4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
5 Copyright (C) Simo Sorce 2004-2008
6 Copyright (C) Matthias Dieter Wallnöfer 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: ldb samldb module
27 * Description: add embedded user/group creation functionality
33 #include "libcli/ldap/ldap_ndr.h"
34 #include "ldb_module.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
37 #include "libcli/security/security.h"
38 #include "librpc/gen_ndr/ndr_security.h"
39 #include "../lib/util/util_ldb.h"
41 #include "param/param.h"
45 typedef int (*samldb_step_fn_t)(struct samldb_ctx *);
48 struct samldb_step *next;
53 struct ldb_module *module;
54 struct ldb_request *req;
56 /* used for add operations */
59 /* the resulting message */
60 struct ldb_message *msg;
62 /* used to find parent domain */
63 struct ldb_dn *check_dn;
64 struct ldb_dn *domain_dn;
65 struct dom_sid *domain_sid;
68 /* holds the entry SID */
71 /* holds a generic dn */
74 /* used in conjunction with "sid" in "samldb_dn_from_sid" */
75 struct ldb_dn *res_dn;
77 /* used in conjunction with "dn" in "samldb_sid_from_dn" */
78 struct dom_sid *res_sid;
80 /* used in "samldb_user_dn_to_prim_group_rid" */
81 uint32_t prim_group_rid;
83 /* used in conjunction with "prim_group_rid" in
84 * "samldb_prim_group_rid_to_users_cnt" */
85 unsigned int users_cnt;
87 /* used in "samldb_group_add_member" and "samldb_group_del_member" */
88 struct ldb_dn *group_dn;
89 struct ldb_dn *member_dn;
91 /* used in "samldb_primary_group_change" */
92 struct ldb_dn *user_dn;
93 struct ldb_dn *old_prim_group_dn, *new_prim_group_dn;
95 /* generic counter - used in "samldb_member_check" */
98 /* all the async steps necessary to complete the operation */
99 struct samldb_step *steps;
100 struct samldb_step *curstep;
102 /* If someone set an ares to forward controls and response back to the caller */
103 struct ldb_reply *ares;
106 static struct samldb_ctx *samldb_ctx_init(struct ldb_module *module,
107 struct ldb_request *req)
109 struct ldb_context *ldb;
110 struct samldb_ctx *ac;
112 ldb = ldb_module_get_ctx(module);
114 ac = talloc_zero(req, struct samldb_ctx);
126 static int samldb_add_step(struct samldb_ctx *ac, samldb_step_fn_t fn)
128 struct samldb_step *step, *stepper;
130 step = talloc_zero(ac, struct samldb_step);
132 return LDB_ERR_OPERATIONS_ERROR;
137 if (ac->steps == NULL) {
141 if (ac->curstep == NULL)
142 return LDB_ERR_OPERATIONS_ERROR;
143 for (stepper = ac->curstep; stepper->next != NULL;
144 stepper = stepper->next);
145 stepper->next = step;
151 static int samldb_first_step(struct samldb_ctx *ac)
153 if (ac->steps == NULL) {
154 return LDB_ERR_OPERATIONS_ERROR;
157 ac->curstep = ac->steps;
158 return ac->curstep->fn(ac);
161 static int samldb_next_step(struct samldb_ctx *ac)
163 if (ac->curstep->next) {
164 ac->curstep = ac->curstep->next;
165 return ac->curstep->fn(ac);
168 /* we exit the samldb module here */
169 /* If someone set an ares to forward controls and response back to the caller, use them */
171 return ldb_module_done(ac->req, ac->ares->controls,
172 ac->ares->response, LDB_SUCCESS);
174 return ldb_module_done(ac->req, NULL, NULL, LDB_SUCCESS);
179 * samldb_get_parent_domain (async)
182 static int samldb_get_parent_domain(struct samldb_ctx *ac);
184 static int samldb_get_parent_domain_callback(struct ldb_request *req,
185 struct ldb_reply *ares)
187 struct ldb_context *ldb;
188 struct samldb_ctx *ac;
192 ac = talloc_get_type(req->context, struct samldb_ctx);
193 ldb = ldb_module_get_ctx(ac->module);
196 ret = LDB_ERR_OPERATIONS_ERROR;
199 if (ares->error != LDB_SUCCESS) {
200 return ldb_module_done(ac->req, ares->controls,
201 ares->response, ares->error);
204 switch (ares->type) {
205 case LDB_REPLY_ENTRY:
207 if ((ac->domain_dn != NULL) || (ac->domain_sid != NULL)) {
209 ldb_set_errstring(ldb,
210 "Invalid number of results while searching "
211 "for domain object!\n");
212 ret = LDB_ERR_OPERATIONS_ERROR;
216 nextRid = ldb_msg_find_attr_as_string(ares->message,
218 if (nextRid == NULL) {
219 ldb_asprintf_errstring(ldb,
220 "While looking for domain above %s attribute nextRid not found in %s!\n",
221 ldb_dn_get_linearized(
222 ac->req->op.add.message->dn),
223 ldb_dn_get_linearized(ares->message->dn));
224 ret = LDB_ERR_OPERATIONS_ERROR;
228 ac->next_rid = strtol(nextRid, NULL, 0);
230 ac->domain_sid = samdb_result_dom_sid(ac, ares->message,
232 if (ac->domain_sid == NULL) {
233 ldb_set_errstring(ldb,
234 "Unable to get the parent domain SID!\n");
235 ret = LDB_ERR_CONSTRAINT_VIOLATION;
238 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
244 case LDB_REPLY_REFERRAL:
252 if ((ac->domain_dn == NULL) || (ac->domain_sid == NULL)) {
253 /* not found -> retry */
254 ret = samldb_get_parent_domain(ac);
257 ret = samldb_next_step(ac);
263 if (ret != LDB_SUCCESS) {
264 return ldb_module_done(ac->req, NULL, NULL, ret);
270 /* Find a domain object in the parents of a particular DN. */
271 static int samldb_get_parent_domain(struct samldb_ctx *ac)
273 struct ldb_context *ldb;
274 static const char * const attrs[] = { "objectSid", "nextRid", NULL };
275 struct ldb_request *req;
279 ldb = ldb_module_get_ctx(ac->module);
281 if (ac->check_dn == NULL) {
282 return LDB_ERR_OPERATIONS_ERROR;
285 dn = ldb_dn_get_parent(ac, ac->check_dn);
287 ldb_set_errstring(ldb,
288 "Unable to find parent domain object!\n");
289 return LDB_ERR_CONSTRAINT_VIOLATION;
294 ret = ldb_build_search_req(&req, ldb, ac,
296 "(|(objectClass=domain)"
297 "(objectClass=builtinDomain))",
300 ac, samldb_get_parent_domain_callback,
303 if (ret != LDB_SUCCESS) {
307 return ldb_next_request(ac->module, req);
311 static int samldb_generate_samAccountName(struct ldb_message *msg)
315 /* Format: $000000-000000000000 */
317 name = talloc_asprintf(msg, "$%.6X-%.6X%.6X",
318 (unsigned int)generate_random(),
319 (unsigned int)generate_random(),
320 (unsigned int)generate_random());
322 return LDB_ERR_OPERATIONS_ERROR;
324 return ldb_msg_add_steal_string(msg, "samAccountName", name);
328 * samldb_check_samAccountName (async)
331 static int samldb_check_samAccountName_callback(struct ldb_request *req,
332 struct ldb_reply *ares)
334 struct samldb_ctx *ac;
337 ac = talloc_get_type(req->context, struct samldb_ctx);
339 if (ares->error != LDB_SUCCESS) {
340 return ldb_module_done(ac->req, ares->controls,
341 ares->response, ares->error);
344 switch (ares->type) {
345 case LDB_REPLY_ENTRY:
346 /* if we get an entry it means this samAccountName
348 return ldb_module_done(ac->req, NULL, NULL,
349 LDB_ERR_ENTRY_ALREADY_EXISTS);
351 case LDB_REPLY_REFERRAL:
352 /* this should not happen */
353 return ldb_module_done(ac->req, NULL, NULL,
354 LDB_ERR_OPERATIONS_ERROR);
357 /* not found, go on */
359 ret = samldb_next_step(ac);
363 if (ret != LDB_SUCCESS) {
364 return ldb_module_done(ac->req, NULL, NULL, ret);
370 static int samldb_check_samAccountName(struct samldb_ctx *ac)
372 struct ldb_context *ldb;
373 struct ldb_request *req;
378 ldb = ldb_module_get_ctx(ac->module);
380 if (ldb_msg_find_element(ac->msg, "samAccountName") == NULL) {
381 ret = samldb_generate_samAccountName(ac->msg);
382 if (ret != LDB_SUCCESS) {
387 name = ldb_msg_find_attr_as_string(ac->msg, "samAccountName", NULL);
389 return LDB_ERR_OPERATIONS_ERROR;
391 filter = talloc_asprintf(ac, "samAccountName=%s", ldb_binary_encode_string(ac, name));
392 if (filter == NULL) {
393 return LDB_ERR_OPERATIONS_ERROR;
396 ret = ldb_build_search_req(&req, ldb, ac,
397 ac->domain_dn, LDB_SCOPE_SUBTREE,
400 ac, samldb_check_samAccountName_callback,
403 if (ret != LDB_SUCCESS) {
406 return ldb_next_request(ac->module, req);
410 static int samldb_check_samAccountType(struct samldb_ctx *ac)
412 struct ldb_context *ldb;
413 unsigned int account_type;
414 unsigned int group_type;
418 ldb = ldb_module_get_ctx(ac->module);
420 /* make sure sAMAccountType is not specified */
421 if (ldb_msg_find_element(ac->msg, "sAMAccountType") != NULL) {
422 ldb_asprintf_errstring(ldb,
423 "sAMAccountType must not be specified!");
424 return LDB_ERR_UNWILLING_TO_PERFORM;
427 if (strcmp("user", ac->type) == 0) {
428 uac = samdb_result_uint(ac->msg, "userAccountControl", 0);
430 ldb_asprintf_errstring(ldb,
431 "userAccountControl invalid!\n");
432 return LDB_ERR_UNWILLING_TO_PERFORM;
434 account_type = ds_uf2atype(uac);
435 ret = samdb_msg_add_uint(ldb,
439 if (ret != LDB_SUCCESS) {
444 if (strcmp("group", ac->type) == 0) {
446 group_type = samdb_result_uint(ac->msg, "groupType", 0);
447 if (group_type == 0) {
448 ldb_asprintf_errstring(ldb,
449 "groupType invalid!\n");
450 return LDB_ERR_UNWILLING_TO_PERFORM;
452 account_type = ds_gtype2atype(group_type);
453 ret = samdb_msg_add_uint(ldb,
457 if (ret != LDB_SUCCESS) {
463 return samldb_next_step(ac);
468 * samldb_get_sid_domain (async)
471 static int samldb_get_sid_domain_callback(struct ldb_request *req,
472 struct ldb_reply *ares)
474 struct ldb_context *ldb;
475 struct samldb_ctx *ac;
479 ac = talloc_get_type(req->context, struct samldb_ctx);
480 ldb = ldb_module_get_ctx(ac->module);
483 ret = LDB_ERR_OPERATIONS_ERROR;
486 if (ares->error != LDB_SUCCESS) {
487 return ldb_module_done(ac->req, ares->controls,
488 ares->response, ares->error);
491 switch (ares->type) {
492 case LDB_REPLY_ENTRY:
494 if (ac->next_rid != 0) {
496 ldb_set_errstring(ldb,
497 "Invalid number of results while searching "
498 "for domain object!\n");
499 ret = LDB_ERR_OPERATIONS_ERROR;
503 nextRid = ldb_msg_find_attr_as_string(ares->message,
505 if (nextRid == NULL) {
506 ldb_asprintf_errstring(ldb,
507 "Attribute nextRid not found in %s!\n",
508 ldb_dn_get_linearized(ares->message->dn));
509 ret = LDB_ERR_OPERATIONS_ERROR;
513 ac->next_rid = strtol(nextRid, NULL, 0);
515 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
521 case LDB_REPLY_REFERRAL:
529 if (ac->next_rid == 0) {
530 ldb_asprintf_errstring(ldb,
531 "Unable to get nextRid from domain entry!\n");
532 ret = LDB_ERR_OPERATIONS_ERROR;
537 ret = samldb_next_step(ac);
542 if (ret != LDB_SUCCESS) {
543 return ldb_module_done(ac->req, NULL, NULL, ret);
549 /* Find a domain object in the parents of a particular DN. */
550 static int samldb_get_sid_domain(struct samldb_ctx *ac)
552 struct ldb_context *ldb;
553 static const char * const attrs[] = { "nextRid", NULL };
554 struct ldb_request *req;
558 ldb = ldb_module_get_ctx(ac->module);
560 if (ac->sid == NULL) {
561 return LDB_ERR_OPERATIONS_ERROR;
564 ac->domain_sid = dom_sid_dup(ac, ac->sid);
565 if (!ac->domain_sid) {
566 return LDB_ERR_OPERATIONS_ERROR;
568 /* get the domain component part of the provided SID */
569 ac->domain_sid->num_auths--;
571 filter = talloc_asprintf(ac,
573 "(|(objectClass=domain)"
574 "(objectClass=builtinDomain)))",
575 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
576 if (filter == NULL) {
577 return LDB_ERR_OPERATIONS_ERROR;
580 ret = ldb_build_search_req(&req, ldb, ac,
581 ldb_get_default_basedn(ldb),
585 ac, samldb_get_sid_domain_callback,
588 if (ret != LDB_SUCCESS) {
593 return ldb_next_request(ac->module, req);
597 * samldb_dn_from_sid (async)
600 static int samldb_dn_from_sid(struct samldb_ctx *ac);
602 static int samldb_dn_from_sid_callback(struct ldb_request *req,
603 struct ldb_reply *ares)
605 struct ldb_context *ldb;
606 struct samldb_ctx *ac;
609 ac = talloc_get_type(req->context, struct samldb_ctx);
610 ldb = ldb_module_get_ctx(ac->module);
613 ret = LDB_ERR_OPERATIONS_ERROR;
616 if (ares->error != LDB_SUCCESS) {
617 return ldb_module_done(ac->req, ares->controls,
618 ares->response, ares->error);
621 switch (ares->type) {
622 case LDB_REPLY_ENTRY:
624 if (ac->res_dn != NULL) {
626 ldb_set_errstring(ldb,
627 "Invalid number of results while searching "
628 "for domain objects!\n");
629 ret = LDB_ERR_OPERATIONS_ERROR;
632 ac->res_dn = ldb_dn_copy(ac, ares->message->dn);
638 case LDB_REPLY_REFERRAL:
647 /* found or not found, go on */
648 ret = samldb_next_step(ac);
653 if (ret != LDB_SUCCESS) {
654 return ldb_module_done(ac->req, NULL, NULL, ret);
660 /* Finds the DN "res_dn" of an object with a given SID "sid" */
661 static int samldb_dn_from_sid(struct samldb_ctx *ac)
663 struct ldb_context *ldb;
664 static const char * const attrs[] = { NULL };
665 struct ldb_request *req;
669 ldb = ldb_module_get_ctx(ac->module);
672 return LDB_ERR_OPERATIONS_ERROR;
674 filter = talloc_asprintf(ac, "(objectSid=%s)",
675 ldap_encode_ndr_dom_sid(ac, ac->sid));
677 return LDB_ERR_OPERATIONS_ERROR;
679 ret = ldb_build_search_req(&req, ldb, ac,
680 ldb_get_default_basedn(ldb),
684 ac, samldb_dn_from_sid_callback,
686 if (ret != LDB_SUCCESS)
689 return ldb_next_request(ac->module, req);
693 static int samldb_check_primaryGroupID_1(struct samldb_ctx *ac)
695 struct ldb_context *ldb;
698 ldb = ldb_module_get_ctx(ac->module);
700 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
701 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
703 return LDB_ERR_OPERATIONS_ERROR;
706 return samldb_next_step(ac);
709 static int samldb_check_primaryGroupID_2(struct samldb_ctx *ac)
711 if (ac->res_dn == NULL) {
712 struct ldb_context *ldb;
713 ldb = ldb_module_get_ctx(ac->module);
714 ldb_asprintf_errstring(ldb,
715 "Failed to find group sid %s!\n",
716 dom_sid_string(ac->sid, ac->sid));
717 return LDB_ERR_UNWILLING_TO_PERFORM;
720 return samldb_next_step(ac);
724 static bool samldb_msg_add_sid(struct ldb_message *msg,
726 const struct dom_sid *sid)
729 enum ndr_err_code ndr_err;
731 ndr_err = ndr_push_struct_blob(&v, msg, NULL, sid,
732 (ndr_push_flags_fn_t)ndr_push_dom_sid);
733 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
736 return (ldb_msg_add_value(msg, name, &v, NULL) == 0);
739 static int samldb_new_sid(struct samldb_ctx *ac)
742 if (ac->domain_sid == NULL || ac->next_rid == 0) {
743 return LDB_ERR_OPERATIONS_ERROR;
746 ac->sid = dom_sid_add_rid(ac, ac->domain_sid, ac->next_rid + 1);
747 if (ac->sid == NULL) {
748 return LDB_ERR_OPERATIONS_ERROR;
751 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
752 return LDB_ERR_OPERATIONS_ERROR;
755 return samldb_next_step(ac);
759 * samldb_notice_sid_callback (async)
762 static int samldb_notice_sid_callback(struct ldb_request *req,
763 struct ldb_reply *ares)
765 struct ldb_context *ldb;
766 struct samldb_ctx *ac;
769 ac = talloc_get_type(req->context, struct samldb_ctx);
770 ldb = ldb_module_get_ctx(ac->module);
773 ret = LDB_ERR_OPERATIONS_ERROR;
776 if (ares->error != LDB_SUCCESS) {
777 return ldb_module_done(ac->req, ares->controls,
778 ares->response, ares->error);
780 if (ares->type != LDB_REPLY_DONE) {
781 ldb_set_errstring(ldb,
782 "Invalid reply type!\n");
783 ret = LDB_ERR_OPERATIONS_ERROR;
787 ret = samldb_next_step(ac);
790 if (ret != LDB_SUCCESS) {
791 return ldb_module_done(ac->req, NULL, NULL, ret);
797 /* If we are adding new users/groups, we need to update the nextRid
798 * attribute to be 'above' the new/incoming RID. Attempt to do it
800 static int samldb_notice_sid(struct samldb_ctx *ac)
802 struct ldb_context *ldb;
803 uint32_t old_id, new_id;
804 struct ldb_request *req;
805 struct ldb_message *msg;
806 struct ldb_message_element *els;
807 struct ldb_val *vals;
810 ldb = ldb_module_get_ctx(ac->module);
811 old_id = ac->next_rid;
812 new_id = ac->sid->sub_auths[ac->sid->num_auths - 1];
814 if (old_id >= new_id) {
815 /* no need to update the domain nextRid attribute */
816 return samldb_next_step(ac);
819 /* we do a delete and add as a single operation. That prevents
820 a race, in case we are not actually on a transaction db */
821 msg = ldb_msg_new(ac);
824 return LDB_ERR_OPERATIONS_ERROR;
826 els = talloc_array(msg, struct ldb_message_element, 2);
829 return LDB_ERR_OPERATIONS_ERROR;
831 vals = talloc_array(msg, struct ldb_val, 2);
834 return LDB_ERR_OPERATIONS_ERROR;
836 msg->dn = ac->domain_dn;
837 msg->num_elements = 2;
840 els[0].num_values = 1;
841 els[0].values = &vals[0];
842 els[0].flags = LDB_FLAG_MOD_DELETE;
843 els[0].name = talloc_strdup(msg, "nextRid");
846 return LDB_ERR_OPERATIONS_ERROR;
849 els[1].num_values = 1;
850 els[1].values = &vals[1];
851 els[1].flags = LDB_FLAG_MOD_ADD;
852 els[1].name = els[0].name;
854 vals[0].data = (uint8_t *)talloc_asprintf(vals, "%u", old_id);
857 return LDB_ERR_OPERATIONS_ERROR;
859 vals[0].length = strlen((char *)vals[0].data);
861 vals[1].data = (uint8_t *)talloc_asprintf(vals, "%u", new_id);
864 return LDB_ERR_OPERATIONS_ERROR;
866 vals[1].length = strlen((char *)vals[1].data);
868 ret = ldb_build_mod_req(&req, ldb, ac,
870 ac, samldb_notice_sid_callback,
872 if (ret != LDB_SUCCESS) {
876 return ldb_next_request(ac->module, req);
880 * samldb_set_defaultObjectCategory_callback (async)
883 static int samldb_set_defaultObjectCategory_callback(struct ldb_request *req,
884 struct ldb_reply *ares)
886 struct ldb_context *ldb;
887 struct samldb_ctx *ac;
890 ac = talloc_get_type(req->context, struct samldb_ctx);
891 ldb = ldb_module_get_ctx(ac->module);
894 ret = LDB_ERR_OPERATIONS_ERROR;
897 if (ares->error != LDB_SUCCESS) {
898 return ldb_module_done(ac->req, ares->controls,
899 ares->response, ares->error);
901 if (ares->type != LDB_REPLY_DONE) {
902 ldb_set_errstring(ldb,
903 "Invalid reply type!\n");
904 ret = LDB_ERR_OPERATIONS_ERROR;
908 ret = samldb_next_step(ac);
911 if (ret != LDB_SUCCESS) {
912 return ldb_module_done(ac->req, NULL, NULL, ret);
918 static int samldb_set_defaultObjectCategory(struct samldb_ctx *ac)
922 struct ldb_request *req;
923 struct ldb_context *ldb;
924 struct ldb_message *msg = ldb_msg_new(ac);
928 ldb_msg_add_empty(msg, "defaultObjectCategory", LDB_FLAG_MOD_REPLACE, NULL);
930 ldb_msg_add_steal_string(msg, "defaultObjectCategory", ldb_dn_alloc_linearized(msg, ac->dn));
932 ldb = ldb_module_get_ctx(ac->module);
934 ret = ldb_build_mod_req(&req, ldb, ac,
936 ac, samldb_set_defaultObjectCategory_callback,
938 if (ret != LDB_SUCCESS) {
942 return ldb_next_request(ac->module, req);
945 ret = samldb_next_step(ac);
946 if (ret != LDB_SUCCESS) {
947 return ldb_module_done(ac->req, NULL, NULL, ret);
953 * samldb_find_for_defaultObjectCategory (async)
956 static int samldb_find_for_defaultObjectCategory_callback(struct ldb_request *req,
957 struct ldb_reply *ares)
959 struct samldb_ctx *ac;
962 ac = talloc_get_type(req->context, struct samldb_ctx);
964 if (ares->error != LDB_SUCCESS) {
965 return ldb_module_done(ac->req, ares->controls,
966 ares->response, ares->error);
969 switch (ares->type) {
970 case LDB_REPLY_ENTRY:
971 ac->dn = talloc_steal(ac, ares->message->dn);
973 case LDB_REPLY_REFERRAL:
974 /* this should not happen */
975 return ldb_module_done(ac->req, NULL, NULL,
976 LDB_ERR_OPERATIONS_ERROR);
979 /* found or not found, go on */
981 ret = samldb_next_step(ac);
982 if (ret != LDB_SUCCESS) {
983 return ldb_module_done(ac->req, NULL, NULL, ret);
991 static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac)
993 struct ldb_context *ldb;
994 struct ldb_request *req;
996 static const char *no_attrs[] = { NULL };
998 ldb = ldb_module_get_ctx(ac->module);
1002 if (ldb_msg_find_element(ac->msg, "defaultObjectCategory") == NULL) {
1003 ret = ldb_build_search_req(&req, ldb, ac,
1004 ac->msg->dn, LDB_SCOPE_BASE,
1005 "objectClass=classSchema", no_attrs,
1007 ac, samldb_find_for_defaultObjectCategory_callback,
1009 if (ret != LDB_SUCCESS) {
1012 ret = dsdb_module_search_handle_flags(ac->module, req, DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT);
1013 if (ret != LDB_SUCCESS) {
1016 return ldb_next_request(ac->module, req);
1019 ret = samldb_next_step(ac);
1020 if (ret != LDB_SUCCESS) {
1021 return ldb_module_done(ac->req, NULL, NULL, ret);
1030 * samldb_add_entry (async)
1033 static int samldb_add_entry_callback(struct ldb_request *req,
1034 struct ldb_reply *ares)
1036 struct ldb_context *ldb;
1037 struct samldb_ctx *ac;
1040 ac = talloc_get_type(req->context, struct samldb_ctx);
1041 ldb = ldb_module_get_ctx(ac->module);
1044 return ldb_module_done(ac->req, NULL, NULL,
1045 LDB_ERR_OPERATIONS_ERROR);
1047 if (ares->error != LDB_SUCCESS) {
1048 return ldb_module_done(ac->req, ares->controls,
1049 ares->response, ares->error);
1051 if (ares->type != LDB_REPLY_DONE) {
1052 ldb_set_errstring(ldb,
1053 "Invalid reply type!\n");
1054 return ldb_module_done(ac->req, NULL, NULL,
1055 LDB_ERR_OPERATIONS_ERROR);
1058 /* The caller may wish to get controls back from the add */
1059 ac->ares = talloc_steal(ac, ares);
1061 ret = samldb_next_step(ac);
1062 if (ret != LDB_SUCCESS) {
1063 return ldb_module_done(ac->req, NULL, NULL, ret);
1068 static int samldb_add_entry(struct samldb_ctx *ac)
1070 struct ldb_context *ldb;
1071 struct ldb_request *req;
1074 ldb = ldb_module_get_ctx(ac->module);
1076 ret = ldb_build_add_req(&req, ldb, ac,
1079 ac, samldb_add_entry_callback,
1081 if (ret != LDB_SUCCESS) {
1085 return ldb_next_request(ac->module, req);
1089 static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
1091 struct ldb_context *ldb;
1092 struct loadparm_context *lp_ctx;
1093 enum sid_generator sid_generator;
1096 ldb = ldb_module_get_ctx(ac->module);
1098 /* search for a parent domain objet */
1099 ac->check_dn = ac->req->op.add.message->dn;
1100 ret = samldb_add_step(ac, samldb_get_parent_domain);
1101 if (ret != LDB_SUCCESS) return ret;
1103 /* Add informations for the different account types */
1105 if (strcmp(ac->type, "user") == 0) {
1106 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1107 "userAccountControl", "546");
1108 if (ret != LDB_SUCCESS) return ret;
1109 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1110 "badPwdCount", "0");
1111 if (ret != LDB_SUCCESS) return ret;
1112 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1114 if (ret != LDB_SUCCESS) return ret;
1115 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1116 "countryCode", "0");
1117 if (ret != LDB_SUCCESS) return ret;
1118 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1119 "badPasswordTime", "0");
1120 if (ret != LDB_SUCCESS) return ret;
1121 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1123 if (ret != LDB_SUCCESS) return ret;
1124 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1126 if (ret != LDB_SUCCESS) return ret;
1127 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1129 if (ret != LDB_SUCCESS) return ret;
1130 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1131 "primaryGroupID", "513");
1132 if (ret != LDB_SUCCESS) return ret;
1133 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1134 "accountExpires", "9223372036854775807");
1135 if (ret != LDB_SUCCESS) return ret;
1136 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1138 if (ret != LDB_SUCCESS) return ret;
1139 } else if (strcmp(ac->type, "group") == 0) {
1140 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1141 "groupType", "-2147483646");
1142 if (ret != LDB_SUCCESS) return ret;
1143 } else if (strcmp(ac->type, "classSchema") == 0) {
1144 const struct ldb_val *rdn_value;
1146 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1148 if (ret != LDB_SUCCESS) return ret;
1150 rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
1151 if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) {
1152 /* the RDN has prefix "CN" */
1153 ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName",
1154 samdb_cn_to_lDAPDisplayName(ac,
1155 (const char *) rdn_value->data));
1156 if (ret != LDB_SUCCESS) {
1162 if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) {
1163 enum ndr_err_code ndr_err;
1164 struct ldb_val guid_value;
1167 guid = GUID_random();
1168 /* generated NDR encoded values */
1169 ndr_err = ndr_push_struct_blob(&guid_value, ac->msg,
1172 (ndr_push_flags_fn_t)ndr_push_GUID);
1173 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1175 return LDB_ERR_OPERATIONS_ERROR;
1177 ret = ldb_msg_add_value(ac->msg, "schemaIDGUID", &guid_value, NULL);
1178 if (ret != LDB_SUCCESS) {
1184 ret = samldb_add_step(ac, samldb_add_entry);
1185 if (ret != LDB_SUCCESS) return ret;
1187 ret = samldb_add_step(ac, samldb_find_for_defaultObjectCategory);
1188 if (ret != LDB_SUCCESS) return ret;
1190 ret = samldb_add_step(ac, samldb_set_defaultObjectCategory);
1191 if (ret != LDB_SUCCESS) return ret;
1193 return samldb_first_step(ac);
1194 } else if (strcmp(ac->type, "attributeSchema") == 0) {
1195 const struct ldb_val *rdn_value;
1196 rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
1197 if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) {
1198 /* the RDN has prefix "CN" */
1199 ret = ldb_msg_add_string(ac->msg, "lDAPDisplayName",
1200 samdb_cn_to_lDAPDisplayName(ac,
1201 (const char *) rdn_value->data));
1202 if (ret != LDB_SUCCESS) {
1208 ret = samdb_find_or_add_attribute(ldb, ac->msg,
1209 "isSingleValued", "FALSE");
1210 if (ret != LDB_SUCCESS) return ret;
1212 if (!ldb_msg_find_element(ac->msg, "schemaIDGUID")) {
1213 enum ndr_err_code ndr_err;
1214 struct ldb_val guid_value;
1217 guid = GUID_random();
1218 /* generated NDR encoded values */
1219 ndr_err = ndr_push_struct_blob(&guid_value, ac->msg,
1222 (ndr_push_flags_fn_t)ndr_push_GUID);
1223 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1225 return LDB_ERR_OPERATIONS_ERROR;
1227 ret = ldb_msg_add_value(ac->msg, "schemaIDGUID", &guid_value, NULL);
1228 if (ret != LDB_SUCCESS) {
1234 ret = samldb_add_step(ac, samldb_add_entry);
1235 if (ret != LDB_SUCCESS) return ret;
1237 return samldb_first_step(ac);
1239 ldb_asprintf_errstring(ldb,
1240 "Invalid entry type!\n");
1241 return LDB_ERR_OPERATIONS_ERROR;
1244 /* check if we have a valid samAccountName */
1245 ret = samldb_add_step(ac, samldb_check_samAccountName);
1246 if (ret != LDB_SUCCESS) return ret;
1248 /* check account_type/group_type */
1249 ret = samldb_add_step(ac, samldb_check_samAccountType);
1250 if (ret != LDB_SUCCESS) return ret;
1252 /* check if we have a valid primary group ID */
1253 if (strcmp(ac->type, "user") == 0) {
1254 ret = samldb_add_step(ac, samldb_check_primaryGroupID_1);
1255 if (ret != LDB_SUCCESS) return ret;
1256 ret = samldb_add_step(ac, samldb_dn_from_sid);
1257 if (ret != LDB_SUCCESS) return ret;
1258 ret = samldb_add_step(ac, samldb_check_primaryGroupID_2);
1259 if (ret != LDB_SUCCESS) return ret;
1262 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
1263 struct loadparm_context);
1265 sid_generator = lp_sid_generator(lp_ctx);
1266 if (sid_generator == SID_GENERATOR_INTERNAL) {
1267 /* check if we have a valid SID */
1268 ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
1270 ret = samldb_add_step(ac, samldb_new_sid);
1271 if (ret != LDB_SUCCESS) return ret;
1273 ret = samldb_add_step(ac, samldb_get_sid_domain);
1274 if (ret != LDB_SUCCESS) return ret;
1277 ret = samldb_add_step(ac, samldb_notice_sid);
1278 if (ret != LDB_SUCCESS) return ret;
1281 /* finally proceed with adding the entry */
1282 ret = samldb_add_step(ac, samldb_add_entry);
1283 if (ret != LDB_SUCCESS) return ret;
1285 return samldb_first_step(ac);
1289 * samldb_foreign_notice_sid (async)
1292 static int samldb_foreign_notice_sid_callback(struct ldb_request *req,
1293 struct ldb_reply *ares)
1295 struct ldb_context *ldb;
1296 struct samldb_ctx *ac;
1297 const char *nextRid;
1301 ac = talloc_get_type(req->context, struct samldb_ctx);
1302 ldb = ldb_module_get_ctx(ac->module);
1305 ret = LDB_ERR_OPERATIONS_ERROR;
1308 if (ares->error != LDB_SUCCESS) {
1309 return ldb_module_done(ac->req, ares->controls,
1310 ares->response, ares->error);
1313 switch (ares->type) {
1314 case LDB_REPLY_ENTRY:
1316 if (ac->next_rid != 0) {
1318 ldb_set_errstring(ldb,
1319 "Invalid number of results while searching "
1320 "for domain object!\n");
1321 ret = LDB_ERR_OPERATIONS_ERROR;
1325 nextRid = ldb_msg_find_attr_as_string(ares->message,
1327 if (nextRid == NULL) {
1328 ldb_asprintf_errstring(ldb,
1329 "while looking for forign sid %s attribute nextRid not found in %s\n",
1330 dom_sid_string(ares, ac->sid),
1331 ldb_dn_get_linearized(ares->message->dn));
1332 ret = LDB_ERR_OPERATIONS_ERROR;
1336 ac->next_rid = strtol(nextRid, NULL, 0);
1338 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
1340 name = samdb_result_string(ares->message, "name", NULL);
1341 ldb_debug(ldb, LDB_DEBUG_TRACE,
1342 "NOTE (strange but valid): Adding foreign SID "
1343 "record with SID %s, but this domain (%s) is "
1344 "not foreign in the database",
1345 dom_sid_string(ares, ac->sid), name);
1351 case LDB_REPLY_REFERRAL:
1357 case LDB_REPLY_DONE:
1360 /* if this is a fake foreign SID, notice the SID */
1361 if (ac->domain_dn) {
1362 ret = samldb_notice_sid(ac);
1367 ret = samldb_next_step(ac);
1372 if (ret != LDB_SUCCESS) {
1373 return ldb_module_done(ac->req, NULL, NULL, ret);
1379 /* Find a domain object in the parents of a particular DN. */
1380 static int samldb_foreign_notice_sid(struct samldb_ctx *ac)
1382 struct ldb_context *ldb;
1383 static const char * const attrs[3] = { "nextRid", "name", NULL };
1384 struct ldb_request *req;
1389 ldb = ldb_module_get_ctx(ac->module);
1391 if (ac->sid == NULL) {
1392 return LDB_ERR_OPERATIONS_ERROR;
1395 status = dom_sid_split_rid(ac, ac->sid, &ac->domain_sid, NULL);
1396 if (!NT_STATUS_IS_OK(status)) {
1397 return LDB_ERR_OPERATIONS_ERROR;
1400 filter = talloc_asprintf(ac, "(&(objectSid=%s)(objectclass=domain))",
1401 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
1402 if (filter == NULL) {
1403 return LDB_ERR_OPERATIONS_ERROR;
1406 ret = ldb_build_search_req(&req, ldb, ac,
1407 ldb_get_default_basedn(ldb),
1411 ac, samldb_foreign_notice_sid_callback,
1414 if (ret != LDB_SUCCESS) {
1418 return ldb_next_request(ac->module, req);
1422 static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac)
1424 struct ldb_context *ldb;
1427 ldb = ldb_module_get_ctx(ac->module);
1431 ac->sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
1432 if (ac->sid == NULL) {
1433 ac->sid = dom_sid_parse_talloc(ac->msg,
1434 (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data);
1436 ldb_set_errstring(ldb,
1437 "No valid SID found in "
1438 "ForeignSecurityPrincipal CN!\n");
1440 return LDB_ERR_CONSTRAINT_VIOLATION;
1442 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
1444 return LDB_ERR_OPERATIONS_ERROR;
1448 /* check if we need to notice this SID */
1449 ret = samldb_add_step(ac, samldb_foreign_notice_sid);
1450 if (ret != LDB_SUCCESS) return ret;
1452 /* finally proceed with adding the entry */
1453 ret = samldb_add_step(ac, samldb_add_entry);
1454 if (ret != LDB_SUCCESS) return ret;
1456 return samldb_first_step(ac);
1459 static int samldb_check_rdn(struct ldb_module *module, struct ldb_dn *dn)
1461 struct ldb_context *ldb;
1462 const char *rdn_name;
1464 ldb = ldb_module_get_ctx(module);
1465 rdn_name = ldb_dn_get_rdn_name(dn);
1467 if (strcasecmp(rdn_name, "cn") != 0) {
1468 ldb_asprintf_errstring(ldb,
1469 "Bad RDN (%s=) for samldb object, "
1470 "should be CN=!\n", rdn_name);
1471 return LDB_ERR_CONSTRAINT_VIOLATION;
1478 * samldb_sid_from_dn (async)
1481 static int samldb_sid_from_dn(struct samldb_ctx *ac);
1483 static int samldb_sid_from_dn_callback(struct ldb_request *req,
1484 struct ldb_reply *ares)
1486 struct ldb_context *ldb;
1487 struct samldb_ctx *ac;
1490 ac = talloc_get_type(req->context, struct samldb_ctx);
1491 ldb = ldb_module_get_ctx(ac->module);
1494 ret = LDB_ERR_OPERATIONS_ERROR;
1497 if (ares->error != LDB_SUCCESS) {
1498 return ldb_module_done(ac->req, ares->controls,
1499 ares->response, ares->error);
1502 switch (ares->type) {
1503 case LDB_REPLY_ENTRY:
1505 if (ac->res_sid != NULL) {
1507 ldb_set_errstring(ldb,
1508 "Invalid number of results while searching "
1509 "for domain objects!\n");
1510 ret = LDB_ERR_OPERATIONS_ERROR;
1513 ac->res_sid = samdb_result_dom_sid(ac, ares->message,
1520 case LDB_REPLY_REFERRAL:
1526 case LDB_REPLY_DONE:
1529 /* found or not found, go on */
1530 ret = samldb_next_step(ac);
1535 if (ret != LDB_SUCCESS) {
1536 return ldb_module_done(ac->req, NULL, NULL, ret);
1542 /* Finds the SID "res_sid" of an object with a given DN "dn" */
1543 static int samldb_sid_from_dn(struct samldb_ctx *ac)
1545 struct ldb_context *ldb;
1546 static const char * const attrs[] = { "objectSid", NULL };
1547 struct ldb_request *req;
1550 ldb = ldb_module_get_ctx(ac->module);
1553 return LDB_ERR_OPERATIONS_ERROR;
1555 ret = ldb_build_search_req(&req, ldb, ac,
1560 ac, samldb_sid_from_dn_callback,
1562 if (ret != LDB_SUCCESS)
1565 return ldb_next_request(ac->module, req);
1569 * samldb_user_dn_to_prim_group_rid (async)
1572 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac);
1574 static int samldb_user_dn_to_prim_group_rid_callback(struct ldb_request *req,
1575 struct ldb_reply *ares)
1577 struct ldb_context *ldb;
1578 struct samldb_ctx *ac;
1581 ac = talloc_get_type(req->context, struct samldb_ctx);
1582 ldb = ldb_module_get_ctx(ac->module);
1585 ret = LDB_ERR_OPERATIONS_ERROR;
1588 if (ares->error != LDB_SUCCESS) {
1589 return ldb_module_done(ac->req, ares->controls,
1590 ares->response, ares->error);
1593 switch (ares->type) {
1594 case LDB_REPLY_ENTRY:
1596 if (ac->prim_group_rid != 0) {
1598 ldb_set_errstring(ldb,
1599 "Invalid number of results while searching "
1600 "for domain objects!\n");
1601 ret = LDB_ERR_OPERATIONS_ERROR;
1604 ac->prim_group_rid = samdb_result_uint(ares->message,
1605 "primaryGroupID", ~0);
1611 case LDB_REPLY_REFERRAL:
1617 case LDB_REPLY_DONE:
1619 if (ac->prim_group_rid == 0) {
1620 ldb_asprintf_errstring(ldb,
1621 "Unable to get the primary group RID!\n");
1622 ret = LDB_ERR_OPERATIONS_ERROR;
1627 ret = samldb_next_step(ac);
1632 if (ret != LDB_SUCCESS) {
1633 return ldb_module_done(ac->req, NULL, NULL, ret);
1639 /* Locates the "primaryGroupID" attribute from a certain user specified as
1640 * "user_dn". Saves the result in "prim_group_rid". */
1641 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac)
1643 struct ldb_context *ldb;
1644 static const char * const attrs[] = { "primaryGroupID", NULL };
1645 struct ldb_request *req;
1648 ldb = ldb_module_get_ctx(ac->module);
1650 if (ac->user_dn == NULL)
1651 return LDB_ERR_OPERATIONS_ERROR;
1653 ret = ldb_build_search_req(&req, ldb, ac,
1658 ac, samldb_user_dn_to_prim_group_rid_callback,
1660 if (ret != LDB_SUCCESS)
1663 return ldb_next_request(ac->module, req);
1667 * samldb_prim_group_rid_to_users_cnt (async)
1670 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac);
1672 static int samldb_prim_group_rid_to_users_cnt_callback(struct ldb_request *req,
1673 struct ldb_reply *ares)
1675 struct ldb_context *ldb;
1676 struct samldb_ctx *ac;
1679 ac = talloc_get_type(req->context, struct samldb_ctx);
1680 ldb = ldb_module_get_ctx(ac->module);
1683 ret = LDB_ERR_OPERATIONS_ERROR;
1686 if (ares->error != LDB_SUCCESS) {
1687 return ldb_module_done(ac->req, ares->controls,
1688 ares->response, ares->error);
1691 switch (ares->type) {
1692 case LDB_REPLY_ENTRY:
1700 case LDB_REPLY_REFERRAL:
1706 case LDB_REPLY_DONE:
1709 /* found or not found, go on */
1710 ret = samldb_next_step(ac);
1715 if (ret != LDB_SUCCESS) {
1716 return ldb_module_done(ac->req, NULL, NULL, ret);
1722 /* Finds the amount of users which have the primary group "prim_group_rid" and
1723 * save the result in "users_cnt" */
1724 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac)
1726 struct ldb_context *ldb;
1727 static const char * const attrs[] = { NULL };
1728 struct ldb_request *req;
1732 ldb = ldb_module_get_ctx(ac->module);
1734 if ((ac->prim_group_rid == 0) || (ac->users_cnt != 0))
1735 return LDB_ERR_OPERATIONS_ERROR;
1737 filter = talloc_asprintf(ac, "(&(primaryGroupID=%u)(objectclass=user))",
1738 ac->prim_group_rid);
1740 return LDB_ERR_OPERATIONS_ERROR;
1742 ret = ldb_build_search_req(&req, ldb, ac,
1743 ldb_get_default_basedn(ldb),
1748 samldb_prim_group_rid_to_users_cnt_callback,
1750 if (ret != LDB_SUCCESS)
1753 return ldb_next_request(ac->module, req);
1757 * samldb_group_add_member (async)
1758 * samldb_group_del_member (async)
1761 static int samldb_group_add_del_member_callback(struct ldb_request *req,
1762 struct ldb_reply *ares)
1764 struct ldb_context *ldb;
1765 struct samldb_ctx *ac;
1768 ac = talloc_get_type(req->context, struct samldb_ctx);
1769 ldb = ldb_module_get_ctx(ac->module);
1772 ret = LDB_ERR_OPERATIONS_ERROR;
1775 if (ares->error != LDB_SUCCESS) {
1776 if (ares->error == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1777 /* On error "NO_SUCH_ATTRIBUTE" (delete of an invalid
1778 * "member" attribute) return "UNWILLING_TO_PERFORM" */
1779 ares->error = LDB_ERR_UNWILLING_TO_PERFORM;
1781 return ldb_module_done(ac->req, ares->controls,
1782 ares->response, ares->error);
1784 if (ares->type != LDB_REPLY_DONE) {
1785 ldb_set_errstring(ldb,
1786 "Invalid reply type!\n");
1787 ret = LDB_ERR_OPERATIONS_ERROR;
1791 ret = samldb_next_step(ac);
1794 if (ret != LDB_SUCCESS) {
1795 return ldb_module_done(ac->req, NULL, NULL, ret);
1801 /* Adds a member with DN "member_dn" to a group with DN "group_dn" */
1802 static int samldb_group_add_member(struct samldb_ctx *ac)
1804 struct ldb_context *ldb;
1805 struct ldb_request *req;
1806 struct ldb_message *msg;
1809 ldb = ldb_module_get_ctx(ac->module);
1811 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1812 return LDB_ERR_OPERATIONS_ERROR;
1814 msg = ldb_msg_new(ac);
1815 msg->dn = ac->group_dn;
1816 samdb_msg_add_addval(ldb, ac, msg, "member",
1817 ldb_dn_get_linearized(ac->member_dn));
1819 ret = ldb_build_mod_req(&req, ldb, ac,
1821 ac, samldb_group_add_del_member_callback,
1823 if (ret != LDB_SUCCESS)
1826 return ldb_next_request(ac->module, req);
1829 /* Removes a member with DN "member_dn" from a group with DN "group_dn" */
1830 static int samldb_group_del_member(struct samldb_ctx *ac)
1832 struct ldb_context *ldb;
1833 struct ldb_request *req;
1834 struct ldb_message *msg;
1837 ldb = ldb_module_get_ctx(ac->module);
1839 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1840 return LDB_ERR_OPERATIONS_ERROR;
1842 msg = ldb_msg_new(ac);
1843 msg->dn = ac->group_dn;
1844 samdb_msg_add_delval(ldb, ac, msg, "member",
1845 ldb_dn_get_linearized(ac->member_dn));
1847 ret = ldb_build_mod_req(&req, ldb, ac,
1849 ac, samldb_group_add_del_member_callback,
1851 if (ret != LDB_SUCCESS)
1854 return ldb_next_request(ac->module, req);
1858 static int samldb_prim_group_change_1(struct samldb_ctx *ac)
1860 struct ldb_context *ldb;
1863 ldb = ldb_module_get_ctx(ac->module);
1865 ac->user_dn = ac->msg->dn;
1867 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
1868 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
1869 if (ac->sid == NULL)
1870 return LDB_ERR_OPERATIONS_ERROR;
1873 ac->prim_group_rid = 0;
1875 return samldb_next_step(ac);
1878 static int samldb_prim_group_change_2(struct samldb_ctx *ac)
1880 struct ldb_context *ldb;
1882 ldb = ldb_module_get_ctx(ac->module);
1884 if (ac->res_dn != NULL)
1885 ac->new_prim_group_dn = ac->res_dn;
1887 return LDB_ERR_UNWILLING_TO_PERFORM;
1889 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
1890 ac->prim_group_rid);
1891 if (ac->sid == NULL)
1892 return LDB_ERR_OPERATIONS_ERROR;
1895 return samldb_next_step(ac);
1898 static int samldb_prim_group_change_4(struct samldb_ctx *ac);
1899 static int samldb_prim_group_change_5(struct samldb_ctx *ac);
1900 static int samldb_prim_group_change_6(struct samldb_ctx *ac);
1902 static int samldb_prim_group_change_3(struct samldb_ctx *ac)
1906 if (ac->res_dn != NULL)
1907 ac->old_prim_group_dn = ac->res_dn;
1909 return LDB_ERR_UNWILLING_TO_PERFORM;
1911 /* Only update when the primary group changed */
1912 if (ldb_dn_compare(ac->old_prim_group_dn, ac->new_prim_group_dn) != 0) {
1913 ac->member_dn = ac->user_dn;
1914 /* Remove the "member" attribute of the actual (new) primary
1917 ret = samldb_add_step(ac, samldb_prim_group_change_4);
1918 if (ret != LDB_SUCCESS) return ret;
1920 ret = samldb_add_step(ac, samldb_group_del_member);
1921 if (ret != LDB_SUCCESS) return ret;
1923 /* Add a "member" attribute for the previous primary group */
1925 ret = samldb_add_step(ac, samldb_prim_group_change_5);
1926 if (ret != LDB_SUCCESS) return ret;
1928 ret = samldb_add_step(ac, samldb_group_add_member);
1929 if (ret != LDB_SUCCESS) return ret;
1932 ret = samldb_add_step(ac, samldb_prim_group_change_6);
1933 if (ret != LDB_SUCCESS) return ret;
1935 return samldb_next_step(ac);
1938 static int samldb_prim_group_change_4(struct samldb_ctx *ac)
1940 ac->group_dn = ac->new_prim_group_dn;
1942 return samldb_next_step(ac);
1945 static int samldb_prim_group_change_5(struct samldb_ctx *ac)
1947 ac->group_dn = ac->old_prim_group_dn;
1949 return samldb_next_step(ac);
1952 static int samldb_prim_group_change_6(struct samldb_ctx *ac)
1954 return ldb_next_request(ac->module, ac->req);
1957 static int samldb_prim_group_change(struct samldb_ctx *ac)
1961 /* Finds out the DN of the new primary group */
1963 ret = samldb_add_step(ac, samldb_prim_group_change_1);
1964 if (ret != LDB_SUCCESS) return ret;
1966 ret = samldb_add_step(ac, samldb_dn_from_sid);
1967 if (ret != LDB_SUCCESS) return ret;
1969 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
1970 if (ret != LDB_SUCCESS) return ret;
1972 /* Finds out the DN of the old primary group */
1974 ret = samldb_add_step(ac, samldb_prim_group_change_2);
1975 if (ret != LDB_SUCCESS) return ret;
1977 ret = samldb_add_step(ac, samldb_dn_from_sid);
1978 if (ret != LDB_SUCCESS) return ret;
1980 ret = samldb_add_step(ac, samldb_prim_group_change_3);
1981 if (ret != LDB_SUCCESS) return ret;
1983 return samldb_first_step(ac);
1987 static int samldb_member_check_1(struct samldb_ctx *ac)
1989 struct ldb_context *ldb;
1990 struct ldb_message_element *el;
1992 ldb = ldb_module_get_ctx(ac->module);
1994 el = ldb_msg_find_element(ac->msg, "member");
1996 ac->user_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[ac->cnt]);
1997 if (!ldb_dn_validate(ac->user_dn))
1998 return LDB_ERR_OPERATIONS_ERROR;
1999 ac->prim_group_rid = 0;
2001 return samldb_next_step(ac);
2004 static int samldb_member_check_2(struct samldb_ctx *ac)
2006 struct ldb_context *ldb;
2008 ldb = ldb_module_get_ctx(ac->module);
2010 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
2011 ac->prim_group_rid);
2012 if (ac->sid == NULL)
2013 return LDB_ERR_OPERATIONS_ERROR;
2016 return samldb_next_step(ac);
2019 static int samldb_member_check_3(struct samldb_ctx *ac)
2021 if (ldb_dn_compare(ac->res_dn, ac->msg->dn) == 0)
2022 return LDB_ERR_ENTRY_ALREADY_EXISTS;
2026 return samldb_next_step(ac);
2029 static int samldb_member_check_4(struct samldb_ctx *ac)
2031 return ldb_next_request(ac->module, ac->req);
2034 static int samldb_member_check(struct samldb_ctx *ac)
2036 struct ldb_message_element *el;
2039 el = ldb_msg_find_element(ac->msg, "member");
2041 for (i = 0; i < el->num_values; i++) {
2042 /* Denies to add "member"s to groups which are primary ones
2044 ret = samldb_add_step(ac, samldb_member_check_1);
2045 if (ret != LDB_SUCCESS) return ret;
2047 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
2048 if (ret != LDB_SUCCESS) return ret;
2050 ret = samldb_add_step(ac, samldb_member_check_2);
2051 if (ret != LDB_SUCCESS) return ret;
2053 ret = samldb_add_step(ac, samldb_dn_from_sid);
2054 if (ret != LDB_SUCCESS) return ret;
2056 ret = samldb_add_step(ac, samldb_member_check_3);
2057 if (ret != LDB_SUCCESS) return ret;
2060 ret = samldb_add_step(ac, samldb_member_check_4);
2061 if (ret != LDB_SUCCESS) return ret;
2063 return samldb_first_step(ac);
2067 static int samldb_prim_group_users_check_1(struct samldb_ctx *ac)
2069 ac->dn = ac->req->op.del.dn;
2072 return samldb_next_step(ac);
2075 static int samldb_prim_group_users_check_2(struct samldb_ctx *ac)
2080 if (ac->res_sid == NULL) {
2081 /* No SID - therefore ok here */
2082 return ldb_next_request(ac->module, ac->req);
2084 status = dom_sid_split_rid(ac, ac->res_sid, NULL, &rid);
2085 if (!NT_STATUS_IS_OK(status))
2086 return LDB_ERR_OPERATIONS_ERROR;
2089 /* Special object (security principal?) */
2090 return ldb_next_request(ac->module, ac->req);
2093 ac->prim_group_rid = rid;
2096 return samldb_next_step(ac);
2099 static int samldb_prim_group_users_check_3(struct samldb_ctx *ac)
2101 if (ac->users_cnt > 0)
2102 return LDB_ERR_ENTRY_ALREADY_EXISTS;
2104 return ldb_next_request(ac->module, ac->req);
2107 static int samldb_prim_group_users_check(struct samldb_ctx *ac)
2111 /* Finds out the SID/RID of the domain object */
2113 ret = samldb_add_step(ac, samldb_prim_group_users_check_1);
2114 if (ret != LDB_SUCCESS) return ret;
2116 ret = samldb_add_step(ac, samldb_sid_from_dn);
2117 if (ret != LDB_SUCCESS) return ret;
2119 /* Deny delete requests from groups which are primary ones */
2121 ret = samldb_add_step(ac, samldb_prim_group_users_check_2);
2122 if (ret != LDB_SUCCESS) return ret;
2124 ret = samldb_add_step(ac, samldb_prim_group_rid_to_users_cnt);
2125 if (ret != LDB_SUCCESS) return ret;
2127 ret = samldb_add_step(ac, samldb_prim_group_users_check_3);
2128 if (ret != LDB_SUCCESS) return ret;
2130 return samldb_first_step(ac);
2135 static int samldb_add(struct ldb_module *module, struct ldb_request *req)
2137 struct ldb_context *ldb;
2138 struct samldb_ctx *ac;
2141 ldb = ldb_module_get_ctx(module);
2142 ldb_debug(ldb, LDB_DEBUG_TRACE, "samldb_add\n");
2144 /* do not manipulate our control entries */
2145 if (ldb_dn_is_special(req->op.add.message->dn)) {
2146 return ldb_next_request(module, req);
2149 ac = samldb_ctx_init(module, req);
2151 return LDB_ERR_OPERATIONS_ERROR;
2154 /* build the new msg */
2155 ac->msg = ldb_msg_copy(ac, ac->req->op.add.message);
2158 ldb_debug(ldb, LDB_DEBUG_FATAL,
2159 "samldb_add: ldb_msg_copy failed!\n");
2160 return LDB_ERR_OPERATIONS_ERROR;
2163 if (samdb_find_attribute(ldb, ac->msg,
2164 "objectclass", "computer") != NULL) {
2166 /* make sure the computer object also has the 'user'
2167 * objectclass so it will be handled by the next call */
2168 ret = samdb_find_or_add_value(ldb, ac->msg,
2169 "objectclass", "user");
2170 if (ret != LDB_SUCCESS) {
2176 if (samdb_find_attribute(ldb, ac->msg,
2177 "objectclass", "user") != NULL) {
2179 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2180 if (ret != LDB_SUCCESS) {
2185 return samldb_fill_object(ac, "user");
2188 if (samdb_find_attribute(ldb, ac->msg,
2189 "objectclass", "group") != NULL) {
2191 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2192 if (ret != LDB_SUCCESS) {
2197 return samldb_fill_object(ac, "group");
2200 /* perhaps a foreignSecurityPrincipal? */
2201 if (samdb_find_attribute(ldb, ac->msg,
2203 "foreignSecurityPrincipal") != NULL) {
2205 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2206 if (ret != LDB_SUCCESS) {
2211 return samldb_fill_foreignSecurityPrincipal_object(ac);
2214 if (samdb_find_attribute(ldb, ac->msg,
2215 "objectclass", "classSchema") != NULL) {
2217 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2218 if (ret != LDB_SUCCESS) {
2223 return samldb_fill_object(ac, "classSchema");
2226 if (samdb_find_attribute(ldb, ac->msg,
2227 "objectclass", "attributeSchema") != NULL) {
2229 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
2230 if (ret != LDB_SUCCESS) {
2235 return samldb_fill_object(ac, "attributeSchema");
2240 /* nothing matched, go on */
2241 return ldb_next_request(module, req);
2245 static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
2247 struct ldb_context *ldb;
2248 struct ldb_message *msg;
2249 struct ldb_message_element *el, *el2;
2251 uint32_t account_type;
2253 if (ldb_dn_is_special(req->op.mod.message->dn)) {
2254 /* do not manipulate our control entries */
2255 return ldb_next_request(module, req);
2258 ldb = ldb_module_get_ctx(module);
2260 if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
2261 ldb_asprintf_errstring(ldb,
2262 "sAMAccountType must not be specified!\n");
2263 return LDB_ERR_UNWILLING_TO_PERFORM;
2266 /* TODO: do not modify original request, create a new one */
2268 el = ldb_msg_find_element(req->op.mod.message, "groupType");
2269 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2270 uint32_t group_type;
2272 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
2273 req->op.mod.message);
2275 group_type = strtoul((const char *)el->values[0].data, NULL, 0);
2276 account_type = ds_gtype2atype(group_type);
2277 ret = samdb_msg_add_uint(ldb, msg, msg,
2280 if (ret != LDB_SUCCESS) {
2283 el2 = ldb_msg_find_element(msg, "sAMAccountType");
2284 el2->flags = LDB_FLAG_MOD_REPLACE;
2287 el = ldb_msg_find_element(req->op.mod.message, "userAccountControl");
2288 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2289 uint32_t user_account_control;
2291 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
2292 req->op.mod.message);
2294 user_account_control = strtoul((const char *)el->values[0].data,
2296 account_type = ds_uf2atype(user_account_control);
2297 ret = samdb_msg_add_uint(ldb, msg, msg,
2300 if (ret != LDB_SUCCESS) {
2303 el2 = ldb_msg_find_element(msg, "sAMAccountType");
2304 el2->flags = LDB_FLAG_MOD_REPLACE;
2306 if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
2307 ret = samdb_msg_add_string(ldb, msg, msg,
2308 "isCriticalSystemObject", "TRUE");
2309 if (ret != LDB_SUCCESS) {
2312 el2 = ldb_msg_find_element(msg, "isCriticalSystemObject");
2313 el2->flags = LDB_FLAG_MOD_REPLACE;
2317 el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
2318 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2319 struct samldb_ctx *ac;
2321 ac = samldb_ctx_init(module, req);
2323 return LDB_ERR_OPERATIONS_ERROR;
2325 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2326 req->op.mod.message);
2328 return samldb_prim_group_change(ac);
2331 el = ldb_msg_find_element(req->op.mod.message, "member");
2332 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2333 struct samldb_ctx *ac;
2335 ac = samldb_ctx_init(module, req);
2337 return LDB_ERR_OPERATIONS_ERROR;
2339 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2340 req->op.mod.message);
2342 return samldb_member_check(ac);
2345 /* nothing matched, go on */
2346 return ldb_next_request(module, req);
2350 static int samldb_delete(struct ldb_module *module, struct ldb_request *req)
2352 struct samldb_ctx *ac;
2354 if (ldb_dn_is_special(req->op.del.dn)) {
2355 /* do not manipulate our control entries */
2356 return ldb_next_request(module, req);
2359 ac = samldb_ctx_init(module, req);
2361 return LDB_ERR_OPERATIONS_ERROR;
2363 return samldb_prim_group_users_check(ac);
2367 static int samldb_init(struct ldb_module *module)
2369 return ldb_next_init(module);
2372 _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = {
2374 .init_context = samldb_init,
2376 .modify = samldb_modify,
2377 .del = samldb_delete