4.2.1.3 Server Behavior of the IDL_DSAPrepareScript Method

Informative summary of behavior: The IDL_DSAPrepareScript method prepares for a subsequent call to IDL_DSAExecuteScript. The partitions container that is a child object of the root of the configuration NC is altered as follows:

• The value of msDS-UpdateScript is validated.

• If valid, a password is generated and stored in the value for msDS-ExecuteScriptPassword.

The password, a hash of the value stored in msDS-UpdateScript, and a hash of that same value with the GUID {0916C8E3-3431-4586-AF77-44BD3B16F961} appended are returned to the client. The returned password value is later passed back by the client in a call to IDL_DSAExecuteScript as a form of authorization.

 ULONG
 IDL_DSAPrepareScript( 
     [in] handle_t hRpc,
     [in] DWORD dwInVersion,
     [in, ref, switch_is(dwInVersion)]
         DSA_MSG_PREPARE_SCRIPT_REQ *pmsgIn,
     [out, ref] DWORD *pdwOutVersion,
     [out, ref, switch_is(*pdwOutVersion)]
         DSA_MSG_PREPARE_SCRIPT_REPLY *pmsgOut);
  
 pc: DSName
 msgIn: DSA_MSG_PREPARE_SCRIPT_REQ_V1
 byteseq: sequence of BYTE
  
 /* Returned message will be version 1 */
 pdwOutVersion^ := 1
 pmsgOut^V1.dwOperationStatus := ERROR_DS_INTERNAL_FAILURE
 pmsgOut^V1.pwErrMessage := null
 pmsgOut^V1.cbPassword := 0
 pmsgOut^V1.pbPassword := null
 pmsgOut^V1.cbHashBody := 0
 pmsgOut^V1.pbHashBody := null
 pmsgOut^V1.cbHashSignature := 0
 pmsgOut^V1.pbHashSignature := null
  
  
 /* Validate the version */
 if dwInVersion ≠ 1 then
   return ERROR_INVALID_PARAMETER
 endif
 msgIn := pmsgIn^.V1
  
 /* Validate input params */
 if msgIn.Reserved ≠ 0 then
   return ERROR_INVALID_PARAMETER
 endif
  
 /* Only 1 instance of this call can be running. */
 if PrepareScriptInProgress() then
   pmsgOut^.V1.dwOperationStatus := ERROR_ACCESS_DENIED
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
   return 0
 endif
  
 /* Locate the Partitions container directly beneath ConfigNC */
 pc := DescendantObject(ConfigNC(), "CN=Partitions,")
  
 /* Forest functionality level must be Win2K3 or above */
 if pc!msDS-Behavior-Version = null or
    pc!msDS-Behavior-Version < DS_BEHAVIOR_WIN2003 then
   return ERROR_DS_NOT_SUPPORTED
 endif
  
 /* Security checks */
 if not AccessCheckAttr(
     pc, msDS-UpdateScript, RIGHT_DS_WRITE_PROPERTY) then
   pmsgOut^.V1.dwOperationStatus := ERROR_DS_AUTHORIZATION_FAILED
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
   return 0
 endif
  
 if not AccessCheckCAR(pc, DS-Execute-Intentions-Script) then
   pmsgOut^.V1.dwOperationStatus := ERROR_DS_AUTHORIZATION_FAILED
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
   return 0
 endif
  
 if GetKeyLengthHandleT(hRpc) < 128 then
   pmsgOut^.V1.dwOperationStatus := ERROR_DS_STRONG_AUTH_REQUIRED
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
   return 0
 endif
  
 /* Validate stored script */
 if not PrepareScriptVerifyScript(pc) then
   pmsgOut^.V1.dwOperationStatus := ERROR_DS_INVALID_SCRIPT
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
   return 0
 endif
  
 /* Generate and return password for subsequent call to
  * IDL_DSAExecuteScript() */
 pc!msDS-ExecuteScriptPassword := PrepareScriptGeneratePassword()
  
 /* Return password and hashes */
 byteseq := pc!msDS-ExecuteScriptPassword
 pmsgOut^.V1.pbPassword := byteseq
 pmsgOut^.V1.cbPassword := byteseq.length
  
 byteseq := PrepareScriptHashBody(pc)
 pmsgOut^.V1.pbHashBody := byteseq
 pmsgOut^.V1.cbHashBody := byteseq.length
  
 byteseq := PrepareScriptHashSignature(pc)
 pmsgOut^.V1.pbHashSignature := byteseq
 pmsgOut^.V1.cbHashSignature := byteseq.length
  
 pmsgOut^.V1.dwOperationStatus := 0
 return 0