This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "ldap_server/ldap_server.h"
-#include "lib/util/dlinklist.h"
+#include "../lib/util/dlinklist.h"
#include "libcli/ldap/ldap.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/db_wrap.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
+#include "param/param.h"
+#include "smbd/service_stream.h"
+#include "dsdb/samdb/samdb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "lib/ldb_wrap.h"
-#define VALID_DN_SYNTAX(dn,i) do {\
+#define VALID_DN_SYNTAX(dn) do {\
if (!(dn)) {\
return NT_STATUS_NO_MEMORY;\
} else if ( ! ldb_dn_validate(dn)) {\
result = LDAP_INVALID_DN_SYNTAX;\
errstr = "Invalid DN format";\
goto reply;\
- } else if (ldb_dn_get_comp_num(dn) < (i)) {\
- result = LDAP_INVALID_DN_SYNTAX;\
- errstr = "Invalid DN (" #i " components needed for '" #dn "')";\
- goto reply;\
}\
} while(0)
*/
NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
{
- conn->ldb = ldb_wrap_connect(conn, lp_sam_url(), conn->session_info,
- NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+ conn->ldb = ldb_wrap_connect(conn,
+ conn->connection->event.ctx,
+ conn->lp_ctx,
+ lp_sam_url(conn->lp_ctx),
+ conn->session_info,
+ samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx),
+ conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
if (conn->ldb == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (conn->server_credentials) {
char **sasl_mechs = NULL;
struct gensec_security_ops **backends = gensec_security_all();
- enum credentials_use_kerberos use_kerberos
- = cli_credentials_get_kerberos_state(conn->server_credentials);
struct gensec_security_ops **ops
- = gensec_use_kerberos_mechs(conn, backends, use_kerberos);
+ = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
int i, j = 0;
for (i = 0; ops && ops[i]; i++) {
+ if (!gensec_security_ops_enabled(ops[i], conn->lp_ctx))
+ continue;
+
if (ops[i]->sasl_name && ops[i]->server_start) {
char *sasl_name = talloc_strdup(conn, ops[i]->sasl_name);
ldb_set_opaque(conn->ldb, "supportedSASLMechanims", sasl_mechs);
}
- if (conn->global_catalog) {
- ldb_set_opaque(conn->ldb, "global_catalog", (void *)(-1));
- }
-
return NT_STATUS_OK;
}
DLIST_ADD_END(call->replies, reply, struct ldapsrv_reply *);
}
-NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
+static NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
{
struct ldapsrv_reply *reply;
struct ldap_ExtendedResponse *r;
struct ldb_dn *basedn;
struct ldb_result *res = NULL;
struct ldb_request *lreq;
+ struct ldb_control *search_control;
+ struct ldb_search_options_control *search_options;
enum ldb_scope scope = LDB_SCOPE_DEFAULT;
const char **attrs = NULL;
- const char *errstr = NULL;
+ const char *scope_str, *errstr = NULL;
int success_limit = 1;
int result = -1;
int ldb_ret = -1;
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
basedn = ldb_dn_new(local_ctx, samdb, req->basedn);
- VALID_DN_SYNTAX(basedn, 0);
+ VALID_DN_SYNTAX(basedn);
DEBUG(10, ("SearchRequest: basedn: [%s]\n", req->basedn));
DEBUG(10, ("SearchRequest: filter: [%s]\n", ldb_filter_from_tree(call, req->tree)));
switch (req->scope) {
case LDAP_SEARCH_SCOPE_BASE:
- DEBUG(10,("SearchRequest: scope: [BASE]\n"));
+ scope_str = "BASE";
scope = LDB_SCOPE_BASE;
success_limit = 0;
break;
case LDAP_SEARCH_SCOPE_SINGLE:
- DEBUG(10,("SearchRequest: scope: [ONE]\n"));
+ scope_str = "ONE";
scope = LDB_SCOPE_ONELEVEL;
success_limit = 0;
break;
case LDAP_SEARCH_SCOPE_SUB:
- DEBUG(10,("SearchRequest: scope: [SUB]\n"));
+ scope_str = "SUB";
scope = LDB_SCOPE_SUBTREE;
success_limit = 0;
break;
default:
result = LDAP_PROTOCOL_ERROR;
errstr = "Invalid scope";
- break;
+ goto reply;
}
+ DEBUG(10,("SearchRequest: scope: [%s]\n", scope_str));
if (req->num_attributes >= 1) {
attrs = talloc_array(local_ctx, const char *, req->num_attributes+1);
attrs[i] = NULL;
}
- DEBUG(5,("ldb_request dn=%s filter=%s\n",
- req->basedn, ldb_filter_from_tree(call, req->tree)));
-
- lreq = talloc(local_ctx, struct ldb_request);
- NT_STATUS_HAVE_NO_MEMORY(lreq);
+ DEBUG(5,("ldb_request %s dn=%s filter=%s\n",
+ scope_str, req->basedn, ldb_filter_from_tree(call, req->tree)));
res = talloc_zero(local_ctx, struct ldb_result);
NT_STATUS_HAVE_NO_MEMORY(res);
-
- lreq->operation = LDB_SEARCH;
- lreq->op.search.base = basedn;
- lreq->op.search.scope = scope;
- lreq->op.search.tree = req->tree;
- lreq->op.search.attrs = attrs;
- lreq->controls = call->request->controls;
+ ldb_ret = ldb_build_search_req_ex(&lreq, samdb, local_ctx,
+ basedn, scope,
+ req->tree, attrs,
+ call->request->controls,
+ res, ldb_search_default_callback,
+ NULL);
- lreq->context = res;
- lreq->callback = ldb_search_default_callback;
+ if (ldb_ret != LDB_SUCCESS) {
+ goto reply;
+ }
- /* Copy the timeout from the incoming call */
+ if (call->conn->global_catalog) {
+ search_control = ldb_request_get_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID);
+
+ search_options = NULL;
+ if (search_control) {
+ search_options = talloc_get_type(search_control->data, struct ldb_search_options_control);
+ search_options->search_options |= LDB_SEARCH_OPTION_PHANTOM_ROOT;
+ } else {
+ search_options = talloc(lreq, struct ldb_search_options_control);
+ NT_STATUS_HAVE_NO_MEMORY(search_options);
+ search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
+ ldb_request_add_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
+ }
+ }
ldb_set_timeout(samdb, lreq, req->timelimit);
ldb_ret = ldb_request(samdb, lreq);
ent_r = ldapsrv_init_reply(call, LDAP_TAG_SearchResultEntry);
NT_STATUS_HAVE_NO_MEMORY(ent_r);
+ /* Better to have the whole message kept here,
+ * than to find someone further up didn't put
+ * a value in the right spot in the talloc tree */
+ talloc_steal(ent_r, res->msgs[i]);
+
ent = &ent_r->msg->r.SearchResultEntry;
ent->dn = ldb_dn_alloc_linearized(ent_r, res->msgs[i]->dn);
ent->num_attributes = 0;
DEBUG(10,("SearchRequest: results: [%d]\n", res->count));
result = LDAP_SUCCESS;
errstr = NULL;
- } else if (res->count == 0) {
- DEBUG(10,("SearchRequest: no results\n"));
- result = LDAP_NO_SUCH_OBJECT;
- errstr = ldb_errstring(samdb);
}
if (res->controls) {
done_r->msg->controls = res->controls;
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn, 1);
+ VALID_DN_SYNTAX(dn);
DEBUG(10, ("ModifyRequest: dn: [%s]\n", req->dn));
NT_STATUS_HAVE_NO_MEMORY(msg);
msg->dn = dn;
- msg->private_data = NULL;
msg->num_elements = 0;
msg->elements = NULL;
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn,1);
+ VALID_DN_SYNTAX(dn);
DEBUG(10, ("AddRequest: dn: [%s]\n", req->dn));
NT_STATUS_HAVE_NO_MEMORY(msg);
msg->dn = dn;
- msg->private_data = NULL;
msg->num_elements = 0;
msg->elements = NULL;
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn,1);
+ VALID_DN_SYNTAX(dn);
DEBUG(10, ("DelRequest: dn: [%s]\n", req->dn));
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
olddn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(olddn, 2);
+ VALID_DN_SYNTAX(olddn);
newrdn = ldb_dn_new(local_ctx, samdb, req->newrdn);
- VALID_DN_SYNTAX(newrdn, 1);
+ VALID_DN_SYNTAX(newrdn);
DEBUG(10, ("ModifyDNRequest: olddn: [%s]\n", req->dn));
DEBUG(10, ("ModifyDNRequest: newrdn: [%s]\n", req->newrdn));
if (req->newsuperior) {
parentdn = ldb_dn_new(local_ctx, samdb, req->newsuperior);
- VALID_DN_SYNTAX(parentdn, 0);
+ VALID_DN_SYNTAX(parentdn);
DEBUG(10, ("ModifyDNRequest: newsuperior: [%s]\n", req->newsuperior));
if (ldb_dn_get_comp_num(parentdn) < 1) {
result = LDAP_OTHER;
goto reply;
}
+ newdn = parentdn;
reply:
modifydn_r = ldapsrv_init_reply(call, LDAP_TAG_ModifyDNResponse);
NT_STATUS_HAVE_NO_MEMORY(local_ctx);
dn = ldb_dn_new(local_ctx, samdb, req->dn);
- VALID_DN_SYNTAX(dn, 1);
+ VALID_DN_SYNTAX(dn);
DEBUG(10, ("CompareRequest: dn: [%s]\n", req->dn));
filter = talloc_asprintf(local_ctx, "(%s=%*s)", req->attribute,
NT_STATUS_HAVE_NO_MEMORY(compare_r);
if (result == LDAP_SUCCESS) {
- ldb_ret = ldb_search(samdb, dn, LDB_SCOPE_BASE, filter, attrs, &res);
- talloc_steal(local_ctx, res);
+ ldb_ret = ldb_search(samdb, local_ctx, &res,
+ dn, LDB_SCOPE_BASE, attrs, "%s", filter);
if (ldb_ret != LDB_SUCCESS) {
result = map_ldb_error(samdb, ldb_ret, &errstr);
DEBUG(10,("CompareRequest: error: %s\n", errstr));
NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
{
+ int i;
+ struct ldap_message *msg = call->request;
+ /* Check for undecoded critical extensions */
+ for (i=0; msg->controls && msg->controls[i]; i++) {
+ if (!msg->controls_decoded[i] &&
+ msg->controls[i]->critical) {
+ DEBUG(3, ("ldapsrv_do_call: Critical extension %s is not known to this server\n",
+ msg->controls[i]->oid));
+ return ldapsrv_unwilling(call, LDAP_UNAVAILABLE_CRITICAL_EXTENSION);
+ }
+ }
+
switch(call->request->type) {
case LDAP_TAG_BindRequest:
return ldapsrv_BindRequest(call);