2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include <ldb_module.h>
26 #include "system/time.h"
27 #include "dsdb/samdb/samdb.h"
29 #include "dsdb/samdb/ldb_modules/util.h"
30 #include "libcli/security/security.h"
31 #include "librpc/ndr/libndr.h"
32 #include "auth/auth.h"
33 #include "param/param.h"
34 #include "lib/messaging/irpc.h"
35 #include "librpc/gen_ndr/ndr_irpc_c.h"
38 unsigned int num_controls
;
40 unsigned int num_partitions
;
41 struct ldb_dn
**partitions
;
46 return 1 if a specific attribute has been requested
48 static int do_attribute(const char * const *attrs
, const char *name
)
50 return attrs
== NULL
||
51 ldb_attr_in_list(attrs
, name
) ||
52 ldb_attr_in_list(attrs
, "*");
55 static int do_attribute_explicit(const char * const *attrs
, const char *name
)
57 return attrs
!= NULL
&& ldb_attr_in_list(attrs
, name
);
62 expand a DN attribute to include extended DN information if requested
64 static int expand_dn_in_message(struct ldb_module
*module
, struct ldb_message
*msg
,
65 const char *attrname
, struct ldb_control
*edn_control
,
66 struct ldb_request
*req
)
68 struct ldb_dn
*dn
, *dn2
;
71 struct ldb_request
*req2
;
73 const char *no_attrs
[] = { NULL
};
74 struct ldb_result
*res
;
75 struct ldb_extended_dn_control
*edn
;
76 TALLOC_CTX
*tmp_ctx
= talloc_new(req
);
77 struct ldb_context
*ldb
;
80 struct ldb_message_element
*el
;
82 ldb
= ldb_module_get_ctx(module
);
84 edn
= talloc_get_type(edn_control
->data
, struct ldb_extended_dn_control
);
89 el
= ldb_msg_find_element(msg
, attrname
);
90 if (!el
|| el
->num_values
== 0) {
94 for (i
= 0; i
< el
->num_values
; i
++) {
101 dn_string
= talloc_strndup(tmp_ctx
, (const char *)v
->data
, v
->length
);
102 if (dn_string
== NULL
) {
103 talloc_free(tmp_ctx
);
104 return ldb_operr(ldb
);
107 res
= talloc_zero(tmp_ctx
, struct ldb_result
);
109 talloc_free(tmp_ctx
);
110 return ldb_operr(ldb
);
113 dn
= ldb_dn_new(tmp_ctx
, ldb
, dn_string
);
115 talloc_free(tmp_ctx
);
116 return ldb_operr(ldb
);
119 ret
= ldb_build_search_req(&req2
, ldb
, tmp_ctx
,
125 res
, ldb_search_default_callback
,
127 LDB_REQ_SET_LOCATION(req2
);
128 if (ret
!= LDB_SUCCESS
) {
129 talloc_free(tmp_ctx
);
134 ret
= ldb_request_add_control(req2
,
135 LDB_CONTROL_EXTENDED_DN_OID
,
136 edn_control
->critical
, edn
);
137 if (ret
!= LDB_SUCCESS
) {
138 talloc_free(tmp_ctx
);
139 return ldb_error(ldb
, ret
, "Failed to add control");
142 ret
= ldb_next_request(module
, req2
);
143 if (ret
== LDB_SUCCESS
) {
144 ret
= ldb_wait(req2
->handle
, LDB_WAIT_ALL
);
147 if (ret
!= LDB_SUCCESS
) {
148 talloc_free(tmp_ctx
);
152 if (!res
|| res
->count
!= 1) {
153 talloc_free(tmp_ctx
);
154 return ldb_operr(ldb
);
157 dn2
= res
->msgs
[0]->dn
;
159 v
->data
= (uint8_t *)ldb_dn_get_extended_linearized(msg
->elements
, dn2
, edn_type
);
160 if (v
->data
== NULL
) {
161 talloc_free(tmp_ctx
);
162 return ldb_operr(ldb
);
164 v
->length
= strlen((char *)v
->data
);
167 talloc_free(tmp_ctx
);
174 add dynamically generated attributes to rootDSE result
176 static int rootdse_add_dynamic(struct ldb_module
*module
, struct ldb_message
*msg
,
177 const char * const *attrs
, struct ldb_request
*req
)
179 struct ldb_context
*ldb
;
180 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
182 const struct dsdb_schema
*schema
;
184 struct ldb_control
*edn_control
;
185 const char *dn_attrs
[] = {
186 "configurationNamingContext",
187 "defaultNamingContext",
189 "rootDomainNamingContext",
190 "schemaNamingContext",
195 ldb
= ldb_module_get_ctx(module
);
196 schema
= dsdb_get_schema(ldb
, NULL
);
198 msg
->dn
= ldb_dn_new(msg
, ldb
, NULL
);
200 /* don't return the distinguishedName, cn and name attributes */
201 ldb_msg_remove_attr(msg
, "distinguishedName");
202 ldb_msg_remove_attr(msg
, "cn");
203 ldb_msg_remove_attr(msg
, "name");
205 if (do_attribute(attrs
, "serverName")) {
206 if (ldb_msg_add_linearized_dn(msg
, "serverName",
207 samdb_server_dn(ldb
, msg
)) != LDB_SUCCESS
) {
212 if (do_attribute(attrs
, "dnsHostName")) {
213 struct ldb_result
*res
;
215 const char *dns_attrs
[] = { "dNSHostName", NULL
};
216 ret
= dsdb_module_search_dn(module
, msg
, &res
, samdb_server_dn(ldb
, msg
),
217 dns_attrs
, DSDB_FLAG_NEXT_MODULE
, req
);
218 if (ret
== LDB_SUCCESS
) {
219 const char *hostname
= ldb_msg_find_attr_as_string(res
->msgs
[0], "dNSHostName", NULL
);
220 if (hostname
!= NULL
) {
221 if (ldb_msg_add_string(msg
, "dNSHostName", hostname
)) {
228 if (do_attribute(attrs
, "ldapServiceName")) {
229 struct loadparm_context
*lp_ctx
230 = talloc_get_type(ldb_get_opaque(ldb
, "loadparm"),
231 struct loadparm_context
);
232 char *ldap_service_name
, *hostname
;
234 hostname
= strlower_talloc(msg
, lpcfg_netbios_name(lp_ctx
));
235 if (hostname
== NULL
) {
239 ldap_service_name
= talloc_asprintf(msg
, "%s:%s$@%s",
240 samdb_forest_name(ldb
, msg
),
241 hostname
, lpcfg_realm(lp_ctx
));
242 if (ldap_service_name
== NULL
) {
246 if (ldb_msg_add_string(msg
, "ldapServiceName",
247 ldap_service_name
) != LDB_SUCCESS
) {
252 if (do_attribute(attrs
, "currentTime")) {
253 if (ldb_msg_add_steal_string(msg
, "currentTime",
254 ldb_timestring(msg
, time(NULL
))) != LDB_SUCCESS
) {
259 if (priv
&& do_attribute(attrs
, "supportedControl")) {
261 for (i
= 0; i
< priv
->num_controls
; i
++) {
262 char *control
= talloc_strdup(msg
, priv
->controls
[i
]);
266 if (ldb_msg_add_steal_string(msg
, "supportedControl",
267 control
) != LDB_SUCCESS
) {
273 if (priv
&& do_attribute(attrs
, "namingContexts")) {
275 for (i
= 0; i
< priv
->num_partitions
; i
++) {
276 struct ldb_dn
*dn
= priv
->partitions
[i
];
277 if (ldb_msg_add_steal_string(msg
, "namingContexts",
278 ldb_dn_alloc_linearized(msg
, dn
)) != LDB_SUCCESS
) {
284 server_sasl
= talloc_get_type(ldb_get_opaque(ldb
, "supportedSASLMechanisms"),
286 if (server_sasl
&& do_attribute(attrs
, "supportedSASLMechanisms")) {
288 for (i
= 0; server_sasl
&& server_sasl
[i
]; i
++) {
289 char *sasl_name
= talloc_strdup(msg
, server_sasl
[i
]);
293 if (ldb_msg_add_steal_string(msg
, "supportedSASLMechanisms",
294 sasl_name
) != LDB_SUCCESS
) {
300 if (do_attribute(attrs
, "highestCommittedUSN")) {
302 int ret
= ldb_sequence_number(ldb
, LDB_SEQ_HIGHEST_SEQ
, &seq_num
);
303 if (ret
== LDB_SUCCESS
) {
304 if (samdb_msg_add_uint64(ldb
, msg
, msg
,
305 "highestCommittedUSN",
306 seq_num
) != LDB_SUCCESS
) {
312 if (schema
&& do_attribute_explicit(attrs
, "dsSchemaAttrCount")) {
313 struct dsdb_attribute
*cur
;
316 for (cur
= schema
->attributes
; cur
; cur
= cur
->next
) {
320 if (samdb_msg_add_uint(ldb
, msg
, msg
, "dsSchemaAttrCount",
326 if (schema
&& do_attribute_explicit(attrs
, "dsSchemaClassCount")) {
327 struct dsdb_class
*cur
;
330 for (cur
= schema
->classes
; cur
; cur
= cur
->next
) {
334 if (samdb_msg_add_uint(ldb
, msg
, msg
, "dsSchemaClassCount",
340 if (schema
&& do_attribute_explicit(attrs
, "dsSchemaPrefixCount")) {
341 if (samdb_msg_add_uint(ldb
, msg
, msg
, "dsSchemaPrefixCount",
342 schema
->prefixmap
->length
) != LDB_SUCCESS
) {
347 if (do_attribute_explicit(attrs
, "validFSMOs")) {
348 const struct dsdb_naming_fsmo
*naming_fsmo
;
349 const struct dsdb_pdc_fsmo
*pdc_fsmo
;
352 if (schema
&& schema
->fsmo
.we_are_master
) {
353 dn_str
= ldb_dn_get_linearized(ldb_get_schema_basedn(ldb
));
354 if (dn_str
&& dn_str
[0]) {
355 if (ldb_msg_add_fmt(msg
, "validFSMOs", "%s", dn_str
) != LDB_SUCCESS
) {
361 naming_fsmo
= talloc_get_type(ldb_get_opaque(ldb
, "dsdb_naming_fsmo"),
362 struct dsdb_naming_fsmo
);
363 if (naming_fsmo
&& naming_fsmo
->we_are_master
) {
364 dn_str
= ldb_dn_get_linearized(samdb_partitions_dn(ldb
, msg
));
365 if (dn_str
&& dn_str
[0]) {
366 if (ldb_msg_add_fmt(msg
, "validFSMOs", "%s", dn_str
) != LDB_SUCCESS
) {
372 pdc_fsmo
= talloc_get_type(ldb_get_opaque(ldb
, "dsdb_pdc_fsmo"),
373 struct dsdb_pdc_fsmo
);
374 if (pdc_fsmo
&& pdc_fsmo
->we_are_master
) {
375 dn_str
= ldb_dn_get_linearized(ldb_get_default_basedn(ldb
));
376 if (dn_str
&& dn_str
[0]) {
377 if (ldb_msg_add_fmt(msg
, "validFSMOs", "%s", dn_str
) != LDB_SUCCESS
) {
384 if (do_attribute_explicit(attrs
, "vendorVersion")) {
385 if (ldb_msg_add_fmt(msg
, "vendorVersion",
386 "%s", SAMBA_VERSION_STRING
) != LDB_SUCCESS
) {
391 if (do_attribute(attrs
, "domainFunctionality")) {
392 if (samdb_msg_add_int(ldb
, msg
, msg
, "domainFunctionality",
393 dsdb_functional_level(ldb
)) != LDB_SUCCESS
) {
398 if (do_attribute(attrs
, "forestFunctionality")) {
399 if (samdb_msg_add_int(ldb
, msg
, msg
, "forestFunctionality",
400 dsdb_forest_functional_level(ldb
)) != LDB_SUCCESS
) {
405 if (do_attribute(attrs
, "domainControllerFunctionality")
406 && (val
= talloc_get_type(ldb_get_opaque(ldb
, "domainControllerFunctionality"), int))) {
407 if (samdb_msg_add_int(ldb
, msg
, msg
,
408 "domainControllerFunctionality",
409 *val
) != LDB_SUCCESS
) {
414 if (do_attribute(attrs
, "isGlobalCatalogReady")) {
415 /* MS-ADTS 3.1.1.3.2.10
416 Note, we should only return true here is we have
417 completed at least one synchronisation. As both
418 provision and vampire do a full sync, this means we
419 can return true is the gc bit is set in the NTDSDSA
421 if (ldb_msg_add_fmt(msg
, "isGlobalCatalogReady",
422 "%s", samdb_is_gc(ldb
)?"TRUE":"FALSE") != LDB_SUCCESS
) {
427 if (do_attribute_explicit(attrs
, "tokenGroups")) {
429 /* Obtain the user's session_info */
430 struct auth_session_info
*session_info
431 = (struct auth_session_info
*)ldb_get_opaque(ldb
, "sessionInfo");
432 if (session_info
&& session_info
->security_token
) {
433 /* The list of groups this user is in */
434 for (i
= 0; i
< session_info
->security_token
->num_sids
; i
++) {
435 if (samdb_msg_add_dom_sid(ldb
, msg
, msg
,
437 &session_info
->security_token
->sids
[i
]) != LDB_SUCCESS
) {
444 /* TODO: lots more dynamic attributes should be added here */
446 edn_control
= ldb_request_get_control(req
, LDB_CONTROL_EXTENDED_DN_OID
);
448 /* if the client sent us the EXTENDED_DN control then we need
449 to expand the DNs to have GUID and SID. W2K8 join relies on
454 for (i
=0; dn_attrs
[i
]; i
++) {
455 if (!do_attribute(attrs
, dn_attrs
[i
])) continue;
456 ret
= expand_dn_in_message(module
, msg
, dn_attrs
[i
],
458 if (ret
!= LDB_SUCCESS
) {
459 DEBUG(0,(__location__
": Failed to expand DN in rootDSE for %s\n",
469 return ldb_operr(ldb
);
473 handle search requests
476 struct rootdse_context
{
477 struct ldb_module
*module
;
478 struct ldb_request
*req
;
481 static struct rootdse_context
*rootdse_init_context(struct ldb_module
*module
,
482 struct ldb_request
*req
)
484 struct ldb_context
*ldb
;
485 struct rootdse_context
*ac
;
487 ldb
= ldb_module_get_ctx(module
);
489 ac
= talloc_zero(req
, struct rootdse_context
);
491 ldb_set_errstring(ldb
, "Out of Memory");
501 static int rootdse_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
503 struct rootdse_context
*ac
;
506 ac
= talloc_get_type(req
->context
, struct rootdse_context
);
509 return ldb_module_done(ac
->req
, NULL
, NULL
,
510 LDB_ERR_OPERATIONS_ERROR
);
512 if (ares
->error
!= LDB_SUCCESS
) {
513 return ldb_module_done(ac
->req
, ares
->controls
,
514 ares
->response
, ares
->error
);
517 switch (ares
->type
) {
518 case LDB_REPLY_ENTRY
:
520 * if the client explicit asks for the 'netlogon' attribute
521 * the reply_entry needs to be skipped
523 if (ac
->req
->op
.search
.attrs
&&
524 ldb_attr_in_list(ac
->req
->op
.search
.attrs
, "netlogon")) {
529 /* for each record returned post-process to add any dynamic
530 attributes that have been asked for */
531 ret
= rootdse_add_dynamic(ac
->module
, ares
->message
,
532 ac
->req
->op
.search
.attrs
, ac
->req
);
533 if (ret
!= LDB_SUCCESS
) {
535 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
538 return ldb_module_send_entry(ac
->req
, ares
->message
, ares
->controls
);
540 case LDB_REPLY_REFERRAL
:
541 /* should we allow the backend to return referrals in this case
546 return ldb_module_done(ac
->req
, ares
->controls
,
547 ares
->response
, ares
->error
);
555 filter from controls from clients in several ways
557 1) mark our registered controls as non-critical in the request
559 This is needed as clients may mark controls as critical even if
560 they are not needed at all in a request. For example, the centrify
561 client sets the SD_FLAGS control as critical on ldap modify
562 requests which are setting the dNSHostName attribute on the
563 machine account. That request doesn't need SD_FLAGS at all, but
564 centrify adds it on all ldap requests.
566 2) if this request is untrusted then remove any non-registered
567 controls that are non-critical
569 This is used on ldap:// connections to prevent remote users from
570 setting an internal control that may be dangerous
572 3) if this request is untrusted then fail any request that includes
573 a critical non-registered control
575 static int rootdse_filter_controls(struct ldb_module
*module
, struct ldb_request
*req
)
578 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
581 if (!req
->controls
) {
585 is_untrusted
= ldb_req_is_untrusted(req
);
587 for (i
=0; req
->controls
[i
]; i
++) {
588 bool is_registered
= false;
589 bool is_critical
= (req
->controls
[i
]->critical
!= 0);
591 if (req
->controls
[i
]->oid
== NULL
) {
595 if (is_untrusted
|| is_critical
) {
596 for (j
=0; j
<priv
->num_controls
; j
++) {
597 if (strcasecmp(priv
->controls
[j
], req
->controls
[i
]->oid
) == 0) {
598 is_registered
= true;
604 if (is_untrusted
&& !is_registered
) {
606 /* remove it by marking the oid NULL */
607 req
->controls
[i
]->oid
= NULL
;
608 req
->controls
[i
]->data
= NULL
;
609 req
->controls
[i
]->critical
= 0;
612 /* its a critical unregistered control - give
614 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
615 "Attempt to use critical non-registered control '%s'",
616 req
->controls
[i
]->oid
);
617 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION
;
624 /* If the control is DIRSYNC control then we keep the critical
625 * flag as the dirsync module will need to act upon it
627 if (is_registered
&& strcmp(req
->controls
[i
]->oid
,
628 LDB_CONTROL_DIRSYNC_OID
)!= 0) {
629 req
->controls
[i
]->critical
= 0;
636 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
638 static int rootdse_filter_operations(struct ldb_module
*module
, struct ldb_request
*req
)
640 struct auth_session_info
*session_info
;
641 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
642 bool is_untrusted
= ldb_req_is_untrusted(req
);
643 bool is_anonymous
= true;
644 if (is_untrusted
== false) {
648 session_info
= (struct auth_session_info
*)ldb_get_opaque(ldb_module_get_ctx(module
), "sessionInfo");
650 is_anonymous
= security_token_is_anonymous(session_info
->security_token
);
653 if (is_anonymous
== false || (priv
&& priv
->block_anonymous
== false)) {
657 if (req
->operation
== LDB_SEARCH
) {
658 if (req
->op
.search
.scope
== LDB_SCOPE_BASE
&& ldb_dn_is_null(req
->op
.search
.base
)) {
662 ldb_set_errstring(ldb_module_get_ctx(module
), "Operation unavailable without authentication");
663 return LDB_ERR_OPERATIONS_ERROR
;
666 static int rootdse_search(struct ldb_module
*module
, struct ldb_request
*req
)
668 struct ldb_context
*ldb
;
669 struct rootdse_context
*ac
;
670 struct ldb_request
*down_req
;
673 ret
= rootdse_filter_operations(module
, req
);
674 if (ret
!= LDB_SUCCESS
) {
678 ret
= rootdse_filter_controls(module
, req
);
679 if (ret
!= LDB_SUCCESS
) {
683 ldb
= ldb_module_get_ctx(module
);
685 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
686 if (!(req
->op
.search
.scope
== LDB_SCOPE_BASE
&& ldb_dn_is_null(req
->op
.search
.base
))) {
687 /* Otherwise, pass down to the rest of the stack */
688 return ldb_next_request(module
, req
);
691 ac
= rootdse_init_context(module
, req
);
693 return ldb_operr(ldb
);
696 /* in our db we store the rootDSE with a DN of @ROOTDSE */
697 ret
= ldb_build_search_req(&down_req
, ldb
, ac
,
698 ldb_dn_new(ac
, ldb
, "@ROOTDSE"),
701 req
->op
.search
.attrs
,
702 NULL
,/* for now skip the controls from the client */
703 ac
, rootdse_callback
,
705 LDB_REQ_SET_LOCATION(down_req
);
706 if (ret
!= LDB_SUCCESS
) {
710 return ldb_next_request(module
, down_req
);
713 static int rootdse_register_control(struct ldb_module
*module
, struct ldb_request
*req
)
715 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
718 list
= talloc_realloc(priv
, priv
->controls
, char *, priv
->num_controls
+ 1);
720 return ldb_oom(ldb_module_get_ctx(module
));
723 list
[priv
->num_controls
] = talloc_strdup(list
, req
->op
.reg_control
.oid
);
724 if (!list
[priv
->num_controls
]) {
725 return ldb_oom(ldb_module_get_ctx(module
));
728 priv
->num_controls
+= 1;
729 priv
->controls
= list
;
731 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
734 static int rootdse_register_partition(struct ldb_module
*module
, struct ldb_request
*req
)
736 struct private_data
*priv
= talloc_get_type(ldb_module_get_private(module
), struct private_data
);
737 struct ldb_dn
**list
;
739 list
= talloc_realloc(priv
, priv
->partitions
, struct ldb_dn
*, priv
->num_partitions
+ 1);
741 return ldb_oom(ldb_module_get_ctx(module
));
744 list
[priv
->num_partitions
] = ldb_dn_copy(list
, req
->op
.reg_partition
.dn
);
745 if (!list
[priv
->num_partitions
]) {
746 return ldb_operr(ldb_module_get_ctx(module
));
749 priv
->num_partitions
+= 1;
750 priv
->partitions
= list
;
752 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
756 static int rootdse_request(struct ldb_module
*module
, struct ldb_request
*req
)
758 switch (req
->operation
) {
760 case LDB_REQ_REGISTER_CONTROL
:
761 return rootdse_register_control(module
, req
);
762 case LDB_REQ_REGISTER_PARTITION
:
763 return rootdse_register_partition(module
, req
);
768 return ldb_next_request(module
, req
);
771 static int rootdse_init(struct ldb_module
*module
)
774 struct ldb_context
*ldb
;
775 struct ldb_result
*res
;
776 struct private_data
*data
;
777 const char *attrs
[] = { "msDS-Behavior-Version", NULL
};
778 const char *ds_attrs
[] = { "dsServiceName", NULL
};
781 ldb
= ldb_module_get_ctx(module
);
783 data
= talloc_zero(module
, struct private_data
);
788 data
->num_controls
= 0;
789 data
->controls
= NULL
;
790 data
->num_partitions
= 0;
791 data
->partitions
= NULL
;
792 data
->block_anonymous
= true;
794 ldb_module_set_private(module
, data
);
796 ldb_set_default_dns(ldb
);
798 ret
= ldb_next_init(module
);
800 if (ret
!= LDB_SUCCESS
) {
804 mem_ctx
= talloc_new(data
);
809 /* Now that the partitions are set up, do a search for:
810 - domainControllerFunctionality
811 - domainFunctionality
812 - forestFunctionality
814 Then stuff these values into an opaque
816 ret
= dsdb_module_search(module
, mem_ctx
, &res
,
817 ldb_get_default_basedn(ldb
),
818 LDB_SCOPE_BASE
, attrs
, DSDB_FLAG_NEXT_MODULE
, NULL
, NULL
);
819 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
820 int domain_behaviour_version
821 = ldb_msg_find_attr_as_int(res
->msgs
[0],
822 "msDS-Behavior-Version", -1);
823 if (domain_behaviour_version
!= -1) {
824 int *val
= talloc(ldb
, int);
826 talloc_free(mem_ctx
);
829 *val
= domain_behaviour_version
;
830 ret
= ldb_set_opaque(ldb
, "domainFunctionality", val
);
831 if (ret
!= LDB_SUCCESS
) {
832 talloc_free(mem_ctx
);
838 ret
= dsdb_module_search(module
, mem_ctx
, &res
,
839 samdb_partitions_dn(ldb
, mem_ctx
),
840 LDB_SCOPE_BASE
, attrs
, DSDB_FLAG_NEXT_MODULE
, NULL
, NULL
);
841 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
842 int forest_behaviour_version
843 = ldb_msg_find_attr_as_int(res
->msgs
[0],
844 "msDS-Behavior-Version", -1);
845 if (forest_behaviour_version
!= -1) {
846 int *val
= talloc(ldb
, int);
848 talloc_free(mem_ctx
);
851 *val
= forest_behaviour_version
;
852 ret
= ldb_set_opaque(ldb
, "forestFunctionality", val
);
853 if (ret
!= LDB_SUCCESS
) {
854 talloc_free(mem_ctx
);
860 /* For now, our own server's location in the DB is recorded in
861 * the @ROOTDSE record */
862 ret
= dsdb_module_search(module
, mem_ctx
, &res
,
863 ldb_dn_new(mem_ctx
, ldb
, "@ROOTDSE"),
864 LDB_SCOPE_BASE
, ds_attrs
, DSDB_FLAG_NEXT_MODULE
, NULL
, NULL
);
865 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
867 = ldb_msg_find_attr_as_dn(ldb
, mem_ctx
, res
->msgs
[0],
870 ret
= dsdb_module_search(module
, mem_ctx
, &res
, ds_dn
,
871 LDB_SCOPE_BASE
, attrs
, DSDB_FLAG_NEXT_MODULE
, NULL
, NULL
);
872 if (ret
== LDB_SUCCESS
&& res
->count
== 1) {
873 int domain_controller_behaviour_version
874 = ldb_msg_find_attr_as_int(res
->msgs
[0],
875 "msDS-Behavior-Version", -1);
876 if (domain_controller_behaviour_version
!= -1) {
877 int *val
= talloc(ldb
, int);
879 talloc_free(mem_ctx
);
882 *val
= domain_controller_behaviour_version
;
883 ret
= ldb_set_opaque(ldb
,
884 "domainControllerFunctionality", val
);
885 if (ret
!= LDB_SUCCESS
) {
886 talloc_free(mem_ctx
);
894 data
->block_anonymous
= dsdb_block_anonymous_ops(module
, NULL
);
896 talloc_free(mem_ctx
);
902 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
903 * to a DN and a GUID object
905 static int get_optional_feature_dn_guid(struct ldb_request
*req
, struct ldb_context
*ldb
,
907 struct ldb_dn
**op_feature_scope_dn
,
908 struct GUID
*op_feature_guid
)
910 const struct ldb_message
*msg
= req
->op
.mod
.message
;
911 const char *ldb_val_str
;
913 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
916 ldb_val_str
= ldb_msg_find_attr_as_string(msg
, "enableOptionalFeature", NULL
);
918 ldb_set_errstring(ldb
,
919 "rootdse: unable to find 'enableOptionalFeature'!");
920 return LDB_ERR_UNWILLING_TO_PERFORM
;
923 guid
= strchr(ldb_val_str
, ':');
925 ldb_set_errstring(ldb
,
926 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
927 return LDB_ERR_UNWILLING_TO_PERFORM
;
929 status
= GUID_from_string(guid
+1, op_feature_guid
);
930 if (!NT_STATUS_IS_OK(status
)) {
931 ldb_set_errstring(ldb
,
932 "rootdse: bad GUID in 'enableOptionalFeature'!");
933 return LDB_ERR_UNWILLING_TO_PERFORM
;
936 dn
= talloc_strndup(tmp_ctx
, ldb_val_str
, guid
-ldb_val_str
);
938 ldb_set_errstring(ldb
,
939 "rootdse: bad DN in 'enableOptionalFeature'!");
940 return LDB_ERR_UNWILLING_TO_PERFORM
;
943 *op_feature_scope_dn
= ldb_dn_new(mem_ctx
, ldb
, dn
);
945 talloc_free(tmp_ctx
);
950 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
951 * ldb_message object.
953 static int dsdb_find_optional_feature(struct ldb_module
*module
, struct ldb_context
*ldb
,
954 TALLOC_CTX
*mem_ctx
, struct GUID op_feature_guid
, struct ldb_message
**msg
,
955 struct ldb_request
*parent
)
957 struct ldb_result
*res
;
958 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
961 ret
= dsdb_module_search(module
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
963 DSDB_FLAG_NEXT_MODULE
|
964 DSDB_SEARCH_SEARCH_ALL_PARTITIONS
,
966 "(&(objectClass=msDS-OptionalFeature)"
967 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx
, &op_feature_guid
));
969 if (ret
!= LDB_SUCCESS
) {
970 talloc_free(tmp_ctx
);
973 if (res
->count
== 0) {
974 talloc_free(tmp_ctx
);
975 return LDB_ERR_NO_SUCH_OBJECT
;
977 if (res
->count
!= 1) {
978 ldb_asprintf_errstring(ldb
,
979 "More than one object found matching optional feature GUID %s\n",
980 GUID_string(tmp_ctx
, &op_feature_guid
));
981 talloc_free(tmp_ctx
);
982 return LDB_ERR_OPERATIONS_ERROR
;
985 *msg
= talloc_steal(mem_ctx
, res
->msgs
[0]);
987 talloc_free(tmp_ctx
);
991 static int rootdse_enable_recycle_bin(struct ldb_module
*module
,struct ldb_context
*ldb
,
992 TALLOC_CTX
*mem_ctx
, struct ldb_dn
*op_feature_scope_dn
,
993 struct ldb_message
*op_feature_msg
, struct ldb_request
*parent
)
996 const int domain_func_level
= dsdb_functional_level(ldb
);
997 struct ldb_dn
*ntds_settings_dn
;
999 unsigned int el_count
= 0;
1000 struct ldb_message
*msg
;
1002 ret
= ldb_msg_find_attr_as_int(op_feature_msg
, "msDS-RequiredForestBehaviorVersion", 0);
1003 if (domain_func_level
< ret
){
1004 ldb_asprintf_errstring(ldb
,
1005 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
1007 return LDB_ERR_UNWILLING_TO_PERFORM
;
1010 tmp_ctx
= talloc_new(mem_ctx
);
1011 ntds_settings_dn
= samdb_ntds_settings_dn(ldb
);
1012 if (!ntds_settings_dn
) {
1013 talloc_free(tmp_ctx
);
1014 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
, "Failed to find NTDS settings DN");
1017 ntds_settings_dn
= ldb_dn_copy(tmp_ctx
, ntds_settings_dn
);
1018 if (!ntds_settings_dn
) {
1019 talloc_free(tmp_ctx
);
1020 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
, "Failed to copy NTDS settings DN");
1023 msg
= ldb_msg_new(tmp_ctx
);
1024 msg
->dn
= ntds_settings_dn
;
1026 ldb_msg_add_linearized_dn(msg
, "msDS-EnabledFeature", op_feature_msg
->dn
);
1027 msg
->elements
[el_count
++].flags
= LDB_FLAG_MOD_ADD
;
1029 ret
= dsdb_module_modify(module
, msg
, DSDB_FLAG_NEXT_MODULE
, parent
);
1030 if (ret
!= LDB_SUCCESS
) {
1031 ldb_asprintf_errstring(ldb
,
1032 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1033 ldb_dn_get_linearized(ntds_settings_dn
),
1034 ldb_errstring(ldb
));
1035 talloc_free(tmp_ctx
);
1039 msg
->dn
= op_feature_scope_dn
;
1040 ret
= dsdb_module_modify(module
, msg
, DSDB_FLAG_NEXT_MODULE
, parent
);
1041 if (ret
!= LDB_SUCCESS
) {
1042 ldb_asprintf_errstring(ldb
,
1043 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1044 ldb_dn_get_linearized(op_feature_scope_dn
),
1045 ldb_errstring(ldb
));
1046 talloc_free(tmp_ctx
);
1053 static int rootdse_enableoptionalfeature(struct ldb_module
*module
, struct ldb_request
*req
)
1057 - check for system (only system can enable features)
1058 - extract GUID from the request
1059 - find the feature object
1060 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1061 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1062 - add/modify objects (see ntdsconnection code for an example)
1065 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1066 struct GUID op_feature_guid
;
1067 struct ldb_dn
*op_feature_scope_dn
;
1068 struct ldb_message
*op_feature_msg
;
1069 struct auth_session_info
*session_info
=
1070 (struct auth_session_info
*)ldb_get_opaque(ldb
, "sessionInfo");
1071 TALLOC_CTX
*tmp_ctx
= talloc_new(ldb
);
1073 const char *guid_string
;
1075 if (security_session_user_level(session_info
, NULL
) != SECURITY_SYSTEM
) {
1076 ldb_set_errstring(ldb
, "rootdse: Insufficient rights for enableoptionalfeature");
1077 return LDB_ERR_UNWILLING_TO_PERFORM
;
1080 ret
= get_optional_feature_dn_guid(req
, ldb
, tmp_ctx
, &op_feature_scope_dn
, &op_feature_guid
);
1081 if (ret
!= LDB_SUCCESS
) {
1082 talloc_free(tmp_ctx
);
1086 guid_string
= GUID_string(tmp_ctx
, &op_feature_guid
);
1088 ldb_set_errstring(ldb
, "rootdse: bad optional feature GUID");
1089 return LDB_ERR_UNWILLING_TO_PERFORM
;
1092 ret
= dsdb_find_optional_feature(module
, ldb
, tmp_ctx
, op_feature_guid
, &op_feature_msg
, req
);
1093 if (ret
!= LDB_SUCCESS
) {
1094 ldb_asprintf_errstring(ldb
,
1095 "rootdse: unable to find optional feature for %s - %s",
1096 guid_string
, ldb_errstring(ldb
));
1097 talloc_free(tmp_ctx
);
1101 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN
, guid_string
) == 0) {
1102 ret
= rootdse_enable_recycle_bin(module
, ldb
,
1103 tmp_ctx
, op_feature_scope_dn
,
1104 op_feature_msg
, req
);
1106 ldb_asprintf_errstring(ldb
,
1107 "rootdse: unknown optional feature %s",
1109 talloc_free(tmp_ctx
);
1110 return LDB_ERR_UNWILLING_TO_PERFORM
;
1112 if (ret
!= LDB_SUCCESS
) {
1113 ldb_asprintf_errstring(ldb
,
1114 "rootdse: failed to set optional feature for %s - %s",
1115 guid_string
, ldb_errstring(ldb
));
1116 talloc_free(tmp_ctx
);
1120 talloc_free(tmp_ctx
);
1121 return ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);;
1124 static int rootdse_schemaupdatenow(struct ldb_module
*module
, struct ldb_request
*req
)
1126 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1127 struct ldb_result
*ext_res
;
1129 struct ldb_dn
*schema_dn
;
1131 schema_dn
= ldb_get_schema_basedn(ldb
);
1133 ldb_reset_err_string(ldb
);
1134 ldb_debug(ldb
, LDB_DEBUG_WARNING
,
1135 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1136 return ldb_next_request(module
, req
);
1139 ret
= ldb_extended(ldb
, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
, schema_dn
, &ext_res
);
1140 if (ret
!= LDB_SUCCESS
) {
1141 return ldb_operr(ldb
);
1144 talloc_free(ext_res
);
1145 return ldb_module_done(req
, NULL
, NULL
, ret
);
1148 static int rootdse_add(struct ldb_module
*module
, struct ldb_request
*req
)
1150 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1153 ret
= rootdse_filter_operations(module
, req
);
1154 if (ret
!= LDB_SUCCESS
) {
1158 ret
= rootdse_filter_controls(module
, req
);
1159 if (ret
!= LDB_SUCCESS
) {
1164 If dn is not "" we should let it pass through
1166 if (!ldb_dn_is_null(req
->op
.add
.message
->dn
)) {
1167 return ldb_next_request(module
, req
);
1170 ldb_set_errstring(ldb
, "rootdse_add: you cannot add a new rootdse entry!");
1171 return LDB_ERR_NAMING_VIOLATION
;
1174 struct fsmo_transfer_state
{
1175 struct ldb_context
*ldb
;
1176 struct ldb_request
*req
;
1180 called when a FSMO transfer operation has completed
1182 static void rootdse_fsmo_transfer_callback(struct tevent_req
*treq
)
1184 struct fsmo_transfer_state
*fsmo
= tevent_req_callback_data(treq
, struct fsmo_transfer_state
);
1187 struct ldb_request
*req
= fsmo
->req
;
1188 struct ldb_context
*ldb
= fsmo
->ldb
;
1190 status
= dcerpc_drepl_takeFSMORole_recv(treq
, fsmo
, &werr
);
1192 if (!NT_STATUS_IS_OK(status
)) {
1193 ldb_asprintf_errstring(ldb
, "Failed FSMO transfer: %s", nt_errstr(status
));
1194 ldb_module_done(req
, NULL
, NULL
, LDB_ERR_UNAVAILABLE
);
1197 if (!W_ERROR_IS_OK(werr
)) {
1198 ldb_asprintf_errstring(ldb
, "Failed FSMO transfer: %s", win_errstr(werr
));
1199 ldb_module_done(req
, NULL
, NULL
, LDB_ERR_UNAVAILABLE
);
1203 ldb_module_done(req
, NULL
, NULL
, LDB_SUCCESS
);
1206 static int rootdse_become_master(struct ldb_module
*module
,
1207 struct ldb_request
*req
,
1208 enum drepl_role_master role
)
1210 struct imessaging_context
*msg
;
1211 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1212 TALLOC_CTX
*tmp_ctx
= talloc_new(req
);
1213 struct loadparm_context
*lp_ctx
= ldb_get_opaque(ldb
, "loadparm");
1215 struct dcerpc_binding_handle
*irpc_handle
;
1217 struct auth_session_info
*session_info
;
1218 enum security_user_level level
;
1219 struct fsmo_transfer_state
*fsmo
;
1220 struct tevent_req
*treq
;
1222 session_info
= (struct auth_session_info
*)ldb_get_opaque(ldb_module_get_ctx(module
), "sessionInfo");
1223 level
= security_session_user_level(session_info
, NULL
);
1224 if (level
< SECURITY_ADMINISTRATOR
) {
1225 return ldb_error(ldb
, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
, "Denied rootDSE modify for non-administrator");
1228 ret
= samdb_rodc(ldb
, &am_rodc
);
1229 if (ret
!= LDB_SUCCESS
) {
1230 return ldb_error(ldb
, ret
, "Could not determine if server is RODC.");
1234 return ldb_error(ldb
, LDB_ERR_UNWILLING_TO_PERFORM
,
1235 "RODC cannot become a role master.");
1238 msg
= imessaging_client_init(tmp_ctx
, lpcfg_imessaging_path(tmp_ctx
, lp_ctx
),
1239 ldb_get_event_context(ldb
));
1241 ldb_asprintf_errstring(ldb
, "Failed to generate client messaging context in %s", lpcfg_imessaging_path(tmp_ctx
, lp_ctx
));
1242 return LDB_ERR_OPERATIONS_ERROR
;
1244 irpc_handle
= irpc_binding_handle_by_name(tmp_ctx
, msg
,
1247 if (irpc_handle
== NULL
) {
1248 return ldb_oom(ldb
);
1250 fsmo
= talloc_zero(req
, struct fsmo_transfer_state
);
1252 return ldb_oom(ldb
);
1257 /* we send the call asynchronously, as the ldap client is
1258 * expecting to get an error back if the role transfer fails
1261 treq
= dcerpc_drepl_takeFSMORole_send(req
, ldb_get_event_context(ldb
), irpc_handle
, role
);
1263 return ldb_oom(ldb
);
1266 tevent_req_set_callback(treq
, rootdse_fsmo_transfer_callback
, fsmo
);
1270 static int rootdse_modify(struct ldb_module
*module
, struct ldb_request
*req
)
1272 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1275 ret
= rootdse_filter_operations(module
, req
);
1276 if (ret
!= LDB_SUCCESS
) {
1280 ret
= rootdse_filter_controls(module
, req
);
1281 if (ret
!= LDB_SUCCESS
) {
1286 If dn is not "" we should let it pass through
1288 if (!ldb_dn_is_null(req
->op
.mod
.message
->dn
)) {
1289 return ldb_next_request(module
, req
);
1293 dn is empty so check for schemaUpdateNow attribute
1294 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1296 if (ldb_msg_find_element(req
->op
.mod
.message
, "schemaUpdateNow")) {
1297 return rootdse_schemaupdatenow(module
, req
);
1299 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeDomainMaster")) {
1300 return rootdse_become_master(module
, req
, DREPL_NAMING_MASTER
);
1302 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeInfrastructureMaster")) {
1303 return rootdse_become_master(module
, req
, DREPL_INFRASTRUCTURE_MASTER
);
1305 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeRidMaster")) {
1306 return rootdse_become_master(module
, req
, DREPL_RID_MASTER
);
1308 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomeSchemaMaster")) {
1309 return rootdse_become_master(module
, req
, DREPL_SCHEMA_MASTER
);
1311 if (ldb_msg_find_element(req
->op
.mod
.message
, "becomePdc")) {
1312 return rootdse_become_master(module
, req
, DREPL_PDC_MASTER
);
1314 if (ldb_msg_find_element(req
->op
.mod
.message
, "enableOptionalFeature")) {
1315 return rootdse_enableoptionalfeature(module
, req
);
1318 ldb_set_errstring(ldb
, "rootdse_modify: unknown attribute to change!");
1319 return LDB_ERR_UNWILLING_TO_PERFORM
;
1322 static int rootdse_rename(struct ldb_module
*module
, struct ldb_request
*req
)
1324 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1327 ret
= rootdse_filter_operations(module
, req
);
1328 if (ret
!= LDB_SUCCESS
) {
1332 ret
= rootdse_filter_controls(module
, req
);
1333 if (ret
!= LDB_SUCCESS
) {
1338 If dn is not "" we should let it pass through
1340 if (!ldb_dn_is_null(req
->op
.rename
.olddn
)) {
1341 return ldb_next_request(module
, req
);
1344 ldb_set_errstring(ldb
, "rootdse_remove: you cannot rename the rootdse entry!");
1345 return LDB_ERR_NO_SUCH_OBJECT
;
1348 static int rootdse_delete(struct ldb_module
*module
, struct ldb_request
*req
)
1350 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1353 ret
= rootdse_filter_operations(module
, req
);
1354 if (ret
!= LDB_SUCCESS
) {
1358 ret
= rootdse_filter_controls(module
, req
);
1359 if (ret
!= LDB_SUCCESS
) {
1364 If dn is not "" we should let it pass through
1366 if (!ldb_dn_is_null(req
->op
.del
.dn
)) {
1367 return ldb_next_request(module
, req
);
1370 ldb_set_errstring(ldb
, "rootdse_remove: you cannot delete the rootdse entry!");
1371 return LDB_ERR_NO_SUCH_OBJECT
;
1374 static int rootdse_extended(struct ldb_module
*module
, struct ldb_request
*req
)
1378 ret
= rootdse_filter_operations(module
, req
);
1379 if (ret
!= LDB_SUCCESS
) {
1383 ret
= rootdse_filter_controls(module
, req
);
1384 if (ret
!= LDB_SUCCESS
) {
1388 return ldb_next_request(module
, req
);
1391 static const struct ldb_module_ops ldb_rootdse_module_ops
= {
1393 .init_context
= rootdse_init
,
1394 .search
= rootdse_search
,
1395 .request
= rootdse_request
,
1397 .modify
= rootdse_modify
,
1398 .rename
= rootdse_rename
,
1399 .extended
= rootdse_extended
,
1400 .del
= rootdse_delete
1403 int ldb_rootdse_module_init(const char *version
)
1405 LDB_MODULE_CHECK_VERSION(version
);
1406 return ldb_register_module(&ldb_rootdse_module_ops
);