4 Copyright (C) Simo Sorce 2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: objectClass sorting module
26 * Description: sort the objectClass attribute into the class hierarchy
28 * Author: Andrew Bartlett
33 #include "ldb/include/ldb.h"
34 #include "ldb/include/ldb_errors.h"
35 #include "ldb/include/ldb_private.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "lib/util/dlinklist.h"
38 #include "librpc/ndr/libndr.h"
39 #include "librpc/gen_ndr/ndr_security.h"
40 #include "libcli/security/security.h"
41 #include "auth/auth.h"
45 enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step;
47 struct ldb_module *module;
48 struct ldb_request *orig_req;
50 struct ldb_request *down_req;
52 struct ldb_request *search_req;
53 struct ldb_reply *search_res;
55 struct ldb_request *mod_req;
59 struct class_list *prev, *next;
60 const char *objectclass;
63 static struct ldb_handle *oc_init_handle(struct ldb_request *req, struct ldb_module *module)
65 struct oc_context *ac;
68 h = talloc_zero(req, struct ldb_handle);
70 ldb_set_errstring(module->ldb, "Out of Memory");
76 ac = talloc_zero(h, struct oc_context);
78 ldb_set_errstring(module->ldb, "Out of Memory");
83 h->private_data = (void *)ac;
85 h->state = LDB_ASYNC_INIT;
86 h->status = LDB_SUCCESS;
94 static int objectclass_sort(struct ldb_module *module,
96 struct ldb_message_element *objectclass_element,
97 struct class_list **sorted_out)
101 const struct dsdb_schema *schema = dsdb_get_schema(module->ldb);
102 struct class_list *sorted = NULL, *parent_class = NULL,
103 *subclass = NULL, *unsorted = NULL, *current, *poss_subclass;
106 * We work on 4 different 'bins' (implemented here as linked lists):
108 * * sorted: the eventual list, in the order we wish to push
109 * into the database. This is the only ordered list.
111 * * parent_class: The current parent class 'bin' we are
112 * trying to find subclasses for
114 * * subclass: The subclasses we have found so far
116 * * unsorted: The remaining objectClasses
118 * The process is a matter of filtering objectClasses up from
119 * unsorted into sorted. Order is irrelevent in the later 3 'bins'.
121 * We start with 'top' (found and promoted to parent_class
122 * initially). Then we find (in unsorted) all the direct
123 * subclasses of 'top'. parent_classes is concatenated onto
124 * the end of 'sorted', and subclass becomes the list in
127 * We then repeat, until we find no more subclasses. Any left
128 * over classes are added to the end.
132 /* Firstly, dump all the objectClass elements into the
133 * unsorted bin, except for 'top', which is special */
134 for (i=0; i < objectclass_element->num_values; i++) {
135 current = talloc(mem_ctx, struct class_list);
137 ldb_set_errstring(module->ldb, "objectclass: out of memory allocating objectclass list");
138 talloc_free(mem_ctx);
139 return LDB_ERR_OPERATIONS_ERROR;
141 current->objectclass = (const char *)objectclass_element->values[i].data;
143 /* this is the root of the tree. We will start
144 * looking for subclasses from here */
145 if (ldb_attr_cmp("top", current->objectclass) == 0) {
146 DLIST_ADD_END(parent_class, current, struct class_list *);
148 DLIST_ADD_END(unsorted, current, struct class_list *);
152 /* DEBUGGING aid: how many layers are we down now? */
156 /* Find all the subclasses of classes in the
157 * parent_classes. Push them onto the subclass list */
159 /* Ensure we don't bother if there are no unsorted entries left */
160 for (current = parent_class; schema && unsorted && current; current = current->next) {
161 /* Walk the list of possible subclasses in unsorted */
162 for (poss_subclass = unsorted; poss_subclass; ) {
163 const struct dsdb_class *class = dsdb_class_by_lDAPDisplayName(schema, poss_subclass->objectclass);
164 struct class_list *next;
166 /* Save the next pointer, as the DLIST_ macros will change poss_subclass->next */
167 next = poss_subclass->next;
169 if (class && ldb_attr_cmp(class->subClassOf, current->objectclass) == 0) {
170 DLIST_REMOVE(unsorted, poss_subclass);
171 DLIST_ADD(subclass, poss_subclass);
175 poss_subclass = next;
179 /* Now push the parent_classes as sorted, we are done with
180 these. Add to the END of the list by concatenation */
181 DLIST_CONCATENATE(sorted, parent_class, struct class_list *);
183 /* and now find subclasses of these */
184 parent_class = subclass;
187 /* If we didn't find any subclasses we will fall out
189 } while (parent_class);
191 /* This shouldn't happen, and would break MMC, but we can't
192 * afford to loose objectClasses. Perhaps there was no 'top',
193 * or some other schema error?
195 * Detecting schema errors is the job of the schema module, so
196 * at this layer we just try not to loose data
198 DLIST_CONCATENATE(sorted, unsorted, struct class_list *);
200 *sorted_out = sorted;
204 static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
205 const struct dsdb_class *objectclass)
208 DATA_BLOB *linear_sd;
209 struct auth_session_info *session_info
210 = ldb_get_opaque(module->ldb, "sessionInfo");
211 struct security_descriptor *sd
212 = sddl_decode(mem_ctx,
213 objectclass->defaultSecurityDescriptor,
214 samdb_domain_sid(module->ldb));
216 if (!session_info || !session_info->security_token) {
220 sd->owner_sid = session_info->security_token->user_sid;
221 sd->group_sid = session_info->security_token->group_sid;
223 linear_sd = talloc(mem_ctx, DATA_BLOB);
228 status = ndr_push_struct_blob(linear_sd, mem_ctx, sd,
229 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
231 if (!NT_STATUS_IS_OK(status)) {
239 static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
241 struct ldb_message_element *objectclass_element;
242 const struct dsdb_schema *schema = dsdb_get_schema(module->ldb);
243 struct class_list *sorted, *current;
244 struct ldb_request *down_req;
245 struct ldb_message *msg;
249 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "objectclass_add\n");
251 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
252 return ldb_next_request(module, req);
255 objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
257 /* If no part of this add has an objectClass, then we don't
258 * need to make any changes. cn=rootdse doesn't have an objectClass */
259 if (!objectclass_element) {
260 return ldb_next_request(module, req);
263 mem_ctx = talloc_new(req);
264 if (mem_ctx == NULL) {
265 return LDB_ERR_OPERATIONS_ERROR;
268 ret = objectclass_sort(module, mem_ctx, objectclass_element, &sorted);
269 if (ret != LDB_SUCCESS) {
273 /* prepare the first operation */
274 down_req = talloc(req, struct ldb_request);
275 if (down_req == NULL) {
276 ldb_set_errstring(module->ldb, "Out of memory!");
277 talloc_free(mem_ctx);
278 return LDB_ERR_OPERATIONS_ERROR;
281 *down_req = *req; /* copy the request */
283 down_req->op.add.message = msg = ldb_msg_copy_shallow(down_req, req->op.add.message);
285 if (down_req->op.add.message == NULL) {
286 talloc_free(mem_ctx);
287 return LDB_ERR_OPERATIONS_ERROR;
290 ldb_msg_remove_attr(msg, "objectClass");
291 ret = ldb_msg_add_empty(msg, "objectClass", 0, NULL);
293 if (ret != LDB_SUCCESS) {
294 talloc_free(mem_ctx);
298 /* We must completely replace the existing objectClass entry,
299 * because we need it sorted */
301 /* Move from the linked list back into an ldb msg */
302 for (current = sorted; current; current = current->next) {
303 ret = ldb_msg_add_string(msg, "objectClass", current->objectclass);
304 if (ret != LDB_SUCCESS) {
305 ldb_set_errstring(module->ldb,
306 "objectclass: could not re-add sorted "
307 "objectclass to modify msg");
308 talloc_free(mem_ctx);
311 /* Last one is the critical one */
312 if (schema && !current->next) {
313 const struct dsdb_class *objectclass
314 = dsdb_class_by_lDAPDisplayName(schema,
315 current->objectclass);
317 if (!ldb_msg_find_element(msg, "objectCategory")) {
318 ldb_msg_add_string(msg, "objectCategory",
319 objectclass->defaultObjectCategory);
321 if (!ldb_msg_find_element(msg, "nTSecurityDescriptor")) {
322 DATA_BLOB *sd = get_sd(module, mem_ctx, objectclass);
323 ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
329 talloc_free(mem_ctx);
330 ret = ldb_msg_sanity_check(module->ldb, msg);
332 if (ret != LDB_SUCCESS) {
336 /* go on with the call chain */
337 ret = ldb_next_request(module, down_req);
339 /* do not free down_req as the call results may be linked to it,
340 * it will be freed when the upper level request get freed */
341 if (ret == LDB_SUCCESS) {
342 req->handle = down_req->handle;
347 static int objectclass_modify(struct ldb_module *module, struct ldb_request *req)
349 struct ldb_message_element *objectclass_element;
350 struct ldb_message *msg;
351 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "objectclass_modify\n");
353 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
354 return ldb_next_request(module, req);
357 objectclass_element = ldb_msg_find_element(req->op.mod.message, "objectClass");
359 /* If no part of this touches the objectClass, then we don't
360 * need to make any changes. */
361 /* If the only operation is the deletion of the objectClass then go on */
362 if (!objectclass_element) {
363 return ldb_next_request(module, req);
366 switch (objectclass_element->flags & LDB_FLAG_MOD_MASK) {
367 case LDB_FLAG_MOD_DELETE:
368 /* Delete everything? Probably totally illigal, but hey! */
369 if (objectclass_element->num_values == 0) {
370 return ldb_next_request(module, req);
373 case LDB_FLAG_MOD_REPLACE:
375 struct ldb_request *down_req;
376 struct class_list *sorted, *current;
379 mem_ctx = talloc_new(req);
380 if (mem_ctx == NULL) {
381 return LDB_ERR_OPERATIONS_ERROR;
384 /* prepare the first operation */
385 down_req = talloc(req, struct ldb_request);
386 if (down_req == NULL) {
387 ldb_set_errstring(module->ldb, "Out of memory!");
388 talloc_free(mem_ctx);
389 return LDB_ERR_OPERATIONS_ERROR;
392 *down_req = *req; /* copy the request */
394 down_req->op.mod.message = msg = ldb_msg_copy_shallow(down_req, req->op.mod.message);
396 if (down_req->op.add.message == NULL) {
397 talloc_free(mem_ctx);
398 return LDB_ERR_OPERATIONS_ERROR;
401 ret = objectclass_sort(module, mem_ctx, objectclass_element, &sorted);
402 if (ret != LDB_SUCCESS) {
406 /* We must completely replace the existing objectClass entry,
407 * because we need it sorted */
409 ldb_msg_remove_attr(msg, "objectClass");
410 ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, NULL);
412 if (ret != LDB_SUCCESS) {
413 talloc_free(mem_ctx);
417 /* Move from the linked list back into an ldb msg */
418 for (current = sorted; current; current = current->next) {
419 ret = ldb_msg_add_string(msg, "objectClass", current->objectclass);
420 if (ret != LDB_SUCCESS) {
421 ldb_set_errstring(module->ldb, "objectclass: could not re-add sorted objectclass to modify msg");
422 talloc_free(mem_ctx);
427 talloc_free(mem_ctx);
429 ret = ldb_msg_sanity_check(module->ldb, msg);
430 if (ret != LDB_SUCCESS) {
431 talloc_free(mem_ctx);
435 /* go on with the call chain */
436 ret = ldb_next_request(module, down_req);
438 /* do not free down_req as the call results may be linked to it,
439 * it will be freed when the upper level request get freed */
440 if (ret == LDB_SUCCESS) {
441 req->handle = down_req->handle;
448 struct ldb_handle *h;
449 struct oc_context *ac;
451 h = oc_init_handle(req, module);
453 return LDB_ERR_OPERATIONS_ERROR;
455 ac = talloc_get_type(h->private_data, struct oc_context);
457 /* return or own handle to deal with this call */
460 /* prepare the first operation */
461 ac->down_req = talloc(ac, struct ldb_request);
462 if (ac->down_req == NULL) {
463 ldb_set_errstring(module->ldb, "Out of memory!");
464 return LDB_ERR_OPERATIONS_ERROR;
467 *(ac->down_req) = *req; /* copy the request */
469 ac->down_req->context = NULL;
470 ac->down_req->callback = NULL;
471 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
473 ac->step = OC_DO_REQ;
475 return ldb_next_request(module, ac->down_req);
479 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
481 struct oc_context *ac;
483 ac = talloc_get_type(context, struct oc_context);
485 /* we are interested only in the single reply (base search) we receive here */
486 if (ares->type == LDB_REPLY_ENTRY) {
487 if (ac->search_res != NULL) {
488 ldb_set_errstring(ldb, "Too many results");
490 return LDB_ERR_OPERATIONS_ERROR;
493 ac->search_res = talloc_move(ac, &ares);
501 static int objectclass_search_self(struct ldb_handle *h) {
503 struct oc_context *ac;
504 static const char * const attrs[] = { "objectClass", NULL };
506 ac = talloc_get_type(h->private_data, struct oc_context);
508 /* prepare the search operation */
509 ac->search_req = talloc_zero(ac, struct ldb_request);
510 if (ac->search_req == NULL) {
511 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
512 return LDB_ERR_OPERATIONS_ERROR;
515 ac->search_req->operation = LDB_SEARCH;
516 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
517 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
518 ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
519 if (ac->search_req->op.search.tree == NULL) {
520 ldb_set_errstring(ac->module->ldb, "objectclass: Internal error producing null search");
521 return LDB_ERR_OPERATIONS_ERROR;
523 ac->search_req->op.search.attrs = attrs;
524 ac->search_req->controls = NULL;
525 ac->search_req->context = ac;
526 ac->search_req->callback = get_self_callback;
527 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
529 ac->step = OC_SEARCH_SELF;
531 return ldb_next_request(ac->module, ac->search_req);
534 static int objectclass_do_mod(struct ldb_handle *h) {
536 struct oc_context *ac;
537 struct ldb_message_element *objectclass_element;
538 struct ldb_message *msg;
540 struct class_list *sorted, *current;
543 ac = talloc_get_type(h->private_data, struct oc_context);
545 mem_ctx = talloc_new(ac);
546 if (mem_ctx == NULL) {
547 return LDB_ERR_OPERATIONS_ERROR;
550 ac->mod_req = talloc(ac, struct ldb_request);
551 if (ac->mod_req == NULL) {
552 talloc_free(mem_ctx);
553 return LDB_ERR_OPERATIONS_ERROR;
556 ac->mod_req->operation = LDB_MODIFY;
557 ac->mod_req->controls = NULL;
558 ac->mod_req->context = ac;
559 ac->mod_req->callback = NULL;
560 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
562 /* use a new message structure */
563 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
565 ldb_set_errstring(ac->module->ldb, "objectclass: could not create new modify msg");
566 talloc_free(mem_ctx);
567 return LDB_ERR_OPERATIONS_ERROR;
570 /* This is now the objectClass list from the database */
571 objectclass_element = ldb_msg_find_element(ac->search_res->message,
573 if (!objectclass_element) {
574 /* Where did it go? Move along now, nothing to see here */
575 talloc_free(mem_ctx);
580 msg->dn = ac->orig_req->op.mod.message->dn;
582 ret = objectclass_sort(ac->module, mem_ctx, objectclass_element, &sorted);
583 if (ret != LDB_SUCCESS) {
587 /* We must completely replace the existing objectClass entry.
588 * We could do a constrained add/del, but we are meant to be
589 * in a transaction... */
591 ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, NULL);
592 if (ret != LDB_SUCCESS) {
593 ldb_set_errstring(ac->module->ldb, "objectclass: could not clear objectclass in modify msg");
594 talloc_free(mem_ctx);
598 /* Move from the linked list back into an ldb msg */
599 for (current = sorted; current; current = current->next) {
600 ret = ldb_msg_add_string(msg, "objectClass", current->objectclass);
601 if (ret != LDB_SUCCESS) {
602 ldb_set_errstring(ac->module->ldb, "objectclass: could not re-add sorted objectclass to modify msg");
603 talloc_free(mem_ctx);
608 ret = ldb_msg_sanity_check(ac->module->ldb, msg);
609 if (ret != LDB_SUCCESS) {
610 talloc_free(mem_ctx);
615 h->state = LDB_ASYNC_INIT;
616 h->status = LDB_SUCCESS;
618 ac->step = OC_DO_MOD;
620 talloc_free(mem_ctx);
621 /* perform the search */
622 return ldb_next_request(ac->module, ac->mod_req);
625 static int oc_wait(struct ldb_handle *handle) {
626 struct oc_context *ac;
629 if (!handle || !handle->private_data) {
630 return LDB_ERR_OPERATIONS_ERROR;
633 if (handle->state == LDB_ASYNC_DONE) {
634 return handle->status;
637 handle->state = LDB_ASYNC_PENDING;
638 handle->status = LDB_SUCCESS;
640 ac = talloc_get_type(handle->private_data, struct oc_context);
644 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
646 if (ret != LDB_SUCCESS) {
647 handle->status = ret;
650 if (ac->down_req->handle->status != LDB_SUCCESS) {
651 handle->status = ac->down_req->handle->status;
655 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
659 /* mods done, go on */
660 return objectclass_search_self(handle);
663 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
665 if (ret != LDB_SUCCESS) {
666 handle->status = ret;
669 if (ac->search_req->handle->status != LDB_SUCCESS) {
670 handle->status = ac->search_req->handle->status;
674 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
678 /* self search done, go on */
679 return objectclass_do_mod(handle);
682 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
684 if (ret != LDB_SUCCESS) {
685 handle->status = ret;
688 if (ac->mod_req->handle->status != LDB_SUCCESS) {
689 handle->status = ac->mod_req->handle->status;
693 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
700 ret = LDB_ERR_OPERATIONS_ERROR;
707 handle->state = LDB_ASYNC_DONE;
711 static int oc_wait_all(struct ldb_handle *handle) {
715 while (handle->state != LDB_ASYNC_DONE) {
716 ret = oc_wait(handle);
717 if (ret != LDB_SUCCESS) {
722 return handle->status;
725 static int objectclass_wait(struct ldb_handle *handle, enum ldb_wait_type type)
727 if (type == LDB_WAIT_ALL) {
728 return oc_wait_all(handle);
730 return oc_wait(handle);
734 static const struct ldb_module_ops objectclass_ops = {
735 .name = "objectclass",
736 .add = objectclass_add,
737 .modify = objectclass_modify,
738 .wait = objectclass_wait
741 int ldb_objectclass_init(void)
743 return ldb_register_module(&objectclass_ops);
git.samba.org / ira / wip.git / blob