2 Unix SMB/CIFS implementation.
4 ldb database library - Extended match rules
6 Copyright (C) 2014 Samuel Cabrero <samuelcabrero@kernevil.me>
7 Copyright (C) Andrew Bartlett <abartlet@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include <ldb_module.h>
25 #include "dsdb/samdb/samdb.h"
26 #include "ldb_matching_rules.h"
27 #include "libcli/security/security.h"
28 #include "dsdb/common/util.h"
29 #include "librpc/gen_ndr/ndr_dnsp.h"
30 #include "lib/util/smb_strtox.h"
34 static int ldb_eval_transitive_filter_helper(TALLOC_CTX
*mem_ctx
,
35 struct ldb_context
*ldb
,
37 const struct dsdb_dn
*dn_to_match
,
39 struct dsdb_dn
*to_visit
,
40 struct dsdb_dn
***visited
,
41 unsigned int *visited_count
,
46 struct ldb_result
*res
;
47 struct ldb_message
*msg
;
48 struct ldb_message_element
*el
;
49 const char *attrs
[] = { attr
, NULL
};
51 tmp_ctx
= talloc_new(mem_ctx
);
52 if (tmp_ctx
== NULL
) {
53 return LDB_ERR_OPERATIONS_ERROR
;
57 * Fetch the entry to_visit
59 * NOTE: This is a new LDB search from the TOP of the module
60 * stack. This means that this search runs the whole stack
63 * This may seem to be in-efficient, but it is also the only
64 * way to ensure that the ACLs for this search are applied
67 * Note also that we don't have the original request
68 * here, so we can not apply controls or timeouts here.
70 ret
= dsdb_search_dn(ldb
,
75 DSDB_MARK_REQ_UNTRUSTED
);
76 if (ret
!= LDB_SUCCESS
) {
80 if (res
->count
!= 1) {
82 return LDB_ERR_OPERATIONS_ERROR
;
86 /* Fetch the attribute to match from the entry being visited */
87 el
= ldb_msg_find_element(msg
, attr
);
89 /* This entry does not have the attribute to match */
96 * If the value to match is present in the attribute values of the
97 * current entry being visited, set matched to true and return OK
99 for (i
=0; i
<el
->num_values
; i
++) {
101 dn
= dsdb_dn_parse(tmp_ctx
, ldb
, &el
->values
[i
], dn_oid
);
103 talloc_free(tmp_ctx
);
105 return LDB_ERR_INVALID_DN_SYNTAX
;
108 if (ldb_dn_compare(dn_to_match
->dn
, dn
->dn
) == 0) {
109 talloc_free(tmp_ctx
);
116 * If arrived here, the value to match is not in the values of the
117 * entry being visited. Add the entry being visited (to_visit)
118 * to the visited array. The array is (re)allocated in the parent
121 if (visited
== NULL
) {
122 return LDB_ERR_OPERATIONS_ERROR
;
123 } else if (*visited
== NULL
) {
124 *visited
= talloc_array(mem_ctx
, struct dsdb_dn
*, 1);
125 if (*visited
== NULL
) {
126 talloc_free(tmp_ctx
);
127 return LDB_ERR_OPERATIONS_ERROR
;
129 (*visited
)[0] = to_visit
;
130 (*visited_count
) = 1;
132 *visited
= talloc_realloc(mem_ctx
, *visited
, struct dsdb_dn
*,
133 (*visited_count
) + 1);
134 if (*visited
== NULL
) {
135 talloc_free(tmp_ctx
);
136 return LDB_ERR_OPERATIONS_ERROR
;
138 (*visited
)[(*visited_count
)] = to_visit
;
143 * steal to_visit into visited array context, as it has to live until
144 * the array is freed.
146 talloc_steal(*visited
, to_visit
);
149 * Iterate over the values of the attribute of the entry being
150 * visited (to_visit) and follow them, calling this function
152 * If the value is in the visited array, skip it.
153 * Otherwise, follow the link and visit it.
155 for (i
=0; i
<el
->num_values
; i
++) {
156 struct dsdb_dn
*next_to_visit
;
159 next_to_visit
= dsdb_dn_parse(tmp_ctx
, ldb
, &el
->values
[i
], dn_oid
);
160 if (next_to_visit
== NULL
) {
161 talloc_free(tmp_ctx
);
163 return LDB_ERR_INVALID_DN_SYNTAX
;
167 * If the value is already in the visited array, skip it.
168 * Note the last element of the array is ignored because it is
169 * the current entry DN.
171 for (j
=0; j
< (*visited_count
) - 1; j
++) {
172 struct dsdb_dn
*visited_dn
= (*visited
)[j
];
173 if (ldb_dn_compare(visited_dn
->dn
,
174 next_to_visit
->dn
) == 0) {
180 talloc_free(next_to_visit
);
184 /* If the value is not in the visited array, evaluate it */
185 ret
= ldb_eval_transitive_filter_helper(tmp_ctx
, ldb
, attr
,
188 visited
, visited_count
,
190 if (ret
!= LDB_SUCCESS
) {
191 talloc_free(tmp_ctx
);
195 talloc_free(tmp_ctx
);
200 talloc_free(tmp_ctx
);
206 * This function parses the linked attribute value to match, whose syntax
207 * will be one of the different DN syntaxes, into a ldb_dn struct.
209 static int ldb_eval_transitive_filter(TALLOC_CTX
*mem_ctx
,
210 struct ldb_context
*ldb
,
212 const struct ldb_val
*value_to_match
,
213 struct dsdb_dn
*current_object_dn
,
216 const struct dsdb_schema
*schema
;
217 const struct dsdb_attribute
*schema_attr
;
218 struct dsdb_dn
*dn_to_match
;
221 struct dsdb_dn
**visited
= NULL
;
223 schema
= dsdb_get_schema(ldb
, mem_ctx
);
224 if (schema
== NULL
) {
225 return LDB_ERR_OPERATIONS_ERROR
;
228 schema_attr
= dsdb_attribute_by_lDAPDisplayName(schema
, attr
);
229 if (schema_attr
== NULL
) {
230 return LDB_ERR_NO_SUCH_ATTRIBUTE
;
233 /* This is the DN syntax of the attribute being matched */
234 dn_oid
= schema_attr
->syntax
->ldap_oid
;
237 * Build a ldb_dn struct holding the value to match, which is the
238 * value entered in the search filter
240 dn_to_match
= dsdb_dn_parse(mem_ctx
, ldb
, value_to_match
, dn_oid
);
241 if (dn_to_match
== NULL
) {
246 return ldb_eval_transitive_filter_helper(mem_ctx
, ldb
, attr
,
249 &visited
, &count
, matched
);
253 * This rule provides recursive search of a link attribute
255 * Documented in [MS-ADTS] section 3.1.1.3.4.4.3 LDAP_MATCHING_RULE_TRANSITIVE_EVAL
256 * This allows a search filter such as:
258 * member:1.2.840.113556.1.4.1941:=cn=user,cn=users,dc=samba,dc=example,dc=com
260 * This searches not only the member attribute, but also any member
261 * attributes that point at an object with this member in them. All the
262 * various DN syntax types are supported, not just plain DNs.
265 static int ldb_comparator_trans(struct ldb_context
*ldb
,
267 const struct ldb_message
*msg
,
268 const char *attribute_to_match
,
269 const struct ldb_val
*value_to_match
,
272 const struct dsdb_schema
*schema
;
273 const struct dsdb_attribute
*schema_attr
;
274 struct ldb_dn
*msg_dn
;
275 struct dsdb_dn
*dsdb_msg_dn
;
279 tmp_ctx
= talloc_new(ldb
);
280 if (tmp_ctx
== NULL
) {
281 return LDB_ERR_OPERATIONS_ERROR
;
285 * If the target attribute to match is not a linked attribute, then
286 * the filter evaluates to undefined
288 schema
= dsdb_get_schema(ldb
, tmp_ctx
);
289 if (schema
== NULL
) {
290 talloc_free(tmp_ctx
);
291 return LDB_ERR_OPERATIONS_ERROR
;
294 schema_attr
= dsdb_attribute_by_lDAPDisplayName(schema
, attribute_to_match
);
295 if (schema_attr
== NULL
) {
296 talloc_free(tmp_ctx
);
297 return LDB_ERR_NO_SUCH_ATTRIBUTE
;
301 * This extended match filter is only valid for linked attributes,
302 * following the MS definition (the schema attribute has a linkID
303 * defined). See dochelp request 114111212024789 on cifs-protocols
306 if (schema_attr
->linkID
== 0) {
308 talloc_free(tmp_ctx
);
312 /* Duplicate original msg dn as the msg must not be modified */
313 msg_dn
= ldb_dn_copy(tmp_ctx
, msg
->dn
);
314 if (msg_dn
== NULL
) {
315 talloc_free(tmp_ctx
);
316 return LDB_ERR_OPERATIONS_ERROR
;
320 * Build a dsdb dn from the message copied DN, which should be a plain
323 dsdb_msg_dn
= dsdb_dn_construct(tmp_ctx
, msg_dn
, data_blob_null
,
325 if (dsdb_msg_dn
== NULL
) {
327 return LDB_ERR_INVALID_DN_SYNTAX
;
330 ret
= ldb_eval_transitive_filter(tmp_ctx
, ldb
,
333 dsdb_msg_dn
, matched
);
334 talloc_free(tmp_ctx
);
340 * This rule provides match of a dns object with expired records.
342 * This allows a search filter such as:
344 * dnsRecord:1.3.6.1.4.1.7165.4.5.3:=3694869
346 * where the value is a number of hours since the start of 1601.
348 * This allows the caller to find records that should become a DNS
349 * tomestone, despite that information being deep within an NDR packed
352 static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context
*ldb
,
354 const struct ldb_message
*msg
,
355 const char *attribute_to_match
,
356 const struct ldb_val
*value_to_match
,
361 struct ldb_message_element
*el
= NULL
;
362 struct auth_session_info
*session_info
= NULL
;
363 uint64_t tombstone_time
;
364 struct dnsp_DnssrvRpcRecord
*rec
= NULL
;
365 enum ndr_err_code err
;
368 /* Needs to be dnsRecord, no match otherwise */
369 if (ldb_attr_cmp(attribute_to_match
, "dnsRecord") != 0) {
373 el
= ldb_msg_find_element(msg
, attribute_to_match
);
378 if (ldb_msg_element_is_inaccessible(el
)) {
383 session_info
= talloc_get_type(ldb_get_opaque(ldb
, "sessionInfo"),
384 struct auth_session_info
);
385 if (session_info
== NULL
) {
388 if (security_session_user_level(session_info
, NULL
)
389 != SECURITY_SYSTEM
) {
391 DBG_ERR("unauthorised access\n");
392 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
395 /* We only expect uint32_t <= 10 digits */
396 if (value_to_match
->length
>= 12) {
397 DBG_ERR("Invalid timestamp passed\n");
398 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
403 memcpy(s
, value_to_match
->data
, value_to_match
->length
);
404 s
[value_to_match
->length
] = 0;
406 DBG_ERR("Empty timestamp passed\n");
407 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
409 tombstone_time
= smb_strtoull(s
,
413 SMB_STR_FULL_STR_CONV
);
415 DBG_ERR("Invalid timestamp string passed\n");
416 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
420 tmp_ctx
= talloc_new(ldb
);
421 if (tmp_ctx
== NULL
) {
425 for (i
= 0; i
< el
->num_values
; i
++) {
426 rec
= talloc_zero(tmp_ctx
, struct dnsp_DnssrvRpcRecord
);
428 TALLOC_FREE(tmp_ctx
);
431 err
= ndr_pull_struct_blob(
435 (ndr_pull_flags_fn_t
)ndr_pull_dnsp_DnssrvRpcRecord
);
436 if (!NDR_ERR_CODE_IS_SUCCESS(err
)){
437 DBG_ERR("Failed to pull dns rec blob.\n");
438 TALLOC_FREE(tmp_ctx
);
439 return LDB_ERR_OPERATIONS_ERROR
;
442 if (rec
->wType
== DNS_TYPE_SOA
|| rec
->wType
== DNS_TYPE_NS
) {
447 if (rec
->wType
== DNS_TYPE_TOMBSTONE
) {
451 if (rec
->dwTimeStamp
== 0) {
455 if (rec
->dwTimeStamp
> tombstone_time
) {
464 TALLOC_FREE(tmp_ctx
);
470 * This rule provides match of a link attribute against a 'should be expunged' criteria
472 * This allows a search filter such as:
474 * member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000
476 * This searches the member attribute, but also any member attributes
477 * that are deleted and should be expunged after the specified NTTIME
481 static int dsdb_match_for_expunge(struct ldb_context
*ldb
,
483 const struct ldb_message
*msg
,
484 const char *attribute_to_match
,
485 const struct ldb_val
*value_to_match
,
488 const struct dsdb_schema
*schema
;
489 const struct dsdb_attribute
*schema_attr
;
492 struct ldb_message_element
*el
;
493 struct auth_session_info
*session_info
;
494 uint64_t tombstone_time
;
497 el
= ldb_msg_find_element(msg
, attribute_to_match
);
502 if (ldb_msg_element_is_inaccessible(el
)) {
508 = talloc_get_type(ldb_get_opaque(ldb
, DSDB_SESSION_INFO
),
509 struct auth_session_info
);
510 if (security_session_user_level(session_info
, NULL
) != SECURITY_SYSTEM
) {
511 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
515 * If the target attribute to match is not a linked attribute, then
516 * the filter evaluates to undefined
518 schema
= dsdb_get_schema(ldb
, NULL
);
519 if (schema
== NULL
) {
520 return LDB_ERR_OPERATIONS_ERROR
;
523 /* TODO this is O(log n) per attribute */
524 schema_attr
= dsdb_attribute_by_lDAPDisplayName(schema
, attribute_to_match
);
525 if (schema_attr
== NULL
) {
526 return LDB_ERR_NO_SUCH_ATTRIBUTE
;
530 * This extended match filter is only valid for forward linked attributes.
532 if (schema_attr
->linkID
== 0 || (schema_attr
->linkID
& 1) == 1) {
533 return LDB_ERR_NO_SUCH_ATTRIBUTE
;
536 /* Just check we don't allow the caller to fill our stack */
537 if (value_to_match
->length
>=64) {
538 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
541 char s
[value_to_match
->length
+1];
543 memcpy(s
, value_to_match
->data
, value_to_match
->length
);
544 s
[value_to_match
->length
] = 0;
545 if (s
[0] == '\0' || s
[0] == '-') {
546 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
548 tombstone_time
= smb_strtoull(s
,
552 SMB_STR_FULL_STR_CONV
);
554 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX
;
558 tmp_ctx
= talloc_new(ldb
);
559 if (tmp_ctx
== NULL
) {
560 return LDB_ERR_OPERATIONS_ERROR
;
563 for (i
= 0; i
< el
->num_values
; i
++) {
566 uint64_t rmd_changetime
;
567 if (dsdb_dn_is_deleted_val(&el
->values
[i
]) == false) {
571 dn
= dsdb_dn_parse(tmp_ctx
, ldb
, &el
->values
[i
],
572 schema_attr
->syntax
->ldap_oid
);
574 DEBUG(1, ("Error: Failed to parse linked attribute blob of %s.\n", el
->name
));
578 status
= dsdb_get_extended_dn_uint64(dn
->dn
, &rmd_changetime
,
580 if (!NT_STATUS_IS_OK(status
)) {
581 DEBUG(1, ("Error: RMD_CHANGETIME is missing on a forward link.\n"));
585 if (rmd_changetime
> tombstone_time
) {
592 talloc_free(tmp_ctx
);
597 int ldb_register_samba_matching_rules(struct ldb_context
*ldb
)
599 struct ldb_extended_match_rule
*transitive_eval
= NULL
,
600 *match_for_expunge
= NULL
,
601 *match_for_dns_to_tombstone_time
= NULL
;
604 transitive_eval
= talloc_zero(ldb
, struct ldb_extended_match_rule
);
605 transitive_eval
->oid
= SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL
;
606 transitive_eval
->callback
= ldb_comparator_trans
;
607 ret
= ldb_register_extended_match_rule(ldb
, transitive_eval
);
608 if (ret
!= LDB_SUCCESS
) {
609 talloc_free(transitive_eval
);
613 match_for_expunge
= talloc_zero(ldb
, struct ldb_extended_match_rule
);
614 match_for_expunge
->oid
= DSDB_MATCH_FOR_EXPUNGE
;
615 match_for_expunge
->callback
= dsdb_match_for_expunge
;
616 ret
= ldb_register_extended_match_rule(ldb
, match_for_expunge
);
617 if (ret
!= LDB_SUCCESS
) {
618 talloc_free(match_for_expunge
);
622 match_for_dns_to_tombstone_time
= talloc_zero(
624 struct ldb_extended_match_rule
);
625 match_for_dns_to_tombstone_time
->oid
= DSDB_MATCH_FOR_DNS_TO_TOMBSTONE_TIME
;
626 match_for_dns_to_tombstone_time
->callback
627 = dsdb_match_for_dns_to_tombstone_time
;
628 ret
= ldb_register_extended_match_rule(ldb
,
629 match_for_dns_to_tombstone_time
);
630 if (ret
!= LDB_SUCCESS
) {
631 TALLOC_FREE(match_for_dns_to_tombstone_time
);