2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2004
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "ldap_server/ldap_server.h"
23 #include "dlinklist.h"
24 #include "libcli/ldap/ldap.h"
25 #include "lib/ldb/include/ldb.h"
26 #include "lib/ldb/include/ldb_errors.h"
27 #include "dsdb/samdb/samdb.h"
29 #define VALID_DN_SYNTAX(dn,i) do {\
31 return NT_STATUS_NO_MEMORY;\
32 } else if ((dn)->comp_num < (i)) {\
33 result = LDAP_INVALID_DN_SYNTAX;\
34 errstr = "Invalid DN (" #i " components needed for '" #dn "')";\
39 static int map_ldb_error(struct ldb_context *ldb, int err, const char **errstring)
41 *errstring = ldb_errstring(ldb);
48 connect to the sam database
50 NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
52 conn->ldb = samdb_connect(conn, conn->session_info);
53 if (conn->ldb == NULL) {
54 return NT_STATUS_INTERNAL_DB_CORRUPTION;
56 ldb_set_opaque(conn->ldb, "server_credentials", conn->server_credentials);
61 struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type)
63 struct ldapsrv_reply *reply;
65 reply = talloc(call, struct ldapsrv_reply);
69 reply->msg = talloc(reply, struct ldap_message);
70 if (reply->msg == NULL) {
75 reply->msg->messageid = call->request->messageid;
76 reply->msg->type = type;
77 reply->msg->controls = NULL;
82 void ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
84 DLIST_ADD_END(call->replies, reply, struct ldapsrv_reply *);
87 NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
89 struct ldapsrv_reply *reply;
90 struct ldap_ExtendedResponse *r;
92 DEBUG(10,("Unwilling type[%d] id[%d]\n", call->request->type, call->request->messageid));
94 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
96 return NT_STATUS_NO_MEMORY;
99 r = &reply->msg->r.ExtendedResponse;
100 r->response.resultcode = error;
101 r->response.dn = NULL;
102 r->response.errormessage = NULL;
103 r->response.referral = NULL;
107 ldapsrv_queue_reply(call, reply);
111 static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
113 struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
114 struct ldap_SearchResEntry *ent;
115 struct ldap_Result *done;
116 struct ldapsrv_reply *ent_r, *done_r;
118 struct ldb_context *samdb = talloc_get_type(call->conn->ldb, struct ldb_context);
119 struct ldb_dn *basedn;
120 struct ldb_result *res = NULL;
121 struct ldb_request *lreq;
122 enum ldb_scope scope = LDB_SCOPE_DEFAULT;
123 const char **attrs = NULL;
124 const char *errstr = NULL;
125 int success_limit = 1;
126 int result = LDAP_SUCCESS;
130 DEBUG(10, ("SearchRequest"));
131 DEBUGADD(10, (" basedn: %s", req->basedn));
132 DEBUGADD(10, (" filter: %s\n", ldb_filter_from_tree(call, req->tree)));
134 local_ctx = talloc_new(call);
135 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
137 basedn = ldb_dn_explode(local_ctx, req->basedn);
138 VALID_DN_SYNTAX(basedn, 0);
140 DEBUG(10, ("SearchRequest: basedn: [%s]\n", req->basedn));
141 DEBUG(10, ("SearchRequest: filter: [%s]\n", ldb_filter_from_tree(call, req->tree)));
143 switch (req->scope) {
144 case LDAP_SEARCH_SCOPE_BASE:
145 DEBUG(10,("SearchRequest: scope: [BASE]\n"));
146 scope = LDB_SCOPE_BASE;
149 case LDAP_SEARCH_SCOPE_SINGLE:
150 DEBUG(10,("SearchRequest: scope: [ONE]\n"));
151 scope = LDB_SCOPE_ONELEVEL;
154 case LDAP_SEARCH_SCOPE_SUB:
155 DEBUG(10,("SearchRequest: scope: [SUB]\n"));
156 scope = LDB_SCOPE_SUBTREE;
161 if (req->num_attributes >= 1) {
162 attrs = talloc_array(samdb, const char *, req->num_attributes+1);
163 NT_STATUS_HAVE_NO_MEMORY(attrs);
165 for (i=0; i < req->num_attributes; i++) {
166 DEBUG(10,("SearchRequest: attrs: [%s]\n",req->attributes[i]));
167 attrs[i] = req->attributes[i];
172 DEBUG(5,("ldb_request dn=%s filter=%s\n",
173 req->basedn, ldb_filter_from_tree(call, req->tree)));
175 lreq = talloc(local_ctx, struct ldb_request);
176 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
178 lreq->operation = LDB_REQ_SEARCH;
179 lreq->op.search.base = basedn;
180 lreq->op.search.scope = scope;
181 lreq->op.search.tree = req->tree;
182 lreq->op.search.attrs = attrs;
184 lreq->controls = call->request->controls;
186 ldb_ret = ldb_request(samdb, lreq);
188 /* Ensure we don't keep the search results around for too long */
189 res = talloc_steal(local_ctx, lreq->op.search.res);
191 if (ldb_ret == LDB_SUCCESS) {
192 for (i = 0; i < res->count; i++) {
193 ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
194 NT_STATUS_HAVE_NO_MEMORY(ent_r);
196 ent = &ent_r->msg->r.SearchResultEntry;
197 ent->dn = ldb_dn_linearize(ent_r, res->msgs[i]->dn);
198 ent->num_attributes = 0;
199 ent->attributes = NULL;
200 if (res->msgs[i]->num_elements == 0) {
203 ent->num_attributes = res->msgs[i]->num_elements;
204 ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
205 NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
206 for (j=0; j < ent->num_attributes; j++) {
207 ent->attributes[j].name = talloc_steal(ent->attributes, res->msgs[i]->elements[j].name);
208 ent->attributes[j].num_values = 0;
209 ent->attributes[j].values = NULL;
210 if (req->attributesonly && (res->msgs[i]->elements[j].num_values == 0)) {
213 ent->attributes[j].num_values = res->msgs[i]->elements[j].num_values;
214 ent->attributes[j].values = res->msgs[i]->elements[j].values;
215 talloc_steal(ent->attributes, res->msgs[i]->elements[j].values);
218 ldapsrv_queue_reply(call, ent_r);
223 done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
224 NT_STATUS_HAVE_NO_MEMORY(done_r);
226 done = &done_r->msg->r.SearchResultDone;
228 done->referral = NULL;
230 if (ldb_ret == LDB_SUCCESS) {
231 if (res->count >= success_limit) {
232 DEBUG(10,("SearchRequest: results: [%d]\n", res->count));
233 result = LDAP_SUCCESS;
235 } else if (res->count == 0) {
236 DEBUG(10,("SearchRequest: no results\n"));
237 result = LDAP_NO_SUCH_OBJECT;
238 errstr = ldb_errstring(samdb);
241 done_r->msg->controls = res->controls;
242 talloc_steal(done_r, res->controls);
245 DEBUG(10,("SearchRequest: error\n"));
246 result = map_ldb_error(samdb, ldb_ret, &errstr);
249 done->resultcode = result;
250 done->errormessage = (errstr?talloc_strdup(done_r, errstr):NULL);
252 talloc_free(local_ctx);
254 ldapsrv_queue_reply(call, done_r);
258 static NTSTATUS ldapsrv_ModifyRequest(struct ldapsrv_call *call)
260 struct ldap_ModifyRequest *req = &call->request->r.ModifyRequest;
261 struct ldap_Result *modify_result;
262 struct ldapsrv_reply *modify_reply;
264 struct ldb_context *samdb = call->conn->ldb;
265 struct ldb_message *msg = NULL;
267 const char *errstr = NULL;
268 int result = LDAP_SUCCESS;
272 DEBUG(10, ("ModifyRequest"));
273 DEBUGADD(10, (" dn: %s", req->dn));
275 local_ctx = talloc_named(call, 0, "ModifyRequest local memory context");
276 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
278 dn = ldb_dn_explode(local_ctx, req->dn);
279 VALID_DN_SYNTAX(dn, 1);
281 DEBUG(10, ("ModifyRequest: dn: [%s]\n", req->dn));
283 msg = talloc(local_ctx, struct ldb_message);
284 NT_STATUS_HAVE_NO_MEMORY(msg);
287 msg->private_data = NULL;
288 msg->num_elements = 0;
289 msg->elements = NULL;
291 if (req->num_mods > 0) {
292 msg->num_elements = req->num_mods;
293 msg->elements = talloc_array(msg, struct ldb_message_element, req->num_mods);
294 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
296 for (i=0; i < msg->num_elements; i++) {
297 msg->elements[i].name = discard_const_p(char, req->mods[i].attrib.name);
298 msg->elements[i].num_values = 0;
299 msg->elements[i].values = NULL;
301 switch (req->mods[i].type) {
303 result = LDAP_PROTOCOL_ERROR;
304 errstr = "Invalid LDAP_MODIFY_* type";
306 case LDAP_MODIFY_ADD:
307 msg->elements[i].flags = LDB_FLAG_MOD_ADD;
309 case LDAP_MODIFY_DELETE:
310 msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
312 case LDAP_MODIFY_REPLACE:
313 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
317 msg->elements[i].num_values = req->mods[i].attrib.num_values;
318 if (msg->elements[i].num_values > 0) {
319 msg->elements[i].values = talloc_array(msg, struct ldb_val, msg->elements[i].num_values);
320 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
322 for (j=0; j < msg->elements[i].num_values; j++) {
323 if (!(req->mods[i].attrib.values[j].length > 0)) {
325 errstr = "Empty attribute values are not allowed";
328 msg->elements[i].values[j].length = req->mods[i].attrib.values[j].length;
329 msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
335 errstr = "No mods are not allowed";
340 modify_reply = ldapsrv_init_reply(call, LDAP_TAG_ModifyResponse);
341 NT_STATUS_HAVE_NO_MEMORY(modify_reply);
343 if (result == LDAP_SUCCESS) {
344 ldb_ret = ldb_modify(samdb, msg);
345 result = map_ldb_error(samdb, ldb_ret, &errstr);
348 modify_result = &modify_reply->msg->r.AddResponse;
349 modify_result->dn = NULL;
350 modify_result->resultcode = result;
351 modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
352 modify_result->referral = NULL;
354 talloc_free(local_ctx);
356 ldapsrv_queue_reply(call, modify_reply);
361 static NTSTATUS ldapsrv_AddRequest(struct ldapsrv_call *call)
363 struct ldap_AddRequest *req = &call->request->r.AddRequest;
364 struct ldap_Result *add_result;
365 struct ldapsrv_reply *add_reply;
367 struct ldb_context *samdb = call->conn->ldb;
368 struct ldb_message *msg = NULL;
370 const char *errstr = NULL;
371 int result = LDAP_SUCCESS;
375 DEBUG(10, ("AddRequest"));
376 DEBUGADD(10, (" dn: %s", req->dn));
378 local_ctx = talloc_named(call, 0, "AddRequest local memory context");
379 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
381 dn = ldb_dn_explode(local_ctx, req->dn);
382 VALID_DN_SYNTAX(dn,1);
384 DEBUG(10, ("AddRequest: dn: [%s]\n", req->dn));
386 msg = talloc(local_ctx, struct ldb_message);
387 NT_STATUS_HAVE_NO_MEMORY(msg);
390 msg->private_data = NULL;
391 msg->num_elements = 0;
392 msg->elements = NULL;
394 if (req->num_attributes > 0) {
395 msg->num_elements = req->num_attributes;
396 msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements);
397 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
399 for (i=0; i < msg->num_elements; i++) {
400 msg->elements[i].name = discard_const_p(char, req->attributes[i].name);
401 msg->elements[i].flags = 0;
402 msg->elements[i].num_values = 0;
403 msg->elements[i].values = NULL;
405 if (req->attributes[i].num_values > 0) {
406 msg->elements[i].num_values = req->attributes[i].num_values;
407 msg->elements[i].values = talloc_array(msg, struct ldb_val, msg->elements[i].num_values);
408 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
410 for (j=0; j < msg->elements[i].num_values; j++) {
411 if (!(req->attributes[i].values[j].length > 0)) {
413 errstr = "Empty attribute values are not allowed";
416 msg->elements[i].values[j].length = req->attributes[i].values[j].length;
417 msg->elements[i].values[j].data = req->attributes[i].values[j].data;
421 errstr = "No attribute values are not allowed";
427 errstr = "No attributes are not allowed";
432 add_reply = ldapsrv_init_reply(call, LDAP_TAG_AddResponse);
433 NT_STATUS_HAVE_NO_MEMORY(add_reply);
435 if (result == LDAP_SUCCESS) {
436 ldb_ret = ldb_add(samdb, msg);
437 result = map_ldb_error(samdb, ldb_ret, &errstr);
440 add_result = &add_reply->msg->r.AddResponse;
441 add_result->dn = NULL;
442 add_result->resultcode = result;
443 add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
444 add_result->referral = NULL;
446 talloc_free(local_ctx);
448 ldapsrv_queue_reply(call, add_reply);
453 static NTSTATUS ldapsrv_DelRequest(struct ldapsrv_call *call)
455 struct ldap_DelRequest *req = &call->request->r.DelRequest;
456 struct ldap_Result *del_result;
457 struct ldapsrv_reply *del_reply;
459 struct ldb_context *samdb = call->conn->ldb;
461 const char *errstr = NULL;
462 int result = LDAP_SUCCESS;
465 DEBUG(10, ("DelRequest"));
466 DEBUGADD(10, (" dn: %s", req->dn));
468 local_ctx = talloc_named(call, 0, "DelRequest local memory context");
469 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
471 dn = ldb_dn_explode(local_ctx, req->dn);
472 VALID_DN_SYNTAX(dn,1);
474 DEBUG(10, ("DelRequest: dn: [%s]\n", req->dn));
477 del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
478 NT_STATUS_HAVE_NO_MEMORY(del_reply);
480 if (result == LDAP_SUCCESS) {
481 ldb_ret = ldb_delete(samdb, dn);
482 result = map_ldb_error(samdb, ldb_ret, &errstr);
485 del_result = &del_reply->msg->r.DelResponse;
486 del_result->dn = NULL;
487 del_result->resultcode = result;
488 del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
489 del_result->referral = NULL;
491 talloc_free(local_ctx);
493 ldapsrv_queue_reply(call, del_reply);
497 static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call)
499 struct ldap_ModifyDNRequest *req = &call->request->r.ModifyDNRequest;
500 struct ldap_Result *modifydn;
501 struct ldapsrv_reply *modifydn_r;
503 struct ldb_context *samdb = call->conn->ldb;
504 struct ldb_dn *olddn, *newdn, *newrdn;
505 struct ldb_dn *parentdn = NULL;
506 const char *errstr = NULL;
507 int result = LDAP_SUCCESS;
510 DEBUG(10, ("ModifyDNRequrest"));
511 DEBUGADD(10, (" dn: %s", req->dn));
512 DEBUGADD(10, (" newrdn: %s", req->newrdn));
514 local_ctx = talloc_named(call, 0, "ModifyDNRequest local memory context");
515 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
517 olddn = ldb_dn_explode(local_ctx, req->dn);
518 VALID_DN_SYNTAX(olddn, 2);
520 newrdn = ldb_dn_explode(local_ctx, req->newrdn);
521 VALID_DN_SYNTAX(newrdn, 1);
523 DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn));
524 DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn));
526 /* we can't handle the rename if we should not remove the old dn */
527 if (!req->deleteolddn) {
528 result = LDAP_UNWILLING_TO_PERFORM;
529 errstr = "Old RDN must be deleted";
533 if (newrdn->comp_num > 1) {
534 result = LDAP_NAMING_VIOLATION;
535 errstr = "Error new RDN invalid";
539 if (req->newsuperior) {
540 parentdn = ldb_dn_explode(local_ctx, req->newsuperior);
541 VALID_DN_SYNTAX(parentdn, 0);
542 DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req->newsuperior));
544 if (parentdn->comp_num < 1) {
545 result = LDAP_AFFECTS_MULTIPLE_DSAS;
546 errstr = "Error new Superior DN invalid";
552 parentdn = ldb_dn_get_parent(local_ctx, olddn);
553 NT_STATUS_HAVE_NO_MEMORY(parentdn);
556 newdn = ldb_dn_make_child(local_ctx, ldb_dn_get_rdn(local_ctx, newrdn), parentdn);
557 NT_STATUS_HAVE_NO_MEMORY(newdn);
560 modifydn_r = ldapsrv_init_reply(call, LDAP_TAG_ModifyDNResponse);
561 NT_STATUS_HAVE_NO_MEMORY(modifydn_r);
563 if (result == LDAP_SUCCESS) {
564 ldb_ret = ldb_rename(samdb, olddn, newdn);
565 result = map_ldb_error(samdb, ldb_ret, &errstr);
568 modifydn = &modifydn_r->msg->r.ModifyDNResponse;
570 modifydn->resultcode = result;
571 modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
572 modifydn->referral = NULL;
574 talloc_free(local_ctx);
576 ldapsrv_queue_reply(call, modifydn_r);
580 static NTSTATUS ldapsrv_CompareRequest(struct ldapsrv_call *call)
582 struct ldap_CompareRequest *req = &call->request->r.CompareRequest;
583 struct ldap_Result *compare;
584 struct ldapsrv_reply *compare_r;
586 struct ldb_context *samdb = call->conn->ldb;
587 struct ldb_result *res = NULL;
589 const char *attrs[1];
590 const char *errstr = NULL;
591 const char *filter = NULL;
592 int result = LDAP_SUCCESS;
595 DEBUG(10, ("CompareRequest"));
596 DEBUGADD(10, (" dn: %s", req->dn));
598 local_ctx = talloc_named(call, 0, "CompareRequest local_memory_context");
599 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
601 dn = ldb_dn_explode(local_ctx, req->dn);
602 VALID_DN_SYNTAX(dn, 1);
604 DEBUG(10, ("CompareRequest: dn: [%s]\n", req->dn));
605 filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
606 (int)req->value.length, req->value.data);
607 NT_STATUS_HAVE_NO_MEMORY(filter);
609 DEBUGADD(10, ("CompareRequest: attribute: [%s]\n", filter));
614 compare_r = ldapsrv_init_reply(call, LDAP_TAG_CompareResponse);
615 NT_STATUS_HAVE_NO_MEMORY(compare_r);
617 if (result == LDAP_SUCCESS) {
618 ldb_ret = ldb_search(samdb, dn, LDB_SCOPE_BASE, filter, attrs, &res);
619 talloc_steal(samdb, res);
620 if (ldb_ret != LDB_SUCCESS) {
621 result = map_ldb_error(samdb, ldb_ret, &errstr);
622 DEBUG(10,("CompareRequest: error: %s\n", errstr));
623 } else if (res->count == 0) {
624 DEBUG(10,("CompareRequest: doesn't matched\n"));
625 result = LDAP_COMPARE_FALSE;
627 } else if (res->count == 1) {
628 DEBUG(10,("CompareRequest: matched\n"));
629 result = LDAP_COMPARE_TRUE;
631 } else if (res->count > 1) {
633 errstr = "too many objects match";
634 DEBUG(10,("CompareRequest: %d results: %s\n", res->count, errstr));
638 compare = &compare_r->msg->r.CompareResponse;
640 compare->resultcode = result;
641 compare->errormessage = (errstr?talloc_strdup(compare_r,errstr):NULL);
642 compare->referral = NULL;
644 talloc_free(local_ctx);
646 ldapsrv_queue_reply(call, compare_r);
650 static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
652 /* struct ldap_AbandonRequest *req = &call->request.r.AbandonRequest;*/
653 DEBUG(10, ("AbandonRequest\n"));
657 static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
659 /* struct ldap_ExtendedRequest *req = &call->request.r.ExtendedRequest;*/
660 struct ldapsrv_reply *reply;
662 DEBUG(10, ("Extended\n"));
664 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
666 return NT_STATUS_NO_MEMORY;
669 ZERO_STRUCT(reply->msg->r);
671 ldapsrv_queue_reply(call, reply);
675 NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
677 switch(call->request->type) {
678 case LDAP_TAG_BindRequest:
679 return ldapsrv_BindRequest(call);
680 case LDAP_TAG_UnbindRequest:
681 return ldapsrv_UnbindRequest(call);
682 case LDAP_TAG_SearchRequest:
683 return ldapsrv_SearchRequest(call);
684 case LDAP_TAG_ModifyRequest:
685 return ldapsrv_ModifyRequest(call);
686 case LDAP_TAG_AddRequest:
687 return ldapsrv_AddRequest(call);
688 case LDAP_TAG_DelRequest:
689 return ldapsrv_DelRequest(call);
690 case LDAP_TAG_ModifyDNRequest:
691 return ldapsrv_ModifyDNRequest(call);
692 case LDAP_TAG_CompareRequest:
693 return ldapsrv_CompareRequest(call);
694 case LDAP_TAG_AbandonRequest:
695 return ldapsrv_AbandonRequest(call);
696 case LDAP_TAG_ExtendedRequest:
697 return ldapsrv_ExtendedRequest(call);
699 return ldapsrv_unwilling(call, 2);