*/
#include "includes.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/ldb/include/ldb_module.h"
-#include "lib/ldb/include/ldb_private.h"
-
+#include <ldb.h>
+#include <ldb_errors.h>
+#include <ldb_module.h>
#include "dsdb/samdb/ldb_modules/util.h"
#include "dsdb/samdb/samdb.h"
#include "librpc/ndr/libndr.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
+#include "lib/ldb-samba/ldb_wrap.h"
static int read_at_rootdse_record(struct ldb_context *ldb, struct ldb_module *module, TALLOC_CTX *mem_ctx,
- struct ldb_message **msg)
+ struct ldb_message **msg, struct ldb_request *parent)
{
int ret;
static const char *rootdse_attrs[] = { "defaultNamingContext", "configurationNamingContext", "schemaNamingContext", NULL };
struct ldb_dn *rootdse_dn;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
rootdse_dn = ldb_dn_new(tmp_ctx, ldb, "@ROOTDSE");
if (!rootdse_dn) {
talloc_free(tmp_ctx);
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
- ret = dsdb_module_search_dn(module, tmp_ctx, &rootdse_res, rootdse_dn, rootdse_attrs, 0);
+ ret = dsdb_module_search_dn(module, tmp_ctx, &rootdse_res, rootdse_dn,
+ rootdse_attrs, DSDB_FLAG_NEXT_MODULE, parent);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
char *full_string;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
if (backend_attr) {
}
if (backend_mod) {
- backend_full_list = (const char **)str_list_make_single(tmp_ctx, backend_mod);
+ char **b = str_list_make_single(tmp_ctx, backend_mod);
+ backend_full_list = discard_const_p(const char *, b);
} else {
- backend_full_list = (const char **)str_list_make_empty(tmp_ctx);
+ char **b = str_list_make_empty(tmp_ctx);
+ backend_full_list = discard_const_p(const char *, b);
}
if (!backend_full_list) {
talloc_free(tmp_ctx);
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
backend_full_list = str_list_append_const(backend_full_list, backend_mod_list);
if (!backend_full_list) {
talloc_free(tmp_ctx);
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
mod_list_string = str_list_join(tmp_ctx, backend_full_list, ',');
if (!mod_list_string) {
talloc_free(tmp_ctx);
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
full_string = talloc_asprintf(tmp_ctx, "%s:%s", backend_dn, mod_list_string);
return ret;
}
+/*
+ * Force overwrite of the credentials with those
+ * specified in secrets.ldb, to connect across the
+ * ldapi socket to an LDAP backend
+ */
+
+static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
+{
+ const char *secrets_ldb_path, *sam_ldb_path;
+ char *private_dir, *p, *error_string;
+ struct ldb_context *secrets_ldb;
+ struct cli_credentials *cred;
+ struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
+ TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+
+ if (!tmp_ctx) {
+ return ldb_oom(ldb);
+ }
+
+ cred = cli_credentials_init(ldb);
+ if (!cred) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
+ }
+ cli_credentials_set_anonymous(cred);
+ if (use_external) {
+ cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
+ } else {
+ cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
+
+ /*
+ * We don't want to use krb5 to talk to our samdb - recursion
+ * here would be bad, and this account isn't in the KDC
+ * anyway
+ */
+ cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+ /*
+ * Work out where *our* secrets.ldb is. It must be in
+ * the same directory as sam.ldb
+ */
+ sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
+ if (!sam_ldb_path) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb);
+ }
+ if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
+ sam_ldb_path += 6;
+ }
+ private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
+ p = strrchr(private_dir, '/');
+ if (p) {
+ *p = '\0';
+ } else {
+ private_dir = talloc_strdup(tmp_ctx, ".");
+ }
+
+ secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
+ private_dir);
+ if (!secrets_ldb_path) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
+ }
+
+ /*
+ * Now that we have found the location, connect to
+ * secrets.ldb so we can read the SamDB Credentials
+ * record
+ */
+ secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
+ NULL, NULL, 0);
+
+ if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
+ SECRETS_LDAP_FILTER, &error_string))) {
+ ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
+ talloc_free(tmp_ctx);
+ return LDB_ERR_STRONG_AUTH_REQUIRED;
+ }
+ }
+
+ /*
+ * Finally overwrite any supplied credentials with
+ * these ones, as only secrets.ldb contains the magic
+ * credentials to talk on the ldapi socket
+ */
+ if (ldb_set_opaque(ldb, "credentials", cred)) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb);
+ }
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+}
+
+static bool check_required_features(struct ldb_message_element *el)
+{
+ if (el != NULL) {
+ int k;
+ DATA_BLOB esf = data_blob_string_const(
+ SAMBA_ENCRYPTED_SECRETS_FEATURE);
+ DATA_BLOB lmdbl1 = data_blob_string_const(
+ SAMBA_LMDB_LEVEL_ONE_FEATURE);
+ for (k = 0; k < el->num_values; k++) {
+ if ((data_blob_cmp(&esf, &el->values[k]) != 0) &&
+ (data_blob_cmp(&lmdbl1, &el->values[k]) != 0)) {
+ return false;
+ }
+ }
+ }
+ return true;
+}
static int samba_dsdb_init(struct ldb_module *module)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
- int ret, len, i;
+ int ret, lock_ret, len, i, j;
TALLOC_CTX *tmp_ctx = talloc_new(module);
struct ldb_result *res;
- struct ldb_message *rootdse_msg, *partition_msg;
- struct ldb_dn *samba_dsdb_dn;
+ struct ldb_message *rootdse_msg = NULL, *partition_msg;
+ struct ldb_dn *samba_dsdb_dn, *partition_dn, *indexlist_dn;
struct ldb_module *backend_module, *module_chain;
const char **final_module_list, **reverse_module_list;
/*
Some Known ordering constraints:
- rootdse must be first, as it makes redirects from "" -> cn=rootdse
- extended_dn_in must be before objectclass.c, as it resolves the DN
- - objectclass must be before password_hash, because password_hash checks
- that the objectclass is of type person (filled in by objectclass
- module when expanding the objectclass list)
+ - objectclass must be before password_hash and samldb since these LDB
+ modules require the expanded "objectClass" list
+ - objectclass must be before descriptor and acl, as both assume that
+ objectClass values are sorted
+ - objectclass_attrs must be behind operational in order to see all
+ attributes (the operational module protects and therefore
+ suppresses per default some important ones)
- partition must be last
- each partition has its own module list then
stack visually - the code below then handles the creation of the list
based on the parameters loaded from the database.
*/
- static const char *modules_list[] = {"resolve_oids",
+ static const char *modules_list1[] = {"resolve_oids",
"rootdse",
+ "dsdb_notification",
+ "schema_load",
"lazy_commit",
+ "dirsync",
"paged_results",
+ "vlv",
"ranged_results",
"anr",
"server_sort",
"asq",
"extended_dn_store",
- "extended_dn_in",
+ NULL };
+ /* extended_dn_in or extended_dn_in_openldap goes here */
+ static const char *modules_list1a[] = {"audit_log",
"objectclass",
+ "tombstone_reanimate",
"descriptor",
"acl",
+ "aclread",
"samldb",
"password_hash",
- "operational",
- "validate_update",
- "kludge_acl",
- "schema_load",
"instancetype",
+ "objectclass_attrs",
NULL };
const char **link_modules;
"rdn_name",
"subtree_delete",
"repl_meta_data",
+ "group_audit_log",
+ "encrypted_secrets",
+ "operational",
+ "unique_object_sids",
"subtree_rename",
"linked_attributes",
NULL};
const char *extended_dn_module_ldb = "extended_dn_out_ldb";
const char *extended_dn_module_fds = "extended_dn_out_fds";
const char *extended_dn_module_openldap = "extended_dn_out_openldap";
+ const char *extended_dn_in_module = "extended_dn_in";
- static const char *modules_list2[] = {"show_deleted",
+ static const char *modules_list2[] = {"dns_notify",
+ "show_deleted",
"new_partition",
"partition",
NULL };
const char **backend_modules;
static const char *fedora_ds_backend_modules[] = {
- "nsuniqueid", "paged_searches", NULL };
+ "dsdb_flags_ignore", "nsuniqueid", "paged_searches", "simple_dn", NULL };
static const char *openldap_backend_modules[] = {
- "entryuuid", "paged_searches", NULL };
+ "dsdb_flags_ignore", "entryuuid", "simple_dn", NULL };
- static const char *samba_dsdb_attrs[] = { "backendType", "serverRole", NULL };
- const char *backendType, *serverRole;
+ static const char *samba_dsdb_attrs[] = { "backendType",
+ SAMBA_COMPATIBLE_FEATURES_ATTR,
+ SAMBA_REQUIRED_FEATURES_ATTR, NULL };
+ static const char *indexlist_attrs[] = { SAMBA_FEATURES_SUPPORTED_FLAG, NULL };
+ static const char *partition_attrs[] = { "ldapBackend", NULL };
+ const char *backendType, *backendUrl;
+ bool use_sasl_external = false;
+
+ const char *current_supportedFeatures[] = {SAMBA_SORTED_LINKS_FEATURE};
if (!tmp_ctx) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
+ }
+
+ ret = ldb_register_samba_handlers(ldb);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
}
samba_dsdb_dn = ldb_dn_new(tmp_ctx, ldb, "@SAMBA_DSDB");
if (!samba_dsdb_dn) {
talloc_free(tmp_ctx);
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
+ }
+
+ indexlist_dn = ldb_dn_new(tmp_ctx, ldb, "@INDEXLIST");
+ if (!samba_dsdb_dn) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
+ }
+
+ partition_dn = ldb_dn_new(tmp_ctx, ldb, DSDB_PARTITION_DN);
+ if (!partition_dn) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
}
#define CHECK_LDB_RET(check_ret) \
} \
} while (0)
- ret = dsdb_module_search_dn(module, tmp_ctx, &res, samba_dsdb_dn, samba_dsdb_attrs, 0);
+ ret = dsdb_module_search_dn(module, tmp_ctx, &res, samba_dsdb_dn,
+ samba_dsdb_attrs, DSDB_FLAG_NEXT_MODULE, NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
backendType = "ldb";
- serverRole = "domain controller";
} else if (ret == LDB_SUCCESS) {
+ struct ldb_message_element *requiredFeatures;
+ struct ldb_message_element *old_compatibleFeatures;
+
backendType = ldb_msg_find_attr_as_string(res->msgs[0], "backendType", "ldb");
- serverRole = ldb_msg_find_attr_as_string(res->msgs[0], "serverRole", "domain controller");
+
+ requiredFeatures = ldb_msg_find_element(res->msgs[0], SAMBA_REQUIRED_FEATURES_ATTR);
+ if (!check_required_features(requiredFeatures)) {
+ ldb_set_errstring(
+ ldb,
+ "This Samba database was created with "
+ "a newer Samba version and is marked "
+ "with extra requiredFeatures in "
+ "@SAMBA_DSDB. This database can not "
+ "safely be read by this Samba version");
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ old_compatibleFeatures = ldb_msg_find_element(res->msgs[0],
+ SAMBA_COMPATIBLE_FEATURES_ATTR);
+
+ if (old_compatibleFeatures) {
+ struct ldb_message *features_msg;
+ struct ldb_message_element *features_el;
+ int samba_options_supported = 0;
+ ret = dsdb_module_search_dn(module, tmp_ctx, &res,
+ indexlist_dn,
+ indexlist_attrs,
+ DSDB_FLAG_NEXT_MODULE, NULL);
+ if (ret == LDB_SUCCESS) {
+ samba_options_supported
+ = ldb_msg_find_attr_as_int(res->msgs[0],
+ SAMBA_FEATURES_SUPPORTED_FLAG,
+ 0);
+
+ } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ /*
+ * If we don't have @INDEXLIST yet, then we
+ * are so early in set-up that we know this is
+ * a blank DB, so no need to wripe out old
+ * features
+ */
+ samba_options_supported = 1;
+ }
+
+ features_msg = ldb_msg_new(res);
+ if (features_msg == NULL) {
+ return ldb_module_operr(module);
+ }
+ features_msg->dn = samba_dsdb_dn;
+
+ ldb_msg_add_empty(features_msg, SAMBA_COMPATIBLE_FEATURES_ATTR,
+ LDB_FLAG_MOD_DELETE, &features_el);
+
+ if (samba_options_supported == 1) {
+ for (i = 0;
+ old_compatibleFeatures && i < old_compatibleFeatures->num_values;
+ i++) {
+ for (j = 0;
+ j < ARRAY_SIZE(current_supportedFeatures); j++) {
+ if (strcmp((char *)old_compatibleFeatures->values[i].data,
+ current_supportedFeatures[j]) == 0) {
+ break;
+ }
+ }
+ if (j == ARRAY_SIZE(current_supportedFeatures)) {
+ /*
+ * Add to list of features to remove
+ * (rather than all features)
+ */
+ ret = ldb_msg_add_value(features_msg, SAMBA_COMPATIBLE_FEATURES_ATTR,
+ &old_compatibleFeatures->values[i],
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ }
+
+ if (features_el->num_values > 0) {
+ /* Delete by list */
+ ret = ldb_next_start_trans(module);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = dsdb_module_modify(module, features_msg, DSDB_FLAG_NEXT_MODULE, NULL);
+ if (ret != LDB_SUCCESS) {
+ ldb_next_del_trans(module);
+ return ret;
+ }
+ ret = ldb_next_end_trans(module);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ } else {
+ /* Delete all */
+ ret = ldb_next_start_trans(module);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = dsdb_module_modify(module, features_msg, DSDB_FLAG_NEXT_MODULE, NULL);
+ if (ret != LDB_SUCCESS) {
+ ldb_next_del_trans(module);
+ return ret;
+ }
+ ret = ldb_next_end_trans(module);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ }
+
} else {
talloc_free(tmp_ctx);
return ret;
extended_dn_module = extended_dn_module_ldb;
link_modules = tdb_modules_list;
} else {
+ struct cli_credentials *cred;
+ bool is_ldapi = false;
+
+ ret = dsdb_module_search_dn(module, tmp_ctx, &res, partition_dn,
+ partition_attrs, DSDB_FLAG_NEXT_MODULE, NULL);
+ if (ret == LDB_SUCCESS) {
+ backendUrl = ldb_msg_find_attr_as_string(res->msgs[0], "ldapBackend", "ldapi://");
+ if (!strncasecmp(backendUrl, "ldapi://", sizeof("ldapi://")-1)) {
+ is_ldapi = true;
+ }
+ } else if (ret != LDB_ERR_NO_SUCH_OBJECT) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
if (strcasecmp(backendType, "fedora-ds") == 0) {
link_modules = fedora_ds_modules;
backend_modules = fedora_ds_backend_modules;
link_modules = openldap_modules;
backend_modules = openldap_backend_modules;
extended_dn_module = extended_dn_module_openldap;
+ extended_dn_in_module = "extended_dn_in_openldap";
+ if (is_ldapi) {
+ use_sasl_external = true;
+ }
+ } else {
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "invalid backend type");
+ }
+ ret = ldb_set_opaque(ldb, "readOnlySchema", (void*)1);
+ if (ret != LDB_SUCCESS) {
+ ldb_set_errstring(ldb, "Failed to set readOnlySchema opaque");
+ }
+
+ cred = ldb_get_opaque(ldb, "credentials");
+ if (!cred || !cli_credentials_authentication_requested(cred)) {
+ ret = set_ldap_credentials(ldb, use_sasl_external);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
}
}
do { \
if (!final_module_list) { \
talloc_free(tmp_ctx); \
- ldb_oom(ldb); \
- return LDB_ERR_OPERATIONS_ERROR; \
+ return ldb_oom(ldb); \
} \
} while (0)
- final_module_list = str_list_copy_const(tmp_ctx, modules_list);
+ final_module_list = str_list_copy_const(tmp_ctx, modules_list1);
+ CHECK_MODULE_LIST;
+
+ final_module_list = str_list_add_const(final_module_list, extended_dn_in_module);
+ CHECK_MODULE_LIST;
+
+ final_module_list = str_list_append_const(final_module_list, modules_list1a);
CHECK_MODULE_LIST;
final_module_list = str_list_append_const(final_module_list, link_modules);
CHECK_MODULE_LIST;
- ret = read_at_rootdse_record(ldb, module, tmp_ctx, &rootdse_msg);
+ ret = read_at_rootdse_record(ldb, module, tmp_ctx, &rootdse_msg, NULL);
CHECK_LDB_RET(ret);
partition_msg = ldb_msg_new(tmp_ctx);
partition_msg->dn = ldb_dn_new(partition_msg, ldb, "@" DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME);
- ret = prepare_modules_line(ldb, tmp_ctx,
- rootdse_msg,
- partition_msg, "defaultNamingContext",
- "pdc_fsmo", backend_modules);
- CHECK_LDB_RET(ret);
-
- ret = prepare_modules_line(ldb, tmp_ctx,
- rootdse_msg,
- partition_msg, "configurationNamingContext",
- "naming_fsmo", backend_modules);
- CHECK_LDB_RET(ret);
-
ret = prepare_modules_line(ldb, tmp_ctx,
rootdse_msg,
partition_msg, "schemaNamingContext",
reverse_module_list = talloc_array(tmp_ctx, const char *, len+1);
if (!reverse_module_list) {
talloc_free(tmp_ctx);
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
for (i=0; i < len; i++) {
reverse_module_list[i] = final_module_list[(len - 1) - i];
/* The backend (at least until the partitions module
* reconfigures things) is the next module in the currently
* loaded chain */
- backend_module = module->next;
- ret = ldb_load_modules_list(ldb, reverse_module_list, backend_module, &module_chain);
+ backend_module = ldb_module_next(module);
+ ret = ldb_module_load_list(ldb, reverse_module_list, backend_module, &module_chain);
CHECK_LDB_RET(ret);
talloc_free(tmp_ctx);
/* Set this as the 'next' module, so that we effectivly append it to module chain */
- module->next = module_chain;
+ ldb_module_set_next(module, module_chain);
+
+ ret = ldb_next_read_lock(module);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_next_init(module);
+
+ lock_ret = ldb_next_read_unlock(module);
+
+ if (lock_ret != LDB_SUCCESS) {
+ return lock_ret;
+ }
- return ldb_next_init(module);
+ return ret;
}
-const struct ldb_module_ops ldb_samba_dsdb_module_ops = {
+static const struct ldb_module_ops ldb_samba_dsdb_module_ops = {
.name = "samba_dsdb",
.init_context = samba_dsdb_init,
};
+
+static struct ldb_message *dsdb_flags_ignore_fixup(TALLOC_CTX *mem_ctx,
+ const struct ldb_message *_msg)
+{
+ struct ldb_message *msg = NULL;
+ unsigned int i;
+
+ /* we have to copy the message as the caller might have it as a const */
+ msg = ldb_msg_copy_shallow(mem_ctx, _msg);
+ if (msg == NULL) {
+ return NULL;
+ }
+
+ for (i=0; i < msg->num_elements;) {
+ struct ldb_message_element *e = &msg->elements[i];
+
+ if (!(e->flags & DSDB_FLAG_INTERNAL_FORCE_META_DATA)) {
+ i++;
+ continue;
+ }
+
+ e->flags &= ~DSDB_FLAG_INTERNAL_FORCE_META_DATA;
+
+ if (e->num_values != 0) {
+ i++;
+ continue;
+ }
+
+ ldb_msg_remove_element(msg, e);
+ }
+
+ return msg;
+}
+
+static int dsdb_flags_ignore_add(struct ldb_module *module, struct ldb_request *req)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ldb_request *down_req = NULL;
+ struct ldb_message *msg = NULL;
+ int ret;
+
+ msg = dsdb_flags_ignore_fixup(req, req->op.add.message);
+ if (msg == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ ret = ldb_build_add_req(&down_req, ldb, req,
+ msg,
+ req->controls,
+ req, dsdb_next_callback,
+ req);
+ LDB_REQ_SET_LOCATION(down_req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ /* go on with the call chain */
+ return ldb_next_request(module, down_req);
+}
+
+static int dsdb_flags_ignore_modify(struct ldb_module *module, struct ldb_request *req)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ldb_request *down_req = NULL;
+ struct ldb_message *msg = NULL;
+ int ret;
+
+ msg = dsdb_flags_ignore_fixup(req, req->op.mod.message);
+ if (msg == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ ret = ldb_build_mod_req(&down_req, ldb, req,
+ msg,
+ req->controls,
+ req, dsdb_next_callback,
+ req);
+ LDB_REQ_SET_LOCATION(down_req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ /* go on with the call chain */
+ return ldb_next_request(module, down_req);
+}
+
+static const struct ldb_module_ops ldb_dsdb_flags_ignore_module_ops = {
+ .name = "dsdb_flags_ignore",
+ .add = dsdb_flags_ignore_add,
+ .modify = dsdb_flags_ignore_modify,
+};
+
+int ldb_samba_dsdb_module_init(const char *version)
+{
+ int ret;
+ LDB_MODULE_CHECK_VERSION(version);
+ ret = ldb_register_module(&ldb_samba_dsdb_module_ops);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_register_module(&ldb_dsdb_flags_ignore_module_ops);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ return LDB_SUCCESS;
+}