s4:rootdse Implement "tokenGroups" in the rootDSE

This returns the currently connected user's full token.  This is very
useful for debugging, and should be used in ACL tests.

Andrew Bartlett

1 files changed, 18 insertions, 0 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 808552f327..e99fcaa516 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -29,6 +29,7 @@
 #include "dsdb/samdb/ldb_modules/util.h"
 #include "libcli/security/security.h"
 #include "librpc/ndr/libndr.h"
+#include "auth/auth.h"
 
 struct private_data {
 	unsigned int num_controls;
@@ -381,6 +382,23 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms
 		}
 	}
 
+	if (do_attribute(attrs, "tokenGroups")) {
+		unsigned int i;
+		/* Obtain the user's session_info */
+		struct auth_session_info *session_info
+			= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+		if (session_info && session_info->security_token) {
+			/* The list of groups this user is in */
+			for (i = 0; i < session_info->security_token->num_sids; i++) {
+				if (samdb_msg_add_dom_sid(ldb, msg, msg,
+							  "tokenGroups",
+							  session_info->security_token->sids[i]) != 0) {
+					goto failed;
+				}
+			}
+		}
+	}
+
 	/* TODO: lots more dynamic attributes should be added here */
 
 	return LDB_SUCCESS;