1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
samba-mirror/source4/dsdb/common/util_links.c
Garming Sam 1816c84b29 dsdb: Allow parsed_dn_find to have a prefixed blob match
This allows us to search against binary DN using only the attributeID in
the case of msDS-RevealedUsers (as it appears right at the beginning).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00

211 lines
6.2 KiB
C

/*
Unix SMB/CIFS implementation.
Helpers to search for links in the DB
Copyright (C) Catalyst.Net Ltd 2017
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "dsdb/samdb/samdb.h"
#include "lib/util/binsearch.h"
#include "librpc/gen_ndr/ndr_misc.h"
/*
* We choose, as the sort order, the same order as is used in DRS replication,
* which is the memcmp() order of the NDR GUID, not that obtained from
* GUID_compare().
*
* This means that sorted links will be in the same order as a new DC would
* see them.
*/
int ndr_guid_compare(const struct GUID *guid1, const struct GUID *guid2)
{
uint8_t v1_data[16];
struct ldb_val v1 = data_blob_const(v1_data, sizeof(v1_data));
uint8_t v2_data[16];
struct ldb_val v2 = data_blob_const(v2_data, sizeof(v2_data));
/* This can't fail */
ndr_push_struct_into_fixed_blob(&v1, guid1,
(ndr_push_flags_fn_t)ndr_push_GUID);
/* This can't fail */
ndr_push_struct_into_fixed_blob(&v2, guid2,
(ndr_push_flags_fn_t)ndr_push_GUID);
return data_blob_cmp(&v1, &v2);
}
static int la_guid_compare_with_trusted_dn(struct compare_ctx *ctx,
struct parsed_dn *p)
{
int cmp = 0;
/*
* This works like a standard compare function in its return values,
* but has an extra trick to deal with errors: zero is returned and
* ctx->err is set to the ldb error code.
*
* That is, if (as is expected in most cases) you get a non-zero
* result, you don't need to check for errors.
*
* We assume the second argument refers to a DN is from the database
* and has a GUID -- but this GUID might not have been parsed out yet.
*/
if (p->dsdb_dn == NULL) {
int ret = really_parse_trusted_dn(ctx->mem_ctx, ctx->ldb, p,
ctx->ldap_oid);
if (ret != LDB_SUCCESS) {
ctx->err = ret;
return 0;
}
}
cmp = ndr_guid_compare(ctx->guid, &p->guid);
if (cmp == 0 && ctx->compare_extra_part) {
if (ctx->partial_extra_part_length != 0) {
/* Allow a prefix match on the blob. */
return memcmp(ctx->extra_part.data,
p->dsdb_dn->extra_part.data,
MIN(ctx->partial_extra_part_length,
p->dsdb_dn->extra_part.length));
} else {
return data_blob_cmp(&ctx->extra_part,
&p->dsdb_dn->extra_part);
}
}
return cmp;
}
/* When a parsed_dn comes from the database, sometimes it is not really parsed. */
int really_parse_trusted_dn(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
struct parsed_dn *pdn, const char *ldap_oid)
{
NTSTATUS status;
struct dsdb_dn *dsdb_dn = dsdb_dn_parse_trusted(mem_ctx, ldb, pdn->v,
ldap_oid);
if (dsdb_dn == NULL) {
return LDB_ERR_INVALID_DN_SYNTAX;
}
status = dsdb_get_extended_dn_guid(dsdb_dn->dn, &pdn->guid, "GUID");
if (!NT_STATUS_IS_OK(status)) {
return LDB_ERR_OPERATIONS_ERROR;
}
pdn->dsdb_dn = dsdb_dn;
return LDB_SUCCESS;
}
int parsed_dn_find(struct ldb_context *ldb, struct parsed_dn *pdn,
unsigned int count,
const struct GUID *guid,
struct ldb_dn *target_dn,
DATA_BLOB extra_part,
size_t partial_extra_part_length,
struct parsed_dn **exact,
struct parsed_dn **next,
const char *ldap_oid,
bool compare_extra_part)
{
unsigned int i;
struct compare_ctx ctx;
if (pdn == NULL) {
*exact = NULL;
*next = NULL;
return LDB_SUCCESS;
}
if (unlikely(GUID_all_zero(guid))) {
/*
* When updating a link using DRS, we sometimes get a NULL
* GUID when a forward link has been deleted and its GUID has
* for some reason been forgotten. The best we can do is try
* and match by DN via a linear search. Note that this
* probably only happens in the ADD case, in which we only
* allow modification of link if it is already deleted, so
* this seems very close to an elaborate NO-OP, but we are not
* quite prepared to declare it so.
*
* If the DN is not in our list, we have to add it to the
* beginning of the list, where it would naturally sort.
*/
struct parsed_dn *p;
if (target_dn == NULL) {
/* We don't know the target DN, so we can't search for DN */
DEBUG(1, ("parsed_dn_find has a NULL GUID for a linked "
"attribute but we don't have a DN to compare "
"it with\n"));
return LDB_ERR_OPERATIONS_ERROR;
}
*exact = NULL;
*next = NULL;
DEBUG(3, ("parsed_dn_find has a NULL GUID for a link to DN "
"%s; searching through links for it",
ldb_dn_get_linearized(target_dn)));
for (i = 0; i < count; i++) {
int cmp;
p = &pdn[i];
if (p->dsdb_dn == NULL) {
int ret = really_parse_trusted_dn(pdn, ldb, p, ldap_oid);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
cmp = ldb_dn_compare(p->dsdb_dn->dn, target_dn);
if (cmp == 0) {
*exact = p;
return LDB_SUCCESS;
}
}
/*
* Here we have a null guid which doesn't match any existing
* link. This is a bit unexpected because null guids occur
* when a forward link has been deleted and we are replicating
* that deletion.
*
* The best thing to do is weep into the logs and add the
* offending link to the beginning of the list which is
* at least the correct sort position.
*/
DEBUG(1, ("parsed_dn_find has been given a NULL GUID for a "
"link to unknown DN %s\n",
ldb_dn_get_linearized(target_dn)));
*next = pdn;
return LDB_SUCCESS;
}
ctx.guid = guid;
ctx.ldb = ldb;
ctx.mem_ctx = pdn;
ctx.ldap_oid = ldap_oid;
ctx.extra_part = extra_part;
ctx.partial_extra_part_length = partial_extra_part_length;
ctx.compare_extra_part = compare_extra_part;
ctx.err = 0;
BINARY_ARRAY_SEARCH_GTE(pdn, count, &ctx, la_guid_compare_with_trusted_dn,
*exact, *next);
if (ctx.err != 0) {
return ctx.err;
}
return LDB_SUCCESS;
}