diff options
author | Andrew Bartlett <abartlet@samba.org> | 2013-01-02 15:01:00 +1100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2013-01-21 16:12:45 +0100 |
commit | a1b421e8cca24a5831f4c6d77714cf54faf8c48e (patch) | |
tree | 8e0959aa8b0a9a4e8b3c32ebdb561bbe398e894e | |
parent | 6ab41506857814d69d897471a14002d98fb4c172 (diff) | |
download | samba-a1b421e8cca24a5831f4c6d77714cf54faf8c48e.tar.gz samba-a1b421e8cca24a5831f4c6d77714cf54faf8c48e.tar.bz2 samba-a1b421e8cca24a5831f4c6d77714cf54faf8c48e.zip |
dsdb-acl: ask for the objectClass attribute if it's not in the scope of the clients search
This will be used later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_read.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c index 9955451e77..dcabd56a78 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_read.c +++ b/source4/dsdb/samdb/ldb_modules/acl_read.c @@ -48,6 +48,7 @@ struct aclread_context { bool added_nTSecurityDescriptor; bool added_instanceType; bool added_objectSid; + bool added_objectClass; bool indirsync; }; @@ -123,10 +124,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) goto fail; } } + /* for every element in the message check RP */ for (i=0; i < msg->num_elements; i++) { const struct dsdb_attribute *attr; - bool is_sd, is_objectsid, is_instancetype; + bool is_sd, is_objectsid, is_instancetype, is_objectclass; uint32_t access_mask; attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); @@ -144,6 +146,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) msg->elements[i].name) == 0; is_instancetype = ldb_attr_cmp("instanceType", msg->elements[i].name) == 0; + is_objectclass = ldb_attr_cmp("objectClass", + msg->elements[i].name) == 0; /* these attributes were added to perform access checks and must be removed */ if (is_objectsid && ac->added_objectSid) { aclread_mark_inaccesslible(&msg->elements[i]); @@ -153,6 +157,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares) aclread_mark_inaccesslible(&msg->elements[i]); continue; } + if (is_objectclass && ac->added_objectClass) { + aclread_mark_inaccesslible(&msg->elements[i]); + continue; + } if (is_sd && ac->added_nTSecurityDescriptor) { aclread_mark_inaccesslible(&msg->elements[i]); continue; @@ -409,6 +417,13 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req) } ac->added_objectSid = true; } + if (!ldb_attr_in_list(req->op.search.attrs, "objectClass")) { + attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass"); + if (attrs == NULL) { + return ldb_oom(ldb); + } + ac->added_objectClass = true; + } } if (need_sd) { |