static char *local_dn_to_path(TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn,
struct ldb_dn *dn)
{
int basecomps;
int dncomps;
char *path = NULL;
basecomps = ldb_dn_get_comp_num(basedn);
dncomps = ldb_dn_get_comp_num(dn);
for (int i = dncomps - basecomps; i > 0; i--) {
const struct ldb_val *val;
val = ldb_dn_get_component_val(dn, i - 1);
if (!val) return NULL;
if (path) {
path = talloc_strdup_append_buffer(path, "/");
if (!path) return NULL;
path = talloc_strndup_append_buffer(path, (char *)val->data,
val->length);
} else {
path = talloc_strndup(mem_ctx, (char *)val->data, val->length);
}
if (!path) return NULL;
}
DEBUG(SSSDBG_TRACE_INTERNAL,
"Secrets path for [%s] is [%s]\n",
ldb_dn_get_linearized(dn), path);
return path;
}
/* Copy a DN with the base DN of the remote partition. */
static struct ldb_dn *ldb_dn_rebase_remote(void *mem_ctx, const struct ldb_map_context *data, struct ldb_dn *dn)
{
struct ldb_dn *new_dn;
new_dn = ldb_dn_copy(mem_ctx, dn);
if ( ! ldb_dn_validate(new_dn)) {
talloc_free(new_dn);
return NULL;
}
/* may be we don't need to rebase at all */
if ( ! data->remote_base_dn || ! data->local_base_dn) {
return new_dn;
}
if ( ! ldb_dn_remove_base_components(new_dn, ldb_dn_get_comp_num(data->local_base_dn))) {
talloc_free(new_dn);
return NULL;
}
if ( ! ldb_dn_add_base(new_dn, data->remote_base_dn)) {
talloc_free(new_dn);
return NULL;
}
return new_dn;
}
static int local_db_check_containers(TALLOC_CTX *mem_ctx,
struct local_context *lctx,
struct ldb_dn *leaf_dn)
{
TALLOC_CTX *tmp_ctx;
static const char *attrs[] = { NULL};
struct ldb_result *res = NULL;
struct ldb_dn *dn;
int num;
int ret;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM;
dn = ldb_dn_copy(tmp_ctx, leaf_dn);
if (!dn) {
ret = ENOMEM;
goto done;
}
/* We need to exclude the leaf as that will be the new child entry,
* We also do not care for the synthetic containers that constitute the
* base path (cn=<uidnumber>,cn=users,cn=secrets), so in total we remove
* 4 components */
num = ldb_dn_get_comp_num(dn) - 4;
for (int i = 0; i < num; i++) {
/* remove the child first (we do not want to check the leaf) */
if (!ldb_dn_remove_child_components(dn, 1)) return EFAULT;
/* and check the parent container exists */
DEBUG(SSSDBG_TRACE_INTERNAL,
"Searching for [%s] at [%s] with scope=base\n",
LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(dn));
ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
attrs, LOCAL_CONTAINER_FILTER);
if (ret != LDB_SUCCESS || res->count != 1) {
DEBUG(SSSDBG_TRACE_LIBS,
"DN [%s] does not exist\n", ldb_dn_get_linearized(dn));
return ENOENT;
}
}
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
/*
check if the scope matches in a search result
*/
static int ldb_match_scope(struct ldb_context *ldb,
struct ldb_dn *base,
struct ldb_dn *dn,
enum ldb_scope scope)
{
int ret = 0;
if (base == NULL || dn == NULL) {
return 1;
}
switch (scope) {
case LDB_SCOPE_BASE:
if (ldb_dn_compare(base, dn) == 0) {
ret = 1;
}
break;
case LDB_SCOPE_ONELEVEL:
if (ldb_dn_get_comp_num(dn) == (ldb_dn_get_comp_num(base) + 1)) {
if (ldb_dn_compare_base(base, dn) == 0) {
ret = 1;
}
}
break;
case LDB_SCOPE_SUBTREE:
default:
if (ldb_dn_compare_base(base, dn) == 0) {
ret = 1;
}
break;
}
return ret;
}
static int local_db_check_containers_nest_level(struct local_context *lctx,
struct ldb_dn *leaf_dn)
{
int nest_level;
/* We need do not care for the synthetic containers that constitute the
* base path (cn=<uidnumber>,cn=user,cn=secrets). */
nest_level = ldb_dn_get_comp_num(leaf_dn) - 3;
if (nest_level > lctx->containers_nest_level) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot create a nested container of depth %d as the maximum"
"allowed number of nested containers is %d.\n",
nest_level, lctx->containers_nest_level);
return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL;
}
return EOK;
}
static int fix_dn(struct ldb_dn *dn)
{
int i, ret;
char *upper_rdn_attr;
for (i=0; i < ldb_dn_get_comp_num(dn); i++) {
/* We need the attribute name in upper case */
upper_rdn_attr = strupper_talloc(dn,
ldb_dn_get_component_name(dn, i));
if (!upper_rdn_attr) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* And replace it with CN=foo (we need the attribute in upper case */
ret = ldb_dn_set_component(dn, i, upper_rdn_attr,
*ldb_dn_get_component_val(dn, i));
talloc_free(upper_rdn_attr);
if (ret != LDB_SUCCESS) {
return ret;
}
}
return LDB_SUCCESS;
}
static bool torture_ldb_dn_extended(struct torture_context *torture)
{
TALLOC_CTX *mem_ctx = talloc_new(torture);
struct ldb_context *ldb;
struct ldb_dn *dn, *dn2;
DATA_BLOB sid_blob = strhex_to_data_blob(mem_ctx, hex_sid);
DATA_BLOB guid_blob = strhex_to_data_blob(mem_ctx, hex_guid);
const char *dn_str = "cn=admin,cn=users,dc=samba,dc=org";
torture_assert(torture,
ldb = ldb_init(mem_ctx, torture->ev),
"Failed to init ldb");
torture_assert_int_equal(torture,
ldb_register_samba_handlers(ldb), 0,
"Failed to register Samba handlers");
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
/* Check behaviour of a normal DN */
torture_assert(torture,
dn = ldb_dn_new(mem_ctx, ldb, dn_str),
"Failed to create a 'normal' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'normal' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == false,
"Should not find plain DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on plain DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an GUID on plain DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "WKGUID") == NULL,
"Should not find an WKGUID on plain DN");
/* Now make an extended DN */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>;<SID=%s>;%s",
guid, sid, dn_str),
"Failed to create an 'extended' DN");
torture_assert(torture,
dn2 = ldb_dn_copy(mem_ctx, dn),
"Failed to copy the 'extended' DN");
talloc_free(dn);
dn = dn2;
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on extended DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on extended DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), dn_str,
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_casefold(dn), strupper_talloc(mem_ctx, dn_str),
"casefolded DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_component_name(dn, 0), "cn",
"componet zero incorrect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_component_val(dn, 0), data_blob_string_const("admin"),
"componet zero incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
guid, sid, dn_str),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
hex_guid, hex_sid, dn_str),
"HEX extended linearized DN incorrect");
torture_assert(torture, ldb_dn_remove_child_components(dn, 1) == true,
"Failed to remove DN child");
torture_assert(torture, ldb_dn_has_extended(dn) == false,
"Extended DN flag should be cleared after child element removal");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an GUID on DN");
/* TODO: test setting these in the other order, and ensure it still comes out 'GUID first' */
torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "GUID", &guid_blob), 0,
"Failed to set a GUID on DN");
torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "SID", &sid_blob), 0,
"Failed to set a SID on DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "cn=users,dc=samba,dc=org",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
guid, sid, "cn=users,dc=samba,dc=org"),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
hex_guid, hex_sid, "cn=users,dc=samba,dc=org"),
"HEX extended linearized DN incorrect");
/* Now check a 'just GUID' DN (clear format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>",
guid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on this DN");
torture_assert_int_equal(torture, ldb_dn_get_comp_num(dn), 0,
"Should not find an 'normal' componet on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>",
guid),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>",
hex_guid),
"HEX extended linearized DN incorrect");
/* Now check a 'just GUID' DN (HEX format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>",
hex_guid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
/* Now check a 'just SID' DN (clear format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>",
sid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<SID=%s>",
sid),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<SID=%s>",
hex_sid),
"HEX extended linearized DN incorrect");
/* Now check a 'just SID' DN (HEX format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>",
hex_sid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
talloc_free(mem_ctx);
return true;
}
/* Map a DN into the local partition. */
struct ldb_dn *ldb_dn_map_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn)
{
const struct ldb_map_context *data = map_get_context(module);
struct ldb_dn *newdn;
const struct ldb_map_attribute *map;
enum ldb_map_attr_type map_type;
const char *name;
struct ldb_val value;
int i, ret;
if (dn == NULL) {
return NULL;
}
newdn = ldb_dn_copy(mem_ctx, dn);
if (newdn == NULL) {
map_oom(module);
return NULL;
}
/* For each RDN, map the component name and possibly the value */
for (i = 0; i < ldb_dn_get_comp_num(newdn); i++) {
map = map_attr_find_remote(data, ldb_dn_get_component_name(dn, i));
/* Unknown attribute - leave this RDN as is and hope the best... */
if (map == NULL) {
map_type = MAP_KEEP;
} else {
map_type = map->type;
}
switch (map_type) {
case MAP_IGNORE:
case MAP_GENERATE:
ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
"MAP_IGNORE/MAP_GENERATE attribute '%s' "
"used in DN!\n", ldb_dn_get_component_name(dn, i));
goto failed;
case MAP_CONVERT:
if (map->u.convert.convert_remote == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
"'convert_remote' not set for attribute '%s' "
"used in DN!\n", ldb_dn_get_component_name(dn, i));
goto failed;
}
/* fall through */
case MAP_KEEP:
case MAP_RENAME:
name = map_attr_map_remote(newdn, map, ldb_dn_get_component_name(dn, i));
if (name == NULL) goto failed;
value = ldb_val_map_remote(module, newdn, map, ldb_dn_get_component_val(dn, i));
if (value.data == NULL) goto failed;
ret = ldb_dn_set_component(newdn, i, name, value);
if (ret != LDB_SUCCESS) {
goto failed;
}
break;
}
}
return newdn;
failed:
talloc_free(newdn);
return NULL;
}
