Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Stefan Metzmacher 2004
+ Copyright (C) Matthias Dieter Wallnöfer 2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
return NT_STATUS_NO_MEMORY;\
} else if ( ! ldb_dn_validate(dn)) {\
result = LDAP_INVALID_DN_SYNTAX;\
- errstr = "Invalid DN format";\
+ map_ldb_error(local_ctx, LDB_ERR_INVALID_DN_SYNTAX, &errstr);\
goto reply;\
}\
} while(0)
-static int map_ldb_error(struct ldb_context *ldb, int err, const char **errstring)
+static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
+ const char **errstring)
{
- *errstring = ldb_errstring(ldb);
+ WERROR err;
+
+ switch (ldb_err) {
+ case LDB_SUCCESS:
+ err = WERR_OK;
+ break;
+ case LDB_ERR_OPERATIONS_ERROR:
+ err = WERR_DS_OPERATIONS_ERROR;
+ break;
+ case LDB_ERR_PROTOCOL_ERROR:
+ err = WERR_DS_PROTOCOL_ERROR;
+ break;
+ case LDB_ERR_TIME_LIMIT_EXCEEDED:
+ err = WERR_DS_TIMELIMIT_EXCEEDED;
+ break;
+ case LDB_ERR_SIZE_LIMIT_EXCEEDED:
+ err = WERR_DS_SIZE_LIMIT_EXCEEDED;
+ break;
+ case LDB_ERR_COMPARE_FALSE:
+ err = WERR_DS_COMPARE_FALSE;
+ break;
+ case LDB_ERR_COMPARE_TRUE:
+ err = WERR_DS_COMPARE_TRUE;
+ break;
+ case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED:
+ err = WERR_DS_AUTH_METHOD_NOT_SUPPORTED;
+ break;
+ case LDB_ERR_STRONG_AUTH_REQUIRED:
+ err = WERR_DS_STRONG_AUTH_REQUIRED;
+ break;
+ case LDB_ERR_REFERRAL:
+ err = WERR_DS_REFERRAL;
+ break;
+ case LDB_ERR_ADMIN_LIMIT_EXCEEDED:
+ err = WERR_DS_ADMIN_LIMIT_EXCEEDED;
+ break;
+ case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION:
+ err = WERR_DS_UNAVAILABLE_CRIT_EXTENSION;
+ break;
+ case LDB_ERR_CONFIDENTIALITY_REQUIRED:
+ err = WERR_DS_CONFIDENTIALITY_REQUIRED;
+ break;
+ case LDB_ERR_SASL_BIND_IN_PROGRESS:
+ err = WERR_DS_BUSY;
+ break;
+ case LDB_ERR_NO_SUCH_ATTRIBUTE:
+ err = WERR_DS_NO_ATTRIBUTE_OR_VALUE;
+ break;
+ case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE:
+ err = WERR_DS_ATTRIBUTE_TYPE_UNDEFINED;
+ break;
+ case LDB_ERR_INAPPROPRIATE_MATCHING:
+ err = WERR_DS_INAPPROPRIATE_MATCHING;
+ break;
+ case LDB_ERR_CONSTRAINT_VIOLATION:
+ err = WERR_DS_CONSTRAINT_VIOLATION;
+ break;
+ case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
+ err = WERR_DS_ATTRIBUTE_OR_VALUE_EXISTS;
+ break;
+ case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
+ err = WERR_DS_INVALID_ATTRIBUTE_SYNTAX;
+ break;
+ case LDB_ERR_NO_SUCH_OBJECT:
+ err = WERR_DS_NO_SUCH_OBJECT;
+ break;
+ case LDB_ERR_ALIAS_PROBLEM:
+ err = WERR_DS_ALIAS_PROBLEM;
+ break;
+ case LDB_ERR_INVALID_DN_SYNTAX:
+ err = WERR_DS_INVALID_DN_SYNTAX;
+ break;
+ case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM:
+ err = WERR_DS_ALIAS_DEREF_PROBLEM;
+ break;
+ case LDB_ERR_INAPPROPRIATE_AUTHENTICATION:
+ err = WERR_DS_INAPPROPRIATE_AUTH;
+ break;
+ case LDB_ERR_INVALID_CREDENTIALS:
+ err = WERR_ACCESS_DENIED;
+ break;
+ case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
+ err = WERR_DS_INSUFF_ACCESS_RIGHTS;
+ break;
+ case LDB_ERR_BUSY:
+ err = WERR_DS_BUSY;
+ break;
+ case LDB_ERR_UNAVAILABLE:
+ err = WERR_DS_UNAVAILABLE;
+ break;
+ case LDB_ERR_UNWILLING_TO_PERFORM:
+ err = WERR_DS_UNWILLING_TO_PERFORM;
+ break;
+ case LDB_ERR_LOOP_DETECT:
+ err = WERR_DS_LOOP_DETECT;
+ break;
+ case LDB_ERR_NAMING_VIOLATION:
+ err = WERR_DS_NAMING_VIOLATION;
+ break;
+ case LDB_ERR_OBJECT_CLASS_VIOLATION:
+ err = WERR_DS_OBJ_CLASS_VIOLATION;
+ break;
+ case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF:
+ err = WERR_DS_CANT_ON_NON_LEAF;
+ break;
+ case LDB_ERR_NOT_ALLOWED_ON_RDN:
+ err = WERR_DS_CANT_ON_RDN;
+ break;
+ case LDB_ERR_ENTRY_ALREADY_EXISTS:
+ err = WERR_DS_OBJ_STRING_NAME_EXISTS;
+ break;
+ case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED:
+ err = WERR_DS_CANT_MOD_OBJ_CLASS;
+ break;
+ case LDB_ERR_AFFECTS_MULTIPLE_DSAS:
+ err = WERR_DS_AFFECTS_MULTIPLE_DSAS;
+ break;
+ default:
+ err = WERR_DS_GENERIC_ERROR;
+ break;
+ }
+
+ *errstring = talloc_asprintf(mem_ctx, "%08x: %s", W_ERROR_V(err),
+ ldb_strerror(ldb_err));
- /* its 1:1 for now */
- return err;
+ /* result is 1:1 for now */
+ return ldb_err;
+}
+/* create and execute a modify request */
+static int ldb_mod_req_with_controls(struct ldb_context *ldb,
+ const struct ldb_message *message,
+ struct ldb_control **controls)
+{
+ struct ldb_request *req;
+ int ret;
+
+ ret = ldb_msg_sanity_check(ldb, message);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_build_mod_req(&req, ldb, ldb,
+ message,
+ controls,
+ NULL,
+ ldb_op_default_callback,
+ NULL);
+
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_request(ldb, req);
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+ }
+
+ if (ret == LDB_SUCCESS) {
+ return ldb_transaction_commit(ldb);
+ }
+ ldb_transaction_cancel(ldb);
+
+ talloc_free(req);
+ return ret;
}
/*
conn->lp_ctx,
lp_sam_url(conn->lp_ctx),
conn->session_info,
- samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx),
- conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+ samdb_credentials(conn->connection->event.ctx, conn->lp_ctx),
+ conn->global_catalog ? LDB_FLG_RDONLY : 0);
if (conn->ldb == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
= gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
int i, j = 0;
for (i = 0; ops && ops[i]; i++) {
- if (!gensec_security_ops_enabled(ops[i], conn->lp_ctx))
+ if (!lp_parm_bool(conn->lp_ctx, NULL, "gensec", ops[i]->name, ops[i]->enabled))
continue;
if (ops[i]->sasl_name && ops[i]->server_start) {
j++;
}
}
- talloc_free(ops);
+ talloc_unlink(conn, ops);
ldb_set_opaque(conn->ldb, "supportedSASLMechanims", sasl_mechs);
}
struct ldap_SearchResEntry *ent;
struct ldap_Result *done;
struct ldapsrv_reply *ent_r, *done_r;
- void *local_ctx;
+ TALLOC_CTX *local_ctx;
struct ldb_context *samdb = talloc_get_type(call->conn->ldb, struct ldb_context);
struct ldb_dn *basedn;
struct ldb_result *res = NULL;
break;
default:
result = LDAP_PROTOCOL_ERROR;
- errstr = "Invalid scope";
+ map_ldb_error(local_ctx, LDB_ERR_PROTOCOL_ERROR,
+ &errstr);
+ errstr = talloc_asprintf(local_ctx,
+ "%s. Invalid scope", errstr);
goto reply;
}
DEBUG(10,("SearchRequest: scope: [%s]\n", scope_str));
ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
for (j=0; j < ent->num_attributes; j++) {
- ent->attributes[j].name = talloc_steal(ent->attributes, res->msgs[i]->elements[j].name);
+ ent->attributes[j].name = res->msgs[i]->elements[j].name;
ent->attributes[j].num_values = 0;
ent->attributes[j].values = NULL;
if (req->attributesonly && (res->msgs[i]->elements[j].num_values == 0)) {
}
ent->attributes[j].num_values = res->msgs[i]->elements[j].num_values;
ent->attributes[j].values = res->msgs[i]->elements[j].values;
- talloc_steal(ent->attributes, res->msgs[i]->elements[j].values);
}
queue_reply:
ldapsrv_queue_reply(call, ent_r);
}
} else {
DEBUG(10,("SearchRequest: error\n"));
- result = map_ldb_error(samdb, ldb_ret, &errstr);
+ result = map_ldb_error(local_ctx, ldb_ret, &errstr);
}
done->resultcode = result;
struct ldap_ModifyRequest *req = &call->request->r.ModifyRequest;
struct ldap_Result *modify_result;
struct ldapsrv_reply *modify_reply;
- void *local_ctx;
+ TALLOC_CTX *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_message *msg = NULL;
struct ldb_dn *dn;
switch (req->mods[i].type) {
default:
result = LDAP_PROTOCOL_ERROR;
- errstr = "Invalid LDAP_MODIFY_* type";
+ map_ldb_error(local_ctx,
+ LDB_ERR_PROTOCOL_ERROR, &errstr);
+ errstr = talloc_asprintf(local_ctx,
+ "%s. Invalid LDAP_MODIFY_* type", errstr);
goto reply;
case LDAP_MODIFY_ADD:
msg->elements[i].flags = LDB_FLAG_MOD_ADD;
NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
for (j=0; j < msg->elements[i].num_values; j++) {
- if (!(req->mods[i].attrib.values[j].length > 0)) {
- result = LDAP_OTHER;
- errstr = "Empty attribute values are not allowed";
- goto reply;
- }
msg->elements[i].values[j].length = req->mods[i].attrib.values[j].length;
msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
}
}
}
- } else {
- result = LDAP_OTHER;
- errstr = "No mods are not allowed";
- goto reply;
}
reply:
NT_STATUS_HAVE_NO_MEMORY(modify_reply);
if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_modify(samdb, msg);
- result = map_ldb_error(samdb, ldb_ret, &errstr);
+ ldb_ret = ldb_mod_req_with_controls(samdb, msg, call->request->controls);
+ result = map_ldb_error(local_ctx, ldb_ret, &errstr);
}
modify_result = &modify_reply->msg->r.AddResponse;
struct ldap_AddRequest *req = &call->request->r.AddRequest;
struct ldap_Result *add_result;
struct ldapsrv_reply *add_reply;
- void *local_ctx;
+ TALLOC_CTX *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_message *msg = NULL;
struct ldb_dn *dn;
NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
for (j=0; j < msg->elements[i].num_values; j++) {
- if (!(req->attributes[i].values[j].length > 0)) {
- result = LDAP_OTHER;
- errstr = "Empty attribute values are not allowed";
- goto reply;
- }
msg->elements[i].values[j].length = req->attributes[i].values[j].length;
msg->elements[i].values[j].data = req->attributes[i].values[j].data;
}
- } else {
- result = LDAP_OTHER;
- errstr = "No attribute values are not allowed";
- goto reply;
}
}
- } else {
- result = LDAP_OTHER;
- errstr = "No attributes are not allowed";
- goto reply;
}
reply:
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_add(samdb, msg);
- result = map_ldb_error(samdb, ldb_ret, &errstr);
+ result = map_ldb_error(local_ctx, ldb_ret, &errstr);
}
add_result = &add_reply->msg->r.AddResponse;
struct ldap_DelRequest *req = &call->request->r.DelRequest;
struct ldap_Result *del_result;
struct ldapsrv_reply *del_reply;
- void *local_ctx;
+ TALLOC_CTX *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_dn *dn;
const char *errstr = NULL;
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_delete(samdb, dn);
- result = map_ldb_error(samdb, ldb_ret, &errstr);
+ result = map_ldb_error(local_ctx, ldb_ret, &errstr);
}
del_result = &del_reply->msg->r.DelResponse;
struct ldap_ModifyDNRequest *req = &call->request->r.ModifyDNRequest;
struct ldap_Result *modifydn;
struct ldapsrv_reply *modifydn_r;
- void *local_ctx;
+ TALLOC_CTX *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_dn *olddn, *newdn=NULL, *newrdn;
struct ldb_dn *parentdn = NULL;
int result = LDAP_SUCCESS;
int ldb_ret;
- DEBUG(10, ("ModifyDNRequrest"));
+ DEBUG(10, ("ModifyDNRequest"));
DEBUGADD(10, (" dn: %s", req->dn));
DEBUGADD(10, (" newrdn: %s", req->newrdn));
DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn));
DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn));
+ if (ldb_dn_get_comp_num(newrdn) != 1) {
+ result = LDAP_INVALID_DN_SYNTAX;
+ map_ldb_error(local_ctx, LDB_ERR_INVALID_DN_SYNTAX, &errstr);
+ goto reply;
+ }
+
/* we can't handle the rename if we should not remove the old dn */
if (!req->deleteolddn) {
result = LDAP_UNWILLING_TO_PERFORM;
- errstr = "Old RDN must be deleted";
+ map_ldb_error(local_ctx, LDB_ERR_UNWILLING_TO_PERFORM, &errstr);
+ errstr = talloc_asprintf(local_ctx,
+ "%s. Old RDN must be deleted", errstr);
goto reply;
}
if (ldb_dn_get_comp_num(parentdn) < 1) {
result = LDAP_AFFECTS_MULTIPLE_DSAS;
- errstr = "Error new Superior DN invalid";
+ map_ldb_error(local_ctx, LDB_ERR_AFFECTS_MULTIPLE_DSAS,
+ &errstr);
+ errstr = talloc_asprintf(local_ctx,
+ "%s. Error new Superior DN invalid", errstr);
goto reply;
}
}
NT_STATUS_HAVE_NO_MEMORY(parentdn);
}
- if ( ! ldb_dn_add_child_fmt(parentdn,
- "%s=%s",
- ldb_dn_get_rdn_name(newrdn),
- (char *)ldb_dn_get_rdn_val(newrdn)->data)) {
+ if ( ! ldb_dn_add_child(parentdn, newrdn)) {
result = LDAP_OTHER;
goto reply;
}
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_rename(samdb, olddn, newdn);
- result = map_ldb_error(samdb, ldb_ret, &errstr);
+ result = map_ldb_error(local_ctx, ldb_ret, &errstr);
}
modifydn = &modifydn_r->msg->r.ModifyDNResponse;
struct ldap_CompareRequest *req = &call->request->r.CompareRequest;
struct ldap_Result *compare;
struct ldapsrv_reply *compare_r;
- void *local_ctx;
+ TALLOC_CTX *local_ctx;
struct ldb_context *samdb = call->conn->ldb;
struct ldb_result *res = NULL;
struct ldb_dn *dn;
ldb_ret = ldb_search(samdb, local_ctx, &res,
dn, LDB_SCOPE_BASE, attrs, "%s", filter);
if (ldb_ret != LDB_SUCCESS) {
- result = map_ldb_error(samdb, ldb_ret, &errstr);
+ result = map_ldb_error(local_ctx, ldb_ret, &errstr);
DEBUG(10,("CompareRequest: error: %s\n", errstr));
} else if (res->count == 0) {
DEBUG(10,("CompareRequest: doesn't matched\n"));
errstr = NULL;
} else if (res->count > 1) {
result = LDAP_OTHER;
- errstr = "too many objects match";
+ map_ldb_error(local_ctx, LDB_ERR_OTHER, &errstr);
+ errstr = talloc_asprintf(local_ctx,
+ "%s. Too many objects match!", errstr);
DEBUG(10,("CompareRequest: %d results: %s\n", res->count, errstr));
}
}