s4:ldb: make it possible to return per entry controls
[kai/samba.git] / source4 / dsdb / samdb / ldb_modules / local_password.c
1 /* 
2    ldb database module
3
4    Copyright (C) Simo Sorce  2004-2008
5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6    Copyright (C) Andrew Tridgell 2004
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /*
23  *  Name: ldb
24  *
25  *  Component: ldb local_password module
26  *
27  *  Description: correctly update hash values based on changes to userPassword and friends
28  *
29  *  Author: Andrew Bartlett
30  */
31
32 #include "includes.h"
33 #include "libcli/ldap/ldap.h"
34 #include "ldb/include/ldb_errors.h"
35 #include "ldb/include/ldb_private.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/ndr/libndr.h"
38 #include "dsdb/samdb/ldb_modules/password_modules.h"
39
40 #define PASSWORD_GUID_ATTR "masterGUID"
41
42 /* This module maintains a local password database, seperate from the main LDAP server.
43
44    This allows the password database to be syncronised in a multi-master
45    fashion, seperate to the more difficult concerns of the main
46    database.  (With passwords, the last writer always wins)
47
48    Each incoming add/modify is split into a remote, and a local request, done in that order.
49
50    We maintain a list of attributes that are kept locally - perhaps
51    this should use the @KLUDGE_ACL list of passwordAttribute
52  */
53
54 static const char * const password_attrs[] = {
55         "supplementalCredentials",
56         "unicodePwd",
57         "dBCSPwd",
58         "lmPwdHistory", 
59         "ntPwdHistory", 
60         "msDS-KeyVersionNumber",
61         "pwdLastSet"
62 };
63
64 /* And we merge them back into search requests when asked to do so */
65
66 struct lpdb_reply {
67         struct lpdb_reply *next;
68         struct ldb_reply *remote;
69         struct ldb_dn *local_dn;
70 };
71
72 struct lpdb_context {
73
74         struct ldb_module *module;
75         struct ldb_request *req;
76
77         struct ldb_message *local_message;
78
79         struct lpdb_reply *list;
80         struct lpdb_reply *current;
81         struct ldb_reply *remote_done;
82         struct ldb_reply *remote;
83
84         bool added_objectGUID;
85         bool added_objectClass;
86
87 };
88
89 static struct lpdb_context *lpdb_init_context(struct ldb_module *module,
90                                               struct ldb_request *req)
91 {
92         struct lpdb_context *ac;
93
94         ac = talloc_zero(req, struct lpdb_context);
95         if (ac == NULL) {
96                 ldb_set_errstring(module->ldb, "Out of Memory");
97                 return NULL;
98         }
99
100         ac->module = module;
101         ac->req = req;
102
103         return ac;
104 }
105
106 static int lpdb_local_callback(struct ldb_request *req, struct ldb_reply *ares)
107 {
108         struct lpdb_context *ac;
109
110         ac = talloc_get_type(req->context, struct lpdb_context);
111
112         if (!ares) {
113                 return ldb_module_done(ac->req, NULL, NULL,
114                                         LDB_ERR_OPERATIONS_ERROR);
115         }
116         if (ares->error != LDB_SUCCESS) {
117                 return ldb_module_done(ac->req, ares->controls,
118                                         ares->response, ares->error);
119         }
120
121         if (ares->type != LDB_REPLY_DONE) {
122                 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
123                 talloc_free(ares);
124                 return ldb_module_done(ac->req, NULL, NULL,
125                                         LDB_ERR_OPERATIONS_ERROR);
126         }
127
128         talloc_free(ares);
129         return ldb_module_done(ac->req,
130                                 ac->remote_done->controls,
131                                 ac->remote_done->response,
132                                 ac->remote_done->error);
133 }
134
135 /*****************************************************************************
136  * ADD
137  ****************************************************************************/
138
139 static int lpdb_add_callback(struct ldb_request *req,
140                                 struct ldb_reply *ares);
141
142 static int local_password_add(struct ldb_module *module, struct ldb_request *req)
143 {
144         struct ldb_message *remote_message;
145         struct ldb_request *remote_req;
146         struct lpdb_context *ac;
147         struct GUID objectGUID;
148         int ret;
149         int i;
150
151         ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_add\n");
152
153         if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
154                 return ldb_next_request(module, req);
155         }
156
157         /* If the caller is manipulating the local passwords directly, let them pass */
158         if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
159                                 req->op.add.message->dn) == 0) {
160                 return ldb_next_request(module, req);
161         }
162
163         for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
164                 if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
165                         break;
166                 }
167         }
168
169         /* It didn't match any of our password attributes, go on */
170         if (i == ARRAY_SIZE(password_attrs)) {
171                 return ldb_next_request(module, req);
172         }
173
174         /* TODO: remove this when userPassword will be in schema */
175         if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
176                 ldb_asprintf_errstring(module->ldb,
177                                         "Cannot relocate a password on entry: %s, does not have objectClass 'person'",
178                                         ldb_dn_get_linearized(req->op.add.message->dn));
179                 return LDB_ERR_OBJECT_CLASS_VIOLATION;
180         }
181
182         /* From here, we assume we have password attributes to split off */
183         ac = lpdb_init_context(module, req);
184         if (!ac) {
185                 return LDB_ERR_OPERATIONS_ERROR;
186         }
187
188         remote_message = ldb_msg_copy_shallow(remote_req, req->op.add.message);
189         if (remote_message == NULL) {
190                 return LDB_ERR_OPERATIONS_ERROR;
191         }
192
193         /* Remove any password attributes from the remote message */
194         for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
195                 ldb_msg_remove_attr(remote_message, password_attrs[i]);
196         }
197
198         /* Find the objectGUID to use as the key */
199         objectGUID = samdb_result_guid(ac->req->op.add.message, "objectGUID");
200
201         ac->local_message = ldb_msg_copy_shallow(ac, req->op.add.message);
202         if (ac->local_message == NULL) {
203                 return LDB_ERR_OPERATIONS_ERROR;
204         }
205
206         /* Remove anything seen in the remote message from the local
207          * message (leaving only password attributes) */
208         for (i=0; i < remote_message->num_elements; i++) {
209                 ldb_msg_remove_attr(ac->local_message, remote_message->elements[i].name);
210         }
211
212         /* We must have an objectGUID already, or we don't know where
213          * to add the password.  This may be changed to an 'add and
214          * search', to allow the directory to create the objectGUID */
215         if (ldb_msg_find_ldb_val(req->op.add.message, "objectGUID") == NULL) {
216                 ldb_set_errstring(module->ldb,
217                                   "no objectGUID found in search: "
218                                   "local_password module must be "
219                                   "onfigured below objectGUID module!\n");
220                 return LDB_ERR_CONSTRAINT_VIOLATION;
221         }
222
223         ac->local_message->dn = ldb_dn_new(ac->local_message,
224                                            module->ldb, LOCAL_BASE);
225         if ((ac->local_message->dn == NULL) ||
226             ( ! ldb_dn_add_child_fmt(ac->local_message->dn,
227                                      PASSWORD_GUID_ATTR "=%s",
228                                      GUID_string(ac->local_message,
229                                                         &objectGUID)))) {
230                 return LDB_ERR_OPERATIONS_ERROR;
231         }
232
233         ret = ldb_build_add_req(&remote_req, module->ldb, ac,
234                                 remote_message,
235                                 req->controls,
236                                 ac, lpdb_add_callback,
237                                 req);
238         if (ret != LDB_SUCCESS) {
239                 return ret;
240         }
241
242         return ldb_next_request(module, remote_req);
243 }
244
245 /* Add a record, splitting password attributes from the user's main
246  * record */
247 static int lpdb_add_callback(struct ldb_request *req,
248                                 struct ldb_reply *ares)
249 {
250         struct ldb_request *local_req;
251         struct lpdb_context *ac;
252         int ret;
253
254         ac = talloc_get_type(req->context, struct lpdb_context);
255
256         if (!ares) {
257                 return ldb_module_done(ac->req, NULL, NULL,
258                                         LDB_ERR_OPERATIONS_ERROR);
259         }
260         if (ares->error != LDB_SUCCESS) {
261                 return ldb_module_done(ac->req, ares->controls,
262                                         ares->response, ares->error);
263         }
264
265         if (ares->type != LDB_REPLY_DONE) {
266                 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
267                 talloc_free(ares);
268                 return ldb_module_done(ac->req, NULL, NULL,
269                                         LDB_ERR_OPERATIONS_ERROR);
270         }
271
272         ac->remote_done = talloc_steal(ac, ares);
273
274         ret = ldb_build_add_req(&local_req, ac->module->ldb, ac,
275                                 ac->local_message,
276                                 NULL,
277                                 ac, lpdb_local_callback,
278                                 ac->req);
279         if (ret != LDB_SUCCESS) {
280                 return ldb_module_done(ac->req, NULL, NULL, ret);
281         }
282
283         ret = ldb_next_request(ac->module, local_req);
284         if (ret != LDB_SUCCESS) {
285                 return ldb_module_done(ac->req, NULL, NULL, ret);
286         }
287         return LDB_SUCCESS;
288 }
289
290 /*****************************************************************************
291  * MODIFY
292  ****************************************************************************/
293
294 static int lpdb_modify_callabck(struct ldb_request *req,
295                                 struct ldb_reply *ares);
296 static int lpdb_mod_search_callback(struct ldb_request *req,
297                                     struct ldb_reply *ares);
298
299 static int local_password_modify(struct ldb_module *module, struct ldb_request *req)
300 {
301         struct lpdb_context *ac;
302         struct ldb_message *remote_message;
303         struct ldb_request *remote_req;
304         int ret;
305         int i;
306
307         ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_modify\n");
308
309         if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
310                 return ldb_next_request(module, req);
311         }
312
313         /* If the caller is manipulating the local passwords directly, let them pass */
314         if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
315                                 req->op.mod.message->dn) == 0) {
316                 return ldb_next_request(module, req);
317         }
318
319         for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
320                 if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
321                         break;
322                 }
323         }
324
325         /* It didn't match any of our password attributes, then we have nothing to do here */
326         if (i == ARRAY_SIZE(password_attrs)) {
327                 return ldb_next_request(module, req);
328         }
329
330         /* From here, we assume we have password attributes to split off */
331         ac = lpdb_init_context(module, req);
332         if (!ac) {
333                 return LDB_ERR_OPERATIONS_ERROR;
334         }
335
336         remote_message = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
337         if (remote_message == NULL) {
338                 return LDB_ERR_OPERATIONS_ERROR;
339         }
340
341         /* Remove any password attributes from the remote message */
342         for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
343                 ldb_msg_remove_attr(remote_message, password_attrs[i]);
344         }
345
346         ac->local_message = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
347         if (ac->local_message == NULL) {
348                 return LDB_ERR_OPERATIONS_ERROR;
349         }
350
351         /* Remove anything seen in the remote message from the local
352          * message (leaving only password attributes) */
353         for (i=0; i < remote_message->num_elements;i++) {
354                 ldb_msg_remove_attr(ac->local_message, remote_message->elements[i].name);
355         }
356
357         ret = ldb_build_mod_req(&remote_req, module->ldb, ac,
358                                 remote_message,
359                                 req->controls,
360                                 ac, lpdb_modify_callabck,
361                                 req);
362         if (ret != LDB_SUCCESS) {
363                 return ret;
364         }
365
366         return ldb_next_request(module, remote_req);
367 }
368
369 /* On a modify, we don't have the objectGUID handy, so we need to
370  * search our DN for it */
371 static int lpdb_modify_callabck(struct ldb_request *req,
372                                 struct ldb_reply *ares)
373 {
374         static const char * const attrs[] = { "objectGUID", "objectClass", NULL };
375         struct ldb_request *search_req;
376         struct lpdb_context *ac;
377         int ret;
378
379         ac = talloc_get_type(req->context, struct lpdb_context);
380
381         if (!ares) {
382                 return ldb_module_done(ac->req, NULL, NULL,
383                                         LDB_ERR_OPERATIONS_ERROR);
384         }
385         if (ares->error != LDB_SUCCESS) {
386                 return ldb_module_done(ac->req, ares->controls,
387                                         ares->response, ares->error);
388         }
389
390         if (ares->type != LDB_REPLY_DONE) {
391                 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
392                 talloc_free(ares);
393                 return ldb_module_done(ac->req, NULL, NULL,
394                                         LDB_ERR_OPERATIONS_ERROR);
395         }
396
397         ac->remote_done = talloc_steal(ac, ares);
398
399         /* prepare the search operation */
400         ret = ldb_build_search_req(&search_req, ac->module->ldb, ac,
401                                    ac->req->op.mod.message->dn, LDB_SCOPE_BASE,
402                                    "(objectclass=*)", attrs,
403                                    NULL,
404                                    ac, lpdb_mod_search_callback,
405                                    ac->req);
406         if (ret != LDB_SUCCESS) {
407                 return ldb_module_done(ac->req, NULL, NULL,
408                                         LDB_ERR_OPERATIONS_ERROR);
409         }
410
411         ret = ldb_next_request(ac->module, search_req);
412         if (ret != LDB_SUCCESS) {
413                 return ldb_module_done(ac->req, NULL, NULL,
414                                         LDB_ERR_OPERATIONS_ERROR);
415         }
416         return LDB_SUCCESS;
417 }
418
419 /* Called when we search for our own entry.  Stores the one entry we
420  * expect (as it is a base search) on the context pointer */
421 static int lpdb_mod_search_callback(struct ldb_request *req,
422                                     struct ldb_reply *ares)
423 {
424         struct ldb_request *local_req;
425         struct lpdb_context *ac;
426         struct ldb_dn *local_dn;
427         struct GUID objectGUID;
428         int ret = LDB_SUCCESS;
429
430         ac = talloc_get_type(req->context, struct lpdb_context);
431
432         if (!ares) {
433                 return ldb_module_done(ac->req, NULL, NULL,
434                                         LDB_ERR_OPERATIONS_ERROR);
435         }
436         if (ares->error != LDB_SUCCESS) {
437                 return ldb_module_done(ac->req, ares->controls,
438                                         ares->response, ares->error);
439         }
440
441         switch (ares->type) {
442         case LDB_REPLY_ENTRY:
443                 if (ac->remote != NULL) {
444                         ldb_set_errstring(ac->module->ldb, "Too many results");
445                         talloc_free(ares);
446                         return ldb_module_done(ac->req, NULL, NULL,
447                                                 LDB_ERR_OPERATIONS_ERROR);
448                 }
449
450                 ac->remote = talloc_steal(ac, ares);
451                 break;
452
453         case LDB_REPLY_REFERRAL:
454
455                 /* ignore */
456                 talloc_free(ares);
457                 break;
458
459         case LDB_REPLY_DONE:
460                 /* After we find out the objectGUID for the entry, modify the local
461                  * password database as required */
462
463                 talloc_free(ares);
464
465                 /* if it is not an entry of type person this is an error */
466                 /* TODO: remove this when sambaPassword will be in schema */
467                 if (ac->remote == NULL) {
468                         ldb_asprintf_errstring(ac->module->ldb,
469                                 "entry just modified (%s) not found!",
470                                 ldb_dn_get_linearized(req->op.search.base));
471                         return ldb_module_done(ac->req, NULL, NULL,
472                                                 LDB_ERR_OPERATIONS_ERROR);
473                 }
474                 if (!ldb_msg_check_string_attribute(ac->remote->message,
475                                                     "objectClass", "person")) {
476                         /* Not relevent to us */
477                         return ldb_module_done(ac->req,
478                                                 ac->remote_done->controls,
479                                                 ac->remote_done->response,
480                                                 ac->remote_done->error);
481                 }
482
483                 if (ldb_msg_find_ldb_val(ac->remote->message,
484                                          "objectGUID") == NULL) {
485                         ldb_set_errstring(ac->module->ldb,
486                                           "no objectGUID found in search: "
487                                           "local_password module must be "
488                                           "configured below objectGUID "
489                                           "module!\n");
490                         return ldb_module_done(ac->req, NULL, NULL,
491                                         LDB_ERR_OBJECT_CLASS_VIOLATION);
492                 }
493
494                 objectGUID = samdb_result_guid(ac->remote->message,
495                                                 "objectGUID");
496
497                 local_dn = ldb_dn_new(ac, ac->module->ldb, LOCAL_BASE);
498                 if ((local_dn == NULL) ||
499                     ( ! ldb_dn_add_child_fmt(local_dn,
500                                             PASSWORD_GUID_ATTR "=%s",
501                                             GUID_string(ac, &objectGUID)))) {
502                         return ldb_module_done(ac->req, NULL, NULL,
503                                                 LDB_ERR_OPERATIONS_ERROR);
504                 }
505                 ac->local_message->dn = local_dn;
506
507                 ret = ldb_build_mod_req(&local_req, ac->module->ldb, ac,
508                                         ac->local_message,
509                                         NULL,
510                                         ac, lpdb_local_callback,
511                                         ac->req);
512                 if (ret != LDB_SUCCESS) {
513                         return ldb_module_done(ac->req, NULL, NULL, ret);
514                 }
515
516                 /* perform the local update */
517                 ret = ldb_next_request(ac->module, local_req);
518                 if (ret != LDB_SUCCESS) {
519                         return ldb_module_done(ac->req, NULL, NULL, ret);
520                 }
521         }
522
523         return LDB_SUCCESS;
524 }
525
526 /*****************************************************************************
527  * DELETE
528  ****************************************************************************/
529
530 static int lpdb_delete_callabck(struct ldb_request *req,
531                                 struct ldb_reply *ares);
532 static int lpdb_del_search_callback(struct ldb_request *req,
533                                     struct ldb_reply *ares);
534
535 static int local_password_delete(struct ldb_module *module,
536                                  struct ldb_request *req)
537 {
538         struct ldb_request *remote_req;
539         struct lpdb_context *ac;
540         int ret;
541
542         ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_delete\n");
543
544         /* do not manipulate our control entries */
545         if (ldb_dn_is_special(req->op.mod.message->dn)) {
546                 return ldb_next_request(module, req);
547         }
548
549         /* If the caller is manipulating the local passwords directly,
550          * let them pass */
551         if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
552                                 req->op.del.dn) == 0) {
553                 return ldb_next_request(module, req);
554         }
555
556         /* From here, we assume we have password attributes to split off */
557         ac = lpdb_init_context(module, req);
558         if (!ac) {
559                 return LDB_ERR_OPERATIONS_ERROR;
560         }
561
562         ret = ldb_build_del_req(&remote_req, module->ldb, ac,
563                                 req->op.del.dn,
564                                 req->controls,
565                                 ac, lpdb_delete_callabck,
566                                 req);
567         if (ret != LDB_SUCCESS) {
568                 return ret;
569         }
570
571         return ldb_next_request(module, remote_req);
572 }
573
574 /* On a modify, we don't have the objectGUID handy, so we need to
575  * search our DN for it */
576 static int lpdb_delete_callabck(struct ldb_request *req,
577                                 struct ldb_reply *ares)
578 {
579         static const char * const attrs[] = { "objectGUID", "objectClass", NULL };
580         struct ldb_request *search_req;
581         struct lpdb_context *ac;
582         int ret;
583
584         ac = talloc_get_type(req->context, struct lpdb_context);
585
586         if (!ares) {
587                 return ldb_module_done(ac->req, NULL, NULL,
588                                         LDB_ERR_OPERATIONS_ERROR);
589         }
590         if (ares->error != LDB_SUCCESS) {
591                 return ldb_module_done(ac->req, ares->controls,
592                                         ares->response, ares->error);
593         }
594
595         if (ares->type != LDB_REPLY_DONE) {
596                 ldb_set_errstring(ac->module->ldb, "Unexpected reply type");
597                 talloc_free(ares);
598                 return ldb_module_done(ac->req, NULL, NULL,
599                                         LDB_ERR_OPERATIONS_ERROR);
600         }
601
602         ac->remote_done = talloc_steal(ac, ares);
603
604         /* prepare the search operation */
605         ret = ldb_build_search_req(&search_req, ac->module->ldb, ac,
606                                    ac->req->op.del.dn, LDB_SCOPE_BASE,
607                                    "(objectclass=*)", attrs,
608                                    NULL,
609                                    ac, lpdb_del_search_callback,
610                                    ac->req);
611         if (ret != LDB_SUCCESS) {
612                 return ldb_module_done(ac->req, NULL, NULL,
613                                         LDB_ERR_OPERATIONS_ERROR);
614         }
615
616         ret = ldb_next_request(ac->module, search_req);
617         if (ret != LDB_SUCCESS) {
618                 return ldb_module_done(ac->req, NULL, NULL,
619                                         LDB_ERR_OPERATIONS_ERROR);
620         }
621         return LDB_SUCCESS;
622 }
623
624 /* Called when we search for our own entry.  Stores the one entry we
625  * expect (as it is a base search) on the context pointer */
626 static int lpdb_del_search_callback(struct ldb_request *req,
627                                     struct ldb_reply *ares)
628 {
629         struct ldb_request *local_req;
630         struct lpdb_context *ac;
631         struct ldb_dn *local_dn;
632         struct GUID objectGUID;
633         int ret = LDB_SUCCESS;
634
635         ac = talloc_get_type(req->context, struct lpdb_context);
636
637         if (!ares) {
638                 return ldb_module_done(ac->req, NULL, NULL,
639                                         LDB_ERR_OPERATIONS_ERROR);
640         }
641         if (ares->error != LDB_SUCCESS) {
642                 return ldb_module_done(ac->req, ares->controls,
643                                         ares->response, ares->error);
644         }
645
646         switch (ares->type) {
647         case LDB_REPLY_ENTRY:
648                 if (ac->remote != NULL) {
649                         ldb_set_errstring(ac->module->ldb, "Too many results");
650                         talloc_free(ares);
651                         return ldb_module_done(ac->req, NULL, NULL,
652                                                 LDB_ERR_OPERATIONS_ERROR);
653                 }
654
655                 ac->remote = talloc_steal(ac, ares);
656                 break;
657
658         case LDB_REPLY_REFERRAL:
659
660                 /* ignore */
661                 talloc_free(ares);
662                 break;
663
664         case LDB_REPLY_DONE:
665                 /* After we find out the objectGUID for the entry, modify the local
666                  * password database as required */
667
668                 talloc_free(ares);
669
670                 /* if it is not an entry of type person this is NOT an error */
671                 /* TODO: remove this when sambaPassword will be in schema */
672                 if (ac->remote == NULL) {
673                         return ldb_module_done(ac->req,
674                                                 ac->remote_done->controls,
675                                                 ac->remote_done->response,
676                                                 ac->remote_done->error);
677                 }
678                 if (!ldb_msg_check_string_attribute(ac->remote->message,
679                                                     "objectClass", "person")) {
680                         /* Not relevent to us */
681                         return ldb_module_done(ac->req,
682                                                 ac->remote_done->controls,
683                                                 ac->remote_done->response,
684                                                 ac->remote_done->error);
685                 }
686
687                 if (ldb_msg_find_ldb_val(ac->remote->message,
688                                          "objectGUID") == NULL) {
689                         ldb_set_errstring(ac->module->ldb,
690                                           "no objectGUID found in search: "
691                                           "local_password module must be "
692                                           "configured below objectGUID "
693                                           "module!\n");
694                         return ldb_module_done(ac->req, NULL, NULL,
695                                         LDB_ERR_OBJECT_CLASS_VIOLATION);
696                 }
697
698                 objectGUID = samdb_result_guid(ac->remote->message,
699                                                 "objectGUID");
700
701                 local_dn = ldb_dn_new(ac, ac->module->ldb, LOCAL_BASE);
702                 if ((local_dn == NULL) ||
703                     ( ! ldb_dn_add_child_fmt(local_dn,
704                                             PASSWORD_GUID_ATTR "=%s",
705                                             GUID_string(ac, &objectGUID)))) {
706                         return ldb_module_done(ac->req, NULL, NULL,
707                                                 LDB_ERR_OPERATIONS_ERROR);
708                 }
709
710                 ret = ldb_build_del_req(&local_req, ac->module->ldb, ac,
711                                         local_dn,
712                                         NULL,
713                                         ac, lpdb_local_callback,
714                                         ac->req);
715                 if (ret != LDB_SUCCESS) {
716                         return ldb_module_done(ac->req, NULL, NULL, ret);
717                 }
718
719                 /* perform the local update */
720                 ret = ldb_next_request(ac->module, local_req);
721                 if (ret != LDB_SUCCESS) {
722                         return ldb_module_done(ac->req, NULL, NULL, ret);
723                 }
724         }
725
726         return LDB_SUCCESS;
727 }
728
729
730 /*****************************************************************************
731  * SEARCH
732  ****************************************************************************/
733
734 static int lpdb_local_search_callback(struct ldb_request *req,
735                                         struct ldb_reply *ares);
736
737 static int lpdb_local_search(struct lpdb_context *ac)
738 {
739         struct ldb_request *local_req;
740         int ret;
741
742         ret = ldb_build_search_req(&local_req, ac->module->ldb, ac,
743                                    ac->current->local_dn,
744                                    LDB_SCOPE_BASE,
745                                    "(objectclass=*)",
746                                    ac->req->op.search.attrs,
747                                    NULL,
748                                    ac, lpdb_local_search_callback,
749                                    ac->req);
750         if (ret != LDB_SUCCESS) {
751                 return LDB_ERR_OPERATIONS_ERROR;
752         }
753
754         return ldb_next_request(ac->module, local_req);
755 }
756
757 static int lpdb_local_search_callback(struct ldb_request *req,
758                                         struct ldb_reply *ares)
759 {
760         struct lpdb_context *ac;
761         struct ldb_reply *merge;
762         struct lpdb_reply *lr;
763         int ret;
764         int i;
765
766         ac = talloc_get_type(req->context, struct lpdb_context);
767
768         if (!ares) {
769                 return ldb_module_done(ac->req, NULL, NULL,
770                                         LDB_ERR_OPERATIONS_ERROR);
771         }
772         if (ares->error != LDB_SUCCESS) {
773                 return ldb_module_done(ac->req, ares->controls,
774                                         ares->response, ares->error);
775         }
776
777         lr = ac->current;
778
779         /* we are interested only in a single reply (base search) */
780         switch (ares->type) {
781         case LDB_REPLY_ENTRY:
782
783                 if (lr->remote == NULL) {
784                         ldb_set_errstring(ac->module->ldb,
785                                 "Too many results for password entry search!");
786                         talloc_free(ares);
787                         return ldb_module_done(ac->req, NULL, NULL,
788                                                 LDB_ERR_OPERATIONS_ERROR);
789                 }
790
791                 merge = lr->remote;
792                 lr->remote = NULL;
793
794                 /* steal the local results on the remote results to be
795                  * returned all together */
796                 talloc_steal(merge, ares->message->elements);
797
798                 /* Make sure never to return the internal key attribute */
799                 ldb_msg_remove_attr(ares->message, PASSWORD_GUID_ATTR);
800
801                 for (i=0; i < ares->message->num_elements; i++) {
802                         struct ldb_message_element *el;
803                         
804                         el = ldb_msg_find_element(merge->message,
805                                                   ares->message->elements[i].name);
806                         if (!el) {
807                                 ret = ldb_msg_add_empty(merge->message,
808                                                         ares->message->elements[i].name,
809                                                         0, &el);
810                                 if (ret != LDB_SUCCESS) {
811                                         talloc_free(ares);
812                                         return ldb_module_done(ac->req,
813                                                                 NULL, NULL,
814                                                                 LDB_ERR_OPERATIONS_ERROR);
815                                 }
816                                 *el = ares->message->elements[i];
817                         }
818                 }
819
820                 /* free the rest */
821                 talloc_free(ares);
822
823                 return ldb_module_send_entry(ac->req, merge->message, merge->controls);
824
825         case LDB_REPLY_REFERRAL:
826                 /* ignore */
827                 talloc_free(ares);
828                 break;
829
830         case LDB_REPLY_DONE:
831
832                 talloc_free(ares);
833
834                 /* if this entry was not returned yet, return it now */
835                 if (lr->remote) {
836                         ret = ldb_module_send_entry(ac->req, ac->remote->message, ac->remote->controls);
837                         if (ret != LDB_SUCCESS) {
838                                 return ldb_module_done(ac->req,
839                                                         NULL, NULL, ret);
840                         }
841                         lr->remote = NULL;
842                 }
843
844                 if (lr->next->remote->type == LDB_REPLY_DONE) {
845                         /* this was the last one */
846                         return ldb_module_done(ac->req,
847                                                 lr->next->remote->controls,
848                                                 lr->next->remote->response,
849                                                 lr->next->remote->error);
850                 } else {
851                         /* next one */
852                         ac->current = lr->next;
853                         talloc_free(lr);
854
855                         ret = lpdb_local_search(ac);
856                         if (ret != LDB_SUCCESS) {
857                                 return ldb_module_done(ac->req,
858                                                         NULL, NULL, ret);
859                         }
860                 }
861         }
862
863         return LDB_SUCCESS;
864 }
865
866 /* For each entry returned in a remote search, do a local base search,
867  * based on the objectGUID we asked for as an additional attribute */
868 static int lpdb_remote_search_callback(struct ldb_request *req,
869                                         struct ldb_reply *ares)
870 {
871         struct lpdb_context *ac;
872         struct ldb_dn *local_dn;
873         struct GUID objectGUID;
874         struct lpdb_reply *lr;
875         int ret;
876
877         ac = talloc_get_type(req->context, struct lpdb_context);
878
879         if (!ares) {
880                 return ldb_module_done(ac->req, NULL, NULL,
881                                         LDB_ERR_OPERATIONS_ERROR);
882         }
883         if (ares->error != LDB_SUCCESS) {
884                 return ldb_module_done(ac->req, ares->controls,
885                                         ares->response, ares->error);
886         }
887
888         switch (ares->type) {
889         case LDB_REPLY_ENTRY:
890                 /* No point searching further if it's not a 'person' entry */
891                 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
892
893                         /* Make sure to remove anything we added */
894                         if (ac->added_objectGUID) {
895                                 ldb_msg_remove_attr(ares->message, "objectGUID");
896                         }
897                         
898                         if (ac->added_objectClass) {
899                                 ldb_msg_remove_attr(ares->message, "objectClass");
900                         }
901                         
902                         return ldb_module_send_entry(ac->req, ares->message, ares->controls);
903                 }
904
905                 if (ldb_msg_find_ldb_val(ares->message, "objectGUID") == NULL) {
906                         ldb_set_errstring(ac->module->ldb, 
907                                           "no objectGUID found in search: local_password module must be configured below objectGUID module!\n");
908                         return ldb_module_done(ac->req, NULL, NULL,
909                                                 LDB_ERR_OPERATIONS_ERROR);
910                 }
911         
912                 objectGUID = samdb_result_guid(ares->message, "objectGUID");
913
914                 if (ac->added_objectGUID) {
915                         ldb_msg_remove_attr(ares->message, "objectGUID");
916                 }
917
918                 if (ac->added_objectClass) {
919                         ldb_msg_remove_attr(ares->message, "objectClass");
920                 }
921
922                 local_dn = ldb_dn_new(ac, ac->module->ldb, LOCAL_BASE);
923                 if ((local_dn == NULL) ||
924                     (! ldb_dn_add_child_fmt(local_dn,
925                                             PASSWORD_GUID_ATTR "=%s",
926                                             GUID_string(ac, &objectGUID)))) {
927                         return ldb_module_done(ac->req, NULL, NULL,
928                                                 LDB_ERR_OPERATIONS_ERROR);
929                 }
930
931                 lr = talloc_zero(ac, struct lpdb_reply);
932                 if (lr == NULL) {
933                         return ldb_module_done(ac->req, NULL, NULL,
934                                                 LDB_ERR_OPERATIONS_ERROR);
935                 }
936                 lr->local_dn = talloc_steal(lr, local_dn);
937                 lr->remote = talloc_steal(lr, ares);
938
939                 if (ac->list) {
940                         ac->current->next = lr;
941                 } else {
942                         ac->list = lr;
943                 }
944                 ac->current= lr;
945
946                 break;
947
948         case LDB_REPLY_REFERRAL:
949
950                 return ldb_module_send_referral(ac->req, ares->referral);
951
952         case LDB_REPLY_DONE:
953
954                 if (ac->list == NULL) {
955                         /* found nothing */
956                         return ldb_module_done(ac->req, ares->controls,
957                                                 ares->response, ares->error);
958                 }
959
960                 lr = talloc_zero(ac, struct lpdb_reply);
961                 if (lr == NULL) {
962                         return ldb_module_done(ac->req, NULL, NULL,
963                                                 LDB_ERR_OPERATIONS_ERROR);
964                 }
965                 lr->remote = talloc_steal(lr, ares);
966
967                 ac->current->next = lr;
968
969                 /* rewind current and start local searches */
970                 ac->current= ac->list;
971
972                 ret = lpdb_local_search(ac);
973                 if (ret != LDB_SUCCESS) {
974                         return ldb_module_done(ac->req, NULL, NULL, ret);
975                 }
976         }
977
978         return LDB_SUCCESS;
979 }
980
981 /* Search for passwords and other attributes.  The passwords are
982  * local, but the other attributes are remote, and we need to glue the
983  * two search spaces back togeather */
984
985 static int local_password_search(struct ldb_module *module, struct ldb_request *req)
986 {
987         struct ldb_request *remote_req;
988         struct lpdb_context *ac;
989         int i;
990         int ret;
991         const char * const *search_attrs = NULL;
992
993         ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_search\n");
994
995         if (ldb_dn_is_special(req->op.search.base)) { /* do not manipulate our control entries */
996                 return ldb_next_request(module, req);
997         }
998
999         search_attrs = NULL;
1000
1001         /* If the caller is searching for the local passwords directly, let them pass */
1002         if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1003                                 req->op.search.base) == 0) {
1004                 return ldb_next_request(module, req);
1005         }
1006
1007         if (req->op.search.attrs && (!ldb_attr_in_list(req->op.search.attrs, "*"))) {
1008                 for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
1009                         if (ldb_attr_in_list(req->op.search.attrs, password_attrs[i])) {
1010                                 break;
1011                         }
1012                 }
1013                 
1014                 /* It didn't match any of our password attributes, go on */
1015                 if (i == ARRAY_SIZE(password_attrs)) {
1016                         return ldb_next_request(module, req);
1017                 }
1018         }
1019
1020         ac = lpdb_init_context(module, req);
1021         if (!ac) {
1022                 return LDB_ERR_OPERATIONS_ERROR;
1023         }
1024
1025         /* Remote search is for all attributes: if the remote LDAP server has these attributes, then it overrides the local database */
1026         if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
1027                 if (!ldb_attr_in_list(req->op.search.attrs, "objectGUID")) {
1028                         search_attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "objectGUID");
1029                         ac->added_objectGUID = true;
1030                         if (!search_attrs) {
1031                                 return LDB_ERR_OPERATIONS_ERROR;
1032                         }
1033                 } else {
1034                         search_attrs = req->op.search.attrs;
1035                 }
1036                 if (!ldb_attr_in_list(search_attrs, "objectClass")) {
1037                         search_attrs = ldb_attr_list_copy_add(ac, search_attrs, "objectClass");
1038                         ac->added_objectClass = true;
1039                         if (!search_attrs) {
1040                                 return LDB_ERR_OPERATIONS_ERROR;
1041                         }
1042                 }
1043         } else {
1044                 search_attrs = req->op.search.attrs;
1045         }
1046
1047         ret = ldb_build_search_req_ex(&remote_req, module->ldb, ac,
1048                                         req->op.search.base,
1049                                         req->op.search.scope,
1050                                         req->op.search.tree,
1051                                         search_attrs,
1052                                         req->controls,
1053                                         ac, lpdb_remote_search_callback,
1054                                         req);
1055         if (ret != LDB_SUCCESS) {
1056                 return LDB_ERR_OPERATIONS_ERROR;
1057         }
1058
1059         /* perform the search */
1060         return ldb_next_request(module, remote_req);
1061 }
1062
1063 _PUBLIC_ const struct ldb_module_ops ldb_local_password_module_ops = {
1064         .name          = "local_password",
1065         .add           = local_password_add,
1066         .modify        = local_password_modify,
1067         .del           = local_password_delete,
1068         .search        = local_password_search
1069 };