static char *local_dn_to_path(TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, struct ldb_dn *dn) { int basecomps; int dncomps; char *path = NULL; basecomps = ldb_dn_get_comp_num(basedn); dncomps = ldb_dn_get_comp_num(dn); for (int i = dncomps - basecomps; i > 0; i--) { const struct ldb_val *val; val = ldb_dn_get_component_val(dn, i - 1); if (!val) return NULL; if (path) { path = talloc_strdup_append_buffer(path, "/"); if (!path) return NULL; path = talloc_strndup_append_buffer(path, (char *)val->data, val->length); } else { path = talloc_strndup(mem_ctx, (char *)val->data, val->length); } if (!path) return NULL; } DEBUG(SSSDBG_TRACE_INTERNAL, "Secrets path for [%s] is [%s]\n", ldb_dn_get_linearized(dn), path); return path; }
/* Copy a DN with the base DN of the remote partition. */ static struct ldb_dn *ldb_dn_rebase_remote(void *mem_ctx, const struct ldb_map_context *data, struct ldb_dn *dn) { struct ldb_dn *new_dn; new_dn = ldb_dn_copy(mem_ctx, dn); if ( ! ldb_dn_validate(new_dn)) { talloc_free(new_dn); return NULL; } /* may be we don't need to rebase at all */ if ( ! data->remote_base_dn || ! data->local_base_dn) { return new_dn; } if ( ! ldb_dn_remove_base_components(new_dn, ldb_dn_get_comp_num(data->local_base_dn))) { talloc_free(new_dn); return NULL; } if ( ! ldb_dn_add_base(new_dn, data->remote_base_dn)) { talloc_free(new_dn); return NULL; } return new_dn; }
static int local_db_check_containers(TALLOC_CTX *mem_ctx, struct local_context *lctx, struct ldb_dn *leaf_dn) { TALLOC_CTX *tmp_ctx; static const char *attrs[] = { NULL}; struct ldb_result *res = NULL; struct ldb_dn *dn; int num; int ret; tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) return ENOMEM; dn = ldb_dn_copy(tmp_ctx, leaf_dn); if (!dn) { ret = ENOMEM; goto done; } /* We need to exclude the leaf as that will be the new child entry, * We also do not care for the synthetic containers that constitute the * base path (cn=<uidnumber>,cn=users,cn=secrets), so in total we remove * 4 components */ num = ldb_dn_get_comp_num(dn) - 4; for (int i = 0; i < num; i++) { /* remove the child first (we do not want to check the leaf) */ if (!ldb_dn_remove_child_components(dn, 1)) return EFAULT; /* and check the parent container exists */ DEBUG(SSSDBG_TRACE_INTERNAL, "Searching for [%s] at [%s] with scope=base\n", LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(dn)); ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, LOCAL_CONTAINER_FILTER); if (ret != LDB_SUCCESS || res->count != 1) { DEBUG(SSSDBG_TRACE_LIBS, "DN [%s] does not exist\n", ldb_dn_get_linearized(dn)); return ENOENT; } } ret = EOK; done: talloc_free(tmp_ctx); return ret; }
/* check if the scope matches in a search result */ static int ldb_match_scope(struct ldb_context *ldb, struct ldb_dn *base, struct ldb_dn *dn, enum ldb_scope scope) { int ret = 0; if (base == NULL || dn == NULL) { return 1; } switch (scope) { case LDB_SCOPE_BASE: if (ldb_dn_compare(base, dn) == 0) { ret = 1; } break; case LDB_SCOPE_ONELEVEL: if (ldb_dn_get_comp_num(dn) == (ldb_dn_get_comp_num(base) + 1)) { if (ldb_dn_compare_base(base, dn) == 0) { ret = 1; } } break; case LDB_SCOPE_SUBTREE: default: if (ldb_dn_compare_base(base, dn) == 0) { ret = 1; } break; } return ret; }
static int local_db_check_containers_nest_level(struct local_context *lctx, struct ldb_dn *leaf_dn) { int nest_level; /* We need do not care for the synthetic containers that constitute the * base path (cn=<uidnumber>,cn=user,cn=secrets). */ nest_level = ldb_dn_get_comp_num(leaf_dn) - 3; if (nest_level > lctx->containers_nest_level) { DEBUG(SSSDBG_OP_FAILURE, "Cannot create a nested container of depth %d as the maximum" "allowed number of nested containers is %d.\n", nest_level, lctx->containers_nest_level); return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL; } return EOK; }
static int fix_dn(struct ldb_dn *dn) { int i, ret; char *upper_rdn_attr; for (i=0; i < ldb_dn_get_comp_num(dn); i++) { /* We need the attribute name in upper case */ upper_rdn_attr = strupper_talloc(dn, ldb_dn_get_component_name(dn, i)); if (!upper_rdn_attr) { return LDB_ERR_OPERATIONS_ERROR; } /* And replace it with CN=foo (we need the attribute in upper case */ ret = ldb_dn_set_component(dn, i, upper_rdn_attr, *ldb_dn_get_component_val(dn, i)); talloc_free(upper_rdn_attr); if (ret != LDB_SUCCESS) { return ret; } } return LDB_SUCCESS; }
static bool torture_ldb_dn_extended(struct torture_context *torture) { TALLOC_CTX *mem_ctx = talloc_new(torture); struct ldb_context *ldb; struct ldb_dn *dn, *dn2; DATA_BLOB sid_blob = strhex_to_data_blob(mem_ctx, hex_sid); DATA_BLOB guid_blob = strhex_to_data_blob(mem_ctx, hex_guid); const char *dn_str = "cn=admin,cn=users,dc=samba,dc=org"; torture_assert(torture, ldb = ldb_init(mem_ctx, torture->ev), "Failed to init ldb"); torture_assert_int_equal(torture, ldb_register_samba_handlers(ldb), 0, "Failed to register Samba handlers"); ldb_set_utf8_fns(ldb, NULL, wrap_casefold); /* Check behaviour of a normal DN */ torture_assert(torture, dn = ldb_dn_new(mem_ctx, ldb, dn_str), "Failed to create a 'normal' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'normal' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == false, "Should not find plain DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on plain DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an GUID on plain DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "WKGUID") == NULL, "Should not find an WKGUID on plain DN"); /* Now make an extended DN */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>;<SID=%s>;%s", guid, sid, dn_str), "Failed to create an 'extended' DN"); torture_assert(torture, dn2 = ldb_dn_copy(mem_ctx, dn), "Failed to copy the 'extended' DN"); talloc_free(dn); dn = dn2; torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL, "Should find an SID on extended DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL, "Should find an GUID on extended DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), dn_str, "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_casefold(dn), strupper_talloc(mem_ctx, dn_str), "casefolded DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_component_name(dn, 0), "cn", "componet zero incorrect"); torture_assert_data_blob_equal(torture, *ldb_dn_get_component_val(dn, 0), data_blob_string_const("admin"), "componet zero incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", guid, sid, dn_str), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", hex_guid, hex_sid, dn_str), "HEX extended linearized DN incorrect"); torture_assert(torture, ldb_dn_remove_child_components(dn, 1) == true, "Failed to remove DN child"); torture_assert(torture, ldb_dn_has_extended(dn) == false, "Extended DN flag should be cleared after child element removal"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an GUID on DN"); /* TODO: test setting these in the other order, and ensure it still comes out 'GUID first' */ torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "GUID", &guid_blob), 0, "Failed to set a GUID on DN"); torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "SID", &sid_blob), 0, "Failed to set a SID on DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "cn=users,dc=samba,dc=org", "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", guid, sid, "cn=users,dc=samba,dc=org"), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", hex_guid, hex_sid, "cn=users,dc=samba,dc=org"), "HEX extended linearized DN incorrect"); /* Now check a 'just GUID' DN (clear format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>", guid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on this DN"); torture_assert_int_equal(torture, ldb_dn_get_comp_num(dn), 0, "Should not find an 'normal' componet on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL, "Should find an GUID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<GUID=%s>", guid), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<GUID=%s>", hex_guid), "HEX extended linearized DN incorrect"); /* Now check a 'just GUID' DN (HEX format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>", hex_guid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL, "Should find an GUID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); /* Now check a 'just SID' DN (clear format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>", sid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an SID on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL, "Should find an SID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<SID=%s>", sid), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<SID=%s>", hex_sid), "HEX extended linearized DN incorrect"); /* Now check a 'just SID' DN (HEX format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>", hex_sid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an SID on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL, "Should find an SID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); talloc_free(mem_ctx); return true; }
/* Map a DN into the local partition. */ struct ldb_dn *ldb_dn_map_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn) { const struct ldb_map_context *data = map_get_context(module); struct ldb_dn *newdn; const struct ldb_map_attribute *map; enum ldb_map_attr_type map_type; const char *name; struct ldb_val value; int i, ret; if (dn == NULL) { return NULL; } newdn = ldb_dn_copy(mem_ctx, dn); if (newdn == NULL) { map_oom(module); return NULL; } /* For each RDN, map the component name and possibly the value */ for (i = 0; i < ldb_dn_get_comp_num(newdn); i++) { map = map_attr_find_remote(data, ldb_dn_get_component_name(dn, i)); /* Unknown attribute - leave this RDN as is and hope the best... */ if (map == NULL) { map_type = MAP_KEEP; } else { map_type = map->type; } switch (map_type) { case MAP_IGNORE: case MAP_GENERATE: ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: " "MAP_IGNORE/MAP_GENERATE attribute '%s' " "used in DN!\n", ldb_dn_get_component_name(dn, i)); goto failed; case MAP_CONVERT: if (map->u.convert.convert_remote == NULL) { ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: " "'convert_remote' not set for attribute '%s' " "used in DN!\n", ldb_dn_get_component_name(dn, i)); goto failed; } /* fall through */ case MAP_KEEP: case MAP_RENAME: name = map_attr_map_remote(newdn, map, ldb_dn_get_component_name(dn, i)); if (name == NULL) goto failed; value = ldb_val_map_remote(module, newdn, map, ldb_dn_get_component_val(dn, i)); if (value.data == NULL) goto failed; ret = ldb_dn_set_component(newdn, i, name, value); if (ret != LDB_SUCCESS) { goto failed; } break; } } return newdn; failed: talloc_free(newdn); return NULL; }