2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
8 Copyright (C) Matthieu Patou <mat@matws.net> 2011
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include <ldb_module.h>
27 #include "system/time.h"
28 #include "dsdb/samdb/samdb.h"
30 #include "dsdb/samdb/ldb_modules/util.h"
31 #include "libcli/security/security.h"
32 #include "librpc/ndr/libndr.h"
33 #include "auth/auth.h"
34 #include "param/param.h"
35 #include "lib/messaging/irpc.h"
36 #include "librpc/gen_ndr/ndr_irpc_c.h"
37 #include "lib/tsocket/tsocket.h"
38 #include "cldap_server/cldap_server.h"
40 struct rootdse_private_data {
41 unsigned int num_controls;
43 unsigned int num_partitions;
44 struct ldb_dn **partitions;
48 struct rootdse_context {
49 struct ldb_module *module;
50 struct ldb_request *req;
51 struct ldb_val netlogon;
55 return 1 if a specific attribute has been requested
57 static int do_attribute(const char * const *attrs, const char *name)
59 return attrs == NULL ||
60 ldb_attr_in_list(attrs, name) ||
61 ldb_attr_in_list(attrs, "*");
64 static int do_attribute_explicit(const char * const *attrs, const char *name)
66 return attrs != NULL && ldb_attr_in_list(attrs, name);
71 expand a DN attribute to include extended DN information if requested
73 static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *msg,
74 const char *attrname, struct ldb_control *edn_control,
75 struct ldb_request *req)
77 struct ldb_dn *dn, *dn2;
80 struct ldb_request *req2;
82 const char *no_attrs[] = { NULL };
83 struct ldb_result *res;
84 struct ldb_extended_dn_control *edn;
85 TALLOC_CTX *tmp_ctx = talloc_new(req);
86 struct ldb_context *ldb;
89 struct ldb_message_element *el;
91 ldb = ldb_module_get_ctx(module);
93 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
98 el = ldb_msg_find_element(msg, attrname);
99 if (!el || el->num_values == 0) {
103 for (i = 0; i < el->num_values; i++) {
106 talloc_free(tmp_ctx);
110 dn_string = talloc_strndup(tmp_ctx, (const char *)v->data, v->length);
111 if (dn_string == NULL) {
112 talloc_free(tmp_ctx);
113 return ldb_operr(ldb);
116 res = talloc_zero(tmp_ctx, struct ldb_result);
118 talloc_free(tmp_ctx);
119 return ldb_operr(ldb);
122 dn = ldb_dn_new(tmp_ctx, ldb, dn_string);
124 talloc_free(tmp_ctx);
125 return ldb_operr(ldb);
128 ret = ldb_build_search_req(&req2, ldb, tmp_ctx,
134 res, ldb_search_default_callback,
136 LDB_REQ_SET_LOCATION(req2);
137 if (ret != LDB_SUCCESS) {
138 talloc_free(tmp_ctx);
143 ret = ldb_request_add_control(req2,
144 LDB_CONTROL_EXTENDED_DN_OID,
145 edn_control->critical, edn);
146 if (ret != LDB_SUCCESS) {
147 talloc_free(tmp_ctx);
148 return ldb_error(ldb, ret, "Failed to add control");
151 ret = ldb_next_request(module, req2);
152 if (ret == LDB_SUCCESS) {
153 ret = ldb_wait(req2->handle, LDB_WAIT_ALL);
156 if (ret != LDB_SUCCESS) {
157 talloc_free(tmp_ctx);
161 if (!res || res->count != 1) {
162 talloc_free(tmp_ctx);
163 return ldb_operr(ldb);
166 dn2 = res->msgs[0]->dn;
168 v->data = (uint8_t *)ldb_dn_get_extended_linearized(msg->elements, dn2, edn_type);
169 if (v->data == NULL) {
170 talloc_free(tmp_ctx);
171 return ldb_operr(ldb);
173 v->length = strlen((char *)v->data);
176 talloc_free(tmp_ctx);
182 see if we are master for a FSMO role
184 static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *dn, bool *master,
185 struct ldb_request *parent)
187 const char *attrs[] = { "fSMORoleOwner", NULL };
188 TALLOC_CTX *tmp_ctx = talloc_new(parent);
189 struct ldb_result *res;
191 struct ldb_dn *owner_dn;
193 ret = dsdb_module_search_dn(module, tmp_ctx, &res,
195 DSDB_FLAG_NEXT_MODULE |
196 DSDB_FLAG_AS_SYSTEM |
197 DSDB_SEARCH_SHOW_EXTENDED_DN,
199 if (ret != LDB_SUCCESS) {
200 talloc_free(tmp_ctx);
204 owner_dn = ldb_msg_find_attr_as_dn(ldb_module_get_ctx(module),
205 tmp_ctx, res->msgs[0], "fSMORoleOwner");
208 talloc_free(tmp_ctx);
212 ret = samdb_dn_is_our_ntdsa(ldb_module_get_ctx(module), dn, master);
213 if (ret != LDB_SUCCESS) {
214 ldb_asprintf_errstring(ldb_module_get_ctx(module), "Failed to confirm if our ntdsDsa is %s: %s",
215 ldb_dn_get_linearized(owner_dn), ldb_errstring(ldb_module_get_ctx(module)));
216 talloc_free(tmp_ctx);
220 talloc_free(tmp_ctx);
225 add dynamically generated attributes to rootDSE result
227 static int rootdse_add_dynamic(struct rootdse_context *ac, struct ldb_message *msg)
229 struct ldb_context *ldb;
230 struct rootdse_private_data *priv = talloc_get_type(ldb_module_get_private(ac->module), struct rootdse_private_data);
231 const char * const *attrs = ac->req->op.search.attrs;
233 const struct dsdb_schema *schema;
235 struct ldb_control *edn_control;
236 const char *dn_attrs[] = {
237 "configurationNamingContext",
238 "defaultNamingContext",
239 "rootDomainNamingContext",
240 "schemaNamingContext",
246 const char *guid_attrs[] = {
252 ldb = ldb_module_get_ctx(ac->module);
253 schema = dsdb_get_schema(ldb, NULL);
255 msg->dn = ldb_dn_new(msg, ldb, NULL);
257 /* don't return the distinguishedName, cn and name attributes */
258 ldb_msg_remove_attr(msg, "distinguishedName");
259 ldb_msg_remove_attr(msg, "cn");
260 ldb_msg_remove_attr(msg, "name");
262 if (do_attribute(attrs, "serverName")) {
263 if (ldb_msg_add_linearized_dn(msg, "serverName",
264 samdb_server_dn(ldb, msg)) != LDB_SUCCESS) {
269 if (do_attribute(attrs, "dnsHostName")) {
270 struct ldb_result *res;
272 const char *dns_attrs[] = { "dNSHostName", NULL };
273 ret = dsdb_module_search_dn(ac->module, msg, &res, samdb_server_dn(ldb, msg),
275 DSDB_FLAG_NEXT_MODULE |
278 if (ret == LDB_SUCCESS) {
279 const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
280 if (hostname != NULL) {
281 if (ldb_msg_add_string(msg, "dnsHostName", hostname)) {
288 if (do_attribute(attrs, "ldapServiceName")) {
289 struct loadparm_context *lp_ctx
290 = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
291 struct loadparm_context);
292 char *ldap_service_name, *hostname;
294 hostname = strlower_talloc(msg, lpcfg_netbios_name(lp_ctx));
295 if (hostname == NULL) {
299 ldap_service_name = talloc_asprintf(msg, "%s:%s$@%s",
300 samdb_forest_name(ldb, msg),
301 hostname, lpcfg_realm(lp_ctx));
302 if (ldap_service_name == NULL) {
306 if (ldb_msg_add_string(msg, "ldapServiceName",
307 ldap_service_name) != LDB_SUCCESS) {
312 if (do_attribute(attrs, "currentTime")) {
313 if (ldb_msg_add_steal_string(msg, "currentTime",
314 ldb_timestring(msg, time(NULL))) != LDB_SUCCESS) {
319 if (priv && do_attribute(attrs, "supportedControl")) {
320 for (i = 0; i < priv->num_controls; i++) {
321 char *control = talloc_strdup(msg, priv->controls[i]);
325 if (ldb_msg_add_steal_string(msg, "supportedControl",
326 control) != LDB_SUCCESS) {
332 if (priv && do_attribute(attrs, "namingContexts")) {
333 for (i = 0; i < priv->num_partitions; i++) {
334 struct ldb_dn *dn = priv->partitions[i];
335 if (ldb_msg_add_steal_string(msg, "namingContexts",
336 ldb_dn_alloc_linearized(msg, dn)) != LDB_SUCCESS) {
342 server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
344 if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
345 for (i = 0; server_sasl && server_sasl[i]; i++) {
346 char *sasl_name = talloc_strdup(msg, server_sasl[i]);
350 if (ldb_msg_add_steal_string(msg, "supportedSASLMechanisms",
351 sasl_name) != LDB_SUCCESS) {
357 if (do_attribute(attrs, "highestCommittedUSN")) {
359 int ret = ldb_sequence_number(ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
360 if (ret == LDB_SUCCESS) {
361 if (samdb_msg_add_uint64(ldb, msg, msg,
362 "highestCommittedUSN",
363 seq_num) != LDB_SUCCESS) {
369 if (schema && do_attribute_explicit(attrs, "dsSchemaAttrCount")) {
370 struct dsdb_attribute *cur;
373 for (cur = schema->attributes; cur; cur = cur->next) {
377 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaAttrCount",
383 if (schema && do_attribute_explicit(attrs, "dsSchemaClassCount")) {
384 struct dsdb_class *cur;
387 for (cur = schema->classes; cur; cur = cur->next) {
391 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaClassCount",
397 if (schema && do_attribute_explicit(attrs, "dsSchemaPrefixCount")) {
398 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaPrefixCount",
399 schema->prefixmap->length) != LDB_SUCCESS) {
404 if (do_attribute_explicit(attrs, "validFSMOs")) {
405 struct ldb_dn *dns[3];
407 dns[0] = ldb_get_schema_basedn(ldb);
408 dns[1] = samdb_partitions_dn(ldb, msg);
409 dns[2] = ldb_get_default_basedn(ldb);
411 for (i=0; i<3; i++) {
413 int ret = dsdb_module_we_are_master(ac->module, dns[i], &master, ac->req);
414 if (ret != LDB_SUCCESS) {
417 if (master && ldb_msg_add_fmt(msg, "validFSMOs", "%s",
418 ldb_dn_get_linearized(dns[i])) != LDB_SUCCESS) {
424 if (do_attribute_explicit(attrs, "vendorVersion")) {
425 if (ldb_msg_add_fmt(msg, "vendorVersion",
426 "%s", SAMBA_VERSION_STRING) != LDB_SUCCESS) {
431 if (do_attribute(attrs, "domainFunctionality")) {
432 if (samdb_msg_add_int(ldb, msg, msg, "domainFunctionality",
433 dsdb_functional_level(ldb)) != LDB_SUCCESS) {
438 if (do_attribute(attrs, "forestFunctionality")) {
439 if (samdb_msg_add_int(ldb, msg, msg, "forestFunctionality",
440 dsdb_forest_functional_level(ldb)) != LDB_SUCCESS) {
445 if (do_attribute(attrs, "domainControllerFunctionality")
446 && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) {
447 if (samdb_msg_add_int(ldb, msg, msg,
448 "domainControllerFunctionality",
449 *val) != LDB_SUCCESS) {
454 if (do_attribute(attrs, "isGlobalCatalogReady")) {
455 /* MS-ADTS 3.1.1.3.2.10
456 Note, we should only return true here is we have
457 completed at least one synchronisation. As both
458 provision and vampire do a full sync, this means we
459 can return true is the gc bit is set in the NTDSDSA
461 if (ldb_msg_add_fmt(msg, "isGlobalCatalogReady",
462 "%s", samdb_is_gc(ldb)?"TRUE":"FALSE") != LDB_SUCCESS) {
467 if (do_attribute_explicit(attrs, "tokenGroups")) {
468 /* Obtain the user's session_info */
469 struct auth_session_info *session_info
470 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
471 if (session_info && session_info->security_token) {
472 /* The list of groups this user is in */
473 for (i = 0; i < session_info->security_token->num_sids; i++) {
474 if (samdb_msg_add_dom_sid(ldb, msg, msg,
476 &session_info->security_token->sids[i]) != LDB_SUCCESS) {
483 if (ac->netlogon.length > 0) {
484 if (ldb_msg_add_steal_value(msg, "netlogon", &ac->netlogon) != LDB_SUCCESS) {
489 /* TODO: lots more dynamic attributes should be added here */
491 edn_control = ldb_request_get_control(ac->req, LDB_CONTROL_EXTENDED_DN_OID);
493 /* convert any GUID attributes to be in the right form */
494 for (i=0; guid_attrs[i]; i++) {
495 struct ldb_result *res;
496 struct ldb_message_element *el;
497 struct ldb_dn *attr_dn;
498 const char *no_attrs[] = { NULL };
501 if (!do_attribute(attrs, guid_attrs[i])) continue;
503 attr_dn = ldb_msg_find_attr_as_dn(ldb, ac->req, msg, guid_attrs[i]);
504 if (attr_dn == NULL) {
508 ret = dsdb_module_search_dn(ac->module, ac->req, &res,
510 DSDB_FLAG_NEXT_MODULE |
511 DSDB_FLAG_AS_SYSTEM |
512 DSDB_SEARCH_SHOW_EXTENDED_DN,
514 if (ret != LDB_SUCCESS) {
515 return ldb_operr(ldb);
518 el = ldb_msg_find_element(msg, guid_attrs[i]);
520 return ldb_operr(ldb);
523 talloc_steal(el->values, res->msgs[0]->dn);
525 struct ldb_extended_dn_control *edn;
527 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
529 edn_type = edn->type;
531 el->values[0].data = (uint8_t *)ldb_dn_get_extended_linearized(el->values,
535 el->values[0].data = (uint8_t *)talloc_strdup(el->values,
536 ldb_dn_get_linearized(res->msgs[0]->dn));
538 if (el->values[0].data == NULL) {
541 el->values[0].length = strlen((const char *)el->values[0].data);
544 /* if the client sent us the EXTENDED_DN control then we need
545 to expand the DNs to have GUID and SID. W2K8 join relies on
549 for (i=0; dn_attrs[i]; i++) {
550 if (!do_attribute(attrs, dn_attrs[i])) continue;
551 ret = expand_dn_in_message(ac->module, msg, dn_attrs[i],
552 edn_control, ac->req);
553 if (ret != LDB_SUCCESS) {
554 DEBUG(0,(__location__ ": Failed to expand DN in rootDSE for %s\n",
564 return ldb_operr(ldb);
568 handle search requests
571 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
572 struct ldb_request *req)
574 struct ldb_context *ldb;
575 struct rootdse_context *ac;
577 ldb = ldb_module_get_ctx(module);
579 ac = talloc_zero(req, struct rootdse_context);
581 ldb_set_errstring(ldb, "Out of Memory");
591 static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
593 struct rootdse_context *ac;
596 ac = talloc_get_type(req->context, struct rootdse_context);
599 return ldb_module_done(ac->req, NULL, NULL,
600 LDB_ERR_OPERATIONS_ERROR);
602 if (ares->error != LDB_SUCCESS) {
603 return ldb_module_done(ac->req, ares->controls,
604 ares->response, ares->error);
607 switch (ares->type) {
608 case LDB_REPLY_ENTRY:
609 /* for each record returned post-process to add any dynamic
610 attributes that have been asked for */
611 ret = rootdse_add_dynamic(ac, ares->message);
612 if (ret != LDB_SUCCESS) {
614 return ldb_module_done(ac->req, NULL, NULL, ret);
617 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
619 case LDB_REPLY_REFERRAL:
620 /* should we allow the backend to return referrals in this case
625 return ldb_module_done(ac->req, ares->controls,
626 ares->response, ares->error);
634 filter from controls from clients in several ways
636 1) mark our registered controls as non-critical in the request
638 This is needed as clients may mark controls as critical even if
639 they are not needed at all in a request. For example, the centrify
640 client sets the SD_FLAGS control as critical on ldap modify
641 requests which are setting the dNSHostName attribute on the
642 machine account. That request doesn't need SD_FLAGS at all, but
643 centrify adds it on all ldap requests.
645 2) if this request is untrusted then remove any non-registered
646 controls that are non-critical
648 This is used on ldap:// connections to prevent remote users from
649 setting an internal control that may be dangerous
651 3) if this request is untrusted then fail any request that includes
652 a critical non-registered control
654 static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request *req)
657 struct rootdse_private_data *priv = talloc_get_type(ldb_module_get_private(module), struct rootdse_private_data);
660 if (!req->controls) {
664 is_untrusted = ldb_req_is_untrusted(req);
666 for (i=0; req->controls[i]; i++) {
667 bool is_registered = false;
668 bool is_critical = (req->controls[i]->critical != 0);
670 if (req->controls[i]->oid == NULL) {
674 if (is_untrusted || is_critical) {
675 for (j=0; j<priv->num_controls; j++) {
676 if (strcasecmp(priv->controls[j], req->controls[i]->oid) == 0) {
677 is_registered = true;
683 if (is_untrusted && !is_registered) {
685 /* remove it by marking the oid NULL */
686 req->controls[i]->oid = NULL;
687 req->controls[i]->data = NULL;
688 req->controls[i]->critical = 0;
691 /* its a critical unregistered control - give
693 ldb_asprintf_errstring(ldb_module_get_ctx(module),
694 "Attempt to use critical non-registered control '%s'",
695 req->controls[i]->oid);
696 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
703 /* If the control is DIRSYNC control then we keep the critical
704 * flag as the dirsync module will need to act upon it
706 if (is_registered && strcmp(req->controls[i]->oid,
707 LDB_CONTROL_DIRSYNC_OID)!= 0) {
708 req->controls[i]->critical = 0;
715 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
717 static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req)
719 struct auth_session_info *session_info;
720 struct rootdse_private_data *priv = talloc_get_type(ldb_module_get_private(module), struct rootdse_private_data);
721 bool is_untrusted = ldb_req_is_untrusted(req);
722 bool is_anonymous = true;
723 if (is_untrusted == false) {
727 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
729 is_anonymous = security_token_is_anonymous(session_info->security_token);
732 if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
736 if (req->operation == LDB_SEARCH) {
737 if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
741 ldb_set_errstring(ldb_module_get_ctx(module), "Operation unavailable without authentication");
742 return LDB_ERR_OPERATIONS_ERROR;
745 static int rootdse_handle_netlogon(struct rootdse_context *ac)
747 struct ldb_context *ldb;
748 struct ldb_parse_tree *tree;
749 struct loadparm_context *lp_ctx;
750 struct tsocket_address *src_addr;
751 TALLOC_CTX *tmp_ctx = talloc_new(ac->req);
752 const char *domain, *host, *user, *domain_guid;
753 char *src_addr_s = NULL;
754 struct dom_sid *domain_sid;
755 int acct_control = -1;
758 struct netlogon_samlogon_response netlogon;
759 int ret = LDB_ERR_OPERATIONS_ERROR;
761 ldb = ldb_module_get_ctx(ac->module);
762 tree = ac->req->op.search.tree;
763 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
764 struct loadparm_context);
765 src_addr = talloc_get_type(ldb_get_opaque(ldb, "remoteAddress"),
766 struct tsocket_address);
768 src_addr_s = tsocket_address_inet_addr_string(src_addr,
772 status = parse_netlogon_request(tree, lp_ctx, tmp_ctx,
773 &domain, &host, &user, &domain_guid,
774 &domain_sid, &acct_control, &version);
775 if (!NT_STATUS_IS_OK(status)) {
779 status = fill_netlogon_samlogon_response(ldb, tmp_ctx,
780 domain, NULL, domain_sid,
786 if (!NT_STATUS_IS_OK(status)) {
790 status = push_netlogon_samlogon_response(&ac->netlogon, ac, &netlogon);
791 if (!NT_STATUS_IS_OK(status)) {
797 talloc_free(tmp_ctx);
801 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
803 struct ldb_context *ldb;
804 struct rootdse_context *ac;
805 struct ldb_request *down_req;
808 ret = rootdse_filter_operations(module, req);
809 if (ret != LDB_SUCCESS) {
813 ret = rootdse_filter_controls(module, req);
814 if (ret != LDB_SUCCESS) {
818 ldb = ldb_module_get_ctx(module);
820 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
821 if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
822 /* Otherwise, pass down to the rest of the stack */
823 return ldb_next_request(module, req);
826 ac = rootdse_init_context(module, req);
828 return ldb_operr(ldb);
831 if (do_attribute_explicit(req->op.search.attrs, "netlogon")) {
832 ret = rootdse_handle_netlogon(ac);
833 /* We have to return an empty result, so dont forward `ret' */
834 if (ret != LDB_SUCCESS) {
835 return ldb_module_done(ac->req, NULL, NULL, LDB_SUCCESS);
839 /* in our db we store the rootDSE with a DN of @ROOTDSE */
840 ret = ldb_build_search_req(&down_req, ldb, ac,
841 ldb_dn_new(ac, ldb, "@ROOTDSE"),
844 req->op.search.attrs,
845 NULL,/* for now skip the controls from the client */
846 ac, rootdse_callback,
848 LDB_REQ_SET_LOCATION(down_req);
849 if (ret != LDB_SUCCESS) {
853 return ldb_next_request(module, down_req);
856 static int rootdse_register_control(struct ldb_module *module, struct ldb_request *req)
858 struct rootdse_private_data *priv = talloc_get_type(ldb_module_get_private(module), struct rootdse_private_data);
861 list = talloc_realloc(priv, priv->controls, char *, priv->num_controls + 1);
863 return ldb_oom(ldb_module_get_ctx(module));
866 list[priv->num_controls] = talloc_strdup(list, req->op.reg_control.oid);
867 if (!list[priv->num_controls]) {
868 return ldb_oom(ldb_module_get_ctx(module));
871 priv->num_controls += 1;
872 priv->controls = list;
874 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
877 static int rootdse_register_partition(struct ldb_module *module, struct ldb_request *req)
879 struct rootdse_private_data *priv = talloc_get_type(ldb_module_get_private(module), struct rootdse_private_data);
880 struct ldb_dn **list;
882 list = talloc_realloc(priv, priv->partitions, struct ldb_dn *, priv->num_partitions + 1);
884 return ldb_oom(ldb_module_get_ctx(module));
887 list[priv->num_partitions] = ldb_dn_copy(list, req->op.reg_partition.dn);
888 if (!list[priv->num_partitions]) {
889 return ldb_operr(ldb_module_get_ctx(module));
892 priv->num_partitions += 1;
893 priv->partitions = list;
895 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
899 static int rootdse_request(struct ldb_module *module, struct ldb_request *req)
901 switch (req->operation) {
903 case LDB_REQ_REGISTER_CONTROL:
904 return rootdse_register_control(module, req);
905 case LDB_REQ_REGISTER_PARTITION:
906 return rootdse_register_partition(module, req);
911 return ldb_next_request(module, req);
914 static int rootdse_init(struct ldb_module *module)
917 struct ldb_context *ldb;
918 struct ldb_result *res;
919 struct rootdse_private_data *data;
920 const char *attrs[] = { "msDS-Behavior-Version", NULL };
921 const char *ds_attrs[] = { "dsServiceName", NULL };
924 ldb = ldb_module_get_ctx(module);
926 data = talloc_zero(module, struct rootdse_private_data);
931 data->num_controls = 0;
932 data->controls = NULL;
933 data->num_partitions = 0;
934 data->partitions = NULL;
935 data->block_anonymous = true;
937 ldb_module_set_private(module, data);
939 ldb_set_default_dns(ldb);
941 ret = ldb_next_init(module);
943 if (ret != LDB_SUCCESS) {
947 mem_ctx = talloc_new(data);
952 /* Now that the partitions are set up, do a search for:
953 - domainControllerFunctionality
954 - domainFunctionality
955 - forestFunctionality
957 Then stuff these values into an opaque
959 ret = dsdb_module_search(module, mem_ctx, &res,
960 ldb_get_default_basedn(ldb),
961 LDB_SCOPE_BASE, attrs,
962 DSDB_FLAG_NEXT_MODULE |
965 if (ret == LDB_SUCCESS && res->count == 1) {
966 int domain_behaviour_version
967 = ldb_msg_find_attr_as_int(res->msgs[0],
968 "msDS-Behavior-Version", -1);
969 if (domain_behaviour_version != -1) {
970 int *val = talloc(ldb, int);
972 talloc_free(mem_ctx);
975 *val = domain_behaviour_version;
976 ret = ldb_set_opaque(ldb, "domainFunctionality", val);
977 if (ret != LDB_SUCCESS) {
978 talloc_free(mem_ctx);
984 ret = dsdb_module_search(module, mem_ctx, &res,
985 samdb_partitions_dn(ldb, mem_ctx),
986 LDB_SCOPE_BASE, attrs,
987 DSDB_FLAG_NEXT_MODULE |
990 if (ret == LDB_SUCCESS && res->count == 1) {
991 int forest_behaviour_version
992 = ldb_msg_find_attr_as_int(res->msgs[0],
993 "msDS-Behavior-Version", -1);
994 if (forest_behaviour_version != -1) {
995 int *val = talloc(ldb, int);
997 talloc_free(mem_ctx);
1000 *val = forest_behaviour_version;
1001 ret = ldb_set_opaque(ldb, "forestFunctionality", val);
1002 if (ret != LDB_SUCCESS) {
1003 talloc_free(mem_ctx);
1009 /* For now, our own server's location in the DB is recorded in
1010 * the @ROOTDSE record */
1011 ret = dsdb_module_search(module, mem_ctx, &res,
1012 ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
1013 LDB_SCOPE_BASE, ds_attrs,
1014 DSDB_FLAG_NEXT_MODULE |
1015 DSDB_FLAG_AS_SYSTEM,
1017 if (ret == LDB_SUCCESS && res->count == 1) {
1018 struct ldb_dn *ds_dn
1019 = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
1022 ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
1023 LDB_SCOPE_BASE, attrs,
1024 DSDB_FLAG_NEXT_MODULE |
1025 DSDB_FLAG_AS_SYSTEM,
1027 if (ret == LDB_SUCCESS && res->count == 1) {
1028 int domain_controller_behaviour_version
1029 = ldb_msg_find_attr_as_int(res->msgs[0],
1030 "msDS-Behavior-Version", -1);
1031 if (domain_controller_behaviour_version != -1) {
1032 int *val = talloc(ldb, int);
1034 talloc_free(mem_ctx);
1035 return ldb_oom(ldb);
1037 *val = domain_controller_behaviour_version;
1038 ret = ldb_set_opaque(ldb,
1039 "domainControllerFunctionality", val);
1040 if (ret != LDB_SUCCESS) {
1041 talloc_free(mem_ctx);
1049 data->block_anonymous = dsdb_block_anonymous_ops(module, NULL);
1051 talloc_free(mem_ctx);
1057 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
1058 * to a DN and a GUID object
1060 static int get_optional_feature_dn_guid(struct ldb_request *req, struct ldb_context *ldb,
1061 TALLOC_CTX *mem_ctx,
1062 struct ldb_dn **op_feature_scope_dn,
1063 struct GUID *op_feature_guid)
1065 const struct ldb_message *msg = req->op.mod.message;
1066 const char *ldb_val_str;
1068 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1071 ldb_val_str = ldb_msg_find_attr_as_string(msg, "enableOptionalFeature", NULL);
1073 ldb_set_errstring(ldb,
1074 "rootdse: unable to find 'enableOptionalFeature'!");
1075 return LDB_ERR_UNWILLING_TO_PERFORM;
1078 guid = strchr(ldb_val_str, ':');
1080 ldb_set_errstring(ldb,
1081 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
1082 return LDB_ERR_UNWILLING_TO_PERFORM;
1084 status = GUID_from_string(guid+1, op_feature_guid);
1085 if (!NT_STATUS_IS_OK(status)) {
1086 ldb_set_errstring(ldb,
1087 "rootdse: bad GUID in 'enableOptionalFeature'!");
1088 return LDB_ERR_UNWILLING_TO_PERFORM;
1091 dn = talloc_strndup(tmp_ctx, ldb_val_str, guid-ldb_val_str);
1093 ldb_set_errstring(ldb,
1094 "rootdse: bad DN in 'enableOptionalFeature'!");
1095 return LDB_ERR_UNWILLING_TO_PERFORM;
1098 *op_feature_scope_dn = ldb_dn_new(mem_ctx, ldb, dn);
1100 talloc_free(tmp_ctx);
1105 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
1106 * ldb_message object.
1108 static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_context *ldb,
1109 TALLOC_CTX *mem_ctx, struct GUID op_feature_guid, struct ldb_message **msg,
1110 struct ldb_request *parent)
1112 struct ldb_result *res;
1113 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1116 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
1118 DSDB_FLAG_NEXT_MODULE |
1119 DSDB_FLAG_AS_SYSTEM |
1120 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
1122 "(&(objectClass=msDS-OptionalFeature)"
1123 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
1125 if (ret != LDB_SUCCESS) {
1126 talloc_free(tmp_ctx);
1129 if (res->count == 0) {
1130 talloc_free(tmp_ctx);
1131 return LDB_ERR_NO_SUCH_OBJECT;
1133 if (res->count != 1) {
1134 ldb_asprintf_errstring(ldb,
1135 "More than one object found matching optional feature GUID %s\n",
1136 GUID_string(tmp_ctx, &op_feature_guid));
1137 talloc_free(tmp_ctx);
1138 return LDB_ERR_OPERATIONS_ERROR;
1141 *msg = talloc_steal(mem_ctx, res->msgs[0]);
1143 talloc_free(tmp_ctx);
1147 static int rootdse_enable_recycle_bin(struct ldb_module *module,struct ldb_context *ldb,
1148 TALLOC_CTX *mem_ctx, struct ldb_dn *op_feature_scope_dn,
1149 struct ldb_message *op_feature_msg, struct ldb_request *parent)
1152 const int domain_func_level = dsdb_functional_level(ldb);
1153 struct ldb_dn *ntds_settings_dn;
1154 TALLOC_CTX *tmp_ctx;
1155 unsigned int el_count = 0;
1156 struct ldb_message *msg;
1158 ret = ldb_msg_find_attr_as_int(op_feature_msg, "msDS-RequiredForestBehaviorVersion", 0);
1159 if (domain_func_level < ret){
1160 ldb_asprintf_errstring(ldb,
1161 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
1163 return LDB_ERR_UNWILLING_TO_PERFORM;
1166 tmp_ctx = talloc_new(mem_ctx);
1167 ntds_settings_dn = samdb_ntds_settings_dn(ldb, tmp_ctx);
1168 if (!ntds_settings_dn) {
1169 talloc_free(tmp_ctx);
1170 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to find NTDS settings DN");
1173 ntds_settings_dn = ldb_dn_copy(tmp_ctx, ntds_settings_dn);
1174 if (!ntds_settings_dn) {
1175 talloc_free(tmp_ctx);
1176 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "Failed to copy NTDS settings DN");
1179 msg = ldb_msg_new(tmp_ctx);
1180 msg->dn = ntds_settings_dn;
1182 ldb_msg_add_linearized_dn(msg, "msDS-EnabledFeature", op_feature_msg->dn);
1183 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
1185 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1186 if (ret != LDB_SUCCESS) {
1187 ldb_asprintf_errstring(ldb,
1188 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1189 ldb_dn_get_linearized(ntds_settings_dn),
1190 ldb_errstring(ldb));
1191 talloc_free(tmp_ctx);
1195 msg->dn = op_feature_scope_dn;
1196 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1197 if (ret != LDB_SUCCESS) {
1198 ldb_asprintf_errstring(ldb,
1199 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1200 ldb_dn_get_linearized(op_feature_scope_dn),
1201 ldb_errstring(ldb));
1202 talloc_free(tmp_ctx);
1209 static int rootdse_enableoptionalfeature(struct ldb_module *module, struct ldb_request *req)
1213 - check for system (only system can enable features)
1214 - extract GUID from the request
1215 - find the feature object
1216 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1217 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1218 - add/modify objects (see ntdsconnection code for an example)
1221 struct ldb_context *ldb = ldb_module_get_ctx(module);
1222 struct GUID op_feature_guid;
1223 struct ldb_dn *op_feature_scope_dn;
1224 struct ldb_message *op_feature_msg;
1225 struct auth_session_info *session_info =
1226 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
1227 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1229 const char *guid_string;
1231 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
1232 ldb_set_errstring(ldb, "rootdse: Insufficient rights for enableoptionalfeature");
1233 return LDB_ERR_UNWILLING_TO_PERFORM;
1236 ret = get_optional_feature_dn_guid(req, ldb, tmp_ctx, &op_feature_scope_dn, &op_feature_guid);
1237 if (ret != LDB_SUCCESS) {
1238 talloc_free(tmp_ctx);
1242 guid_string = GUID_string(tmp_ctx, &op_feature_guid);
1244 ldb_set_errstring(ldb, "rootdse: bad optional feature GUID");
1245 return LDB_ERR_UNWILLING_TO_PERFORM;
1248 ret = dsdb_find_optional_feature(module, ldb, tmp_ctx, op_feature_guid, &op_feature_msg, req);
1249 if (ret != LDB_SUCCESS) {
1250 ldb_asprintf_errstring(ldb,
1251 "rootdse: unable to find optional feature for %s - %s",
1252 guid_string, ldb_errstring(ldb));
1253 talloc_free(tmp_ctx);
1257 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN, guid_string) == 0) {
1258 ret = rootdse_enable_recycle_bin(module, ldb,
1259 tmp_ctx, op_feature_scope_dn,
1260 op_feature_msg, req);
1262 ldb_asprintf_errstring(ldb,
1263 "rootdse: unknown optional feature %s",
1265 talloc_free(tmp_ctx);
1266 return LDB_ERR_UNWILLING_TO_PERFORM;
1268 if (ret != LDB_SUCCESS) {
1269 ldb_asprintf_errstring(ldb,
1270 "rootdse: failed to set optional feature for %s - %s",
1271 guid_string, ldb_errstring(ldb));
1272 talloc_free(tmp_ctx);
1276 talloc_free(tmp_ctx);
1277 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);;
1280 static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request *req)
1282 struct ldb_context *ldb = ldb_module_get_ctx(module);
1283 struct ldb_result *ext_res;
1285 struct ldb_dn *schema_dn;
1287 schema_dn = ldb_get_schema_basedn(ldb);
1289 ldb_reset_err_string(ldb);
1290 ldb_debug(ldb, LDB_DEBUG_WARNING,
1291 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1292 return ldb_next_request(module, req);
1295 ret = ldb_extended(ldb, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID, schema_dn, &ext_res);
1296 if (ret != LDB_SUCCESS) {
1297 return ldb_operr(ldb);
1300 talloc_free(ext_res);
1301 return ldb_module_done(req, NULL, NULL, ret);
1304 static int rootdse_schemaupgradeinprogress(struct ldb_module *module, struct ldb_request *req)
1306 struct ldb_context *ldb = ldb_module_get_ctx(module);
1307 int ret = LDB_SUCCESS;
1308 struct ldb_dn *schema_dn;
1310 schema_dn = ldb_get_schema_basedn(ldb);
1312 ldb_reset_err_string(ldb);
1313 ldb_debug(ldb, LDB_DEBUG_WARNING,
1314 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1315 return ldb_next_request(module, req);
1318 /* FIXME we have to do something in order to relax constraints for DRS
1319 * setting schemaUpgradeInProgress cause the fschemaUpgradeInProgress
1320 * in all LDAP connection (2K3/2K3R2) or in the current connection (2K8 and +)
1321 * to be set to true.
1324 /* from 5.113 LDAPConnections in DRSR.pdf
1325 * fschemaUpgradeInProgress: A Boolean that specifies certain constraint
1326 * validations are skipped when adding, updating, or removing directory
1327 * objects on the opened connection. The skipped constraint validations
1328 * are documented in the applicable constraint sections in [MS-ADTS].
1330 return ldb_module_done(req, NULL, NULL, ret);
1333 static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
1335 struct ldb_context *ldb = ldb_module_get_ctx(module);
1338 ret = rootdse_filter_operations(module, req);
1339 if (ret != LDB_SUCCESS) {
1343 ret = rootdse_filter_controls(module, req);
1344 if (ret != LDB_SUCCESS) {
1349 If dn is not "" we should let it pass through
1351 if (!ldb_dn_is_null(req->op.add.message->dn)) {
1352 return ldb_next_request(module, req);
1355 ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
1356 return LDB_ERR_NAMING_VIOLATION;
1359 struct fsmo_transfer_state {
1360 struct ldb_context *ldb;
1361 struct ldb_request *req;
1362 struct ldb_module *module;
1366 called when a FSMO transfer operation has completed
1368 static void rootdse_fsmo_transfer_callback(struct tevent_req *treq)
1370 struct fsmo_transfer_state *fsmo = tevent_req_callback_data(treq, struct fsmo_transfer_state);
1374 struct ldb_request *req = fsmo->req;
1375 struct ldb_context *ldb = fsmo->ldb;
1376 struct ldb_module *module = fsmo->module;
1378 status = dcerpc_drepl_takeFSMORole_recv(treq, fsmo, &werr);
1380 if (!NT_STATUS_IS_OK(status)) {
1381 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", nt_errstr(status));
1383 * Now that it is failed, start the transaction up
1384 * again so the wrappers can close it without additional error
1386 ldb_next_start_trans(module);
1387 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1390 if (!W_ERROR_IS_OK(werr)) {
1391 ldb_asprintf_errstring(ldb, "Failed FSMO transfer: %s", win_errstr(werr));
1393 * Now that it is failed, start the transaction up
1394 * again so the wrappers can close it without additional error
1396 ldb_next_start_trans(module);
1397 ldb_module_done(req, NULL, NULL, LDB_ERR_UNAVAILABLE);
1402 * Now that it is done, start the transaction up again so the
1403 * wrappers can close it without error
1405 ret = ldb_next_start_trans(module);
1406 ldb_module_done(req, NULL, NULL, ret);
1409 static int rootdse_become_master(struct ldb_module *module,
1410 struct ldb_request *req,
1411 enum drepl_role_master role)
1413 struct imessaging_context *msg;
1414 struct ldb_context *ldb = ldb_module_get_ctx(module);
1415 TALLOC_CTX *tmp_ctx = talloc_new(req);
1416 struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
1418 struct dcerpc_binding_handle *irpc_handle;
1420 struct auth_session_info *session_info;
1421 enum security_user_level level;
1422 struct fsmo_transfer_state *fsmo;
1423 struct tevent_req *treq;
1425 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
1426 level = security_session_user_level(session_info, NULL);
1427 if (level < SECURITY_ADMINISTRATOR) {
1428 return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS, "Denied rootDSE modify for non-administrator");
1431 ret = samdb_rodc(ldb, &am_rodc);
1432 if (ret != LDB_SUCCESS) {
1433 return ldb_error(ldb, ret, "Could not determine if server is RODC.");
1437 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1438 "RODC cannot become a role master.");
1442 * We always delete the transaction, not commit it, because
1443 * this gives the least supprise to this supprising action (as
1444 * we will never record anything done to this point
1446 ldb_next_del_trans(module);
1448 msg = imessaging_client_init(tmp_ctx, lp_ctx,
1449 ldb_get_event_context(ldb));
1451 ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s", lpcfg_imessaging_path(tmp_ctx, lp_ctx));
1452 return LDB_ERR_OPERATIONS_ERROR;
1454 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
1457 if (irpc_handle == NULL) {
1458 return ldb_oom(ldb);
1460 fsmo = talloc_zero(req, struct fsmo_transfer_state);
1462 return ldb_oom(ldb);
1466 fsmo->module = module;
1469 * we send the call asynchronously, as the ldap client is
1470 * expecting to get an error back if the role transfer fails
1472 * We need more than the default 10 seconds IRPC allows, so
1473 * set a longer timeout (default ldb timeout is 300 seconds).
1474 * We send an async reply when we are done.
1476 * We are the first module, so don't bother working out how
1477 * long we have spent so far.
1479 dcerpc_binding_handle_set_timeout(irpc_handle, req->timeout);
1481 treq = dcerpc_drepl_takeFSMORole_send(req, ldb_get_event_context(ldb), irpc_handle, role);
1483 return ldb_oom(ldb);
1486 tevent_req_set_callback(treq, rootdse_fsmo_transfer_callback, fsmo);
1490 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
1492 struct ldb_context *ldb = ldb_module_get_ctx(module);
1495 ret = rootdse_filter_operations(module, req);
1496 if (ret != LDB_SUCCESS) {
1500 ret = rootdse_filter_controls(module, req);
1501 if (ret != LDB_SUCCESS) {
1506 If dn is not "" we should let it pass through
1508 if (!ldb_dn_is_null(req->op.mod.message->dn)) {
1509 return ldb_next_request(module, req);
1513 dn is empty so check for schemaUpdateNow attribute
1514 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1516 if (ldb_msg_find_element(req->op.mod.message, "schemaUpdateNow")) {
1517 return rootdse_schemaupdatenow(module, req);
1519 if (ldb_msg_find_element(req->op.mod.message, "becomeDomainMaster")) {
1520 return rootdse_become_master(module, req, DREPL_NAMING_MASTER);
1522 if (ldb_msg_find_element(req->op.mod.message, "becomeInfrastructureMaster")) {
1523 return rootdse_become_master(module, req, DREPL_INFRASTRUCTURE_MASTER);
1525 if (ldb_msg_find_element(req->op.mod.message, "becomeRidMaster")) {
1526 return rootdse_become_master(module, req, DREPL_RID_MASTER);
1528 if (ldb_msg_find_element(req->op.mod.message, "becomeSchemaMaster")) {
1529 return rootdse_become_master(module, req, DREPL_SCHEMA_MASTER);
1531 if (ldb_msg_find_element(req->op.mod.message, "becomePdc")) {
1532 return rootdse_become_master(module, req, DREPL_PDC_MASTER);
1534 if (ldb_msg_find_element(req->op.mod.message, "enableOptionalFeature")) {
1535 return rootdse_enableoptionalfeature(module, req);
1537 if (ldb_msg_find_element(req->op.mod.message, "schemaUpgradeInProgress")) {
1538 return rootdse_schemaupgradeinprogress(module, req);
1541 ldb_set_errstring(ldb, "rootdse_modify: unknown attribute to change!");
1542 return LDB_ERR_UNWILLING_TO_PERFORM;
1545 static int rootdse_rename(struct ldb_module *module, struct ldb_request *req)
1547 struct ldb_context *ldb = ldb_module_get_ctx(module);
1550 ret = rootdse_filter_operations(module, req);
1551 if (ret != LDB_SUCCESS) {
1555 ret = rootdse_filter_controls(module, req);
1556 if (ret != LDB_SUCCESS) {
1561 If dn is not "" we should let it pass through
1563 if (!ldb_dn_is_null(req->op.rename.olddn)) {
1564 return ldb_next_request(module, req);
1567 ldb_set_errstring(ldb, "rootdse_remove: you cannot rename the rootdse entry!");
1568 return LDB_ERR_NO_SUCH_OBJECT;
1571 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
1573 struct ldb_context *ldb = ldb_module_get_ctx(module);
1576 ret = rootdse_filter_operations(module, req);
1577 if (ret != LDB_SUCCESS) {
1581 ret = rootdse_filter_controls(module, req);
1582 if (ret != LDB_SUCCESS) {
1587 If dn is not "" we should let it pass through
1589 if (!ldb_dn_is_null(req->op.del.dn)) {
1590 return ldb_next_request(module, req);
1593 ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
1594 return LDB_ERR_NO_SUCH_OBJECT;
1597 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
1601 ret = rootdse_filter_operations(module, req);
1602 if (ret != LDB_SUCCESS) {
1606 ret = rootdse_filter_controls(module, req);
1607 if (ret != LDB_SUCCESS) {
1611 return ldb_next_request(module, req);
1614 static const struct ldb_module_ops ldb_rootdse_module_ops = {
1616 .init_context = rootdse_init,
1617 .search = rootdse_search,
1618 .request = rootdse_request,
1620 .modify = rootdse_modify,
1621 .rename = rootdse_rename,
1622 .extended = rootdse_extended,
1623 .del = rootdse_delete
1626 int ldb_rootdse_module_init(const char *version)
1628 LDB_MODULE_CHECK_VERSION(version);
1629 return ldb_register_module(&ldb_rootdse_module_ops);
git.samba.org / samba.git / blob