static char *local_dn_to_path(TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, struct ldb_dn *dn) { int basecomps; int dncomps; char *path = NULL; basecomps = ldb_dn_get_comp_num(basedn); dncomps = ldb_dn_get_comp_num(dn); for (int i = dncomps - basecomps; i > 0; i--) { const struct ldb_val *val; val = ldb_dn_get_component_val(dn, i - 1); if (!val) return NULL; if (path) { path = talloc_strdup_append_buffer(path, "/"); if (!path) return NULL; path = talloc_strndup_append_buffer(path, (char *)val->data, val->length); } else { path = talloc_strndup(mem_ctx, (char *)val->data, val->length); } if (!path) return NULL; } DEBUG(SSSDBG_TRACE_INTERNAL, "Secrets path for [%s] is [%s]\n", ldb_dn_get_linearized(dn), path); return path; }
/* Obtain the site name from a server DN */ static const char *result_site_name(struct ldb_dn *site_dn) { /* Format is cn=<NETBIOS name>,cn=Servers,cn=<site>,cn=sites.... */ const struct ldb_val *val = ldb_dn_get_component_val(site_dn, 2); const char *name = ldb_dn_get_component_name(site_dn, 2); if (!name || (ldb_attr_cmp(name, "cn") != 0)) { /* Ensure this matches the format. This gives us a * bit more confidence that a 'cn' value will be a * ascii string */ return NULL; } if (val) { return (char *)val->data; } return NULL; }
static int fix_dn(struct ldb_dn *dn) { int i, ret; char *upper_rdn_attr; for (i=0; i < ldb_dn_get_comp_num(dn); i++) { /* We need the attribute name in upper case */ upper_rdn_attr = strupper_talloc(dn, ldb_dn_get_component_name(dn, i)); if (!upper_rdn_attr) { return LDB_ERR_OPERATIONS_ERROR; } /* And replace it with CN=foo (we need the attribute in upper case */ ret = ldb_dn_set_component(dn, i, upper_rdn_attr, *ldb_dn_get_component_val(dn, i)); talloc_free(upper_rdn_attr); if (ret != LDB_SUCCESS) { return ret; } } return LDB_SUCCESS; }
/** * When loading the schema from LDIF files, we don't get the extended DNs. * * We need to set these up, so that from the moment we start the provision, * the defaultObjectCategory links are set up correctly. */ int dsdb_schema_fill_extended_dn(struct ldb_context *ldb, struct dsdb_schema *schema) { struct dsdb_class *cur; const struct dsdb_class *target_class; for (cur = schema->classes; cur; cur = cur->next) { const struct ldb_val *rdn; struct ldb_val guid; NTSTATUS status; struct ldb_dn *dn = ldb_dn_new(NULL, ldb, cur->defaultObjectCategory); if (!dn) { return LDB_ERR_INVALID_DN_SYNTAX; } rdn = ldb_dn_get_component_val(dn, 0); if (!rdn) { talloc_free(dn); return LDB_ERR_INVALID_DN_SYNTAX; } target_class = dsdb_class_by_cn_ldb_val(schema, rdn); if (!target_class) { talloc_free(dn); return LDB_ERR_CONSTRAINT_VIOLATION; } status = GUID_to_ndr_blob(&target_class->objectGUID, dn, &guid); if (!NT_STATUS_IS_OK(status)) { talloc_free(dn); return ldb_operr(ldb); } ldb_dn_set_extended_component(dn, "GUID", &guid); cur->defaultObjectCategory = ldb_dn_get_extended_linearized(cur, dn, 1); talloc_free(dn); } return LDB_SUCCESS; }
static bool torture_ldb_dn_extended(struct torture_context *torture) { TALLOC_CTX *mem_ctx = talloc_new(torture); struct ldb_context *ldb; struct ldb_dn *dn, *dn2; DATA_BLOB sid_blob = strhex_to_data_blob(mem_ctx, hex_sid); DATA_BLOB guid_blob = strhex_to_data_blob(mem_ctx, hex_guid); const char *dn_str = "cn=admin,cn=users,dc=samba,dc=org"; torture_assert(torture, ldb = ldb_init(mem_ctx, torture->ev), "Failed to init ldb"); torture_assert_int_equal(torture, ldb_register_samba_handlers(ldb), 0, "Failed to register Samba handlers"); ldb_set_utf8_fns(ldb, NULL, wrap_casefold); /* Check behaviour of a normal DN */ torture_assert(torture, dn = ldb_dn_new(mem_ctx, ldb, dn_str), "Failed to create a 'normal' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'normal' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == false, "Should not find plain DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on plain DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an GUID on plain DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "WKGUID") == NULL, "Should not find an WKGUID on plain DN"); /* Now make an extended DN */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>;<SID=%s>;%s", guid, sid, dn_str), "Failed to create an 'extended' DN"); torture_assert(torture, dn2 = ldb_dn_copy(mem_ctx, dn), "Failed to copy the 'extended' DN"); talloc_free(dn); dn = dn2; torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL, "Should find an SID on extended DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL, "Should find an GUID on extended DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), dn_str, "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_casefold(dn), strupper_talloc(mem_ctx, dn_str), "casefolded DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_component_name(dn, 0), "cn", "componet zero incorrect"); torture_assert_data_blob_equal(torture, *ldb_dn_get_component_val(dn, 0), data_blob_string_const("admin"), "componet zero incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", guid, sid, dn_str), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", hex_guid, hex_sid, dn_str), "HEX extended linearized DN incorrect"); torture_assert(torture, ldb_dn_remove_child_components(dn, 1) == true, "Failed to remove DN child"); torture_assert(torture, ldb_dn_has_extended(dn) == false, "Extended DN flag should be cleared after child element removal"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an GUID on DN"); /* TODO: test setting these in the other order, and ensure it still comes out 'GUID first' */ torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "GUID", &guid_blob), 0, "Failed to set a GUID on DN"); torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "SID", &sid_blob), 0, "Failed to set a SID on DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "cn=users,dc=samba,dc=org", "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", guid, sid, "cn=users,dc=samba,dc=org"), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s", hex_guid, hex_sid, "cn=users,dc=samba,dc=org"), "HEX extended linearized DN incorrect"); /* Now check a 'just GUID' DN (clear format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>", guid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on this DN"); torture_assert_int_equal(torture, ldb_dn_get_comp_num(dn), 0, "Should not find an 'normal' componet on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL, "Should find an GUID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<GUID=%s>", guid), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<GUID=%s>", hex_guid), "HEX extended linearized DN incorrect"); /* Now check a 'just GUID' DN (HEX format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>", hex_guid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL, "Should not find an SID on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL, "Should find an GUID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob, "Extended DN GUID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); /* Now check a 'just SID' DN (clear format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>", sid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an SID on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL, "Should find an SID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1), talloc_asprintf(mem_ctx, "<SID=%s>", sid), "Clear extended linearized DN incorrect"); torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0), talloc_asprintf(mem_ctx, "<SID=%s>", hex_sid), "HEX extended linearized DN incorrect"); /* Now check a 'just SID' DN (HEX format) */ torture_assert(torture, dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>", hex_sid), "Failed to create an 'extended' DN"); torture_assert(torture, ldb_dn_validate(dn), "Failed to validate 'extended' DN"); torture_assert(torture, ldb_dn_has_extended(dn) == true, "Should find extended DN to be 'extended'"); torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL, "Should not find an SID on this DN"); torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL, "Should find an SID on this DN"); torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob, "Extended DN SID incorect"); torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "", "linearized DN incorrect"); talloc_free(mem_ctx); return true; }
/* Map a DN into the local partition. */ struct ldb_dn *ldb_dn_map_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn) { const struct ldb_map_context *data = map_get_context(module); struct ldb_dn *newdn; const struct ldb_map_attribute *map; enum ldb_map_attr_type map_type; const char *name; struct ldb_val value; int i, ret; if (dn == NULL) { return NULL; } newdn = ldb_dn_copy(mem_ctx, dn); if (newdn == NULL) { map_oom(module); return NULL; } /* For each RDN, map the component name and possibly the value */ for (i = 0; i < ldb_dn_get_comp_num(newdn); i++) { map = map_attr_find_remote(data, ldb_dn_get_component_name(dn, i)); /* Unknown attribute - leave this RDN as is and hope the best... */ if (map == NULL) { map_type = MAP_KEEP; } else { map_type = map->type; } switch (map_type) { case MAP_IGNORE: case MAP_GENERATE: ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: " "MAP_IGNORE/MAP_GENERATE attribute '%s' " "used in DN!\n", ldb_dn_get_component_name(dn, i)); goto failed; case MAP_CONVERT: if (map->u.convert.convert_remote == NULL) { ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: " "'convert_remote' not set for attribute '%s' " "used in DN!\n", ldb_dn_get_component_name(dn, i)); goto failed; } /* fall through */ case MAP_KEEP: case MAP_RENAME: name = map_attr_map_remote(newdn, map, ldb_dn_get_component_name(dn, i)); if (name == NULL) goto failed; value = ldb_val_map_remote(module, newdn, map, ldb_dn_get_component_val(dn, i)); if (value.data == NULL) goto failed; ret = ldb_dn_set_component(newdn, i, name, value); if (ret != LDB_SUCCESS) { goto failed; } break; } } return newdn; failed: talloc_free(newdn); return NULL; }
/* serach all groups that have a memberUid attribute. * change it into a member attribute for a user of same domain. * remove the memberUid attribute * add the new member attribute * finally stop indexing memberUid * upgrade version to 0.2 */ int sysdb_upgrade_01(struct ldb_context *ldb, const char **ver) { struct ldb_message_element *el; struct ldb_result *res; struct ldb_dn *basedn; struct ldb_dn *mem_dn; struct ldb_message *msg; const struct ldb_val *val; const char *filter = "(&(memberUid=*)(objectclass=group))"; const char *attrs[] = { "memberUid", NULL }; const char *mdn; char *domain; int ret, i, j; TALLOC_CTX *tmp_ctx; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { ret = ENOMEM; goto done; } basedn = ldb_dn_new(tmp_ctx, ldb, SYSDB_BASE); if (!basedn) { ret = EIO; goto done; } ret = ldb_search(ldb, tmp_ctx, &res, basedn, LDB_SCOPE_SUBTREE, attrs, "%s", filter); if (ret != LDB_SUCCESS) { ret = EIO; goto done; } ret = ldb_transaction_start(ldb); if (ret != LDB_SUCCESS) { ret = EIO; goto done; } for (i = 0; i < res->count; i++) { el = ldb_msg_find_element(res->msgs[i], "memberUid"); if (!el) { DEBUG(1, ("memberUid is missing from message [%s], skipping\n", ldb_dn_get_linearized(res->msgs[i]->dn))); continue; } /* create modification message */ msg = ldb_msg_new(tmp_ctx); if (!msg) { ret = ENOMEM; goto done; } msg->dn = res->msgs[i]->dn; ret = ldb_msg_add_empty(msg, "memberUid", LDB_FLAG_MOD_DELETE, NULL); if (ret != LDB_SUCCESS) { ret = ENOMEM; goto done; } ret = ldb_msg_add_empty(msg, SYSDB_MEMBER, LDB_FLAG_MOD_ADD, NULL); if (ret != LDB_SUCCESS) { ret = ENOMEM; goto done; } /* get domain name component value */ val = ldb_dn_get_component_val(res->msgs[i]->dn, 2); domain = talloc_strndup(tmp_ctx, (const char *)val->data, val->length); if (!domain) { ret = ENOMEM; goto done; } for (j = 0; j < el->num_values; j++) { mem_dn = ldb_dn_new_fmt(tmp_ctx, ldb, SYSDB_TMPL_USER, (const char *)el->values[j].data, domain); if (!mem_dn) { ret = ENOMEM; goto done; } mdn = talloc_strdup(msg, ldb_dn_get_linearized(mem_dn)); if (!mdn) { ret = ENOMEM; goto done; } ret = ldb_msg_add_string(msg, SYSDB_MEMBER, mdn); if (ret != LDB_SUCCESS) { ret = ENOMEM; goto done; } talloc_zfree(mem_dn); } /* ok now we are ready to modify the entry */ ret = ldb_modify(ldb, msg); if (ret != LDB_SUCCESS) { ret = sysdb_error_to_errno(ret); goto done; } talloc_zfree(msg); } /* conversion done, upgrade version number */ msg = ldb_msg_new(tmp_ctx); if (!msg) { ret = ENOMEM; goto done; } msg->dn = ldb_dn_new(tmp_ctx, ldb, SYSDB_BASE); if (!msg->dn) { ret = ENOMEM; goto done; } ret = ldb_msg_add_empty(msg, "version", LDB_FLAG_MOD_REPLACE, NULL); if (ret != LDB_SUCCESS) { ret = ENOMEM; goto done; } ret = ldb_msg_add_string(msg, "version", SYSDB_VERSION_0_2); if (ret != LDB_SUCCESS) { ret = ENOMEM; goto done; } ret = ldb_modify(ldb, msg); if (ret != LDB_SUCCESS) { ret = sysdb_error_to_errno(ret); goto done; } ret = EOK; done: ret = finish_upgrade(ret, ldb, SYSDB_VERSION_0_2, ver); talloc_free(tmp_ctx); return ret; }