diff options
author | Andrew Bartlett <abartlet@samba.org> | 2007-06-21 10:18:20 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:53:27 -0500 |
commit | e9d19477e43b65f91bd152f5249b684dbefa5cc6 (patch) | |
tree | d8a0bae4a3d5f7cd7a6dd1069f1e174ff9c1b0f2 /source4/dsdb/samdb | |
parent | b3f3a4b52900a72de88bbb69e4ea3c425d49c2d8 (diff) | |
download | samba-e9d19477e43b65f91bd152f5249b684dbefa5cc6.tar.gz samba-e9d19477e43b65f91bd152f5249b684dbefa5cc6.tar.bz2 samba-e9d19477e43b65f91bd152f5249b684dbefa5cc6.zip |
r23560: - Activate metze's schema modules (from metze's schema-loading-13 patch).
- samba3sam.js: rework the samba3sam test to not use objectCategory,
as it's has special rules (dnsName a simple match)
- ldap.js: Test the ordering of the objectClass attributes for the baseDN
- schema_init.c: Load the mayContain and mustContain (and system...) attributes when
reading the schema from ldb
- To make the schema load not suck in terms of performance, write the
schema into a static global variable
- ldif_handlers.c: Match objectCategory for equality and canonicolisation
based on the loaded schema, not simple tring manipuation
- ldb_msg.c: don't duplicate attributes when adding attributes to a list
- kludge_acl.c: return allowedAttributesEffective based on schema results
and privilages
Andrew Bartlett
(This used to be commit dcff83ebe463bc7391841f55856d7915c204d000)
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/kludge_acl.c | 101 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/schema_fsmo.c | 4 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 1 |
3 files changed, 102 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index ff0dd062fb..6b043aeb40 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c @@ -37,6 +37,7 @@ #include "ldb/include/ldb_private.h" #include "auth/auth.h" #include "libcli/security/security.h" +#include "dsdb/samdb/samdb.h" /* Kludge ACL rules: * @@ -105,13 +106,74 @@ struct kludge_acl_context { int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *); enum user_is user_type; + bool allowedAttributes; + bool allowedAttributesEffective; + const char **attrs; }; +/* read all objectClasses */ + +static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg, + const char *attrName) +{ + struct ldb_message_element *oc_el = ldb_msg_find_element(msg, "objectClass"); + struct ldb_message_element *allowedAttributes; + const struct dsdb_schema *schema = dsdb_get_schema(ldb); + const struct dsdb_class *class; + int i, j, ret; + ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes); + if (ret != LDB_SUCCESS) { + return ret; + } + + for (i=0; i < oc_el->num_values; i++) { + class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data); + if (!class) { + /* We don't know this class? what is going on? */ + continue; + } + for (j=0; class->mayContain && class->mayContain[j]; j++) { + ldb_msg_add_string(msg, attrName, class->mayContain[j]); + } + for (j=0; class->mustContain && class->mustContain[j]; j++) { + ldb_msg_add_string(msg, attrName, class->mustContain[j]); + } + for (j=0; class->systemMayContain && class->systemMayContain[j]; j++) { + ldb_msg_add_string(msg, attrName, class->systemMayContain[j]); + } + for (j=0; class->systemMustContain && class->systemMustContain[j]; j++) { + ldb_msg_add_string(msg, attrName, class->systemMustContain[j]); + } + } + + if (allowedAttributes->num_values > 1) { + qsort(allowedAttributes->values, + allowedAttributes->num_values, + sizeof(*allowedAttributes->values), + data_blob_cmp); + + for (i=1 ; i < allowedAttributes->num_values; i++) { + struct ldb_val *val1 = &allowedAttributes->values[i-1]; + struct ldb_val *val2 = &allowedAttributes->values[i]; + if (data_blob_cmp(val1, val2) == 0) { + memmove(val1, val2, (allowedAttributes->num_values - i) * sizeof( struct ldb_val)); + allowedAttributes->num_values--; + i--; + } + } + } + + return 0; + +} + +/* find all attributes allowed by all these objectClasses */ + static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares) { struct kludge_acl_context *ac; struct kludge_private_data *data; - int i; + int i, ret; if (!context || !ares) { ldb_set_errstring(ldb, "NULL Context or Result in callback"); @@ -121,12 +183,28 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld ac = talloc_get_type(context, struct kludge_acl_context); data = talloc_get_type(ac->module->private_data, struct kludge_private_data); - if (ares->type == LDB_REPLY_ENTRY - && data && data->password_attrs) /* if we are not initialized just get through */ + if (ares->type != LDB_REPLY_ENTRY) { + return ac->up_callback(ldb, ac->up_context, ares); + } + + if (ac->allowedAttributes) { + ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes"); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + if (data && data->password_attrs) /* if we are not initialized just get through */ { switch (ac->user_type) { case SYSTEM: case ADMINISTRATOR: + if (ac->allowedAttributesEffective) { + ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective"); + if (ret != LDB_SUCCESS) { + return ret; + } + } break; default: /* remove password attributes */ @@ -136,6 +214,12 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld } } + if ((ac->allowedAttributes || ac->allowedAttributesEffective) && + (!ldb_attr_in_list(ac->attrs, "objectClass") && + !ldb_attr_in_list(ac->attrs, "*"))) { + ldb_msg_remove_attr(ares->message, "objectClass"); + } + return ac->up_callback(ldb, ac->up_context, ares); error: @@ -163,6 +247,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) ac->up_context = req->context; ac->up_callback = req->callback; ac->user_type = what_is_user(module); + ac->attrs = req->op.search.attrs; down_req = talloc_zero(req, struct ldb_request); if (down_req == NULL) { @@ -174,7 +259,15 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) down_req->op.search.scope = req->op.search.scope; down_req->op.search.tree = req->op.search.tree; down_req->op.search.attrs = req->op.search.attrs; - + + ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes"); + + ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective"); + + if (ac->allowedAttributes || ac->allowedAttributesEffective) { + down_req->op.search.attrs + = ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass"); + } /* FIXME: I hink we should copy the tree and keep the original * unmodified. SSS */ diff --git a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c index eb5d7e8e8e..3df887acb6 100644 --- a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c +++ b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c @@ -54,6 +54,10 @@ static int schema_fsmo_init(struct ldb_module *module) NULL }; + if (dsdb_get_schema(module->ldb)) { + return ldb_next_init(module); + } + schema_dn = samdb_schema_dn(module->ldb); if (!schema_dn) { ldb_debug(module->ldb, LDB_DEBUG_WARNING, diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 2208bb9333..2ae0fe25ac 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -50,6 +50,7 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, if (!ldb) { return NULL; } + dsdb_make_schema_global(ldb); return ldb; } |