The branch, master has been updated via fff3f29 s4-ldb: two DNs only match if they have the same deletion status via 7367787 talloc: check block count aftter references test via 2331610 s4-samdb: save the url in the samdb class via 37799b0 s4-dsdb: extend the extended_dn_in module to handle DN links via 23598d5 ldb: rule_id in ldb_parse_tree should be const via 849d042 ldb: added a new always-fail ldap extended match OID via e07ca09 ldb: changed DN matching rules to obey GUID/SID/string ordering via 7b5f0a7 s4-dsdb: handle search expressions containing extended DNs via d4a1f6a s4-dsdb: added dn_format attribute of a dsdb_attribute via d669e83 s4-dsdb: fixed outgoing one way link DNs via a74f467 s4-dsdb: setup a one_way_link attribute on schema attributes via fc40769 s4-dsdb: fixed a warning on dsdb_delete() via d10553a s4-dsdb: make requests for STORAGE_FORMAT control non-critical via a8293a5 ldb: added signatures for 1.1.2 via 39576e9 ldb: raise minor version via 841d17f ldb: added ldb_parse_tree_walk() via 4ba8069 ldb: added ldb_dn_replace_components() from ed59f21 s3-ntlmssp void function cannot return value
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit fff3f290736f0b75903bfefeb961ee935930303b Author: Andrew Tridgell <tri...@samba.org> Date: Thu Aug 4 14:59:47 2011 +1000 s4-ldb: two DNs only match if they have the same deletion status Autobuild-User: Andrew Tridgell <tri...@samba.org> Autobuild-Date: Thu Aug 4 09:34:08 CEST 2011 on sn-devel-104 commit 73677875b46251f59b66c9713f1decc89bd2ea3e Author: Andrew Tridgell <tri...@samba.org> Date: Thu Aug 4 12:07:19 2011 +1000 talloc: check block count aftter references test Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit 2331610a2e33498527070c45debfea418a97717d Author: Andrew Tridgell <tri...@samba.org> Date: Wed Aug 3 11:31:45 2011 +1000 s4-samdb: save the url in the samdb class this is useful for debugging, so we know which database we are dealing with Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit 37799b0644af6d0135af52f07414efd52bbe697e Author: Andrew Tridgell <tri...@samba.org> Date: Tue Aug 2 17:19:16 2011 +1000 s4-dsdb: extend the extended_dn_in module to handle DN links this replaces DN components in incoming filter expressions with the full extended DN of the target, which allows search expressions based on <GUID=> and <SID=> DNs, as well as fixing the problem with one-way links in search expressions Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit 23598d56ff7a0bf9cb55606da0ede234e12dbc57 Author: Andrew Tridgell <tri...@samba.org> Date: Tue Aug 2 17:17:13 2011 +1000 ldb: rule_id in ldb_parse_tree should be const this allows assignment to a constant string without allocation Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit 849d042dd88e8e7de2748524b054b350af06a859 Author: Andrew Tridgell <tri...@samba.org> Date: Tue Aug 2 17:16:44 2011 +1000 ldb: added a new always-fail ldap extended match OID this is used when rewriting filter rules to replace a filter rule with one that is guaranteed not to match Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit e07ca09a7bac30b99b0033a59746ba166e429aec Author: Andrew Tridgell <tri...@samba.org> Date: Tue Aug 2 17:15:28 2011 +1000 ldb: changed DN matching rules to obey GUID/SID/string ordering when matching two DNs, the GUID takes priority, then the SID, then the string component Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit 7b5f0a7120c91989976d2f946ad1af9d6dc934c7 Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 17:48:53 2011 +1000 s4-dsdb: handle search expressions containing extended DNs this allows for searches like member=<SID=S-1-2-3> Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit d4a1f6a42b06a5d63a789cad438cfde693df24a7 Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 17:47:34 2011 +1000 s4-dsdb: added dn_format attribute of a dsdb_attribute this is faster than string comparisons during searches at runtime Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit d669e83857600ec59afc5b11c0286f28fceb0d0a Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 13:55:58 2011 +1000 s4-dsdb: fixed outgoing one way link DNs when we return a DN which is a one way link, fix the string DN component by searching for the GUID and replacing the DN components Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> commit a74f4673eda682bbca4adfed8a924b16114a0dcd Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 13:54:58 2011 +1000 s4-dsdb: setup a one_way_link attribute on schema attributes this allows us to quickly determine if a DN is a one way link Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit fc40769b64188adedf273913fa94d30b307970d3 Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 12:40:24 2011 +1000 s4-dsdb: fixed a warning on dsdb_delete() struct ldb_dn is never const Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit d10553a51c518407c48529dcfd3e7a5e6f6207c7 Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 12:25:11 2011 +1000 s4-dsdb: make requests for STORAGE_FORMAT control non-critical this allows us to use dsdb_module_dn_by_guid() from levels below the extended_dn_out module Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit a8293a5baac4a1869b81a739c4dab750c50de840 Author: Andrew Tridgell <tri...@samba.org> Date: Wed Aug 3 16:44:28 2011 +1000 ldb: added signatures for 1.1.2 commit 39576e9d65ad71fd2f980275a51837695404de2c Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 12:24:38 2011 +1000 ldb: raise minor version needed for new module function ldb_dn_replace_components() Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit 841d17ff83ff3737070117a32199164b0b006402 Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 17:46:39 2011 +1000 ldb: added ldb_parse_tree_walk() this walks a ldb parse tree, calling a callback on each node Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> commit 4ba8069e3d33dca53780521026c972425c1d66c5 Author: Andrew Tridgell <tri...@samba.org> Date: Mon Aug 1 12:24:13 2011 +1000 ldb: added ldb_dn_replace_components() this allows you to replace the string part of a DN with the string part from another DN. This is useful when you want to fix a DN that has the right GUID but the wrong string part, because the target object has moved. Pair-Programmed-With: Andrew Bartlett <abart...@samba.org> Pair-Programmed-With: Amitay Isaacs <ami...@gmail.com> ----------------------------------------------------------------------- Summary of changes: lib/ldb-samba/ldif_handlers.c | 67 ++++++ lib/ldb/ABI/{ldb-1.1.1.sigs => ldb-1.1.2.sigs} | 2 + lib/ldb/common/ldb_dn.c | 56 +++++ lib/ldb/common/ldb_match.c | 13 +- lib/ldb/common/ldb_parse.c | 86 ++++++-- lib/ldb/include/ldb.h | 2 +- lib/ldb/include/ldb_module.h | 16 ++ lib/ldb/wscript | 2 +- lib/talloc/testsuite.c | 1 + source4/dsdb/common/dsdb_dn.h | 7 - source4/dsdb/common/util.c | 4 +- source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 268 ++++++++++++++++++++-- source4/dsdb/samdb/ldb_modules/extended_dn_out.c | 64 +++++- source4/dsdb/samdb/ldb_modules/wscript_build | 4 +- source4/dsdb/schema/schema.h | 11 + source4/dsdb/schema/schema_inferiors.c | 31 +++ source4/scripting/python/samba/samdb.py | 3 + source4/setup/schema_samba4.ldif | 8 + 18 files changed, 592 insertions(+), 53 deletions(-) copy lib/ldb/ABI/{ldb-1.1.1.sigs => ldb-1.1.2.sigs} (99%) Changeset truncated at 500 lines: diff --git a/lib/ldb-samba/ldif_handlers.c b/lib/ldb-samba/ldif_handlers.c index ca6fa74..6ca419b 100644 --- a/lib/ldb-samba/ldif_handlers.c +++ b/lib/ldb-samba/ldif_handlers.c @@ -1119,6 +1119,65 @@ static int samba_syntax_operator_fn(struct ldb_context *ldb, enum ldb_parse_op o } /* + see if two DNs match, comparing first by GUID, then by SID, and + finally by string components + */ +static int samba_dn_extended_match(struct ldb_context *ldb, + const struct ldb_val *v1, + const struct ldb_val *v2, + bool *matched) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_dn *dn1, *dn2; + const struct ldb_val *guid1, *guid2, *sid1, *sid2; + uint32_t rmd_flags1, rmd_flags2; + + tmp_ctx = talloc_new(ldb); + + dn1 = ldb_dn_from_ldb_val(tmp_ctx, ldb, v1); + dn2 = ldb_dn_from_ldb_val(tmp_ctx, ldb, v2); + if (!dn1 || !dn2) { + /* couldn't parse as DN's */ + talloc_free(tmp_ctx); + (*matched) = false; + return LDB_SUCCESS; + } + + rmd_flags1 = dsdb_dn_rmd_flags(dn1); + rmd_flags2 = dsdb_dn_rmd_flags(dn2); + + if ((rmd_flags1 & DSDB_RMD_FLAG_DELETED) != + (rmd_flags2 & DSDB_RMD_FLAG_DELETED)) { + /* only match if they have the same deletion status */ + talloc_free(tmp_ctx); + (*matched) = false; + return LDB_SUCCESS; + } + + + guid1 = ldb_dn_get_extended_component(dn1, "GUID"); + guid2 = ldb_dn_get_extended_component(dn2, "GUID"); + if (guid1 && guid2) { + (*matched) = (data_blob_cmp(guid1, guid2) == 0); + talloc_free(tmp_ctx); + return LDB_SUCCESS; + } + + sid1 = ldb_dn_get_extended_component(dn1, "SID"); + sid2 = ldb_dn_get_extended_component(dn2, "SID"); + if (sid1 && sid2) { + (*matched) = (data_blob_cmp(sid1, sid2) == 0); + talloc_free(tmp_ctx); + return LDB_SUCCESS; + } + + (*matched) = (ldb_dn_compare(dn1, dn2) == 0); + + talloc_free(tmp_ctx); + return LDB_SUCCESS; +} + +/* special operation for DNs, to take account of the RMD_FLAGS deleted bit */ static int samba_syntax_operator_dn(struct ldb_context *ldb, enum ldb_parse_op operation, @@ -1127,9 +1186,17 @@ static int samba_syntax_operator_dn(struct ldb_context *ldb, enum ldb_parse_op o { if (operation == LDB_OP_PRESENT && dsdb_dn_is_deleted_val(v1)) { /* If the DN is deleted, then we can't search for it */ + + /* should this be for equality too? */ *matched = false; return LDB_SUCCESS; } + + if (operation == LDB_OP_EQUALITY && + samba_dn_extended_match(ldb, v1, v2, matched) == LDB_SUCCESS) { + return LDB_SUCCESS; + } + return samba_syntax_operator_fn(ldb, operation, a, v1, v2, matched); } diff --git a/lib/ldb/ABI/ldb-1.1.1.sigs b/lib/ldb/ABI/ldb-1.1.2.sigs similarity index 99% copy from lib/ldb/ABI/ldb-1.1.1.sigs copy to lib/ldb/ABI/ldb-1.1.2.sigs index 2fe215c..d0df756 100644 --- a/lib/ldb/ABI/ldb-1.1.1.sigs +++ b/lib/ldb/ABI/ldb-1.1.2.sigs @@ -73,6 +73,7 @@ ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char * ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int) ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int) ldb_dn_remove_extended_components: void (struct ldb_dn *) +ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *) ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val) ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *) ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *) @@ -187,6 +188,7 @@ ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CT ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *) ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *) ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *) +ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *) ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t) ldb_register_backend: int (const char *, ldb_connect_fn, bool) ldb_register_hook: int (ldb_hook_fn) diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index 6b1ef03..b910489 100644 --- a/lib/ldb/common/ldb_dn.c +++ b/lib/ldb/common/ldb_dn.c @@ -1684,6 +1684,62 @@ bool ldb_dn_remove_child_components(struct ldb_dn *dn, unsigned int num) return true; } + +/* replace the components of a DN with those from another DN, without + * touching the extended components + * + * return true if successful and false if not + * if false is returned the dn may be marked invalid + */ +bool ldb_dn_replace_components(struct ldb_dn *dn, struct ldb_dn *new_dn) +{ + int i; + + if ( ! ldb_dn_validate(dn) || ! ldb_dn_validate(new_dn)) { + return false; + } + + /* free components */ + for (i = 0; i < dn->comp_num; i++) { + LDB_FREE(dn->components[i].name); + LDB_FREE(dn->components[i].value.data); + LDB_FREE(dn->components[i].cf_name); + LDB_FREE(dn->components[i].cf_value.data); + } + + dn->components = talloc_realloc(dn, + dn->components, + struct ldb_dn_component, + new_dn->comp_num); + if (dn->components == NULL) { + ldb_dn_mark_invalid(dn); + return false; + } + + dn->comp_num = new_dn->comp_num; + dn->valid_case = new_dn->valid_case; + + for (i = 0; i < dn->comp_num; i++) { + dn->components[i] = ldb_dn_copy_component(dn->components, &new_dn->components[i]); + if (dn->components[i].name == NULL) { + ldb_dn_mark_invalid(dn); + return false; + } + } + if (new_dn->linearized == NULL) { + dn->linearized = NULL; + } else { + dn->linearized = talloc_strdup(dn, new_dn->linearized); + if (dn->linearized == NULL) { + ldb_dn_mark_invalid(dn); + return false; + } + } + + return true; +} + + struct ldb_dn *ldb_dn_get_parent(TALLOC_CTX *mem_ctx, struct ldb_dn *dn) { struct ldb_dn *new_dn; diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c index c23e804..5eee02d 100644 --- a/lib/ldb/common/ldb_match.c +++ b/lib/ldb/common/ldb_match.c @@ -380,6 +380,16 @@ static int ldb_comparator_bitmask(const char *oid, const struct ldb_val *v1, con return LDB_SUCCESS; } +/* + always return false +*/ +static int ldb_comparator_false(const char *oid, const struct ldb_val *v1, const struct ldb_val *v2, + bool *matched) +{ + *matched = false; + return LDB_SUCCESS; +} + /* extended match, handles things like bitops @@ -395,7 +405,8 @@ static int ldb_match_extended(struct ldb_context *ldb, int (*comparator)(const char *, const struct ldb_val *, const struct ldb_val *, bool *); } rules[] = { { LDB_OID_COMPARATOR_AND, ldb_comparator_bitmask}, - { LDB_OID_COMPARATOR_OR, ldb_comparator_bitmask} + { LDB_OID_COMPARATOR_OR, ldb_comparator_bitmask}, + { SAMBA_LDAP_MATCH_ALWAYS_FALSE, ldb_comparator_false} }; int (*comp)(const char *,const struct ldb_val *, const struct ldb_val *, bool *) = NULL; struct ldb_message_element *el; diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c index 8c6c2d9..407af9f 100644 --- a/lib/ldb/common/ldb_parse.c +++ b/lib/ldb/common/ldb_parse.c @@ -808,50 +808,104 @@ char *ldb_filter_from_tree(TALLOC_CTX *mem_ctx, const struct ldb_parse_tree *tre /* - replace any occurrences of an attribute name in the parse tree with a - new name + walk a parse tree, calling the provided callback on each node */ -void ldb_parse_tree_attr_replace(struct ldb_parse_tree *tree, - const char *attr, - const char *replace) +int ldb_parse_tree_walk(struct ldb_parse_tree *tree, + int (*callback)(struct ldb_parse_tree *tree, void *), + void *private_context) { unsigned int i; + int ret; + + ret = callback(tree, private_context); + if (ret != LDB_SUCCESS) { + return ret; + } + switch (tree->operation) { case LDB_OP_AND: case LDB_OP_OR: for (i=0;i<tree->u.list.num_elements;i++) { - ldb_parse_tree_attr_replace(tree->u.list.elements[i], - attr, replace); + ret = ldb_parse_tree_walk(tree->u.list.elements[i], callback, private_context); + if (ret != LDB_SUCCESS) { + return ret; + } } break; case LDB_OP_NOT: - ldb_parse_tree_attr_replace(tree->u.isnot.child, attr, replace); + ret = ldb_parse_tree_walk(tree->u.isnot.child, callback, private_context); + if (ret != LDB_SUCCESS) { + return ret; + } break; case LDB_OP_EQUALITY: case LDB_OP_GREATER: case LDB_OP_LESS: case LDB_OP_APPROX: - if (ldb_attr_cmp(tree->u.equality.attr, attr) == 0) { - tree->u.equality.attr = replace; + case LDB_OP_SUBSTRING: + case LDB_OP_PRESENT: + case LDB_OP_EXTENDED: + break; + } + return LDB_SUCCESS; +} + +struct parse_tree_attr_replace_ctx { + const char *attr; + const char *replace; +}; + +/* + callback for ldb_parse_tree_attr_replace() + */ +static int parse_tree_attr_replace(struct ldb_parse_tree *tree, void *private_context) +{ + struct parse_tree_attr_replace_ctx *ctx = private_context; + switch (tree->operation) { + case LDB_OP_EQUALITY: + case LDB_OP_GREATER: + case LDB_OP_LESS: + case LDB_OP_APPROX: + if (ldb_attr_cmp(tree->u.equality.attr, ctx->attr) == 0) { + tree->u.equality.attr = ctx->replace; } break; case LDB_OP_SUBSTRING: - if (ldb_attr_cmp(tree->u.substring.attr, attr) == 0) { - tree->u.substring.attr = replace; + if (ldb_attr_cmp(tree->u.substring.attr, ctx->attr) == 0) { + tree->u.substring.attr = ctx->replace; } break; case LDB_OP_PRESENT: - if (ldb_attr_cmp(tree->u.present.attr, attr) == 0) { - tree->u.present.attr = replace; + if (ldb_attr_cmp(tree->u.present.attr, ctx->attr) == 0) { + tree->u.present.attr = ctx->replace; } break; case LDB_OP_EXTENDED: if (tree->u.extended.attr && - ldb_attr_cmp(tree->u.extended.attr, attr) == 0) { - tree->u.extended.attr = replace; + ldb_attr_cmp(tree->u.extended.attr, ctx->attr) == 0) { + tree->u.extended.attr = ctx->replace; } break; + default: + break; } + return LDB_SUCCESS; +} + +/* + replace any occurrences of an attribute name in the parse tree with a + new name +*/ +void ldb_parse_tree_attr_replace(struct ldb_parse_tree *tree, + const char *attr, + const char *replace) +{ + struct parse_tree_attr_replace_ctx ctx; + + ctx.attr = attr; + ctx.replace = replace; + + ldb_parse_tree_walk(tree, parse_tree_attr_replace, &ctx); } /* diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h index 1305d8e..4220ed0 100644 --- a/lib/ldb/include/ldb.h +++ b/lib/ldb/include/ldb.h @@ -305,7 +305,7 @@ struct ldb_parse_tree { struct { const char *attr; int dnAttributes; - char *rule_id; + const char *rule_id; struct ldb_val value; } extended; struct { diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h index 6d6fff2..2acd8f3 100644 --- a/lib/ldb/include/ldb_module.h +++ b/lib/ldb/include/ldb_module.h @@ -52,6 +52,8 @@ struct ldb_module; /* force single value checking on this attribute */ #define LDB_FLAG_INTERNAL_FORCE_SINGLE_VALUE_CHECK 0x80 +/* an extended match rule that always fails to match */ +#define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1" /* these function pointers define the operations that a ldb module can intercept @@ -340,5 +342,19 @@ int ldb_module_init_chain(struct ldb_context *ldb, struct ldb_module *module); */ int ldb_init_module(const char *version); +/* replace the components of a DN with those from another DN, without + * touching the extended components + * + * return true if successful and false if not + * if false is returned the dn may be marked invalid + */ +bool ldb_dn_replace_components(struct ldb_dn *dn, struct ldb_dn *new_dn); + +/* + walk a parse tree, calling the provided callback on each node +*/ +int ldb_parse_tree_walk(struct ldb_parse_tree *tree, + int (*callback)(struct ldb_parse_tree *tree, void *), + void *private_context); #endif diff --git a/lib/ldb/wscript b/lib/ldb/wscript index d05453e..c4b9973 100755 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'ldb' -VERSION = '1.1.1' +VERSION = '1.1.2' blddir = 'bin' diff --git a/lib/talloc/testsuite.c b/lib/talloc/testsuite.c index b038d34..003d74b 100644 --- a/lib/talloc/testsuite.c +++ b/lib/talloc/testsuite.c @@ -1317,6 +1317,7 @@ static bool test_rusty(void) talloc_increase_ref_count(p1); talloc_report_full(root, stdout); talloc_free(root); + CHECK_BLOCKS("null_context", NULL, 2); return true; } diff --git a/source4/dsdb/common/dsdb_dn.h b/source4/dsdb/common/dsdb_dn.h index b713bdd..b455c7f 100644 --- a/source4/dsdb/common/dsdb_dn.h +++ b/source4/dsdb/common/dsdb_dn.h @@ -1,10 +1,3 @@ -enum dsdb_dn_format { - DSDB_NORMAL_DN, - DSDB_BINARY_DN, - DSDB_STRING_DN, - DSDB_INVALID_DN -}; - struct dsdb_dn { struct ldb_dn *dn; DATA_BLOB extra_part; diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index ae2ca74..f306748 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -3598,7 +3598,7 @@ int dsdb_request_add_controls(struct ldb_request *req, uint32_t dsdb_flags) } if (dsdb_flags & DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT) { - ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, true, NULL); + ret = ldb_request_add_control(req, DSDB_CONTROL_DN_STORAGE_FORMAT_OID, false, NULL); if (ret != LDB_SUCCESS) { return ret; } @@ -3725,7 +3725,7 @@ int dsdb_modify(struct ldb_context *ldb, const struct ldb_message *message, /* a delete with a set of flags */ -int dsdb_delete(struct ldb_context *ldb, const struct ldb_dn *dn, +int dsdb_delete(struct ldb_context *ldb, struct ldb_dn *dn, uint32_t dsdb_flags) { struct ldb_request *req; diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 4944137..76a9518 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -33,6 +33,8 @@ #include <ldb.h> #include <ldb_errors.h> #include <ldb_module.h> +#include "dsdb/samdb/samdb.h" +#include "util.h" /* TODO: if relax is not set then we need to reject the fancy RMD_* and @@ -261,6 +263,243 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are return LDB_SUCCESS; } + +/* + windows ldap searchs don't allow a baseDN with more + than one extended component, or an extended + component and a string DN + + We only enforce this over ldap, not for internal + use, as there are just too many places where we + internally want to use a DN that has come from a + search with extended DN enabled, or comes from a DRS + naming context. + + Enforcing this would also make debugging samba much + harder, as we'd need to use ldb_dn_minimise() in a + lot of places, and that would lose the DN string + which is so useful for working out what a request is + for +*/ +static bool ldb_dn_match_allowed(struct ldb_dn *dn, struct ldb_request *req) +{ + int num_components = ldb_dn_get_comp_num(dn); + int num_ex_components = ldb_dn_get_extended_comp_num(dn); + + if (num_ex_components == 0) { + return true; + } + + if ((num_components != 0 || num_ex_components != 1) && + ldb_req_is_untrusted(req)) { + return false; + } + return true; +} + + +struct extended_dn_filter_ctx { + bool test_only; + bool matched; + struct ldb_module *module; + struct ldb_request *req; + struct dsdb_schema *schema; -- Samba Shared Repository