/**
* Make this ldb use a specified schema, already fully calculated and belonging to another ldb
*/
int dsdb_reference_schema(struct ldb_context *ldb, struct dsdb_schema *schema,
bool write_attributes)
{
int ret;
struct dsdb_schema *old_schema;
old_schema = ldb_get_opaque(ldb, "dsdb_schema");
ret = ldb_set_opaque(ldb, "dsdb_schema", schema);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Remove the reference to the schema we just overwrote - if there was
* none, NULL is harmless here */
talloc_unlink(ldb, old_schema);
if (talloc_reference(ldb, schema) == NULL) {
return ldb_oom(ldb);
}
/* Make this ldb use local schema preferably */
ret = ldb_set_opaque(ldb, "dsdb_use_global_schema", NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = dsdb_schema_set_attributes(ldb, schema, write_attributes);
if (ret != LDB_SUCCESS) {
return ret;
}
return LDB_SUCCESS;
}
struct ldb_context *samba_ldb_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct loadparm_context *lp_ctx,
struct auth_session_info *session_info,
struct cli_credentials *credentials)
{
struct ldb_context *ldb;
int ret;
ldb = ldb_init(mem_ctx, ev);
if (ldb == NULL) {
return NULL;
}
ldb_set_modules_dir(ldb, modules_path(ldb, "ldb"));
ldb_set_debug(ldb, ldb_wrap_debug, NULL);
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
if (session_info) {
if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
talloc_free(ldb);
return NULL;
}
}
if (credentials) {
if (ldb_set_opaque(ldb, "credentials", credentials)) {
talloc_free(ldb);
return NULL;
}
}
if (ldb_set_opaque(ldb, "loadparm", lp_ctx)) {
talloc_free(ldb);
return NULL;
}
/* This must be done before we load the schema, as these
* handlers for objectSid and objectGUID etc must take
* precedence over the 'binary attribute' declaration in the
* schema */
ret = ldb_register_samba_handlers(ldb);
if (ret != LDB_SUCCESS) {
talloc_free(ldb);
return NULL;
}
/* we usually want Samba databases to be private. If we later
find we need one public, we will need to add a parameter to
ldb_wrap_connect() */
ldb_set_create_perms(ldb, 0600);
return ldb;
}
static PyObject *py_ldb_set_session_info(PyObject *self, PyObject *args)
{
PyObject *py_session_info;
struct auth_session_info *info;
struct ldb_context *ldb;
PyObject *mod_samba_auth;
PyObject *PyAuthSession_Type;
bool ret;
mod_samba_auth = PyImport_ImportModule("samba.dcerpc.auth");
if (mod_samba_auth == NULL)
return NULL;
PyAuthSession_Type = PyObject_GetAttrString(mod_samba_auth, "session_info");
if (PyAuthSession_Type == NULL)
return NULL;
ret = PyArg_ParseTuple(args, "O!", PyAuthSession_Type, &py_session_info);
Py_DECREF(PyAuthSession_Type);
Py_DECREF(mod_samba_auth);
if (!ret)
return NULL;
ldb = pyldb_Ldb_AsLdbContext(self);
info = PyAuthSession_AsSession(py_session_info);
ldb_set_opaque(ldb, "sessionInfo", info);
Py_RETURN_NONE;
}
static int wins_ldb_init(struct ldb_module *ctx)
{
struct winsdb_handle *h;
const char *owner;
ctx->private_data = NULL;
owner = lp_parm_string(-1, "winsdb", "local_owner");
if (!owner) {
owner = iface_n_ip(0);
if (!owner) {
owner = "0.0.0.0";
}
}
h = talloc(ctx, struct winsdb_handle);
if (!h) goto failed;
h->ldb = ctx->ldb;
h->caller = WINSDB_HANDLE_CALLER_ADMIN;
h->local_owner = talloc_strdup(h, owner);
if (!h->local_owner) goto failed;
return ldb_set_opaque(ctx->ldb, "winsdb_handle", h);
failed:
talloc_free(h);
return LDB_ERR_OTHER;
}
int dsdb_set_schema(struct ldb_context *ldb, struct dsdb_schema *schema)
{
int ret;
ret = dsdb_setup_sorted_accessors(ldb, schema);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = schema_fill_constructed(schema);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = ldb_set_opaque(ldb, "dsdb_schema", schema);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Set the new attributes based on the new schema */
ret = dsdb_schema_set_attributes(ldb, schema, true);
if (ret != LDB_SUCCESS) {
return ret;
}
talloc_steal(ldb, schema);
return LDB_SUCCESS;
}
int samba_ldb_connect(struct ldb_context *ldb, struct loadparm_context *lp_ctx,
const char *url, unsigned int flags)
{
int ret;
char *real_url = NULL;
/* allow admins to force non-sync ldb for all databases */
if (lpcfg_parm_bool(lp_ctx, NULL, "ldb", "nosync", false)) {
flags |= LDB_FLG_NOSYNC;
}
if (DEBUGLVL(10)) {
flags |= LDB_FLG_ENABLE_TRACING;
}
real_url = lpcfg_private_path(ldb, lp_ctx, url);
if (real_url == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldb_connect(ldb, real_url, flags, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
/* setup for leak detection */
ldb_set_opaque(ldb, "wrap_url", real_url);
return LDB_SUCCESS;
}
static int wins_ldb_init(struct ldb_module *module)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct winsdb_handle *h;
const char *owner;
struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
ldb_module_set_private(module, NULL);
owner = lpcfg_parm_string(lp_ctx, NULL, "winsdb", "local_owner");
if (!owner) {
struct interface *ifaces;
load_interface_list(module, lp_ctx, &ifaces);
owner = iface_list_first_v4(ifaces);
if (!owner) {
owner = "0.0.0.0";
}
}
h = talloc_zero(module, struct winsdb_handle);
if (!h) goto failed;
h->ldb = ldb;
h->caller = WINSDB_HANDLE_CALLER_ADMIN;
h->local_owner = talloc_strdup(h, owner);
if (!h->local_owner) goto failed;
return ldb_set_opaque(ldb, "winsdb_handle", h);
failed:
talloc_free(h);
return LDB_ERR_OTHER;
}
static PyObject *py_dsdb_set_opaque_integer(PyObject *self, PyObject *args)
{
PyObject *py_ldb;
int value;
int *old_val, *new_val;
char *py_opaque_name, *opaque_name_talloc;
struct ldb_context *ldb;
TALLOC_CTX *tmp_ctx;
if (!PyArg_ParseTuple(args, "Osi", &py_ldb, &py_opaque_name, &value))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
/* see if we have a cached copy */
old_val = (int *)ldb_get_opaque(ldb,
py_opaque_name);
if (old_val) {
*old_val = value;
Py_RETURN_NONE;
}
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
goto failed;
}
new_val = talloc(tmp_ctx, int);
if (!new_val) {
goto failed;
}
opaque_name_talloc = talloc_strdup(tmp_ctx, py_opaque_name);
if (!opaque_name_talloc) {
goto failed;
}
*new_val = value;
/* cache the domain_sid in the ldb */
if (ldb_set_opaque(ldb, opaque_name_talloc, new_val) != LDB_SUCCESS) {
goto failed;
}
talloc_steal(ldb, new_val);
talloc_steal(ldb, opaque_name_talloc);
talloc_free(tmp_ctx);
Py_RETURN_NONE;
failed:
talloc_free(tmp_ctx);
PyErr_SetString(PyExc_RuntimeError, "Failed to set opaque integer into the ldb!\n");
return NULL;
}
/*
register the samba ldif handlers
*/
int ldb_register_samba_handlers(struct ldb_context *ldb)
{
unsigned int i;
int ret;
if (ldb_get_opaque(ldb, "SAMBA_HANDLERS_REGISTERED") != NULL) {
return LDB_SUCCESS;
}
ret = ldb_set_opaque(ldb, LDB_SECRET_ATTRIBUTE_LIST_OPAQUE, discard_const_p(char *, secret_attributes));
if (ret != LDB_SUCCESS) {
return ret;
}
for (i=0; i < ARRAY_SIZE(samba_attributes); i++) {
const struct ldb_schema_syntax *s = NULL;
s = ldb_samba_syntax_by_name(ldb, samba_attributes[i].syntax);
if (!s) {
s = ldb_standard_syntax_by_name(ldb, samba_attributes[i].syntax);
}
if (!s) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldb_schema_attribute_add_with_syntax(ldb, samba_attributes[i].name, LDB_ATTR_FLAG_FIXED, s);
if (ret != LDB_SUCCESS) {
return ret;
}
}
for (i=0; i < ARRAY_SIZE(samba_dn_syntax); i++) {
ret = ldb_dn_extended_add_syntax(ldb, LDB_ATTR_FLAG_FIXED, &samba_dn_syntax[i]);
if (ret != LDB_SUCCESS) {
return ret;
}
}
ret = ldb_register_samba_matching_rules(ldb);
if (ret != LDB_SUCCESS) {
talloc_free(ldb);
return LDB_SUCCESS;
}
ret = ldb_set_opaque(ldb, "SAMBA_HANDLERS_REGISTERED", (void*)1);
if (ret != LDB_SUCCESS) {
return ret;
}
return LDB_SUCCESS;
}
/*
* Test set up
*/
static int setup(void **state)
{
struct ldbtest_ctx *test_ctx = NULL;
struct ldb_module *eol = NULL;
int rc;
test_ctx = talloc_zero(NULL, struct ldbtest_ctx);
assert_non_null(test_ctx);
test_ctx->ev = tevent_context_init(test_ctx);
assert_non_null(test_ctx->ev);
test_ctx->ldb = ldb_init(test_ctx, test_ctx->ev);
assert_non_null(test_ctx->ldb);
test_ctx->domain_sid = talloc_zero(test_ctx, struct dom_sid);
assert_non_null(test_ctx->domain_sid);
assert_true(string_to_sid(test_ctx->domain_sid, DOMAIN_SID));
ldb_set_opaque(test_ctx->ldb, "cache.domain_sid", test_ctx->domain_sid);
test_ctx->module = ldb_module_new(
test_ctx,
test_ctx->ldb,
"unique_object_sids",
&ldb_unique_object_sids_module_ops);
assert_non_null(test_ctx->module);
eol = ldb_module_new(test_ctx, test_ctx->ldb, "eol", &eol_ops);
assert_non_null(eol);
ldb_module_set_next(test_ctx->module, eol);
test_ctx->dbfile = talloc_strdup(test_ctx, "duptest.ldb");
assert_non_null(test_ctx->dbfile);
test_ctx->lockfile = talloc_asprintf(test_ctx, "%s-lock",
test_ctx->dbfile);
assert_non_null(test_ctx->lockfile);
test_ctx->dbpath = talloc_asprintf(test_ctx,
TEST_BE"://%s", test_ctx->dbfile);
assert_non_null(test_ctx->dbpath);
unlink_old_db(test_ctx);
rc = ldb_connect(test_ctx->ldb, test_ctx->dbpath, 0, NULL);
assert_int_equal(rc, LDB_SUCCESS);
rc = unique_object_sids_init(test_ctx->module);
assert_int_equal(rc, LDB_SUCCESS);
*state = test_ctx;
last_request = NULL;
return 0;
}
/**
* Attach the schema to an opaque pointer on the ldb,
* so ldb modules can find it
*/
int dsdb_set_schema(struct ldb_context *ldb, struct dsdb_schema *schema)
{
struct dsdb_schema *old_schema;
int ret;
ret = dsdb_setup_sorted_accessors(ldb, schema);
if (ret != LDB_SUCCESS) {
return ret;
}
old_schema = ldb_get_opaque(ldb, "dsdb_schema");
ret = ldb_set_opaque(ldb, "dsdb_schema", schema);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Remove the reference to the schema we just overwrote - if there was
* none, NULL is harmless here */
if (old_schema != schema) {
talloc_unlink(ldb, old_schema);
talloc_steal(ldb, schema);
}
ret = ldb_set_opaque(ldb, "dsdb_use_global_schema", NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Set the new attributes based on the new schema */
ret = dsdb_schema_set_attributes(ldb, schema, true);
if (ret != LDB_SUCCESS) {
return ret;
}
return LDB_SUCCESS;
}
/*
return the default DN for a ldap server given a connected RPC pipe to the
server
*/
static const char *torture_get_ldap_base_dn(struct torture_context *tctx, struct dcerpc_pipe *p)
{
const char *hostname = p->binding->host;
struct ldb_context *ldb;
const char *ldap_url = talloc_asprintf(p, "ldap://%s", hostname);
const char *attrs[] = { "defaultNamingContext", NULL };
const char *dnstr;
TALLOC_CTX *tmp_ctx = talloc_new(tctx);
int ret;
struct ldb_result *res;
ldb = ldb_init(tmp_ctx, tctx->ev);
if (ldb == NULL) {
talloc_free(tmp_ctx);
return NULL;
}
if (ldb_set_opaque(ldb, "loadparm", tctx->lp_ctx)) {
talloc_free(ldb);
return NULL;
}
ldb_set_modules_dir(ldb,
modules_path(ldb, "ldb"));
ret = ldb_connect(ldb, ldap_url, 0, NULL);
if (ret != LDB_SUCCESS) {
torture_comment(tctx, "Failed to make LDB connection to target");
talloc_free(tmp_ctx);
return NULL;
}
ret = dsdb_search_dn(ldb, tmp_ctx, &res, ldb_dn_new(tmp_ctx, ldb, ""),
attrs, 0);
if (ret != LDB_SUCCESS) {
torture_comment(tctx, "Failed to get defaultNamingContext");
talloc_free(tmp_ctx);
return NULL;
}
dnstr = ldb_msg_find_attr_as_string(res->msgs[0], "defaultNamingContext", NULL);
dnstr = talloc_strdup(tctx, dnstr);
talloc_free(tmp_ctx);
return dnstr;
}
static PyObject *py_ldb_set_session_info(PyObject *self, PyObject *args)
{
PyObject *py_session_info, *py_ldb;
struct auth_session_info *info;
struct ldb_context *ldb;
if (!PyArg_ParseTuple(args, "OO", &py_ldb, &py_session_info))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
/*if (!PyAuthSession_Check(py_session_info)) {
PyErr_SetString(PyExc_TypeError, "Expected session info object");
return NULL;
}*/
info = PyAuthSession_AsSession(py_session_info);
ldb_set_opaque(ldb, "sessionInfo", info);
Py_RETURN_NONE;
}
static PyObject *py_ldb_set_loadparm(PyObject *self, PyObject *args)
{
PyObject *py_lp_ctx, *py_ldb;
struct loadparm_context *lp_ctx;
struct ldb_context *ldb;
if (!PyArg_ParseTuple(args, "OO", &py_ldb, &py_lp_ctx))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
lp_ctx = lp_from_py_object(py_lp_ctx);
if (lp_ctx == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected loadparm object");
return NULL;
}
ldb_set_opaque(ldb, "loadparm", lp_ctx);
Py_RETURN_NONE;
}
static PyObject *py_ldb_set_credentials(PyObject *self, PyObject *args)
{
PyObject *py_creds, *py_ldb;
struct cli_credentials *creds;
struct ldb_context *ldb;
if (!PyArg_ParseTuple(args, "OO", &py_ldb, &py_creds))
return NULL;
PyErr_LDB_OR_RAISE(py_ldb, ldb);
creds = cli_credentials_from_py_object(py_creds);
if (creds == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected credentials object");
return NULL;
}
ldb_set_opaque(ldb, "credentials", creds);
Py_RETURN_NONE;
}
static PyObject *py_ldb_set_loadparm(PyObject *self, PyObject *args)
{
PyObject *py_lp_ctx;
struct loadparm_context *lp_ctx;
struct ldb_context *ldb;
if (!PyArg_ParseTuple(args, "O", &py_lp_ctx))
return NULL;
ldb = pyldb_Ldb_AsLdbContext(self);
lp_ctx = lpcfg_from_py_object(ldb, py_lp_ctx);
if (lp_ctx == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected loadparm object");
return NULL;
}
ldb_set_opaque(ldb, "loadparm", lp_ctx);
Py_RETURN_NONE;
}
/*
* Update session_info on samdb using the cached credentials
*/
static bool b9_set_session_info(struct dlz_bind9_data *state, const char *name)
{
int ret;
if (state->update_name == NULL || state->session_info == NULL) {
state->log(ISC_LOG_ERROR, "samba_dlz: invalid credentials");
return false;
}
/* Do not use client credentials, if we not updating the client specified name */
if (strcmp(state->update_name, name) != 0) {
return true;
}
ret = ldb_set_opaque(state->samdb, "sessionInfo", state->session_info);
if (ret != LDB_SUCCESS) {
state->log(ISC_LOG_ERROR, "samba_dlz: unable to set session info");
return false;
}
return true;
}
/**
* Make this ldb use a specified schema, already fully calculated and belonging to another ldb
*/
int dsdb_reference_schema(struct ldb_context *ldb, struct dsdb_schema *schema,
bool write_attributes)
{
int ret;
ret = ldb_set_opaque(ldb, "dsdb_schema", schema);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Set the new attributes based on the new schema */
ret = dsdb_schema_set_attributes(ldb, schema, write_attributes);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Keep a reference to this schema, just incase the original copy is replaced */
if (talloc_reference(ldb, schema) == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
/**
* Make this ldb use the 'global' schema, setup to avoid having multiple copies in this process
*/
int dsdb_set_global_schema(struct ldb_context *ldb)
{
int ret;
void *use_global_schema = (void *)1;
if (!global_schema) {
return LDB_SUCCESS;
}
ret = ldb_set_opaque(ldb, "dsdb_use_global_schema", use_global_schema);
if (ret != LDB_SUCCESS) {
return ret;
}
/* Set the new attributes based on the new schema */
ret = dsdb_schema_set_attributes(ldb, global_schema, false /* Don't write attributes, it's expensive */);
if (ret == LDB_SUCCESS) {
/* Keep a reference to this schema, just in case the original copy is replaced */
if (talloc_reference(ldb, global_schema) == NULL) {
return ldb_oom(ldb);
}
}
return ret;
}
static int pdc_fsmo_init(struct ldb_module *module)
{
struct ldb_context *ldb;
TALLOC_CTX *mem_ctx;
struct ldb_dn *pdc_dn;
struct dsdb_pdc_fsmo *pdc_fsmo;
struct ldb_result *pdc_res;
int ret;
static const char *pdc_attrs[] = {
"fSMORoleOwner",
NULL
};
ldb = ldb_module_get_ctx(module);
mem_ctx = talloc_new(module);
if (!mem_ctx) {
return ldb_oom(ldb);
}
pdc_dn = ldb_get_default_basedn(ldb);
if (!pdc_dn) {
ldb_debug_set(ldb, LDB_DEBUG_FATAL,
"pdc_fsmo_init: could not determine default basedn");
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
pdc_fsmo = talloc_zero(mem_ctx, struct dsdb_pdc_fsmo);
if (!pdc_fsmo) {
return ldb_oom(ldb);
}
ldb_module_set_private(module, pdc_fsmo);
ret = dsdb_module_search_dn(module, mem_ctx, &pdc_res,
pdc_dn,
pdc_attrs,
DSDB_FLAG_NEXT_MODULE, NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
ldb_debug(ldb, LDB_DEBUG_TRACE,
"pdc_fsmo_init: no domain object present: (skip loading of domain details)");
talloc_free(mem_ctx);
return ldb_next_init(module);
} else if (ret != LDB_SUCCESS) {
ldb_debug_set(ldb, LDB_DEBUG_FATAL,
"pdc_fsmo_init: failed to search the domain object: %d:%s: %s",
ret, ldb_strerror(ret), ldb_errstring(ldb));
talloc_free(mem_ctx);
return ret;
}
pdc_fsmo->master_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, pdc_res->msgs[0], "fSMORoleOwner");
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), pdc_fsmo->master_dn) == 0) {
pdc_fsmo->we_are_master = true;
} else {
pdc_fsmo->we_are_master = false;
}
if (ldb_set_opaque(ldb, "dsdb_pdc_fsmo", pdc_fsmo) != LDB_SUCCESS) {
return ldb_oom(ldb);
}
talloc_steal(module, pdc_fsmo);
ldb_debug(ldb, LDB_DEBUG_TRACE,
"pdc_fsmo_init: we are master: %s\n",
(pdc_fsmo->we_are_master?"yes":"no"));
talloc_free(mem_ctx);
return ldb_next_init(module);
}
/**
process command line options
*/
struct ldb_cmdline *ldb_cmdline_process(struct ldb_context *ldb,
int argc, const char **argv,
void (*usage)(void))
{
struct ldb_cmdline *ret=NULL;
poptContext pc;
#if (_SAMBA_BUILD_ >= 4)
int r;
#endif
int num_options = 0;
int opt;
int flags = 0;
#if (_SAMBA_BUILD_ >= 4)
r = ldb_register_samba_handlers(ldb);
if (r != 0) {
goto failed;
}
#endif
/* make the ldb utilities line buffered */
setlinebuf(stdout);
ret = talloc_zero(ldb, struct ldb_cmdline);
if (ret == NULL) {
fprintf(stderr, "Out of memory!\n");
goto failed;
}
options = *ret;
/* pull in URL */
options.url = getenv("LDB_URL");
/* and editor (used by ldbedit) */
options.editor = getenv("VISUAL");
if (!options.editor) {
options.editor = getenv("EDITOR");
}
if (!options.editor) {
options.editor = "vi";
}
options.scope = LDB_SCOPE_DEFAULT;
pc = poptGetContext(argv[0], argc, argv, popt_options,
POPT_CONTEXT_KEEP_FIRST);
while((opt = poptGetNextOpt(pc)) != -1) {
switch (opt) {
case 's': {
const char *arg = poptGetOptArg(pc);
if (strcmp(arg, "base") == 0) {
options.scope = LDB_SCOPE_BASE;
} else if (strcmp(arg, "sub") == 0) {
options.scope = LDB_SCOPE_SUBTREE;
} else if (strcmp(arg, "one") == 0) {
options.scope = LDB_SCOPE_ONELEVEL;
} else {
fprintf(stderr, "Invalid scope '%s'\n", arg);
goto failed;
}
break;
}
case 'v':
options.verbose++;
break;
case 'o':
options.options = talloc_realloc(ret, options.options,
const char *, num_options+3);
if (options.options == NULL) {
fprintf(stderr, "Out of memory!\n");
goto failed;
}
options.options[num_options] = poptGetOptArg(pc);
options.options[num_options+1] = NULL;
num_options++;
break;
case 'c': {
const char *cs = poptGetOptArg(pc);
const char *p;
for (p = cs; p != NULL; ) {
const char *t, *c;
t = strchr(p, ',');
if (t == NULL) {
c = talloc_strdup(options.controls, p);
p = NULL;
} else {
c = talloc_strndup(options.controls, p, t-p);
p = t + 1;
}
if (c == NULL || !add_control(ret, c)) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
}
break;
}
case 'P':
if (!add_control(ret, "paged_results:1:1024")) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
break;
case 'D':
if (!add_control(ret, "show_deleted:1")) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
break;
case 'R':
if (!add_control(ret, "show_recycled:0")) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
break;
case 'd':
if (!add_control(ret, "show_deactivated_link:0")) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
break;
case 'r':
if (!add_control(ret, "reveal_internals:0")) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
break;
case 'N':
if (!add_control(ret, "search_options:1:2")) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
break;
case 'E':
if (!add_control(ret, "extended_dn:1:1")) {
fprintf(stderr, __location__ ": out of memory\n");
goto failed;
}
break;
default:
fprintf(stderr, "Invalid option %s: %s\n",
poptBadOption(pc, 0), poptStrerror(opt));
if (usage) usage();
goto failed;
}
}
/* setup the remaining options for the main program to use */
options.argv = poptGetArgs(pc);
if (options.argv) {
options.argv++;
while (options.argv[options.argc]) options.argc++;
}
*ret = options;
/* all utils need some option */
if (ret->url == NULL) {
fprintf(stderr, "You must supply a url with -H or with $LDB_URL\n");
if (usage) usage();
goto failed;
}
if (strcmp(ret->url, "NONE") == 0) {
return ret;
}
if (options.nosync) {
flags |= LDB_FLG_NOSYNC;
}
if (options.show_binary) {
flags |= LDB_FLG_SHOW_BINARY;
}
if (options.tracing) {
flags |= LDB_FLG_ENABLE_TRACING;
}
#if (_SAMBA_BUILD_ >= 4)
/* Must be after we have processed command line options */
gensec_init(cmdline_lp_ctx);
if (ldb_set_opaque(ldb, "sessionInfo", system_session(cmdline_lp_ctx))) {
goto failed;
}
if (ldb_set_opaque(ldb, "credentials", cmdline_credentials)) {
goto failed;
}
if (ldb_set_opaque(ldb, "loadparm", cmdline_lp_ctx)) {
goto failed;
}
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
#endif
if (options.modules_path != NULL) {
ldb_set_modules_dir(ldb, options.modules_path);
} else if (getenv("LDB_MODULES_PATH") != NULL) {
ldb_set_modules_dir(ldb, getenv("LDB_MODULES_PATH"));
}
/* now connect to the ldb */
if (ldb_connect(ldb, ret->url, flags, ret->options) != 0) {
fprintf(stderr, "Failed to connect to %s - %s\n",
ret->url, ldb_errstring(ldb));
goto failed;
}
return ret;
failed:
talloc_free(ret);
exit(1);
return NULL;
}
/*
* Reset session_info on samdb as system session
*/
static void b9_reset_session_info(struct dlz_bind9_data *state)
{
ldb_set_opaque(state->samdb, "sessionInfo", system_session(state->lp));
}
static NTSTATUS torture_leave_ads_domain(struct torture_context *torture,
TALLOC_CTX *mem_ctx,
struct libnet_JoinDomain *libnet_r)
{
int rtn;
TALLOC_CTX *tmp_ctx;
struct ldb_dn *server_dn;
struct ldb_context *ldb_ctx;
char *remote_ldb_url;
/* Check if we are a domain controller. If not, exit. */
if (!libnet_r->out.server_dn_str) {
return NT_STATUS_OK;
}
tmp_ctx = talloc_named(mem_ctx, 0, "torture_leave temporary context");
if (!tmp_ctx) {
libnet_r->out.error_string = NULL;
return NT_STATUS_NO_MEMORY;
}
ldb_ctx = ldb_init(tmp_ctx, torture->ev);
if (!ldb_ctx) {
libnet_r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
/* Remove CN=Servers,... entry from the AD. */
server_dn = ldb_dn_new(tmp_ctx, ldb_ctx, libnet_r->out.server_dn_str);
if (! ldb_dn_validate(server_dn)) {
libnet_r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s", libnet_r->out.samr_binding->host);
if (!remote_ldb_url) {
libnet_r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
ldb_set_opaque(ldb_ctx, "credentials", cmdline_credentials);
ldb_set_opaque(ldb_ctx, "loadparm", cmdline_lp_ctx);
rtn = ldb_connect(ldb_ctx, remote_ldb_url, 0, NULL);
if (rtn != 0) {
libnet_r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
rtn = ldb_delete(ldb_ctx, server_dn);
if (rtn != 0) {
libnet_r->out.error_string = NULL;
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(0, ("%s removed successfully.\n", libnet_r->out.server_dn_str));
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* XXX: This function really should be in libldb's pyldb.c */
static PyObject *py_ldb_set_opaque_integer(PyObject *self, PyObject *args)
{
int value;
int *old_val, *new_val;
char *py_opaque_name, *opaque_name_talloc;
struct ldb_context *ldb;
int ret;
TALLOC_CTX *tmp_ctx;
if (!PyArg_ParseTuple(args, "si", &py_opaque_name, &value))
return NULL;
ldb = pyldb_Ldb_AsLdbContext(self);
/* see if we have a cached copy */
old_val = (int *)ldb_get_opaque(ldb, py_opaque_name);
/* XXX: We shouldn't just blindly assume that the value that is
* already present has the size of an int and is not shared
* with other code that may rely on it not changing.
* JRV 20100403 */
if (old_val) {
*old_val = value;
Py_RETURN_NONE;
}
tmp_ctx = talloc_new(ldb);
if (tmp_ctx == NULL) {
PyErr_NoMemory();
return NULL;
}
new_val = talloc(tmp_ctx, int);
if (new_val == NULL) {
talloc_free(tmp_ctx);
PyErr_NoMemory();
return NULL;
}
opaque_name_talloc = talloc_strdup(tmp_ctx, py_opaque_name);
if (opaque_name_talloc == NULL) {
talloc_free(tmp_ctx);
PyErr_NoMemory();
return NULL;
}
*new_val = value;
/* cache the domain_sid in the ldb */
ret = ldb_set_opaque(ldb, opaque_name_talloc, new_val);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
PyErr_SetLdbError(py_ldb_error, ret, ldb);
return NULL;
}
talloc_steal(ldb, new_val);
talloc_steal(ldb, opaque_name_talloc);
talloc_free(tmp_ctx);
Py_RETURN_NONE;
}
static int samba_dsdb_init(struct ldb_module *module)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
int ret, len, i;
TALLOC_CTX *tmp_ctx = talloc_new(module);
struct ldb_result *res;
struct ldb_message *rootdse_msg, *partition_msg;
struct ldb_dn *samba_dsdb_dn;
struct ldb_module *backend_module, *module_chain;
const char **final_module_list, **reverse_module_list;
/*
Add modules to the list to activate them by default
beware often order is important
Some Known ordering constraints:
- rootdse must be first, as it makes redirects from "" -> cn=rootdse
- extended_dn_in must be before objectclass.c, as it resolves the DN
- objectclass must be before password_hash, because password_hash checks
that the objectclass is of type person (filled in by objectclass
module when expanding the objectclass list)
- partition must be last
- each partition has its own module list then
The list is presented here as a set of declarations to show the
stack visually - the code below then handles the creation of the list
based on the parameters loaded from the database.
*/
static const char *modules_list[] = {"resolve_oids",
"rootdse",
"lazy_commit",
"paged_results",
"ranged_results",
"anr",
"server_sort",
"asq",
"extended_dn_store",
"extended_dn_in",
"rdn_name",
"objectclass",
"descriptor",
"acl",
"samldb",
"password_hash",
"operational",
"kludge_acl",
"schema_load",
"instancetype",
NULL };
const char *objectguid_module;
/* if serverrole == "domain controller": */
const char *repl_meta_data = "repl_meta_data";
/* else: */
const char *objectguid = "objectguid";
const char **link_modules;
static const char *tdb_modules_list[] = {
"subtree_rename",
"subtree_delete",
"linked_attributes",
NULL};
const char *extended_dn_module;
const char *extended_dn_module_ldb = "extended_dn_out_ldb";
const char *extended_dn_module_fds = "extended_dn_out_fds";
const char *extended_dn_module_openldap = "extended_dn_out_openldap";
static const char *modules_list2[] = {"show_deleted",
"new_partition",
"partition",
NULL };
const char **backend_modules;
static const char *fedora_ds_backend_modules[] = {
"nsuniqueid", "paged_searches", NULL };
static const char *openldap_backend_modules[] = {
"entryuuid", "paged_searches", NULL };
static const char *samba_dsdb_attrs[] = { "backendType", "serverRole", NULL };
const char *backendType, *serverRole;
if (!tmp_ctx) {
ldb_oom(ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
samba_dsdb_dn = ldb_dn_new(tmp_ctx, ldb, "@SAMBA_DSDB");
if (!samba_dsdb_dn) {
talloc_free(tmp_ctx);
ldb_oom(ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
#define CHECK_LDB_RET(check_ret) \
do { \
if (check_ret != LDB_SUCCESS) { \
talloc_free(tmp_ctx); \
return check_ret; \
} \
} while (0)
ret = dsdb_module_search_dn(module, tmp_ctx, &res, samba_dsdb_dn, samba_dsdb_attrs, 0);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
backendType = "ldb";
serverRole = "domain controller";
} else if (ret == LDB_SUCCESS) {
backendType = ldb_msg_find_attr_as_string(res->msgs[0], "backendType", "ldb");
serverRole = ldb_msg_find_attr_as_string(res->msgs[0], "serverRole", "domain controller");
} else {
talloc_free(tmp_ctx);
return ret;
}
backend_modules = NULL;
if (strcasecmp(backendType, "ldb") == 0) {
if (strcasecmp(serverRole, "dc") == 0 || strcasecmp(serverRole, "domain controller") == 0) {
objectguid_module = repl_meta_data;
} else {
objectguid_module = objectguid;
}
extended_dn_module = extended_dn_module_ldb;
link_modules = tdb_modules_list;
} else {
objectguid_module = NULL;
link_modules = NULL;
if (strcasecmp(backendType, "fedora-ds") == 0) {
backend_modules = fedora_ds_backend_modules;
extended_dn_module = extended_dn_module_fds;
} else if (strcasecmp(backendType, "openldap") == 0) {
backend_modules = openldap_backend_modules;
extended_dn_module = extended_dn_module_openldap;
}
}
#define CHECK_MODULE_LIST \
do { \
if (!final_module_list) { \
talloc_free(tmp_ctx); \
ldb_oom(ldb); \
return LDB_ERR_OPERATIONS_ERROR; \
} \
} while (0)
final_module_list = str_list_copy_const(tmp_ctx, modules_list);
CHECK_MODULE_LIST;
final_module_list = str_list_add_const(final_module_list, objectguid_module);
CHECK_MODULE_LIST;
final_module_list = str_list_append_const(final_module_list, link_modules);
CHECK_MODULE_LIST;
final_module_list = str_list_add_const(final_module_list, extended_dn_module);
CHECK_MODULE_LIST;
final_module_list = str_list_append_const(final_module_list, modules_list2);
CHECK_MODULE_LIST;
ret = read_at_rootdse_record(ldb, module, tmp_ctx, &rootdse_msg);
CHECK_LDB_RET(ret);
partition_msg = ldb_msg_new(tmp_ctx);
partition_msg->dn = ldb_dn_new(partition_msg, ldb, "@" DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME);
ret = prepare_modules_line(ldb, tmp_ctx,
rootdse_msg,
partition_msg, "defaultNamingContext",
"pdc_fsmo", backend_modules);
CHECK_LDB_RET(ret);
ret = prepare_modules_line(ldb, tmp_ctx,
rootdse_msg,
partition_msg, "configurationNamingContext",
"naming_fsmo", backend_modules);
CHECK_LDB_RET(ret);
ret = prepare_modules_line(ldb, tmp_ctx,
rootdse_msg,
partition_msg, "schemaNamingContext",
"schema_data", backend_modules);
CHECK_LDB_RET(ret);
ret = prepare_modules_line(ldb, tmp_ctx,
rootdse_msg,
partition_msg, NULL,
NULL, backend_modules);
CHECK_LDB_RET(ret);
ret = ldb_set_opaque(ldb, DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME, partition_msg);
CHECK_LDB_RET(ret);
talloc_steal(ldb, partition_msg);
/* Now prepare the module chain. Oddly, we must give it to ldb_load_modules_list in REVERSE */
for (len = 0; final_module_list[len]; len++) { /* noop */};
reverse_module_list = talloc_array(tmp_ctx, const char *, len+1);
if (!reverse_module_list) {
talloc_free(tmp_ctx);
ldb_oom(ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
for (i=0; i < len; i++) {
reverse_module_list[i] = final_module_list[(len - 1) - i];
}
reverse_module_list[i] = NULL;
/* The backend (at least until the partitions module
* reconfigures things) is the next module in the currently
* loaded chain */
backend_module = module->next;
ret = ldb_load_modules_list(ldb, reverse_module_list, backend_module, &module_chain);
CHECK_LDB_RET(ret);
talloc_free(tmp_ctx);
/* Set this as the 'next' module, so that we effectivly append it to module chain */
module->next = module_chain;
return ldb_next_init(module);
}
static int samba_dsdb_init(struct ldb_module *module)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
int ret, len, i;
TALLOC_CTX *tmp_ctx = talloc_new(module);
struct ldb_result *res;
struct ldb_message *rootdse_msg = NULL, *partition_msg;
struct ldb_dn *samba_dsdb_dn, *partition_dn;
struct ldb_module *backend_module, *module_chain;
const char **final_module_list, **reverse_module_list;
/*
Add modules to the list to activate them by default
beware often order is important
Some Known ordering constraints:
- rootdse must be first, as it makes redirects from "" -> cn=rootdse
- extended_dn_in must be before objectclass.c, as it resolves the DN
- objectclass must be before password_hash and samldb since these LDB
modules require the expanded "objectClass" list
- objectclass must be before descriptor and acl, as both assume that
objectClass values are sorted
- objectclass_attrs must be behind operational in order to see all
attributes (the operational module protects and therefore
suppresses per default some important ones)
- partition must be last
- each partition has its own module list then
The list is presented here as a set of declarations to show the
stack visually - the code below then handles the creation of the list
based on the parameters loaded from the database.
*/
static const char *modules_list1[] = {"resolve_oids",
"rootdse",
"schema_load",
"lazy_commit",
"dirsync",
"paged_results",
"ranged_results",
"anr",
"server_sort",
"asq",
"extended_dn_store",
NULL };
/* extended_dn_in or extended_dn_in_openldap goes here */
static const char *modules_list1a[] = {"objectclass",
"descriptor",
"acl",
"aclread",
"samldb",
"password_hash",
"operational",
"instancetype",
"objectclass_attrs",
NULL };
const char **link_modules;
static const char *fedora_ds_modules[] = {
"rdn_name", NULL };
static const char *openldap_modules[] = {
NULL };
static const char *tdb_modules_list[] = {
"rdn_name",
"subtree_delete",
"repl_meta_data",
"subtree_rename",
"linked_attributes",
NULL};
const char *extended_dn_module;
const char *extended_dn_module_ldb = "extended_dn_out_ldb";
const char *extended_dn_module_fds = "extended_dn_out_fds";
const char *extended_dn_module_openldap = "extended_dn_out_openldap";
const char *extended_dn_in_module = "extended_dn_in";
static const char *modules_list2[] = {"show_deleted",
"new_partition",
"partition",
NULL };
const char **backend_modules;
static const char *fedora_ds_backend_modules[] = {
"nsuniqueid", "paged_searches", "simple_dn", NULL };
static const char *openldap_backend_modules[] = {
"entryuuid", "simple_dn", NULL };
static const char *samba_dsdb_attrs[] = { "backendType", NULL };
static const char *partition_attrs[] = { "ldapBackend", NULL };
const char *backendType, *backendUrl;
bool use_sasl_external = false;
if (!tmp_ctx) {
return ldb_oom(ldb);
}
ret = ldb_register_samba_handlers(ldb);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
samba_dsdb_dn = ldb_dn_new(tmp_ctx, ldb, "@SAMBA_DSDB");
if (!samba_dsdb_dn) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
partition_dn = ldb_dn_new(tmp_ctx, ldb, DSDB_PARTITION_DN);
if (!partition_dn) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
#define CHECK_LDB_RET(check_ret) \
do { \
if (check_ret != LDB_SUCCESS) { \
talloc_free(tmp_ctx); \
return check_ret; \
} \
} while (0)
ret = dsdb_module_search_dn(module, tmp_ctx, &res, samba_dsdb_dn,
samba_dsdb_attrs, DSDB_FLAG_NEXT_MODULE, NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
backendType = "ldb";
} else if (ret == LDB_SUCCESS) {
backendType = ldb_msg_find_attr_as_string(res->msgs[0], "backendType", "ldb");
} else {
talloc_free(tmp_ctx);
return ret;
}
backend_modules = NULL;
if (strcasecmp(backendType, "ldb") == 0) {
extended_dn_module = extended_dn_module_ldb;
link_modules = tdb_modules_list;
} else {
struct cli_credentials *cred;
bool is_ldapi = false;
ret = dsdb_module_search_dn(module, tmp_ctx, &res, partition_dn,
partition_attrs, DSDB_FLAG_NEXT_MODULE, NULL);
if (ret == LDB_SUCCESS) {
backendUrl = ldb_msg_find_attr_as_string(res->msgs[0], "ldapBackend", "ldapi://");
if (!strncasecmp(backendUrl, "ldapi://", sizeof("ldapi://")-1)) {
is_ldapi = true;
}
} else if (ret != LDB_ERR_NO_SUCH_OBJECT) {
talloc_free(tmp_ctx);
return ret;
}
if (strcasecmp(backendType, "fedora-ds") == 0) {
link_modules = fedora_ds_modules;
backend_modules = fedora_ds_backend_modules;
extended_dn_module = extended_dn_module_fds;
} else if (strcasecmp(backendType, "openldap") == 0) {
link_modules = openldap_modules;
backend_modules = openldap_backend_modules;
extended_dn_module = extended_dn_module_openldap;
extended_dn_in_module = "extended_dn_in_openldap";
if (is_ldapi) {
use_sasl_external = true;
}
} else {
return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "invalid backend type");
}
ret = ldb_set_opaque(ldb, "readOnlySchema", (void*)1);
if (ret != LDB_SUCCESS) {
ldb_set_errstring(ldb, "Failed to set readOnlySchema opaque");
}
cred = ldb_get_opaque(ldb, "credentials");
if (!cred || !cli_credentials_authentication_requested(cred)) {
ret = set_ldap_credentials(ldb, use_sasl_external);
if (ret != LDB_SUCCESS) {
return ret;
}
}
}
#define CHECK_MODULE_LIST \
do { \
if (!final_module_list) { \
talloc_free(tmp_ctx); \
return ldb_oom(ldb); \
} \
} while (0)
final_module_list = str_list_copy_const(tmp_ctx, modules_list1);
CHECK_MODULE_LIST;
final_module_list = str_list_add_const(final_module_list, extended_dn_in_module);
CHECK_MODULE_LIST;
final_module_list = str_list_append_const(final_module_list, modules_list1a);
CHECK_MODULE_LIST;
final_module_list = str_list_append_const(final_module_list, link_modules);
CHECK_MODULE_LIST;
final_module_list = str_list_add_const(final_module_list, extended_dn_module);
CHECK_MODULE_LIST;
final_module_list = str_list_append_const(final_module_list, modules_list2);
CHECK_MODULE_LIST;
ret = read_at_rootdse_record(ldb, module, tmp_ctx, &rootdse_msg, NULL);
CHECK_LDB_RET(ret);
partition_msg = ldb_msg_new(tmp_ctx);
partition_msg->dn = ldb_dn_new(partition_msg, ldb, "@" DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME);
ret = prepare_modules_line(ldb, tmp_ctx,
rootdse_msg,
partition_msg, "schemaNamingContext",
"schema_data", backend_modules);
CHECK_LDB_RET(ret);
ret = prepare_modules_line(ldb, tmp_ctx,
rootdse_msg,
partition_msg, NULL,
NULL, backend_modules);
CHECK_LDB_RET(ret);
ret = ldb_set_opaque(ldb, DSDB_OPAQUE_PARTITION_MODULE_MSG_OPAQUE_NAME, partition_msg);
CHECK_LDB_RET(ret);
talloc_steal(ldb, partition_msg);
/* Now prepare the module chain. Oddly, we must give it to ldb_load_modules_list in REVERSE */
for (len = 0; final_module_list[len]; len++) { /* noop */};
reverse_module_list = talloc_array(tmp_ctx, const char *, len+1);
if (!reverse_module_list) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
for (i=0; i < len; i++) {
reverse_module_list[i] = final_module_list[(len - 1) - i];
}
reverse_module_list[i] = NULL;
/* The backend (at least until the partitions module
* reconfigures things) is the next module in the currently
* loaded chain */
backend_module = ldb_module_next(module);
ret = ldb_module_load_list(ldb, reverse_module_list, backend_module, &module_chain);
CHECK_LDB_RET(ret);
talloc_free(tmp_ctx);
/* Set this as the 'next' module, so that we effectivly append it to module chain */
ldb_module_set_next(module, module_chain);
return ldb_next_init(module);
}
static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
{
const char *secrets_ldb_path, *sam_ldb_path;
char *private_dir, *p, *error_string;
struct ldb_context *secrets_ldb;
struct cli_credentials *cred;
struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
TALLOC_CTX *tmp_ctx = talloc_new(ldb);
if (!tmp_ctx) {
return ldb_oom(ldb);
}
cred = cli_credentials_init(ldb);
if (!cred) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
cli_credentials_set_anonymous(cred);
if (use_external) {
cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
} else {
cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
/*
* We don't want to use krb5 to talk to our samdb - recursion
* here would be bad, and this account isn't in the KDC
* anyway
*/
cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
/*
* Work out where *our* secrets.ldb is. It must be in
* the same directory as sam.ldb
*/
sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
if (!sam_ldb_path) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
sam_ldb_path += 6;
}
private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
p = strrchr(private_dir, '/');
if (p) {
*p = '\0';
} else {
private_dir = talloc_strdup(tmp_ctx, ".");
}
secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
private_dir);
if (!secrets_ldb_path) {
talloc_free(tmp_ctx);
return ldb_oom(ldb);
}
/*
* Now that we have found the location, connect to
* secrets.ldb so we can read the SamDB Credentials
* record
*/
secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
NULL, NULL, 0);
if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
SECRETS_LDAP_FILTER, &error_string))) {
ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
talloc_free(tmp_ctx);
return LDB_ERR_STRONG_AUTH_REQUIRED;
}
}
/*
* Finally overwrite any supplied credentials with
* these ones, as only secrets.ldb contains the magic
* credentials to talk on the ldapi socket
*/
if (ldb_set_opaque(ldb, "credentials", cred)) {
talloc_free(tmp_ctx);
return ldb_operr(ldb);
}
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
/*
wrapped connection to a ldb database
to close just talloc_free() the returned ldb_context
TODO: We need an error_string parameter
*/
struct ldb_context *ldb_wrap_connect(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct loadparm_context *lp_ctx,
const char *url,
struct auth_session_info *session_info,
struct cli_credentials *credentials,
unsigned int flags)
{
struct ldb_context *ldb;
int ret;
char *real_url = NULL;
struct ldb_wrap *w;
struct ldb_wrap_context c;
c.url = url;
c.ev = ev;
c.lp_ctx = lp_ctx;
c.session_info = session_info;
c.credentials = credentials;
c.flags = flags;
/* see if we can re-use an existing ldb */
for (w=ldb_wrap_list; w; w=w->next) {
if (ldb_wrap_same_context(&c, &w->context)) {
return talloc_reference(mem_ctx, w->ldb);
}
}
/* we want to use the existing event context if possible. This
relies on the fact that in smbd, everything is a child of
the main event_context */
if (ev == NULL) {
return NULL;
}
ldb = ldb_init(mem_ctx, ev);
if (ldb == NULL) {
return NULL;
}
ldb_set_modules_dir(ldb,
talloc_asprintf(ldb,
"%s/ldb",
lp_modulesdir(lp_ctx)));
if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
talloc_free(ldb);
return NULL;
}
if (ldb_set_opaque(ldb, "credentials", credentials)) {
talloc_free(ldb);
return NULL;
}
if (ldb_set_opaque(ldb, "loadparm", lp_ctx)) {
talloc_free(ldb);
return NULL;
}
/* This must be done before we load the schema, as these
* handlers for objectSid and objectGUID etc must take
* precedence over the 'binary attribute' declaration in the
* schema */
ret = ldb_register_samba_handlers(ldb);
if (ret == -1) {
talloc_free(ldb);
return NULL;
}
if (lp_ctx != NULL && strcmp(lp_sam_url(lp_ctx), url) == 0) {
dsdb_set_global_schema(ldb);
}
ldb_set_debug(ldb, ldb_wrap_debug, NULL);
ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
real_url = private_path(ldb, lp_ctx, url);
if (real_url == NULL) {
talloc_free(ldb);
return NULL;
}
/* allow admins to force non-sync ldb for all databases */
if (lp_parm_bool(lp_ctx, NULL, "ldb", "nosync", false)) {
flags |= LDB_FLG_NOSYNC;
}
if (DEBUGLVL(10)) {
flags |= LDB_FLG_ENABLE_TRACING;
}
/* we usually want Samba databases to be private. If we later
find we need one public, we will need to add a parameter to
ldb_wrap_connect() */
ldb_set_create_perms(ldb, 0600);
ret = ldb_connect(ldb, real_url, flags, NULL);
if (ret != LDB_SUCCESS) {
talloc_free(ldb);
return NULL;
}
/* setup for leak detection */
ldb_set_opaque(ldb, "wrap_url", real_url);
/* add to the list of open ldb contexts */
w = talloc(ldb, struct ldb_wrap);
if (w == NULL) {
talloc_free(ldb);
return NULL;
}
w->context = c;
w->context.url = talloc_strdup(w, url);
if (w->context.url == NULL) {
talloc_free(ldb);
return NULL;
}
w->ldb = ldb;
DLIST_ADD(ldb_wrap_list, w);
/* make the resulting schema global */
if (lp_ctx != NULL && strcmp(lp_sam_url(lp_ctx), url) == 0) {
dsdb_make_schema_global(ldb);
}
DEBUG(3,("ldb_wrap open of %s\n", url));
talloc_set_destructor(w, ldb_wrap_destructor);
return ldb;
}
