/* return the attribute syntax oid as a string from the attribute name */ static PyObject *py_dsdb_get_syntax_oid_from_lDAPDisplayName(PyObject *self, PyObject *args) { PyObject *py_ldb; struct ldb_context *ldb; struct dsdb_schema *schema; const char *ldap_display_name; const struct dsdb_attribute *attribute; if (!PyArg_ParseTuple(args, "Os", &py_ldb, &ldap_display_name)) return NULL; PyErr_LDB_OR_RAISE(py_ldb, ldb); schema = dsdb_get_schema(ldb, NULL); if (!schema) { PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb"); return NULL; } attribute = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); if (attribute == NULL) { PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name); return NULL; } return PyString_FromString(attribute->syntax->ldap_oid); }
static int resolve_oids_element_replace(struct ldb_context *ldb, struct dsdb_schema *schema, struct ldb_message_element *el) { unsigned int i; const struct dsdb_attribute *a = NULL; const char *p1; p1 = strchr(el->name, '.'); if (p1) { a = dsdb_attribute_by_attributeID_oid(schema, el->name); } else { a = dsdb_attribute_by_lDAPDisplayName(schema, el->name); } if (!a) { return LDB_SUCCESS; } el->name = a->lDAPDisplayName; for (i=0; i < el->num_values; i++) { int ret; ret = resolve_oids_replace_value(ldb, schema, a, &el->values[i]); if (ret != LDB_SUCCESS) { return ret; } } return LDB_SUCCESS; }
const struct GUID *attribute_schemaid_guid_by_lDAPDisplayName(const struct dsdb_schema *schema, const char *name) { const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema, name); if (!attr) return NULL; return &attr->schemaIDGUID; }
/* override the name to attribute handler function */ const struct ldb_schema_attribute *dsdb_attribute_handler_override(struct ldb_context *ldb, void *private_data, const char *name) { struct dsdb_schema *schema = talloc_get_type_abort(private_data, struct dsdb_schema); const struct dsdb_attribute *a = dsdb_attribute_by_lDAPDisplayName(schema, name); if (a == NULL) { /* this will fall back to ldb internal handling */ return NULL; } return a->ldb_schema_attribute; }
WERROR dsdb_attribute_ldb_to_drsuapi(const struct dsdb_schema *schema, const struct ldb_message_element *in, TALLOC_CTX *mem_ctx, struct drsuapi_DsReplicaAttribute *out) { const struct dsdb_attribute *sa; sa = dsdb_attribute_by_lDAPDisplayName(schema, in->name); if (!sa) { return WERR_FOOBAR; } return sa->syntax->ldb_to_drsuapi(schema, sa, in, mem_ctx, out); }
static PyObject *py_dsdb_get_attid_from_lDAPDisplayName(PyObject *self, PyObject *args) { PyObject *py_ldb, *is_schema_nc; struct ldb_context *ldb; struct dsdb_schema *schema; const char *ldap_display_name; bool schema_nc = false; const struct dsdb_attribute *a; uint32_t attid; if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &is_schema_nc)) return NULL; PyErr_LDB_OR_RAISE(py_ldb, ldb); if (is_schema_nc) { if (!PyBool_Check(is_schema_nc)) { PyErr_SetString(PyExc_TypeError, "Expected boolean is_schema_nc"); return NULL; } if (is_schema_nc == Py_True) { schema_nc = true; } } schema = dsdb_get_schema(ldb, NULL); if (!schema) { PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb"); return NULL; } a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); if (a == NULL) { PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name); return NULL; } attid = dsdb_attribute_get_attid(a, schema_nc); return PyLong_FromUnsignedLong(attid); }
static bool torture_test_syntax(struct torture_context *torture, struct torture_dsdb_syntax *priv, const char *oid, const char *attr_string, const char *ldb_str, const char *drs_str) { TALLOC_CTX *tmp_ctx = talloc_new(torture); DATA_BLOB drs_binary = hexstr_to_data_blob(tmp_ctx, drs_str); DATA_BLOB ldb_blob = data_blob_string_const(ldb_str); struct drsuapi_DsReplicaAttribute drs, drs2; struct drsuapi_DsAttributeValue val; const struct dsdb_syntax *syntax; const struct dsdb_attribute *attr; struct ldb_message_element el; struct ldb_context *ldb = priv->ldb; struct dsdb_schema *schema = priv->schema; struct dsdb_syntax_ctx syntax_ctx; /* use default syntax conversion context */ dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema); drs.value_ctr.num_values = 1; drs.value_ctr.values = &val; val.blob = &drs_binary; torture_assert(torture, syntax = find_syntax_map_by_standard_oid(oid), "Failed to find syntax handler"); torture_assert(torture, attr = dsdb_attribute_by_lDAPDisplayName(schema, attr_string), "Failed to find attribute handler"); torture_assert_str_equal(torture, attr->syntax->name, syntax->name, "Syntax from schema not as expected"); torture_assert_werr_ok(torture, syntax->drsuapi_to_ldb(&syntax_ctx, attr, &drs, tmp_ctx, &el), "Failed to convert from DRS to ldb format"); torture_assert_data_blob_equal(torture, el.values[0], ldb_blob, "Incorrect conversion from DRS to ldb format"); torture_assert_werr_ok(torture, syntax->ldb_to_drsuapi(&syntax_ctx, attr, &el, tmp_ctx, &drs2), "Failed to convert from ldb to DRS format"); torture_assert(torture, drs2.value_ctr.values[0].blob, "No blob returned from conversion"); torture_assert_data_blob_equal(torture, *drs2.value_ctr.values[0].blob, drs_binary, "Incorrect conversion from ldb to DRS format"); return true; }
/* return the backlink attribute name (if any) for an attribute */ static PyObject *py_dsdb_get_backlink_from_lDAPDisplayName(PyObject *self, PyObject *args) { PyObject *py_ldb; struct ldb_context *ldb; struct dsdb_schema *schema; const char *ldap_display_name; const struct dsdb_attribute *attribute, *target_attr; if (!PyArg_ParseTuple(args, "Os", &py_ldb, &ldap_display_name)) return NULL; PyErr_LDB_OR_RAISE(py_ldb, ldb); schema = dsdb_get_schema(ldb, NULL); if (!schema) { PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb"); return NULL; } attribute = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); if (attribute == NULL) { PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name); return NULL; } if (attribute->linkID == 0) { Py_RETURN_NONE; } target_attr = dsdb_attribute_by_linkID(schema, attribute->linkID ^ 1); if (target_attr == NULL) { /* when we add pseudo-backlinks we'll need to handle them here */ Py_RETURN_NONE; } return PyString_FromString(target_attr->lDAPDisplayName); }
static int acl_modify(struct ldb_module *module, struct ldb_request *req) { int ret; struct ldb_context *ldb = ldb_module_get_ctx(module); const struct dsdb_schema *schema = dsdb_get_schema(ldb); int i; bool modify_sd = false; const struct GUID *guid; uint32_t access_granted; struct object_tree *root = NULL; struct object_tree *new_node = NULL; NTSTATUS status; struct ldb_result *acl_res; struct security_descriptor *sd; struct dom_sid *sid = NULL; TALLOC_CTX *tmp_ctx = talloc_new(req); static const char *acl_attrs[] = { "nTSecurityDescriptor", "objectClass", "objectSid", NULL }; /* Don't print this debug statement if elements[0].name is going to be NULL */ if(req->op.mod.message->num_elements > 0) { DEBUG(10, ("ldb:acl_modify: %s\n", req->op.mod.message->elements[0].name)); } if (what_is_user(module) == SECURITY_SYSTEM) { return ldb_next_request(module, req); } if (ldb_dn_is_special(req->op.mod.message->dn)) { return ldb_next_request(module, req); } ret = ldb_search(ldb, req, &acl_res, req->op.mod.message->dn, LDB_SCOPE_BASE, acl_attrs, NULL); if (ret != LDB_SUCCESS) { return ret; } ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd); if (ret != LDB_SUCCESS) { DEBUG(10, ("acl_modify: cannot get descriptor\n")); return ret; } /* Theoretically we pass the check if the object has no sd */ if (!sd) { return LDB_SUCCESS; } guid = get_oc_guid_from_message(module,acl_res->msgs[0]); if (!guid) { DEBUG(10, ("acl_modify: cannot get guid\n")); goto fail; } ret = get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid); if (ret != LDB_SUCCESS) { return LDB_ERR_OPERATIONS_ERROR; } if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP, &root, &new_node)) { DEBUG(10, ("acl_modify: cannot add to object tree\n")); goto fail; } for (i=0; i < req->op.mod.message->num_elements; i++){ const struct dsdb_attribute *attr; /* clearTextPassword is not in schema */ if (strcmp("clearTextPassword", req->op.mod.message->elements[i].name) == 0) { attr = dsdb_attribute_by_lDAPDisplayName(schema, "unicodePwd"); } else { attr = dsdb_attribute_by_lDAPDisplayName(schema, req->op.mod.message->elements[i].name); } if (strcmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) { modify_sd = true; } else { if (!attr) { DEBUG(10, ("acl_modify: cannot find attribute %s\n", req->op.mod.message->elements[i].name)); goto fail; } if (!insert_in_object_tree(tmp_ctx, &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) { DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n")); goto fail; } if (!insert_in_object_tree(tmp_ctx, &attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) { DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n")); goto fail; } } } if (root->num_of_children > 0) { status = sec_access_check_ds(sd, acl_user_token(module), SEC_ADS_WRITE_PROP, &access_granted, root, sid); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("Object %s nas no write property access\n", ldb_dn_get_linearized(req->op.mod.message->dn))); acl_debug(sd, acl_user_token(module), req->op.mod.message->dn, true, 10); talloc_free(tmp_ctx); return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } } if (modify_sd) { status = sec_access_check_ds(sd, acl_user_token(module), SEC_STD_WRITE_DAC, &access_granted, NULL, sid); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("Object %s nas no write dacl access\n", ldb_dn_get_linearized(req->op.mod.message->dn))); acl_debug(sd, acl_user_token(module), req->op.mod.message->dn, true, 10); talloc_free(tmp_ctx); return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; } } talloc_free(tmp_ctx); return ldb_next_request(module, req); fail: talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; }
static int acl_allowedAttributes(struct ldb_module *module, struct ldb_message *sd_msg, struct ldb_message *msg, struct acl_context *ac) { struct ldb_message_element *oc_el; struct ldb_context *ldb = ldb_module_get_ctx(module); const struct dsdb_schema *schema = dsdb_get_schema(ldb); TALLOC_CTX *mem_ctx; const char **attr_list; int i, ret; /* If we don't have a schema yet, we can't do anything... */ if (schema == NULL) { return LDB_SUCCESS; } /* Must remove any existing attribute */ if (ac->allowedAttributes) { ldb_msg_remove_attr(msg, "allowedAttributes"); } mem_ctx = talloc_new(msg); if (!mem_ctx) { ldb_oom(ldb); return LDB_ERR_OPERATIONS_ERROR; } oc_el = ldb_msg_find_element(sd_msg, "objectClass"); attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL); if (!attr_list) { ldb_asprintf_errstring(ldb, "acl: Failed to get list of attributes"); talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; } if (ac->allowedAttributes) { for (i=0; attr_list && attr_list[i]; i++) { ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]); } } if (ac->allowedAttributesEffective) { struct security_descriptor *sd; struct dom_sid *sid = NULL; ldb_msg_remove_attr(msg, "allowedAttributesEffective"); if (ac->user_type == SECURITY_SYSTEM) { for (i=0; attr_list && attr_list[i]; i++) { ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]); } return LDB_SUCCESS; } ret = get_sd_from_ldb_message(mem_ctx, sd_msg, &sd); if (ret != LDB_SUCCESS) { return ret; } ret = get_dom_sid_from_ldb_message(mem_ctx, sd_msg, &sid); if (ret != LDB_SUCCESS) { return ret; } for (i=0; attr_list && attr_list[i]; i++) { struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema, attr_list[i]); if (!attr) { return LDB_ERR_OPERATIONS_ERROR; } /* remove constructed attributes */ if (attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED || attr->systemOnly || (attr->linkID != 0 && attr->linkID % 2 != 0 )) { continue; } ret = acl_check_access_on_attribute(module, msg, sd, sid, SEC_ADS_WRITE_PROP, attr); if (ret == LDB_SUCCESS) { ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]); } } } return LDB_SUCCESS; }
/* normalise a ldb attribute list */ static PyObject *py_dsdb_normalise_attributes(PyObject *self, PyObject *args) { PyObject *py_ldb, *el_list, *ret; struct ldb_context *ldb; char *ldap_display_name; const struct dsdb_attribute *a; struct dsdb_schema *schema; struct dsdb_syntax_ctx syntax_ctx; struct ldb_message_element *el; struct drsuapi_DsReplicaAttribute *attr; TALLOC_CTX *tmp_ctx; WERROR werr; Py_ssize_t i; if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &el_list)) { return NULL; } PyErr_LDB_OR_RAISE(py_ldb, ldb); if (!PyList_Check(el_list)) { PyErr_Format(PyExc_TypeError, "ldif_elements must be a list"); return NULL; } schema = dsdb_get_schema(ldb, NULL); if (!schema) { PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb"); return NULL; } a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); if (a == NULL) { PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name); return NULL; } dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema); syntax_ctx.is_schema_nc = false; tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { PyErr_NoMemory(); return NULL; } el = talloc_zero(tmp_ctx, struct ldb_message_element); if (el == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } el->name = ldap_display_name; el->num_values = PyList_Size(el_list); el->values = talloc_array(el, struct ldb_val, el->num_values); if (el->values == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } for (i = 0; i < el->num_values; i++) { PyObject *item = PyList_GetItem(el_list, i); if (!PyString_Check(item)) { PyErr_Format(PyExc_TypeError, "ldif_elements should be strings"); talloc_free(tmp_ctx); return NULL; } el->values[i].data = (uint8_t *)PyString_AsString(item); el->values[i].length = PyString_Size(item); } /* Normalise "objectClass" attribute if needed */ if (ldb_attr_cmp(a->lDAPDisplayName, "objectClass") == 0) { int iret; iret = dsdb_sort_objectClass_attr(ldb, schema, el, tmp_ctx, el); if (iret != LDB_SUCCESS) { PyErr_SetString(PyExc_RuntimeError, ldb_errstring(ldb)); talloc_free(tmp_ctx); return NULL; } } /* first run ldb_to_drsuapi, then convert back again. This has * the effect of normalising the attributes */ attr = talloc_zero(tmp_ctx, struct drsuapi_DsReplicaAttribute); if (attr == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } werr = a->syntax->ldb_to_drsuapi(&syntax_ctx, a, el, attr, attr); PyErr_WERROR_NOT_OK_RAISE(werr); /* now convert back again */ werr = a->syntax->drsuapi_to_ldb(&syntax_ctx, a, attr, el, el); PyErr_WERROR_NOT_OK_RAISE(werr); ret = py_return_ndr_struct("ldb", "MessageElement", el, el); talloc_free(tmp_ctx); return ret; }
/* convert a python string to a DRSUAPI drsuapi_DsReplicaAttribute attribute */ static PyObject *py_dsdb_DsReplicaAttribute(PyObject *self, PyObject *args) { PyObject *py_ldb, *el_list, *ret; struct ldb_context *ldb; char *ldap_display_name; const struct dsdb_attribute *a; struct dsdb_schema *schema; struct dsdb_syntax_ctx syntax_ctx; struct ldb_message_element *el; struct drsuapi_DsReplicaAttribute *attr; TALLOC_CTX *tmp_ctx; WERROR werr; Py_ssize_t i; if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &el_list)) { return NULL; } PyErr_LDB_OR_RAISE(py_ldb, ldb); if (!PyList_Check(el_list)) { PyErr_Format(PyExc_TypeError, "ldif_elements must be a list"); return NULL; } schema = dsdb_get_schema(ldb, NULL); if (!schema) { PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb"); return NULL; } a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); if (a == NULL) { PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name); return NULL; } dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema); syntax_ctx.is_schema_nc = false; tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { PyErr_NoMemory(); return NULL; } el = talloc_zero(tmp_ctx, struct ldb_message_element); if (el == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } el->name = ldap_display_name; el->num_values = PyList_Size(el_list); el->values = talloc_array(el, struct ldb_val, el->num_values); if (el->values == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } for (i = 0; i < el->num_values; i++) { PyObject *item = PyList_GetItem(el_list, i); if (!PyString_Check(item)) { PyErr_Format(PyExc_TypeError, "ldif_elements should be strings"); talloc_free(tmp_ctx); return NULL; } el->values[i].data = (uint8_t *)PyString_AsString(item); el->values[i].length = PyString_Size(item); } attr = talloc_zero(tmp_ctx, struct drsuapi_DsReplicaAttribute); if (attr == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } werr = a->syntax->ldb_to_drsuapi(&syntax_ctx, a, el, attr, attr); PyErr_WERROR_NOT_OK_RAISE(werr); ret = py_return_ndr_struct("samba.dcerpc.drsuapi", "DsReplicaAttribute", attr, attr); talloc_free(tmp_ctx); return ret; }
static WERROR dsdb_convert_object_ex(struct ldb_context *ldb, const struct dsdb_schema *schema, const struct drsuapi_DsReplicaObjectListItemEx *in, const DATA_BLOB *gensec_skey, TALLOC_CTX *mem_ctx, struct dsdb_extended_replicated_object *out) { NTSTATUS nt_status; WERROR status; uint32_t i; struct ldb_message *msg; struct replPropertyMetaDataBlob *md; struct ldb_val guid_value; NTTIME whenChanged = 0; time_t whenChanged_t; const char *whenChanged_s; const char *rdn_name = NULL; const struct ldb_val *rdn_value = NULL; const struct dsdb_attribute *rdn_attr = NULL; uint32_t rdn_attid; struct drsuapi_DsReplicaAttribute *name_a = NULL; struct drsuapi_DsReplicaMetaData *name_d = NULL; struct replPropertyMetaData1 *rdn_m = NULL; struct dom_sid *sid = NULL; uint32_t rid = 0; int ret; if (!in->object.identifier) { return WERR_FOOBAR; } if (!in->object.identifier->dn || !in->object.identifier->dn[0]) { return WERR_FOOBAR; } if (in->object.attribute_ctr.num_attributes != 0 && !in->meta_data_ctr) { return WERR_FOOBAR; } if (in->object.attribute_ctr.num_attributes != in->meta_data_ctr->count) { return WERR_FOOBAR; } sid = &in->object.identifier->sid; if (sid->num_auths > 0) { rid = sid->sub_auths[sid->num_auths - 1]; } msg = ldb_msg_new(mem_ctx); W_ERROR_HAVE_NO_MEMORY(msg); msg->dn = ldb_dn_new(msg, ldb, in->object.identifier->dn); W_ERROR_HAVE_NO_MEMORY(msg->dn); rdn_name = ldb_dn_get_rdn_name(msg->dn); rdn_attr = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name); if (!rdn_attr) { return WERR_FOOBAR; } rdn_attid = rdn_attr->attributeID_id; rdn_value = ldb_dn_get_rdn_val(msg->dn); msg->num_elements = in->object.attribute_ctr.num_attributes; msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements); W_ERROR_HAVE_NO_MEMORY(msg->elements); md = talloc(mem_ctx, struct replPropertyMetaDataBlob); W_ERROR_HAVE_NO_MEMORY(md); md->version = 1; md->reserved = 0; md->ctr.ctr1.count = in->meta_data_ctr->count; md->ctr.ctr1.reserved = 0; md->ctr.ctr1.array = talloc_array(mem_ctx, struct replPropertyMetaData1, md->ctr.ctr1.count + 1); /* +1 because of the RDN attribute */ W_ERROR_HAVE_NO_MEMORY(md->ctr.ctr1.array); for (i=0; i < in->meta_data_ctr->count; i++) { struct drsuapi_DsReplicaAttribute *a; struct drsuapi_DsReplicaMetaData *d; struct replPropertyMetaData1 *m; struct ldb_message_element *e; int j; a = &in->object.attribute_ctr.attributes[i]; d = &in->meta_data_ctr->meta_data[i]; m = &md->ctr.ctr1.array[i]; e = &msg->elements[i]; for (j=0; j<a->value_ctr.num_values; j++) { status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob, gensec_skey, rid, a); W_ERROR_NOT_OK_RETURN(status); } status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, a, msg->elements, e); if (!NT_STATUS_IS_OK(status) && a->value_ctr.num_values == 0) { /* w2k8-r2 occasionally sends bogus empty attributes with rubbish attribute IDs. The only think we can do is discard these */ DEBUG(0,(__location__ ": Discarding bogus empty DsReplicaAttribute with attid 0x%x\n", a->attid)); ZERO_STRUCTP(e); continue; } W_ERROR_NOT_OK_RETURN(status); m->attid = a->attid; m->version = d->version; m->originating_change_time = d->originating_change_time; m->originating_invocation_id = d->originating_invocation_id; m->originating_usn = d->originating_usn; m->local_usn = 0; if (d->originating_change_time > whenChanged) { whenChanged = d->originating_change_time; } if (a->attid == DRSUAPI_ATTRIBUTE_name) { name_a = a; name_d = d; rdn_m = &md->ctr.ctr1.array[md->ctr.ctr1.count]; } } /* delete any empty elements */ for (i=0; i < msg->num_elements; i++) { if (msg->elements[i].name == NULL) { ldb_msg_remove_element(msg, &msg->elements[i]); i--; } } if (rdn_m) { struct ldb_message_element *el; el = ldb_msg_find_element(msg, rdn_attr->lDAPDisplayName); if (!el) { ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, rdn_value, NULL); if (ret != LDB_SUCCESS) { return WERR_FOOBAR; } } else { if (el->num_values != 1) { DEBUG(0,(__location__ ": Unexpected num_values=%u\n", el->num_values)); return WERR_FOOBAR; } if (!ldb_val_equal_exact(&el->values[0], rdn_value)) { DEBUG(0,(__location__ ": RDN value changed? '%*.*s' '%*.*s'\n", (int)el->values[0].length, (int)el->values[0].length, el->values[0].data, (int)rdn_value->length, (int)rdn_value->length, rdn_value->data)); return WERR_FOOBAR; } } rdn_m->attid = rdn_attid; rdn_m->version = name_d->version; rdn_m->originating_change_time = name_d->originating_change_time; rdn_m->originating_invocation_id = name_d->originating_invocation_id; rdn_m->originating_usn = name_d->originating_usn; rdn_m->local_usn = 0; md->ctr.ctr1.count++; } whenChanged_t = nt_time_to_unix(whenChanged); whenChanged_s = ldb_timestring(msg, whenChanged_t); W_ERROR_HAVE_NO_MEMORY(whenChanged_s); nt_status = GUID_to_ndr_blob(&in->object.identifier->guid, msg, &guid_value); if (!NT_STATUS_IS_OK(nt_status)) { return ntstatus_to_werror(nt_status); } out->msg = msg; out->guid_value = guid_value; out->when_changed = whenChanged_s; out->meta_data = md; return WERR_OK; }
static int resolve_oids_parse_tree_need(struct ldb_context *ldb, struct dsdb_schema *schema, const struct ldb_parse_tree *tree) { unsigned int i; const struct dsdb_attribute *a = NULL; const char *attr; const char *p1; const void *p2; const struct ldb_val *valp = NULL; int ret; switch (tree->operation) { case LDB_OP_AND: case LDB_OP_OR: for (i=0;i<tree->u.list.num_elements;i++) { ret = resolve_oids_parse_tree_need(ldb, schema, tree->u.list.elements[i]); if (ret != LDB_ERR_COMPARE_FALSE) { return ret; } } return LDB_ERR_COMPARE_FALSE; case LDB_OP_NOT: return resolve_oids_parse_tree_need(ldb, schema, tree->u.isnot.child); case LDB_OP_EQUALITY: case LDB_OP_GREATER: case LDB_OP_LESS: case LDB_OP_APPROX: attr = tree->u.equality.attr; valp = &tree->u.equality.value; break; case LDB_OP_SUBSTRING: attr = tree->u.substring.attr; break; case LDB_OP_PRESENT: attr = tree->u.present.attr; break; case LDB_OP_EXTENDED: attr = tree->u.extended.attr; valp = &tree->u.extended.value; break; default: return LDB_ERR_COMPARE_FALSE; } p1 = strchr(attr, '.'); if (valp) { p2 = memchr(valp->data, '.', valp->length); } else { p2 = NULL; } if (!p1 && !p2) { return LDB_ERR_COMPARE_FALSE; } if (p1) { a = dsdb_attribute_by_attributeID_oid(schema, attr); } else { a = dsdb_attribute_by_lDAPDisplayName(schema, attr); } if (!a) { return LDB_ERR_COMPARE_FALSE; } if (!p2) { return LDB_ERR_COMPARE_FALSE; } return resolve_oids_need_value(ldb, schema, a, valp); }
/* normalise a ldb attribute list */ static PyObject *py_dsdb_normalise_attributes(PyObject *self, PyObject *args) { PyObject *py_ldb, *el_list, *py_ret; struct ldb_context *ldb; char *ldap_display_name; const struct dsdb_attribute *a; struct dsdb_schema *schema; struct dsdb_syntax_ctx syntax_ctx; struct ldb_message_element *el, *new_el; struct drsuapi_DsReplicaAttribute *attr; PyLdbMessageElementObject *ret; TALLOC_CTX *tmp_ctx; WERROR werr; Py_ssize_t i; PyTypeObject *py_type = NULL; PyObject *module = NULL; if (!PyArg_ParseTuple(args, "OsO", &py_ldb, &ldap_display_name, &el_list)) { return NULL; } PyErr_LDB_OR_RAISE(py_ldb, ldb); schema = dsdb_get_schema(ldb, NULL); if (!schema) { PyErr_SetString(PyExc_RuntimeError, "Failed to find a schema from ldb"); return NULL; } a = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); if (a == NULL) { PyErr_Format(PyExc_KeyError, "Failed to find attribute '%s'", ldap_display_name); return NULL; } dsdb_syntax_ctx_init(&syntax_ctx, ldb, schema); syntax_ctx.is_schema_nc = false; tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) { PyErr_NoMemory(); return NULL; } if (!PyList_Check(el_list)) { if (!py_check_dcerpc_type(el_list, "ldb", "MessageElement")) { PyErr_SetString(py_ldb_get_exception(), "list of strings or ldb MessageElement object required"); return NULL; } /* * NOTE: * el may not be a valid talloc context, it * could be part of an array */ el = pyldb_MessageElement_AsMessageElement(el_list); } else { el = talloc_zero(tmp_ctx, struct ldb_message_element); if (el == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } el->name = ldap_display_name; el->num_values = PyList_Size(el_list); el->values = talloc_array(el, struct ldb_val, el->num_values); if (el->values == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } for (i = 0; i < el->num_values; i++) { PyObject *item = PyList_GetItem(el_list, i); if (!PyString_Check(item)) { PyErr_Format(PyExc_TypeError, "ldif_elements should be strings"); talloc_free(tmp_ctx); return NULL; } el->values[i].data = (uint8_t *)PyString_AsString(item); el->values[i].length = PyString_Size(item); } } new_el = talloc_zero(tmp_ctx, struct ldb_message_element); if (new_el == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } /* Normalise "objectClass" attribute if needed */ if (ldb_attr_cmp(a->lDAPDisplayName, "objectClass") == 0) { int iret; iret = dsdb_sort_objectClass_attr(ldb, schema, el, new_el, new_el); if (iret != LDB_SUCCESS) { PyErr_SetString(PyExc_RuntimeError, ldb_errstring(ldb)); talloc_free(tmp_ctx); return NULL; } } /* first run ldb_to_drsuapi, then convert back again. This has * the effect of normalising the attributes */ attr = talloc_zero(tmp_ctx, struct drsuapi_DsReplicaAttribute); if (attr == NULL) { PyErr_NoMemory(); talloc_free(tmp_ctx); return NULL; } werr = a->syntax->ldb_to_drsuapi(&syntax_ctx, a, el, attr, attr); PyErr_WERROR_NOT_OK_RAISE(werr); /* now convert back again */ werr = a->syntax->drsuapi_to_ldb(&syntax_ctx, a, attr, new_el, new_el); PyErr_WERROR_NOT_OK_RAISE(werr); module = PyImport_ImportModule("ldb"); if (module == NULL) { return NULL; } py_type = (PyTypeObject *)PyObject_GetAttrString(module, "MessageElement"); if (py_type == NULL) { return NULL; } py_ret = py_type->tp_alloc(py_type, 0); ret = (PyLdbMessageElementObject *)py_ret; ret->mem_ctx = talloc_new(NULL); if (talloc_reference(ret->mem_ctx, new_el) == NULL) { PyErr_NoMemory(); return NULL; } ret->el = new_el; talloc_free(tmp_ctx); return py_ret; }
WERROR dsdb_convert_object_ex(struct ldb_context *ldb, const struct dsdb_schema *schema, const struct dsdb_schema_prefixmap *pfm_remote, const struct drsuapi_DsReplicaObjectListItemEx *in, const DATA_BLOB *gensec_skey, const uint32_t *ignore_attids, uint32_t dsdb_repl_flags, TALLOC_CTX *mem_ctx, struct dsdb_extended_replicated_object *out) { NTSTATUS nt_status; WERROR status = WERR_OK; uint32_t i; struct ldb_message *msg; struct replPropertyMetaDataBlob *md; int instanceType; struct ldb_message_element *instanceType_e = NULL; struct ldb_val guid_value; struct ldb_val parent_guid_value; NTTIME whenChanged = 0; time_t whenChanged_t; const char *whenChanged_s; struct drsuapi_DsReplicaAttribute *name_a = NULL; struct drsuapi_DsReplicaMetaData *name_d = NULL; struct replPropertyMetaData1 *rdn_m = NULL; struct dom_sid *sid = NULL; uint32_t rid = 0; uint32_t attr_count; int ret; if (!in->object.identifier) { return WERR_FOOBAR; } if (!in->object.identifier->dn || !in->object.identifier->dn[0]) { return WERR_FOOBAR; } if (in->object.attribute_ctr.num_attributes != 0 && !in->meta_data_ctr) { return WERR_FOOBAR; } if (in->object.attribute_ctr.num_attributes != in->meta_data_ctr->count) { return WERR_FOOBAR; } sid = &in->object.identifier->sid; if (sid->num_auths > 0) { rid = sid->sub_auths[sid->num_auths - 1]; } msg = ldb_msg_new(mem_ctx); W_ERROR_HAVE_NO_MEMORY(msg); msg->dn = ldb_dn_new(msg, ldb, in->object.identifier->dn); W_ERROR_HAVE_NO_MEMORY(msg->dn); msg->num_elements = in->object.attribute_ctr.num_attributes; msg->elements = talloc_array(msg, struct ldb_message_element, msg->num_elements + 1); /* +1 because of the RDN attribute */ W_ERROR_HAVE_NO_MEMORY(msg->elements); md = talloc(mem_ctx, struct replPropertyMetaDataBlob); W_ERROR_HAVE_NO_MEMORY(md); md->version = 1; md->reserved = 0; md->ctr.ctr1.count = in->meta_data_ctr->count; md->ctr.ctr1.reserved = 0; md->ctr.ctr1.array = talloc_array(mem_ctx, struct replPropertyMetaData1, md->ctr.ctr1.count + 1); /* +1 because of the RDN attribute */ W_ERROR_HAVE_NO_MEMORY(md->ctr.ctr1.array); for (i=0, attr_count=0; i < in->meta_data_ctr->count; i++, attr_count++) { struct drsuapi_DsReplicaAttribute *a; struct drsuapi_DsReplicaMetaData *d; struct replPropertyMetaData1 *m; struct ldb_message_element *e; uint32_t j; a = &in->object.attribute_ctr.attributes[i]; d = &in->meta_data_ctr->meta_data[i]; m = &md->ctr.ctr1.array[attr_count]; e = &msg->elements[attr_count]; if (dsdb_attid_in_list(ignore_attids, a->attid)) { attr_count--; continue; } if (GUID_all_zero(&d->originating_invocation_id)) { status = WERR_DS_SRC_GUID_MISMATCH; DEBUG(0, ("Refusing replication of object containing invalid zero invocationID on attribute %d of %s: %s\n", a->attid, ldb_dn_get_linearized(msg->dn), win_errstr(status))); return status; } if (a->attid == DRSUAPI_ATTID_instanceType) { if (instanceType_e != NULL) { return WERR_FOOBAR; } instanceType_e = e; } for (j=0; j<a->value_ctr.num_values; j++) { status = drsuapi_decrypt_attribute(a->value_ctr.values[j].blob, gensec_skey, rid, dsdb_repl_flags, a); if (!W_ERROR_IS_OK(status)) { break; } } if (W_ERROR_EQUAL(status, WERR_TOO_MANY_SECRETS)) { WERROR get_name_status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote, a, msg->elements, e); if (W_ERROR_IS_OK(get_name_status)) { DEBUG(0, ("Unxpectedly got secret value %s on %s from DRS server\n", e->name, ldb_dn_get_linearized(msg->dn))); } else { DEBUG(0, ("Unxpectedly got secret value on %s from DRS server", ldb_dn_get_linearized(msg->dn))); } } else if (!W_ERROR_IS_OK(status)) { return status; } status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, pfm_remote, a, msg->elements, e); W_ERROR_NOT_OK_RETURN(status); m->attid = a->attid; m->version = d->version; m->originating_change_time = d->originating_change_time; m->originating_invocation_id = d->originating_invocation_id; m->originating_usn = d->originating_usn; m->local_usn = 0; if (d->originating_change_time > whenChanged) { whenChanged = d->originating_change_time; } if (a->attid == DRSUAPI_ATTID_name) { name_a = a; name_d = d; } } msg->num_elements = attr_count; md->ctr.ctr1.count = attr_count; if (name_a) { rdn_m = &md->ctr.ctr1.array[md->ctr.ctr1.count]; } if (rdn_m) { struct ldb_message_element *el; const char *rdn_name = NULL; const struct ldb_val *rdn_value = NULL; const struct dsdb_attribute *rdn_attr = NULL; uint32_t rdn_attid; /* * We only need the schema calls for the RDN in this * codepath, and by doing this we avoid needing to * have the dsdb_attribute_by_lDAPDisplayName accessor * working during the schema load. */ rdn_name = ldb_dn_get_rdn_name(msg->dn); rdn_attr = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name); if (!rdn_attr) { return WERR_FOOBAR; } rdn_attid = rdn_attr->attributeID_id; rdn_value = ldb_dn_get_rdn_val(msg->dn); el = ldb_msg_find_element(msg, rdn_attr->lDAPDisplayName); if (!el) { ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, rdn_value, NULL); if (ret != LDB_SUCCESS) { return WERR_FOOBAR; } } else { if (el->num_values != 1) { DEBUG(0,(__location__ ": Unexpected num_values=%u\n", el->num_values)); return WERR_FOOBAR; } if (!ldb_val_equal_exact(&el->values[0], rdn_value)) { DEBUG(0,(__location__ ": RDN value changed? '%*.*s' '%*.*s'\n", (int)el->values[0].length, (int)el->values[0].length, el->values[0].data, (int)rdn_value->length, (int)rdn_value->length, rdn_value->data)); return WERR_FOOBAR; } } rdn_m->attid = rdn_attid; rdn_m->version = name_d->version; rdn_m->originating_change_time = name_d->originating_change_time; rdn_m->originating_invocation_id = name_d->originating_invocation_id; rdn_m->originating_usn = name_d->originating_usn; rdn_m->local_usn = 0; md->ctr.ctr1.count++; } if (instanceType_e == NULL) { return WERR_FOOBAR; } instanceType = ldb_msg_find_attr_as_int(msg, "instanceType", 0); if (dsdb_repl_flags & DSDB_REPL_FLAG_PARTIAL_REPLICA) { /* the instanceType type for partial_replica replication is sent via DRS with TYPE_WRITE set, but must be used on the client with TYPE_WRITE removed */ if (instanceType & INSTANCE_TYPE_WRITE) { /* * Make sure we do not change the order * of msg->elements! * * That's why we use * instanceType_e->num_values = 0 * instead of * ldb_msg_remove_attr(msg, "instanceType"); */ struct ldb_message_element *e; e = ldb_msg_find_element(msg, "instanceType"); if (e != instanceType_e) { DEBUG(0,("instanceType_e[%p] changed to e[%p]\n", instanceType_e, e)); return WERR_FOOBAR; } instanceType_e->num_values = 0; instanceType &= ~INSTANCE_TYPE_WRITE; if (ldb_msg_add_fmt(msg, "instanceType", "%d", instanceType) != LDB_SUCCESS) { return WERR_INTERNAL_ERROR; } } } else { if (!(instanceType & INSTANCE_TYPE_WRITE)) { DEBUG(0, ("Refusing to replicate %s from a read-only repilca into a read-write replica!\n", ldb_dn_get_linearized(msg->dn))); return WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA; } } whenChanged_t = nt_time_to_unix(whenChanged); whenChanged_s = ldb_timestring(msg, whenChanged_t); W_ERROR_HAVE_NO_MEMORY(whenChanged_s); nt_status = GUID_to_ndr_blob(&in->object.identifier->guid, msg, &guid_value); if (!NT_STATUS_IS_OK(nt_status)) { return ntstatus_to_werror(nt_status); } if (in->parent_object_guid) { nt_status = GUID_to_ndr_blob(in->parent_object_guid, msg, &parent_guid_value); if (!NT_STATUS_IS_OK(nt_status)) { return ntstatus_to_werror(nt_status); } } else { parent_guid_value = data_blob_null; } out->msg = msg; out->guid_value = guid_value; out->parent_guid_value = parent_guid_value; out->when_changed = whenChanged_s; out->meta_data = md; return WERR_OK; }