4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
5 Copyright (C) Simo Sorce 2004-2008
6 Copyright (C) Matthias Dieter Wallnöfer 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: ldb samldb module
27 * Description: add embedded user/group creation functionality
33 #include "libcli/ldap/ldap_ndr.h"
34 #include "ldb_module.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "libcli/security/security.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "../lib/util/util_ldb.h"
43 typedef int (*samldb_step_fn_t)(struct samldb_ctx *);
46 struct samldb_step *next;
51 struct ldb_module *module;
52 struct ldb_request *req;
54 /* used for add operations */
57 /* the resulting message */
58 struct ldb_message *msg;
60 /* used to find parent domain */
61 struct ldb_dn *check_dn;
62 struct ldb_dn *domain_dn;
63 struct dom_sid *domain_sid;
66 /* holds the entry SID */
69 /* holds a generic dn */
72 /* used in conjunction with "sid" in "samldb_dn_from_sid" */
73 struct ldb_dn *res_dn;
75 /* used in conjunction with "dn" in "samldb_sid_from_dn" */
76 struct dom_sid *res_sid;
78 /* used in "samldb_user_dn_to_prim_group_rid" */
79 uint32_t prim_group_rid;
81 /* used in conjunction with "prim_group_rid" in
82 * "samldb_prim_group_rid_to_users_cnt" */
83 unsigned int users_cnt;
85 /* used in "samldb_group_add_member" and "samldb_group_del_member" */
86 struct ldb_dn *group_dn;
87 struct ldb_dn *member_dn;
89 /* used in "samldb_primary_group_change" */
90 struct ldb_dn *user_dn;
91 struct ldb_dn *old_prim_group_dn, *new_prim_group_dn;
93 /* generic counter - used in "samldb_member_check" */
96 /* all the async steps necessary to complete the operation */
97 struct samldb_step *steps;
98 struct samldb_step *curstep;
101 static struct samldb_ctx *samldb_ctx_init(struct ldb_module *module,
102 struct ldb_request *req)
104 struct ldb_context *ldb;
105 struct samldb_ctx *ac;
107 ldb = ldb_module_get_ctx(module);
109 ac = talloc_zero(req, struct samldb_ctx);
121 static int samldb_add_step(struct samldb_ctx *ac, samldb_step_fn_t fn)
123 struct samldb_step *step, *stepper;
125 step = talloc_zero(ac, struct samldb_step);
127 return LDB_ERR_OPERATIONS_ERROR;
132 if (ac->steps == NULL) {
136 if (ac->curstep == NULL)
137 return LDB_ERR_OPERATIONS_ERROR;
138 for (stepper = ac->curstep; stepper->next != NULL;
139 stepper = stepper->next);
140 stepper->next = step;
146 static int samldb_first_step(struct samldb_ctx *ac)
148 if (ac->steps == NULL) {
149 return LDB_ERR_OPERATIONS_ERROR;
152 ac->curstep = ac->steps;
153 return ac->curstep->fn(ac);
156 static int samldb_next_step(struct samldb_ctx *ac)
158 if (ac->curstep->next) {
159 ac->curstep = ac->curstep->next;
160 return ac->curstep->fn(ac);
163 /* it is an error if the last step does not properly
164 * return to the upper module by itself */
165 return LDB_ERR_OPERATIONS_ERROR;
169 * samldb_get_parent_domain (async)
172 static int samldb_get_parent_domain(struct samldb_ctx *ac);
174 static int samldb_get_parent_domain_callback(struct ldb_request *req,
175 struct ldb_reply *ares)
177 struct ldb_context *ldb;
178 struct samldb_ctx *ac;
182 ac = talloc_get_type(req->context, struct samldb_ctx);
183 ldb = ldb_module_get_ctx(ac->module);
186 ret = LDB_ERR_OPERATIONS_ERROR;
189 if (ares->error != LDB_SUCCESS) {
190 return ldb_module_done(ac->req, ares->controls,
191 ares->response, ares->error);
194 switch (ares->type) {
195 case LDB_REPLY_ENTRY:
197 if ((ac->domain_dn != NULL) || (ac->domain_sid != NULL)) {
199 ldb_set_errstring(ldb,
200 "Invalid number of results while searching "
201 "for domain object!");
202 ret = LDB_ERR_OPERATIONS_ERROR;
206 nextRid = ldb_msg_find_attr_as_string(ares->message,
208 if (nextRid == NULL) {
209 ldb_asprintf_errstring(ldb,
210 "While looking for domain above %s attribute nextRid not found in %s!\n",
211 ldb_dn_get_linearized(
212 ac->req->op.add.message->dn),
213 ldb_dn_get_linearized(ares->message->dn));
214 ret = LDB_ERR_OPERATIONS_ERROR;
218 ac->next_rid = strtol(nextRid, NULL, 0);
220 ac->domain_sid = samdb_result_dom_sid(ac, ares->message,
222 if (ac->domain_sid == NULL) {
223 ldb_set_errstring(ldb,
224 "Unable to get the parent domain SID!\n");
225 ret = LDB_ERR_CONSTRAINT_VIOLATION;
228 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
234 case LDB_REPLY_REFERRAL:
242 if ((ac->domain_dn == NULL) || (ac->domain_sid == NULL)) {
243 /* not found -> retry */
244 ret = samldb_get_parent_domain(ac);
247 ret = samldb_next_step(ac);
253 if (ret != LDB_SUCCESS) {
254 return ldb_module_done(ac->req, NULL, NULL, ret);
260 /* Find a domain object in the parents of a particular DN. */
261 static int samldb_get_parent_domain(struct samldb_ctx *ac)
263 struct ldb_context *ldb;
264 static const char * const attrs[] = { "objectSid", "nextRid", NULL };
265 struct ldb_request *req;
269 ldb = ldb_module_get_ctx(ac->module);
271 if (ac->check_dn == NULL) {
272 return LDB_ERR_OPERATIONS_ERROR;
275 dn = ldb_dn_get_parent(ac, ac->check_dn);
277 ldb_set_errstring(ldb,
278 "Unable to find parent domain object!");
279 return LDB_ERR_CONSTRAINT_VIOLATION;
284 ret = ldb_build_search_req(&req, ldb, ac,
286 "(|(objectClass=domain)"
287 "(objectClass=builtinDomain))",
290 ac, samldb_get_parent_domain_callback,
293 if (ret != LDB_SUCCESS) {
297 return ldb_next_request(ac->module, req);
301 static int samldb_generate_samAccountName(struct ldb_message *msg)
305 /* Format: $000000-000000000000 */
307 name = talloc_asprintf(msg, "$%.6X-%.6X%.6X",
308 (unsigned int)generate_random(),
309 (unsigned int)generate_random(),
310 (unsigned int)generate_random());
312 return LDB_ERR_OPERATIONS_ERROR;
314 return ldb_msg_add_steal_string(msg, "samAccountName", name);
318 * samldb_check_samAccountName (async)
321 static int samldb_check_samAccountName_callback(struct ldb_request *req,
322 struct ldb_reply *ares)
324 struct samldb_ctx *ac;
327 ac = talloc_get_type(req->context, struct samldb_ctx);
329 if (ares->error != LDB_SUCCESS) {
330 return ldb_module_done(ac->req, ares->controls,
331 ares->response, ares->error);
334 switch (ares->type) {
335 case LDB_REPLY_ENTRY:
336 /* if we get an entry it means this samAccountName
338 return ldb_module_done(ac->req, NULL, NULL,
339 LDB_ERR_ENTRY_ALREADY_EXISTS);
341 case LDB_REPLY_REFERRAL:
342 /* this should not happen */
343 return ldb_module_done(ac->req, NULL, NULL,
344 LDB_ERR_OPERATIONS_ERROR);
347 /* not found, go on */
349 ret = samldb_next_step(ac);
353 if (ret != LDB_SUCCESS) {
354 return ldb_module_done(ac->req, NULL, NULL, ret);
360 static int samldb_check_samAccountName(struct samldb_ctx *ac)
362 struct ldb_context *ldb;
363 struct ldb_request *req;
368 ldb = ldb_module_get_ctx(ac->module);
370 if (ldb_msg_find_element(ac->msg, "samAccountName") == NULL) {
371 ret = samldb_generate_samAccountName(ac->msg);
372 if (ret != LDB_SUCCESS) {
377 name = ldb_msg_find_attr_as_string(ac->msg, "samAccountName", NULL);
379 return LDB_ERR_OPERATIONS_ERROR;
381 filter = talloc_asprintf(ac, "samAccountName=%s", ldb_binary_encode_string(ac, name));
382 if (filter == NULL) {
383 return LDB_ERR_OPERATIONS_ERROR;
386 ret = ldb_build_search_req(&req, ldb, ac,
387 ac->domain_dn, LDB_SCOPE_SUBTREE,
390 ac, samldb_check_samAccountName_callback,
393 if (ret != LDB_SUCCESS) {
396 return ldb_next_request(ac->module, req);
400 static int samldb_check_samAccountType(struct samldb_ctx *ac)
402 struct ldb_context *ldb;
403 unsigned int account_type;
404 unsigned int group_type;
408 ldb = ldb_module_get_ctx(ac->module);
410 /* make sure sAMAccountType is not specified */
411 if (ldb_msg_find_element(ac->msg, "sAMAccountType") != NULL) {
412 ldb_asprintf_errstring(ldb,
413 "sAMAccountType must not be specified!");
414 return LDB_ERR_UNWILLING_TO_PERFORM;
417 if (strcmp("user", ac->type) == 0) {
418 uac = samdb_result_uint(ac->msg, "userAccountControl", 0);
420 ldb_asprintf_errstring(ldb,
421 "userAccountControl invalid!");
422 return LDB_ERR_UNWILLING_TO_PERFORM;
424 account_type = ds_uf2atype(uac);
425 ret = samdb_msg_add_uint(ldb,
429 if (ret != LDB_SUCCESS) {
434 if (strcmp("group", ac->type) == 0) {
436 group_type = samdb_result_uint(ac->msg, "groupType", 0);
437 if (group_type == 0) {
438 ldb_asprintf_errstring(ldb,
439 "groupType invalid!");
440 return LDB_ERR_UNWILLING_TO_PERFORM;
442 account_type = ds_gtype2atype(group_type);
443 ret = samdb_msg_add_uint(ldb,
447 if (ret != LDB_SUCCESS) {
453 return samldb_next_step(ac);
458 * samldb_get_sid_domain (async)
461 static int samldb_get_sid_domain_callback(struct ldb_request *req,
462 struct ldb_reply *ares)
464 struct ldb_context *ldb;
465 struct samldb_ctx *ac;
469 ac = talloc_get_type(req->context, struct samldb_ctx);
470 ldb = ldb_module_get_ctx(ac->module);
473 ret = LDB_ERR_OPERATIONS_ERROR;
476 if (ares->error != LDB_SUCCESS) {
477 return ldb_module_done(ac->req, ares->controls,
478 ares->response, ares->error);
481 switch (ares->type) {
482 case LDB_REPLY_ENTRY:
484 if (ac->next_rid != 0) {
486 ldb_set_errstring(ldb,
487 "Invalid number of results while searching "
488 "for domain object!");
489 ret = LDB_ERR_OPERATIONS_ERROR;
493 nextRid = ldb_msg_find_attr_as_string(ares->message,
495 if (nextRid == NULL) {
496 ldb_asprintf_errstring(ldb,
497 "Attribute nextRid not found in %s!\n",
498 ldb_dn_get_linearized(ares->message->dn));
499 ret = LDB_ERR_OPERATIONS_ERROR;
503 ac->next_rid = strtol(nextRid, NULL, 0);
505 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
511 case LDB_REPLY_REFERRAL:
519 if (ac->next_rid == 0) {
520 ldb_asprintf_errstring(ldb,
521 "Unable to get nextRid from domain entry!\n");
522 ret = LDB_ERR_OPERATIONS_ERROR;
527 ret = samldb_next_step(ac);
532 if (ret != LDB_SUCCESS) {
533 return ldb_module_done(ac->req, NULL, NULL, ret);
539 /* Find a domain object in the parents of a particular DN. */
540 static int samldb_get_sid_domain(struct samldb_ctx *ac)
542 struct ldb_context *ldb;
543 static const char * const attrs[2] = { "nextRid", NULL };
544 struct ldb_request *req;
548 ldb = ldb_module_get_ctx(ac->module);
550 if (ac->sid == NULL) {
551 return LDB_ERR_OPERATIONS_ERROR;
554 ac->domain_sid = dom_sid_dup(ac, ac->sid);
555 if (!ac->domain_sid) {
556 return LDB_ERR_OPERATIONS_ERROR;
558 /* get the domain component part of the provided SID */
559 ac->domain_sid->num_auths--;
561 filter = talloc_asprintf(ac,
563 "(|(objectClass=domain)"
564 "(objectClass=builtinDomain)))",
565 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
566 if (filter == NULL) {
567 return LDB_ERR_OPERATIONS_ERROR;
570 ret = ldb_build_search_req(&req, ldb, ac,
571 ldb_get_default_basedn(ldb),
575 ac, samldb_get_sid_domain_callback,
578 if (ret != LDB_SUCCESS) {
583 return ldb_next_request(ac->module, req);
587 * samldb_dn_from_sid (async)
590 static int samldb_dn_from_sid(struct samldb_ctx *ac);
592 static int samldb_dn_from_sid_callback(struct ldb_request *req,
593 struct ldb_reply *ares)
595 struct ldb_context *ldb;
596 struct samldb_ctx *ac;
599 ac = talloc_get_type(req->context, struct samldb_ctx);
600 ldb = ldb_module_get_ctx(ac->module);
603 ret = LDB_ERR_OPERATIONS_ERROR;
606 if (ares->error != LDB_SUCCESS) {
607 return ldb_module_done(ac->req, ares->controls,
608 ares->response, ares->error);
611 switch (ares->type) {
612 case LDB_REPLY_ENTRY:
614 if (ac->res_dn != NULL) {
616 ldb_set_errstring(ldb,
617 "Invalid number of results while searching "
618 "for domain objects!");
619 ret = LDB_ERR_OPERATIONS_ERROR;
622 ac->res_dn = ldb_dn_copy(ac, ares->message->dn);
628 case LDB_REPLY_REFERRAL:
637 /* found or not found, go on */
638 ret = samldb_next_step(ac);
643 if (ret != LDB_SUCCESS) {
644 return ldb_module_done(ac->req, NULL, NULL, ret);
650 /* Finds the DN "res_dn" of an object with a given SID "sid" */
651 static int samldb_dn_from_sid(struct samldb_ctx *ac)
653 struct ldb_context *ldb;
654 static const char * const attrs[] = { NULL };
655 struct ldb_request *req;
659 ldb = ldb_module_get_ctx(ac->module);
662 return LDB_ERR_OPERATIONS_ERROR;
664 filter = talloc_asprintf(ac, "(objectSid=%s)",
665 ldap_encode_ndr_dom_sid(ac, ac->sid));
667 return LDB_ERR_OPERATIONS_ERROR;
669 ret = ldb_build_search_req(&req, ldb, ac,
670 ldb_get_default_basedn(ldb),
674 ac, samldb_dn_from_sid_callback,
676 if (ret != LDB_SUCCESS)
679 return ldb_next_request(ac->module, req);
683 static int samldb_check_primaryGroupID_1(struct samldb_ctx *ac)
685 struct ldb_context *ldb;
688 ldb = ldb_module_get_ctx(ac->module);
690 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
691 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
693 return LDB_ERR_OPERATIONS_ERROR;
696 return samldb_next_step(ac);
699 static int samldb_check_primaryGroupID_2(struct samldb_ctx *ac)
701 if (ac->res_dn == NULL) {
702 struct ldb_context *ldb;
703 ldb = ldb_module_get_ctx(ac->module);
704 ldb_asprintf_errstring(ldb,
705 "Failed to find group sid %s",
706 dom_sid_string(ac->sid, ac->sid));
707 return LDB_ERR_UNWILLING_TO_PERFORM;
710 return samldb_next_step(ac);
714 static bool samldb_msg_add_sid(struct ldb_message *msg,
716 const struct dom_sid *sid)
719 enum ndr_err_code ndr_err;
721 ndr_err = ndr_push_struct_blob(&v, msg, NULL, sid,
722 (ndr_push_flags_fn_t)ndr_push_dom_sid);
723 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
726 return (ldb_msg_add_value(msg, name, &v, NULL) == 0);
729 static int samldb_new_sid(struct samldb_ctx *ac)
732 if (ac->domain_sid == NULL || ac->next_rid == 0) {
733 return LDB_ERR_OPERATIONS_ERROR;
736 ac->sid = dom_sid_add_rid(ac, ac->domain_sid, ac->next_rid + 1);
737 if (ac->sid == NULL) {
738 return LDB_ERR_OPERATIONS_ERROR;
741 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
742 return LDB_ERR_OPERATIONS_ERROR;
745 return samldb_next_step(ac);
749 * samldb_notice_sid_callback (async)
752 static int samldb_notice_sid_callback(struct ldb_request *req,
753 struct ldb_reply *ares)
755 struct ldb_context *ldb;
756 struct samldb_ctx *ac;
759 ac = talloc_get_type(req->context, struct samldb_ctx);
760 ldb = ldb_module_get_ctx(ac->module);
763 ret = LDB_ERR_OPERATIONS_ERROR;
766 if (ares->error != LDB_SUCCESS) {
767 return ldb_module_done(ac->req, ares->controls,
768 ares->response, ares->error);
770 if (ares->type != LDB_REPLY_DONE) {
771 ldb_set_errstring(ldb,
772 "Invalid reply type!\n");
773 ret = LDB_ERR_OPERATIONS_ERROR;
777 ret = samldb_next_step(ac);
780 if (ret != LDB_SUCCESS) {
781 return ldb_module_done(ac->req, NULL, NULL, ret);
787 /* If we are adding new users/groups, we need to update the nextRid
788 * attribute to be 'above' the new/incoming RID. Attempt to do it
790 static int samldb_notice_sid(struct samldb_ctx *ac)
792 struct ldb_context *ldb;
793 uint32_t old_id, new_id;
794 struct ldb_request *req;
795 struct ldb_message *msg;
796 struct ldb_message_element *els;
797 struct ldb_val *vals;
800 ldb = ldb_module_get_ctx(ac->module);
801 old_id = ac->next_rid;
802 new_id = ac->sid->sub_auths[ac->sid->num_auths - 1];
804 if (old_id >= new_id) {
805 /* no need to update the domain nextRid attribute */
806 return samldb_next_step(ac);
809 /* we do a delete and add as a single operation. That prevents
810 a race, in case we are not actually on a transaction db */
811 msg = ldb_msg_new(ac);
814 return LDB_ERR_OPERATIONS_ERROR;
816 els = talloc_array(msg, struct ldb_message_element, 2);
819 return LDB_ERR_OPERATIONS_ERROR;
821 vals = talloc_array(msg, struct ldb_val, 2);
824 return LDB_ERR_OPERATIONS_ERROR;
826 msg->dn = ac->domain_dn;
827 msg->num_elements = 2;
830 els[0].num_values = 1;
831 els[0].values = &vals[0];
832 els[0].flags = LDB_FLAG_MOD_DELETE;
833 els[0].name = talloc_strdup(msg, "nextRid");
836 return LDB_ERR_OPERATIONS_ERROR;
839 els[1].num_values = 1;
840 els[1].values = &vals[1];
841 els[1].flags = LDB_FLAG_MOD_ADD;
842 els[1].name = els[0].name;
844 vals[0].data = (uint8_t *)talloc_asprintf(vals, "%u", old_id);
847 return LDB_ERR_OPERATIONS_ERROR;
849 vals[0].length = strlen((char *)vals[0].data);
851 vals[1].data = (uint8_t *)talloc_asprintf(vals, "%u", new_id);
854 return LDB_ERR_OPERATIONS_ERROR;
856 vals[1].length = strlen((char *)vals[1].data);
858 ret = ldb_build_mod_req(&req, ldb, ac,
860 ac, samldb_notice_sid_callback,
862 if (ret != LDB_SUCCESS) {
866 return ldb_next_request(ac->module, req);
870 * samldb_add_entry (async)
873 static int samldb_add_entry_callback(struct ldb_request *req,
874 struct ldb_reply *ares)
876 struct ldb_context *ldb;
877 struct samldb_ctx *ac;
879 ac = talloc_get_type(req->context, struct samldb_ctx);
880 ldb = ldb_module_get_ctx(ac->module);
883 return ldb_module_done(ac->req, NULL, NULL,
884 LDB_ERR_OPERATIONS_ERROR);
886 if (ares->error != LDB_SUCCESS) {
887 return ldb_module_done(ac->req, ares->controls,
888 ares->response, ares->error);
890 if (ares->type != LDB_REPLY_DONE) {
891 ldb_set_errstring(ldb,
892 "Invalid reply type!\n");
893 return ldb_module_done(ac->req, NULL, NULL,
894 LDB_ERR_OPERATIONS_ERROR);
897 /* we exit the samldb module here */
898 return ldb_module_done(ac->req, ares->controls,
899 ares->response, LDB_SUCCESS);
902 static int samldb_add_entry(struct samldb_ctx *ac)
904 struct ldb_context *ldb;
905 struct ldb_request *req;
908 ldb = ldb_module_get_ctx(ac->module);
910 ret = ldb_build_add_req(&req, ldb, ac,
913 ac, samldb_add_entry_callback,
915 if (ret != LDB_SUCCESS) {
919 return ldb_next_request(ac->module, req);
923 static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
925 struct ldb_context *ldb;
928 ldb = ldb_module_get_ctx(ac->module);
930 /* search for a parent domain objet */
931 ac->check_dn = ac->req->op.add.message->dn;
932 ret = samldb_add_step(ac, samldb_get_parent_domain);
933 if (ret != LDB_SUCCESS) return ret;
935 /* Add informations for the different account types */
937 if (strcmp(ac->type, "user") == 0) {
938 ret = samdb_find_or_add_attribute(ldb, ac->msg,
939 "userAccountControl", "546");
940 if (ret != LDB_SUCCESS) return ret;
941 ret = samdb_find_or_add_attribute(ldb, ac->msg,
943 if (ret != LDB_SUCCESS) return ret;
944 ret = samdb_find_or_add_attribute(ldb, ac->msg,
946 if (ret != LDB_SUCCESS) return ret;
947 ret = samdb_find_or_add_attribute(ldb, ac->msg,
949 if (ret != LDB_SUCCESS) return ret;
950 ret = samdb_find_or_add_attribute(ldb, ac->msg,
951 "badPasswordTime", "0");
952 if (ret != LDB_SUCCESS) return ret;
953 ret = samdb_find_or_add_attribute(ldb, ac->msg,
955 if (ret != LDB_SUCCESS) return ret;
956 ret = samdb_find_or_add_attribute(ldb, ac->msg,
958 if (ret != LDB_SUCCESS) return ret;
959 ret = samdb_find_or_add_attribute(ldb, ac->msg,
961 if (ret != LDB_SUCCESS) return ret;
962 ret = samdb_find_or_add_attribute(ldb, ac->msg,
963 "primaryGroupID", "513");
964 if (ret != LDB_SUCCESS) return ret;
965 ret = samdb_find_or_add_attribute(ldb, ac->msg,
966 "accountExpires", "9223372036854775807");
967 if (ret != LDB_SUCCESS) return ret;
968 ret = samdb_find_or_add_attribute(ldb, ac->msg,
970 if (ret != LDB_SUCCESS) return ret;
971 } else if (strcmp(ac->type, "group") == 0) {
972 ret = samdb_find_or_add_attribute(ldb, ac->msg,
973 "groupType", "-2147483646");
974 if (ret != LDB_SUCCESS) return ret;
976 /* we should only have "user" and "group" */
977 ldb_asprintf_errstring(ldb,
978 "Invalid entry type!\n");
979 return LDB_ERR_OPERATIONS_ERROR;
982 /* check if we have a valid samAccountName */
983 ret = samldb_add_step(ac, samldb_check_samAccountName);
984 if (ret != LDB_SUCCESS) return ret;
986 /* check account_type/group_type */
987 ret = samldb_add_step(ac, samldb_check_samAccountType);
988 if (ret != LDB_SUCCESS) return ret;
990 /* check if we have a valid primary group ID */
991 if (strcmp(ac->type, "user") == 0) {
992 ret = samldb_add_step(ac, samldb_check_primaryGroupID_1);
993 if (ret != LDB_SUCCESS) return ret;
994 ret = samldb_add_step(ac, samldb_dn_from_sid);
995 if (ret != LDB_SUCCESS) return ret;
996 ret = samldb_add_step(ac, samldb_check_primaryGroupID_2);
997 if (ret != LDB_SUCCESS) return ret;
1000 /* check if we have a valid SID */
1001 ac->sid = samdb_result_dom_sid(ac, ac->msg, "objectSid");
1003 ret = samldb_add_step(ac, samldb_new_sid);
1004 if (ret != LDB_SUCCESS) return ret;
1006 ret = samldb_add_step(ac, samldb_get_sid_domain);
1007 if (ret != LDB_SUCCESS) return ret;
1010 ret = samldb_add_step(ac, samldb_notice_sid);
1011 if (ret != LDB_SUCCESS) return ret;
1013 /* finally proceed with adding the entry */
1014 ret = samldb_add_step(ac, samldb_add_entry);
1015 if (ret != LDB_SUCCESS) return ret;
1017 return samldb_first_step(ac);
1021 * samldb_foreign_notice_sid (async)
1024 static int samldb_foreign_notice_sid_callback(struct ldb_request *req,
1025 struct ldb_reply *ares)
1027 struct ldb_context *ldb;
1028 struct samldb_ctx *ac;
1029 const char *nextRid;
1033 ac = talloc_get_type(req->context, struct samldb_ctx);
1034 ldb = ldb_module_get_ctx(ac->module);
1037 ret = LDB_ERR_OPERATIONS_ERROR;
1040 if (ares->error != LDB_SUCCESS) {
1041 return ldb_module_done(ac->req, ares->controls,
1042 ares->response, ares->error);
1045 switch (ares->type) {
1046 case LDB_REPLY_ENTRY:
1048 if (ac->next_rid != 0) {
1050 ldb_set_errstring(ldb,
1051 "Invalid number of results while searching "
1052 "for domain object!");
1053 ret = LDB_ERR_OPERATIONS_ERROR;
1057 nextRid = ldb_msg_find_attr_as_string(ares->message,
1059 if (nextRid == NULL) {
1060 ldb_asprintf_errstring(ldb,
1061 "while looking for forign sid %s attribute nextRid not found in %s\n",
1062 dom_sid_string(ares, ac->sid),
1063 ldb_dn_get_linearized(ares->message->dn));
1064 ret = LDB_ERR_OPERATIONS_ERROR;
1068 ac->next_rid = strtol(nextRid, NULL, 0);
1070 ac->domain_dn = ldb_dn_copy(ac, ares->message->dn);
1072 name = samdb_result_string(ares->message, "name", NULL);
1073 ldb_debug(ldb, LDB_DEBUG_TRACE,
1074 "NOTE (strange but valid): Adding foreign SID "
1075 "record with SID %s, but this domain (%s) is "
1076 "not foreign in the database",
1077 dom_sid_string(ares, ac->sid), name);
1083 case LDB_REPLY_REFERRAL:
1089 case LDB_REPLY_DONE:
1092 /* if this is a fake foreign SID, notice the SID */
1093 if (ac->domain_dn) {
1094 ret = samldb_notice_sid(ac);
1099 ret = samldb_next_step(ac);
1104 if (ret != LDB_SUCCESS) {
1105 return ldb_module_done(ac->req, NULL, NULL, ret);
1111 /* Find a domain object in the parents of a particular DN. */
1112 static int samldb_foreign_notice_sid(struct samldb_ctx *ac)
1114 struct ldb_context *ldb;
1115 static const char * const attrs[3] = { "nextRid", "name", NULL };
1116 struct ldb_request *req;
1121 ldb = ldb_module_get_ctx(ac->module);
1123 if (ac->sid == NULL) {
1124 return LDB_ERR_OPERATIONS_ERROR;
1127 status = dom_sid_split_rid(ac, ac->sid, &ac->domain_sid, NULL);
1128 if (!NT_STATUS_IS_OK(status)) {
1129 return LDB_ERR_OPERATIONS_ERROR;
1132 filter = talloc_asprintf(ac, "(&(objectSid=%s)(objectclass=domain))",
1133 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
1134 if (filter == NULL) {
1135 return LDB_ERR_OPERATIONS_ERROR;
1138 ret = ldb_build_search_req(&req, ldb, ac,
1139 ldb_get_default_basedn(ldb),
1143 ac, samldb_foreign_notice_sid_callback,
1146 if (ret != LDB_SUCCESS) {
1150 return ldb_next_request(ac->module, req);
1154 static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac)
1156 struct ldb_context *ldb;
1159 ldb = ldb_module_get_ctx(ac->module);
1163 ac->sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
1164 if (ac->sid == NULL) {
1165 ac->sid = dom_sid_parse_talloc(ac->msg,
1166 (const char *)ldb_dn_get_rdn_val(ac->msg->dn)->data);
1168 ldb_set_errstring(ldb,
1169 "No valid SID found in "
1170 "ForeignSecurityPrincipal CN!");
1172 return LDB_ERR_CONSTRAINT_VIOLATION;
1174 if ( ! samldb_msg_add_sid(ac->msg, "objectSid", ac->sid)) {
1176 return LDB_ERR_OPERATIONS_ERROR;
1180 /* check if we need to notice this SID */
1181 ret = samldb_add_step(ac, samldb_foreign_notice_sid);
1182 if (ret != LDB_SUCCESS) return ret;
1184 /* finally proceed with adding the entry */
1185 ret = samldb_add_step(ac, samldb_add_entry);
1186 if (ret != LDB_SUCCESS) return ret;
1188 return samldb_first_step(ac);
1191 static int samldb_check_rdn(struct ldb_module *module, struct ldb_dn *dn)
1193 struct ldb_context *ldb;
1194 const char *rdn_name;
1196 ldb = ldb_module_get_ctx(module);
1197 rdn_name = ldb_dn_get_rdn_name(dn);
1199 if (strcasecmp(rdn_name, "cn") != 0) {
1200 ldb_asprintf_errstring(ldb,
1201 "Bad RDN (%s=) for samldb object, "
1202 "should be CN=!\n", rdn_name);
1203 return LDB_ERR_CONSTRAINT_VIOLATION;
1210 * samldb_sid_from_dn (async)
1213 static int samldb_sid_from_dn(struct samldb_ctx *ac);
1215 static int samldb_sid_from_dn_callback(struct ldb_request *req,
1216 struct ldb_reply *ares)
1218 struct ldb_context *ldb;
1219 struct samldb_ctx *ac;
1222 ac = talloc_get_type(req->context, struct samldb_ctx);
1223 ldb = ldb_module_get_ctx(ac->module);
1226 ret = LDB_ERR_OPERATIONS_ERROR;
1229 if (ares->error != LDB_SUCCESS) {
1230 return ldb_module_done(ac->req, ares->controls,
1231 ares->response, ares->error);
1234 switch (ares->type) {
1235 case LDB_REPLY_ENTRY:
1237 if (ac->res_sid != NULL) {
1239 ldb_set_errstring(ldb,
1240 "Invalid number of results while searching "
1241 "for domain objects!");
1242 ret = LDB_ERR_OPERATIONS_ERROR;
1245 ac->res_sid = samdb_result_dom_sid(ac, ares->message,
1252 case LDB_REPLY_REFERRAL:
1258 case LDB_REPLY_DONE:
1261 /* found or not found, go on */
1262 ret = samldb_next_step(ac);
1267 if (ret != LDB_SUCCESS) {
1268 return ldb_module_done(ac->req, NULL, NULL, ret);
1274 /* Finds the SID "res_sid" of an object with a given DN "dn" */
1275 static int samldb_sid_from_dn(struct samldb_ctx *ac)
1277 struct ldb_context *ldb;
1278 static const char * const attrs[] = { "objectSid" };
1279 struct ldb_request *req;
1282 ldb = ldb_module_get_ctx(ac->module);
1285 return LDB_ERR_OPERATIONS_ERROR;
1287 ret = ldb_build_search_req(&req, ldb, ac,
1292 ac, samldb_sid_from_dn_callback,
1294 if (ret != LDB_SUCCESS)
1297 return ldb_next_request(ac->module, req);
1301 * samldb_user_dn_to_prim_group_rid (async)
1304 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac);
1306 static int samldb_user_dn_to_prim_group_rid_callback(struct ldb_request *req,
1307 struct ldb_reply *ares)
1309 struct ldb_context *ldb;
1310 struct samldb_ctx *ac;
1313 ac = talloc_get_type(req->context, struct samldb_ctx);
1314 ldb = ldb_module_get_ctx(ac->module);
1317 ret = LDB_ERR_OPERATIONS_ERROR;
1320 if (ares->error != LDB_SUCCESS) {
1321 return ldb_module_done(ac->req, ares->controls,
1322 ares->response, ares->error);
1325 switch (ares->type) {
1326 case LDB_REPLY_ENTRY:
1328 if (ac->prim_group_rid != 0) {
1330 ldb_set_errstring(ldb,
1331 "Invalid number of results while searching "
1332 "for domain objects!");
1333 ret = LDB_ERR_OPERATIONS_ERROR;
1336 ac->prim_group_rid = samdb_result_uint(ares->message,
1337 "primaryGroupID", ~0);
1343 case LDB_REPLY_REFERRAL:
1349 case LDB_REPLY_DONE:
1351 if (ac->prim_group_rid == 0) {
1352 ldb_asprintf_errstring(ldb,
1353 "Unable to get the primary group RID!\n");
1354 ret = LDB_ERR_OPERATIONS_ERROR;
1359 ret = samldb_next_step(ac);
1364 if (ret != LDB_SUCCESS) {
1365 return ldb_module_done(ac->req, NULL, NULL, ret);
1371 /* Locates the "primaryGroupID" attribute from a certain user specified as
1372 * "user_dn". Saves the result in "prim_group_rid". */
1373 static int samldb_user_dn_to_prim_group_rid(struct samldb_ctx *ac)
1375 struct ldb_context *ldb;
1376 static const char * const attrs[] = { "primaryGroupID", NULL };
1377 struct ldb_request *req;
1380 ldb = ldb_module_get_ctx(ac->module);
1382 if (ac->user_dn == NULL)
1383 return LDB_ERR_OPERATIONS_ERROR;
1385 ret = ldb_build_search_req(&req, ldb, ac,
1390 ac, samldb_user_dn_to_prim_group_rid_callback,
1392 if (ret != LDB_SUCCESS)
1395 return ldb_next_request(ac->module, req);
1399 * samldb_prim_group_rid_to_users_cnt (async)
1402 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac);
1404 static int samldb_prim_group_rid_to_users_cnt_callback(struct ldb_request *req,
1405 struct ldb_reply *ares)
1407 struct ldb_context *ldb;
1408 struct samldb_ctx *ac;
1411 ac = talloc_get_type(req->context, struct samldb_ctx);
1412 ldb = ldb_module_get_ctx(ac->module);
1415 ret = LDB_ERR_OPERATIONS_ERROR;
1418 if (ares->error != LDB_SUCCESS) {
1419 return ldb_module_done(ac->req, ares->controls,
1420 ares->response, ares->error);
1423 switch (ares->type) {
1424 case LDB_REPLY_ENTRY:
1432 case LDB_REPLY_REFERRAL:
1438 case LDB_REPLY_DONE:
1441 /* found or not found, go on */
1442 ret = samldb_next_step(ac);
1447 if (ret != LDB_SUCCESS) {
1448 return ldb_module_done(ac->req, NULL, NULL, ret);
1454 /* Finds the amount of users which have the primary group "prim_group_rid" and
1455 * save the result in "users_cnt" */
1456 static int samldb_prim_group_rid_to_users_cnt(struct samldb_ctx *ac)
1458 struct ldb_context *ldb;
1459 static const char * const attrs[] = { NULL };
1460 struct ldb_request *req;
1464 ldb = ldb_module_get_ctx(ac->module);
1466 if ((ac->prim_group_rid == 0) || (ac->users_cnt != 0))
1467 return LDB_ERR_OPERATIONS_ERROR;
1469 filter = talloc_asprintf(ac, "(&(primaryGroupID=%u)(objectclass=user))",
1470 ac->prim_group_rid);
1472 return LDB_ERR_OPERATIONS_ERROR;
1474 ret = ldb_build_search_req(&req, ldb, ac,
1475 ldb_get_default_basedn(ldb),
1480 samldb_prim_group_rid_to_users_cnt_callback,
1482 if (ret != LDB_SUCCESS)
1485 return ldb_next_request(ac->module, req);
1489 * samldb_group_add_member (async)
1490 * samldb_group_del_member (async)
1493 static int samldb_group_add_del_member_callback(struct ldb_request *req,
1494 struct ldb_reply *ares)
1496 struct ldb_context *ldb;
1497 struct samldb_ctx *ac;
1500 ac = talloc_get_type(req->context, struct samldb_ctx);
1501 ldb = ldb_module_get_ctx(ac->module);
1504 ret = LDB_ERR_OPERATIONS_ERROR;
1507 if (ares->error != LDB_SUCCESS) {
1508 if (ares->error == LDB_ERR_NO_SUCH_ATTRIBUTE) {
1509 /* On error "NO_SUCH_ATTRIBUTE" (delete of an invalid
1510 * "member" attribute) return "UNWILLING_TO_PERFORM" */
1511 ares->error = LDB_ERR_UNWILLING_TO_PERFORM;
1513 return ldb_module_done(ac->req, ares->controls,
1514 ares->response, ares->error);
1516 if (ares->type != LDB_REPLY_DONE) {
1517 ldb_set_errstring(ldb,
1518 "Invalid reply type!\n");
1519 ret = LDB_ERR_OPERATIONS_ERROR;
1523 ret = samldb_next_step(ac);
1526 if (ret != LDB_SUCCESS) {
1527 return ldb_module_done(ac->req, NULL, NULL, ret);
1533 /* Adds a member with DN "member_dn" to a group with DN "group_dn" */
1534 static int samldb_group_add_member(struct samldb_ctx *ac)
1536 struct ldb_context *ldb;
1537 struct ldb_request *req;
1538 struct ldb_message *msg;
1541 ldb = ldb_module_get_ctx(ac->module);
1543 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1544 return LDB_ERR_OPERATIONS_ERROR;
1546 msg = ldb_msg_new(ac);
1547 msg->dn = ac->group_dn;
1548 samdb_msg_add_addval(ldb, ac, msg, "member",
1549 ldb_dn_get_linearized(ac->member_dn));
1551 ret = ldb_build_mod_req(&req, ldb, ac,
1553 ac, samldb_group_add_del_member_callback,
1555 if (ret != LDB_SUCCESS)
1558 return ldb_next_request(ac->module, req);
1561 /* Removes a member with DN "member_dn" from a group with DN "group_dn" */
1562 static int samldb_group_del_member(struct samldb_ctx *ac)
1564 struct ldb_context *ldb;
1565 struct ldb_request *req;
1566 struct ldb_message *msg;
1569 ldb = ldb_module_get_ctx(ac->module);
1571 if ((ac->group_dn == NULL) || (ac->member_dn == NULL))
1572 return LDB_ERR_OPERATIONS_ERROR;
1574 msg = ldb_msg_new(ac);
1575 msg->dn = ac->group_dn;
1576 samdb_msg_add_delval(ldb, ac, msg, "member",
1577 ldb_dn_get_linearized(ac->member_dn));
1579 ret = ldb_build_mod_req(&req, ldb, ac,
1581 ac, samldb_group_add_del_member_callback,
1583 if (ret != LDB_SUCCESS)
1586 return ldb_next_request(ac->module, req);
1590 static int samldb_prim_group_change_1(struct samldb_ctx *ac)
1592 struct ldb_context *ldb;
1595 ldb = ldb_module_get_ctx(ac->module);
1597 ac->user_dn = ac->msg->dn;
1599 rid = samdb_result_uint(ac->msg, "primaryGroupID", ~0);
1600 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), rid);
1601 if (ac->sid == NULL)
1602 return LDB_ERR_OPERATIONS_ERROR;
1605 ac->prim_group_rid = 0;
1607 return samldb_next_step(ac);
1610 static int samldb_prim_group_change_2(struct samldb_ctx *ac)
1612 struct ldb_context *ldb;
1614 ldb = ldb_module_get_ctx(ac->module);
1616 if (ac->res_dn != NULL)
1617 ac->new_prim_group_dn = ac->res_dn;
1619 return LDB_ERR_UNWILLING_TO_PERFORM;
1621 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
1622 ac->prim_group_rid);
1623 if (ac->sid == NULL)
1624 return LDB_ERR_OPERATIONS_ERROR;
1627 return samldb_next_step(ac);
1630 static int samldb_prim_group_change_4(struct samldb_ctx *ac);
1631 static int samldb_prim_group_change_5(struct samldb_ctx *ac);
1632 static int samldb_prim_group_change_6(struct samldb_ctx *ac);
1634 static int samldb_prim_group_change_3(struct samldb_ctx *ac)
1638 if (ac->res_dn != NULL)
1639 ac->old_prim_group_dn = ac->res_dn;
1641 return LDB_ERR_UNWILLING_TO_PERFORM;
1643 /* Only update when the primary group changed */
1644 if (ldb_dn_compare(ac->old_prim_group_dn, ac->new_prim_group_dn) != 0) {
1645 ac->member_dn = ac->user_dn;
1646 /* Remove the "member" attribute of the actual (new) primary
1649 ret = samldb_add_step(ac, samldb_prim_group_change_4);
1650 if (ret != LDB_SUCCESS) return ret;
1652 ret = samldb_add_step(ac, samldb_group_del_member);
1653 if (ret != LDB_SUCCESS) return ret;
1655 /* Add a "member" attribute for the previous primary group */
1657 ret = samldb_add_step(ac, samldb_prim_group_change_5);
1658 if (ret != LDB_SUCCESS) return ret;
1660 ret = samldb_add_step(ac, samldb_group_add_member);
1661 if (ret != LDB_SUCCESS) return ret;
1664 ret = samldb_add_step(ac, samldb_prim_group_change_6);
1665 if (ret != LDB_SUCCESS) return ret;
1667 return samldb_next_step(ac);
1670 static int samldb_prim_group_change_4(struct samldb_ctx *ac)
1672 ac->group_dn = ac->new_prim_group_dn;
1674 return samldb_next_step(ac);
1677 static int samldb_prim_group_change_5(struct samldb_ctx *ac)
1679 ac->group_dn = ac->old_prim_group_dn;
1681 return samldb_next_step(ac);
1684 static int samldb_prim_group_change_6(struct samldb_ctx *ac)
1686 return ldb_next_request(ac->module, ac->req);
1689 static int samldb_prim_group_change(struct samldb_ctx *ac)
1693 /* Finds out the DN of the new primary group */
1695 ret = samldb_add_step(ac, samldb_prim_group_change_1);
1696 if (ret != LDB_SUCCESS) return ret;
1698 ret = samldb_add_step(ac, samldb_dn_from_sid);
1699 if (ret != LDB_SUCCESS) return ret;
1701 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
1702 if (ret != LDB_SUCCESS) return ret;
1704 /* Finds out the DN of the old primary group */
1706 ret = samldb_add_step(ac, samldb_prim_group_change_2);
1707 if (ret != LDB_SUCCESS) return ret;
1709 ret = samldb_add_step(ac, samldb_dn_from_sid);
1710 if (ret != LDB_SUCCESS) return ret;
1712 ret = samldb_add_step(ac, samldb_prim_group_change_3);
1713 if (ret != LDB_SUCCESS) return ret;
1715 return samldb_first_step(ac);
1719 static int samldb_member_check_1(struct samldb_ctx *ac)
1721 struct ldb_context *ldb;
1722 struct ldb_message_element *el;
1724 ldb = ldb_module_get_ctx(ac->module);
1726 el = ldb_msg_find_element(ac->msg, "member");
1728 ac->user_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[ac->cnt]);
1729 if (!ldb_dn_validate(ac->user_dn))
1730 return LDB_ERR_OPERATIONS_ERROR;
1731 ac->prim_group_rid = 0;
1733 return samldb_next_step(ac);
1736 static int samldb_member_check_2(struct samldb_ctx *ac)
1738 struct ldb_context *ldb;
1740 ldb = ldb_module_get_ctx(ac->module);
1742 ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb),
1743 ac->prim_group_rid);
1744 if (ac->sid == NULL)
1745 return LDB_ERR_OPERATIONS_ERROR;
1748 return samldb_next_step(ac);
1751 static int samldb_member_check_3(struct samldb_ctx *ac)
1753 if (ldb_dn_compare(ac->res_dn, ac->msg->dn) == 0)
1754 return LDB_ERR_ENTRY_ALREADY_EXISTS;
1758 return samldb_next_step(ac);
1761 static int samldb_member_check_4(struct samldb_ctx *ac)
1763 return ldb_next_request(ac->module, ac->req);
1766 static int samldb_member_check(struct samldb_ctx *ac)
1768 struct ldb_message_element *el;
1771 el = ldb_msg_find_element(ac->msg, "member");
1773 for (i = 0; i < el->num_values; i++) {
1774 /* Denies to add "member"s to groups which are primary ones
1776 ret = samldb_add_step(ac, samldb_member_check_1);
1777 if (ret != LDB_SUCCESS) return ret;
1779 ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid);
1780 if (ret != LDB_SUCCESS) return ret;
1782 ret = samldb_add_step(ac, samldb_member_check_2);
1783 if (ret != LDB_SUCCESS) return ret;
1785 ret = samldb_add_step(ac, samldb_dn_from_sid);
1786 if (ret != LDB_SUCCESS) return ret;
1788 ret = samldb_add_step(ac, samldb_member_check_3);
1789 if (ret != LDB_SUCCESS) return ret;
1792 ret = samldb_add_step(ac, samldb_member_check_4);
1793 if (ret != LDB_SUCCESS) return ret;
1795 return samldb_first_step(ac);
1799 static int samldb_prim_group_users_check_1(struct samldb_ctx *ac)
1801 ac->dn = ac->req->op.del.dn;
1804 return samldb_next_step(ac);
1807 static int samldb_prim_group_users_check_2(struct samldb_ctx *ac)
1812 if (ac->res_sid == NULL) {
1813 /* No SID - therefore ok here */
1814 return ldb_next_request(ac->module, ac->req);
1816 status = dom_sid_split_rid(ac, ac->res_sid, NULL, &rid);
1817 if (!NT_STATUS_IS_OK(status))
1818 return LDB_ERR_OPERATIONS_ERROR;
1821 /* Special object (security principal?) */
1822 return ldb_next_request(ac->module, ac->req);
1825 ac->prim_group_rid = rid;
1828 return samldb_next_step(ac);
1831 static int samldb_prim_group_users_check_3(struct samldb_ctx *ac)
1833 if (ac->users_cnt > 0)
1834 return LDB_ERR_ENTRY_ALREADY_EXISTS;
1836 return ldb_next_request(ac->module, ac->req);
1839 static int samldb_prim_group_users_check(struct samldb_ctx *ac)
1843 /* Finds out the SID/RID of the domain object */
1845 ret = samldb_add_step(ac, samldb_prim_group_users_check_1);
1846 if (ret != LDB_SUCCESS) return ret;
1848 ret = samldb_add_step(ac, samldb_sid_from_dn);
1849 if (ret != LDB_SUCCESS) return ret;
1851 /* Deny delete requests from groups which are primary ones */
1853 ret = samldb_add_step(ac, samldb_prim_group_users_check_2);
1854 if (ret != LDB_SUCCESS) return ret;
1856 ret = samldb_add_step(ac, samldb_prim_group_rid_to_users_cnt);
1857 if (ret != LDB_SUCCESS) return ret;
1859 ret = samldb_add_step(ac, samldb_prim_group_users_check_3);
1860 if (ret != LDB_SUCCESS) return ret;
1862 return samldb_first_step(ac);
1867 static int samldb_add(struct ldb_module *module, struct ldb_request *req)
1869 struct ldb_context *ldb;
1870 struct samldb_ctx *ac;
1873 ldb = ldb_module_get_ctx(module);
1874 ldb_debug(ldb, LDB_DEBUG_TRACE, "samldb_add\n");
1876 /* do not manipulate our control entries */
1877 if (ldb_dn_is_special(req->op.add.message->dn)) {
1878 return ldb_next_request(module, req);
1881 ac = samldb_ctx_init(module, req);
1883 return LDB_ERR_OPERATIONS_ERROR;
1886 /* build the new msg */
1887 ac->msg = ldb_msg_copy(ac, ac->req->op.add.message);
1890 ldb_debug(ldb, LDB_DEBUG_FATAL,
1891 "samldb_add: ldb_msg_copy failed!\n");
1892 return LDB_ERR_OPERATIONS_ERROR;
1895 if (samdb_find_attribute(ldb, ac->msg,
1896 "objectclass", "computer") != NULL) {
1898 /* make sure the computer object also has the 'user'
1899 * objectclass so it will be handled by the next call */
1900 ret = samdb_find_or_add_value(ldb, ac->msg,
1901 "objectclass", "user");
1902 if (ret != LDB_SUCCESS) {
1908 if (samdb_find_attribute(ldb, ac->msg,
1909 "objectclass", "user") != NULL) {
1911 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
1912 if (ret != LDB_SUCCESS) {
1917 return samldb_fill_object(ac, "user");
1920 if (samdb_find_attribute(ldb, ac->msg,
1921 "objectclass", "group") != NULL) {
1923 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
1924 if (ret != LDB_SUCCESS) {
1929 return samldb_fill_object(ac, "group");
1932 /* perhaps a foreignSecurityPrincipal? */
1933 if (samdb_find_attribute(ldb, ac->msg,
1935 "foreignSecurityPrincipal") != NULL) {
1937 ret = samldb_check_rdn(module, ac->req->op.add.message->dn);
1938 if (ret != LDB_SUCCESS) {
1943 return samldb_fill_foreignSecurityPrincipal_object(ac);
1948 /* nothing matched, go on */
1949 return ldb_next_request(module, req);
1953 static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
1955 struct ldb_context *ldb;
1956 struct ldb_message *msg;
1957 struct ldb_message_element *el, *el2;
1959 uint32_t account_type;
1961 if (ldb_dn_is_special(req->op.mod.message->dn)) {
1962 /* do not manipulate our control entries */
1963 return ldb_next_request(module, req);
1966 ldb = ldb_module_get_ctx(module);
1968 if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
1969 ldb_asprintf_errstring(ldb,
1970 "sAMAccountType must not be specified!");
1971 return LDB_ERR_UNWILLING_TO_PERFORM;
1974 /* TODO: do not modify original request, create a new one */
1976 el = ldb_msg_find_element(req->op.mod.message, "groupType");
1977 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
1978 uint32_t group_type;
1980 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
1981 req->op.mod.message);
1983 group_type = strtoul((const char *)el->values[0].data, NULL, 0);
1984 account_type = ds_gtype2atype(group_type);
1985 ret = samdb_msg_add_uint(ldb, msg, msg,
1988 if (ret != LDB_SUCCESS) {
1991 el2 = ldb_msg_find_element(msg, "sAMAccountType");
1992 el2->flags = LDB_FLAG_MOD_REPLACE;
1995 el = ldb_msg_find_element(req->op.mod.message, "userAccountControl");
1996 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
1997 uint32_t user_account_control;
1999 req->op.mod.message = msg = ldb_msg_copy_shallow(req,
2000 req->op.mod.message);
2002 user_account_control = strtoul((const char *)el->values[0].data,
2004 account_type = ds_uf2atype(user_account_control);
2005 ret = samdb_msg_add_uint(ldb, msg, msg,
2008 if (ret != LDB_SUCCESS) {
2011 el2 = ldb_msg_find_element(msg, "sAMAccountType");
2012 el2->flags = LDB_FLAG_MOD_REPLACE;
2014 if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
2015 ret = samdb_msg_add_string(ldb, msg, msg,
2016 "isCriticalSystemObject", "TRUE");
2017 if (ret != LDB_SUCCESS) {
2020 el2 = ldb_msg_find_element(msg, "isCriticalSystemObject");
2021 el2->flags = LDB_FLAG_MOD_REPLACE;
2025 el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
2026 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2027 struct samldb_ctx *ac;
2029 ac = samldb_ctx_init(module, req);
2031 return LDB_ERR_OPERATIONS_ERROR;
2033 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2034 req->op.mod.message);
2036 return samldb_prim_group_change(ac);
2039 el = ldb_msg_find_element(req->op.mod.message, "member");
2040 if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
2041 struct samldb_ctx *ac;
2043 ac = samldb_ctx_init(module, req);
2045 return LDB_ERR_OPERATIONS_ERROR;
2047 req->op.mod.message = ac->msg = ldb_msg_copy_shallow(req,
2048 req->op.mod.message);
2050 return samldb_member_check(ac);
2053 /* nothing matched, go on */
2054 return ldb_next_request(module, req);
2058 static int samldb_delete(struct ldb_module *module, struct ldb_request *req)
2060 struct samldb_ctx *ac;
2062 if (ldb_dn_is_special(req->op.del.dn)) {
2063 /* do not manipulate our control entries */
2064 return ldb_next_request(module, req);
2067 ac = samldb_ctx_init(module, req);
2069 return LDB_ERR_OPERATIONS_ERROR;
2071 return samldb_prim_group_users_check(ac);
2075 static int samldb_init(struct ldb_module *module)
2077 return ldb_next_init(module);
2080 _PUBLIC_ const struct ldb_module_ops ldb_samldb_module_ops = {
2082 .init_context = samldb_init,
2084 .modify = samldb_modify,
2085 .del = samldb_delete