authorAndrew Bartlett <abartlet@samba.org>2013-01-02 15:01:00 +1100
committerStefan Metzmacher <metze@samba.org>2013-01-21 16:12:45 +0100
commita1b421e8cca24a5831f4c6d77714cf54faf8c48e (patch)
tree8e0959aa8b0a9a4e8b3c32ebdb561bbe398e894e
parent6ab41506857814d69d897471a14002d98fb4c172 (diff)
dsdb-acl: ask for the objectClass attribute if it's not in the scope of the clients search
This will be used later. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl_read.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 9955451e77..dcabd56a78 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -48,6 +48,7 @@ struct aclread_context {
bool added_nTSecurityDescriptor;
bool added_instanceType;
bool added_objectSid;
+ bool added_objectClass;
bool indirsync;
};
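Review bot: The new `added_objectClass` flag is undocumented, and nothing in the struct says that these `added_*` booleans mean "this module put the attribute on the wire itself and must strip it again before the entry reaches the client" — that is the security-relevant invariant, since a missed strip would leak an attribute the caller never asked for. A one-line comment on the new field would make the intent explicit: `bool added_objectClass; /* we added objectClass ourselves; aclread_callback() must strip it */`. The same comment style would suit the three sibling flags, but that is outside this commit.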
@@ -123,10 +124,11 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
goto fail;
}
}
+
/* for every element in the message check RP */
for (i=0; i < msg->num_elements; i++) {
const struct dsdb_attribute *attr;
- bool is_sd, is_objectsid, is_instancetype;
+ bool is_sd, is_objectsid, is_instancetype, is_objectclass;
uint32_t access_mask;
attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
msg->elements[i].name);
@@ -144,6 +146,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
msg->elements[i].name) == 0;
is_instancetype = ldb_attr_cmp("instanceType",
msg->elements[i].name) == 0;
+ is_objectclass = ldb_attr_cmp("objectClass",
+ msg->elements[i].name) == 0;
/* these attributes were added to perform access checks and must be removed */
if (is_objectsid && ac->added_objectSid) {
aclread_mark_inaccesslible(&msg->elements[i]);
@@ -153,6 +157,10 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
aclread_mark_inaccesslible(&msg->elements[i]);
continue;
}
+ if (is_objectclass && ac->added_objectClass) {
+ aclread_mark_inaccesslible(&msg->elements[i]);
+ continue;
+ }
if (is_sd && ac->added_nTSecurityDescriptor) {
aclread_mark_inaccesslible(&msg->elements[i]);
continue;
@@ -409,6 +417,13 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
}
ac->added_objectSid = true;
}
+ if (!ldb_attr_in_list(req->op.search.attrs, "objectClass")) {
+ attrs = ldb_attr_list_copy_add(ac, attrs, "objectClass");
+ if (attrs == NULL) {
+ return ldb_oom(ldb);
+ }
+ ac->added_objectClass = true;
+ }
}
if (need_sd) {
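Review bot: The new block is the third verbatim copy of the "add attribute to the fetched list and remember that we did" pattern (instanceType and objectSid above use the same seven lines), and each copy carries its own flag that the callback must strip separately; factoring it into one static helper keeps the add and the strip flag paired in a single place, so a fourth attribute added later cannot set the flag and forget the list, or the reverse. The helper below checks the list being built rather than `req->op.search.attrs`; for the three distinct names used here the result is the same, but a reviewer should confirm that before switching. The enclosing `if` whose condition decides when attributes are added, and the rest of aclread_search(), start and end outside the hunk, so the exact name of the ldb context variable and whether `ret` is already declared there cannot be seen from this diff.
```c
/* Add NAME to the attribute list fetched from the backend when the client
 * did not request it, and record that in *ADDED so that aclread_callback()
 * marks it inaccessible again before the entry is returned. */
static int aclread_add_attr(struct ldb_context *ldb,
			    struct aclread_context *ac,
			    const char ***attrs,
			    const char *name,
			    bool *added)
{
	if (ldb_attr_in_list(*attrs, name)) {
		return LDB_SUCCESS;
	}
	*attrs = ldb_attr_list_copy_add(ac, *attrs, name);
	if (*attrs == NULL) {
		return ldb_oom(ldb);
	}
	*added = true;
	return LDB_SUCCESS;
}

/* … unchanged: instanceType / objectSid handling in aclread_search() … */
		ret = aclread_add_attr(ldb, ac, &attrs, "objectClass",
				       &ac->added_objectClass);
		if (ret != LDB_SUCCESS) {
			return ret;
		}
```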