2 ldb database library - ildap backend
4 Copyright (C) Andrew Tridgell 2005
5 Copyright (C) Simo Sorce 2008
7 ** NOTE! The following LGPL license applies to the ldb
8 ** library. This does NOT imply that all of Samba is released
11 This library is free software; you can redistribute it and/or
12 modify it under the terms of the GNU Lesser General Public
13 License as published by the Free Software Foundation; either
14 version 3 of the License, or (at your option) any later version.
16 This library is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public
22 License along with this library; if not, see <http://www.gnu.org/licenses/>.
28 * Component: ldb ildap backend
30 * Description: This is a ldb backend for the internal ldap
31 * client library in Samba4. By using this backend we are
32 * independent of a system ldap library
34 * Author: Andrew Tridgell
38 * - description: make the module use asyncronous calls
45 #include "ldb_includes.h"
47 #include "lib/events/events.h"
48 #include "libcli/ldap/ldap.h"
49 #include "libcli/ldap/ldap_client.h"
50 #include "auth/auth.h"
51 #include "auth/credentials/credentials.h"
52 #include "param/param.h"
55 struct ldap_connection *ldap;
56 struct event_context *event_ctx;
60 struct ldb_module *module;
61 struct ldb_request *req;
63 struct ildb_private *ildb;
64 struct ldap_request *ireq;
68 struct ildb_destructor_ctx *dc;
71 static void ildb_request_done(struct ildb_context *ctx,
72 struct ldb_control **ctrls, int error)
74 struct ldb_reply *ares;
78 if (ctx->req == NULL) {
79 /* if the req has been freed already just return */
83 ares = talloc_zero(ctx->req, struct ldb_reply);
85 ldb_oom(ctx->req->handle->ldb);
86 ctx->req->callback(ctx->req, NULL);
89 ares->type = LDB_REPLY_DONE;
90 ares->controls = talloc_steal(ares, ctrls);
93 ctx->req->callback(ctx->req, ares);
96 static void ildb_auto_done_callback(struct event_context *ev,
97 struct timed_event *te,
101 struct ildb_context *ac;
103 ac = talloc_get_type(private_data, struct ildb_context);
104 ildb_request_done(ac, NULL, LDB_SUCCESS);
108 convert a ldb_message structure to a list of ldap_mod structures
109 ready for ildap_add() or ildap_modify()
111 static struct ldap_mod **ildb_msg_to_mods(void *mem_ctx, int *num_mods,
112 const struct ldb_message *msg,
115 struct ldap_mod **mods;
119 /* allocate maximum number of elements needed */
120 mods = talloc_array(mem_ctx, struct ldap_mod *, msg->num_elements+1);
127 for (i = 0; i < msg->num_elements; i++) {
128 const struct ldb_message_element *el = &msg->elements[i];
130 mods[n] = talloc(mods, struct ldap_mod);
136 mods[n]->attrib = *el;
138 switch (el->flags & LDB_FLAG_MOD_MASK) {
139 case LDB_FLAG_MOD_ADD:
140 mods[n]->type = LDAP_MODIFY_ADD;
142 case LDB_FLAG_MOD_DELETE:
143 mods[n]->type = LDAP_MODIFY_DELETE;
145 case LDB_FLAG_MOD_REPLACE:
146 mods[n]->type = LDAP_MODIFY_REPLACE;
163 map an ildap NTSTATUS to a ldb error code
165 static int ildb_map_error(struct ldb_module *module, NTSTATUS status)
167 struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
169 TALLOC_CTX *mem_ctx = talloc_new(ildb);
170 if (NT_STATUS_IS_OK(status)) {
174 ldb_oom(module->ldb);
175 return LDB_ERR_OPERATIONS_ERROR;
177 ldb_set_errstring(module->ldb,
178 ldap_errstr(ildb->ldap, mem_ctx, status));
179 talloc_free(mem_ctx);
180 if (NT_STATUS_IS_LDAP(status)) {
181 return NT_STATUS_LDAP_CODE(status);
183 return LDB_ERR_OPERATIONS_ERROR;
186 static void ildb_request_timeout(struct event_context *ev, struct timed_event *te,
187 struct timeval t, void *private_data)
189 struct ildb_context *ac = talloc_get_type(private_data, struct ildb_context);
191 if (ac->ireq->state == LDAP_REQUEST_PENDING) {
192 DLIST_REMOVE(ac->ireq->conn->pending, ac->ireq);
195 ildb_request_done(ac, NULL, LDB_ERR_TIME_LIMIT_EXCEEDED);
198 static void ildb_callback(struct ldap_request *req)
200 struct ildb_context *ac;
202 struct ldap_SearchResEntry *search;
203 struct ldap_message *msg;
204 struct ldb_control **controls;
205 struct ldb_message *ldbmsg;
207 bool callback_failed;
212 ac = talloc_get_type(req->async.private_data, struct ildb_context);
213 callback_failed = false;
214 request_done = false;
217 if (!NT_STATUS_IS_OK(req->status)) {
218 ret = ildb_map_error(ac->module, req->status);
219 ildb_request_done(ac, NULL, ret);
223 if (req->num_replies < 1) {
224 ret = LDB_ERR_OPERATIONS_ERROR;
225 ildb_request_done(ac, NULL, ret);
231 case LDAP_TAG_ModifyRequest:
232 if (req->replies[0]->type != LDAP_TAG_ModifyResponse) {
233 ret = LDB_ERR_PROTOCOL_ERROR;
236 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
237 ret = ildb_map_error(ac->module, status);
241 case LDAP_TAG_AddRequest:
242 if (req->replies[0]->type != LDAP_TAG_AddResponse) {
243 ret = LDB_ERR_PROTOCOL_ERROR;
246 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
247 ret = ildb_map_error(ac->module, status);
251 case LDAP_TAG_DelRequest:
252 if (req->replies[0]->type != LDAP_TAG_DelResponse) {
253 ret = LDB_ERR_PROTOCOL_ERROR;
256 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
257 ret = ildb_map_error(ac->module, status);
261 case LDAP_TAG_ModifyDNRequest:
262 if (req->replies[0]->type != LDAP_TAG_ModifyDNResponse) {
263 ret = LDB_ERR_PROTOCOL_ERROR;
266 status = ldap_check_response(ac->ireq->conn, &req->replies[0]->r.GeneralResult);
267 ret = ildb_map_error(ac->module, status);
271 case LDAP_TAG_SearchRequest:
272 /* loop over all messages */
273 for (i = 0; i < req->num_replies; i++) {
275 msg = req->replies[i];
278 case LDAP_TAG_SearchResultDone:
280 status = ldap_check_response(ac->ireq->conn, &msg->r.GeneralResult);
281 if (!NT_STATUS_IS_OK(status)) {
282 ret = ildb_map_error(ac->module, status);
286 controls = talloc_steal(ac, msg->controls);
287 if (msg->r.SearchResultDone.resultcode) {
288 if (msg->r.SearchResultDone.errormessage) {
289 ldb_set_errstring(ac->module->ldb, msg->r.SearchResultDone.errormessage);
293 ret = msg->r.SearchResultDone.resultcode;
297 case LDAP_TAG_SearchResultEntry:
299 ldbmsg = ldb_msg_new(ac);
301 ret = LDB_ERR_OPERATIONS_ERROR;
305 search = &(msg->r.SearchResultEntry);
307 ldbmsg->dn = ldb_dn_new(ldbmsg, ac->module->ldb, search->dn);
308 if ( ! ldb_dn_validate(ldbmsg->dn)) {
309 ret = LDB_ERR_OPERATIONS_ERROR;
312 ldbmsg->num_elements = search->num_attributes;
313 ldbmsg->elements = talloc_move(ldbmsg, &search->attributes);
315 ret = ldb_module_send_entry(ac->req, ldbmsg);
316 if (ret != LDB_SUCCESS) {
317 callback_failed = true;
321 case LDAP_TAG_SearchResultReference:
323 referral = talloc_strdup(ac, msg->r.SearchResultReference.referral);
325 ret = ldb_module_send_referral(ac->req, referral);
326 if (ret != LDB_SUCCESS) {
327 callback_failed = true;
332 /* TAG not handled, fail ! */
333 ret = LDB_ERR_PROTOCOL_ERROR;
337 if (ret != LDB_SUCCESS) {
342 talloc_free(req->replies);
344 req->num_replies = 0;
349 ret = LDB_ERR_PROTOCOL_ERROR;
353 if (ret != LDB_SUCCESS) {
355 /* if the callback failed the caller will have freed the
356 * request. Just return and don't try to use it */
357 if ( ! callback_failed) {
363 ildb_request_done(ac, controls, ret);
368 static int ildb_request_send(struct ildb_context *ac, struct ldap_message *msg)
370 struct ldap_request *req;
373 return LDB_ERR_OPERATIONS_ERROR;
376 req = ldap_request_send(ac->ildb->ldap, msg);
378 ldb_set_errstring(ac->module->ldb, "async send request failed");
379 return LDB_ERR_OPERATIONS_ERROR;
381 ac->ireq = talloc_steal(ac, req);
383 if (!ac->ireq->conn) {
384 ldb_set_errstring(ac->module->ldb, "connection to remote LDAP server dropped?");
385 return LDB_ERR_OPERATIONS_ERROR;
388 talloc_free(req->time_event);
389 req->time_event = NULL;
390 if (ac->req->timeout) {
391 req->time_event = event_add_timed(ac->ildb->event_ctx, ac,
392 timeval_current_ofs(ac->req->timeout, 0),
393 ildb_request_timeout, ac);
396 req->async.fn = ildb_callback;
397 req->async.private_data = ac;
403 search for matching records using an asynchronous function
405 static int ildb_search(struct ildb_context *ac)
407 struct ldb_request *req = ac->req;
408 struct ldap_message *msg;
411 if (!req->callback || !req->context) {
412 ldb_set_errstring(ac->module->ldb, "Async interface called with NULL callback function or NULL context");
413 return LDB_ERR_OPERATIONS_ERROR;
416 if (req->op.search.tree == NULL) {
417 ldb_set_errstring(ac->module->ldb, "Invalid expression parse tree");
418 return LDB_ERR_OPERATIONS_ERROR;
421 msg = new_ldap_message(req);
423 ldb_set_errstring(ac->module->ldb, "Out of Memory");
424 return LDB_ERR_OPERATIONS_ERROR;
427 msg->type = LDAP_TAG_SearchRequest;
429 if (req->op.search.base == NULL) {
430 msg->r.SearchRequest.basedn = talloc_strdup(msg, "");
432 msg->r.SearchRequest.basedn = ldb_dn_alloc_linearized(msg, req->op.search.base);
434 if (msg->r.SearchRequest.basedn == NULL) {
435 ldb_set_errstring(ac->module->ldb, "Unable to determine baseDN");
437 return LDB_ERR_OPERATIONS_ERROR;
440 if (req->op.search.scope == LDB_SCOPE_DEFAULT) {
441 msg->r.SearchRequest.scope = LDB_SCOPE_SUBTREE;
443 msg->r.SearchRequest.scope = req->op.search.scope;
446 msg->r.SearchRequest.deref = LDAP_DEREFERENCE_NEVER;
447 msg->r.SearchRequest.timelimit = 0;
448 msg->r.SearchRequest.sizelimit = 0;
449 msg->r.SearchRequest.attributesonly = 0;
450 msg->r.SearchRequest.tree = discard_const(req->op.search.tree);
452 for (n = 0; req->op.search.attrs && req->op.search.attrs[n]; n++) /* noop */ ;
453 msg->r.SearchRequest.num_attributes = n;
454 msg->r.SearchRequest.attributes = discard_const(req->op.search.attrs);
455 msg->controls = req->controls;
457 return ildb_request_send(ac, msg);
463 static int ildb_add(struct ildb_context *ac)
465 struct ldb_request *req = ac->req;
466 struct ldap_message *msg;
467 struct ldap_mod **mods;
470 msg = new_ldap_message(req);
472 return LDB_ERR_OPERATIONS_ERROR;
475 msg->type = LDAP_TAG_AddRequest;
477 msg->r.AddRequest.dn = ldb_dn_alloc_linearized(msg, req->op.add.message->dn);
478 if (msg->r.AddRequest.dn == NULL) {
480 return LDB_ERR_INVALID_DN_SYNTAX;
483 mods = ildb_msg_to_mods(msg, &n, req->op.add.message, 0);
486 return LDB_ERR_OPERATIONS_ERROR;
489 msg->r.AddRequest.num_attributes = n;
490 msg->r.AddRequest.attributes = talloc_array(msg, struct ldb_message_element, n);
491 if (msg->r.AddRequest.attributes == NULL) {
493 return LDB_ERR_OPERATIONS_ERROR;
496 for (i = 0; i < n; i++) {
497 msg->r.AddRequest.attributes[i] = mods[i]->attrib;
500 return ildb_request_send(ac, msg);
506 static int ildb_modify(struct ildb_context *ac)
508 struct ldb_request *req = ac->req;
509 struct ldap_message *msg;
510 struct ldap_mod **mods;
513 msg = new_ldap_message(req);
515 return LDB_ERR_OPERATIONS_ERROR;
518 msg->type = LDAP_TAG_ModifyRequest;
520 msg->r.ModifyRequest.dn = ldb_dn_alloc_linearized(msg, req->op.mod.message->dn);
521 if (msg->r.ModifyRequest.dn == NULL) {
523 return LDB_ERR_INVALID_DN_SYNTAX;
526 mods = ildb_msg_to_mods(msg, &n, req->op.mod.message, 1);
529 return LDB_ERR_OPERATIONS_ERROR;
532 msg->r.ModifyRequest.num_mods = n;
533 msg->r.ModifyRequest.mods = talloc_array(msg, struct ldap_mod, n);
534 if (msg->r.ModifyRequest.mods == NULL) {
536 return LDB_ERR_OPERATIONS_ERROR;
539 for (i = 0; i < n; i++) {
540 msg->r.ModifyRequest.mods[i] = *mods[i];
543 return ildb_request_send(ac, msg);
549 static int ildb_delete(struct ildb_context *ac)
551 struct ldb_request *req = ac->req;
552 struct ldap_message *msg;
554 msg = new_ldap_message(req);
556 return LDB_ERR_OPERATIONS_ERROR;
559 msg->type = LDAP_TAG_DelRequest;
561 msg->r.DelRequest.dn = ldb_dn_alloc_linearized(msg, req->op.del.dn);
562 if (msg->r.DelRequest.dn == NULL) {
564 return LDB_ERR_INVALID_DN_SYNTAX;
567 return ildb_request_send(ac, msg);
573 static int ildb_rename(struct ildb_context *ac)
575 struct ldb_request *req = ac->req;
576 struct ldap_message *msg;
578 msg = new_ldap_message(req);
580 return LDB_ERR_OPERATIONS_ERROR;
583 msg->type = LDAP_TAG_ModifyDNRequest;
584 msg->r.ModifyDNRequest.dn = ldb_dn_alloc_linearized(msg, req->op.rename.olddn);
585 if (msg->r.ModifyDNRequest.dn == NULL) {
587 return LDB_ERR_INVALID_DN_SYNTAX;
590 msg->r.ModifyDNRequest.newrdn =
591 talloc_asprintf(msg, "%s=%s",
592 ldb_dn_get_rdn_name(req->op.rename.newdn),
593 ldb_dn_escape_value(msg, *ldb_dn_get_rdn_val(req->op.rename.newdn)));
594 if (msg->r.ModifyDNRequest.newrdn == NULL) {
596 return LDB_ERR_OPERATIONS_ERROR;
599 msg->r.ModifyDNRequest.newsuperior =
600 ldb_dn_alloc_linearized(msg, ldb_dn_get_parent(msg, req->op.rename.newdn));
601 if (msg->r.ModifyDNRequest.newsuperior == NULL) {
603 return LDB_ERR_INVALID_DN_SYNTAX;
606 msg->r.ModifyDNRequest.deleteolddn = true;
608 return ildb_request_send(ac, msg);
611 static int ildb_start_trans(struct ldb_module *module)
613 /* TODO implement a local locking mechanism here */
618 static int ildb_end_trans(struct ldb_module *module)
620 /* TODO implement a local transaction mechanism here */
625 static int ildb_del_trans(struct ldb_module *module)
627 /* TODO implement a local locking mechanism here */
632 static bool ildb_dn_is_special(struct ldb_request *req)
634 struct ldb_dn *dn = NULL;
636 switch (req->operation) {
638 dn = req->op.add.message->dn;
641 dn = req->op.mod.message->dn;
647 dn = req->op.rename.olddn;
653 if (dn && ldb_dn_is_special(dn)) {
659 static int ildb_handle_request(struct ldb_module *module, struct ldb_request *req)
661 struct ildb_private *ildb;
662 struct ildb_context *ac;
663 struct timed_event *te;
666 ildb = talloc_get_type(module->private_data, struct ildb_private);
668 if (req->starttime == 0 || req->timeout == 0) {
669 ldb_set_errstring(module->ldb, "Invalid timeout settings");
670 return LDB_ERR_TIME_LIMIT_EXCEEDED;
673 ac = talloc_zero(req, struct ildb_context);
675 ldb_set_errstring(module->ldb, "Out of Memory");
676 return LDB_ERR_OPERATIONS_ERROR;
683 if (ildb_dn_is_special(req)) {
685 te = event_add_timed(ac->ildb->event_ctx,
687 ildb_auto_done_callback, ac);
689 return LDB_ERR_OPERATIONS_ERROR;
695 switch (ac->req->operation) {
697 ret = ildb_search(ac);
703 ret = ildb_modify(ac);
706 ret = ildb_delete(ac);
709 ret = ildb_rename(ac);
712 /* no other op supported */
713 ret = LDB_ERR_OPERATIONS_ERROR;
720 static const struct ldb_module_ops ildb_ops = {
722 .search = ildb_handle_request,
723 .add = ildb_handle_request,
724 .modify = ildb_handle_request,
725 .del = ildb_handle_request,
726 .rename = ildb_handle_request,
727 /* .request = ildb_handle_request, */
728 .start_transaction = ildb_start_trans,
729 .end_transaction = ildb_end_trans,
730 .del_transaction = ildb_del_trans,
734 connect to the database
736 static int ildb_connect(struct ldb_context *ldb, const char *url,
737 unsigned int flags, const char *options[],
738 struct ldb_module **_module)
740 struct ldb_module *module;
741 struct ildb_private *ildb;
743 struct cli_credentials *creds;
745 module = talloc(ldb, struct ldb_module);
750 talloc_set_name_const(module, "ldb_ildap backend");
752 module->prev = module->next = NULL;
753 module->ops = &ildb_ops;
755 ildb = talloc(module, struct ildb_private);
760 module->private_data = ildb;
762 ildb->event_ctx = ldb_get_event_context(ldb);
765 ildb->ldap = ldap4_new_connection(ildb, ldb_get_opaque(ldb, "loadparm"),
772 if (flags & LDB_FLG_RECONNECT) {
773 ldap_set_reconn_params(ildb->ldap, 10);
776 status = ldap_connect(ildb->ldap, url);
777 if (!NT_STATUS_IS_OK(status)) {
778 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to ldap URL '%s' - %s\n",
779 url, ldap_errstr(ildb->ldap, module, status));
783 /* caller can optionally setup credentials using the opaque token 'credentials' */
784 creds = talloc_get_type(ldb_get_opaque(ldb, "credentials"), struct cli_credentials);
786 struct auth_session_info *session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);
788 creds = session_info->credentials;
792 if (creds != NULL && cli_credentials_authentication_requested(creds)) {
793 const char *bind_dn = cli_credentials_get_bind_dn(creds);
795 const char *password = cli_credentials_get_password(creds);
796 status = ldap_bind_simple(ildb->ldap, bind_dn, password);
797 if (!NT_STATUS_IS_OK(status)) {
798 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n",
799 ldap_errstr(ildb->ldap, module, status));
803 status = ldap_bind_sasl(ildb->ldap, creds, ldb_get_opaque(ldb, "loadparm"));
804 if (!NT_STATUS_IS_OK(status)) {
805 ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n",
806 ldap_errstr(ildb->ldap, module, status));
820 _PUBLIC_ const struct ldb_backend_ops ldb_ldap_backend_ops = {
822 .connect_fn = ildb_connect
825 _PUBLIC_ const struct ldb_backend_ops ldb_ldapi_backend_ops = {
827 .connect_fn = ildb_connect
830 _PUBLIC_ const struct ldb_backend_ops ldb_ldaps_backend_ops = {
832 .connect_fn = ildb_connect
git.samba.org / amitay / samba.git / blob