r6817: - fixed empty ldap search elements in filters

- added support for guids in cldap netlogon searches.

the cldap server now passes the LDAP-CLDAP torture test
(This used to be commit eb7979d9def389942fa1c54693d2dfcb8828f544)

diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index ce49f084f82cb1d919f4f715a5be24dd1f9fdc94..252ae884ea4a465ea815480718980e54febfcce7 100644 (file)
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -33,6 +33,7 @@
 static NTSTATUS cldapd_netlogon_fill(struct cldap_socket *cldap,
                                     TALLOC_CTX *mem_ctx,
                                     const char *domain,
+                                    const char *domain_guid,
                                     const char *user,
                                     const char *src_address,
                                     uint32_t version,
@@ -61,13 +62,15 @@ static NTSTATUS cldapd_netlogon_fill(struct cldap_socket *cldap,
        }
 
        /* the domain has an optional trailing . */
-       if (domain[strlen(domain)-1] == '.') {
+       if (domain && domain[strlen(domain)-1] == '.') {
                domain = talloc_strndup(mem_ctx, domain, strlen(domain)-1);
        }
 
        /* try and find the domain */
        ret = gendb_search(samctx, samctx, NULL, &res, attrs, 
-                          "(&(dnsDomain=%s)(objectClass=domainDNS))", domain);
+                          "(&(objectClass=domainDNS)(|(dnsDomain=%s)(objectGUID=%s)))", 
+                          domain?domain:"", 
+                          domain_guid?domain_guid:"");
        if (ret != 1) {
                DEBUG(2,("Unable to find domain '%s' in sam\n", domain));
                return NT_STATUS_NO_SUCH_DOMAIN;
@@ -210,9 +213,13 @@ void cldapd_netlogon_request(struct cldap_socket *cldap,
                                              t->u.simple.value.length);
                }
                if (strcasecmp(t->u.simple.attr, "DomainGuid") == 0) {
-                       domain_guid = talloc_strndup(tmp_ctx, 
-                                                    t->u.simple.value.data,
-                                                    t->u.simple.value.length);
+                       NTSTATUS enc_status;
+                       struct GUID guid;
+                       enc_status = ldap_decode_ndr_GUID(tmp_ctx, 
+                                                         t->u.simple.value, &guid);
+                       if (NT_STATUS_IS_OK(enc_status)) {
+                               domain_guid = GUID_string(tmp_ctx, &guid);
+                       }
                }
                if (strcasecmp(t->u.simple.attr, "DomainSid") == 0) {
                        domain_sid = talloc_strndup(tmp_ctx, 
@@ -234,14 +241,19 @@ void cldapd_netlogon_request(struct cldap_socket *cldap,
                }
        }
 
-       if (domain == NULL || host == NULL || version == -1) {
+       if (domain_guid == NULL && domain == NULL) {
+               domain = lp_realm();
+       }
+
+       if (version == -1) {
                goto failed;
        }
 
-       DEBUG(0,("cldap netlogon query domain=%s host=%s user=%s version=%d\n",
-                domain, host, user, version));
+       DEBUG(0,("cldap netlogon query domain=%s host=%s user=%s version=%d guid=%s\n",
+                domain, host, user, version, domain_guid));
 
-       status = cldapd_netlogon_fill(cldap, tmp_ctx, domain, user, src_address, 
+       status = cldapd_netlogon_fill(cldap, tmp_ctx, domain, domain_guid, 
+                                     user, src_address, 
                                      version, &netlogon);
        if (!NT_STATUS_IS_OK(status)) {
                goto failed;

diff --git a/source4/lib/ldb/common/ldb_parse.c b/source4/lib/ldb/common/ldb_parse.c
index d9f7dbe524f5f582c336fec67ff06ff678c89678..5221ef45563ea8d48c3626d419821491f7d256eb 100644 (file)
--- a/source4/lib/ldb/common/ldb_parse.c
+++ b/source4/lib/ldb/common/ldb_parse.c
@@ -170,7 +170,7 @@ static struct ldb_parse_tree *ldb_parse_simple(TALLOC_CTX *ctx, const char *s)
        
        ret->operation = LDB_OP_SIMPLE;
        ret->u.simple.attr = l;
-       ret->u.simple.value.data = val;
+       ret->u.simple.value.data = val?val:discard_const_p(char, "");
        ret->u.simple.value.length = val?strlen(val):0;
 
        return ret;

diff --git a/source4/libcli/ldap/ldap.c b/source4/libcli/ldap/ldap.c
index cc7f1a10bcce00e38a4f1f08a2cff40a738f4146..0c6a466f27ca5c117dc6e159408803d09d01182c 100644 (file)
--- a/source4/libcli/ldap/ldap.c
+++ b/source4/libcli/ldap/ldap.c
@@ -110,7 +110,7 @@ static struct ldap_parse_tree *ldap_parse_filter(TALLOC_CTX *mem_ctx,
    decode a RFC2254 binary string representation of a buffer.
    Used in LDAP filters.
 */
-static struct ldap_val ldap_binary_decode(TALLOC_CTX *mem_ctx, const char *str)
+struct ldap_val ldap_binary_decode(TALLOC_CTX *mem_ctx, const char *str)
 {
        int i, j;
        struct ldap_val ret;

diff --git a/source4/libcli/ldap/ldap.h b/source4/libcli/ldap/ldap.h
index 8d4294cf76442e616df5d1ffdeb9fd413c67f8fa..54a96d9672aea348beac3bae38d16591cd522356 100644 (file)
--- a/source4/libcli/ldap/ldap.h
+++ b/source4/libcli/ldap/ldap.h
@@ -326,6 +326,7 @@ BOOL ldap_parse_basic_url(TALLOC_CTX *mem_ctx, const char *url,
 struct ldap_parse_tree *ldap_parse_filter_string(TALLOC_CTX *mem_ctx,
                                                 const char *s);
 const char *ldap_binary_encode(TALLOC_CTX *mem_ctx, DATA_BLOB blob);
+struct ldap_val ldap_binary_decode(TALLOC_CTX *mem_ctx, const char *str);
 
 /* The following definitions come from libcli/ldap/ldap_client.c  */
 
@@ -384,5 +385,6 @@ struct ldap_message *ldap_ldif2msg(TALLOC_CTX *mem_ctx, const char *s);
 const char *ldap_encode_ndr_uint32(TALLOC_CTX *mem_ctx, uint32_t value);
 const char *ldap_encode_ndr_dom_sid(TALLOC_CTX *mem_ctx, struct dom_sid *sid);
 const char *ldap_encode_ndr_GUID(TALLOC_CTX *mem_ctx, struct GUID *guid);
+NTSTATUS ldap_decode_ndr_GUID(TALLOC_CTX *mem_ctx, struct ldap_val val, struct GUID *guid);
 
 #endif

diff --git a/source4/libcli/ldap/ldap_ndr.c b/source4/libcli/ldap/ldap_ndr.c
index 45d9b2729e0a69bc1f28f3062b962ba4ffe22c01..2db85d8f092bf639c67cc124ff6a22d630ab1267 100644 (file)
--- a/source4/libcli/ldap/ldap_ndr.c
+++ b/source4/libcli/ldap/ldap_ndr.c
@@ -74,3 +74,19 @@ const char *ldap_encode_ndr_GUID(TALLOC_CTX *mem_ctx, struct GUID *guid)
        data_blob_free(&blob);
        return ret;
 }
+
+/*
+  decode a NDR GUID from a ldap filter element
+*/
+NTSTATUS ldap_decode_ndr_GUID(TALLOC_CTX *mem_ctx, struct ldap_val val, struct GUID *guid)
+{
+       DATA_BLOB blob;
+       NTSTATUS status;
+
+       blob.data = val.data;
+       blob.length = val.length;
+       status = ndr_pull_struct_blob(&blob, mem_ctx, guid, 
+                                     (ndr_pull_flags_fn_t)ndr_pull_GUID);
+       talloc_free(val.data);
+       return status;
+}