static int handle_dereference(struct ldb_dn *dn,
struct dsdb_openldap_dereference_result **dereference_attrs,
const char *attr, const DATA_BLOB *val)
{
const struct ldb_val *entryUUIDblob, *sid_blob;
struct ldb_message fake_msg; /* easier to use routines that expect an ldb_message */
int j;
fake_msg.num_elements = 0;
/* Look for this attribute in the returned control */
for (j = 0; dereference_attrs && dereference_attrs[j]; j++) {
struct ldb_val source_dn = data_blob_string_const(dereference_attrs[j]->dereferenced_dn);
if (ldb_attr_cmp(dereference_attrs[j]->source_attribute, attr) == 0
&& data_blob_cmp(&source_dn, val) == 0) {
fake_msg.num_elements = dereference_attrs[j]->num_attributes;
fake_msg.elements = dereference_attrs[j]->attributes;
break;
}
}
if (!fake_msg.num_elements) {
return LDB_SUCCESS;
}
/* Look for an OpenLDAP entryUUID */
entryUUIDblob = ldb_msg_find_ldb_val(&fake_msg, "entryUUID");
if (entryUUIDblob) {
NTSTATUS status;
enum ndr_err_code ndr_err;
struct ldb_val guid_blob;
struct GUID guid;
status = GUID_from_data_blob(entryUUIDblob, &guid);
if (!NT_STATUS_IS_OK(status)) {
return LDB_ERR_INVALID_DN_SYNTAX;
}
ndr_err = ndr_push_struct_blob(&guid_blob, NULL, NULL, &guid,
(ndr_push_flags_fn_t)ndr_push_GUID);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return LDB_ERR_INVALID_DN_SYNTAX;
}
ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
}
sid_blob = ldb_msg_find_ldb_val(&fake_msg, "objectSID");
/* Look for the objectSID */
if (sid_blob) {
ldb_dn_set_extended_component(dn, "SID", sid_blob);
}
return LDB_SUCCESS;
}
static int inject_extended_dn_out(struct ldb_reply *ares,
struct ldb_context *ldb,
int type,
bool remove_guid,
bool remove_sid)
{
int ret;
const DATA_BLOB *guid_blob;
const DATA_BLOB *sid_blob;
guid_blob = ldb_msg_find_ldb_val(ares->message, "objectGUID");
sid_blob = ldb_msg_find_ldb_val(ares->message, "objectSID");
if (!guid_blob) {
ldb_set_errstring(ldb, "Did not find objectGUID to inject into extended DN");
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldb_dn_set_extended_component(ares->message->dn, "GUID", guid_blob);
if (ret != LDB_SUCCESS) {
return ret;
}
if (sid_blob) {
ret = ldb_dn_set_extended_component(ares->message->dn, "SID", sid_blob);
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (remove_guid) {
ldb_msg_remove_attr(ares->message, "objectGUID");
}
if (sid_blob && remove_sid) {
ldb_msg_remove_attr(ares->message, "objectSID");
}
return LDB_SUCCESS;
}
/**
* When loading the schema from LDIF files, we don't get the extended DNs.
*
* We need to set these up, so that from the moment we start the provision,
* the defaultObjectCategory links are set up correctly.
*/
int dsdb_schema_fill_extended_dn(struct ldb_context *ldb, struct dsdb_schema *schema)
{
struct dsdb_class *cur;
const struct dsdb_class *target_class;
for (cur = schema->classes; cur; cur = cur->next) {
const struct ldb_val *rdn;
struct ldb_val guid;
NTSTATUS status;
struct ldb_dn *dn = ldb_dn_new(NULL, ldb, cur->defaultObjectCategory);
if (!dn) {
return LDB_ERR_INVALID_DN_SYNTAX;
}
rdn = ldb_dn_get_component_val(dn, 0);
if (!rdn) {
talloc_free(dn);
return LDB_ERR_INVALID_DN_SYNTAX;
}
target_class = dsdb_class_by_cn_ldb_val(schema, rdn);
if (!target_class) {
talloc_free(dn);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
status = GUID_to_ndr_blob(&target_class->objectGUID, dn, &guid);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(dn);
return ldb_operr(ldb);
}
ldb_dn_set_extended_component(dn, "GUID", &guid);
cur->defaultObjectCategory = ldb_dn_get_extended_linearized(cur, dn, 1);
talloc_free(dn);
}
return LDB_SUCCESS;
}
static bool torture_ldb_dn_extended(struct torture_context *torture)
{
TALLOC_CTX *mem_ctx = talloc_new(torture);
struct ldb_context *ldb;
struct ldb_dn *dn, *dn2;
DATA_BLOB sid_blob = strhex_to_data_blob(mem_ctx, hex_sid);
DATA_BLOB guid_blob = strhex_to_data_blob(mem_ctx, hex_guid);
const char *dn_str = "cn=admin,cn=users,dc=samba,dc=org";
torture_assert(torture,
ldb = ldb_init(mem_ctx, torture->ev),
"Failed to init ldb");
torture_assert_int_equal(torture,
ldb_register_samba_handlers(ldb), 0,
"Failed to register Samba handlers");
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
/* Check behaviour of a normal DN */
torture_assert(torture,
dn = ldb_dn_new(mem_ctx, ldb, dn_str),
"Failed to create a 'normal' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'normal' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == false,
"Should not find plain DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on plain DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an GUID on plain DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "WKGUID") == NULL,
"Should not find an WKGUID on plain DN");
/* Now make an extended DN */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>;<SID=%s>;%s",
guid, sid, dn_str),
"Failed to create an 'extended' DN");
torture_assert(torture,
dn2 = ldb_dn_copy(mem_ctx, dn),
"Failed to copy the 'extended' DN");
talloc_free(dn);
dn = dn2;
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on extended DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on extended DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), dn_str,
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_casefold(dn), strupper_talloc(mem_ctx, dn_str),
"casefolded DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_component_name(dn, 0), "cn",
"componet zero incorrect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_component_val(dn, 0), data_blob_string_const("admin"),
"componet zero incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
guid, sid, dn_str),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
hex_guid, hex_sid, dn_str),
"HEX extended linearized DN incorrect");
torture_assert(torture, ldb_dn_remove_child_components(dn, 1) == true,
"Failed to remove DN child");
torture_assert(torture, ldb_dn_has_extended(dn) == false,
"Extended DN flag should be cleared after child element removal");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an GUID on DN");
/* TODO: test setting these in the other order, and ensure it still comes out 'GUID first' */
torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "GUID", &guid_blob), 0,
"Failed to set a GUID on DN");
torture_assert_int_equal(torture, ldb_dn_set_extended_component(dn, "SID", &sid_blob), 0,
"Failed to set a SID on DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "cn=users,dc=samba,dc=org",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
guid, sid, "cn=users,dc=samba,dc=org"),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>;<SID=%s>;%s",
hex_guid, hex_sid, "cn=users,dc=samba,dc=org"),
"HEX extended linearized DN incorrect");
/* Now check a 'just GUID' DN (clear format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>",
guid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on this DN");
torture_assert_int_equal(torture, ldb_dn_get_comp_num(dn), 0,
"Should not find an 'normal' componet on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<GUID=%s>",
guid),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<GUID=%s>",
hex_guid),
"HEX extended linearized DN incorrect");
/* Now check a 'just GUID' DN (HEX format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<GUID=%s>",
hex_guid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") != NULL,
"Should find an GUID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "GUID"), guid_blob,
"Extended DN GUID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
/* Now check a 'just SID' DN (clear format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>",
sid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 1),
talloc_asprintf(mem_ctx, "<SID=%s>",
sid),
"Clear extended linearized DN incorrect");
torture_assert_str_equal(torture, ldb_dn_get_extended_linearized(mem_ctx, dn, 0),
talloc_asprintf(mem_ctx, "<SID=%s>",
hex_sid),
"HEX extended linearized DN incorrect");
/* Now check a 'just SID' DN (HEX format) */
torture_assert(torture,
dn = ldb_dn_new_fmt(mem_ctx, ldb, "<SID=%s>",
hex_sid),
"Failed to create an 'extended' DN");
torture_assert(torture,
ldb_dn_validate(dn),
"Failed to validate 'extended' DN");
torture_assert(torture, ldb_dn_has_extended(dn) == true,
"Should find extended DN to be 'extended'");
torture_assert(torture, ldb_dn_get_extended_component(dn, "GUID") == NULL,
"Should not find an SID on this DN");
torture_assert(torture, ldb_dn_get_extended_component(dn, "SID") != NULL,
"Should find an SID on this DN");
torture_assert_data_blob_equal(torture, *ldb_dn_get_extended_component(dn, "SID"), sid_blob,
"Extended DN SID incorect");
torture_assert_str_equal(torture, ldb_dn_get_linearized(dn), "",
"linearized DN incorrect");
talloc_free(mem_ctx);
return true;
}
static WERROR dsdb_syntax_DN_drsuapi_to_ldb(struct ldb_context *ldb,
const struct dsdb_schema *schema,
const struct dsdb_attribute *attr,
const struct drsuapi_DsReplicaAttribute *in,
TALLOC_CTX *mem_ctx,
struct ldb_message_element *out)
{
uint32_t i;
int ret;
out->flags = 0;
out->name = talloc_strdup(mem_ctx, attr->lDAPDisplayName);
W_ERROR_HAVE_NO_MEMORY(out->name);
out->num_values = in->value_ctr.num_values;
out->values = talloc_array(mem_ctx, struct ldb_val, out->num_values);
W_ERROR_HAVE_NO_MEMORY(out->values);
for (i=0; i < out->num_values; i++) {
struct drsuapi_DsReplicaObjectIdentifier3 id3;
enum ndr_err_code ndr_err;
DATA_BLOB guid_blob;
struct ldb_dn *dn;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
}
if (in->value_ctr.values[i].blob == NULL) {
talloc_free(tmp_ctx);
return WERR_FOOBAR;
}
if (in->value_ctr.values[i].blob->length == 0) {
talloc_free(tmp_ctx);
return WERR_FOOBAR;
}
ndr_err = ndr_pull_struct_blob_all(in->value_ctr.values[i].blob,
tmp_ctx, schema->iconv_convenience, &id3,
(ndr_pull_flags_fn_t)ndr_pull_drsuapi_DsReplicaObjectIdentifier3);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
talloc_free(tmp_ctx);
return ntstatus_to_werror(status);
}
dn = ldb_dn_new(tmp_ctx, ldb, id3.dn);
if (!dn) {
talloc_free(tmp_ctx);
/* If this fails, it must be out of memory, as it does not do much parsing */
W_ERROR_HAVE_NO_MEMORY(dn);
}
ndr_err = ndr_push_struct_blob(&guid_blob, tmp_ctx, schema->iconv_convenience, &id3.guid,
(ndr_push_flags_fn_t)ndr_push_GUID);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
talloc_free(tmp_ctx);
return ntstatus_to_werror(status);
}
ret = ldb_dn_set_extended_component(dn, "GUID", &guid_blob);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return WERR_FOOBAR;
}
talloc_free(guid_blob.data);
if (id3.__ndr_size_sid) {
DATA_BLOB sid_blob;
ndr_err = ndr_push_struct_blob(&sid_blob, tmp_ctx, schema->iconv_convenience, &id3.sid,
(ndr_push_flags_fn_t)ndr_push_dom_sid);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
talloc_free(tmp_ctx);
return ntstatus_to_werror(status);
}
ret = ldb_dn_set_extended_component(dn, "SID", &sid_blob);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return WERR_FOOBAR;
}
}
out->values[i] = data_blob_string_const(ldb_dn_get_extended_linearized(out->values, dn, 1));
talloc_free(tmp_ctx);
}
return WERR_OK;
}
