1 /*
2 ldb database library
3
4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
6 Copyright (C) Stefan Metzmacher 2009
7 Copyright (C) Matthias Dieter Wallnöfer 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU Lesser General Public
20 License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 */
22
23 /*
24 * Name: ldb
25 *
26 * Component: objectclass attribute checking module
27 *
28 * Description: this checks the attributes on a directory entry (if they're
29 * allowed, if the syntax is correct, if mandatory ones are missing,
30 * denies the deletion of mandatory ones...). The module contains portions
31 * of the "objectclass" and the "validate_update" LDB module.
32 *
33 * Author: Matthias Dieter Wallnöfer
34 */
35
36 #include "includes.h"
37 #include "ldb_module.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
40
41 struct oc_context {
42
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const struct dsdb_schema *schema;
46
47 struct ldb_message *msg;
48
49 struct ldb_reply *search_res;
50 struct ldb_reply *mod_ares;
51 };
52
oc_init_context(struct ldb_module * module,struct ldb_request * req)53 static struct oc_context *oc_init_context(struct ldb_module *module,
54 struct ldb_request *req)
55 {
56 struct ldb_context *ldb;
57 struct oc_context *ac;
58
59 ldb = ldb_module_get_ctx(module);
60
61 ac = talloc_zero(req, struct oc_context);
62 if (ac == NULL) {
63 ldb_oom(ldb);
64 return NULL;
65 }
66
67 ac->module = module;
68 ac->req = req;
69 ac->schema = dsdb_get_schema(ldb, ac);
70
71 return ac;
72 }
73
74 static int oc_op_callback(struct ldb_request *req, struct ldb_reply *ares);
75
76 /*
77 * Checks the correctness of the "dSHeuristics" attribute as described in both
78 * MS-ADTS 7.1.1.2.4.1.2 dSHeuristics and MS-ADTS 3.1.1.5.3.2 Constraints
79 */
oc_validate_dsheuristics(struct ldb_message_element * el)80 static int oc_validate_dsheuristics(struct ldb_message_element *el)
81 {
82 if (el->num_values > 0) {
83 if ((el->values[0].length >= DS_HR_NINETIETH_CHAR) &&
84 (el->values[0].data[DS_HR_NINETIETH_CHAR-1] != '9')) {
85 return LDB_ERR_CONSTRAINT_VIOLATION;
86 }
87 if ((el->values[0].length >= DS_HR_EIGHTIETH_CHAR) &&
88 (el->values[0].data[DS_HR_EIGHTIETH_CHAR-1] != '8')) {
89 return LDB_ERR_CONSTRAINT_VIOLATION;
90 }
91 if ((el->values[0].length >= DS_HR_SEVENTIETH_CHAR) &&
92 (el->values[0].data[DS_HR_SEVENTIETH_CHAR-1] != '7')) {
93 return LDB_ERR_CONSTRAINT_VIOLATION;
94 }
95 if ((el->values[0].length >= DS_HR_SIXTIETH_CHAR) &&
96 (el->values[0].data[DS_HR_SIXTIETH_CHAR-1] != '6')) {
97 return LDB_ERR_CONSTRAINT_VIOLATION;
98 }
99 if ((el->values[0].length >= DS_HR_FIFTIETH_CHAR) &&
100 (el->values[0].data[DS_HR_FIFTIETH_CHAR-1] != '5')) {
101 return LDB_ERR_CONSTRAINT_VIOLATION;
102 }
103 if ((el->values[0].length >= DS_HR_FOURTIETH_CHAR) &&
104 (el->values[0].data[DS_HR_FOURTIETH_CHAR-1] != '4')) {
105 return LDB_ERR_CONSTRAINT_VIOLATION;
106 }
107 if ((el->values[0].length >= DS_HR_THIRTIETH_CHAR) &&
108 (el->values[0].data[DS_HR_THIRTIETH_CHAR-1] != '3')) {
109 return LDB_ERR_CONSTRAINT_VIOLATION;
110 }
111 if ((el->values[0].length >= DS_HR_TWENTIETH_CHAR) &&
112 (el->values[0].data[DS_HR_TWENTIETH_CHAR-1] != '2')) {
113 return LDB_ERR_CONSTRAINT_VIOLATION;
114 }
115 if ((el->values[0].length >= DS_HR_TENTH_CHAR) &&
116 (el->values[0].data[DS_HR_TENTH_CHAR-1] != '1')) {
117 return LDB_ERR_CONSTRAINT_VIOLATION;
118 }
119 }
120
121 return LDB_SUCCESS;
122 }
123
124 /*
125 auto normalise values on input
126 */
oc_auto_normalise(struct ldb_context * ldb,const struct dsdb_attribute * attr,struct ldb_message * msg,struct ldb_message_element * el)127 static int oc_auto_normalise(struct ldb_context *ldb, const struct dsdb_attribute *attr,
128 struct ldb_message *msg, struct ldb_message_element *el)
129 {
130 int i;
131 bool values_copied = false;
132
133 for (i=0; i<el->num_values; i++) {
134 struct ldb_val v;
135 int ret;
136 /*
137 * We use msg->elements (owned by this module due to
138 * ldb_msg_copy_shallow()) as a memory context and
139 * then steal from there to the right spot if we don't
140 * free it.
141 */
142 ret = attr->ldb_schema_attribute->syntax->canonicalise_fn(ldb,
143 msg->elements,
144 &el->values[i],
145 &v);
146 if (ret != LDB_SUCCESS) {
147 return ret;
148 }
149 if (data_blob_cmp(&v, &el->values[i]) == 0) {
150 /* no need to replace it */
151 talloc_free(v.data);
152 continue;
153 }
154
155 /* we need to copy the values array on the first change */
156 if (!values_copied) {
157 struct ldb_val *v2;
158 v2 = talloc_array(msg->elements, struct ldb_val, el->num_values);
159 if (v2 == NULL) {
160 return ldb_oom(ldb);
161 }
162 memcpy(v2, el->values, sizeof(struct ldb_val) * el->num_values);
163 el->values = v2;
164 values_copied = true;
165 }
166
167 el->values[i] = v;
168
169 /*
170 * By now el->values is a talloc pointer under
171 * msg->elements and may now be used
172 */
173 talloc_steal(el->values, v.data);
174 }
175 return LDB_SUCCESS;
176 }
177
attr_handler(struct oc_context * ac)178 static int attr_handler(struct oc_context *ac)
179 {
180 struct ldb_context *ldb;
181 struct ldb_message *msg;
182 struct ldb_request *child_req;
183 const struct dsdb_attribute *attr;
184 unsigned int i;
185 int ret;
186 WERROR werr;
187 struct dsdb_syntax_ctx syntax_ctx;
188
189 ldb = ldb_module_get_ctx(ac->module);
190
191 if (ac->req->operation == LDB_ADD) {
192 msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
193 } else {
194 msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
195 }
196 if (msg == NULL) {
197 return ldb_oom(ldb);
198 }
199 ac->msg = msg;
200
201 /* initialize syntax checking context */
202 dsdb_syntax_ctx_init(&syntax_ctx, ldb, ac->schema);
203
204 /* Check if attributes exist in the schema, if the values match,
205 * if they're not operational and fix the names to the match the schema
206 * case */
207 for (i = 0; i < msg->num_elements; i++) {
208 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
209 msg->elements[i].name);
210 if (attr == NULL) {
211 if (ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK) &&
212 ac->req->operation != LDB_ADD) {
213 /* we allow this for dbcheck to fix
214 broken attributes */
215 goto no_attribute;
216 }
217 ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' was not found in the schema!",
218 msg->elements[i].name,
219 ldb_dn_get_linearized(msg->dn));
220 return LDB_ERR_NO_SUCH_ATTRIBUTE;
221 }
222
223 if ((attr->linkID & 1) == 1 &&
224 !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
225 !ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK)) {
226 /* Odd is for the target. Illegal to modify */
227 ldb_asprintf_errstring(ldb,
228 "objectclass_attrs: attribute '%s' on entry '%s' must not be modified directly, it is a linked attribute",
229 msg->elements[i].name,
230 ldb_dn_get_linearized(msg->dn));
231 return LDB_ERR_UNWILLING_TO_PERFORM;
232 }
233
234 /*
235 * Enforce systemOnly checks from [ADTS] 3.1.1.5.3.2
236 * Constraints in Modify Operation
237 */
238 if (ac->req->operation == LDB_MODIFY && attr->systemOnly) {
239 /*
240 * Allow dbcheck and relax to bypass. objectClass, name
241 * and distinguishedName are generally handled
242 * elsewhere.
243 *
244 * The remaining cases, undelete, msDS-AdditionalDnsHostName
245 * and wellKnownObjects are documented in the specification.
246 */
247 if (!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
248 !ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK) &&
249 !ldb_request_get_control(ac->req, DSDB_CONTROL_RESTORE_TOMBSTONE_OID) &&
250 ldb_attr_cmp(attr->lDAPDisplayName, "objectClass") != 0 &&
251 ldb_attr_cmp(attr->lDAPDisplayName, "name") != 0 &&
252 ldb_attr_cmp(attr->lDAPDisplayName, "distinguishedName") != 0 &&
253 ldb_attr_cmp(attr->lDAPDisplayName, "msDS-AdditionalDnsHostName") != 0 &&
254 ldb_attr_cmp(attr->lDAPDisplayName, "wellKnownObjects") != 0) {
255 /*
256 * Comparison against base schema DN is used as a substitute for
257 * fschemaUpgradeInProgress and other specific schema checks.
258 */
259 if (ldb_dn_compare_base(ldb_get_schema_basedn(ldb), msg->dn) != 0) {
260 struct ldb_control *as_system = ldb_request_get_control(ac->req,
261 LDB_CONTROL_AS_SYSTEM_OID);
262 if (!dsdb_module_am_system(ac->module) && !as_system) {
263 ldb_asprintf_errstring(ldb,
264 "objectclass_attrs: attribute '%s' on entry '%s' must can only be modified as system",
265 msg->elements[i].name,
266 ldb_dn_get_linearized(msg->dn));
267 return LDB_ERR_CONSTRAINT_VIOLATION;
268 }
269 }
270 }
271 }
272
273 if (!(msg->elements[i].flags & LDB_FLAG_INTERNAL_DISABLE_VALIDATION)) {
274 werr = attr->syntax->validate_ldb(&syntax_ctx, attr,
275 &msg->elements[i]);
276 if (!W_ERROR_IS_OK(werr) &&
277 !ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK)) {
278 ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' contains at least one invalid value!",
279 msg->elements[i].name,
280 ldb_dn_get_linearized(msg->dn));
281 return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
282 }
283 }
284
285 if ((attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) != 0) {
286 ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' is constructed!",
287 msg->elements[i].name,
288 ldb_dn_get_linearized(msg->dn));
289 if (ac->req->operation == LDB_ADD) {
290 return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE;
291 } else {
292 return LDB_ERR_CONSTRAINT_VIOLATION;
293 }
294 }
295
296 /* "dSHeuristics" syntax check */
297 if (ldb_attr_cmp(attr->lDAPDisplayName, "dSHeuristics") == 0) {
298 ret = oc_validate_dsheuristics(&(msg->elements[i]));
299 if (ret != LDB_SUCCESS) {
300 return ret;
301 }
302 }
303
304 /* auto normalise some attribute values */
305 if (attr->syntax->auto_normalise) {
306 ret = oc_auto_normalise(ldb, attr, msg, &msg->elements[i]);
307 if (ret != LDB_SUCCESS) {
308 return ret;
309 }
310 }
311
312 /* Substitute the attribute name to match in case */
313 msg->elements[i].name = attr->lDAPDisplayName;
314 }
315
316 no_attribute:
317 if (ac->req->operation == LDB_ADD) {
318 ret = ldb_build_add_req(&child_req, ldb, ac,
319 msg, ac->req->controls,
320 ac, oc_op_callback, ac->req);
321 LDB_REQ_SET_LOCATION(child_req);
322 } else {
323 ret = ldb_build_mod_req(&child_req, ldb, ac,
324 msg, ac->req->controls,
325 ac, oc_op_callback, ac->req);
326 LDB_REQ_SET_LOCATION(child_req);
327 }
328 if (ret != LDB_SUCCESS) {
329 return ret;
330 }
331
332 return ldb_next_request(ac->module, child_req);
333 }
334
335 /*
336 these are attributes which are left over from old ways of doing
337 things in ldb, and are harmless
338 */
339 static const char *harmless_attrs[] = { "parentGUID", NULL };
340
attr_handler2(struct oc_context * ac)341 static int attr_handler2(struct oc_context *ac)
342 {
343 struct ldb_context *ldb;
344 struct ldb_message_element *oc_element;
345 struct ldb_message *msg;
346 const char **must_contain, **may_contain, **found_must_contain;
347 /* There exists a hardcoded delete-protected attributes list in AD */
348 const char *del_prot_attributes[] = { "nTSecurityDescriptor",
349 "objectSid", "sAMAccountType", "sAMAccountName", "groupType",
350 "primaryGroupID", "userAccountControl", "accountExpires",
351 "badPasswordTime", "badPwdCount", "codePage", "countryCode",
352 "lastLogoff", "lastLogon", "logonCount", "pwdLastSet", NULL },
353 **l;
354 const struct dsdb_attribute *attr;
355 unsigned int i;
356 bool found;
357 bool isSchemaAttr = false;
358
359 ldb = ldb_module_get_ctx(ac->module);
360
361 if (ac->search_res == NULL) {
362 return ldb_operr(ldb);
363 }
364
365 /* We rely here on the preceding "objectclass" LDB module which did
366 * already fix up the objectclass list (inheritance, order...). */
367 oc_element = ldb_msg_find_element(ac->search_res->message,
368 "objectClass");
369 if (oc_element == NULL) {
370 return ldb_operr(ldb);
371 }
372
373 /* LSA-specific object classes are not allowed to be created over LDAP,
374 * so we need to tell if this connection is internal (trusted) or not
375 * (untrusted).
376 *
377 * Hongwei Sun from Microsoft explains:
378 * The constraint in 3.1.1.5.2.2 MS-ADTS means that LSA objects cannot
379 * be added or modified through the LDAP interface, instead they can
380 * only be handled through LSA Policy API. This is also explained in
381 * 7.1.6.9.7 MS-ADTS as follows:
382 * "Despite being replicated normally between peer DCs in a domain,
383 * the process of creating or manipulating TDOs is specifically
384 * restricted to the LSA Policy APIs, as detailed in [MS-LSAD] section
385 * 3.1.1.5. Unlike other objects in the DS, TDOs may not be created or
386 * manipulated by client machines over the LDAPv3 transport."
387 */
388 for (i = 0; i < oc_element->num_values; i++) {
389 char * attname = (char *)oc_element->values[i].data;
390 if (ldb_req_is_untrusted(ac->req)) {
391 if (strcmp(attname, "secret") == 0 ||
392 strcmp(attname, "trustedDomain") == 0) {
393 ldb_asprintf_errstring(ldb, "objectclass_attrs: LSA objectclasses (entry '%s') cannot be created or changed over LDAP!",
394 ldb_dn_get_linearized(ac->search_res->message->dn));
395 return LDB_ERR_UNWILLING_TO_PERFORM;
396 }
397 }
398 if (strcmp(attname, "attributeSchema") == 0) {
399 isSchemaAttr = true;
400 }
401 }
402
403 must_contain = dsdb_full_attribute_list(ac, ac->schema, oc_element,
404 DSDB_SCHEMA_ALL_MUST);
405 may_contain = dsdb_full_attribute_list(ac, ac->schema, oc_element,
406 DSDB_SCHEMA_ALL_MAY);
407 found_must_contain = const_str_list(str_list_copy(ac, must_contain));
408 if ((must_contain == NULL) || (may_contain == NULL)
409 || (found_must_contain == NULL)) {
410 return ldb_operr(ldb);
411 }
412
413 /* Check the delete-protected attributes list */
414 msg = ac->search_res->message;
415 for (l = del_prot_attributes; *l != NULL; l++) {
416 struct ldb_message_element *el;
417
418 el = ldb_msg_find_element(ac->msg, *l);
419 if (el == NULL) {
420 /*
421 * It was not specified in the add or modify,
422 * so it doesn't need to be in the stored record
423 */
424 continue;
425 }
426
427 found = str_list_check_ci(must_contain, *l);
428 if (!found) {
429 found = str_list_check_ci(may_contain, *l);
430 }
431 if (found && (ldb_msg_find_element(msg, *l) == NULL)) {
432 ldb_asprintf_errstring(ldb, "objectclass_attrs: delete protected attribute '%s' on entry '%s' missing!",
433 *l,
434 ldb_dn_get_linearized(msg->dn));
435 return LDB_ERR_UNWILLING_TO_PERFORM;
436 }
437 }
438
439 /* Check if all specified attributes are valid in the given
440 * objectclasses and if they meet additional schema restrictions. */
441 for (i = 0; i < msg->num_elements; i++) {
442 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
443 msg->elements[i].name);
444 if (attr == NULL) {
445 if (ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK)) {
446 /* allow this to make it possible for dbcheck
447 to remove bad attributes */
448 continue;
449 }
450 return ldb_operr(ldb);
451 }
452
453 /* We can use "str_list_check" with "strcmp" here since the
454 * attribute information from the schema are always equal
455 * up-down-cased. */
456 found = str_list_check(must_contain, attr->lDAPDisplayName);
457 if (found) {
458 str_list_remove(found_must_contain, attr->lDAPDisplayName);
459 } else {
460 found = str_list_check(may_contain, attr->lDAPDisplayName);
461 }
462 if (!found) {
463 found = str_list_check(harmless_attrs, attr->lDAPDisplayName);
464 }
465 if (!found) {
466 /* we allow this for dbcheck to fix the rest of this broken entry */
467 if (!ldb_request_get_control(ac->req, DSDB_CONTROL_DBCHECK) ||
468 ac->req->operation == LDB_ADD) {
469 ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' does not exist in the specified objectclasses!",
470 msg->elements[i].name,
471 ldb_dn_get_linearized(msg->dn));
472 return LDB_ERR_OBJECT_CLASS_VIOLATION;
473 }
474 }
475 }
476
477 /*
478 * We skip this check under dbcheck to allow fixing of other
479 * attributes even if an attribute is missing. This matters
480 * for CN=RID Set as the required attribute rIDNextRid is not
481 * replicated.
482 */
483 if (found_must_contain[0] != NULL &&
484 ldb_msg_check_string_attribute(msg, "isDeleted", "TRUE") == 0) {
485
486 for (i = 0; found_must_contain[i] != NULL; i++) {
487 const struct dsdb_attribute *broken_attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
488 found_must_contain[i]);
489
490 bool replicated = (broken_attr->systemFlags &
491 (DS_FLAG_ATTR_NOT_REPLICATED | DS_FLAG_ATTR_IS_CONSTRUCTED)) == 0;
492
493 if (replicated) {
494 ldb_asprintf_errstring(ldb, "objectclass_attrs: at least one mandatory "
495 "attribute ('%s') on entry '%s' wasn't specified!",
496 found_must_contain[i],
497 ldb_dn_get_linearized(msg->dn));
498 return LDB_ERR_OBJECT_CLASS_VIOLATION;
499 }
500 }
501 }
502
503 if (isSchemaAttr) {
504 /*
505 * Before really adding an attribute in the database,
506 * let's check that we can translate it into a dsdb_attribute and
507 * that we can find a valid syntax object.
508 * If not it's better to reject this attribute than not be able
509 * to start samba next time due to schema being unloadable.
510 */
511 struct dsdb_attribute *att = talloc(ac, struct dsdb_attribute);
512 const struct dsdb_syntax *attrSyntax;
513 WERROR status;
514
515 status = dsdb_attribute_from_ldb(NULL, msg, att);
516 if (!W_ERROR_IS_OK(status)) {
517 ldb_set_errstring(ldb,
518 "objectclass: failed to translate the schemaAttribute to a dsdb_attribute");
519 return LDB_ERR_UNWILLING_TO_PERFORM;
520 }
521
522 attrSyntax = dsdb_syntax_for_attribute(att);
523 if (!attrSyntax) {
524 ldb_set_errstring(ldb,
525 "objectclass: unknown attribute syntax");
526 return LDB_ERR_UNWILLING_TO_PERFORM;
527 }
528 }
529 return ldb_module_done(ac->req, ac->mod_ares->controls,
530 ac->mod_ares->response, LDB_SUCCESS);
531 }
532
get_search_callback(struct ldb_request * req,struct ldb_reply * ares)533 static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares)
534 {
535 struct ldb_context *ldb;
536 struct oc_context *ac;
537 int ret;
538
539 ac = talloc_get_type(req->context, struct oc_context);
540 ldb = ldb_module_get_ctx(ac->module);
541
542 if (!ares) {
543 return ldb_module_done(ac->req, NULL, NULL,
544 LDB_ERR_OPERATIONS_ERROR);
545 }
546 if (ares->error != LDB_SUCCESS) {
547 return ldb_module_done(ac->req, ares->controls,
548 ares->response, ares->error);
549 }
550
551 ldb_reset_err_string(ldb);
552
553 switch (ares->type) {
554 case LDB_REPLY_ENTRY:
555 if (ac->search_res != NULL) {
556 ldb_set_errstring(ldb, "Too many results");
557 talloc_free(ares);
558 return ldb_module_done(ac->req, NULL, NULL,
559 LDB_ERR_OPERATIONS_ERROR);
560 }
561
562 ac->search_res = talloc_steal(ac, ares);
563 break;
564
565 case LDB_REPLY_REFERRAL:
566 /* ignore */
567 talloc_free(ares);
568 break;
569
570 case LDB_REPLY_DONE:
571 talloc_free(ares);
572 ret = attr_handler2(ac);
573 if (ret != LDB_SUCCESS) {
574 return ldb_module_done(ac->req, NULL, NULL, ret);
575 }
576 break;
577 }
578
579 return LDB_SUCCESS;
580 }
581
oc_op_callback(struct ldb_request * req,struct ldb_reply * ares)582 static int oc_op_callback(struct ldb_request *req, struct ldb_reply *ares)
583 {
584 struct oc_context *ac;
585 struct ldb_context *ldb;
586 struct ldb_request *search_req;
587 struct ldb_dn *base_dn;
588 int ret;
589 static const char *attrs[] = {"nTSecurityDescriptor", "*", NULL};
590
591 ac = talloc_get_type(req->context, struct oc_context);
592 ldb = ldb_module_get_ctx(ac->module);
593
594 if (!ares) {
595 return ldb_module_done(ac->req, NULL, NULL,
596 LDB_ERR_OPERATIONS_ERROR);
597 }
598
599 if (ares->type == LDB_REPLY_REFERRAL) {
600 return ldb_module_send_referral(ac->req, ares->referral);
601 }
602
603 if (ares->error != LDB_SUCCESS) {
604 return ldb_module_done(ac->req, ares->controls, ares->response,
605 ares->error);
606 }
607
608 if (ares->type != LDB_REPLY_DONE) {
609 talloc_free(ares);
610 return ldb_module_done(ac->req, NULL, NULL,
611 LDB_ERR_OPERATIONS_ERROR);
612 }
613
614 ac->search_res = NULL;
615 ac->mod_ares = talloc_steal(ac, ares);
616
617 /* This looks up all attributes of our just added/modified entry */
618 base_dn = ac->req->operation == LDB_ADD ? ac->req->op.add.message->dn
619 : ac->req->op.mod.message->dn;
620 ret = ldb_build_search_req(&search_req, ldb, ac, base_dn,
621 LDB_SCOPE_BASE, "(objectClass=*)",
622 attrs, NULL, ac,
623 get_search_callback, ac->req);
624 LDB_REQ_SET_LOCATION(search_req);
625 if (ret != LDB_SUCCESS) {
626 return ldb_module_done(ac->req, NULL, NULL, ret);
627 }
628
629 ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_RECYCLED_OID,
630 true, NULL);
631 if (ret != LDB_SUCCESS) {
632 return ldb_module_done(ac->req, NULL, NULL, ret);
633 }
634
635 /*
636 * This ensures we see if there was a DN, that pointed at an
637 * object that is now deleted, that we still consider the
638 * schema check to have passed
639 */
640 ret = ldb_request_add_control(search_req, LDB_CONTROL_REVEAL_INTERNALS,
641 false, NULL);
642 if (ret != LDB_SUCCESS) {
643 return ldb_module_done(ac->req, NULL, NULL, ret);
644 }
645
646 ret = ldb_next_request(ac->module, search_req);
647 if (ret != LDB_SUCCESS) {
648 return ldb_module_done(ac->req, NULL, NULL, ret);
649 }
650
651 /* "ldb_module_done" isn't called here since we need to do additional
652 * checks. It is called at the end of "attr_handler2". */
653 return LDB_SUCCESS;
654 }
655
objectclass_attrs_add(struct ldb_module * module,struct ldb_request * req)656 static int objectclass_attrs_add(struct ldb_module *module,
657 struct ldb_request *req)
658 {
659 struct ldb_context *ldb;
660 struct oc_context *ac;
661
662 ldb = ldb_module_get_ctx(module);
663
664 ldb_debug(ldb, LDB_DEBUG_TRACE, "objectclass_attrs_add\n");
665
666 /* do not manipulate our control entries */
667 if (ldb_dn_is_special(req->op.add.message->dn)) {
668 return ldb_next_request(module, req);
669 }
670
671 ac = oc_init_context(module, req);
672 if (ac == NULL) {
673 return ldb_operr(ldb);
674 }
675
676 /* without schema, there isn't much to do here */
677 if (ac->schema == NULL) {
678 talloc_free(ac);
679 return ldb_next_request(module, req);
680 }
681
682 return attr_handler(ac);
683 }
684
objectclass_attrs_modify(struct ldb_module * module,struct ldb_request * req)685 static int objectclass_attrs_modify(struct ldb_module *module,
686 struct ldb_request *req)
687 {
688 struct ldb_context *ldb;
689 struct ldb_control *sd_propagation_control;
690 int ret;
691
692 struct oc_context *ac;
693
694 ldb = ldb_module_get_ctx(module);
695
696 ldb_debug(ldb, LDB_DEBUG_TRACE, "objectclass_attrs_modify\n");
697
698 /* do not manipulate our control entries */
699 if (ldb_dn_is_special(req->op.mod.message->dn)) {
700 return ldb_next_request(module, req);
701 }
702
703 sd_propagation_control = ldb_request_get_control(req,
704 DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
705 if (sd_propagation_control != NULL) {
706 if (req->op.mod.message->num_elements != 1) {
707 return ldb_module_operr(module);
708 }
709 ret = strcmp(req->op.mod.message->elements[0].name,
710 "nTSecurityDescriptor");
711 if (ret != 0) {
712 return ldb_module_operr(module);
713 }
714
715 return ldb_next_request(module, req);
716 }
717
718 ac = oc_init_context(module, req);
719 if (ac == NULL) {
720 return ldb_operr(ldb);
721 }
722
723 /* without schema, there isn't much to do here */
724 if (ac->schema == NULL) {
725 talloc_free(ac);
726 return ldb_next_request(module, req);
727 }
728
729 return attr_handler(ac);
730 }
731
732 static const struct ldb_module_ops ldb_objectclass_attrs_module_ops = {
733 .name = "objectclass_attrs",
734 .add = objectclass_attrs_add,
735 .modify = objectclass_attrs_modify
736 };
737
ldb_objectclass_attrs_module_init(const char * version)738 int ldb_objectclass_attrs_module_init(const char *version)
739 {
740 LDB_MODULE_CHECK_VERSION(version);
741 return ldb_register_module(&ldb_objectclass_attrs_module_ops);
742 }
743