2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Tridgell 2005
7 Copyright (C) Simo Sorce 2005-2008
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/ldb/include/ldb.h"
25 #include "lib/ldb/include/ldb_module.h"
26 #include "system/time.h"
27 #include "dsdb/samdb/samdb.h"
29 #include "dsdb/samdb/ldb_modules/util.h"
30 #include "libcli/security/security.h"
31 #include "libcli/security/session.h"
32 #include "librpc/ndr/libndr.h"
33 #include "auth/auth.h"
34 #include "param/param.h"
35 #include "lib/messaging/irpc.h"
36 #include "librpc/gen_ndr/ndr_irpc_c.h"
39 unsigned int num_controls;
41 unsigned int num_partitions;
42 struct ldb_dn **partitions;
47 return 1 if a specific attribute has been requested
49 static int do_attribute(const char * const *attrs, const char *name)
51 return attrs == NULL ||
52 ldb_attr_in_list(attrs, name) ||
53 ldb_attr_in_list(attrs, "*");
56 static int do_attribute_explicit(const char * const *attrs, const char *name)
58 return attrs != NULL && ldb_attr_in_list(attrs, name);
63 expand a DN attribute to include extended DN information if requested
65 static int expand_dn_in_message(struct ldb_module *module, struct ldb_message *msg,
66 const char *attrname, struct ldb_control *edn_control,
67 struct ldb_request *req)
69 struct ldb_dn *dn, *dn2;
72 struct ldb_request *req2;
74 const char *no_attrs[] = { NULL };
75 struct ldb_result *res;
76 struct ldb_extended_dn_control *edn;
77 TALLOC_CTX *tmp_ctx = talloc_new(req);
78 struct ldb_context *ldb;
81 ldb = ldb_module_get_ctx(module);
83 edn = talloc_get_type(edn_control->data, struct ldb_extended_dn_control);
88 v = discard_const_p(struct ldb_val, ldb_msg_find_ldb_val(msg, attrname));
94 dn_string = talloc_strndup(tmp_ctx, (const char *)v->data, v->length);
95 if (dn_string == NULL) {
97 return ldb_operr(ldb);
100 res = talloc_zero(tmp_ctx, struct ldb_result);
102 talloc_free(tmp_ctx);
103 return ldb_operr(ldb);
106 dn = ldb_dn_new(tmp_ctx, ldb, dn_string);
107 if (!ldb_dn_validate(dn)) {
108 talloc_free(tmp_ctx);
109 return ldb_operr(ldb);
112 ret = ldb_build_search_req(&req2, ldb, tmp_ctx,
118 res, ldb_search_default_callback,
120 LDB_REQ_SET_LOCATION(req2);
121 if (ret != LDB_SUCCESS) {
122 talloc_free(tmp_ctx);
127 ret = ldb_request_add_control(req2,
128 LDB_CONTROL_EXTENDED_DN_OID,
129 edn_control->critical, edn);
130 if (ret != LDB_SUCCESS) {
131 talloc_free(tmp_ctx);
135 ret = ldb_next_request(module, req2);
136 if (ret == LDB_SUCCESS) {
137 ret = ldb_wait(req2->handle, LDB_WAIT_ALL);
139 if (ret != LDB_SUCCESS) {
140 talloc_free(tmp_ctx);
144 if (!res || res->count != 1) {
145 talloc_free(tmp_ctx);
146 return ldb_operr(ldb);
149 dn2 = res->msgs[0]->dn;
151 v->data = (uint8_t *)ldb_dn_get_extended_linearized(msg->elements, dn2, edn_type);
152 if (v->data == NULL) {
153 talloc_free(tmp_ctx);
154 return ldb_operr(ldb);
156 v->length = strlen((char *)v->data);
159 talloc_free(tmp_ctx);
166 add dynamically generated attributes to rootDSE result
168 static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *msg,
169 const char * const *attrs, struct ldb_request *req)
171 struct ldb_context *ldb;
172 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
174 const struct dsdb_schema *schema;
176 struct ldb_control *edn_control;
177 const char *dn_attrs[] = {
178 "configurationNamingContext",
179 "defaultNamingContext",
181 "rootDomainNamingContext",
182 "schemaNamingContext",
187 ldb = ldb_module_get_ctx(module);
188 schema = dsdb_get_schema(ldb, NULL);
190 msg->dn = ldb_dn_new(msg, ldb, NULL);
192 /* don't return the distinguishedName, cn and name attributes */
193 ldb_msg_remove_attr(msg, "distinguishedName");
194 ldb_msg_remove_attr(msg, "cn");
195 ldb_msg_remove_attr(msg, "name");
197 if (do_attribute(attrs, "serverName")) {
198 if (ldb_msg_add_linearized_dn(msg, "serverName",
199 samdb_server_dn(ldb, msg)) != LDB_SUCCESS) {
204 if (do_attribute(attrs, "dnsHostName")) {
205 struct ldb_result *res;
207 const char *dns_attrs[] = { "dNSHostName", NULL };
208 ret = dsdb_module_search_dn(module, msg, &res, samdb_server_dn(ldb, msg),
209 dns_attrs, DSDB_FLAG_NEXT_MODULE, req);
210 if (ret == LDB_SUCCESS) {
211 const char *hostname = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL);
212 if (hostname != NULL) {
213 if (ldb_msg_add_string(msg, "dNSHostName", hostname)) {
220 if (do_attribute(attrs, "ldapServiceName")) {
221 struct loadparm_context *lp_ctx
222 = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
223 struct loadparm_context);
224 char *ldap_service_name, *hostname;
226 hostname = talloc_strdup(msg, lpcfg_netbios_name(lp_ctx));
227 if (hostname == NULL) {
230 strlower_m(hostname);
232 ldap_service_name = talloc_asprintf(msg, "%s:%s$@%s",
233 samdb_forest_name(ldb, msg),
234 hostname, lpcfg_realm(lp_ctx));
235 if (ldap_service_name == NULL) {
239 if (ldb_msg_add_string(msg, "ldapServiceName",
240 ldap_service_name) != LDB_SUCCESS) {
245 if (do_attribute(attrs, "currentTime")) {
246 if (ldb_msg_add_steal_string(msg, "currentTime",
247 ldb_timestring(msg, time(NULL))) != LDB_SUCCESS) {
252 if (priv && do_attribute(attrs, "supportedControl")) {
254 for (i = 0; i < priv->num_controls; i++) {
255 char *control = talloc_strdup(msg, priv->controls[i]);
259 if (ldb_msg_add_steal_string(msg, "supportedControl",
260 control) != LDB_SUCCESS) {
266 if (priv && do_attribute(attrs, "namingContexts")) {
268 for (i = 0; i < priv->num_partitions; i++) {
269 struct ldb_dn *dn = priv->partitions[i];
270 if (ldb_msg_add_steal_string(msg, "namingContexts",
271 ldb_dn_alloc_linearized(msg, dn)) != LDB_SUCCESS) {
277 server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
279 if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
281 for (i = 0; server_sasl && server_sasl[i]; i++) {
282 char *sasl_name = talloc_strdup(msg, server_sasl[i]);
286 if (ldb_msg_add_steal_string(msg, "supportedSASLMechanisms",
287 sasl_name) != LDB_SUCCESS) {
293 if (do_attribute(attrs, "highestCommittedUSN")) {
295 int ret = ldb_sequence_number(ldb, LDB_SEQ_HIGHEST_SEQ, &seq_num);
296 if (ret == LDB_SUCCESS) {
297 if (samdb_msg_add_uint64(ldb, msg, msg,
298 "highestCommittedUSN",
299 seq_num) != LDB_SUCCESS) {
305 if (schema && do_attribute_explicit(attrs, "dsSchemaAttrCount")) {
306 struct dsdb_attribute *cur;
309 for (cur = schema->attributes; cur; cur = cur->next) {
313 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaAttrCount",
319 if (schema && do_attribute_explicit(attrs, "dsSchemaClassCount")) {
320 struct dsdb_class *cur;
323 for (cur = schema->classes; cur; cur = cur->next) {
327 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaClassCount",
333 if (schema && do_attribute_explicit(attrs, "dsSchemaPrefixCount")) {
334 if (samdb_msg_add_uint(ldb, msg, msg, "dsSchemaPrefixCount",
335 schema->prefixmap->length) != LDB_SUCCESS) {
340 if (do_attribute_explicit(attrs, "validFSMOs")) {
341 const struct dsdb_naming_fsmo *naming_fsmo;
342 const struct dsdb_pdc_fsmo *pdc_fsmo;
345 if (schema && schema->fsmo.we_are_master) {
346 dn_str = ldb_dn_get_linearized(ldb_get_schema_basedn(ldb));
347 if (dn_str && dn_str[0]) {
348 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
354 naming_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_naming_fsmo"),
355 struct dsdb_naming_fsmo);
356 if (naming_fsmo && naming_fsmo->we_are_master) {
357 dn_str = ldb_dn_get_linearized(samdb_partitions_dn(ldb, msg));
358 if (dn_str && dn_str[0]) {
359 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
365 pdc_fsmo = talloc_get_type(ldb_get_opaque(ldb, "dsdb_pdc_fsmo"),
366 struct dsdb_pdc_fsmo);
367 if (pdc_fsmo && pdc_fsmo->we_are_master) {
368 dn_str = ldb_dn_get_linearized(ldb_get_default_basedn(ldb));
369 if (dn_str && dn_str[0]) {
370 if (ldb_msg_add_fmt(msg, "validFSMOs", "%s", dn_str) != LDB_SUCCESS) {
377 if (do_attribute_explicit(attrs, "vendorVersion")) {
378 if (ldb_msg_add_fmt(msg, "vendorVersion",
379 "%s", SAMBA_VERSION_STRING) != LDB_SUCCESS) {
384 if (do_attribute(attrs, "domainFunctionality")) {
385 if (samdb_msg_add_int(ldb, msg, msg, "domainFunctionality",
386 dsdb_functional_level(ldb)) != LDB_SUCCESS) {
391 if (do_attribute(attrs, "forestFunctionality")) {
392 if (samdb_msg_add_int(ldb, msg, msg, "forestFunctionality",
393 dsdb_forest_functional_level(ldb)) != LDB_SUCCESS) {
398 if (do_attribute(attrs, "domainControllerFunctionality")
399 && (val = talloc_get_type(ldb_get_opaque(ldb, "domainControllerFunctionality"), int))) {
400 if (samdb_msg_add_int(ldb, msg, msg,
401 "domainControllerFunctionality",
402 *val) != LDB_SUCCESS) {
407 if (do_attribute(attrs, "isGlobalCatalogReady")) {
408 /* MS-ADTS 3.1.1.3.2.10
409 Note, we should only return true here is we have
410 completed at least one synchronisation. As both
411 provision and vampire do a full sync, this means we
412 can return true is the gc bit is set in the NTDSDSA
414 if (ldb_msg_add_fmt(msg, "isGlobalCatalogReady",
415 "%s", samdb_is_gc(ldb)?"TRUE":"FALSE") != LDB_SUCCESS) {
420 if (do_attribute_explicit(attrs, "tokenGroups")) {
422 /* Obtain the user's session_info */
423 struct auth_session_info *session_info
424 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
425 if (session_info && session_info->security_token) {
426 /* The list of groups this user is in */
427 for (i = 0; i < session_info->security_token->num_sids; i++) {
428 if (samdb_msg_add_dom_sid(ldb, msg, msg,
430 &session_info->security_token->sids[i]) != LDB_SUCCESS) {
437 /* TODO: lots more dynamic attributes should be added here */
439 edn_control = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
441 /* if the client sent us the EXTENDED_DN control then we need
442 to expand the DNs to have GUID and SID. W2K8 join relies on
447 for (i=0; dn_attrs[i]; i++) {
448 if (!do_attribute(attrs, dn_attrs[i])) continue;
449 ret = expand_dn_in_message(module, msg, dn_attrs[i],
451 if (ret != LDB_SUCCESS) {
452 DEBUG(0,(__location__ ": Failed to expand DN in rootDSE for %s\n",
462 return ldb_operr(ldb);
466 handle search requests
469 struct rootdse_context {
470 struct ldb_module *module;
471 struct ldb_request *req;
474 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
475 struct ldb_request *req)
477 struct ldb_context *ldb;
478 struct rootdse_context *ac;
480 ldb = ldb_module_get_ctx(module);
482 ac = talloc_zero(req, struct rootdse_context);
484 ldb_set_errstring(ldb, "Out of Memory");
494 static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
496 struct rootdse_context *ac;
499 ac = talloc_get_type(req->context, struct rootdse_context);
502 return ldb_module_done(ac->req, NULL, NULL,
503 LDB_ERR_OPERATIONS_ERROR);
505 if (ares->error != LDB_SUCCESS) {
506 return ldb_module_done(ac->req, ares->controls,
507 ares->response, ares->error);
510 switch (ares->type) {
511 case LDB_REPLY_ENTRY:
513 * if the client explicit asks for the 'netlogon' attribute
514 * the reply_entry needs to be skipped
516 if (ac->req->op.search.attrs &&
517 ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
522 /* for each record returned post-process to add any dynamic
523 attributes that have been asked for */
524 ret = rootdse_add_dynamic(ac->module, ares->message,
525 ac->req->op.search.attrs, ac->req);
526 if (ret != LDB_SUCCESS) {
528 return ldb_module_done(ac->req, NULL, NULL, ret);
531 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
533 case LDB_REPLY_REFERRAL:
534 /* should we allow the backend to return referrals in this case
539 return ldb_module_done(ac->req, ares->controls,
540 ares->response, ares->error);
548 filter from controls from clients in several ways
550 1) mark our registered controls as non-critical in the request
552 This is needed as clients may mark controls as critical even if
553 they are not needed at all in a request. For example, the centrify
554 client sets the SD_FLAGS control as critical on ldap modify
555 requests which are setting the dNSHostName attribute on the
556 machine account. That request doesn't need SD_FLAGS at all, but
557 centrify adds it on all ldap requests.
559 2) if this request is untrusted then remove any non-registered
560 controls that are non-critical
562 This is used on ldap:// connections to prevent remote users from
563 setting an internal control that may be dangerous
565 3) if this request is untrusted then fail any request that includes
566 a critical non-registered control
568 static int rootdse_filter_controls(struct ldb_module *module, struct ldb_request *req)
571 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
574 if (!req->controls) {
578 is_untrusted = ldb_req_is_untrusted(req);
580 for (i=0; req->controls[i]; i++) {
581 bool is_registered = false;
582 bool is_critical = (req->controls[i]->critical != 0);
584 if (req->controls[i]->oid == NULL) {
588 if (is_untrusted || is_critical) {
589 for (j=0; j<priv->num_controls; j++) {
590 if (strcasecmp(priv->controls[j], req->controls[i]->oid) == 0) {
591 is_registered = true;
597 if (is_untrusted && !is_registered) {
599 /* remove it by marking the oid NULL */
600 req->controls[i]->oid = NULL;
601 req->controls[i]->data = NULL;
602 req->controls[i]->critical = 0;
605 /* its a critical unregistered control - give
607 ldb_asprintf_errstring(ldb_module_get_ctx(module),
608 "Attempt to use critical non-registered control '%s'",
609 req->controls[i]->oid);
610 return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
618 req->controls[i]->critical = 0;
625 /* Ensure that anonymous users are not allowed to make anything other than rootDSE search operations */
627 static int rootdse_filter_operations(struct ldb_module *module, struct ldb_request *req)
629 struct auth_session_info *session_info;
630 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
631 bool is_untrusted = ldb_req_is_untrusted(req);
632 bool is_anonymous = true;
633 if (is_untrusted == false) {
637 session_info = (struct auth_session_info *)ldb_get_opaque(ldb_module_get_ctx(module), "sessionInfo");
639 is_anonymous = security_token_is_anonymous(session_info->security_token);
642 if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
646 if (req->operation == LDB_SEARCH) {
647 if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
651 ldb_set_errstring(ldb_module_get_ctx(module), "Operation unavailable without authentication");
652 return LDB_ERR_OPERATIONS_ERROR;
655 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
657 struct ldb_context *ldb;
658 struct rootdse_context *ac;
659 struct ldb_request *down_req;
662 ret = rootdse_filter_operations(module, req);
663 if (ret != LDB_SUCCESS) {
667 ret = rootdse_filter_controls(module, req);
668 if (ret != LDB_SUCCESS) {
672 ldb = ldb_module_get_ctx(module);
674 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
675 if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
676 /* Otherwise, pass down to the rest of the stack */
677 return ldb_next_request(module, req);
680 ac = rootdse_init_context(module, req);
682 return ldb_operr(ldb);
685 /* in our db we store the rootDSE with a DN of @ROOTDSE */
686 ret = ldb_build_search_req(&down_req, ldb, ac,
687 ldb_dn_new(ac, ldb, "@ROOTDSE"),
690 req->op.search.attrs,
691 NULL,/* for now skip the controls from the client */
692 ac, rootdse_callback,
694 LDB_REQ_SET_LOCATION(down_req);
695 if (ret != LDB_SUCCESS) {
699 return ldb_next_request(module, down_req);
702 static int rootdse_register_control(struct ldb_module *module, struct ldb_request *req)
704 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
707 list = talloc_realloc(priv, priv->controls, char *, priv->num_controls + 1);
709 return ldb_oom(ldb_module_get_ctx(module));
712 list[priv->num_controls] = talloc_strdup(list, req->op.reg_control.oid);
713 if (!list[priv->num_controls]) {
714 return ldb_oom(ldb_module_get_ctx(module));
717 priv->num_controls += 1;
718 priv->controls = list;
720 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
723 static int rootdse_register_partition(struct ldb_module *module, struct ldb_request *req)
725 struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
726 struct ldb_dn **list;
728 list = talloc_realloc(priv, priv->partitions, struct ldb_dn *, priv->num_partitions + 1);
730 return ldb_oom(ldb_module_get_ctx(module));
733 list[priv->num_partitions] = ldb_dn_copy(list, req->op.reg_partition.dn);
734 if (!list[priv->num_partitions]) {
735 return ldb_operr(ldb_module_get_ctx(module));
738 priv->num_partitions += 1;
739 priv->partitions = list;
741 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
745 static int rootdse_request(struct ldb_module *module, struct ldb_request *req)
747 switch (req->operation) {
749 case LDB_REQ_REGISTER_CONTROL:
750 return rootdse_register_control(module, req);
751 case LDB_REQ_REGISTER_PARTITION:
752 return rootdse_register_partition(module, req);
757 return ldb_next_request(module, req);
760 static int rootdse_init(struct ldb_module *module)
763 struct ldb_context *ldb;
764 struct ldb_result *res;
765 struct private_data *data;
766 const char *attrs[] = { "msDS-Behavior-Version", NULL };
767 const char *ds_attrs[] = { "dsServiceName", NULL };
770 ldb = ldb_module_get_ctx(module);
772 data = talloc_zero(module, struct private_data);
777 data->num_controls = 0;
778 data->controls = NULL;
779 data->num_partitions = 0;
780 data->partitions = NULL;
781 data->block_anonymous = true;
783 ldb_module_set_private(module, data);
785 ldb_set_default_dns(ldb);
787 ret = ldb_next_init(module);
789 if (ret != LDB_SUCCESS) {
793 mem_ctx = talloc_new(data);
798 /* Now that the partitions are set up, do a search for:
799 - domainControllerFunctionality
800 - domainFunctionality
801 - forestFunctionality
803 Then stuff these values into an opaque
805 ret = dsdb_module_search(module, mem_ctx, &res,
806 ldb_get_default_basedn(ldb),
807 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
808 if (ret == LDB_SUCCESS && res->count == 1) {
809 int domain_behaviour_version
810 = ldb_msg_find_attr_as_int(res->msgs[0],
811 "msDS-Behavior-Version", -1);
812 if (domain_behaviour_version != -1) {
813 int *val = talloc(ldb, int);
815 talloc_free(mem_ctx);
818 *val = domain_behaviour_version;
819 ret = ldb_set_opaque(ldb, "domainFunctionality", val);
820 if (ret != LDB_SUCCESS) {
821 talloc_free(mem_ctx);
827 ret = dsdb_module_search(module, mem_ctx, &res,
828 samdb_partitions_dn(ldb, mem_ctx),
829 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
830 if (ret == LDB_SUCCESS && res->count == 1) {
831 int forest_behaviour_version
832 = ldb_msg_find_attr_as_int(res->msgs[0],
833 "msDS-Behavior-Version", -1);
834 if (forest_behaviour_version != -1) {
835 int *val = talloc(ldb, int);
837 talloc_free(mem_ctx);
840 *val = forest_behaviour_version;
841 ret = ldb_set_opaque(ldb, "forestFunctionality", val);
842 if (ret != LDB_SUCCESS) {
843 talloc_free(mem_ctx);
849 /* For now, our own server's location in the DB is recorded in
850 * the @ROOTDSE record */
851 ret = dsdb_module_search(module, mem_ctx, &res,
852 ldb_dn_new(mem_ctx, ldb, "@ROOTDSE"),
853 LDB_SCOPE_BASE, ds_attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
854 if (ret == LDB_SUCCESS && res->count == 1) {
856 = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
859 ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
860 LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL, NULL);
861 if (ret == LDB_SUCCESS && res->count == 1) {
862 int domain_controller_behaviour_version
863 = ldb_msg_find_attr_as_int(res->msgs[0],
864 "msDS-Behavior-Version", -1);
865 if (domain_controller_behaviour_version != -1) {
866 int *val = talloc(ldb, int);
868 talloc_free(mem_ctx);
871 *val = domain_controller_behaviour_version;
872 ret = ldb_set_opaque(ldb,
873 "domainControllerFunctionality", val);
874 if (ret != LDB_SUCCESS) {
875 talloc_free(mem_ctx);
883 data->block_anonymous = dsdb_block_anonymous_ops(module, NULL);
885 talloc_free(mem_ctx);
891 * This function gets the string SCOPE_DN:OPTIONAL_FEATURE_GUID and parse it
892 * to a DN and a GUID object
894 static int get_optional_feature_dn_guid(struct ldb_request *req, struct ldb_context *ldb,
896 struct ldb_dn **op_feature_scope_dn,
897 struct GUID *op_feature_guid)
899 const struct ldb_message *msg = req->op.mod.message;
900 const char *ldb_val_str;
902 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
905 ldb_val_str = ldb_msg_find_attr_as_string(msg, "enableOptionalFeature", NULL);
907 ldb_set_errstring(ldb,
908 "rootdse: unable to find 'enableOptionalFeature'!");
909 return LDB_ERR_UNWILLING_TO_PERFORM;
912 guid = strchr(ldb_val_str, ':');
914 ldb_set_errstring(ldb,
915 "rootdse: unable to find GUID in 'enableOptionalFeature'!");
916 return LDB_ERR_UNWILLING_TO_PERFORM;
918 status = GUID_from_string(guid+1, op_feature_guid);
919 if (!NT_STATUS_IS_OK(status)) {
920 ldb_set_errstring(ldb,
921 "rootdse: bad GUID in 'enableOptionalFeature'!");
922 return LDB_ERR_UNWILLING_TO_PERFORM;
925 dn = talloc_strndup(tmp_ctx, ldb_val_str, guid-ldb_val_str);
927 ldb_set_errstring(ldb,
928 "rootdse: bad DN in 'enableOptionalFeature'!");
929 return LDB_ERR_UNWILLING_TO_PERFORM;
932 *op_feature_scope_dn = ldb_dn_new(mem_ctx, ldb, dn);
934 talloc_free(tmp_ctx);
939 * This function gets the OPTIONAL_FEATURE_GUID and looks for the optional feature
940 * ldb_message object.
942 static int dsdb_find_optional_feature(struct ldb_module *module, struct ldb_context *ldb,
943 TALLOC_CTX *mem_ctx, struct GUID op_feature_guid, struct ldb_message **msg,
944 struct ldb_request *parent)
946 struct ldb_result *res;
947 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
950 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
952 DSDB_FLAG_NEXT_MODULE |
953 DSDB_SEARCH_SEARCH_ALL_PARTITIONS,
955 "(&(objectClass=msDS-OptionalFeature)"
956 "(msDS-OptionalFeatureGUID=%s))",GUID_string(tmp_ctx, &op_feature_guid));
958 if (ret != LDB_SUCCESS) {
959 talloc_free(tmp_ctx);
962 if (res->count == 0) {
963 talloc_free(tmp_ctx);
964 return LDB_ERR_NO_SUCH_OBJECT;
966 if (res->count != 1) {
967 ldb_asprintf_errstring(ldb,
968 "More than one object found matching optional feature GUID %s\n",
969 GUID_string(tmp_ctx, &op_feature_guid));
970 talloc_free(tmp_ctx);
971 return LDB_ERR_OPERATIONS_ERROR;
974 *msg = talloc_steal(mem_ctx, res->msgs[0]);
976 talloc_free(tmp_ctx);
980 static int rootdse_enable_recycle_bin(struct ldb_module *module,struct ldb_context *ldb,
981 TALLOC_CTX *mem_ctx, struct ldb_dn *op_feature_scope_dn,
982 struct ldb_message *op_feature_msg, struct ldb_request *parent)
985 const int domain_func_level = dsdb_functional_level(ldb);
986 struct ldb_dn *ntds_settings_dn;
988 unsigned int el_count = 0;
989 struct ldb_message *msg;
991 ret = ldb_msg_find_attr_as_int(op_feature_msg, "msDS-RequiredForestBehaviorVersion", 0);
992 if (domain_func_level < ret){
993 ldb_asprintf_errstring(ldb,
994 "rootdse_enable_recycle_bin: Domain functional level must be at least %d\n",
996 return LDB_ERR_UNWILLING_TO_PERFORM;
999 tmp_ctx = talloc_new(mem_ctx);
1000 ntds_settings_dn = samdb_ntds_settings_dn(ldb);
1001 if (!ntds_settings_dn) {
1002 DEBUG(0, (__location__ ": Failed to find NTDS settings DN\n"));
1003 ret = LDB_ERR_OPERATIONS_ERROR;
1004 talloc_free(tmp_ctx);
1008 ntds_settings_dn = ldb_dn_copy(tmp_ctx, ntds_settings_dn);
1009 if (!ntds_settings_dn) {
1010 DEBUG(0, (__location__ ": Failed to copy NTDS settings DN\n"));
1011 ret = LDB_ERR_OPERATIONS_ERROR;
1012 talloc_free(tmp_ctx);
1016 msg = ldb_msg_new(tmp_ctx);
1017 msg->dn = ntds_settings_dn;
1019 ldb_msg_add_linearized_dn(msg, "msDS-EnabledFeature", op_feature_msg->dn);
1020 msg->elements[el_count++].flags = LDB_FLAG_MOD_ADD;
1022 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1023 if (ret != LDB_SUCCESS) {
1024 ldb_asprintf_errstring(ldb,
1025 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1026 ldb_dn_get_linearized(ntds_settings_dn),
1027 ldb_errstring(ldb));
1028 talloc_free(tmp_ctx);
1032 msg->dn = op_feature_scope_dn;
1033 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1034 if (ret != LDB_SUCCESS) {
1035 ldb_asprintf_errstring(ldb,
1036 "rootdse_enable_recycle_bin: Failed to modify object %s - %s",
1037 ldb_dn_get_linearized(op_feature_scope_dn),
1038 ldb_errstring(ldb));
1039 talloc_free(tmp_ctx);
1046 static int rootdse_enableoptionalfeature(struct ldb_module *module, struct ldb_request *req)
1050 - check for system (only system can enable features)
1051 - extract GUID from the request
1052 - find the feature object
1053 - check functional level, must be at least msDS-RequiredForestBehaviorVersion
1054 - check if it is already enabled (if enabled return LDAP_ATTRIBUTE_OR_VALUE_EXISTS) - probably not needed, just return error from the add/modify
1055 - add/modify objects (see ntdsconnection code for an example)
1058 struct ldb_context *ldb = ldb_module_get_ctx(module);
1059 struct GUID op_feature_guid;
1060 struct ldb_dn *op_feature_scope_dn;
1061 struct ldb_message *op_feature_msg;
1062 struct auth_session_info *session_info =
1063 (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
1064 TALLOC_CTX *tmp_ctx = talloc_new(ldb);
1066 const char *guid_string;
1068 if (security_session_user_level(session_info, NULL) != SECURITY_SYSTEM) {
1069 ldb_set_errstring(ldb, "rootdse: Insufficient rights for enableoptionalfeature");
1070 return LDB_ERR_UNWILLING_TO_PERFORM;
1073 ret = get_optional_feature_dn_guid(req, ldb, tmp_ctx, &op_feature_scope_dn, &op_feature_guid);
1074 if (ret != LDB_SUCCESS) {
1075 talloc_free(tmp_ctx);
1079 guid_string = GUID_string(tmp_ctx, &op_feature_guid);
1081 ldb_set_errstring(ldb, "rootdse: bad optional feature GUID");
1082 return LDB_ERR_UNWILLING_TO_PERFORM;
1085 ret = dsdb_find_optional_feature(module, ldb, tmp_ctx, op_feature_guid, &op_feature_msg, req);
1086 if (ret != LDB_SUCCESS) {
1087 ldb_asprintf_errstring(ldb,
1088 "rootdse: unable to find optional feature for %s - %s",
1089 guid_string, ldb_errstring(ldb));
1090 talloc_free(tmp_ctx);
1094 if (strcasecmp(DS_GUID_FEATURE_RECYCLE_BIN, guid_string) == 0) {
1095 ret = rootdse_enable_recycle_bin(module, ldb,
1096 tmp_ctx, op_feature_scope_dn,
1097 op_feature_msg, req);
1099 ldb_asprintf_errstring(ldb,
1100 "rootdse: unknown optional feature %s",
1102 talloc_free(tmp_ctx);
1103 return LDB_ERR_UNWILLING_TO_PERFORM;
1105 if (ret != LDB_SUCCESS) {
1106 ldb_asprintf_errstring(ldb,
1107 "rootdse: failed to set optional feature for %s - %s",
1108 guid_string, ldb_errstring(ldb));
1109 talloc_free(tmp_ctx);
1113 talloc_free(tmp_ctx);
1114 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);;
1117 static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request *req)
1119 struct ldb_context *ldb = ldb_module_get_ctx(module);
1120 struct ldb_result *ext_res;
1122 struct ldb_dn *schema_dn;
1124 schema_dn = ldb_get_schema_basedn(ldb);
1126 ldb_reset_err_string(ldb);
1127 ldb_debug(ldb, LDB_DEBUG_WARNING,
1128 "rootdse_modify: no schema dn present: (skip ldb_extended call)\n");
1129 return ldb_next_request(module, req);
1132 ret = ldb_extended(ldb, DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID, schema_dn, &ext_res);
1133 if (ret != LDB_SUCCESS) {
1134 return ldb_operr(ldb);
1137 talloc_free(ext_res);
1138 return ldb_module_done(req, NULL, NULL, ret);
1141 static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
1143 struct ldb_context *ldb = ldb_module_get_ctx(module);
1146 ret = rootdse_filter_operations(module, req);
1147 if (ret != LDB_SUCCESS) {
1151 ret = rootdse_filter_controls(module, req);
1152 if (ret != LDB_SUCCESS) {
1157 If dn is not "" we should let it pass through
1159 if (!ldb_dn_is_null(req->op.add.message->dn)) {
1160 return ldb_next_request(module, req);
1163 ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
1164 return LDB_ERR_NAMING_VIOLATION;
1167 static int rootdse_become_master(struct ldb_module *module,
1168 struct ldb_request *req,
1169 enum drepl_role_master role)
1171 struct drepl_takeFSMORole r;
1172 struct messaging_context *msg;
1173 struct ldb_context *ldb = ldb_module_get_ctx(module);
1174 TALLOC_CTX *tmp_ctx = talloc_new(req);
1175 struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
1176 NTSTATUS status_call;
1179 struct dcerpc_binding_handle *irpc_handle;
1182 ret = samdb_rodc(ldb, &am_rodc);
1183 if (ret != LDB_SUCCESS) {
1184 return ldb_error(ldb, ret, "Could not determine if server is RODC.");
1188 return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
1189 "RODC cannot become a role master.");
1192 msg = messaging_client_init(tmp_ctx, lpcfg_messaging_path(tmp_ctx, lp_ctx),
1193 ldb_get_event_context(ldb));
1195 ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s", lpcfg_messaging_path(tmp_ctx, lp_ctx));
1196 return LDB_ERR_OPERATIONS_ERROR;
1198 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
1201 if (irpc_handle == NULL) {
1202 return ldb_oom(ldb);
1206 status_call = dcerpc_drepl_takeFSMORole_r(irpc_handle, tmp_ctx, &r);
1207 if (!NT_STATUS_IS_OK(status_call)) {
1208 return LDB_ERR_OPERATIONS_ERROR;
1210 status_fn = r.out.result;
1211 if (!W_ERROR_IS_OK(status_fn)) {
1212 return LDB_ERR_OPERATIONS_ERROR;
1214 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1217 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
1219 struct ldb_context *ldb = ldb_module_get_ctx(module);
1222 ret = rootdse_filter_operations(module, req);
1223 if (ret != LDB_SUCCESS) {
1227 ret = rootdse_filter_controls(module, req);
1228 if (ret != LDB_SUCCESS) {
1233 If dn is not "" we should let it pass through
1235 if (!ldb_dn_is_null(req->op.mod.message->dn)) {
1236 return ldb_next_request(module, req);
1240 dn is empty so check for schemaUpdateNow attribute
1241 "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
1243 if (ldb_msg_find_element(req->op.mod.message, "schemaUpdateNow")) {
1244 return rootdse_schemaupdatenow(module, req);
1246 if (ldb_msg_find_element(req->op.mod.message, "becomeDomainMaster")) {
1247 return rootdse_become_master(module, req, DREPL_NAMING_MASTER);
1249 if (ldb_msg_find_element(req->op.mod.message, "becomeInfrastructureMaster")) {
1250 return rootdse_become_master(module, req, DREPL_INFRASTRUCTURE_MASTER);
1252 if (ldb_msg_find_element(req->op.mod.message, "becomeRidMaster")) {
1253 return rootdse_become_master(module, req, DREPL_RID_MASTER);
1255 if (ldb_msg_find_element(req->op.mod.message, "becomeSchemaMaster")) {
1256 return rootdse_become_master(module, req, DREPL_SCHEMA_MASTER);
1258 if (ldb_msg_find_element(req->op.mod.message, "becomePdc")) {
1259 return rootdse_become_master(module, req, DREPL_PDC_MASTER);
1261 if (ldb_msg_find_element(req->op.mod.message, "enableOptionalFeature")) {
1262 return rootdse_enableoptionalfeature(module, req);
1265 ldb_set_errstring(ldb, "rootdse_modify: unknown attribute to change!");
1266 return LDB_ERR_UNWILLING_TO_PERFORM;
1269 static int rootdse_rename(struct ldb_module *module, struct ldb_request *req)
1271 struct ldb_context *ldb = ldb_module_get_ctx(module);
1274 ret = rootdse_filter_operations(module, req);
1275 if (ret != LDB_SUCCESS) {
1279 ret = rootdse_filter_controls(module, req);
1280 if (ret != LDB_SUCCESS) {
1285 If dn is not "" we should let it pass through
1287 if (!ldb_dn_is_null(req->op.rename.olddn)) {
1288 return ldb_next_request(module, req);
1291 ldb_set_errstring(ldb, "rootdse_remove: you cannot rename the rootdse entry!");
1292 return LDB_ERR_NO_SUCH_OBJECT;
1295 static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
1297 struct ldb_context *ldb = ldb_module_get_ctx(module);
1300 ret = rootdse_filter_operations(module, req);
1301 if (ret != LDB_SUCCESS) {
1305 ret = rootdse_filter_controls(module, req);
1306 if (ret != LDB_SUCCESS) {
1311 If dn is not "" we should let it pass through
1313 if (!ldb_dn_is_null(req->op.del.dn)) {
1314 return ldb_next_request(module, req);
1317 ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
1318 return LDB_ERR_NO_SUCH_OBJECT;
1321 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
1325 ret = rootdse_filter_operations(module, req);
1326 if (ret != LDB_SUCCESS) {
1330 ret = rootdse_filter_controls(module, req);
1331 if (ret != LDB_SUCCESS) {
1335 return ldb_next_request(module, req);
1338 static const struct ldb_module_ops ldb_rootdse_module_ops = {
1340 .init_context = rootdse_init,
1341 .search = rootdse_search,
1342 .request = rootdse_request,
1344 .modify = rootdse_modify,
1345 .rename = rootdse_rename,
1346 .extended = rootdse_extended,
1347 .del = rootdse_delete
1350 int ldb_rootdse_module_init(const char *version)
1352 LDB_MODULE_CHECK_VERSION(version);
1353 return ldb_register_module(&ldb_rootdse_module_ops);