mirror of
https://github.com/samba-team/samba.git
synced 2025-01-21 18:04:06 +03:00
24b0dad5b5
A Coverity false positive (we check for error) but it is worth doing per README.Coding Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <josutton@catalyst.net.nz>
2015 lines
56 KiB
C
2015 lines
56 KiB
C
/*
|
|
ldb database library
|
|
|
|
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2010
|
|
Copyright (C) Andrew Tridgell 2005
|
|
Copyright (C) Simo Sorce 2006-2008
|
|
Copyright (C) Matthias Dieter Wallnöfer 2009
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
/*
|
|
handle operational attributes
|
|
*/
|
|
|
|
/*
|
|
createTimeStamp: HIDDEN, searchable, ldaptime, alias for whenCreated
|
|
modifyTimeStamp: HIDDEN, searchable, ldaptime, alias for whenChanged
|
|
|
|
for the above two, we do the search as normal, and if
|
|
createTimeStamp or modifyTimeStamp is asked for, then do
|
|
additional searches for whenCreated and whenChanged and fill in
|
|
the resulting values
|
|
|
|
we also need to replace these with the whenCreated/whenChanged
|
|
equivalent in the search expression trees
|
|
|
|
whenCreated: not-HIDDEN, CONSTRUCTED, SEARCHABLE
|
|
whenChanged: not-HIDDEN, CONSTRUCTED, SEARCHABLE
|
|
|
|
on init we need to setup attribute handlers for these so
|
|
comparisons are done correctly. The resolution is 1 second.
|
|
|
|
on add we need to add both the above, for current time
|
|
|
|
on modify we need to change whenChanged
|
|
|
|
structuralObjectClass: HIDDEN, CONSTRUCTED, not-searchable. always same as objectclass?
|
|
|
|
for this one we do the search as normal, then if requested ask
|
|
for objectclass, change the attribute name, and add it
|
|
|
|
primaryGroupToken: HIDDEN, CONSTRUCTED, SEARCHABLE
|
|
|
|
contains the RID of a certain group object
|
|
|
|
|
|
attributeTypes: in schema only
|
|
objectClasses: in schema only
|
|
matchingRules: in schema only
|
|
matchingRuleUse: in schema only
|
|
creatorsName: not supported by w2k3?
|
|
modifiersName: not supported by w2k3?
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include <ldb.h>
|
|
#include <ldb_module.h>
|
|
|
|
#include "librpc/gen_ndr/ndr_misc.h"
|
|
#include "librpc/gen_ndr/ndr_drsblobs.h"
|
|
#include "dsdb/samdb/samdb.h"
|
|
#include "dsdb/samdb/ldb_modules/managed_pwd.h"
|
|
#include "dsdb/samdb/ldb_modules/util.h"
|
|
|
|
#include "auth/auth.h"
|
|
|
|
#ifndef ARRAY_SIZE
|
|
#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
|
|
#endif
|
|
|
|
#undef strcasecmp
|
|
|
|
struct operational_data {
|
|
struct ldb_dn *aggregate_dn;
|
|
};
|
|
|
|
enum search_type {
|
|
TOKEN_GROUPS,
|
|
TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL,
|
|
TOKEN_GROUPS_NO_GC_ACCEPTABLE,
|
|
|
|
/*
|
|
* MS-DRSR 4.1.8.1.3 RevMembGetAccountGroups: Transitive membership in
|
|
* all account groups in a given domain, excluding built-in groups.
|
|
* (Used internally for msDS-ResultantPSO support)
|
|
*/
|
|
ACCOUNT_GROUPS
|
|
};
|
|
|
|
enum expire_uf_smartcard {
|
|
EXPIRE_UF_SMARTCARD_UNINIT = 0,
|
|
NO_EXPIRE_UF_SMARTCARD = 1,
|
|
EXPIRE_UF_SMARTCARD = 2
|
|
};
|
|
|
|
struct operational_context {
|
|
struct ldb_module *module;
|
|
struct ldb_request *req;
|
|
enum ldb_scope scope;
|
|
const char * const *attrs;
|
|
struct ldb_parse_tree *tree;
|
|
struct op_controls_flags* controls_flags;
|
|
struct op_attributes_operations *list_operations;
|
|
unsigned int list_operations_size;
|
|
struct op_attributes_replace *attrs_to_replace;
|
|
unsigned int attrs_to_replace_size;
|
|
enum expire_uf_smartcard expire_passwords_onsmartcardonlyaccounts;
|
|
NTTIME now;
|
|
};
|
|
|
|
static int get_pso_for_user(struct ldb_module *module,
|
|
struct ldb_message *user_msg,
|
|
struct ldb_request *parent,
|
|
struct ldb_message **pso_msg);
|
|
|
|
/*
|
|
construct a canonical name from a message
|
|
*/
|
|
static int construct_canonical_name(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
char *canonicalName;
|
|
canonicalName = ldb_dn_canonical_string(msg, msg->dn);
|
|
if (canonicalName == NULL) {
|
|
return ldb_operr(ldb_module_get_ctx(module));
|
|
}
|
|
return ldb_msg_add_steal_string(msg, "canonicalName", canonicalName);
|
|
}
|
|
|
|
/*
|
|
construct a primary group token for groups from a message
|
|
*/
|
|
static int construct_primary_group_token(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
struct ldb_context *ldb;
|
|
uint32_t primary_group_token;
|
|
|
|
ldb = ldb_module_get_ctx(module);
|
|
if (ldb_match_msg_objectclass(msg, "group") == 1) {
|
|
primary_group_token
|
|
= samdb_result_rid_from_sid(msg, msg, "objectSid", 0);
|
|
if (primary_group_token == 0) {
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
return samdb_msg_add_uint(ldb, msg, msg, "primaryGroupToken",
|
|
primary_group_token);
|
|
} else {
|
|
return LDB_SUCCESS;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Returns the group SIDs for the user in the given LDB message
|
|
*/
|
|
static int get_group_sids(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
|
|
struct ldb_message *msg, const char *attribute_string,
|
|
enum search_type type, struct auth_SidAttr **groupSIDs,
|
|
uint32_t *num_groupSIDs)
|
|
{
|
|
const char *filter = NULL;
|
|
NTSTATUS status;
|
|
struct dom_sid *primary_group_sid;
|
|
const char *primary_group_string;
|
|
const char *primary_group_dn;
|
|
DATA_BLOB primary_group_blob;
|
|
struct dom_sid *account_sid;
|
|
const char *account_sid_string;
|
|
const char *account_sid_dn;
|
|
DATA_BLOB account_sid_blob;
|
|
struct dom_sid *domain_sid;
|
|
|
|
/* If it's not a user, it won't have a primaryGroupID */
|
|
if (ldb_msg_find_element(msg, "primaryGroupID") == NULL) {
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/* Ensure it has an objectSID too */
|
|
account_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
|
|
if (account_sid == NULL) {
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
status = dom_sid_split_rid(mem_ctx, account_sid, &domain_sid, NULL);
|
|
if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
|
|
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
|
|
} else if (!NT_STATUS_IS_OK(status)) {
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
primary_group_sid = dom_sid_add_rid(mem_ctx,
|
|
domain_sid,
|
|
ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
|
|
if (!primary_group_sid) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
/* only return security groups */
|
|
switch(type) {
|
|
case TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL:
|
|
filter = talloc_asprintf(mem_ctx,
|
|
"(&(objectClass=group)"
|
|
"(groupType:"LDB_OID_COMPARATOR_AND":=%u)"
|
|
"(groupType:"LDB_OID_COMPARATOR_OR":=%u))",
|
|
GROUP_TYPE_SECURITY_ENABLED,
|
|
GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_UNIVERSAL_GROUP);
|
|
break;
|
|
case TOKEN_GROUPS_NO_GC_ACCEPTABLE:
|
|
case TOKEN_GROUPS:
|
|
filter = talloc_asprintf(mem_ctx,
|
|
"(&(objectClass=group)"
|
|
"(groupType:"LDB_OID_COMPARATOR_AND":=%u))",
|
|
GROUP_TYPE_SECURITY_ENABLED);
|
|
break;
|
|
|
|
/* for RevMembGetAccountGroups, exclude built-in groups */
|
|
case ACCOUNT_GROUPS:
|
|
filter = talloc_asprintf(mem_ctx,
|
|
"(&(objectClass=group)"
|
|
"(!(groupType:"LDB_OID_COMPARATOR_AND":=%u))"
|
|
"(groupType:"LDB_OID_COMPARATOR_AND":=%u))",
|
|
GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
|
|
break;
|
|
}
|
|
|
|
if (!filter) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
primary_group_string = dom_sid_string(mem_ctx, primary_group_sid);
|
|
if (!primary_group_string) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
primary_group_dn = talloc_asprintf(mem_ctx, "<SID=%s>", primary_group_string);
|
|
if (!primary_group_dn) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
primary_group_blob = data_blob_string_const(primary_group_dn);
|
|
|
|
account_sid_string = dom_sid_string(mem_ctx, account_sid);
|
|
if (!account_sid_string) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
account_sid_dn = talloc_asprintf(mem_ctx, "<SID=%s>", account_sid_string);
|
|
if (!account_sid_dn) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
account_sid_blob = data_blob_string_const(account_sid_dn);
|
|
|
|
status = dsdb_expand_nested_groups(ldb, &account_sid_blob,
|
|
true, /* We don't want to add the object's SID itself,
|
|
it's not returned in this attribute */
|
|
filter,
|
|
mem_ctx, groupSIDs, num_groupSIDs);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
ldb_asprintf_errstring(ldb, "Failed to construct %s: expanding groups of SID %s failed: %s",
|
|
attribute_string, account_sid_string,
|
|
nt_errstr(status));
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
/* Expands the primary group - this function takes in
|
|
* memberOf-like values, so we fake one up with the
|
|
* <SID=S-...> format of DN and then let it expand
|
|
* them, as long as they meet the filter - so only
|
|
* domain groups, not builtin groups
|
|
*/
|
|
status = dsdb_expand_nested_groups(ldb, &primary_group_blob, false, filter,
|
|
mem_ctx, groupSIDs, num_groupSIDs);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
ldb_asprintf_errstring(ldb, "Failed to construct %s: expanding groups of SID %s failed: %s",
|
|
attribute_string, account_sid_string,
|
|
nt_errstr(status));
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/*
|
|
construct the token groups for SAM objects from a message
|
|
*/
|
|
static int construct_generic_token_groups(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent,
|
|
const char *attribute_string,
|
|
enum search_type type)
|
|
{
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
TALLOC_CTX *tmp_ctx = talloc_new(msg);
|
|
uint32_t i;
|
|
int ret;
|
|
struct auth_SidAttr *groupSIDs = NULL;
|
|
uint32_t num_groupSIDs = 0;
|
|
|
|
if (scope != LDB_SCOPE_BASE) {
|
|
ldb_set_errstring(ldb, "Cannot provide tokenGroups attribute, this is not a BASE search");
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
/* calculate the group SIDs for this object */
|
|
ret = get_group_sids(ldb, tmp_ctx, msg, attribute_string, type,
|
|
&groupSIDs, &num_groupSIDs);
|
|
|
|
if (ret != LDB_SUCCESS) {
|
|
talloc_free(tmp_ctx);
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
/* add these SIDs to the search result */
|
|
for (i=0; i < num_groupSIDs; i++) {
|
|
ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i].sid);
|
|
if (ret) {
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
}
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
static int construct_token_groups(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
/**
|
|
* TODO: Add in a limiting domain when we start to support
|
|
* trusted domains.
|
|
*/
|
|
return construct_generic_token_groups(module, msg, scope, parent,
|
|
"tokenGroups",
|
|
TOKEN_GROUPS);
|
|
}
|
|
|
|
static int construct_token_groups_no_gc(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
/**
|
|
* TODO: Add in a limiting domain when we start to support
|
|
* trusted domains.
|
|
*/
|
|
return construct_generic_token_groups(module, msg, scope, parent,
|
|
"tokenGroupsNoGCAcceptable",
|
|
TOKEN_GROUPS);
|
|
}
|
|
|
|
static int construct_global_universal_token_groups(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
return construct_generic_token_groups(module, msg, scope, parent,
|
|
"tokenGroupsGlobalAndUniversal",
|
|
TOKEN_GROUPS_GLOBAL_AND_UNIVERSAL);
|
|
}
|
|
/*
|
|
construct the parent GUID for an entry from a message
|
|
*/
|
|
static int construct_parent_guid(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
struct ldb_result *res, *parent_res;
|
|
const struct ldb_val *parent_guid;
|
|
const char *attrs[] = { "instanceType", NULL };
|
|
const char *attrs2[] = { "objectGUID", NULL };
|
|
uint32_t instanceType;
|
|
int ret;
|
|
struct ldb_dn *parent_dn;
|
|
struct ldb_val v;
|
|
|
|
/* determine if the object is NC by instance type */
|
|
ret = dsdb_module_search_dn(module, msg, &res, msg->dn, attrs,
|
|
DSDB_FLAG_NEXT_MODULE |
|
|
DSDB_SEARCH_SHOW_RECYCLED, parent);
|
|
if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
|
|
"instanceType", 0);
|
|
talloc_free(res);
|
|
if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
|
|
DEBUG(4,(__location__ ": Object %s is NC\n",
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
return LDB_SUCCESS;
|
|
}
|
|
parent_dn = ldb_dn_get_parent(msg, msg->dn);
|
|
|
|
if (parent_dn == NULL) {
|
|
DEBUG(4,(__location__ ": Failed to find parent for dn %s\n",
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
return LDB_ERR_OTHER;
|
|
}
|
|
ret = dsdb_module_search_dn(module, msg, &parent_res, parent_dn, attrs2,
|
|
DSDB_FLAG_NEXT_MODULE |
|
|
DSDB_SEARCH_SHOW_RECYCLED, parent);
|
|
/* not NC, so the object should have a parent*/
|
|
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
|
|
ret = ldb_error(ldb_module_get_ctx(module), LDB_ERR_OPERATIONS_ERROR,
|
|
talloc_asprintf(msg, "Parent dn %s for %s does not exist",
|
|
ldb_dn_get_linearized(parent_dn),
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
talloc_free(parent_dn);
|
|
return ret;
|
|
} else if (ret != LDB_SUCCESS) {
|
|
talloc_free(parent_dn);
|
|
return ret;
|
|
}
|
|
talloc_free(parent_dn);
|
|
|
|
parent_guid = ldb_msg_find_ldb_val(parent_res->msgs[0], "objectGUID");
|
|
if (!parent_guid) {
|
|
talloc_free(parent_res);
|
|
return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
|
|
}
|
|
|
|
v = data_blob_dup_talloc(parent_res, *parent_guid);
|
|
if (!v.data) {
|
|
talloc_free(parent_res);
|
|
return ldb_oom(ldb_module_get_ctx(module));
|
|
}
|
|
ret = ldb_msg_add_steal_value(msg, "parentGUID", &v);
|
|
talloc_free(parent_res);
|
|
return ret;
|
|
}
|
|
|
|
static int construct_modifyTimeStamp(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
struct operational_data *data = talloc_get_type(ldb_module_get_private(module), struct operational_data);
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
|
|
/* We may be being called before the init function has finished */
|
|
if (!data) {
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/* Try and set this value up, if possible. Don't worry if it
|
|
* fails, we may not have the DB set up yet.
|
|
*/
|
|
if (!data->aggregate_dn) {
|
|
data->aggregate_dn = samdb_aggregate_schema_dn(ldb, data);
|
|
}
|
|
|
|
if (data->aggregate_dn && ldb_dn_compare(data->aggregate_dn, msg->dn) == 0) {
|
|
/*
|
|
* If we have the DN for the object with common name = Aggregate and
|
|
* the request is for this DN then let's do the following:
|
|
* 1) search the object which changedUSN correspond to the one of the loaded
|
|
* schema.
|
|
* 2) Get the whenChanged attribute
|
|
* 3) Generate the modifyTimestamp out of the whenChanged attribute
|
|
*/
|
|
const struct dsdb_schema *schema = dsdb_get_schema(ldb, NULL);
|
|
char *value = ldb_timestring(msg, schema->ts_last_change);
|
|
|
|
if (value == NULL) {
|
|
return ldb_oom(ldb_module_get_ctx(module));
|
|
}
|
|
|
|
return ldb_msg_add_string(msg, "modifyTimeStamp", value);
|
|
}
|
|
return ldb_msg_copy_attr(msg, "whenChanged", "modifyTimeStamp");
|
|
}
|
|
|
|
/*
|
|
construct a subSchemaSubEntry
|
|
*/
|
|
static int construct_subschema_subentry(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
struct operational_data *data = talloc_get_type(ldb_module_get_private(module), struct operational_data);
|
|
char *subSchemaSubEntry;
|
|
|
|
/* We may be being called before the init function has finished */
|
|
if (!data) {
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/* Try and set this value up, if possible. Don't worry if it
|
|
* fails, we may not have the DB set up yet, and it's not
|
|
* really vital anyway */
|
|
if (!data->aggregate_dn) {
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
data->aggregate_dn = samdb_aggregate_schema_dn(ldb, data);
|
|
}
|
|
|
|
if (data->aggregate_dn) {
|
|
subSchemaSubEntry = ldb_dn_alloc_linearized(msg, data->aggregate_dn);
|
|
return ldb_msg_add_steal_string(msg, "subSchemaSubEntry", subSchemaSubEntry);
|
|
}
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
|
|
static int construct_msds_isrodc_with_dn(struct ldb_module *module,
|
|
struct ldb_message *msg,
|
|
struct ldb_message_element *object_category)
|
|
{
|
|
struct ldb_context *ldb;
|
|
struct ldb_dn *dn;
|
|
const struct ldb_val *val;
|
|
|
|
ldb = ldb_module_get_ctx(module);
|
|
if (!ldb) {
|
|
DEBUG(4, (__location__ ": Failed to get ldb \n"));
|
|
return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
|
|
dn = ldb_dn_new(msg, ldb, (const char *)object_category->values[0].data);
|
|
if (!dn) {
|
|
DEBUG(4, (__location__ ": Failed to create dn from %s \n",
|
|
(const char *)object_category->values[0].data));
|
|
return ldb_operr(ldb);
|
|
}
|
|
|
|
val = ldb_dn_get_rdn_val(dn);
|
|
if (!val) {
|
|
DEBUG(4, (__location__ ": Failed to get rdn val from %s \n",
|
|
ldb_dn_get_linearized(dn)));
|
|
return ldb_operr(ldb);
|
|
}
|
|
|
|
if (strequal((const char *)val->data, "NTDS-DSA")) {
|
|
ldb_msg_add_string(msg, "msDS-isRODC", "FALSE");
|
|
} else {
|
|
ldb_msg_add_string(msg, "msDS-isRODC", "TRUE");
|
|
}
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
static int construct_msds_isrodc_with_server_dn(struct ldb_module *module,
|
|
struct ldb_message *msg,
|
|
struct ldb_dn *dn,
|
|
struct ldb_request *parent)
|
|
{
|
|
struct ldb_dn *server_dn = NULL;
|
|
const char *attr_obj_cat[] = { "objectCategory", NULL };
|
|
struct ldb_result *res;
|
|
struct ldb_message_element *object_category;
|
|
int ret;
|
|
|
|
server_dn = ldb_dn_copy(msg, dn);
|
|
if (!ldb_dn_add_child_fmt(server_dn, "CN=NTDS Settings")) {
|
|
DEBUG(4, (__location__ ": Failed to add child to %s \n",
|
|
ldb_dn_get_linearized(server_dn)));
|
|
return ldb_operr(ldb_module_get_ctx(module));
|
|
}
|
|
|
|
ret = dsdb_module_search_dn(module, msg, &res, server_dn, attr_obj_cat,
|
|
DSDB_FLAG_NEXT_MODULE, parent);
|
|
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
|
|
DEBUG(4,(__location__ ": Can't get objectCategory for %s \n",
|
|
ldb_dn_get_linearized(server_dn)));
|
|
return LDB_SUCCESS;
|
|
} else if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
object_category = ldb_msg_find_element(res->msgs[0], "objectCategory");
|
|
if (!object_category) {
|
|
DEBUG(4,(__location__ ": Can't find objectCategory for %s \n",
|
|
ldb_dn_get_linearized(res->msgs[0]->dn)));
|
|
return LDB_SUCCESS;
|
|
}
|
|
return construct_msds_isrodc_with_dn(module, msg, object_category);
|
|
}
|
|
|
|
static int construct_msds_isrodc_with_computer_dn(struct ldb_module *module,
|
|
struct ldb_message *msg,
|
|
struct ldb_request *parent)
|
|
{
|
|
int ret;
|
|
struct ldb_dn *server_dn = NULL;
|
|
|
|
ret = dsdb_module_reference_dn(module, msg, msg->dn, "serverReferenceBL",
|
|
&server_dn, parent);
|
|
if (ret == LDB_ERR_NO_SUCH_OBJECT || ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
|
|
/* it's OK if we can't find serverReferenceBL attribute */
|
|
DEBUG(4,(__location__ ": Can't get serverReferenceBL for %s \n",
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
return LDB_SUCCESS;
|
|
} else if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
return construct_msds_isrodc_with_server_dn(module, msg, server_dn, parent);
|
|
}
|
|
|
|
/*
|
|
construct msDS-isRODC attr
|
|
*/
|
|
static int construct_msds_isrodc(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
struct ldb_message_element * object_class;
|
|
struct ldb_message_element * object_category;
|
|
unsigned int i;
|
|
|
|
object_class = ldb_msg_find_element(msg, "objectClass");
|
|
if (!object_class) {
|
|
DEBUG(4,(__location__ ": Can't get objectClass for %s \n",
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
return ldb_operr(ldb_module_get_ctx(module));
|
|
}
|
|
|
|
for (i=0; i<object_class->num_values; i++) {
|
|
if (strequal((const char*)object_class->values[i].data, "nTDSDSA")) {
|
|
/* If TO!objectCategory equals the DN of the classSchema object for the nTDSDSA
|
|
* object class, then TO!msDS-isRODC is false. Otherwise, TO!msDS-isRODC is true.
|
|
*/
|
|
object_category = ldb_msg_find_element(msg, "objectCategory");
|
|
if (!object_category) {
|
|
DEBUG(4,(__location__ ": Can't get objectCategory for %s \n",
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
return LDB_SUCCESS;
|
|
}
|
|
return construct_msds_isrodc_with_dn(module, msg, object_category);
|
|
}
|
|
if (strequal((const char*)object_class->values[i].data, "server")) {
|
|
/* Let TN be the nTDSDSA object whose DN is "CN=NTDS Settings," prepended to
|
|
* the DN of TO. Apply the previous rule for the "TO is an nTDSDSA object" case,
|
|
* substituting TN for TO.
|
|
*/
|
|
return construct_msds_isrodc_with_server_dn(module, msg, msg->dn, parent);
|
|
}
|
|
if (strequal((const char*)object_class->values[i].data, "computer")) {
|
|
/* Let TS be the server object named by TO!serverReferenceBL. Apply the previous
|
|
* rule for the "TO is a server object" case, substituting TS for TO.
|
|
*/
|
|
return construct_msds_isrodc_with_computer_dn(module, msg, parent);
|
|
}
|
|
}
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
|
|
/*
|
|
construct msDS-keyVersionNumber attr
|
|
|
|
TODO: Make this based on the 'win2k' DS heuristics bit...
|
|
|
|
*/
|
|
static int construct_msds_keyversionnumber(struct ldb_module *module,
|
|
struct ldb_message *msg,
|
|
enum ldb_scope scope,
|
|
struct ldb_request *parent,
|
|
struct ldb_reply *ares)
|
|
{
|
|
uint32_t i;
|
|
enum ndr_err_code ndr_err;
|
|
const struct ldb_val *omd_value;
|
|
struct replPropertyMetaDataBlob *omd;
|
|
int ret;
|
|
|
|
omd_value = ldb_msg_find_ldb_val(msg, "replPropertyMetaData");
|
|
if (!omd_value) {
|
|
/* We can't make up a key version number without meta data */
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
omd = talloc(msg, struct replPropertyMetaDataBlob);
|
|
if (!omd) {
|
|
ldb_module_oom(module);
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
ndr_err = ndr_pull_struct_blob(omd_value, omd, omd,
|
|
(ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
DEBUG(0,(__location__ ": Failed to parse replPropertyMetaData for %s when trying to add msDS-KeyVersionNumber\n",
|
|
ldb_dn_get_linearized(msg->dn)));
|
|
return ldb_operr(ldb_module_get_ctx(module));
|
|
}
|
|
|
|
if (omd->version != 1) {
|
|
DEBUG(0,(__location__ ": bad version %u in replPropertyMetaData for %s when trying to add msDS-KeyVersionNumber\n",
|
|
omd->version, ldb_dn_get_linearized(msg->dn)));
|
|
talloc_free(omd);
|
|
return LDB_SUCCESS;
|
|
}
|
|
for (i=0; i<omd->ctr.ctr1.count; i++) {
|
|
if (omd->ctr.ctr1.array[i].attid == DRSUAPI_ATTID_unicodePwd) {
|
|
ret = samdb_msg_add_uint(ldb_module_get_ctx(module),
|
|
msg, msg,
|
|
"msDS-KeyVersionNumber",
|
|
omd->ctr.ctr1.array[i].version);
|
|
if (ret != LDB_SUCCESS) {
|
|
talloc_free(omd);
|
|
return ret;
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
return LDB_SUCCESS;
|
|
|
|
}
|
|
|
|
#define _UF_NO_EXPIRY_ACCOUNTS ( \
|
|
UF_DONT_EXPIRE_PASSWD | \
|
|
UF_TRUST_ACCOUNT_MASK \
|
|
)
|
|
|
|
|
|
/*
|
|
* Returns the Effective-MaximumPasswordAge for a user
|
|
*/
|
|
static int64_t get_user_max_pwd_age(struct ldb_module *module,
|
|
struct ldb_message *user_msg,
|
|
struct ldb_request *parent,
|
|
struct ldb_dn *nc_root)
|
|
{
|
|
int ret;
|
|
struct ldb_message *pso = NULL;
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
|
|
/* if a PSO applies to the user, use its maxPwdAge */
|
|
ret = get_pso_for_user(module, user_msg, parent, &pso);
|
|
if (ret != LDB_SUCCESS) {
|
|
|
|
/* log the error, but fallback to the domain default */
|
|
DBG_ERR("Error retrieving PSO for %s\n",
|
|
ldb_dn_get_linearized(user_msg->dn));
|
|
}
|
|
|
|
if (pso != NULL) {
|
|
return ldb_msg_find_attr_as_int64(pso,
|
|
"msDS-MaximumPasswordAge", 0);
|
|
}
|
|
|
|
/* otherwise return the default domain value */
|
|
return samdb_search_int64(ldb, user_msg, 0, nc_root, "maxPwdAge", NULL);
|
|
}
|
|
|
|
static enum expire_uf_smartcard get_expire_passwords_onsmartcardonlyaccounts(struct ldb_module *module,
|
|
struct operational_context *ac)
|
|
{
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
if (ac->expire_passwords_onsmartcardonlyaccounts != EXPIRE_UF_SMARTCARD_UNINIT) {
|
|
return ac->expire_passwords_onsmartcardonlyaccounts;
|
|
}
|
|
|
|
if (dsdb_functional_level(ldb) < DS_DOMAIN_FUNCTION_2016) {
|
|
ac->expire_passwords_onsmartcardonlyaccounts
|
|
= NO_EXPIRE_UF_SMARTCARD;
|
|
} else {
|
|
const char *base_attrs[] = { "msDS-ExpirePasswordsOnSmartCardOnlyAccounts",
|
|
NULL };
|
|
struct ldb_message *base_msg;
|
|
bool attr_in_ldb;
|
|
|
|
int ldb_ret = dsdb_search_one(ldb, ac,
|
|
&base_msg,
|
|
ldb_get_default_basedn(ldb),
|
|
LDB_SCOPE_BASE,
|
|
base_attrs, 0, NULL);
|
|
if (ldb_ret != LDB_SUCCESS) {
|
|
DBG_WARNING("could not find own base DN in DB: %s\n", ldb_errstring(ldb));
|
|
return EXPIRE_UF_SMARTCARD_UNINIT;
|
|
}
|
|
/*
|
|
* This attribute is to allow these passwords to
|
|
* expire, and if they expire to rotate them. TRUE
|
|
* means rotate, FALSE or absent meant never allow to
|
|
* expire.
|
|
*/
|
|
attr_in_ldb = ldb_msg_find_attr_as_bool(base_msg,
|
|
"msDS-ExpirePasswordsOnSmartCardOnlyAccounts",
|
|
false);
|
|
talloc_free(base_msg);
|
|
if (attr_in_ldb) {
|
|
ac->expire_passwords_onsmartcardonlyaccounts
|
|
= EXPIRE_UF_SMARTCARD;
|
|
} else {
|
|
ac->expire_passwords_onsmartcardonlyaccounts
|
|
= NO_EXPIRE_UF_SMARTCARD;
|
|
}
|
|
}
|
|
return ac->expire_passwords_onsmartcardonlyaccounts;
|
|
}
|
|
|
|
|
|
/*
|
|
calculate msDS-UserPasswordExpiryTimeComputed
|
|
*/
|
|
static NTTIME get_msds_user_password_expiry_time_computed(struct ldb_module *module,
|
|
struct operational_context *ac,
|
|
struct ldb_message *msg,
|
|
struct ldb_request *parent,
|
|
struct ldb_dn *domain_dn)
|
|
{
|
|
int64_t pwdLastSet, maxPwdAge;
|
|
uint32_t userAccountControl;
|
|
NTTIME ret;
|
|
|
|
userAccountControl = ldb_msg_find_attr_as_uint(msg,
|
|
"userAccountControl",
|
|
0);
|
|
if (userAccountControl & _UF_NO_EXPIRY_ACCOUNTS) {
|
|
return INT64_MAX;
|
|
}
|
|
|
|
if (userAccountControl & UF_SMARTCARD_REQUIRED) {
|
|
enum expire_uf_smartcard expire_uf_smartcard =
|
|
get_expire_passwords_onsmartcardonlyaccounts(module, ac);
|
|
|
|
if (expire_uf_smartcard != EXPIRE_UF_SMARTCARD) {
|
|
return INT64_MAX;
|
|
}
|
|
}
|
|
|
|
pwdLastSet = ldb_msg_find_attr_as_int64(msg, "pwdLastSet", 0);
|
|
if (pwdLastSet == 0) {
|
|
return 0;
|
|
}
|
|
|
|
if (pwdLastSet <= -1) {
|
|
/*
|
|
* This can't really happen...
|
|
*/
|
|
return INT64_MAX;
|
|
}
|
|
|
|
if (pwdLastSet >= INT64_MAX) {
|
|
/*
|
|
* Somethings wrong with the clock...
|
|
*/
|
|
return INT64_MAX;
|
|
}
|
|
|
|
/*
|
|
* Note that maxPwdAge is a stored as negative value.
|
|
*
|
|
* Possible values are in the range of:
|
|
*
|
|
* maxPwdAge: -2
|
|
* to
|
|
* maxPwdAge: -9223372036854775808 (INT64_MIN)
|
|
*
|
|
*/
|
|
maxPwdAge = get_user_max_pwd_age(module, msg, parent, domain_dn);
|
|
if (maxPwdAge >= -1) {
|
|
/*
|
|
* This is not really possible...
|
|
*/
|
|
return INT64_MAX;
|
|
}
|
|
|
|
if (maxPwdAge == INT64_MIN) {
|
|
return INT64_MAX;
|
|
}
|
|
|
|
/*
|
|
* Note we already caught maxPwdAge == INT64_MIN
|
|
* and pwdLastSet >= INT64_MAX above.
|
|
*
|
|
* Remember maxPwdAge is a negative number,
|
|
* so it results in the following.
|
|
*
|
|
* 0x7FFFFFFFFFFFFFFEULL + INT64_MAX
|
|
* =
|
|
* 0xFFFFFFFFFFFFFFFDULL
|
|
*
|
|
* or to put it another way, adding two numbers less than 1<<63 can't
|
|
* ever be more than 1<<64, therefore this result can't wrap.
|
|
*/
|
|
ret = (NTTIME)pwdLastSet - (NTTIME)maxPwdAge;
|
|
if (ret >= INT64_MAX) {
|
|
return INT64_MAX;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Returns the Effective-LockoutDuration for a user
|
|
*/
|
|
static int64_t get_user_lockout_duration(struct ldb_module *module,
|
|
struct ldb_message *user_msg,
|
|
struct ldb_request *parent,
|
|
struct ldb_dn *nc_root)
|
|
{
|
|
int ret;
|
|
struct ldb_message *pso = NULL;
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
|
|
/* if a PSO applies to the user, use its lockoutDuration */
|
|
ret = get_pso_for_user(module, user_msg, parent, &pso);
|
|
if (ret != LDB_SUCCESS) {
|
|
|
|
/* log the error, but fallback to the domain default */
|
|
DBG_ERR("Error retrieving PSO for %s\n",
|
|
ldb_dn_get_linearized(user_msg->dn));
|
|
}
|
|
|
|
if (pso != NULL) {
|
|
return ldb_msg_find_attr_as_int64(pso,
|
|
"msDS-LockoutDuration", 0);
|
|
}
|
|
|
|
/* otherwise return the default domain value */
|
|
return samdb_search_int64(ldb, user_msg, 0, nc_root, "lockoutDuration",
|
|
NULL);
|
|
}
|
|
|
|
/*
|
|
construct msDS-User-Account-Control-Computed attr
|
|
*/
|
|
static int construct_msds_user_account_control_computed(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
uint32_t msDS_User_Account_Control_Computed = 0;
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
struct ldb_dn *nc_root;
|
|
NTTIME must_change_time;
|
|
int ret;
|
|
struct operational_context *ac
|
|
= talloc_get_type_abort(parent->context,
|
|
struct operational_context);
|
|
|
|
ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);
|
|
if (ret != 0) {
|
|
ldb_asprintf_errstring(ldb,
|
|
"Failed to find NC root of DN: %s: %s",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb_module_get_ctx(module)));
|
|
return ret;
|
|
}
|
|
if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) != 0) {
|
|
/* Only calculate this on our default NC */
|
|
return 0;
|
|
}
|
|
|
|
if (ac->now == 0) {
|
|
/* Get the current or simulated time */
|
|
bool time_ok = dsdb_gmsa_current_time(ldb, &ac->now);
|
|
if (!time_ok) {
|
|
return ldb_module_operr(module);
|
|
}
|
|
}
|
|
|
|
if (!dsdb_account_is_trust(msg)) {
|
|
|
|
int64_t lockoutTime = ldb_msg_find_attr_as_int64(msg, "lockoutTime", 0);
|
|
if (lockoutTime != 0) {
|
|
int64_t lockoutDuration;
|
|
|
|
lockoutDuration = get_user_lockout_duration(module, msg,
|
|
parent,
|
|
nc_root);
|
|
|
|
/* zero locks out until the administrator intervenes */
|
|
if (lockoutDuration >= 0) {
|
|
msDS_User_Account_Control_Computed |= UF_LOCKOUT;
|
|
} else if (lockoutTime - lockoutDuration >= ac->now) {
|
|
msDS_User_Account_Control_Computed |= UF_LOCKOUT;
|
|
}
|
|
}
|
|
}
|
|
|
|
must_change_time
|
|
= get_msds_user_password_expiry_time_computed(module,
|
|
ac,
|
|
msg,
|
|
parent,
|
|
nc_root);
|
|
/* check for expired password */
|
|
if (must_change_time < ac->now) {
|
|
msDS_User_Account_Control_Computed |= UF_PASSWORD_EXPIRED;
|
|
}
|
|
|
|
return samdb_msg_add_int64(ldb,
|
|
msg->elements, msg,
|
|
"msDS-User-Account-Control-Computed",
|
|
msDS_User_Account_Control_Computed);
|
|
}
|
|
|
|
/*
|
|
construct msDS-UserPasswordExpiryTimeComputed
|
|
*/
|
|
static int construct_msds_user_password_expiry_time_computed(struct ldb_module *module,
|
|
struct ldb_message *msg, enum ldb_scope scope,
|
|
struct ldb_request *parent, struct ldb_reply *ares)
|
|
{
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
struct operational_context *ac
|
|
= talloc_get_type_abort(parent->context,
|
|
struct operational_context);
|
|
struct ldb_dn *nc_root;
|
|
int64_t password_expiry_time;
|
|
int ret;
|
|
|
|
ret = dsdb_find_nc_root(ldb, msg, msg->dn, &nc_root);
|
|
if (ret != 0) {
|
|
ldb_asprintf_errstring(ldb,
|
|
"Failed to find NC root of DN: %s: %s",
|
|
ldb_dn_get_linearized(msg->dn),
|
|
ldb_errstring(ldb));
|
|
return ret;
|
|
}
|
|
|
|
if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) != 0) {
|
|
/* Only calculate this on our default NC */
|
|
return 0;
|
|
}
|
|
|
|
password_expiry_time
|
|
= get_msds_user_password_expiry_time_computed(module,
|
|
ac,
|
|
msg,
|
|
parent, nc_root);
|
|
|
|
return samdb_msg_add_int64(ldb,
|
|
msg->elements, msg,
|
|
"msDS-UserPasswordExpiryTimeComputed",
|
|
password_expiry_time);
|
|
}
|
|
|
|
/*
|
|
* Checks whether the msDS-ResultantPSO attribute is supported for a given
|
|
* user object. As per MS-ADTS, section 3.1.1.4.5.36 msDS-ResultantPSO.
|
|
*/
|
|
static bool pso_is_supported(struct ldb_context *ldb, struct ldb_message *msg)
|
|
{
|
|
int functional_level;
|
|
uint32_t uac;
|
|
uint32_t user_rid;
|
|
|
|
functional_level = dsdb_functional_level(ldb);
|
|
if (functional_level < DS_DOMAIN_FUNCTION_2008) {
|
|
return false;
|
|
}
|
|
|
|
/* msDS-ResultantPSO is only supported for user objects */
|
|
if (!ldb_match_msg_objectclass(msg, "user")) {
|
|
return false;
|
|
}
|
|
|
|
/* ...and only if the ADS_UF_NORMAL_ACCOUNT bit is set */
|
|
uac = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
|
|
if (!(uac & UF_NORMAL_ACCOUNT)) {
|
|
return false;
|
|
}
|
|
|
|
/* skip it if it's the special KRBTGT default account */
|
|
user_rid = samdb_result_rid_from_sid(msg, msg, "objectSid", 0);
|
|
if (user_rid == DOMAIN_RID_KRBTGT) {
|
|
return false;
|
|
}
|
|
|
|
/* ...or if it's a special KRBTGT account for an RODC KDC */
|
|
if (ldb_msg_find_ldb_val(msg, "msDS-SecondaryKrbTgtNumber") != NULL) {
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Returns the number of PSO objects that exist in the DB
|
|
*/
|
|
static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx,
|
|
struct ldb_request *parent, int *pso_count)
|
|
{
|
|
static const char * const attrs[] = { NULL };
|
|
int ret;
|
|
struct ldb_dn *psc_dn = NULL;
|
|
struct ldb_result *res = NULL;
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
bool psc_ok;
|
|
|
|
*pso_count = 0;
|
|
psc_dn = samdb_system_container_dn(ldb, mem_ctx);
|
|
if (psc_dn == NULL) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
psc_ok = ldb_dn_add_child_fmt(psc_dn, "CN=Password Settings Container");
|
|
if (psc_ok == false) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
/* get the number of PSO children */
|
|
ret = dsdb_module_search(module, mem_ctx, &res, psc_dn,
|
|
LDB_SCOPE_ONELEVEL, attrs,
|
|
DSDB_FLAG_NEXT_MODULE, parent,
|
|
"(objectClass=msDS-PasswordSettings)");
|
|
|
|
/*
|
|
* Just ignore PSOs if the container doesn't exist. This is a weird
|
|
* corner-case where the AD DB was created from a pre-2008 base schema,
|
|
* and then the FL was manually upgraded.
|
|
*/
|
|
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
|
|
DBG_NOTICE("No Password Settings Container exists\n");
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
*pso_count = res->count;
|
|
talloc_free(res);
|
|
talloc_free(psc_dn);
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/*
|
|
* Compares two PSO objects returned by a search, to work out the better PSO.
|
|
* The PSO with the lowest precedence is better, otherwise (if the precedence
|
|
* is equal) the PSO with the lower GUID wins.
|
|
*/
|
|
static int pso_compare(struct ldb_message **m1, struct ldb_message **m2)
|
|
{
|
|
uint32_t prec1;
|
|
uint32_t prec2;
|
|
|
|
prec1 = ldb_msg_find_attr_as_uint(*m1, "msDS-PasswordSettingsPrecedence",
|
|
0xffffffff);
|
|
prec2 = ldb_msg_find_attr_as_uint(*m2, "msDS-PasswordSettingsPrecedence",
|
|
0xffffffff);
|
|
|
|
/* if precedence is equal, use the lowest GUID */
|
|
if (prec1 == prec2) {
|
|
struct GUID guid1 = samdb_result_guid(*m1, "objectGUID");
|
|
struct GUID guid2 = samdb_result_guid(*m2, "objectGUID");
|
|
|
|
return ndr_guid_compare(&guid1, &guid2);
|
|
} else {
|
|
return NUMERIC_CMP(prec1, prec2);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Search for PSO objects that apply to the object SIDs specified
|
|
*/
|
|
static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx,
|
|
struct ldb_request *parent,
|
|
struct auth_SidAttr *sid_array, unsigned int num_sids,
|
|
struct ldb_result **result)
|
|
{
|
|
int ret;
|
|
int i;
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
char *sid_filter = NULL;
|
|
struct ldb_dn *psc_dn = NULL;
|
|
bool psc_ok;
|
|
const char *attrs[] = {
|
|
"msDS-PasswordSettingsPrecedence",
|
|
"objectGUID",
|
|
"msDS-LockoutDuration",
|
|
"msDS-MaximumPasswordAge",
|
|
NULL
|
|
};
|
|
|
|
/* build a query for PSO objects that apply to any of the SIDs given */
|
|
sid_filter = talloc_strdup(mem_ctx, "");
|
|
if (sid_filter == NULL) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
for (i = 0; sid_filter && i < num_sids; i++) {
|
|
struct dom_sid_buf sid_buf;
|
|
|
|
sid_filter = talloc_asprintf_append(
|
|
sid_filter,
|
|
"(msDS-PSOAppliesTo=<SID=%s>)",
|
|
dom_sid_str_buf(&sid_array[i].sid, &sid_buf));
|
|
if (sid_filter == NULL) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
}
|
|
|
|
/* only PSOs located in the Password Settings Container are valid */
|
|
psc_dn = samdb_system_container_dn(ldb, mem_ctx);
|
|
if (psc_dn == NULL) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
psc_ok = ldb_dn_add_child_fmt(psc_dn, "CN=Password Settings Container");
|
|
if (psc_ok == false) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
ret = dsdb_module_search(module, mem_ctx, result, psc_dn,
|
|
LDB_SCOPE_ONELEVEL, attrs,
|
|
DSDB_FLAG_NEXT_MODULE, parent,
|
|
"(&(objectClass=msDS-PasswordSettings)(|%s))",
|
|
sid_filter);
|
|
talloc_free(sid_filter);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Returns the best PSO object that applies to the object SID(s) specified
|
|
*/
|
|
static int pso_find_best(struct ldb_module *module, TALLOC_CTX *mem_ctx,
|
|
struct ldb_request *parent, struct auth_SidAttr *sid_array,
|
|
unsigned int num_sids, struct ldb_message **best_pso)
|
|
{
|
|
struct ldb_result *res = NULL;
|
|
int ret;
|
|
|
|
*best_pso = NULL;
|
|
|
|
/* find any PSOs that apply to the SIDs specified */
|
|
ret = pso_search_by_sids(module, mem_ctx, parent, sid_array, num_sids,
|
|
&res);
|
|
if (ret != LDB_SUCCESS) {
|
|
DBG_ERR("Error %d retrieving PSO for SID(s)\n", ret);
|
|
return ret;
|
|
}
|
|
|
|
/* sort the list so that the best PSO is first */
|
|
TYPESAFE_QSORT(res->msgs, res->count, pso_compare);
|
|
|
|
if (res->count > 0) {
|
|
*best_pso = res->msgs[0];
|
|
}
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/*
|
|
* Determines the Password Settings Object (PSO) that applies to the given user
|
|
*/
|
|
static int get_pso_for_user(struct ldb_module *module,
|
|
struct ldb_message *user_msg,
|
|
struct ldb_request *parent,
|
|
struct ldb_message **pso_msg)
|
|
{
|
|
bool pso_supported;
|
|
struct auth_SidAttr *groupSIDs = NULL;
|
|
uint32_t num_groupSIDs = 0;
|
|
struct ldb_context *ldb = ldb_module_get_ctx(module);
|
|
struct ldb_message *best_pso = NULL;
|
|
struct ldb_dn *pso_dn = NULL;
|
|
int ret;
|
|
struct ldb_message_element *el = NULL;
|
|
TALLOC_CTX *tmp_ctx = NULL;
|
|
int pso_count = 0;
|
|
struct ldb_result *res = NULL;
|
|
static const char *attrs[] = {
|
|
"msDS-LockoutDuration",
|
|
"msDS-MaximumPasswordAge",
|
|
NULL
|
|
};
|
|
|
|
*pso_msg = NULL;
|
|
|
|
/* first, check msDS-ResultantPSO is supported for this object */
|
|
pso_supported = pso_is_supported(ldb, user_msg);
|
|
|
|
if (!pso_supported) {
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
tmp_ctx = talloc_new(user_msg);
|
|
|
|
/*
|
|
* Several different constructed attributes try to use the PSO info. If
|
|
* we've already constructed the msDS-ResultantPSO for this user, we can
|
|
* just re-use the result, rather than calculating it from scratch again
|
|
*/
|
|
pso_dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, user_msg,
|
|
"msDS-ResultantPSO");
|
|
|
|
if (pso_dn != NULL) {
|
|
ret = dsdb_module_search_dn(module, tmp_ctx, &res, pso_dn,
|
|
attrs, DSDB_FLAG_NEXT_MODULE,
|
|
parent);
|
|
if (ret != LDB_SUCCESS) {
|
|
DBG_ERR("Error %d retrieving PSO %s\n", ret,
|
|
ldb_dn_get_linearized(pso_dn));
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
|
|
if (res->count == 1) {
|
|
*pso_msg = res->msgs[0];
|
|
return LDB_SUCCESS;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* if any PSOs apply directly to the user, they are considered first
|
|
* before we check group membership PSOs
|
|
*/
|
|
el = ldb_msg_find_element(user_msg, "msDS-PSOApplied");
|
|
|
|
if (el != NULL && el->num_values > 0) {
|
|
struct auth_SidAttr *user_sid = NULL;
|
|
|
|
/* lookup the best PSO object, based on the user's SID */
|
|
user_sid = samdb_result_dom_sid_attrs(
|
|
tmp_ctx, user_msg, "objectSid",
|
|
SE_GROUP_DEFAULT_FLAGS);
|
|
|
|
ret = pso_find_best(module, tmp_ctx, parent, user_sid, 1,
|
|
&best_pso);
|
|
if (ret != LDB_SUCCESS) {
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
|
|
if (best_pso != NULL) {
|
|
*pso_msg = best_pso;
|
|
return LDB_SUCCESS;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If no valid PSO applies directly to the user, then try its groups.
|
|
* The group expansion is expensive, so check there are actually
|
|
* PSOs in the DB first (which is a quick search). Note in the above
|
|
* cases we could tell that a PSO applied to the user, based on info
|
|
* already retrieved by the user search.
|
|
*/
|
|
ret = get_pso_count(module, tmp_ctx, parent, &pso_count);
|
|
if (ret != LDB_SUCCESS) {
|
|
DBG_ERR("Error %d determining PSOs in system\n", ret);
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
|
|
if (pso_count == 0) {
|
|
talloc_free(tmp_ctx);
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/* Work out the SIDs of any account groups the user is a member of */
|
|
ret = get_group_sids(ldb, tmp_ctx, user_msg,
|
|
"msDS-ResultantPSO", ACCOUNT_GROUPS,
|
|
&groupSIDs, &num_groupSIDs);
|
|
if (ret != LDB_SUCCESS) {
|
|
DBG_ERR("Error %d determining group SIDs for %s\n", ret,
|
|
ldb_dn_get_linearized(user_msg->dn));
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
|
|
/* lookup the best PSO that applies to any of these groups */
|
|
ret = pso_find_best(module, tmp_ctx, parent, groupSIDs,
|
|
num_groupSIDs, &best_pso);
|
|
if (ret != LDB_SUCCESS) {
|
|
talloc_free(tmp_ctx);
|
|
return ret;
|
|
}
|
|
|
|
*pso_msg = best_pso;
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
/*
|
|
* Constructs the msDS-ResultantPSO attribute, which is the DN of the Password
|
|
* Settings Object (PSO) that applies to that user.
|
|
*/
|
|
static int construct_resultant_pso(struct ldb_module *module,
|
|
struct ldb_message *msg,
|
|
enum ldb_scope scope,
|
|
struct ldb_request *parent,
|
|
struct ldb_reply *ares)
|
|
{
|
|
struct ldb_message *pso = NULL;
|
|
int ret;
|
|
|
|
/* work out the PSO (if any) that applies to this user */
|
|
ret = get_pso_for_user(module, msg, parent, &pso);
|
|
if (ret != LDB_SUCCESS) {
|
|
DBG_ERR("Couldn't determine PSO for %s\n",
|
|
ldb_dn_get_linearized(msg->dn));
|
|
return ret;
|
|
}
|
|
|
|
if (pso != NULL) {
|
|
DBG_INFO("%s is resultant PSO for user %s\n",
|
|
ldb_dn_get_linearized(pso->dn),
|
|
ldb_dn_get_linearized(msg->dn));
|
|
return ldb_msg_add_string(msg, "msDS-ResultantPSO",
|
|
ldb_dn_get_linearized(pso->dn));
|
|
}
|
|
|
|
/* no PSO applies to this user */
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
struct op_controls_flags {
|
|
bool sd;
|
|
bool bypassoperational;
|
|
};
|
|
|
|
static bool check_keep_control_for_attribute(struct op_controls_flags* controls_flags, const char* attr) {
|
|
if (controls_flags->bypassoperational && ldb_attr_cmp(attr, "msDS-KeyVersionNumber") == 0 ) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/*
|
|
a list of attribute names that should be substituted in the parse
|
|
tree before the search is done
|
|
*/
|
|
static const struct {
|
|
const char *attr;
|
|
const char *replace;
|
|
} parse_tree_sub[] = {
|
|
{ "createTimeStamp", "whenCreated" },
|
|
{ "modifyTimeStamp", "whenChanged" }
|
|
};
|
|
|
|
|
|
struct op_attributes_replace {
|
|
const char *attr;
|
|
const char *replace;
|
|
const char * const *extra_attrs;
|
|
int (*constructor)(struct ldb_module *, struct ldb_message *, enum ldb_scope, struct ldb_request *, struct ldb_reply *);
|
|
};
|
|
|
|
/* the 'extra_attrs' required for msDS-ResultantPSO */
|
|
#define RESULTANT_PSO_COMPUTED_ATTRS \
|
|
"msDS-PSOApplied", \
|
|
"userAccountControl", \
|
|
"objectSid", \
|
|
"msDS-SecondaryKrbTgtNumber", \
|
|
"primaryGroupID"
|
|
|
|
/*
|
|
* any other constructed attributes that want to work out the PSO also need to
|
|
* include objectClass (this gets included via 'replace' for msDS-ResultantPSO)
|
|
*/
|
|
#define PSO_ATTR_DEPENDENCIES \
|
|
RESULTANT_PSO_COMPUTED_ATTRS, \
|
|
"objectClass"
|
|
|
|
static const char *objectSid_attr[] =
|
|
{
|
|
"objectSid",
|
|
NULL
|
|
};
|
|
|
|
|
|
static const char *objectCategory_attr[] =
|
|
{
|
|
"objectCategory",
|
|
NULL
|
|
};
|
|
|
|
|
|
static const char *user_account_control_computed_attrs[] =
|
|
{
|
|
"lockoutTime",
|
|
"pwdLastSet",
|
|
PSO_ATTR_DEPENDENCIES,
|
|
NULL
|
|
};
|
|
|
|
|
|
static const char *user_password_expiry_time_computed_attrs[] =
|
|
{
|
|
"pwdLastSet",
|
|
PSO_ATTR_DEPENDENCIES,
|
|
NULL
|
|
};
|
|
|
|
static const char *resultant_pso_computed_attrs[] =
|
|
{
|
|
RESULTANT_PSO_COMPUTED_ATTRS,
|
|
NULL
|
|
};
|
|
|
|
static const char *managed_password_computed_attrs[] = {
|
|
"msDS-GroupMSAMembership",
|
|
"msDS-ManagedPasswordId",
|
|
"msDS-ManagedPasswordInterval",
|
|
"msDS-ManagedPasswordPreviousId",
|
|
"objectClass",
|
|
"objectSid",
|
|
"whenCreated",
|
|
NULL,
|
|
};
|
|
|
|
/*
|
|
a list of attribute names that are hidden, but can be searched for
|
|
using another (non-hidden) name to produce the correct result
|
|
*/
|
|
static const struct op_attributes_replace search_sub[] = {
|
|
{ "createTimeStamp", "whenCreated", NULL , NULL },
|
|
{ "modifyTimeStamp", "whenChanged", NULL , construct_modifyTimeStamp},
|
|
{ "structuralObjectClass", "objectClass", NULL , NULL },
|
|
{ "canonicalName", NULL, NULL , construct_canonical_name },
|
|
{ "primaryGroupToken", "objectClass", objectSid_attr, construct_primary_group_token },
|
|
{ "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups },
|
|
{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc},
|
|
{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups },
|
|
{ "parentGUID", "objectGUID", NULL, construct_parent_guid },
|
|
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
|
|
{ "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc },
|
|
{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber },
|
|
{ "msDS-User-Account-Control-Computed", "userAccountControl", user_account_control_computed_attrs,
|
|
construct_msds_user_account_control_computed },
|
|
{ "msDS-UserPasswordExpiryTimeComputed", "userAccountControl", user_password_expiry_time_computed_attrs,
|
|
construct_msds_user_password_expiry_time_computed },
|
|
{ "msDS-ResultantPSO", "objectClass", resultant_pso_computed_attrs,
|
|
construct_resultant_pso },
|
|
{"msDS-ManagedPassword",
|
|
NULL,
|
|
managed_password_computed_attrs,
|
|
constructed_msds_managed_password},
|
|
};
|
|
|
|
|
|
enum op_remove {
|
|
OPERATIONAL_REMOVE_ALWAYS, /* remove always */
|
|
OPERATIONAL_REMOVE_UNASKED,/* remove if not requested */
|
|
OPERATIONAL_SD_FLAGS, /* show if SD_FLAGS_OID set, or asked for */
|
|
OPERATIONAL_REMOVE_UNLESS_CONTROL /* remove always unless an ad hoc control has been specified */
|
|
};
|
|
|
|
/*
|
|
a list of attributes that may need to be removed from the
|
|
underlying db return
|
|
|
|
Some of these are attributes that were once stored, but are now calculated
|
|
*/
|
|
struct op_attributes_operations {
|
|
const char *attr;
|
|
enum op_remove op;
|
|
};
|
|
|
|
static const struct op_attributes_operations operational_remove[] = {
|
|
{ "nTSecurityDescriptor", OPERATIONAL_SD_FLAGS },
|
|
{ "msDS-KeyVersionNumber", OPERATIONAL_REMOVE_UNLESS_CONTROL },
|
|
{ "parentGUID", OPERATIONAL_REMOVE_ALWAYS },
|
|
{ "replPropertyMetaData", OPERATIONAL_REMOVE_UNASKED },
|
|
#define _SEP ,OPERATIONAL_REMOVE_UNASKED},{
|
|
{ DSDB_SECRET_ATTRIBUTES_EX(_SEP), OPERATIONAL_REMOVE_UNASKED }
|
|
};
|
|
|
|
|
|
/*
|
|
post process a search result record. For any search_sub[] attributes that were
|
|
asked for, we need to call the appropriate copy routine to copy the result
|
|
into the message, then remove any attributes that we added to the search but
|
|
were not asked for by the user
|
|
*/
|
|
static int operational_search_post_process(struct ldb_module *module,
|
|
struct ldb_message *msg,
|
|
enum ldb_scope scope,
|
|
const char * const *attrs_from_user,
|
|
const char * const *attrs_searched_for,
|
|
struct op_controls_flags* controls_flags,
|
|
struct op_attributes_operations *list,
|
|
unsigned int list_size,
|
|
struct op_attributes_replace *list_replace,
|
|
unsigned int list_replace_size,
|
|
struct ldb_request *parent,
|
|
struct ldb_reply *ares)
|
|
{
|
|
struct ldb_context *ldb;
|
|
unsigned int i, a = 0;
|
|
bool constructed_attributes = false;
|
|
|
|
ldb = ldb_module_get_ctx(module);
|
|
|
|
/* removed any attrs that should not be shown to the user */
|
|
for (i=0; i < list_size; i++) {
|
|
ldb_msg_remove_attr(msg, list[i].attr);
|
|
}
|
|
|
|
for (a=0; a < list_replace_size; a++) {
|
|
if (check_keep_control_for_attribute(controls_flags,
|
|
list_replace[a].attr)) {
|
|
continue;
|
|
}
|
|
|
|
/* construct the new attribute, using either a supplied
|
|
constructor or a simple copy */
|
|
constructed_attributes = true;
|
|
if (list_replace[a].constructor != NULL) {
|
|
if (list_replace[a].constructor(module, msg, scope, parent, ares) != LDB_SUCCESS) {
|
|
goto failed;
|
|
}
|
|
} else if (ldb_msg_copy_attr(msg,
|
|
list_replace[a].replace,
|
|
list_replace[a].attr) != LDB_SUCCESS) {
|
|
goto failed;
|
|
}
|
|
}
|
|
|
|
/* Deletion of the search helper attributes are needed if:
|
|
* - we generated constructed attributes and
|
|
* - we aren't requesting all attributes
|
|
*/
|
|
if ((constructed_attributes) && (!ldb_attr_in_list(attrs_from_user, "*"))) {
|
|
for (i=0; i < list_replace_size; i++) {
|
|
/* remove the added search helper attributes, unless
|
|
* they were asked for by the user */
|
|
if (list_replace[i].replace != NULL &&
|
|
!ldb_attr_in_list(attrs_from_user, list_replace[i].replace)) {
|
|
ldb_msg_remove_attr(msg, list_replace[i].replace);
|
|
}
|
|
if (list_replace[i].extra_attrs != NULL) {
|
|
unsigned int j;
|
|
for (j=0; list_replace[i].extra_attrs[j]; j++) {
|
|
if (!ldb_attr_in_list(attrs_from_user, list_replace[i].extra_attrs[j])) {
|
|
ldb_msg_remove_attr(msg, list_replace[i].extra_attrs[j]);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
|
|
failed:
|
|
ldb_debug_set(ldb, LDB_DEBUG_WARNING,
|
|
"operational_search_post_process failed for attribute '%s' - %s",
|
|
list_replace[a].attr, ldb_errstring(ldb));
|
|
return -1;
|
|
}
|
|
|
|
/*
|
|
hook search operations
|
|
*/
|
|
|
|
static int operational_callback(struct ldb_request *req, struct ldb_reply *ares)
|
|
{
|
|
struct operational_context *ac;
|
|
int ret;
|
|
|
|
ac = talloc_get_type_abort(req->context, struct operational_context);
|
|
|
|
if (!ares) {
|
|
return ldb_module_done(ac->req, NULL, NULL,
|
|
LDB_ERR_OPERATIONS_ERROR);
|
|
}
|
|
if (ares->error != LDB_SUCCESS) {
|
|
return ldb_module_done(ac->req, ares->controls,
|
|
ares->response, ares->error);
|
|
}
|
|
|
|
switch (ares->type) {
|
|
case LDB_REPLY_ENTRY:
|
|
/* for each record returned post-process to add any derived
|
|
attributes that have been asked for */
|
|
ret = operational_search_post_process(ac->module,
|
|
ares->message,
|
|
ac->scope,
|
|
ac->attrs,
|
|
req->op.search.attrs,
|
|
ac->controls_flags,
|
|
ac->list_operations,
|
|
ac->list_operations_size,
|
|
ac->attrs_to_replace,
|
|
ac->attrs_to_replace_size,
|
|
req,
|
|
ares);
|
|
if (ret != 0) {
|
|
return ldb_module_done(ac->req, NULL, NULL,
|
|
LDB_ERR_OPERATIONS_ERROR);
|
|
}
|
|
return ldb_module_send_entry(ac->req, ares->message, ares->controls);
|
|
|
|
case LDB_REPLY_REFERRAL:
|
|
return ldb_module_send_referral(ac->req, ares->referral);
|
|
|
|
case LDB_REPLY_DONE:
|
|
|
|
return ldb_module_done(ac->req, ares->controls,
|
|
ares->response, LDB_SUCCESS);
|
|
}
|
|
|
|
talloc_free(ares);
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
static struct op_attributes_operations* operation_get_op_list(TALLOC_CTX *ctx,
|
|
const char* const* attrs,
|
|
const char* const* searched_attrs,
|
|
struct op_controls_flags* controls_flags)
|
|
{
|
|
int idx = 0;
|
|
int i;
|
|
struct op_attributes_operations *list = talloc_zero_array(ctx,
|
|
struct op_attributes_operations,
|
|
ARRAY_SIZE(operational_remove) + 1);
|
|
|
|
if (list == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
for (i=0; i<ARRAY_SIZE(operational_remove); i++) {
|
|
switch (operational_remove[i].op) {
|
|
case OPERATIONAL_REMOVE_UNASKED:
|
|
if (ldb_attr_in_list(attrs, operational_remove[i].attr)) {
|
|
continue;
|
|
}
|
|
if (ldb_attr_in_list(searched_attrs, operational_remove[i].attr)) {
|
|
continue;
|
|
}
|
|
list[idx].attr = operational_remove[i].attr;
|
|
list[idx].op = OPERATIONAL_REMOVE_UNASKED;
|
|
idx++;
|
|
break;
|
|
|
|
case OPERATIONAL_REMOVE_ALWAYS:
|
|
list[idx].attr = operational_remove[i].attr;
|
|
list[idx].op = OPERATIONAL_REMOVE_ALWAYS;
|
|
idx++;
|
|
break;
|
|
|
|
case OPERATIONAL_REMOVE_UNLESS_CONTROL:
|
|
if (!check_keep_control_for_attribute(controls_flags, operational_remove[i].attr)) {
|
|
list[idx].attr = operational_remove[i].attr;
|
|
list[idx].op = OPERATIONAL_REMOVE_UNLESS_CONTROL;
|
|
idx++;
|
|
}
|
|
break;
|
|
|
|
case OPERATIONAL_SD_FLAGS:
|
|
if (ldb_attr_in_list(attrs, operational_remove[i].attr)) {
|
|
continue;
|
|
}
|
|
if (controls_flags->sd) {
|
|
if (attrs == NULL) {
|
|
continue;
|
|
}
|
|
if (attrs[0] == NULL) {
|
|
continue;
|
|
}
|
|
if (ldb_attr_in_list(attrs, "*")) {
|
|
continue;
|
|
}
|
|
}
|
|
list[idx].attr = operational_remove[i].attr;
|
|
list[idx].op = OPERATIONAL_SD_FLAGS;
|
|
idx++;
|
|
break;
|
|
}
|
|
}
|
|
|
|
return list;
|
|
}
|
|
|
|
struct operational_present_ctx {
|
|
const char *attr;
|
|
bool found_operational;
|
|
};
|
|
|
|
/*
|
|
callback to determine if an operational attribute (needing
|
|
replacement) is in use at all
|
|
*/
|
|
static int operational_present(struct ldb_parse_tree *tree, void *private_context)
|
|
{
|
|
struct operational_present_ctx *ctx = private_context;
|
|
switch (tree->operation) {
|
|
case LDB_OP_EQUALITY:
|
|
if (ldb_attr_cmp(tree->u.equality.attr, ctx->attr) == 0) {
|
|
ctx->found_operational = true;
|
|
}
|
|
break;
|
|
case LDB_OP_GREATER:
|
|
case LDB_OP_LESS:
|
|
case LDB_OP_APPROX:
|
|
if (ldb_attr_cmp(tree->u.comparison.attr, ctx->attr) == 0) {
|
|
ctx->found_operational = true;
|
|
}
|
|
break;
|
|
case LDB_OP_SUBSTRING:
|
|
if (ldb_attr_cmp(tree->u.substring.attr, ctx->attr) == 0) {
|
|
ctx->found_operational = true;
|
|
}
|
|
break;
|
|
case LDB_OP_PRESENT:
|
|
if (ldb_attr_cmp(tree->u.present.attr, ctx->attr) == 0) {
|
|
ctx->found_operational = true;
|
|
}
|
|
break;
|
|
case LDB_OP_EXTENDED:
|
|
if (tree->u.extended.attr &&
|
|
ldb_attr_cmp(tree->u.extended.attr, ctx->attr) == 0) {
|
|
ctx->found_operational = true;
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
|
|
static int operational_search(struct ldb_module *module, struct ldb_request *req)
|
|
{
|
|
struct ldb_context *ldb;
|
|
struct operational_context *ac;
|
|
struct ldb_request *down_req;
|
|
const char **search_attrs = NULL;
|
|
struct operational_present_ctx ctx;
|
|
unsigned int i, a;
|
|
int ret;
|
|
|
|
/* There are no operational attributes on special DNs */
|
|
if (ldb_dn_is_special(req->op.search.base)) {
|
|
return ldb_next_request(module, req);
|
|
}
|
|
|
|
ldb = ldb_module_get_ctx(module);
|
|
|
|
ac = talloc(req, struct operational_context);
|
|
if (ac == NULL) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
|
|
ac->expire_passwords_onsmartcardonlyaccounts
|
|
= EXPIRE_UF_SMARTCARD_UNINIT;
|
|
|
|
ac->now = 0;
|
|
|
|
ac->module = module;
|
|
ac->req = req;
|
|
ac->scope = req->op.search.scope;
|
|
ac->attrs = req->op.search.attrs;
|
|
ctx.found_operational = false;
|
|
|
|
/*
|
|
* find any attributes in the parse tree that are searchable,
|
|
* but are stored using a different name in the backend, so we
|
|
* only duplicate the memory when needed
|
|
*/
|
|
for (i=0;i<ARRAY_SIZE(parse_tree_sub);i++) {
|
|
ctx.attr = parse_tree_sub[i].attr;
|
|
|
|
ldb_parse_tree_walk(req->op.search.tree,
|
|
operational_present,
|
|
&ctx);
|
|
if (ctx.found_operational) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (ctx.found_operational) {
|
|
|
|
ac->tree = ldb_parse_tree_copy_shallow(ac,
|
|
req->op.search.tree);
|
|
|
|
if (ac->tree == NULL) {
|
|
return ldb_operr(ldb);
|
|
}
|
|
|
|
/* replace any attributes in the parse tree that are
|
|
searchable, but are stored using a different name in the
|
|
backend */
|
|
for (i=0;i<ARRAY_SIZE(parse_tree_sub);i++) {
|
|
ldb_parse_tree_attr_replace(ac->tree,
|
|
parse_tree_sub[i].attr,
|
|
parse_tree_sub[i].replace);
|
|
}
|
|
} else {
|
|
/* Avoid allocating a copy if we do not need to */
|
|
ac->tree = req->op.search.tree;
|
|
}
|
|
|
|
ac->controls_flags = talloc(ac, struct op_controls_flags);
|
|
/* remember if the SD_FLAGS_OID was set */
|
|
ac->controls_flags->sd = (ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID) != NULL);
|
|
/* remember if the LDB_CONTROL_BYPASS_OPERATIONAL_OID */
|
|
ac->controls_flags->bypassoperational =
|
|
(ldb_request_get_control(req, LDB_CONTROL_BYPASS_OPERATIONAL_OID) != NULL);
|
|
|
|
ac->attrs_to_replace = NULL;
|
|
ac->attrs_to_replace_size = 0;
|
|
/* in the list of attributes we are looking for, rename any
|
|
attributes to the alias for any hidden attributes that can
|
|
be fetched directly using non-hidden names.
|
|
Note that order here can affect performance, e.g. we should process
|
|
msDS-ResultantPSO before msDS-User-Account-Control-Computed (as the
|
|
latter is also dependent on the PSO information) */
|
|
for (a=0;ac->attrs && ac->attrs[a];a++) {
|
|
if (check_keep_control_for_attribute(ac->controls_flags, ac->attrs[a])) {
|
|
continue;
|
|
}
|
|
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
|
|
|
|
if (ldb_attr_cmp(ac->attrs[a], search_sub[i].attr) != 0 ) {
|
|
continue;
|
|
}
|
|
|
|
ac->attrs_to_replace = talloc_realloc(ac,
|
|
ac->attrs_to_replace,
|
|
struct op_attributes_replace,
|
|
ac->attrs_to_replace_size + 1);
|
|
|
|
ac->attrs_to_replace[ac->attrs_to_replace_size] = search_sub[i];
|
|
ac->attrs_to_replace_size++;
|
|
|
|
if (search_sub[i].extra_attrs && search_sub[i].extra_attrs[0]) {
|
|
unsigned int j;
|
|
const char **search_attrs2;
|
|
/* Only adds to the end of the list */
|
|
for (j = 0; search_sub[i].extra_attrs[j]; j++) {
|
|
search_attrs2 = ldb_attr_list_copy_add(req, search_attrs
|
|
? search_attrs
|
|
: ac->attrs,
|
|
search_sub[i].extra_attrs[j]);
|
|
if (search_attrs2 == NULL) {
|
|
return ldb_operr(ldb);
|
|
}
|
|
/* may be NULL, talloc_free() doesn't mind */
|
|
talloc_free(search_attrs);
|
|
search_attrs = search_attrs2;
|
|
}
|
|
}
|
|
|
|
if (!search_sub[i].replace) {
|
|
continue;
|
|
}
|
|
|
|
if (!search_attrs) {
|
|
search_attrs = ldb_attr_list_copy(req, ac->attrs);
|
|
if (search_attrs == NULL) {
|
|
return ldb_operr(ldb);
|
|
}
|
|
}
|
|
/* Despite the ldb_attr_list_copy_add, this is safe as that fn only adds to the end */
|
|
search_attrs[a] = search_sub[i].replace;
|
|
}
|
|
}
|
|
ac->list_operations = operation_get_op_list(ac, ac->attrs,
|
|
search_attrs == NULL?req->op.search.attrs:search_attrs,
|
|
ac->controls_flags);
|
|
ac->list_operations_size = 0;
|
|
i = 0;
|
|
|
|
while (ac->list_operations && ac->list_operations[i].attr != NULL) {
|
|
i++;
|
|
}
|
|
ac->list_operations_size = i;
|
|
ret = ldb_build_search_req_ex(&down_req, ldb, ac,
|
|
req->op.search.base,
|
|
req->op.search.scope,
|
|
ac->tree,
|
|
/* use new set of attrs if any */
|
|
search_attrs == NULL?req->op.search.attrs:search_attrs,
|
|
req->controls,
|
|
ac, operational_callback,
|
|
req);
|
|
LDB_REQ_SET_LOCATION(down_req);
|
|
if (ret != LDB_SUCCESS) {
|
|
return ldb_operr(ldb);
|
|
}
|
|
|
|
/* perform the search */
|
|
return ldb_next_request(module, down_req);
|
|
}
|
|
|
|
static int operational_init(struct ldb_module *ctx)
|
|
{
|
|
struct operational_data *data;
|
|
int ret;
|
|
|
|
ret = ldb_next_init(ctx);
|
|
|
|
if (ret != LDB_SUCCESS) {
|
|
return ret;
|
|
}
|
|
|
|
data = talloc_zero(ctx, struct operational_data);
|
|
if (!data) {
|
|
return ldb_module_oom(ctx);
|
|
}
|
|
|
|
ldb_module_set_private(ctx, data);
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
|
|
static const struct ldb_module_ops ldb_operational_module_ops = {
|
|
.name = "operational",
|
|
.search = operational_search,
|
|
.init_context = operational_init
|
|
};
|
|
|
|
int ldb_operational_module_init(const char *version)
|
|
{
|
|
LDB_MODULE_CHECK_VERSION(version);
|
|
return ldb_register_module(&ldb_operational_module_ops);
|
|
}
|