4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
8 Copyright (C) Matthieu Patou <mat@samba.org> 2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 * Component: ldb repl_meta_data module
29 * Description: - add a unique objectGUID onto every new record,
30 * - handle whenCreated, whenChanged timestamps
31 * - handle uSNCreated, uSNChanged numbers
32 * - handle replPropertyMetaData attribute
35 * Author: Stefan Metzmacher
39 #include "ldb_module.h"
40 #include "dsdb/samdb/samdb.h"
41 #include "dsdb/common/proto.h"
42 #include "../libds/common/flags.h"
43 #include "librpc/gen_ndr/ndr_misc.h"
44 #include "librpc/gen_ndr/ndr_drsuapi.h"
45 #include "librpc/gen_ndr/ndr_drsblobs.h"
46 #include "param/param.h"
47 #include "libcli/security/security.h"
48 #include "lib/util/dlinklist.h"
49 #include "dsdb/samdb/ldb_modules/util.h"
50 #include "lib/util/binsearch.h"
51 #include "lib/util/tsort.h"
53 struct replmd_private {
55 struct la_entry *la_list;
57 struct la_backlink *la_backlinks;
59 struct nc_entry *prev, *next;
62 uint64_t mod_usn_urgent;
67 struct la_entry *next, *prev;
68 struct drsuapi_DsReplicaLinkedAttribute *la;
71 struct replmd_replicated_request {
72 struct ldb_module *module;
73 struct ldb_request *req;
75 const struct dsdb_schema *schema;
77 /* the controls we pass down */
78 struct ldb_control **controls;
80 /* details for the mode where we apply a bunch of inbound replication meessages */
82 uint32_t index_current;
83 struct dsdb_extended_replicated_objects *objs;
85 struct ldb_message *search_msg;
91 enum urgent_situation {
92 REPL_URGENT_ON_CREATE = 1,
93 REPL_URGENT_ON_UPDATE = 2,
94 REPL_URGENT_ON_DELETE = 4
99 const char *update_name;
100 enum urgent_situation repl_situation;
101 } urgent_objects[] = {
102 {"nTDSDSA", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
103 {"crossRef", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE)},
104 {"attributeSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
105 {"classSchema", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
106 {"secret", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
107 {"rIDManager", (REPL_URGENT_ON_CREATE | REPL_URGENT_ON_UPDATE)},
111 /* Attributes looked for when updating or deleting, to check for a urgent replication needed */
112 static const char *urgent_attrs[] = {
115 "userAccountControl",
120 static bool replmd_check_urgent_objectclass(const struct ldb_message_element *objectclass_el,
121 enum urgent_situation situation)
124 for (i=0; urgent_objects[i].update_name; i++) {
126 if ((situation & urgent_objects[i].repl_situation) == 0) {
130 for (j=0; j<objectclass_el->num_values; j++) {
131 const struct ldb_val *v = &objectclass_el->values[j];
132 if (ldb_attr_cmp((const char *)v->data, urgent_objects[i].update_name) == 0) {
140 static bool replmd_check_urgent_attribute(const struct ldb_message_element *el)
142 if (ldb_attr_in_list(urgent_attrs, el->name)) {
149 static int replmd_replicated_apply_next(struct replmd_replicated_request *ar);
152 initialise the module
153 allocate the private structure and build the list
154 of partition DNs for use by replmd_notify()
156 static int replmd_init(struct ldb_module *module)
158 struct replmd_private *replmd_private;
159 struct ldb_context *ldb = ldb_module_get_ctx(module);
161 replmd_private = talloc_zero(module, struct replmd_private);
162 if (replmd_private == NULL) {
164 return LDB_ERR_OPERATIONS_ERROR;
166 ldb_module_set_private(module, replmd_private);
168 return ldb_next_init(module);
172 cleanup our per-transaction contexts
174 static void replmd_txn_cleanup(struct replmd_private *replmd_private)
176 talloc_free(replmd_private->la_ctx);
177 replmd_private->la_list = NULL;
178 replmd_private->la_ctx = NULL;
180 talloc_free(replmd_private->bl_ctx);
181 replmd_private->la_backlinks = NULL;
182 replmd_private->bl_ctx = NULL;
187 struct la_backlink *next, *prev;
188 const char *attr_name;
189 struct GUID forward_guid, target_guid;
194 process a backlinks we accumulated during a transaction, adding and
195 deleting the backlinks from the target objects
197 static int replmd_process_backlink(struct ldb_module *module, struct la_backlink *bl, struct ldb_request *parent)
199 struct ldb_dn *target_dn, *source_dn;
201 struct ldb_context *ldb = ldb_module_get_ctx(module);
202 struct ldb_message *msg;
203 TALLOC_CTX *tmp_ctx = talloc_new(bl);
209 - construct ldb_message
210 - either an add or a delete
212 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->target_guid, &target_dn, parent);
213 if (ret != LDB_SUCCESS) {
214 DEBUG(2,(__location__ ": WARNING: Failed to find target DN for linked attribute with GUID %s\n",
215 GUID_string(bl, &bl->target_guid)));
219 ret = dsdb_module_dn_by_guid(module, tmp_ctx, &bl->forward_guid, &source_dn, parent);
220 if (ret != LDB_SUCCESS) {
221 ldb_asprintf_errstring(ldb, "Failed to find source DN for linked attribute with GUID %s\n",
222 GUID_string(bl, &bl->forward_guid));
223 talloc_free(tmp_ctx);
227 msg = ldb_msg_new(tmp_ctx);
229 ldb_module_oom(module);
230 talloc_free(tmp_ctx);
231 return LDB_ERR_OPERATIONS_ERROR;
234 /* construct a ldb_message for adding/deleting the backlink */
236 dn_string = ldb_dn_get_extended_linearized(tmp_ctx, source_dn, 1);
238 ldb_module_oom(module);
239 talloc_free(tmp_ctx);
240 return LDB_ERR_OPERATIONS_ERROR;
242 ret = ldb_msg_add_steal_string(msg, bl->attr_name, dn_string);
243 if (ret != LDB_SUCCESS) {
244 talloc_free(tmp_ctx);
247 msg->elements[0].flags = bl->active?LDB_FLAG_MOD_ADD:LDB_FLAG_MOD_DELETE;
249 /* a backlink should never be single valued. Unfortunately the
250 exchange schema has a attribute
251 msExchBridgeheadedLocalConnectorsDNBL which is single
252 valued and a backlink. We need to cope with that by
253 ignoring the single value flag */
254 msg->elements[0].flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
256 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
257 if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE && !bl->active) {
258 /* we allow LDB_ERR_NO_SUCH_ATTRIBUTE as success to
259 cope with possible corruption where the backlink has
260 already been removed */
261 DEBUG(3,("WARNING: backlink from %s already removed from %s - %s\n",
262 ldb_dn_get_linearized(target_dn),
263 ldb_dn_get_linearized(source_dn),
264 ldb_errstring(ldb)));
266 } else if (ret != LDB_SUCCESS) {
267 ldb_asprintf_errstring(ldb, "Failed to %s backlink from %s to %s - %s",
268 bl->active?"add":"remove",
269 ldb_dn_get_linearized(source_dn),
270 ldb_dn_get_linearized(target_dn),
272 talloc_free(tmp_ctx);
275 talloc_free(tmp_ctx);
280 add a backlink to the list of backlinks to add/delete in the prepare
283 static int replmd_add_backlink(struct ldb_module *module, const struct dsdb_schema *schema,
284 struct GUID *forward_guid, struct GUID *target_guid,
285 bool active, const struct dsdb_attribute *schema_attr, bool immediate)
287 const struct dsdb_attribute *target_attr;
288 struct la_backlink *bl;
289 struct replmd_private *replmd_private =
290 talloc_get_type_abort(ldb_module_get_private(module), struct replmd_private);
292 target_attr = dsdb_attribute_by_linkID(schema, schema_attr->linkID ^ 1);
295 * windows 2003 has a broken schema where the
296 * definition of msDS-IsDomainFor is missing (which is
297 * supposed to be the backlink of the
298 * msDS-HasDomainNCs attribute
303 /* see if its already in the list */
304 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
305 if (GUID_equal(forward_guid, &bl->forward_guid) &&
306 GUID_equal(target_guid, &bl->target_guid) &&
307 (target_attr->lDAPDisplayName == bl->attr_name ||
308 strcmp(target_attr->lDAPDisplayName, bl->attr_name) == 0)) {
314 /* we found an existing one */
315 if (bl->active == active) {
318 DLIST_REMOVE(replmd_private->la_backlinks, bl);
323 if (replmd_private->bl_ctx == NULL) {
324 replmd_private->bl_ctx = talloc_new(replmd_private);
325 if (replmd_private->bl_ctx == NULL) {
326 ldb_module_oom(module);
327 return LDB_ERR_OPERATIONS_ERROR;
332 bl = talloc(replmd_private->bl_ctx, struct la_backlink);
334 ldb_module_oom(module);
335 return LDB_ERR_OPERATIONS_ERROR;
338 /* Ensure the schema does not go away before the bl->attr_name is used */
339 if (!talloc_reference(bl, schema)) {
341 ldb_module_oom(module);
342 return LDB_ERR_OPERATIONS_ERROR;
345 bl->attr_name = target_attr->lDAPDisplayName;
346 bl->forward_guid = *forward_guid;
347 bl->target_guid = *target_guid;
350 /* the caller may ask for this backlink to be processed
353 int ret = replmd_process_backlink(module, bl, NULL);
358 DLIST_ADD(replmd_private->la_backlinks, bl);
365 * Callback for most write operations in this module:
367 * notify the repl task that a object has changed. The notifies are
368 * gathered up in the replmd_private structure then written to the
369 * @REPLCHANGED object in each partition during the prepare_commit
371 static int replmd_op_callback(struct ldb_request *req, struct ldb_reply *ares)
374 struct replmd_replicated_request *ac =
375 talloc_get_type_abort(req->context, struct replmd_replicated_request);
376 struct replmd_private *replmd_private =
377 talloc_get_type_abort(ldb_module_get_private(ac->module), struct replmd_private);
378 struct nc_entry *modified_partition;
379 struct ldb_control *partition_ctrl;
380 const struct dsdb_control_current_partition *partition;
382 struct ldb_control **controls;
384 partition_ctrl = ldb_reply_get_control(ares, DSDB_CONTROL_CURRENT_PARTITION_OID);
386 controls = ares->controls;
387 if (ldb_request_get_control(ac->req,
388 DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
390 * Remove the current partition control from what we pass up
391 * the chain if it hasn't been requested manually.
393 controls = ldb_controls_except_specified(ares->controls, ares,
397 if (ares->error != LDB_SUCCESS) {
398 DEBUG(5,("%s failure. Error is: %s\n", __FUNCTION__, ldb_strerror(ares->error)));
399 return ldb_module_done(ac->req, controls,
400 ares->response, ares->error);
403 if (ares->type != LDB_REPLY_DONE) {
404 ldb_set_errstring(ldb_module_get_ctx(ac->module), "Invalid reply type for notify\n!");
405 return ldb_module_done(ac->req, NULL,
406 NULL, LDB_ERR_OPERATIONS_ERROR);
409 if (!partition_ctrl) {
410 ldb_set_errstring(ldb_module_get_ctx(ac->module),"No partition control on reply");
411 return ldb_module_done(ac->req, NULL,
412 NULL, LDB_ERR_OPERATIONS_ERROR);
415 partition = talloc_get_type_abort(partition_ctrl->data,
416 struct dsdb_control_current_partition);
418 if (ac->seq_num > 0) {
419 for (modified_partition = replmd_private->ncs; modified_partition;
420 modified_partition = modified_partition->next) {
421 if (ldb_dn_compare(modified_partition->dn, partition->dn) == 0) {
426 if (modified_partition == NULL) {
427 modified_partition = talloc_zero(replmd_private, struct nc_entry);
428 if (!modified_partition) {
429 ldb_oom(ldb_module_get_ctx(ac->module));
430 return ldb_module_done(ac->req, NULL,
431 NULL, LDB_ERR_OPERATIONS_ERROR);
433 modified_partition->dn = ldb_dn_copy(modified_partition, partition->dn);
434 if (!modified_partition->dn) {
435 ldb_oom(ldb_module_get_ctx(ac->module));
436 return ldb_module_done(ac->req, NULL,
437 NULL, LDB_ERR_OPERATIONS_ERROR);
439 DLIST_ADD(replmd_private->ncs, modified_partition);
442 if (ac->seq_num > modified_partition->mod_usn) {
443 modified_partition->mod_usn = ac->seq_num;
445 modified_partition->mod_usn_urgent = ac->seq_num;
450 if (ac->apply_mode) {
454 ret = replmd_replicated_apply_next(ac);
455 if (ret != LDB_SUCCESS) {
456 return ldb_module_done(ac->req, NULL, NULL, ret);
460 /* free the partition control container here, for the
461 * common path. Other cases will have it cleaned up
462 * eventually with the ares */
463 talloc_free(partition_ctrl);
464 return ldb_module_done(ac->req, controls,
465 ares->response, LDB_SUCCESS);
471 * update a @REPLCHANGED record in each partition if there have been
472 * any writes of replicated data in the partition
474 static int replmd_notify_store(struct ldb_module *module, struct ldb_request *parent)
476 struct replmd_private *replmd_private =
477 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
479 while (replmd_private->ncs) {
481 struct nc_entry *modified_partition = replmd_private->ncs;
483 ret = dsdb_module_save_partition_usn(module, modified_partition->dn,
484 modified_partition->mod_usn,
485 modified_partition->mod_usn_urgent, parent);
486 if (ret != LDB_SUCCESS) {
487 DEBUG(0,(__location__ ": Failed to save partition uSN for %s\n",
488 ldb_dn_get_linearized(modified_partition->dn)));
491 DLIST_REMOVE(replmd_private->ncs, modified_partition);
492 talloc_free(modified_partition);
500 created a replmd_replicated_request context
502 static struct replmd_replicated_request *replmd_ctx_init(struct ldb_module *module,
503 struct ldb_request *req)
505 struct ldb_context *ldb;
506 struct replmd_replicated_request *ac;
508 ldb = ldb_module_get_ctx(module);
510 ac = talloc_zero(req, struct replmd_replicated_request);
519 ac->schema = dsdb_get_schema(ldb, ac);
521 ldb_debug_set(ldb, LDB_DEBUG_FATAL,
522 "replmd_modify: no dsdb_schema loaded");
523 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
531 add a time element to a record
533 static int add_time_element(struct ldb_message *msg, const char *attr, time_t t)
535 struct ldb_message_element *el;
539 if (ldb_msg_find_element(msg, attr) != NULL) {
543 s = ldb_timestring(msg, t);
545 return LDB_ERR_OPERATIONS_ERROR;
548 ret = ldb_msg_add_string(msg, attr, s);
549 if (ret != LDB_SUCCESS) {
553 el = ldb_msg_find_element(msg, attr);
554 /* always set as replace. This works because on add ops, the flag
556 el->flags = LDB_FLAG_MOD_REPLACE;
562 add a uint64_t element to a record
564 static int add_uint64_element(struct ldb_context *ldb, struct ldb_message *msg,
565 const char *attr, uint64_t v)
567 struct ldb_message_element *el;
570 if (ldb_msg_find_element(msg, attr) != NULL) {
574 ret = samdb_msg_add_uint64(ldb, msg, msg, attr, v);
575 if (ret != LDB_SUCCESS) {
579 el = ldb_msg_find_element(msg, attr);
580 /* always set as replace. This works because on add ops, the flag
582 el->flags = LDB_FLAG_MOD_REPLACE;
587 static int replmd_replPropertyMetaData1_attid_sort(const struct replPropertyMetaData1 *m1,
588 const struct replPropertyMetaData1 *m2,
589 const uint32_t *rdn_attid)
591 if (m1->attid == m2->attid) {
596 * the rdn attribute should be at the end!
597 * so we need to return a value greater than zero
598 * which means m1 is greater than m2
600 if (m1->attid == *rdn_attid) {
605 * the rdn attribute should be at the end!
606 * so we need to return a value less than zero
607 * which means m2 is greater than m1
609 if (m2->attid == *rdn_attid) {
613 return m1->attid > m2->attid ? 1 : -1;
616 static int replmd_replPropertyMetaDataCtr1_sort(struct replPropertyMetaDataCtr1 *ctr1,
617 const struct dsdb_schema *schema,
620 const char *rdn_name;
621 const struct dsdb_attribute *rdn_sa;
623 rdn_name = ldb_dn_get_rdn_name(dn);
625 DEBUG(0,(__location__ ": No rDN for %s?\n", ldb_dn_get_linearized(dn)));
626 return LDB_ERR_OPERATIONS_ERROR;
629 rdn_sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
630 if (rdn_sa == NULL) {
631 DEBUG(0,(__location__ ": No sa found for rDN %s for %s\n", rdn_name, ldb_dn_get_linearized(dn)));
632 return LDB_ERR_OPERATIONS_ERROR;
635 DEBUG(6,("Sorting rpmd with attid exception %u rDN=%s DN=%s\n",
636 rdn_sa->attributeID_id, rdn_name, ldb_dn_get_linearized(dn)));
638 LDB_TYPESAFE_QSORT(ctr1->array, ctr1->count, &rdn_sa->attributeID_id, replmd_replPropertyMetaData1_attid_sort);
643 static int replmd_ldb_message_element_attid_sort(const struct ldb_message_element *e1,
644 const struct ldb_message_element *e2,
645 const struct dsdb_schema *schema)
647 const struct dsdb_attribute *a1;
648 const struct dsdb_attribute *a2;
651 * TODO: make this faster by caching the dsdb_attribute pointer
652 * on the ldb_messag_element
655 a1 = dsdb_attribute_by_lDAPDisplayName(schema, e1->name);
656 a2 = dsdb_attribute_by_lDAPDisplayName(schema, e2->name);
659 * TODO: remove this check, we should rely on e1 and e2 having valid attribute names
663 return strcasecmp(e1->name, e2->name);
665 if (a1->attributeID_id == a2->attributeID_id) {
668 return a1->attributeID_id > a2->attributeID_id ? 1 : -1;
671 static void replmd_ldb_message_sort(struct ldb_message *msg,
672 const struct dsdb_schema *schema)
674 LDB_TYPESAFE_QSORT(msg->elements, msg->num_elements, schema, replmd_ldb_message_element_attid_sort);
677 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
678 const struct GUID *invocation_id, uint64_t seq_num,
679 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted);
683 fix up linked attributes in replmd_add.
684 This involves setting up the right meta-data in extended DN
685 components, and creating backlinks to the object
687 static int replmd_add_fix_la(struct ldb_module *module, struct ldb_message_element *el,
688 uint64_t seq_num, const struct GUID *invocationId, time_t t,
689 struct GUID *guid, const struct dsdb_attribute *sa, struct ldb_request *parent)
692 TALLOC_CTX *tmp_ctx = talloc_new(el->values);
693 struct ldb_context *ldb = ldb_module_get_ctx(module);
695 /* We will take a reference to the schema in replmd_add_backlink */
696 const struct dsdb_schema *schema = dsdb_get_schema(ldb, NULL);
699 unix_to_nt_time(&now, t);
701 for (i=0; i<el->num_values; i++) {
702 struct ldb_val *v = &el->values[i];
703 struct dsdb_dn *dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, v, sa->syntax->ldap_oid);
704 struct GUID target_guid;
708 /* note that the DN already has the extended
709 components from the extended_dn_store module */
710 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
711 if (!NT_STATUS_IS_OK(status) || GUID_all_zero(&target_guid)) {
712 ret = dsdb_module_guid_by_dn(module, dsdb_dn->dn, &target_guid, parent);
713 if (ret != LDB_SUCCESS) {
714 talloc_free(tmp_ctx);
717 ret = dsdb_set_extended_dn_guid(dsdb_dn->dn, &target_guid, "GUID");
718 if (ret != LDB_SUCCESS) {
719 talloc_free(tmp_ctx);
724 ret = replmd_build_la_val(el->values, v, dsdb_dn, invocationId,
725 seq_num, seq_num, now, 0, false);
726 if (ret != LDB_SUCCESS) {
727 talloc_free(tmp_ctx);
731 ret = replmd_add_backlink(module, schema, guid, &target_guid, true, sa, false);
732 if (ret != LDB_SUCCESS) {
733 talloc_free(tmp_ctx);
738 talloc_free(tmp_ctx);
744 intercept add requests
746 static int replmd_add(struct ldb_module *module, struct ldb_request *req)
748 struct ldb_context *ldb;
749 struct ldb_control *control;
750 struct replmd_replicated_request *ac;
751 enum ndr_err_code ndr_err;
752 struct ldb_request *down_req;
753 struct ldb_message *msg;
754 const DATA_BLOB *guid_blob;
756 struct replPropertyMetaDataBlob nmd;
757 struct ldb_val nmd_value;
758 const struct GUID *our_invocation_id;
759 time_t t = time(NULL);
764 unsigned int functional_level;
766 bool allow_add_guid = false;
767 bool remove_current_guid = false;
768 bool is_urgent = false;
769 struct ldb_message_element *objectclass_el;
771 /* check if there's a show relax control (used by provision to say 'I know what I'm doing') */
772 control = ldb_request_get_control(req, LDB_CONTROL_RELAX_OID);
774 allow_add_guid = true;
777 /* do not manipulate our control entries */
778 if (ldb_dn_is_special(req->op.add.message->dn)) {
779 return ldb_next_request(module, req);
782 ldb = ldb_module_get_ctx(module);
784 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_add\n");
786 guid_blob = ldb_msg_find_ldb_val(req->op.add.message, "objectGUID");
787 if (guid_blob != NULL) {
788 if (!allow_add_guid) {
789 ldb_set_errstring(ldb,
790 "replmd_add: it's not allowed to add an object with objectGUID!");
791 return LDB_ERR_UNWILLING_TO_PERFORM;
793 NTSTATUS status = GUID_from_data_blob(guid_blob,&guid);
794 if (!NT_STATUS_IS_OK(status)) {
795 ldb_set_errstring(ldb,
796 "replmd_add: Unable to parse the 'objectGUID' as a GUID!");
797 return LDB_ERR_UNWILLING_TO_PERFORM;
799 /* we remove this attribute as it can be a string and
800 * will not be treated correctly and then we will re-add
801 * it later on in the good format */
802 remove_current_guid = true;
806 guid = GUID_random();
809 ac = replmd_ctx_init(module, req);
811 return ldb_module_oom(module);
814 functional_level = dsdb_functional_level(ldb);
816 /* Get a sequence number from the backend */
817 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ac->seq_num);
818 if (ret != LDB_SUCCESS) {
823 /* get our invocationId */
824 our_invocation_id = samdb_ntds_invocation_id(ldb);
825 if (!our_invocation_id) {
826 ldb_debug_set(ldb, LDB_DEBUG_ERROR,
827 "replmd_add: unable to find invocationId\n");
829 return LDB_ERR_OPERATIONS_ERROR;
832 /* we have to copy the message as the caller might have it as a const */
833 msg = ldb_msg_copy_shallow(ac, req->op.add.message);
837 return LDB_ERR_OPERATIONS_ERROR;
840 /* generated times */
841 unix_to_nt_time(&now, t);
842 time_str = ldb_timestring(msg, t);
846 return LDB_ERR_OPERATIONS_ERROR;
848 if (remove_current_guid) {
849 ldb_msg_remove_attr(msg,"objectGUID");
853 * remove autogenerated attributes
855 ldb_msg_remove_attr(msg, "whenCreated");
856 ldb_msg_remove_attr(msg, "whenChanged");
857 ldb_msg_remove_attr(msg, "uSNCreated");
858 ldb_msg_remove_attr(msg, "uSNChanged");
859 ldb_msg_remove_attr(msg, "replPropertyMetaData");
862 * readd replicated attributes
864 ret = ldb_msg_add_string(msg, "whenCreated", time_str);
865 if (ret != LDB_SUCCESS) {
871 /* build the replication meta_data */
874 nmd.ctr.ctr1.count = msg->num_elements;
875 nmd.ctr.ctr1.array = talloc_array(msg,
876 struct replPropertyMetaData1,
878 if (!nmd.ctr.ctr1.array) {
881 return LDB_ERR_OPERATIONS_ERROR;
884 for (i=0; i < msg->num_elements; i++) {
885 struct ldb_message_element *e = &msg->elements[i];
886 struct replPropertyMetaData1 *m = &nmd.ctr.ctr1.array[ni];
887 const struct dsdb_attribute *sa;
889 if (e->name[0] == '@') continue;
891 sa = dsdb_attribute_by_lDAPDisplayName(ac->schema, e->name);
893 ldb_debug_set(ldb, LDB_DEBUG_ERROR,
894 "replmd_add: attribute '%s' not defined in schema\n",
897 return LDB_ERR_NO_SUCH_ATTRIBUTE;
900 if ((sa->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (sa->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
901 /* if the attribute is not replicated (0x00000001)
902 * or constructed (0x00000004) it has no metadata
907 if (sa->linkID != 0 && functional_level > DS_DOMAIN_FUNCTION_2000) {
908 ret = replmd_add_fix_la(module, e, ac->seq_num, our_invocation_id, t, &guid, sa, req);
909 if (ret != LDB_SUCCESS) {
913 /* linked attributes are not stored in
914 replPropertyMetaData in FL above w2k */
918 m->attid = sa->attributeID_id;
920 m->originating_change_time = now;
921 m->originating_invocation_id = *our_invocation_id;
922 m->originating_usn = ac->seq_num;
923 m->local_usn = ac->seq_num;
927 /* fix meta data count */
928 nmd.ctr.ctr1.count = ni;
931 * sort meta data array, and move the rdn attribute entry to the end
933 ret = replmd_replPropertyMetaDataCtr1_sort(&nmd.ctr.ctr1, ac->schema, msg->dn);
934 if (ret != LDB_SUCCESS) {
939 /* generated NDR encoded values */
940 ndr_err = ndr_push_struct_blob(&nmd_value, msg,
942 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
943 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
946 return LDB_ERR_OPERATIONS_ERROR;
950 * add the autogenerated values
952 ret = dsdb_msg_add_guid(msg, &guid, "objectGUID");
953 if (ret != LDB_SUCCESS) {
958 ret = ldb_msg_add_string(msg, "whenChanged", time_str);
959 if (ret != LDB_SUCCESS) {
964 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ac->seq_num);
965 if (ret != LDB_SUCCESS) {
970 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ac->seq_num);
971 if (ret != LDB_SUCCESS) {
976 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
977 if (ret != LDB_SUCCESS) {
984 * sort the attributes by attid before storing the object
986 replmd_ldb_message_sort(msg, ac->schema);
988 objectclass_el = ldb_msg_find_element(msg, "objectClass");
989 is_urgent = replmd_check_urgent_objectclass(objectclass_el,
990 REPL_URGENT_ON_CREATE);
992 ac->is_urgent = is_urgent;
993 ret = ldb_build_add_req(&down_req, ldb, ac,
996 ac, replmd_op_callback,
999 LDB_REQ_SET_LOCATION(down_req);
1000 if (ret != LDB_SUCCESS) {
1005 /* current partition control is needed by "replmd_op_callback" */
1006 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
1007 ret = ldb_request_add_control(down_req,
1008 DSDB_CONTROL_CURRENT_PARTITION_OID,
1010 if (ret != LDB_SUCCESS) {
1016 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
1017 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
1018 if (ret != LDB_SUCCESS) {
1024 /* mark the control done */
1026 control->critical = 0;
1029 /* go on with the call chain */
1030 return ldb_next_request(module, down_req);
1035 * update the replPropertyMetaData for one element
1037 static int replmd_update_rpmd_element(struct ldb_context *ldb,
1038 struct ldb_message *msg,
1039 struct ldb_message_element *el,
1040 struct ldb_message_element *old_el,
1041 struct replPropertyMetaDataBlob *omd,
1042 const struct dsdb_schema *schema,
1044 const struct GUID *our_invocation_id,
1046 struct ldb_request *req)
1049 const struct dsdb_attribute *a;
1050 struct replPropertyMetaData1 *md1;
1052 a = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
1054 if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
1055 /* allow this to make it possible for dbcheck
1056 to remove bad attributes */
1060 DEBUG(0,(__location__ ": Unable to find attribute %s in schema\n",
1062 return LDB_ERR_OPERATIONS_ERROR;
1065 if ((a->systemFlags & DS_FLAG_ATTR_NOT_REPLICATED) || (a->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED)) {
1069 /* if the attribute's value haven't changed then return LDB_SUCCESS */
1070 if (old_el != NULL && ldb_msg_element_compare(el, old_el) == 0) {
1071 if (!ldb_request_get_control(req, LDB_CONTROL_PROVISION_OID)) {
1073 * allow this to make it possible for dbcheck
1074 * to rebuild broken metadata
1080 for (i=0; i<omd->ctr.ctr1.count; i++) {
1081 if (a->attributeID_id == omd->ctr.ctr1.array[i].attid) break;
1084 if (a->linkID != 0 && dsdb_functional_level(ldb) > DS_DOMAIN_FUNCTION_2000) {
1085 /* linked attributes are not stored in
1086 replPropertyMetaData in FL above w2k, but we do
1087 raise the seqnum for the object */
1088 if (*seq_num == 0 &&
1089 ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num) != LDB_SUCCESS) {
1090 return LDB_ERR_OPERATIONS_ERROR;
1095 if (i == omd->ctr.ctr1.count) {
1096 /* we need to add a new one */
1097 omd->ctr.ctr1.array = talloc_realloc(msg, omd->ctr.ctr1.array,
1098 struct replPropertyMetaData1, omd->ctr.ctr1.count+1);
1099 if (omd->ctr.ctr1.array == NULL) {
1101 return LDB_ERR_OPERATIONS_ERROR;
1103 omd->ctr.ctr1.count++;
1104 ZERO_STRUCT(omd->ctr.ctr1.array[i]);
1107 /* Get a new sequence number from the backend. We only do this
1108 * if we have a change that requires a new
1109 * replPropertyMetaData element
1111 if (*seq_num == 0) {
1112 int ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, seq_num);
1113 if (ret != LDB_SUCCESS) {
1114 return LDB_ERR_OPERATIONS_ERROR;
1118 md1 = &omd->ctr.ctr1.array[i];
1120 md1->attid = a->attributeID_id;
1121 md1->originating_change_time = now;
1122 md1->originating_invocation_id = *our_invocation_id;
1123 md1->originating_usn = *seq_num;
1124 md1->local_usn = *seq_num;
1129 static uint64_t find_max_local_usn(struct replPropertyMetaDataBlob omd)
1131 uint32_t count = omd.ctr.ctr1.count;
1134 for (i=0; i < count; i++) {
1135 struct replPropertyMetaData1 m = omd.ctr.ctr1.array[i];
1136 if (max < m.local_usn) {
1144 * update the replPropertyMetaData object each time we modify an
1145 * object. This is needed for DRS replication, as the merge on the
1146 * client is based on this object
1148 static int replmd_update_rpmd(struct ldb_module *module,
1149 const struct dsdb_schema *schema,
1150 struct ldb_request *req,
1151 const char * const *rename_attrs,
1152 struct ldb_message *msg, uint64_t *seq_num,
1156 const struct ldb_val *omd_value;
1157 enum ndr_err_code ndr_err;
1158 struct replPropertyMetaDataBlob omd;
1161 const struct GUID *our_invocation_id;
1163 const char * const *attrs = NULL;
1164 const char * const attrs1[] = { "replPropertyMetaData", "*", NULL };
1165 const char * const attrs2[] = { "uSNChanged", "objectClass", "instanceType", NULL };
1166 struct ldb_result *res;
1167 struct ldb_context *ldb;
1168 struct ldb_message_element *objectclass_el;
1169 enum urgent_situation situation;
1170 bool rodc, rmd_is_provided;
1173 attrs = rename_attrs;
1178 ldb = ldb_module_get_ctx(module);
1180 our_invocation_id = samdb_ntds_invocation_id(ldb);
1181 if (!our_invocation_id) {
1182 /* this happens during an initial vampire while
1183 updating the schema */
1184 DEBUG(5,("No invocationID - skipping replPropertyMetaData update\n"));
1188 unix_to_nt_time(&now, t);
1190 if (ldb_request_get_control(req, DSDB_CONTROL_CHANGEREPLMETADATA_OID)) {
1191 rmd_is_provided = true;
1193 rmd_is_provided = false;
1196 /* if isDeleted is present and is TRUE, then we consider we are deleting,
1197 * otherwise we consider we are updating */
1198 if (ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE")) {
1199 situation = REPL_URGENT_ON_DELETE;
1200 } else if (rename_attrs) {
1201 situation = REPL_URGENT_ON_CREATE | REPL_URGENT_ON_DELETE;
1203 situation = REPL_URGENT_ON_UPDATE;
1206 if (rmd_is_provided) {
1207 /* In this case the change_replmetadata control was supplied */
1208 /* We check that it's the only attribute that is provided
1209 * (it's a rare case so it's better to keep the code simplier)
1210 * We also check that the highest local_usn is bigger than
1213 if( msg->num_elements != 1 ||
1214 strncmp(msg->elements[0].name,
1215 "replPropertyMetaData", 20) ) {
1216 DEBUG(0,(__location__ ": changereplmetada control called without "\
1217 "a specified replPropertyMetaData attribute or with others\n"));
1218 return LDB_ERR_OPERATIONS_ERROR;
1220 if (situation != REPL_URGENT_ON_UPDATE) {
1221 DEBUG(0,(__location__ ": changereplmetada control can't be called when deleting an object\n"));
1222 return LDB_ERR_OPERATIONS_ERROR;
1224 omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
1226 DEBUG(0,(__location__ ": replPropertyMetaData was not specified for Object %s\n",
1227 ldb_dn_get_linearized(msg->dn)));
1228 return LDB_ERR_OPERATIONS_ERROR;
1230 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1231 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1232 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1233 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1234 ldb_dn_get_linearized(msg->dn)));
1235 return LDB_ERR_OPERATIONS_ERROR;
1237 *seq_num = find_max_local_usn(omd);
1239 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs2,
1240 DSDB_FLAG_NEXT_MODULE |
1241 DSDB_SEARCH_SHOW_RECYCLED |
1242 DSDB_SEARCH_SHOW_EXTENDED_DN |
1243 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1244 DSDB_SEARCH_REVEAL_INTERNALS, req);
1246 if (ret != LDB_SUCCESS) {
1250 objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
1251 if (is_urgent && replmd_check_urgent_objectclass(objectclass_el,
1256 db_seq = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNChanged", 0);
1257 if (*seq_num <= db_seq) {
1258 DEBUG(0,(__location__ ": changereplmetada control provided but max(local_usn)"\
1259 " is less or equal to uSNChanged (max = %lld uSNChanged = %lld)\n",
1260 (long long)*seq_num, (long long)db_seq));
1261 return LDB_ERR_OPERATIONS_ERROR;
1265 /* search for the existing replPropertyMetaDataBlob. We need
1266 * to use REVEAL and ask for DNs in storage format to support
1267 * the check for values being the same in
1268 * replmd_update_rpmd_element()
1270 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs,
1271 DSDB_FLAG_NEXT_MODULE |
1272 DSDB_SEARCH_SHOW_RECYCLED |
1273 DSDB_SEARCH_SHOW_EXTENDED_DN |
1274 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
1275 DSDB_SEARCH_REVEAL_INTERNALS, req);
1276 if (ret != LDB_SUCCESS) {
1280 objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
1281 if (is_urgent && replmd_check_urgent_objectclass(objectclass_el,
1286 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
1288 DEBUG(0,(__location__ ": Object %s does not have a replPropertyMetaData attribute\n",
1289 ldb_dn_get_linearized(msg->dn)));
1290 return LDB_ERR_OPERATIONS_ERROR;
1293 ndr_err = ndr_pull_struct_blob(omd_value, msg, &omd,
1294 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
1295 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1296 DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s\n",
1297 ldb_dn_get_linearized(msg->dn)));
1298 return LDB_ERR_OPERATIONS_ERROR;
1301 if (omd.version != 1) {
1302 DEBUG(0,(__location__ ": bad version %u in replPropertyMetaData for %s\n",
1303 omd.version, ldb_dn_get_linearized(msg->dn)));
1304 return LDB_ERR_OPERATIONS_ERROR;
1307 for (i=0; i<msg->num_elements; i++) {
1308 struct ldb_message_element *old_el;
1309 old_el = ldb_msg_find_element(res->msgs[0], msg->elements[i].name);
1310 ret = replmd_update_rpmd_element(ldb, msg, &msg->elements[i], old_el, &omd, schema, seq_num,
1311 our_invocation_id, now, req);
1312 if (ret != LDB_SUCCESS) {
1316 if (is_urgent && !*is_urgent && (situation == REPL_URGENT_ON_UPDATE)) {
1317 *is_urgent = replmd_check_urgent_attribute(&msg->elements[i]);
1323 * replmd_update_rpmd_element has done an update if the
1326 if (*seq_num != 0) {
1327 struct ldb_val *md_value;
1328 struct ldb_message_element *el;
1330 /*if we are RODC and this is a DRSR update then its ok*/
1331 if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
1332 unsigned instanceType;
1334 ret = samdb_rodc(ldb, &rodc);
1335 if (ret != LDB_SUCCESS) {
1336 DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
1338 ldb_asprintf_errstring(ldb, "RODC modify is forbidden\n");
1339 return LDB_ERR_REFERRAL;
1342 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0], "instanceType", INSTANCE_TYPE_WRITE);
1343 if (!(instanceType & INSTANCE_TYPE_WRITE)) {
1344 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1345 "cannot change replicated attribute on partial replica");
1349 md_value = talloc(msg, struct ldb_val);
1350 if (md_value == NULL) {
1352 return LDB_ERR_OPERATIONS_ERROR;
1355 ret = replmd_replPropertyMetaDataCtr1_sort(&omd.ctr.ctr1, schema, msg->dn);
1356 if (ret != LDB_SUCCESS) {
1360 ndr_err = ndr_push_struct_blob(md_value, msg, &omd,
1361 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
1362 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1363 DEBUG(0,(__location__ ": Failed to marshall replPropertyMetaData for %s\n",
1364 ldb_dn_get_linearized(msg->dn)));
1365 return LDB_ERR_OPERATIONS_ERROR;
1368 ret = ldb_msg_add_empty(msg, "replPropertyMetaData", LDB_FLAG_MOD_REPLACE, &el);
1369 if (ret != LDB_SUCCESS) {
1370 DEBUG(0,(__location__ ": Failed to add updated replPropertyMetaData %s\n",
1371 ldb_dn_get_linearized(msg->dn)));
1376 el->values = md_value;
1383 struct dsdb_dn *dsdb_dn;
1388 static int parsed_dn_compare(struct parsed_dn *pdn1, struct parsed_dn *pdn2)
1390 return GUID_compare(pdn1->guid, pdn2->guid);
1393 static struct parsed_dn *parsed_dn_find(struct parsed_dn *pdn,
1394 unsigned int count, struct GUID *guid,
1397 struct parsed_dn *ret;
1399 if (dn && GUID_all_zero(guid)) {
1400 /* when updating a link using DRS, we sometimes get a
1401 NULL GUID. We then need to try and match by DN */
1402 for (i=0; i<count; i++) {
1403 if (ldb_dn_compare(pdn[i].dsdb_dn->dn, dn) == 0) {
1404 dsdb_get_extended_dn_guid(pdn[i].dsdb_dn->dn, guid, "GUID");
1410 BINARY_ARRAY_SEARCH(pdn, count, guid, guid, GUID_compare, ret);
1415 get a series of message element values as an array of DNs and GUIDs
1416 the result is sorted by GUID
1418 static int get_parsed_dns(struct ldb_module *module, TALLOC_CTX *mem_ctx,
1419 struct ldb_message_element *el, struct parsed_dn **pdn,
1420 const char *ldap_oid, struct ldb_request *parent)
1423 struct ldb_context *ldb = ldb_module_get_ctx(module);
1430 (*pdn) = talloc_array(mem_ctx, struct parsed_dn, el->num_values);
1432 ldb_module_oom(module);
1433 return LDB_ERR_OPERATIONS_ERROR;
1436 for (i=0; i<el->num_values; i++) {
1437 struct ldb_val *v = &el->values[i];
1440 struct parsed_dn *p;
1444 p->dsdb_dn = dsdb_dn_parse(*pdn, ldb, v, ldap_oid);
1445 if (p->dsdb_dn == NULL) {
1446 return LDB_ERR_INVALID_DN_SYNTAX;
1449 dn = p->dsdb_dn->dn;
1451 p->guid = talloc(*pdn, struct GUID);
1452 if (p->guid == NULL) {
1453 ldb_module_oom(module);
1454 return LDB_ERR_OPERATIONS_ERROR;
1457 status = dsdb_get_extended_dn_guid(dn, p->guid, "GUID");
1458 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1459 /* we got a DN without a GUID - go find the GUID */
1460 int ret = dsdb_module_guid_by_dn(module, dn, p->guid, parent);
1461 if (ret != LDB_SUCCESS) {
1462 ldb_asprintf_errstring(ldb, "Unable to find GUID for DN %s\n",
1463 ldb_dn_get_linearized(dn));
1464 if (ret == LDB_ERR_NO_SUCH_OBJECT &&
1465 LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE &&
1466 ldb_attr_cmp(el->name, "member") == 0) {
1467 return LDB_ERR_UNWILLING_TO_PERFORM;
1471 ret = dsdb_set_extended_dn_guid(dn, p->guid, "GUID");
1472 if (ret != LDB_SUCCESS) {
1475 } else if (!NT_STATUS_IS_OK(status)) {
1476 return LDB_ERR_OPERATIONS_ERROR;
1479 /* keep a pointer to the original ldb_val */
1483 TYPESAFE_QSORT(*pdn, el->num_values, parsed_dn_compare);
1489 build a new extended DN, including all meta data fields
1491 RMD_FLAGS = DSDB_RMD_FLAG_* bits
1492 RMD_ADDTIME = originating_add_time
1493 RMD_INVOCID = originating_invocation_id
1494 RMD_CHANGETIME = originating_change_time
1495 RMD_ORIGINATING_USN = originating_usn
1496 RMD_LOCAL_USN = local_usn
1497 RMD_VERSION = version
1499 static int replmd_build_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1500 const struct GUID *invocation_id, uint64_t seq_num,
1501 uint64_t local_usn, NTTIME nttime, uint32_t version, bool deleted)
1503 struct ldb_dn *dn = dsdb_dn->dn;
1504 const char *tstring, *usn_string, *flags_string;
1505 struct ldb_val tval;
1507 struct ldb_val usnv, local_usnv;
1508 struct ldb_val vers, flagsv;
1511 const char *dnstring;
1513 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1515 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1517 return LDB_ERR_OPERATIONS_ERROR;
1519 tval = data_blob_string_const(tstring);
1521 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)seq_num);
1523 return LDB_ERR_OPERATIONS_ERROR;
1525 usnv = data_blob_string_const(usn_string);
1527 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1529 return LDB_ERR_OPERATIONS_ERROR;
1531 local_usnv = data_blob_string_const(usn_string);
1533 vstring = talloc_asprintf(mem_ctx, "%lu", (unsigned long)version);
1535 return LDB_ERR_OPERATIONS_ERROR;
1537 vers = data_blob_string_const(vstring);
1539 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1540 if (!NT_STATUS_IS_OK(status)) {
1541 return LDB_ERR_OPERATIONS_ERROR;
1544 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1545 if (!flags_string) {
1546 return LDB_ERR_OPERATIONS_ERROR;
1548 flagsv = data_blob_string_const(flags_string);
1550 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1551 if (ret != LDB_SUCCESS) return ret;
1552 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", &tval);
1553 if (ret != LDB_SUCCESS) return ret;
1554 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1555 if (ret != LDB_SUCCESS) return ret;
1556 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1557 if (ret != LDB_SUCCESS) return ret;
1558 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1559 if (ret != LDB_SUCCESS) return ret;
1560 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1561 if (ret != LDB_SUCCESS) return ret;
1562 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1563 if (ret != LDB_SUCCESS) return ret;
1565 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1566 if (dnstring == NULL) {
1567 return LDB_ERR_OPERATIONS_ERROR;
1569 *v = data_blob_string_const(dnstring);
1574 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1575 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1576 uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
1577 uint32_t version, bool deleted);
1580 check if any links need upgrading from w2k format
1582 The parent_ctx is the ldb_message_element which contains the values array that dns[i].v points at, and which should be used for allocating any new value.
1584 static int replmd_check_upgrade_links(struct parsed_dn *dns, uint32_t count, struct ldb_message_element *parent_ctx, const struct GUID *invocation_id)
1587 for (i=0; i<count; i++) {
1592 status = dsdb_get_extended_dn_uint32(dns[i].dsdb_dn->dn, &version, "RMD_VERSION");
1593 if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1597 /* it's an old one that needs upgrading */
1598 ret = replmd_update_la_val(parent_ctx->values, dns[i].v, dns[i].dsdb_dn, dns[i].dsdb_dn, invocation_id,
1600 if (ret != LDB_SUCCESS) {
1608 update an extended DN, including all meta data fields
1610 see replmd_build_la_val for value names
1612 static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, struct dsdb_dn *dsdb_dn,
1613 struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
1614 uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
1615 uint32_t version, bool deleted)
1617 struct ldb_dn *dn = dsdb_dn->dn;
1618 const char *tstring, *usn_string, *flags_string;
1619 struct ldb_val tval;
1621 struct ldb_val usnv, local_usnv;
1622 struct ldb_val vers, flagsv;
1623 const struct ldb_val *old_addtime;
1624 uint32_t old_version;
1627 const char *dnstring;
1629 uint32_t rmd_flags = deleted?DSDB_RMD_FLAG_DELETED:0;
1631 tstring = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)nttime);
1633 return LDB_ERR_OPERATIONS_ERROR;
1635 tval = data_blob_string_const(tstring);
1637 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)seq_num);
1639 return LDB_ERR_OPERATIONS_ERROR;
1641 usnv = data_blob_string_const(usn_string);
1643 usn_string = talloc_asprintf(mem_ctx, "%llu", (unsigned long long)local_usn);
1645 return LDB_ERR_OPERATIONS_ERROR;
1647 local_usnv = data_blob_string_const(usn_string);
1649 status = GUID_to_ndr_blob(invocation_id, dn, &iid);
1650 if (!NT_STATUS_IS_OK(status)) {
1651 return LDB_ERR_OPERATIONS_ERROR;
1654 flags_string = talloc_asprintf(mem_ctx, "%u", rmd_flags);
1655 if (!flags_string) {
1656 return LDB_ERR_OPERATIONS_ERROR;
1658 flagsv = data_blob_string_const(flags_string);
1660 ret = ldb_dn_set_extended_component(dn, "RMD_FLAGS", &flagsv);
1661 if (ret != LDB_SUCCESS) return ret;
1663 /* get the ADDTIME from the original */
1664 old_addtime = ldb_dn_get_extended_component(old_dsdb_dn->dn, "RMD_ADDTIME");
1665 if (old_addtime == NULL) {
1666 old_addtime = &tval;
1668 if (dsdb_dn != old_dsdb_dn ||
1669 ldb_dn_get_extended_component(dn, "RMD_ADDTIME") == NULL) {
1670 ret = ldb_dn_set_extended_component(dn, "RMD_ADDTIME", old_addtime);
1671 if (ret != LDB_SUCCESS) return ret;
1674 /* use our invocation id */
1675 ret = ldb_dn_set_extended_component(dn, "RMD_INVOCID", &iid);
1676 if (ret != LDB_SUCCESS) return ret;
1678 /* changetime is the current time */
1679 ret = ldb_dn_set_extended_component(dn, "RMD_CHANGETIME", &tval);
1680 if (ret != LDB_SUCCESS) return ret;
1682 /* update the USN */
1683 ret = ldb_dn_set_extended_component(dn, "RMD_ORIGINATING_USN", &usnv);
1684 if (ret != LDB_SUCCESS) return ret;
1686 ret = ldb_dn_set_extended_component(dn, "RMD_LOCAL_USN", &local_usnv);
1687 if (ret != LDB_SUCCESS) return ret;
1689 /* increase the version by 1 */
1690 status = dsdb_get_extended_dn_uint32(old_dsdb_dn->dn, &old_version, "RMD_VERSION");
1691 if (NT_STATUS_IS_OK(status) && old_version >= version) {
1692 version = old_version+1;
1694 vstring = talloc_asprintf(dn, "%lu", (unsigned long)version);
1695 vers = data_blob_string_const(vstring);
1696 ret = ldb_dn_set_extended_component(dn, "RMD_VERSION", &vers);
1697 if (ret != LDB_SUCCESS) return ret;
1699 dnstring = dsdb_dn_get_extended_linearized(mem_ctx, dsdb_dn, 1);
1700 if (dnstring == NULL) {
1701 return LDB_ERR_OPERATIONS_ERROR;
1703 *v = data_blob_string_const(dnstring);
1709 handle adding a linked attribute
1711 static int replmd_modify_la_add(struct ldb_module *module,
1712 const struct dsdb_schema *schema,
1713 struct ldb_message *msg,
1714 struct ldb_message_element *el,
1715 struct ldb_message_element *old_el,
1716 const struct dsdb_attribute *schema_attr,
1719 struct GUID *msg_guid,
1720 struct ldb_request *parent)
1723 struct parsed_dn *dns, *old_dns;
1724 TALLOC_CTX *tmp_ctx = talloc_new(msg);
1726 struct ldb_val *new_values = NULL;
1727 unsigned int num_new_values = 0;
1728 unsigned old_num_values = old_el?old_el->num_values:0;
1729 const struct GUID *invocation_id;
1730 struct ldb_context *ldb = ldb_module_get_ctx(module);
1733 unix_to_nt_time(&now, t);
1735 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
1736 if (ret != LDB_SUCCESS) {
1737 talloc_free(tmp_ctx);
1741 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
1742 if (ret != LDB_SUCCESS) {
1743 talloc_free(tmp_ctx);
1747 invocation_id = samdb_ntds_invocation_id(ldb);
1748 if (!invocation_id) {
1749 talloc_free(tmp_ctx);
1750 return LDB_ERR_OPERATIONS_ERROR;
1753 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
1754 if (ret != LDB_SUCCESS) {
1755 talloc_free(tmp_ctx);
1759 /* for each new value, see if it exists already with the same GUID */
1760 for (i=0; i<el->num_values; i++) {
1761 struct parsed_dn *p = parsed_dn_find(old_dns, old_num_values, dns[i].guid, NULL);
1763 /* this is a new linked attribute value */
1764 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val, num_new_values+1);
1765 if (new_values == NULL) {
1766 ldb_module_oom(module);
1767 talloc_free(tmp_ctx);
1768 return LDB_ERR_OPERATIONS_ERROR;
1770 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
1771 invocation_id, seq_num, seq_num, now, 0, false);
1772 if (ret != LDB_SUCCESS) {
1773 talloc_free(tmp_ctx);
1778 /* this is only allowed if the GUID was
1779 previously deleted. */
1780 uint32_t rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
1782 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
1783 ldb_asprintf_errstring(ldb, "Attribute %s already exists for target GUID %s",
1784 el->name, GUID_string(tmp_ctx, p->guid));
1785 talloc_free(tmp_ctx);
1786 /* error codes for 'member' need to be
1788 if (ldb_attr_cmp(el->name, "member") == 0) {
1789 return LDB_ERR_ENTRY_ALREADY_EXISTS;
1791 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
1794 ret = replmd_update_la_val(old_el->values, p->v, dns[i].dsdb_dn, p->dsdb_dn,
1795 invocation_id, seq_num, seq_num, now, 0, false);
1796 if (ret != LDB_SUCCESS) {
1797 talloc_free(tmp_ctx);
1802 ret = replmd_add_backlink(module, schema, msg_guid, dns[i].guid, true, schema_attr, true);
1803 if (ret != LDB_SUCCESS) {
1804 talloc_free(tmp_ctx);
1809 /* add the new ones on to the end of the old values, constructing a new el->values */
1810 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
1812 old_num_values+num_new_values);
1813 if (el->values == NULL) {
1814 ldb_module_oom(module);
1815 return LDB_ERR_OPERATIONS_ERROR;
1818 memcpy(&el->values[old_num_values], new_values, num_new_values*sizeof(struct ldb_val));
1819 el->num_values = old_num_values + num_new_values;
1821 talloc_steal(msg->elements, el->values);
1822 talloc_steal(el->values, new_values);
1824 talloc_free(tmp_ctx);
1826 /* we now tell the backend to replace all existing values
1827 with the one we have constructed */
1828 el->flags = LDB_FLAG_MOD_REPLACE;
1835 handle deleting all active linked attributes
1837 static int replmd_modify_la_delete(struct ldb_module *module,
1838 const struct dsdb_schema *schema,
1839 struct ldb_message *msg,
1840 struct ldb_message_element *el,
1841 struct ldb_message_element *old_el,
1842 const struct dsdb_attribute *schema_attr,
1845 struct GUID *msg_guid,
1846 struct ldb_request *parent)
1849 struct parsed_dn *dns, *old_dns;
1850 TALLOC_CTX *tmp_ctx = talloc_new(msg);
1852 const struct GUID *invocation_id;
1853 struct ldb_context *ldb = ldb_module_get_ctx(module);
1856 unix_to_nt_time(&now, t);
1858 /* check if there is nothing to delete */
1859 if ((!old_el || old_el->num_values == 0) &&
1860 el->num_values == 0) {
1864 if (!old_el || old_el->num_values == 0) {
1865 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1868 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
1869 if (ret != LDB_SUCCESS) {
1870 talloc_free(tmp_ctx);
1874 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
1875 if (ret != LDB_SUCCESS) {
1876 talloc_free(tmp_ctx);
1880 invocation_id = samdb_ntds_invocation_id(ldb);
1881 if (!invocation_id) {
1882 return LDB_ERR_OPERATIONS_ERROR;
1885 ret = replmd_check_upgrade_links(old_dns, old_el->num_values, old_el, invocation_id);
1886 if (ret != LDB_SUCCESS) {
1887 talloc_free(tmp_ctx);
1893 /* see if we are being asked to delete any links that
1894 don't exist or are already deleted */
1895 for (i=0; i<el->num_values; i++) {
1896 struct parsed_dn *p = &dns[i];
1897 struct parsed_dn *p2;
1900 p2 = parsed_dn_find(old_dns, old_el->num_values, p->guid, NULL);
1902 ldb_asprintf_errstring(ldb, "Attribute %s doesn't exist for target GUID %s",
1903 el->name, GUID_string(tmp_ctx, p->guid));
1904 if (ldb_attr_cmp(el->name, "member") == 0) {
1905 return LDB_ERR_UNWILLING_TO_PERFORM;
1907 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1910 rmd_flags = dsdb_dn_rmd_flags(p2->dsdb_dn->dn);
1911 if (rmd_flags & DSDB_RMD_FLAG_DELETED) {
1912 ldb_asprintf_errstring(ldb, "Attribute %s already deleted for target GUID %s",
1913 el->name, GUID_string(tmp_ctx, p->guid));
1914 if (ldb_attr_cmp(el->name, "member") == 0) {
1915 return LDB_ERR_UNWILLING_TO_PERFORM;
1917 return LDB_ERR_NO_SUCH_ATTRIBUTE;
1922 /* for each new value, see if it exists already with the same GUID
1923 if it is not already deleted and matches the delete list then delete it
1925 for (i=0; i<old_el->num_values; i++) {
1926 struct parsed_dn *p = &old_dns[i];
1929 if (el->num_values && parsed_dn_find(dns, el->num_values, p->guid, NULL) == NULL) {
1933 rmd_flags = dsdb_dn_rmd_flags(p->dsdb_dn->dn);
1934 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
1936 ret = replmd_update_la_val(old_el->values, p->v, p->dsdb_dn, p->dsdb_dn,
1937 invocation_id, seq_num, seq_num, now, 0, true);
1938 if (ret != LDB_SUCCESS) {
1939 talloc_free(tmp_ctx);
1943 ret = replmd_add_backlink(module, schema, msg_guid, old_dns[i].guid, false, schema_attr, true);
1944 if (ret != LDB_SUCCESS) {
1945 talloc_free(tmp_ctx);
1950 el->values = talloc_steal(msg->elements, old_el->values);
1951 el->num_values = old_el->num_values;
1953 talloc_free(tmp_ctx);
1955 /* we now tell the backend to replace all existing values
1956 with the one we have constructed */
1957 el->flags = LDB_FLAG_MOD_REPLACE;
1963 handle replacing a linked attribute
1965 static int replmd_modify_la_replace(struct ldb_module *module,
1966 const struct dsdb_schema *schema,
1967 struct ldb_message *msg,
1968 struct ldb_message_element *el,
1969 struct ldb_message_element *old_el,
1970 const struct dsdb_attribute *schema_attr,
1973 struct GUID *msg_guid,
1974 struct ldb_request *parent)
1977 struct parsed_dn *dns, *old_dns;
1978 TALLOC_CTX *tmp_ctx = talloc_new(msg);
1980 const struct GUID *invocation_id;
1981 struct ldb_context *ldb = ldb_module_get_ctx(module);
1982 struct ldb_val *new_values = NULL;
1983 unsigned int num_new_values = 0;
1984 unsigned int old_num_values = old_el?old_el->num_values:0;
1987 unix_to_nt_time(&now, t);
1989 /* check if there is nothing to replace */
1990 if ((!old_el || old_el->num_values == 0) &&
1991 el->num_values == 0) {
1995 ret = get_parsed_dns(module, tmp_ctx, el, &dns, schema_attr->syntax->ldap_oid, parent);
1996 if (ret != LDB_SUCCESS) {
1997 talloc_free(tmp_ctx);
2001 ret = get_parsed_dns(module, tmp_ctx, old_el, &old_dns, schema_attr->syntax->ldap_oid, parent);
2002 if (ret != LDB_SUCCESS) {
2003 talloc_free(tmp_ctx);
2007 invocation_id = samdb_ntds_invocation_id(ldb);
2008 if (!invocation_id) {
2009 return LDB_ERR_OPERATIONS_ERROR;
2012 ret = replmd_check_upgrade_links(old_dns, old_num_values, old_el, invocation_id);
2013 if (ret != LDB_SUCCESS) {
2014 talloc_free(tmp_ctx);
2018 /* mark all the old ones as deleted */
2019 for (i=0; i<old_num_values; i++) {
2020 struct parsed_dn *old_p = &old_dns[i];
2021 struct parsed_dn *p;
2022 uint32_t rmd_flags = dsdb_dn_rmd_flags(old_p->dsdb_dn->dn);
2024 if (rmd_flags & DSDB_RMD_FLAG_DELETED) continue;
2026 ret = replmd_add_backlink(module, schema, msg_guid, old_dns[i].guid, false, schema_attr, false);
2027 if (ret != LDB_SUCCESS) {
2028 talloc_free(tmp_ctx);
2032 p = parsed_dn_find(dns, el->num_values, old_p->guid, NULL);
2034 /* we don't delete it if we are re-adding it */
2038 ret = replmd_update_la_val(old_el->values, old_p->v, old_p->dsdb_dn, old_p->dsdb_dn,
2039 invocation_id, seq_num, seq_num, now, 0, true);
2040 if (ret != LDB_SUCCESS) {
2041 talloc_free(tmp_ctx);
2046 /* for each new value, either update its meta-data, or add it
2049 for (i=0; i<el->num_values; i++) {
2050 struct parsed_dn *p = &dns[i], *old_p;
2053 (old_p = parsed_dn_find(old_dns,
2054 old_num_values, p->guid, NULL)) != NULL) {
2055 /* update in place */
2056 ret = replmd_update_la_val(old_el->values, old_p->v, p->dsdb_dn,
2057 old_p->dsdb_dn, invocation_id,
2058 seq_num, seq_num, now, 0, false);
2059 if (ret != LDB_SUCCESS) {
2060 talloc_free(tmp_ctx);
2065 new_values = talloc_realloc(tmp_ctx, new_values, struct ldb_val,
2067 if (new_values == NULL) {
2068 ldb_module_oom(module);
2069 talloc_free(tmp_ctx);
2070 return LDB_ERR_OPERATIONS_ERROR;
2072 ret = replmd_build_la_val(new_values, &new_values[num_new_values], dns[i].dsdb_dn,
2073 invocation_id, seq_num, seq_num, now, 0, false);
2074 if (ret != LDB_SUCCESS) {
2075 talloc_free(tmp_ctx);
2081 ret = replmd_add_backlink(module, schema, msg_guid, dns[i].guid, true, schema_attr, false);
2082 if (ret != LDB_SUCCESS) {
2083 talloc_free(tmp_ctx);
2088 /* add the new values to the end of old_el */
2089 if (num_new_values != 0) {
2090 el->values = talloc_realloc(msg->elements, old_el?old_el->values:NULL,
2091 struct ldb_val, old_num_values+num_new_values);
2092 if (el->values == NULL) {
2093 ldb_module_oom(module);
2094 return LDB_ERR_OPERATIONS_ERROR;
2096 memcpy(&el->values[old_num_values], &new_values[0],
2097 sizeof(struct ldb_val)*num_new_values);
2098 el->num_values = old_num_values + num_new_values;
2099 talloc_steal(msg->elements, new_values);
2101 el->values = old_el->values;
2102 el->num_values = old_el->num_values;
2103 talloc_steal(msg->elements, el->values);
2106 talloc_free(tmp_ctx);
2108 /* we now tell the backend to replace all existing values
2109 with the one we have constructed */
2110 el->flags = LDB_FLAG_MOD_REPLACE;
2117 handle linked attributes in modify requests
2119 static int replmd_modify_handle_linked_attribs(struct ldb_module *module,
2120 struct ldb_message *msg,
2121 uint64_t seq_num, time_t t,
2122 struct ldb_request *parent)
2124 struct ldb_result *res;
2127 struct ldb_context *ldb = ldb_module_get_ctx(module);
2128 struct ldb_message *old_msg;
2130 const struct dsdb_schema *schema;
2131 struct GUID old_guid;
2134 /* there the replmd_update_rpmd code has already
2135 * checked and saw that there are no linked
2140 if (dsdb_functional_level(ldb) == DS_DOMAIN_FUNCTION_2000) {
2141 /* don't do anything special for linked attributes */
2145 ret = dsdb_module_search_dn(module, msg, &res, msg->dn, NULL,
2146 DSDB_FLAG_NEXT_MODULE |
2147 DSDB_SEARCH_SHOW_RECYCLED |
2148 DSDB_SEARCH_REVEAL_INTERNALS |
2149 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
2151 if (ret != LDB_SUCCESS) {
2154 schema = dsdb_get_schema(ldb, res);
2156 return LDB_ERR_OPERATIONS_ERROR;
2159 old_msg = res->msgs[0];
2161 old_guid = samdb_result_guid(old_msg, "objectGUID");
2163 for (i=0; i<msg->num_elements; i++) {
2164 struct ldb_message_element *el = &msg->elements[i];
2165 struct ldb_message_element *old_el, *new_el;
2166 const struct dsdb_attribute *schema_attr
2167 = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
2169 ldb_asprintf_errstring(ldb,
2170 "%s: attribute %s is not a valid attribute in schema",
2171 __FUNCTION__, el->name);
2172 return LDB_ERR_OBJECT_CLASS_VIOLATION;
2174 if (schema_attr->linkID == 0) {
2177 if ((schema_attr->linkID & 1) == 1) {
2178 if (parent && ldb_request_get_control(parent, DSDB_CONTROL_DBCHECK)) {
2181 /* Odd is for the target. Illegal to modify */
2182 ldb_asprintf_errstring(ldb,
2183 "attribute %s must not be modified directly, it is a linked attribute", el->name);
2184 return LDB_ERR_UNWILLING_TO_PERFORM;
2186 old_el = ldb_msg_find_element(old_msg, el->name);
2187 switch (el->flags & LDB_FLAG_MOD_MASK) {
2188 case LDB_FLAG_MOD_REPLACE:
2189 ret = replmd_modify_la_replace(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2191 case LDB_FLAG_MOD_DELETE:
2192 ret = replmd_modify_la_delete(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2194 case LDB_FLAG_MOD_ADD:
2195 ret = replmd_modify_la_add(module, schema, msg, el, old_el, schema_attr, seq_num, t, &old_guid, parent);
2198 ldb_asprintf_errstring(ldb,
2199 "invalid flags 0x%x for %s linked attribute",
2200 el->flags, el->name);
2201 return LDB_ERR_UNWILLING_TO_PERFORM;
2203 if (dsdb_check_single_valued_link(schema_attr, el) != LDB_SUCCESS) {
2204 ldb_asprintf_errstring(ldb,
2205 "Attribute %s is single valued but more than one value has been supplied",
2207 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
2209 el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
2214 if (ret != LDB_SUCCESS) {
2218 ldb_msg_remove_attr(old_msg, el->name);
2220 ldb_msg_add_empty(old_msg, el->name, 0, &new_el);
2221 new_el->num_values = el->num_values;
2222 new_el->values = talloc_steal(msg->elements, el->values);
2224 /* TODO: this relises a bit too heavily on the exact
2225 behaviour of ldb_msg_find_element and
2226 ldb_msg_remove_element */
2227 old_el = ldb_msg_find_element(msg, el->name);
2229 ldb_msg_remove_element(msg, old_el);
2240 static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
2242 struct ldb_context *ldb;
2243 struct replmd_replicated_request *ac;
2244 struct ldb_request *down_req;
2245 struct ldb_message *msg;
2246 time_t t = time(NULL);
2248 bool is_urgent = false;
2249 struct loadparm_context *lp_ctx;
2251 unsigned int functional_level;
2252 const DATA_BLOB *guid_blob;
2254 /* do not manipulate our control entries */
2255 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2256 return ldb_next_request(module, req);
2259 ldb = ldb_module_get_ctx(module);
2261 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_modify\n");
2263 guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
2264 if ( guid_blob != NULL ) {
2265 ldb_set_errstring(ldb,
2266 "replmd_modify: it's not allowed to change the objectGUID!");
2267 return LDB_ERR_CONSTRAINT_VIOLATION;
2270 ac = replmd_ctx_init(module, req);
2272 return ldb_module_oom(module);
2275 functional_level = dsdb_functional_level(ldb);
2277 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2278 struct loadparm_context);
2280 /* we have to copy the message as the caller might have it as a const */
2281 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
2285 return LDB_ERR_OPERATIONS_ERROR;
2288 ldb_msg_remove_attr(msg, "whenChanged");
2289 ldb_msg_remove_attr(msg, "uSNChanged");
2291 ret = replmd_update_rpmd(module, ac->schema, req, NULL,
2292 msg, &ac->seq_num, t, &is_urgent);
2293 if (ret == LDB_ERR_REFERRAL) {
2294 referral = talloc_asprintf(req,
2296 lpcfg_dnsdomain(lp_ctx),
2297 ldb_dn_get_linearized(msg->dn));
2298 ret = ldb_module_send_referral(req, referral);
2300 return ldb_module_done(req, NULL, NULL, ret);
2303 if (ret != LDB_SUCCESS) {
2308 ret = replmd_modify_handle_linked_attribs(module, msg, ac->seq_num, t, req);
2309 if (ret != LDB_SUCCESS) {
2315 * - replace the old object with the newly constructed one
2318 ac->is_urgent = is_urgent;
2320 ret = ldb_build_mod_req(&down_req, ldb, ac,
2323 ac, replmd_op_callback,
2325 LDB_REQ_SET_LOCATION(down_req);
2326 if (ret != LDB_SUCCESS) {
2331 /* current partition control is needed by "replmd_op_callback" */
2332 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2333 ret = ldb_request_add_control(down_req,
2334 DSDB_CONTROL_CURRENT_PARTITION_OID,
2336 if (ret != LDB_SUCCESS) {
2342 /* If we are in functional level 2000, then
2343 * replmd_modify_handle_linked_attribs will have done
2345 if (functional_level == DS_DOMAIN_FUNCTION_2000) {
2346 ret = ldb_request_add_control(down_req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
2347 if (ret != LDB_SUCCESS) {
2353 talloc_steal(down_req, msg);
2355 /* we only change whenChanged and uSNChanged if the seq_num
2357 if (ac->seq_num != 0) {
2358 ret = add_time_element(msg, "whenChanged", t);
2359 if (ret != LDB_SUCCESS) {
2365 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2366 if (ret != LDB_SUCCESS) {
2373 /* go on with the call chain */
2374 return ldb_next_request(module, down_req);
2377 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares);
2380 handle a rename request
2382 On a rename we need to do an extra ldb_modify which sets the
2383 whenChanged and uSNChanged attributes. We do this in a callback after the success.
2385 static int replmd_rename(struct ldb_module *module, struct ldb_request *req)
2387 struct ldb_context *ldb;
2388 struct replmd_replicated_request *ac;
2390 struct ldb_request *down_req;
2392 /* do not manipulate our control entries */
2393 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2394 return ldb_next_request(module, req);
2397 ldb = ldb_module_get_ctx(module);
2399 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_rename\n");
2401 ac = replmd_ctx_init(module, req);
2403 return ldb_module_oom(module);
2406 ret = ldb_build_rename_req(&down_req, ldb, ac,
2407 ac->req->op.rename.olddn,
2408 ac->req->op.rename.newdn,
2410 ac, replmd_rename_callback,
2412 LDB_REQ_SET_LOCATION(down_req);
2413 if (ret != LDB_SUCCESS) {
2418 /* go on with the call chain */
2419 return ldb_next_request(module, down_req);
2422 /* After the rename is compleated, update the whenchanged etc */
2423 static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
2425 struct ldb_context *ldb;
2426 struct replmd_replicated_request *ac;
2427 struct ldb_request *down_req;
2428 struct ldb_message *msg;
2429 const struct dsdb_attribute *rdn_attr;
2430 const char *rdn_name;
2431 const struct ldb_val *rdn_val;
2432 const char *attrs[5] = { NULL, };
2433 time_t t = time(NULL);
2435 bool is_urgent = false;
2437 ac = talloc_get_type(req->context, struct replmd_replicated_request);
2438 ldb = ldb_module_get_ctx(ac->module);
2440 if (ares->error != LDB_SUCCESS) {
2441 return ldb_module_done(ac->req, ares->controls,
2442 ares->response, ares->error);
2445 if (ares->type != LDB_REPLY_DONE) {
2446 ldb_set_errstring(ldb,
2447 "invalid ldb_reply_type in callback");
2449 return ldb_module_done(ac->req, NULL, NULL,
2450 LDB_ERR_OPERATIONS_ERROR);
2454 * - replace the old object with the newly constructed one
2457 msg = ldb_msg_new(ac);
2460 return LDB_ERR_OPERATIONS_ERROR;
2463 msg->dn = ac->req->op.rename.newdn;
2465 rdn_name = ldb_dn_get_rdn_name(msg->dn);
2466 if (rdn_name == NULL) {
2468 return ldb_module_done(ac->req, NULL, NULL,
2472 /* normalize the rdn attribute name */
2473 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, rdn_name);
2474 if (rdn_attr == NULL) {
2476 return ldb_module_done(ac->req, NULL, NULL,
2479 rdn_name = rdn_attr->lDAPDisplayName;
2481 rdn_val = ldb_dn_get_rdn_val(msg->dn);
2482 if (rdn_val == NULL) {
2484 return ldb_module_done(ac->req, NULL, NULL,
2488 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2490 return ldb_module_done(ac->req, NULL, NULL,
2493 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
2495 return ldb_module_done(ac->req, NULL, NULL,
2498 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
2500 return ldb_module_done(ac->req, NULL, NULL,
2503 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
2505 return ldb_module_done(ac->req, NULL, NULL,
2510 * here we let replmd_update_rpmd() only search for
2511 * the existing "replPropertyMetaData" and rdn_name attributes.
2513 * We do not want the existing "name" attribute as
2514 * the "name" attribute needs to get the version
2515 * updated on rename even if the rdn value hasn't changed.
2517 * This is the diff of the meta data, for a moved user
2518 * on a w2k8r2 server:
2521 * -dn: CN=sdf df,CN=Users,DC=bla,DC=base
2522 * +dn: CN=sdf df,OU=TestOU,DC=bla,DC=base
2523 * replPropertyMetaData: NDR: struct replPropertyMetaDataBlob
2524 * version : 0x00000001 (1)
2525 * reserved : 0x00000000 (0)
2526 * @@ -66,11 +66,11 @@ replPropertyMetaData: NDR: struct re
2527 * local_usn : 0x00000000000037a5 (14245)
2528 * array: struct replPropertyMetaData1
2529 * attid : DRSUAPI_ATTID_name (0x90001)
2530 * - version : 0x00000001 (1)
2531 * - originating_change_time : Wed Feb 9 17:20:49 2011 CET
2532 * + version : 0x00000002 (2)
2533 * + originating_change_time : Wed Apr 6 15:21:01 2011 CEST
2534 * originating_invocation_id: 0d36ca05-5507-4e62-aca3-354bab0d39e1
2535 * - originating_usn : 0x00000000000037a5 (14245)
2536 * - local_usn : 0x00000000000037a5 (14245)
2537 * + originating_usn : 0x0000000000003834 (14388)
2538 * + local_usn : 0x0000000000003834 (14388)
2539 * array: struct replPropertyMetaData1
2540 * attid : DRSUAPI_ATTID_userAccountControl (0x90008)
2541 * version : 0x00000004 (4)
2543 attrs[0] = "replPropertyMetaData";
2544 attrs[1] = "objectClass";
2545 attrs[2] = "instanceType";
2546 attrs[3] = rdn_name;
2549 ret = replmd_update_rpmd(ac->module, ac->schema, req, attrs,
2550 msg, &ac->seq_num, t, &is_urgent);
2551 if (ret == LDB_ERR_REFERRAL) {
2552 struct ldb_dn *olddn = ac->req->op.rename.olddn;
2553 struct loadparm_context *lp_ctx;
2556 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2557 struct loadparm_context);
2559 referral = talloc_asprintf(req,
2561 lpcfg_dnsdomain(lp_ctx),
2562 ldb_dn_get_linearized(olddn));
2563 ret = ldb_module_send_referral(req, referral);
2565 return ldb_module_done(req, NULL, NULL, ret);
2568 if (ret != LDB_SUCCESS) {
2570 return ldb_module_done(ac->req, NULL, NULL, ret);
2573 if (ac->seq_num == 0) {
2575 return ldb_module_done(ac->req, NULL, NULL,
2577 "internal error seq_num == 0"));
2579 ac->is_urgent = is_urgent;
2581 ret = ldb_build_mod_req(&down_req, ldb, ac,
2584 ac, replmd_op_callback,
2586 LDB_REQ_SET_LOCATION(down_req);
2587 if (ret != LDB_SUCCESS) {
2592 /* current partition control is needed by "replmd_op_callback" */
2593 if (ldb_request_get_control(req, DSDB_CONTROL_CURRENT_PARTITION_OID) == NULL) {
2594 ret = ldb_request_add_control(down_req,
2595 DSDB_CONTROL_CURRENT_PARTITION_OID,
2597 if (ret != LDB_SUCCESS) {
2603 talloc_steal(down_req, msg);
2605 ret = add_time_element(msg, "whenChanged", t);
2606 if (ret != LDB_SUCCESS) {
2612 ret = add_uint64_element(ldb, msg, "uSNChanged", ac->seq_num);
2613 if (ret != LDB_SUCCESS) {
2619 /* go on with the call chain - do the modify after the rename */
2620 return ldb_next_request(ac->module, down_req);
2624 remove links from objects that point at this object when an object
2627 static int replmd_delete_remove_link(struct ldb_module *module,
2628 const struct dsdb_schema *schema,
2630 struct ldb_message_element *el,
2631 const struct dsdb_attribute *sa,
2632 struct ldb_request *parent)
2635 TALLOC_CTX *tmp_ctx = talloc_new(module);
2636 struct ldb_context *ldb = ldb_module_get_ctx(module);
2638 for (i=0; i<el->num_values; i++) {
2639 struct dsdb_dn *dsdb_dn;
2643 struct ldb_message *msg;
2644 const struct dsdb_attribute *target_attr;
2645 struct ldb_message_element *el2;
2646 struct ldb_val dn_val;
2648 if (dsdb_dn_is_deleted_val(&el->values[i])) {
2652 dsdb_dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], sa->syntax->ldap_oid);
2654 talloc_free(tmp_ctx);
2655 return LDB_ERR_OPERATIONS_ERROR;
2658 status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid2, "GUID");
2659 if (!NT_STATUS_IS_OK(status)) {
2660 talloc_free(tmp_ctx);
2661 return LDB_ERR_OPERATIONS_ERROR;
2664 /* remove the link */
2665 msg = ldb_msg_new(tmp_ctx);
2667 ldb_module_oom(module);
2668 talloc_free(tmp_ctx);
2669 return LDB_ERR_OPERATIONS_ERROR;
2673 msg->dn = dsdb_dn->dn;
2675 target_attr = dsdb_attribute_by_linkID(schema, sa->linkID ^ 1);
2676 if (target_attr == NULL) {
2680 ret = ldb_msg_add_empty(msg, target_attr->lDAPDisplayName, LDB_FLAG_MOD_DELETE, &el2);
2681 if (ret != LDB_SUCCESS) {
2682 ldb_module_oom(module);
2683 talloc_free(tmp_ctx);
2684 return LDB_ERR_OPERATIONS_ERROR;
2686 dn_val = data_blob_string_const(ldb_dn_get_linearized(dn));
2687 el2->values = &dn_val;
2688 el2->num_values = 1;
2690 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, parent);
2691 if (ret != LDB_SUCCESS) {
2692 talloc_free(tmp_ctx);
2696 talloc_free(tmp_ctx);
2702 handle update of replication meta data for deletion of objects
2704 This also handles the mapping of delete to a rename operation
2705 to allow deletes to be replicated.
2707 static int replmd_delete(struct ldb_module *module, struct ldb_request *req)
2709 int ret = LDB_ERR_OTHER;
2710 bool retb, disallow_move_on_delete;
2711 struct ldb_dn *old_dn, *new_dn;
2712 const char *rdn_name;
2713 const struct ldb_val *rdn_value, *new_rdn_value;
2715 struct ldb_context *ldb = ldb_module_get_ctx(module);
2716 const struct dsdb_schema *schema;
2717 struct ldb_message *msg, *old_msg;
2718 struct ldb_message_element *el;
2719 TALLOC_CTX *tmp_ctx;
2720 struct ldb_result *res, *parent_res;
2721 const char *preserved_attrs[] = {
2722 /* yes, this really is a hard coded list. See MS-ADTS
2723 section 3.1.1.5.5.1.1 */
2724 "nTSecurityDescriptor", "attributeID", "attributeSyntax", "dNReferenceUpdate", "dNSHostName",
2725 "flatName", "governsID", "groupType", "instanceType", "lDAPDisplayName", "legacyExchangeDN",
2726 "isDeleted", "isRecycled", "lastKnownParent", "msDS-LastKnownRDN", "mS-DS-CreatorSID",
2727 "mSMQOwnerID", "nCName", "objectClass", "distinguishedName", "objectGUID", "objectSid",
2728 "oMSyntax", "proxiedObjectName", "name", "replPropertyMetaData", "sAMAccountName",
2729 "securityIdentifier", "sIDHistory", "subClassOf", "systemFlags", "trustPartner", "trustDirection",
2730 "trustType", "trustAttributes", "userAccountControl", "uSNChanged", "uSNCreated", "whenCreated",
2731 "whenChanged", NULL};
2732 unsigned int i, el_count = 0;
2733 enum deletion_state { OBJECT_NOT_DELETED=1, OBJECT_DELETED=2, OBJECT_RECYCLED=3,
2734 OBJECT_TOMBSTONE=4, OBJECT_REMOVED=5 };
2735 enum deletion_state deletion_state, next_deletion_state;
2737 int functional_level;
2739 if (ldb_dn_is_special(req->op.del.dn)) {
2740 return ldb_next_request(module, req);
2743 tmp_ctx = talloc_new(ldb);
2746 return LDB_ERR_OPERATIONS_ERROR;
2749 schema = dsdb_get_schema(ldb, tmp_ctx);
2751 return LDB_ERR_OPERATIONS_ERROR;
2754 functional_level = dsdb_functional_level(ldb);
2756 old_dn = ldb_dn_copy(tmp_ctx, req->op.del.dn);
2758 /* we need the complete msg off disk, so we can work out which
2759 attributes need to be removed */
2760 ret = dsdb_module_search_dn(module, tmp_ctx, &res, old_dn, NULL,
2761 DSDB_FLAG_NEXT_MODULE |
2762 DSDB_SEARCH_SHOW_RECYCLED |
2763 DSDB_SEARCH_REVEAL_INTERNALS |
2764 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT, req);
2765 if (ret != LDB_SUCCESS) {
2766 talloc_free(tmp_ctx);
2769 old_msg = res->msgs[0];
2772 ret = dsdb_recyclebin_enabled(module, &enabled);
2773 if (ret != LDB_SUCCESS) {
2774 talloc_free(tmp_ctx);
2778 if (ldb_msg_check_string_attribute(old_msg, "isDeleted", "TRUE")) {
2780 deletion_state = OBJECT_TOMBSTONE;
2781 next_deletion_state = OBJECT_REMOVED;
2782 } else if (ldb_msg_check_string_attribute(old_msg, "isRecycled", "TRUE")) {
2783 deletion_state = OBJECT_RECYCLED;
2784 next_deletion_state = OBJECT_REMOVED;
2786 deletion_state = OBJECT_DELETED;
2787 next_deletion_state = OBJECT_RECYCLED;
2790 deletion_state = OBJECT_NOT_DELETED;
2792 next_deletion_state = OBJECT_DELETED;
2794 next_deletion_state = OBJECT_TOMBSTONE;
2798 if (next_deletion_state == OBJECT_REMOVED) {
2799 struct auth_session_info *session_info =
2800 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
2801 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
2802 ldb_asprintf_errstring(ldb, "Refusing to delete deleted object %s",
2803 ldb_dn_get_linearized(old_msg->dn));
2804 return LDB_ERR_UNWILLING_TO_PERFORM;
2807 /* it is already deleted - really remove it this time */
2808 talloc_free(tmp_ctx);
2809 return ldb_next_request(module, req);
2812 rdn_name = ldb_dn_get_rdn_name(old_dn);
2813 rdn_value = ldb_dn_get_rdn_val(old_dn);
2814 if ((rdn_name == NULL) || (rdn_value == NULL)) {
2815 talloc_free(tmp_ctx);
2816 return ldb_operr(ldb);
2819 msg = ldb_msg_new(tmp_ctx);
2821 ldb_module_oom(module);
2822 talloc_free(tmp_ctx);
2823 return LDB_ERR_OPERATIONS_ERROR;
2828 if (deletion_state == OBJECT_NOT_DELETED){
2829 /* consider the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag */
2830 disallow_move_on_delete =
2831 (ldb_msg_find_attr_as_int(old_msg, "systemFlags", 0)
2832 & SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
2834 /* work out where we will be renaming this object to */
2835 if (!disallow_move_on_delete) {
2836 ret = dsdb_get_deleted_objects_dn(ldb, tmp_ctx, old_dn,
2838 if (ret != LDB_SUCCESS) {
2839 /* this is probably an attempted delete on a partition
2840 * that doesn't allow delete operations, such as the
2841 * schema partition */
2842 ldb_asprintf_errstring(ldb, "No Deleted Objects container for DN %s",
2843 ldb_dn_get_linearized(old_dn));
2844 talloc_free(tmp_ctx);
2845 return LDB_ERR_UNWILLING_TO_PERFORM;
2848 new_dn = ldb_dn_get_parent(tmp_ctx, old_dn);
2849 if (new_dn == NULL) {
2850 ldb_module_oom(module);
2851 talloc_free(tmp_ctx);
2852 return LDB_ERR_OPERATIONS_ERROR;
2856 /* get the objects GUID from the search we just did */
2857 guid = samdb_result_guid(old_msg, "objectGUID");
2859 /* Add a formatted child */
2860 retb = ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ADEL:%s",
2862 ldb_dn_escape_value(tmp_ctx, *rdn_value),
2863 GUID_string(tmp_ctx, &guid));
2865 DEBUG(0,(__location__ ": Unable to add a formatted child to dn: %s",
2866 ldb_dn_get_linearized(new_dn)));
2867 talloc_free(tmp_ctx);
2868 return LDB_ERR_OPERATIONS_ERROR;
2871 ret = ldb_msg_add_string(msg, "isDeleted", "TRUE");
2872 if (ret != LDB_SUCCESS) {
2873 DEBUG(0,(__location__ ": Failed to add isDeleted string to the msg\n"));
2874 ldb_module_oom(module);
2875 talloc_free(tmp_ctx);
2878 msg->elements[el_count++].flags = LDB_FLAG_MOD_REPLACE;
2882 now we need to modify the object in the following ways:
2884 - add isDeleted=TRUE
2885 - update rDN and name, with new rDN
2886 - remove linked attributes
2887 - remove objectCategory and sAMAccountType
2888 - remove attribs not on the preserved list
2889 - preserved if in above list, or is rDN
2890 - remove all linked attribs from this object
2891 - remove all links from other objects to this object
2892 - add lastKnownParent
2893 - update replPropertyMetaData?
2895 see MS-ADTS "Tombstone Requirements" section 3.1.1.5.5.1.1
2898 /* we need the storage form of the parent GUID */
2899 ret = dsdb_module_search_dn(module, tmp_ctx, &parent_res,
2900 ldb_dn_get_parent(tmp_ctx, old_dn), NULL,
2901 DSDB_FLAG_NEXT_MODULE |
2902 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
2903 DSDB_SEARCH_REVEAL_INTERNALS|
2904 DSDB_SEARCH_SHOW_RECYCLED, req);
2905 if (ret != LDB_SUCCESS) {
2906 talloc_free(tmp_ctx);
2910 if (deletion_state == OBJECT_NOT_DELETED){
2911 ret = ldb_msg_add_steal_string(msg, "lastKnownParent",
2912 ldb_dn_get_extended_linearized(tmp_ctx, parent_res->msgs[0]->dn, 1));
2913 if (ret != LDB_SUCCESS) {
2914 DEBUG(0,(__location__ ": Failed to add lastKnownParent string to the msg\n"));
2915 ldb_module_oom(module);
2916 talloc_free(tmp_ctx);
2919 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
2922 switch (next_deletion_state){
2924 case OBJECT_DELETED:
2926 ret = ldb_msg_add_value(msg, "msDS-LastKnownRDN", rdn_value, NULL);
2927 if (ret != LDB_SUCCESS) {
2928 DEBUG(0,(__location__ ": Failed to add msDS-LastKnownRDN string to the msg\n"));
2929 ldb_module_oom(module);
2930 talloc_free(tmp_ctx);
2933 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
2935 ret = ldb_msg_add_empty(msg, "objectCategory", LDB_FLAG_MOD_REPLACE, NULL);
2936 if (ret != LDB_SUCCESS) {
2937 talloc_free(tmp_ctx);
2938 ldb_module_oom(module);
2942 ret = ldb_msg_add_empty(msg, "sAMAccountType", LDB_FLAG_MOD_REPLACE, NULL);
2943 if (ret != LDB_SUCCESS) {
2944 talloc_free(tmp_ctx);
2945 ldb_module_oom(module);
2951 case OBJECT_RECYCLED:
2952 case OBJECT_TOMBSTONE:
2954 /* we also mark it as recycled, meaning this object can't be
2955 recovered (we are stripping its attributes) */
2956 if (functional_level >= DS_DOMAIN_FUNCTION_2008_R2) {
2957 ret = ldb_msg_add_string(msg, "isRecycled", "TRUE");
2958 if (ret != LDB_SUCCESS) {
2959 DEBUG(0,(__location__ ": Failed to add isRecycled string to the msg\n"));
2960 ldb_module_oom(module);
2961 talloc_free(tmp_ctx);
2964 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
2967 /* work out which of the old attributes we will be removing */
2968 for (i=0; i<old_msg->num_elements; i++) {
2969 const struct dsdb_attribute *sa;
2970 el = &old_msg->elements[i];
2971 sa = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
2973 talloc_free(tmp_ctx);
2974 return LDB_ERR_OPERATIONS_ERROR;
2976 if (ldb_attr_cmp(el->name, rdn_name) == 0) {
2977 /* don't remove the rDN */
2980 if (sa->linkID && (sa->linkID & 1)) {
2982 we have a backlink in this object
2983 that needs to be removed. We're not
2984 allowed to remove it directly
2985 however, so we instead setup a
2986 modify to delete the corresponding
2989 ret = replmd_delete_remove_link(module, schema, old_dn, el, sa, req);
2990 if (ret != LDB_SUCCESS) {
2991 talloc_free(tmp_ctx);
2992 return LDB_ERR_OPERATIONS_ERROR;
2994 /* now we continue, which means we
2995 won't remove this backlink
3000 if (!sa->linkID && ldb_attr_in_list(preserved_attrs, el->name)) {
3003 ret = ldb_msg_add_empty(msg, el->name, LDB_FLAG_MOD_DELETE, &el);
3004 if (ret != LDB_SUCCESS) {
3005 talloc_free(tmp_ctx);
3006 ldb_module_oom(module);
3016 if (deletion_state == OBJECT_NOT_DELETED) {
3017 const struct dsdb_attribute *sa;
3019 /* work out what the new rdn value is, for updating the
3020 rDN and name fields */
3021 new_rdn_value = ldb_dn_get_rdn_val(new_dn);
3022 if (new_rdn_value == NULL) {
3023 talloc_free(tmp_ctx);
3024 return ldb_operr(ldb);
3027 sa = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
3029 talloc_free(tmp_ctx);
3030 return LDB_ERR_OPERATIONS_ERROR;
3033 ret = ldb_msg_add_value(msg, sa->lDAPDisplayName, new_rdn_value,
3035 if (ret != LDB_SUCCESS) {
3036 talloc_free(tmp_ctx);
3039 el->flags = LDB_FLAG_MOD_REPLACE;
3041 el = ldb_msg_find_element(old_msg, "name");
3043 ret = ldb_msg_add_value(msg, "name", new_rdn_value, &el);
3044 if (ret != LDB_SUCCESS) {
3045 talloc_free(tmp_ctx);
3048 el->flags = LDB_FLAG_MOD_REPLACE;
3052 ret = dsdb_module_modify(module, msg, DSDB_FLAG_OWN_MODULE, req);
3053 if (ret != LDB_SUCCESS) {
3054 ldb_asprintf_errstring(ldb, "replmd_delete: Failed to modify object %s in delete - %s",
3055 ldb_dn_get_linearized(old_dn), ldb_errstring(ldb));
3056 talloc_free(tmp_ctx);
3060 if (deletion_state == OBJECT_NOT_DELETED) {
3061 /* now rename onto the new DN */
3062 ret = dsdb_module_rename(module, old_dn, new_dn, DSDB_FLAG_NEXT_MODULE, req);
3063 if (ret != LDB_SUCCESS){
3064 DEBUG(0,(__location__ ": Failed to rename object from '%s' to '%s' - %s\n",
3065 ldb_dn_get_linearized(old_dn),
3066 ldb_dn_get_linearized(new_dn),
3067 ldb_errstring(ldb)));
3068 talloc_free(tmp_ctx);
3073 talloc_free(tmp_ctx);
3075 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
3080 static int replmd_replicated_request_error(struct replmd_replicated_request *ar, int ret)
3085 static int replmd_replicated_request_werror(struct replmd_replicated_request *ar, WERROR status)
3087 int ret = LDB_ERR_OTHER;
3088 /* TODO: do some error mapping */
3093 static struct replPropertyMetaData1 *
3094 replmd_replPropertyMetaData1_find_attid(struct replPropertyMetaDataBlob *md_blob,
3095 enum drsuapi_DsAttributeId attid)
3098 struct replPropertyMetaDataCtr1 *rpmd_ctr = &md_blob->ctr.ctr1;
3100 for (i = 0; i < rpmd_ctr->count; i++) {
3101 if (rpmd_ctr->array[i].attid == attid) {
3102 return &rpmd_ctr->array[i];
3110 return true if an update is newer than an existing entry
3111 see section 5.11 of MS-ADTS
3113 static bool replmd_update_is_newer(const struct GUID *current_invocation_id,
3114 const struct GUID *update_invocation_id,
3115 uint32_t current_version,
3116 uint32_t update_version,
3117 NTTIME current_change_time,
3118 NTTIME update_change_time)
3120 if (update_version != current_version) {
3121 return update_version > current_version;
3123 if (update_change_time != current_change_time) {
3124 return update_change_time > current_change_time;
3126 return GUID_compare(update_invocation_id, current_invocation_id) > 0;
3129 static bool replmd_replPropertyMetaData1_is_newer(struct replPropertyMetaData1 *cur_m,
3130 struct replPropertyMetaData1 *new_m)
3132 return replmd_update_is_newer(&cur_m->originating_invocation_id,
3133 &new_m->originating_invocation_id,
3136 cur_m->originating_change_time,
3137 new_m->originating_change_time);
3144 static struct ldb_dn *replmd_conflict_dn(TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct GUID *guid)
3146 const struct ldb_val *rdn_val;
3147 const char *rdn_name;
3148 struct ldb_dn *new_dn;
3150 rdn_val = ldb_dn_get_rdn_val(dn);
3151 rdn_name = ldb_dn_get_rdn_name(dn);
3152 if (!rdn_val || !rdn_name) {
3156 new_dn = ldb_dn_copy(mem_ctx, dn);
3161 if (!ldb_dn_remove_child_components(new_dn, 1)) {
3165 if (!ldb_dn_add_child_fmt(new_dn, "%s=%s\\0ACNF:%s",
3167 ldb_dn_escape_value(new_dn, *rdn_val),
3168 GUID_string(new_dn, guid))) {
3177 perform a modify operation which sets the rDN and name attributes to
3178 their current values. This has the effect of changing these
3179 attributes to have been last updated by the current DC. This is
3180 needed to ensure that renames performed as part of conflict
3181 resolution are propogated to other DCs
3183 static int replmd_name_modify(struct replmd_replicated_request *ar,
3184 struct ldb_request *req, struct ldb_dn *dn)
3186 struct ldb_message *msg;
3187 const char *rdn_name;
3188 const struct ldb_val *rdn_val;
3189 const struct dsdb_attribute *rdn_attr;
3192 msg = ldb_msg_new(req);
3198 rdn_name = ldb_dn_get_rdn_name(dn);
3199 if (rdn_name == NULL) {
3203 /* normalize the rdn attribute name */
3204 rdn_attr = dsdb_attribute_by_lDAPDisplayName(ar->schema, rdn_name);
3205 if (rdn_attr == NULL) {
3208 rdn_name = rdn_attr->lDAPDisplayName;
3210 rdn_val = ldb_dn_get_rdn_val(dn);
3211 if (rdn_val == NULL) {
3215 if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3218 if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
3221 if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
3224 if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
3228 ret = dsdb_module_modify(ar->module, msg, DSDB_FLAG_OWN_MODULE, req);
3229 if (ret != LDB_SUCCESS) {
3230 DEBUG(0,(__location__ ": Failed to modify rDN/name of conflict DN '%s' - %s",
3231 ldb_dn_get_linearized(dn),
3232 ldb_errstring(ldb_module_get_ctx(ar->module))));
3242 DEBUG(0,(__location__ ": Failed to setup modify rDN/name of conflict DN '%s'",
3243 ldb_dn_get_linearized(dn)));
3244 return LDB_ERR_OPERATIONS_ERROR;
3249 callback for conflict DN handling where we have renamed the incoming
3250 record. After renaming it, we need to ensure the change of name and
3251 rDN for the incoming record is seen as an originating update by this DC.
3253 static int replmd_op_name_modify_callback(struct ldb_request *req, struct ldb_reply *ares)
3255 struct replmd_replicated_request *ar =
3256 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3259 if (ares->error != LDB_SUCCESS) {
3260 /* call the normal callback for everything except success */
3261 return replmd_op_callback(req, ares);
3264 /* perform a modify of the rDN and name of the record */
3265 ret = replmd_name_modify(ar, req, req->op.add.message->dn);
3266 if (ret != LDB_SUCCESS) {
3268 return replmd_op_callback(req, ares);
3271 return replmd_op_callback(req, ares);
3275 callback for replmd_replicated_apply_add()
3276 This copes with the creation of conflict records in the case where
3277 the DN exists, but with a different objectGUID
3279 static int replmd_op_add_callback(struct ldb_request *req, struct ldb_reply *ares)
3281 struct ldb_dn *conflict_dn;
3282 struct replmd_replicated_request *ar =
3283 talloc_get_type_abort(req->context, struct replmd_replicated_request);
3284 struct ldb_result *res;
3285 const char *attrs[] = { "replPropertyMetaData", "objectGUID", NULL };
3287 const struct ldb_val *rmd_value, *omd_value;
3288 struct replPropertyMetaDataBlob omd, rmd;
3289 enum ndr_err_code ndr_err;
3290 bool rename_incoming_record, rodc;
3291 struct replPropertyMetaData1 *rmd_name, *omd_name;
3293 if (ares->error != LDB_ERR_ENTRY_ALREADY_EXISTS) {
3294 /* call the normal callback for everything except
3296 return replmd_op_callback(req, ares);
3299 ret = samdb_rodc(ldb_module_get_ctx(ar->module), &rodc);
3300 if (ret != LDB_SUCCESS) {
3304 * we have a conflict, and need to decide if we will keep the
3305 * new record or the old record
3307 conflict_dn = req->op.add.message->dn;
3311 * We are on an RODC, or were a GC for this
3312 * partition, so we have to fail this until
3313 * someone who owns the partition sorts it
3316 ldb_asprintf_errstring(ldb_module_get_ctx(ar->module),
3317 "Conflict adding object '%s' from incoming replication as we are read only for the partition. \n"
3318 " - We must fail the operation until a master for this partition resolves the conflict",
3319 ldb_dn_get_linearized(conflict_dn));
3324 * we have a conflict, and need to decide if we will keep the
3325 * new record or the old record
3327 conflict_dn = req->op.add.message->dn;
3330 * first we need the replPropertyMetaData attribute from the
3333 ret = dsdb_module_search_dn(ar->module, req, &res, conflict_dn,
3335 DSDB_FLAG_NEXT_MODULE |
3336 DSDB_SEARCH_SHOW_DELETED |
3337 DSDB_SEARCH_SHOW_RECYCLED, req);
3338 if (ret != LDB_SUCCESS) {
3339 DEBUG(0,(__location__ ": Unable to find object for conflicting record '%s'\n",
3340 ldb_dn_get_linearized(conflict_dn)));
3344 omd_value = ldb_msg_find_ldb_val(res->msgs[0], "replPropertyMetaData");
3345 if (omd_value == NULL) {
3346 DEBUG(0,(__location__ ": Unable to find replPropertyMetaData for conflicting record '%s'\n",
3347 ldb_dn_get_linearized(conflict_dn)));
3351 ndr_err = ndr_pull_struct_blob(omd_value, res->msgs[0], &omd,
3352 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3353 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3354 DEBUG(0,(__location__ ": Failed to parse old replPropertyMetaData for %s\n",
3355 ldb_dn_get_linearized(conflict_dn)));
3360 * and the replPropertyMetaData attribute from the
3363 rmd_value = ldb_msg_find_ldb_val(req->op.add.message, "replPropertyMetaData");
3364 if (rmd_value == NULL) {
3365 DEBUG(0,(__location__ ": Unable to find replPropertyMetaData for new record '%s'\n",
3366 ldb_dn_get_linearized(conflict_dn)));
3370 ndr_err = ndr_pull_struct_blob(rmd_value, req, &rmd,
3371 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3372 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3373 DEBUG(0,(__location__ ": Failed to parse new replPropertyMetaData for %s\n",
3374 ldb_dn_get_linearized(conflict_dn)));
3378 /* we decide which is newer based on the RPMD on the name
3379 attribute. See [MS-DRSR] ResolveNameConflict */
3380 rmd_name = replmd_replPropertyMetaData1_find_attid(&rmd, DRSUAPI_ATTID_name);
3381 omd_name = replmd_replPropertyMetaData1_find_attid(&omd, DRSUAPI_ATTID_name);
3382 if (!rmd_name || !omd_name) {
3383 DEBUG(0,(__location__ ": Failed to find name attribute in replPropertyMetaData for %s\n",
3384 ldb_dn_get_linearized(conflict_dn)));
3388 rename_incoming_record = !replmd_replPropertyMetaData1_is_newer(omd_name, rmd_name);
3390 if (rename_incoming_record) {
3392 struct ldb_dn *new_dn;
3393 struct ldb_message *new_msg;
3395 guid = samdb_result_guid(req->op.add.message, "objectGUID");
3396 if (GUID_all_zero(&guid)) {
3397 DEBUG(0,(__location__ ": Failed to find objectGUID for conflicting incoming record %s\n",
3398 ldb_dn_get_linearized(conflict_dn)));
3401 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3402 if (new_dn == NULL) {
3403 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3404 ldb_dn_get_linearized(conflict_dn)));
3408 DEBUG(1,(__location__ ": Resolving conflict record via incoming rename '%s' -> '%s'\n",
3409 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3411 /* re-submit the request, but with a different
3412 callback, so we don't loop forever. */
3413 new_msg = ldb_msg_copy_shallow(req, req->op.add.message);
3416 DEBUG(0,(__location__ ": Failed to copy conflict DN message for %s\n",
3417 ldb_dn_get_linearized(conflict_dn)));
3419 new_msg->dn = new_dn;
3420 req->op.add.message = new_msg;
3421 req->callback = replmd_op_name_modify_callback;
3423 return ldb_next_request(ar->module, req);
3425 /* we are renaming the existing record */
3427 struct ldb_dn *new_dn;
3429 guid = samdb_result_guid(res->msgs[0], "objectGUID");
3430 if (GUID_all_zero(&guid)) {
3431 DEBUG(0,(__location__ ": Failed to find objectGUID for existing conflict record %s\n",
3432 ldb_dn_get_linearized(conflict_dn)));
3436 new_dn = replmd_conflict_dn(req, conflict_dn, &guid);
3437 if (new_dn == NULL) {
3438 DEBUG(0,(__location__ ": Failed to form conflict DN for %s\n",
3439 ldb_dn_get_linearized(conflict_dn)));
3443 DEBUG(1,(__location__ ": Resolving conflict record via existing rename '%s' -> '%s'\n",
3444 ldb_dn_get_linearized(conflict_dn), ldb_dn_get_linearized(new_dn)));
3446 ret = dsdb_module_rename(ar->module, conflict_dn, new_dn,
3447 DSDB_FLAG_OWN_MODULE, req);
3448 if (ret != LDB_SUCCESS) {
3449 DEBUG(0,(__location__ ": Failed to rename conflict dn '%s' to '%s' - %s\n",
3450 ldb_dn_get_linearized(conflict_dn),
3451 ldb_dn_get_linearized(new_dn),
3452 ldb_errstring(ldb_module_get_ctx(ar->module))));
3457 * now we need to ensure that the rename is seen as an
3458 * originating update. We do that with a modify.
3460 ret = replmd_name_modify(ar, req, new_dn);
3461 if (ret != LDB_SUCCESS) {
3465 req->callback = replmd_op_callback;
3467 return ldb_next_request(ar->module, req);
3471 /* on failure do the original callback. This means replication
3472 * will stop with an error, but there is not much else we can
3475 return replmd_op_callback(req, ares);
3479 this is called when a new object comes in over DRS
3481 static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
3483 struct ldb_context *ldb;
3484 struct ldb_request *change_req;
3485 enum ndr_err_code ndr_err;
3486 struct ldb_message *msg;
3487 struct replPropertyMetaDataBlob *md;
3488 struct ldb_val md_value;
3493 * TODO: check if the parent object exist
3497 * TODO: handle the conflict case where an object with the
3501 ldb = ldb_module_get_ctx(ar->module);
3502 msg = ar->objs->objects[ar->index_current].msg;
3503 md = ar->objs->objects[ar->index_current].meta_data;
3505 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
3506 if (ret != LDB_SUCCESS) {
3507 return replmd_replicated_request_error(ar, ret);
3510 ret = ldb_msg_add_value(msg, "objectGUID", &ar->objs->objects[ar->index_current].guid_value, NULL);
3511 if (ret != LDB_SUCCESS) {
3512 return replmd_replicated_request_error(ar, ret);
3515 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
3516 if (ret != LDB_SUCCESS) {
3517 return replmd_replicated_request_error(ar, ret);
3520 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNCreated", ar->seq_num);
3521 if (ret != LDB_SUCCESS) {
3522 return replmd_replicated_request_error(ar, ret);
3525 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
3526 if (ret != LDB_SUCCESS) {
3527 return replmd_replicated_request_error(ar, ret);
3530 /* remove any message elements that have zero values */
3531 for (i=0; i<msg->num_elements; i++) {
3532 struct ldb_message_element *el = &msg->elements[i];
3534 if (el->num_values == 0) {
3535 DEBUG(4,(__location__ ": Removing attribute %s with num_values==0\n",
3537 memmove(el, el+1, sizeof(*el)*(msg->num_elements - (i+1)));
3538 msg->num_elements--;
3545 * the meta data array is already sorted by the caller
3547 for (i=0; i < md->ctr.ctr1.count; i++) {
3548 md->ctr.ctr1.array[i].local_usn = ar->seq_num;
3550 ndr_err = ndr_push_struct_blob(&md_value, msg, md,
3551 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
3552 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3553 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
3554 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
3556 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &md_value, NULL);
3557 if (ret != LDB_SUCCESS) {
3558 return replmd_replicated_request_error(ar, ret);
3561 replmd_ldb_message_sort(msg, ar->schema);
3564 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_ADD, msg);
3565 DEBUG(4, ("DRS replication add message:\n%s\n", s));
3569 ret = ldb_build_add_req(&change_req,
3575 replmd_op_add_callback,
3577 LDB_REQ_SET_LOCATION(change_req);
3578 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3580 /* current partition control needed by "repmd_op_callback" */
3581 ret = ldb_request_add_control(change_req,
3582 DSDB_CONTROL_CURRENT_PARTITION_OID,
3584 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3586 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) {
3587 /* this tells the partition module to make it a
3588 partial replica if creating an NC */
3589 ret = ldb_request_add_control(change_req,
3590 DSDB_CONTROL_PARTIAL_REPLICA,
3592 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3595 return ldb_next_request(ar->module, change_req);
3599 handle renames that come in over DRS replication
3601 static int replmd_replicated_handle_rename(struct replmd_replicated_request *ar,
3602 struct ldb_message *msg,
3603 struct replPropertyMetaDataBlob *rmd,
3604 struct replPropertyMetaDataBlob *omd,
3605 struct ldb_request *parent)
3607 struct replPropertyMetaData1 *md_remote;
3608 struct replPropertyMetaData1 *md_local;
3610 if (ldb_dn_compare(msg->dn, ar->search_msg->dn) == 0) {
3615 /* now we need to check for double renames. We could have a
3616 * local rename pending which our replication partner hasn't
3617 * received yet. We choose which one wins by looking at the
3618 * attribute stamps on the two objects, the newer one wins
3620 md_remote = replmd_replPropertyMetaData1_find_attid(rmd, DRSUAPI_ATTID_name);
3621 md_local = replmd_replPropertyMetaData1_find_attid(omd, DRSUAPI_ATTID_name);
3622 /* if there is no name attribute then we have to assume the
3623 object we've received is in fact newer */
3624 if (!md_remote || !md_local ||
3625 replmd_replPropertyMetaData1_is_newer(md_local, md_remote)) {
3626 DEBUG(4,("replmd_replicated_request rename %s => %s\n",
3627 ldb_dn_get_linearized(ar->search_msg->dn),
3628 ldb_dn_get_linearized(msg->dn)));
3629 /* pass rename to the next module
3630 * so it doesn't appear as an originating update */
3631 return dsdb_module_rename(ar->module,
3632 ar->search_msg->dn, msg->dn,
3633 DSDB_FLAG_NEXT_MODULE | DSDB_MODIFY_RELAX, parent);
3636 /* we're going to keep our old object */
3637 DEBUG(4,(__location__ ": Keeping object %s and rejecting older rename to %s\n",
3638 ldb_dn_get_linearized(ar->search_msg->dn),
3639 ldb_dn_get_linearized(msg->dn)));
3644 static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
3646 struct ldb_context *ldb;
3647 struct ldb_request *change_req;
3648 enum ndr_err_code ndr_err;
3649 struct ldb_message *msg;
3650 struct replPropertyMetaDataBlob *rmd;
3651 struct replPropertyMetaDataBlob omd;
3652 const struct ldb_val *omd_value;
3653 struct replPropertyMetaDataBlob nmd;
3654 struct ldb_val nmd_value;
3657 unsigned int removed_attrs = 0;
3660 ldb = ldb_module_get_ctx(ar->module);
3661 msg = ar->objs->objects[ar->index_current].msg;
3662 rmd = ar->objs->objects[ar->index_current].meta_data;
3666 /* find existing meta data */
3667 omd_value = ldb_msg_find_ldb_val(ar->search_msg, "replPropertyMetaData");
3669 ndr_err = ndr_pull_struct_blob(omd_value, ar, &omd,
3670 (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
3671 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3672 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
3673 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
3676 if (omd.version != 1) {
3677 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
3681 /* handle renames that come in over DRS */
3682 ret = replmd_replicated_handle_rename(ar, msg, rmd, &omd, ar->req);
3683 if (ret != LDB_SUCCESS) {
3684 ldb_debug(ldb, LDB_DEBUG_FATAL,
3685 "replmd_replicated_request rename %s => %s failed - %s\n",
3686 ldb_dn_get_linearized(ar->search_msg->dn),
3687 ldb_dn_get_linearized(msg->dn),
3688 ldb_errstring(ldb));
3689 return replmd_replicated_request_werror(ar, WERR_DS_DRA_DB_ERROR);
3694 nmd.ctr.ctr1.count = omd.ctr.ctr1.count + rmd->ctr.ctr1.count;
3695 nmd.ctr.ctr1.array = talloc_array(ar,
3696 struct replPropertyMetaData1,
3697 nmd.ctr.ctr1.count);
3698 if (!nmd.ctr.ctr1.array) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3700 /* first copy the old meta data */
3701 for (i=0; i < omd.ctr.ctr1.count; i++) {
3702 nmd.ctr.ctr1.array[ni] = omd.ctr.ctr1.array[i];
3707 /* now merge in the new meta data */
3708 for (i=0; i < rmd->ctr.ctr1.count; i++) {
3711 for (j=0; j < ni; j++) {
3714 if (rmd->ctr.ctr1.array[i].attid != nmd.ctr.ctr1.array[j].attid) {
3718 if (ar->objs->dsdb_repl_flags & DSDB_REPL_FLAG_PRIORITISE_INCOMING) {
3719 /* if we compare equal then do an
3720 update. This is used when a client
3721 asks for a FULL_SYNC, and can be
3722 used to recover a corrupt
3724 cmp = !replmd_replPropertyMetaData1_is_newer(&rmd->ctr.ctr1.array[i],
3725 &nmd.ctr.ctr1.array[j]);
3727 cmp = replmd_replPropertyMetaData1_is_newer(&nmd.ctr.ctr1.array[j],
3728 &rmd->ctr.ctr1.array[i]);
3731 /* replace the entry */
3732 nmd.ctr.ctr1.array[j] = rmd->ctr.ctr1.array[i];
3733 if (ar->seq_num == 0) {
3734 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
3735 if (ret != LDB_SUCCESS) {
3736 return replmd_replicated_request_error(ar, ret);
3739 nmd.ctr.ctr1.array[j].local_usn = ar->seq_num;
3744 if (rmd->ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType) {
3745 DEBUG(3,("Discarding older DRS attribute update to %s on %s from %s\n",
3746 msg->elements[i-removed_attrs].name,
3747 ldb_dn_get_linearized(msg->dn),
3748 GUID_string(ar, &rmd->ctr.ctr1.array[i].originating_invocation_id)));
3751 /* we don't want to apply this change so remove the attribute */
3752 ldb_msg_remove_element(msg, &msg->elements[i-removed_attrs]);
3759 if (found) continue;
3761 nmd.ctr.ctr1.array[ni] = rmd->ctr.ctr1.array[i];
3762 if (ar->seq_num == 0) {
3763 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &ar->seq_num);
3764 if (ret != LDB_SUCCESS) {
3765 return replmd_replicated_request_error(ar, ret);
3768 nmd.ctr.ctr1.array[ni].local_usn = ar->seq_num;
3773 * finally correct the size of the meta_data array
3775 nmd.ctr.ctr1.count = ni;
3778 * the rdn attribute (the alias for the name attribute),
3779 * 'cn' for most objects is the last entry in the meta data array
3782 * sort the new meta data array
3784 ret = replmd_replPropertyMetaDataCtr1_sort(&nmd.ctr.ctr1, ar->schema, msg->dn);
3785 if (ret != LDB_SUCCESS) {
3790 * check if some replicated attributes left, otherwise skip the ldb_modify() call
3792 if (msg->num_elements == 0) {
3793 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: skip replace\n",
3796 ar->index_current++;
3797 return replmd_replicated_apply_next(ar);
3800 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_replicated_apply_merge[%u]: replace %u attributes\n",
3801 ar->index_current, msg->num_elements);
3803 /* create the meta data value */
3804 ndr_err = ndr_push_struct_blob(&nmd_value, msg, &nmd,
3805 (ndr_push_flags_fn_t)ndr_push_replPropertyMetaDataBlob);
3806 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3807 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
3808 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
3812 * when we know that we'll modify the record, add the whenChanged, uSNChanged
3813 * and replPopertyMetaData attributes
3815 ret = ldb_msg_add_string(msg, "whenChanged", ar->objs->objects[ar->index_current].when_changed);
3816 if (ret != LDB_SUCCESS) {
3817 return replmd_replicated_request_error(ar, ret);
3819 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNChanged", ar->seq_num);
3820 if (ret != LDB_SUCCESS) {
3821 return replmd_replicated_request_error(ar, ret);
3823 ret = ldb_msg_add_value(msg, "replPropertyMetaData", &nmd_value, NULL);
3824 if (ret != LDB_SUCCESS) {
3825 return replmd_replicated_request_error(ar, ret);
3828 replmd_ldb_message_sort(msg, ar->schema);
3830 /* we want to replace the old values */
3831 for (i=0; i < msg->num_elements; i++) {
3832 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
3836 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
3837 DEBUG(4, ("DRS replication modify message:\n%s\n", s));
3841 ret = ldb_build_mod_req(&change_req,
3849 LDB_REQ_SET_LOCATION(change_req);
3850 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3852 /* current partition control needed by "repmd_op_callback" */
3853 ret = ldb_request_add_control(change_req,
3854 DSDB_CONTROL_CURRENT_PARTITION_OID,
3856 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
3858 return ldb_next_request(ar->module, change_req);
3861 static int replmd_replicated_apply_search_callback(struct ldb_request *req,
3862 struct ldb_reply *ares)
3864 struct replmd_replicated_request *ar = talloc_get_type(req->context,
3865 struct replmd_replicated_request);
3869 return ldb_module_done(ar->req, NULL, NULL,
3870 LDB_ERR_OPERATIONS_ERROR);
3872 if (ares->error != LDB_SUCCESS &&
3873 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
3874 return ldb_module_done(ar->req, ares->controls,
3875 ares->response, ares->error);
3878 switch (ares->type) {
3879 case LDB_REPLY_ENTRY:
3880 ar->search_msg = talloc_steal(ar, ares->message);
3883 case LDB_REPLY_REFERRAL:
3884 /* we ignore referrals */
3887 case LDB_REPLY_DONE:
3888 if (ar->search_msg != NULL) {
3889 ret = replmd_replicated_apply_merge(ar);
3891 ret = replmd_replicated_apply_add(ar);
3893 if (ret != LDB_SUCCESS) {
3894 return ldb_module_done(ar->req, NULL, NULL, ret);
3902 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar);
3904 static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
3906 struct ldb_context *ldb;
3910 struct ldb_request *search_req;
3911 struct ldb_search_options_control *options;
3913 if (ar->index_current >= ar->objs->num_objects) {
3914 /* done with it, go to next stage */
3915 return replmd_replicated_uptodate_vector(ar);
3918 ldb = ldb_module_get_ctx(ar->module);
3919 ar->search_msg = NULL;
3921 tmp_str = ldb_binary_encode(ar, ar->objs->objects[ar->index_current].guid_value);
3922 if (!tmp_str) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3924 filter = talloc_asprintf(ar, "(objectGUID=%s)", tmp_str);
3925 if (!filter) return replmd_replicated_request_werror(ar, WERR_NOMEM);
3926 talloc_free(tmp_str);
3928 ret = ldb_build_search_req(&search_req,
3937 replmd_replicated_apply_search_callback,
3939 LDB_REQ_SET_LOCATION(search_req);
3941 ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_RECYCLED_OID,
3943 if (ret != LDB_SUCCESS) {
3947 /* we need to cope with cross-partition links, so search for
3948 the GUID over all partitions */
3949 options = talloc(search_req, struct ldb_search_options_control);
3950 if (options == NULL) {
3951 DEBUG(0, (__location__ ": out of memory\n"));
3952 return LDB_ERR_OPERATIONS_ERROR;
3954 options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
3956 ret = ldb_request_add_control(search_req,
3957 LDB_CONTROL_SEARCH_OPTIONS_OID,
3959 if (ret != LDB_SUCCESS) {
3963 return ldb_next_request(ar->module, search_req);
3966 static int replmd_replicated_uptodate_modify_callback(struct ldb_request *req,
3967 struct ldb_reply *ares)
3969 struct ldb_context *ldb;
3970 struct replmd_replicated_request *ar = talloc_get_type(req->context,
3971 struct replmd_replicated_request);
3972 ldb = ldb_module_get_ctx(ar->module);
3975 return ldb_module_done(ar->req, NULL, NULL,
3976 LDB_ERR_OPERATIONS_ERROR);
3978 if (ares->error != LDB_SUCCESS) {
3979 return ldb_module_done(ar->req, ares->controls,
3980 ares->response, ares->error);
3983 if (ares->type != LDB_REPLY_DONE) {
3984 ldb_asprintf_errstring(ldb, "Invalid LDB reply type %d", ares->type);
3985 return ldb_module_done(ar->req, NULL, NULL,
3986 LDB_ERR_OPERATIONS_ERROR);
3991 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
3994 static int replmd_replicated_uptodate_modify(struct replmd_replicated_request *ar)
3996 struct ldb_context *ldb;
3997 struct ldb_request *change_req;
3998 enum ndr_err_code ndr_err;
3999 struct ldb_message *msg;
4000 struct replUpToDateVectorBlob ouv;
4001 const struct ldb_val *ouv_value;
4002 const struct drsuapi_DsReplicaCursor2CtrEx *ruv;
4003 struct replUpToDateVectorBlob nuv;
4004 struct ldb_val nuv_value;
4005 struct ldb_message_element *nuv_el = NULL;
4006 const struct GUID *our_invocation_id;
4007 struct ldb_message_element *orf_el = NULL;
4008 struct repsFromToBlob nrf;
4009 struct ldb_val *nrf_value = NULL;
4010 struct ldb_message_element *nrf_el = NULL;
4014 time_t t = time(NULL);
4017 uint32_t instanceType;
4019 ldb = ldb_module_get_ctx(ar->module);
4020 ruv = ar->objs->uptodateness_vector;
4026 unix_to_nt_time(&now, t);
4028 if (ar->search_msg == NULL) {
4029 /* this happens for a REPL_OBJ call where we are
4030 creating the target object by replicating it. The
4031 subdomain join code does this for the partition DN
4033 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as no target DN\n"));
4034 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4037 instanceType = ldb_msg_find_attr_as_uint(ar->search_msg, "instanceType", 0);
4038 if (! (instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
4039 DEBUG(4,(__location__ ": Skipping UDV and repsFrom update as not NC root: %s\n",
4040 ldb_dn_get_linearized(ar->search_msg->dn)));
4041 return ldb_module_done(ar->req, NULL, NULL, LDB_SUCCESS);
4045 * first create the new replUpToDateVector
4047 ouv_value = ldb_msg_find_ldb_val(ar->search_msg, "replUpToDateVector");
4049 ndr_err = ndr_pull_struct_blob(ouv_value, ar, &ouv,
4050 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
4051 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4052 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4053 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4056 if (ouv.version != 2) {
4057 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4062 * the new uptodateness vector will at least
4063 * contain 1 entry, one for the source_dsa
4065 * plus optional values from our old vector and the one from the source_dsa
4067 nuv.ctr.ctr2.count = 1 + ouv.ctr.ctr2.count;
4068 if (ruv) nuv.ctr.ctr2.count += ruv->count;
4069 nuv.ctr.ctr2.cursors = talloc_array(ar,
4070 struct drsuapi_DsReplicaCursor2,
4071 nuv.ctr.ctr2.count);
4072 if (!nuv.ctr.ctr2.cursors) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4074 /* first copy the old vector */
4075 for (i=0; i < ouv.ctr.ctr2.count; i++) {
4076 nuv.ctr.ctr2.cursors[ni] = ouv.ctr.ctr2.cursors[i];
4080 /* get our invocation_id if we have one already attached to the ldb */
4081 our_invocation_id = samdb_ntds_invocation_id(ldb);
4083 /* merge in the source_dsa vector is available */
4084 for (i=0; (ruv && i < ruv->count); i++) {
4087 if (our_invocation_id &&
4088 GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
4089 our_invocation_id)) {
4093 for (j=0; j < ni; j++) {
4094 if (!GUID_equal(&ruv->cursors[i].source_dsa_invocation_id,
4095 &nuv.ctr.ctr2.cursors[j].source_dsa_invocation_id)) {
4102 * we update only the highest_usn and not the latest_sync_success time,
4103 * because the last success stands for direct replication
4105 if (ruv->cursors[i].highest_usn > nuv.ctr.ctr2.cursors[j].highest_usn) {
4106 nuv.ctr.ctr2.cursors[j].highest_usn = ruv->cursors[i].highest_usn;
4111 if (found) continue;
4113 /* if it's not there yet, add it */
4114 nuv.ctr.ctr2.cursors[ni] = ruv->cursors[i];
4119 * merge in the current highwatermark for the source_dsa
4122 for (j=0; j < ni; j++) {
4123 if (!GUID_equal(&ar->objs->source_dsa->source_dsa_invocation_id,
4124 &nuv.ctr.ctr2.cursors[j].source_dsa_invocation_id)) {
4131 * here we update the highest_usn and last_sync_success time
4132 * because we're directly replicating from the source_dsa
4134 * and use the tmp_highest_usn because this is what we have just applied
4137 nuv.ctr.ctr2.cursors[j].highest_usn = ar->objs->source_dsa->highwatermark.tmp_highest_usn;
4138 nuv.ctr.ctr2.cursors[j].last_sync_success = now;
4143 * here we update the highest_usn and last_sync_success time
4144 * because we're directly replicating from the source_dsa
4146 * and use the tmp_highest_usn because this is what we have just applied
4149 nuv.ctr.ctr2.cursors[ni].source_dsa_invocation_id= ar->objs->source_dsa->source_dsa_invocation_id;
4150 nuv.ctr.ctr2.cursors[ni].highest_usn = ar->objs->source_dsa->highwatermark.tmp_highest_usn;
4151 nuv.ctr.ctr2.cursors[ni].last_sync_success = now;
4156 * finally correct the size of the cursors array
4158 nuv.ctr.ctr2.count = ni;
4163 TYPESAFE_QSORT(nuv.ctr.ctr2.cursors, nuv.ctr.ctr2.count, drsuapi_DsReplicaCursor2_compare);
4166 * create the change ldb_message
4168 msg = ldb_msg_new(ar);
4169 if (!msg) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4170 msg->dn = ar->search_msg->dn;
4172 ndr_err = ndr_push_struct_blob(&nuv_value, msg, &nuv,
4173 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
4174 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4175 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4176 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4178 ret = ldb_msg_add_value(msg, "replUpToDateVector", &nuv_value, &nuv_el);
4179 if (ret != LDB_SUCCESS) {
4180 return replmd_replicated_request_error(ar, ret);
4182 nuv_el->flags = LDB_FLAG_MOD_REPLACE;
4185 * now create the new repsFrom value from the given repsFromTo1 structure
4189 nrf.ctr.ctr1 = *ar->objs->source_dsa;
4190 nrf.ctr.ctr1.highwatermark.highest_usn = nrf.ctr.ctr1.highwatermark.tmp_highest_usn;
4193 * first see if we already have a repsFrom value for the current source dsa
4194 * if so we'll later replace this value
4196 orf_el = ldb_msg_find_element(ar->search_msg, "repsFrom");
4198 for (i=0; i < orf_el->num_values; i++) {
4199 struct repsFromToBlob *trf;
4201 trf = talloc(ar, struct repsFromToBlob);
4202 if (!trf) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4204 ndr_err = ndr_pull_struct_blob(&orf_el->values[i], trf, trf,
4205 (ndr_pull_flags_fn_t)ndr_pull_repsFromToBlob);
4206 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4207 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4208 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4211 if (trf->version != 1) {
4212 return replmd_replicated_request_werror(ar, WERR_DS_DRA_INTERNAL_ERROR);
4216 * we compare the source dsa objectGUID not the invocation_id
4217 * because we want only one repsFrom value per source dsa
4218 * and when the invocation_id of the source dsa has changed we don't need
4219 * the old repsFrom with the old invocation_id
4221 if (!GUID_equal(&trf->ctr.ctr1.source_dsa_obj_guid,
4222 &ar->objs->source_dsa->source_dsa_obj_guid)) {
4228 nrf_value = &orf_el->values[i];
4233 * copy over all old values to the new ldb_message
4235 ret = ldb_msg_add_empty(msg, "repsFrom", 0, &nrf_el);
4236 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4241 * if we haven't found an old repsFrom value for the current source dsa
4242 * we'll add a new value
4245 struct ldb_val zero_value;
4246 ZERO_STRUCT(zero_value);
4247 ret = ldb_msg_add_value(msg, "repsFrom", &zero_value, &nrf_el);
4248 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4250 nrf_value = &nrf_el->values[nrf_el->num_values - 1];
4253 /* we now fill the value which is already attached to ldb_message */
4254 ndr_err = ndr_push_struct_blob(nrf_value, msg,
4256 (ndr_push_flags_fn_t)ndr_push_repsFromToBlob);
4257 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
4258 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
4259 return replmd_replicated_request_werror(ar, ntstatus_to_werror(nt_status));
4263 * the ldb_message_element for the attribute, has all the old values and the new one
4264 * so we'll replace the whole attribute with all values
4266 nrf_el->flags = LDB_FLAG_MOD_REPLACE;
4268 if (CHECK_DEBUGLVL(4)) {
4269 char *s = ldb_ldif_message_string(ldb, ar, LDB_CHANGETYPE_MODIFY, msg);
4270 DEBUG(4, ("DRS replication uptodate modify message:\n%s\n", s));
4274 /* prepare the ldb_modify() request */
4275 ret = ldb_build_mod_req(&change_req,
4281 replmd_replicated_uptodate_modify_callback,
4283 LDB_REQ_SET_LOCATION(change_req);
4284 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4286 return ldb_next_request(ar->module, change_req);
4289 static int replmd_replicated_uptodate_search_callback(struct ldb_request *req,
4290 struct ldb_reply *ares)
4292 struct replmd_replicated_request *ar = talloc_get_type(req->context,
4293 struct replmd_replicated_request);
4297 return ldb_module_done(ar->req, NULL, NULL,
4298 LDB_ERR_OPERATIONS_ERROR);
4300 if (ares->error != LDB_SUCCESS &&
4301 ares->error != LDB_ERR_NO_SUCH_OBJECT) {
4302 return ldb_module_done(ar->req, ares->controls,
4303 ares->response, ares->error);
4306 switch (ares->type) {
4307 case LDB_REPLY_ENTRY:
4308 ar->search_msg = talloc_steal(ar, ares->message);
4311 case LDB_REPLY_REFERRAL:
4312 /* we ignore referrals */
4315 case LDB_REPLY_DONE:
4316 ret = replmd_replicated_uptodate_modify(ar);
4317 if (ret != LDB_SUCCESS) {
4318 return ldb_module_done(ar->req, NULL, NULL, ret);
4327 static int replmd_replicated_uptodate_vector(struct replmd_replicated_request *ar)
4329 struct ldb_context *ldb;
4331 static const char *attrs[] = {
4332 "replUpToDateVector",
4337 struct ldb_request *search_req;
4339 ldb = ldb_module_get_ctx(ar->module);
4340 ar->search_msg = NULL;
4342 ret = ldb_build_search_req(&search_req,
4345 ar->objs->partition_dn,
4351 replmd_replicated_uptodate_search_callback,
4353 LDB_REQ_SET_LOCATION(search_req);
4354 if (ret != LDB_SUCCESS) return replmd_replicated_request_error(ar, ret);
4356 return ldb_next_request(ar->module, search_req);
4361 static int replmd_extended_replicated_objects(struct ldb_module *module, struct ldb_request *req)
4363 struct ldb_context *ldb;
4364 struct dsdb_extended_replicated_objects *objs;
4365 struct replmd_replicated_request *ar;
4366 struct ldb_control **ctrls;
4369 struct replmd_private *replmd_private =
4370 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
4371 struct dsdb_control_replicated_update *rep_update;
4373 ldb = ldb_module_get_ctx(module);
4375 ldb_debug(ldb, LDB_DEBUG_TRACE, "replmd_extended_replicated_objects\n");
4377 objs = talloc_get_type(req->op.extended.data, struct dsdb_extended_replicated_objects);
4379 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: invalid extended data\n");
4380 return LDB_ERR_PROTOCOL_ERROR;
4383 if (objs->version != DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION) {
4384 ldb_debug(ldb, LDB_DEBUG_FATAL, "replmd_extended_replicated_objects: extended data invalid version [%u != %u]\n",
4385 objs->version, DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION);
4386 return LDB_ERR_PROTOCOL_ERROR;
4389 ar = replmd_ctx_init(module, req);
4391 return LDB_ERR_OPERATIONS_ERROR;
4393 /* Set the flags to have the replmd_op_callback run over the full set of objects */
4394 ar->apply_mode = true;
4396 ar->schema = dsdb_get_schema(ldb, ar);
4398 ldb_debug_set(ldb, LDB_DEBUG_FATAL, "replmd_ctx_init: no loaded schema found\n");
4400 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
4401 return LDB_ERR_CONSTRAINT_VIOLATION;
4404 ctrls = req->controls;
4406 if (req->controls) {
4407 req->controls = talloc_memdup(ar, req->controls,
4408 talloc_get_size(req->controls));
4409 if (!req->controls) return replmd_replicated_request_werror(ar, WERR_NOMEM);
4412 /* This allows layers further down to know if a change came in
4413 over replication and what the replication flags were */
4414 rep_update = talloc_zero(ar, struct dsdb_control_replicated_update);
4415 if (rep_update == NULL) {
4416 return ldb_module_oom(module);
4418 rep_update->dsdb_repl_flags = objs->dsdb_repl_flags;
4420 ret = ldb_request_add_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID, false, rep_update);
4421 if (ret != LDB_SUCCESS) {
4425 /* If this change contained linked attributes in the body
4426 * (rather than in the links section) we need to update
4427 * backlinks in linked_attributes */
4428 ret = ldb_request_add_control(req, DSDB_CONTROL_APPLY_LINKS, false, NULL);
4429 if (ret != LDB_SUCCESS) {
4433 ar->controls = req->controls;
4434 req->controls = ctrls;
4436 DEBUG(4,("linked_attributes_count=%u\n", objs->linked_attributes_count));
4438 /* save away the linked attributes for the end of the
4440 for (i=0; i<ar->objs->linked_attributes_count; i++) {
4441 struct la_entry *la_entry;
4443 if (replmd_private->la_ctx == NULL) {
4444 replmd_private->la_ctx = talloc_new(replmd_private);
4446 la_entry = talloc(replmd_private->la_ctx, struct la_entry);
4447 if (la_entry == NULL) {
4449 return LDB_ERR_OPERATIONS_ERROR;
4451 la_entry->la = talloc(la_entry, struct drsuapi_DsReplicaLinkedAttribute);
4452 if (la_entry->la == NULL) {
4453 talloc_free(la_entry);
4455 return LDB_ERR_OPERATIONS_ERROR;
4457 *la_entry->la = ar->objs->linked_attributes[i];
4459 /* we need to steal the non-scalars so they stay
4460 around until the end of the transaction */
4461 talloc_steal(la_entry->la, la_entry->la->identifier);
4462 talloc_steal(la_entry->la, la_entry->la->value.blob);
4464 DLIST_ADD(replmd_private->la_list, la_entry);
4467 return replmd_replicated_apply_next(ar);
4471 process one linked attribute structure
4473 static int replmd_process_linked_attribute(struct ldb_module *module,
4474 struct la_entry *la_entry,
4475 struct ldb_request *parent)
4477 struct drsuapi_DsReplicaLinkedAttribute *la = la_entry->la;
4478 struct ldb_context *ldb = ldb_module_get_ctx(module);
4479 struct ldb_message *msg;
4480 TALLOC_CTX *tmp_ctx = talloc_new(la_entry);
4481 const struct dsdb_schema *schema = dsdb_get_schema(ldb, tmp_ctx);
4483 const struct dsdb_attribute *attr;
4484 struct dsdb_dn *dsdb_dn;
4485 uint64_t seq_num = 0;
4486 struct ldb_message_element *old_el;
4488 time_t t = time(NULL);
4489 struct ldb_result *res;
4490 const char *attrs[2];
4491 struct parsed_dn *pdn_list, *pdn;
4492 struct GUID guid = GUID_zero();
4494 bool active = (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?true:false;
4495 const struct GUID *our_invocation_id;
4498 linked_attributes[0]:
4499 &objs->linked_attributes[i]: struct drsuapi_DsReplicaLinkedAttribute
4501 identifier: struct drsuapi_DsReplicaObjectIdentifier
4502 __ndr_size : 0x0000003a (58)
4503 __ndr_size_sid : 0x00000000 (0)
4504 guid : 8e95b6a9-13dd-4158-89db-3220a5be5cc7
4506 __ndr_size_dn : 0x00000000 (0)
4508 attid : DRSUAPI_ATTID_member (0x1F)
4509 value: struct drsuapi_DsAttributeValue
4510 __ndr_size : 0x0000007e (126)
4512 blob : DATA_BLOB length=126
4513 flags : 0x00000001 (1)
4514 1: DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
4515 originating_add_time : Wed Sep 2 22:20:01 2009 EST
4516 meta_data: struct drsuapi_DsReplicaMetaData
4517 version : 0x00000015 (21)
4518 originating_change_time : Wed Sep 2 23:39:07 2009 EST
4519 originating_invocation_id: 794640f3-18cf-40ee-a211-a93992b67a64
4520 originating_usn : 0x000000000001e19c (123292)
4522 (for cases where the link is to a normal DN)
4523 &target: struct drsuapi_DsReplicaObjectIdentifier3
4524 __ndr_size : 0x0000007e (126)
4525 __ndr_size_sid : 0x0000001c (28)
4526 guid : 7639e594-db75-4086-b0d4-67890ae46031
4527 sid : S-1-5-21-2848215498-2472035911-1947525656-19924
4528 __ndr_size_dn : 0x00000022 (34)
4529 dn : 'CN=UOne,OU=TestOU,DC=vsofs8,DC=com'
4532 /* find the attribute being modified */
4533 attr = dsdb_attribute_by_attributeID_id(schema, la->attid);
4535 DEBUG(0, (__location__ ": Unable to find attributeID 0x%x\n", la->attid));
4536 talloc_free(tmp_ctx);
4537 return LDB_ERR_OPERATIONS_ERROR;
4540 attrs[0] = attr->lDAPDisplayName;
4543 /* get the existing message from the db for the object with
4544 this GUID, returning attribute being modified. We will then
4545 use this msg as the basis for a modify call */
4546 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, attrs,
4547 DSDB_FLAG_NEXT_MODULE |
4548 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
4549 DSDB_SEARCH_SHOW_RECYCLED |
4550 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
4551 DSDB_SEARCH_REVEAL_INTERNALS,
4553 "objectGUID=%s", GUID_string(tmp_ctx, &la->identifier->guid));
4554 if (ret != LDB_SUCCESS) {
4555 talloc_free(tmp_ctx);
4558 if (res->count != 1) {
4559 ldb_asprintf_errstring(ldb, "DRS linked attribute for GUID %s - DN not found",
4560 GUID_string(tmp_ctx, &la->identifier->guid));
4561 talloc_free(tmp_ctx);
4562 return LDB_ERR_NO_SUCH_OBJECT;
4566 if (msg->num_elements == 0) {
4567 ret = ldb_msg_add_empty(msg, attr->lDAPDisplayName, LDB_FLAG_MOD_REPLACE, &old_el);
4568 if (ret != LDB_SUCCESS) {
4569 ldb_module_oom(module);
4570 talloc_free(tmp_ctx);
4571 return LDB_ERR_OPERATIONS_ERROR;
4574 old_el = &msg->elements[0];
4575 old_el->flags = LDB_FLAG_MOD_REPLACE;
4578 /* parse the existing links */
4579 ret = get_parsed_dns(module, tmp_ctx, old_el, &pdn_list, attr->syntax->ldap_oid, parent);
4580 if (ret != LDB_SUCCESS) {
4581 talloc_free(tmp_ctx);
4585 /* get our invocationId */
4586 our_invocation_id = samdb_ntds_invocation_id(ldb);
4587 if (!our_invocation_id) {
4588 ldb_debug_set(ldb, LDB_DEBUG_ERROR, __location__ ": unable to find invocationId\n");
4589 talloc_free(tmp_ctx);
4590 return LDB_ERR_OPERATIONS_ERROR;
4593 ret = replmd_check_upgrade_links(pdn_list, old_el->num_values, old_el, our_invocation_id);
4594 if (ret != LDB_SUCCESS) {
4595 talloc_free(tmp_ctx);
4599 status = dsdb_dn_la_from_blob(ldb, attr, schema, tmp_ctx, la->value.blob, &dsdb_dn);
4600 if (!W_ERROR_IS_OK(status)) {
4601 ldb_asprintf_errstring(ldb, "Failed to parsed linked attribute blob for %s on %s - %s\n",
4602 old_el->name, ldb_dn_get_linearized(msg->dn), win_errstr(status));
4603 return LDB_ERR_OPERATIONS_ERROR;
4606 ntstatus = dsdb_get_extended_dn_guid(dsdb_dn->dn, &guid, "GUID");
4607 if (!NT_STATUS_IS_OK(ntstatus) && active) {
4608 ldb_asprintf_errstring(ldb, "Failed to find GUID in linked attribute blob for %s on %s from %s",
4610 ldb_dn_get_linearized(dsdb_dn->dn),
4611 ldb_dn_get_linearized(msg->dn));
4612 return LDB_ERR_OPERATIONS_ERROR;
4615 /* re-resolve the DN by GUID, as the DRS server may give us an
4617 ret = dsdb_module_dn_by_guid(module, dsdb_dn, &guid, &dsdb_dn->dn, parent);
4618 if (ret != LDB_SUCCESS) {
4619 DEBUG(2,(__location__ ": WARNING: Failed to re-resolve GUID %s - using %s\n",
4620 GUID_string(tmp_ctx, &guid),
4621 ldb_dn_get_linearized(dsdb_dn->dn)));
4624 /* see if this link already exists */
4625 pdn = parsed_dn_find(pdn_list, old_el->num_values, &guid, dsdb_dn->dn);
4627 /* see if this update is newer than what we have already */
4628 struct GUID invocation_id = GUID_zero();
4629 uint32_t version = 0;
4630 uint32_t originating_usn = 0;
4631 NTTIME change_time = 0;
4632 uint32_t rmd_flags = dsdb_dn_rmd_flags(pdn->dsdb_dn->dn);
4634 dsdb_get_extended_dn_guid(pdn->dsdb_dn->dn, &invocation_id, "RMD_INVOCID");
4635 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &version, "RMD_VERSION");
4636 dsdb_get_extended_dn_uint32(pdn->dsdb_dn->dn, &originating_usn, "RMD_ORIGINATING_USN");
4637 dsdb_get_extended_dn_nttime(pdn->dsdb_dn->dn, &change_time, "RMD_CHANGETIME");
4639 if (!replmd_update_is_newer(&invocation_id,
4640 &la->meta_data.originating_invocation_id,
4642 la->meta_data.version,
4644 la->meta_data.originating_change_time)) {
4645 DEBUG(3,("Discarding older DRS linked attribute update to %s on %s from %s\n",
4646 old_el->name, ldb_dn_get_linearized(msg->dn),
4647 GUID_string(tmp_ctx, &la->meta_data.originating_invocation_id)));
4648 talloc_free(tmp_ctx);
4652 /* get a seq_num for this change */
4653 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
4654 if (ret != LDB_SUCCESS) {
4655 talloc_free(tmp_ctx);
4659 if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
4660 /* remove the existing backlink */
4661 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, false, attr, false);
4662 if (ret != LDB_SUCCESS) {
4663 talloc_free(tmp_ctx);
4668 ret = replmd_update_la_val(tmp_ctx, pdn->v, dsdb_dn, pdn->dsdb_dn,
4669 &la->meta_data.originating_invocation_id,
4670 la->meta_data.originating_usn, seq_num,
4671 la->meta_data.originating_change_time,
4672 la->meta_data.version,
4674 if (ret != LDB_SUCCESS) {
4675 talloc_free(tmp_ctx);
4680 /* add the new backlink */
4681 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid, true, attr, false);
4682 if (ret != LDB_SUCCESS) {
4683 talloc_free(tmp_ctx);
4688 /* get a seq_num for this change */
4689 ret = ldb_sequence_number(ldb, LDB_SEQ_NEXT, &seq_num);
4690 if (ret != LDB_SUCCESS) {
4691 talloc_free(tmp_ctx);
4695 old_el->values = talloc_realloc(msg->elements, old_el->values,
4696 struct ldb_val, old_el->num_values+1);
4697 if (!old_el->values) {
4698 ldb_module_oom(module);
4699 return LDB_ERR_OPERATIONS_ERROR;
4701 old_el->num_values++;
4703 ret = replmd_build_la_val(tmp_ctx, &old_el->values[old_el->num_values-1], dsdb_dn,
4704 &la->meta_data.originating_invocation_id,
4705 la->meta_data.originating_usn, seq_num,
4706 la->meta_data.originating_change_time,
4707 la->meta_data.version,
4708 (la->flags & DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE)?false:true);
4709 if (ret != LDB_SUCCESS) {
4710 talloc_free(tmp_ctx);
4715 ret = replmd_add_backlink(module, schema, &la->identifier->guid, &guid,
4717 if (ret != LDB_SUCCESS) {
4718 talloc_free(tmp_ctx);
4724 /* we only change whenChanged and uSNChanged if the seq_num
4726 ret = add_time_element(msg, "whenChanged", t);
4727 if (ret != LDB_SUCCESS) {
4728 talloc_free(tmp_ctx);
4733 ret = add_uint64_element(ldb, msg, "uSNChanged", seq_num);
4734 if (ret != LDB_SUCCESS) {
4735 talloc_free(tmp_ctx);
4740 old_el = ldb_msg_find_element(msg, attr->lDAPDisplayName);
4741 if (old_el == NULL) {
4742 talloc_free(tmp_ctx);
4743 return ldb_operr(ldb);
4746 ret = dsdb_check_single_valued_link(attr, old_el);
4747 if (ret != LDB_SUCCESS) {
4748 talloc_free(tmp_ctx);
4752 old_el->flags |= LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK;
4754 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
4755 if (ret != LDB_SUCCESS) {
4756 ldb_debug(ldb, LDB_DEBUG_WARNING, "Failed to apply linked attribute change '%s'\n%s\n",
4758 ldb_ldif_message_string(ldb, tmp_ctx, LDB_CHANGETYPE_MODIFY, msg));
4759 talloc_free(tmp_ctx);
4763 talloc_free(tmp_ctx);
4768 static int replmd_extended(struct ldb_module *module, struct ldb_request *req)
4770 if (strcmp(req->op.extended.oid, DSDB_EXTENDED_REPLICATED_OBJECTS_OID) == 0) {
4771 return replmd_extended_replicated_objects(module, req);
4774 return ldb_next_request(module, req);
4779 we hook into the transaction operations to allow us to
4780 perform the linked attribute updates at the end of the whole
4781 transaction. This allows a forward linked attribute to be created
4782 before the object is created. During a vampire, w2k8 sends us linked
4783 attributes before the objects they are part of.
4785 static int replmd_start_transaction(struct ldb_module *module)
4787 /* create our private structure for this transaction */
4788 struct replmd_private *replmd_private = talloc_get_type(ldb_module_get_private(module),
4789 struct replmd_private);
4790 replmd_txn_cleanup(replmd_private);
4792 /* free any leftover mod_usn records from cancelled
4794 while (replmd_private->ncs) {
4795 struct nc_entry *e = replmd_private->ncs;
4796 DLIST_REMOVE(replmd_private->ncs, e);
4800 return ldb_next_start_trans(module);
4804 on prepare commit we loop over our queued la_context structures and
4807 static int replmd_prepare_commit(struct ldb_module *module)
4809 struct replmd_private *replmd_private =
4810 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
4811 struct la_entry *la, *prev;
4812 struct la_backlink *bl;
4815 /* walk the list backwards, to do the first entry first, as we
4816 * added the entries with DLIST_ADD() which puts them at the
4817 * start of the list */
4818 for (la = DLIST_TAIL(replmd_private->la_list); la; la=prev) {
4819 prev = DLIST_PREV(la);
4820 DLIST_REMOVE(replmd_private->la_list, la);
4821 ret = replmd_process_linked_attribute(module, la, NULL);
4822 if (ret != LDB_SUCCESS) {
4823 replmd_txn_cleanup(replmd_private);
4828 /* process our backlink list, creating and deleting backlinks
4830 for (bl=replmd_private->la_backlinks; bl; bl=bl->next) {
4831 ret = replmd_process_backlink(module, bl, NULL);
4832 if (ret != LDB_SUCCESS) {
4833 replmd_txn_cleanup(replmd_private);
4838 replmd_txn_cleanup(replmd_private);
4840 /* possibly change @REPLCHANGED */
4841 ret = replmd_notify_store(module, NULL);
4842 if (ret != LDB_SUCCESS) {
4846 return ldb_next_prepare_commit(module);
4849 static int replmd_del_transaction(struct ldb_module *module)
4851 struct replmd_private *replmd_private =
4852 talloc_get_type(ldb_module_get_private(module), struct replmd_private);
4853 replmd_txn_cleanup(replmd_private);
4855 return ldb_next_del_trans(module);
4859 static const struct ldb_module_ops ldb_repl_meta_data_module_ops = {
4860 .name = "repl_meta_data",
4861 .init_context = replmd_init,
4863 .modify = replmd_modify,
4864 .rename = replmd_rename,
4865 .del = replmd_delete,
4866 .extended = replmd_extended,
4867 .start_transaction = replmd_start_transaction,
4868 .prepare_commit = replmd_prepare_commit,
4869 .del_transaction = replmd_del_transaction,
4872 int ldb_repl_meta_data_module_init(const char *version)
4874 LDB_MODULE_CHECK_VERSION(version);
4875 return ldb_register_module(&ldb_repl_meta_data_module_ops);
git.samba.org / kai / samba-autobuild / .git / blob