priv, priv->controls, char *, priv->num_controls + 1);
719 if (!list) {
720 return ldb_oom(ldb_module_get_ctx(module));
721 }
722
723 list[priv->num_controls] = talloc_strdup(list, req->op.reg_control.oid);
724 if (!list[priv->num_controls]) {
725 return ldb_oom(ldb_module_get_ctx(module));
726 }
727
728 priv->num_controls += 1;
729 priv->controls = list;
730
731 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
732 }
733
734 static int rootdse_register_partition(struct ldb_module *module, struct ldb_request *req)
735 {
736 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
737 struct ldb_dn **list;
738
739 list = talloc_realloc(priv, priv->partitions, struct ldb_dn *, priv->num_partitions + 1);
740 if (!list) {
741 return ldb_oom(ldb_module_get_ctx(module));
742 }
743
744 list[priv->num_partitions] = ldb_dn_copy(list, req->op.reg_partition.dn);
745 if (!list[priv->num_partitions]) {
746 return ldb_operr(ldb_module_get_ctx(module));
747 }
748
749 priv->num_partitions += 1;
750 priv->partitions = list;
751
752 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
753 }
754
755
756 static int rootdse_request(struct ldb_module *module, struct ldb_request *req)
757 {
758 switch (req->operation) {
759
760 case LDB_REQ_REGISTER_CONTROL:
761 return rootdse_register_control(module, req);
762 case LDB_REQ_REGISTER_PARTITION:
763 return rootdse_register_partition(module, req);
764
765 default:
766 break;
767 }
768 return ldb_next_request(module, req);
769 }
770
771 static int rootdse_init(struct ldb_module *module)
772 {
773 int ret;
774 struct ldb_context *ldb;
775 struct ldb_result *res;
776 struct private_data *data;
777 const char *attrs[] = { "msDS-Behavior-Version", NULL };
778 const char *ds_attrs[] = { "dsServiceName", NULL };
779 TALLOC_CTX *mem_ctx;
780
781 ldb = ldb_module_get_ctx(module);
782
783 data = talloc_zero(module, struct private_data);
784 if (data == NULL) {
785 return ldb_oom(ldb);
786 }
787
788 data->num_controls = 0;
789 data->controls = NULL;
790 data->num_partitions = 0;
791 data->partitions = NULL;
792 data->block_anonymous = true;
793
794 ldb_module_set_private(module, data);
795
796 ldb_set_default_dns(ldb);
797
798 ret = ldb_next_init(module);
799
800 if (ret != LDB_SUCCESS) {
801 return ret;
802 }
803
804 mem_ctx = talloc_new(data);
805 if (!mem_ctx) {
806 return ldb_oom(ldb);
807 }
808
809 /* Now that the partitions are set up, do a search for:
810 - domainControllerFunctionality
811 - domainFunctionality
812 - forestFunctionality
813
814 Then stuff these values into an opaque
815 */
816 ret = dsdb_module_search(module, mem_ctx, &res,
817 ldb_get_default_basedn(ldb),
818 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
819 if (ret == LDB_SUCCESS && res->count == 1) {
820 int domain_behaviour_version
821 = ldb_msg_find_attr_as_int(res->msgs[0],
822 "msDS-Behavior-Version", -1);
823 if (domain_behaviour_version != -1) {
824 int *val = talloc(ldb, int);
825 if (!val) {
826 talloc_free(mem_ctx);
827 return ldb_oom(ldb);
828 }
829 *val = domain_behaviour_version;
830 ret = ldb_set_opaque(ldb, "domainFunctionality", val);
831 if (ret != LDB_SUCCESS) {
832 talloc_free(mem_ctx);
833 return ret;
834 }
835 }
836 }
837
838 ret = dsdb_module_search(module, mem_ctx, &res,
839 samdb_partitions_dn(ldb, mem_ctx),
840 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
841 if (ret == LDB_SUCCESS && res->count == 1) {
842 int forest_behaviour_version
843 = ldb_msg_find_attr_as_int(res->msgs[0],
844 "msDS-Behavior-Version", -1);
845 if (forest_behaviour_version != -1) {
846 int *val = talloc(ldb, int);
847 if (!val) {
848 talloc_free(mem_ctx);
849 return ldb_oom(ldb);
850 }
851 *val = forest_behaviour_version;
852 ret = ldb_set_opaque(ldb, "forestFunctionality", val);
853 if (ret != LDB_SUCCESS) {
854 talloc_free(mem_ctx);
855 return ret;
856 }
857 }
858 }
859
860 /* For now, our own server's location in the DB is recorded in
861 * the @ROOTDSE record */
862 ret = dsdb_module_search(module, mem_ctx, &res,
863 ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
864 LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
865 if (ret == LDB_SUCCESS && res->count == 1) {
866 struct ldb_dn *ds_dn
867 = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
868 "dsServiceName");
869 if (ds_dn) {
870 ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
871 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
872 if (ret == LDB_SUCCESS && res->count == 1) {
873 int domain_controller_behaviour_version
874 = ldb_msg_find_attr_as_int(res->msgs[0],
875 "msDS-Behavior-Version", -1);
876 if (domain_controller_behaviour_version != -1) {
877 int *val = talloc(ldb, int);
878 if (!val) {
879 talloc_free(mem_ctx);
880 return ldb_oom(ldb);
881 }
882 *val = domain_controller_behaviour_version;
883 ret = ldb_set_opaque(ldb,
884 "domainControllerFunctionality", val);
885 if (ret != LDB_SUCCESS) {
886 talloc_free(mem_ctx);
887 return ret;
888 }
889 }
890 }
891 }
892 }
893
894 data->block_anonymous = dsdb_block_anonymous_ops(module, NULL);
895
896 talloc_free(mem_ctx);
897
898 return LDB_SUCCESS;
899 }
900
901 /*
902 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
903 * to a DN and a GUID object
904 */
905 static int get_optional_feature_dn_guid(struct ldb_request *req, struct ldb_context *ldb,
906 TALLOC_CTX *mem_ctx,
907 struct ldb_dn **op_feature_scope_dn,
908 struct GUID *op_feature_guid)
909 {
910 const struct ldb_message *msg = req->op.mod.message;
911 const char *ldb_val_str;
912 char *dn, *guid;
913 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
914 NTSTATUS status;
915
916 ldb_val_str = ldb_msg_find_attr_as_string(msg, "enableOptionalFeature", NULL);
917 if (!ldb_val_str) {
918 ldb_set_errstring(ldb,
919 "rootdse: unable to find 'enableOptionalFeature'!");
920 return LDB_ERR_UNWILLING_TO_PERFORM;
921 }
922
923 guid = strchr(ldb_val_str, ':');
924 if (!guid) {
925 ldb_set_errstring(ldb,
926 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
927 return LDB_ERR_UNWILLING_TO_PERFORM;
928 }
929 status = GUID_from_string(guid+1, op_feature_guid);
930 if (!NT_STATUS_IS_OK(status)) {
931 ldb_set_errstring(ldb,
932 "rootdse: bad GUID in 'enableOptionalFeature'!");
933 return LDB_ERR_UNWILLING_TO_PERFORM;
934 }
935
936 dn = talloc_strndup(tmp_ctx, ldb_val_str, guid-ldb_val_str);
937 if (!dn) {
938 ldb_set_errstring(ldb,
939 "rootdse: bad DN in 'enableOptionalFeature'!");
940 return LDB_ERR_UNWILLING_TO_PERFORM;
941 }
942
943 *op_feature_scope_dn = ldb_dn_new(mem_ctx, ldb, dn);
944
945 talloc_free(tmp_ctx);
946 return LDB_SUCCESS;
947 }
948
949 /*
950 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
951 * ldb_message object.
952 */
953 static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_context *ldb,
954 TALLOC_CTX *mem_ctx, struct GUID op_feature_guid, struct ldb_message **msg,
955 struct ldb_request *parent)
956 {
957 struct ldb_result *res;
958 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
959 int ret;
960
961 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
962 NULL,
963 DSDB_FLAG_NEXT_MODULE |
964 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
965 parent,
966 "(&(objectClass=msDS-OptionalFeature)"
967 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
968
969 if (ret != LDB_SUCCESS) {
970 talloc_free(tmp_ctx);
971 return ret;
972 }
973 if (res->count == 0) {
974 talloc_free(tmp_ctx);
975 return LDB_ERR_NO_SUCH_OBJECT;
976 }
977 if (res->count != 1) {
978 ldb_asprintf_errstring(ldb,
979 "More than one object found matching optional feature GUID %s\n",
980 GUID_string(tmp_ctx, &op_feature_guid));
981 talloc_free(tmp_ctx);
982 return LDB_ERR_OPERATIONS_ERROR;
983 }
984
985 *msg = talloc_steal(mem_ctx, res->msgs[0]);
986
987 talloc_free(tmp_ctx);
988 return LDB_SUCCESS;
989 }
990
991 static int rootdse_enable_recycle_bin(struct ldb_module *module,struct ldb_context *ldb,
992 TALLOC_CTX *mem_ctx, struct ldb_dn *op_feature_scope_dn,
993 struct ldb_message *op_feature_msg, struct ldb_request *parent)
994 {
995 int ret;
996 const int domain_func_level = dsdb_functional_level(ldb);
997 struct ldb_dn *ntds_settings_dn;
998 TALLOC_CTX *tmp_ctx;
999 unsigned int el_count = 0;
1000 struct ldb_message *msg;
1001
1002 ret = ldb_msg_find_attr_as_int(op_feature_msg, "msDS-RequiredForestBehaviorVersion", 0);
1003 if (domain_func_level < ret){
1004 ldb_asprintf_errstring(ldb,
1005 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
1006 ret);
1007 return LDB_ERR_UNWILLING_TO_PERFORM;
1008 }
1009
1010 tmp_ctx = talloc_new(mem_ctx);
1011 ntds_settings_dn = samdb_ntds_settings_dn(ldb);
1012 if (!ntds_settings_dn) {
1013 talloc_free(tmp_ctx);
1014 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to find NTDS settings DN");
1015 }
1016
1017 ntds_settings_dn = ldb_dn_copy(tmp_ctx, ntds_settings_dn);
1018 if (!ntds_settings_dn) {
1019 talloc_free(tmp_ctx);
1020 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to copy NTDS settings DN");
1021 }
1022
1023 msg = ldb_msg_new(tmp_ctx);
1024 msg->dn = ntds_settings_dn;
1025
1026 ldb_msg_add_linearized_dn(msg, "msDS-EnabledFeature", op_feature_msg->dn);
1027 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
1028
1029 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1030 if (ret != LDB_SUCCESS) {
1031 ldb_asprintf_errstring(ldb,
1032 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1033 ldb_dn_get_linearized(ntds_settings_dn),
1034 ldb_errstring(ldb));
1035 talloc_free(tmp_ctx);
1036 return ret;
1037 }
1038
1039 msg->dn = op_feature_scope_dn;
1040 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1041 if (ret != LDB_SUCCESS) {
1042 ldb_asprintf_errstring(ldb,
1043 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1044 ldb_dn_get_linearized(op_feature_scope_dn),
1045 ldb_errstring(ldb));
1046 talloc_free(tmp_ctx);
1047 return ret;
1048 }
1049
1050 return LDB_SUCCESS;
1051 }
1052
1053 static int rootdse_enableoptionalfeature(struct ldb_module *module, struct ldb_request *req)
1054 {
1055 /*
1056 steps:
1057 - check for system (only system can enable features)
1058 - extract GUID from the request
1059 - find the feature object
1060 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1061 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1062 - add/modify objects (see ntdsconnection code for an example)
1063 */
1064
1065 struct ldb_context *ldb = ldb_module_get_ctx(module);
1066 struct GUID op_feature_guid;
1067 struct ldb_dn *op_feature_scope_dn;
1068 struct ldb_message *op_feature_msg;
1069 struct auth_session_info *session_info =
1070 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
1071 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1072 int ret;
1073 const char *guid_string;
1074
1075 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
1076 ldb_set_errstring(ldb, "rootdse: Insufficient rights for enableoptionalfeature");
1077 return LDB_ERR_UNWILLING_TO_PERFORM;
1078 }
1079
1080 ret = get_optional_feature_dn_guid(req, ldb, tmp_ctx, &op_feature_scope_dn, &op_feature_guid);
1081 if (ret != LDB_SUCCESS) {
1082 talloc_free(tmp_ctx);
1083 return ret;
1084 }
1085
1086 guid_string = GUID_string(tmp_ctx, &op_feature_guid);
1087 if (!guid_string) {
1088 ldb_set_errstring(ldb, "rootdse: bad optional feature GUID");
1089 return LDB_ERR_UNWILLING_TO_PERFORM;
1090 }
1091
1092 ret = dsdb_find_optional_feature(module, ldb, tmp_ctx, op_feature_guid, &op_feature_msg, req);
1093 if (ret != LDB_SUCCESS) {
1094 ldb_asprintf_errstring(ldb,
1095 "rootdse: unable to find optional feature for %s - %s",
1096 guid_string, ldb_errstring(ldb));
1097 talloc_free(tmp_ctx);
1098 return ret;
1099 }
1100
1101 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN, guid_string) == 0) {
1102 ret = rootdse_enable_recycle_bin(module, ldb,
1103 tmp_ctx, op_feature_scope_dn,
1104 op_feature_msg, req);
1105 } else {
1106 ldb_asprintf_errstring(ldb,
1107 "rootdse: unknown optional feature %s",
1108 guid_string);
1109 talloc_free(tmp_ctx);
1110 return LDB_ERR_UNWILLING_TO_PERFORM;
1111 }
1112 if (ret != LDB_SUCCESS) {
1113 ldb_asprintf_errstring(ldb,
1114 "rootdse: failed to set optional feature for %s - %s",
1115 guid_string, ldb_errstring(ldb));
1116 talloc_free(tmp_ctx);
1117 return ret;
1118 }
1119
1120 talloc_free(tmp_ctx);
1121 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);;
1122 }
1123
1124 static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request *req)
1125 {
1126 struct ldb_context *ldb = ldb_module_get_ctx(module);
1127 struct ldb_result *ext_res;
1128 int ret;
1129 struct ldb_dn *schema_dn;
1130
1131 schema_dn = ldb_get_schema_basedn(ldb);
1132 if (!schema_dn) {
1133 ldb_reset_err_string(ldb);
1134 ldb_debug(ldb, LDB_DEBUG_WARNING,
1135 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1136 return ldb_next_request(module, req);
1137 }
1138
1139 ret = ldb_extended(ldb, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID, schema_dn, &ext_res);
1140 if (ret != LDB_SUCCESS) {
1141 return ldb_operr(ldb);
1142 }
1143
1144 talloc_free(ext_res);
1145 return ldb_module_done(req, NULL, NULL, ret);
1146 }
1147
1148 static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
1149 {
1150 struct ldb_context *ldb = ldb_module_get_ctx(module);
1151 int ret;
1152
1153 ret = rootdse_filter_operations(module, req);
1154 if (ret != LDB_SUCCESS) {
1155 return ret;
1156 }
1157
1158 ret = rootdse_filter_controls(module, req);
1159 if (ret != LDB_SUCCESS) {
1160 return ret;
1161 }
1162
1163 /*
1164 If dn is not "" we should let it pass through
1165 */
1166 if (!ldb_dn_is_null(req->op.add.message->dn)) {
1167 return ldb_next_request(module, req);
1168 }
1169
1170 ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
1171 return LDB_ERR_NAMING_VIOLATION;
1172 }
1173
1174 struct fsmo_transfer_state {
1175 struct ldb_context *ldb;
1176 struct ldb_request *req;
1177 };
1178
1179 /*
1180 called when a FSMO transfer operation has completed
1181 */
1182 static void rootdse_fsmo_transfer_callback(struct tevent_req *treq)
1183 {
1184 struct fsmo_transfer_state *fsmo = tevent_req_callback_data(treq, struct fsmo_transfer_state);
1185 NTSTATUS status;
1186 WERROR werr;
1187 struct ldb_request *req = fsmo->req;
1188 struct ldb_context *ldb = fsmo->ldb;
1189
1190 status = dcerpc_drepl_takeFSMORole_recv(treq, fsmo, &werr);
1191 talloc_free(fsmo);
1192 if (!NT_STATUS_IS_OK(status)) {
1193 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", nt_errstr(status));
1194 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1195 return;
1196 }
1197 if (!W_ERROR_IS_OK(werr)) {
1198 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", win_errstr(werr));
1199 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1200 return;
1201 }
1202
1203 ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1204 }
1205
1206 static int rootdse_become_master(struct ldb_module *module,
1207 struct ldb_request *req,
1208 enum drepl_role_master role)
1209 {
1210 struct imessaging_context *msg;
1211 struct ldb_context *ldb = ldb_module_get_ctx(module);
1212 TALLOC_CTX *tmp_ctx = talloc_new(req);
1213 struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
1214 bool am_rodc;
1215 struct dcerpc_binding_handle *irpc_handle;
1216 int ret;
1217 struct auth_session_info *session_info;
1218 enum security_user_level level;
1219 struct fsmo_transfer_state *fsmo;
1220 struct tevent_req *treq;
1221
1222 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
1223 level = security_session_user_level(session_info, NULL);
1224 if (level < SECURITY_ADMINISTRATOR) {
1225 return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
1226 }
1227
1228 ret = samdb_rodc(ldb, &am_rodc);
1229 if (ret != LDB_SUCCESS) {
1230 return ldb_error(ldb, ret, "Could not determine if server is RODC.");
1231 }
1232
1233 if (am_rodc) {
1234 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1235 "RODC cannot become a role master.");
1236 }
1237
1238 msg = imessaging_client_init(tmp_ctx, lpcfg_imessaging_path(tmp_ctx, lp_ctx),
1239 ldb_get_event_context(ldb));
1240 if (!msg) {
1241 ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s", lpcfg_imessaging_path(tmp_ctx, lp_ctx));
1242 return LDB_ERR_OPERATIONS_ERROR;
1243 }
1244 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
1245 "dreplsrv",
1246 &ndr_table_irpc);
1247 if (irpc_handle == NULL) {
1248 return ldb_oom(ldb);
1249 }
1250 fsmo = talloc_zero(req, struct fsmo_transfer_state);
1251 if (fsmo == NULL) {
1252 return ldb_oom(ldb);
1253 }
1254 fsmo->ldb = ldb;
1255 fsmo->req = req;
1256
1257 /* we send the call asynchronously, as the ldap client is
1258 * expecting to get an error back if the role transfer fails
1259 */
1260
1261 treq = dcerpc_drepl_takeFSMORole_send(req, ldb_get_event_context(ldb), irpc_handle, role);
1262 if (treq == NULL) {
1263 return ldb_oom(ldb);
1264 }
1265
1266 tevent_req_set_callback(treq, rootdse_fsmo_transfer_callback, fsmo);
1267 return LDB_SUCCESS;
1268 }
1269
1270 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
1271 {
1272 struct ldb_context *ldb = ldb_module_get_ctx(module);
1273 int ret;
1274
1275 ret = rootdse_filter_operations(module, req);
1276 if (ret != LDB_SUCCESS) {
1277 return ret;
1278 }
1279
1280 ret = rootdse_filter_controls(module, req);
1281 if (ret != LDB_SUCCESS) {
1282 return ret;
1283 }
1284
1285 /*
1286 If dn is not "" we should let it pass through
1287 */
1288 if (!ldb_dn_is_null(req->op.mod.message->dn)) {
1289 return ldb_next_request(module, req);
1290 }
1291
1292 /*
1293 dn is empty so check for schemaUpdateNow attribute
1294 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1295 */
1296 if (ldb_msg_find_element(req->op.mod.message, "schemaUpdateNow")) {
1297 return rootdse_schemaupdatenow(module, req);
1298 }
1299 if (ldb_msg_find_element(req->op.mod.message, "becomeDomainMaster")) {
1300 return rootdse_become_master(module, req, DREPL_NAMING_MASTER);
1301 }
1302 if (ldb_msg_find_element(req->op.mod.message, "becomeInfrastructureMaster")) {
1303 return rootdse_become_master(module, req, DREPL_INFRASTRUCTURE_MASTER);
1304 }
1305 if (ldb_msg_find_element(req->op.mod.message, "becomeRidMaster")) {
1306 return rootdse_become_master(module, req, DREPL_RID_MASTER);
1307 }
1308 if (ldb_msg_find_element(req->op.mod.message, "becomeSchemaMaster")) {
1309 return rootdse_become_master(module, req, DREPL_SCHEMA_MASTER);
1310 }
1311 if (ldb_msg_find_element(req->op.mod.message, "becomePdc")) {
1312 return rootdse_become_master(module, req, DREPL_PDC_MASTER);
1313 }
1314 if (ldb_msg_find_element(req->op.mod.message, "enableOptionalFeature")) {
1315 return rootdse_enableoptionalfeature(module, req);
1316 }
1317
1318 ldb_set_errstring(ldb, "rootdse_modify: unknown attribute to change!");
1319 return LDB_ERR_UNWILLING_TO_PERFORM;
1320 }
1321
1322 static int rootdse_rename(struct ldb_module *module, struct ldb_request *req)
1323 {
1324 struct ldb_context *ldb = ldb_module_get_ctx(module);
1325 int ret;
1326
1327 ret = rootdse_filter_operations(module, req);
1328 if (ret != LDB_SUCCESS) {
1329 return ret;
1330 }
1331
1332 ret = rootdse_filter_controls(module, req);
1333 if (ret != LDB_SUCCESS) {
1334 return ret;
1335 }
1336
1337 /*
1338 If dn is not "" we should let it pass through
1339 */
1340 if (!ldb_dn_is_null(req->op.rename.olddn)) {
1341 return ldb_next_request(module, req);
1342 }
1343
1344 ldb_set_errstring(ldb, "rootdse_remove: you cannot rename the rootdse entry!");
1345 return LDB_ERR_NO_SUCH_OBJECT;
1346 }
1347
1348 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
1349 {
1350 struct ldb_context *ldb = ldb_module_get_ctx(module);
1351 int ret;
1352
1353 ret = rootdse_filter_operations(module, req);
1354 if (ret != LDB_SUCCESS) {
1355 return ret;
1356 }
1357
1358 ret = rootdse_filter_controls(module, req);
1359 if (ret != LDB_SUCCESS) {
1360 return ret;
1361 }
1362
1363 /*
1364 If dn is not "" we should let it pass through
1365 */
1366 if (!ldb_dn_is_null(req->op.del.dn)) {
1367 return ldb_next_request(module, req);
1368 }
1369
1370 ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
1371 return LDB_ERR_NO_SUCH_OBJECT;
1372 }
1373
1374 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
1375 {
1376 int ret;
1377
1378 ret = rootdse_filter_operations(module, req);
1379 if (ret != LDB_SUCCESS) {
1380 return ret;
1381 }
1382
1383 ret = rootdse_filter_controls(module, req);
1384 if (ret != LDB_SUCCESS) {
1385 return ret;
1386 }
1387
1388 return ldb_next_request(module, req);
1389 }
1390
1391 static const struct ldb_module_ops ldb_rootdse_module_ops = {
1392 .name = "rootdse",
1393 .init_context = rootdse_init,
1394 .search = rootdse_search,
1395 .request = rootdse_request,
1396 .add = rootdse_add,
1397 .modify = rootdse_modify,
1398 .rename = rootdse_rename,
1399 .extended = rootdse_extended,
1400 .del = rootdse_delete
1401 };
1402
1403 int ldb_rootdse_module_init(const char *version)
1404 {
1405 LDB_MODULE_CHECK_VERSION(version);
1406 return ldb_register_module(&ldb_rootdse_module_ops);
1407 }
reg import