4 Copyright (C) Andrew Tridgell 2004
6 ** NOTE! The following LGPL license applies to the ldb
7 ** library. This does NOT imply that all of Samba is released
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public
21 License along with this library; if not, see <http://www.gnu.org/licenses/>.
27 * Component: ldb search functions
29 * Description: functions to search ldb+tdb databases
31 * Author: Andrew Tridgell
35 #include "ldb_private.h"
38 add one element to a message
40 static int msg_add_element(struct ldb_message *ret,
41 const struct ldb_message_element *el,
45 struct ldb_message_element *e2, *elnew;
47 if (check_duplicates && ldb_msg_find_element(ret, el->name)) {
48 /* its already there */
52 e2 = talloc_realloc(ret, ret->elements, struct ldb_message_element, ret->num_elements+1);
58 elnew = &e2[ret->num_elements];
60 elnew->name = talloc_strdup(ret->elements, el->name);
66 elnew->values = talloc_array(ret->elements, struct ldb_val, el->num_values);
74 for (i=0;i<el->num_values;i++) {
75 elnew->values[i] = ldb_val_dup(elnew->values, &el->values[i]);
76 if (elnew->values[i].length != el->values[i].length) {
81 elnew->num_values = el->num_values;
82 elnew->flags = el->flags;
90 add the special distinguishedName element
92 static int msg_add_distinguished_name(struct ldb_message *msg)
94 struct ldb_message_element el;
99 el.name = "distinguishedName";
103 val.data = (uint8_t *)ldb_dn_alloc_linearized(msg, msg->dn);
104 if (val.data == NULL) {
107 val.length = strlen((char *)val.data);
109 ret = msg_add_element(msg, &el, 1);
114 search the database for a single simple dn.
115 return LDB_ERR_NO_SUCH_OBJECT on record-not-found
116 and LDB_SUCCESS on success
118 int ldb_kv_search_base(struct ldb_module *module,
121 struct ldb_dn **ret_dn)
125 struct ldb_message *msg = NULL;
127 if (ldb_dn_is_null(dn)) {
128 return LDB_ERR_NO_SUCH_OBJECT;
132 * We can't use tdb_exists() directly on a key when the TDB
133 * key is the GUID one, not the DN based one. So we just do a
134 * normal search and avoid most of the allocation with the
135 * LDB_UNPACK_DATA_FLAG_NO_DN and
136 * LDB_UNPACK_DATA_FLAG_NO_ATTRS flags
138 msg = ldb_msg_new(module);
140 return LDB_ERR_OPERATIONS_ERROR;
143 ret = ldb_kv_search_dn1(module, dn, msg, LDB_UNPACK_DATA_FLAG_NO_ATTRS);
144 if (ret == LDB_SUCCESS) {
145 const char *dn_linearized
146 = ldb_dn_get_linearized(dn);
147 const char *msg_dn_linearlized
148 = ldb_dn_get_linearized(msg->dn);
150 if (strcmp(dn_linearized, msg_dn_linearlized) == 0) {
152 * Re-use the full incoming DN for
158 * Use the string DN from the unpack, so that
159 * we have a case-exact match of the base
161 *ret_dn = talloc_steal(mem_ctx, msg->dn);
164 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
174 return LDB_ERR_NO_SUCH_OBJECT;
177 struct ldb_kv_parse_data_unpack_ctx {
178 struct ldb_message *msg;
179 struct ldb_module *module;
180 unsigned int unpack_flags;
183 static int ldb_kv_parse_data_unpack(struct ldb_val key,
187 struct ldb_kv_parse_data_unpack_ctx *ctx = private_data;
188 unsigned int nb_elements_in_db;
190 struct ldb_context *ldb = ldb_module_get_ctx(ctx->module);
191 struct ldb_val data_parse = data;
193 if (ctx->unpack_flags & LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC) {
195 * If we got LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC
196 * we need at least do a memdup on the whole
197 * data buffer as that may change later
198 * and the caller needs a stable result.
200 data_parse.data = talloc_memdup(ctx->msg,
203 if (data_parse.data == NULL) {
204 ldb_debug(ldb, LDB_DEBUG_ERROR,
205 "Unable to allocate data(%d) for %*.*s\n",
207 (int)key.length, (int)key.length, key.data);
208 return LDB_ERR_OPERATIONS_ERROR;
212 ret = ldb_unpack_data_only_attr_list_flags(ldb, &data_parse,
218 if (data_parse.data != data.data) {
219 talloc_free(data_parse.data);
222 ldb_debug(ldb, LDB_DEBUG_ERROR, "Invalid data for index %*.*s\n",
223 (int)key.length, (int)key.length, key.data);
224 return LDB_ERR_OPERATIONS_ERROR;
230 search the database for a single simple dn, returning all attributes
233 return LDB_ERR_NO_SUCH_OBJECT on record-not-found
234 and LDB_SUCCESS on success
236 int ldb_kv_search_key(struct ldb_module *module,
237 struct ldb_kv_private *ldb_kv,
238 const struct ldb_val ldb_key,
239 struct ldb_message *msg,
240 unsigned int unpack_flags)
243 struct ldb_kv_parse_data_unpack_ctx ctx = {
246 .unpack_flags = unpack_flags
249 memset(msg, 0, sizeof(*msg));
251 msg->num_elements = 0;
252 msg->elements = NULL;
254 ret = ldb_kv->kv_ops->fetch_and_parse(
255 ldb_kv, ldb_key, ldb_kv_parse_data_unpack, &ctx);
258 ret = ldb_kv->kv_ops->error(ldb_kv);
259 if (ret == LDB_SUCCESS) {
261 * Just to be sure we don't turn errors
264 return LDB_ERR_OPERATIONS_ERROR;
267 } else if (ret != LDB_SUCCESS) {
275 search the database for a single simple dn, returning all attributes
278 return LDB_ERR_NO_SUCH_OBJECT on record-not-found
279 and LDB_SUCCESS on success
281 int ldb_kv_search_dn1(struct ldb_module *module,
283 struct ldb_message *msg,
284 unsigned int unpack_flags)
286 void *data = ldb_module_get_private(module);
287 struct ldb_kv_private *ldb_kv =
288 talloc_get_type(data, struct ldb_kv_private);
290 uint8_t guid_key[LDB_KV_GUID_KEY_SIZE];
291 struct ldb_val key = {
293 .length = sizeof(guid_key)
295 TALLOC_CTX *tdb_key_ctx = NULL;
297 bool valid_dn = ldb_dn_validate(dn);
298 if (valid_dn == false) {
299 ldb_asprintf_errstring(ldb_module_get_ctx(module),
300 "Invalid Base DN: %s",
301 ldb_dn_get_linearized(dn));
302 return LDB_ERR_INVALID_DN_SYNTAX;
305 if (ldb_kv->cache->GUID_index_attribute == NULL ||
306 ldb_dn_is_special(dn)) {
308 tdb_key_ctx = talloc_new(msg);
310 return ldb_module_oom(module);
314 key = ldb_kv_key_dn(module, tdb_key_ctx, dn);
316 TALLOC_FREE(tdb_key_ctx);
317 return LDB_ERR_OPERATIONS_ERROR;
321 * Look in the index to find the key for this DN.
323 * the tdb_key memory is allocated above, msg is just
324 * used for internal memory.
327 ret = ldb_kv_key_dn_from_idx(module, ldb_kv, msg, dn, &key);
328 if (ret != LDB_SUCCESS) {
333 ret = ldb_kv_search_key(module, ldb_kv, key, msg, unpack_flags);
335 TALLOC_FREE(tdb_key_ctx);
337 if (ret != LDB_SUCCESS) {
341 if ((unpack_flags & LDB_UNPACK_DATA_FLAG_NO_DN) == 0) {
343 msg->dn = ldb_dn_copy(msg, dn);
346 return LDB_ERR_OPERATIONS_ERROR;
354 filter the specified list of attributes from a message
355 removing not requested attrs from the new message constructed.
357 The reason this makes a new message is that the old one may not be
358 individually allocated, which is what our callers expect.
361 int ldb_kv_filter_attrs(TALLOC_CTX *mem_ctx,
362 const struct ldb_message *msg,
363 const char *const *attrs,
364 struct ldb_message **filtered_msg)
367 bool keep_all = false;
369 uint32_t num_elements;
370 uint32_t elements_size;
371 struct ldb_message *msg2;
373 msg2 = ldb_msg_new(mem_ctx);
378 msg2->dn = ldb_dn_copy(msg2, msg->dn);
379 if (msg2->dn == NULL) {
384 /* check for special attrs */
385 for (i = 0; attrs[i]; i++) {
386 int cmp = strcmp(attrs[i], "*");
391 cmp = ldb_attr_cmp(attrs[i], "distinguishedName");
402 elements_size = msg->num_elements + 1;
404 /* Shortcuts for the simple cases */
405 } else if (add_dn && i == 1) {
406 if (msg_add_distinguished_name(msg2) != 0) {
409 *filtered_msg = msg2;
412 *filtered_msg = msg2;
415 /* Otherwise we are copying at most as many element as we have attributes */
420 msg2->elements = talloc_array(msg2, struct ldb_message_element,
422 if (msg2->elements == NULL) goto failed;
426 for (i = 0; i < msg->num_elements; i++) {
427 struct ldb_message_element *el = &msg->elements[i];
428 struct ldb_message_element *el2 = &msg2->elements[num_elements];
431 if (keep_all == false) {
433 for (j = 0; attrs[j]; j++) {
434 int cmp = ldb_attr_cmp(el->name, attrs[j]);
440 if (found == false) {
445 el2->name = talloc_strdup(msg2->elements, el->name);
446 if (el2->name == NULL) {
449 el2->values = talloc_array(msg2->elements, struct ldb_val, el->num_values);
450 if (el2->values == NULL) {
453 for (j=0;j<el->num_values;j++) {
454 el2->values[j] = ldb_val_dup(el2->values, &el->values[j]);
455 if (el2->values[j].data == NULL && el->values[j].length != 0) {
461 /* Pidginhole principle: we can't have more elements
462 * than the number of attributes if they are unique in
464 if (num_elements > elements_size) {
469 msg2->num_elements = num_elements;
472 if (msg_add_distinguished_name(msg2) != 0) {
477 if (msg2->num_elements > 0) {
478 msg2->elements = talloc_realloc(msg2, msg2->elements,
479 struct ldb_message_element,
481 if (msg2->elements == NULL) {
485 talloc_free(msg2->elements);
486 msg2->elements = NULL;
489 *filtered_msg = msg2;
498 search function for a non-indexed search
500 static int search_func(struct ldb_kv_private *ldb_kv,
505 struct ldb_context *ldb;
506 struct ldb_kv_context *ac;
507 struct ldb_message *msg, *filtered_msg;
510 unsigned int nb_elements_in_db;
512 ac = talloc_get_type(state, struct ldb_kv_context);
513 ldb = ldb_module_get_ctx(ac->module);
515 if (ldb_kv_key_is_record(key) == false) {
519 msg = ldb_msg_new(ac);
521 ac->error = LDB_ERR_OPERATIONS_ERROR;
525 /* unpack the record */
526 ret = ldb_unpack_data_only_attr_list_flags(ldb, &val,
529 LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC|
530 LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC,
534 ac->error = LDB_ERR_OPERATIONS_ERROR;
539 msg->dn = ldb_dn_new(msg, ldb,
540 (char *)key.data + 3);
541 if (msg->dn == NULL) {
543 ac->error = LDB_ERR_OPERATIONS_ERROR;
548 /* see if it matches the given expression */
549 ret = ldb_match_msg_error(ldb, msg,
550 ac->tree, ac->base, ac->scope, &matched);
551 if (ret != LDB_SUCCESS) {
553 ac->error = LDB_ERR_OPERATIONS_ERROR;
561 /* filter the attributes that the user wants */
562 ret = ldb_kv_filter_attrs(ac, msg, ac->attrs, &filtered_msg);
566 ac->error = LDB_ERR_OPERATIONS_ERROR;
570 ret = ldb_module_send_entry(ac->req, filtered_msg, NULL);
571 if (ret != LDB_SUCCESS) {
572 ac->request_terminated = true;
573 /* the callback failed, abort the operation */
574 ac->error = LDB_ERR_OPERATIONS_ERROR;
583 search the database with a LDAP-like expression.
584 this is the "full search" non-indexed variant
586 static int ldb_kv_search_full(struct ldb_kv_context *ctx)
588 void *data = ldb_module_get_private(ctx->module);
589 struct ldb_kv_private *ldb_kv =
590 talloc_get_type(data, struct ldb_kv_private);
593 ctx->error = LDB_SUCCESS;
594 ret = ldb_kv->kv_ops->iterate(ldb_kv, search_func, ctx);
597 return LDB_ERR_OPERATIONS_ERROR;
603 static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv,
604 struct ldb_kv_context *ctx)
606 struct ldb_message *msg, *filtered_msg;
607 struct ldb_context *ldb = ldb_module_get_ctx(ctx->module);
608 const char *dn_linearized;
609 const char *msg_dn_linearlized;
613 msg = ldb_msg_new(ctx);
615 return LDB_ERR_OPERATIONS_ERROR;
617 ret = ldb_kv_search_dn1(ctx->module,
620 LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC |
621 LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC);
623 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
624 if (ldb_kv->check_base == false) {
626 * In this case, we are done, as no base
627 * checking is allowed in this DB
632 ldb_asprintf_errstring(ldb,
633 "No such Base DN: %s",
634 ldb_dn_get_linearized(ctx->base));
636 if (ret != LDB_SUCCESS) {
643 * We use this, not ldb_match_msg_error() as we know
644 * we matched on the scope BASE, as we just fetched
648 ret = ldb_match_message(ldb, msg,
652 if (ret != LDB_SUCCESS) {
661 dn_linearized = ldb_dn_get_linearized(ctx->base);
662 msg_dn_linearlized = ldb_dn_get_linearized(msg->dn);
664 if (strcmp(dn_linearized, msg_dn_linearlized) == 0) {
666 * If the DN is exactly the same string, then
667 * re-use the full incoming DN for the
668 * returned result, as it has already been
675 * filter the attributes that the user wants.
677 * This copies msg->dn including the casefolding, so the above
680 ret = ldb_kv_filter_attrs(ctx, msg, ctx->attrs, &filtered_msg);
683 * Remove any extended components possibly copied in from
684 * msg->dn, we just want the casefold components
686 ldb_dn_remove_extended_components(filtered_msg->dn);
690 return LDB_ERR_OPERATIONS_ERROR;
693 ret = ldb_module_send_entry(ctx->req, filtered_msg, NULL);
694 if (ret != LDB_SUCCESS) {
695 /* Regardless of success or failure, the msg
696 * is the callbacks responsiblity, and should
697 * not be talloc_free()'ed */
698 ctx->request_terminated = true;
706 search the database with a LDAP-like expression.
707 choses a search method
709 int ldb_kv_search(struct ldb_kv_context *ctx)
711 struct ldb_context *ldb;
712 struct ldb_module *module = ctx->module;
713 struct ldb_request *req = ctx->req;
714 void *data = ldb_module_get_private(module);
715 struct ldb_kv_private *ldb_kv =
716 talloc_get_type(data, struct ldb_kv_private);
719 ldb = ldb_module_get_ctx(module);
721 ldb_request_set_state(req, LDB_ASYNC_PENDING);
723 if (ldb_kv->kv_ops->lock_read(module) != 0) {
724 return LDB_ERR_OPERATIONS_ERROR;
727 if (ldb_kv_cache_load(module) != 0) {
728 ldb_kv->kv_ops->unlock_read(module);
729 return LDB_ERR_OPERATIONS_ERROR;
732 if (req->op.search.tree == NULL) {
733 ldb_kv->kv_ops->unlock_read(module);
734 return LDB_ERR_OPERATIONS_ERROR;
737 ctx->tree = req->op.search.tree;
738 ctx->scope = req->op.search.scope;
739 ctx->base = req->op.search.base;
740 ctx->attrs = req->op.search.attrs;
742 if ((req->op.search.base == NULL) || (ldb_dn_is_null(req->op.search.base) == true)) {
744 /* Check what we should do with a NULL dn */
745 switch (req->op.search.scope) {
747 ldb_asprintf_errstring(ldb,
748 "NULL Base DN invalid for a base search");
749 ret = LDB_ERR_INVALID_DN_SYNTAX;
751 case LDB_SCOPE_ONELEVEL:
752 ldb_asprintf_errstring(ldb,
753 "NULL Base DN invalid for a one-level search");
754 ret = LDB_ERR_INVALID_DN_SYNTAX;
756 case LDB_SCOPE_SUBTREE:
758 /* We accept subtree searches from a NULL base DN, ie over the whole DB */
761 } else if (req->op.search.scope == LDB_SCOPE_BASE) {
764 * If we are LDB_SCOPE_BASE, do just one search and
765 * return early. This is critical to ensure we do not
766 * go into the index code for special DNs, as that
767 * will try to look up an index record for a special
768 * record (which doesn't exist).
770 ret = ldb_kv_search_and_return_base(ldb_kv, ctx);
772 ldb_kv->kv_ops->unlock_read(module);
776 } else if (ldb_kv->check_base) {
778 * This database has been marked as
779 * 'checkBaseOnSearch', so do a spot check of the base
780 * dn. Also optimise the subsequent filter by filling
781 * in the ctx->base to be exactly case correct
783 ret = ldb_kv_search_base(
784 module, ctx, req->op.search.base, &ctx->base);
786 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
787 ldb_asprintf_errstring(ldb,
788 "No such Base DN: %s",
789 ldb_dn_get_linearized(req->op.search.base));
792 } else if (ldb_dn_validate(req->op.search.base) == false) {
794 /* We don't want invalid base DNs here */
795 ldb_asprintf_errstring(ldb,
796 "Invalid Base DN: %s",
797 ldb_dn_get_linearized(req->op.search.base));
798 ret = LDB_ERR_INVALID_DN_SYNTAX;
801 /* If we are not checking the base DN life is easy */
805 if (ret == LDB_SUCCESS) {
806 uint32_t match_count = 0;
808 ret = ldb_kv_search_indexed(ctx, &match_count);
809 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
810 /* Not in the index, therefore OK! */
814 /* Check if we got just a normal error.
815 * In that case proceed to a full search unless we got a
817 if (!ctx->request_terminated && ret != LDB_SUCCESS) {
818 /* Not indexed, so we need to do a full scan */
819 if (ldb_kv->warn_unindexed ||
820 ldb_kv->disable_full_db_scan) {
821 /* useful for debugging when slow performance
822 * is caused by unindexed searches */
823 char *expression = ldb_filter_from_tree(ctx, ctx->tree);
824 ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb FULL SEARCH: %s SCOPE: %s DN: %s",
826 req->op.search.scope==LDB_SCOPE_BASE?"base":
827 req->op.search.scope==LDB_SCOPE_ONELEVEL?"one":
828 req->op.search.scope==LDB_SCOPE_SUBTREE?"sub":"UNKNOWN",
829 ldb_dn_get_linearized(req->op.search.base));
831 talloc_free(expression);
834 if (match_count != 0) {
835 /* the indexing code gave an error
836 * after having returned at least one
837 * entry. This means the indexes are
838 * corrupt or a database record is
839 * corrupt. We cannot continue with a
840 * full search or we may return
843 ldb_kv->kv_ops->unlock_read(module);
844 return LDB_ERR_OPERATIONS_ERROR;
847 if (ldb_kv->disable_full_db_scan) {
848 ldb_set_errstring(ldb,
849 "ldb FULL SEARCH disabled");
850 ldb_kv->kv_ops->unlock_read(module);
851 return LDB_ERR_INAPPROPRIATE_MATCHING;
854 ret = ldb_kv_search_full(ctx);
855 if (ret != LDB_SUCCESS) {
856 ldb_set_errstring(ldb, "Indexed and full searches both failed!\n");
861 ldb_kv->kv_ops->unlock_read(module);