diff options
| author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-12-21 12:24:30 +0100 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2011-01-25 12:27:20 +0100 |
| commit | 3468f8de1e408389bd12f2d3f5294bd835431a05 (patch) | |
| tree | 65b1d2c24ee564a42e4e58be87dde342deff026f /source4/dsdb/samdb/ldb_modules/objectclass.c | |
| parent | c9f4fad75cf9749709cbebfe55c59f3c2d01858e (diff) | |
| download | samba-3468f8de1e408389bd12f2d3f5294bd835431a05.tar.gz samba-3468f8de1e408389bd12f2d3f5294bd835431a05.tar.bz2 samba-3468f8de1e408389bd12f2d3f5294bd835431a05.zip | |
s4:dsdb/samdb/ldb_modules/objectclass.c - move LSA specific object checks into "objectclass_attrs" LDB module
LSA object classes are protected on both LDAP add and LDAP modify
operations, so I've refactored the previous check in the objectclass LDB
module only for LDAP adds in a new one in the objectclass_attrs LDB
module for both adds and modifies.
This is the result of the investigations done by Hongwei Sun and I in
the last months.
Interestingly these protection mechansim doesn't apply on LDAP deletes!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules/objectclass.c')
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index b72b9bb8e7..39f456dcca 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -565,37 +565,6 @@ static int objectclass_do_add(struct oc_context *ac) for (current = sorted; current; current = current->next) { const char *objectclass_name = current->objectclass->lDAPDisplayName; - /* LSA-specific objectclasses per default not - * allowed to be created over LDAP, so we need - * to tell if this connection is LDAP (ie - * marked as untrusted), and if the client is - * adding these particular objectClass values - * we must reject */ - - /* Hongwei Sun from Microsoft explians: - The constraint in 3.1.1.5.2.2 MS-ADTS means that the TDO - cannot be added through LDAP interface, instead it can only be - created through LSA Policy API. This is also explained in - 7.1.6.9.7 MS-ADTS as follows: - - "Despite being replicated normally between peer DCs in a domain, - the process of creating or manipulating TDOs is specifically - restricted to the LSA Policy APIs, as detailed in [MS-LSAD] section - 3.1.1.5. Unlike other objects in the DS, TDOs may not be created or - manipulated by client machines over the LDAPv3 transport." - */ - - if (ldb_req_is_untrusted(ac->req) && - ((strcasecmp(objectclass_name, "secret") == 0) || - (strcasecmp(objectclass_name, "trustedDomain") == 0))) { - ldb_asprintf_errstring(ldb, - "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s' over LDAP!", - objectclass_name, - ldb_dn_get_linearized(msg->dn)); - talloc_free(mem_ctx); - return LDB_ERR_UNWILLING_TO_PERFORM; - } - ret = ldb_msg_add_string(msg, "objectClass", objectclass_name); if (ret != LDB_SUCCESS) { ldb_set_errstring(ldb, |