author | Fernando J V da Silva <fernandojvsilva@yahoo.com.br> | 2010-03-25 16:58:58 -0300 |
committer | Andrew Tridgell <tridge@samba.org> | 2010-04-22 19:36:14 +1000 |
commit | c023fc217ed370e5c890c1984da533e0133060d9 (patch) | |
tree | d3d929e25d640f54905410b46af1f2426734f119 | |
parent | e11f92ba73028b608207ed91aaa22376756d7a73 (diff) | |
s4-drs: Do not allow system-critical attributes to be RODC filtered
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r-- | libds/common/flags.h | 3 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 33 |
2 files changed, 36 insertions, 0 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h index aa88487d38..de3e71ccac 100644 --- a/libds/common/flags.h +++ b/libds/common/flags.h @@ -155,6 +155,9 @@ #define SYSTEM_FLAG_CONFIG_ALLOW_RENAME 0x40000000 #define SYSTEM_FLAG_DISALLOW_DELETE 0x80000000 +/* schemaFlags_Ex */ +#define SCHEMA_FLAG_ATTR_IS_CRITICAL 0x0000001 + /* "searchFlags" */ #define SEARCH_FLAG_ATTINDEX 0x0000001 #define SEARCH_FLAG_PDNTATTINDEX 0x0000002 diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 329bd81ae3..e51038d06f 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -378,6 +378,27 @@ static int fix_check_attributes(struct ldb_context *ldb, return LDB_SUCCESS; } +/* + * return true if msg carries an attributeSchema that is intended to be RODC + * filtered but is also a system-critical attribute. + */ +static bool check_rodc_critical_attribute(struct ldb_message *msg) +{ + uint32_t schemaFlagsEx, searchFlags, rodc_filtered_flags; + + schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0); + searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0); + rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL); + + if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) && + ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) { + return true; + } else { + return false; + } +} + + static int objectclass_do_add(struct oc_context *ac); static int objectclass_add(struct ldb_module *module, struct ldb_request *req) 
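Review bot: check_rodc_critical_attribute only rejects when both SEARCH_FLAG_RODC_ATTRIBUTE and SEARCH_FLAG_CONFIDENTIAL are set in the message's searchFlags (`(searchFlags & rodc_filtered_flags) == rodc_filtered_flags`), so a system-critical attribute whose searchFlags carries only the RODC bit is accepted; whether that is intended depends on whether the RODC filtered attribute set is keyed off the RODC bit alone, which I believe it is but which should be confirmed against MS-ADTS before the condition is relaxed to `(searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE)`. Separately, both values come from `ldb_msg_find_attr_as_uint(msg, ..., 0)`, which as far as I recall looks the element up by name only (ignoring whether a modify element is an add, replace or delete) and yields 0 for anything the message does not carry, so callers passing a modify message get a partial view; the helper's comment should say it inspects only the values present in msg. As a point of style, the `if ... return true; else return false;` can be collapsed to `return (schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) && ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags);`.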
@@ -404,6 +425,12 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OBJECT_CLASS_VIOLATION; } + /* do not allow to mark an attributeSchema as RODC filtered if it + * is system-critical */ + if (check_rodc_critical_attribute(req->op.add.message)) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ac = oc_init_context(module, req); if (ac == NULL) { return LDB_ERR_OPERATIONS_ERROR; @@ -722,6 +749,12 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_UNWILLING_TO_PERFORM; } + /* do not allow to mark an attributeSchema as RODC filtered if it + * is system-critical */ + if (check_rodc_critical_attribute(req->op.mod.message)) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + ac = oc_init_context(module, req); if (ac == NULL) { ldb_oom(ldb); |
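Review bot: The new rejection in objectclass_add returns LDB_ERR_UNWILLING_TO_PERFORM without setting an error string, so an administrator whose attributeSchema add is refused gets no hint that the system-critical/RODC-filtered conflict is the reason. The other early returns of this function are outside the hunk, so I cannot see whether they set one, but something like `ldb_asprintf_errstring(ldb, "objectclass: attribute '%s' is system-critical and cannot be RODC filtered", ldb_dn_get_linearized(req->op.add.message->dn));` before the return would make the refusal diagnosable; `ldb` is presumably in scope here as it is in objectclass_modify, confirm. objectclass_add starts and ends outside the hunk.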
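Review bot: On the modify path the check is evaluated against req->op.mod.message alone, so it only fires when one modify carries both schemaFlagsEx and searchFlags; a modify that sets searchFlags to RODC_ATTRIBUTE|CONFIDENTIAL on an attributeSchema whose stored schemaFlagsEx already has SCHEMA_FLAG_ATTR_IS_CRITICAL passes, because the helper reads schemaFlagsEx from the message and defaults it to 0, and the reverse (setting the critical bit on an attribute already RODC filtered) passes the same way. Closing that gap means fetching the existing object's schemaFlagsEx and searchFlags (a base-scope search on req->op.mod.message->dn, likely within the module's async request flow rather than in this early return) and testing the merged values, and while doing so honouring the element flags, since the helper treats a delete of searchFlags like a replace. Until then the comment above the call should state that the check covers only modifies that carry both attributes, and a `ldb_asprintf_errstring(...)` before the return would explain the refusal as on the add path. objectclass_modify starts and ends outside the hunk.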