ldb_oom(ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- current->objectclass = dsdb_class_by_lDAPDisplayName(schema, (const char *)objectclass_element->values[i].data);
+ current->objectclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &objectclass_element->values[i]);
if (!current->objectclass) {
- ldb_asprintf_errstring(ldb, "objectclass %s is not a valid objectClass in schema", (const char *)objectclass_element->values[i].data);
+ ldb_asprintf_errstring(ldb, "objectclass %.*s is not a valid objectClass in schema",
+ (int)objectclass_element->values[i].length, (const char *)objectclass_element->values[i].data);
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
-static DATA_BLOB *get_sd(struct ldb_module *module, TALLOC_CTX *mem_ctx,
- const struct dsdb_class *objectclass)
-{
- struct ldb_context *ldb = ldb_module_get_ctx(module);
- enum ndr_err_code ndr_err;
- DATA_BLOB *linear_sd;
- struct auth_session_info *session_info
- = ldb_get_opaque(ldb, "sessionInfo");
- struct security_descriptor *sd;
- const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
-
- if (!objectclass->defaultSecurityDescriptor || !domain_sid) {
- return NULL;
- }
-
- sd = sddl_decode(mem_ctx,
- objectclass->defaultSecurityDescriptor,
- domain_sid);
-
- if (!sd || !session_info || !session_info->security_token) {
- return NULL;
- }
-
- sd->owner_sid = session_info->security_token->user_sid;
- sd->group_sid = session_info->security_token->group_sid;
-
- linear_sd = talloc(mem_ctx, DATA_BLOB);
- if (!linear_sd) {
- return NULL;
- }
-
- ndr_err = ndr_push_struct_blob(linear_sd, mem_ctx,
- lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
- sd,
- (ndr_push_flags_fn_t)ndr_push_security_descriptor);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- return NULL;
- }
-
- return linear_sd;
-
-}
-
static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares)
{
struct ldb_context *ldb;
ares->response, ares->error);
}
+ ldb_reset_err_string(ldb);
+
switch (ares->type) {
case LDB_REPLY_ENTRY:
if (ac->search_res != NULL) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
}
-
if (schema) {
ret = fix_attributes(ldb, schema, msg);
if (ret != LDB_SUCCESS) {
/* This is now the objectClass list from the database */
objectclass_element = ldb_msg_find_element(msg, "objectClass");
-
+
if (!objectclass_element) {
/* Where did it go? bail now... */
talloc_free(mem_ctx);
talloc_free(mem_ctx);
return ret;
}
-
+
/* We must completely replace the existing objectClass entry,
* because we need it sorted */
-
+
/* Move from the linked list back into an ldb msg */
for (current = sorted; current; current = current->next) {
value = talloc_strdup(msg, current->objectclass->lDAPDisplayName);
}
ret = ldb_msg_add_string(msg, "objectClass", value);
if (ret != LDB_SUCCESS) {
- ldb_set_errstring(ldb,
+ ldb_set_errstring(ldb,
"objectclass: could not re-add sorted "
"objectclass to modify msg");
talloc_free(mem_ctx);
if (!current->next) {
struct ldb_message_element *el;
int32_t systemFlags = 0;
+ const char *rdn_name = ldb_dn_get_rdn_name(msg->dn);
+ if (ldb_attr_cmp(rdn_name, current->objectclass->rDNAttID) != 0) {
+ ldb_asprintf_errstring(ldb, "RDN %s is not correct for most specific structural objectclass %s, should be %s",
+ rdn_name, current->objectclass->lDAPDisplayName, current->objectclass->rDNAttID);
+ return LDB_ERR_NAMING_VIOLATION;
+ }
+
if (!ldb_msg_find_element(msg, "objectCategory")) {
value = talloc_strdup(msg, current->objectclass->defaultObjectCategory);
if (value == NULL) {
ldb_msg_add_string(msg, "objectCategory", value);
}
if (!ldb_msg_find_element(msg, "showInAdvancedViewOnly") && (current->objectclass->defaultHidingValue == true)) {
- ldb_msg_add_string(msg, "showInAdvancedViewOnly",
+ ldb_msg_add_string(msg, "showInAdvancedViewOnly",
"TRUE");
}
- if (!ldb_msg_find_element(msg, "nTSecurityDescriptor")) {
- DATA_BLOB *sd = get_sd(ac->module, mem_ctx, current->objectclass);
- if (sd) {
- ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
- }
- }
/* There are very special rules for systemFlags, see MS-ADTS 3.1.1.5.2.4 */
el = ldb_msg_find_element(msg, "systemFlags");
/* systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_MOVE | SYSTEM_FLAG_CONFIG_LIMITED_MOVE); */
ldb_msg_remove_element(msg, el);
}
-
+
/* This flag is only allowed on attributeSchema objects */
if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "attributeSchema") == 0) {
systemFlags &= ~SYSTEM_FLAG_ATTR_IS_RDN;
|| ldb_attr_cmp(current->objectclass->lDAPDisplayName, "ntDSDSA") == 0) {
systemFlags |= (int32_t)(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
- } else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLink") == 0
+ } else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLink") == 0
|| ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLinkBridge") == 0
|| ldb_attr_cmp(current->objectclass->lDAPDisplayName, "nTDSConnection") == 0) {
systemFlags |= (int32_t)(SYSTEM_FLAG_CONFIG_ALLOW_RENAME);
return ret;
}
+ /* we have to add the show deleted control, as otherwise DRS
+ deletes will be refused as we will think the target parent
+ does not exist */
+ ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_DELETED_OID, false, NULL);
+
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
ac->step_fn = objectclass_do_rename;
return ldb_next_request(ac->module, search_req);