2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Andrew Tridgell 2009
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "ldb_module.h"
25 #include "librpc/ndr/libndr.h"
26 #include "dsdb/samdb/ldb_modules/util.h"
27 #include "dsdb/samdb/samdb.h"
29 #include "libcli/security/security.h"
32 search for attrs on one DN, in the modules below
34 int dsdb_module_search_dn(struct ldb_module *module,
36 struct ldb_result **_res,
37 struct ldb_dn *basedn,
38 const char * const *attrs,
40 struct ldb_request *parent)
43 struct ldb_request *req;
45 struct ldb_result *res;
47 tmp_ctx = talloc_new(mem_ctx);
49 res = talloc_zero(tmp_ctx, struct ldb_result);
52 return ldb_oom(ldb_module_get_ctx(module));
55 ret = ldb_build_search_req(&req, ldb_module_get_ctx(module), tmp_ctx,
62 ldb_search_default_callback,
64 LDB_REQ_SET_LOCATION(req);
65 if (ret != LDB_SUCCESS) {
70 ret = dsdb_request_add_controls(req, dsdb_flags);
71 if (ret != LDB_SUCCESS) {
76 if (dsdb_flags & DSDB_FLAG_TRUSTED) {
77 ldb_req_mark_trusted(req);
80 /* Run the new request */
81 if (dsdb_flags & DSDB_FLAG_NEXT_MODULE) {
82 ret = ldb_next_request(module, req);
83 } else if (dsdb_flags & DSDB_FLAG_TOP_MODULE) {
84 ret = ldb_request(ldb_module_get_ctx(module), req);
86 const struct ldb_module_ops *ops = ldb_module_get_ops(module);
87 SMB_ASSERT(dsdb_flags & DSDB_FLAG_OWN_MODULE);
88 ret = ops->search(module, req);
90 if (ret == LDB_SUCCESS) {
91 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
94 if (ret != LDB_SUCCESS) {
99 if (res->count != 1) {
100 /* we may be reading a DB that does not have the 'check base on search' option... */
101 ret = LDB_ERR_NO_SUCH_OBJECT;
102 ldb_asprintf_errstring(ldb_module_get_ctx(module),
103 "dsdb_module_search_dn: did not find base dn %s (%d results)",
104 ldb_dn_get_linearized(basedn), res->count);
106 *_res = talloc_steal(mem_ctx, res);
108 talloc_free(tmp_ctx);
112 int dsdb_module_search_tree(struct ldb_module *module,
114 struct ldb_result **_res,
115 struct ldb_dn *basedn,
116 enum ldb_scope scope,
117 struct ldb_parse_tree *tree,
118 const char * const *attrs,
120 struct ldb_request *parent)
123 struct ldb_request *req;
125 struct ldb_result *res;
127 tmp_ctx = talloc_new(mem_ctx);
130 res = talloc_zero(tmp_ctx, struct ldb_result);
132 talloc_free(tmp_ctx);
133 return ldb_oom(ldb_module_get_ctx(module));
136 ret = ldb_build_search_req_ex(&req, ldb_module_get_ctx(module), tmp_ctx,
143 ldb_search_default_callback,
145 LDB_REQ_SET_LOCATION(req);
146 if (ret != LDB_SUCCESS) {
147 talloc_free(tmp_ctx);
151 ret = dsdb_request_add_controls(req, dsdb_flags);
152 if (ret != LDB_SUCCESS) {
153 talloc_free(tmp_ctx);
157 if (dsdb_flags & DSDB_FLAG_TRUSTED) {
158 ldb_req_mark_trusted(req);
161 if (dsdb_flags & DSDB_FLAG_NEXT_MODULE) {
162 ret = ldb_next_request(module, req);
163 } else if (dsdb_flags & DSDB_FLAG_TOP_MODULE) {
164 ret = ldb_request(ldb_module_get_ctx(module), req);
166 const struct ldb_module_ops *ops = ldb_module_get_ops(module);
167 SMB_ASSERT(dsdb_flags & DSDB_FLAG_OWN_MODULE);
168 ret = ops->search(module, req);
170 if (ret == LDB_SUCCESS) {
171 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
175 if (ret == LDB_SUCCESS) {
176 *_res = talloc_steal(mem_ctx, res);
178 talloc_free(tmp_ctx);
183 search for attrs in the modules below
185 int dsdb_module_search(struct ldb_module *module,
187 struct ldb_result **_res,
188 struct ldb_dn *basedn, enum ldb_scope scope,
189 const char * const *attrs,
191 struct ldb_request *parent,
192 const char *format, ...) _PRINTF_ATTRIBUTE(9, 10)
198 struct ldb_parse_tree *tree;
200 tmp_ctx = talloc_new(mem_ctx);
203 va_start(ap, format);
204 expression = talloc_vasprintf(tmp_ctx, format, ap);
208 talloc_free(tmp_ctx);
209 return ldb_oom(ldb_module_get_ctx(module));
215 tree = ldb_parse_tree(tmp_ctx, expression);
217 talloc_free(tmp_ctx);
218 ldb_set_errstring(ldb_module_get_ctx(module),
219 "Unable to parse search expression");
220 return LDB_ERR_OPERATIONS_ERROR;
223 ret = dsdb_module_search_tree(module,
233 talloc_free(tmp_ctx);
238 find a DN given a GUID. This searches across all partitions
240 int dsdb_module_dn_by_guid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
241 const struct GUID *guid, struct ldb_dn **dn,
242 struct ldb_request *parent)
244 struct ldb_result *res;
245 const char *attrs[] = { NULL };
246 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
249 ret = dsdb_module_search(module, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
251 DSDB_FLAG_NEXT_MODULE |
252 DSDB_SEARCH_SHOW_RECYCLED |
253 DSDB_SEARCH_SEARCH_ALL_PARTITIONS |
254 DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT,
256 "objectGUID=%s", GUID_string(tmp_ctx, guid));
257 if (ret != LDB_SUCCESS) {
258 talloc_free(tmp_ctx);
261 if (res->count == 0) {
262 talloc_free(tmp_ctx);
263 return LDB_ERR_NO_SUCH_OBJECT;
265 if (res->count != 1) {
266 ldb_asprintf_errstring(ldb_module_get_ctx(module), "More than one object found matching objectGUID %s\n",
267 GUID_string(tmp_ctx, guid));
268 talloc_free(tmp_ctx);
269 return LDB_ERR_OPERATIONS_ERROR;
272 *dn = talloc_steal(mem_ctx, res->msgs[0]->dn);
274 talloc_free(tmp_ctx);
279 find a GUID given a DN.
281 int dsdb_module_guid_by_dn(struct ldb_module *module, struct ldb_dn *dn, struct GUID *guid,
282 struct ldb_request *parent)
284 const char *attrs[] = { NULL };
285 struct ldb_result *res;
286 TALLOC_CTX *tmp_ctx = talloc_new(module);
290 ret = dsdb_module_search_dn(module, tmp_ctx, &res, dn, attrs,
291 DSDB_FLAG_NEXT_MODULE |
292 DSDB_SEARCH_SHOW_RECYCLED |
293 DSDB_SEARCH_SHOW_EXTENDED_DN,
295 if (ret != LDB_SUCCESS) {
296 ldb_asprintf_errstring(ldb_module_get_ctx(module), "Failed to find GUID for %s",
297 ldb_dn_get_linearized(dn));
298 talloc_free(tmp_ctx);
302 status = dsdb_get_extended_dn_guid(res->msgs[0]->dn, guid, "GUID");
303 if (!NT_STATUS_IS_OK(status)) {
304 talloc_free(tmp_ctx);
305 return ldb_operr(ldb_module_get_ctx(module));
308 talloc_free(tmp_ctx);
313 a ldb_modify request operating on modules below the
316 int dsdb_module_modify(struct ldb_module *module,
317 const struct ldb_message *message,
319 struct ldb_request *parent)
321 struct ldb_request *mod_req;
323 struct ldb_context *ldb = ldb_module_get_ctx(module);
324 TALLOC_CTX *tmp_ctx = talloc_new(module);
325 struct ldb_result *res;
327 res = talloc_zero(tmp_ctx, struct ldb_result);
329 talloc_free(tmp_ctx);
330 return ldb_oom(ldb_module_get_ctx(module));
333 ret = ldb_build_mod_req(&mod_req, ldb, tmp_ctx,
337 ldb_modify_default_callback,
339 LDB_REQ_SET_LOCATION(mod_req);
340 if (ret != LDB_SUCCESS) {
341 talloc_free(tmp_ctx);
345 ret = dsdb_request_add_controls(mod_req, dsdb_flags);
346 if (ret != LDB_SUCCESS) {
347 talloc_free(tmp_ctx);
351 if (dsdb_flags & DSDB_FLAG_TRUSTED) {
352 ldb_req_mark_trusted(mod_req);
355 /* Run the new request */
356 if (dsdb_flags & DSDB_FLAG_NEXT_MODULE) {
357 ret = ldb_next_request(module, mod_req);
358 } else if (dsdb_flags & DSDB_FLAG_TOP_MODULE) {
359 ret = ldb_request(ldb_module_get_ctx(module), mod_req);
361 const struct ldb_module_ops *ops = ldb_module_get_ops(module);
362 SMB_ASSERT(dsdb_flags & DSDB_FLAG_OWN_MODULE);
363 ret = ops->modify(module, mod_req);
365 if (ret == LDB_SUCCESS) {
366 ret = ldb_wait(mod_req->handle, LDB_WAIT_ALL);
369 talloc_free(tmp_ctx);
376 a ldb_rename request operating on modules below the
379 int dsdb_module_rename(struct ldb_module *module,
380 struct ldb_dn *olddn, struct ldb_dn *newdn,
382 struct ldb_request *parent)
384 struct ldb_request *req;
386 struct ldb_context *ldb = ldb_module_get_ctx(module);
387 TALLOC_CTX *tmp_ctx = talloc_new(module);
388 struct ldb_result *res;
390 res = talloc_zero(tmp_ctx, struct ldb_result);
392 talloc_free(tmp_ctx);
393 return ldb_oom(ldb_module_get_ctx(module));
396 ret = ldb_build_rename_req(&req, ldb, tmp_ctx,
401 ldb_modify_default_callback,
403 LDB_REQ_SET_LOCATION(req);
404 if (ret != LDB_SUCCESS) {
405 talloc_free(tmp_ctx);
409 ret = dsdb_request_add_controls(req, dsdb_flags);
410 if (ret != LDB_SUCCESS) {
411 talloc_free(tmp_ctx);
415 if (dsdb_flags & DSDB_FLAG_TRUSTED) {
416 ldb_req_mark_trusted(req);
419 /* Run the new request */
420 if (dsdb_flags & DSDB_FLAG_NEXT_MODULE) {
421 ret = ldb_next_request(module, req);
422 } else if (dsdb_flags & DSDB_FLAG_TOP_MODULE) {
423 ret = ldb_request(ldb_module_get_ctx(module), req);
425 const struct ldb_module_ops *ops = ldb_module_get_ops(module);
426 SMB_ASSERT(dsdb_flags & DSDB_FLAG_OWN_MODULE);
427 ret = ops->rename(module, req);
429 if (ret == LDB_SUCCESS) {
430 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
433 talloc_free(tmp_ctx);
438 a ldb_add request operating on modules below the
441 int dsdb_module_add(struct ldb_module *module,
442 const struct ldb_message *message,
444 struct ldb_request *parent)
446 struct ldb_request *req;
448 struct ldb_context *ldb = ldb_module_get_ctx(module);
449 TALLOC_CTX *tmp_ctx = talloc_new(module);
450 struct ldb_result *res;
452 res = talloc_zero(tmp_ctx, struct ldb_result);
454 talloc_free(tmp_ctx);
455 return ldb_oom(ldb_module_get_ctx(module));
458 ret = ldb_build_add_req(&req, ldb, tmp_ctx,
462 ldb_modify_default_callback,
464 LDB_REQ_SET_LOCATION(req);
465 if (ret != LDB_SUCCESS) {
466 talloc_free(tmp_ctx);
470 ret = dsdb_request_add_controls(req, dsdb_flags);
471 if (ret != LDB_SUCCESS) {
472 talloc_free(tmp_ctx);
476 if (dsdb_flags & DSDB_FLAG_TRUSTED) {
477 ldb_req_mark_trusted(req);
480 /* Run the new request */
481 if (dsdb_flags & DSDB_FLAG_NEXT_MODULE) {
482 ret = ldb_next_request(module, req);
483 } else if (dsdb_flags & DSDB_FLAG_TOP_MODULE) {
484 ret = ldb_request(ldb_module_get_ctx(module), req);
486 const struct ldb_module_ops *ops = ldb_module_get_ops(module);
487 SMB_ASSERT(dsdb_flags & DSDB_FLAG_OWN_MODULE);
488 ret = ops->add(module, req);
490 if (ret == LDB_SUCCESS) {
491 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
494 talloc_free(tmp_ctx);
499 a ldb_delete request operating on modules below the
502 int dsdb_module_del(struct ldb_module *module,
505 struct ldb_request *parent)
507 struct ldb_request *req;
509 struct ldb_context *ldb = ldb_module_get_ctx(module);
510 TALLOC_CTX *tmp_ctx = talloc_new(module);
511 struct ldb_result *res;
513 res = talloc_zero(tmp_ctx, struct ldb_result);
515 talloc_free(tmp_ctx);
519 ret = ldb_build_del_req(&req, ldb, tmp_ctx,
523 ldb_modify_default_callback,
525 LDB_REQ_SET_LOCATION(req);
526 if (ret != LDB_SUCCESS) {
527 talloc_free(tmp_ctx);
531 ret = dsdb_request_add_controls(req, dsdb_flags);
532 if (ret != LDB_SUCCESS) {
533 talloc_free(tmp_ctx);
537 if (dsdb_flags & DSDB_FLAG_TRUSTED) {
538 ldb_req_mark_trusted(req);
541 /* Run the new request */
542 if (dsdb_flags & DSDB_FLAG_NEXT_MODULE) {
543 ret = ldb_next_request(module, req);
544 } else if (dsdb_flags & DSDB_FLAG_TOP_MODULE) {
545 ret = ldb_request(ldb_module_get_ctx(module), req);
547 const struct ldb_module_ops *ops = ldb_module_get_ops(module);
548 SMB_ASSERT(dsdb_flags & DSDB_FLAG_OWN_MODULE);
549 ret = ops->del(module, req);
551 if (ret == LDB_SUCCESS) {
552 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
555 talloc_free(tmp_ctx);
560 check if a single valued link has multiple non-deleted values
562 This is needed when we will be using the RELAX control to stop
563 ldb_tdb from checking single valued links
565 int dsdb_check_single_valued_link(const struct dsdb_attribute *attr,
566 const struct ldb_message_element *el)
568 bool found_active = false;
571 if (!(attr->ldb_schema_attribute->flags & LDB_ATTR_FLAG_SINGLE_VALUE) ||
572 el->num_values < 2) {
576 for (i=0; i<el->num_values; i++) {
577 if (!dsdb_dn_is_deleted_val(&el->values[i])) {
579 return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
588 int dsdb_check_optional_feature(struct ldb_module *module, struct ldb_dn *scope,
589 struct GUID op_feature_guid, bool *feature_enabled)
592 struct ldb_context *ldb = ldb_module_get_ctx(module);
593 struct ldb_result *res;
594 struct ldb_dn *search_dn;
595 struct GUID search_guid;
596 const char *attrs[] = {"msDS-EnabledFeature", NULL};
599 struct ldb_message_element *el;
601 *feature_enabled = false;
603 tmp_ctx = talloc_new(ldb);
605 ret = ldb_search(ldb, tmp_ctx, &res,
606 scope, LDB_SCOPE_BASE, attrs,
608 if (ret != LDB_SUCCESS) {
609 ldb_asprintf_errstring(ldb,
610 "Could no find the scope object - dn: %s\n",
611 ldb_dn_get_linearized(scope));
612 talloc_free(tmp_ctx);
613 return LDB_ERR_OPERATIONS_ERROR;
615 if (res->msgs[0]->num_elements > 0) {
617 el = ldb_msg_find_element(res->msgs[0],"msDS-EnabledFeature");
619 attrs[0] = "msDS-OptionalFeatureGUID";
621 for (i=0; i<el->num_values; i++) {
622 search_dn = ldb_dn_from_ldb_val(tmp_ctx, ldb, &el->values[i]);
624 ret = ldb_search(ldb, tmp_ctx, &res,
625 search_dn, LDB_SCOPE_BASE, attrs,
627 if (ret != LDB_SUCCESS) {
628 ldb_asprintf_errstring(ldb,
629 "Could no find object dn: %s\n",
630 ldb_dn_get_linearized(search_dn));
631 talloc_free(tmp_ctx);
632 return LDB_ERR_OPERATIONS_ERROR;
635 search_guid = samdb_result_guid(res->msgs[0], "msDS-OptionalFeatureGUID");
637 if (GUID_compare(&search_guid, &op_feature_guid) == 0){
638 *feature_enabled = true;
643 talloc_free(tmp_ctx);
648 find the NTDS GUID from a computers DN record
650 int dsdb_module_find_ntdsguid_for_computer(struct ldb_module *module,
652 struct ldb_dn *computer_dn,
653 struct GUID *ntds_guid,
654 struct ldb_request *parent)
659 *ntds_guid = GUID_zero();
661 ret = dsdb_module_reference_dn(module, mem_ctx, computer_dn,
662 "serverReferenceBL", &dn, parent);
663 if (ret != LDB_SUCCESS) {
667 if (!ldb_dn_add_child_fmt(dn, "CN=NTDS Settings")) {
669 return LDB_ERR_OPERATIONS_ERROR;
672 ret = dsdb_module_guid_by_dn(module, dn, ntds_guid, parent);
678 find a 'reference' DN that points at another object
679 (eg. serverReference, rIDManagerReference etc)
681 int dsdb_module_reference_dn(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_dn *base,
682 const char *attribute, struct ldb_dn **dn, struct ldb_request *parent)
684 const char *attrs[2];
685 struct ldb_result *res;
688 attrs[0] = attribute;
691 ret = dsdb_module_search_dn(module, mem_ctx, &res, base, attrs,
692 DSDB_FLAG_NEXT_MODULE, parent);
693 if (ret != LDB_SUCCESS) {
697 *dn = ldb_msg_find_attr_as_dn(ldb_module_get_ctx(module),
698 mem_ctx, res->msgs[0], attribute);
700 ldb_reset_err_string(ldb_module_get_ctx(module));
702 return LDB_ERR_NO_SUCH_ATTRIBUTE;
710 find the RID Manager$ DN via the rIDManagerReference attribute in the
713 int dsdb_module_rid_manager_dn(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_dn **dn,
714 struct ldb_request *parent)
716 return dsdb_module_reference_dn(module, mem_ctx,
717 ldb_get_default_basedn(ldb_module_get_ctx(module)),
718 "rIDManagerReference", dn, parent);
722 used to chain to the callers callback
724 int dsdb_next_callback(struct ldb_request *req, struct ldb_reply *ares)
726 struct ldb_request *up_req = talloc_get_type(req->context, struct ldb_request);
728 talloc_steal(up_req, req);
729 return up_req->callback(up_req, ares);
733 load the uSNHighest and the uSNUrgent attributes from the @REPLCHANGED
734 object for a partition
736 int dsdb_module_load_partition_usn(struct ldb_module *module, struct ldb_dn *dn,
737 uint64_t *uSN, uint64_t *urgent_uSN, struct ldb_request *parent)
739 struct ldb_context *ldb = ldb_module_get_ctx(module);
740 struct ldb_request *req;
742 TALLOC_CTX *tmp_ctx = talloc_new(module);
743 struct dsdb_control_current_partition *p_ctrl;
744 struct ldb_result *res;
746 res = talloc_zero(tmp_ctx, struct ldb_result);
748 talloc_free(tmp_ctx);
749 return ldb_module_oom(module);
752 ret = ldb_build_search_req(&req, ldb, tmp_ctx,
753 ldb_dn_new(tmp_ctx, ldb, "@REPLCHANGED"),
757 res, ldb_search_default_callback,
759 LDB_REQ_SET_LOCATION(req);
760 if (ret != LDB_SUCCESS) {
761 talloc_free(tmp_ctx);
765 p_ctrl = talloc(req, struct dsdb_control_current_partition);
766 if (p_ctrl == NULL) {
767 talloc_free(tmp_ctx);
768 return ldb_module_oom(module);
770 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
774 ret = ldb_request_add_control(req,
775 DSDB_CONTROL_CURRENT_PARTITION_OID,
777 if (ret != LDB_SUCCESS) {
778 talloc_free(tmp_ctx);
782 /* Run the new request */
783 ret = ldb_next_request(module, req);
785 if (ret == LDB_SUCCESS) {
786 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
789 if (ret == LDB_ERR_NO_SUCH_OBJECT || ret == LDB_ERR_INVALID_DN_SYNTAX) {
790 /* it hasn't been created yet, which means
791 an implicit value of zero */
793 talloc_free(tmp_ctx);
794 ldb_reset_err_string(ldb);
798 if (ret != LDB_SUCCESS) {
799 talloc_free(tmp_ctx);
803 if (res->count != 1) {
809 *uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNHighest", 0);
811 *urgent_uSN = ldb_msg_find_attr_as_uint64(res->msgs[0], "uSNUrgent", 0);
815 talloc_free(tmp_ctx);
821 save uSNHighest and uSNUrgent attributes in the @REPLCHANGED object for a
824 int dsdb_module_save_partition_usn(struct ldb_module *module, struct ldb_dn *dn,
825 uint64_t uSN, uint64_t urgent_uSN,
826 struct ldb_request *parent)
828 struct ldb_context *ldb = ldb_module_get_ctx(module);
829 struct ldb_request *req;
830 struct ldb_message *msg;
831 struct dsdb_control_current_partition *p_ctrl;
833 struct ldb_result *res;
835 msg = ldb_msg_new(module);
837 return ldb_module_oom(module);
840 msg->dn = ldb_dn_new(msg, ldb, "@REPLCHANGED");
841 if (msg->dn == NULL) {
843 return ldb_operr(ldb_module_get_ctx(module));
846 res = talloc_zero(msg, struct ldb_result);
849 return ldb_module_oom(module);
852 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNHighest", uSN);
853 if (ret != LDB_SUCCESS) {
857 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
859 /* urgent_uSN is optional so may not be stored */
861 ret = samdb_msg_add_uint64(ldb, msg, msg, "uSNUrgent",
863 if (ret != LDB_SUCCESS) {
867 msg->elements[1].flags = LDB_FLAG_MOD_REPLACE;
871 p_ctrl = talloc(msg, struct dsdb_control_current_partition);
872 if (p_ctrl == NULL) {
876 p_ctrl->version = DSDB_CONTROL_CURRENT_PARTITION_VERSION;
878 ret = ldb_build_mod_req(&req, ldb, msg,
882 ldb_modify_default_callback,
884 LDB_REQ_SET_LOCATION(req);
886 if (ret != LDB_SUCCESS) {
891 ret = ldb_request_add_control(req,
892 DSDB_CONTROL_CURRENT_PARTITION_OID,
894 if (ret != LDB_SUCCESS) {
899 /* Run the new request */
900 ret = ldb_next_request(module, req);
902 if (ret == LDB_SUCCESS) {
903 ret = ldb_wait(req->handle, LDB_WAIT_ALL);
905 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
906 ret = ldb_build_add_req(&req, ldb, msg,
910 ldb_modify_default_callback,
912 LDB_REQ_SET_LOCATION(req);
921 bool dsdb_module_am_system(struct ldb_module *module)
923 struct ldb_context *ldb = ldb_module_get_ctx(module);
924 struct auth_session_info *session_info
925 = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);
926 return security_session_user_level(session_info, NULL) == SECURITY_SYSTEM;
929 bool dsdb_module_am_administrator(struct ldb_module *module)
931 struct ldb_context *ldb = ldb_module_get_ctx(module);
932 struct auth_session_info *session_info
933 = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);
934 return security_session_user_level(session_info, NULL) == SECURITY_ADMINISTRATOR;
938 check if the recyclebin is enabled
940 int dsdb_recyclebin_enabled(struct ldb_module *module, bool *enabled)
942 struct ldb_context *ldb = ldb_module_get_ctx(module);
943 struct ldb_dn *partitions_dn;
944 struct GUID recyclebin_guid;
947 partitions_dn = samdb_partitions_dn(ldb, module);
949 GUID_from_string(DS_GUID_FEATURE_RECYCLE_BIN, &recyclebin_guid);
951 ret = dsdb_check_optional_feature(module, partitions_dn, recyclebin_guid, enabled);
952 if (ret != LDB_SUCCESS) {
953 ldb_asprintf_errstring(ldb, "Could not verify if Recycle Bin is enabled \n");
954 talloc_free(partitions_dn);
955 return LDB_ERR_UNWILLING_TO_PERFORM;
958 talloc_free(partitions_dn);
962 int dsdb_msg_constrainted_update_int32(struct ldb_module *module,
963 struct ldb_message *msg,
965 const int32_t *old_val,
966 const int32_t *new_val)
968 struct ldb_message_element *el;
973 ret = ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_DELETE, &el);
974 if (ret != LDB_SUCCESS) {
978 el->values = talloc_array(msg, struct ldb_val, el->num_values);
980 return ldb_module_oom(module);
982 vstring = talloc_asprintf(el->values, "%ld", (long)*old_val);
984 return ldb_module_oom(module);
986 *el->values = data_blob_string_const(vstring);
990 ret = ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_ADD, &el);
991 if (ret != LDB_SUCCESS) {
995 el->values = talloc_array(msg, struct ldb_val, el->num_values);
997 return ldb_module_oom(module);
999 vstring = talloc_asprintf(el->values, "%ld", (long)*new_val);
1001 return ldb_module_oom(module);
1003 *el->values = data_blob_string_const(vstring);
1009 int dsdb_msg_constrainted_update_uint32(struct ldb_module *module,
1010 struct ldb_message *msg,
1012 const uint32_t *old_val,
1013 const uint32_t *new_val)
1015 return dsdb_msg_constrainted_update_int32(module, msg, attr,
1016 (const int32_t *)old_val,
1017 (const int32_t *)new_val);
1020 int dsdb_msg_constrainted_update_int64(struct ldb_module *module,
1021 struct ldb_message *msg,
1023 const int64_t *old_val,
1024 const int64_t *new_val)
1026 struct ldb_message_element *el;
1031 ret = ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_DELETE, &el);
1032 if (ret != LDB_SUCCESS) {
1036 el->values = talloc_array(msg, struct ldb_val, el->num_values);
1038 return ldb_module_oom(module);
1040 vstring = talloc_asprintf(el->values, "%lld", (long long)*old_val);
1042 return ldb_module_oom(module);
1044 *el->values = data_blob_string_const(vstring);
1048 ret = ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_ADD, &el);
1049 if (ret != LDB_SUCCESS) {
1053 el->values = talloc_array(msg, struct ldb_val, el->num_values);
1055 return ldb_module_oom(module);
1057 vstring = talloc_asprintf(el->values, "%lld", (long long)*new_val);
1059 return ldb_module_oom(module);
1061 *el->values = data_blob_string_const(vstring);
1067 int dsdb_msg_constrainted_update_uint64(struct ldb_module *module,
1068 struct ldb_message *msg,
1070 const uint64_t *old_val,
1071 const uint64_t *new_val)
1073 return dsdb_msg_constrainted_update_int64(module, msg, attr,
1074 (const int64_t *)old_val,
1075 (const int64_t *)new_val);
1079 update an int32 attribute safely via a constrained delete/add
1081 int dsdb_module_constrainted_update_int32(struct ldb_module *module,
1084 const int32_t *old_val,
1085 const int32_t *new_val,
1086 struct ldb_request *parent)
1088 struct ldb_message *msg;
1091 msg = ldb_msg_new(module);
1094 ret = dsdb_msg_constrainted_update_int32(module,
1098 if (ret != LDB_SUCCESS) {
1103 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1108 int dsdb_module_constrainted_update_uint32(struct ldb_module *module,
1111 const uint32_t *old_val,
1112 const uint32_t *new_val,
1113 struct ldb_request *parent)
1115 return dsdb_module_constrainted_update_int32(module, dn, attr,
1116 (const int32_t *)old_val,
1117 (const int32_t *)new_val, parent);
1121 update an int64 attribute safely via a constrained delete/add
1123 int dsdb_module_constrainted_update_int64(struct ldb_module *module,
1126 const int64_t *old_val,
1127 const int64_t *new_val,
1128 struct ldb_request *parent)
1130 struct ldb_message *msg;
1133 msg = ldb_msg_new(module);
1136 ret = dsdb_msg_constrainted_update_int64(module,
1140 if (ret != LDB_SUCCESS) {
1145 ret = dsdb_module_modify(module, msg, DSDB_FLAG_NEXT_MODULE, parent);
1150 int dsdb_module_constrainted_update_uint64(struct ldb_module *module,
1153 const uint64_t *old_val,
1154 const uint64_t *new_val,
1155 struct ldb_request *parent)
1157 return dsdb_module_constrainted_update_int64(module, dn, attr,
1158 (const int64_t *)old_val,
1159 (const int64_t *)new_val,
1164 const struct ldb_val *dsdb_module_find_dsheuristics(struct ldb_module *module,
1165 TALLOC_CTX *mem_ctx, struct ldb_request *parent)
1168 struct ldb_dn *new_dn;
1169 struct ldb_context *ldb = ldb_module_get_ctx(module);
1170 static const char *attrs[] = { "dSHeuristics", NULL };
1171 struct ldb_result *res;
1173 new_dn = ldb_dn_copy(mem_ctx, ldb_get_config_basedn(ldb));
1174 if (!ldb_dn_add_child_fmt(new_dn,
1175 "CN=Directory Service,CN=Windows NT,CN=Services")) {
1176 talloc_free(new_dn);
1179 ret = dsdb_module_search_dn(module, mem_ctx, &res,
1182 DSDB_FLAG_NEXT_MODULE,
1184 if (ret == LDB_SUCCESS && res->count == 1) {
1185 talloc_free(new_dn);
1186 return ldb_msg_find_ldb_val(res->msgs[0],
1189 talloc_free(new_dn);
1193 bool dsdb_block_anonymous_ops(struct ldb_module *module, struct ldb_request *parent)
1195 TALLOC_CTX *tmp_ctx = talloc_new(module);
1197 const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
1199 if (hr_val == NULL || hr_val->length < DS_HR_BLOCK_ANONYMOUS_OPS) {
1201 } else if (hr_val->data[DS_HR_BLOCK_ANONYMOUS_OPS -1] == '2') {
1207 talloc_free(tmp_ctx);
1211 bool dsdb_user_password_support(struct ldb_module *module,
1212 TALLOC_CTX *mem_ctx,
1213 struct ldb_request *parent)
1215 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1217 const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
1220 if (hr_val == NULL || hr_val->length < DS_HR_USER_PASSWORD_SUPPORT) {
1222 } else if ((hr_val->data[DS_HR_USER_PASSWORD_SUPPORT -1] == '2') ||
1223 (hr_val->data[DS_HR_USER_PASSWORD_SUPPORT -1] == '0')) {
1229 talloc_free(tmp_ctx);
1234 show the chain of requests, useful for debugging async requests
1236 void dsdb_req_chain_debug(struct ldb_request *req, int level)
1238 char *s = ldb_module_call_chain(req, req);
1239 DEBUG(level, ("%s\n", s));
1244 * Gets back a single-valued attribute by the rules of the DSDB triggers when
1245 * performing a modify operation.
1247 * In order that the constraint checking by the "objectclass_attrs" LDB module
1248 * does work properly, the change request should remain similar or only be
1249 * enhanced (no other modifications as deletions, variations).
1251 struct ldb_message_element *dsdb_get_single_valued_attr(const struct ldb_message *msg,
1252 const char *attr_name,
1253 enum ldb_request_type operation)
1255 struct ldb_message_element *el = NULL;
1258 /* We've to walk over all modification entries and consider the last
1259 * non-delete one which belongs to "attr_name".
1261 * If "el" is NULL afterwards then that means there was no interesting
1263 for (i = 0; i < msg->num_elements; i++) {
1264 if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
1265 if ((operation == LDB_MODIFY) &&
1266 (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
1267 == LDB_FLAG_MOD_DELETE)) {
1270 el = &msg->elements[i];