#include "includes.h"
#include "ldap_server/ldap_server.h"
#include "../lib/util/dlinklist.h"
-#include "libcli/ldap/ldap.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+#include "auth/common_auth.h"
#include "param/param.h"
#include "smbd/service_stream.h"
#include "dsdb/samdb/samdb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/ldb_wrap.h"
-
-#define VALID_DN_SYNTAX(dn) do {\
- if (!(dn)) {\
- return NT_STATUS_NO_MEMORY;\
- } else if ( ! ldb_dn_validate(dn)) {\
- result = LDAP_INVALID_DN_SYNTAX;\
- map_ldb_error(local_ctx, LDB_ERR_INVALID_DN_SYNTAX, &errstr);\
- goto reply;\
- }\
-} while(0)
+#include <ldb_errors.h>
+#include <ldb_module.h>
+#include "ldb_wrap.h"
static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
- const char **errstring)
+ const char *add_err_string, const char **errstring)
{
WERROR err;
+ /* Certain LDB modules need to return very special WERROR codes. Proof
+ * for them here and if they exist skip the rest of the mapping. */
+ if (add_err_string != NULL) {
+ char *endptr;
+ strtol(add_err_string, &endptr, 16);
+ if (endptr != add_err_string) {
+ *errstring = add_err_string;
+ return ldb_err;
+ }
+ }
+
+ /* Otherwise we calculate here a generic, but appropriate WERROR. */
+
switch (ldb_err) {
case LDB_SUCCESS:
err = WERR_OK;
err = WERR_DS_TIMELIMIT_EXCEEDED;
break;
case LDB_ERR_SIZE_LIMIT_EXCEEDED:
- err = WERR_DS_SIZE_LIMIT_EXCEEDED;
+ err = WERR_DS_SIZELIMIT_EXCEEDED;
break;
case LDB_ERR_COMPARE_FALSE:
err = WERR_DS_COMPARE_FALSE;
break;
}
- *errstring = talloc_asprintf(mem_ctx, "%08x: %s", W_ERROR_V(err),
- ldb_strerror(ldb_err));
-
+ *errstring = talloc_asprintf(mem_ctx, "%08X: %s", W_ERROR_V(err),
+ add_err_string != NULL ? add_err_string : ldb_strerror(ldb_err));
+
/* result is 1:1 for now */
return ldb_err;
}
*/
NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
{
- conn->ldb = ldb_wrap_connect(conn,
+ conn->ldb = samdb_connect(conn,
conn->connection->event.ctx,
conn->lp_ctx,
- lp_sam_url(conn->lp_ctx),
conn->session_info,
- samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx),
- conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+ conn->global_catalog ? LDB_FLG_RDONLY : 0);
if (conn->ldb == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (conn->server_credentials) {
char **sasl_mechs = NULL;
- struct gensec_security_ops **backends = gensec_security_all();
- struct gensec_security_ops **ops
+ const struct gensec_security_ops * const *backends = gensec_security_all();
+ const struct gensec_security_ops **ops
= gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
- int i, j = 0;
+ unsigned int i, j = 0;
for (i = 0; ops && ops[i]; i++) {
- if (!lp_parm_bool(conn->lp_ctx, NULL, "gensec", ops[i]->name, ops[i]->enabled))
+ if (!lpcfg_parm_bool(conn->lp_ctx, NULL, "gensec", ops[i]->name, ops[i]->enabled))
continue;
if (ops[i]->sasl_name && ops[i]->server_start) {
}
}
talloc_unlink(conn, ops);
- ldb_set_opaque(conn->ldb, "supportedSASLMechanims", sasl_mechs);
+
+ /* ldb can have a different lifetime to conn, so we
+ need to ensure that sasl_mechs lives as long as the
+ ldb does */
+ talloc_steal(conn->ldb, sasl_mechs);
+
+ ldb_set_opaque(conn->ldb, "supportedSASLMechanisms", sasl_mechs);
}
+ ldb_set_opaque(conn->ldb, "remoteAddress",
+ conn->connection->remote_address);
+
return NT_STATUS_OK;
}
void ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
{
- DLIST_ADD_END(call->replies, reply, struct ldapsrv_reply *);
+ DLIST_ADD_END(call->replies, reply);
}
static NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
return NT_STATUS_OK;
}
+static int ldapsrv_add_with_controls(struct ldapsrv_call *call,
+ const struct ldb_message *message,
+ struct ldb_control **controls,
+ struct ldb_result *res)
+{
+ struct ldb_context *ldb = call->conn->ldb;
+ struct ldb_request *req;
+ int ret;
+
+ ret = ldb_msg_sanity_check(ldb, message);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_build_add_req(&req, ldb, ldb,
+ message,
+ controls,
+ res,
+ ldb_modify_default_callback,
+ NULL);
+
+ if (ret != LDB_SUCCESS) return ret;
+
+ if (call->conn->global_catalog) {
+ return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
+ }
+ ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (!call->conn->is_privileged) {
+ ldb_req_mark_untrusted(req);
+ }
+
+ LDB_REQ_SET_LOCATION(req);
+
+ ret = ldb_request(ldb, req);
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+ }
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_transaction_commit(ldb);
+ }
+ else {
+ ldb_transaction_cancel(ldb);
+ }
+
+ talloc_free(req);
+ return ret;
+}
+
+/* create and execute a modify request */
+static int ldapsrv_mod_with_controls(struct ldapsrv_call *call,
+ const struct ldb_message *message,
+ struct ldb_control **controls,
+ struct ldb_result *res)
+{
+ struct ldb_context *ldb = call->conn->ldb;
+ struct ldb_request *req;
+ int ret;
+
+ ret = ldb_msg_sanity_check(ldb, message);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_build_mod_req(&req, ldb, ldb,
+ message,
+ controls,
+ res,
+ ldb_modify_default_callback,
+ NULL);
+
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (call->conn->global_catalog) {
+ return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
+ }
+ ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (!call->conn->is_privileged) {
+ ldb_req_mark_untrusted(req);
+ }
+
+ LDB_REQ_SET_LOCATION(req);
+
+ ret = ldb_request(ldb, req);
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+ }
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_transaction_commit(ldb);
+ }
+ else {
+ ldb_transaction_cancel(ldb);
+ }
+
+ talloc_free(req);
+ return ret;
+}
+
+/* create and execute a delete request */
+static int ldapsrv_del_with_controls(struct ldapsrv_call *call,
+ struct ldb_dn *dn,
+ struct ldb_control **controls,
+ struct ldb_result *res)
+{
+ struct ldb_context *ldb = call->conn->ldb;
+ struct ldb_request *req;
+ int ret;
+
+ ret = ldb_build_del_req(&req, ldb, ldb,
+ dn,
+ controls,
+ res,
+ ldb_modify_default_callback,
+ NULL);
+
+ if (ret != LDB_SUCCESS) return ret;
+
+ if (call->conn->global_catalog) {
+ return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
+ }
+ ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (!call->conn->is_privileged) {
+ ldb_req_mark_untrusted(req);
+ }
+
+ LDB_REQ_SET_LOCATION(req);
+
+ ret = ldb_request(ldb, req);
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+ }
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_transaction_commit(ldb);
+ }
+ else {
+ ldb_transaction_cancel(ldb);
+ }
+
+ talloc_free(req);
+ return ret;
+}
+
+static int ldapsrv_rename_with_controls(struct ldapsrv_call *call,
+ struct ldb_dn *olddn,
+ struct ldb_dn *newdn,
+ struct ldb_control **controls,
+ struct ldb_result *res)
+{
+ struct ldb_context *ldb = call->conn->ldb;
+ struct ldb_request *req;
+ int ret;
+
+ ret = ldb_build_rename_req(&req, ldb, ldb,
+ olddn,
+ newdn,
+ controls,
+ res,
+ ldb_modify_default_callback,
+ NULL);
+
+ if (ret != LDB_SUCCESS) return ret;
+
+ if (call->conn->global_catalog) {
+ return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM, "modify forbidden on global catalog port");
+ }
+ ldb_request_add_control(req, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (!call->conn->is_privileged) {
+ ldb_req_mark_untrusted(req);
+ }
+
+ LDB_REQ_SET_LOCATION(req);
+
+ ret = ldb_request(ldb, req);
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+ }
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_transaction_commit(ldb);
+ }
+ else {
+ ldb_transaction_cancel(ldb);
+ }
+
+ talloc_free(req);
+ return ret;
+}
+
static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
{
struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
struct ldb_search_options_control *search_options;
struct ldb_control *extended_dn_control;
struct ldb_extended_dn_control *extended_dn_decoded = NULL;
+ struct ldb_control *notification_control = NULL;
enum ldb_scope scope = LDB_SCOPE_DEFAULT;
const char **attrs = NULL;
const char *scope_str, *errstr = NULL;
int success_limit = 1;
int result = -1;
int ldb_ret = -1;
- int i, j;
+ unsigned int i, j;
int extended_type = 1;
DEBUG(10, ("SearchRequest"));
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
basedn = ldb_dn_new(local_ctx, samdb, req->basedn);
- VALID_DN_SYNTAX(basedn);
+ NT_STATUS_HAVE_NO_MEMORY(basedn);
DEBUG(10, ("SearchRequest: basedn: [%s]\n", req->basedn));
DEBUG(10, ("SearchRequest: filter: [%s]\n", ldb_filter_from_tree(call, req->tree)));
break;
default:
result = LDAP_PROTOCOL_ERROR;
- map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR,
+ map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
&errstr);
errstr = talloc_asprintf(local_ctx,
"%s. Invalid scope", errstr);
search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
ldb_request_add_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
}
+ } else {
+ ldb_request_add_control(lreq, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);
}
extended_dn_control = ldb_request_get_control(lreq, LDB_CONTROL_EXTENDED_DN_OID);
}
}
+ notification_control = ldb_request_get_control(lreq, LDB_CONTROL_NOTIFICATION_OID);
+ if (notification_control != NULL) {
+ const struct ldapsrv_call *pc = NULL;
+ size_t count = 0;
+
+ for (pc = call->conn->pending_calls; pc != NULL; pc = pc->next) {
+ count += 1;
+ }
+
+ if (count >= call->conn->limits.max_notifications) {
+ DEBUG(10,("SearchRequest: error MaxNotificationPerConn\n"));
+ result = map_ldb_error(local_ctx,
+ LDB_ERR_ADMIN_LIMIT_EXCEEDED,
+ "MaxNotificationPerConn reached",
+ &errstr);
+ goto reply;
+ }
+
+ /*
+ * For now we need to do periodic retries on our own.
+ * As the dsdb_notification module will return after each run.
+ */
+ call->notification.busy = true;
+ }
+
ldb_set_timeout(samdb, lreq, req->timelimit);
+ if (!call->conn->is_privileged) {
+ ldb_req_mark_untrusted(lreq);
+ }
+
+ LDB_REQ_SET_LOCATION(lreq);
+
ldb_ret = ldb_request(samdb, lreq);
if (ldb_ret != LDB_SUCCESS) {
queue_reply:
ldapsrv_queue_reply(call, ent_r);
}
+
+ if (call->notification.busy) {
+ /* Move/Add it to the end */
+ DLIST_DEMOTE(call->conn->pending_calls, call);
+ call->notification.generation =
+ call->conn->service->notification.generation;
+
+ if (res->count != 0) {
+ call->notification.generation += 1;
+ ldapsrv_notification_retry_setup(call->conn->service,
+ true);
+ }
+
+ talloc_free(local_ctx);
+ return NT_STATUS_OK;
+ }
+
+ /* Send back referrals if they do exist (search operations) */
+ if (res->refs != NULL) {
+ char **ref;
+ struct ldap_SearchResRef *ent_ref;
+
+ for (ref = res->refs; *ref != NULL; ++ref) {
+ ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultReference);
+ NT_STATUS_HAVE_NO_MEMORY(ent_r);
+
+ /* Better to have the whole referrals kept here,
+ * than to find someone further up didn't put
+ * a value in the right spot in the talloc tree
+ */
+ talloc_steal(ent_r, *ref);
+
+ ent_ref = &ent_r->msg->r.SearchResultReference;
+ ent_ref->referral = *ref;
+
+ ldapsrv_queue_reply(call, ent_r);
+ }
+ }
}
reply:
+ DLIST_REMOVE(call->conn->pending_calls, call);
+ call->notification.busy = false;
+
done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
NT_STATUS_HAVE_NO_MEMORY(done_r);
}
} else {
DEBUG(10,("SearchRequest: error\n"));
- result = map_ldb_error(local_ctx, ldb_ret, &errstr);
+ result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
+ &errstr);
}
done->resultcode = result;
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
- int i,j;
+ unsigned int i,j;
+ struct ldb_result *res = NULL;
DEBUG(10, ("ModifyRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
+ DEBUGADD(10, (" dn: %s\n", req->dn));
local_ctx = talloc_named(call, 0, "ModifyRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn);
+ NT_STATUS_HAVE_NO_MEMORY(dn);
DEBUG(10, ("ModifyRequest: dn: [%s]\n", req->dn));
default:
result = LDAP_PROTOCOL_ERROR;
map_ldb_error(local_ctx,
- LDB_ERR_PROTOCOL_ERROR, &errstr);
+ LDB_ERR_PROTOCOL_ERROR, NULL, &errstr);
errstr = talloc_asprintf(local_ctx,
"%s. Invalid LDAP_MODIFY_* type", errstr);
goto reply;
NT_STATUS_HAVE_NO_MEMORY(modify_reply);
if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_modify(samdb, msg);
- result = map_ldb_error(local_ctx, ldb_ret, &errstr);
+ res = talloc_zero(local_ctx, struct ldb_result);
+ NT_STATUS_HAVE_NO_MEMORY(res);
+ ldb_ret = ldapsrv_mod_with_controls(call, msg, call->request->controls, res);
+ result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
+ &errstr);
}
- modify_result = &modify_reply->msg->r.AddResponse;
+ modify_result = &modify_reply->msg->r.ModifyResponse;
modify_result->dn = NULL;
- modify_result->resultcode = result;
- modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
- modify_result->referral = NULL;
-
+ if ((res != NULL) && (res->refs != NULL)) {
+ modify_result->resultcode = map_ldb_error(local_ctx,
+ LDB_ERR_REFERRAL,
+ NULL, &errstr);
+ modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
+ modify_result->referral = talloc_strdup(call, *res->refs);
+ } else {
+ modify_result->resultcode = result;
+ modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
+ modify_result->referral = NULL;
+ }
talloc_free(local_ctx);
ldapsrv_queue_reply(call, modify_reply);
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
- int i,j;
+ unsigned int i,j;
+ struct ldb_result *res = NULL;
DEBUG(10, ("AddRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
+ DEBUGADD(10, (" dn: %s\n", req->dn));
local_ctx = talloc_named(call, 0, "AddRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn);
+ NT_STATUS_HAVE_NO_MEMORY(dn);
DEBUG(10, ("AddRequest: dn: [%s]\n", req->dn));
}
}
-reply:
add_reply = ldapsrv_init_reply(call, LDAP_TAG_AddResponse);
NT_STATUS_HAVE_NO_MEMORY(add_reply);
if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_add(samdb, msg);
- result = map_ldb_error(local_ctx, ldb_ret, &errstr);
+ res = talloc_zero(local_ctx, struct ldb_result);
+ NT_STATUS_HAVE_NO_MEMORY(res);
+ ldb_ret = ldapsrv_add_with_controls(call, msg, call->request->controls, res);
+ result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
+ &errstr);
}
add_result = &add_reply->msg->r.AddResponse;
add_result->dn = NULL;
- add_result->resultcode = result;
- add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
- add_result->referral = NULL;
-
+ if ((res != NULL) && (res->refs != NULL)) {
+ add_result->resultcode = map_ldb_error(local_ctx,
+ LDB_ERR_REFERRAL, NULL,
+ &errstr);
+ add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
+ add_result->referral = talloc_strdup(call, *res->refs);
+ } else {
+ add_result->resultcode = result;
+ add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
+ add_result->referral = NULL;
+ }
talloc_free(local_ctx);
ldapsrv_queue_reply(call, add_reply);
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
+ struct ldb_result *res = NULL;
DEBUG(10, ("DelRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
+ DEBUGADD(10, (" dn: %s\n", req->dn));
local_ctx = talloc_named(call, 0, "DelRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn);
+ NT_STATUS_HAVE_NO_MEMORY(dn);
DEBUG(10, ("DelRequest: dn: [%s]\n", req->dn));
-reply:
del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
NT_STATUS_HAVE_NO_MEMORY(del_reply);
if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_delete(samdb, dn);
- result = map_ldb_error(local_ctx, ldb_ret, &errstr);
+ res = talloc_zero(local_ctx, struct ldb_result);
+ NT_STATUS_HAVE_NO_MEMORY(res);
+ ldb_ret = ldapsrv_del_with_controls(call, dn, call->request->controls, res);
+ result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
+ &errstr);
}
del_result = &del_reply->msg->r.DelResponse;
del_result->dn = NULL;
- del_result->resultcode = result;
- del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
- del_result->referral = NULL;
+ if ((res != NULL) && (res->refs != NULL)) {
+ del_result->resultcode = map_ldb_error(local_ctx,
+ LDB_ERR_REFERRAL, NULL,
+ &errstr);
+ del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
+ del_result->referral = talloc_strdup(call, *res->refs);
+ } else {
+ del_result->resultcode = result;
+ del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
+ del_result->referral = NULL;
+ }
talloc_free(local_ctx);
const char *errstr = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
+ struct ldb_result *res = NULL;
DEBUG(10, ("ModifyDNRequest"));
DEBUGADD(10, (" dn: %s", req->dn));
- DEBUGADD(10, (" newrdn: %s", req->newrdn));
+ DEBUGADD(10, (" newrdn: %s\n", req->newrdn));
local_ctx = talloc_named(call, 0, "ModifyDNRequest local memory context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
olddn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(olddn);
+ NT_STATUS_HAVE_NO_MEMORY(olddn);
newrdn = ldb_dn_new(local_ctx, samdb, req->newrdn);
- VALID_DN_SYNTAX(newrdn);
+ NT_STATUS_HAVE_NO_MEMORY(newrdn);
DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn));
DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn));
- if (ldb_dn_get_comp_num(newrdn) != 1) {
- result = LDAP_INVALID_DN_SYNTAX;
- map_ldb_error(local_ctx, LDB_ERR_INVALID_DN_SYNTAX, &errstr);
+ if (ldb_dn_get_comp_num(newrdn) == 0) {
+ result = LDAP_PROTOCOL_ERROR;
+ map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR, NULL,
+ &errstr);
+ goto reply;
+ }
+
+ if (ldb_dn_get_comp_num(newrdn) > 1) {
+ result = LDAP_NAMING_VIOLATION;
+ map_ldb_error(local_ctx, LDB_ERR_NAMING_VIOLATION, NULL,
+ &errstr);
goto reply;
}
/* we can't handle the rename if we should not remove the old dn */
if (!req->deleteolddn) {
result = LDAP_UNWILLING_TO_PERFORM;
- map_ldb_error(local_ctx, LDB_ERR_UNWILLING_TO_PERFORM, &errstr);
+ map_ldb_error(local_ctx, LDB_ERR_UNWILLING_TO_PERFORM, NULL,
+ &errstr);
errstr = talloc_asprintf(local_ctx,
"%s. Old RDN must be deleted", errstr);
goto reply;
}
if (req->newsuperior) {
- parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior);
- VALID_DN_SYNTAX(parentdn);
DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req->newsuperior));
-
- if (ldb_dn_get_comp_num(parentdn) < 1) {
- result = LDAP_AFFECTS_MULTIPLE_DSAS;
- map_ldb_error(local_ctx, LDB_ERR_AFFECTS_MULTIPLE_DSAS,
- &errstr);
- errstr = talloc_asprintf(local_ctx,
- "%s. Error new Superior DN invalid", errstr);
- goto reply;
- }
+ parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior);
}
if (!parentdn) {
parentdn = ldb_dn_get_parent(local_ctx, olddn);
- NT_STATUS_HAVE_NO_MEMORY(parentdn);
+ }
+ if (!parentdn) {
+ result = LDAP_NO_SUCH_OBJECT;
+ map_ldb_error(local_ctx, LDB_ERR_NO_SUCH_OBJECT, NULL, &errstr);
+ goto reply;
}
if ( ! ldb_dn_add_child(parentdn, newrdn)) {
result = LDAP_OTHER;
+ map_ldb_error(local_ctx, LDB_ERR_OTHER, NULL, &errstr);
goto reply;
}
newdn = parentdn;
NT_STATUS_HAVE_NO_MEMORY(modifydn_r);
if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_rename(samdb, olddn, newdn);
- result = map_ldb_error(local_ctx, ldb_ret, &errstr);
+ res = talloc_zero(local_ctx, struct ldb_result);
+ NT_STATUS_HAVE_NO_MEMORY(res);
+ ldb_ret = ldapsrv_rename_with_controls(call, olddn, newdn, call->request->controls, res);
+ result = map_ldb_error(local_ctx, ldb_ret, ldb_errstring(samdb),
+ &errstr);
}
modifydn = &modifydn_r->msg->r.ModifyDNResponse;
modifydn->dn = NULL;
- modifydn->resultcode = result;
- modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
- modifydn->referral = NULL;
+ if ((res != NULL) && (res->refs != NULL)) {
+ modifydn->resultcode = map_ldb_error(local_ctx,
+ LDB_ERR_REFERRAL, NULL,
+ &errstr);;
+ modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
+ modifydn->referral = talloc_strdup(call, *res->refs);
+ } else {
+ modifydn->resultcode = result;
+ modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
+ modifydn->referral = NULL;
+ }
talloc_free(local_ctx);
int ldb_ret;
DEBUG(10, ("CompareRequest"));
- DEBUGADD(10, (" dn: %s", req->dn));
+ DEBUGADD(10, (" dn: %s\n", req->dn));
local_ctx = talloc_named(call, 0, "CompareRequest local_memory_context");
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn);
+ NT_STATUS_HAVE_NO_MEMORY(dn);
DEBUG(10, ("CompareRequest: dn: [%s]\n", req->dn));
filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
attrs[0] = NULL;
-reply:
compare_r = ldapsrv_init_reply(call, LDAP_TAG_CompareResponse);
NT_STATUS_HAVE_NO_MEMORY(compare_r);
ldb_ret = ldb_search(samdb, local_ctx, &res,
dn, LDB_SCOPE_BASE, attrs, "%s", filter);
if (ldb_ret != LDB_SUCCESS) {
- result = map_ldb_error(local_ctx, ldb_ret, &errstr);
+ result = map_ldb_error(local_ctx, ldb_ret,
+ ldb_errstring(samdb), &errstr);
DEBUG(10,("CompareRequest: error: %s\n", errstr));
} else if (res->count == 0) {
DEBUG(10,("CompareRequest: doesn't matched\n"));
errstr = NULL;
} else if (res->count > 1) {
result = LDAP_OTHER;
- map_ldb_error(local_ctx, LDB_ERR_OTHER, &errstr);
+ map_ldb_error(local_ctx, LDB_ERR_OTHER, NULL, &errstr);
errstr = talloc_asprintf(local_ctx,
"%s. Too many objects match!", errstr);
DEBUG(10,("CompareRequest: %d results: %s\n", res->count, errstr));
static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
{
-/* struct ldap_AbandonRequest *req = &call->request.r.AbandonRequest;*/
+ struct ldap_AbandonRequest *req = &call->request->r.AbandonRequest;
+ struct ldapsrv_call *c = NULL;
+ struct ldapsrv_call *n = NULL;
+
DEBUG(10, ("AbandonRequest\n"));
+
+ for (c = call->conn->pending_calls; c != NULL; c = n) {
+ n = c->next;
+
+ if (c->request->messageid != req->messageid) {
+ continue;
+ }
+
+ DLIST_REMOVE(call->conn->pending_calls, c);
+ TALLOC_FREE(c);
+ }
+
return NT_STATUS_OK;
}
NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
{
- int i;
+ unsigned int i;
struct ldap_message *msg = call->request;
+ NTSTATUS status;
+ bool log = true;
+
/* Check for undecoded critical extensions */
for (i=0; msg->controls && msg->controls[i]; i++) {
if (!msg->controls_decoded[i] &&
}
}
+ if (call->conn->authz_logged == false) {
+
+ /*
+ * We do not want to log anonymous access if the query
+ * is just for the rootDSE, or it is a startTLS or a
+ * Bind.
+ *
+ * A rootDSE search could also be done over
+ * CLDAP anonymously for example, so these don't
+ * really count.
+ * Essentially we want to know about
+ * access beyond that normally done prior to a
+ * bind.
+ */
+
+ switch(call->request->type) {
+ case LDAP_TAG_BindRequest:
+ log = false;
+ break;
+ case LDAP_TAG_ExtendedResponse: {
+ struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
+ if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
+ log = false;
+ }
+ break;
+ }
+ case LDAP_TAG_SearchRequest: {
+ struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
+ if (req->scope == LDAP_SEARCH_SCOPE_BASE) {
+ if (req->basedn[0] == '\0') {
+ log = false;
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (log) {
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ if (call->conn->sockets.active == call->conn->sockets.tls) {
+ transport_protection = AUTHZ_TRANSPORT_PROTECTION_TLS;
+ }
+
+ log_successful_authz_event(call->conn->connection->msg_ctx,
+ call->conn->connection->lp_ctx,
+ call->conn->connection->remote_address,
+ call->conn->connection->local_address,
+ "LDAP",
+ "no bind",
+ transport_protection,
+ call->conn->session_info);
+
+ call->conn->authz_logged = true;
+ }
+ }
+
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);
case LDAP_TAG_SearchRequest:
return ldapsrv_SearchRequest(call);
case LDAP_TAG_ModifyRequest:
- return ldapsrv_ModifyRequest(call);
+ status = ldapsrv_ModifyRequest(call);
+ break;
case LDAP_TAG_AddRequest:
- return ldapsrv_AddRequest(call);
+ status = ldapsrv_AddRequest(call);
+ break;
case LDAP_TAG_DelRequest:
- return ldapsrv_DelRequest(call);
+ status = ldapsrv_DelRequest(call);
+ break;
case LDAP_TAG_ModifyDNRequest:
- return ldapsrv_ModifyDNRequest(call);
+ status = ldapsrv_ModifyDNRequest(call);
+ break;
case LDAP_TAG_CompareRequest:
return ldapsrv_CompareRequest(call);
case LDAP_TAG_AbandonRequest:
return ldapsrv_AbandonRequest(call);
case LDAP_TAG_ExtendedRequest:
- return ldapsrv_ExtendedRequest(call);
+ status = ldapsrv_ExtendedRequest(call);
+ break;
default:
- return ldapsrv_unwilling(call, 2);
+ return ldapsrv_unwilling(call, LDAP_PROTOCOL_ERROR);
}
+
+ if (NT_STATUS_IS_OK(status)) {
+ ldapsrv_notification_retry_setup(call->conn->service, true);
+ }
+
+ return status;
}