authorSimo Sorce <idra@samba.org>2005-05-17 21:43:47 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:16:52 -0500
commitca4e0c8539e5b0e01ca9d68eba8692c544d7a4d6 (patch)
tree018e9cc324cb33f16408d960368f2e79c08d638e /source4/lib/ldb
parentf9ad3029ae97f5d5beed3f85ad912830fa8d7930 (diff)
r6867: this code will change the way the @ATTRIBUTES object is handled
This object's properties are now used as multivalued attributes. All inserted values are now checked against a "valid values table", e.g. this form is now accepted: dn: @ATTRIBUTES uid: CASE_INSENSITIVE uid: WILDCARD; this form is now rejected: dn: @ATTRIBUTES uid: CASE_INSENSITIVE WILDCARD. Please update your .ldb files if you make use of @ATTRIBUTES (sam.ldb heavily uses it). The code passes all make test tests for both tdb and ldap; it also passes the new test to check for wrong @ATTRIBUTES attribute values. Simo. (This used to be commit 1295b891a26c2cb2c34540f90ded83390cf87da2)
Diffstat (limited to 'source4/lib/ldb')
-rw-r--r--source4/lib/ldb/ldb_tdb/ldb_cache.c64
-rw-r--r--source4/lib/ldb/ldb_tdb/ldb_tdb.c39
-rw-r--r--source4/lib/ldb/ldb_tdb/ldb_tdb.h2
-rw-r--r--source4/lib/ldb/tests/schema-tests/schema.ldif9
-rw-r--r--source4/lib/ldb/tests/test-attribs.ldif3
-rwxr-xr-xsource4/lib/ldb/tests/test-generic.sh3
-rw-r--r--source4/lib/ldb/tests/test-index.ldif3
-rw-r--r--source4/lib/ldb/tests/test-wrong_attributes.ldif3
8 files changed, 93 insertions, 33 deletions
diff --git a/source4/lib/ldb/ldb_tdb/ldb_cache.c b/source4/lib/ldb/ldb_tdb/ldb_cache.c
index ec22aca3ec..0fe573a829 100644
--- a/source4/lib/ldb/ldb_tdb/ldb_cache.c
+++ b/source4/lib/ldb/ldb_tdb/ldb_cache.c
@@ -37,6 +37,21 @@
#include "ldb/include/ldb_private.h"
#include "ldb/ldb_tdb/ldb_tdb.h"
+
+/* valid attribute flags */
+static const struct {
+ const char *name;
+ int value;
+} ltdb_valid_attr_flags[] = {
+ { "CASE_INSENSITIVE", LTDB_FLAG_CASE_INSENSITIVE },
+ { "INTEGER", LTDB_FLAG_INTEGER },
+ { "WILDCARD", LTDB_FLAG_WILDCARD },
+ { "HIDDEN", LTDB_FLAG_HIDDEN },
+ { "NONE", LTDB_FLAG_NONE },
+ { NULL, 0 }
+};
+
+
/*
initialise the baseinfo record
*/
@@ -245,18 +260,7 @@ int ltdb_increase_sequence_number(struct ldb_module *module)
int ltdb_attribute_flags(struct ldb_module *module, const char *attr_name)
{
struct ltdb_private *ltdb = module->private_data;
- const char *attrs;
- const struct {
- const char *name;
- int value;
- } names[] = {
- { "CASE_INSENSITIVE", LTDB_FLAG_CASE_INSENSITIVE },
- { "INTEGER", LTDB_FLAG_INTEGER },
- { "WILDCARD", LTDB_FLAG_WILDCARD },
- { "HIDDEN", LTDB_FLAG_HIDDEN },
- { NULL, 0}
- };
- size_t len;
+ const struct ldb_message_element *attr_el;
int i, ret=0;
if (ltdb->cache->last_attribute.name &&
@@ -269,30 +273,22 @@ int ltdb_attribute_flags(struct ldb_module *module, const char *attr_name)
ret = LTDB_FLAG_OBJECTCLASS | LTDB_FLAG_CASE_INSENSITIVE;
}
- attrs = ldb_msg_find_string(ltdb->cache->attributes, attr_name, NULL);
+ attr_el = ldb_msg_find_element(ltdb->cache->attributes, attr_name);
- if (!attrs) {
+ if (!attr_el) {
/* check if theres a wildcard attribute */
- attrs = ldb_msg_find_string(ltdb->cache->attributes, "*", NULL);
+ attr_el = ldb_msg_find_element(ltdb->cache->attributes, "*");
- if (!attrs) {
+ if (!attr_el) {
return ret;
}
}
- /* we avoid using strtok and friends due to their nasty
- interface. This is a little trickier, but much nicer
- from a C interface point of view */
- while ((len = strcspn(attrs, " ,")) > 0) {
- for (i=0;names[i].name;i++) {
- if (strncmp(names[i].name, attrs, len) == 0 &&
- names[i].name[len] == 0) {
- ret |= names[i].value;
- }
+ for (i = 0; i < attr_el->num_values; i++) {
+ if (strcmp(ltdb_valid_attr_flags[i].name, attr_el->values[i].data) == 0) {
+ ret |= ltdb_valid_attr_flags[i].value;
}
- attrs += len;
- attrs += strspn(attrs, " ,");
}
talloc_free(ltdb->cache->last_attribute.name);
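Review bot: The new loop uses the same index `i` for both the element's values and the flag table, so value number i is compared only against table entry number i: an attribute with the single value `WILDCARD` is matched against "CASE_INSENSITIVE" and silently gets no flags, and an element with six or more values reaches the `{ NULL, 0 }` sentinel (strcmp on a NULL name) and then reads past the end of `ltdb_valid_attr_flags`. Each value needs its own scan of the table, as `ltdb_check_at_attributes_values` in the later hunk already does; the rewritten loop is below. `i` is declared in the previous hunk and `ltdb_attribute_flags` starts and ends outside this hunk. Whether `values[i].data` is always NUL-terminated is not visible here; if it is not, the comparison should use `values[i].length` rather than strcmp.
```c
	for (i = 0; i < attr_el->num_values; i++) {
		int j;
		for (j = 0; ltdb_valid_attr_flags[j].name != NULL; j++) {
			if (strcmp(ltdb_valid_attr_flags[j].name, attr_el->values[i].data) == 0) {
				ret |= ltdb_valid_attr_flags[j].value;
				break;
			}
		}
	}
	/* … unchanged: last_attribute cache update and return ret … */
```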
@@ -302,3 +298,17 @@ int ltdb_attribute_flags(struct ldb_module *module, const char *attr_name)
return ret;
}
+
+int ltdb_check_at_attributes_values(const struct ldb_val *value)
+{
+ int i;
+
+ for (i = 0; ltdb_valid_attr_flags[i].name != NULL; i++) {
+ if ((strcmp(ltdb_valid_attr_flags[i].name, value->data) == 0)) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
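Review bot: `ltdb_check_at_attributes_values` takes a `struct ldb_val`, which carries an explicit `length`, but the comparison on the `strcmp` line ignores it and relies on `value->data` being NUL-terminated; whether the LDIF parser guarantees that terminator is not visible in this diff, and a value with an embedded NUL would pass as long as its prefix is a valid flag name. Comparing against the length closes both gaps: `if (strlen(ltdb_valid_attr_flags[i].name) == value->length && memcmp(ltdb_valid_attr_flags[i].name, value->data, value->length) == 0) {`. A one-line header comment stating the contract would also help callers, e.g. `/* return 0 if value is a known @ATTRIBUTES flag name, -1 otherwise */`.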
diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.c b/source4/lib/ldb/ldb_tdb/ldb_tdb.c
index b47d79de52..f6a23d7433 100644
--- a/source4/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -281,6 +281,33 @@ int ltdb_unlock_read(struct ldb_module *module)
return 0;
}
+/*
+ check special dn's have valid attributes
+ currently only @ATTRIBUTES is checked
+*/
+int ltdb_check_special_dn(struct ldb_module *module, const struct ldb_message *msg)
+{
+ struct ltdb_private *ltdb = module->private_data;
+ int i, j;
+
+ if (strcmp(msg->dn, LTDB_ATTRIBUTES) != 0) {
+ return 0;
+ }
+
+ /* we have @ATTRIBUTES, let's check attributes are fine */
+ /* should we check that we deny multivalued attributes ? */
+ for (i = 0; i < msg->num_elements; i++) {
+ for (j = 0; j < msg->elements[i].num_values; j++) {
+ if (ltdb_check_at_attributes_values(&msg->elements[i].values[j]) != 0) {
+ ltdb->last_err_string = "Invalid attribute value in an @ATTRIBUTES entry";
+ return -1;
+ }
+ }
+ }
+
+ return 0;
+}
+
/*
we've made a modification to a dn - possibly reindex and
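Review bot: `ltdb_check_special_dn` is given external linkage but no prototype is added to ldb_tdb.h (that hunk only declares `ltdb_check_at_attributes_values`), and its only callers are the two hunks further down in this same file, so it should be `static int ltdb_check_special_dn(struct ldb_module *module, const struct ldb_message *msg)` to keep the symbol file-local and avoid a missing-prototype warning. The comment `/* should we check that we deny multivalued attributes ? */` reads as stale now that multiple values per attribute is the required form; it would be clearer to state what the loop does not check, e.g. `/* NOTE: only the values are validated here; attribute names are not checked */`. The first error string is set before any lock is taken, which matches the callers that return before `ltdb_lock`.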
@@ -351,6 +378,11 @@ static int ltdb_add(struct ldb_module *module, const struct ldb_message *msg)
ltdb->last_err_string = NULL;
+ ret = ltdb_check_special_dn(module, msg);
+ if (ret != 0) {
+ return ret;
+ }
+
if (ltdb_lock(module, LDBLOCK) != 0) {
return -1;
}
@@ -359,7 +391,7 @@ static int ltdb_add(struct ldb_module *module, const struct ldb_message *msg)
ltdb_unlock(module, LDBLOCK);
return -1;
}
-
+
ret = ltdb_store(module, msg, TDB_INSERT);
if (ret == 0) {
@@ -736,6 +768,11 @@ static int ltdb_modify(struct ldb_module *module, const struct ldb_message *msg)
ltdb->last_err_string = NULL;
+ ret = ltdb_check_special_dn(module, msg);
+ if (ret != 0) {
+ return ret;
+ }
+
if (ltdb_lock(module, LDBLOCK) != 0) {
return -1;
}
diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.h b/source4/lib/ldb/ldb_tdb/ldb_tdb.h
index dfb985319e..eb6c7825d2 100644
--- a/source4/lib/ldb/ldb_tdb/ldb_tdb.h
+++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.h
@@ -51,6 +51,7 @@ struct ltdb_private {
#define LTDB_FLAG_WILDCARD (1<<2)
#define LTDB_FLAG_OBJECTCLASS (1<<3)
#define LTDB_FLAG_HIDDEN (1<<4)
+#define LTDB_FLAG_NONE 0
/* The following definitions come from lib/ldb/ldb_tdb/ldb_cache.c */
@@ -58,6 +59,7 @@ int ltdb_cache_reload(struct ldb_module *module);
int ltdb_cache_load(struct ldb_module *module);
int ltdb_increase_sequence_number(struct ldb_module *module);
int ltdb_attribute_flags(struct ldb_module *module, const char *attr_name);
+int ltdb_check_at_attributes_values(const struct ldb_val *value);
/* The following definitions come from lib/ldb/ldb_tdb/ldb_index.c */
diff --git a/source4/lib/ldb/tests/schema-tests/schema.ldif b/source4/lib/ldb/tests/schema-tests/schema.ldif
index 651fdac41f..59757d22a9 100644
--- a/source4/lib/ldb/tests/schema-tests/schema.ldif
+++ b/source4/lib/ldb/tests/schema-tests/schema.ldif
@@ -12,9 +12,12 @@ dn: @ATTRIBUTES
realm: CASE_INSENSITIVE
userPrincipalName: CASE_INSENSITIVE
servicePrincipalName: CASE_INSENSITIVE
-name: CASE_INSENSITIVE WILDCARD
-dn: CASE_INSENSITIVE WILDCARD
-sAMAccountName: CASE_INSENSITIVE WILDCARD
+name: CASE_INSENSITIVE
+name: WILDCARD
+dn: CASE_INSENSITIVE
+dn: WILDCARD
+sAMAccountName: CASE_INSENSITIVE
+sAMAccountName: WILDCARD
objectClass: CASE_INSENSITIVE
unicodePwd: HIDDEN
ntPwdHash: HIDDEN
diff --git a/source4/lib/ldb/tests/test-attribs.ldif b/source4/lib/ldb/tests/test-attribs.ldif
index 4bfb1ebd65..e6fe1dcf5a 100644
--- a/source4/lib/ldb/tests/test-attribs.ldif
+++ b/source4/lib/ldb/tests/test-attribs.ldif
@@ -1,5 +1,6 @@
dn: @ATTRIBUTES
-uid: CASE_INSENSITIVE WILDCARD
+uid: CASE_INSENSITIVE
+uid: WILDCARD
cn: CASE_INSENSITIVE
ou: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
diff --git a/source4/lib/ldb/tests/test-generic.sh b/source4/lib/ldb/tests/test-generic.sh
index 2b2ab2e78a..78fed1c12b 100755
--- a/source4/lib/ldb/tests/test-generic.sh
+++ b/source4/lib/ldb/tests/test-generic.sh
@@ -25,6 +25,9 @@ time $VALGRIND bin/ldbtest -r 1000 -s 10 || exit 1
echo "Adding index"
$VALGRIND bin/ldbadd tests/test-index.ldif || exit 1
+echo "Adding attributes"
+$VALGRIND bin/ldbadd tests/test-wrong_attributes.ldif || exit 1
+
echo "testing indexed search"
$VALGRIND bin/ldbsearch '(uid=uham)' || exit 1
$VALGRIND bin/ldbsearch '(&(objectclass=person)(objectclass=person)(objectclass=top))' || exit 1
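Review bot: The added `$VALGRIND bin/ldbadd tests/test-wrong_attributes.ldif || exit 1` treats success of ldbadd as the passing outcome, yet the file it loads holds the deliberately invalid `uid: CASE_INTENSIVE` that the new `ltdb_check_special_dn` is meant to reject; the step only passes if ldbadd exits 0 even when the record is refused, which is not visible here. If ldbadd does propagate add failures in its exit status, the line inverts the intent and should read `$VALGRIND bin/ldbadd tests/test-wrong_attributes.ldif && exit 1`; either way the step should assert the rejection rather than merely that nothing crashed. The preceding `echo "Adding attributes"` would then better describe the expectation, e.g. `echo "Adding invalid @ATTRIBUTES (must be rejected)"`.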
diff --git a/source4/lib/ldb/tests/test-index.ldif b/source4/lib/ldb/tests/test-index.ldif
index 24ac408764..7ba0106394 100644
--- a/source4/lib/ldb/tests/test-index.ldif
+++ b/source4/lib/ldb/tests/test-index.ldif
@@ -3,7 +3,8 @@ dn: @INDEXLIST
@IDXATTR: objectclass
dn: @ATTRIBUTES
-uid: CASE_INSENSITIVE WILDCARD
+uid: CASE_INSENSITIVE
+uid: WILDCARD
dn: @SUBCLASSES
top: person
diff --git a/source4/lib/ldb/tests/test-wrong_attributes.ldif b/source4/lib/ldb/tests/test-wrong_attributes.ldif
new file mode 100644
index 0000000000..27f45f0e56
--- /dev/null
+++ b/source4/lib/ldb/tests/test-wrong_attributes.ldif
@@ -0,0 +1,3 @@
+dn: @ATTRIBUTES
+uid: CASE_INTENSIVE
+