/*
Enumerate the group mappings for a domain
*/
static bool enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use,
GROUP_MAP **pp_rmap,
size_t *p_num_entries, bool unix_only)
{
int i, ret;
fstring name;
struct ldb_result *res = NULL;
struct ldb_dn *basedn=NULL;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) goto failed;
/* we do a subtree search on the domain */
if (domsid != NULL) {
sid_to_fstring(name, domsid);
basedn = ldb_dn_string_compose(tmp_ctx, NULL, "domain=%s", name);
if (basedn == NULL) goto failed;
}
if (sid_name_use == SID_NAME_UNKNOWN) {
ret = ldb_search(ldb, tmp_ctx, &res, basedn, LDB_SCOPE_SUBTREE,
NULL, "(&(objectClass=groupMap))");
} else {
ret = ldb_search(ldb, tmp_ctx, &res, basedn, LDB_SCOPE_SUBTREE,
NULL, "(&(sidNameUse=%u)(objectClass=groupMap))",
sid_name_use);
}
if (ret != LDB_SUCCESS) goto failed;
(*pp_rmap) = NULL;
*p_num_entries = 0;
for (i=0;i<res->count;i++) {
(*pp_rmap) = SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP,
(*p_num_entries)+1);
if (!(*pp_rmap)) goto failed;
if (!msg_to_group_map(res->msgs[i], &(*pp_rmap)[*p_num_entries])) {
goto failed;
}
(*p_num_entries)++;
}
talloc_free(tmp_ctx);
return True;
failed:
talloc_free(tmp_ctx);
return False;
}
/**
\details Get the organization name (like "First Organization") as a DN.
\param emsmdbp_ctx pointer to the EMSMDBP context
\param basedn pointer to the returned struct ldb_dn
\return MAPI_E_SUCCESS or an error if something happens
*/
_PUBLIC_ enum MAPISTATUS emsmdbp_get_org_dn(struct emsmdbp_context *emsmdbp_ctx, struct ldb_dn **basedn)
{
enum MAPISTATUS retval;
int ret;
struct ldb_result *res = NULL;
char *org_name;
OPENCHANGE_RETVAL_IF(!emsmdbp_ctx, MAPI_E_NOT_INITIALIZED, NULL);
OPENCHANGE_RETVAL_IF(!emsmdbp_ctx->samdb_ctx, MAPI_E_NOT_INITIALIZED, NULL);
OPENCHANGE_RETVAL_IF(!basedn, MAPI_E_INVALID_PARAMETER, NULL);
retval = emsmdbp_fetch_organizational_units(emsmdbp_ctx, emsmdbp_ctx, &org_name, NULL);
OPENCHANGE_RETVAL_IF(retval != MAPI_E_SUCCESS, retval, NULL);
ret = ldb_search(emsmdbp_ctx->samdb_ctx, emsmdbp_ctx, &res,
ldb_get_config_basedn(emsmdbp_ctx->samdb_ctx),
LDB_SCOPE_SUBTREE, NULL,
"(&(objectClass=msExchOrganizationContainer)(cn=%s))",
ldb_binary_encode_string(emsmdbp_ctx, org_name));
talloc_free(org_name);
/* If the search failed */
if (ret != LDB_SUCCESS) {
DEBUG(1, ("emsmdbp_get_org_dn ldb_search failure.\n"));
return MAPI_E_NOT_FOUND;
}
*basedn = ldb_dn_new(emsmdbp_ctx, emsmdbp_ctx->samdb_ctx,
ldb_msg_find_attr_as_string(res->msgs[0], "distinguishedName", NULL));
return MAPI_E_SUCCESS;
}
NSS_STATUS _nss_ldb_setpwent(void)
{
int ret;
ret = _ldb_nss_init();
if (ret != NSS_STATUS_SUCCESS) {
return ret;
}
_ldb_nss_ctx->pw_cur = 0;
if (_ldb_nss_ctx->pw_res != NULL) {
talloc_free(_ldb_nss_ctx->pw_res);
_ldb_nss_ctx->pw_res = NULL;
}
ret = ldb_search(_ldb_nss_ctx->ldb,
_ldb_nss_ctx->base,
LDB_SCOPE_SUBTREE,
_LDB_NSS_PWENT_FILTER,
_ldb_nss_pw_attrs,
&_ldb_nss_ctx->pw_res);
if (ret != LDB_SUCCESS) {
return NSS_STATUS_UNAVAIL;
}
return NSS_STATUS_SUCCESS;
}
/*
Return the sid and the type of the unix group.
*/
static bool get_group_map_from_ntname(const char *name, GROUP_MAP *map)
{
int ret;
char *expr;
struct ldb_result *res=NULL;
expr = talloc_asprintf(ldb, "(&(ntName=%s)(objectClass=groupMap))", name);
if (expr == NULL) goto failed;
ret = ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, NULL, &res);
if (ret != LDB_SUCCESS) {
goto failed;
}
talloc_steal(expr, res);
if (res->count != 1) {
goto failed;
}
if (!msg_to_group_map(res->msgs[0], map)) goto failed;
talloc_free(expr);
return True;
failed:
talloc_free(expr);
return False;
}
/*
return a group map entry for a given sid
*/
static bool get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
{
int ret;
struct ldb_dn *dn;
struct ldb_result *res=NULL;
dn = mapping_dn(ldb, &sid);
if (dn == NULL) goto failed;
ret = ldb_search(ldb, dn, LDB_SCOPE_BASE, NULL, NULL, &res);
if (ret != LDB_SUCCESS) {
goto failed;
}
talloc_steal(dn, res);
if (res->count != 1) {
goto failed;
}
if (!msg_to_group_map(res->msgs[0], map)) goto failed;
talloc_free(dn);
return True;
failed:
talloc_free(dn);
return False;
}
/*
return a group map entry for a given sid
*/
static bool get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
{
int ret;
struct ldb_dn *dn;
struct ldb_result *res=NULL;
bool result = false;
dn = mapping_dn(talloc_tos(), &sid);
if (dn == NULL) {
goto failed;
}
ret = ldb_search(ldb, dn, &res, dn, LDB_SCOPE_BASE, NULL, NULL);
if (ret != LDB_SUCCESS || res->count != 1) {
goto failed;
}
if (!msg_to_group_map(res->msgs[0], map)) {
goto failed;
}
result = true;
failed:
talloc_free(dn);
return result;
}
NSS_STATUS _nss_ldb_getpwnam_r(const char *name, struct passwd *result_buf, char *buffer, size_t buflen, int *errnop)
{
int ret;
char *filter;
struct ldb_result *res;
ret = _ldb_nss_init();
if (ret != NSS_STATUS_SUCCESS) {
return ret;
}
/* build the filter for this name */
filter = talloc_asprintf(_ldb_nss_ctx, _LDB_NSS_PWNAM_FILTER, name);
if (filter == NULL) {
/* this is a fatal error */
*errnop = errno = ENOENT;
ret = NSS_STATUS_UNAVAIL;
goto done;
}
/* search the entry */
ret = ldb_search(_ldb_nss_ctx->ldb,
_ldb_nss_ctx->base,
LDB_SCOPE_SUBTREE,
filter,
_ldb_nss_pw_attrs,
&res);
if (ret != LDB_SUCCESS) {
/* this is a fatal error */
*errnop = errno = ENOENT;
ret = NSS_STATUS_UNAVAIL;
goto done;
}
/* if none found return */
if (res->count == 0) {
*errnop = errno = ENOENT;
ret = NSS_STATUS_NOTFOUND;
goto done;
}
if (res->count != 1) {
/* this is a fatal error */
*errnop = errno = ENOENT;
ret = NSS_STATUS_UNAVAIL;
goto done;
}
/* fill in the passwd struct */
ret = _ldb_nss_fill_passwd(result_buf,
buffer,
buflen,
errnop,
res->msgs[0]);
done:
talloc_free(filter);
talloc_free(res);
return ret;
}
static int local_db_check_number_of_secrets(TALLOC_CTX *mem_ctx,
struct local_context *lctx)
{
TALLOC_CTX *tmp_ctx;
static const char *attrs[] = { NULL };
struct ldb_result *res = NULL;
struct ldb_dn *dn;
int ret;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM;
dn = ldb_dn_new(tmp_ctx, lctx->ldb, "cn=secrets");
if (!dn) {
ret = ENOMEM;
goto done;
}
ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
attrs, LOCAL_SIMPLE_FILTER);
if (res->count >= lctx->max_secrets) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot store any more secrets as the maximum allowed limit (%d) "
"has been reached\n", lctx->max_secrets);
ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
goto done;
}
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
static BOOL test_search_rootDSE(struct ldb_context *ldb, struct test_rootDSE *root)
{
int ret;
struct ldb_message *msg;
struct ldb_result *r;
d_printf("Testing RootDSE Search\n");
ret = ldb_search(ldb, ldb_dn_new(ldb, ldb, NULL), LDB_SCOPE_BASE,
NULL, NULL, &r);
if (ret != LDB_SUCCESS) {
return False;
} else if (r->count != 1) {
talloc_free(r);
return False;
}
msg = r->msgs[0];
root->defaultdn = ldb_msg_find_attr_as_string(msg, "defaultNamingContext", NULL);
talloc_steal(ldb, root->defaultdn);
root->rootdn = ldb_msg_find_attr_as_string(msg, "rootDomainNamingContext", NULL);
talloc_steal(ldb, root->rootdn);
root->configdn = ldb_msg_find_attr_as_string(msg, "configurationNamingContext", NULL);
talloc_steal(ldb, root->configdn);
root->schemadn = ldb_msg_find_attr_as_string(msg, "schemaNamingContext", NULL);
talloc_steal(ldb, root->schemadn);
talloc_free(r);
return True;
}
/**
\details return the next unmapped property ID
\param ldb_ctx pointer to the namedprops ldb context
\return 0 on error, the next mapped id otherwise
*/
_PUBLIC_ uint16_t mapistore_namedprops_next_unused_id(struct ldb_context *ldb_ctx)
{
uint16_t highest_id = 0, current_id;
TALLOC_CTX *mem_ctx;
struct ldb_result *res = NULL;
const char * const attrs[] = { "mappedId", NULL };
int ret;
unsigned int i;
mem_ctx = talloc_named(NULL, 0, "mapistore_namedprops_get_mapped_propID");
ret = ldb_search(ldb_ctx, mem_ctx, &res, ldb_get_default_basedn(ldb_ctx),
LDB_SCOPE_SUBTREE, attrs, "(cn=*)");
MAPISTORE_RETVAL_IF(ret != LDB_SUCCESS, 0, mem_ctx);
for (i = 0; i < res->count; i++) {
current_id = ldb_msg_find_attr_as_uint(res->msgs[i], "mappedId", 0);
if (current_id > 0 && highest_id < current_id) {
highest_id = current_id;
}
}
talloc_free(mem_ctx);
DEBUG(5, ("next_mapped_id: %d\n", (highest_id + 1)));
return (highest_id + 1);
}
/*
* GetUniqueFMID
*
* This function is a copy of original openchangedb_get_new_folderID from libproxy/openchangedb.C
*
* I extract this function because :
* - Function can be implemented directly in the backend
* -
*/
enum MAPISTATUS GetUniqueFMID(struct EasyLinuxContext *elContext, uint64_t *FMID)
{
int ret;
struct ldb_result *res;
struct ldb_message *msg;
const char * const attrs[] = { "*", NULL };
/* Get the current GlobalCount */
ret = ldb_search(elContext->LdbTable, elContext->mem_ctx, &res, ldb_get_root_basedn(elContext->LdbTable),
LDB_SCOPE_SUBTREE, attrs, "(objectClass=server)");
if( ret != LDB_SUCCESS || !res->count )
return MAPI_E_NOT_FOUND;
*FMID = ldb_msg_find_attr_as_uint64(res->msgs[0], "GlobalCount", 0);
/* Update GlobalCount value */
msg = ldb_msg_new(elContext->mem_ctx);
msg->dn = ldb_dn_copy(msg, ldb_msg_find_attr_as_dn(elContext->LdbTable, elContext->mem_ctx, res->msgs[0], "distinguishedName"));
ldb_msg_add_fmt(msg, "GlobalCount", "%llu", (long long unsigned int) ((*FMID) + 1));
msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
ret = ldb_modify(elContext->LdbTable, msg);
if( ret != LDB_SUCCESS || !res->count )
return MAPI_E_NOT_FOUND;
*FMID = (exchange_globcnt(*FMID) << 16) | 0x0001;
return MAPI_E_SUCCESS;
}
/**
\details Check if the user record which legacyExchangeDN points to
belongs to the Exchange organization and is enabled
\param dce_call pointer to the session context
\param emsmdbp_ctx pointer to the EMSMDBP context
\param legacyExchangeDN pointer to the userDN to lookup
\param msg pointer on pointer to the LDB message matching the record
\note Users can set msg to NULL if they do not intend to retrieve
the message
\return true on success, otherwise false
*/
_PUBLIC_ bool emsmdbp_verify_userdn(struct dcesrv_call_state *dce_call,
struct emsmdbp_context *emsmdbp_ctx,
const char *legacyExchangeDN,
struct ldb_message **msg)
{
int ret;
int msExchUserAccountControl;
struct ldb_result *res = NULL;
const char * const recipient_attrs[] = { "*", NULL };
/* Sanity Checks */
if (!legacyExchangeDN) return false;
ret = ldb_search(emsmdbp_ctx->samdb_ctx, emsmdbp_ctx, &res,
ldb_get_default_basedn(emsmdbp_ctx->samdb_ctx),
LDB_SCOPE_SUBTREE, recipient_attrs, "(legacyExchangeDN=%s)",
legacyExchangeDN);
/* If the search failed */
if (ret != LDB_SUCCESS || !res->count) {
return false;
}
/* Checks msExchUserAccountControl value */
msExchUserAccountControl = ldb_msg_find_attr_as_int(res->msgs[0], "msExchUserAccountControl", 2);
if (msExchUserAccountControl == 2) {
return false;
}
if (msg) {
*msg = res->msgs[0];
}
return true;
}
static NTSTATUS unbecomeDC_ldap_computer_object(struct libnet_UnbecomeDC_state *s)
{
int ret;
struct ldb_result *r;
struct ldb_dn *basedn;
static const char *attrs[] = {
"distinguishedName",
"userAccountControl",
NULL
};
basedn = ldb_dn_new(s, s->ldap.ldb, s->domain.dn_str);
NT_STATUS_HAVE_NO_MEMORY(basedn);
ret = ldb_search(s->ldap.ldb, s, &r, basedn, LDB_SCOPE_SUBTREE, attrs,
"(&(|(objectClass=user)(objectClass=computer))(sAMAccountName=%s$))",
s->dest_dsa.netbios_name);
talloc_free(basedn);
if (ret != LDB_SUCCESS) {
return NT_STATUS_LDAP(ret);
} else if (r->count != 1) {
talloc_free(r);
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
s->dest_dsa.computer_dn_str = ldb_msg_find_attr_as_string(r->msgs[0], "distinguishedName", NULL);
if (!s->dest_dsa.computer_dn_str) return NT_STATUS_INVALID_NETWORK_RESPONSE;
talloc_steal(s, s->dest_dsa.computer_dn_str);
s->dest_dsa.user_account_control = ldb_msg_find_attr_as_uint(r->msgs[0], "userAccountControl", 0);
talloc_free(r);
return NT_STATUS_OK;
}
/*
allocate a new id, attempting to do it atomically
return 0 on failure, the id on success
*/
static int samldb_find_next_rid(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_dn *dn, uint32_t *old_rid)
{
const char * const attrs[2] = { "nextRid", NULL };
struct ldb_result *res = NULL;
int ret;
const char *str;
ret = ldb_search(module->ldb, dn, LDB_SCOPE_BASE, "nextRid=*", attrs, &res);
if (ret != LDB_SUCCESS) {
return ret;
}
if (res->count != 1) {
talloc_free(res);
return LDB_ERR_OPERATIONS_ERROR;
}
str = ldb_msg_find_attr_as_string(res->msgs[0], "nextRid", NULL);
if (str == NULL) {
ldb_asprintf_errstring(module->ldb,
"attribute nextRid not found in %s\n",
ldb_dn_get_linearized(dn));
talloc_free(res);
return LDB_ERR_OPERATIONS_ERROR;
}
*old_rid = strtol(str, NULL, 0);
talloc_free(res);
return LDB_SUCCESS;
}
static int ldb_delete_recursive(struct ldb_context *ldb, struct ldb_dn *dn)
{
int ret, i, total=0;
const char *attrs[] = { NULL };
struct ldb_result *res;
ret = ldb_search(ldb, ldb, &res, dn, LDB_SCOPE_SUBTREE, attrs, "distinguishedName=*");
if (ret != LDB_SUCCESS) return -1;
/* sort the DNs, deepest first */
qsort(res->msgs, res->count, sizeof(res->msgs[0]), dn_cmp);
for (i = 0; i < res->count; i++) {
if (ldb_delete(ldb, res->msgs[i]->dn) == 0) {
total++;
} else {
printf("Failed to delete '%s' - %s\n",
ldb_dn_get_linearized(res->msgs[i]->dn),
ldb_errstring(ldb));
}
}
talloc_free(res);
if (total == 0) {
return -1;
}
printf("Deleted %d records\n", total);
return 0;
}
/* Find a domain object in the parents of a particular DN. */
static struct ldb_dn *samldb_search_domain(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_dn *dn)
{
TALLOC_CTX *local_ctx;
struct ldb_dn *sdn;
struct ldb_result *res = NULL;
int ret = 0;
const char *attrs[] = { NULL };
local_ctx = talloc_new(mem_ctx);
if (local_ctx == NULL) return NULL;
sdn = ldb_dn_copy(local_ctx, dn);
do {
ret = ldb_search(module->ldb, sdn, LDB_SCOPE_BASE,
"(|(objectClass=domain)(objectClass=builtinDomain))", attrs, &res);
if (ret == LDB_SUCCESS) {
talloc_steal(local_ctx, res);
if (res->count == 1) {
break;
}
}
} while ((sdn = ldb_dn_get_parent(local_ctx, sdn)));
if (ret != LDB_SUCCESS || res->count != 1) {
talloc_free(local_ctx);
return NULL;
}
talloc_steal(mem_ctx, sdn);
talloc_free(local_ctx);
return sdn;
}
static int confdb_purge(struct confdb_ctx *cdb)
{
int ret, i;
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
struct ldb_dn *dn;
const char *attrs[] = { "dn", NULL };
tmp_ctx = talloc_new(NULL);
dn = ldb_dn_new(tmp_ctx, cdb->ldb, "cn=config");
/* Get the list of all DNs */
ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn,
LDB_SCOPE_SUBTREE, attrs, NULL);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}
for(i=0; i<res->count; i++) {
/* Delete this DN */
ret = ldb_delete(cdb->ldb, res->msgs[i]->dn);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
goto done;
}
}
done:
talloc_free(tmp_ctx);
return ret;
}
WERROR dreplsrv_load_partitions(struct dreplsrv_service *s)
{
WERROR status;
static const char *attrs[] = { "namingContexts", NULL };
unsigned int i;
int ret;
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
struct ldb_message_element *el;
tmp_ctx = talloc_new(s);
W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
ret = ldb_search(s->samdb, tmp_ctx, &res,
ldb_dn_new(tmp_ctx, s->samdb, ""), LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(1,("Searching for namingContexts in rootDSE failed: %s\n", ldb_errstring(s->samdb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
el = ldb_msg_find_element(res->msgs[0], "namingContexts");
if (!el) {
DEBUG(1,("Finding namingContexts element in root_res failed: %s\n",
ldb_errstring(s->samdb)));
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
for (i=0; i<el->num_values; i++) {
struct ldb_dn *pdn;
struct dreplsrv_partition *p;
pdn = ldb_dn_from_ldb_val(tmp_ctx, s->samdb, &el->values[i]);
if (pdn == NULL) {
talloc_free(tmp_ctx);
return WERR_DS_DRA_INTERNAL_ERROR;
}
if (!ldb_dn_validate(pdn)) {
return WERR_DS_DRA_INTERNAL_ERROR;
}
p = talloc_zero(s, struct dreplsrv_partition);
W_ERROR_HAVE_NO_MEMORY(p);
p->dn = talloc_steal(p, pdn);
DLIST_ADD(s->partitions, p);
DEBUG(2, ("dreplsrv_partition[%s] loaded\n", ldb_dn_get_linearized(p->dn)));
}
talloc_free(tmp_ctx);
status = dreplsrv_refresh_partitions(s);
W_ERROR_NOT_OK_RETURN(status);
return WERR_OK;
}
/* search the domain related to the provided dn
allocate a new RID for the domain
return the new sid string
*/
static int samldb_get_new_sid(struct ldb_module *module,
TALLOC_CTX *mem_ctx, struct ldb_dn *obj_dn,
struct dom_sid **sid)
{
const char * const attrs[2] = { "objectSid", NULL };
struct ldb_result *res = NULL;
struct ldb_dn *dom_dn;
int ret;
struct dom_sid *dom_sid;
/* get the domain component part of the provided dn */
dom_dn = samldb_search_domain(module, mem_ctx, obj_dn);
if (dom_dn == NULL) {
ldb_asprintf_errstring(module->ldb,
"Invalid dn (%s) not child of a domain object!\n",
ldb_dn_get_linearized(obj_dn));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
/* find the domain sid */
ret = ldb_search(module->ldb, dom_dn, LDB_SCOPE_BASE, "objectSid=*", attrs, &res);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(module->ldb,
"samldb_get_new_sid: error retrieving domain sid from %s: %s!\n",
ldb_dn_get_linearized(dom_dn),
ldb_errstring(module->ldb));
talloc_free(res);
return ret;
}
if (res->count != 1) {
ldb_asprintf_errstring(module->ldb,
"samldb_get_new_sid: error retrieving domain sid from %s: not found!\n",
ldb_dn_get_linearized(dom_dn));
talloc_free(res);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
dom_sid = samdb_result_dom_sid(res, res->msgs[0], "objectSid");
if (dom_sid == NULL) {
ldb_set_errstring(module->ldb, "samldb_get_new_sid: error parsing domain sid!\n");
talloc_free(res);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
/* allocate a new Rid for the domain */
ret = samldb_allocate_next_rid(module, mem_ctx, dom_dn, dom_sid, sid);
if (ret != 0) {
ldb_debug(module->ldb, LDB_DEBUG_FATAL, "Failed to increment nextRid of %s: %s\n", ldb_dn_get_linearized(dom_dn), ldb_errstring(module->ldb));
talloc_free(res);
return ret;
}
talloc_free(res);
return ret;
}
static NTSTATUS sldb_get_config(TALLOC_CTX *mem_ctx,
struct share_context *ctx,
const char *name,
struct share_config **scfg)
{
int ret;
struct share_config *s;
struct ldb_context *ldb;
struct ldb_result *res;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
DEBUG(0,("ERROR: Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
ldb = talloc_get_type(ctx->priv_data, struct ldb_context);
ret = ldb_search(ldb, tmp_ctx, &res,
ldb_dn_new(tmp_ctx, ldb, "CN=SHARES"), LDB_SCOPE_SUBTREE, NULL,
"(name=%s)", name);
if (ret != LDB_SUCCESS || res->count > 1) {
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (res->count != 1) {
talloc_free(tmp_ctx);
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
s = talloc(tmp_ctx, struct share_config);
if (!s) {
DEBUG(0,("ERROR: Out of memory!\n"));
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
s->name = talloc_strdup(s, ldb_msg_find_attr_as_string(res->msgs[0], "name", NULL));
if (!s->name) {
DEBUG(0,("ERROR: Invalid share object!\n"));
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
s->opaque = talloc_steal(s, res->msgs[0]);
if (!s->opaque) {
DEBUG(0,("ERROR: Invalid share object!\n"));
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
s->ctx = ctx;
*scfg = talloc_steal(mem_ctx, s);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
WERROR dreplsrv_load_partitions(struct dreplsrv_service *s)
{
WERROR status;
struct ldb_dn *basedn;
struct ldb_result *r;
struct ldb_message_element *el;
static const char *attrs[] = { "namingContexts", NULL };
uint32_t i;
int ret;
basedn = ldb_dn_new(s, s->samdb, NULL);
W_ERROR_HAVE_NO_MEMORY(basedn);
ret = ldb_search(s->samdb, s, &r, basedn, LDB_SCOPE_BASE, attrs,
"(objectClass=*)");
talloc_free(basedn);
if (ret != LDB_SUCCESS) {
return WERR_FOOBAR;
} else if (r->count != 1) {
talloc_free(r);
return WERR_FOOBAR;
}
el = ldb_msg_find_element(r->msgs[0], "namingContexts");
if (!el) {
return WERR_FOOBAR;
}
for (i=0; el && i < el->num_values; i++) {
const char *v = (const char *)el->values[i].data;
struct ldb_dn *pdn;
struct dreplsrv_partition *p;
pdn = ldb_dn_new(s, s->samdb, v);
if (!ldb_dn_validate(pdn)) {
return WERR_FOOBAR;
}
p = talloc_zero(s, struct dreplsrv_partition);
W_ERROR_HAVE_NO_MEMORY(p);
p->dn = talloc_steal(p, pdn);
DLIST_ADD(s->partitions, p);
DEBUG(2, ("dreplsrv_partition[%s] loaded\n", v));
}
talloc_free(r);
status = dreplsrv_refresh_partitions(s);
W_ERROR_NOT_OK_RETURN(status);
return WERR_OK;
}
static NTSTATUS unbecomeDC_ldap_move_computer(struct libnet_UnbecomeDC_state *s)
{
int ret;
struct ldb_result *r;
struct ldb_dn *basedn;
struct ldb_dn *old_dn;
struct ldb_dn *new_dn;
static const char *_1_1_attrs[] = {
"1.1",
NULL
};
basedn = ldb_dn_new_fmt(s, s->ldap.ldb, "<WKGUID=aa312825768811d1aded00c04fd8d5cd,%s>",
s->domain.dn_str);
NT_STATUS_HAVE_NO_MEMORY(basedn);
ret = ldb_search(s->ldap.ldb, s, &r, basedn, LDB_SCOPE_BASE,
_1_1_attrs, "(objectClass=*)");
talloc_free(basedn);
if (ret != LDB_SUCCESS) {
return NT_STATUS_LDAP(ret);
} else if (r->count != 1) {
talloc_free(r);
return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
old_dn = ldb_dn_new(r, s->ldap.ldb, s->dest_dsa.computer_dn_str);
NT_STATUS_HAVE_NO_MEMORY(old_dn);
new_dn = r->msgs[0]->dn;
if (!ldb_dn_add_child_fmt(new_dn, "CN=%s", s->dest_dsa.netbios_name)) {
talloc_free(r);
return NT_STATUS_NO_MEMORY;
}
if (ldb_dn_compare(old_dn, new_dn) == 0) {
/* we don't need to rename if the old and new dn match */
talloc_free(r);
return NT_STATUS_OK;
}
ret = ldb_rename(s->ldap.ldb, old_dn, new_dn);
if (ret != LDB_SUCCESS) {
talloc_free(r);
return NT_STATUS_LDAP(ret);
}
s->dest_dsa.computer_dn_str = ldb_dn_alloc_linearized(s, new_dn);
NT_STATUS_HAVE_NO_MEMORY(s->dest_dsa.computer_dn_str);
talloc_free(r);
return NT_STATUS_OK;
}
static int check_access_on_dn(struct ldb_module *module,
TALLOC_CTX *mem_ctx,
struct ldb_dn *dn,
uint32_t access,
struct object_tree *tree)
{
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_result *acl_res;
struct security_descriptor *sd = NULL;
struct dom_sid *sid = NULL;
NTSTATUS status;
uint32_t access_granted;
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
"objectSid",
NULL
};
ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl: failed to find object %s\n", ldb_dn_get_linearized(dn)));
return ret;
}
ret = get_sd_from_ldb_message(mem_ctx, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
return LDB_SUCCESS;
}
ret = get_dom_sid_from_ldb_message(mem_ctx, acl_res->msgs[0], &sid);
if (ret != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
status = sec_access_check_ds(sd, acl_user_token(module),
access,
&access_granted,
tree,
sid);
if (!NT_STATUS_IS_OK(status)) {
acl_debug(sd,
acl_user_token(module),
dn,
true,
10);
return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
}
return LDB_SUCCESS;
}
int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *name,
struct ldb_result **_res)
{
TALLOC_CTX *tmp_ctx;
static const char *attrs[] = SYSDB_PW_ATTRS;
struct ldb_dn *base_dn;
struct ldb_result *res;
char *sanitized_name;
char *lc_sanitized_name;
const char *src_name;
int ret;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
return ENOMEM;
}
base_dn = sysdb_user_base_dn(tmp_ctx, domain);
if (!base_dn) {
ret = ENOMEM;
goto done;
}
/* If this is a subdomain we need to use fully qualified names for the
* search as well by default */
src_name = sss_get_domain_name(tmp_ctx, name, domain);
if (!src_name) {
ret = ENOMEM;
goto done;
}
ret = sss_filter_sanitize_for_dom(tmp_ctx, src_name, domain,
&sanitized_name, &lc_sanitized_name);
if (ret != EOK) {
goto done;
}
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
LDB_SCOPE_SUBTREE, attrs, SYSDB_PWNAM_FILTER,
lc_sanitized_name,
sanitized_name, sanitized_name);
if (ret) {
ret = sysdb_error_to_errno(ret);
goto done;
}
*_res = talloc_steal(mem_ctx, res);
done:
talloc_zfree(tmp_ctx);
return ret;
}
/*
enumerate sids that have the given alias set in member
*/
static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
{
const char *attrs[] = {
"member",
NULL
};
int ret, i;
NTSTATUS status = NT_STATUS_OK;
struct ldb_result *res=NULL;
struct ldb_dn *dn;
struct ldb_message_element *el;
*sids = NULL;
*num = 0;
dn = mapping_dn(ldb, alias);
if (dn == NULL) {
return NT_STATUS_NO_MEMORY;
}
ret = ldb_search(ldb, dn, LDB_SCOPE_BASE, NULL, attrs, &res);
if (ret == LDB_SUCCESS && res->count == 0) {
talloc_free(res);
talloc_free(dn);
return NT_STATUS_OK;
}
if (ret != LDB_SUCCESS) {
talloc_free(dn);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
talloc_steal(dn, res);
el = ldb_msg_find_element(res->msgs[0], "member");
if (el == NULL) {
talloc_free(dn);
return NT_STATUS_OK;
}
for (i=0;i<el->num_values;i++) {
DOM_SID sid;
string_to_sid(&sid, (const char *)el->values[i].data);
status = add_sid_to_array_unique(NULL, &sid, sids, num);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
done:
talloc_free(dn);
return status;
}
/**
* Find out user's samAccountName for given
* user RDN. We need samAccountName value
* when deleting users.
*/
static bool _get_account_name_for_user_rdn(struct torture_context *tctx,
const char *user_rdn,
TALLOC_CTX *mem_ctx,
const char **_account_name)
{
const char *url;
struct ldb_context *ldb;
TALLOC_CTX *tmp_ctx;
bool test_res = true;
const char *hostname = torture_setting_string(tctx, "host", NULL);
int ldb_ret;
struct ldb_result *ldb_res;
const char *account_name = NULL;
static const char *attrs[] = {
"samAccountName",
NULL
};
torture_assert(tctx, hostname != NULL, "Failed to get hostname");
tmp_ctx = talloc_new(tctx);
torture_assert(tctx, tmp_ctx != NULL, "Failed to create temporary mem context");
url = talloc_asprintf(tmp_ctx, "ldap://%s/", hostname);
torture_assert_goto(tctx, url != NULL, test_res, done, "Failed to allocate URL for ldb");
ldb = ldb_wrap_connect(tmp_ctx,
tctx->ev, tctx->lp_ctx,
url, NULL, cmdline_credentials, 0);
torture_assert_goto(tctx, ldb != NULL, test_res, done, "Failed to make LDB connection");
ldb_ret = ldb_search(ldb, tmp_ctx, &ldb_res,
ldb_get_default_basedn(ldb), LDB_SCOPE_SUBTREE,
attrs,
"(&(objectClass=user)(name=%s))", user_rdn);
if (LDB_SUCCESS == ldb_ret && 1 == ldb_res->count) {
account_name = ldb_msg_find_attr_as_string(ldb_res->msgs[0], "samAccountName", NULL);
}
/* return user_rdn by default */
if (!account_name) {
account_name = user_rdn;
}
/* duplicate memory in parent context */
*_account_name = talloc_strdup(mem_ctx, account_name);
done:
talloc_free(tmp_ctx);
return test_res;
}
ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
const char *dn, const char **attrs)
{
ADS_STATUS status;
status.err.rc = ldb_search(ads->ldbctx, ads, res,
ldb_dn_new(ads, ads->ldbctx, dn),
LDB_SCOPE_BASE,
attrs,
"(objectclass=*)");
status.error_type = ENUM_ADS_ERROR_LDAP;
return status;
}
static int local_db_check_containers(TALLOC_CTX *mem_ctx,
struct local_context *lctx,
struct ldb_dn *leaf_dn)
{
TALLOC_CTX *tmp_ctx;
static const char *attrs[] = { NULL};
struct ldb_result *res = NULL;
struct ldb_dn *dn;
int num;
int ret;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM;
dn = ldb_dn_copy(tmp_ctx, leaf_dn);
if (!dn) {
ret = ENOMEM;
goto done;
}
/* We need to exclude the leaf as that will be the new child entry,
* We also do not care for the synthetic containers that constitute the
* base path (cn=<uidnumber>,cn=users,cn=secrets), so in total we remove
* 4 components */
num = ldb_dn_get_comp_num(dn) - 4;
for (int i = 0; i < num; i++) {
/* remove the child first (we do not want to check the leaf) */
if (!ldb_dn_remove_child_components(dn, 1)) return EFAULT;
/* and check the parent container exists */
DEBUG(SSSDBG_TRACE_INTERNAL,
"Searching for [%s] at [%s] with scope=base\n",
LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(dn));
ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
attrs, LOCAL_CONTAINER_FILTER);
if (ret != LDB_SUCCESS || res->count != 1) {
DEBUG(SSSDBG_TRACE_LIBS,
"DN [%s] does not exist\n", ldb_dn_get_linearized(dn));
return ENOENT;
}
}
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
/*
search the sam for the specified attributes - va_list variant
*/
int gendb_search_v(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
struct ldb_message ***msgs,
const char * const *attrs,
const char *format,
va_list ap)
{
enum ldb_scope scope = LDB_SCOPE_SUBTREE;
struct ldb_result *res;
char *expr = NULL;
int ret;
if (format) {
expr = talloc_vasprintf(mem_ctx, format, ap);
if (expr == NULL) {
return -1;
}
} else {
scope = LDB_SCOPE_BASE;
}
res = NULL;
ret = ldb_search(ldb, mem_ctx, &res, basedn, scope, attrs,
expr?"%s":NULL, expr);
if (ret == LDB_SUCCESS) {
talloc_steal(mem_ctx, res->msgs);
DEBUG(6,("gendb_search_v: %s %s -> %d\n",
basedn?ldb_dn_get_linearized(basedn):"NULL",
expr?expr:"NULL", res->count));
ret = res->count;
*msgs = res->msgs;
talloc_free(res);
} else if (scope == LDB_SCOPE_BASE && ret == LDB_ERR_NO_SUCH_OBJECT) {
ret = 0;
*msgs = NULL;
} else {
DEBUG(4,("gendb_search_v: search failed: %s\n",
ldb_errstring(ldb)));
ret = -1;
}
talloc_free(expr);
return ret;
}
/*
This operation happens on session setup, so it should better be fast. We
store a list of aliases a SID is member of hanging off MEMBEROF/SID.
*/
static NTSTATUS one_alias_membership(const DOM_SID *member,
DOM_SID **sids, size_t *num)
{
const char *attrs[] = {
"sid",
NULL
};
DOM_SID alias;
char *expr;
int ret, i;
struct ldb_result *res=NULL;
fstring string_sid;
NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION;
if (!sid_to_fstring(string_sid, member)) {
return NT_STATUS_INVALID_PARAMETER;
}
expr = talloc_asprintf(ldb, "(&(member=%s)(objectClass=groupMap))",
string_sid);
if (expr == NULL) goto failed;
ret = ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, attrs, &res);
talloc_steal(expr, res);
if (ret != LDB_SUCCESS) {
goto failed;
}
for (i=0;i<res->count;i++) {
struct ldb_message_element *el;
el = ldb_msg_find_element(res->msgs[i], "sid");
if (el == NULL || el->num_values != 1) {
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto failed;
}
string_to_sid(&alias, (char *)el->values[0].data);
status = add_sid_to_array_unique(NULL, &alias, sids, num);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
}
talloc_free(expr);
return NT_STATUS_OK;
failed:
talloc_free(expr);
return status;
}
