authorGünther Deschner <gd@samba.org>2007-05-11 12:52:48 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:21:57 -0500
commit9c170fce2632e76bda6bb9a644777c978785cff1 (patch)
treeeb3fe76940b7867e6f13fd2f919ef55e16bddac3
parent95bc08e9545850ba57cdcf79bf9f62872b2946c0 (diff)
downloadsamba-9c170fce2632e76bda6bb9a644777c978785cff1.tar.gz
samba-9c170fce2632e76bda6bb9a644777c978785cff1.tar.bz2
samba-9c170fce2632e76bda6bb9a644777c978785cff1.zip
r22797: We are only interested in the DACL of the security descriptor, so search with
the SD_FLAGS control. Guenther (This used to be commit 648df57e53ddabe74052e816b8eba95180736208)
-rw-r--r--source3/include/ads.h1
-rw-r--r--source3/include/ads_protos.h10
-rw-r--r--source3/libads/ldap.c54
-rw-r--r--source3/libads/ldap_utils.c16
-rw-r--r--source3/libgpo/gpo_ldap.c11
5 files changed, 69 insertions, 23 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 0e4df629a7..d72c82adb7 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -121,6 +121,7 @@ typedef void **ADS_MODLIST;
#define ADS_PERMIT_MODIFY_OID "1.2.840.113556.1.4.1413"
#define ADS_ASQ_OID "1.2.840.113556.1.4.1504"
#define ADS_EXTENDED_DN_OID "1.2.840.113556.1.4.529"
+#define ADS_SD_FLAGS_OID "1.2.840.113556.1.4.801"
/* ldap attribute oids (Services for Unix) */
#define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310"
diff --git a/source3/include/ads_protos.h b/source3/include/ads_protos.h
index 3e312408e4..2565e2ca9b 100644
--- a/source3/include/ads_protos.h
+++ b/source3/include/ads_protos.h
@@ -102,3 +102,13 @@ ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
LDAPMessage *res,
const char *gpo_dn,
struct GROUP_POLICY_OBJECT *gpo);
+ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res,
+ uint32 sd_flags,
+ const char *dn,
+ const char **attrs);
+ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, uint32 sd_flags,
+ LDAPMessage **res);
+
+
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index af4347c147..ff416b0085 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -570,11 +570,11 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
{
int rc, i, version;
char *utf8_expr, *utf8_path, **search_attrs;
- LDAPControl PagedResults, NoReferrals, ExtendedDn, *controls[4], **rcontrols;
+ LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
BerElement *cookie_be = NULL;
struct berval *cookie_bv= NULL;
- BerElement *extdn_be = NULL;
- struct berval *extdn_bv= NULL;
+ BerElement *ext_be = NULL;
+ struct berval *ext_bv= NULL;
TALLOC_CTX *ctx;
ads_control *external_control = (ads_control *) args;
@@ -604,7 +604,6 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
}
}
-
/* Paged results only available on ldap v3 or later */
ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (version < LDAP_VERSION3) {
@@ -631,40 +630,42 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
NoReferrals.ldctl_value.bv_len = 0;
NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
- if (external_control && strequal(external_control->control, ADS_EXTENDED_DN_OID)) {
+ if (external_control &&
+ (strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
+ strequal(external_control->control, ADS_SD_FLAGS_OID))) {
- ExtendedDn.ldctl_oid = CONST_DISCARD(char *, external_control->control);
- ExtendedDn.ldctl_iscritical = (char) external_control->critical;
+ ExternalCtrl.ldctl_oid = CONST_DISCARD(char *, external_control->control);
+ ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
/* win2k does not accept a ldctl_value beeing passed in */
if (external_control->val != 0) {
- if ((extdn_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
+ if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
rc = LDAP_NO_MEMORY;
goto done;
}
- if ((ber_printf(extdn_be, "{i}", (ber_int_t) external_control->val)) == -1) {
+ if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
rc = LDAP_NO_MEMORY;
goto done;
}
- if ((ber_flatten(extdn_be, &extdn_bv)) == -1) {
+ if ((ber_flatten(ext_be, &extdn_bv)) == -1) {
rc = LDAP_NO_MEMORY;
goto done;
}
- ExtendedDn.ldctl_value.bv_len = extdn_bv->bv_len;
- ExtendedDn.ldctl_value.bv_val = extdn_bv->bv_val;
+ ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
+ ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
} else {
- ExtendedDn.ldctl_value.bv_len = 0;
- ExtendedDn.ldctl_value.bv_val = NULL;
+ ExternalCtrl.ldctl_value.bv_len = 0;
+ ExternalCtrl.ldctl_value.bv_val = NULL;
}
controls[0] = &NoReferrals;
controls[1] = &PagedResults;
- controls[2] = &ExtendedDn;
+ controls[2] = &ExternalCtrl;
controls[3] = NULL;
} else {
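Review bot: The rename of `extdn_bv` to `ext_bv` is incomplete: the flatten call `if ((ber_flatten(ext_be, &extdn_bv)) == -1) {` still writes to `extdn_bv`, which the earlier hunk removed from the declarations, so this file no longer compiles; were a stale declaration still around, `ext_bv` would stay NULL and be dereferenced two lines later in `ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;`. It should read `if ((ber_flatten(ext_be, &ext_bv)) == -1) {`. Sharing the `"{i}"` encoding between the extended-DN and SD-flags controls is fine, since each control value is a single integer wrapped in a SEQUENCE. ads_do_paged_search_args starts before this hunk and continues past it, including the cleanup labels in the following hunk.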
@@ -725,12 +726,12 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
done:
talloc_destroy(ctx);
- if (extdn_be) {
- ber_free(extdn_be, 1);
+ if (ext_be) {
+ ber_free(ext_be, 1);
}
- if (extdn_bv) {
- ber_bvfree(extdn_bv);
+ if (ext_bv) {
+ ber_bvfree(ext_bv);
}
/* if/when we decide to utf8-encode attrs, take out this next line */
@@ -810,6 +811,21 @@ static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
}
+ ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, uint32 sd_flags,
+ LDAPMessage **res)
+{
+ ads_control args;
+
+ args.control = ADS_SD_FLAGS_OID;
+ args.val = sd_flags;
+ args.critical = True;
+
+ return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
+}
+
+
/**
* Run a function on all results for a search. Uses ads_do_paged_search() and
* runs the function as each page is returned, using ads_process_results()
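Review bot: The new public function `ads_do_search_all_sd_flags` has no doc comment, although the neighbouring functions in this file carry `/** ... */` headers (see the block directly below it); the same applies to `ads_search_retry_dn_sd_flags` in the ldap_utils.c hunk. A suitable header would say that it runs the search with the LDAP_SERVER_SD_FLAGS control (`ADS_SD_FLAGS_OID`) marked critical, so that only the parts of ntSecurityDescriptor selected by `sd_flags` (e.g. `DACL_SECURITY_INFORMATION`) are returned, and that a server lacking the control rejects the search rather than returning a complete descriptor. The signature line also appears to carry leading whitespace before `ADS_STATUS` (compare the `+{` directly below it), which should be dropped if it is really there.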
diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
index 383b652f97..6417e92e92 100644
--- a/source3/libads/ldap_utils.c
+++ b/source3/libads/ldap_utils.c
@@ -4,6 +4,7 @@
Some Helpful wrappers on LDAP
Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Guenther Deschner 2006,2007
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -187,6 +188,21 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
}
+ ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res,
+ uint32 sd_flags,
+ const char *dn,
+ const char **attrs)
+{
+ ads_control args;
+
+ args.control = ADS_SD_FLAGS_OID;
+ args.val = sd_flags;
+ args.critical = True;
+
+ return ads_do_search_retry_args(ads, dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, &args, res);
+}
+
ADS_STATUS ads_search_retry_sid(ADS_STRUCT *ads, LDAPMessage **res,
const DOM_SID *sid,
const char **attrs)
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c
index 112d2bb1f9..b19ef0cd7e 100644
--- a/source3/libgpo/gpo_ldap.c
+++ b/source3/libgpo/gpo_ldap.c
@@ -459,6 +459,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
"gPCFunctionalityVersion", "gPCMachineExtensionNames",
"gPCUserExtensionNames", "gPCWQLFilter", "name",
"versionNumber", "ntSecurityDescriptor", NULL};
+ uint32 sd_flags = DACL_SECURITY_INFORMATION;
ZERO_STRUCTP(gpo);
@@ -472,7 +473,9 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
gpo_dn = gpo_dn + strlen("LDAP://");
}
- status = ads_search_dn(ads, &res, gpo_dn, attrs);
+ status = ads_search_retry_dn_sd_flags(ads, &res,
+ sd_flags,
+ gpo_dn, attrs);
} else if (display_name || guid_name) {
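Review bot: Requesting only `DACL_SECURITY_INFORMATION` means the ntSecurityDescriptor returned by `ads_search_retry_dn_sd_flags(ads, &res, sd_flags, gpo_dn, attrs);` carries no owner or group SID, so whatever later parses it into a security descriptor and feeds it to the access check must tolerate those fields being absent; that code is outside this diff and worth confirming. Because the control is sent as critical, a directory that does not support SD_FLAGS will now refuse the search instead of returning a full descriptor, so a hard failure here is the intended behaviour rather than a silent fallback. The call also moves from `ads_search_dn` to a retry-capable wrapper, which the commit message does not mention; a comment such as `/* DACL only: owner/group are not returned; wrapper retries on reconnect */` above the call would make both effects visible. ads_get_gpo starts before this hunk and continues past it.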
@@ -482,9 +485,9 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
display_name ? display_name : guid_name);
ADS_ERROR_HAVE_NO_MEMORY(filter);
- status = ads_do_search_all(ads, ads->config.bind_path,
- LDAP_SCOPE_SUBTREE, filter,
- attrs, &res);
+ status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE, filter,
+ attrs, sd_flags, &res);
}
if (!ADS_ERR_OK(status)) {