local_password.c

samba最新软件

/* 
   ldb database module

   Copyright (C) Simo Sorce  2004-2006
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
   Copyright (C) Andrew Tridgell 2004

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

/*
 *  Name: ldb
 *
 *  Component: ldb local_password module
 *
 *  Description: correctly update hash values based on changes to sambaPassword and friends
 *
 *  Author: Andrew Bartlett
 */

#include "includes.h"
#include "libcli/ldap/ldap.h"
#include "ldb/include/ldb_errors.h"
#include "ldb/include/ldb_private.h"
#include "dsdb/samdb/samdb.h"
#include "librpc/ndr/libndr.h"
#include "dsdb/samdb/ldb_modules/password_modules.h"

#define PASSWORD_GUID_ATTR "masterGUID"

/* This module maintains a local password database, seperate from the main LDAP server.

   This allows the password database to be syncronised in a multi-master
   fashion, seperate to the more difficult concerns of the main
   database.  (With passwords, the last writer always wins)
   
   Each incoming add/modify is split into a remote, and a local request, done in that order.

   We maintain a list of attributes that are kept locally:
 */

static const char * const password_attrs[] = {
	"supplementalCredentials",
	"unicodePwd",
	"dBCSPwd",
	"lmPwdHistory", 
	"ntPwdHistory", 
	"msDS-KeyVersionNumber",
	"pwdLastSet"
};

/* And we merge them back into search requests when asked to do so */

struct lpdb_context {

	enum lpdb_type {LPDB_ADD, LPDB_MOD, LPDB_SEARCH} type;
	enum lpdb_step {LPDB_ADD_REMOTE, LPDB_MOD_REMOTE, LPDB_MOD_SEARCH_SELF, LPDB_LOCAL, LPDB_SEARCH_REMOTE} step;

	struct ldb_module *module;
	struct ldb_request *orig_req;
	struct ldb_request *remote_req;
	struct ldb_request *search_req;
	struct ldb_request *local_req;

	struct ldb_message *local_message;

	bool added_objectGUID;
	bool added_objectClass;

	struct ldb_reply *search_res;
};

struct lpdb_local_search_context {
	struct lpdb_context *ac;
	struct ldb_reply *remote_res;
	struct ldb_reply *local_res;
};

static struct ldb_handle *lpdb_init_handle(struct ldb_request *req, struct ldb_module *module, enum lpdb_type type)
{
	struct lpdb_context *ac;
	struct ldb_handle *h;

	h = talloc_zero(req, struct ldb_handle);
	if (h == NULL) {
		ldb_set_errstring(module->ldb, "Out of Memory");
		return NULL;
	}

	h->module = module;

	ac = talloc_zero(h, struct lpdb_context);
	if (ac == NULL) {
		ldb_set_errstring(module->ldb, "Out of Memory");
		talloc_free(h);
		return NULL;
	}

	h->private_data = (void *)ac;

	h->state = LDB_ASYNC_INIT;
	h->status = LDB_SUCCESS;

	ac->type = type;
	ac->module = module;
	ac->orig_req = req;

	return h;
}

/* Add a record, splitting password attributes from the user's main
 * record */

static int local_password_add(struct ldb_module *module, struct ldb_request *req)
{
	struct ldb_handle *h;
	struct lpdb_context *ac;
	struct ldb_message *remote_message;
	struct ldb_message *local_message;
	struct GUID objectGUID;
	int i;

	ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_add\n");

	if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
		return ldb_next_request(module, req);
	}

	/* If the caller is manipulating the local passwords directly, let them pass */
	if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
				req->op.add.message->dn) == 0) {
		return ldb_next_request(module, req);
	}

	for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
		if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
			break;
		}
	}

	/* It didn't match any of our password attributes, go on */
	if (i == ARRAY_SIZE(password_attrs)) {
		return ldb_next_request(module, req);
	}

	/* TODO: remove this when sambaPassword will be in schema */
	if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
		ldb_asprintf_errstring(module->ldb,
					"Cannot relocate a password on entry: %s, does not have objectClass 'person'",
					ldb_dn_get_linearized(req->op.add.message->dn));
		return LDB_ERR_OBJECT_CLASS_VIOLATION;
	}

	/* From here, we assume we have password attributes to split off */
	h = lpdb_init_handle(req, module, LPDB_ADD);
	if (!h) {
		return LDB_ERR_OPERATIONS_ERROR;
	}
	ac = talloc_get_type(h->private_data, struct lpdb_context);

	ac->orig_req = req;

	ac->remote_req = talloc(ac, struct ldb_request);
	if (ac->remote_req == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	*(ac->remote_req) = *(ac->orig_req);

	remote_message = ldb_msg_copy_shallow(ac->remote_req, ac->orig_req->op.add.message);
	if (remote_message == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	/* Remove any password attributes from the remote message */
	for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
		ldb_msg_remove_attr(remote_message, password_attrs[i]);
	}

	ac->remote_req->op.add.message = remote_message;

	ac->remote_req->context = NULL;
	ac->remote_req->callback = NULL;

	ac->local_req = talloc(ac, struct ldb_request);
	if (ac->local_req == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	*(ac->local_req) = *(ac->orig_req);
	local_message = ldb_msg_copy_shallow(ac->local_req, ac->orig_req->op.add.message);
	if (local_message == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	/* Remove anything seen in the remote message from the local
	 * message (leaving only password attributes) */
	for (i=0;i<ac->remote_req->op.add.message->num_elements;i++) {
		ldb_msg_remove_attr(local_message, ac->remote_req->op.add.message->elements[i].name);
	}

	/* We must have an objectGUID already, or we don't know where
	 * to add the password.  This may be changed to an 'add and
	 * search', to allow the directory to create the objectGUID */
	if (ldb_msg_find_ldb_val(ac->orig_req->op.add.message, "objectGUID") == NULL) {
		ldb_set_errstring(module->ldb, 
				  "no objectGUID found in search: local_password module must be configured below objectGUID module!\n");
		return LDB_ERR_CONSTRAINT_VIOLATION;
	}

	/* Find the objectGUID to use as the key */
	objectGUID = samdb_result_guid(ac->orig_req->op.add.message, "objectGUID");
	
	local_message->dn = ldb_dn_new(local_message, module->ldb, LOCAL_BASE);
	ldb_dn_add_child_fmt(local_message->dn, PASSWORD_GUID_ATTR "=%s", GUID_string(local_message, &objectGUID));

	ac->local_req->op.add.message = local_message;

	ac->local_req->context = NULL;
	ac->local_req->callback = NULL;

	ac->step = LPDB_ADD_REMOTE;

	/* Return our own handle do deal with this call */
	req->handle = h;

	return ldb_next_request(module, ac->remote_req);
}

/* After adding the remote entry, add the local one */
static int local_password_add_local(struct ldb_handle *h) {

	struct lpdb_context *ac;
	ac = talloc_get_type(h->private_data, struct lpdb_context);

	h->state = LDB_ASYNC_INIT;
	h->status = LDB_SUCCESS;

	ac->step = LPDB_LOCAL;

	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->local_req);

	/* perform the local add */
	return ldb_next_request(ac->module, ac->local_req);
}

static int local_password_mod_search_self(struct ldb_handle *h);

static int local_password_modify(struct ldb_module *module, struct ldb_request *req)
{
	struct ldb_handle *h;
	struct lpdb_context *ac;
	struct ldb_message *remote_message;
	struct ldb_message *local_message;
	int i;

	ldb_debug(module->ldb, LDB_DEBUG_TRACE, "local_password_modify\n");

	if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
		return ldb_next_request(module, req);
	}

	/* If the caller is manipulating the local passwords directly, let them pass */
	if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
				req->op.mod.message->dn) == 0) {
		return ldb_next_request(module, req);
	}

	for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
		if (ldb_msg_find_element(req->op.add.message, password_attrs[i])) {
			break;
		}
	}

	/* It didn't match any of our password attributes, then we have nothing to do here */
	if (i == ARRAY_SIZE(password_attrs)) {
		return ldb_next_request(module, req);
	}

	/* From here, we assume we have password attributes to split off */
	h = lpdb_init_handle(req, module, LPDB_MOD);
	if (!h) {
		return LDB_ERR_OPERATIONS_ERROR;
	}
	ac = talloc_get_type(h->private_data, struct lpdb_context);

	ac->orig_req = req;

	ac->remote_req = talloc(ac, struct ldb_request);
	if (ac->remote_req == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	*(ac->remote_req) = *(ac->orig_req);
	remote_message = ldb_msg_copy_shallow(ac->remote_req, ac->orig_req->op.mod.message);
	if (remote_message == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}
	
	/* Remove any password attributes from the remote message */
	for (i=0; i < ARRAY_SIZE(password_attrs); i++) {
		ldb_msg_remove_attr(remote_message, password_attrs[i]);
	}

	ac->remote_req->op.mod.message = remote_message;

	ac->remote_req->context = NULL;
	ac->remote_req->callback = NULL;

	ac->local_req = talloc(ac, struct ldb_request);
	if (ac->local_req == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	*(ac->local_req) = *(ac->orig_req);
	local_message = ldb_msg_copy_shallow(ac->local_req, ac->orig_req->op.mod.message);
	if (local_message == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}

	/* Remove anything seen in the remote message from the local
	 * message (leaving only password attributes) */
	for (i=0;i<ac->remote_req->op.mod.message->num_elements;i++) {
		ldb_msg_remove_attr(local_message, ac->remote_req->op.mod.message->elements[i].name);
	}

	ac->local_req->op.mod.message = local_message;
	ac->local_message = local_message;

	ac->local_req->context = NULL;
	ac->local_req->callback = NULL;

	ac->step = LPDB_MOD_REMOTE;

	/* Return our own handle do deal with this call */
	req->handle = h;

	return ldb_next_request(module, ac->remote_req);
}

/* Called when we search for our oen entry.  Stores the one entry we
 * expect (as it is a base search) on the context pointer */
static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
{
	struct lpdb_context *ac;

	ac = talloc_get_type(context, struct lpdb_context);

	/* we are interested only in the single reply (base search) we receive here */
	if (ares->type == LDB_REPLY_ENTRY) {
		if (ac->search_res != NULL) {
			ldb_set_errstring(ldb, "Too many results");
			talloc_free(ares);
			return LDB_ERR_OPERATIONS_ERROR;
		}

		ac->search_res = talloc_steal(ac, ares);
	} else {
		talloc_free(ares);
	}

	return LDB_SUCCESS;
}

/* On a modify, we don't have the objectGUID handy, so we need to
 * search our DN for it */
static int local_password_mod_search_self(struct ldb_handle *h) {

	struct lpdb_context *ac;
	static const char * const attrs[] = { "objectGUID", "objectClass", NULL };

	ac = talloc_get_type(h->private_data, struct lpdb_context);

	/* prepare the search operation */
	ac->search_req = talloc_zero(ac, struct ldb_request);
	if (ac->search_req == NULL) {
		ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
		return LDB_ERR_OPERATIONS_ERROR;
	}

	ac->search_req->operation = LDB_SEARCH;
	ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
	ac->search_req->op.search.scope = LDB_SCOPE_BASE;
	ac->search_req->op.search.tree = ldb_parse_tree(ac->orig_req, NULL);
	if (ac->search_req->op.search.tree == NULL) {
		ldb_set_errstring(ac->module->ldb, "Invalid search filter");
		return LDB_ERR_OPERATIONS_ERROR;
	}
	ac->search_req->op.search.attrs = attrs;
	ac->search_req->controls = NULL;
	ac->search_req->context = ac;
	ac->search_req->callback = get_self_callback;
	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);

	ac->step = LPDB_MOD_SEARCH_SELF;

	return ldb_next_request(ac->module, ac->search_req);
}

/* After we find out the objectGUID for the entry, modify the local
 * password database as required */
static int local_password_mod_local(struct ldb_handle *h) {

	struct lpdb_context *ac;
	struct GUID objectGUID;
	ac = talloc_get_type(h->private_data, struct lpdb_context);

	/* if it is not an entry of type person this is an error */
	/* TODO: remove this when sambaPassword will be in schema */
	if (!ac->search_res) {
		ldb_asprintf_errstring(ac->module->ldb, 
					"entry just modified (%s) not found!",
					ldb_dn_get_linearized(ac->remote_req->op.mod.message->dn));
		return LDB_ERR_OPERATIONS_ERROR;
	}
	if (!ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "person")) {