2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2004
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "ldap_server/ldap_server.h"
23 #include "dlinklist.h"
24 #include "libcli/ldap/ldap.h"
25 #include "lib/ldb/include/ldb.h"
26 #include "lib/ldb/include/ldb_errors.h"
27 #include "dsdb/samdb/samdb.h"
29 #define VALID_DN_SYNTAX(dn,i) do {\
31 return NT_STATUS_NO_MEMORY;\
32 } else if ((dn)->comp_num < (i)) {\
33 result = LDAP_INVALID_DN_SYNTAX;\
34 errstr = "Invalid DN (" #i " components needed for '" #dn "')";\
39 static int map_ldb_error(struct ldb_context *ldb, int err, const char **errstring)
41 *errstring = ldb_errstring(ldb);
48 connect to the sam database
50 NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
52 conn->ldb = samdb_connect(conn, conn->session_info);
53 if (conn->ldb == NULL) {
54 return NT_STATUS_INTERNAL_DB_CORRUPTION;
56 ldb_set_opaque(conn->ldb, "server_credentials", conn->server_credentials);
61 struct ldapsrv_reply *ldapsrv_init_reply(struct ldapsrv_call *call, uint8_t type)
63 struct ldapsrv_reply *reply;
65 reply = talloc(call, struct ldapsrv_reply);
69 reply->msg = talloc(reply, struct ldap_message);
70 if (reply->msg == NULL) {
75 reply->msg->messageid = call->request->messageid;
76 reply->msg->type = type;
77 reply->msg->controls = NULL;
82 void ldapsrv_queue_reply(struct ldapsrv_call *call, struct ldapsrv_reply *reply)
84 DLIST_ADD_END(call->replies, reply, struct ldapsrv_reply *);
87 NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
89 struct ldapsrv_reply *reply;
90 struct ldap_ExtendedResponse *r;
92 DEBUG(10,("Unwilling type[%d] id[%d]\n", call->request->type, call->request->messageid));
94 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
96 return NT_STATUS_NO_MEMORY;
99 r = &reply->msg->r.ExtendedResponse;
100 r->response.resultcode = error;
101 r->response.dn = NULL;
102 r->response.errormessage = NULL;
103 r->response.referral = NULL;
107 ldapsrv_queue_reply(call, reply);
111 static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
113 struct ldap_SearchRequest *req = &call->request->r.SearchRequest;
114 struct ldap_SearchResEntry *ent;
115 struct ldap_Result *done;
116 struct ldapsrv_reply *ent_r, *done_r;
118 struct ldb_context *samdb = talloc_get_type(call->conn->ldb, struct ldb_context);
119 struct ldb_dn *basedn;
120 struct ldb_result *res = NULL;
121 struct ldb_request lreq;
122 enum ldb_scope scope = LDB_SCOPE_DEFAULT;
123 const char **attrs = NULL;
124 const char *errstr = NULL;
125 int success_limit = 1;
126 int result = LDAP_SUCCESS;
130 DEBUG(10, ("SearchRequest"));
131 DEBUGADD(10, (" basedn: %s", req->basedn));
132 DEBUGADD(10, (" filter: %s\n", ldb_filter_from_tree(call, req->tree)));
134 local_ctx = talloc_new(call);
135 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
137 basedn = ldb_dn_explode(local_ctx, req->basedn);
138 VALID_DN_SYNTAX(basedn, 0);
140 DEBUG(10, ("SearchRequest: basedn: [%s]\n", req->basedn));
141 DEBUG(10, ("SearchRequest: filter: [%s]\n", ldb_filter_from_tree(call, req->tree)));
143 switch (req->scope) {
144 case LDAP_SEARCH_SCOPE_BASE:
145 DEBUG(10,("SearchRequest: scope: [BASE]\n"));
146 scope = LDB_SCOPE_BASE;
149 case LDAP_SEARCH_SCOPE_SINGLE:
150 DEBUG(10,("SearchRequest: scope: [ONE]\n"));
151 scope = LDB_SCOPE_ONELEVEL;
154 case LDAP_SEARCH_SCOPE_SUB:
155 DEBUG(10,("SearchRequest: scope: [SUB]\n"));
156 scope = LDB_SCOPE_SUBTREE;
161 if (req->num_attributes >= 1) {
162 attrs = talloc_array(samdb, const char *, req->num_attributes+1);
163 NT_STATUS_HAVE_NO_MEMORY(attrs);
165 for (i=0; i < req->num_attributes; i++) {
166 DEBUG(10,("SearchRequest: attrs: [%s]\n",req->attributes[i]));
167 attrs[i] = req->attributes[i];
172 DEBUG(5,("ldb_request dn=%s filter=%s\n",
173 req->basedn, ldb_filter_from_tree(call, req->tree)));
176 lreq.operation = LDB_REQ_SEARCH;
177 lreq.op.search.base = basedn;
178 lreq.op.search.scope = scope;
179 lreq.op.search.tree = req->tree;
180 lreq.op.search.attrs = attrs;
182 lreq.controls = call->request->controls;
184 ldb_ret = ldb_request(samdb, &lreq);
186 /* Ensure we don't keep the search results around for too long */
187 res = talloc_steal(local_ctx, lreq.op.search.res);
189 if (ldb_ret == LDB_SUCCESS) {
190 for (i = 0; i < res->count; i++) {
191 ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
192 NT_STATUS_HAVE_NO_MEMORY(ent_r);
194 ent = &ent_r->msg->r.SearchResultEntry;
195 ent->dn = ldb_dn_linearize(ent_r, res->msgs[i]->dn);
196 ent->num_attributes = 0;
197 ent->attributes = NULL;
198 if (res->msgs[i]->num_elements == 0) {
201 ent->num_attributes = res->msgs[i]->num_elements;
202 ent->attributes = talloc_array(ent_r, struct ldb_message_element, ent->num_attributes);
203 NT_STATUS_HAVE_NO_MEMORY(ent->attributes);
204 for (j=0; j < ent->num_attributes; j++) {
205 ent->attributes[j].name = talloc_steal(ent->attributes, res->msgs[i]->elements[j].name);
206 ent->attributes[j].num_values = 0;
207 ent->attributes[j].values = NULL;
208 if (req->attributesonly && (res->msgs[i]->elements[j].num_values == 0)) {
211 ent->attributes[j].num_values = res->msgs[i]->elements[j].num_values;
212 ent->attributes[j].values = res->msgs[i]->elements[j].values;
213 talloc_steal(ent->attributes, res->msgs[i]->elements[j].values);
216 ldapsrv_queue_reply(call, ent_r);
221 done_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultDone);
222 NT_STATUS_HAVE_NO_MEMORY(done_r);
224 done = &done_r->msg->r.SearchResultDone;
226 done->referral = NULL;
228 if (ldb_ret == LDB_SUCCESS) {
229 if (res->count >= success_limit) {
230 DEBUG(10,("SearchRequest: results: [%d]\n", res->count));
231 result = LDAP_SUCCESS;
233 } else if (res->count == 0) {
234 DEBUG(10,("SearchRequest: no results\n"));
235 result = LDAP_NO_SUCH_OBJECT;
236 errstr = ldb_errstring(samdb);
239 done_r->msg->controls = res->controls;
240 talloc_steal(done_r, res->controls);
243 DEBUG(10,("SearchRequest: error\n"));
244 result = map_ldb_error(samdb, ldb_ret, &errstr);
247 done->resultcode = result;
248 done->errormessage = (errstr?talloc_strdup(done_r, errstr):NULL);
250 talloc_free(local_ctx);
252 ldapsrv_queue_reply(call, done_r);
256 static NTSTATUS ldapsrv_ModifyRequest(struct ldapsrv_call *call)
258 struct ldap_ModifyRequest *req = &call->request->r.ModifyRequest;
259 struct ldap_Result *modify_result;
260 struct ldapsrv_reply *modify_reply;
262 struct ldb_context *samdb = call->conn->ldb;
263 struct ldb_message *msg = NULL;
265 const char *errstr = NULL;
266 int result = LDAP_SUCCESS;
270 DEBUG(10, ("ModifyRequest"));
271 DEBUGADD(10, (" dn: %s", req->dn));
273 local_ctx = talloc_named(call, 0, "ModifyRequest local memory context");
274 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
276 dn = ldb_dn_explode(local_ctx, req->dn);
277 VALID_DN_SYNTAX(dn, 1);
279 DEBUG(10, ("ModifyRequest: dn: [%s]\n", req->dn));
281 msg = talloc(local_ctx, struct ldb_message);
282 NT_STATUS_HAVE_NO_MEMORY(msg);
285 msg->private_data = NULL;
286 msg->num_elements = 0;
287 msg->elements = NULL;
289 if (req->num_mods > 0) {
290 msg->num_elements = req->num_mods;
291 msg->elements = talloc_array(msg, struct ldb_message_element, req->num_mods);
292 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
294 for (i=0; i < msg->num_elements; i++) {
295 msg->elements[i].name = discard_const_p(char, req->mods[i].attrib.name);
296 msg->elements[i].num_values = 0;
297 msg->elements[i].values = NULL;
299 switch (req->mods[i].type) {
301 result = LDAP_PROTOCOL_ERROR;
302 errstr = "Invalid LDAP_MODIFY_* type";
304 case LDAP_MODIFY_ADD:
305 msg->elements[i].flags = LDB_FLAG_MOD_ADD;
307 case LDAP_MODIFY_DELETE:
308 msg->elements[i].flags = LDB_FLAG_MOD_DELETE;
310 case LDAP_MODIFY_REPLACE:
311 msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
315 msg->elements[i].num_values = req->mods[i].attrib.num_values;
316 if (msg->elements[i].num_values > 0) {
317 msg->elements[i].values = talloc_array(msg, struct ldb_val, msg->elements[i].num_values);
318 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
320 for (j=0; j < msg->elements[i].num_values; j++) {
321 if (!(req->mods[i].attrib.values[j].length > 0)) {
323 errstr = "Empty attribute values are not allowed";
326 msg->elements[i].values[j].length = req->mods[i].attrib.values[j].length;
327 msg->elements[i].values[j].data = req->mods[i].attrib.values[j].data;
333 errstr = "No mods are not allowed";
338 modify_reply = ldapsrv_init_reply(call, LDAP_TAG_ModifyResponse);
339 NT_STATUS_HAVE_NO_MEMORY(modify_reply);
341 if (result == LDAP_SUCCESS) {
342 ldb_ret = ldb_modify(samdb, msg);
343 result = map_ldb_error(samdb, ldb_ret, &errstr);
346 modify_result = &modify_reply->msg->r.AddResponse;
347 modify_result->dn = NULL;
348 modify_result->resultcode = result;
349 modify_result->errormessage = (errstr?talloc_strdup(modify_reply, errstr):NULL);
350 modify_result->referral = NULL;
352 talloc_free(local_ctx);
354 ldapsrv_queue_reply(call, modify_reply);
359 static NTSTATUS ldapsrv_AddRequest(struct ldapsrv_call *call)
361 struct ldap_AddRequest *req = &call->request->r.AddRequest;
362 struct ldap_Result *add_result;
363 struct ldapsrv_reply *add_reply;
365 struct ldb_context *samdb = call->conn->ldb;
366 struct ldb_message *msg = NULL;
368 const char *errstr = NULL;
369 int result = LDAP_SUCCESS;
373 DEBUG(10, ("AddRequest"));
374 DEBUGADD(10, (" dn: %s", req->dn));
376 local_ctx = talloc_named(call, 0, "AddRequest local memory context");
377 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
379 dn = ldb_dn_explode(local_ctx, req->dn);
380 VALID_DN_SYNTAX(dn,1);
382 DEBUG(10, ("AddRequest: dn: [%s]\n", req->dn));
384 msg = talloc(local_ctx, struct ldb_message);
385 NT_STATUS_HAVE_NO_MEMORY(msg);
388 msg->private_data = NULL;
389 msg->num_elements = 0;
390 msg->elements = NULL;
392 if (req->num_attributes > 0) {
393 msg->num_elements = req->num_attributes;
394 msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements);
395 NT_STATUS_HAVE_NO_MEMORY(msg->elements);
397 for (i=0; i < msg->num_elements; i++) {
398 msg->elements[i].name = discard_const_p(char, req->attributes[i].name);
399 msg->elements[i].flags = 0;
400 msg->elements[i].num_values = 0;
401 msg->elements[i].values = NULL;
403 if (req->attributes[i].num_values > 0) {
404 msg->elements[i].num_values = req->attributes[i].num_values;
405 msg->elements[i].values = talloc_array(msg, struct ldb_val, msg->elements[i].num_values);
406 NT_STATUS_HAVE_NO_MEMORY(msg->elements[i].values);
408 for (j=0; j < msg->elements[i].num_values; j++) {
409 if (!(req->attributes[i].values[j].length > 0)) {
411 errstr = "Empty attribute values are not allowed";
414 msg->elements[i].values[j].length = req->attributes[i].values[j].length;
415 msg->elements[i].values[j].data = req->attributes[i].values[j].data;
419 errstr = "No attribute values are not allowed";
425 errstr = "No attributes are not allowed";
430 add_reply = ldapsrv_init_reply(call, LDAP_TAG_AddResponse);
431 NT_STATUS_HAVE_NO_MEMORY(add_reply);
433 if (result == LDAP_SUCCESS) {
434 ldb_ret = ldb_add(samdb, msg);
435 result = map_ldb_error(samdb, ldb_ret, &errstr);
438 add_result = &add_reply->msg->r.AddResponse;
439 add_result->dn = NULL;
440 add_result->resultcode = result;
441 add_result->errormessage = (errstr?talloc_strdup(add_reply,errstr):NULL);
442 add_result->referral = NULL;
444 talloc_free(local_ctx);
446 ldapsrv_queue_reply(call, add_reply);
451 static NTSTATUS ldapsrv_DelRequest(struct ldapsrv_call *call)
453 struct ldap_DelRequest *req = &call->request->r.DelRequest;
454 struct ldap_Result *del_result;
455 struct ldapsrv_reply *del_reply;
457 struct ldb_context *samdb = call->conn->ldb;
459 const char *errstr = NULL;
460 int result = LDAP_SUCCESS;
463 DEBUG(10, ("DelRequest"));
464 DEBUGADD(10, (" dn: %s", req->dn));
466 local_ctx = talloc_named(call, 0, "DelRequest local memory context");
467 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
469 dn = ldb_dn_explode(local_ctx, req->dn);
470 VALID_DN_SYNTAX(dn,1);
472 DEBUG(10, ("DelRequest: dn: [%s]\n", req->dn));
475 del_reply = ldapsrv_init_reply(call, LDAP_TAG_DelResponse);
476 NT_STATUS_HAVE_NO_MEMORY(del_reply);
478 if (result == LDAP_SUCCESS) {
479 ldb_ret = ldb_delete(samdb, dn);
480 result = map_ldb_error(samdb, ldb_ret, &errstr);
483 del_result = &del_reply->msg->r.DelResponse;
484 del_result->dn = NULL;
485 del_result->resultcode = result;
486 del_result->errormessage = (errstr?talloc_strdup(del_reply,errstr):NULL);
487 del_result->referral = NULL;
489 talloc_free(local_ctx);
491 ldapsrv_queue_reply(call, del_reply);
495 static NTSTATUS ldapsrv_ModifyDNRequest(struct ldapsrv_call *call)
497 struct ldap_ModifyDNRequest *req = &call->request->r.ModifyDNRequest;
498 struct ldap_Result *modifydn;
499 struct ldapsrv_reply *modifydn_r;
501 struct ldb_context *samdb = call->conn->ldb;
502 struct ldb_dn *olddn, *newdn, *newrdn;
503 struct ldb_dn *parentdn = NULL;
504 const char *errstr = NULL;
505 int result = LDAP_SUCCESS;
508 DEBUG(10, ("ModifyDNRequrest"));
509 DEBUGADD(10, (" dn: %s", req->dn));
510 DEBUGADD(10, (" newrdn: %s", req->newrdn));
512 local_ctx = talloc_named(call, 0, "ModifyDNRequest local memory context");
513 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
515 olddn = ldb_dn_explode(local_ctx, req->dn);
516 VALID_DN_SYNTAX(olddn, 2);
518 newrdn = ldb_dn_explode(local_ctx, req->newrdn);
519 VALID_DN_SYNTAX(newrdn, 1);
521 DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn));
522 DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn));
524 /* we can't handle the rename if we should not remove the old dn */
525 if (!req->deleteolddn) {
526 result = LDAP_UNWILLING_TO_PERFORM;
527 errstr = "Old RDN must be deleted";
531 if (newrdn->comp_num > 1) {
532 result = LDAP_NAMING_VIOLATION;
533 errstr = "Error new RDN invalid";
537 if (req->newsuperior) {
538 parentdn = ldb_dn_explode(local_ctx, req->newsuperior);
539 VALID_DN_SYNTAX(parentdn, 0);
540 DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req->newsuperior));
542 if (parentdn->comp_num < 1) {
543 result = LDAP_AFFECTS_MULTIPLE_DSAS;
544 errstr = "Error new Superior DN invalid";
550 parentdn = ldb_dn_get_parent(local_ctx, olddn);
551 NT_STATUS_HAVE_NO_MEMORY(parentdn);
554 newdn = ldb_dn_make_child(local_ctx, ldb_dn_get_rdn(local_ctx, newrdn), parentdn);
555 NT_STATUS_HAVE_NO_MEMORY(newdn);
558 modifydn_r = ldapsrv_init_reply(call, LDAP_TAG_ModifyDNResponse);
559 NT_STATUS_HAVE_NO_MEMORY(modifydn_r);
561 if (result == LDAP_SUCCESS) {
562 ldb_ret = ldb_rename(samdb, olddn, newdn);
563 result = map_ldb_error(samdb, ldb_ret, &errstr);
566 modifydn = &modifydn_r->msg->r.ModifyDNResponse;
568 modifydn->resultcode = result;
569 modifydn->errormessage = (errstr?talloc_strdup(modifydn_r,errstr):NULL);
570 modifydn->referral = NULL;
572 talloc_free(local_ctx);
574 ldapsrv_queue_reply(call, modifydn_r);
578 static NTSTATUS ldapsrv_CompareRequest(struct ldapsrv_call *call)
580 struct ldap_CompareRequest *req = &call->request->r.CompareRequest;
581 struct ldap_Result *compare;
582 struct ldapsrv_reply *compare_r;
584 struct ldb_context *samdb = call->conn->ldb;
585 struct ldb_result *res = NULL;
587 const char *attrs[1];
588 const char *errstr = NULL;
589 const char *filter = NULL;
590 int result = LDAP_SUCCESS;
593 DEBUG(10, ("CompareRequest"));
594 DEBUGADD(10, (" dn: %s", req->dn));
596 local_ctx = talloc_named(call, 0, "CompareRequest local_memory_context");
597 NT_STATUS_HAVE_NO_MEMORY(local_ctx);
599 dn = ldb_dn_explode(local_ctx, req->dn);
600 VALID_DN_SYNTAX(dn, 1);
602 DEBUG(10, ("CompareRequest: dn: [%s]\n", req->dn));
603 filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
604 (int)req->value.length, req->value.data);
605 NT_STATUS_HAVE_NO_MEMORY(filter);
607 DEBUGADD(10, ("CompareRequest: attribute: [%s]\n", filter));
612 compare_r = ldapsrv_init_reply(call, LDAP_TAG_CompareResponse);
613 NT_STATUS_HAVE_NO_MEMORY(compare_r);
615 if (result == LDAP_SUCCESS) {
616 ldb_ret = ldb_search(samdb, dn, LDB_SCOPE_BASE, filter, attrs, &res);
617 talloc_steal(samdb, res);
618 if (ldb_ret != LDB_SUCCESS) {
619 result = map_ldb_error(samdb, ldb_ret, &errstr);
620 DEBUG(10,("CompareRequest: error: %s\n", errstr));
621 } else if (res->count == 0) {
622 DEBUG(10,("CompareRequest: doesn't matched\n"));
623 result = LDAP_COMPARE_FALSE;
625 } else if (res->count == 1) {
626 DEBUG(10,("CompareRequest: matched\n"));
627 result = LDAP_COMPARE_TRUE;
629 } else if (res->count > 1) {
631 errstr = "too many objects match";
632 DEBUG(10,("CompareRequest: %d results: %s\n", res->count, errstr));
636 compare = &compare_r->msg->r.CompareResponse;
638 compare->resultcode = result;
639 compare->errormessage = (errstr?talloc_strdup(compare_r,errstr):NULL);
640 compare->referral = NULL;
642 talloc_free(local_ctx);
644 ldapsrv_queue_reply(call, compare_r);
648 static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
650 /* struct ldap_AbandonRequest *req = &call->request.r.AbandonRequest;*/
651 DEBUG(10, ("AbandonRequest\n"));
655 static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
657 /* struct ldap_ExtendedRequest *req = &call->request.r.ExtendedRequest;*/
658 struct ldapsrv_reply *reply;
660 DEBUG(10, ("Extended\n"));
662 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse);
664 return NT_STATUS_NO_MEMORY;
667 ZERO_STRUCT(reply->msg->r);
669 ldapsrv_queue_reply(call, reply);
673 NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
675 switch(call->request->type) {
676 case LDAP_TAG_BindRequest:
677 return ldapsrv_BindRequest(call);
678 case LDAP_TAG_UnbindRequest:
679 return ldapsrv_UnbindRequest(call);
680 case LDAP_TAG_SearchRequest:
681 return ldapsrv_SearchRequest(call);
682 case LDAP_TAG_ModifyRequest:
683 return ldapsrv_ModifyRequest(call);
684 case LDAP_TAG_AddRequest:
685 return ldapsrv_AddRequest(call);
686 case LDAP_TAG_DelRequest:
687 return ldapsrv_DelRequest(call);
688 case LDAP_TAG_ModifyDNRequest:
689 return ldapsrv_ModifyDNRequest(call);
690 case LDAP_TAG_CompareRequest:
691 return ldapsrv_CompareRequest(call);
692 case LDAP_TAG_AbandonRequest:
693 return ldapsrv_AbandonRequest(call);
694 case LDAP_TAG_ExtendedRequest:
695 return ldapsrv_ExtendedRequest(call);
697 return ldapsrv_unwilling(call, 2);