summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-01-08 01:46:30 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:49:51 -0500
commit8c9d212f2a1984322118257e63f7a3280da6b392 (patch)
tree7410a8bd584a82b8faae14cd598f5c160ff82c2f /source4
parent74eb3f2af140700515f7bafd2aaea98307b80471 (diff)
downloadsamba-8c9d212f2a1984322118257e63f7a3280da6b392.tar.gz
samba-8c9d212f2a1984322118257e63f7a3280da6b392.tar.bz2
samba-8c9d212f2a1984322118257e63f7a3280da6b392.zip
r12762: Simo correctly asked that the policy logic (which attributes contain
passwords) be moved into the database, and not be hard-coded in the module source. Andrew Bartlett (This used to be commit 1fbe09ce818ac1603bd747610262865b8698fe04)
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/kludge_acl.c88
-rw-r--r--source4/setup/provision_init.ldif9
2 files changed, 71 insertions, 26 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index d2fd96267d..09d8e82576 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -45,12 +45,6 @@
*/
const char *password_attribs[] = {
- "sambaPassword",
- "ntPwdHash",
- "sambaNTPwdHistory",
- "lmPwdHash",
- "sambaLMPwdHistory",
- "krb5key"
};
enum user_is {
@@ -60,9 +54,8 @@ enum user_is {
SYSTEM
};
-struct private_data {
-
- char *some_private_data;
+struct kludge_private_data {
+ const char **password_attrs;
};
static enum user_is what_is_user(struct ldb_module *module)
@@ -78,7 +71,7 @@ static enum user_is what_is_user(struct ldb_module *module)
}
if (is_administrator_token(session_info->security_token)) {
- return SYSTEM;
+ return ADMINISTRATOR;
}
if (is_authenticated_token(session_info->security_token)) {
return USER;
@@ -95,6 +88,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
enum user_is user_type;
int ret = ldb_next_request(module, req);
struct ldb_message *msg;
+ struct kludge_private_data *data = talloc_get_type(module->private_data, struct kludge_private_data);
int i, j;
if (ret != LDB_SUCCESS) {
@@ -110,8 +104,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
/* For every message, remove password attributes */
for (i=0; i < req->op.search.res->count; i++) {
msg = req->op.search.res->msgs[i];
- for (j=0; j < ARRAY_SIZE(password_attribs); j++) {
- ldb_msg_remove_attr(msg, password_attribs[j]);
+ for (j=0; data->password_attrs[j]; j++) {
+ ldb_msg_remove_attr(msg, data->password_attrs[j]);
}
}
}
@@ -151,15 +145,6 @@ static int kludge_acl_del_trans(struct ldb_module *module)
return ldb_next_del_trans(module);
}
-static int kludge_acl_destructor(void *module_ctx)
-{
- struct ldb_module *ctx = talloc_get_type(module_ctx, struct ldb_module);
- struct private_data *data = talloc_get_type(ctx->private_data, struct private_data);
- /* put your clean-up functions here */
- if (data->some_private_data) talloc_free(data->some_private_data);
- return 0;
-}
-
static int kludge_acl_request(struct ldb_module *module, struct ldb_request *req)
{
switch (req->operation) {
@@ -174,37 +159,88 @@ static int kludge_acl_request(struct ldb_module *module, struct ldb_request *req
}
}
+static int kludge_acl_init_2(struct ldb_module *module)
+{
+ int ret, i;
+ TALLOC_CTX *mem_ctx = talloc_new(module);
+ const char *attrs[] = { "attribute", NULL };
+ struct ldb_result *res;
+ struct ldb_message *msg;
+ struct ldb_message_element *password_attributes;
+
+ struct kludge_private_data *data = talloc_get_type(module->private_data, struct kludge_private_data);
+ data->password_attrs = NULL;
+
+ if (!mem_ctx) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ ret = ldb_search(module->ldb, ldb_dn_explode(mem_ctx, "@KLUDGEACL"),
+ LDB_SCOPE_BASE,
+ NULL, attrs,
+ &res);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+ if (res->count == 0) {
+ talloc_free(mem_ctx);
+ data->password_attrs = NULL;
+ return LDB_SUCCESS;
+ }
+
+ if (res->count > 1) {
+ return LDB_ERR_CONSTRAINT_VIOLAION;
+ }
+
+ msg = res->msgs[0];
+
+ password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
+ if (!password_attributes) {
+ return LDB_SUCCESS;
+ }
+ data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
+ if (!data->password_attrs) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ for (i=0; i < password_attributes->num_values; i++) {
+ data->password_attrs[i] = (const char *)password_attributes->values[i].data;
+ talloc_steal(data->password_attrs, password_attributes->values[i].data);
+ }
+ data->password_attrs[i] = NULL;
+ return LDB_SUCCESS;
+}
+
static const struct ldb_module_ops kludge_acl_ops = {
.name = "kludge_acl",
.request = kludge_acl_request,
.start_transaction = kludge_acl_start_trans,
.end_transaction = kludge_acl_end_trans,
.del_transaction = kludge_acl_del_trans,
+ .second_stage_init = kludge_acl_init_2
};
struct ldb_module *kludge_acl_module_init(struct ldb_context *ldb, const char *options[])
{
struct ldb_module *ctx;
- struct private_data *data;
+ struct kludge_private_data *data;
ctx = talloc(ldb, struct ldb_module);
if (!ctx)
return NULL;
- data = talloc(ctx, struct private_data);
+ data = talloc(ctx, struct kludge_private_data);
if (data == NULL) {
talloc_free(ctx);
return NULL;
}
- data->some_private_data = NULL;
+ data->password_attrs = NULL;
ctx->private_data = data;
ctx->ldb = ldb;
ctx->prev = ctx->next = NULL;
ctx->ops = &kludge_acl_ops;
- talloc_set_destructor (ctx, kludge_acl_destructor);
-
return ctx;
}
diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif
index db532f3078..0d0261cf52 100644
--- a/source4/setup/provision_init.ldif
+++ b/source4/setup/provision_init.ldif
@@ -46,6 +46,15 @@ user: computer
template: userTemplate
template: groupTemplate
+dn: @KLUDGEACL
+passwordAttribute: sambaPassword
+passwordAttribute: ntPwdHash
+passwordAttribute: sambaNTPwdHistory
+passwordAttribute: lmPwdHash
+passwordAttribute: sambaLMPwdHistory
+passwordAttribute: krb5key
+
+
# the rootDSE module looks in this record for its base data
dn: cn=ROOTDSE
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,${BASEDN}