/*
return the attribute syntax oid as a string from the attribute name
*/
static PyObject *py_dsdb_get_syntax_oid_from_lDAPDisplayName(PyObject *self, PyObject *args)
{
PyObject *py_ldb;
struct ldb_context *ldb;
struct dsdb_schema *schema;
const char *ldap_display_name;
const struct dsdb_attribute *attribute;
if (!PyArg_ParseTuple(args, "Os", &py_ldb, &ldap_display_name))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
schema = dsdb_get_schema(ldb, NULL);
if (!schema) {
PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb");
return NULL;
}
attribute = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name);
if (attribute == NULL) {
PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name);
return NULL;
}
return PyString_FromString(attribute->syntax->ldap_oid);
}
static int resolve_oids_element_replace(struct ldb_context *ldb,
struct dsdb_schema *schema,
struct ldb_message_element *el)
{
unsigned int i;
const struct dsdb_attribute *a = NULL;
const char *p1;
p1 = strchr(el->name, '.');
if (p1) {
a = dsdb_attribute_by_attributeID_oid(schema, el->name);
} else {
a = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
}
if (!a) {
return LDB_SUCCESS;
}
el->name = a->lDAPDisplayName;
for (i=0; i < el->num_values; i++) {
int ret;
ret = resolve_oids_replace_value(ldb, schema, a,
&el->values[i]);
if (ret != LDB_SUCCESS) {
return ret;
}
}
return LDB_SUCCESS;
}
const struct GUID *attribute_schemaid_guid_by_lDAPDisplayName(const struct dsdb_schema *schema,
const char *name)
{
const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema, name);
if (!attr)
return NULL;
return &attr->schemaIDGUID;
}
/*
override the name to attribute handler function
*/
const struct ldb_schema_attribute *dsdb_attribute_handler_override(struct ldb_context *ldb,
void *private_data,
const char *name)
{
struct dsdb_schema *schema = talloc_get_type_abort(private_data, struct dsdb_schema);
const struct dsdb_attribute *a = dsdb_attribute_by_lDAPDisplayName(schema, name);
if (a == NULL) {
/* this will fall back to ldb internal handling */
return NULL;
}
return a->ldb_schema_attribute;
}
WERROR dsdb_attribute_ldb_to_drsuapi(const struct dsdb_schema *schema,
const struct ldb_message_element *in,
TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaAttribute *out)
{
const struct dsdb_attribute *sa;
sa = dsdb_attribute_by_lDAPDisplayName(schema, in->name);
if (!sa) {
return WERR_FOOBAR;
}
return sa->syntax->ldb_to_drsuapi(schema, sa, in, mem_ctx, out);
}
static PyObject *py_dsdb_get_attid_from_lDAPDisplayName(PyObject *self, PyObject *args)
{
PyObject *py_ldb, *is_schema_nc;
struct ldb_context *ldb;
struct dsdb_schema *schema;
const char *ldap_display_name;
bool schema_nc = false;
const struct dsdb_attribute *a;
uint32_t attid;
if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &is_schema_nc))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
if (is_schema_nc) {
if (!PyBool_Check(is_schema_nc)) {
PyErr_SetString(PyExc_TypeError, "Expected boolean is_schema_nc");
return NULL;
}
if (is_schema_nc == Py_True) {
schema_nc = true;
}
}
schema = dsdb_get_schema(ldb, NULL);
if (!schema) {
PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb");
return NULL;
}
a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name);
if (a == NULL) {
PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name);
return NULL;
}
attid = dsdb_attribute_get_attid(a, schema_nc);
return PyLong_FromUnsignedLong(attid);
}
static bool torture_test_syntax(struct torture_context *torture,
struct torture_dsdb_syntax *priv,
const char *oid,
const char *attr_string,
const char *ldb_str,
const char *drs_str)
{
TALLOC_CTX *tmp_ctx = talloc_new(torture);
DATA_BLOB drs_binary = hexstr_to_data_blob(tmp_ctx, drs_str);
DATA_BLOB ldb_blob = data_blob_string_const(ldb_str);
struct drsuapi_DsReplicaAttribute drs, drs2;
struct drsuapi_DsAttributeValue val;
const struct dsdb_syntax *syntax;
const struct dsdb_attribute *attr;
struct ldb_message_element el;
struct ldb_context *ldb = priv->ldb;
struct dsdb_schema *schema = priv->schema;
struct dsdb_syntax_ctx syntax_ctx;
/* use default syntax conversion context */
dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema);
drs.value_ctr.num_values = 1;
drs.value_ctr.values = &val;
val.blob = &drs_binary;
torture_assert(torture, syntax = find_syntax_map_by_standard_oid(oid), "Failed to find syntax handler");
torture_assert(torture, attr = dsdb_attribute_by_lDAPDisplayName(schema, attr_string), "Failed to find attribute handler");
torture_assert_str_equal(torture, attr->syntax->name, syntax->name, "Syntax from schema not as expected");
torture_assert_werr_ok(torture, syntax->drsuapi_to_ldb(&syntax_ctx, attr, &drs, tmp_ctx, &el), "Failed to convert from DRS to ldb format");
torture_assert_data_blob_equal(torture, el.values[0], ldb_blob, "Incorrect conversion from DRS to ldb format");
torture_assert_werr_ok(torture, syntax->ldb_to_drsuapi(&syntax_ctx, attr, &el, tmp_ctx, &drs2), "Failed to convert from ldb to DRS format");
torture_assert(torture, drs2.value_ctr.values[0].blob, "No blob returned from conversion");
torture_assert_data_blob_equal(torture, *drs2.value_ctr.values[0].blob, drs_binary, "Incorrect conversion from ldb to DRS format");
return true;
}
/*
return the backlink attribute name (if any) for an attribute
*/
static PyObject *py_dsdb_get_backlink_from_lDAPDisplayName(PyObject *self, PyObject *args)
{
PyObject *py_ldb;
struct ldb_context *ldb;
struct dsdb_schema *schema;
const char *ldap_display_name;
const struct dsdb_attribute *attribute, *target_attr;
if (!PyArg_ParseTuple(args, "Os", &py_ldb, &ldap_display_name))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
schema = dsdb_get_schema(ldb, NULL);
if (!schema) {
PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb");
return NULL;
}
attribute = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name);
if (attribute == NULL) {
PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name);
return NULL;
}
if (attribute->linkID == 0) {
Py_RETURN_NONE;
}
target_attr = dsdb_attribute_by_linkID(schema, attribute->linkID ^ 1);
if (target_attr == NULL) {
/* when we add pseudo-backlinks we'll need to handle
them here */
Py_RETURN_NONE;
}
return PyString_FromString(target_attr->lDAPDisplayName);
}
static int acl_modify(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
const struct dsdb_schema *schema = dsdb_get_schema(ldb);
int i;
bool modify_sd = false;
const struct GUID *guid;
uint32_t access_granted;
struct object_tree *root = NULL;
struct object_tree *new_node = NULL;
NTSTATUS status;
struct ldb_result *acl_res;
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(req);
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
"objectClass",
"objectSid",
NULL
};
/* Don't print this debug statement if elements[0].name is going to be NULL */
if(req->op.mod.message->num_elements > 0)
{
DEBUG(10, ("ldb:acl_modify: %s\n", req->op.mod.message->elements[0].name));
}
if (what_is_user(module) == SECURITY_SYSTEM) {
return ldb_next_request(module, req);
}
if (ldb_dn_is_special(req->op.mod.message->dn)) {
return ldb_next_request(module, req);
}
ret = ldb_search(ldb, req, &acl_res, req->op.mod.message->dn,
LDB_SCOPE_BASE, acl_attrs, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
DEBUG(10, ("acl_modify: cannot get descriptor\n"));
return ret;
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
return LDB_SUCCESS;
}
guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
if (!guid) {
DEBUG(10, ("acl_modify: cannot get guid\n"));
goto fail;
}
ret = get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
DEBUG(10, ("acl_modify: cannot add to object tree\n"));
goto fail;
}
for (i=0; i < req->op.mod.message->num_elements; i++){
const struct dsdb_attribute *attr;
/* clearTextPassword is not in schema */
if (strcmp("clearTextPassword", req->op.mod.message->elements[i].name) == 0) {
attr = dsdb_attribute_by_lDAPDisplayName(schema, "unicodePwd");
} else {
attr = dsdb_attribute_by_lDAPDisplayName(schema,
req->op.mod.message->elements[i].name);
}
if (strcmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
modify_sd = true;
} else {
if (!attr) {
DEBUG(10, ("acl_modify: cannot find attribute %s\n",
req->op.mod.message->elements[i].name));
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
&attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n"));
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
&attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n"));
goto fail;
}
}
}
if (root->num_of_children > 0) {
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_ADS_WRITE_PROP,
&access_granted,
root,
sid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Object %s nas no write property access\n",
ldb_dn_get_linearized(req->op.mod.message->dn)));
acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
true,
10);
talloc_free(tmp_ctx);
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
}
if (modify_sd) {
status = sec_access_check_ds(sd, acl_user_token(module),
SEC_STD_WRITE_DAC,
&access_granted,
NULL,
sid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Object %s nas no write dacl access\n",
ldb_dn_get_linearized(req->op.mod.message->dn)));
acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
true,
10);
talloc_free(tmp_ctx);
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
}
talloc_free(tmp_ctx);
return ldb_next_request(module, req);
fail:
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
static int acl_allowedAttributes(struct ldb_module *module,
struct ldb_message *sd_msg,
struct ldb_message *msg,
struct acl_context *ac)
{
struct ldb_message_element *oc_el;
struct ldb_context *ldb = ldb_module_get_ctx(module);
const struct dsdb_schema *schema = dsdb_get_schema(ldb);
TALLOC_CTX *mem_ctx;
const char **attr_list;
int i, ret;
/* If we don't have a schema yet, we can't do anything... */
if (schema == NULL) {
return LDB_SUCCESS;
}
/* Must remove any existing attribute */
if (ac->allowedAttributes) {
ldb_msg_remove_attr(msg, "allowedAttributes");
}
mem_ctx = talloc_new(msg);
if (!mem_ctx) {
ldb_oom(ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
oc_el = ldb_msg_find_element(sd_msg, "objectClass");
attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
if (!attr_list) {
ldb_asprintf_errstring(ldb, "acl: Failed to get list of attributes");
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
if (ac->allowedAttributes) {
for (i=0; attr_list && attr_list[i]; i++) {
ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
}
}
if (ac->allowedAttributesEffective) {
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
ldb_msg_remove_attr(msg, "allowedAttributesEffective");
if (ac->user_type == SECURITY_SYSTEM) {
for (i=0; attr_list && attr_list[i]; i++) {
ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
}
return LDB_SUCCESS;
}
ret = get_sd_from_ldb_message(mem_ctx, sd_msg, &sd);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = get_dom_sid_from_ldb_message(mem_ctx, sd_msg, &sid);
if (ret != LDB_SUCCESS) {
return ret;
}
for (i=0; attr_list && attr_list[i]; i++) {
struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema,
attr_list[i]);
if (!attr) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* remove constructed attributes */
if (attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED
|| attr->systemOnly
|| (attr->linkID != 0 && attr->linkID % 2 != 0 )) {
continue;
}
ret = acl_check_access_on_attribute(module,
msg,
sd,
sid,
SEC_ADS_WRITE_PROP,
attr);
if (ret == LDB_SUCCESS) {
ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
}
}
}
return LDB_SUCCESS;
}
/*
normalise a ldb attribute list
*/
static PyObject *py_dsdb_normalise_attributes(PyObject *self, PyObject *args)
{
PyObject *py_ldb, *el_list, *ret;
struct ldb_context *ldb;
char *ldap_display_name;
const struct dsdb_attribute *a;
struct dsdb_schema *schema;
struct dsdb_syntax_ctx syntax_ctx;
struct ldb_message_element *el;
struct drsuapi_DsReplicaAttribute *attr;
TALLOC_CTX *tmp_ctx;
WERROR werr;
Py_ssize_t i;
if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &el_list)) {
return NULL;
}
PyErr_LDB_OR_RAISE(py_ldb, ldb);
if (!PyList_Check(el_list)) {
PyErr_Format(PyExc_TypeError, "ldif_elements must be a list");
return NULL;
}
schema = dsdb_get_schema(ldb, NULL);
if (!schema) {
PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb");
return NULL;
}
a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name);
if (a == NULL) {
PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name);
return NULL;
}
dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema);
syntax_ctx.is_schema_nc = false;
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
PyErr_NoMemory();
return NULL;
}
el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (el == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
el->name = ldap_display_name;
el->num_values = PyList_Size(el_list);
el->values = talloc_array(el, struct ldb_val, el->num_values);
if (el->values == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
for (i = 0; i < el->num_values; i++) {
PyObject *item = PyList_GetItem(el_list, i);
if (!PyString_Check(item)) {
PyErr_Format(PyExc_TypeError, "ldif_elements should be strings");
talloc_free(tmp_ctx);
return NULL;
}
el->values[i].data = (uint8_t *)PyString_AsString(item);
el->values[i].length = PyString_Size(item);
}
/* Normalise "objectClass" attribute if needed */
if (ldb_attr_cmp(a->lDAPDisplayName, "objectClass") == 0) {
int iret;
iret = dsdb_sort_objectClass_attr(ldb, schema, el, tmp_ctx, el);
if (iret != LDB_SUCCESS) {
PyErr_SetString(PyExc_RuntimeError, ldb_errstring(ldb));
talloc_free(tmp_ctx);
return NULL;
}
}
/* first run ldb_to_drsuapi, then convert back again. This has
* the effect of normalising the attributes
*/
attr = talloc_zero(tmp_ctx, struct drsuapi_DsReplicaAttribute);
if (attr == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
werr = a->syntax->ldb_to_drsuapi(&syntax_ctx, a, el, attr, attr);
PyErr_WERROR_NOT_OK_RAISE(werr);
/* now convert back again */
werr = a->syntax->drsuapi_to_ldb(&syntax_ctx, a, attr, el, el);
PyErr_WERROR_NOT_OK_RAISE(werr);
ret = py_return_ndr_struct("ldb", "MessageElement", el, el);
talloc_free(tmp_ctx);
return ret;
}
/*
convert a python string to a DRSUAPI drsuapi_DsReplicaAttribute attribute
*/
static PyObject *py_dsdb_DsReplicaAttribute(PyObject *self, PyObject *args)
{
PyObject *py_ldb, *el_list, *ret;
struct ldb_context *ldb;
char *ldap_display_name;
const struct dsdb_attribute *a;
struct dsdb_schema *schema;
struct dsdb_syntax_ctx syntax_ctx;
struct ldb_message_element *el;
struct drsuapi_DsReplicaAttribute *attr;
TALLOC_CTX *tmp_ctx;
WERROR werr;
Py_ssize_t i;
if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &el_list)) {
return NULL;
}
PyErr_LDB_OR_RAISE(py_ldb, ldb);
if (!PyList_Check(el_list)) {
PyErr_Format(PyExc_TypeError, "ldif_elements must be a list");
return NULL;
}
schema = dsdb_get_schema(ldb, NULL);
if (!schema) {
PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb");
return NULL;
}
a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name);
if (a == NULL) {
PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name);
return NULL;
}
dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema);
syntax_ctx.is_schema_nc = false;
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
PyErr_NoMemory();
return NULL;
}
el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (el == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
el->name = ldap_display_name;
el->num_values = PyList_Size(el_list);
el->values = talloc_array(el, struct ldb_val, el->num_values);
if (el->values == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
for (i = 0; i < el->num_values; i++) {
PyObject *item = PyList_GetItem(el_list, i);
if (!PyString_Check(item)) {
PyErr_Format(PyExc_TypeError, "ldif_elements should be strings");
talloc_free(tmp_ctx);
return NULL;
}
el->values[i].data = (uint8_t *)PyString_AsString(item);
el->values[i].length = PyString_Size(item);
}
attr = talloc_zero(tmp_ctx, struct drsuapi_DsReplicaAttribute);
if (attr == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
werr = a->syntax->ldb_to_drsuapi(&syntax_ctx, a, el, attr, attr);
PyErr_WERROR_NOT_OK_RAISE(werr);
ret = py_return_ndr_struct("samba.dcerpc.drsuapi", "DsReplicaAttribute", attr, attr);
talloc_free(tmp_ctx);
return ret;
}
static WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
const struct dsdb_schema *schema,
const struct drsuapi_DsReplicaObjectListItemEx *in,
const DATA_BLOB *gensec_skey,
TALLOC_CTX *mem_ctx,
struct dsdb_extended_replicated_object *out)
{
NTSTATUS nt_status;
WERROR status;
uint32_t i;
struct ldb_message *msg;
struct replPropertyMetaDataBlob *md;
struct ldb_val guid_value;
NTTIME whenChanged = 0;
time_t whenChanged_t;
const char *whenChanged_s;
const char *rdn_name = NULL;
const struct ldb_val *rdn_value = NULL;
const struct dsdb_attribute *rdn_attr = NULL;
uint32_t rdn_attid;
struct drsuapi_DsReplicaAttribute *name_a = NULL;
struct drsuapi_DsReplicaMetaData *name_d = NULL;
struct replPropertyMetaData1 *rdn_m = NULL;
struct dom_sid *sid = NULL;
uint32_t rid = 0;
int ret;
if (!in->object.identifier) {
return WERR_FOOBAR;
}
if (!in->object.identifier->dn || !in->object.identifier->dn[0]) {
return WERR_FOOBAR;
}
if (in->object.attribute_ctr.num_attributes != 0 && !in->meta_data_ctr) {
return WERR_FOOBAR;
}
if (in->object.attribute_ctr.num_attributes != in->meta_data_ctr->count) {
return WERR_FOOBAR;
}
sid = &in->object.identifier->sid;
if (sid->num_auths > 0) {
rid = sid->sub_auths[sid->num_auths - 1];
}
msg = ldb_msg_new(mem_ctx);
W_ERROR_HAVE_NO_MEMORY(msg);
msg->dn = ldb_dn_new(msg, ldb, in->object.identifier->dn);
W_ERROR_HAVE_NO_MEMORY(msg->dn);
rdn_name = ldb_dn_get_rdn_name(msg->dn);
rdn_attr = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
if (!rdn_attr) {
return WERR_FOOBAR;
}
rdn_attid = rdn_attr->attributeID_id;
rdn_value = ldb_dn_get_rdn_val(msg->dn);
msg->num_elements = in->object.attribute_ctr.num_attributes;
msg->elements = talloc_array(msg, struct ldb_message_element,
msg->num_elements);
W_ERROR_HAVE_NO_MEMORY(msg->elements);
md = talloc(mem_ctx, struct replPropertyMetaDataBlob);
W_ERROR_HAVE_NO_MEMORY(md);
md->version = 1;
md->reserved = 0;
md->ctr.ctr1.count = in->meta_data_ctr->count;
md->ctr.ctr1.reserved = 0;
md->ctr.ctr1.array = talloc_array(mem_ctx,
struct replPropertyMetaData1,
md->ctr.ctr1.count + 1); /* +1 because of the RDN attribute */
W_ERROR_HAVE_NO_MEMORY(md->ctr.ctr1.array);
for (i=0; i < in->meta_data_ctr->count; i++) {
struct drsuapi_DsReplicaAttribute *a;
struct drsuapi_DsReplicaMetaData *d;
struct replPropertyMetaData1 *m;
struct ldb_message_element *e;
int j;
a = &in->object.attribute_ctr.attributes[i];
d = &in->meta_data_ctr->meta_data[i];
m = &md->ctr.ctr1.array[i];
e = &msg->elements[i];
for (j=0; j<a->value_ctr.num_values; j++) {
status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob, gensec_skey, rid, a);
W_ERROR_NOT_OK_RETURN(status);
}
status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, a, msg->elements, e);
if (!NT_STATUS_IS_OK(status) && a->value_ctr.num_values == 0) {
/* w2k8-r2 occasionally sends bogus empty
attributes with rubbish attribute IDs. The
only think we can do is discard these */
DEBUG(0,(__location__ ": Discarding bogus empty DsReplicaAttribute with attid 0x%x\n",
a->attid));
ZERO_STRUCTP(e);
continue;
}
W_ERROR_NOT_OK_RETURN(status);
m->attid = a->attid;
m->version = d->version;
m->originating_change_time = d->originating_change_time;
m->originating_invocation_id = d->originating_invocation_id;
m->originating_usn = d->originating_usn;
m->local_usn = 0;
if (d->originating_change_time > whenChanged) {
whenChanged = d->originating_change_time;
}
if (a->attid == DRSUAPI_ATTRIBUTE_name) {
name_a = a;
name_d = d;
rdn_m = &md->ctr.ctr1.array[md->ctr.ctr1.count];
}
}
/* delete any empty elements */
for (i=0; i < msg->num_elements; i++) {
if (msg->elements[i].name == NULL) {
ldb_msg_remove_element(msg, &msg->elements[i]);
i--;
}
}
if (rdn_m) {
struct ldb_message_element *el;
el = ldb_msg_find_element(msg, rdn_attr->lDAPDisplayName);
if (!el) {
ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, rdn_value, NULL);
if (ret != LDB_SUCCESS) {
return WERR_FOOBAR;
}
} else {
if (el->num_values != 1) {
DEBUG(0,(__location__ ": Unexpected num_values=%u\n",
el->num_values));
return WERR_FOOBAR;
}
if (!ldb_val_equal_exact(&el->values[0], rdn_value)) {
DEBUG(0,(__location__ ": RDN value changed? '%*.*s' '%*.*s'\n",
(int)el->values[0].length, (int)el->values[0].length, el->values[0].data,
(int)rdn_value->length, (int)rdn_value->length, rdn_value->data));
return WERR_FOOBAR;
}
}
rdn_m->attid = rdn_attid;
rdn_m->version = name_d->version;
rdn_m->originating_change_time = name_d->originating_change_time;
rdn_m->originating_invocation_id = name_d->originating_invocation_id;
rdn_m->originating_usn = name_d->originating_usn;
rdn_m->local_usn = 0;
md->ctr.ctr1.count++;
}
whenChanged_t = nt_time_to_unix(whenChanged);
whenChanged_s = ldb_timestring(msg, whenChanged_t);
W_ERROR_HAVE_NO_MEMORY(whenChanged_s);
nt_status = GUID_to_ndr_blob(&in->object.identifier->guid, msg, &guid_value);
if (!NT_STATUS_IS_OK(nt_status)) {
return ntstatus_to_werror(nt_status);
}
out->msg = msg;
out->guid_value = guid_value;
out->when_changed = whenChanged_s;
out->meta_data = md;
return WERR_OK;
}
static int resolve_oids_parse_tree_need(struct ldb_context *ldb,
struct dsdb_schema *schema,
const struct ldb_parse_tree *tree)
{
unsigned int i;
const struct dsdb_attribute *a = NULL;
const char *attr;
const char *p1;
const void *p2;
const struct ldb_val *valp = NULL;
int ret;
switch (tree->operation) {
case LDB_OP_AND:
case LDB_OP_OR:
for (i=0;i<tree->u.list.num_elements;i++) {
ret = resolve_oids_parse_tree_need(ldb, schema,
tree->u.list.elements[i]);
if (ret != LDB_ERR_COMPARE_FALSE) {
return ret;
}
}
return LDB_ERR_COMPARE_FALSE;
case LDB_OP_NOT:
return resolve_oids_parse_tree_need(ldb, schema,
tree->u.isnot.child);
case LDB_OP_EQUALITY:
case LDB_OP_GREATER:
case LDB_OP_LESS:
case LDB_OP_APPROX:
attr = tree->u.equality.attr;
valp = &tree->u.equality.value;
break;
case LDB_OP_SUBSTRING:
attr = tree->u.substring.attr;
break;
case LDB_OP_PRESENT:
attr = tree->u.present.attr;
break;
case LDB_OP_EXTENDED:
attr = tree->u.extended.attr;
valp = &tree->u.extended.value;
break;
default:
return LDB_ERR_COMPARE_FALSE;
}
p1 = strchr(attr, '.');
if (valp) {
p2 = memchr(valp->data, '.', valp->length);
} else {
p2 = NULL;
}
if (!p1 && !p2) {
return LDB_ERR_COMPARE_FALSE;
}
if (p1) {
a = dsdb_attribute_by_attributeID_oid(schema, attr);
} else {
a = dsdb_attribute_by_lDAPDisplayName(schema, attr);
}
if (!a) {
return LDB_ERR_COMPARE_FALSE;
}
if (!p2) {
return LDB_ERR_COMPARE_FALSE;
}
return resolve_oids_need_value(ldb, schema, a, valp);
}
/*
normalise a ldb attribute list
*/
static PyObject *py_dsdb_normalise_attributes(PyObject *self, PyObject *args)
{
PyObject *py_ldb, *el_list, *py_ret;
struct ldb_context *ldb;
char *ldap_display_name;
const struct dsdb_attribute *a;
struct dsdb_schema *schema;
struct dsdb_syntax_ctx syntax_ctx;
struct ldb_message_element *el, *new_el;
struct drsuapi_DsReplicaAttribute *attr;
PyLdbMessageElementObject *ret;
TALLOC_CTX *tmp_ctx;
WERROR werr;
Py_ssize_t i;
PyTypeObject *py_type = NULL;
PyObject *module = NULL;
if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &el_list)) {
return NULL;
}
PyErr_LDB_OR_RAISE(py_ldb, ldb);
schema = dsdb_get_schema(ldb, NULL);
if (!schema) {
PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb");
return NULL;
}
a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name);
if (a == NULL) {
PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name);
return NULL;
}
dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema);
syntax_ctx.is_schema_nc = false;
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
PyErr_NoMemory();
return NULL;
}
if (!PyList_Check(el_list)) {
if (!py_check_dcerpc_type(el_list, "ldb", "MessageElement")) {
PyErr_SetString(py_ldb_get_exception(),
"list of strings or ldb MessageElement object required");
return NULL;
}
/*
* NOTE:
* el may not be a valid talloc context, it
* could be part of an array
*/
el = pyldb_MessageElement_AsMessageElement(el_list);
} else {
el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (el == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
el->name = ldap_display_name;
el->num_values = PyList_Size(el_list);
el->values = talloc_array(el, struct ldb_val, el->num_values);
if (el->values == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
for (i = 0; i < el->num_values; i++) {
PyObject *item = PyList_GetItem(el_list, i);
if (!PyString_Check(item)) {
PyErr_Format(PyExc_TypeError, "ldif_elements should be strings");
talloc_free(tmp_ctx);
return NULL;
}
el->values[i].data = (uint8_t *)PyString_AsString(item);
el->values[i].length = PyString_Size(item);
}
}
new_el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (new_el == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
/* Normalise "objectClass" attribute if needed */
if (ldb_attr_cmp(a->lDAPDisplayName, "objectClass") == 0) {
int iret;
iret = dsdb_sort_objectClass_attr(ldb, schema, el, new_el, new_el);
if (iret != LDB_SUCCESS) {
PyErr_SetString(PyExc_RuntimeError, ldb_errstring(ldb));
talloc_free(tmp_ctx);
return NULL;
}
}
/* first run ldb_to_drsuapi, then convert back again. This has
* the effect of normalising the attributes
*/
attr = talloc_zero(tmp_ctx, struct drsuapi_DsReplicaAttribute);
if (attr == NULL) {
PyErr_NoMemory();
talloc_free(tmp_ctx);
return NULL;
}
werr = a->syntax->ldb_to_drsuapi(&syntax_ctx, a, el, attr, attr);
PyErr_WERROR_NOT_OK_RAISE(werr);
/* now convert back again */
werr = a->syntax->drsuapi_to_ldb(&syntax_ctx, a, attr, new_el, new_el);
PyErr_WERROR_NOT_OK_RAISE(werr);
module = PyImport_ImportModule("ldb");
if (module == NULL) {
return NULL;
}
py_type = (PyTypeObject *)PyObject_GetAttrString(module, "MessageElement");
if (py_type == NULL) {
return NULL;
}
py_ret = py_type->tp_alloc(py_type, 0);
ret = (PyLdbMessageElementObject *)py_ret;
ret->mem_ctx = talloc_new(NULL);
if (talloc_reference(ret->mem_ctx, new_el) == NULL) {
PyErr_NoMemory();
return NULL;
}
ret->el = new_el;
talloc_free(tmp_ctx);
return py_ret;
}
WERROR dsdb_convert_object_ex(struct ldb_context *ldb,
const struct dsdb_schema *schema,
const struct dsdb_schema_prefixmap *pfm_remote,
const struct drsuapi_DsReplicaObjectListItemEx *in,
const DATA_BLOB *gensec_skey,
const uint32_t *ignore_attids,
uint32_t dsdb_repl_flags,
TALLOC_CTX *mem_ctx,
struct dsdb_extended_replicated_object *out)
{
NTSTATUS nt_status;
WERROR status = WERR_OK;
uint32_t i;
struct ldb_message *msg;
struct replPropertyMetaDataBlob *md;
int instanceType;
struct ldb_message_element *instanceType_e = NULL;
struct ldb_val guid_value;
struct ldb_val parent_guid_value;
NTTIME whenChanged = 0;
time_t whenChanged_t;
const char *whenChanged_s;
struct drsuapi_DsReplicaAttribute *name_a = NULL;
struct drsuapi_DsReplicaMetaData *name_d = NULL;
struct replPropertyMetaData1 *rdn_m = NULL;
struct dom_sid *sid = NULL;
uint32_t rid = 0;
uint32_t attr_count;
int ret;
if (!in->object.identifier) {
return WERR_FOOBAR;
}
if (!in->object.identifier->dn || !in->object.identifier->dn[0]) {
return WERR_FOOBAR;
}
if (in->object.attribute_ctr.num_attributes != 0 && !in->meta_data_ctr) {
return WERR_FOOBAR;
}
if (in->object.attribute_ctr.num_attributes != in->meta_data_ctr->count) {
return WERR_FOOBAR;
}
sid = &in->object.identifier->sid;
if (sid->num_auths > 0) {
rid = sid->sub_auths[sid->num_auths - 1];
}
msg = ldb_msg_new(mem_ctx);
W_ERROR_HAVE_NO_MEMORY(msg);
msg->dn = ldb_dn_new(msg, ldb, in->object.identifier->dn);
W_ERROR_HAVE_NO_MEMORY(msg->dn);
msg->num_elements = in->object.attribute_ctr.num_attributes;
msg->elements = talloc_array(msg, struct ldb_message_element,
msg->num_elements + 1); /* +1 because of the RDN attribute */
W_ERROR_HAVE_NO_MEMORY(msg->elements);
md = talloc(mem_ctx, struct replPropertyMetaDataBlob);
W_ERROR_HAVE_NO_MEMORY(md);
md->version = 1;
md->reserved = 0;
md->ctr.ctr1.count = in->meta_data_ctr->count;
md->ctr.ctr1.reserved = 0;
md->ctr.ctr1.array = talloc_array(mem_ctx,
struct replPropertyMetaData1,
md->ctr.ctr1.count + 1); /* +1 because of the RDN attribute */
W_ERROR_HAVE_NO_MEMORY(md->ctr.ctr1.array);
for (i=0, attr_count=0; i < in->meta_data_ctr->count; i++, attr_count++) {
struct drsuapi_DsReplicaAttribute *a;
struct drsuapi_DsReplicaMetaData *d;
struct replPropertyMetaData1 *m;
struct ldb_message_element *e;
uint32_t j;
a = &in->object.attribute_ctr.attributes[i];
d = &in->meta_data_ctr->meta_data[i];
m = &md->ctr.ctr1.array[attr_count];
e = &msg->elements[attr_count];
if (dsdb_attid_in_list(ignore_attids, a->attid)) {
attr_count--;
continue;
}
if (GUID_all_zero(&d->originating_invocation_id)) {
status = WERR_DS_SRC_GUID_MISMATCH;
DEBUG(0, ("Refusing replication of object containing invalid zero invocationID on attribute %d of %s: %s\n",
a->attid,
ldb_dn_get_linearized(msg->dn),
win_errstr(status)));
return status;
}
if (a->attid == DRSUAPI_ATTID_instanceType) {
if (instanceType_e != NULL) {
return WERR_FOOBAR;
}
instanceType_e = e;
}
for (j=0; j<a->value_ctr.num_values; j++) {
status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob,
gensec_skey, rid,
dsdb_repl_flags, a);
if (!W_ERROR_IS_OK(status)) {
break;
}
}
if (W_ERROR_EQUAL(status, WERR_TOO_MANY_SECRETS)) {
WERROR get_name_status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,
a, msg->elements, e);
if (W_ERROR_IS_OK(get_name_status)) {
DEBUG(0, ("Unxpectedly got secret value %s on %s from DRS server\n",
e->name, ldb_dn_get_linearized(msg->dn)));
} else {
DEBUG(0, ("Unxpectedly got secret value on %s from DRS server",
ldb_dn_get_linearized(msg->dn)));
}
} else if (!W_ERROR_IS_OK(status)) {
return status;
}
status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote,
a, msg->elements, e);
W_ERROR_NOT_OK_RETURN(status);
m->attid = a->attid;
m->version = d->version;
m->originating_change_time = d->originating_change_time;
m->originating_invocation_id = d->originating_invocation_id;
m->originating_usn = d->originating_usn;
m->local_usn = 0;
if (d->originating_change_time > whenChanged) {
whenChanged = d->originating_change_time;
}
if (a->attid == DRSUAPI_ATTID_name) {
name_a = a;
name_d = d;
}
}
msg->num_elements = attr_count;
md->ctr.ctr1.count = attr_count;
if (name_a) {
rdn_m = &md->ctr.ctr1.array[md->ctr.ctr1.count];
}
if (rdn_m) {
struct ldb_message_element *el;
const char *rdn_name = NULL;
const struct ldb_val *rdn_value = NULL;
const struct dsdb_attribute *rdn_attr = NULL;
uint32_t rdn_attid;
/*
* We only need the schema calls for the RDN in this
* codepath, and by doing this we avoid needing to
* have the dsdb_attribute_by_lDAPDisplayName accessor
* working during the schema load.
*/
rdn_name = ldb_dn_get_rdn_name(msg->dn);
rdn_attr = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
if (!rdn_attr) {
return WERR_FOOBAR;
}
rdn_attid = rdn_attr->attributeID_id;
rdn_value = ldb_dn_get_rdn_val(msg->dn);
el = ldb_msg_find_element(msg, rdn_attr->lDAPDisplayName);
if (!el) {
ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, rdn_value, NULL);
if (ret != LDB_SUCCESS) {
return WERR_FOOBAR;
}
} else {
if (el->num_values != 1) {
DEBUG(0,(__location__ ": Unexpected num_values=%u\n",
el->num_values));
return WERR_FOOBAR;
}
if (!ldb_val_equal_exact(&el->values[0], rdn_value)) {
DEBUG(0,(__location__ ": RDN value changed? '%*.*s' '%*.*s'\n",
(int)el->values[0].length, (int)el->values[0].length, el->values[0].data,
(int)rdn_value->length, (int)rdn_value->length, rdn_value->data));
return WERR_FOOBAR;
}
}
rdn_m->attid = rdn_attid;
rdn_m->version = name_d->version;
rdn_m->originating_change_time = name_d->originating_change_time;
rdn_m->originating_invocation_id = name_d->originating_invocation_id;
rdn_m->originating_usn = name_d->originating_usn;
rdn_m->local_usn = 0;
md->ctr.ctr1.count++;
}
if (instanceType_e == NULL) {
return WERR_FOOBAR;
}
instanceType = ldb_msg_find_attr_as_int(msg, "instanceType", 0);
if (dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) {
/* the instanceType type for partial_replica
replication is sent via DRS with TYPE_WRITE set, but
must be used on the client with TYPE_WRITE removed
*/
if (instanceType & INSTANCE_TYPE_WRITE) {
/*
* Make sure we do not change the order
* of msg->elements!
*
* That's why we use
* instanceType_e->num_values = 0
* instead of
* ldb_msg_remove_attr(msg, "instanceType");
*/
struct ldb_message_element *e;
e = ldb_msg_find_element(msg, "instanceType");
if (e != instanceType_e) {
DEBUG(0,("instanceType_e[%p] changed to e[%p]\n",
instanceType_e, e));
return WERR_FOOBAR;
}
instanceType_e->num_values = 0;
instanceType &= ~INSTANCE_TYPE_WRITE;
if (ldb_msg_add_fmt(msg, "instanceType", "%d", instanceType) != LDB_SUCCESS) {
return WERR_INTERNAL_ERROR;
}
}
} else {
if (!(instanceType & INSTANCE_TYPE_WRITE)) {
DEBUG(0, ("Refusing to replicate %s from a read-only repilca into a read-write replica!\n",
ldb_dn_get_linearized(msg->dn)));
return WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA;
}
}
whenChanged_t = nt_time_to_unix(whenChanged);
whenChanged_s = ldb_timestring(msg, whenChanged_t);
W_ERROR_HAVE_NO_MEMORY(whenChanged_s);
nt_status = GUID_to_ndr_blob(&in->object.identifier->guid, msg, &guid_value);
if (!NT_STATUS_IS_OK(nt_status)) {
return ntstatus_to_werror(nt_status);
}
if (in->parent_object_guid) {
nt_status = GUID_to_ndr_blob(in->parent_object_guid, msg, &parent_guid_value);
if (!NT_STATUS_IS_OK(nt_status)) {
return ntstatus_to_werror(nt_status);
}
} else {
parent_guid_value = data_blob_null;
}
out->msg = msg;
out->guid_value = guid_value;
out->parent_guid_value = parent_guid_value;
out->when_changed = whenChanged_s;
out->meta_data = md;
return WERR_OK;
}
