4 Copyright (C) Simo Sorce 2004
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 * NOTICE: this module is NOT released under the GNU LGPL license as
8 * other ldb code. This module is release under the GNU GPL v2 or
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 * Component: ldb samldb module
31 * Description: add embedded user/group creation functionality
37 #include "libcli/ldap/ldap.h"
38 #include "lib/ldb/include/ldb_errors.h"
39 #include "lib/ldb/include/ldb_private.h"
40 #include "dsdb/samdb/samdb.h"
41 #include "libcli/security/security.h"
42 #include "librpc/gen_ndr/ndr_security.h"
46 /* if value is not null also check for attribute to have exactly that value */
47 static struct ldb_message_element *samldb_find_attribute(const struct ldb_message *msg, const char *name, const char *value)
50 struct ldb_message_element *el = ldb_msg_find_element(msg, name);
59 for (j = 0; j < el->num_values; j++) {
61 (char *)el->values[j].data) == 0) {
69 static BOOL samldb_msg_add_string(struct ldb_module *module, struct ldb_message *msg, const char *name, const char *value)
71 char *aval = talloc_strdup(msg, value);
74 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_msg_add_string: talloc_strdup failed!\n");
78 if (ldb_msg_add_string(msg, name, aval) != 0) {
85 static BOOL samldb_msg_add_sid(struct ldb_module *module, struct ldb_message *msg, const char *name, const struct dom_sid *sid)
89 status = ndr_push_struct_blob(&v, msg, sid,
90 (ndr_push_flags_fn_t)ndr_push_dom_sid);
91 if (!NT_STATUS_IS_OK(status)) {
94 return (ldb_msg_add_value(msg, name, &v) == 0);
97 static BOOL samldb_find_or_add_attribute(struct ldb_module *module, struct ldb_message *msg, const char *name, const char *value, const char *set_value)
99 if (samldb_find_attribute(msg, name, value) == NULL) {
100 return samldb_msg_add_string(module, msg, name, set_value);
106 allocate a new id, attempting to do it atomically
107 return 0 on failure, the id on success
109 static int samldb_set_next_rid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
110 const struct ldb_dn *dn, uint32_t old_id, uint32_t new_id)
112 struct ldb_message msg;
114 struct ldb_val vals[2];
115 struct ldb_message_element els[2];
119 ldb_debug(ldb, LDB_DEBUG_FATAL, "Are we out of valid IDs ?\n");
120 return LDB_ERR_OPERATIONS_ERROR;
123 /* we do a delete and add as a single operation. That prevents
124 a race, in case we are not actually on a transaction db */
126 msg.dn = ldb_dn_copy(mem_ctx, dn);
128 return LDB_ERR_OPERATIONS_ERROR;
130 msg.num_elements = 2;
133 els[0].num_values = 1;
134 els[0].values = &vals[0];
135 els[0].flags = LDB_FLAG_MOD_DELETE;
136 els[0].name = talloc_strdup(mem_ctx, "nextRid");
138 return LDB_ERR_OPERATIONS_ERROR;
141 els[1].num_values = 1;
142 els[1].values = &vals[1];
143 els[1].flags = LDB_FLAG_MOD_ADD;
144 els[1].name = els[0].name;
146 vals[0].data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", old_id);
148 return LDB_ERR_OPERATIONS_ERROR;
150 vals[0].length = strlen((char *)vals[0].data);
152 vals[1].data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", new_id);
154 return LDB_ERR_OPERATIONS_ERROR;
156 vals[1].length = strlen((char *)vals[1].data);
158 ret = ldb_modify(ldb, &msg);
163 allocate a new id, attempting to do it atomically
164 return 0 on failure, the id on success
166 static int samldb_find_next_rid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
167 const struct ldb_dn *dn, uint32_t *old_rid)
169 const char * const attrs[2] = { "nextRid", NULL };
170 struct ldb_result *res = NULL;
174 ret = ldb_search(module->ldb, dn, LDB_SCOPE_BASE, "nextRid=*", attrs, &res);
175 if (ret != LDB_SUCCESS) {
178 talloc_steal(mem_ctx, res);
179 if (res->count != 1) {
184 str = ldb_msg_find_string(res->msgs[0], "nextRid", NULL);
186 ldb_set_errstring(module->ldb,
187 talloc_asprintf(mem_ctx, "attribute nextRid not found in %s\n",
188 ldb_dn_linearize(res, dn)));
193 *old_rid = strtol(str, NULL, 0);
198 static int samldb_allocate_next_rid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
199 const struct ldb_dn *dn, const struct dom_sid *dom_sid,
200 struct dom_sid **new_sid)
202 struct dom_sid *obj_sid;
205 struct ldb_message **sid_msgs;
206 const char *sid_attrs[] = { NULL };
209 ret = samldb_find_next_rid(module, mem_ctx, dn, &old_rid);
214 /* return the new object sid */
215 obj_sid = dom_sid_add_rid(mem_ctx, dom_sid, old_rid);
217 ret = samldb_set_next_rid(module->ldb, mem_ctx, dn, old_rid, old_rid + 1);
222 *new_sid = dom_sid_add_rid(mem_ctx, dom_sid, old_rid + 1);
224 return LDB_ERR_OPERATIONS_ERROR;
227 ret = gendb_search(module->ldb,
228 mem_ctx, NULL, &sid_msgs, sid_attrs,
230 ldap_encode_ndr_dom_sid(mem_ctx, *new_sid));
232 /* Great. There are no conflicting users/groups/etc */
234 } else if (ret == -1) {
235 /* Bugger, there is a problem, and we don't know what it is until gendb_search improves */
238 /* gah, there are conflicting sids, lets move around the loop again... */
244 /* Find a domain object in the parents of a particular DN. */
245 static struct ldb_dn *samldb_search_domain(struct ldb_module *module, TALLOC_CTX *mem_ctx, const struct ldb_dn *dn)
247 TALLOC_CTX *local_ctx;
249 struct ldb_result *res = NULL;
252 local_ctx = talloc_new(mem_ctx);
253 if (local_ctx == NULL) return NULL;
255 sdn = ldb_dn_copy(local_ctx, dn);
257 ret = ldb_search(module->ldb, sdn, LDB_SCOPE_BASE, "objectClass=domain", NULL, &res);
258 talloc_steal(local_ctx, res);
259 if (ret == LDB_SUCCESS && res->count == 1)
261 } while ((sdn = ldb_dn_get_parent(local_ctx, sdn)));
263 if (ret != LDB_SUCCESS || res->count != 1) {
264 talloc_free(local_ctx);
268 talloc_steal(mem_ctx, sdn);
269 talloc_free(local_ctx);
274 /* search the domain related to the provided dn
275 allocate a new RID for the domain
276 return the new sid string
278 static struct dom_sid *samldb_get_new_sid(struct ldb_module *module,
279 TALLOC_CTX *mem_ctx, const struct ldb_dn *obj_dn)
281 const char * const attrs[2] = { "objectSid", NULL };
282 struct ldb_result *res = NULL;
283 const struct ldb_dn *dom_dn;
285 struct dom_sid *dom_sid, *obj_sid;
287 /* get the domain component part of the provided dn */
289 dom_dn = samldb_search_domain(module, mem_ctx, obj_dn);
290 if (dom_dn == NULL) {
291 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "Invalid dn (%s) not child of a domain object!\n", ldb_dn_linearize(mem_ctx, obj_dn));
295 /* find the domain sid */
297 ret = ldb_search(module->ldb, dom_dn, LDB_SCOPE_BASE, "objectSid=*", attrs, &res);
298 if (ret != LDB_SUCCESS || res->count != 1) {
299 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n");
304 dom_sid = samdb_result_dom_sid(res, res->msgs[0], "objectSid");
305 if (dom_sid == NULL) {
306 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n");
311 /* allocate a new Rid for the domain */
312 ret = samldb_allocate_next_rid(module, mem_ctx, dom_dn, dom_sid, &obj_sid);
314 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "Failed to increment nextRid of %s\n", ldb_dn_linearize(mem_ctx, dom_dn));
324 /* If we are adding new users/groups, we need to update the nextRid
325 * attribute to be 'above' all incoming users RIDs. This tries to
326 * avoid clashes in future */
328 int samldb_notice_sid(struct ldb_module *module,
329 TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
332 struct ldb_dn *dom_dn;
333 struct dom_sid *dom_sid;
334 const char *dom_attrs[] = { NULL };
335 struct ldb_message **dom_msgs;
338 /* find the domain DN */
340 ret = gendb_search(module->ldb,
341 mem_ctx, NULL, &dom_msgs, dom_attrs,
343 ldap_encode_ndr_dom_sid(mem_ctx, sid));
345 ldb_set_errstring(module->ldb,
346 talloc_asprintf(mem_ctx,
347 "Attempt to add record with SID %s rejected,"
348 " because this SID is already in the database",
349 dom_sid_string(mem_ctx, sid)));
350 /* We have a duplicate SID, we must reject the add */
351 talloc_free(dom_msgs);
352 return LDB_ERR_CONSTRAINT_VIOLATION;
356 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error searching for proposed sid!\n");
360 dom_sid = dom_sid_dup(mem_ctx, sid);
362 return LDB_ERR_OPERATIONS_ERROR;
364 /* get the domain component part of the provided SID */
365 dom_sid->num_auths--;
367 /* find the domain DN */
369 ret = gendb_search(module->ldb,
370 mem_ctx, NULL, &dom_msgs, dom_attrs,
371 "(&(objectSid=%s)(objectclass=domain))",
372 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
374 /* This isn't an operation on a domain we know about, so nothing to update */
379 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain from sid: duplicate domains!\n");
380 talloc_free(dom_msgs);
385 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_get_new_sid: error retrieving domain sid!\n");
389 dom_dn = dom_msgs[0]->dn;
391 ret = samldb_find_next_rid(module, mem_ctx,
394 talloc_free(dom_msgs);
398 if (old_rid <= sid->sub_auths[sid->num_auths - 1]) {
399 ret = samldb_set_next_rid(module->ldb, mem_ctx, dom_dn, old_rid,
400 sid->sub_auths[sid->num_auths - 1] + 1);
402 talloc_free(dom_msgs);
406 static int samldb_handle_sid(struct ldb_module *module,
407 TALLOC_CTX *mem_ctx, struct ldb_message *msg2)
411 struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, msg2, "objectSid");
413 sid = samldb_get_new_sid(module, msg2, msg2->dn);
415 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_user_or_computer_object: internal error! Can't generate new sid\n");
416 return LDB_ERR_OPERATIONS_ERROR;
419 if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
421 return LDB_ERR_OPERATIONS_ERROR;
426 ret = samldb_notice_sid(module, msg2, sid);
431 static char *samldb_generate_samAccountName(struct ldb_module *module, TALLOC_CTX *mem_ctx)
434 const char *attrs[] = { NULL };
435 struct ldb_message **msgs;
438 /* Format: $000000-000000000000 */
441 name = talloc_asprintf(mem_ctx, "$%.6X-%.6X%.6X", (unsigned int)random(), (unsigned int)random(), (unsigned int)random());
442 /* TODO: Figure out exactly what this is meant to conflict with */
443 ret = gendb_search(module->ldb,
444 mem_ctx, NULL, &msgs, attrs,
446 ldb_binary_encode_string(mem_ctx, name));
448 /* Great. There are no conflicting users/groups/etc */
450 } else if (ret == -1) {
451 /* Bugger, there is a problem, and we don't know what it is until gendb_search improves */
455 /* gah, there are conflicting sids, lets move around the loop again... */
460 static int samldb_copy_template(struct ldb_module *module, struct ldb_message *msg, const char *filter)
462 struct ldb_result *res;
463 struct ldb_message *t;
467 /* pull the template record */
468 ret = ldb_search(module->ldb, NULL, LDB_SCOPE_SUBTREE, filter, NULL, &res);
469 if (ret != LDB_SUCCESS || res->count != 1) {
470 ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb: ERROR: template '%s' matched too many records\n", filter);
475 for (i = 0; i < t->num_elements; i++) {
476 struct ldb_message_element *el = &t->elements[i];
477 /* some elements should not be copied from the template */
478 if (strcasecmp(el->name, "cn") == 0 ||
479 strcasecmp(el->name, "name") == 0 ||
480 strcasecmp(el->name, "sAMAccountName") == 0 ||
481 strcasecmp(el->name, "objectGUID") == 0) {
484 for (j = 0; j < el->num_values; j++) {
485 if (strcasecmp(el->name, "objectClass") == 0) {
486 if (strcasecmp((char *)el->values[j].data, "Template") == 0 ||
487 strcasecmp((char *)el->values[j].data, "userTemplate") == 0 ||
488 strcasecmp((char *)el->values[j].data, "groupTemplate") == 0 ||
489 strcasecmp((char *)el->values[j].data, "foreignSecurityPrincipalTemplate") == 0 ||
490 strcasecmp((char *)el->values[j].data, "aliasTemplate") == 0 ||
491 strcasecmp((char *)el->values[j].data, "trustedDomainTemplate") == 0 ||
492 strcasecmp((char *)el->values[j].data, "secretTemplate") == 0) {
495 if ( ! samldb_find_or_add_attribute(module, msg, el->name,
496 (char *)el->values[j].data,
497 (char *)el->values[j].data)) {
498 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "Attribute adding failed...\n");
503 if ( ! samldb_find_or_add_attribute(module, msg, el->name,
505 (char *)el->values[j].data)) {
506 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "Attribute adding failed...\n");
519 static int samldb_fill_group_object(struct ldb_module *module, const struct ldb_message *msg,
520 struct ldb_message **ret_msg)
524 struct ldb_message *msg2;
525 struct ldb_dn_component *rdn;
526 TALLOC_CTX *mem_ctx = talloc_new(msg);
528 return LDB_ERR_OPERATIONS_ERROR;
531 /* build the new msg */
532 msg2 = ldb_msg_copy(mem_ctx, msg);
534 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_group_object: ldb_msg_copy failed!\n");
535 talloc_free(mem_ctx);
536 return LDB_ERR_OPERATIONS_ERROR;
539 ret = samldb_copy_template(module, msg2, "(&(CN=TemplateGroup)(objectclass=groupTemplate))");
541 ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_group_object: Error copying template!\n");
542 talloc_free(mem_ctx);
546 rdn = ldb_dn_get_rdn(msg2, msg2->dn);
548 if (strcasecmp(rdn->name, "cn") != 0) {
549 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_group_object: Bad RDN (%s) for group!\n", rdn->name);
550 talloc_free(mem_ctx);
551 return LDB_ERR_CONSTRAINT_VIOLATION;
554 /* Generate a random name, if no samAccountName was supplied */
555 if (ldb_msg_find_element(msg2, "samAccountName") == NULL) {
556 name = samldb_generate_samAccountName(module, mem_ctx);
558 talloc_free(mem_ctx);
559 return LDB_ERR_OPERATIONS_ERROR;
561 if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, name)) {
562 talloc_free(mem_ctx);
563 return LDB_ERR_OPERATIONS_ERROR;
567 /* Manage SID allocation, conflicts etc */
568 ret = samldb_handle_sid(module, mem_ctx, msg2);
571 talloc_steal(msg, msg2);
574 talloc_free(mem_ctx);
578 static int samldb_fill_user_or_computer_object(struct ldb_module *module, const struct ldb_message *msg,
579 struct ldb_message **ret_msg)
583 struct ldb_message *msg2;
584 struct ldb_dn_component *rdn;
585 TALLOC_CTX *mem_ctx = talloc_new(msg);
587 return LDB_ERR_OPERATIONS_ERROR;
590 /* build the new msg */
591 msg2 = ldb_msg_copy(mem_ctx, msg);
593 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_group_object: ldb_msg_copy failed!\n");
594 talloc_free(mem_ctx);
595 return LDB_ERR_OPERATIONS_ERROR;
598 if (samldb_find_attribute(msg, "objectclass", "computer") != NULL) {
599 ret = samldb_copy_template(module, msg2, "(&(CN=TemplateComputer)(objectclass=userTemplate))");
601 ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_user_or_computer_object: Error copying computer template!\n");
602 talloc_free(mem_ctx);
606 ret = samldb_copy_template(module, msg2, "(&(CN=TemplateUser)(objectclass=userTemplate))");
608 ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_user_or_computer_object: Error copying user template!\n");
609 talloc_free(mem_ctx);
614 rdn = ldb_dn_get_rdn(msg2, msg2->dn);
616 if (strcasecmp(rdn->name, "cn") != 0) {
617 ldb_set_errstring(module->ldb, talloc_asprintf(module, "Bad RDN (%s=) for user/computer, should be CN=!\n", rdn->name));
618 talloc_free(mem_ctx);
619 return LDB_ERR_CONSTRAINT_VIOLATION;
622 /* if the only attribute was: "objectclass: computer", then make sure we also add "user" objectclass */
623 if ( ! samldb_find_or_add_attribute(module, msg2, "objectclass", "user", "user")) {
624 talloc_free(mem_ctx);
625 return LDB_ERR_OPERATIONS_ERROR;
628 /* make sure we also add person, organizationalPerson and top */
629 if ( ! samldb_find_or_add_attribute(module, msg2, "objectclass", "person", "person")) {
630 talloc_free(mem_ctx);
631 return LDB_ERR_OPERATIONS_ERROR;
633 if ( ! samldb_find_or_add_attribute(module, msg2, "objectclass", "organizationalPerson", "organizationalPerson")) {
634 talloc_free(mem_ctx);
635 return LDB_ERR_OPERATIONS_ERROR;
637 if ( ! samldb_find_or_add_attribute(module, msg2, "objectclass", "top", "top")) {
638 talloc_free(mem_ctx);
639 return LDB_ERR_OPERATIONS_ERROR;
642 /* meddle with objectclass */
644 if (ldb_msg_find_element(msg2, "samAccountName") == NULL) {
645 name = samldb_generate_samAccountName(module, mem_ctx);
647 talloc_free(mem_ctx);
648 return LDB_ERR_OPERATIONS_ERROR;
650 if ( ! samldb_find_or_add_attribute(module, msg2, "sAMAccountName", NULL, name)) {
651 talloc_free(mem_ctx);
652 return LDB_ERR_OPERATIONS_ERROR;
657 TODO: useraccountcontrol: setting value 0 gives 0x200 for users
660 /* Manage SID allocation, conflicts etc */
661 ret = samldb_handle_sid(module, mem_ctx, msg2);
663 /* TODO: objectCategory, userAccountControl, badPwdCount, codePage, countryCode, badPasswordTime, lastLogoff, lastLogon, pwdLastSet, primaryGroupID, accountExpires, logonCount */
667 talloc_steal(msg, msg2);
669 talloc_free(mem_ctx);
673 static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module, const struct ldb_message *msg,
674 struct ldb_message **ret_msg)
676 struct ldb_message *msg2;
677 struct ldb_dn_component *rdn;
678 struct dom_sid *dom_sid;
680 const char *dom_attrs[] = { "name", NULL };
681 struct ldb_message **dom_msgs;
684 TALLOC_CTX *mem_ctx = talloc_new(msg);
686 return LDB_ERR_OPERATIONS_ERROR;
689 /* build the new msg */
690 msg2 = ldb_msg_copy(mem_ctx, msg);
692 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincpal_object: ldb_msg_copy failed!\n");
693 talloc_free(mem_ctx);
694 return LDB_ERR_OPERATIONS_ERROR;
697 ret = samldb_copy_template(module, msg2, "(&(CN=TemplateForeignSecurityPrincipal)(objectclass=foreignSecurityPrincipalTemplate))");
699 ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_foreignSecurityPrincipal_object: Error copying template!\n");
700 talloc_free(mem_ctx);
704 rdn = ldb_dn_get_rdn(msg2, msg2->dn);
706 if (strcasecmp(rdn->name, "cn") != 0) {
707 ldb_set_errstring(module->ldb, talloc_asprintf(module, "Bad RDN (%s=) for ForeignSecurityPrincipal, should be CN=!", rdn->name));
708 talloc_free(mem_ctx);
709 return LDB_ERR_CONSTRAINT_VIOLATION;
712 /* Slightly different for the foreign sids. We don't want
713 * domain SIDs ending up there, it would cause all sorts of
716 sid = dom_sid_parse_talloc(msg2, (const char *)rdn->value.data);
718 ldb_set_errstring(module->ldb, talloc_asprintf(module, "No valid found SID in ForeignSecurityPrincipal CN!"));
719 talloc_free(mem_ctx);
720 return LDB_ERR_CONSTRAINT_VIOLATION;
723 if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
725 return LDB_ERR_OPERATIONS_ERROR;
728 dom_sid = dom_sid_dup(mem_ctx, sid);
730 talloc_free(mem_ctx);
731 return LDB_ERR_OPERATIONS_ERROR;
733 /* get the domain component part of the provided SID */
734 dom_sid->num_auths--;
736 /* find the domain DN */
738 ret = gendb_search(module->ldb,
739 mem_ctx, NULL, &dom_msgs, dom_attrs,
740 "(&(objectSid=%s)(objectclass=domain))",
741 ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
743 const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
744 ldb_set_errstring(module->ldb, talloc_asprintf(mem_ctx, "Attempt to add foreign SID record with SID %s rejected, because this domian (%s) is already in the database", dom_sid_string(mem_ctx, sid), name));
745 /* We don't really like the idea of foreign sids that are not foreign */
746 return LDB_ERR_CONSTRAINT_VIOLATION;
747 } else if (ret == -1) {
748 ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n", dom_sid_string(mem_ctx, dom_sid));
749 talloc_free(dom_msgs);
753 /* This isn't an operation on a domain we know about, so just
754 * check for the SID, looking for duplicates via the common
756 ret = samldb_notice_sid(module, msg2, sid);
758 talloc_steal(msg, msg2);
766 static int samldb_add(struct ldb_module *module, struct ldb_request *req)
768 struct ldb_message *msg = req->op.add.message;
769 struct ldb_message *msg2 = NULL;
772 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "samldb_add_record\n");
775 if (ldb_dn_is_special(msg->dn)) { /* do not manipulate our control entries */
776 return ldb_next_request(module, req);
779 /* is user or computer? */
780 if ((samldb_find_attribute(msg, "objectclass", "user") != NULL) ||
781 (samldb_find_attribute(msg, "objectclass", "computer") != NULL)) {
782 /* add all relevant missing objects */
783 ret = samldb_fill_user_or_computer_object(module, msg, &msg2);
789 /* is group? add all relevant missing objects */
791 if (samldb_find_attribute(msg, "objectclass", "group") != NULL) {
792 ret = samldb_fill_group_object(module, msg, &msg2);
799 /* perhaps a foreignSecurityPrincipal? */
801 if (samldb_find_attribute(msg, "objectclass", "foreignSecurityPrincipal") != NULL) {
802 ret = samldb_fill_foreignSecurityPrincipal_object(module, msg, &msg2);
810 req->op.add.message = msg2;
811 ret = ldb_next_request(module, req);
812 req->op.add.message = msg;
814 ret = ldb_next_request(module, req);
825 * Actually this module is not async at all as it does a number of sync searches
826 * in the process. It still to be decided how to deal with it properly so it is
827 * left SYNC for now until we think of a good solution.
830 static int samldb_add_async(struct ldb_module *module, struct ldb_request *req)
832 const struct ldb_message *msg = req->op.add.message;
833 struct ldb_message *msg2 = NULL;
834 struct ldb_request *down_req;
837 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "samldb_add_record\n");
839 if (ldb_dn_is_special(msg->dn)) { /* do not manipulate our control entries */
840 return ldb_next_request(module, req);
843 /* is user or computer? */
844 if ((samldb_find_attribute(msg, "objectclass", "user") == NULL) &&
845 (samldb_find_attribute(msg, "objectclass", "computer") == NULL)) {
846 /* add all relevant missing objects */
847 ret = samldb_fill_user_or_computer_object(module, msg, &msg2);
853 /* is group? add all relevant missing objects */
855 if (samldb_find_attribute(msg, "objectclass", "group") != NULL) {
856 ret = samldb_fill_group_object(module, msg, &msg2);
863 /* perhaps a foreignSecurityPrincipal? */
865 if (samldb_find_attribute(msg, "objectclass", "foreignSecurityPrincipal") != NULL) {
866 ret = samldb_fill_foreignSecurityPrincipal_object(module, msg, &msg2);
874 return ldb_next_request(module, req);
877 down_req = talloc(module, struct ldb_request);
878 if (down_req == NULL) {
879 return LDB_ERR_OPERATIONS_ERROR;
884 down_req->op.add.message = talloc_steal(down_req, msg2);
886 /* go on with the call chain */
887 ret = ldb_next_request(module, down_req);
889 /* do not free down_req as the call results may be linked to it,
890 * it will be freed when the upper level request get freed */
891 if (ret == LDB_SUCCESS) {
892 req->async.handle = down_req->async.handle;
898 static int samldb_destructor(void *module_ctx)
900 /* struct ldb_module *ctx = module_ctx; */
901 /* put your clean-up functions here */
905 static int samldb_request(struct ldb_module *module, struct ldb_request *req)
907 switch (req->operation) {
910 return samldb_add(module, req);
913 return samldb_add_async(module, req);
916 return ldb_next_request(module, req);
921 static int samldb_init(struct ldb_module *module)
923 talloc_set_destructor(module, samldb_destructor);
924 return ldb_next_init(module);
927 static const struct ldb_module_ops samldb_ops = {
929 .init_context = samldb_init,
930 .request = samldb_request
934 int samldb_module_init(void)
936 return ldb_register_module(&samldb_ops);